rpms/ipa
6
0
Fork 0
Code Issues Pull Requests Releases Activity

ipa release 4.9.13-16

Browse Source 
- Add a- heck into ipa-cert-fix tool to avoid updating certs if CA is close to expire
  Resolves: RHEL-4941
- Fix rpminspect's 'patches' warnings
  Resolves: RHEL-22497

Signed-off-by: Rafael Guterres Jeffman <rjeffman@redhat.com>
This commit is contained in:
Rafael Guterres Jeffman 2025-03-31 14:18:24 -03:00
parent f69a9dccaa
commit 74fc7d8915
5 changed files with 116 additions and 29 deletions

25
0014-krb5kdc-Fix-start-when-pkinit-and-otp-auth-type-are-enabled_rhel#4874.patch
View File

@ -40,12 +40,11 @@ index 06d511c76..dbb98dba6 100644
#include "ipa_krb5.h"
#include "ipa_hostname.h"
+#include <kadm5/admin.h>
#define IPADB_GLOBAL_CONFIG_CACHE_TIME 60
@@ -207,6 +208,19 @@ static const struct {
@@ -207,5 +208,18 @@ static const struct {
{ "idp", IPADB_USER_AUTH_IDP },
{ "passkey", IPADB_USER_AUTH_PASSKEY },
{ }
+},
+ objclass_table[] = {
@ -61,10 +60,10 @@ index 06d511c76..dbb98dba6 100644
+ { KADM5_HIST_PRINCIPAL, IPADB_USER_AUTH_PASSWORD },
+ { }
};
void ipadb_parse_user_auth(LDAP *lcontext, LDAPMessage *le,
@@ -217,17 +231,49 @@ void ipadb_parse_user_auth(LDAP *lcontext, LDAPMessage *le,
*userauth = IPADB_USER_AUTH_NONE;
vals = ldap_get_values_len(lcontext, le, IPA_USER_AUTH_TYPE);
- if (!vals)
@ -121,7 +120,7 @@ index 06d511c76..dbb98dba6 100644
/* If password auth is enabled, enable hardened policy too. */
if (*userauth & IPADB_USER_AUTH_PASSWORD) {
*userauth |= IPADB_USER_AUTH_HARDENED;
--
--
2.43.0
@ -163,7 +162,7 @@ index 436ee0e62..2802221c7 100644
pol_limits = &(ied->pol_limits[IPADB_USER_AUTH_IDX_PKINIT]);
} else if (strcmp(auth_indicator, "hardened") == 0) {
valid_auth_indicators++;
--
--
2.43.0
@ -188,14 +187,14 @@ index dbb98dba6..4e6cacf24 100644
@@ -195,6 +195,9 @@ done:
return base;
}
+/* In this table all _AUTH_PASSWORD entries will be
+ * expanded to include _AUTH_HARDENED in ipadb_parse_user_auth()
+ * which means there is no need to explicitly add it here */
static const struct {
const char *name;
enum ipadb_user_auth flag;
--
--
2.43.0
@ -230,7 +229,7 @@ index caa0e6a34..5c2e7af02 100644
@@ -23,6 +23,24 @@ class TestPkinitClientInstall(IntegrationTest):
def install(cls, mh):
tasks.install_master(cls.master)
+ def enforce_password_and_otp(self):
+ """enforce otp by default and password for admin """
+ self.master.run_command(
@ -255,7 +254,7 @@ index caa0e6a34..5c2e7af02 100644
@@ -86,6 +104,14 @@ class TestPkinitClientInstall(IntegrationTest):
cabundle = self.master.get_file_contents(paths.KDC_CA_BUNDLE_PEM)
client.put_file_contents(self.tmpbundle, cabundle)
+ def test_restart_krb5kdc(self):
+ tasks.kinit_admin(self.master)
+ self.enforce_password_and_otp()
@ -267,6 +266,6 @@ index caa0e6a34..5c2e7af02 100644
def test_client_install_pkinit(self):
tasks.kinit_admin(self.master)
self.add_certmaperule()
--
--
2.43.0

17
0037-Replica-CA-installation-ignore-skew-during-initial-replication_rhel#80995.patch
View File

