rpms/ipa
7
0
Fork 0
Code Issues Pull Requests Releases Activity

ipa-4.12.2.2

Browse Source 
- Resolves: RHEL-47294 SID generation task is failing when SELinux is in Enforcing mode
- Resolves: RHEL-56472 Include latest fixes in python3-ipatests packages
- Resolves: RHEL-56917 RFE add a tool to quickly detect and fix issues with IPA ID ranges
- Resolves: RHEL-56965 Backport test fixes in python3-ipatests
- Resolves: RHEL-58067 ipa replication installation fails in FIPS mode on rhel10
- Resolves: RHEL-59265 Default hbac rules are duplicated on remote server post ipa-migrate in prod-mode
- Resolves: RHEL-59266 Also enable SSSD's ssh service when enabling sss_ssh_knownhosts

Signed-off-by: Florence Blanc-Renaud <flo@redhat.com>
This commit is contained in:
Florence Blanc-Renaud 2024-09-18 11:23:26 +02:00
parent 0378d5e4e5
commit 5d90090676
11 changed files with 2495 additions and 1 deletions
Show Stats Download Patch File Download Diff File Expand all files Collapse all files

92
0003-ipatests-Check-Default-PAC-type-is-added-to-config.patch Normal file
View File

@ -0,0 +1,92 @@
From ad4b7f6cedaed54acf279033b650010c65face10 Mon Sep 17 00:00:00 2001
From: Sudhir Menon <sumenon@redhat.com>
Date: Tue, 20 Aug 2024 14:52:03 +0530
Subject: [PATCH] ipatests: Check Default PAC type is added to config
This patch checks that the default PAC type
is added to configuration i.e ipaKrbAuthzData: MS-PAC
during ipa-server-installation
The patch also checks that if 'ipaKrbAuthzData: MS-PAC'
attribute is deleted and then when we run 'ipa-server-upgrade'
command the attribute is added back.
Related: https://pagure.io/freeipa/issue/9632
Signed-off-by: Sudhir Menon <sumenon@redhat.com>
Reviewed-By: Florence Blanc-Renaud <flo@redhat.com>
---
.../test_integration/test_installation.py | 15 +++++++++++
ipatests/test_integration/test_upgrade.py | 26 ++++++++++++++++++-
2 files changed, 40 insertions(+), 1 deletion(-)
diff --git a/ipatests/test_integration/test_installation.py b/ipatests/test_integration/test_installation.py
index ada43e33fe173ea3c315178c37e2a664b05b905b..c5565c452010f23f038ddf329454b591ef09f6af 100644
--- a/ipatests/test_integration/test_installation.py
+++ b/ipatests/test_integration/test_installation.py
@@ -1190,6 +1190,21 @@ class TestInstallMaster(IntegrationTest):
expected_stdout=f'href="https://{self.master.hostname}/'
)
+ def test_pac_configuration_enabled(self):
+ """
+ This testcase checks that the default PAC type
+ is added to configuration.
+ """
+ base_dn = str(self.master.domain.basedn)
+ dn = DN(
+ ("cn", "ipaConfig"),
+ ("cn", "etc"),
+ base_dn
+ )
+ result = tasks.ldapsearch_dm(self.master, str(dn),
+ ["ipaKrbAuthzData"])
+ assert 'ipaKrbAuthzData: MS-PAC' in result.stdout_text
+
def test_hostname_parameter(self, server_cleanup):
"""
Test that --hostname parameter is respected in interactive mode.
diff --git a/ipatests/test_integration/test_upgrade.py b/ipatests/test_integration/test_upgrade.py
index 011de939e92790734d63da2f85be1c25349116a8..a0f393780ccc25774466992976532c876aa876da 100644
--- a/ipatests/test_integration/test_upgrade.py
+++ b/ipatests/test_integration/test_upgrade.py
@@ -165,7 +165,6 @@ class TestUpgrade(IntegrationTest):
ldap.update_entry(location_krb_rec)
yield _setup_locations
-
ldap = self.master.ldap_connect()
modified = False
@@ -491,3 +490,28 @@ class TestUpgrade(IntegrationTest):
tasks.reinstall_packages(self.master, ['*ipa-client'])
assert not self.master.transport.file_exists(
paths.SSH_CONFIG + ".orig")
+
+ def test_mspac_attribute_set(self):
+ """
+ This testcase deletes the already existing attribute
+ 'ipaKrbAuthzData: MS-PAC'.
+ The test then runs ipa-server-upgrade and checks that
+ the attribute 'ipaKrbAuthzData: MS-PAC' is added again.
+ """
+ base_dn = str(self.master.domain.basedn)
+ dn = DN(
+ ("cn", "ipaConfig"),
+ ("cn", "etc"),
+ base_dn
+ )
+ ldif = textwrap.dedent("""
+ dn: cn=ipaConfig,cn=etc,{}
+ changetype: modify
+ delete: ipaKrbAuthzData
+ """).format(base_dn)
+ tasks.ldapmodify_dm(self.master, ldif)
+ tasks.kinit_admin(self.master)
+ self.master.run_command(['ipa-server-upgrade'])
+ result = tasks.ldapsearch_dm(self.master, str(dn),
+ ["ipaKrbAuthzData"])
+ assert 'ipaKrbAuthzData: MS-PAC' in result.stdout_text
--
2.46.0

86
0004-selinux-add-all-IPA-log-files-to-ipa_log_t-file-cont.patch Normal file
View File

