rpms/ipa
7
0
Fork 0
Code Issues Pull Requests Releases Activity

import CS ipa-4.9.12-8.module_el8+672+ba1cd518

Browse Source
This commit is contained in:
eabdullin 2023-11-15 12:52:57 +00:00
parent 77e6c50e87
commit 7ee38917e2
27 changed files with 1885 additions and 603 deletions
Show Stats Download Patch File Download Diff File Expand all files Collapse all files

2
.gitignore vendored
View File

@ -1 +1 @@
SOURCES/freeipa-4.9.11.tar.gz SOURCES/freeipa-4.9.12.tar.gz

2
.ipa.metadata
View File

@ -1 +1 @@
4ef188d43f5f2a09e214dd2bae68595a5977bb61 SOURCES/freeipa-4.9.11.tar.gz ea6c8a209748b4ad8d07da556f705a366b3dd6c1 SOURCES/freeipa-4.9.12.tar.gz

41
SOURCES/0001-updates-fix-memberManager-ACI-to-allow-managers-from-a-specified-group_rhbz#2056009.patch
View File

@ -1,41 +0,0 @@
From 651e28c1fb6b86ad1fbd4ea98644e00b7042499c Mon Sep 17 00:00:00 2001
From: Alexander Bokovoy <abokovoy@redhat.com>
Date: Dec 02 2022 12:21:22 +0000
Subject: updates: fix memberManager ACI to allow managers from a specified group
The original implementation of the member manager added support for both
user and group managers but left out upgrade scenario. This means when
upgrading existing installation a manager whose rights defined by the
group membership would not be able to add group members until the ACI is
fixed.
Remove old ACI and add a full one during upgrade step.
Fixes: https://pagure.io/freeipa/issue/9286
Signed-off-by: Alexander Bokovoy <abokovoy@redhat.com>
Reviewed-By: Florence Blanc-Renaud <flo@redhat.com>
---
diff --git a/install/updates/20-aci.update b/install/updates/20-aci.update
index a168bb9..4a7ba13 100644
--- a/install/updates/20-aci.update
+++ b/install/updates/20-aci.update
@@ -141,11 +141,13 @@ add:aci:(targetattr = "usercertificate")(version 3.0;acl "selfservice:Users can
# Allow member managers to modify members of user groups
dn: cn=groups,cn=accounts,$SUFFIX
-add:aci: (targetattr = "member")(targetfilter = "(objectclass=ipaUserGroup)")(version 3.0; acl "Allow member managers to modify members of user groups"; allow (write) userattr = "memberManager#USERDN";)
+remove:aci: (targetattr = "member")(targetfilter = "(objectclass=ipaUserGroup)")(version 3.0; acl "Allow member managers to modify members of user groups"; allow (write) userattr = "memberManager#USERDN";)
+add:aci: (targetattr = "member")(targetfilter = "(objectclass=ipaUserGroup)")(version 3.0; acl "Allow member managers to modify members of user groups"; allow (write) userattr = "memberManager#USERDN" or userattr = "memberManager#GROUPDN";)
# Allow member managers to modify members of host groups
dn: cn=hostgroups,cn=accounts,$SUFFIX
-add:aci: (targetattr = "member")(targetfilter = "(objectclass=ipaHostGroup)")(version 3.0; acl "Allow member managers to modify members of host groups"; allow (write) userattr = "memberManager#USERDN";)
+remove:aci: (targetattr = "member")(targetfilter = "(objectclass=ipaHostGroup)")(version 3.0; acl "Allow member managers to modify members of host groups"; allow (write) userattr = "memberManager#USERDN";)
+add:aci: (targetattr = "member")(targetfilter = "(objectclass=ipaHostGroup)")(version 3.0; acl "Allow member managers to modify members of host groups"; allow (write) userattr = "memberManager#USERDN" or userattr = "memberManager#GROUPDN";)
# Hosts can add and delete their own services
dn: cn=services,cn=accounts,$SUFFIX

261
SOURCES/0001-user-or-group-name-explain-the-supported-format_rhbz#2150217.patch Normal file
View File

@ -0,0 +1,261 @@
From f42a106e84c1fd609350da2540289ce945a7ecbd Mon Sep 17 00:00:00 2001
From: Florence Blanc-Renaud <flo@redhat.com>
Date: Thu, 11 May 2023 10:53:58 +0200
Subject: [PATCH] user or group name: explain the supported format
The commands ipa user-add or ipa group-add validate the
format of the user/group name and display the following
message when it does not conform to the expectations:
invalid 'login': may only include letters, numbers, _, -, . and $
The format is more complex, for instance '1234567' is an invalid
user name but the failure is inconsistent with the error message.
Modify the error message to point to ipa help user/group and add
more details in the help message.
Same change for idoverrideuser and idoverridegroup:
The user/group name must follow these rules:
- cannot contain only numbers
- must start with a letter, a number, _ or .
- may contain letters, numbers, _, ., or -
- may end with a letter, a number, _, ., - or $
Fixes: https://bugzilla.redhat.com/show_bug.cgi?id=2150217
Signed-off-by: Florence Blanc-Renaud <flo@redhat.com>
Reviewed-By: Rafael Guterres Jeffman <rjeffman@redhat.com>
Reviewed-By: Alexander Bokovoy <abbra@users.noreply.github.com>
Reviewed-By: Rob Crittenden <rcritten@redhat.com>
---
ipalib/constants.py | 5 +++++
ipaserver/plugins/baseuser.py | 2 +-
ipaserver/plugins/group.py | 10 ++++++++--
ipaserver/plugins/idviews.py | 5 +++--
ipaserver/plugins/stageuser.py | 6 ++++++
ipaserver/plugins/user.py | 6 ++++++
ipatests/test_xmlrpc/test_group_plugin.py | 5 +++--
ipatests/test_xmlrpc/test_stageuser_plugin.py | 3 ++-
ipatests/test_xmlrpc/test_user_plugin.py | 7 ++++---
9 files changed, 38 insertions(+), 11 deletions(-)
diff --git a/ipalib/constants.py b/ipalib/constants.py
index 4b759a573..104419bc2 100644
--- a/ipalib/constants.py
+++ b/ipalib/constants.py
@@ -319,6 +319,11 @@ MAXHOSTFQDNLEN = 253
PATTERN_GROUPUSER_NAME = (
'(?!^[0-9]+$)^[a-zA-Z0-9_.][a-zA-Z0-9_.-]*[a-zA-Z0-9_.$-]?$'
)
+ERRMSG_GROUPUSER_NAME = (
+ 'may only include letters, numbers, _, -, . and $'
+ ', refer to \'ipa help {}\' for complete format '
+ 'description'
+)
# Kerberos Anonymous principal name
ANON_USER = 'WELLKNOWN/ANONYMOUS'
diff --git a/ipaserver/plugins/baseuser.py b/ipaserver/plugins/baseuser.py
index 684a65242..bae6c54ff 100644
--- a/ipaserver/plugins/baseuser.py
+++ b/ipaserver/plugins/baseuser.py
@@ -211,7 +211,7 @@ class baseuser(LDAPObject):
takes_params = (
Str('uid',
pattern=constants.PATTERN_GROUPUSER_NAME,
- pattern_errmsg='may only include letters, numbers, _, -, . and $',
+ pattern_errmsg=constants.ERRMSG_GROUPUSER_NAME.format('user'),
maxlength=255,
cli_name='login',
label=_('User login'),
diff --git a/ipaserver/plugins/group.py b/ipaserver/plugins/group.py
index afdad93c1..0333ed622 100644
--- a/ipaserver/plugins/group.py
+++ b/ipaserver/plugins/group.py
@@ -24,7 +24,7 @@ import logging
from ipalib import api
from ipalib import Int, Str, Flag
-from ipalib.constants import PATTERN_GROUPUSER_NAME
+from ipalib.constants import PATTERN_GROUPUSER_NAME, ERRMSG_GROUPUSER_NAME
from ipalib.plugable import Registry
from .baseldap import (
add_external_post_callback,
@@ -70,6 +70,12 @@ converted to non-POSIX groups.
Every group must have a description.
+The group name must follow these rules:
+- cannot contain only numbers
+- must start with a letter, a number, _ or .
+- may contain letters, numbers, _, ., or -
+- may end with a letter, a number, _, ., - or $
+
POSIX groups must have a Group ID (GID) number. Changing a GID is
supported but can have an impact on your file permissions. It is not necessary
to supply a GID when creating a group. IPA will generate one automatically
@@ -330,7 +336,7 @@ class group(LDAPObject):
takes_params = (
Str('cn',
pattern=PATTERN_GROUPUSER_NAME,
- pattern_errmsg='may only include letters, numbers, _, -, . and $',
+ pattern_errmsg=ERRMSG_GROUPUSER_NAME.format('group'),
maxlength=255,
cli_name='group_name',
label=_('Group name'),
diff --git a/ipaserver/plugins/idviews.py b/ipaserver/plugins/idviews.py
index 4f4b3a2f7..6a16884cf 100644
--- a/ipaserver/plugins/idviews.py
+++ b/ipaserver/plugins/idviews.py
@@ -37,6 +37,7 @@ from ipalib.constants import (
IPA_ANCHOR_PREFIX,
SID_ANCHOR_PREFIX,
PATTERN_GROUPUSER_NAME,
+ ERRMSG_GROUPUSER_NAME
)
from ipalib.plugable import Registry
from ipalib.util import (normalize_sshpubkey, validate_sshpubkey,
@@ -1025,7 +1026,7 @@ class idoverrideuser(baseidoverride):
takes_params = baseidoverride.takes_params + (
Str('uid?',
pattern=PATTERN_GROUPUSER_NAME,
- pattern_errmsg='may only include letters, numbers, _, -, . and $',
+ pattern_errmsg=ERRMSG_GROUPUSER_NAME.format('user'),
maxlength=255,
cli_name='login',
label=_('User login'),
@@ -1128,7 +1129,7 @@ class idoverridegroup(baseidoverride):
takes_params = baseidoverride.takes_params + (
Str('cn?',
pattern=PATTERN_GROUPUSER_NAME,
- pattern_errmsg='may only include letters, numbers, _, -, . and $',
+ pattern_errmsg=ERRMSG_GROUPUSER_NAME.format('group'),
maxlength=255,
cli_name='group_name',
label=_('Group name'),
diff --git a/ipaserver/plugins/stageuser.py b/ipaserver/plugins/stageuser.py
index 760dff7ab..51438a83a 100644
--- a/ipaserver/plugins/stageuser.py
+++ b/ipaserver/plugins/stageuser.py
@@ -94,6 +94,12 @@ usernames that start with a digit or usernames that exceed a certain length
may cause problems for some UNIX systems.
Use 'ipa config-mod' to change the username format allowed by IPA tools.
+The user name must follow these rules:
+- cannot contain only numbers
+- must start with a letter, a number, _ or .
+- may contain letters, numbers, _, ., or -
+- may end with a letter, a number, _, ., - or $
+
EXAMPLES:
diff --git a/ipaserver/plugins/user.py b/ipaserver/plugins/user.py
index fa8a67d3d..643b44f14 100644
--- a/ipaserver/plugins/user.py
+++ b/ipaserver/plugins/user.py
@@ -88,6 +88,12 @@ usernames that start with a digit or usernames that exceed a certain length
may cause problems for some UNIX systems.
Use 'ipa config-mod' to change the username format allowed by IPA tools.
+The user name must follow these rules:
+- cannot contain only numbers
+- must start with a letter, a number, _ or .
+- may contain letters, numbers, _, ., or -
+- may end with a letter, a number, _, ., - or $
+
Disabling a user account prevents that user from obtaining new Kerberos
credentials. It does not invalidate any credentials that have already
been issued.
diff --git a/ipatests/test_xmlrpc/test_group_plugin.py b/ipatests/test_xmlrpc/test_group_plugin.py
index f9a0e2cfe..27bc21fbc 100644
--- a/ipatests/test_xmlrpc/test_group_plugin.py
+++ b/ipatests/test_xmlrpc/test_group_plugin.py
@@ -25,6 +25,7 @@ Test the `ipaserver/plugins/group.py` module.
import pytest
from ipalib import errors
+from ipalib.constants import ERRMSG_GROUPUSER_NAME
from ipatests.test_xmlrpc import objectclasses
from ipatests.test_xmlrpc.xmlrpc_test import (
fuzzy_digits, fuzzy_uuid, fuzzy_set_ci,
@@ -169,7 +170,7 @@ class TestGroup(XMLRPC_test):
)
with raises_exact(errors.ValidationError(
name='group_name',
- error=u'may only include letters, numbers, _, -, . and $')):
+ error=ERRMSG_GROUPUSER_NAME.format('group'))):
command()
def test_create_with_name_starting_with_numeric(self):
@@ -188,7 +189,7 @@ class TestGroup(XMLRPC_test):
)
with raises_exact(errors.ValidationError(
name='group_name',
- error=u'may only include letters, numbers, _, -, . and $',
+ error=ERRMSG_GROUPUSER_NAME.format('group'),
)):
testgroup.create()
diff --git a/ipatests/test_xmlrpc/test_stageuser_plugin.py b/ipatests/test_xmlrpc/test_stageuser_plugin.py
index fd146876c..bd877aa94 100644
--- a/ipatests/test_xmlrpc/test_stageuser_plugin.py
+++ b/ipatests/test_xmlrpc/test_stageuser_plugin.py
@@ -12,6 +12,7 @@ import six
from collections import OrderedDict
from ipalib import api, errors
+from ipalib.constants import ERRMSG_GROUPUSER_NAME
from ipaplatform.constants import constants as platformconstants
from ipatests.test_xmlrpc.xmlrpc_test import XMLRPC_test, raises_exact
@@ -357,7 +358,7 @@ class TestCreateInvalidAttributes(XMLRPC_test):
command = invalid.make_create_command()
with raises_exact(errors.ValidationError(
name='login',
- error=u"may only include letters, numbers, _, -, . and $")):
+ error=ERRMSG_GROUPUSER_NAME.format('user'))):
command()
def test_create_long_uid(self):
diff --git a/ipatests/test_xmlrpc/test_user_plugin.py b/ipatests/test_xmlrpc/test_user_plugin.py
index c156a8793..eadfe6a65 100644
--- a/ipatests/test_xmlrpc/test_user_plugin.py
+++ b/ipatests/test_xmlrpc/test_user_plugin.py
@@ -31,6 +31,7 @@ import ldap
import re
from ipalib import api, errors
+from ipalib.constants import ERRMSG_GROUPUSER_NAME
from ipaplatform.constants import constants as platformconstants
from ipapython import ipautil
from ipatests.test_xmlrpc import objectclasses
@@ -502,7 +503,7 @@ class TestUpdate(XMLRPC_test):
)
with raises_exact(errors.ValidationError(
name='rename',
- error=u'may only include letters, numbers, _, -, . and $')):
+ error=ERRMSG_GROUPUSER_NAME.format('user'))):
command()
def test_add_radius_username(self, user):
@@ -556,7 +557,7 @@ class TestCreate(XMLRPC_test):
command = testuser.make_create_command()
with raises_exact(errors.ValidationError(
name=u'login',
- error=u'may only include letters, numbers, _, -, . and $')):
+ error=ERRMSG_GROUPUSER_NAME.format('user'))):
command()
def test_create_with_too_long_login(self):
@@ -730,7 +731,7 @@ class TestCreate(XMLRPC_test):
)
with raises_exact(errors.ValidationError(
name=u'login',
- error=u'may only include letters, numbers, _, -, . and $',
+ error=ERRMSG_GROUPUSER_NAME.format('user'),
)):
testuser.create()
--
2.40.1

