diff --git a/0051-selinux-policy-allow-custodia-to-access-proc-cpuinfo.patch b/0051-selinux-policy-allow-custodia-to-access-proc-cpuinfo.patch new file mode 100644 index 0000000..d06f248 --- /dev/null +++ b/0051-selinux-policy-allow-custodia-to-access-proc-cpuinfo.patch @@ -0,0 +1,41 @@ +From 07e2bf732f54f936cccc4e0c7b468d77f97e911a Mon Sep 17 00:00:00 2001 +From: Florence Blanc-Renaud +Date: Mon, 30 Aug 2021 18:40:24 +0200 +Subject: [PATCH] selinux policy: allow custodia to access /proc/cpuinfo + +On aarch64, custodia creates AVC when accessing /proc/cpuinfo. + +According to gcrypt manual +(https://gnupg.org/documentation/manuals/gcrypt/Configuration.html), +/proc/cpuinfo is used on ARM architecture to read the hardware +capabilities of the CPU. This explains why the issue happens only +on aarch64. + +audit2allow suggests to add the following: +allow ipa_custodia_t proc_t:file { getattr open read }; + +but this policy would be too broad. Instead, the patch is using +the interface kernel_read_system_state. + +Fixes: https://pagure.io/freeipa/issue/8972 +Signed-off-by: Florence Blanc-Renaud +Reviewed-By: Christian Heimes +--- + selinux/ipa.te | 1 + + 1 file changed, 1 insertion(+) + +diff --git a/selinux/ipa.te b/selinux/ipa.te +index 68e10941951ac391fda7854d1403558c069dad46..7492fca04d4f0d031ecd83871078247d73cc87e0 100644 +--- a/selinux/ipa.te ++++ b/selinux/ipa.te +@@ -364,6 +364,7 @@ files_tmp_filetrans(ipa_custodia_t, ipa_custodia_tmp_t, { dir file }) + + kernel_dgram_send(ipa_custodia_t) + kernel_read_network_state(ipa_custodia_t) ++kernel_read_system_state(ipa_custodia_t) + + auth_read_passwd(ipa_custodia_t) + +-- +2.31.1 + diff --git a/0052-extdom-return-LDAP_NO_SUCH_OBJECT-if-domains-differ.patch b/0052-extdom-return-LDAP_NO_SUCH_OBJECT-if-domains-differ.patch new file mode 100644 index 0000000..e8dfa24 --- /dev/null +++ b/0052-extdom-return-LDAP_NO_SUCH_OBJECT-if-domains-differ.patch 
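Review bot: `kernel_read_system_state(ipa_custodia_t)` in the ipa.te hunk is not narrower than the `allow ipa_custodia_t proc_t:file { getattr open read }` rule the commit message rejects as too broad: as far as I recall that refpolicy interface grants read on all `proc_t` files plus symlink reading and directory listing, so the stated rationale does not match what is actually granted. If the target policy offers no cpuinfo-specific interface this is still an acceptable trade, but the reason should be recorded next to the rule so a later audit does not drop or widen it blindly: `# gcrypt reads /proc/cpuinfo on ARM for HW caps (freeipa#8972)`. Whether the distribution policy has a narrower interface I cannot tell from here.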
@@ -0,0 +1,46 @@ +From 4fca95751ca32a1ed16a6d8a4e557c5799ec5c78 Mon Sep 17 00:00:00 2001 +From: Sumit Bose +Date: Wed, 25 Aug 2021 17:10:29 +0200 +Subject: [PATCH] extdom: return LDAP_NO_SUCH_OBJECT if domains differ + +If a client sends a request to lookup an object from a given trusted +domain by UID or GID and an object with matching ID is only found in a +different domain the extdom should return LDAP_NO_SUCH_OBJECT to +indicate to the client that the requested ID does not exists in the +given domain. + +Resolves: https://pagure.io/freeipa/issue/8965 +Reviewed-By: Rob Crittenden +--- + .../ipa-extdom-extop/ipa_extdom_common.c | 8 ++++++-- + 1 file changed, 6 insertions(+), 2 deletions(-) + +diff --git a/daemons/ipa-slapi-plugins/ipa-extdom-extop/ipa_extdom_common.c b/daemons/ipa-slapi-plugins/ipa-extdom-extop/ipa_extdom_common.c +index 5d97ff6137d9d660f6121f468261c6878a9aa12a..6f646b9f49ef31e1872e87640c524db972e53b6d 100644 +--- a/daemons/ipa-slapi-plugins/ipa-extdom-extop/ipa_extdom_common.c ++++ b/daemons/ipa-slapi-plugins/ipa-extdom-extop/ipa_extdom_common.c +@@ -542,7 +542,9 @@ int pack_ber_user(struct ipa_extdom_ctx *ctx, + if (strcasecmp(locat+1, domain_name) == 0 ) { + locat[0] = '\0'; + } else { +- ret = LDAP_INVALID_SYNTAX; ++ /* The found object is from a different domain than requested, ++ * that means it does not exist in the requested domain */ ++ ret = LDAP_NO_SUCH_OBJECT; + goto done; + } + } +@@ -655,7 +657,9 @@ int pack_ber_group(enum response_types response_type, + if (strcasecmp(locat+1, domain_name) == 0 ) { + locat[0] = '\0'; + } else { +- ret = LDAP_INVALID_SYNTAX; ++ /* The found object is from a different domain than requested, ++ * that means it does not exist in the requested domain */ ++ ret = LDAP_NO_SUCH_OBJECT; + goto done; + } + } +-- +2.31.1 + diff --git a/0053-subid-subid-match-display-the-owner-s-ID-not-DN.patch b/0053-subid-subid-match-display-the-owner-s-ID-not-DN.patch new file mode 100644 index 0000000..a36c923 
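Review bot: The two replaced branches in pack_ber_user and pack_ber_group are now byte-identical (comment, `ret = LDAP_NO_SUCH_OBJECT;`, `goto done;`) and the `strcasecmp(locat+1, domain_name)` check above them is duplicated too; a small `static` helper that verifies and strips the `@domain` suffix would keep the two sites from drifting again, which is exactly how one of them could end up returning a different code. `strcasecmp` is ASCII-only case folding, so if domain names can carry non-ASCII labels the comparison may miss, though I cannot see where `domain_name` is normalised. Returning LDAP_NO_SUCH_OBJECT here also stops telling the client "this ID exists in another domain", which is the safer disclosure behaviour and deserves a sentence wherever the extdom error codes are documented. Both functions start and continue outside the hunk.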
--- /dev/null +++ b/0053-subid-subid-match-display-the-owner-s-ID-not-DN.patch @@ -0,0 +1,35 @@ +From 4785a90946ec694ccc082f062b2181b23c7099e3 Mon Sep 17 00:00:00 2001 +From: =?UTF-8?q?Fran=C3=A7ois=20Cami?= +Date: Thu, 2 Sep 2021 16:17:01 +0200 +Subject: [PATCH] subid: subid-match: display the owner's ID not DN +MIME-Version: 1.0 +Content-Type: text/plain; charset=UTF-8 +Content-Transfer-Encoding: 8bit + +Previously, the subid-match command would output the full +DN of the owner of the matched range. +With this change, the UID of the owner is displayed, just like +for other subid- commands. + +Fixes: https://github.com/freeipa/freeipa/pull/6001 +Signed-off-by: François Cami +Reviewed-By: Rob Crittenden +--- + ipaserver/plugins/subid.py | 1 + + 1 file changed, 1 insertion(+) + +diff --git a/ipaserver/plugins/subid.py b/ipaserver/plugins/subid.py +index 440f24ee627f0736100f63026158c564b04520c2..132c85c7f198217ba70f2332306ee2550be86035 100644 +--- a/ipaserver/plugins/subid.py ++++ b/ipaserver/plugins/subid.py +@@ -524,6 +524,7 @@ class subid_match(subid_find): + osubuid = options["ipasubuidnumber"] + new_entries = [] + for entry in entries: ++ self.obj.convert_owner(entry, options) + esubuid = int(entry.single_value["ipasubuidnumber"]) + esubcount = int(entry.single_value["ipasubuidcount"]) + minsubuid = esubuid +-- +2.31.1 + diff --git a/0054-migrate-ds-workaround-to-detect-compat-tree.patch b/0054-migrate-ds-workaround-to-detect-compat-tree.patch new file mode 100644 index 0000000..16dac6f --- /dev/null +++ b/0054-migrate-ds-workaround-to-detect-compat-tree.patch 
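Review bot: `self.obj.convert_owner(entry, options)` is placed at the top of the loop, before the range-matching code that follows, so it runs for every candidate entry including those that never reach `new_entries`; if convert_owner resolves the owner DN with a per-entry lookup (it presumably maps DN to uid, but its body is not visible) the call belongs where an entry is actually appended to `new_entries`. The loop body and the append site continue outside the hunk, and class subid_match starts above it.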
@@ -0,0 +1,37 @@ +From 3c4f9e7347965ff9a887147df34e720224ffa7cc Mon Sep 17 00:00:00 2001 +From: Florence Blanc-Renaud +Date: Tue, 7 Sep 2021 17:06:53 +0200 +Subject: [PATCH] migrate-ds: workaround to detect compat tree + +Migrate-ds needs to check if compat tree is enabled before +migrating users and groups. The check is doing a base +search on cn=compat,$SUFFIX and considers the compat tree +enabled when the entry exists. + +Due to a bug in slapi-nis, the base search may return NotFound +even though the compat tree is enabled. The workaround is to +perform a base search on cn=users,cn=compat,$SUFFIX instead. + +Fixes: https://pagure.io/freeipa/issue/8984 +Reviewed-By: Alexander Bokovoy +--- + ipaserver/plugins/migration.py | 3 ++- + 1 file changed, 2 insertions(+), 1 deletion(-) + +diff --git a/ipaserver/plugins/migration.py b/ipaserver/plugins/migration.py +index db5241915497b14a12ed2c33003e1c4fc1a5369f..6ee205fc836a463ac250baa6131e43acb0c00efa 100644 +--- a/ipaserver/plugins/migration.py ++++ b/ipaserver/plugins/migration.py +@@ -922,7 +922,8 @@ migration process might be incomplete\n''') + # check whether the compat plugin is enabled + if not options.get('compat'): + try: +- ldap.get_entry(DN(('cn', 'compat'), (api.env.basedn))) ++ ldap.get_entry(DN(('cn', 'users'), ('cn', 'compat'), ++ (api.env.basedn))) + return dict(result={}, failed={}, enabled=True, compat=False) + except errors.NotFound: + pass +-- +2.31.1 + diff --git a/0055-Don-t-store-entries-with-a-usercertificate-in-the-LD.patch b/0055-Don-t-store-entries-with-a-usercertificate-in-the-LD.patch new file mode 100644 index 0000000..b9c02d6 --- /dev/null +++ b/0055-Don-t-store-entries-with-a-usercertificate-in-the-LD.patch 
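Review bot: The comment `# check whether the compat plugin is enabled` now sits above a base search for `cn=users,cn=compat,$SUFFIX`, and nothing in the code explains why the child entry is probed instead of `cn=compat` itself; the next reader will "fix" it back and reintroduce issue 8984. Record the workaround in place: `# Probe cn=users,cn=compat rather than cn=compat: a slapi-nis bug makes a base search on the container return NotFound even when compat is enabled (freeipa#8984).` The surrounding try/except and the enclosing function continue outside the hunk.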
@@ -0,0 +1,60 @@ +From be1e3bbfc13aff9a583108376f245b81cc3666fb Mon Sep 17 00:00:00 2001 +From: Rob Crittenden +Date: Thu, 9 Sep 2021 15:26:55 -0400 +Subject: [PATCH] Don't store entries with a usercertificate in the LDAP cache + +usercertificate often has a subclass and both the plain and +subclassed (binary) values are queried. I'm concerned that +they are used more or less interchangably in places so not +caching these entries is the safest path forward for now until +we can dedicate the time to find all usages, determine their +safety and/or perhaps handle this gracefully within the cache +now. + +What we see in this bug is that usercertificate;binary holds the +first certificate value but a user-mod is done with +setattr usercertificate=. Since there is no +usercertificate value (remember, it's usercertificate;binary) +a replace is done and 389-ds wipes the existing value as we've +asked it to. + +I'm not comfortable with simply treating them the same because +in LDAP they are not. + +https://pagure.io/freeipa/issue/8986 + +Signed-off-by: Rob Crittenden +Reviewed-By: Francois Cami +Reviewed-By: Fraser Tweedale +--- + ipapython/ipaldap.py | 14 +++++++++++--- + 1 file changed, 11 insertions(+), 3 deletions(-) + +diff --git a/ipapython/ipaldap.py b/ipapython/ipaldap.py +index f94b784d680f33d026e4d56ec8627d4d2ab87931..ced8f1bd66dc8f1f5c206677d2725d1e72b489f9 100644 +--- a/ipapython/ipaldap.py ++++ b/ipapython/ipaldap.py +@@ -1821,9 +1821,17 @@ class LDAPCache(LDAPClient): + entry=None, exception=None): + # idnsname - caching prevents delete when mod value to None + # cospriority - in a Class of Service object, uncacheable +- # TODO - usercertificate was banned at one point and I don't remember +- # why... 
+- BANNED_ATTRS = {'idnsname', 'cospriority'} ++ # usercertificate* - caching subtypes is tricky, trade less ++ # complexity for performance ++ # ++ # TODO: teach the cache about subtypes ++ ++ BANNED_ATTRS = { ++ 'idnsname', ++ 'cospriority', ++ 'usercertificate', ++ 'usercertificate;binary' ++ } + if not self._enable_cache: + return + +-- +2.31.1 + diff --git a/0056-ipatests-Test-that-a-user-can-be-issued-multiple-cer.patch b/0056-ipatests-Test-that-a-user-can-be-issued-multiple-cer.patch new file mode 100644 index 0000000..db49c3c --- /dev/null +++ b/0056-ipatests-Test-that-a-user-can-be-issued-multiple-cer.patch 
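Review bot: The new comment in the BANNED_ATTRS hunk says `usercertificate*`, but the set bans exactly two spellings, `usercertificate` and `usercertificate;binary`; LDAP attribute descriptions are case-insensitive and may carry other options, so a differently cased name (`userCertificate;binary`) or another subtype would still be cached and reproduce the overwrite the commit fixes, unless the membership test below (outside the hunk) already lowercases and strips the `;subtype` part. Ban on the base attribute type instead: keep only `'usercertificate'` and compare `attr.split(';', 1)[0].lower() in BANNED_ATTRS`. The set is also rebuilt on every call although it is a constant; a class-level `_BANNED_ATTRS = frozenset({...})` is cheaper and easier to find. The enclosing method starts outside the hunk, so how the set is consulted is not visible here.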
@@ -0,0 +1,68 @@ +From 86588640137562b2016fdb0f91142d00bc38e54a Mon Sep 17 00:00:00 2001 +From: Rob Crittenden +Date: Fri, 10 Sep 2021 09:01:48 -0400 +Subject: [PATCH] ipatests: Test that a user can be issued multiple + certificates + +Prevent regressions in the LDAP cache layer that caused newly +issued certificates to overwrite existing ones. + +https://pagure.io/freeipa/issue/8986 + +Signed-off-by: Rob Crittenden +Reviewed-By: Francois Cami +Reviewed-By: Fraser Tweedale +--- + ipatests/test_integration/test_cert.py | 29 ++++++++++++++++++++++++++ + 1 file changed, 29 insertions(+) + +diff --git a/ipatests/test_integration/test_cert.py b/ipatests/test_integration/test_cert.py +index 7d51b76ee347237450b7484cf48c2e6a1bed7f7d..b4e85eadcf41212fdd16f0f3aa130a916b5019fa 100644 +--- a/ipatests/test_integration/test_cert.py ++++ b/ipatests/test_integration/test_cert.py +@@ -16,6 +16,7 @@ import string + import time + + from ipaplatform.paths import paths ++from ipapython.dn import DN + from cryptography import x509 + from cryptography.x509.oid import ExtensionOID + from cryptography.hazmat.backends import default_backend +@@ -183,6 +184,34 @@ class TestInstallMasterClient(IntegrationTest): + ) + assert "profile: caServerCert" in result.stdout_text + ++ def test_multiple_user_certificates(self): ++ """Test that a user may be issued multiple certificates""" ++ ldap = self.master.ldap_connect() ++ ++ user = 'user1' ++ ++ tasks.kinit_admin(self.master) ++ tasks.user_add(self.master, user) ++ ++ for id in (0,1): ++ csr_file = f'{id}.csr' ++ key_file = f'{id}.key' ++ cert_file = f'{id}.crt' ++ openssl_cmd = [ ++ 'openssl', 'req', '-newkey', 'rsa:2048', '-keyout', key_file, ++ '-nodes', '-out', csr_file, '-subj', '/CN=' + user] ++ self.master.run_command(openssl_cmd) ++ ++ cmd_args = ['ipa', 'cert-request', '--principal', user, ++ '--certificate-out', cert_file, csr_file] ++ self.master.run_command(cmd_args) ++ ++ # easier to count by pulling the LDAP entry ++ entry = 
ldap.get_entry(DN(('uid', user), ('cn', 'users'), ++ ('cn', 'accounts'), self.master.domain.basedn)) ++ ++ assert len(entry.get('usercertificate')) == 2 ++ + @pytest.fixture + def test_subca_certs(self): + """ +-- +2.31.1 + diff --git a/0057-Parse-getStatus-as-JSON-not-XML.patch b/0057-Parse-getStatus-as-JSON-not-XML.patch new file mode 100644 index 0000000..e3cae57 --- /dev/null +++ b/0057-Parse-getStatus-as-JSON-not-XML.patch 
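Review bot: `for id in (0,1)` in test_multiple_user_certificates shadows the builtin `id`, and the test leaves `user1` plus the key/CSR/cert files it writes on the master behind unless a fixture not visible here cleans up; rename the loop variable (`for idx in (0, 1):`) and remove the user at the end of the test, since other tests in this class may reuse that uid. Generating a throwaway `-nodes` RSA key per iteration is fine for a test, and `len(entry.get('usercertificate')) == 2` is the right regression check for issue 8986. The class continues outside the hunk.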
@@ -0,0 +1,56 @@ +From 7fb95cc638b1c9b7f2e9a67dba859ef8126f2c5f Mon Sep 17 00:00:00 2001 +From: Chris Kelley +Date: Tue, 27 Jul 2021 21:57:26 +0100 +Subject: [PATCH] Parse getStatus as JSON not XML + +On dogtagpki/pki master XML is being replaced by JSON, getStatus will +return JSON in PKI 11.0+ + +The PR for dogtagpki/pki that makes this change necessary is: +https://github.com/dogtagpki/pki/pull/3674 + +Reviewed-By: Francois Cami +Reviewed-By: Rob Crittenden +--- + install/tools/ipa-pki-wait-running.in | 18 ++++++++++++++---- + 1 file changed, 14 insertions(+), 4 deletions(-) + +diff --git a/install/tools/ipa-pki-wait-running.in b/install/tools/ipa-pki-wait-running.in +index 4f0f2f34a7b0a43210676e7fd50e7029e798f301..9ca6e974e55a4d68afd06e1d9c7b67c5f926e48c 100644 +--- a/install/tools/ipa-pki-wait-running.in ++++ b/install/tools/ipa-pki-wait-running.in +@@ -13,6 +13,7 @@ import logging + import sys + import time + from xml.etree import ElementTree ++import json + + from ipalib import api + from ipaplatform.paths import paths +@@ -74,10 +75,19 @@ def get_status(conn, timeout): + """ + client = SystemStatusClient(conn) + response = client.get_status(timeout=timeout) +- root = ElementTree.fromstring(response) +- status = root.findtext("Status") +- error = root.findtext("Error") +- logging.debug("Got status '%s', error '%s'", status, error) ++ status = None ++ error = None ++ try: ++ json_response = json.loads(response) ++ status = json_response['Response']['Status'] ++ except KeyError as e: ++ error = repr(e) ++ except json.JSONDecodeError: ++ logger.debug("Response is not valid JSON, try XML") ++ root = ElementTree.fromstring(response) ++ status = root.findtext("Status") ++ error = root.findtext("Error") ++ logger.debug("Got status '%s', error '%s'", status, error) + return status, error + + +-- +2.31.1 + diff --git a/0058-Parse-cert-chain-as-JSON-not-XML.patch b/0058-Parse-cert-chain-as-JSON-not-XML.patch new file mode 100644 index 0000000..ca959dd --- /dev/null 
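Review bot: The new JSON branch in get_status never reads the `Error` field, so when PKI 11 reports a failure as JSON the caller gets a `status` but `error` stays None, while the XML path still reads both; the JSON path should extract `Response.Error` as well. It also catches only KeyError: a well-formed JSON body whose top level is not an object (`null`, a list) raises TypeError out of the function. Separately, the hunk switches from `logging.debug` to `logger.debug` without adding a `logger = logging.getLogger(...)`; if the script does not already define `logger` at module level (not visible here) the XML fallback fails with NameError precisely on the non-JSON responses it is meant to handle, so please verify. get_status's signature is above the hunk.
```python
    try:
        json_response = json.loads(response)
        resp = json_response['Response']
        status = resp['Status']
        error = resp.get('Error')
    except (KeyError, TypeError, AttributeError) as e:
        error = repr(e)
    except json.JSONDecodeError:
        # … unchanged: XML fallback …
```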
+++ b/0058-Parse-cert-chain-as-JSON-not-XML.patch 
@@ -0,0 +1,79 @@ +From 40f76a53f78267b4d2b890defa3e4f7d27fdfb7a Mon Sep 17 00:00:00 2001 +From: Chris Kelley +Date: Thu, 5 Aug 2021 12:00:15 +0100 +Subject: [PATCH] Parse cert chain as JSON not XML + +On dogtagpki/pki master XML is being replaced by JSON in PKI 11.0+ + +The PR for dogtagpki/pki that makes this change necessary is: +https://github.com/dogtagpki/pki/pull/3677 + +Reviewed-By: Rob Crittenden +--- + ipapython/dogtag.py | 28 +++++++++++++++++++--------- + 1 file changed, 19 insertions(+), 9 deletions(-) + +diff --git a/ipapython/dogtag.py b/ipapython/dogtag.py +index 0503938fb9783d397cc7366339bb9fab48033985..8f0f0473ae313edb17e10de8b2ca7f43f231e706 100644 +--- a/ipapython/dogtag.py ++++ b/ipapython/dogtag.py +@@ -20,6 +20,7 @@ + import collections + import gzip + import io ++import json + import logging + from urllib.parse import urlencode + import xml.dom.minidom +@@ -100,6 +101,10 @@ def get_ca_certchain(ca_host=None): + data = res.read() + conn.close() + try: ++ doc = json.loads(data) ++ chain = doc['Response']['ChainBase64'] ++ except (json.JSONDecodeError, KeyError): ++ logger.debug("Response is not valid JSON, try XML") + doc = xml.dom.minidom.parseString(data) + try: + item_node = doc.getElementsByTagName("ChainBase64") +@@ -107,9 +112,9 @@ def get_ca_certchain(ca_host=None): + except IndexError: + raise error_from_xml( + doc, _("Retrieving CA cert chain failed: %s")) +- finally: +- if doc: +- doc.unlink() ++ finally: ++ if doc: ++ doc.unlink() + else: + raise errors.RemoteRetrieveError( + reason=_("request failed with HTTP status %d") % res.status) +@@ -118,13 +123,18 @@ def get_ca_certchain(ca_host=None): + + + def _parse_ca_status(body): +- doc = xml.dom.minidom.parseString(body) + try: +- item_node = doc.getElementsByTagName("XMLResponse")[0] +- item_node = item_node.getElementsByTagName("Status")[0] +- return item_node.childNodes[0].data +- except IndexError: +- raise error_from_xml(doc, _("Retrieving CA status failed: %s")) ++ doc = 
json.loads(body) ++ return doc['Response']['Status'] ++ except (json.JSONDecodeError, KeyError): ++ logger.debug("Response is not valid JSON, try XML") ++ doc = xml.dom.minidom.parseString(body) ++ try: ++ item_node = doc.getElementsByTagName("XMLResponse")[0] ++ item_node = item_node.getElementsByTagName("Status")[0] ++ return item_node.childNodes[0].data ++ except IndexError: ++ raise error_from_xml(doc, _("Retrieving CA status failed: %s")) + + + def ca_status(ca_host=None): +-- +2.31.1 + diff --git a/0059-Specify-PKI-installation-log-paths.patch b/0059-Specify-PKI-installation-log-paths.patch new file mode 100644 index 0000000..44af243 --- /dev/null +++ b/0059-Specify-PKI-installation-log-paths.patch 
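Review bot: In both get_ca_certchain and _parse_ca_status the `except (json.JSONDecodeError, KeyError)` branch treats a JSON body that merely lacks the expected key the same as a non-JSON body and feeds it to `xml.dom.minidom.parseString`; a PKI 11 JSON error response (valid JSON, no `ChainBase64`/`Status`) therefore surfaces as an ExpatError from the XML parser instead of the readable `RemoteRetrieveError` that the XML path produces through error_from_xml. Handle the two cases separately: fall back to XML only on JSONDecodeError, and on a missing key raise `errors.RemoteRetrieveError` with the JSON `Response.Error` text (or the body) as the reason; the same split applies to get_ca_certchain. get_ca_certchain's HTTP handling continues outside the hunk.
```python
def _parse_ca_status(body):
    try:
        doc = json.loads(body)
    except json.JSONDecodeError:
        logger.debug("Response is not valid JSON, try XML")
        # … unchanged: minidom parsing and error_from_xml …
    else:
        try:
            return doc['Response']['Status']
        except (KeyError, TypeError):
            raise errors.RemoteRetrieveError(
                reason=_("Retrieving CA status failed: %s") % body)
```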
@@ -0,0 +1,84 @@ +From 5abf1bc79f8b32c6638ff98fbe2e4a8dec9a5010 Mon Sep 17 00:00:00 2001 +From: "Endi S. Dewata" +Date: Thu, 12 Aug 2021 13:26:42 -0500 +Subject: [PATCH] Specify PKI installation log paths + +The DogtagInstance.spawn_instance() and uninstall() have +been modified to specify the paths of PKI installation +logs using --log-file option on PKI 11.0.0 or later. + +This allows IPA to have a full control over the log files +instead of relying on PKI's default log files. + +Fixes: https://pagure.io/freeipa/issue/8966 +Signed-off-by: Endi Sukma Dewata +--- + ipaserver/install/dogtaginstance.py | 35 ++++++++++++++++++++++++++--- + 1 file changed, 32 insertions(+), 3 deletions(-) + +diff --git a/ipaserver/install/dogtaginstance.py b/ipaserver/install/dogtaginstance.py +index 644acd4eacea22f41a7cd36b54553d6d7cd22690..0d9aebb542f242b81315edd016699697f2fc4091 100644 +--- a/ipaserver/install/dogtaginstance.py ++++ b/ipaserver/install/dogtaginstance.py +@@ -36,8 +36,10 @@ from configparser import DEFAULTSECT, ConfigParser, RawConfigParser + + import six + ++import pki + from pki.client import PKIConnection + import pki.system ++import pki.util + + from ipalib import api, errors, x509 + from ipalib.install import certmonger +@@ -202,6 +204,18 @@ class DogtagInstance(service.Service): + "-f", cfg_file, + "--debug"] + ++ # specify --log-file on PKI 11.0.0 or later ++ ++ pki_version = pki.util.Version(pki.specification_version()) ++ if pki_version >= pki.util.Version("11.0.0"): ++ timestamp = time.strftime( ++ "%Y%m%d%H%M%S", ++ time.localtime(time.time())) ++ log_file = os.path.join( ++ paths.VAR_LOG_PKI_DIR, ++ "pki-%s-spawn.%s.log" % (self.subsystem.lower(), timestamp)) ++ args.extend(["--log-file", log_file]) ++ + with open(cfg_file) as f: + logger.debug( + 'Contents of pkispawn configuration file (%s):\n%s', +@@ -290,10 +304,25 @@ class DogtagInstance(service.Service): + if self.is_installed(): + self.print_msg("Unconfiguring %s" % self.subsystem) + ++ args = 
[paths.PKIDESTROY, ++ "-i", "pki-tomcat", ++ "-s", self.subsystem] ++ ++ # specify --log-file on PKI 11.0.0 or later ++ ++ pki_version = pki.util.Version(pki.specification_version()) ++ if pki_version >= pki.util.Version("11.0.0"): ++ timestamp = time.strftime( ++ "%Y%m%d%H%M%S", ++ time.localtime(time.time())) ++ log_file = os.path.join( ++ paths.VAR_LOG_PKI_DIR, ++ "pki-%s-destroy.%s.log" % (self.subsystem.lower(), timestamp)) ++ args.extend(["--log-file", log_file]) ++ + try: +- ipautil.run([paths.PKIDESTROY, +- "-i", 'pki-tomcat', +- "-s", self.subsystem]) ++ ipautil.run(args) ++ + except ipautil.CalledProcessError as e: + logger.critical("failed to uninstall %s instance %s", + self.subsystem, e) +-- +2.31.1 + diff --git a/0060-Make-Dogtag-return-XML-for-ipa-cert-find.patch b/0060-Make-Dogtag-return-XML-for-ipa-cert-find.patch new file mode 100644 index 0000000..4b5a221 --- /dev/null +++ b/0060-Make-Dogtag-return-XML-for-ipa-cert-find.patch 
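Review bot: The `--log-file` block is pasted twice, in spawn_instance and uninstall, with only the `spawn`/`destroy` word differing, including the version probe and the timestamp; a single helper keeps the two from diverging. The block also relies on `os` and `time` already being imported at module level — the hunk adds `import pki` and `import pki.util` but neither of those, so please confirm (not visible here). `pki.specification_version()` is now called unconditionally on every install and uninstall; if a python-pki old enough to lack it is still supported that is an AttributeError before the version comparison, which I cannot judge from here. Both methods start outside the hunk.
```python
    @staticmethod
    def _pki_log_file(subsystem, action):
        """Log path passed via --log-file on PKI >= 11.0.0, else None."""
        pki_version = pki.util.Version(pki.specification_version())
        if pki_version < pki.util.Version("11.0.0"):
            return None
        timestamp = time.strftime("%Y%m%d%H%M%S", time.localtime())
        return os.path.join(
            paths.VAR_LOG_PKI_DIR,
            "pki-%s-%s.%s.log" % (subsystem.lower(), action, timestamp))

    # in spawn_instance (action "spawn") and uninstall (action "destroy"):
    log_file = self._pki_log_file(self.subsystem, "spawn")
    if log_file:
        args.extend(["--log-file", log_file])
```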
@@ -0,0 +1,33 @@ +From d43b513927d6dd0a12464dd24287ce40ccaf33e4 Mon Sep 17 00:00:00 2001 +From: Chris Kelley +Date: Fri, 10 Sep 2021 16:47:22 +0100 +Subject: [PATCH] Make Dogtag return XML for ipa cert-find + +Using JSON by default within Dogtag appears to cause ipa cert-find to +return JSON, when the request was made with XML. We can request that XML +is returned as before by specifying so in the request header. + +Fixes: https://pagure.io/freeipa/issue/8980 +Signed-off-by: Chris Kelley +Reviewed-By: Francois Cami +--- + ipaserver/plugins/dogtag.py | 3 ++- + 1 file changed, 2 insertions(+), 1 deletion(-) + +diff --git a/ipaserver/plugins/dogtag.py b/ipaserver/plugins/dogtag.py +index be2e4bb4e2a1b96c1bff6056da30c704c36789f3..b4feddfac19a4c5659d29bf7b6f5fd9b1247524c 100644 +--- a/ipaserver/plugins/dogtag.py ++++ b/ipaserver/plugins/dogtag.py +@@ -1832,7 +1832,8 @@ class ra(rabase.rabase, RestClient): + method='POST', + headers={'Accept-Encoding': 'gzip, deflate', + 'User-Agent': 'IPA', +- 'Content-Type': 'application/xml'}, ++ 'Content-Type': 'application/xml', ++ 'Accept': 'application/xml'}, + body=payload + ) + +-- +2.31.1 + diff --git a/freeipa.spec b/freeipa.spec index 4f1ec27..23476ad 100644 --- a/freeipa.spec +++ b/freeipa.spec @@ -196,7 +196,7 @@ Name: %{package_name} Version: %{IPA_VERSION} -Release: 6%{?rc_version:.%rc_version}%{?dist} +Release: 9%{?rc_version:.%rc_version}%{?dist} Summary: The Identity, Policy and Audit system License: GPLv3+ 
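Review bot: Adding `'Accept': 'application/xml'` to this one POST in class ra fixes cert-find, but by the commit's own description Dogtag now answers JSON to any request that does not state an Accept type, so every other XML-bodied request this class issues (none are visible in the hunk) has the same exposure and should send the same header, ideally from one shared headers dict so the call sites cannot drift. The request being built continues above and below the hunk.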
@@ -266,6 +266,16 @@ Patch0047: 0047-ipatests-test-to-renew-certs-on-replica-using-ipa-ce.patch Patch0048: 0048-ipatests-wait-while-http-ldap-pkinit-cert-get-renew-.patch Patch0049: 0049-ipatests-refactor-test_ipa_cert_fix-with-tasks.patch Patch0050: 0050-ipatests-use-whole-date-for-journalctl-since.patch +Patch0051: 0051-selinux-policy-allow-custodia-to-access-proc-cpuinfo.patch +Patch0052: 0052-extdom-return-LDAP_NO_SUCH_OBJECT-if-domains-differ.patch +Patch0053: 0053-subid-subid-match-display-the-owner-s-ID-not-DN.patch +Patch0054: 0054-migrate-ds-workaround-to-detect-compat-tree.patch +Patch0055: 0055-Don-t-store-entries-with-a-usercertificate-in-the-LD.patch +Patch0056: 0056-ipatests-Test-that-a-user-can-be-issued-multiple-cer.patch +Patch0057: 0057-Parse-getStatus-as-JSON-not-XML.patch +Patch0058: 0058-Parse-cert-chain-as-JSON-not-XML.patch +Patch0059: 0059-Specify-PKI-installation-log-paths.patch +Patch0060: 0060-Make-Dogtag-return-XML-for-ipa-cert-find.patch Patch1001: 1001-Change-branding-to-IPA-and-Identity-Management.patch %endif %endif 
@@ -1752,6 +1762,28 @@ fi %endif %changelog +* Tue Oct 5 2021 Florence Blanc-Renaud - 4.9.6-9 +- Resolves: rhbz#2010701 ipa-server-install fails while 'configuring certificate server instance' + - Parse getStatus as JSON not XML + - Parse cert chain as JSON not XML + - Specify PKI installation log paths + - Make Dogtag return XML for ipa cert-find + +* Fri Sep 17 2021 Florence Blanc-Renaud - 4.9.6-8 +- Resolves: rhbz#2005864 ipa cert-request replaces user certificate instead of adding + - Don't store entries with a usercertificate in the LDAP cache + - ipatests: Test that a user can be issued multiple certificates + +* Fri Sep 10 2021 Florence Blanc-Renaud - 4.9.6-7 +- Resolves: rhbz#2003005 AVC denied { read } comm="ipa-custodia" on aarch64 during installation of ipa-server + - selinux policy: allow custodia to access /proc/cpuinfo +- Resolves: rhbz#2003004 extdom: LDAP_INVALID_SYNTAX returned instead of LDAP_NO_SUCH_OBJECT + - extdom: return LDAP_NO_SUCH_OBJECT if domains differ +- Resolves: rhbz#2003003 subid: subid-match displays the DN of the owner, not its UID. + - subid: subid-match: display the owner's ID not DN +- Resolves: rhbz#2013116 ipa migrate-ds command fails to warn when compat plugin is enabled + - migrate-ds: workaround to detect compat tree + * Thu Aug 26 2021 Florence Blanc-Renaud - 4.9.6-6 - Resolves: rhbz#1998098 - Backport latest test fixes in python3-ipatests - ipatests: Test unsecure nsupdate.