ipa-4.11.0-10

- Resolves: RHEL-23377 Enforce OTP for ldap bind (in some scenarios)
- Resolves: RHEL-29745 Unable to re-add broken AD trust - NT_STATUS_INVALID_PARAMETER
- Resolves: RHEL-30905 Backport latest test fixes in ipa
Florence Blanc-Renaud 2024-03-29 14:53:47 +01:00
parent 0c468af06a
commit 7507e52258
6 changed files with 531 additions and 1 deletions


@ -0,0 +1,294 @@
From 82eca6c0a994c4db8f85ea0d5c012cd4d80edefe Mon Sep 17 00:00:00 2001
From: Alexander Bokovoy <abokovoy@redhat.com>
Date: Tue, 30 Jan 2024 11:17:27 +0200
Subject: [PATCH] ipa-pwd-extop: allow enforcing 2FA-only over LDAP bind
When authentication indicators were introduced in 2016, ipa-pwd-extop
plugin gained ability to reject LDAP BIND when an LDAP client insists
the authentication must use an OTP token. This is used by ipa-otpd to
ensure Kerberos authentication using OTP method is done with at least
two factors (the token and the password).
This enfrocement is only possible when an LDAP client sends the LDAP
control. There are cases when LDAP clients cannot be configured to send
a custom LDAP control during BIND operation. For these clients an LDAP
BIND against an account that only has password and no valid token would
succeed even if admins intend it to fail.
Ability to do LDAP BIND without a token was added to allow users to add
their own OTP tokens securely. If administrators require full
enforcement over LDAP BIND, it is cannot be achieved with LDAP without
sending the LDAP control to do so.
Add IPA configuration string, EnforceLDAPOTP, to allow administrators to
prevent LDAP BIND with a password only if user is required to have OTP
tokens. With this configuration enabled, it will be not possible for
users to add OTP token if one is missing, thus ensuring no user can
authenticate without OTP and admins will have to add initial OTP tokens
to users explicitly.
Fixes: https://pagure.io/freeipa/issue/5169
Signed-off-by: Alexander Bokovoy <abokovoy@redhat.com>
Reviewed-By: Florence Blanc-Renaud <flo@redhat.com>
---
API.txt | 2 +-
.../ipa-slapi-plugins/ipa-pwd-extop/common.c | 47 +++++++++++++------
.../ipa-slapi-plugins/ipa-pwd-extop/ipapwd.h | 2 +
.../ipa-slapi-plugins/ipa-pwd-extop/prepost.c | 14 ++++++
doc/api/config_mod.md | 2 +-
ipaserver/plugins/config.py | 3 +-
ipatests/test_integration/test_otp.py | 46 ++++++++++++++++++
7 files changed, 98 insertions(+), 18 deletions(-)
diff --git a/API.txt b/API.txt
index 7d91077fc340ababee5c9a4b8a695290728b9135..5ed1f5327d9154bf2b301a781b723213c7677ed9 100644
--- a/API.txt
+++ b/API.txt
@@ -1082,7 +1082,7 @@ option: Flag('all', autofill=True, cli_name='all', default=False)
option: Str('ca_renewal_master_server?', autofill=False)
option: Str('delattr*', cli_name='delattr')
option: Flag('enable_sid?', autofill=True, default=False)
-option: StrEnum('ipaconfigstring*', autofill=False, cli_name='ipaconfigstring', values=[u'AllowNThash', u'KDC:Disable Last Success', u'KDC:Disable Lockout', u'KDC:Disable Default Preauth for SPNs'])
+option: StrEnum('ipaconfigstring*', autofill=False, cli_name='ipaconfigstring', values=[u'AllowNThash', u'KDC:Disable Last Success', u'KDC:Disable Lockout', u'KDC:Disable Default Preauth for SPNs', u'EnforceLDAPOTP'])
option: Str('ipadefaultemaildomain?', autofill=False, cli_name='emaildomain')
option: Str('ipadefaultloginshell?', autofill=False, cli_name='defaultshell')
option: Str('ipadefaultprimarygroup?', autofill=False, cli_name='defaultgroup')
diff --git a/daemons/ipa-slapi-plugins/ipa-pwd-extop/common.c b/daemons/ipa-slapi-plugins/ipa-pwd-extop/common.c
index d30764bb2a05c7ca4a33ea114a2dc19af39e216f..1355f20d3ab990c81b5b41875d659a9bc9f97085 100644
--- a/daemons/ipa-slapi-plugins/ipa-pwd-extop/common.c
+++ b/daemons/ipa-slapi-plugins/ipa-pwd-extop/common.c
@@ -83,6 +83,7 @@ static struct ipapwd_krbcfg *ipapwd_getConfig(void)
char *tmpstr;
int ret;
size_t i;
+ bool fips_enabled = false;
config = calloc(1, sizeof(struct ipapwd_krbcfg));
if (!config) {
@@ -241,28 +242,35 @@ static struct ipapwd_krbcfg *ipapwd_getConfig(void)
config->allow_nt_hash = false;
if (ipapwd_fips_enabled()) {
LOG("FIPS mode is enabled, NT hashes are not allowed.\n");
+ fips_enabled = true;
+ }
+
+ sdn = slapi_sdn_new_dn_byval(ipa_etc_config_dn);
+ ret = ipapwd_getEntry(sdn, &config_entry, NULL);
+ slapi_sdn_free(&sdn);
+ if (ret != LDAP_SUCCESS) {
+ LOG_FATAL("No config Entry?\n");
+ goto free_and_error;
} else {
- sdn = slapi_sdn_new_dn_byval(ipa_etc_config_dn);
- ret = ipapwd_getEntry(sdn, &config_entry, NULL);
- slapi_sdn_free(&sdn);
- if (ret != LDAP_SUCCESS) {
- LOG_FATAL("No config Entry?\n");
- goto free_and_error;
- } else {
- tmparray = slapi_entry_attr_get_charray(config_entry,
- "ipaConfigString");
- for (i = 0; tmparray && tmparray[i]; i++) {
+ tmparray = slapi_entry_attr_get_charray(config_entry,
+ "ipaConfigString");
+ for (i = 0; tmparray && tmparray[i]; i++) {
+ if (strcasecmp(tmparray[i], "EnforceLDAPOTP") == 0) {
+ config->enforce_ldap_otp = true;
+ continue;
+ }
+ if (!fips_enabled) {
if (strcasecmp(tmparray[i], "AllowNThash") == 0) {
config->allow_nt_hash = true;
continue;
}
}
- if (tmparray) slapi_ch_array_free(tmparray);
}
-
- slapi_entry_free(config_entry);
+ if (tmparray) slapi_ch_array_free(tmparray);
}
+ slapi_entry_free(config_entry);
+
return config;
free_and_error:
@@ -571,6 +579,13 @@ int ipapwd_gen_checks(Slapi_PBlock *pb, char **errMesg,
rc = LDAP_OPERATIONS_ERROR;
}
+ /* do not return the master key if asked */
+ if (check_flags & IPAPWD_CHECK_ONLY_CONFIG) {
+ free((*config)->kmkey->contents);
+ free((*config)->kmkey);
+ (*config)->kmkey = NULL;
+ }
+
done:
return rc;
}
@@ -1103,8 +1118,10 @@ void free_ipapwd_krbcfg(struct ipapwd_krbcfg **cfg)
krb5_free_default_realm(c->krbctx, c->realm);
krb5_free_context(c->krbctx);
- free(c->kmkey->contents);
- free(c->kmkey);
+ if (c->kmkey) {
+ free(c->kmkey->contents);
+ free(c->kmkey);
+ }
free(c->supp_encsalts);
free(c->pref_encsalts);
slapi_ch_array_free(c->passsync_mgrs);
diff --git a/daemons/ipa-slapi-plugins/ipa-pwd-extop/ipapwd.h b/daemons/ipa-slapi-plugins/ipa-pwd-extop/ipapwd.h
index 79606a8c795d166590c4655f9021aa414c3684d9..97697000674d8fbbe3a924af63261482db173852 100644
--- a/daemons/ipa-slapi-plugins/ipa-pwd-extop/ipapwd.h
+++ b/daemons/ipa-slapi-plugins/ipa-pwd-extop/ipapwd.h
@@ -70,6 +70,7 @@
#define IPAPWD_CHECK_CONN_SECURE 0x00000001
#define IPAPWD_CHECK_DN 0x00000002
+#define IPAPWD_CHECK_ONLY_CONFIG 0x00000004
#define IPA_CHANGETYPE_NORMAL 0
#define IPA_CHANGETYPE_ADMIN 1
@@ -109,6 +110,7 @@ struct ipapwd_krbcfg {
char **passsync_mgrs;
int num_passsync_mgrs;
bool allow_nt_hash;
+ bool enforce_ldap_otp;
};
int ipapwd_entry_checks(Slapi_PBlock *pb, struct slapi_entry *e,
diff --git a/daemons/ipa-slapi-plugins/ipa-pwd-extop/prepost.c b/daemons/ipa-slapi-plugins/ipa-pwd-extop/prepost.c
index 6898e6596e1cbbb2cc69ba592401619ce86899d8..69023515018d522651bccb984ddd8e9174c22f59 100644
--- a/daemons/ipa-slapi-plugins/ipa-pwd-extop/prepost.c
+++ b/daemons/ipa-slapi-plugins/ipa-pwd-extop/prepost.c
@@ -1431,6 +1431,7 @@ static int ipapwd_pre_bind(Slapi_PBlock *pb)
"krbPasswordExpiration", "krblastpwchange",
NULL
};
+ struct ipapwd_krbcfg *krbcfg = NULL;
struct berval *credentials = NULL;
Slapi_Entry *entry = NULL;
Slapi_DN *target_sdn = NULL;
@@ -1505,6 +1506,18 @@ static int ipapwd_pre_bind(Slapi_PBlock *pb)
/* Try to do OTP first. */
syncreq = otpctrl_present(pb, OTP_SYNC_REQUEST_OID);
otpreq = otpctrl_present(pb, OTP_REQUIRED_OID);
+ if (!syncreq && !otpreq) {
+ ret = ipapwd_gen_checks(pb, &errMesg, &krbcfg, IPAPWD_CHECK_ONLY_CONFIG);
+ if (ret != 0) {
+ LOG_FATAL("ipapwd_gen_checks failed!?\n");
+ slapi_entry_free(entry);
+ slapi_sdn_free(&sdn);
+ return 0;
+ }
+ if (krbcfg->enforce_ldap_otp) {
+ otpreq = true;
+ }
+ }
if (!syncreq && !ipapwd_pre_bind_otp(dn, entry, credentials, otpreq))
goto invalid_creds;
@@ -1543,6 +1556,7 @@ static int ipapwd_pre_bind(Slapi_PBlock *pb)
return 0;
invalid_creds:
+ free_ipapwd_krbcfg(&krbcfg);
slapi_entry_free(entry);
slapi_sdn_free(&sdn);
slapi_send_ldap_result(pb, rc, NULL, errMesg, 0, NULL);
diff --git a/doc/api/config_mod.md b/doc/api/config_mod.md
index c479a034416068c72c0d70deabb149acf8002e44..b3203c350605af5a386544c858a9a5f7f724342f 100644
--- a/doc/api/config_mod.md
+++ b/doc/api/config_mod.md
@@ -27,7 +27,7 @@ No arguments.
* ipauserobjectclasses : :ref:`Str<Str>`
* ipapwdexpadvnotify : :ref:`Int<Int>`
* ipaconfigstring : :ref:`StrEnum<StrEnum>`
- * Values: ('AllowNThash', 'KDC:Disable Last Success', 'KDC:Disable Lockout', 'KDC:Disable Default Preauth for SPNs')
+ * Values: ('AllowNThash', 'KDC:Disable Last Success', 'KDC:Disable Lockout', 'KDC:Disable Default Preauth for SPNs', 'EnforceLDAPOTP')
* ipaselinuxusermaporder : :ref:`Str<Str>`
* ipaselinuxusermapdefault : :ref:`Str<Str>`
* ipakrbauthzdata : :ref:`StrEnum<StrEnum>`
diff --git a/ipaserver/plugins/config.py b/ipaserver/plugins/config.py
index eface545def441d1a6fe9bdb054ab62eaa6589d3..45bd0c108dc958e3e141055901ea3872bc30d511 100644
--- a/ipaserver/plugins/config.py
+++ b/ipaserver/plugins/config.py
@@ -247,7 +247,8 @@ class config(LDAPObject):
doc=_('Extra hashes to generate in password plug-in'),
values=(u'AllowNThash',
u'KDC:Disable Last Success', u'KDC:Disable Lockout',
- u'KDC:Disable Default Preauth for SPNs'),
+ u'KDC:Disable Default Preauth for SPNs',
+ u'EnforceLDAPOTP'),
),
Str('ipaselinuxusermaporder',
label=_('SELinux user map order'),
diff --git a/ipatests/test_integration/test_otp.py b/ipatests/test_integration/test_otp.py
index 8e2ea563f1190e39fab0cab2f54da1f382c29356..d2dfca4cbf8c60955e888b6f92bd88a2608bb265 100644
--- a/ipatests/test_integration/test_otp.py
+++ b/ipatests/test_integration/test_otp.py
@@ -21,6 +21,9 @@ from ipaplatform.paths import paths
from ipatests.pytest_ipa.integration import tasks
from ipapython.dn import DN
+from ldap.controls.simple import BooleanControl
+
+from ipalib import errors
PASSWORD = "DummyPassword123"
USER = "opttestuser"
@@ -450,3 +453,46 @@ class TestOTPToken(IntegrationTest):
assert "ipa-otpd" not in failed_services.stdout_text
finally:
del_otptoken(self.master, otpuid)
+
+ def test_totp_ldap(self):
+ master = self.master
+ basedn = master.domain.basedn
+ USER1 = 'user-forced-otp'
+ binddn = DN(f"uid={USER1},cn=users,cn=accounts,{basedn}")
+
+ tasks.create_active_user(master, USER1, PASSWORD)
+ tasks.kinit_admin(master)
+ # Enforce use of OTP token for this user
+ master.run_command(['ipa', 'user-mod', USER1,
+ '--user-auth-type=otp'])
+ try:
+ conn = master.ldap_connect()
+ # First, attempt authenticating with a password but without LDAP
+ # control to enforce OTP presence and without server-side
+ # enforcement of the OTP presence check.
+ conn.simple_bind(binddn, f"{PASSWORD}")
+ # Add an OTP token now
+ otpuid, totp = add_otptoken(master, USER1, otptype="totp")
+ # Next, enforce Password+OTP for a user with OTP token
+ master.run_command(['ipa', 'config-mod', '--addattr',
+ 'ipaconfigstring=EnforceLDAPOTP'])
+ # Next, authenticate with Password+OTP and with the LDAP control
+ # this operation should succeed
+ otpvalue = totp.generate(int(time.time())).decode("ascii")
+ conn.simple_bind(binddn, f"{PASSWORD}{otpvalue}",
+ client_controls=[
+ BooleanControl(
+ controlType="2.16.840.1.113730.3.8.10.7",
+ booleanValue=True)])
+ # Remove token
+ del_otptoken(self.master, otpuid)
+ # Now, try to authenticate without otp and without control
+ # this operation should fail
+ try:
+ conn.simple_bind(binddn, f"{PASSWORD}")
+ except errors.ACIError:
+ pass
+ master.run_command(['ipa', 'config-mod', '--delattr',
+ 'ipaconfigstring=EnforceLDAPOTP'])
+ finally:
+ master.run_command(['ipa', 'user-del', USER1])
--
2.44.0
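Review bot: In the prepost.c hunk, the `krbcfg` obtained from `ipapwd_gen_checks()` is released only under `invalid_creds:`; the successful-bind path (`return 0;` on the context line just above that label, and the later success return outside this hunk) never calls `free_ipapwd_krbcfg(&krbcfg)`, and since all 14 added prepost.c lines are visible here, every plain user BIND arriving without the OTP controls leaks one config struct (krb5 context, salt lists and so on). Add `free_ipapwd_krbcfg(&krbcfg);` beside the `slapi_entry_free(entry);` of the success path; this presumes the helper tolerates a NULL `*cfg`, which it must already, because `invalid_creds:` is reachable before `krbcfg` is assigned (its head is outside the hunk). In the common.c hunk for `ipapwd_gen_checks`, the new `IPAPWD_CHECK_ONLY_CONFIG` block follows a branch that sets `rc = LDAP_OPERATIONS_ERROR` and falls through rather than jumping to `done:` (its condition is outside the hunk); if that branch is the `*config == NULL` failure, `free((*config)->kmkey->contents)` dereferences NULL, so guard it as `if (rc == LDAP_SUCCESS && (check_flags & IPAPWD_CHECK_ONLY_CONFIG))`. Lastly, the `ret != 0` path in the pre-bind hunk logs and returns 0; if, as the function's other early returns suggest, that hands the BIND to the server's own password check, a transient failure to read the config entry silently drops the EnforceLDAPOTP policy for that bind, and failing closed with `goto invalid_creds` would be the safer default.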


@ -0,0 +1,63 @@
From a319811747b44dc9b06294df0270b17dbd2b2026 Mon Sep 17 00:00:00 2001
From: Alexander Bokovoy <abokovoy@redhat.com>
Date: Sat, 2 Mar 2024 09:31:46 +0200
Subject: [PATCH] ipa-pwd-extop: add MFA note in case of a successful LDAP bind
with OTP
In case there is a successful OTP authentication attempt, register it as
an operation note on the BIND operation in LDAP. 389-ds then will print
a multi-factor authentication note in both access and security logs
according to https://www.port389.org/docs/389ds/design/mfa-operation-note-design.html
Fixes: https://pagure.io/freeipa/issue/5169
Signed-off-by: Alexander Bokovoy <abokovoy@redhat.com>
Reviewed-By: Florence Blanc-Renaud <flo@redhat.com>
---
daemons/ipa-slapi-plugins/ipa-pwd-extop/prepost.c | 10 ++++++++++
server.m4 | 8 ++++++++
2 files changed, 18 insertions(+)
diff --git a/daemons/ipa-slapi-plugins/ipa-pwd-extop/prepost.c b/daemons/ipa-slapi-plugins/ipa-pwd-extop/prepost.c
index 69023515018d522651bccb984ddd8e9174c22f59..43a7f54778382edd66da8f18c20de443ed98ab3d 100644
--- a/daemons/ipa-slapi-plugins/ipa-pwd-extop/prepost.c
+++ b/daemons/ipa-slapi-plugins/ipa-pwd-extop/prepost.c
@@ -1551,6 +1551,16 @@ static int ipapwd_pre_bind(Slapi_PBlock *pb)
/* Attempt to write out kerberos keys for the user. */
ipapwd_write_krb_keys(pb, discard_const(dn), entry, credentials);
+#ifdef USE_OP_NOTE_MFA_AUTH
+ /* If it was a successful authentication with OTP required, mark it
+ * for access log to notice multi-factor authentication has happened
+ * https://www.port389.org/docs/389ds/design/mfa-operation-note-design.html
+ */
+ if (!syncreq && otpreq) {
+ slapi_pblock_set_flag_operation_notes(pb, SLAPI_OP_NOTE_MFA_AUTH);
+ }
+#endif
+
slapi_entry_free(entry);
slapi_sdn_free(&sdn);
return 0;
diff --git a/server.m4 b/server.m4
index f97ceddea0388067f4353fd9a03a5e5d27b1672b..4918edc762ef9987625a10348bd4bad59ed9beb3 100644
--- a/server.m4
+++ b/server.m4
@@ -31,6 +31,14 @@ PKG_CHECK_MODULES([DIRSRV], [dirsrv >= 1.3.0])
# slapi-plugin.h includes nspr.h
DIRSRV_CFLAGS="$DIRSRV_CFLAGS $NSPR_CFLAGS"
+bck_cflags="$CFLAGS"
+CFLAGS="$CFLAGS $DIRSRV_CFLAGS"
+AC_CHECK_DECL([SLAPI_OP_NOTE_MFA_AUTH], [
+ AC_DEFINE(USE_OP_NOTE_MFA_AUTH,1,
+ [Use LDAP operation note for multi-factor LDAP BIND])],
+ [], [[#include <dirsrv/slapi-plugin.h>]])
+CFLAGS="$bck_cflags"
+
dnl -- sss_idmap is needed by the extdom exop --
PKG_CHECK_MODULES([SSSIDMAP], [sss_idmap])
PKG_CHECK_MODULES([SSSNSSIDMAP], [sss_nss_idmap >= 1.15.2])
--
2.44.0
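Review bot: The MFA note in the prepost.c hunk is keyed on whether OTP was required (`!syncreq && otpreq`), not on whether a token was actually validated. If `ipapwd_pre_bind_otp()` (its body is outside the hunk) also accepts a password+OTP credential when `otpreq` is false for a user who has tokens, those binds are multi-factor but never get the note, so the access and security logs under-report MFA. Having the helper report whether a token was consumed and setting the note on that result, e.g. `if (!syncreq && otp_used)`, would make the log flag match what happened; ipapwd_pre_bind continues outside this hunk.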


@ -0,0 +1,42 @@
From db804280eff7ab7dea50c797c3c951ae790af2e2 Mon Sep 17 00:00:00 2001
From: Alexander Bokovoy <abokovoy@redhat.com>
Date: Thu, 14 Mar 2024 12:19:12 +0200
Subject: [PATCH] ipa-pwd-extop: declare operation notes support from 389-ds
locally
The function slapi_pblock_set_flag_operation_notes(); is defined in
ldap/servers/slapd/pblock.c in 389-ds but is only available through
slapi-private.h header, not through slapi-plugin.h public API.
It was introduced in ~1.4.1.7 (~2019) via https://pagure.io/389-ds-base/issue/50349.
Since we only use it with an MFA note, all versions of the 389-ds that
will support MFA note will have this function.
Fixes: https://pagure.io/freeipa/issue/9554
Signed-off-by: Alexander Bokovoy <abokovoy@redhat.com>
Reviewed-By: Florence Blanc-Renaud <flo@redhat.com>
---
daemons/ipa-slapi-plugins/ipa-pwd-extop/prepost.c | 5 +++++
1 file changed, 5 insertions(+)
diff --git a/daemons/ipa-slapi-plugins/ipa-pwd-extop/prepost.c b/daemons/ipa-slapi-plugins/ipa-pwd-extop/prepost.c
index 43a7f54778382edd66da8f18c20de443ed98ab3d..cc170fc4b81f8ecad88f4ff4401b5651c43aaf55 100644
--- a/daemons/ipa-slapi-plugins/ipa-pwd-extop/prepost.c
+++ b/daemons/ipa-slapi-plugins/ipa-pwd-extop/prepost.c
@@ -1414,6 +1414,11 @@ done:
}
+#ifdef USE_OP_NOTE_MFA_AUTH
+/* defined in ldap/servers/slapd/pblock.c in 389-ds but not exposed via slapi-plugin.h */
+extern void slapi_pblock_set_flag_operation_notes(Slapi_PBlock *pb, uint32_t opflag);
+#endif
+
/* PRE BIND Operation
*
* Used for:
--
2.44.0
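Review bot: The file-scope `extern` added here declares a symbol that 389-ds keeps out of its public slapi-plugin.h, so the prototype is no longer checked against the server's own declaration and a later signature change would surface only as a wrong-argument call at runtime. The configure test added in the earlier server.m4 patch (`AC_CHECK_DECL([SLAPI_OP_NOTE_MFA_AUTH] …)`) only proves the macro exists; adding a link test for `slapi_pblock_set_flag_operation_notes` (an `AC_CHECK_LIB`-style probe against the server library) would turn a missing export into a configure failure instead of a plugin that fails to load when ns-slapd dlopens it. A comment on the declaration naming the 389-ds version that introduced the function, as the commit message does, would also help the next reader judge the ABI assumption.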


@ -0,0 +1,53 @@
From e95201fe2f816fc5cc795793782ea71642994a94 Mon Sep 17 00:00:00 2001
From: Alexander Bokovoy <abokovoy@redhat.com>
Date: Mon, 11 Mar 2024 11:48:01 +0200
Subject: [PATCH] dcerpc: invalidate forest trust info cache when filtering out
realm domains
When get_realmdomains() method is called, it will filter out subdomains
of the IPA primary domain. This is required because Active Directory
domain controllers are assuming subdomains already covered by the main
domain namespace.
[MS-LSAD] 3.1.4.7.16.1, 'Forest Trust Collision Generation' defines the
method of validating the forest trust information. They are the same as
rules in [MS-ADTS] section 6.1.6. Specifically,
- A top-level name must not be superior to an enabled top-level name
for another trusted domain object, unless the current trusted domain
object has a corresponding exclusion record.
In practice, we filtered those subdomains already but the code wasn't
invalidating a previously retrieved forest trust information.
Fixes: https://pagure.io/freeipa/issue/9551
Signed-off-by: Alexander Bokovoy <abokovoy@redhat.com>
Reviewed-By: Florence Blanc-Renaud <flo@redhat.com>
---
ipaserver/dcerpc.py | 2 ++
1 file changed, 2 insertions(+)
diff --git a/ipaserver/dcerpc.py b/ipaserver/dcerpc.py
index ed9f0c0469d5f43da198c8447138530fb32c03c6..691da0332d60f51cd4e21e99625aa273be566baf 100644
--- a/ipaserver/dcerpc.py
+++ b/ipaserver/dcerpc.py
@@ -1103,6 +1103,7 @@ class TrustDomainInstance:
info.count = len(ftinfo_records)
info.entries = ftinfo_records
+ another_domain.ftinfo_data = info
return info
def clear_ftinfo_conflict(self, another_domain, cinfo):
@@ -1778,6 +1779,7 @@ class TrustDomainJoins:
return
self.local_domain.ftinfo_records = []
+ self.local_domain.ftinfo_data = None
realm_domains = self.api.Command.realmdomains_show()['result']
# Use realmdomains' modification timestamp
--
2.44.0
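Review bot: Both added lines mutate an undocumented cache attribute, `ftinfo_data`, and the reason for invalidating it lives only in the commit message; a reader of the second hunk cannot tell why `self.local_domain.ftinfo_data = None` must precede `realmdomains_show()`. Add a comment on that line such as `# Drop cached forest trust info: it is rebuilt after subdomains of the primary domain are filtered out, as [MS-ADTS] 6.1.6 requires`, and on the first hunk's `another_domain.ftinfo_data = info` a short `# cache the freshly built forest trust info`. Both enclosing methods start outside their hunks, so where `ftinfo_data` is first initialised cannot be confirmed from here.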


@ -0,0 +1,68 @@
From a1aa66dc59b55fef641dcf0539de0d3602f6a8a0 Mon Sep 17 00:00:00 2001
From: Sudhir Menon <sumenon@redhat.com>
Date: Wed, 20 Mar 2024 14:29:46 +0530
Subject: [PATCH] ipatests: Fixes for test_ipahealthcheck_ipansschainvalidation
testcases.
Currently the test is using IPA_NSSDB_PWDFILE_TXT which is /etc/ipa/nssdb/pwdfile.txt
which causes error in STIG mode.
[root@master slapd-TESTRELM-TEST]# certutil -M -n 'TESTRELM.TEST IPA CA' -t ',,' -d . -f /etc/ipa/nssdb/pwdfile.txt
Incorrect password/PIN entered.
Hence modified the test to include paths.ETC_DIRSRV_SLAPD_INSTANCE_TEMPLATE/pwd.txt.
Signed-off-by: Sudhir Menon <sumenon@redhat.com>
Reviewed-By: Florence Blanc-Renaud <flo@redhat.com>
Reviewed-By: Rob Crittenden <rcritten@redhat.com>
---
ipatests/test_integration/test_ipahealthcheck.py | 11 ++++++-----
1 file changed, 6 insertions(+), 5 deletions(-)
diff --git a/ipatests/test_integration/test_ipahealthcheck.py b/ipatests/test_integration/test_ipahealthcheck.py
index 7323b073273bd95d7b62d19fd5afe03edb2a21da..7e8f7da3664a88f927ff80ae222780156676c40b 100644
--- a/ipatests/test_integration/test_ipahealthcheck.py
+++ b/ipatests/test_integration/test_ipahealthcheck.py
@@ -2766,17 +2766,18 @@ class TestIpaHealthCheckWithExternalCA(IntegrationTest):
Fixture to remove Server cert and revert the change.
"""
instance = realm_to_serverid(self.master.domain.realm)
+ instance_dir = paths.ETC_DIRSRV_SLAPD_INSTANCE_TEMPLATE % instance
self.master.run_command(
[
"certutil",
"-L",
"-d",
- paths.ETC_DIRSRV_SLAPD_INSTANCE_TEMPLATE % instance,
+ instance_dir,
"-n",
"Server-Cert",
"-a",
"-o",
- paths.ETC_DIRSRV_SLAPD_INSTANCE_TEMPLATE % instance
+ instance_dir
+ "/Server-Cert.pem",
]
)
@@ -2795,15 +2796,15 @@ class TestIpaHealthCheckWithExternalCA(IntegrationTest):
[
"certutil",
"-d",
- paths.ETC_DIRSRV_SLAPD_INSTANCE_TEMPLATE % instance,
+ instance_dir,
"-A",
"-i",
- paths.ETC_DIRSRV_SLAPD_INSTANCE_TEMPLATE % instance
+ instance_dir
+ "/Server-Cert.pem",
"-t",
"u,u,u",
"-f",
- paths.IPA_NSSDB_PWDFILE_TXT,
+ "%s/pwdfile.txt" % instance_dir,
"-n",
"Server-Cert",
]
--
2.44.0
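Review bot: The password file used in the second hunk, `"%s/pwdfile.txt" % instance_dir`, does not match the patch description, which says the test was changed to use `pwd.txt` under the instance directory; one of the two is wrong and a reader verifying the STIG-mode fix will be sent to the wrong file name, so the description should be corrected to name the file the code actually opens. As a style point, the hunk builds the same directory's paths three ways (`instance_dir + "/Server-Cert.pem"`, `"%s/pwdfile.txt" % instance_dir`); naming them once, e.g. `server_cert = instance_dir + "/Server-Cert.pem"` and `pwdfile = instance_dir + "/pwdfile.txt"`, keeps the two certutil invocations consistent. The enclosing fixture starts outside the first hunk.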


@ -223,7 +223,7 @@
Name: %{package_name}
Version: %{IPA_VERSION}
Release: 9%{?rc_version:.%rc_version}%{?dist}
Release: 10%{?rc_version:.%rc_version}%{?dist}
Summary: The Identity, Policy and Audit system
License: GPL-3.0-or-later
@ -309,6 +309,11 @@ Patch0059: 0059-ipa-kdb-Fix-double-free-in-ipadb_reinit_mspac.patch
Patch0060: 0060-rpcserver-validate-Kerberos-principal-name-before-ru.patch
Patch0061: 0061-validate_principal-Don-t-try-to-verify-that-the-real.patch
Patch0062: 0062-Vault-add-additional-fallback-to-RSA-OAEP-wrapping-a.patch
Patch0063: 0063-ipa-pwd-extop-allow-enforcing-2FA-only-over-LDAP-bin.patch
Patch0064: 0064-ipa-pwd-extop-add-MFA-note-in-case-of-a-successful-L.patch
Patch0065: 0065-ipa-pwd-extop-declare-operation-notes-support-from-3.patch
Patch0066: 0066-dcerpc-invalidate-forest-trust-info-cache-when-filte.patch
Patch0067: 0067-ipatests-Fixes-for-test_ipahealthcheck_ipansschainva.patch
Patch1001: 1001-Change-branding-to-IPA-and-Identity-Management.patch
%endif
%endif
@ -1801,6 +1806,11 @@ fi
%endif
%changelog
* Fri Mar 29 2024 Florence Blanc-Renaud <flo@redhat.com> - 4.11.0-10
- Resolves: RHEL-23377 Enforce OTP for ldap bind (in some scenarios)
- Resolves: RHEL-29745 Unable to re-add broken AD trust - NT_STATUS_INVALID_PARAMETER
- Resolves: RHEL-30905 Backport latest test fixes in ipa
* Thu Mar 07 2024 Florence Blanc-Renaud <flo@redhat.com> - 4.11.0-9
- Resolves: RHEL-28258 vault fails on non-fips client if server is in FIPS mode
- Resolves: RHEL-26154 ipa: freeipa: specially crafted HTTP requests potentially lead to DoS or data exposure