242
SOURCES/0002-Use-the-python-cryptography-parser-directly-in-cert-find_rhbz#2164349.patch Normal file
View File

@ -0,0 +1,242 @@
From 9fe30f21c987bdccf80ef5f6d645fdc59b393bdb Mon Sep 17 00:00:00 2001
From: Rob Crittenden <rcritten@redhat.com>
Date: Jun 16 2023 19:09:52 +0000
Subject: Revert "Use the OpenSSL certificate parser in cert-find"
This reverts commit 191880bc9f77c3e8a3cecc82e6eea33ab5ad03e4.
The problem isn't with python-cryptography, it is with the
IPACertificate class which does way more work on a certificate
than is necessary in cert-find.
Related: https://pagure.io/freeipa/issue/9331
Reviewed-By: Florence Blanc-Renaud <frenaud@redhat.com>
---
diff --git a/freeipa.spec.in b/freeipa.spec.in
index f3380b4..2b18963 100755
--- a/freeipa.spec.in
+++ b/freeipa.spec.in
@@ -390,7 +390,6 @@ BuildRequires: python3-pylint
BuildRequires: python3-pytest-multihost
BuildRequires: python3-pytest-sourceorder
BuildRequires: python3-qrcode-core >= 5.0.0
-BuildRequires: python3-pyOpenSSL
BuildRequires: python3-samba
BuildRequires: python3-six
BuildRequires: python3-sss
@@ -862,7 +861,6 @@ Requires: python3-netifaces >= 0.10.4
Requires: python3-pyasn1 >= 0.3.2-2
Requires: python3-pyasn1-modules >= 0.3.2-2
Requires: python3-pyusb
-Requires: python3-pyOpenSSL
Requires: python3-qrcode-core >= 5.0.0
Requires: python3-requests
Requires: python3-six
diff --git a/ipaserver/plugins/cert.py b/ipaserver/plugins/cert.py
index cec3d93..88c6b62 100644
--- a/ipaserver/plugins/cert.py
+++ b/ipaserver/plugins/cert.py
@@ -30,7 +30,6 @@ import cryptography.x509
from cryptography.hazmat.primitives import hashes, serialization
from dns import resolver, reversename
import six
-import sys
from ipalib import Command, Str, Int, Flag, StrEnum
from ipalib import api
@@ -1623,19 +1622,7 @@ class cert_find(Search, CertMethod):
)
def _get_cert_key(self, cert):
- # for cert-find with a certificate value
- if isinstance(cert, x509.IPACertificate):
- return (DN(cert.issuer), cert.serial_number)
-
- issuer = []
- for oid, value in cert.get_issuer().get_components():
- issuer.append(
- '{}={}'.format(oid.decode('utf-8'), value.decode('utf-8'))
- )
- issuer = ','.join(issuer)
- # Use this to flip from OpenSSL reverse to X500 ordering
- issuer = DN(issuer).x500_text()
- return (DN(issuer), cert.get_serial_number())
+ return (DN(cert.issuer), cert.serial_number)
def _cert_search(self, pkey_only, **options):
result = collections.OrderedDict()
@@ -1755,11 +1742,6 @@ class cert_find(Search, CertMethod):
return result, False, complete
def _ldap_search(self, all, pkey_only, no_members, **options):
- # defer import of the OpenSSL module to not affect the requests
- # module which will use pyopenssl if this is available.
- if sys.modules.get('OpenSSL.SSL', False) is None:
- del sys.modules["OpenSSL.SSL"]
- import OpenSSL.crypto
ldap = self.api.Backend.ldap2
filters = []
@@ -1818,14 +1800,12 @@ class cert_find(Search, CertMethod):
ca_enabled = getattr(context, 'ca_enabled')
for entry in entries:
for attr in ('usercertificate', 'usercertificate;binary'):
- for der in entry.raw.get(attr, []):
- cert = OpenSSL.crypto.load_certificate(
- OpenSSL.crypto.FILETYPE_ASN1, der)
+ for cert in entry.get(attr, []):
cert_key = self._get_cert_key(cert)
try:
obj = result[cert_key]
except KeyError:
- obj = {'serial_number': cert.get_serial_number()}
+ obj = {'serial_number': cert.serial_number}
if not pkey_only and (all or not ca_enabled):
# Retrieving certificate details is now deferred
# until after all certificates are collected.
From 3b1dbcdba2994bf57908f530913998e9ab888e4c Mon Sep 17 00:00:00 2001
From: Rob Crittenden <rcritten@redhat.com>
Date: Jun 16 2023 19:09:52 +0000
Subject: Revert "cert_find: fix call with --all"
This reverts commit 1f30cc65276a532e7288217f216b72a2b0628c8f.
The problem isn't with python-cryptography, it is with the
IPACertificate class which does way more work on a certificate
than is necessary in cert-find.
Related: https://pagure.io/freeipa/issue/9331
Reviewed-By: Florence Blanc-Renaud <frenaud@redhat.com>
---
diff --git a/ipaserver/plugins/cert.py b/ipaserver/plugins/cert.py
index 88c6b62..ba37525 100644
--- a/ipaserver/plugins/cert.py
+++ b/ipaserver/plugins/cert.py
@@ -1812,7 +1812,6 @@ class cert_find(Search, CertMethod):
# For the case of CA-less we need to keep
# the certificate because getting it again later
# would require unnecessary LDAP searches.
- cert = cert.to_cryptography()
obj['certificate'] = (
base64.b64encode(
cert.public_bytes(x509.Encoding.DER))
From d00fd3398c32beb2c3e72f4878c87f9d2c0e833d Mon Sep 17 00:00:00 2001
From: Rob Crittenden <rcritten@redhat.com>
Date: Jun 16 2023 19:09:52 +0000
Subject: Use the python-cryptography parser directly in cert-find
cert-find is a rather complex beast because it not only
looks for certificates in the optional CA but within the
IPA LDAP database as well. It has a process to deduplicate
the certificates since any PKI issued certificates will
also be associated with an IPA record.
In order to obtain the data to deduplicate the certificates
the cert from LDAP must be parser for issuer and serial number.
ipaldap has automation to determine the datatype of an
attribute and will use the ipalib.x509 IPACertificate class to
decode a certificate automatically if you access
entry['usercertificate'].
The downside is that this is comparatively slow. Here is the
parse time in microseconds:
cryptography 0.0081
OpenSSL.crypto 0.2271
ipalib.x509 2.6814
Since only issuer and subject are required there is no need to
make the expensive IPACertificate call.
The IPACertificate parsing time is fine if you're parsing one
certificate but if the LDAP search returns a lot of certificates,
say in the thousands, then those microseconds add up quickly.
In testing it took ~17 seconds to parse 5k certificates (excluding
transmission overhead, etc).
cert-find when there are a lot of certificates has been
historically slow. It isn't related to the CA which returns
large sets (well, 5k anyway) in a second or two. It was the
LDAP comparision adding tens of seconds to the runtime.
When searching with the default sizelimit of 100 the time is
~10s without this patch. With it the time is 1.5s.
CLI times from before and after searching for all certs:
original:
-------------------------------
Number of entries returned 5038
-------------------------------
real 0m15.507s
user 0m0.828s
sys 0m0.241s
using cryptography:
real 0m4.037s
user 0m0.816s
sys 0m0.193s
Fixes: https://pagure.io/freeipa/issue/9331
Signed-off-by: Rob Crittenden <rcritten@redhat.com>
Reviewed-By: Florence Blanc-Renaud <frenaud@redhat.com>
---
diff --git a/ipaserver/plugins/cert.py b/ipaserver/plugins/cert.py
index ba37525..619be83 100644
--- a/ipaserver/plugins/cert.py
+++ b/ipaserver/plugins/cert.py
@@ -1800,7 +1800,8 @@ class cert_find(Search, CertMethod):
ca_enabled = getattr(context, 'ca_enabled')
for entry in entries:
for attr in ('usercertificate', 'usercertificate;binary'):
- for cert in entry.get(attr, []):
+ for der in entry.raw.get(attr, []):
+ cert = cryptography.x509.load_der_x509_certificate(der)
cert_key = self._get_cert_key(cert)
try:
obj = result[cert_key]
diff --git a/ipatests/test_xmlrpc/test_cert_plugin.py b/ipatests/test_xmlrpc/test_cert_plugin.py
index 433cebc..583c67f 100644
--- a/ipatests/test_xmlrpc/test_cert_plugin.py
+++ b/ipatests/test_xmlrpc/test_cert_plugin.py
@@ -254,6 +254,16 @@ class test_cert(BaseCert):
result = _emails_are_valid(email_addrs, [])
assert not result
+ def test_00012_cert_find_all(self):
+ """
+ Test that cert-find --all returns successfully.
+
+ We don't know how many we'll get but there should be at least 10
+ by default.
+ """
+ res = api.Command['cert_find'](all=True)
+ assert 'count' in res and res['count'] >= 10
+
def test_99999_cleanup(self):
"""
Clean up cert test data
@@ -283,7 +293,7 @@ class test_cert_find(XMLRPC_test):
short = api.env.host.split('.', maxsplit=1)[0]
- def test_0001_find_all(self):
+ def test_0001_find_all_certs(self):
"""
Search for all certificates.

46
SOURCES/0002-trust-add-handle-missing-msSFU30MaxGidNumber_rhbz#2162355.patch
View File

@ -1,46 +0,0 @@
From 703ab8c4dfb7f8fd1540c3849ad469d39695a26f Mon Sep 17 00:00:00 2001
From: Florence Blanc-Renaud <flo@redhat.com>
Date: Jan 25 2023 16:57:02 +0000
Subject: trust-add: handle missing msSFU30MaxGidNumber
When ipa trust-add is executed with --range-type ad-trust-posix,
the server tries to find the max uidnumber and max gidnumber
from AD domain controller.
The values are extracted from the entry
CN=<domain>,CN=ypservers,CN=ypServ30,CN=RpcServices,CN=System,<AD suffix>
in the msSFU30MaxUidNumber and msSFU30MaxGidNumber attributes.
msSFU30MaxUidNumber is required but not msSFU30MaxGidNumber.
In case msSFU30MaxGidNumber is missing, the code is currently assigning
a "None" value and later on evaluates the max between this value and
msSFU30MaxUidNumber. The max function cannot compare None and a list
of string and triggers an exception.
To avoid the exception, assign [b'0'] to max gid if msSFU30MaxGidNumber
is missing. This way, the comparison succeeds and max returns the
value from msSFU30MaxUidNumber.
Fixes: https://pagure.io/freeipa/issue/9310
Signed-off-by: Florence Blanc-Renaud <flo@redhat.com>
Reviewed-By: Rob Crittenden <rcritten@redhat.com>
---
diff --git a/ipaserver/plugins/trust.py b/ipaserver/plugins/trust.py
index c074f6d..79264b8 100644
--- a/ipaserver/plugins/trust.py
+++ b/ipaserver/plugins/trust.py
@@ -379,7 +379,10 @@ def add_range(myapi, trustinstance, range_name, dom_sid, *keys, **options):
range_type = u'ipa-ad-trust-posix'
max_uid = info.get('msSFU30MaxUidNumber')
- max_gid = info.get('msSFU30MaxGidNumber', None)
+ # if max_gid is missing, assume 0 and the max will
+ # be obtained from max_uid. We just checked that
+ # msSFU30MaxUidNumber is defined
+ max_gid = info.get('msSFU30MaxGidNumber', [b'0'])
max_id = int(max(max_uid, max_gid)[0])
base_id = int(info.get('msSFU30OrderNumber')[0])

76
SOURCES/0003-Backport-latest-test-fixes-python3-ipatests_rhbz#2166929.patch
View File

@ -1,76 +0,0 @@
From e8ef2c2f226704ce510525f07675107179124a95 Mon Sep 17 00:00:00 2001
From: Sumedh Sidhaye <ssidhaye@redhat.com>
Date: Feb 02 2023 06:53:56 +0000
Subject: With the commit #99a74d7, 389-ds changed the message returned in ipa-healthcheck.
Previously the message was:
"\n\nIn Directory Server, we offer one hash suitable for this "
"(PBKDF2_SHA256) and one hash\nfor \"legacy\" support (SSHA512)."
"\n\nYour configuration does not use these for password storage "
"or the root password storage\nscheme.\n"
but now the message is:
\n\nIn Directory Server, we offer one hash suitable for this "
"(PBKDF2-SHA512) and one hash\nfor \"legacy\" support (SSHA512)."
"\n\nYour configuration does not use these for password storage "
"or the root password storage\nscheme.\n"
PBKDF2_SHA256 has been replaced with PBKDF2-SHA512
Pagure: https://pagure.io/freeipa/issue/9238
Signed-off-by: Sumedh Sidhaye <ssidhaye@redhat.com>
Reviewed-By: Florence Blanc-Renaud <flo@redhat.com>
Reviewed-By: Alexander Bokovoy <abokovoy@redhat.com>
Reviewed-By: Stanislav Levin <slev@altlinux.org>
Reviewed-By: Florence Blanc-Renaud <flo@redhat.com>
Reviewed-By: Alexander Bokovoy <abokovoy@redhat.com>
Reviewed-By: Stanislav Levin <slev@altlinux.org>
---
diff --git a/ipatests/test_integration/test_ipahealthcheck.py b/ipatests/test_integration/test_ipahealthcheck.py
index 18a665e..60e8de9 100644
--- a/ipatests/test_integration/test_ipahealthcheck.py
+++ b/ipatests/test_integration/test_ipahealthcheck.py
@@ -1312,9 +1312,6 @@ class TestIpaHealthCheck(IntegrationTest):
"""
error_msg = (
"\n\nIn Directory Server, we offer one hash suitable for this "
- "(PBKDF2_SHA256) and one hash\nfor \"legacy\" support (SSHA512)."
- "\n\nYour configuration does not use these for password storage "
- "or the root password storage\nscheme.\n"
)
returncode, data = run_healthcheck(
self.master, "ipahealthcheck.ds.config", "ConfigCheck",
From 1bdd8147e7fa1032025dc6f6868e26f285744ee1 Mon Sep 17 00:00:00 2001
From: Florence Blanc-Renaud <flo@redhat.com>
Date: Jan 11 2023 11:56:30 +0000
Subject: ipatests: mark test_smb as xfail
Mark the test test_smb.py::TestSMB::test_smb_service_s4u2self as xfail.
Related: https://pagure.io/freeipa/issue/9124
Signed-off-by: Florence Blanc-Renaud <flo@redhat.com>
Reviewed-By: Alexander Bokovoy <abokovoy@redhat.com>
---
diff --git a/ipatests/test_integration/test_smb.py b/ipatests/test_integration/test_smb.py
index eb3981b..30f8d59 100644
--- a/ipatests/test_integration/test_smb.py
+++ b/ipatests/test_integration/test_smb.py
@@ -349,6 +349,7 @@ class TestSMB(IntegrationTest):
@pytest.mark.skipif(
osinfo.id == 'fedora' and osinfo.version_number <= (31,),
reason='Test requires krb 1.18')
+ @pytest.mark.xfail(reason="Pagure ticket 9124", strict=True)
def test_smb_service_s4u2self(self):
"""Test S4U2Self operation by IPA service
against both AD and IPA users