@ -0,0 +1,86 @@
From 42eb97ee6bd8011b590aef321d4386ea9352933d Mon Sep 17 00:00:00 2001
From: Alexander Bokovoy <abokovoy@redhat.com>
Date: Wed, 28 Aug 2024 10:02:19 +0300
Subject: [PATCH] selinux: add all IPA log files to ipa_log_t file context
We have multiple log files that produced by IPA components. Some of them
are written by the tools that run as root and inherit their file context
from /var/log -> var_log_t. However, increasingly we get tools that were
run through oddjob helpers. These supposed to be run within ipa_helper_t
SELinux context which has write permissions for ipa_log_t file context.
Add all known log files from the base platform. The following script was
used to generate them:
$ git grep '_LOG = .*ipa.*\.log' ipaplatform/base/paths.py | cut -d= -f2 | \
xargs -I% echo -e "%\t--\tgen_context(system_u:object_r:ipa_log_t,s0)"
/var/log/ipabackup.log -- gen_context(system_u:object_r:ipa_log_t,s0)
/var/log/ipaclient-install.log -- gen_context(system_u:object_r:ipa_log_t,s0)
/var/log/ipaclient-uninstall.log -- gen_context(system_u:object_r:ipa_log_t,s0)
/var/log/ipaclientsamba-install.log -- gen_context(system_u:object_r:ipa_log_t,s0)
/var/log/ipaclientsamba-uninstall.log -- gen_context(system_u:object_r:ipa_log_t,s0)
/var/log/ipareplica-ca-install.log -- gen_context(system_u:object_r:ipa_log_t,s0)
/var/log/ipareplica-conncheck.log -- gen_context(system_u:object_r:ipa_log_t,s0)
/var/log/ipareplica-install.log -- gen_context(system_u:object_r:ipa_log_t,s0)
/var/log/iparestore.log -- gen_context(system_u:object_r:ipa_log_t,s0)
/var/log/ipaserver-enable-sid.log -- gen_context(system_u:object_r:ipa_log_t,s0)
/var/log/ipaserver-install.log -- gen_context(system_u:object_r:ipa_log_t,s0)
/var/log/ipaserver-adtrust-install.log -- gen_context(system_u:object_r:ipa_log_t,s0)
/var/log/ipaserver-dns-install.log -- gen_context(system_u:object_r:ipa_log_t,s0)
/var/log/ipaserver-kra-install.log -- gen_context(system_u:object_r:ipa_log_t,s0)
/var/log/ipaserver-uninstall.log -- gen_context(system_u:object_r:ipa_log_t,s0)
/var/log/ipaupgrade.log -- gen_context(system_u:object_r:ipa_log_t,s0)
/var/log/ipatrust-enable-agent.log -- gen_context(system_u:object_r:ipa_log_t,s0)
/var/log/ipaepn.log -- gen_context(system_u:object_r:ipa_log_t,s0)
/var/log/ipa-custodia.audit.log -- gen_context(system_u:object_r:ipa_log_t,s0)
/var/log/ipa-migrate.log -- gen_context(system_u:object_r:ipa_log_t,s0)
ipa-custodia.audit.log was already in the present list.
Additionally, ipa-migrate-conflict.ldif is used by the ipa-migrate tool
but is not provided through the ipaplatform mechanism. It is added
explicitly.
Fixes: https://pagure.io/freeipa/issue/9654
Signed-off-by: Alexander Bokovoy <abokovoy@redhat.com>
Reviewed-By: Florence Blanc-Renaud <flo@redhat.com>
---
selinux/ipa.fc | 21 ++++++++++++++++++++-
1 file changed, 20 insertions(+), 1 deletion(-)
diff --git a/selinux/ipa.fc b/selinux/ipa.fc
index 700e3a14a11fcd403a2e6f57ec781c58dae77660..47bd19ba77418cad1f0904dc4a9a35ce9d6ff9d2 100644
--- a/selinux/ipa.fc
+++ b/selinux/ipa.fc
@@ -24,7 +24,26 @@
/var/log/ipa(/.*)? gen_context(system_u:object_r:ipa_log_t,s0)
-/var/log/ipareplica-conncheck.log.* -- gen_context(system_u:object_r:ipa_log_t,s0)
+/var/log/ipabackup.log -- gen_context(system_u:object_r:ipa_log_t,s0)
+/var/log/ipaclient-install.log -- gen_context(system_u:object_r:ipa_log_t,s0)
+/var/log/ipaclient-uninstall.log -- gen_context(system_u:object_r:ipa_log_t,s0)
+/var/log/ipaclientsamba-install.log -- gen_context(system_u:object_r:ipa_log_t,s0)
+/var/log/ipaclientsamba-uninstall.log -- gen_context(system_u:object_r:ipa_log_t,s0)
+/var/log/ipareplica-ca-install.log -- gen_context(system_u:object_r:ipa_log_t,s0)
+/var/log/ipareplica-conncheck.log -- gen_context(system_u:object_r:ipa_log_t,s0)
+/var/log/ipareplica-install.log -- gen_context(system_u:object_r:ipa_log_t,s0)
+/var/log/iparestore.log -- gen_context(system_u:object_r:ipa_log_t,s0)
+/var/log/ipaserver-enable-sid.log -- gen_context(system_u:object_r:ipa_log_t,s0)
+/var/log/ipaserver-install.log -- gen_context(system_u:object_r:ipa_log_t,s0)
+/var/log/ipaserver-adtrust-install.log -- gen_context(system_u:object_r:ipa_log_t,s0)
+/var/log/ipaserver-dns-install.log -- gen_context(system_u:object_r:ipa_log_t,s0)
+/var/log/ipaserver-kra-install.log -- gen_context(system_u:object_r:ipa_log_t,s0)
+/var/log/ipaserver-uninstall.log -- gen_context(system_u:object_r:ipa_log_t,s0)
+/var/log/ipaupgrade.log -- gen_context(system_u:object_r:ipa_log_t,s0)
+/var/log/ipatrust-enable-agent.log -- gen_context(system_u:object_r:ipa_log_t,s0)
+/var/log/ipaepn.log -- gen_context(system_u:object_r:ipa_log_t,s0)
+/var/log/ipa-migrate.log -- gen_context(system_u:object_r:ipa_log_t,s0)
+/var/log/ipa-migrate-conflict.ldif -- gen_context(system_u:object_r:ipa_log_t,s0)
/var/run/ipa(/.*)? gen_context(system_u:object_r:ipa_var_run_t,s0)
--
2.46.0

1501
0005-Add-ipa-idrange-fix.patch Normal file
View File

File diff suppressed because it is too large Load Diff

36
0006-ipatests-Add-missing-comma-in-test_idrange_no_rid_ba.patch Normal file
View File