@ -50,7 +50,7 @@ diff --git a/install/tools/ipa-replica-manage.in b/install/tools/ipa-replica-man
index cebf73a..71851be 100644
--- a/install/tools/ipa-replica-manage.in
+++ b/install/tools/ipa-replica-manage.in
@@ -1269,12 +1269,12 @@ def force_sync(realm, thishost, fromhost, dirman_passwd, nolookup=False):
@@ -1237,12 +1237,13 @@ def force_sync(realm, thishost, fromhost, dirman_passwd, nolookup=False):
repl.force_sync(repl.conn, fromhost)
else:
ds = dsinstance.DsInstance(realm_name=realm)
@ -62,9 +62,10 @@ index cebf73a..71851be 100644
repl.wait_for_repl_update(repl.conn, agreement.dn)
- ds.replica_manage_time_skew(prevent=True)
+ ds.replica_revert_time_skew()
+
def show_DNA_ranges(hostname, master, realm, dirman_passwd, nextrange=False,
nolookup=False):
diff --git a/ipaserver/install/cainstance.py b/ipaserver/install/cainstance.py
index 35cec89..e15e629 100644
--- a/ipaserver/install/cainstance.py
@ -91,7 +92,7 @@ index cbacfae..ba4bf8a 100644
self.step("ignore time skew for initial replication",
- self.__replica_ignore_initial_time_skew)
+ self.replica_ignore_initial_time_skew)
self.step("setting up initial replication", self.__setup_replica)
self.step("prevent time skew after initial replication",
- self.replica_manage_time_skew)
@ -102,7 +103,7 @@ index cbacfae..ba4bf8a 100644
@@ -995,16 +995,6 @@ class DsInstance(service.Service):
def __add_replication_acis(self):
self._ldap_mod("replica-acis.ldif", self.sub_dict)
- def __replica_ignore_initial_time_skew(self):
- self.replica_manage_time_skew(prevent=False)
-
@ -114,7 +115,7 @@ index cbacfae..ba4bf8a 100644
- self._ldap_mod("replica-prevent-time-skew.ldif", self.sub_dict)
-
def __setup_s4u2proxy(self):
def __add_principal(last_cn, principal, self):
diff --git a/ipaserver/install/service.py b/ipaserver/install/service.py
index 13ae346..15ca70b 100644
@ -123,7 +124,7 @@ index 13ae346..15ca70b 100644
@@ -811,6 +811,31 @@ class Service:
self.run_getkeytab(self.api.env.ldap_uri, self.keytab, self.principal)
self.set_keytab_owner()
+ def replica_ignore_initial_time_skew(self):
+ """
+ Set nsslapd-ignore-time-skew = on if not already set
@ -149,7 +150,7 @@ index 13ae346..15ca70b 100644
+ entry_attrs['nsslapd-ignore-time-skew'] = self.original_time_skew
+ api.Backend.ldap2.update_entry(entry_attrs)
+
class SimpleServiceInstance(Service):
def create_instance(self, gensvc_name=None, fqdn=None, ldap_suffix=None,

82
0038-Add-a-check-into-ipa-cert-fix-tool-to-avoid-updating-certs-if-CA-is-close-to-being-expired_rhel#4941.patch Normal file
View File

@ -0,0 +1,82 @@
From ac6eee670d8a753e66ba69a65eff55447fff2822 Mon Sep 17 00:00:00 2001
From: Aleksandr Sharov <asharov@redhat.com>
Date: Mar 25 2025 09:33:06 +0000
Subject: Add a check into ipa-cert-fix tool to avoid updating certs if CA is close to being expired.
Fixes: https://pagure.io/freeipa/issue/9760
Signed-off-by: Aleksandr Sharov <asharov@redhat.com>
Reviewed-By: Rob Crittenden <rcritten@redhat.com>
Reviewed-By: Florence Blanc-Renaud <flo@redhat.com>
---
diff --git a/ipaserver/install/ipa_cert_fix.py b/ipaserver/install/ipa_cert_fix.py
index 8e02d1e..960d7b9 100644
--- a/ipaserver/install/ipa_cert_fix.py
+++ b/ipaserver/install/ipa_cert_fix.py
@@ -69,6 +69,7 @@ logger = logging.getLogger(__name__)
cert_nicknames = {
+ 'ca_issuing': 'caSigningCert cert-pki-ca',
'sslserver': 'Server-Cert cert-pki-ca',
'subsystem': 'subsystemCert cert-pki-ca',
'ca_ocsp_signing': 'ocspSigningCert cert-pki-ca',
@@ -137,6 +138,16 @@ class IPACertFix(AdminTool):
print("Nothing to do.")
return 0
+ if any(key == 'ca_issuing' for key, _ in certs):
+ logger.debug("CA signing cert is expired, exiting!")
+ print(
+ "The CA signing certificate is expired or will expire within "
+ "the next two weeks.\n\nipa-cert-fix cannot proceed, please "
+ "refer to the ipa-cacert-manage tool to renew the CA "
+ "certificate before proceeding."
+ )
+ return 1
+
print(msg)
print_intentions(certs, extra_certs, non_renewed)
From cdc03d7b6233f736c51c10aa07225aac9715e4c0 Mon Sep 17 00:00:00 2001
From: Aleksandr Sharov <asharov@redhat.com>
Date: Mar 25 2025 18:03:54 +0000
Subject: Test fix for the update
Fixes: https://pagure.io/freeipa/issue/9760
Signed-off-by: Aleksandr Sharov <asharov@redhat.com>
Reviewed-By: Rob Crittenden <rcritten@redhat.com>
Reviewed-By: Florence Blanc-Renaud <flo@redhat.com>
---
diff --git a/ipatests/test_integration/test_ipa_cert_fix.py b/ipatests/test_integration/test_ipa_cert_fix.py
index 15d8a81..d11fd3d 100644
--- a/ipatests/test_integration/test_ipa_cert_fix.py
+++ b/ipatests/test_integration/test_ipa_cert_fix.py
@@ -301,13 +301,18 @@ class TestIpaCertFix(IntegrationTest):
valid. If CA cert expired, ipa-cert-fix won't work.
related: https://pagure.io/freeipa/issue/8721
+
+ If CA cert is close to expiry, there's no reason to issue new certs
+ with short validity period. So, ipa-cert-fix should fail in this case.
+
+ related: https://pagure.io/freeipa/issue/9760
"""
result = self.master.run_command(['ipa-cert-fix', '-v'],
stdin_text='yes\n',
raiseonerr=False)
# check that pki-server cert-fix command fails
- err_msg = ("ERROR: CalledProcessError(Command "
- "['pki-server', 'cert-fix'")
+ err_msg = ("CA signing cert is expired, exiting!")
+ assert result.returncode == 1
assert err_msg in result.stderr_text