87
SOURCES/0003-Upgrade-add-PKI-drop-in-file-if-missing_rhbz#2215336.patch Normal file
View File

@ -0,0 +1,87 @@
From 86c1426b2d376a390e87b074d3e10d85fa124abf Mon Sep 17 00:00:00 2001
From: Florence Blanc-Renaud <flo@redhat.com>
Date: Jun 21 2023 17:02:48 +0000
Subject: Upgrade: add PKI drop-in file if missing
During the installation of IPA server, the installer adds a drop-in
file in /etc/systemd/system/pki-tomcatd@pki-tomcat.service.d/ipa.conf
that ensures the CA is reachable before the start command returns.
If the file is missing (for instance because the server was installed
with an old version before this drop-in was created), the upgrade
should add the file.
Fixes: https://pagure.io/freeipa/issue/9381
Signed-off-by: Florence Blanc-Renaud <flo@redhat.com>
Reviewed-By: Rob Crittenden <rcritten@redhat.com>
---
diff --git a/ipaserver/install/server/upgrade.py b/ipaserver/install/server/upgrade.py
index dd22ac2..e4dc7ae 100644
--- a/ipaserver/install/server/upgrade.py
+++ b/ipaserver/install/server/upgrade.py
@@ -1737,6 +1737,10 @@ def upgrade_configuration():
os.path.join(paths.USR_SHARE_IPA_DIR,
"ipa-kdc-proxy.conf.template"))
if ca.is_configured():
+ # Ensure that the drop-in file is present
+ if not os.path.isfile(paths.SYSTEMD_PKI_TOMCAT_IPA_CONF):
+ ca.add_ipa_wait()
+
# Handle upgrade of AJP connector configuration
rewrite = ca.secure_ajp_connector()
if ca.ajp_secret:
From 356ec5cbfe0876686239f938bdf54892dc30571e Mon Sep 17 00:00:00 2001
From: Florence Blanc-Renaud <flo@redhat.com>
Date: Jun 21 2023 17:02:48 +0000
Subject: Integration test: add a test for upgrade and PKI drop-in file
Add an upgrade test with the following scenario:
- remove PKI drop-in file (to simulate an upgrade from an old
version)
- remove caECServerCertWithSCT profile from LDAP
- launch the ipa-server-upgrade command
- check that the upgrade added the file
Related: https://pagure.io/freeipa/issue/9381
Signed-off-by: Florence Blanc-Renaud <flo@redhat.com>
Reviewed-By: Rob Crittenden <rcritten@redhat.com>
---
diff --git a/ipatests/test_integration/test_upgrade.py b/ipatests/test_integration/test_upgrade.py
index 9203503..182e3b5 100644
--- a/ipatests/test_integration/test_upgrade.py
+++ b/ipatests/test_integration/test_upgrade.py
@@ -455,3 +455,25 @@ class TestUpgrade(IntegrationTest):
assert 'tXTRecord' in location_krb_rec
assert len(location_krb_rec['tXTRecord']) == 1
assert location_krb_rec['tXTRecord'][0] == f'"{realm}"'
+
+ def test_pki_dropin_file(self):
+ """Test that upgrade adds the drop-in file if missing
+
+ Test for ticket 9381
+ Simulate an update from a version that didn't provide
+ /etc/systemd/system/pki-tomcatd@pki-tomcat.service.d/ipa.conf,
+ remove one of the certificate profiles from LDAP and check that upgrade
+ completes successfully and adds the missing file.
+ When the drop-in file is missing, the upgrade tries to login to
+ PKI in order to migrate the profile and fails because PKI failed to
+ start.
+ """
+ self.master.run_command(["rm", "-f", paths.SYSTEMD_PKI_TOMCAT_IPA_CONF])
+ ldif = textwrap.dedent("""
+ dn: cn=caECServerCertWithSCT,ou=certificateProfiles,ou=ca,o=ipaca
+ changetype: delete
+ """)
+ tasks.ldapmodify_dm(self.master, ldif)
+ self.master.run_command(['ipa-server-upgrade'])
+ assert self.master.transport.file_exists(
+ paths.SYSTEMD_PKI_TOMCAT_IPA_CONF)

233
SOURCES/0004-Upgrade-fix-replica-agreement_rhbz#2216551.patch Normal file
View File

@ -0,0 +1,233 @@
From d29b47512a39ada02fb371521994576cd9815a6c Mon Sep 17 00:00:00 2001
From: Florence Blanc-Renaud <flo@redhat.com>
Date: Mon, 19 Jun 2023 10:36:29 +0200
Subject: [PATCH] Upgrade: fix replica agreement
The upgrade checks the replication agreements to ensure that
some attributes are excluded from replication. The agreements
are stored in entries like
cn=serverToreplica,cn=replica,cn=_suffix_,cn=mapping tree,cn=config
but those entries are managed by the replication topology plugin
and should not be updated directly. The consequence is that the update
of the attributes fails and ipa-server-update prints an error message:
Error caught updating nsDS5ReplicatedAttributeList: Server is unwilling
to perform: Entry and attributes are managed by topology plugin.No direct
modifications allowed.
Error caught updating nsDS5ReplicatedAttributeListTotal: Server is
unwilling to perform: Entry and attributes are managed by topology
plugin.No direct modifications allowed.
The upgrade continues but the replication is not excluding
passwordgraceusertime.
Instead of editing the agreements, perform the modifications on
the topology segments.
Fixes: https://pagure.io/freeipa/issue/9385
Signed-off-by: Florence Blanc-Renaud <flo@redhat.com>
Reviewed-By: Rob Crittenden <rcritten@redhat.com>
---
.../install/plugins/fix_replica_agreements.py | 80 +++++++++----------
1 file changed, 38 insertions(+), 42 deletions(-)
diff --git a/ipaserver/install/plugins/fix_replica_agreements.py b/ipaserver/install/plugins/fix_replica_agreements.py
index c0cdd3eb1..d963753d0 100644
--- a/ipaserver/install/plugins/fix_replica_agreements.py
+++ b/ipaserver/install/plugins/fix_replica_agreements.py
@@ -22,6 +22,7 @@ import logging
from ipaserver.install import replication
from ipalib import Registry
from ipalib import Updater
+from ipalib import errors
logger = logging.getLogger(__name__)
@@ -41,35 +42,42 @@ class update_replica_attribute_lists(Updater):
def execute(self, **options):
# We need an LDAPClient connection to the backend
logger.debug("Start replication agreement exclude list update task")
- conn = self.api.Backend.ldap2
- repl = replication.ReplicationManager(self.api.env.realm,
- self.api.env.host,
- None, conn=conn)
-
- # We need to update only IPA replica agreements, not winsync
- ipa_replicas = repl.find_ipa_replication_agreements()
-
- logger.debug("Found %d agreement(s)", len(ipa_replicas))
-
- for replica in ipa_replicas:
- for desc in replica.get('description', []):
- logger.debug('%s', desc)
-
- self._update_attr(repl, replica,
- 'nsDS5ReplicatedAttributeList',
- replication.EXCLUDES, template=EXCLUDE_TEMPLATE)
- self._update_attr(repl, replica,
- 'nsDS5ReplicatedAttributeListTotal',
- replication.TOTAL_EXCLUDES, template=EXCLUDE_TEMPLATE)
- self._update_attr(repl, replica,
- 'nsds5ReplicaStripAttrs', replication.STRIP_ATTRS)
+ # Find suffixes
+ suffixes = self.api.Command.topologysuffix_find()['result']
+ for suffix in suffixes:
+ suffix_name = suffix['cn'][0]
+ # Find segments
+ sgmts = self.api.Command.topologysegment_find(
+ suffix_name, all=True)['result']
+ for segment in sgmts:
+ updates = {}
+ updates = self._update_attr(
+ segment, updates,
+ 'nsds5replicatedattributelist',
+ replication.EXCLUDES, template=EXCLUDE_TEMPLATE)
+ updates = self._update_attr(
+ segment, updates,
+ 'nsds5replicatedattributelisttotal',
+ replication.TOTAL_EXCLUDES, template=EXCLUDE_TEMPLATE)
+ updates = self._update_attr(
+ segment, updates,
+ 'nsds5replicastripattrs', replication.STRIP_ATTRS)
+ if updates:
+ try:
+ self.api.Command.topologysegment_mod(
+ suffix_name, segment['cn'][0],
+ **updates)
+ except errors.EmptyModlist:
+ # No update done
+ logger.debug("No update required for the segment %s",
+ segment['cn'][0])
logger.debug("Done updating agreements")
return False, [] # No restart, no updates
- def _update_attr(self, repl, replica, attribute, values, template='%s'):
+ def _update_attr(self, segment, updates, attribute, values, template='%s'):
"""Add or update an attribute of a replication agreement
If the attribute doesn't already exist, it is added and set to
@@ -77,27 +85,21 @@ class update_replica_attribute_lists(Updater):
If the attribute does exist, `values` missing from it are just
appended to the end, also space-separated.
- :param repl: Replication manager
- :param replica: Replica agreement
+ :param: updates: dict containing the updates
+ :param segment: dict containing segment information
:param attribute: Attribute to add or update
:param values: List of values the attribute should hold
:param template: Template to use when adding attribute
"""
- attrlist = replica.single_value.get(attribute)
+ attrlist = segment.get(attribute)
if attrlist is None:
logger.debug("Adding %s", attribute)
# Need to add it altogether
- replica[attribute] = [template % " ".join(values)]
-
- try:
- repl.conn.update_entry(replica)
- logger.debug("Updated")
- except Exception as e:
- logger.error("Error caught updating replica: %s", str(e))
+ updates[attribute] = template % " ".join(values)
else:
- attrlist_normalized = attrlist.lower().split()
+ attrlist_normalized = attrlist[0].lower().split()
missing = [a for a in values
if a.lower() not in attrlist_normalized]
@@ -105,14 +107,8 @@ class update_replica_attribute_lists(Updater):
logger.debug("%s needs updating (missing: %s)", attribute,
', '.join(missing))
- replica[attribute] = [
- '%s %s' % (attrlist, ' '.join(missing))]
+ updates[attribute] = '%s %s' % (attrlist[0], ' '.join(missing))
- try:
- repl.conn.update_entry(replica)
- logger.debug("Updated %s", attribute)
- except Exception as e:
- logger.error("Error caught updating %s: %s",
- attribute, str(e))
else:
logger.debug("%s: No update necessary", attribute)
+ return updates
--
2.41.0
From 93d97b59600c15e5028ee39b0e98450544165158 Mon Sep 17 00:00:00 2001
From: Florence Blanc-Renaud <flo@redhat.com>
Date: Mon, 19 Jun 2023 10:36:59 +0200
Subject: [PATCH] Integration tests: add a test to ipa-server-upgrade
Add an integration test ensuring that the upgrade
properly updates the attributes to be excluded from
replication.
Related: https://pagure.io/freeipa/issue/9385
Signed-off-by: Florence Blanc-Renaud <flo@redhat.com>
Reviewed-By: Rob Crittenden <rcritten@redhat.com>
---
.../test_simple_replication.py | 30 +++++++++++++++++++
1 file changed, 30 insertions(+)
diff --git a/ipatests/test_integration/test_simple_replication.py b/ipatests/test_integration/test_simple_replication.py
index 17092a499..d1e65ef7c 100644
--- a/ipatests/test_integration/test_simple_replication.py
+++ b/ipatests/test_integration/test_simple_replication.py
@@ -23,8 +23,10 @@ import pytest
from ipaplatform.paths import paths
from ipapython.dn import DN
+from ipaserver.install.replication import EXCLUDES
from ipatests.pytest_ipa.integration import tasks
from ipatests.test_integration.base import IntegrationTest
+from ipatests.test_integration.test_topology import find_segment
def check_replication(source_host, dest_host, login):
@@ -104,6 +106,34 @@ class TestSimpleReplication(IntegrationTest):
[paths.IPA_CUSTODIA_CHECK, self.master.hostname]
)
+ def test_fix_agreements(self):
+ """Test that upgrade fixes the list of attributes excluded from repl
+
+ Test for ticket 9385
+ """
+ # Prepare the server by removing some values from
+ # from the nsDS5ReplicatedAttributeList
+ segment = find_segment(self.master, self.replicas[0], "domain")
+ self.master.run_command([
+ "ipa", "topologysegment-mod", "domain", segment,
+ "--replattrs",
+ "(objectclass=*) $ EXCLUDE memberof idnssoaserial entryusn"])
+ # Run the upgrade
+ result = self.master.run_command(["ipa-server-upgrade"])
+ # Ensure that the upgrade updated the attribute without error
+ errmsg = "Error caught updating nsDS5ReplicatedAttributeList"
+ assert errmsg not in result.stdout_text
+ # Check the updated value
+ suffix = DN(self.master.domain.basedn)
+ dn = DN(('cn', str(suffix)), ('cn', 'mapping tree'), ('cn', 'config'))
+ result = tasks.ldapsearch_dm(self.master, str(dn),
+ ["nsDS5ReplicatedAttributeList"])
+ output = result.stdout_text.lower()
+
+ template = 'nsDS5ReplicatedAttributeList: (objectclass=*) $ EXCLUDE %s'
+ expected_value = template % " ".join(EXCLUDES)
+ assert expected_value.lower() in output
+
def test_replica_removal(self):
"""Test replica removal"""
result = self.master.run_command(['ipa-replica-manage', 'list'])
--
2.41.0

52
SOURCES/0004-server-install-remove-error-log-about-missing-bkup-file_rhbz#2160389.patch
View File

@ -1,52 +0,0 @@
From 6f50b00953c0000d6da8db0f5e8974ae33d7b5d5 Mon Sep 17 00:00:00 2001
From: Florence Blanc-Renaud <flo@redhat.com>
Date: Jan 16 2023 07:44:50 +0000
Subject: server install: remove error log about missing bkup file
The client installer code can be called in 3 different ways:
- from ipa-client-install CLI
- from ipa-replica-install CLI if the client is not already installed
- from ipa-server-install
In the last case, the client installer is called with
options.on_master=True
As a result, it's skipping the part that is creating the krb5
configuration:
if not options.on_master:
nolog = tuple()
configure_krb5_conf(...)
The configure_krb5_conf method is the place where the krb5.conf file is
backup'ed with the extention ".ipabkp". For a master installation, this
code is not called and the ipabkp file does not exist => delete raises
an error.
When delete fails because the file does not exist, no need to log an
error message.
Fixes: https://pagure.io/freeipa/issue/9306
Signed-off-by: Florence Blanc-Renaud <flo@redhat.com>
Reviewed-By: Rob Crittenden <rcritten@redhat.com>
---
diff --git a/ipaclient/install/client.py b/ipaclient/install/client.py
index e5d3e82..6e7f17d 100644
--- a/ipaclient/install/client.py
+++ b/ipaclient/install/client.py
@@ -124,10 +124,9 @@ def cleanup(func):
os.rmdir(ccache_dir)
except OSError:
pass
- try:
- os.remove(krb_name + ".ipabkp")
- except OSError:
- logger.error("Could not remove %s.ipabkp", krb_name)
+ # During master installation, the .ipabkp file is not created
+ # Ignore the delete error if it is "file does not exist"
+ remove_file(krb_name + ".ipabkp")
return inner