@ -0,0 +1,36 @@
From 4fef80aeaaf017b286bd12ebfc30529f6a65a80e Mon Sep 17 00:00:00 2001
From: Florence Blanc-Renaud <flo@redhat.com>
Date: Mon, 2 Sep 2024 18:28:27 +0200
Subject: [PATCH] ipatests: Add missing comma in
test_idrange_no_rid_bases_reversed
The test is calling ipa idrange-add but is missing a comma in
the arguments list.
The resulting call is using "--rid-base 100300000--secondary-rid-base".
Add the missing comma to build the command with
"--rid-base 100300000 --secondary-rid-base"
Fixes: https://pagure.io/freeipa/issue/9656
Signed-off-by: Florence Blanc-Renaud <flo@redhat.com>
Reviewed-By: Alexander Bokovoy <abokovoy@redhat.com>
---
ipatests/test_integration/test_ipa_idrange_fix.py | 2 +-
1 file changed, 1 insertion(+), 1 deletion(-)
diff --git a/ipatests/test_integration/test_ipa_idrange_fix.py b/ipatests/test_integration/test_ipa_idrange_fix.py
index de3da9bfd221ce74f1d1bbb0dbe12e4db08b8daa..ff8fbdac9d028d26fc55f5e357f89af879a61723 100644
--- a/ipatests/test_integration/test_ipa_idrange_fix.py
+++ b/ipatests/test_integration/test_ipa_idrange_fix.py
@@ -72,7 +72,7 @@ class TestIpaIdrangeFix(IntegrationTest):
"idrange_reversed",
"--base-id", '50000',
"--range-size", '20000',
- "--rid-base", '100300000'
+ "--rid-base", '100300000',
"--secondary-rid-base", '301000'
])
--
2.46.0

32
0007-ipatests-Update-ipa-adtrust-install-test.patch Normal file
View File

@ -0,0 +1,32 @@
From a18eb8358675b3697ccf8f8d8dc230cc62df6a4d Mon Sep 17 00:00:00 2001
From: Erik Belko <ebelko@redhat.com>
Date: Thu, 29 Aug 2024 16:47:21 +0200
Subject: [PATCH] ipatests: Update ipa-adtrust-install test
update test_user_connects_smb_share_if_locked_specific_group with wait
for SSSD to be online after ipa-adtrust-install command
Related: https://pagure.io/freeipa/issue/9655
Signed-off-by: Erik Belko <ebelko@redhat.com>
Reviewed-By: Alexander Bokovoy <abokovoy@redhat.com>
---
ipatests/test_integration/test_adtrust_install.py | 2 ++
1 file changed, 2 insertions(+)
diff --git a/ipatests/test_integration/test_adtrust_install.py b/ipatests/test_integration/test_adtrust_install.py
index 72e8d874fb17adadc556ba55b825a88a3ac21a67..de252db1705ad940c3b5ee4df967d7c17a4203a7 100644
--- a/ipatests/test_integration/test_adtrust_install.py
+++ b/ipatests/test_integration/test_adtrust_install.py
@@ -853,6 +853,8 @@ class TestIpaAdTrustInstall(IntegrationTest):
self.master.config.admin_password,
"-U"]
)
+ # Wait for SSSD to become online before doing any other check
+ tasks.wait_for_sssd_domain_status_online(self.master)
self.master.run_command(["mkdir", "/freeipa4234"])
self.master.run_command(
["chcon", "-t", "samba_share_t",
--
2.46.0

33
0008-Installer-activate-ssh-service-in-sssd.conf.patch Normal file
View File

@ -0,0 +1,33 @@
From 373d41f211c1a04dc432a068bc7d2ba825ff554c Mon Sep 17 00:00:00 2001
From: Francisco Trivino <ftrivino@redhat.com>
Date: Tue, 13 Aug 2024 12:44:21 +0200
Subject: [PATCH] Installer: activate ssh service in sssd.conf
This commit enables SSSD's ssh service in ipa-client-install to ensure
sss_ssh_knownhosts and sss_ssh_knownhostsproxy functions properly.
Fixes: https://pagure.io/freeipa/issue/9649
Related: https://pagure.io/freeipa/issue/9536
Signed-off-by: Francisco Trivino <ftrivino@redhat.com>
Reviewed-By: Rob Crittenden <rcritten@redhat.com>
---
ipaclient/install/client.py | 2 ++
1 file changed, 2 insertions(+)
diff --git a/ipaclient/install/client.py b/ipaclient/install/client.py
index 802db9614b24553b2b49259f3aebb366093560ac..47a371f629f6ddfb1cd5e9fff9faad737aa01f54 100644
--- a/ipaclient/install/client.py
+++ b/ipaclient/install/client.py
@@ -974,6 +974,8 @@ def configure_sssd_conf(
sssd_enable_service(sssdconfig, 'nss')
sssd_enable_service(sssdconfig, 'pam')
+ if options.conf_ssh:
+ sssd_enable_service(sssdconfig, 'ssh')
domain.set_option('ipa_domain', cli_domain)
domain.set_option('ipa_hostname', client_hostname)
--
2.46.0

404
0009-ipa-migrate-fix-migration-issues-with-entries-using-.patch Normal file
View File

