ipa-4.11.0-10
- Resolves: RHEL-23377 Enforce OTP for ldap bind (in some scenarios) - Resolves: RHEL-29745 Unable to re-add broken AD trust - NT_STATUS_INVALID_PARAMETER - Resolves: RHEL-30905 Backport latest test fixes in ipa
parent
0c468af06a
commit
7507e52258
294
0063-ipa-pwd-extop-allow-enforcing-2FA-only-over-LDAP-bin.patch
@ -0,0 +1,294 @@
|
||||
From 82eca6c0a994c4db8f85ea0d5c012cd4d80edefe Mon Sep 17 00:00:00 2001
|
||||
From: Alexander Bokovoy <abokovoy@redhat.com>
|
||||
Date: Tue, 30 Jan 2024 11:17:27 +0200
|
||||
Subject: [PATCH] ipa-pwd-extop: allow enforcing 2FA-only over LDAP bind
|
||||
|
||||
When authentication indicators were introduced in 2016, ipa-pwd-extop
|
||||
plugin gained ability to reject LDAP BIND when an LDAP client insists
|
||||
the authentication must use an OTP token. This is used by ipa-otpd to
|
||||
ensure Kerberos authentication using OTP method is done with at least
|
||||
two factors (the token and the password).
|
||||
|
||||
This enfrocement is only possible when an LDAP client sends the LDAP
|
||||
control. There are cases when LDAP clients cannot be configured to send
|
||||
a custom LDAP control during BIND operation. For these clients an LDAP
|
||||
BIND against an account that only has password and no valid token would
|
||||
succeed even if admins intend it to fail.
|
||||
|
||||
Ability to do LDAP BIND without a token was added to allow users to add
|
||||
their own OTP tokens securely. If administrators require full
|
||||
enforcement over LDAP BIND, it is cannot be achieved with LDAP without
|
||||
sending the LDAP control to do so.
|
||||
|
||||
Add IPA configuration string, EnforceLDAPOTP, to allow administrators to
|
||||
prevent LDAP BIND with a password only if user is required to have OTP
|
||||
tokens. With this configuration enabled, it will be not possible for
|
||||
users to add OTP token if one is missing, thus ensuring no user can
|
||||
authenticate without OTP and admins will have to add initial OTP tokens
|
||||
to users explicitly.
|
||||
|
||||
Fixes: https://pagure.io/freeipa/issue/5169
|
||||
|
||||
Signed-off-by: Alexander Bokovoy <abokovoy@redhat.com>
|
||||
Reviewed-By: Florence Blanc-Renaud <flo@redhat.com>
|
||||
---
|
||||
API.txt | 2 +-
|
||||
.../ipa-slapi-plugins/ipa-pwd-extop/common.c | 47 +++++++++++++------
|
||||
.../ipa-slapi-plugins/ipa-pwd-extop/ipapwd.h | 2 +
|
||||
.../ipa-slapi-plugins/ipa-pwd-extop/prepost.c | 14 ++++++
|
||||
doc/api/config_mod.md | 2 +-
|
||||
ipaserver/plugins/config.py | 3 +-
|
||||
ipatests/test_integration/test_otp.py | 46 ++++++++++++++++++
|
||||
7 files changed, 98 insertions(+), 18 deletions(-)
|
||||
|
||||
diff --git a/API.txt b/API.txt
|
||||
index 7d91077fc340ababee5c9a4b8a695290728b9135..5ed1f5327d9154bf2b301a781b723213c7677ed9 100644
|
||||
--- a/API.txt
|
||||
+++ b/API.txt
|
||||
@@ -1082,7 +1082,7 @@ option: Flag('all', autofill=True, cli_name='all', default=False)
|
||||
option: Str('ca_renewal_master_server?', autofill=False)
|
||||
option: Str('delattr*', cli_name='delattr')
|
||||
option: Flag('enable_sid?', autofill=True, default=False)
|
||||
-option: StrEnum('ipaconfigstring*', autofill=False, cli_name='ipaconfigstring', values=[u'AllowNThash', u'KDC:Disable Last Success', u'KDC:Disable Lockout', u'KDC:Disable Default Preauth for SPNs'])
|
||||
+option: StrEnum('ipaconfigstring*', autofill=False, cli_name='ipaconfigstring', values=[u'AllowNThash', u'KDC:Disable Last Success', u'KDC:Disable Lockout', u'KDC:Disable Default Preauth for SPNs', u'EnforceLDAPOTP'])
|
||||
option: Str('ipadefaultemaildomain?', autofill=False, cli_name='emaildomain')
|
||||
option: Str('ipadefaultloginshell?', autofill=False, cli_name='defaultshell')
|
||||
option: Str('ipadefaultprimarygroup?', autofill=False, cli_name='defaultgroup')
|
||||
diff --git a/daemons/ipa-slapi-plugins/ipa-pwd-extop/common.c b/daemons/ipa-slapi-plugins/ipa-pwd-extop/common.c
|
||||
index d30764bb2a05c7ca4a33ea114a2dc19af39e216f..1355f20d3ab990c81b5b41875d659a9bc9f97085 100644
|
||||
--- a/daemons/ipa-slapi-plugins/ipa-pwd-extop/common.c
|
||||
+++ b/daemons/ipa-slapi-plugins/ipa-pwd-extop/common.c
|
||||
@@ -83,6 +83,7 @@ static struct ipapwd_krbcfg *ipapwd_getConfig(void)
|
||||
char *tmpstr;
|
||||
int ret;
|
||||
size_t i;
|
||||
+ bool fips_enabled = false;
|
||||
|
||||
config = calloc(1, sizeof(struct ipapwd_krbcfg));
|
||||
if (!config) {
|
||||
@@ -241,28 +242,35 @@ static struct ipapwd_krbcfg *ipapwd_getConfig(void)
|
||||
config->allow_nt_hash = false;
|
||||
if (ipapwd_fips_enabled()) {
|
||||
LOG("FIPS mode is enabled, NT hashes are not allowed.\n");
|
||||
+ fips_enabled = true;
|
||||
+ }
|
||||
+
|
||||
+ sdn = slapi_sdn_new_dn_byval(ipa_etc_config_dn);
|
||||
+ ret = ipapwd_getEntry(sdn, &config_entry, NULL);
|
||||
+ slapi_sdn_free(&sdn);
|
||||
+ if (ret != LDAP_SUCCESS) {
|
||||
+ LOG_FATAL("No config Entry?\n");
|
||||
+ goto free_and_error;
|
||||
} else {
|
||||
- sdn = slapi_sdn_new_dn_byval(ipa_etc_config_dn);
|
||||
- ret = ipapwd_getEntry(sdn, &config_entry, NULL);
|
||||
- slapi_sdn_free(&sdn);
|
||||
- if (ret != LDAP_SUCCESS) {
|
||||
- LOG_FATAL("No config Entry?\n");
|
||||
- goto free_and_error;
|
||||
- } else {
|
||||
- tmparray = slapi_entry_attr_get_charray(config_entry,
|
||||
- "ipaConfigString");
|
||||
- for (i = 0; tmparray && tmparray[i]; i++) {
|
||||
+ tmparray = slapi_entry_attr_get_charray(config_entry,
|
||||
+ "ipaConfigString");
|
||||
+ for (i = 0; tmparray && tmparray[i]; i++) {
|
||||
+ if (strcasecmp(tmparray[i], "EnforceLDAPOTP") == 0) {
|
||||
+ config->enforce_ldap_otp = true;
|
||||
+ continue;
|
||||
+ }
|
||||
+ if (!fips_enabled) {
|
||||
if (strcasecmp(tmparray[i], "AllowNThash") == 0) {
|
||||
config->allow_nt_hash = true;
|
||||
continue;
|
||||
}
|
||||
}
|
||||
- if (tmparray) slapi_ch_array_free(tmparray);
|
||||
}
|
||||
-
|
||||
- slapi_entry_free(config_entry);
|
||||
+ if (tmparray) slapi_ch_array_free(tmparray);
|
||||
}
|
||||
|
||||
+ slapi_entry_free(config_entry);
|
||||
+
|
||||
return config;
|
||||
|
||||
free_and_error:
|
||||
@@ -571,6 +579,13 @@ int ipapwd_gen_checks(Slapi_PBlock *pb, char **errMesg,
|
||||
rc = LDAP_OPERATIONS_ERROR;
|
||||
}
|
||||
|
||||
+ /* do not return the master key if asked */
|
||||
+ if (check_flags & IPAPWD_CHECK_ONLY_CONFIG) {
|
||||
+ free((*config)->kmkey->contents);
|
||||
+ free((*config)->kmkey);
|
||||
+ (*config)->kmkey = NULL;
|
||||
+ }
|
||||
+
|
||||
done:
|
||||
return rc;
|
||||
}
|
||||
@@ -1103,8 +1118,10 @@ void free_ipapwd_krbcfg(struct ipapwd_krbcfg **cfg)
|
||||
|
||||
krb5_free_default_realm(c->krbctx, c->realm);
|
||||
krb5_free_context(c->krbctx);
|
||||
- free(c->kmkey->contents);
|
||||
- free(c->kmkey);
|
||||
+ if (c->kmkey) {
|
||||
+ free(c->kmkey->contents);
|
||||
+ free(c->kmkey);
|
||||
+ }
|
||||
free(c->supp_encsalts);
|
||||
free(c->pref_encsalts);
|
||||
slapi_ch_array_free(c->passsync_mgrs);
|
||||
diff --git a/daemons/ipa-slapi-plugins/ipa-pwd-extop/ipapwd.h b/daemons/ipa-slapi-plugins/ipa-pwd-extop/ipapwd.h
|
||||
index 79606a8c795d166590c4655f9021aa414c3684d9..97697000674d8fbbe3a924af63261482db173852 100644
|
||||
--- a/daemons/ipa-slapi-plugins/ipa-pwd-extop/ipapwd.h
|
||||
+++ b/daemons/ipa-slapi-plugins/ipa-pwd-extop/ipapwd.h
|
||||
@@ -70,6 +70,7 @@
|
||||
|
||||
#define IPAPWD_CHECK_CONN_SECURE 0x00000001
|
||||
#define IPAPWD_CHECK_DN 0x00000002
|
||||
+#define IPAPWD_CHECK_ONLY_CONFIG 0x00000004
|
||||
|
||||
#define IPA_CHANGETYPE_NORMAL 0
|
||||
#define IPA_CHANGETYPE_ADMIN 1
|
||||
@@ -109,6 +110,7 @@ struct ipapwd_krbcfg {
|
||||
char **passsync_mgrs;
|
||||
int num_passsync_mgrs;
|
||||
bool allow_nt_hash;
|
||||
+ bool enforce_ldap_otp;
|
||||
};
|
||||
|
||||
int ipapwd_entry_checks(Slapi_PBlock *pb, struct slapi_entry *e,
|
||||
diff --git a/daemons/ipa-slapi-plugins/ipa-pwd-extop/prepost.c b/daemons/ipa-slapi-plugins/ipa-pwd-extop/prepost.c
|
||||
index 6898e6596e1cbbb2cc69ba592401619ce86899d8..69023515018d522651bccb984ddd8e9174c22f59 100644
|
||||
--- a/daemons/ipa-slapi-plugins/ipa-pwd-extop/prepost.c
|
||||
+++ b/daemons/ipa-slapi-plugins/ipa-pwd-extop/prepost.c
|
||||
@@ -1431,6 +1431,7 @@ static int ipapwd_pre_bind(Slapi_PBlock *pb)
|
||||
"krbPasswordExpiration", "krblastpwchange",
|
||||
NULL
|
||||
};
|
||||
+ struct ipapwd_krbcfg *krbcfg = NULL;
|
||||
struct berval *credentials = NULL;
|
||||
Slapi_Entry *entry = NULL;
|
||||
Slapi_DN *target_sdn = NULL;
|
||||
@@ -1505,6 +1506,18 @@ static int ipapwd_pre_bind(Slapi_PBlock *pb)
|
||||
/* Try to do OTP first. */
|
||||
syncreq = otpctrl_present(pb, OTP_SYNC_REQUEST_OID);
|
||||
otpreq = otpctrl_present(pb, OTP_REQUIRED_OID);
|
||||
+ if (!syncreq && !otpreq) {
|
||||
+ ret = ipapwd_gen_checks(pb, &errMesg, &krbcfg, IPAPWD_CHECK_ONLY_CONFIG);
|
||||
+ if (ret != 0) {
|
||||
+ LOG_FATAL("ipapwd_gen_checks failed!?\n");
|
||||
+ slapi_entry_free(entry);
|
||||
+ slapi_sdn_free(&sdn);
|
||||
+ return 0;
|
||||
+ }
|
||||
+ if (krbcfg->enforce_ldap_otp) {
|
||||
+ otpreq = true;
|
||||
+ }
|
||||
+ }
|
||||
if (!syncreq && !ipapwd_pre_bind_otp(dn, entry, credentials, otpreq))
|
||||
goto invalid_creds;
|
||||
|
||||
@@ -1543,6 +1556,7 @@ static int ipapwd_pre_bind(Slapi_PBlock *pb)
|
||||
return 0;
|
||||
|
||||
invalid_creds:
|
||||
+ free_ipapwd_krbcfg(&krbcfg);
|
||||
slapi_entry_free(entry);
|
||||
slapi_sdn_free(&sdn);
|
||||
slapi_send_ldap_result(pb, rc, NULL, errMesg, 0, NULL);
|
||||
diff --git a/doc/api/config_mod.md b/doc/api/config_mod.md
|
||||
index c479a034416068c72c0d70deabb149acf8002e44..b3203c350605af5a386544c858a9a5f7f724342f 100644
|
||||
--- a/doc/api/config_mod.md
|
||||
+++ b/doc/api/config_mod.md
|
||||
@@ -27,7 +27,7 @@ No arguments.
|
||||
* ipauserobjectclasses : :ref:`Str<Str>`
|
||||
* ipapwdexpadvnotify : :ref:`Int<Int>`
|
||||
* ipaconfigstring : :ref:`StrEnum<StrEnum>`
|
||||
- * Values: ('AllowNThash', 'KDC:Disable Last Success', 'KDC:Disable Lockout', 'KDC:Disable Default Preauth for SPNs')
|
||||
+ * Values: ('AllowNThash', 'KDC:Disable Last Success', 'KDC:Disable Lockout', 'KDC:Disable Default Preauth for SPNs', 'EnforceLDAPOTP')
|
||||
* ipaselinuxusermaporder : :ref:`Str<Str>`
|
||||
* ipaselinuxusermapdefault : :ref:`Str<Str>`
|
||||
* ipakrbauthzdata : :ref:`StrEnum<StrEnum>`
|
||||
diff --git a/ipaserver/plugins/config.py b/ipaserver/plugins/config.py
|
||||
index eface545def441d1a6fe9bdb054ab62eaa6589d3..45bd0c108dc958e3e141055901ea3872bc30d511 100644
|
||||
--- a/ipaserver/plugins/config.py
|
||||
+++ b/ipaserver/plugins/config.py
|
||||
@@ -247,7 +247,8 @@ class config(LDAPObject):
|
||||
doc=_('Extra hashes to generate in password plug-in'),
|
||||
values=(u'AllowNThash',
|
||||
u'KDC:Disable Last Success', u'KDC:Disable Lockout',
|
||||
- u'KDC:Disable Default Preauth for SPNs'),
|
||||
+ u'KDC:Disable Default Preauth for SPNs',
|
||||
+ u'EnforceLDAPOTP'),
|
||||
),
|
||||
Str('ipaselinuxusermaporder',
|
||||
label=_('SELinux user map order'),
|
||||
diff --git a/ipatests/test_integration/test_otp.py b/ipatests/test_integration/test_otp.py
|
||||
index 8e2ea563f1190e39fab0cab2f54da1f382c29356..d2dfca4cbf8c60955e888b6f92bd88a2608bb265 100644
|
||||
--- a/ipatests/test_integration/test_otp.py
|
||||
+++ b/ipatests/test_integration/test_otp.py
|
||||
@@ -21,6 +21,9 @@ from ipaplatform.paths import paths
|
||||
from ipatests.pytest_ipa.integration import tasks
|
||||
from ipapython.dn import DN
|
||||
|
||||
+from ldap.controls.simple import BooleanControl
|
||||
+
|
||||
+from ipalib import errors
|
||||
|
||||
PASSWORD = "DummyPassword123"
|
||||
USER = "opttestuser"
|
||||
@@ -450,3 +453,46 @@ class TestOTPToken(IntegrationTest):
|
||||
assert "ipa-otpd" not in failed_services.stdout_text
|
||||
finally:
|
||||
del_otptoken(self.master, otpuid)
|
||||
+
|
||||
+ def test_totp_ldap(self):
|
||||
+ master = self.master
|
||||
+ basedn = master.domain.basedn
|
||||
+ USER1 = 'user-forced-otp'
|
||||
+ binddn = DN(f"uid={USER1},cn=users,cn=accounts,{basedn}")
|
||||
+
|
||||
+ tasks.create_active_user(master, USER1, PASSWORD)
|
||||
+ tasks.kinit_admin(master)
|
||||
+ # Enforce use of OTP token for this user
|
||||
+ master.run_command(['ipa', 'user-mod', USER1,
|
||||
+ '--user-auth-type=otp'])
|
||||
+ try:
|
||||
+ conn = master.ldap_connect()
|
||||
+ # First, attempt authenticating with a password but without LDAP
|
||||
+ # control to enforce OTP presence and without server-side
|
||||
+ # enforcement of the OTP presence check.
|
||||
+ conn.simple_bind(binddn, f"{PASSWORD}")
|
||||
+ # Add an OTP token now
|
||||
+ otpuid, totp = add_otptoken(master, USER1, otptype="totp")
|
||||
+ # Next, enforce Password+OTP for a user with OTP token
|
||||
+ master.run_command(['ipa', 'config-mod', '--addattr',
|
||||
+ 'ipaconfigstring=EnforceLDAPOTP'])
|
||||
+ # Next, authenticate with Password+OTP and with the LDAP control
|
||||
+ # this operation should succeed
|
||||
+ otpvalue = totp.generate(int(time.time())).decode("ascii")
|
||||
+ conn.simple_bind(binddn, f"{PASSWORD}{otpvalue}",
|
||||
+ client_controls=[
|
||||
+ BooleanControl(
|
||||
+ controlType="2.16.840.1.113730.3.8.10.7",
|
||||
+ booleanValue=True)])
|
||||
+ # Remove token
|
||||
+ del_otptoken(self.master, otpuid)
|
||||
+ # Now, try to authenticate without otp and without control
|
||||
+ # this operation should fail
|
||||
+ try:
|
||||
+ conn.simple_bind(binddn, f"{PASSWORD}")
|
||||
+ except errors.ACIError:
|
||||
+ pass
|
||||
+ master.run_command(['ipa', 'config-mod', '--delattr',
|
||||
+ 'ipaconfigstring=EnforceLDAPOTP'])
|
||||
+ finally:
|
||||
+ master.run_command(['ipa', 'user-del', USER1])
|
||||
--
|
||||
2.44.0
|
||||
|
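Review bot: The krbcfg that the new ipapwd_gen_checks() call allocates in ipapwd_pre_bind (prepost.c hunk at -1505) is released only on the invalid_creds path (the free_ipapwd_krbcfg() added at -1543); on the successful-bind path the function returns 0 after slapi_entry_free()/slapi_sdn_free() without freeing it, so every password-only bind that reaches this block leaks a krbcfg (including its krb5 context) in the long-running ns-slapd process. Add `free_ipapwd_krbcfg(&krbcfg);` next to the `slapi_entry_free(entry);` that precedes the successful `return 0;` as well; the call already runs with a possibly-NULL krbcfg at invalid_creds (controls present means it is never allocated), so it is safe there too. The `return 0;` taken when ipapwd_gen_checks() fails skips the OTP check entirely; if returning 0 from this pre-bind hook lets the bind continue to the backend's password check (the surrounding code is outside the hunk), a config-read failure disables the enforcement rather than rejecting the bind, so consider failing closed on that path. In the common.c hunk at -571, the new IPAPWD_CHECK_ONLY_CONFIG block dereferences `(*config)->kmkey` right after the branch that sets rc = LDAP_OPERATIONS_ERROR; if that branch can leave *config NULL without jumping to done (its condition is outside the hunk), guard the block with `*config != NULL`, matching the NULL check free_ipapwd_krbcfg() now performs on kmkey. Both enclosing functions start and end outside their hunks.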
@ -0,0 +1,63 @@
|
||||
From a319811747b44dc9b06294df0270b17dbd2b2026 Mon Sep 17 00:00:00 2001
|
||||
From: Alexander Bokovoy <abokovoy@redhat.com>
|
||||
Date: Sat, 2 Mar 2024 09:31:46 +0200
|
||||
Subject: [PATCH] ipa-pwd-extop: add MFA note in case of a successful LDAP bind
|
||||
with OTP
|
||||
|
||||
In case there is a successful OTP authentication attempt, register it as
|
||||
an operation note on the BIND operation in LDAP. 389-ds then will print
|
||||
a multi-factor authentication note in both access and security logs
|
||||
according to https://www.port389.org/docs/389ds/design/mfa-operation-note-design.html
|
||||
|
||||
Fixes: https://pagure.io/freeipa/issue/5169
|
||||
|
||||
Signed-off-by: Alexander Bokovoy <abokovoy@redhat.com>
|
||||
Reviewed-By: Florence Blanc-Renaud <flo@redhat.com>
|
||||
---
|
||||
daemons/ipa-slapi-plugins/ipa-pwd-extop/prepost.c | 10 ++++++++++
|
||||
server.m4 | 8 ++++++++
|
||||
2 files changed, 18 insertions(+)
|
||||
|
||||
diff --git a/daemons/ipa-slapi-plugins/ipa-pwd-extop/prepost.c b/daemons/ipa-slapi-plugins/ipa-pwd-extop/prepost.c
|
||||
index 69023515018d522651bccb984ddd8e9174c22f59..43a7f54778382edd66da8f18c20de443ed98ab3d 100644
|
||||
--- a/daemons/ipa-slapi-plugins/ipa-pwd-extop/prepost.c
|
||||
+++ b/daemons/ipa-slapi-plugins/ipa-pwd-extop/prepost.c
|
||||
@@ -1551,6 +1551,16 @@ static int ipapwd_pre_bind(Slapi_PBlock *pb)
|
||||
/* Attempt to write out kerberos keys for the user. */
|
||||
ipapwd_write_krb_keys(pb, discard_const(dn), entry, credentials);
|
||||
|
||||
+#ifdef USE_OP_NOTE_MFA_AUTH
|
||||
+ /* If it was a successful authentication with OTP required, mark it
|
||||
+ * for access log to notice multi-factor authentication has happened
|
||||
+ * https://www.port389.org/docs/389ds/design/mfa-operation-note-design.html
|
||||
+ */
|
||||
+ if (!syncreq && otpreq) {
|
||||
+ slapi_pblock_set_flag_operation_notes(pb, SLAPI_OP_NOTE_MFA_AUTH);
|
||||
+ }
|
||||
+#endif
|
||||
+
|
||||
slapi_entry_free(entry);
|
||||
slapi_sdn_free(&sdn);
|
||||
return 0;
|
||||
diff --git a/server.m4 b/server.m4
|
||||
index f97ceddea0388067f4353fd9a03a5e5d27b1672b..4918edc762ef9987625a10348bd4bad59ed9beb3 100644
|
||||
--- a/server.m4
|
||||
+++ b/server.m4
|
||||
@@ -31,6 +31,14 @@ PKG_CHECK_MODULES([DIRSRV], [dirsrv >= 1.3.0])
|
||||
# slapi-plugin.h includes nspr.h
|
||||
DIRSRV_CFLAGS="$DIRSRV_CFLAGS $NSPR_CFLAGS"
|
||||
|
||||
+bck_cflags="$CFLAGS"
|
||||
+CFLAGS="$CFLAGS $DIRSRV_CFLAGS"
|
||||
+AC_CHECK_DECL([SLAPI_OP_NOTE_MFA_AUTH], [
|
||||
+ AC_DEFINE(USE_OP_NOTE_MFA_AUTH,1,
|
||||
+ [Use LDAP operation note for multi-factor LDAP BIND])],
|
||||
+ [], [[#include <dirsrv/slapi-plugin.h>]])
|
||||
+CFLAGS="$bck_cflags"
|
||||
+
|
||||
dnl -- sss_idmap is needed by the extdom exop --
|
||||
PKG_CHECK_MODULES([SSSIDMAP], [sss_idmap])
|
||||
PKG_CHECK_MODULES([SSSNSSIDMAP], [sss_nss_idmap >= 1.15.2])
|
||||
--
|
||||
2.44.0
|
||||
|
@ -0,0 +1,42 @@
|
||||
From db804280eff7ab7dea50c797c3c951ae790af2e2 Mon Sep 17 00:00:00 2001
|
||||
From: Alexander Bokovoy <abokovoy@redhat.com>
|
||||
Date: Thu, 14 Mar 2024 12:19:12 +0200
|
||||
Subject: [PATCH] ipa-pwd-extop: declare operation notes support from 389-ds
|
||||
locally
|
||||
|
||||
The function slapi_pblock_set_flag_operation_notes(); is defined in
|
||||
ldap/servers/slapd/pblock.c in 389-ds but is only available through
|
||||
slapi-private.h header, not through slapi-plugin.h public API.
|
||||
|
||||
It was introduced in ~1.4.1.7 (~2019) via https://pagure.io/389-ds-base/issue/50349.
|
||||
|
||||
Since we only use it with an MFA note, all versions of the 389-ds that
|
||||
will support MFA note will have this function.
|
||||
|
||||
Fixes: https://pagure.io/freeipa/issue/9554
|
||||
|
||||
Signed-off-by: Alexander Bokovoy <abokovoy@redhat.com>
|
||||
Reviewed-By: Florence Blanc-Renaud <flo@redhat.com>
|
||||
---
|
||||
daemons/ipa-slapi-plugins/ipa-pwd-extop/prepost.c | 5 +++++
|
||||
1 file changed, 5 insertions(+)
|
||||
|
||||
diff --git a/daemons/ipa-slapi-plugins/ipa-pwd-extop/prepost.c b/daemons/ipa-slapi-plugins/ipa-pwd-extop/prepost.c
|
||||
index 43a7f54778382edd66da8f18c20de443ed98ab3d..cc170fc4b81f8ecad88f4ff4401b5651c43aaf55 100644
|
||||
--- a/daemons/ipa-slapi-plugins/ipa-pwd-extop/prepost.c
|
||||
+++ b/daemons/ipa-slapi-plugins/ipa-pwd-extop/prepost.c
|
||||
@@ -1414,6 +1414,11 @@ done:
|
||||
}
|
||||
|
||||
|
||||
+#ifdef USE_OP_NOTE_MFA_AUTH
|
||||
+/* defined in ldap/servers/slapd/pblock.c in 389-ds but not exposed via slapi-plugin.h */
|
||||
+extern void slapi_pblock_set_flag_operation_notes(Slapi_PBlock *pb, uint32_t opflag);
|
||||
+#endif
|
||||
+
|
||||
/* PRE BIND Operation
|
||||
*
|
||||
* Used for:
|
||||
--
|
||||
2.44.0
|
||||
|
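Review bot: The extern prototype added before the PRE BIND comment in prepost.c (hunk at -1414) re-declares a 389-ds function that slapi-plugin.h does not export, while the configure test in the preceding patch (AC_CHECK_DECL on SLAPI_OP_NOTE_MFA_AUTH in server.m4) only proves the constant is declared, not that the installed libslapd exports this symbol with this signature. A 389-ds build that declares the constant but renames, hides or re-types the function would still compile here and then fail when ns-slapd loads the plugin (unresolved symbol) or misbehave on a signature mismatch. Consider adding a link-time check for slapi_pblock_set_flag_operation_notes next to the AC_CHECK_DECL, or extending the comment to state the 389-ds version range against which the prototype was verified, e.g. `/* private 389-ds API (pblock.c); prototype verified against 389-ds >= <version placeholder> */`.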
@ -0,0 +1,53 @@
|
||||
From e95201fe2f816fc5cc795793782ea71642994a94 Mon Sep 17 00:00:00 2001
|
||||
From: Alexander Bokovoy <abokovoy@redhat.com>
|
||||
Date: Mon, 11 Mar 2024 11:48:01 +0200
|
||||
Subject: [PATCH] dcerpc: invalidate forest trust info cache when filtering out
|
||||
realm domains
|
||||
|
||||
When get_realmdomains() method is called, it will filter out subdomains
|
||||
of the IPA primary domain. This is required because Active Directory
|
||||
domain controllers are assuming subdomains already covered by the main
|
||||
domain namespace.
|
||||
|
||||
[MS-LSAD] 3.1.4.7.16.1, 'Forest Trust Collision Generation' defines the
|
||||
method of validating the forest trust information. They are the same as
|
||||
rules in [MS-ADTS] section 6.1.6. Specifically,
|
||||
|
||||
- A top-level name must not be superior to an enabled top-level name
|
||||
for another trusted domain object, unless the current trusted domain
|
||||
object has a corresponding exclusion record.
|
||||
|
||||
In practice, we filtered those subdomains already but the code wasn't
|
||||
invalidating a previously retrieved forest trust information.
|
||||
|
||||
Fixes: https://pagure.io/freeipa/issue/9551
|
||||
|
||||
Signed-off-by: Alexander Bokovoy <abokovoy@redhat.com>
|
||||
Reviewed-By: Florence Blanc-Renaud <flo@redhat.com>
|
||||
---
|
||||
ipaserver/dcerpc.py | 2 ++
|
||||
1 file changed, 2 insertions(+)
|
||||
|
||||
diff --git a/ipaserver/dcerpc.py b/ipaserver/dcerpc.py
|
||||
index ed9f0c0469d5f43da198c8447138530fb32c03c6..691da0332d60f51cd4e21e99625aa273be566baf 100644
|
||||
--- a/ipaserver/dcerpc.py
|
||||
+++ b/ipaserver/dcerpc.py
|
||||
@@ -1103,6 +1103,7 @@ class TrustDomainInstance:
|
||||
|
||||
info.count = len(ftinfo_records)
|
||||
info.entries = ftinfo_records
|
||||
+ another_domain.ftinfo_data = info
|
||||
return info
|
||||
|
||||
def clear_ftinfo_conflict(self, another_domain, cinfo):
|
||||
@@ -1778,6 +1779,7 @@ class TrustDomainJoins:
|
||||
return
|
||||
|
||||
self.local_domain.ftinfo_records = []
|
||||
+ self.local_domain.ftinfo_data = None
|
||||
|
||||
realm_domains = self.api.Command.realmdomains_show()['result']
|
||||
# Use realmdomains' modification timestamp
|
||||
--
|
||||
2.44.0
|
||||
|
@ -0,0 +1,68 @@
|
||||
From a1aa66dc59b55fef641dcf0539de0d3602f6a8a0 Mon Sep 17 00:00:00 2001
|
||||
From: Sudhir Menon <sumenon@redhat.com>
|
||||
Date: Wed, 20 Mar 2024 14:29:46 +0530
|
||||
Subject: [PATCH] ipatests: Fixes for test_ipahealthcheck_ipansschainvalidation
|
||||
testcases.
|
||||
|
||||
Currently the test is using IPA_NSSDB_PWDFILE_TXT which is /etc/ipa/nssdb/pwdfile.txt
|
||||
which causes error in STIG mode.
|
||||
|
||||
[root@master slapd-TESTRELM-TEST]# certutil -M -n 'TESTRELM.TEST IPA CA' -t ',,' -d . -f /etc/ipa/nssdb/pwdfile.txt
|
||||
Incorrect password/PIN entered.
|
||||
|
||||
Hence modified the test to include paths.ETC_DIRSRV_SLAPD_INSTANCE_TEMPLATE/pwd.txt.
|
||||
|
||||
Signed-off-by: Sudhir Menon <sumenon@redhat.com>
|
||||
Reviewed-By: Florence Blanc-Renaud <flo@redhat.com>
|
||||
Reviewed-By: Rob Crittenden <rcritten@redhat.com>
|
||||
---
|
||||
ipatests/test_integration/test_ipahealthcheck.py | 11 ++++++-----
|
||||
1 file changed, 6 insertions(+), 5 deletions(-)
|
||||
|
||||
diff --git a/ipatests/test_integration/test_ipahealthcheck.py b/ipatests/test_integration/test_ipahealthcheck.py
|
||||
index 7323b073273bd95d7b62d19fd5afe03edb2a21da..7e8f7da3664a88f927ff80ae222780156676c40b 100644
|
||||
--- a/ipatests/test_integration/test_ipahealthcheck.py
|
||||
+++ b/ipatests/test_integration/test_ipahealthcheck.py
|
||||
@@ -2766,17 +2766,18 @@ class TestIpaHealthCheckWithExternalCA(IntegrationTest):
|
||||
Fixture to remove Server cert and revert the change.
|
||||
"""
|
||||
instance = realm_to_serverid(self.master.domain.realm)
|
||||
+ instance_dir = paths.ETC_DIRSRV_SLAPD_INSTANCE_TEMPLATE % instance
|
||||
self.master.run_command(
|
||||
[
|
||||
"certutil",
|
||||
"-L",
|
||||
"-d",
|
||||
- paths.ETC_DIRSRV_SLAPD_INSTANCE_TEMPLATE % instance,
|
||||
+ instance_dir,
|
||||
"-n",
|
||||
"Server-Cert",
|
||||
"-a",
|
||||
"-o",
|
||||
- paths.ETC_DIRSRV_SLAPD_INSTANCE_TEMPLATE % instance
|
||||
+ instance_dir
|
||||
+ "/Server-Cert.pem",
|
||||
]
|
||||
)
|
||||
@@ -2795,15 +2796,15 @@ class TestIpaHealthCheckWithExternalCA(IntegrationTest):
|
||||
[
|
||||
"certutil",
|
||||
"-d",
|
||||
- paths.ETC_DIRSRV_SLAPD_INSTANCE_TEMPLATE % instance,
|
||||
+ instance_dir,
|
||||
"-A",
|
||||
"-i",
|
||||
- paths.ETC_DIRSRV_SLAPD_INSTANCE_TEMPLATE % instance
|
||||
+ instance_dir
|
||||
+ "/Server-Cert.pem",
|
||||
"-t",
|
||||
"u,u,u",
|
||||
"-f",
|
||||
- paths.IPA_NSSDB_PWDFILE_TXT,
|
||||
+ "%s/pwdfile.txt" % instance_dir,
|
||||
"-n",
|
||||
"Server-Cert",
|
||||
]
|
||||
--
|
||||
2.44.0
|
||||
|
12
freeipa.spec
@ -223,7 +223,7 @@
|
||||
|
||||
Name: %{package_name}
|
||||
Version: %{IPA_VERSION}
|
||||
Release: 9%{?rc_version:.%rc_version}%{?dist}
|
||||
Release: 10%{?rc_version:.%rc_version}%{?dist}
|
||||
Summary: The Identity, Policy and Audit system
|
||||
|
||||
License: GPL-3.0-or-later
|
||||
@ -309,6 +309,11 @@ Patch0059: 0059-ipa-kdb-Fix-double-free-in-ipadb_reinit_mspac.patch
|
||||
Patch0060: 0060-rpcserver-validate-Kerberos-principal-name-before-ru.patch
|
||||
Patch0061: 0061-validate_principal-Don-t-try-to-verify-that-the-real.patch
|
||||
Patch0062: 0062-Vault-add-additional-fallback-to-RSA-OAEP-wrapping-a.patch
|
||||
Patch0063: 0063-ipa-pwd-extop-allow-enforcing-2FA-only-over-LDAP-bin.patch
|
||||
Patch0064: 0064-ipa-pwd-extop-add-MFA-note-in-case-of-a-successful-L.patch
|
||||
Patch0065: 0065-ipa-pwd-extop-declare-operation-notes-support-from-3.patch
|
||||
Patch0066: 0066-dcerpc-invalidate-forest-trust-info-cache-when-filte.patch
|
||||
Patch0067: 0067-ipatests-Fixes-for-test_ipahealthcheck_ipansschainva.patch
|
||||
Patch1001: 1001-Change-branding-to-IPA-and-Identity-Management.patch
|
||||
%endif
|
||||
%endif
|
||||
@ -1801,6 +1806,11 @@ fi
|
||||
%endif
|
||||
|
||||
%changelog
|
||||
* Fri Mar 29 2024 Florence Blanc-Renaud <flo@redhat.com> - 4.11.0-10
|
||||
- Resolves: RHEL-23377 Enforce OTP for ldap bind (in some scenarios)
|
||||
- Resolves: RHEL-29745 Unable to re-add broken AD trust - NT_STATUS_INVALID_PARAMETER
|
||||
- Resolves: RHEL-30905 Backport latest test fixes in ipa
|
||||
|
||||
* Thu Mar 07 2024 Florence Blanc-Renaud <flo@redhat.com> - 4.11.0-9
|
||||
- Resolves: RHEL-28258 vault fails on non-fips client if server is in FIPS mode
|
||||
- Resolves: RHEL-26154 ipa: freeipa: specially crafted HTTP requests potentially lead to DoS or data exposure
|
||||
|