52
SOURCES/0005-OTP-fix-data-type-to-avoid-endianness-issue_rhbz#2218293.patch Normal file
View File

@ -0,0 +1,52 @@
From a7e167154b889f75463ccc9cd91a75c1afb22da9 Mon Sep 17 00:00:00 2001
From: Florence Blanc-Renaud <flo@redhat.com>
Date: Jun 28 2023 19:43:16 +0000
Subject: OTP: fix data type to avoid endianness issue
When 389-ds process an OTP authentication, the ipa-pwd-extop
plugin reads a buffer to extract the authentication type.
The type is stored in an int but the data is a ber_tag_t.
On big endian machines the type cast does not cause any issue
but on s390x the buffer that should return 128 is seen as 0.
As a consequence, the plugin considers that the method is not
LDAP_AUTH_SIMPLE and exits early, without processing the OTP.
The fix is simple and consists in using the right type
(ber_tag_t is an unsigned long).
Fixes: https://pagure.io/freeipa/issue/9402
Signed-off-by: Florence Blanc-Renaud <flo@redhat.com>
Reviewed-By: Rob Crittenden <rcritten@redhat.com>
---
diff --git a/daemons/ipa-slapi-plugins/ipa-pwd-extop/prepost.c b/daemons/ipa-slapi-plugins/ipa-pwd-extop/prepost.c
index 9375941..4562652 100644
--- a/daemons/ipa-slapi-plugins/ipa-pwd-extop/prepost.c
+++ b/daemons/ipa-slapi-plugins/ipa-pwd-extop/prepost.c
@@ -1433,7 +1433,7 @@ static int ipapwd_pre_bind(Slapi_PBlock *pb)
Slapi_DN *target_sdn = NULL;
Slapi_DN *sdn = NULL;
const char *dn = NULL;
- int method = 0;
+ ber_tag_t method = 0;
bool syncreq;
bool otpreq;
int ret = 0;
@@ -1454,8 +1454,10 @@ static int ipapwd_pre_bind(Slapi_PBlock *pb)
}
/* We're only interested in simple authentication. */
- if (method != LDAP_AUTH_SIMPLE || credentials->bv_len == 0)
+ if (method != LDAP_AUTH_SIMPLE || credentials->bv_len == 0) {
+ LOG("Not handled (not simple bind or NULL dn/credentials)\n");
return 0;
+ }
/* Retrieve the user's entry. */
sdn = slapi_sdn_dup(target_sdn);

64
SOURCES/0005-automember-rebuild-add-a-notice-about-high-CPU-usage_rhbz#2018198.patch
View File

@ -1,64 +0,0 @@
From 2deaaa788cbdde22d5b15566599fdcf7a10f02c6 Mon Sep 17 00:00:00 2001
From: Florence Blanc-Renaud <flo@redhat.com>
Date: Feb 02 2023 10:08:26 +0000
Subject: automember-rebuild: add a notice about high CPU usage
The automember-rebuild task may require high CPU usage
if many users/hosts/groups are processed.
Add a note in the ipa automember-rebuild CLI output
and in the WebUI confirmation message.
Fixes: https://pagure.io/freeipa/issue/9320
Signed-off-by: Florence Blanc-Renaud <flo@redhat.com>
Reviewed-By: Francisco Trivino <ftrivino@redhat.com>
---
diff --git a/install/ui/test/data/i18n_messages.json b/install/ui/test/data/i18n_messages.json
index 49d2883..5b73548 100644
--- a/install/ui/test/data/i18n_messages.json
+++ b/install/ui/test/data/i18n_messages.json
@@ -7,7 +7,7 @@
"actions": {
"apply": "Apply",
"automember_rebuild": "Rebuild auto membership",
- "automember_rebuild_confirm": "Are you sure you want to rebuild auto membership?",
+ "automember_rebuild_confirm": "Are you sure you want to rebuild auto membership? In case of a high number of users, hosts or groups, the operation may require high CPU usage.",
"automember_rebuild_success": "Automember rebuild membership task completed",
"confirm": "Are you sure you want to proceed with the action?",
"delete_confirm": "Are you sure you want to delete ${object}?",
diff --git a/ipaclient/plugins/automember.py b/ipaclient/plugins/automember.py
index df4a2e5..7108dc9 100644
--- a/ipaclient/plugins/automember.py
+++ b/ipaclient/plugins/automember.py
@@ -34,3 +34,11 @@ class automember_add_condition(MethodOverride):
flags=['suppress_empty'],
),
)
+
+
+@register(override=True, no_fail=True)
+class automember_rebuild(MethodOverride):
+ def interactive_prompt_callback(self, kw):
+ msg = _('IMPORTANT: In case of a high number of users, hosts or '
+ 'groups, the operation may require high CPU usage.')
+ self.Backend.textui.print_plain(msg)
diff --git a/ipaserver/plugins/internal.py b/ipaserver/plugins/internal.py
index 5ffa7a2..e1e920f 100644
--- a/ipaserver/plugins/internal.py
+++ b/ipaserver/plugins/internal.py
@@ -160,7 +160,11 @@ class i18n_messages(Command):
"actions": {
"apply": _("Apply"),
"automember_rebuild": _("Rebuild auto membership"),
- "automember_rebuild_confirm": _("Are you sure you want to rebuild auto membership?"),
+ "automember_rebuild_confirm": _(
+ "Are you sure you want to rebuild auto membership? In case of "
+ "a high number of users, hosts or groups, the operation "
+ "may require high CPU usage."
+ ),
"automember_rebuild_success": _("Automember rebuild membership task completed"),
"confirm": _("Are you sure you want to proceed with the action?"),
"delete_confirm": _("Are you sure you want to delete ${object}?"),

173
SOURCES/0006-Backport-test-updates-8-9-release_rhbz#2218847.patch Normal file
View File

@ -0,0 +1,173 @@
From 7a94acca6a9efb546f1cf59f63fcb89f98944ea5 Mon Sep 17 00:00:00 2001
From: Florence Blanc-Renaud <flo@redhat.com>
Date: Thu, 25 May 2023 08:16:33 +0200
Subject: [PATCH] ACME tests: fix issue_and_expire_acme_cert method
The fixture issue_and_expire_acme_cert is changing the date
on master and client. It also resets the admin password as
it gets expired after the date change.
Currently the code is resetting the password by performing
kinit on the client, which leaves the master with an expired
ticket in its cache. Reset the password on the master instead
in order to have a valid ticket for the next operations.
Fixes: https://pagure.io/freeipa/issue/9383
Signed-off-by: Florence Blanc-Renaud <flo@redhat.com>
Reviewed-By: Mohammad Rizwan <myusuf@redhat.com>
---
ipatests/test_integration/test_acme.py | 8 ++++----
1 file changed, 4 insertions(+), 4 deletions(-)
diff --git a/ipatests/test_integration/test_acme.py b/ipatests/test_integration/test_acme.py
index c73f441fc..c69e810da 100644
--- a/ipatests/test_integration/test_acme.py
+++ b/ipatests/test_integration/test_acme.py
@@ -583,20 +583,20 @@ class TestACMERenew(IntegrationTest):
tasks.kdestroy_all(host)
tasks.move_date(host, 'stop', '+90days')
- tasks.get_kdcinfo(host)
+ tasks.get_kdcinfo(self.master)
# Note raiseonerr=False:
# the assert is located after kdcinfo retrieval.
# run kinit command repeatedly until sssd gets settle
# after date change
tasks.run_repeatedly(
- host, "KRB5_TRACE=/dev/stdout kinit admin",
+ self.master, "KRB5_TRACE=/dev/stdout kinit admin",
stdin_text='{0}\n{0}\n{0}\n'.format(
- self.clients[0].config.admin_password
+ self.master.config.admin_password
)
)
# Retrieve kdc.$REALM after the password change, just in case SSSD
# domain status flipped to online during the password change.
- tasks.get_kdcinfo(host)
+ tasks.get_kdcinfo(self.master)
yield
--
2.41.0
From 998bafee86a870ad1ea4d6bccf12f0fae64c398c Mon Sep 17 00:00:00 2001
From: Florence Blanc-Renaud <flo@redhat.com>
Date: Wed, 31 May 2023 11:50:14 +0200
Subject: [PATCH] ipatest: remove xfail from test_smb
test_smb is now successful because the windows server version
has been updated to windows-server-2022 with
- KB5012170
- KB5025230
- KB5022507
- servicing stack 10.0.20348.1663
in freeipa-pr-ci commit 3ba4151.
Remove the xfail.
Fixes: https://pagure.io/freeipa/issue/9124
Signed-off-by: Florence Blanc-Renaud <flo@redhat.com>
Reviewed-By: Mohammad Rizwan <myusuf@redhat.com>
---
ipatests/test_integration/test_smb.py | 1 -
1 file changed, 1 deletion(-)
diff --git a/ipatests/test_integration/test_smb.py b/ipatests/test_integration/test_smb.py
index 30f8d5901..eb3981bdd 100644
--- a/ipatests/test_integration/test_smb.py
+++ b/ipatests/test_integration/test_smb.py
@@ -349,7 +349,6 @@ class TestSMB(IntegrationTest):
@pytest.mark.skipif(
osinfo.id == 'fedora' and osinfo.version_number <= (31,),
reason='Test requires krb 1.18')
- @pytest.mark.xfail(reason="Pagure ticket 9124", strict=True)
def test_smb_service_s4u2self(self):
"""Test S4U2Self operation by IPA service
against both AD and IPA users
--
2.41.0
From 1b51fa4cb07380d1102891233e85a7940f804c72 Mon Sep 17 00:00:00 2001
From: Anuja More <amore@redhat.com>
Date: Thu, 11 May 2023 12:50:10 +0530
Subject: [PATCH] ipatests: Check that SSSD_PUBCONF_KRB5_INCLUDE_D_DIR is not
included in krb5.conf
SSSD already provides a config snippet which includes
SSSD_PUBCONF_KRB5_INCLUDE_D_DIR, and having both breaks Java.
Test checks that krb5.conf does not include
SSSD_PUBCONF_KRB5_INCLUDE_D_DIR.
Related: https://pagure.io/freeipa/issue/9267
Signed-off-by: Anuja More <amore@redhat.com>
Reviewed-By: Florence Blanc-Renaud <flo@redhat.com>
---
.../test_integration/test_installation_client.py | 15 +++++++++++++++
1 file changed, 15 insertions(+)
diff --git a/ipatests/test_integration/test_installation_client.py b/ipatests/test_integration/test_installation_client.py
index 014b0f6ab..56e1593bf 100644
--- a/ipatests/test_integration/test_installation_client.py
+++ b/ipatests/test_integration/test_installation_client.py
@@ -76,6 +76,21 @@ class TestInstallClient(IntegrationTest):
result = self.clients[0].run_command(['cat', '/etc/ssh/ssh_config'])
assert 'HostKeyAlgorithms' not in result.stdout_text
+ def test_client_install_with_krb5(self):
+ """Test that SSSD_PUBCONF_KRB5_INCLUDE_D_DIR is not added in krb5.conf
+
+ SSSD already provides a config snippet which includes
+ SSSD_PUBCONF_KRB5_INCLUDE_D_DIR, and having both breaks Java.
+ Test checks that krb5.conf does not include
+ SSSD_PUBCONF_KRB5_INCLUDE_D_DIR.
+
+ related: https://pagure.io/freeipa/issue/9267
+ """
+ krb5_cfg = self.master.get_file_contents(paths.KRB5_CONF)
+ assert 'includedir {dir}'.format(
+ dir=paths.SSSD_PUBCONF_KRB5_INCLUDE_D_DIR
+ ).encode() not in krb5_cfg
+
class TestClientInstallBind(IntegrationTest):
"""
--
2.41.0
From f599e2d67bad5945e4dcf99fdd584f01f1e20d1e Mon Sep 17 00:00:00 2001
From: Florence Blanc-Renaud <flo@redhat.com>
Date: Tue, 6 Jun 2023 09:04:48 +0200
Subject: [PATCH] webuitests: close notification which hides Add button
The webui test test_service.py::test_service::test_arbitrary_certificates
randomly fails.
The test is creating a new service then navigates to the Service page
and clicks on the Add Certificate button.
The notification area may still be present and hide the button, with
the message "Service successfully added".
Close all notifications before navigating to the Service page.
Fixes: https://pagure.io/freeipa/issue/9389
Signed-off-by: Florence Blanc-Renaud <flo@redhat.com>
Reviewed-By: Michal Polovka <mpolovka@redhat.com>
---
ipatests/test_webui/test_service.py | 1 +
1 file changed, 1 insertion(+)
diff --git a/ipatests/test_webui/test_service.py b/ipatests/test_webui/test_service.py
index f1d9a9d62..e2976d73a 100644
--- a/ipatests/test_webui/test_service.py
+++ b/ipatests/test_webui/test_service.py
@@ -296,6 +296,7 @@ class test_service(sevice_tasks):
cert_widget_sel = "div.certificate-widget"
self.add_record(ENTITY, data)
+ self.close_notifications()
self.navigate_to_record(pkey)
# check whether certificate section is present
--
2.41.0