@ -0,0 +1,404 @@
From 8d242ba741ec22b258d5e70a530cefd0940783c7 Mon Sep 17 00:00:00 2001
From: Mark Reynolds <mreynolds@redhat.com>
Date: Tue, 23 Jul 2024 17:07:06 -0400
Subject: [PATCH] ipa-migrate - fix migration issues with entries using
ipaUniqueId in the RDN
We need to handle these entries differently and specify what attribute
and search base to use to find the entry on the local server. Most
entries can use the "cn" attribute but for selinux usermaps we need to
search using the ipaOwner attribute which is a DN, and in turn requires
additional handling/converting in order to properly check if the usermap
exists or not.
Also fixed an issue where an attribute should be removed from the local
entry if it does not exist on the remote entry.
And fixed the handling od "sudoOrder" which is defined as multi-valued
in the schema, but we really need to treat it as single-valued
Fixes: https://pagure.io/freeipa/issue/9640
Signed-off-by: Mark Reynolds <mreynolds@redhat.com>
Reviewed-By: Rob Crittenden <rcritten@redhat.com>
Reviewed-By: Rob Crittenden <rcritten@redhat.com>
---
ipaserver/install/ipa_migrate.py | 119 +++++++++++++++++++--
ipaserver/install/ipa_migrate_constants.py | 82 +++++++++++++--
2 files changed, 187 insertions(+), 14 deletions(-)
diff --git a/ipaserver/install/ipa_migrate.py b/ipaserver/install/ipa_migrate.py
index e21937401b3463335d8297b41a403405071d3795..78c530f24fe5d8c9f5de0f816df9904bf30c7b94 100644
--- a/ipaserver/install/ipa_migrate.py
+++ b/ipaserver/install/ipa_migrate.py
@@ -32,7 +32,7 @@ from ipaserver.install.ipa_migrate_constants import (
DS_CONFIG, DB_OBJECTS, DS_INDEXES, BIND_DN, LOG_FILE_NAME,
STRIP_OP_ATTRS, STRIP_ATTRS, STRIP_OC, PROD_ATTRS,
DNA_REGEN_VAL, DNA_REGEN_ATTRS, IGNORE_ATTRS,
- DB_EXCLUDE_TREES
+ DB_EXCLUDE_TREES, POLICY_OP_ATTRS
)
"""
@@ -529,6 +529,14 @@ class IPAMigrate():
#
# Helper functions
#
+ def attr_is_operational(self, attr):
+ schema = self.local_conn.schema
+ attr_obj = schema.get_obj(ldap.schema.AttributeType, attr)
+ if attr_obj is not None:
+ if attr_obj.usage == 1:
+ return True
+ return False
+
def replace_suffix(self, entry_dn):
"""
Replace the base DN in an entry DN
@@ -1122,6 +1130,18 @@ class IPAMigrate():
stats['reset_range'] += 1
return entry
+ def attr_is_required(self, attr, entry):
+ """
+ Check if an attribute is required in this entry
+ """
+ entry_oc = entry['objectClass']
+ for oc in entry_oc:
+ required_attrs = self.local_conn.get_allowed_attributes(
+ [oc], raise_on_unknown=False, attributes="must")
+ if attr.lower() in required_attrs:
+ return True
+ return False
+
def clean_entry(self, entry_dn, entry_type, entry_attrs):
"""
Clean up the entry from the remote server
@@ -1311,7 +1331,17 @@ class IPAMigrate():
f"'{old_value}' "
"new value "
f"'{local_entry[attr][0]}'")
-
+ elif 'single' == sp_attr[1]:
+ # The attribute is defined as multivalued, but
+ # we really need to treat it as single valued
+ self.log_debug("Entry is different and will "
+ f"be updated: '{local_dn}' "
+ f"attribute '{attr}' replaced "
+ "with val "
+ f"'{remote_attrs[attr][0]}' "
+ "old value: "
+ f"{local_entry[attr][0]}")
+ local_entry[attr][0] = remote_attrs[attr][0]
goto_next_attr = True
break
@@ -1358,6 +1388,31 @@ class IPAMigrate():
local_entry[attr] = remote_attrs[attr]
entry_updated = True
+ # Remove attributes in the local entry that do not exist in the
+ # remote entry
+ remove_attrs = []
+ for attr in local_entry:
+ if (self.attr_is_operational(attr)
+ and attr.lower() not in POLICY_OP_ATTRS) or \
+ attr.lower() in IGNORE_ATTRS or \
+ attr.lower() in STRIP_ATTRS or \
+ attr.lower() == "usercertificate":
+ # This is an attribute that we do not want to remove
+ continue
+
+ if attr not in remote_attrs and \
+ not self.attr_is_required(attr, local_entry):
+ # Mark this attribute for deletion
+ remove_attrs.append(attr)
+ entry_updated = True
+
+ # Remove attributes
+ for remove_attr in remove_attrs:
+ self.log_debug("Entry is different and will be updated: "
+ f"'{local_dn}' attribute '{remove_attr}' "
+ "is being removed")
+ del local_entry[remove_attr]
+
if range_reset:
stats['reset_range'] += 1
@@ -1371,6 +1426,9 @@ class IPAMigrate():
"""
Process chunks of remote entries from a paged results search
+ entry_dn = the remote entry DN
+ entry_attrs = the remote entry's attributes stored in a dict
+
Identify entry type
Process entry (removing/change attr/val/schema)
Compare processed remote entry with local entry, merge/overwrite?
@@ -1426,6 +1484,47 @@ class IPAMigrate():
# Based on the entry type do additional work
#
+ # For entries with alternate identifying needs we need to rebuild the
+ # local dn. Typically this is for entries that use ipaUniqueId as the
+ # RDN attr
+ if entry_type != "custom" and 'alt_id' in DB_OBJECTS[entry_type]:
+ attr = DB_OBJECTS[entry_type]['alt_id']['attr']
+ base = DB_OBJECTS[entry_type]['alt_id']['base']
+ srch_filter = f'{attr}={entry_attrs[attr][0]}'
+ if DB_OBJECTS[entry_type]['alt_id']['isDN'] is True:
+ # Convert the filter to match the local suffix
+ srch_filter = self.replace_suffix(srch_filter)
+ srch_base = base + str(self.local_suffix)
+
+ try:
+ entries = self.local_conn.get_entries(DN(srch_base),
+ filter=srch_filter)
+ if len(entries) == 1:
+ local_dn = entries[0].dn
+ elif len(entries) == 0:
+ # Not found, no problem just proceed and we will add it
+ pass
+ else:
+ # Found too many entries - should not happen
+ self.log_error('Found too many local matching entries '
+ f'for "{local_dn}"')
+ if self.args.force:
+ stats['ignored_errors'] += 1
+ return
+ else:
+ sys.exit(1)
+ except errors.EmptyResult:
+ # Not found, no problem just proceed and we will add it later
+ pass
+ except (errors.NetworkError, errors.DatabaseError) as e:
+ self.log_error('Failed to find a local matching entry for '
+ f'"{local_dn}" error: {str(e)}')
+ if self.args.force:
+ stats['ignored_errors'] += 1
+ return
+ else:
+ sys.exit(1)
+
# See if the entry exists on the local server
try:
local_entry = self.local_conn.get_entry(DN(local_dn),
@@ -1441,14 +1540,20 @@ class IPAMigrate():
if self.dryrun:
self.write_update_to_ldif(local_entry)
- DB_OBJECTS[entry_type]['count'] += 1
+ if entry_type == "custom":
+ stats['custom'] += 1
+ else:
+ DB_OBJECTS[entry_type]['count'] += 1
stats['total_db_migrated'] += 1
return
# Update the local entry
try:
self.local_conn.update_entry(local_entry)
- DB_OBJECTS[entry_type]['count'] += 1
+ if entry_type == "custom":
+ stats['custom'] += 1
+ else:
+ DB_OBJECTS[entry_type]['count'] += 1
except errors.ExecutionError as e:
self.log_error(f'Failed to update "{local_dn}" error: '
f'{str(e)}')
@@ -1567,7 +1672,7 @@ class IPAMigrate():
"""
Used paged search for online method to avoid large memory footprint
"""
- self.log_info("Migrating database ... (this make take a while)")
+ self.log_info("Migrating database ... (this may take a while)")
if self.args.db_ldif is not None:
self.processDBOffline()
else:
@@ -1608,7 +1713,7 @@ class IPAMigrate():
f"{len(objectclasses)} objectClasses")
# Loop over attributes and objectclasses and count them
- schema = self.local_conn._get_schema()
+ schema = self.local_conn.schema
local_schema = schema.ldap_entry()
for schema_type in [(attributes, "attributeTypes"),
(objectclasses, "objectClasses")]:
@@ -1967,7 +2072,7 @@ class IPAMigrate():
# Run ipa-server-upgrade
self.log_info("Running ipa-server-upgrade ... "
- "(this make take a while)")
+ "(this may take a while)")
if self.dryrun:
self.log_info("Skipping ipa-server-upgrade in dryrun mode.")
else:
diff --git a/ipaserver/install/ipa_migrate_constants.py b/ipaserver/install/ipa_migrate_constants.py
index 0e26c75497b216f09ed450aa25a09c2102582326..250f1b5b01bf066d316a98489ab6153b89615173 100644
--- a/ipaserver/install/ipa_migrate_constants.py
+++ b/ipaserver/install/ipa_migrate_constants.py
@@ -19,6 +19,28 @@ STRIP_OP_ATTRS = [
'nsuniqueid',
'dsentrydn',
'entryuuid',
+ 'entrydn',
+ 'entryid',
+ 'entryusn',
+ 'numsubordinates',
+ 'parentid',
+ 'tombstonenumsubordinates'
+]
+
+# Operational attributes that we would want to remove from the local entry if
+# they don't exist in the remote entry
+POLICY_OP_ATTRS = [
+ 'nsaccountlock',
+ 'passwordexpiratontime',
+ 'passwordgraceusertime',
+ 'pwdpolicysubentry',
+ 'passwordexpwarned',
+ 'passwordretrycount',
+ 'retrycountresettime',
+ 'accountunlocktime',
+ 'passwordhistory',
+ 'passwordallowchangetime',
+ 'pwdreset'
]
# Atributes to strip from users/groups
@@ -110,7 +132,7 @@ STRIP_OC = [
#
# The DS_CONFIG mapping breaks each config entry (or type of entry) into its
# own catagory. Each catagory, or type, as DN list "dn", the attributes# we
-# are intrested in. These attributes are broken into singel valued "attrs",
+# are intrested in. These attributes are broken into single valued "attrs",
# or multi-valued attributes "multivalued". If the attributes is single
# valued then the value is replaced, if it's multivalued then it is "appended"
#
@@ -565,6 +587,12 @@ DS_INDEXES = {
# identify the entry.
# The "label" and "count" attributes are used for the Summary Report
#
+# Some entries use ipaUniqueId as the RDN attribute, this makes comparing
+# entries between the remote and local servers problematic. So we need special
+# identifying information to find the local entry. In this case we use the
+# "alt_id" key which is a dict of an attribute 'attr' and partial base DN
+# 'base' - which is expected to end in a comma.
+#
DB_OBJECTS = {
# Plugins
'automember_def': {
@@ -640,8 +668,8 @@ DB_OBJECTS = {
'oc': ['ipaconfigobject', 'ipaguiconfig'],
'subtree': 'cn=ipaconfig,cn=etc,$SUFFIX',
'special_attrs': [
- # needs special handling, but
- # ipa-server-upgrade rewrites this attribute anyway!
+ # needs special handling, but ipa-server-upgrade rewrites this
+ # attribute anyway!
('ipausersearchfields', 'list'),
],
'label': 'IPA Config',
@@ -772,11 +800,16 @@ DB_OBJECTS = {
'mode': 'all',
'count': 0,
},
- 'subids': { # unknown what these entries look like TODO
+ 'subids': {
'oc': [],
'subtree': ',cn=subids,cn=accounts,$SUFFIX',
'label': 'Sub IDs',
- 'mode': 'all', # TODO Maybe production only?
+ 'mode': 'production',
+ 'alt_id': {
+ 'attr': 'ipaOwner',
+ 'isDN': True,
+ 'base': 'cn=subids,cn=accounts,',
+ },
'count': 0,
},
@@ -884,6 +917,11 @@ DB_OBJECTS = {
'oc': ['ipahbacrule'],
'subtree': ',cn=hbac,$SUFFIX',
'label': 'HBAC Rules',
+ 'alt_id': {
+ 'attr': 'cn',
+ 'base': 'cn=hbac,',
+ 'isDN': False,
+ },
'mode': 'all',
'count': 0,
},
@@ -892,6 +930,11 @@ DB_OBJECTS = {
'selinux_usermap': { # Not sure if this is needed, entry is empty TODO
'oc': [],
'subtree': ',cn=usermap,cn=selinux,$SUFFIX',
+ 'alt_id': {
+ 'attr': 'cn',
+ 'base': 'cn=usermap,cn=selinux,',
+ 'isDN': False,
+ },
'label': 'Selinux Usermaps',
'mode': 'all',
'count': 0,
@@ -902,12 +945,27 @@ DB_OBJECTS = {
'oc': ['ipasudorule'],
'subtree': ',cn=sudorules,cn=sudo,$SUFFIX',
'label': 'Sudo Rules',
+ 'alt_id': {
+ 'attr': 'cn',
+ 'base': 'cn=sudorules,cn=sudo,',
+ 'isDN': False,
+ },
+ 'special_attrs': [
+ # schema defines sudoOrder as mutlivalued, but we need to treat
+ # it as single valued
+ ('sudoorder', 'single'),
+ ],
'mode': 'all',
'count': 0,
},
'sudo_cmds': {
'oc': ['ipasudocmd'],
'subtree': ',cn=sudocmds,cn=sudo,$SUFFIX',
+ 'alt_id': {
+ 'attr': 'sudoCmd',
+ 'base': 'cn=sudocmds,cn=sudo,',
+ 'isDN': False,
+ },
'label': 'Sudo Commands',
'mode': 'all',
'count': 0,
@@ -991,6 +1049,11 @@ DB_OBJECTS = {
'oc': ['ipanisnetgroup'],
'not_oc': ['mepmanagedentry'],
'subtree': ',cn=ng,cn=alt,$SUFFIX',
+ 'alt_id': {
+ 'attr': 'cn',
+ 'base': 'cn=ng,cn=alt,',
+ 'isDN': False,
+ },
'label': 'Network Groups',
'mode': 'all',
'count': 0,
@@ -1006,9 +1069,14 @@ DB_OBJECTS = {
'count': 0,
},
'caacls': {
- 'oc': ['top'],
+ 'oc': ['ipacaacl'],
'subtree': ',cn=caacls,cn=ca,$SUFFIX',
- 'label': 'CA Certificates',
+ 'alt_id': {
+ 'attr': 'cn',
+ 'base': 'cn=caacls,cn=ca,',
+ 'isDN': False,
+ },
+ 'label': 'CA Certificate ACLs',
'mode': 'all',
'count': 0,
},
--
2.46.0