3
1002-Revert-freeipa.spec-depend-on-bind-dnssec-utils.patch
View File

@ -32,7 +32,7 @@ diff --git a/ipaplatform/base/paths.py b/ipaplatform/base/paths.py
index 7d21367ec..42a47f1df 100644
--- a/ipaplatform/base/paths.py
+++ b/ipaplatform/base/paths.py
@@ -259,7 +259,6 @@ class BasePathNamespace:
@@ -258,8 +258,7 @@ class BasePathNamespace:
IPA_PKI_RETRIEVE_KEY = "/usr/libexec/ipa/ipa-pki-retrieve-key"
IPA_HTTPD_PASSWD_READER = "/usr/libexec/ipa/ipa-httpd-pwdreader"
IPA_PKI_WAIT_RUNNING = "/usr/libexec/ipa/ipa-pki-wait-running"
@ -41,6 +41,7 @@ index 7d21367ec..42a47f1df 100644
- DNSSEC_KEYFROMLABEL_9_17 = "/usr/bin/dnssec-keyfromlabel"
GETSEBOOL = "/usr/sbin/getsebool"
GROUPADD = "/usr/sbin/groupadd"
USERMOD = "/usr/sbin/usermod"
diff --git a/ipaplatform/fedora/paths.py b/ipaplatform/fedora/paths.py
index 4e993c063..92a948966 100644
--- a/ipaplatform/fedora/paths.py

18
ipa.spec
View File

@ -190,7 +190,7 @@
Name: %{package_name}
Version: %{IPA_VERSION}
Release: 15%{?rc_version:.%rc_version}%{?dist}
Release: 16%{?rc_version:.%rc_version}%{?dist}
Summary: The Identity, Policy and Audit system
License: GPLv3+
@ -246,6 +246,7 @@ Patch0034: 0034-Add-ipa-idrange-fix_rhel#56920.patch
Patch0035: 0035-Unconditionally-add-MS-PAC-to-global-config-on-update_rhel#49437.patch
Patch0036: 0036-ipatests-Update-ipa-adtrust-install-test_rhel#40894.patch
Patch0037: 0037-Replica-CA-installation-ignore-skew-during-initial-replication_rhel#80995.patch
Patch0038: 0038-Add-a-check-into-ipa-cert-fix-tool-to-avoid-updating-certs-if-CA-is-close-to-being-expired_rhel#4941.patch
%if 0%{?rhel} >= 8
Patch1001: 1001-Change-branding-to-IPA-and-Identity-Management.patch
Patch1002: 1002-Revert-freeipa.spec-depend-on-bind-dnssec-utils.patch
@ -1009,10 +1010,7 @@ for i in *.po ; do
done
popd
for p in %patches ; do
%__patch -p1 -i $p
UpdateTimestamps -p1 $p
done
%autopatch -p1 -q
%build
# PATH is workaround for https://bugzilla.redhat.com/show_bug.cgi?id=1005235
@ -1763,6 +1761,12 @@ fi
%endif
%changelog
* Mon Mar 31 2025 Rafael Jeffman <rjeffman@redhat.com> - 4.9.13-16
- Add a- heck into ipa-cert-fix tool to avoid updating certs if CA is close to expire
Resolves: RHEL-4941
- Fix rpminspect's 'patches' warnings
Resolves: RHEL-22497
* Mon Mar 10 2025 Rafael Jeffman <rjeffman@redhat.com> - 4.9.13-15
- Replica CA installation: ignore skew during initial replication
Resolves RHEL-80995
@ -1929,7 +1933,7 @@ fi
* Thu May 25 2023 Rafael Jeffman <rjeffman@redhat.com> - 4.9.12-2
- Use the OpenSSL certificate parser in cert-find
Resolves: RHBZ#2209947
Resolves: RHBZ#2209947
* Wed May 24 2023 Rafael Jeffman <rjeffman@redhat.com> - 4.9.12-1
- Rebase ipa to 4.9.12
@ -1962,7 +1966,7 @@ fi
Resolves: RHBZ#2129895
- Fix canonicalization issue in Web UI
Resolves: RHBZ#2127035
- Remove idnssoaserial argument from dns zone API.
- Remove idnssoaserial argument from dns zone API.
Resolves: RHBZ#2108630
- Warn for permissions with read/write/search/compare and no attrs
Resolves: RHBZ#2098187