185
SOURCES/0006-ipa-kdb-PAC-consistency-checker-needs-to-handle-child-domains-as-well_rhbz#2166324.patch
View File

@ -1,185 +0,0 @@
From 2a0868fccbc9f4dfc540a7d3bb5dfa22c0bdce4e Mon Sep 17 00:00:00 2001
From: Alexander Bokovoy <abokovoy@redhat.com>
Date: Mon, 30 Jan 2023 14:22:30 +0200
Subject: [PATCH 1/2] ipa-kdb: PAC consistency checker needs to handle child
domains as well
When PAC check is performed, we might get a signing TGT instead of the
client DB entry. This means it is a principal from a trusted domain but
we don't know which one exactly because we only have a krbtgt for the
forest root. This happens in MIT Kerberos 1.20 or later where KDB's
issue_pac() callback never gets the original client principal directly.
Look into known child domains as well and make pass the check if both
NetBIOS name and SID correspond to one of the trusted domains under this
forest root. Move check for the SID before NetBIOS name check because we
can use SID of the domain in PAC to find out the right child domain in
our trusted domains' topology list.
Fixes: https://pagure.io/freeipa/issue/9316
Signed-off-by: Alexander Bokovoy <abokovoy@redhat.com>
---
daemons/ipa-kdb/ipa_kdb_mspac.c | 51 +++++++++++++++++++++------------
1 file changed, 32 insertions(+), 19 deletions(-)
diff --git a/daemons/ipa-kdb/ipa_kdb_mspac.c b/daemons/ipa-kdb/ipa_kdb_mspac.c
index a15050e2166..476d1cb558a 100644
--- a/daemons/ipa-kdb/ipa_kdb_mspac.c
+++ b/daemons/ipa-kdb/ipa_kdb_mspac.c
@@ -1827,11 +1827,43 @@ krb5_error_code filter_logon_info(krb5_context context,
bool result;
char *domstr = NULL;
+ ipactx = ipadb_get_context(context);
+ if (!ipactx || !ipactx->mspac) {
+ return KRB5_KDB_DBNOTINITED;
+ }
+
domain = get_domain_from_realm_update(context, realm);
if (!domain) {
return EINVAL;
}
+ /* check exact sid */
+ result = dom_sid_check(&domain->domsid, info->info->info3.base.domain_sid, true);
+ if (!result) {
+ struct ipadb_mspac *mspac_ctx = ipactx->mspac;
+ result = FALSE;
+ /* Didn't match but perhaps the original PAC was issued by a child domain's DC? */
+ for (k = 0; k < mspac_ctx->num_trusts; k++) {
+ result = dom_sid_check(&mspac_ctx->trusts[k].domsid,
+ info->info->info3.base.domain_sid, true);
+ if (result) {
+ domain = &mspac_ctx->trusts[k];
+ break;
+ }
+ }
+ if (!result) {
+ domstr = dom_sid_string(NULL, info->info->info3.base.domain_sid);
+ krb5_klog_syslog(LOG_ERR, "PAC Info mismatch: domain = %s, "
+ "expected domain SID = %s, "
+ "found domain SID = %s",
+ domain->domain_name, domain->domain_sid,
+ domstr ? domstr : "<failed to display>");
+ talloc_free(domstr);
+ return EINVAL;
+ }
+ }
+
+ /* At this point we may have changed the domain we look at, */
/* check netbios/flat name */
if (strcasecmp(info->info->info3.base.logon_domain.string,
domain->flat_name) != 0) {
@@ -1843,21 +1875,6 @@ krb5_error_code filter_logon_info(krb5_context context,
return EINVAL;
}
- /* check exact sid */
- result = dom_sid_check(&domain->domsid, info->info->info3.base.domain_sid, true);
- if (!result) {
- domstr = dom_sid_string(NULL, info->info->info3.base.domain_sid);
- if (!domstr) {
- return EINVAL;
- }
- krb5_klog_syslog(LOG_ERR, "PAC Info mismatch: domain = %s, "
- "expected domain SID = %s, "
- "found domain SID = %s",
- domain->domain_name, domain->domain_sid, domstr);
- talloc_free(domstr);
- return EINVAL;
- }
-
/* Check if this domain has been filtered out by the trust itself*/
if (domain->parent != NULL) {
for(k = 0; k < domain->parent->len_sid_blocklist_incoming; k++) {
@@ -1944,10 +1961,6 @@ krb5_error_code filter_logon_info(krb5_context context,
* should include different possibilities into account
* */
if (info->info->info3.sidcount != 0) {
- ipactx = ipadb_get_context(context);
- if (!ipactx || !ipactx->mspac) {
- return KRB5_KDB_DBNOTINITED;
- }
count = info->info->info3.sidcount;
i = 0;
j = 0;
From 1a4f2597253c750696f6cd34613b375dc30fe456 Mon Sep 17 00:00:00 2001
From: Anuja More <amore@redhat.com>
Date: Mon, 30 Jan 2023 19:27:49 +0530
Subject: [PATCH 2/2] Add test for SSH with GSSAPI auth.
Added test for aduser with GSSAPI authentication.
Related : https://pagure.io/freeipa/issue/9316
Signed-off-by: Anuja More <amore@redhat.com>
---
ipatests/test_integration/test_trust.py | 46 +++++++++++++++++++++++++
1 file changed, 46 insertions(+)
diff --git a/ipatests/test_integration/test_trust.py b/ipatests/test_integration/test_trust.py
index 21c814ff1a9..a1ed906c6ae 100644
--- a/ipatests/test_integration/test_trust.py
+++ b/ipatests/test_integration/test_trust.py
@@ -527,6 +527,35 @@ def test_subordinate_suffix(self):
.format(self.ad_domain, subordinate_suffix))
self.ad.run_command(['powershell', '-c', cmd])
+ def test_ssh_aduser(self):
+ """Test ssh with GSSAPI is working with aduser
+
+ When kerberos ticket is obtained for child domain user
+ and ssh with this ticket should be successful
+ with no password prompt.
+
+ Related : https://pagure.io/freeipa/issue/9316
+ """
+ testuser = 'testuser@{0}'.format(self.ad_domain)
+ testusersub = 'subdomaintestuser@{0}'.format(self.ad_subdomain)
+
+ def sshuser(host, user):
+ tasks.kdestroy_all(host)
+ try:
+ tasks.kinit_as_user(host, user,
+ host.config.ad_admin_password
+ )
+ ssh_cmd = "ssh -q -K -l {user} {host} hostname"
+ valid_ssh = host.run_command(
+ ssh_cmd.format(user=user, host=host.hostname)
+ )
+ assert host.hostname in valid_ssh.stdout_text
+ finally:
+ tasks.kdestroy_all(host)
+
+ sshuser(self.master, testuser)
+ sshuser(self.master, testusersub)
+
def test_remove_nonposix_trust(self):
self.remove_trust(self.ad)
tasks.unconfigure_dns_for_trust(self.master, self.ad)
@@ -784,6 +813,23 @@ def test_user_gid_uid_resolution_in_external_treedomain_trust(self):
assert re.search(
testuser_regex, result.stdout_text), result.stdout_text
+ def test_ssh_adtreeuser(self):
+ testuser = 'treetestuser@{0}'.format(self.ad_treedomain)
+ self.master.run_command(["id", testuser])
+ tasks.clear_sssd_cache(self.master)
+ tasks.kdestroy_all(self.master)
+ try:
+ tasks.kinit_as_user(self.master, testuser,
+ password="Secret123456"
+ )
+ ssh_cmd = "ssh -q -K -l {user} {host} hostname"
+ valid_ssh = self.master.run_command(
+ ssh_cmd.format(user=testuser, host=self.master.hostname)
+ )
+ assert self.master.hostname in valid_ssh.stdout_text
+ finally:
+ tasks.kdestroy_all(self.master)
+
def test_remove_external_treedomain_trust(self):
self.remove_trust(self.tree_ad)
tasks.unconfigure_dns_for_trust(self.master, self.ad, self.tree_ad)

64
SOURCES/0007-Wipe-the-ipa-ca-DNS-record-when-updating-system-records_rhbz#2158775.patch
View File

@ -1,64 +0,0 @@
From b35c75d864040b98ed3f9214d5d17d32f06d6ee1 Mon Sep 17 00:00:00 2001
From: Rob Crittenden <rcritten@redhat.com>
Date: Mon, 11 Jul 2022 14:20:32 -0400
Subject: [PATCH] Wipe the ipa-ca DNS record when updating system records
If a server with a CA has been marked as hidden and
contains the last A or AAAA address then that address
would remain in the ipa-ca entry.
This is because update-dns-system-records did not delete
values, it just re-computed them. So if no A or AAAA
records were found then the existing value was left.
Fixes: https://pagure.io/freeipa/issue/9195
Signed-off-by: Rob Crittenden <rcritten@redhat.com>
---
ipaserver/dns_data_management.py | 12 +++++++++++-
1 file changed, 11 insertions(+), 1 deletion(-)
diff --git a/ipaserver/dns_data_management.py b/ipaserver/dns_data_management.py
index e2bc530ee8a..aaae5446856 100644
--- a/ipaserver/dns_data_management.py
+++ b/ipaserver/dns_data_management.py
@@ -19,6 +19,7 @@
from time import sleep, time
from ipalib import errors
+from ipalib.constants import IPA_CA_RECORD
from ipalib.dns import record_name_format
from ipapython.dnsutil import DNSName
from ipaserver.install import installutils
@@ -187,7 +188,7 @@ def __add_uri_records(
def __add_ca_records_from_hostname(self, zone_obj, hostname):
assert isinstance(hostname, DNSName) and hostname.is_absolute()
- r_name = DNSName('ipa-ca') + self.domain_abs
+ r_name = DNSName(IPA_CA_RECORD) + self.domain_abs
rrsets = None
end_time = time() + CA_RECORDS_DNS_TIMEOUT
while True:
@@ -210,6 +211,7 @@ def __add_ca_records_from_hostname(self, zone_obj, hostname):
for rrset in rrsets:
for rd in rrset:
+ logger.debug("Adding CA IP %s for %s", rd.to_text(), hostname)
rdataset = zone_obj.get_rdataset(
r_name, rd.rdtype, create=True)
rdataset.add(rd, ttl=self.TTL)
@@ -461,6 +463,14 @@ def update_base_records(self):
)
)
+ # Remove the ipa-ca record(s). They will be reconstructed in
+ # get_base_records().
+ r_name = DNSName(IPA_CA_RECORD) + self.domain_abs
+ try:
+ self.api_instance.Command.dnsrecord_del(
+ self.domain_abs, r_name, del_all=True)
+ except errors.NotFound:
+ pass
base_zone = self.get_base_records()
for record_name, node in base_zone.items():
set_cname_template = record_name in names_requiring_cname_templates

85
SOURCES/0007-ipa-kdb-fix-error-handling-of-is_master_host_rhbz#2214638.patch Normal file
View File

@ -0,0 +1,85 @@
From b5793c854035a122ed4c66f917cc427e5024e46a Mon Sep 17 00:00:00 2001
From: Julien Rische <jrische@redhat.com>
Date: Aug 02 2023 11:52:30 +0000
Subject: ipa-kdb: fix error handling of is_master_host()
Adding proper error handling to the is_master_host() function to allow
it to make the difference between the absence of a master host object
and a connection failure. This will keep the krb5kdc daemon from
continuing to run with a NULL LDAP context.
Fixes: https://pagure.io/freeipa/issue/9422
Signed-off-by: Julien Rische <jrische@redhat.com>
Reviewed-By: Alexander Bokovoy <abokovoy@redhat.com>
---
diff --git a/daemons/ipa-kdb/ipa_kdb_mspac.c b/daemons/ipa-kdb/ipa_kdb_mspac.c
index 8da7543..83cb991 100644
--- a/daemons/ipa-kdb/ipa_kdb_mspac.c
+++ b/daemons/ipa-kdb/ipa_kdb_mspac.c
@@ -401,27 +401,29 @@ static krb5_error_code ipadb_add_asserted_identity(struct ipadb_context *ipactx,
return 0;
}
-static bool is_master_host(struct ipadb_context *ipactx, const char *fqdn)
+static krb5_error_code
+is_master_host(struct ipadb_context *ipactx, const char *fqdn, bool *result)
{
- int ret;
+ int err;
char *master_host_base = NULL;
- LDAPMessage *result = NULL;
- krb5_error_code err;
+ LDAPMessage *ldap_res = NULL;
- ret = asprintf(&master_host_base, "cn=%s,cn=masters,cn=ipa,cn=etc,%s",
+ err = asprintf(&master_host_base, "cn=%s,cn=masters,cn=ipa,cn=etc,%s",
fqdn, ipactx->base);
- if (ret == -1) {
- return false;
- }
+ if (err == -1)
+ return ENOMEM;
+
err = ipadb_simple_search(ipactx, master_host_base, LDAP_SCOPE_BASE,
- NULL, NULL, &result);
+ NULL, NULL, &ldap_res);
free(master_host_base);
- ldap_msgfree(result);
- if (err == 0) {
- return true;
- }
+ ldap_msgfree(ldap_res);
+ if (err != KRB5_KDB_NOENTRY && err != 0)
+ return err;
+
+ if (result)
+ *result = err != KRB5_KDB_NOENTRY;
- return false;
+ return 0;
}
static krb5_error_code ipadb_fill_info3(struct ipadb_context *ipactx,
@@ -692,9 +694,14 @@ static krb5_error_code ipadb_fill_info3(struct ipadb_context *ipactx,
if ((is_host || is_service)) {
/* it is either host or service, so get the hostname first */
char *sep = strchr(info3->base.account_name.string, '/');
- bool is_master = is_master_host(
- ipactx,
- sep ? sep + 1 : info3->base.account_name.string);
+ bool is_master;
+
+ ret = is_master_host(ipactx,
+ sep ? sep + 1 : info3->base.account_name.string,
+ &is_master);
+ if (ret)
+ return ret;
+
if (is_master) {
/* Well known RID of domain controllers group */
if (info3->base.rid == 0) {

39
SOURCES/0008-ipatests-enable-firewall-rule-for-http-service-on-acme-client_rhbz#2230256.patch Normal file
View File

@ -0,0 +1,39 @@
From f68468718c1e01df4a9180e17d7e24d961850e19 Mon Sep 17 00:00:00 2001
From: Mohammad Rizwan <myusuf@redhat.com>
Date: Wed, 14 Jun 2023 17:32:02 +0530
Subject: [PATCH] ipatests: enable firewall rule for http service on acme
client
when system hardning done i.e in case of STIG, sometimes http challanges
can't be validated by CA if port 80 is not open. This fix enable it to facilitate
the communication.
Signed-off-by: Mohammad Rizwan <myusuf@redhat.com>
Reviewed-By: Rob Crittenden <rcritten@redhat.com>
Reviewed-By: Florence Blanc-Renaud <frenaud@redhat.com>
---
ipatests/test_integration/test_acme.py | 4 ++++
1 file changed, 4 insertions(+)
diff --git a/ipatests/test_integration/test_acme.py b/ipatests/test_integration/test_acme.py
index c69e810da70..414fae8d751 100644
--- a/ipatests/test_integration/test_acme.py
+++ b/ipatests/test_integration/test_acme.py
@@ -10,6 +10,7 @@
from ipalib.constants import IPA_CA_RECORD
from ipatests.test_integration.base import IntegrationTest
+from ipatests.pytest_ipa.integration.firewall import Firewall
from ipatests.pytest_ipa.integration import tasks
from ipatests.test_integration.test_caless import CALessBase, ipa_certs_cleanup
from ipaplatform.osinfo import osinfo
@@ -82,6 +83,9 @@ def prepare_acme_client(master, client):
acme_host = f'{IPA_CA_RECORD}.{master.domain.name}'
acme_server = f'https://{acme_host}/acme/directory'
+ # enable firewall rule on client
+ Firewall(client).enable_services(["http", "https"])
+
# install acme client packages
if not skip_certbot_tests:
tasks.install_packages(client, ['certbot'])