68
0010-ipa-migrate-fix-alternate-entry-search-filter.patch Normal file
View File

@ -0,0 +1,68 @@
From 3b5a980f5b65b03b9fd7ad0cfbb6c87874d3ff24 Mon Sep 17 00:00:00 2001
From: Mark Reynolds <mreynolds@redhat.com>
Date: Tue, 3 Sep 2024 13:42:05 -0400
Subject: [PATCH] ipa-migrate - fix alternate entry search filter
Processing a filter like a DN can cause normalization issues that result
in an invalid filter. Make sure the filter is encapsulated with
parenthesis and we call replace_suffix_value() instead of
replace_suffix()
Fixes: https://pagure.io/freeipa/issue/9658
Signed-off-by: Mark Reynolds <mreynolds@redhat.com>
Fix typo in test
Reviewed-By: Florence Blanc-Renaud <flo@redhat.com>
---
ipaserver/install/ipa_migrate.py | 4 ++--
ipatests/test_integration/test_ipa_ipa_migration.py | 6 +++---
2 files changed, 5 insertions(+), 5 deletions(-)
diff --git a/ipaserver/install/ipa_migrate.py b/ipaserver/install/ipa_migrate.py
index 78c530f24fe5d8c9f5de0f816df9904bf30c7b94..38356aa23ea435e2a616f48356feaea7b50dd1e4 100644
--- a/ipaserver/install/ipa_migrate.py
+++ b/ipaserver/install/ipa_migrate.py
@@ -1490,10 +1490,10 @@ class IPAMigrate():
if entry_type != "custom" and 'alt_id' in DB_OBJECTS[entry_type]:
attr = DB_OBJECTS[entry_type]['alt_id']['attr']
base = DB_OBJECTS[entry_type]['alt_id']['base']
- srch_filter = f'{attr}={entry_attrs[attr][0]}'
+ srch_filter = f'({attr}={entry_attrs[attr][0]})'
if DB_OBJECTS[entry_type]['alt_id']['isDN'] is True:
# Convert the filter to match the local suffix
- srch_filter = self.replace_suffix(srch_filter)
+ srch_filter = self.replace_suffix_value(srch_filter)
srch_base = base + str(self.local_suffix)
try:
diff --git a/ipatests/test_integration/test_ipa_ipa_migration.py b/ipatests/test_integration/test_ipa_ipa_migration.py
index f697bbfbfc6169309274db689501c99fe148cc70..288165e8a83a96e6f6bd4e52866f98617f497c56 100644
--- a/ipatests/test_integration/test_ipa_ipa_migration.py
+++ b/ipatests/test_integration/test_ipa_ipa_migration.py
@@ -610,7 +610,7 @@ class TestIPAMigrateScenario1(IntegrationTest):
MIGRATION_SCHEMA_LOG_MSG = "Migrating schema ...\n"
MIGRATION_CONFIG_LOG_MSG = "Migrating configuration ...\n"
IPA_UPGRADE_LOG_MSG = (
- "Running ipa-server-upgrade ... (this make take a while)\n"
+ "Running ipa-server-upgrade ... (this may take a while)\n"
)
SIDGEN_TASK_LOG_MSG = "Running SIDGEN task ...\n"
MIGRATION_COMPLETE_LOG_MSG = "Migration complete!\n"
@@ -641,10 +641,10 @@ class TestIPAMigrateScenario1(IntegrationTest):
tasks.kinit_admin(self.replicas[0])
MIGRATION_SCHEMA_LOG_MSG = "Migrating schema ...\n"
MIGRATION_DATABASE_LOG_MSG = (
- "Migrating database ... (this make take a while)\n"
+ "Migrating database ... (this may take a while)\n"
)
IPA_UPGRADE_LOG_MSG = (
- "Running ipa-server-upgrade ... (this make take a while)\n"
+ "Running ipa-server-upgrade ... (this may take a while)\n"
)
SIDGEN_TASK_LOG_MSG = "Running SIDGEN task ...\n"
result = run_migrate(
--
2.46.0

82
0011-Custodia-in-fips-mode-add-nomac-or-nomacver-to-opens.patch Normal file
View File

