diff --git a/0126-ipatests-use-sos-report-instead-of-sosreport-command.patch b/0126-ipatests-use-sos-report-instead-of-sosreport-command.patch new file mode 100644 index 0000000..2451d30 --- /dev/null +++ b/0126-ipatests-use-sos-report-instead-of-sosreport-command.patch @@ -0,0 +1,40 @@ +From 1c789f5ffde5d443fa2ce6ccfc4eb55f9a8afb4c Mon Sep 17 00:00:00 2001 +From: Florence Blanc-Renaud +Date: Tue, 25 Feb 2025 10:24:56 +0100 +Subject: [PATCH] ipatests: use "sos report" instead of "sosreport" command + +The "soscommand" has been deprecated and "sos report" should be +used instead. The redirector was removed in sos 4.9. + +Fixes: https://pagure.io/freeipa/issue/9752 +Signed-off-by: Florence Blanc-Renaud +Reviewed-By: Alexander Bokovoy +--- + ipatests/test_integration/test_ipahealthcheck.py | 4 ++-- + 1 file changed, 2 insertions(+), 2 deletions(-) + +diff --git a/ipatests/test_integration/test_ipahealthcheck.py b/ipatests/test_integration/test_ipahealthcheck.py +index 7c3f5857a477070d8a9b52c04d41f35ac580c97f..05a0adb24a3f26d70d0690462e7c0fefbf98c6e6 100644 +--- a/ipatests/test_integration/test_ipahealthcheck.py ++++ b/ipatests/test_integration/test_ipahealthcheck.py +@@ -1405,7 +1405,7 @@ class TestIpaHealthCheck(IntegrationTest): + msg = "[plugin:ipa] collecting path '{}'".format(HEALTHCHECK_LOG) + cmd = self.master.run_command( + [ +- "sosreport", ++ "sos", "report", + "-o", + "ipa", + "--case-id", +@@ -1508,7 +1508,7 @@ class TestIpaHealthCheck(IntegrationTest): + caseid = "123456" + self.master.run_command( + [ +- "sosreport", ++ "sos", "report", + "-o", + "ipa", + "--case-id", +-- +2.50.1 + diff --git a/0127-dns-only-overwrite-resolv.conf-during-eDNS-setup-whe.patch b/0127-dns-only-overwrite-resolv.conf-during-eDNS-setup-whe.patch new file mode 100644 index 0000000..3396803 --- /dev/null +++ b/0127-dns-only-overwrite-resolv.conf-during-eDNS-setup-whe.patch 
@@ -0,0 +1,57 @@ +From a6ae9f740991888bede82884bd9609db220430e3 Mon Sep 17 00:00:00 2001 +From: Antonio Torres +Date: Mon, 23 Jun 2025 10:49:34 +0200 +Subject: [PATCH] dns: only overwrite resolv.conf during eDNS setup when needed + +Don't overwrite resolv.conf if it already points to 127.0.0.1. This +ensures compatibility with read-only containers. + +Fixes: https://pagure.io/freeipa/issue/9813 +Signed-off-by: Antonio Torres +Reviewed-By: Florence Blanc-Renaud +--- + ipaserver/install/dns.py | 16 +++++++++------- + 1 file changed, 9 insertions(+), 7 deletions(-) + +diff --git a/ipaserver/install/dns.py b/ipaserver/install/dns.py +index 9740faeddb244a56b2dc8a274ff82158f6dd2204..0f7a3073f4de1641afb7fdfa77413b978fd23974 100644 +--- a/ipaserver/install/dns.py ++++ b/ipaserver/install/dns.py +@@ -33,7 +33,7 @@ from ipapython import ipautil + from ipapython import dnsutil + from ipapython.certdb import EXTERNAL_CA_TRUST_FLAGS + from ipapython.dn import DN +-from ipapython.dnsutil import check_zone_overlap ++from ipapython.dnsutil import check_zone_overlap, get_ipa_resolver + from ipapython.install import typing + from ipapython.install.core import group, knob + from ipapython.admintool import ScriptError +@@ -171,17 +171,19 @@ def _setup_dns_over_tls(options): + f.write("\n".join(dns_none)) + nm.reload_or_restart() + +- # Overwrite resolv.conf to point to IPA ++ # Ensure resolv.conf points to IPA + cfg = [ + "# auto-generated by IPA installer", + "search .", + "nameserver 127.0.0.1\n" + ] +- fstore = sysrestore.FileStore(paths.SYSRESTORE) +- fstore.backup_file(paths.RESOLV_CONF) +- with open(paths.RESOLV_CONF, 'w') as f: +- f.write('\n'.join(cfg)) +- os.chmod(paths.RESOLV_CONF, 0o644) ++ nameservers = get_ipa_resolver().nameservers ++ if not nameservers or nameservers[0] != "127.0.0.1": ++ fstore = sysrestore.FileStore(paths.SYSRESTORE) ++ fstore.backup_file(paths.RESOLV_CONF) ++ with open(paths.RESOLV_CONF, 'w') as f: ++ f.write('\n'.join(cfg)) ++ 
os.chmod(paths.RESOLV_CONF, 0o644) + + services.knownservices.unbound.enable() + services.knownservices.unbound.restart() +-- +2.50.1 + diff --git a/0128-Use-correct-capitalization-for-GitHub-and-GitLab.patch b/0128-Use-correct-capitalization-for-GitHub-and-GitLab.patch new file mode 100644 index 0000000..257f243 --- /dev/null +++ b/0128-Use-correct-capitalization-for-GitHub-and-GitLab.patch 
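Review bot: The new guard in `_setup_dns_over_tls` inspects only `nameservers[0]`, so a resolv.conf that lists 127.0.0.1 first and an external resolver second (or one with a different `search` line) is left untouched, is never backed up, and skips the `os.chmod` too — which defeats the stated goal of making resolv.conf point at the local Unbound listener only, since a plain-DNS fallback resolver would survive. If a file that is exactly the IPA configuration is what should be skipped, `if nameservers != ["127.0.0.1"]:` expresses that; otherwise the comment should say that only the first entry is checked on purpose. I am assuming `get_ipa_resolver().nameservers` reflects what is in `paths.RESOLV_CONF` on this host — worth confirming, since a system stub resolver could make the parsed list differ from the file. `_setup_dns_over_tls` starts before this hunk.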
@@ -0,0 +1,151 @@ +From 6bb7ebd40f3fa9c266e62caef961c1078440751d Mon Sep 17 00:00:00 2001 +From: Rafael Guterres Jeffman +Date: Tue, 17 Jun 2025 17:15:49 -0300 +Subject: [PATCH] Use correct capitalization for GitHub and GitLab + +The correct third party trademarks are GitHub and GitLab, and this is +the capitalization that needs to be used for documentation and messages, +when referring to each service. + +Fixes: https://pagure.io/freeipa/issue/9811 +Signed-off-by: Rafael Guterres Jeffman +Reviewed-By: Florence Blanc-Renaud +Reviewed-By: Rob Crittenden +--- + doc/designs/external-idp/idp-api.md | 22 +++++++++++----------- + doc/workshop/12-external-idp-support.rst | 4 ++-- + ipaserver/plugins/internal.py | 2 +- + ipatests/test_integration/test_cert.py | 2 +- + po/ipa.pot | 2 +- + 5 files changed, 16 insertions(+), 16 deletions(-) + +diff --git a/doc/designs/external-idp/idp-api.md b/doc/designs/external-idp/idp-api.md +index fe2ba8d67389b89216b128c253695e3d1da363be..59d2ccb5707cda549130fc0f4e05c8e8ee9bb86b 100644 +--- a/doc/designs/external-idp/idp-api.md ++++ b/doc/designs/external-idp/idp-api.md +@@ -156,13 +156,13 @@ List of pre-populated IdP types is currently limited by the following provider + Some IdP providers support parametrized URIs which include organization or a + realm name, or specific base URL, or both. + +-One notable omission in the pre-populated IdP types above is Gitlab. ++One notable omission in the pre-populated IdP types above is GitLab. + + FreeIPA only supports IdPs that implement OAuth 2.0 Device authorization + grant flow as defined by the [RFC 8628](https://www.rfc-editor.org/rfc/rfc8628). + If required IdP cannot be made to support Device authorization grant flow, it + is recommended to use OAuth 2.0 federation within an IdP that supports this +-method. Gitlab does not support OAuth 2.0 Device authorization grant flow and ++method. GitLab does not support OAuth 2.0 Device authorization grant flow and + thus is not supported directly. 
+ + SSSD 2.7.0 implements Kerberos pre-authentication method `idp` (registered as a +@@ -193,7 +193,7 @@ Choosing `--provider=google` would expand to use the following options: + | `--scope`=STR | `openid email` | + | `--idp-user-id`=STR | `email` | + +-#### Github IdPs ++#### GitHub IdPs + + Choosing `--provider=github` would expand to use the following options: + +@@ -207,17 +207,17 @@ Choosing `--provider=github` would expand to use the following options: + | `--scope`=STR | `user` | + | `--idp-user-id`=STR | `login` | + +-Please note that Github explicitly states that a user login is not unique and ++Please note that GitHub explicitly states that a user login is not unique and + can be reused after a user account was deleted. The configuration above aims +-for an easy setup for testing. If production deployment with Github IdP would ++for an easy setup for testing. If production deployment with GitHub IdP would + be required, it is recommended to change `--idp-user-id` to a more unique subject +-like `id`. Unfortunately, Github UI does not give an easy way to discover a ++like `id`. Unfortunately, GitHub UI does not give an easy way to discover a + user ID. Other IdPs also lack an easy way to resolve these internal identifiers + when not authorized by the user themselves. + +-For Github, user's ID can be looked up without authentication through the Users ++For GitHub, user's ID can be looked up without authentication through the Users + API. Assuming we have `curl` and `jq` utilities available, a request to +-discover an ID of a Github user named `test` would look like: ++discover an ID of a GitHub user named `test` would look like: + + ``` + $ curl --silent \ +@@ -386,10 +386,10 @@ scope is used, this typically maps to `sub` value. Since there are no ways to + pull this value for all users in advance, pre-populated IdP templates set OAuth + 2.0 scopes to include `email` and then use `email` to map IdP subject where possible. 
+ There are some well-known IdPs which allow reuse of user accounts and emails, this +-applies to both Github and Gitlab. Since Gitlab does not support OAuth 2.0 ++applies to both GitHub and GitLab. Since GitLab does not support OAuth 2.0 + Device authorization grant flow, it is not an issue in itself for this project. However, +-for Github it is known that user accounts can be recycled after their removal. In +-this case we would recommend to use internal Github identifier instead. ++for GitHub it is known that user accounts can be recycled after their removal. In ++this case we would recommend to use internal GitHub identifier instead. + + ## Upgrade and backward compatibility + +diff --git a/doc/workshop/12-external-idp-support.rst b/doc/workshop/12-external-idp-support.rst +index 022c26483fa5b08fa02b69ff63fac7d08c53d110..66c714c257f0dacc724753cbc73968a588aa3a07 100644 +--- a/doc/workshop/12-external-idp-support.rst ++++ b/doc/workshop/12-external-idp-support.rst +@@ -94,7 +94,7 @@ authorization grant flow: + + * Microsoft Identity Platform, including Azure AD + * Google +-* Github ++* GitHub + * Keycloak, including Red Hat SSO + * Okta + +@@ -389,7 +389,7 @@ IPA. Option ``--provider keycloak`` allows us to fill-in pre-defined template + for Keycloak or Red Hat SSO IdPs. The template expects both Keycloak's realm + (``--org`` option) and a base URL (``--base-url`` option) because Keycloak is + typically deployed as a part of a larger solution. These options may not be +-needed for other pre-defined templates like Google or Github. ++needed for other pre-defined templates like Google or GitHub. + + The `openid` scope is mandatory since + [Keycloak 19.0.2](https://www.keycloak.org/docs/latest/upgrading/index.html#userinfo-endpoint-changes). 
+diff --git a/ipaserver/plugins/internal.py b/ipaserver/plugins/internal.py +index e8642b6f03754fbdc6a099b72407ed2df25da86f..283b430778c37861c417c7829ac04bd2fb966be0 100644 +--- a/ipaserver/plugins/internal.py ++++ b/ipaserver/plugins/internal.py +@@ -1100,7 +1100,7 @@ class i18n_messages(Command): + "idp": { + "template_keycloak": _("Keycloak or Red Hat SSO"), + "template_google": _("Google"), +- "template_github": _("Github"), ++ "template_github": _("GitHub"), + "template_microsoft": _("Microsoft or Azure"), + "template_okta": _("Okta"), + "label_idpclient": _("OAuth 2.0 client details"), +diff --git a/ipatests/test_integration/test_cert.py b/ipatests/test_integration/test_cert.py +index 88859e67f5653bc91f25152c414350c0ba41e036..05b20b910b249af24039a497538f96dad07162aa 100644 +--- a/ipatests/test_integration/test_cert.py ++++ b/ipatests/test_integration/test_cert.py +@@ -540,7 +540,7 @@ class TestCAShowErrorHandling(IntegrationTest): + 4. Verify LWCA is recognized on the server + 5. Run `ipa ca-show ` + +- PKI Github Link: https://github.com/dogtagpki/pki/pull/3605/ ++ PKI GitHub Link: https://github.com/dogtagpki/pki/pull/3605/ + """ + self.replicas[0].run_command(['systemctl', 'stop', 'ipa-custodia']) + lwca = 'lwca1' +diff --git a/po/ipa.pot b/po/ipa.pot +index 41ee14059f1dc00f22c53d59f82ba9c4df439d1a..07413d546241149fcde36c38c0750d040916ba0f 100644 +--- a/po/ipa.pot ++++ b/po/ipa.pot +@@ -23944,7 +23944,7 @@ msgid "Google" + msgstr "" + + #: ipaserver/plugins/internal.py:1103 +-msgid "Github" ++msgid "GitHub" + msgstr "" + + #: ipaserver/plugins/internal.py:1104 +-- +2.50.1 + diff --git a/0129-kdb-prevent-double-crash-in-RBCD-ACL-free.patch b/0129-kdb-prevent-double-crash-in-RBCD-ACL-free.patch new file mode 100644 index 0000000..c6a701c --- /dev/null +++ b/0129-kdb-prevent-double-crash-in-RBCD-ACL-free.patch 
@@ -0,0 +1,35 @@ +From 45cce31e2596de2c9b6048674510572c248e2ec9 Mon Sep 17 00:00:00 2001 +From: Alexander Bokovoy +Date: Tue, 15 Jul 2025 10:52:01 +0300 +Subject: [PATCH] kdb: prevent double crash in RBCD ACL free + +acl_list was set to prev->tl_data_contents and its value is freed but +then is is freed again outside of the if(). Just reset acl_list pointer +as prev->tl_data_contents is removed unconditionally outside of the RBCD +ACL removal. + +Related: https://pagure.io/freeipa/issue/9367 + +Signed-off-by: Alexander Bokovoy +Reviewed-By: Rob Crittenden +--- + daemons/ipa-kdb/ipa_kdb_principals.c | 3 ++- + 1 file changed, 2 insertions(+), 1 deletion(-) + +diff --git a/daemons/ipa-kdb/ipa_kdb_principals.c b/daemons/ipa-kdb/ipa_kdb_principals.c +index 19998c2a38b5d8ae80aeedeb003f54241d2c2a9f..a7e77e940ab61b27407076a834f3804b0e69c122 100644 +--- a/daemons/ipa-kdb/ipa_kdb_principals.c ++++ b/daemons/ipa-kdb/ipa_kdb_principals.c +@@ -2160,7 +2160,8 @@ void ipadb_free_principal(krb5_context kcontext, krb5_db_entry *entry) + for (i = 0; (acl_list != NULL) && (acl_list[i] != NULL); i++) { + free(acl_list[i]); + } +- free(acl_list); ++ /* prev->tl_data_contents will be removed below */ ++ acl_list = NULL; + } + free(prev->tl_data_contents); + free(prev); +-- +2.50.1 + diff --git a/0130-ipatests-Tests-for-ipa-migrate-tool-with-ldif-file.patch b/0130-ipatests-Tests-for-ipa-migrate-tool-with-ldif-file.patch new file mode 100644 index 0000000..84e85a1 --- /dev/null +++ b/0130-ipatests-Tests-for-ipa-migrate-tool-with-ldif-file.patch 
@@ -0,0 +1,110 @@ +From 0c9ba2a0075f02315810521357cf2e5b52fc7d41 Mon Sep 17 00:00:00 2001 +From: Sudhir Menon +Date: Wed, 9 Apr 2025 13:10:58 +0530 +Subject: [PATCH] ipatests: Tests for ipa-migrate tool with ldif file + +This test checks that when ipa-migrate tool +uses ldif file it works without any error. + +Related: https://pagure.io/freeipa/issue/9776 + +Signed-off-by: Sudhir Menon +Reviewed-By: Florence Blanc-Renaud +Reviewed-By: Rob Crittenden +Reviewed-By: Florence Blanc-Renaud +Reviewed-By: Rob Crittenden +--- + .../test_ipa_ipa_migration.py | 80 +++++++++++++++++++ + 1 file changed, 80 insertions(+) + +diff --git a/ipatests/test_integration/test_ipa_ipa_migration.py b/ipatests/test_integration/test_ipa_ipa_migration.py +index 95c29234fc7893d3eae5d900a58aa7b1162ed61d..c6247e772b257748aa0c0f58bd04b53d3756125c 100644 +--- a/ipatests/test_integration/test_ipa_ipa_migration.py ++++ b/ipatests/test_integration/test_ipa_ipa_migration.py +@@ -1265,3 +1265,83 @@ class TestIPAMigrationWithADtrust(IntegrationTest): + ["ipa", "idrange-show", ad_domain_name + "_id_range"] + ) + assert cmd1.stdout_text == cmd2.stdout_text ++ ++ ++class TestIPAMigratewithBackupRestore(IntegrationTest): ++ """ ++ Test for ipa-migrate tool with backup files. ++ The master and replicas[1] are used to create the data source. ++ The replicas[0] is used as new server, retrieving data from the source. ++ replicas[1] is needed to make sure that the source LDIF ++ file contains replication attributes with ++ options (for instance objectClass;vucsn-67f7b3de000300030000). 
++ """ ++ num_replicas = 2 ++ topology = "line" ++ ++ @classmethod ++ def install(cls, mh): ++ tasks.install_master(cls.master, setup_dns=True, setup_kra=True) ++ prepare_ipa_server(cls.master) ++ tasks.install_master(cls.replicas[0], setup_dns=True, setup_kra=True) ++ tasks.install_replica(cls.master, cls.replicas[1], ++ setup_dns=True, setup_kra=True) ++ ++ @pytest.fixture ++ def create_delete_user(self): ++ """ ++ This fixtures creates a ldapuser using the ++ ldif file and then delete the users ++ """ ++ self.master.run_command(['ipa', 'user-add', 'testuser', ++ '--first', 'test', ++ '--last', 'user']) ++ self.master.run_command(['ipa', 'user-del', 'testuser']) ++ yield ++ ++ def test_ipa_migrate_stage_mode(self, create_delete_user): ++ """ ++ This test checks ipa-migrate with LDIF file ++ from backup of remote server is successful. ++ """ ++ ERR_MSG = ( ++ "error: change collided with another change" ++ ) ++ dashed_domain_name = self.master.domain.realm.replace( ++ ".", '-' ++ ) ++ DB_LDIF_FILE = '{}-userRoot.ldif'.format( ++ dashed_domain_name ++ ) ++ SCHEMA_LDIF_FILE = '{}''/config_files/schema/99user.ldif'.format( ++ dashed_domain_name) ++ CONFIG_LDIF_FILE = '{}''/config_files/dse.ldif'.format( ++ dashed_domain_name) ++ param = [ ++ '-n', '-g', CONFIG_LDIF_FILE, '-m', SCHEMA_LDIF_FILE, ++ '-f', DB_LDIF_FILE ++ ] ++ tasks.kinit_admin(self.master) ++ tasks.kinit_admin(self.replicas[0]) ++ backup_path = tasks.get_backup_dir(self.master) ++ remote_ipa_tar_file = backup_path + '/ipa-full.tar' ++ ipa_tar_file = self.master.get_file_contents( ++ remote_ipa_tar_file ++ ) ++ replica_file_name = "/tmp/ipa-full.tar" ++ self.replicas[0].put_file_contents( ++ replica_file_name, ipa_tar_file ++ ) ++ self.replicas[0].run_command( ++ ['/usr/bin/tar', '-xvf', replica_file_name] ++ ) ++ result = run_migrate( ++ self.replicas[0], ++ "stage-mode", ++ self.master.hostname, ++ "cn=Directory Manager", ++ self.master.config.admin_password, ++ extra_args=param, ++ ) ++ assert 
result.returncode == 0 ++ assert ERR_MSG not in result.stderr_text +-- +2.50.1 + diff --git a/0131-dns-disable-all-previous-Unbound-configuration-befor.patch b/0131-dns-disable-all-previous-Unbound-configuration-befor.patch new file mode 100644 index 0000000..c06c1b5 --- /dev/null +++ b/0131-dns-disable-all-previous-Unbound-configuration-befor.patch 
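Review bot: The `create_delete_user` fixture docstring says it creates a user "using the ldif file", but the body runs `ipa user-add` followed by `ipa user-del` on the master; the class docstring suggests the real purpose is to leave replication state in the exported LDIF, so the fixture docstring should say that, e.g. `"""Create and then delete a user on the master so the exported LDIF carries deleted-entry/replication attributes for ipa-migrate to handle."""` (intent inferred from the class docstring — confirm). The path constants use adjacent string literals (`'{}''/config_files/schema/99user.ldif'`), which read like a typo; the single literal `'{}/config_files/schema/99user.ldif'.format(dashed_domain_name)` is equivalent and clearer. The tarball is copied to the fixed path `/tmp/ipa-full.tar` and extracted with a relative `tar -xvf`, and the LDIF paths in `param` are relative as well, so the test silently depends on the working directory that `run_command` uses; that assumption belongs in the test docstring.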
@@ -0,0 +1,174 @@ +From bae780843ef26da1d0876086205cda9f590e9c01 Mon Sep 17 00:00:00 2001 +From: Antonio Torres +Date: Tue, 24 Jun 2025 13:41:17 +0200 +Subject: [PATCH] dns: disable all previous Unbound configuration before + deploying ours + +Previous configuration from another packages might break our Unbound +setup. Rename the config files to disable them before deploying our +configuration. + +Fixes: https://pagure.io/freeipa/issue/9814 +Signed-off-by: Antonio Torres +Reviewed-By: Thomas Woerner +Reviewed-By: Rob Crittenden +--- + ipaclient/install/client.py | 29 ++++++++++++++++++++++++++--- + ipaplatform/base/paths.py | 1 + + ipaserver/install/bindinstance.py | 17 +++++++++++++++-- + ipaserver/install/dns.py | 11 ++++++++++- + 4 files changed, 52 insertions(+), 6 deletions(-) + +diff --git a/ipaclient/install/client.py b/ipaclient/install/client.py +index 96e91268f54aecf08e0791c91811072e8d6f459f..1885e4a8d4d1ae97ee70c163d5a47bb819288065 100644 +--- a/ipaclient/install/client.py ++++ b/ipaclient/install/client.py +@@ -1656,7 +1656,7 @@ def get_server_connection_interface(server): + raise RuntimeError(msg) + + +-def client_dns(server, hostname, options): ++def client_dns(server, hostname, options, statestore): + + try: + verify_host_resolvable(hostname) +@@ -1672,12 +1672,22 @@ def client_dns(server, hostname, options): + + # Setup DNS over TLS + if options.dns_over_tls: ++ fstore = sysrestore.FileStore(paths.IPA_CLIENT_SYSRESTORE) ++ statestore.backup_state("dns_over_tls", "enabled", True) ++ save_state(services.knownservices["unbound"], statestore) + # setup and enable Unbound as resolver + server_ip = str(list(dnsutil.resolve_ip_addresses(server))[0]) + forward_addr = "forward-addr: %s#%s" % (server_ip, server) + # module_config_iterator is commented out if DNSSEC validation is + # not disabled. 
+ module_config_iterator = '' if options.no_dnssec_validation else '# ' ++ # backup and remove all previous Unbound configuration ++ for filename in os.listdir(paths.UNBOUND_CONFIG_DIR): ++ filepath = os.path.join(paths.UNBOUND_CONFIG_DIR, filename) ++ if filepath == paths.UNBOUND_CONF: ++ continue ++ fstore.backup_file(filepath) ++ remove_file(filepath) + ipautil.copy_template_file( + paths.UNBOUND_CONF_SRC, + paths.UNBOUND_CONF, +@@ -1710,7 +1720,6 @@ def client_dns(server, hostname, options): + "search .", + "nameserver 127.0.0.55\n" + ] +- fstore = sysrestore.FileStore(paths.IPA_CLIENT_SYSRESTORE) + fstore.backup_file(paths.RESOLV_CONF) + with open(paths.RESOLV_CONF, 'w') as f: + f.write('\n'.join(cfg)) +@@ -3242,7 +3251,7 @@ def _install(options, tdict): + tasks.insert_ca_certs_into_systemwide_ca_store(ca_certs) + + if not options.on_master: +- client_dns(cli_server[0], hostname, options) ++ client_dns(cli_server[0], hostname, options, statestore) + + update_ssh_keys(hostname, paths.SSH_CONFIG_DIR, options, cli_server[0]) + +@@ -3632,6 +3641,20 @@ def uninstall(options): + except Exception: + pass + ++ # Restore unbound to its original status ++ if statestore.restore_state("dns_over_tls", "enabled"): ++ unbound = services.knownservices['unbound'] ++ if not statestore.restore_state('unbound', 'running'): ++ unbound.stop() ++ if not statestore.restore_state('unbound', 'enabled'): ++ unbound.disable() ++ # restore unbound config files that were removed during IPA install ++ remove_file(paths.UNBOUND_CONF) ++ for filename, fileinfo in fstore.files.items(): ++ if paths.UNBOUND_CONFIG_DIR in fileinfo: ++ fstore.restore_file( ++ os.path.join(paths.UNBOUND_CONFIG_DIR, filename)) ++ + logger.info("Disabling client Kerberos and LDAP configurations") + was_sssd_installed = False + was_sshd_configured = False +diff --git a/ipaplatform/base/paths.py b/ipaplatform/base/paths.py +index a5bca789bdb8d07b51779e28adf64c9b68892328..8b62971f98cb282a7bcbe30019d39bcdfadec7a9 100644 
+--- a/ipaplatform/base/paths.py ++++ b/ipaplatform/base/paths.py +@@ -102,6 +102,7 @@ class BasePathNamespace: + NAMED_MANAGED_KEYS_DIR = "/var/named/dynamic" + NAMED_CRYPTO_POLICY_FILE = None + UNBOUND_CONF_SRC = '/usr/share/ipa/client/unbound.conf.template' ++ UNBOUND_CONFIG_DIR = "/etc/unbound/conf.d/" + UNBOUND_CONF = "/etc/unbound/conf.d/zzz-ipa.conf" + NSLCD_CONF = "/etc/nslcd.conf" + NSS_LDAP_CONF = "/etc/nss_ldap.conf" +diff --git a/ipaserver/install/bindinstance.py b/ipaserver/install/bindinstance.py +index 0cc1f1325ce0a9dbdb09f4100a1a22bc4f24924a..ea4d4bf0e8a2d189cc0e59835db2423d7ff1cfeb 100644 +--- a/ipaserver/install/bindinstance.py ++++ b/ipaserver/install/bindinstance.py +@@ -690,6 +690,10 @@ class BindInstance(service.Service): + self.reverse_zones = reverse_zones + + self.sstore.backup_state("dns_over_tls", "enabled", dns_over_tls) ++ self.sstore.backup_state("unbound", "running", ++ services.knownservices["unbound"].is_running()) ++ self.sstore.backup_state("unbound", "enabled", ++ services.knownservices["unbound"].is_enabled()) + + if not zonemgr: + self.zonemgr = 'hostmaster.%s' % normalize_zone(self.domain) +@@ -1382,8 +1386,17 @@ class BindInstance(service.Service): + if self.sstore.restore_state("dns_over_tls", "enabled"): + if not self.sstore.restore_state("dns_over_tls", "external_crt"): + certmonger.stop_tracking(certfile=paths.BIND_DNS_OVER_TLS_CRT) +- services.knownservices["unbound"].disable() +- services.knownservices["unbound"].stop() ++ # only disable unbound if it was before IPA was deployed ++ if not self.sstore.restore_state("unbound", "enabled"): ++ services.knownservices["unbound"].disable() ++ if not self.sstore.restore_state("unbound", "running"): ++ services.knownservices["unbound"].stop() ++ # restore unbound config files that were removed during IPA install ++ ipautil.remove_file(paths.UNBOUND_CONF) ++ for filename, fileinfo in self.fstore.files.items(): ++ if paths.UNBOUND_CONFIG_DIR in fileinfo: ++ 
self.fstore.restore_file( ++ os.path.join(paths.UNBOUND_CONFIG_DIR, filename)) + + ipautil.remove_file(paths.NAMED_CONF_BAK) + ipautil.remove_file(paths.NAMED_CUSTOM_CONF) +diff --git a/ipaserver/install/dns.py b/ipaserver/install/dns.py +index 0f7a3073f4de1641afb7fdfa77413b978fd23974..39c2f677b659ef578ab0f14322465e9d9f036c99 100644 +--- a/ipaserver/install/dns.py ++++ b/ipaserver/install/dns.py +@@ -138,6 +138,16 @@ def _setup_dns_over_tls(options): + # module_config_iterator is commented out if DNSSEC validation is + # not disabled. + module_config_iterator = '' if options.no_dnssec_validation else '# ' ++ ++ # backup and remove all previous Unbound configuration ++ fstore = sysrestore.FileStore(paths.SYSRESTORE) ++ for filename in os.listdir(paths.UNBOUND_CONFIG_DIR): ++ filepath = os.path.join(paths.UNBOUND_CONFIG_DIR, filename) ++ if filepath == paths.UNBOUND_CONF: ++ continue ++ fstore.backup_file(filepath) ++ ipautil.remove_file(filepath) ++ + ipautil.copy_template_file( + paths.UNBOUND_CONF_SRC, + paths.UNBOUND_CONF, +@@ -179,7 +189,6 @@ def _setup_dns_over_tls(options): + ] + nameservers = get_ipa_resolver().nameservers + if not nameservers or nameservers[0] != "127.0.0.1": +- fstore = sysrestore.FileStore(paths.SYSRESTORE) + fstore.backup_file(paths.RESOLV_CONF) + with open(paths.RESOLV_CONF, 'w') as f: + f.write('\n'.join(cfg)) +-- +2.50.1 + diff --git a/freeipa.spec b/freeipa.spec index 23cf4e3..5a4dfc1 100644 --- a/freeipa.spec +++ b/freeipa.spec @@ -230,7 +230,7 @@ Name: %{package_name} Version: %{IPA_VERSION} -Release: 22%{?rc_version:.%rc_version}%{?dist} +Release: 23%{?rc_version:.%rc_version}%{?dist} Summary: The Identity, Policy and Audit system License: GPL-3.0-or-later 
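Review bot: In the new uninstall code, `fstore.restore_file(...)` is called while iterating `fstore.files.items()` directly (client.py `uninstall()`, and the same loop in `BindInstance` in bindinstance.py); if `restore_file` drops the restored entry from `fstore.files`, which is what I would expect of sysrestore — please confirm — the loop raises `RuntimeError: dictionary changed size during iteration` on the first match and the remaining Unbound files are never restored. Iterating a snapshot avoids this: `for filename, fileinfo in list(fstore.files.items()):` (and `list(self.fstore.files.items())` in bindinstance.py). The match is a substring test of `/etc/unbound/conf.d/` against the whole fileinfo record and the restore path is rebuilt from the store key rather than from the recorded path, which only works if the key is the file's basename and no other record contains that directory string; a one-line comment stating that assumption would help the next reader. On the install side, `os.listdir` followed by `backup_file` and `remove_file` will fail on a subdirectory or other non-regular entry in `paths.UNBOUND_CONFIG_DIR`, so guarding with `if not os.path.isfile(filepath): continue` (in both `client_dns` and `_setup_dns_over_tls`) keeps the cleanup predictable. The enclosing functions start outside this hunk.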
@@ -385,6 +385,12 @@ Patch0122: 0122-ipa-client-install-New-no-dnssec-validation-option.patch Patch0123: 0123-ipaserver-install-dns.py-Allow-to-Turn-off-DNSSEC-va.patch Patch0124: 0124-ipatests-Tests-for-32BitIdranges.patch Patch0125: 0125-Replica-Request-cert-for-DoT-before-setting-up-bind.patch +Patch0126: 0126-ipatests-use-sos-report-instead-of-sosreport-command.patch +Patch0127: 0127-dns-only-overwrite-resolv.conf-during-eDNS-setup-whe.patch +Patch0128: 0128-Use-correct-capitalization-for-GitHub-and-GitLab.patch +Patch0129: 0129-kdb-prevent-double-crash-in-RBCD-ACL-free.patch +Patch0130: 0130-ipatests-Tests-for-ipa-migrate-tool-with-ldif-file.patch +Patch0131: 0131-dns-disable-all-previous-Unbound-configuration-befor.patch Patch1001: 1001-Change-branding-to-IPA-and-Identity-Management.patch %endif %endif @@ -438,8 +444,9 @@ BuildRequires: libsss_idmap-devel BuildRequires: libsss_certmap-devel BuildRequires: libsss_nss_idmap-devel >= %{sssd_version} %if 0%{?fedora} >= 41 || 0%{?rhel} >= 10 +# Do not use nodejs-24 # Do not use nodejs22 on fedora < 41, https://pagure.io/freeipa/issue/9643 -BuildRequires: nodejs(abi) +BuildRequires: nodejs(abi) == 127 %elif 0%{?fedora} >= 39 # Do not use nodejs20 on fedora < 39, https://pagure.io/freeipa/issue/9374 BuildRequires: nodejs(abi) < 127 @@ -2046,6 +2053,13 @@ fi %endif %changelog +* Wed Jul 30 2025 Florence Blanc-Renaud - 4.12.2-23 +- Resolves: RHEL-105973 Include fixes in python3-ipatests package +- Resolves: RHEL-105513 kdb: prevent double crash in RBCD ACL free +- Resolves: RHEL-101708 ipatests: use "sos report" instead of "sosreport" command +- Resolves: RHEL-95733 Incorrect use of external IdP GitHub trademark +- Resolves: RHEL-95374 eDNS: multiple issues during encrypted DNS setup + * Thu Jun 26 2025 Florence Blanc-Renaud - 4.12.2-22 - Resolves: RHEL-95374 eDNS: multiple issues during encrypted DNS setup - Resolves: RHEL-89893 ipa: Privilege escalation from host to domain admin in FreeIPA
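Review bot: The new `BuildRequires: nodejs(abi) == 127` pin is still preceded by the retained comment `# Do not use nodejs22 on fedora < 41`, which explained the previous unpinned line and no longer describes an exact pin, while the added `# Do not use nodejs-24` gives no reason. A single comment carrying the rationale reads better, e.g. `# Pin to the nodejs 22 ABI (127): nodejs 24 is not supported yet, see <TRACKING-ISSUE-URL>` with the real issue link substituted for the placeholder. Since an exact `==` pin breaks the build as soon as the buildroot's `nodejs(abi)` changes, that tracking reference is worth having. The Release bump and changelog entries need no change.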