193
SOURCES/0009-User-plugin-improve-error-related-to-non-existing-idp_rhbz#2224572.patch Normal file
View File

@ -0,0 +1,193 @@
From 99aa03413421cf2839e89e10ca279ec19233dd01 Mon Sep 17 00:00:00 2001
From: Florence Blanc-Renaud <flo@redhat.com>
Date: Jul 20 2023 08:23:36 +0000
Subject: User plugin: improve error related to non existing idp
The user and stageuser commands return the following error
when the user is created/updated with a non existing idp:
$ ipa user-add testuser --first test --last user --idp dummy
ipa: ERROR: no such entry
The error is not descriptive enough and has been modified to
display instead:
$ ipa user-add testuser --first test --last user --idp dummy
ipa: ERROR: External IdP configuration dummy not found
Fixes: https://pagure.io/freeipa/issue/9416
Signed-off-by: Florence Blanc-Renaud <flo@redhat.com>
Reviewed-By: Rob Crittenden <rcritten@redhat.com>
---
diff --git a/ipaserver/plugins/baseuser.py b/ipaserver/plugins/baseuser.py
index 73b76d3..ba5f9b7 100644
--- a/ipaserver/plugins/baseuser.py
+++ b/ipaserver/plugins/baseuser.py
@@ -708,7 +708,11 @@ class baseuser_mod(LDAPUpdate):
if 'ipaidpuser' not in obj_classes:
entry_attrs['objectclass'].append('ipaidpuser')
- answer = self.api.Object['idp'].get_dn_if_exists(cl)
+ try:
+ answer = self.api.Object['idp'].get_dn_if_exists(cl)
+ except errors.NotFound:
+ reason = "External IdP configuration {} not found"
+ raise errors.NotFound(reason=_(reason).format(cl))
entry_attrs['ipaidpconfiglink'] = answer
# Note: we could have used the method add_missing_object_class
diff --git a/ipaserver/plugins/stageuser.py b/ipaserver/plugins/stageuser.py
index 51438a8..852e51b 100644
--- a/ipaserver/plugins/stageuser.py
+++ b/ipaserver/plugins/stageuser.py
@@ -404,7 +404,11 @@ class stageuser_add(baseuser_add):
if 'ipaidpuser' not in entry_attrs['objectclass']:
entry_attrs['objectclass'].append('ipaidpuser')
- answer = self.api.Object['idp'].get_dn_if_exists(cl)
+ try:
+ answer = self.api.Object['idp'].get_dn_if_exists(cl)
+ except errors.NotFound:
+ reason = "External IdP configuration {} not found"
+ raise errors.NotFound(reason=_(reason).format(cl))
entry_attrs['ipaidpconfiglink'] = answer
self.pre_common_callback(ldap, dn, entry_attrs, attrs_list, *keys,
diff --git a/ipaserver/plugins/user.py b/ipaserver/plugins/user.py
index 643b44f..a337e1f 100644
--- a/ipaserver/plugins/user.py
+++ b/ipaserver/plugins/user.py
@@ -638,7 +638,11 @@ class user_add(baseuser_add):
if 'ipaidpuser' not in entry_attrs['objectclass']:
entry_attrs['objectclass'].append('ipaidpuser')
- answer = self.api.Object['idp'].get_dn_if_exists(rcl)
+ try:
+ answer = self.api.Object['idp'].get_dn_if_exists(rcl)
+ except errors.NotFound:
+ reason = "External IdP configuration {} not found"
+ raise errors.NotFound(reason=_(reason).format(rcl))
entry_attrs['ipaidpconfiglink'] = answer
self.pre_common_callback(ldap, dn, entry_attrs, attrs_list, *keys,
From dbcbe9a39c99008c6858bab53e2807b7bf01ba65 Mon Sep 17 00:00:00 2001
From: Florence Blanc-Renaud <flo@redhat.com>
Date: Jul 20 2023 08:23:36 +0000
Subject: xmlrpc tests: add a test for user plugin with non-existing idp
Add new tests checking the error returned for
ipa user-add ... --idp nonexistingidp
ipa user-mod ... --idp nonexistingidp
ipa stageuser-add ... --idp nonexistingidp
ipa stageuser-mod ... --idp nonexistingidp
The expected error message is:
ipa: ERROR: External IdP configuration nonexistingidp not found
Related: https://pagure.io/freeipa/issue/9416
Signed-off-by: Florence Blanc-Renaud <flo@redhat.com>
Reviewed-By: Rob Crittenden <rcritten@redhat.com>
---
diff --git a/ipatests/test_xmlrpc/test_stageuser_plugin.py b/ipatests/test_xmlrpc/test_stageuser_plugin.py
index 394015f..9ae5561 100644
--- a/ipatests/test_xmlrpc/test_stageuser_plugin.py
+++ b/ipatests/test_xmlrpc/test_stageuser_plugin.py
@@ -39,6 +39,8 @@ gid = u'456'
invalidrealm1 = u'suser1@NOTFOUND.ORG'
invalidrealm2 = u'suser1@BAD@NOTFOUND.ORG'
+nonexistentidp = 'IdPDoesNotExist'
+
invaliduser1 = u'+tuser1'
invaliduser2 = u'tuser1234567890123456789012345678901234567890'
invaliduser3 = u'1234'
@@ -431,6 +433,15 @@ class TestCreateInvalidAttributes(XMLRPC_test):
invalidrealm2))):
command()
+ def test_create_invalid_idp(self, stageduser):
+ stageduser.ensure_missing()
+ command = stageduser.make_create_command(
+ options={u'ipaidpconfiglink': nonexistentidp})
+ with raises_exact(errors.NotFound(
+ reason="External IdP configuration {} not found".format(
+ nonexistentidp))):
+ command()
+
@pytest.mark.tier1
class TestUpdateInvalidAttributes(XMLRPC_test):
@@ -466,6 +477,15 @@ class TestUpdateInvalidAttributes(XMLRPC_test):
message=u'invalid \'gidnumber\': must be at least 1')):
command()
+ def test_update_invalididp(self, stageduser):
+ stageduser.ensure_exists()
+ command = stageduser.make_update_command(
+ updates={u'ipaidpconfiglink': nonexistentidp})
+ with raises_exact(errors.NotFound(
+ reason="External IdP configuration {} not found".format(
+ nonexistentidp))):
+ command()
+
@pytest.mark.tier1
class TestActive(XMLRPC_test):
diff --git a/ipatests/test_xmlrpc/test_user_plugin.py b/ipatests/test_xmlrpc/test_user_plugin.py
index 8ac19a4..baa2867 100644
--- a/ipatests/test_xmlrpc/test_user_plugin.py
+++ b/ipatests/test_xmlrpc/test_user_plugin.py
@@ -86,6 +86,8 @@ expired_expiration_string = "1991-12-07T19:54:13Z"
# Date in ISO format (2013-12-10T12:00:00)
isodate_re = re.compile(r'^\d{4}-\d{2}-\d{2}T\d{2}:\d{2}:\d{2}Z$')
+nonexistentidp = 'IdPDoesNotExist'
+
@pytest.fixture(scope='class')
def user_min(request, xmlrpc_setup):
@@ -542,6 +544,18 @@ class TestUpdate(XMLRPC_test):
command()
user.delete()
+ def test_update_invalid_idp(self, user):
+ """ Test user-mod --idp with a non-existent idp """
+ user.ensure_exists()
+ command = user.make_update_command(
+ updates=dict(ipaidpconfiglink=nonexistentidp)
+ )
+ with raises_exact(errors.NotFound(
+ reason="External IdP configuration {} not found".format(
+ nonexistentidp)
+ )):
+ command()
+
@pytest.mark.tier1
class TestCreate(XMLRPC_test):
@@ -770,6 +784,17 @@ class TestCreate(XMLRPC_test):
user_radius.check_create(result)
user_radius.delete()
+ def test_create_with_invalididp(self):
+ testuser = UserTracker(
+ name='idpuser', givenname='idp', sn='user',
+ ipaidpconfiglink=nonexistentidp
+ )
+ with raises_exact(errors.NotFound(
+ reason="External IdP configuration {} not found".format(
+ nonexistentidp)
+ )):
+ testuser.create()
+
@pytest.mark.tier1
class TestUserWithGroup(XMLRPC_test):

169
SOURCES/0010-Prevent-admin-user-from-being-deleted_rhbz#1921181.patch Normal file
View File

@ -0,0 +1,169 @@
From f215d3f45396fa29bdd69f56096b50842df14908 Mon Sep 17 00:00:00 2001
From: Rob Crittenden <rcritten@redhat.com>
Date: Aug 01 2023 22:03:03 +0000
Subject: Prevent the admin user from being deleted
admin is required for trust operations
Note that testing for removing the last member is now
irrelevant because admin must always exist so the test
for it was removed, but the code check remains. It is done
after the protected member check.
Fixes: https://pagure.io/freeipa/issue/8878
Signed-off-by: Rob Crittenden <rcritten@redhat.com>
Reviewed-By: Alexander Bokovoy <abokovoy@redhat.com>
---
diff --git a/ipaserver/plugins/user.py b/ipaserver/plugins/user.py
index a337e1f..6f5e349 100644
--- a/ipaserver/plugins/user.py
+++ b/ipaserver/plugins/user.py
@@ -138,14 +138,23 @@ MEMBEROF_ADMINS = "(memberOf={})".format(
)
NOT_MEMBEROF_ADMINS = '(!{})'.format(MEMBEROF_ADMINS)
+PROTECTED_USERS = ('admin',)
def check_protected_member(user, protected_group_name=u'admins'):
'''
- Ensure the last enabled member of a protected group cannot be deleted or
- disabled by raising LastMemberError.
+ Ensure admin and the last enabled member of a protected group cannot
+ be deleted or disabled by raising ProtectedEntryError or
+ LastMemberError as appropriate.
'''
+ if user in PROTECTED_USERS:
+ raise errors.ProtectedEntryError(
+ label=_("user"),
+ key=user,
+ reason=_("privileged user"),
+ )
+
# Get all users in the protected group
result = api.Command.user_find(in_group=protected_group_name)
@@ -868,6 +877,12 @@ class user_mod(baseuser_mod):
def pre_callback(self, ldap, dn, entry_attrs, attrs_list, *keys, **options):
dn, oc = self.obj.get_either_dn(*keys, **options)
+ if options.get('rename') and keys[-1] in PROTECTED_USERS:
+ raise errors.ProtectedEntryError(
+ label=_("user"),
+ key=keys[-1],
+ reason=_("privileged user"),
+ )
if 'objectclass' not in entry_attrs and 'rename' not in options:
entry_attrs.update({'objectclass': oc})
self.pre_common_callback(ldap, dn, entry_attrs, attrs_list, *keys,
diff --git a/ipatests/test_xmlrpc/test_user_plugin.py b/ipatests/test_xmlrpc/test_user_plugin.py
index baa2867..df105a2 100644
--- a/ipatests/test_xmlrpc/test_user_plugin.py
+++ b/ipatests/test_xmlrpc/test_user_plugin.py
@@ -978,22 +978,32 @@ class TestManagers(XMLRPC_test):
@pytest.mark.tier1
class TestAdmins(XMLRPC_test):
- def test_remove_original_admin(self):
- """ Try to remove the only admin """
+ def test_delete_admin(self):
+ """ Try to delete the protected admin user """
tracker = Tracker()
- command = tracker.make_command('user_del', [admin1])
+ command = tracker.make_command('user_del', admin1)
- with raises_exact(errors.LastMemberError(
- key=admin1, label=u'group', container=admin_group)):
+ with raises_exact(errors.ProtectedEntryError(label=u'user',
+ key=admin1, reason='privileged user')):
+ command()
+
+ def test_rename_admin(self):
+ """ Try to rename the admin user """
+ tracker = Tracker()
+ command = tracker.make_command('user_mod', admin1,
+ **dict(rename=u'newadmin'))
+
+ with raises_exact(errors.ProtectedEntryError(label=u'user',
+ key=admin1, reason='privileged user')):
command()
def test_disable_original_admin(self):
- """ Try to disable the only admin """
+ """ Try to disable the original admin """
tracker = Tracker()
command = tracker.make_command('user_disable', admin1)
- with raises_exact(errors.LastMemberError(
- key=admin1, label=u'group', container=admin_group)):
+ with raises_exact(errors.ProtectedEntryError(label=u'user',
+ key=admin1, reason='privileged user')):
command()
def test_create_admin2(self, admin2):
@@ -1011,21 +1021,11 @@ class TestAdmins(XMLRPC_test):
admin2.disable()
tracker = Tracker()
- with raises_exact(errors.LastMemberError(
- key=admin1, label=u'group', container=admin_group)):
+ with raises_exact(errors.ProtectedEntryError(label=u'user',
+ key=admin1, reason='privileged user')):
tracker.run_command('user_disable', admin1)
- with raises_exact(errors.LastMemberError(
- key=admin1, label=u'group', container=admin_group)):
- tracker.run_command('user_del', admin1)
admin2.delete()
- with raises_exact(errors.LastMemberError(
- key=admin1, label=u'group', container=admin_group)):
- tracker.run_command('user_disable', admin1)
- with raises_exact(errors.LastMemberError(
- key=admin1, label=u'group', container=admin_group)):
- tracker.run_command('user_del', admin1)
-
@pytest.mark.tier1
class TestPreferredLanguages(XMLRPC_test):
From 7d62d84bdd3c2acd2f4bf70bb5fabf14c72e8ee7 Mon Sep 17 00:00:00 2001
From: Florence Blanc-Renaud <flo@redhat.com>
Date: Aug 08 2023 14:50:32 +0000
Subject: ipatests: update expected webui msg for admin deletion
The deletion of the admin is now forbidden (even if it is
not the last member of the admins group) and the error
message has changed from "admin cannot be deleted or
disabled because it is the last member of group admins"
to " user admin cannot be deleted/modified: privileged user".
Update the expected message in the webui test.
Related: https://pagure.io/freeipa/issue/8878
Signed-off-by: Florence Blanc-Renaud <flo@redhat.com>
Reviewed-By: Alexander Bokovoy <abokovoy@redhat.com>
---
diff --git a/ipatests/test_webui/test_user.py b/ipatests/test_webui/test_user.py
index 8d44fbd..a8a92d0 100644
--- a/ipatests/test_webui/test_user.py
+++ b/ipatests/test_webui/test_user.py
@@ -50,8 +50,7 @@ INV_FIRSTNAME = ("invalid 'first': Leading and trailing spaces are "
FIELD_REQ = 'Required field'
ERR_INCLUDE = 'may only include letters, numbers, _, -, . and $'
ERR_MISMATCH = 'Passwords must match'
-ERR_ADMIN_DEL = ('admin cannot be deleted or disabled because it is the last '
- 'member of group admins')
+ERR_ADMIN_DEL = ('user admin cannot be deleted/modified: privileged user')
USR_EXIST = 'user with name "{}" already exists'
ENTRY_EXIST = 'This entry already exists'
ACTIVE_ERR = 'active user with name "{}" already exists'