@ -0,0 +1,82 @@
From c96d172d7d2e87513d9bd51a98591858e1f88def Mon Sep 17 00:00:00 2001
From: Florence Blanc-Renaud <flo@redhat.com>
Date: Thu, 5 Sep 2024 14:52:26 +0200
Subject: [PATCH] Custodia: in fips mode add -nomac or -nomacver to openssl
pkcs12
In FIPS mode the command openssl pkcs12 fails unless the
export is called with -nomac and import with -nomacver
The command is used by custodia to export private keys from the
master and import them in the replica.
Fixes: https://pagure.io/freeipa/issue/9577
Signed-off-by: Florence Blanc-Renaud <flo@redhat.com>
Reviewed-By: Alexander Bokovoy <abokovoy@redhat.com>
---
ipaserver/secrets/handlers/pemfile.py | 20 ++++++++++++++++++--
1 file changed, 18 insertions(+), 2 deletions(-)
diff --git a/ipaserver/secrets/handlers/pemfile.py b/ipaserver/secrets/handlers/pemfile.py
index ad36bd02008ff068fa7e237dd9653e31f7ac7d85..006d351699f3086653c2e461fdcb8afb53eea281 100644
--- a/ipaserver/secrets/handlers/pemfile.py
+++ b/ipaserver/secrets/handlers/pemfile.py
@@ -8,6 +8,7 @@ import json
import os
from ipaplatform.paths import paths
+from ipaplatform.tasks import tasks
from ipapython import ipautil
from . import common
@@ -25,7 +26,7 @@ def export_key(args, tmpdir):
f.write(password)
# OpenSSL does not support pkcs12 export of a cert without key
- ipautil.run([
+ cmd = [
paths.OPENSSL, 'pkcs12', '-export',
'-in', args.certfile,
'-out', pk12file,
@@ -34,7 +35,13 @@ def export_key(args, tmpdir):
'-keypbe', 'AES-256-CBC',
'-certpbe', 'AES-256-CBC',
'-macalg', 'sha384',
- ])
+ ]
+
+ fips_enabled = tasks.is_fips_enabled()
+ if fips_enabled:
+ cmd.append('-nomac')
+
+ ipautil.run(cmd)
with open(pk12file, 'rb') as f:
p12data = f.read()
@@ -69,6 +76,11 @@ def import_key(args, tmpdir):
'-out', args.certfile,
'-password', 'file:{pk12pwfile}'.format(pk12pwfile=pk12pwfile),
]
+
+ fips_enabled = tasks.is_fips_enabled()
+ if fips_enabled:
+ cmd.append('-nomacver')
+
ipautil.run(cmd, umask=0o027)
# get the private key from the file
@@ -79,6 +91,10 @@ def import_key(args, tmpdir):
'-out', args.keyfile,
'-password', 'file:{pk12pwfile}'.format(pk12pwfile=pk12pwfile),
]
+
+ if fips_enabled:
+ cmd.append('-nomacver')
+
ipautil.run(cmd, umask=0o027)
--
2.46.0

139
0012-ipatests-make-TestDuplicates-teardowns-order-agnosti.patch Normal file
View File

@ -0,0 +1,139 @@
From d102773ce24481c6797f71557b75e77921164285 Mon Sep 17 00:00:00 2001
From: Stanislav Levin <slev@altlinux.org>
Date: Thu, 12 Sep 2024 12:38:52 +0300
Subject: [PATCH] ipatests: make TestDuplicates teardowns order agnostic
Fixtures 'user4' and 'user5' track the same actual user 'tuser'.
If used together their teardowns can fail depending on the
order of execution.
With this change fixtures of TestDuplicates are simplified and
method-scoped.
Related: https://pagure.io/freeipa/issue/9571
Signed-off-by: Stanislav Levin <slev@altlinux.org>
Reviewed-By: Florence Blanc-Renaud <flo@redhat.com>
---
ipatests/test_xmlrpc/test_stageuser_plugin.py | 76 +++++++------------
1 file changed, 28 insertions(+), 48 deletions(-)
diff --git a/ipatests/test_xmlrpc/test_stageuser_plugin.py b/ipatests/test_xmlrpc/test_stageuser_plugin.py
index 9ae5561dfa4e0d54fe1231501bfea3c0ba261849..6ed593fbf24dd2e8ce087625b9cb4c21c9a3c145 100644
--- a/ipatests/test_xmlrpc/test_stageuser_plugin.py
+++ b/ipatests/test_xmlrpc/test_stageuser_plugin.py
@@ -120,12 +120,6 @@ def stageduser3(request, xmlrpc_setup):
return tracker.make_fixture_activate(request)
-@pytest.fixture(scope='class')
-def stageduser4(request, xmlrpc_setup):
- tracker = StageUserTracker(u'tuser', u'test', u'user')
- return tracker.make_fixture(request)
-
-
@pytest.fixture(scope='class')
def stageduser_notposix(request, xmlrpc_setup):
tracker = StageUserTracker(u'notposix', u'notposix', u'notposix')
@@ -161,18 +155,6 @@ def user3(request, xmlrpc_setup):
return tracker.make_fixture(request)
-@pytest.fixture(scope='class')
-def user4(request, xmlrpc_setup):
- tracker = UserTracker(u'tuser', u'test', u'user')
- return tracker.make_fixture(request)
-
-
-@pytest.fixture(scope='class')
-def user5(request, xmlrpc_setup):
- tracker = UserTracker(u'tuser', u'test', u'user')
- return tracker.make_fixture(request)
-
-
@pytest.fixture(scope='class')
def user6(request, xmlrpc_setup):
tracker = UserTracker(u'suser2', u'staged', u'user')
@@ -724,52 +706,50 @@ class TestManagers(XMLRPC_test):
@pytest.mark.tier1
class TestDuplicates(XMLRPC_test):
- def test_active_same_as_preserved(self, user4, user5):
- user4.ensure_missing()
- user5.make_preserved_user()
- command = user4.make_create_command()
+ @pytest.fixture
+ def user(self, request, xmlrpc_setup):
+ tracker = UserTracker("tuser", "test", "user")
+ return tracker.make_fixture(request)
+
+ @pytest.fixture
+ def stageduser(self, request, xmlrpc_setup):
+ tracker = StageUserTracker("tuser", "test", "user")
+ return tracker.make_fixture(request)
+
+ def test_active_same_as_preserved(self, user):
+ user.make_preserved_user()
+ command = user.make_create_command()
with raises_exact(errors.DuplicateEntry(
- message=u'user with name "%s" already exists' % user4.uid)):
+ message=u'user with name "%s" already exists' % user.uid)):
command()
- user5.delete()
- def test_staged_same_as_active(self, user4, stageduser4):
- user4.ensure_exists()
- stageduser4.create() # can be created
+ def test_staged_same_as_active(self, user, stageduser):
+ user.create()
+ stageduser.create() # can be created
- command = stageduser4.make_activate_command()
+ command = stageduser.make_activate_command()
with raises_exact(errors.DuplicateEntry(
message=u'active user with name "%s" already exists' %
- user4.uid)):
+ user.uid)):
command() # cannot be activated
- user4.delete()
- stageduser4.delete()
-
- def test_staged_same_as_preserved(self, user5, stageduser4):
- user5.make_preserved_user()
- stageduser4.create() # can be created
+ def test_staged_same_as_preserved(self, user, stageduser):
+ user.make_preserved_user()
+ stageduser.create() # can be created
- command = stageduser4.make_activate_command()
+ command = stageduser.make_activate_command()
with raises_exact(errors.DuplicateEntry(
message=u'This entry already exists')):
command() # cannot be activated
- user5.delete()
- stageduser4.delete()
+ def test_active_same_as_staged(self, user, stageduser):
+ stageduser.create()
+ user.create() # can be created
- def test_active_same_as_staged(self, user4, stageduser4):
- user4.ensure_missing()
- stageduser4.ensure_exists()
- command = user4.make_create_command()
- result = command()
- user4.track_create()
- user4.check_create(result) # can be created
-
- command = stageduser4.make_activate_command()
+ command = stageduser.make_activate_command()
with raises_exact(errors.DuplicateEntry(
message=u'active user with name "%s" already exists' %
- user4.uid)):
+ user.uid)):
command() # cannot be activated
--
2.46.0

