ipa-4.12.2-23

- Resolves: RHEL-105973
  Include fixes in python3-ipatests package
- Resolves: RHEL-105513
  kdb: prevent double crash in RBCD ACL free
- Resolves: RHEL-101708
  ipatests: use "sos report" instead of "sosreport" command
- Resolves: RHEL-95733
  Incorrect use of external IdP GitHub trademark
- Resolves: RHEL-95374
  eDNS: multiple issues during encrypted DNS setup

Signed-off-by: Florence Blanc-Renaud <flo@redhat.com>
Florence Blanc-Renaud 2025-07-30 16:49:26 +02:00
parent 5b80c47b95
commit 6a20fd2794
7 changed files with 583 additions and 2 deletions

@ -0,0 +1,40 @@
From 1c789f5ffde5d443fa2ce6ccfc4eb55f9a8afb4c Mon Sep 17 00:00:00 2001
From: Florence Blanc-Renaud <flo@redhat.com>
Date: Tue, 25 Feb 2025 10:24:56 +0100
Subject: [PATCH] ipatests: use "sos report" instead of "sosreport" command
The "sosreport" command has been deprecated and "sos report" should be
used instead. The redirector was removed in sos 4.9.
Fixes: https://pagure.io/freeipa/issue/9752
Signed-off-by: Florence Blanc-Renaud <flo@redhat.com>
Reviewed-By: Alexander Bokovoy <abokovoy@redhat.com>
---
ipatests/test_integration/test_ipahealthcheck.py | 4 ++--
1 file changed, 2 insertions(+), 2 deletions(-)
diff --git a/ipatests/test_integration/test_ipahealthcheck.py b/ipatests/test_integration/test_ipahealthcheck.py
index 7c3f5857a477070d8a9b52c04d41f35ac580c97f..05a0adb24a3f26d70d0690462e7c0fefbf98c6e6 100644
--- a/ipatests/test_integration/test_ipahealthcheck.py
+++ b/ipatests/test_integration/test_ipahealthcheck.py
@@ -1405,7 +1405,7 @@ class TestIpaHealthCheck(IntegrationTest):
msg = "[plugin:ipa] collecting path '{}'".format(HEALTHCHECK_LOG)
cmd = self.master.run_command(
[
- "sosreport",
+ "sos", "report",
"-o",
"ipa",
"--case-id",
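Review bot: the `sos report` subcommand only exists in sos 4.x, so after this change the test fails outright on any host still shipping sos 3.x, rather than only on hosts where the `sosreport` redirector was removed (sos 4.9 per the commit message); if older hosts remain in the test matrix, guard the call with a version check or a skip. The same argument list is repeated verbatim in the second hunk; a small helper such as `sos_report_cmd(case_id)` would keep both invocations in step the next time the sos CLI changes.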
@@ -1508,7 +1508,7 @@ class TestIpaHealthCheck(IntegrationTest):
caseid = "123456"
self.master.run_command(
[
- "sosreport",
+ "sos", "report",
"-o",
"ipa",
"--case-id",
--
2.50.1

@ -0,0 +1,57 @@
From a6ae9f740991888bede82884bd9609db220430e3 Mon Sep 17 00:00:00 2001
From: Antonio Torres <antorres@redhat.com>
Date: Mon, 23 Jun 2025 10:49:34 +0200
Subject: [PATCH] dns: only overwrite resolv.conf during eDNS setup when needed
Don't overwrite resolv.conf if it already points to 127.0.0.1. This
ensures compatibility with read-only containers.
Fixes: https://pagure.io/freeipa/issue/9813
Signed-off-by: Antonio Torres <antorres@redhat.com>
Reviewed-By: Florence Blanc-Renaud <flo@redhat.com>
---
ipaserver/install/dns.py | 16 +++++++++-------
1 file changed, 9 insertions(+), 7 deletions(-)
diff --git a/ipaserver/install/dns.py b/ipaserver/install/dns.py
index 9740faeddb244a56b2dc8a274ff82158f6dd2204..0f7a3073f4de1641afb7fdfa77413b978fd23974 100644
--- a/ipaserver/install/dns.py
+++ b/ipaserver/install/dns.py
@@ -33,7 +33,7 @@ from ipapython import ipautil
from ipapython import dnsutil
from ipapython.certdb import EXTERNAL_CA_TRUST_FLAGS
from ipapython.dn import DN
-from ipapython.dnsutil import check_zone_overlap
+from ipapython.dnsutil import check_zone_overlap, get_ipa_resolver
from ipapython.install import typing
from ipapython.install.core import group, knob
from ipapython.admintool import ScriptError
@@ -171,17 +171,19 @@ def _setup_dns_over_tls(options):
f.write("\n".join(dns_none))
nm.reload_or_restart()
- # Overwrite resolv.conf to point to IPA
+ # Ensure resolv.conf points to IPA
cfg = [
"# auto-generated by IPA installer",
"search .",
"nameserver 127.0.0.1\n"
]
- fstore = sysrestore.FileStore(paths.SYSRESTORE)
- fstore.backup_file(paths.RESOLV_CONF)
- with open(paths.RESOLV_CONF, 'w') as f:
- f.write('\n'.join(cfg))
- os.chmod(paths.RESOLV_CONF, 0o644)
+ nameservers = get_ipa_resolver().nameservers
+ if not nameservers or nameservers[0] != "127.0.0.1":
+ fstore = sysrestore.FileStore(paths.SYSRESTORE)
+ fstore.backup_file(paths.RESOLV_CONF)
+ with open(paths.RESOLV_CONF, 'w') as f:
+ f.write('\n'.join(cfg))
+ os.chmod(paths.RESOLV_CONF, 0o644)
services.knownservices.unbound.enable()
services.knownservices.unbound.restart()
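Review bot: the new guard `if not nameservers or nameservers[0] != "127.0.0.1":` inspects only the first nameserver, so a resolv.conf with `nameserver 127.0.0.1` followed by an external `nameserver 10.0.0.2` is left untouched, and the stub resolver can still fall through to the external server when Unbound is down or answers SERVFAIL, which defeats the point of routing everything through the local DoT forwarder; compare the whole nameserver list (and the `search .` line) against `cfg`, or at minimum log that an existing file was kept as-is. For the read-only container case the message targets, a non-matching resolv.conf still reaches `open(paths.RESOLV_CONF, 'w')` and dies with a bare OSError; catching that and reporting the expected content would make the failure actionable.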
--
2.50.1

@ -0,0 +1,151 @@
From 6bb7ebd40f3fa9c266e62caef961c1078440751d Mon Sep 17 00:00:00 2001
From: Rafael Guterres Jeffman <rjeffman@redhat.com>
Date: Tue, 17 Jun 2025 17:15:49 -0300
Subject: [PATCH] Use correct capitalization for GitHub and GitLab
The correct third party trademarks are GitHub and GitLab, and this is
the capitalization that needs to be used for documentation and messages,
when referring to each service.
Fixes: https://pagure.io/freeipa/issue/9811
Signed-off-by: Rafael Guterres Jeffman <rjeffman@redhat.com>
Reviewed-By: Florence Blanc-Renaud <flo@redhat.com>
Reviewed-By: Rob Crittenden <rcritten@redhat.com>
---
doc/designs/external-idp/idp-api.md | 22 +++++++++++-----------
doc/workshop/12-external-idp-support.rst | 4 ++--
ipaserver/plugins/internal.py | 2 +-
ipatests/test_integration/test_cert.py | 2 +-
po/ipa.pot | 2 +-
5 files changed, 16 insertions(+), 16 deletions(-)
diff --git a/doc/designs/external-idp/idp-api.md b/doc/designs/external-idp/idp-api.md
index fe2ba8d67389b89216b128c253695e3d1da363be..59d2ccb5707cda549130fc0f4e05c8e8ee9bb86b 100644
--- a/doc/designs/external-idp/idp-api.md
+++ b/doc/designs/external-idp/idp-api.md
@@ -156,13 +156,13 @@ List of pre-populated IdP types is currently limited by the following provider
Some IdP providers support parametrized URIs which include organization or a
realm name, or specific base URL, or both.
-One notable omission in the pre-populated IdP types above is Gitlab.
+One notable omission in the pre-populated IdP types above is GitLab.
FreeIPA only supports IdPs that implement OAuth 2.0 Device authorization
grant flow as defined by the [RFC 8628](https://www.rfc-editor.org/rfc/rfc8628).
If required IdP cannot be made to support Device authorization grant flow, it
is recommended to use OAuth 2.0 federation within an IdP that supports this
-method. Gitlab does not support OAuth 2.0 Device authorization grant flow and
+method. GitLab does not support OAuth 2.0 Device authorization grant flow and
thus is not supported directly.
SSSD 2.7.0 implements Kerberos pre-authentication method `idp` (registered as a
@@ -193,7 +193,7 @@ Choosing `--provider=google` would expand to use the following options:
| `--scope`=STR | `openid email` |
| `--idp-user-id`=STR | `email` |
-#### Github IdPs
+#### GitHub IdPs
Choosing `--provider=github` would expand to use the following options:
@@ -207,17 +207,17 @@ Choosing `--provider=github` would expand to use the following options:
| `--scope`=STR | `user` |
| `--idp-user-id`=STR | `login` |
-Please note that Github explicitly states that a user login is not unique and
+Please note that GitHub explicitly states that a user login is not unique and
can be reused after a user account was deleted. The configuration above aims
-for an easy setup for testing. If production deployment with Github IdP would
+for an easy setup for testing. If production deployment with GitHub IdP would
be required, it is recommended to change `--idp-user-id` to a more unique subject
-like `id`. Unfortunately, Github UI does not give an easy way to discover a
+like `id`. Unfortunately, GitHub UI does not give an easy way to discover a
user ID. Other IdPs also lack an easy way to resolve these internal identifiers
when not authorized by the user themselves.
-For Github, user's ID can be looked up without authentication through the Users
+For GitHub, user's ID can be looked up without authentication through the Users
API. Assuming we have `curl` and `jq` utilities available, a request to
-discover an ID of a Github user named `test` would look like:
+discover an ID of a GitHub user named `test` would look like:
```
$ curl --silent \
@@ -386,10 +386,10 @@ scope is used, this typically maps to `sub` value. Since there are no ways to
pull this value for all users in advance, pre-populated IdP templates set OAuth
2.0 scopes to include `email` and then use `email` to map IdP subject where possible.
There are some well-known IdPs which allow reuse of user accounts and emails, this
-applies to both Github and Gitlab. Since Gitlab does not support OAuth 2.0
+applies to both GitHub and GitLab. Since GitLab does not support OAuth 2.0
Device authorization grant flow, it is not an issue in itself for this project. However,
-for Github it is known that user accounts can be recycled after their removal. In
-this case we would recommend to use internal Github identifier instead.
+for GitHub it is known that user accounts can be recycled after their removal. In
+this case we would recommend to use internal GitHub identifier instead.
## Upgrade and backward compatibility
diff --git a/doc/workshop/12-external-idp-support.rst b/doc/workshop/12-external-idp-support.rst
index 022c26483fa5b08fa02b69ff63fac7d08c53d110..66c714c257f0dacc724753cbc73968a588aa3a07 100644
--- a/doc/workshop/12-external-idp-support.rst
+++ b/doc/workshop/12-external-idp-support.rst
@@ -94,7 +94,7 @@ authorization grant flow:
* Microsoft Identity Platform, including Azure AD
* Google
-* Github
+* GitHub
* Keycloak, including Red Hat SSO
* Okta
@@ -389,7 +389,7 @@ IPA. Option ``--provider keycloak`` allows us to fill-in pre-defined template
for Keycloak or Red Hat SSO IdPs. The template expects both Keycloak's realm
(``--org`` option) and a base URL (``--base-url`` option) because Keycloak is
typically deployed as a part of a larger solution. These options may not be
-needed for other pre-defined templates like Google or Github.
+needed for other pre-defined templates like Google or GitHub.
The `openid` scope is mandatory since
[Keycloak 19.0.2](https://www.keycloak.org/docs/latest/upgrading/index.html#userinfo-endpoint-changes).
diff --git a/ipaserver/plugins/internal.py b/ipaserver/plugins/internal.py
index e8642b6f03754fbdc6a099b72407ed2df25da86f..283b430778c37861c417c7829ac04bd2fb966be0 100644
--- a/ipaserver/plugins/internal.py
+++ b/ipaserver/plugins/internal.py
@@ -1100,7 +1100,7 @@ class i18n_messages(Command):
"idp": {
"template_keycloak": _("Keycloak or Red Hat SSO"),
"template_google": _("Google"),
- "template_github": _("Github"),
+ "template_github": _("GitHub"),
"template_microsoft": _("Microsoft or Azure"),
"template_okta": _("Okta"),
"label_idpclient": _("OAuth 2.0 client details"),
diff --git a/ipatests/test_integration/test_cert.py b/ipatests/test_integration/test_cert.py
index 88859e67f5653bc91f25152c414350c0ba41e036..05b20b910b249af24039a497538f96dad07162aa 100644
--- a/ipatests/test_integration/test_cert.py
+++ b/ipatests/test_integration/test_cert.py
@@ -540,7 +540,7 @@ class TestCAShowErrorHandling(IntegrationTest):
4. Verify LWCA is recognized on the server
5. Run `ipa ca-show <LWCA>`
- PKI Github Link: https://github.com/dogtagpki/pki/pull/3605/
+ PKI GitHub Link: https://github.com/dogtagpki/pki/pull/3605/
"""
self.replicas[0].run_command(['systemctl', 'stop', 'ipa-custodia'])
lwca = 'lwca1'
diff --git a/po/ipa.pot b/po/ipa.pot
index 41ee14059f1dc00f22c53d59f82ba9c4df439d1a..07413d546241149fcde36c38c0750d040916ba0f 100644
--- a/po/ipa.pot
+++ b/po/ipa.pot
@@ -23944,7 +23944,7 @@ msgid "Google"
msgstr ""
#: ipaserver/plugins/internal.py:1103
-msgid "Github"
+msgid "GitHub"
msgstr ""
#: ipaserver/plugins/internal.py:1104
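Review bot: editing the msgid in po/ipa.pot from "Github" to "GitHub" orphans any existing "Github" translations in the .po files (they become obsolete entries until translators re-key them); since the .pot is regenerated from `ipaserver/plugins/internal.py` anyway, consider leaving this file to the next pot refresh and mentioning the translation impact in the commit message.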
--
2.50.1

@ -0,0 +1,35 @@
From 45cce31e2596de2c9b6048674510572c248e2ec9 Mon Sep 17 00:00:00 2001
From: Alexander Bokovoy <abokovoy@redhat.com>
Date: Tue, 15 Jul 2025 10:52:01 +0300
Subject: [PATCH] kdb: prevent double crash in RBCD ACL free
acl_list was set to prev->tl_data_contents and its value is freed but
then it is freed again outside of the if(). Just reset acl_list pointer
as prev->tl_data_contents is removed unconditionally outside of the RBCD
ACL removal.
Related: https://pagure.io/freeipa/issue/9367
Signed-off-by: Alexander Bokovoy <abokovoy@redhat.com>
Reviewed-By: Rob Crittenden <rcritten@redhat.com>
---
daemons/ipa-kdb/ipa_kdb_principals.c | 3 ++-
1 file changed, 2 insertions(+), 1 deletion(-)
diff --git a/daemons/ipa-kdb/ipa_kdb_principals.c b/daemons/ipa-kdb/ipa_kdb_principals.c
index 19998c2a38b5d8ae80aeedeb003f54241d2c2a9f..a7e77e940ab61b27407076a834f3804b0e69c122 100644
--- a/daemons/ipa-kdb/ipa_kdb_principals.c
+++ b/daemons/ipa-kdb/ipa_kdb_principals.c
@@ -2160,7 +2160,8 @@ void ipadb_free_principal(krb5_context kcontext, krb5_db_entry *entry)
for (i = 0; (acl_list != NULL) && (acl_list[i] != NULL); i++) {
free(acl_list[i]);
}
- free(acl_list);
+ /* prev->tl_data_contents will be removed below */
+ acl_list = NULL;
}
free(prev->tl_data_contents);
free(prev);
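Review bot: as far as the visible lines go the fix is right: `acl_list` aliases `prev->tl_data_contents`, so dropping `free(acl_list)` and letting the unconditional `free(prev->tl_data_contents)` release the array removes the double free. Two small points: `acl_list = NULL` is a dead store (the variable is not read again before the function returns), so either keep just the comment or, better, declare `acl_list` inside the if-block so the aliasing is visible in one place; and since this sits in the KDC's entry-free path (`ipadb_free_principal`), the commit message should say which KDC operations reach it for principals carrying RBCD ACL tl-data, because a double free there takes down the kdc process.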
--
2.50.1

@ -0,0 +1,110 @@
From 0c9ba2a0075f02315810521357cf2e5b52fc7d41 Mon Sep 17 00:00:00 2001
From: Sudhir Menon <sumenon@redhat.com>
Date: Wed, 9 Apr 2025 13:10:58 +0530
Subject: [PATCH] ipatests: Tests for ipa-migrate tool with ldif file
This test checks that the ipa-migrate tool works without any error
when it uses an LDIF file.
Related: https://pagure.io/freeipa/issue/9776
Signed-off-by: Sudhir Menon <sumenon@redhat.com>
Reviewed-By: Florence Blanc-Renaud <flo@redhat.com>
Reviewed-By: Rob Crittenden <rcritten@redhat.com>
Reviewed-By: Florence Blanc-Renaud <flo@redhat.com>
Reviewed-By: Rob Crittenden <rcritten@redhat.com>
---
.../test_ipa_ipa_migration.py | 80 +++++++++++++++++++
1 file changed, 80 insertions(+)
diff --git a/ipatests/test_integration/test_ipa_ipa_migration.py b/ipatests/test_integration/test_ipa_ipa_migration.py
index 95c29234fc7893d3eae5d900a58aa7b1162ed61d..c6247e772b257748aa0c0f58bd04b53d3756125c 100644
--- a/ipatests/test_integration/test_ipa_ipa_migration.py
+++ b/ipatests/test_integration/test_ipa_ipa_migration.py
@@ -1265,3 +1265,83 @@ class TestIPAMigrationWithADtrust(IntegrationTest):
["ipa", "idrange-show", ad_domain_name + "_id_range"]
)
assert cmd1.stdout_text == cmd2.stdout_text
+
+
+class TestIPAMigratewithBackupRestore(IntegrationTest):
+ """
+ Test for ipa-migrate tool with backup files.
+ The master and replicas[1] are used to create the data source.
+ The replicas[0] is used as new server, retrieving data from the source.
+ replicas[1] is needed to make sure that the source LDIF
+ file contains replication attributes with
+ options (for instance objectClass;vucsn-67f7b3de000300030000).
+ """
+ num_replicas = 2
+ topology = "line"
+
+ @classmethod
+ def install(cls, mh):
+ tasks.install_master(cls.master, setup_dns=True, setup_kra=True)
+ prepare_ipa_server(cls.master)
+ tasks.install_master(cls.replicas[0], setup_dns=True, setup_kra=True)
+ tasks.install_replica(cls.master, cls.replicas[1],
+ setup_dns=True, setup_kra=True)
+
+ @pytest.fixture
+ def create_delete_user(self):
+ """
+ This fixtures creates a ldapuser using the
+ ldif file and then delete the users
+ """
+ self.master.run_command(['ipa', 'user-add', 'testuser',
+ '--first', 'test',
+ '--last', 'user'])
+ self.master.run_command(['ipa', 'user-del', 'testuser'])
+ yield
+
+ def test_ipa_migrate_stage_mode(self, create_delete_user):
+ """
+ This test checks ipa-migrate with LDIF file
+ from backup of remote server is successful.
+ """
+ ERR_MSG = (
+ "error: change collided with another change"
+ )
+ dashed_domain_name = self.master.domain.realm.replace(
+ ".", '-'
+ )
+ DB_LDIF_FILE = '{}-userRoot.ldif'.format(
+ dashed_domain_name
+ )
+ SCHEMA_LDIF_FILE = '{}''/config_files/schema/99user.ldif'.format(
+ dashed_domain_name)
+ CONFIG_LDIF_FILE = '{}''/config_files/dse.ldif'.format(
+ dashed_domain_name)
+ param = [
+ '-n', '-g', CONFIG_LDIF_FILE, '-m', SCHEMA_LDIF_FILE,
+ '-f', DB_LDIF_FILE
+ ]
+ tasks.kinit_admin(self.master)
+ tasks.kinit_admin(self.replicas[0])
+ backup_path = tasks.get_backup_dir(self.master)
+ remote_ipa_tar_file = backup_path + '/ipa-full.tar'
+ ipa_tar_file = self.master.get_file_contents(
+ remote_ipa_tar_file
+ )
+ replica_file_name = "/tmp/ipa-full.tar"
+ self.replicas[0].put_file_contents(
+ replica_file_name, ipa_tar_file
+ )
+ self.replicas[0].run_command(
+ ['/usr/bin/tar', '-xvf', replica_file_name]
+ )
+ result = run_migrate(
+ self.replicas[0],
+ "stage-mode",
+ self.master.hostname,
+ "cn=Directory Manager",
+ self.master.config.admin_password,
+ extra_args=param,
+ )
+ assert result.returncode == 0
+ assert ERR_MSG not in result.stderr_text
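Review bot: the paths handed to ipa-migrate (`DB_LDIF_FILE`, `SCHEMA_LDIF_FILE`, `CONFIG_LDIF_FILE`) are relative, while the tarball is unpacked by `tar -xvf /tmp/ipa-full.tar` in whatever working directory `run_command` happens to use, so the test silently depends on `run_migrate` running in that same directory; extract with `-C` into a known directory and build absolute paths from it. The `'{}''/config_files/...'.format(...)` expressions rely on implicit literal concatenation and read like a typo; write each as a single literal. The `create_delete_user` docstring says the user is created "using the ldif file", but the fixture calls `ipa user-add`. Finally, `ipa-full.tar` carries the directory server database and the CA/KRA key material, and it is unpacked under /tmp on the replica with the default umask; use a private 0700 directory and remove it in a teardown.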
--
2.50.1

@ -0,0 +1,174 @@
From bae780843ef26da1d0876086205cda9f590e9c01 Mon Sep 17 00:00:00 2001
From: Antonio Torres <antorres@redhat.com>
Date: Tue, 24 Jun 2025 13:41:17 +0200
Subject: [PATCH] dns: disable all previous Unbound configuration before
deploying ours
Previous configuration from other packages might break our Unbound
setup. Rename the config files to disable them before deploying our
configuration.
Fixes: https://pagure.io/freeipa/issue/9814
Signed-off-by: Antonio Torres <antorres@redhat.com>
Reviewed-By: Thomas Woerner <twoerner@redhat.com>
Reviewed-By: Rob Crittenden <rcritten@redhat.com>
---
ipaclient/install/client.py | 29 ++++++++++++++++++++++++++---
ipaplatform/base/paths.py | 1 +
ipaserver/install/bindinstance.py | 17 +++++++++++++++--
ipaserver/install/dns.py | 11 ++++++++++-
4 files changed, 52 insertions(+), 6 deletions(-)
diff --git a/ipaclient/install/client.py b/ipaclient/install/client.py
index 96e91268f54aecf08e0791c91811072e8d6f459f..1885e4a8d4d1ae97ee70c163d5a47bb819288065 100644
--- a/ipaclient/install/client.py
+++ b/ipaclient/install/client.py
@@ -1656,7 +1656,7 @@ def get_server_connection_interface(server):
raise RuntimeError(msg)
-def client_dns(server, hostname, options):
+def client_dns(server, hostname, options, statestore):
try:
verify_host_resolvable(hostname)
@@ -1672,12 +1672,22 @@ def client_dns(server, hostname, options):
# Setup DNS over TLS
if options.dns_over_tls:
+ fstore = sysrestore.FileStore(paths.IPA_CLIENT_SYSRESTORE)
+ statestore.backup_state("dns_over_tls", "enabled", True)
+ save_state(services.knownservices["unbound"], statestore)
# setup and enable Unbound as resolver
server_ip = str(list(dnsutil.resolve_ip_addresses(server))[0])
forward_addr = "forward-addr: %s#%s" % (server_ip, server)
# module_config_iterator is commented out if DNSSEC validation is
# not disabled.
module_config_iterator = '' if options.no_dnssec_validation else '# '
+ # backup and remove all previous Unbound configuration
+ for filename in os.listdir(paths.UNBOUND_CONFIG_DIR):
+ filepath = os.path.join(paths.UNBOUND_CONFIG_DIR, filename)
+ if filepath == paths.UNBOUND_CONF:
+ continue
+ fstore.backup_file(filepath)
+ remove_file(filepath)
ipautil.copy_template_file(
paths.UNBOUND_CONF_SRC,
paths.UNBOUND_CONF,
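Review bot: the removal loop over `os.listdir(paths.UNBOUND_CONFIG_DIR)` treats every entry as a regular file; a subdirectory or a dangling symlink in conf.d makes `fstore.backup_file` / `remove_file` raise and aborts the client install, so filter with `os.path.isfile` and decide explicitly what happens to symlinks. It also silently discards distro- or admin-provided Unbound configuration, including any `access-control` or `remote-control` settings, so the template in `paths.UNBOUND_CONF_SRC` becomes the sole source of those; the install log should list what was moved aside so an operator can tell why their local settings vanished.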
@@ -1710,7 +1720,6 @@ def client_dns(server, hostname, options):
"search .",
"nameserver 127.0.0.55\n"
]
- fstore = sysrestore.FileStore(paths.IPA_CLIENT_SYSRESTORE)
fstore.backup_file(paths.RESOLV_CONF)
with open(paths.RESOLV_CONF, 'w') as f:
f.write('\n'.join(cfg))
@@ -3242,7 +3251,7 @@ def _install(options, tdict):
tasks.insert_ca_certs_into_systemwide_ca_store(ca_certs)
if not options.on_master:
- client_dns(cli_server[0], hostname, options)
+ client_dns(cli_server[0], hostname, options, statestore)
update_ssh_keys(hostname, paths.SSH_CONFIG_DIR, options, cli_server[0])
@@ -3632,6 +3641,20 @@ def uninstall(options):
except Exception:
pass
+ # Restore unbound to its original status
+ if statestore.restore_state("dns_over_tls", "enabled"):
+ unbound = services.knownservices['unbound']
+ if not statestore.restore_state('unbound', 'running'):
+ unbound.stop()
+ if not statestore.restore_state('unbound', 'enabled'):
+ unbound.disable()
+ # restore unbound config files that were removed during IPA install
+ remove_file(paths.UNBOUND_CONF)
+ for filename, fileinfo in fstore.files.items():
+ if paths.UNBOUND_CONFIG_DIR in fileinfo:
+ fstore.restore_file(
+ os.path.join(paths.UNBOUND_CONFIG_DIR, filename))
+
logger.info("Disabling client Kerberos and LDAP configurations")
was_sssd_installed = False
was_sshd_configured = False
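Review bot: `for filename, fileinfo in fstore.files.items(): ... fstore.restore_file(...)` mutates the store while iterating it if `restore_file` drops the restored entry from `fstore.files`, which is how the FileStore tracks what is still pending; Python 3 then raises `RuntimeError: dictionary changed size during iteration` after the first file, leaving the remaining conf.d files unrestored. Iterate over `list(fstore.files.items())`. The `paths.UNBOUND_CONFIG_DIR in fileinfo` substring test also matches any recorded path that merely contains that prefix; comparing the recorded path's directory component exactly would be safer. The same pattern appears in bindinstance.py below.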
diff --git a/ipaplatform/base/paths.py b/ipaplatform/base/paths.py
index a5bca789bdb8d07b51779e28adf64c9b68892328..8b62971f98cb282a7bcbe30019d39bcdfadec7a9 100644
--- a/ipaplatform/base/paths.py
+++ b/ipaplatform/base/paths.py
@@ -102,6 +102,7 @@ class BasePathNamespace:
NAMED_MANAGED_KEYS_DIR = "/var/named/dynamic"
NAMED_CRYPTO_POLICY_FILE = None
UNBOUND_CONF_SRC = '/usr/share/ipa/client/unbound.conf.template'
+ UNBOUND_CONFIG_DIR = "/etc/unbound/conf.d/"
UNBOUND_CONF = "/etc/unbound/conf.d/zzz-ipa.conf"
NSLCD_CONF = "/etc/nslcd.conf"
NSS_LDAP_CONF = "/etc/nss_ldap.conf"
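Review bot: `UNBOUND_CONFIG_DIR = "/etc/unbound/conf.d/"` keeps a trailing slash, unlike the other `*_DIR` entries in this namespace (for example `NAMED_MANAGED_KEYS_DIR = "/var/named/dynamic"`), and the uninstall code relies on that slash for its `in fileinfo` substring test; either drop the slash and compare with `os.path.dirname`, or add a comment that the slash is load-bearing so a later cleanup does not break restore.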
diff --git a/ipaserver/install/bindinstance.py b/ipaserver/install/bindinstance.py
index 0cc1f1325ce0a9dbdb09f4100a1a22bc4f24924a..ea4d4bf0e8a2d189cc0e59835db2423d7ff1cfeb 100644
--- a/ipaserver/install/bindinstance.py
+++ b/ipaserver/install/bindinstance.py
@@ -690,6 +690,10 @@ class BindInstance(service.Service):
self.reverse_zones = reverse_zones
self.sstore.backup_state("dns_over_tls", "enabled", dns_over_tls)
+ self.sstore.backup_state("unbound", "running",
+ services.knownservices["unbound"].is_running())
+ self.sstore.backup_state("unbound", "enabled",
+ services.knownservices["unbound"].is_enabled())
if not zonemgr:
self.zonemgr = 'hostmaster.%s' % normalize_zone(self.domain)
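Review bot: recording the unbound running/enabled state here in `setup()` is the right place (before `_setup_dns_over_tls` touches the service), but it is done unconditionally even when `dns_over_tls` is false, so every DNS install now writes two unbound keys into sysrestore that the uninstall path only reads when `dns_over_tls` was enabled; gate the two `backup_state` calls on `dns_over_tls` to keep the state file honest.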
@@ -1382,8 +1386,17 @@ class BindInstance(service.Service):
if self.sstore.restore_state("dns_over_tls", "enabled"):
if not self.sstore.restore_state("dns_over_tls", "external_crt"):
certmonger.stop_tracking(certfile=paths.BIND_DNS_OVER_TLS_CRT)
- services.knownservices["unbound"].disable()
- services.knownservices["unbound"].stop()
+ # only disable unbound if it was before IPA was deployed
+ if not self.sstore.restore_state("unbound", "enabled"):
+ services.knownservices["unbound"].disable()
+ if not self.sstore.restore_state("unbound", "running"):
+ services.knownservices["unbound"].stop()
+ # restore unbound config files that were removed during IPA install
+ ipautil.remove_file(paths.UNBOUND_CONF)
+ for filename, fileinfo in self.fstore.files.items():
+ if paths.UNBOUND_CONFIG_DIR in fileinfo:
+ self.fstore.restore_file(
+ os.path.join(paths.UNBOUND_CONFIG_DIR, filename))
ipautil.remove_file(paths.NAMED_CONF_BAK)
ipautil.remove_file(paths.NAMED_CUSTOM_CONF)
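Review bot: same iteration problem as in client.py: `for filename, fileinfo in self.fstore.files.items():` calls `self.fstore.restore_file(...)` in the loop body, and if `restore_file` removes the entry from `files` the loop raises `RuntimeError: dictionary changed size during iteration` after the first restored file; iterate over `list(self.fstore.files.items())`. The comment `# only disable unbound if it was before IPA was deployed` is missing a word (`was disabled before`).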
diff --git a/ipaserver/install/dns.py b/ipaserver/install/dns.py
index 0f7a3073f4de1641afb7fdfa77413b978fd23974..39c2f677b659ef578ab0f14322465e9d9f036c99 100644
--- a/ipaserver/install/dns.py
+++ b/ipaserver/install/dns.py
@@ -138,6 +138,16 @@ def _setup_dns_over_tls(options):
# module_config_iterator is commented out if DNSSEC validation is
# not disabled.
module_config_iterator = '' if options.no_dnssec_validation else '# '
+
+ # backup and remove all previous Unbound configuration
+ fstore = sysrestore.FileStore(paths.SYSRESTORE)
+ for filename in os.listdir(paths.UNBOUND_CONFIG_DIR):
+ filepath = os.path.join(paths.UNBOUND_CONFIG_DIR, filename)
+ if filepath == paths.UNBOUND_CONF:
+ continue
+ fstore.backup_file(filepath)
+ ipautil.remove_file(filepath)
+
ipautil.copy_template_file(
paths.UNBOUND_CONF_SRC,
paths.UNBOUND_CONF,
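Review bot: as in the client hunk, the `os.listdir(paths.UNBOUND_CONFIG_DIR)` loop backs up and removes every entry without checking that it is a regular file, so a subdirectory or dangling symlink in conf.d aborts `ipa-server-install`; add an `os.path.isfile` filter, and log the names moved aside so the loss of local Unbound settings (access-control, remote-control) is visible in the install log.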
@@ -179,7 +189,6 @@ def _setup_dns_over_tls(options):
]
nameservers = get_ipa_resolver().nameservers
if not nameservers or nameservers[0] != "127.0.0.1":
- fstore = sysrestore.FileStore(paths.SYSRESTORE)
fstore.backup_file(paths.RESOLV_CONF)
with open(paths.RESOLV_CONF, 'w') as f:
f.write('\n'.join(cfg))
--
2.50.1

@ -230,7 +230,7 @@
Name: %{package_name}
Version: %{IPA_VERSION}
Release: 22%{?rc_version:.%rc_version}%{?dist}
Release: 23%{?rc_version:.%rc_version}%{?dist}
Summary: The Identity, Policy and Audit system
License: GPL-3.0-or-later
@ -385,6 +385,12 @@ Patch0122: 0122-ipa-client-install-New-no-dnssec-validation-option.patch
Patch0123: 0123-ipaserver-install-dns.py-Allow-to-Turn-off-DNSSEC-va.patch
Patch0124: 0124-ipatests-Tests-for-32BitIdranges.patch
Patch0125: 0125-Replica-Request-cert-for-DoT-before-setting-up-bind.patch
Patch0126: 0126-ipatests-use-sos-report-instead-of-sosreport-command.patch
Patch0127: 0127-dns-only-overwrite-resolv.conf-during-eDNS-setup-whe.patch
Patch0128: 0128-Use-correct-capitalization-for-GitHub-and-GitLab.patch
Patch0129: 0129-kdb-prevent-double-crash-in-RBCD-ACL-free.patch
Patch0130: 0130-ipatests-Tests-for-ipa-migrate-tool-with-ldif-file.patch
Patch0131: 0131-dns-disable-all-previous-Unbound-configuration-befor.patch
Patch1001: 1001-Change-branding-to-IPA-and-Identity-Management.patch
%endif
%endif
@ -438,8 +444,9 @@ BuildRequires: libsss_idmap-devel
BuildRequires: libsss_certmap-devel
BuildRequires: libsss_nss_idmap-devel >= %{sssd_version}
%if 0%{?fedora} >= 41 || 0%{?rhel} >= 10
# Do not use nodejs-24
# Do not use nodejs22 on fedora < 41, https://pagure.io/freeipa/issue/9643
BuildRequires: nodejs(abi)
BuildRequires: nodejs(abi) == 127
%elif 0%{?fedora} >= 39
# Do not use nodejs20 on fedora < 39, https://pagure.io/freeipa/issue/9374
BuildRequires: nodejs(abi) < 127
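Review bot: this hunk pins `BuildRequires: nodejs(abi) == 127` with the comment `# Do not use nodejs-24`, but the 4.12.2-23 %changelog entry below lists no corresponding item, so the build-dependency change ships undocumented; add a changelog line (and, if there is a tracking issue for the nodejs 24 breakage, reference it next to the pin as the existing comments do for nodejs 20 and 22).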
@ -2046,6 +2053,13 @@ fi
%endif
%changelog
* Wed Jul 30 2025 Florence Blanc-Renaud <flo@redhat.com> - 4.12.2-23
- Resolves: RHEL-105973 Include fixes in python3-ipatests package
- Resolves: RHEL-105513 kdb: prevent double crash in RBCD ACL free
- Resolves: RHEL-101708 ipatests: use "sos report" instead of "sosreport" command
- Resolves: RHEL-95733 Incorrect use of external IdP GitHub trademark
- Resolves: RHEL-95374 eDNS: multiple issues during encrypted DNS setup
* Thu Jun 26 2025 Florence Blanc-Renaud <flo@redhat.com> - 4.12.2-22
- Resolves: RHEL-95374 eDNS: multiple issues during encrypted DNS setup
- Resolves: RHEL-89893 ipa: Privilege escalation from host to domain admin in FreeIPA