114
SOURCES/0011-Fix-memory-leak-in-the-OTP-last-token-plugin_rhbz#2227783.patch Normal file
View File

@ -0,0 +1,114 @@
From 9438ce9207445e4ad4a9c7bdf0c9e569cabac571 Mon Sep 17 00:00:00 2001
From: Rob Crittenden <rcritten@redhat.com>
Date: Aug 01 2023 06:07:06 +0000
Subject: Fix memory leak in the OTP last token plugin
Three memory leaks are addressed:
1. String values retrieved from the pblock need to be manually
freed.
2. The list of objectclasses retreived from the pblock need to be
freed.
3. Internal search results need to be freed.
Fixes: https://pagure.io/freeipa/issue/9403
Signed-off-by: Rob Crittenden <rcritten@redhat.com>
Reviewed-By: Rafael Guterres Jeffman <rjeffman@redhat.com>
Reviewed-By: Alexander Bokovoy <abokovoy@redhat.com>
---
diff --git a/daemons/ipa-slapi-plugins/ipa-otp-lasttoken/ipa_otp_lasttoken.c b/daemons/ipa-slapi-plugins/ipa-otp-lasttoken/ipa_otp_lasttoken.c
index b7a2ba7..11106b2 100644
--- a/daemons/ipa-slapi-plugins/ipa-otp-lasttoken/ipa_otp_lasttoken.c
+++ b/daemons/ipa-slapi-plugins/ipa-otp-lasttoken/ipa_otp_lasttoken.c
@@ -54,7 +54,7 @@ void *ipa_otp_lasttoken_plugin_id;
static bool entry_is_token(Slapi_Entry *entry)
{
- char **ocls;
+ char **ocls = NULL;
ocls = slapi_entry_attr_get_charray(entry, SLAPI_ATTR_OBJECTCLASS);
for (size_t i = 0; ocls != NULL && ocls[i] != NULL; i++) {
@@ -64,6 +64,7 @@ static bool entry_is_token(Slapi_Entry *entry)
}
}
+ slapi_ch_array_free(ocls);
return false;
}
@@ -138,7 +139,8 @@ static bool is_pwd_enabled(const char *user_dn)
static bool is_allowed(Slapi_PBlock *pb, Slapi_Entry *entry)
{
Slapi_DN *target_sdn = NULL;
- const char *bind_dn;
+ char *bind_dn;
+ bool rv = false;
/* Ignore internal operations. */
if (slapi_op_internal(pb))
@@ -147,23 +149,35 @@ static bool is_allowed(Slapi_PBlock *pb, Slapi_Entry *entry)
/* Load parameters. */
(void) slapi_pblock_get(pb, SLAPI_TARGET_SDN, &target_sdn);
(void) slapi_pblock_get(pb, SLAPI_CONN_DN, &bind_dn);
- if (target_sdn == NULL || bind_dn == NULL) {
- LOG_FATAL("Missing parameters!\n");
- return false;
+ if (bind_dn == NULL) {
+ LOG_FATAL("bind_dn parameter missing!\n");
+ goto done;
+ }
+ if (target_sdn == NULL) {
+ LOG_FATAL("target_sdn parameter missing!\n");
+ goto done;
}
if (entry != NULL
? !entry_is_token(entry)
- : !sdn_in_otp_container(target_sdn))
- return true;
+ : !sdn_in_otp_container(target_sdn)) {
+ rv = true;
+ goto done;
+ }
- if (!sdn_is_only_enabled_token(target_sdn, bind_dn))
- return true;
+ if (!sdn_is_only_enabled_token(target_sdn, bind_dn)) {
+ rv = true;
+ goto done;
+ }
- if (is_pwd_enabled(bind_dn))
- return true;
+ if (is_pwd_enabled(bind_dn)) {
+ rv = true;
+ goto done;
+ }
- return false;
+done:
+ slapi_ch_free_string(&bind_dn);
+ return rv;
}
static inline int send_error(Slapi_PBlock *pb, int rc, const char *errstr)
diff --git a/daemons/ipa-slapi-plugins/libotp/otp_token.c b/daemons/ipa-slapi-plugins/libotp/otp_token.c
index a3cbfb0..4be4ede 100644
--- a/daemons/ipa-slapi-plugins/libotp/otp_token.c
+++ b/daemons/ipa-slapi-plugins/libotp/otp_token.c
@@ -398,6 +398,7 @@ static struct otp_token **find(const struct otp_config *cfg, const char *user_dn
}
error:
+ slapi_free_search_results_internal(pb);
slapi_pblock_destroy(pb);
return tokens;
}

58
SOURCES/0012-ipatests-fix-test_topology_rhbz#2232351.patch Normal file
View File

@ -0,0 +1,58 @@
From fdaad3a45f5674876fd3f6cc7ad1e916ebfc7080 Mon Sep 17 00:00:00 2001
From: Florence Blanc-Renaud <flo@redhat.com>
Date: Aug 14 2023 13:02:20 +0000
Subject: ipatests: fix test_topology
The test TestTopologyOptions::test_add_remove_segment is
randomly failing downstream. Test scenario:
- create a line topology master <-> repl1 <-> repl2
- create user on master
- wait for repl success on master
- check that the user is seen on repl2
The test waits for replication to complete on the master but
it should also wait for the replication to complete on repl1
before checking the user presence on repl2.
Signed-off-by: Florence Blanc-Renaud <flo@redhat.com>
Reviewed-By: Anuja More <amore@redhat.com>
---
diff --git a/ipatests/test_integration/test_topology.py b/ipatests/test_integration/test_topology.py
index 8a240fa..618c9d5 100644
--- a/ipatests/test_integration/test_topology.py
+++ b/ipatests/test_integration/test_topology.py
@@ -124,6 +124,9 @@ class TestTopologyOptions(IntegrationTest):
self.replicas[0],
self.replicas[1])
assert err == "", err
+ # At this point we have replicas[1] <-> master <-> replicas[0]
+ # ^--------------------------^
+
# Make sure the new segment is shown by `ipa topologysegment-find`
result1 = self.master.run_command(['ipa', 'topologysegment-find',
DOMAIN_SUFFIX_NAME]).stdout_text
@@ -137,9 +140,12 @@ class TestTopologyOptions(IntegrationTest):
deleteme = find_segment(self.master, self.replicas[1])
returncode, error = tasks.destroy_segment(self.master, deleteme)
assert returncode == 0, error
+ # At this point we have master <-> replicas[0] <-> replicas[1]
+
# Wait till replication ends and make sure replica1 does not have
# segment that was deleted on master
master_ldap = self.master.ldap_connect()
+ repl_ldap = self.replicas[0].ldap_connect()
tasks.wait_for_replication(master_ldap)
result3 = self.replicas[0].run_command(['ipa', 'topologysegment-find',
DOMAIN_SUFFIX_NAME]).stdout_text
@@ -150,6 +156,7 @@ class TestTopologyOptions(IntegrationTest):
'--first', 'test',
'--last', 'user'])
tasks.wait_for_replication(master_ldap)
+ tasks.wait_for_replication(repl_ldap)
result4 = self.replicas[1].run_command(['ipa', 'user-find'])
assert('someuser' in result4.stdout_text), 'User not found: someuser'
# We end up having a line topology: master <-> replica1 <-> replica2

40
SOURCES/0013-Installer-activate-nss-and-pam-services-in-sssd.conf_rhbz#2216532.patch Normal file
View File

@ -0,0 +1,40 @@
From f38eefd9f7e54470de7c707782114b17aac8762a Mon Sep 17 00:00:00 2001
From: Florence Blanc-Renaud <flo@redhat.com>
Date: Aug 16 2023 15:25:34 +0000
Subject: Installer: activate nss and pam services in sssd.conf
If there is already a sssd.conf file before the installer is
executed, the nss and pam services may not be enabled by the
installer. This happens for instance if the machine is hardened
for STIG and sssd.conf does not define services=... in the
[sssd] section.
The consequence is that trust cannot be established with an AD
domain.
The installer must enable nss and pam services even if there is
a pre-existing sssd.conf file.
Fixes: https://pagure.io/freeipa/issue/9427
Signed-off-by: Florence Blanc-Renaud <flo@redhat.com>
Reviewed-By: Alexander Bokovoy <abokovoy@redhat.com>
---
diff --git a/ipaclient/install/client.py b/ipaclient/install/client.py
index ef29a2c..07d62a7 100644
--- a/ipaclient/install/client.py
+++ b/ipaclient/install/client.py
@@ -969,6 +969,9 @@ def configure_sssd_conf(
nss_service.set_option('memcache_timeout', 600)
sssdconfig.save_service(nss_service)
+ sssd_enable_service(sssdconfig, 'nss')
+ sssd_enable_service(sssdconfig, 'pam')
+
domain.set_option('ipa_domain', cli_domain)
domain.set_option('ipa_hostname', client_hostname)
if cli_domain.lower() != cli_realm.lower():

7
SOURCES/1002-Revert-freeipa.spec-depend-on-bind-dnssec-utils.patch
View File

@ -15,7 +15,7 @@ diff --git a/freeipa.spec.in b/freeipa.spec.in
index 8f5c370e5..e20edb7bc 100755 index 8f5c370e5..e20edb7bc 100755
--- a/freeipa.spec.in --- a/freeipa.spec.in
+++ b/freeipa.spec.in +++ b/freeipa.spec.in
@@ -585,11 +585,9 @@ Requires: %{name}-server = %{version}-%{release} @@ -576,11 +576,9 @@ Requires: %{name}-server = %{version}-%{release}
Requires: bind-dyndb-ldap >= 11.2-2 Requires: bind-dyndb-ldap >= 11.2-2
Requires: bind >= %{bind_version} Requires: bind >= %{bind_version}
Requires: bind-utils >= %{bind_version} Requires: bind-utils >= %{bind_version}
@ -32,16 +32,15 @@ diff --git a/ipaplatform/base/paths.py b/ipaplatform/base/paths.py
index 7d21367ec..42a47f1df 100644 index 7d21367ec..42a47f1df 100644
--- a/ipaplatform/base/paths.py --- a/ipaplatform/base/paths.py
+++ b/ipaplatform/base/paths.py +++ b/ipaplatform/base/paths.py
@@ -258,8 +258,7 @@ class BasePathNamespace: @@ -259,7 +259,6 @@ class BasePathNamespace:
IPA_PKI_RETRIEVE_KEY = "/usr/libexec/ipa/ipa-pki-retrieve-key" IPA_PKI_RETRIEVE_KEY = "/usr/libexec/ipa/ipa-pki-retrieve-key"
IPA_HTTPD_PASSWD_READER = "/usr/libexec/ipa/ipa-httpd-pwdreader" IPA_HTTPD_PASSWD_READER = "/usr/libexec/ipa/ipa-httpd-pwdreader"
IPA_PKI_WAIT_RUNNING = "/usr/libexec/ipa/ipa-pki-wait-running" IPA_PKI_WAIT_RUNNING = "/usr/libexec/ipa/ipa-pki-wait-running"
- DNSSEC_KEYFROMLABEL = "/usr/sbin/dnssec-keyfromlabel" - DNSSEC_KEYFROMLABEL = "/usr/sbin/dnssec-keyfromlabel"
- DNSSEC_KEYFROMLABEL_9_17 = "/usr/bin/dnssec-keyfromlabel"
+ DNSSEC_KEYFROMLABEL = "/usr/sbin/dnssec-keyfromlabel-pkcs11" + DNSSEC_KEYFROMLABEL = "/usr/sbin/dnssec-keyfromlabel-pkcs11"
- DNSSEC_KEYFROMLABEL_9_17 = "/usr/bin/dnssec-keyfromlabel"
GETSEBOOL = "/usr/sbin/getsebool" GETSEBOOL = "/usr/sbin/getsebool"
GROUPADD = "/usr/sbin/groupadd" GROUPADD = "/usr/sbin/groupadd"
USERMOD = "/usr/sbin/usermod"
diff --git a/ipaplatform/fedora/paths.py b/ipaplatform/fedora/paths.py diff --git a/ipaplatform/fedora/paths.py b/ipaplatform/fedora/paths.py
index 4e993c063..92a948966 100644 index 4e993c063..92a948966 100644
--- a/ipaplatform/fedora/paths.py --- a/ipaplatform/fedora/paths.py

46
SOURCES/1004-Revert-DNSResolver-Fix-use-of-nameservers-with-ports.patch
View File

@ -4,20 +4,20 @@ Date: Mon, 19 Dec 2022 14:57:03 -0300
Subject: [PATCH] Revert "DNSResolver: Fix use of nameservers with ports" Subject: [PATCH] Revert "DNSResolver: Fix use of nameservers with ports"
This reverts commit 5e2e4664aec641886923c2bec61ce25b96edb62a. This reverts commit 5e2e4664aec641886923c2bec61ce25b96edb62a.
---
ipapython/dnsutil.py | 41 -------------------------
ipatests/test_ipapython/test_dnsutil.py | 40 ------------------------
2 files changed, 81 deletions(-)
diff --git a/ipapython/dnsutil.py b/ipapython/dnsutil.py diff --git a/ipapython/dnsutil.py b/ipapython/dnsutil.py
index 58de365ab..4baeaf8cc 100644 index 58de365ab..4baeaf8cc 100644
--- a/ipapython/dnsutil.py --- a/ipapython/dnsutil.py 2023-05-19 05:12:52.471239297 -0300
+++ b/ipapython/dnsutil.py +++ b/ipapython/dnsutil.py 2023-05-24 12:20:13.588867053 -0300
@@ -144,47 +144,6 @@ class DNSResolver(dns.resolver.Resolver): @@ -145,55 +145,6 @@
nameservers.remove(ipv4_loopback) nameservers.remove(ipv4_loopback)
self.nameservers = nameservers self.nameservers = nameservers
- @dns.resolver.Resolver.nameservers.setter - @property
- def nameservers(self):
- return self._nameservers
-
- @nameservers.setter
- def nameservers(self, nameservers): - def nameservers(self, nameservers):
- """ - """
- *nameservers*, a ``list`` of nameservers with optional ports: - *nameservers*, a ``list`` of nameservers with optional ports:
@ -54,7 +54,11 @@ index 58de365ab..4baeaf8cc 100644
- nameservers = _nameservers - nameservers = _nameservers
- -
- # Call dns.resolver.Resolver.nameservers setter - # Call dns.resolver.Resolver.nameservers setter
- dns.resolver.Resolver.nameservers.__set__(self, nameservers) - if hasattr(dns.resolver.Resolver, "nameservers"):
- dns.resolver.Resolver.nameservers.__set__(self, nameservers)
- else:
- # old dnspython (<2) doesn't have 'nameservers' property
- self._nameservers = nameservers
- # Set nameserver_ports after successfull call to setter - # Set nameserver_ports after successfull call to setter
- self.nameserver_ports = nameserver_ports - self.nameserver_ports = nameserver_ports
- -
@ -62,23 +66,29 @@ index 58de365ab..4baeaf8cc 100644
class DNSZoneAlreadyExists(dns.exception.DNSException): class DNSZoneAlreadyExists(dns.exception.DNSException):
supp_kwargs = {'zone', 'ns'} supp_kwargs = {'zone', 'ns'}
diff --git a/ipatests/test_ipapython/test_dnsutil.py b/ipatests/test_ipapython/test_dnsutil.py diff --git a/ipatests/test_ipapython/test_dnsutil.py b/ipatests/test_ipapython/test_dnsutil.py
index 09463c69d..5e7a46197 100644 index 9070d89ad..5e7a46197 100644
--- a/ipatests/test_ipapython/test_dnsutil.py --- a/ipatests/test_ipapython/test_dnsutil.py
+++ b/ipatests/test_ipapython/test_dnsutil.py +++ b/ipatests/test_ipapython/test_dnsutil.py
@@ -101,43 +101,3 @@ class TestSortURI: @@ -101,48 +101,3 @@ class TestSortURI:
assert dnsutil.sort_prio_weight([h3, h2, h1]) == [h1, h2, h3] assert dnsutil.sort_prio_weight([h3, h2, h1]) == [h1, h2, h3]
assert dnsutil.sort_prio_weight([h3, h3, h3]) == [h3] assert dnsutil.sort_prio_weight([h3, h3, h3]) == [h3]
assert dnsutil.sort_prio_weight([h2, h2, h1, h1]) == [h1, h2] assert dnsutil.sort_prio_weight([h2, h2, h1, h1]) == [h1, h2]
- -
- -
-class TestDNSResolver: -class TestDNSResolver:
- def test_nameservers(self): - @pytest.fixture(name="res")
- res = dnsutil.DNSResolver() - def resolver(self):
- """Resolver that doesn't read /etc/resolv.conf
-
- /etc/resolv.conf is not mandatory on systems
- """
- return dnsutil.DNSResolver(configure=False)
-
- def test_nameservers(self, res):
- res.nameservers = ["4.4.4.4", "8.8.8.8"] - res.nameservers = ["4.4.4.4", "8.8.8.8"]
- assert res.nameservers == ["4.4.4.4", "8.8.8.8"] - assert res.nameservers == ["4.4.4.4", "8.8.8.8"]
- -
- def test_nameservers_with_ports(self): - def test_nameservers_with_ports(self, res):
- res = dnsutil.DNSResolver()
- res.nameservers = ["4.4.4.4 port 53", "8.8.8.8 port 8053"] - res.nameservers = ["4.4.4.4 port 53", "8.8.8.8 port 8053"]
- assert res.nameservers == ["4.4.4.4", "8.8.8.8"] - assert res.nameservers == ["4.4.4.4", "8.8.8.8"]
- assert res.nameserver_ports == {"4.4.4.4": 53, "8.8.8.8": 8053} - assert res.nameserver_ports == {"4.4.4.4": 53, "8.8.8.8": 8053}
@ -87,8 +97,7 @@ index 09463c69d..5e7a46197 100644
- assert res.nameservers == ["4.4.4.4", "8.8.8.8"] - assert res.nameservers == ["4.4.4.4", "8.8.8.8"]
- assert res.nameserver_ports == {"4.4.4.4": 53, "8.8.8.8": 8053} - assert res.nameserver_ports == {"4.4.4.4": 53, "8.8.8.8": 8053}
- -
- def test_nameservers_with_bad_ports(self): - def test_nameservers_with_bad_ports(self, res):
- res = dnsutil.DNSResolver()
- try: - try:
- res.nameservers = ["4.4.4.4 port a"] - res.nameservers = ["4.4.4.4 port a"]
- except ValueError: - except ValueError:
@ -109,6 +118,3 @@ index 09463c69d..5e7a46197 100644
- pass - pass
- else: - else:
- pytest.fail("No fail on bad port 65536") - pytest.fail("No fail on bad port 65536")
--
2.38.1