23
freeipa.spec
View File

@ -205,7 +205,7 @@
Name: %{package_name} Name: %{package_name}
Version: %{IPA_VERSION} Version: %{IPA_VERSION}
Release: 1%{?rc_version:.%rc_version}%{?dist} Release: 2%{?rc_version:.%rc_version}%{?dist}
Summary: The Identity, Policy and Audit system Summary: The Identity, Policy and Audit system
License: GPL-3.0-or-later License: GPL-3.0-or-later
@ -239,6 +239,16 @@ Patch1002: 1002-Revert-freeipa.spec-depend-on-bind-dnssec-utils.patch
%if 0%{?rhel} >= 9 %if 0%{?rhel} >= 9
Patch0001: 0001-Revert-Replace-netifaces-with-ifaddr.patch Patch0001: 0001-Revert-Replace-netifaces-with-ifaddr.patch
Patch0002: 0002-freeipa-disable-nis.patch Patch0002: 0002-freeipa-disable-nis.patch
Patch0003: 0003-ipatests-Check-Default-PAC-type-is-added-to-config.patch
Patch0004: 0004-selinux-add-all-IPA-log-files-to-ipa_log_t-file-cont.patch
Patch0005: 0005-Add-ipa-idrange-fix.patch
Patch0006: 0006-ipatests-Add-missing-comma-in-test_idrange_no_rid_ba.patch
Patch0007: 0007-ipatests-Update-ipa-adtrust-install-test.patch
Patch0008: 0008-Installer-activate-ssh-service-in-sssd.conf.patch
Patch0009: 0009-ipa-migrate-fix-migration-issues-with-entries-using-.patch
Patch0010: 0010-ipa-migrate-fix-alternate-entry-search-filter.patch
Patch0011: 0011-Custodia-in-fips-mode-add-nomac-or-nomacver-to-opens.patch
Patch0012: 0012-ipatests-make-TestDuplicates-teardowns-order-agnosti.patch
Patch1001: 1001-Change-branding-to-IPA-and-Identity-Management.patch Patch1001: 1001-Change-branding-to-IPA-and-Identity-Management.patch
%endif %endif
%endif %endif
@ -1493,6 +1503,7 @@ fi
%{_sbindir}/ipa-pkinit-manage %{_sbindir}/ipa-pkinit-manage
%{_sbindir}/ipa-crlgen-manage %{_sbindir}/ipa-crlgen-manage
%{_sbindir}/ipa-cert-fix %{_sbindir}/ipa-cert-fix
%{_sbindir}/ipa-idrange-fix
%{_sbindir}/ipa-acme-manage %{_sbindir}/ipa-acme-manage
%{_sbindir}/ipa-migrate %{_sbindir}/ipa-migrate
%if 0%{?fedora} >= 38 %if 0%{?fedora} >= 38
@ -1571,6 +1582,7 @@ fi
%{_mandir}/man1/ipa-pkinit-manage.1* %{_mandir}/man1/ipa-pkinit-manage.1*
%{_mandir}/man1/ipa-crlgen-manage.1* %{_mandir}/man1/ipa-crlgen-manage.1*
%{_mandir}/man1/ipa-cert-fix.1* %{_mandir}/man1/ipa-cert-fix.1*
%{_mandir}/man1/ipa-idrange-fix.1*
%{_mandir}/man1/ipa-acme-manage.1* %{_mandir}/man1/ipa-acme-manage.1*
%{_mandir}/man1/ipa-migrate.1* %{_mandir}/man1/ipa-migrate.1*
@ -1859,6 +1871,15 @@ fi
%endif %endif
%changelog %changelog
* Wed Sep 18 2024 Florence Blanc-Renaud <flo@redhat.com> - 4.12.2.2
- Resolves: RHEL-47294 SID generation task is failing when SELinux is in Enforcing mode
- Resolves: RHEL-56472 Include latest fixes in python3-ipatests packages
- Resolves: RHEL-56917 RFE add a tool to quickly detect and fix issues with IPA ID ranges
- Resolves: RHEL-56965 Backport test fixes in python3-ipatests
- Resolves: RHEL-58067 ipa replication installation fails in FIPS mode on rhel10
- Resolves: RHEL-59265 Default hbac rules are duplicated on remote server post ipa-migrate in prod-mode
- Resolves: RHEL-59266 Also enable SSSD's ssh service when enabling sss_ssh_knownhosts
* Thu Aug 22 2024 Florence Blanc-Renaud <flo@redhat.com> - 4.12.2.1 * Thu Aug 22 2024 Florence Blanc-Renaud <flo@redhat.com> - 4.12.2.1
- Resolves: RHEL-54545 Covscan issues: Resource Leak - Resolves: RHEL-54545 Covscan issues: Resource Leak
- Resolves: RHEL-54304 support for python cryptography 43.0.0 - Resolves: RHEL-54304 support for python cryptography 43.0.0