16
SOURCES/freeipa-4.9.11.tar.gz.asc
View File

@ -1,16 +0,0 @@
-----BEGIN PGP SIGNATURE-----
iQIzBAABCAAdFiEE11Z2TU1+KXxtrRFyaYdvcqbi008FAmOA8kcACgkQaYdvcqbi
00887g/9GTvueJCypiuTqxKsbkTbWamOyH3W+AqtHw9Ff+wM/hnkSloGizhQ4EZZ
4Zs1e6bfM1pGXT7DXU9WbiYtcVtUhY5l9SnT9moCMaG1z4aB7z9UCxsqsSCuy3bG
KQq6AO2z4DaqHiz6ez3QXi+MUCNnPziWmS3bLdDCrTK0PNxqiMPIotlXMgVFgDL7
go/TAUvUL27zH4ELvG4parSGEKVEqe//RzXklOwGrInyj/4u42x7lUdO2ugOolCI
wNod8v+NWQWVgxNyhfTjP5VBZzO9wkGx4xruF2cAjVdjnIUGcG0FR3hI/bpi7Lyv
EmIozbQMK92MLel63E7Z/d5Jxfmuw/n1t5NrgSth+9hhWnBEpiaKkD2zAmUATqHf
+y4mbrtajmjzewEnfUnQfCvSLDPyTpnQKkRY8hUvk7u/J+/ZFWMQl9RdGNw3M0Zr
WrsqkKLK/n5IOHYHb/lBRaUidssKjQYFIvyNfHDP/lu6iiyLOpi5MIdk9BakO5wc
oDMk3w9xY7tPPmoesW40BThnAdOR9U4aad8zVvOxhMfzAYRwu95HGQoHnk7/rNut
IfzMZVjVTLQ8gyApcBlWzu/buiOoEXTKaMyzs0S9RMptknj5Xf0CGRz3bVrZRfJd
umyhD6/rNk3eZW/yEIv3IqFev0h1txTBPSTlczYUIz6uc7nx82E=
=8YVm
-----END PGP SIGNATURE-----

16
SOURCES/freeipa-4.9.12.tar.gz.asc Normal file
View File

@ -0,0 +1,16 @@
-----BEGIN PGP SIGNATURE-----
iQIzBAABCAAdFiEE11Z2TU1+KXxtrRFyaYdvcqbi008FAmRnL+gACgkQaYdvcqbi
00/1Gg/8CFABojXZyUkQnWeaHdrFeHeE+DW2qTs9Wr/TQwF67fYkh7lj3p+WqMlD
kMMNAfLn4wUnJNDMv64QlE6RAz71KetQlQt+mZQVT9M0nDepLhBw86qmNbJj611J
+2B79hzNLT8tmOf9NyLRJbFp3QebSPELX9hycPj1Ovd1tr/61tcwcNzE6ZLrX5vb
IPkCT2bo+6MceIsR50tTRxxK6J9jFYX73PjHJ5Ix7ssDf4vg2OBRTwUdLeZAkWlA
q+0bPPp+F3PWLhnSs+vIs5plHUI/hcGCt9pTvw/d6jUUxuwZadGGbRZSyDN7aj2Q
zEXeZsCtOSk5cx65lWHl+7TTyVvCoemeZPZ92EiCtVJfiuK3/6a/WFWanBZoO0E3
N0p6HUcvIRPrEj0nQwH2vr0zkfSPA4g30k+Q9qeP3ArN+i+5OFfuiwiqk1AIJ2rv
ERhBRryOaNeiVpYghMQdtacWP/qQunfH6VdhA61Q089/lhomGeSytQI+fV4TXOhV
ldV7dftaWpQT3QYWSsKzoiHpyjIwOA8dBvQF2YDX7LNmeO/hj4ToFp00CVCWdb0j
MHs2X9p42kkhw2oZOf3GNyNvpybxUv59ER4YDEHbj8+iZyVjiqfcp71373DqpieW
iGjB3Wc0gO3cdYk3Mdl0SgkD7k0U9iwwh7qJeqqUYT3gKf9mqbY=
=dT0o
-----END PGP SIGNATURE-----

125
SPECS/ipa.spec
View File

@ -64,7 +64,7 @@
%if 0%{?rhel} %if 0%{?rhel}
%global package_name ipa %global package_name ipa
%global alt_name freeipa %global alt_name freeipa
%global krb5_version 1.18.2-2 %global krb5_version 1.18.2-25
%global krb5_kdb_version 8.0 %global krb5_kdb_version 8.0
# 0.7.16: https://github.com/drkjam/netaddr/issues/71 # 0.7.16: https://github.com/drkjam/netaddr/issues/71
%global python_netaddr_version 0.7.19 %global python_netaddr_version 0.7.19
@ -176,7 +176,7 @@
# Work-around fact that RPM SPEC parser does not accept # Work-around fact that RPM SPEC parser does not accept
# "Version: @VERSION@" in freeipa.spec.in used for Autoconf string replacement # "Version: @VERSION@" in freeipa.spec.in used for Autoconf string replacement
%define IPA_VERSION 4.9.11 %define IPA_VERSION 4.9.12
# Release candidate version -- uncomment with one percent for RC versions # Release candidate version -- uncomment with one percent for RC versions
#%%global rc_version %%nil #%%global rc_version %%nil
%define AT_SIGN @ %define AT_SIGN @
@ -189,7 +189,7 @@
Name: %{package_name} Name: %{package_name}
Version: %{IPA_VERSION} Version: %{IPA_VERSION}
Release: 5%{?rc_version:.%rc_version}%{?dist} Release: 8%{?rc_version:.%rc_version}%{?dist}
Summary: The Identity, Policy and Audit system Summary: The Identity, Policy and Audit system
License: GPLv3+ License: GPLv3+
@ -209,13 +209,19 @@ Source1: https://releases.pagure.org/freeipa/freeipa-%{version}%{?rc_vers
# RHEL spec file only: START # RHEL spec file only: START
%if %{NON_DEVELOPER_BUILD} %if %{NON_DEVELOPER_BUILD}
%if 0%{?rhel} >= 8 %if 0%{?rhel} >= 8
Patch0001: 0001-updates-fix-memberManager-ACI-to-allow-managers-from-a-specified-group_rhbz#2056009.patch Patch0001: 0001-user-or-group-name-explain-the-supported-format_rhbz#2150217.patch
Patch0002: 0002-trust-add-handle-missing-msSFU30MaxGidNumber_rhbz#2162355.patch Patch0002: 0002-Use-the-python-cryptography-parser-directly-in-cert-find_rhbz#2164349.patch
Patch0003: 0003-Backport-latest-test-fixes-python3-ipatests_rhbz#2166929.patch Patch0003: 0003-Upgrade-add-PKI-drop-in-file-if-missing_rhbz#2215336.patch
Patch0004: 0004-server-install-remove-error-log-about-missing-bkup-file_rhbz#2160389.patch Patch0004: 0004-Upgrade-fix-replica-agreement_rhbz#2216551.patch
Patch0005: 0005-automember-rebuild-add-a-notice-about-high-CPU-usage_rhbz#2018198.patch Patch0005: 0005-OTP-fix-data-type-to-avoid-endianness-issue_rhbz#2218293.patch
Patch0006: 0006-ipa-kdb-PAC-consistency-checker-needs-to-handle-child-domains-as-well_rhbz#2166324.patch Patch0006: 0006-Backport-test-updates-8-9-release_rhbz#2218847.patch
Patch0007: 0007-Wipe-the-ipa-ca-DNS-record-when-updating-system-records_rhbz#2158775.patch Patch0007: 0007-ipa-kdb-fix-error-handling-of-is_master_host_rhbz#2214638.patch
Patch0008: 0008-ipatests-enable-firewall-rule-for-http-service-on-acme-client_rhbz#2230256.patch
Patch0009: 0009-User-plugin-improve-error-related-to-non-existing-idp_rhbz#2224572.patch
Patch0010: 0010-Prevent-admin-user-from-being-deleted_rhbz#1921181.patch
Patch0011: 0011-Fix-memory-leak-in-the-OTP-last-token-plugin_rhbz#2227783.patch
Patch0012: 0012-ipatests-fix-test_topology_rhbz#2232351.patch
Patch0013: 0013-Installer-activate-nss-and-pam-services-in-sssd.conf_rhbz#2216532.patch
Patch1001: 1001-Change-branding-to-IPA-and-Identity-Management.patch Patch1001: 1001-Change-branding-to-IPA-and-Identity-Management.patch
Patch1002: 1002-Revert-freeipa.spec-depend-on-bind-dnssec-utils.patch Patch1002: 1002-Revert-freeipa.spec-depend-on-bind-dnssec-utils.patch
Patch1003: 1003-webui-IdP-Remove-arrow-notation-due-to-uglify-js-lim.patch Patch1003: 1003-webui-IdP-Remove-arrow-notation-due-to-uglify-js-lim.patch
@ -229,8 +235,8 @@ Patch1004: 1004-Revert-DNSResolver-Fix-use-of-nameservers-with-ports.patch
%endif %endif
# RHEL spec file only: END # RHEL spec file only: END
## For the timestamp trick in patch application # For the timestamp trick in patch application
#BuildRequires: diffstat BuildRequires: diffstat
BuildRequires: openldap-devel BuildRequires: openldap-devel
# For KDB DAL version, make explicit dependency so that increase of version # For KDB DAL version, make explicit dependency so that increase of version
@ -673,6 +679,7 @@ Requires: jansson
%endif %endif
Requires: sssd-ipa >= %{sssd_version} Requires: sssd-ipa >= %{sssd_version}
Requires: sssd-idp >= %{sssd_version} Requires: sssd-idp >= %{sssd_version}
Requires: sssd-krb5 >= %{sssd_version}
Requires: certmonger >= %{certmonger_version} Requires: certmonger >= %{certmonger_version}
Requires: nss-tools >= %{nss_version} Requires: nss-tools >= %{nss_version}
Requires: bind-utils Requires: bind-utils
@ -952,8 +959,22 @@ Custom SELinux policy module for FreeIPA
%prep %prep
# Update timestamps on the files touched by a patch, to avoid non-equal
# .pyc/.pyo files across the multilib peers within a build, where "Level"
# is the patch prefix option (e.g. -p1)
# Taken from specfile for sssd and python-simplejson
UpdateTimestamps() {
Level=$1
PatchFile=$2
%autosetup -n freeipa-%{version}%{?rc_version} -N -p1 # Locate the affected files:
for f in $(diffstat $Level -l $PatchFile); do
# Set the files to have the same timestamp as that of the patch:
touch -c -r $PatchFile $f
done
}
%setup -n freeipa-%{version}%{?rc_version} -q
# To allow proper application patches to the stripped po files, strip originals # To allow proper application patches to the stripped po files, strip originals
pushd po pushd po
@ -963,8 +984,10 @@ for i in *.po ; do
done done
popd popd
%autopatch -p1 for p in %patches ; do
%__patch -p1 -i $p
UpdateTimestamps -p1 $p
done
%build %build
# PATH is workaround for https://bugzilla.redhat.com/show_bug.cgi?id=1005235 # PATH is workaround for https://bugzilla.redhat.com/show_bug.cgi?id=1005235
@ -1217,10 +1240,8 @@ if [ $1 -gt 1 ] ; then
test -f '/var/lib/ipa-client/sysrestore/sysrestore.index' && restore=$(wc -l '/var/lib/ipa-client/sysrestore/sysrestore.index' | awk '{print $1}') test -f '/var/lib/ipa-client/sysrestore/sysrestore.index' && restore=$(wc -l '/var/lib/ipa-client/sysrestore/sysrestore.index' | awk '{print $1}')
if [ -f '/etc/sssd/sssd.conf' -a $restore -ge 2 ]; then if [ -f '/etc/sssd/sssd.conf' -a $restore -ge 2 ]; then
if ! grep -E -q '/var/lib/sss/pubconf/krb5.include.d/' /etc/krb5.conf 2>/dev/null ; then if grep -E -q '/var/lib/sss/pubconf/krb5.include.d/' /etc/krb5.conf 2>/dev/null ; then
echo "includedir /var/lib/sss/pubconf/krb5.include.d/" > /etc/krb5.conf.ipanew sed -i '\;includedir /var/lib/sss/pubconf/krb5.include.d;d' /etc/krb5.conf
cat /etc/krb5.conf >> /etc/krb5.conf.ipanew
mv -Z /etc/krb5.conf.ipanew /etc/krb5.conf
fi fi
fi fi
@ -1715,21 +1736,59 @@ fi
%endif %endif
%changelog %changelog
* Fri Feb 10 2023 Rafael Jeffman <rjeffman@redhat.com> - 4.9.11-5 * Thu Aug 31 2023 Rafael Jeffman <rjeffman@redhat.com> - 4.9.12-8
- Wipe the ipa-ca DNS record when updating system records - Require krb5 release 1.18.2-25 or later
Resolves: RHBZ#2158775 Resolves: RHBZ#2234711
* Thu Feb 09 2023 Rafael Jeffman <rjeffman@redhat.com> - 4.9.11-4 * Wed Aug 16 2023 Rafael Jeffman <rjeffman@redhat.com> - 4.9.12-7
- trust-add: handle missinf msSFU30MaxGidNumber - ipatests: fix test_topology
Resolves: RHBZ#2162355 Resolves: RHBZ#2232351
- Backport latest test fixes for python3-ipatests - Installer: activate nss and pam services in sssd.conf
Resolves: RHBZ#2166929 Resolves: RHBZ#2216532
- server install: remove error log about missing bkup file
Resolves: RHBZ#2160389 * Thu Aug 10 2023 Rafael Jeffman <rjeffman@redhat.com> - 4.9.12-6
- automember-rebuild: add a notice about high CPU usage - ipa-kdb: fix error handling of is_master_host()
Resolves: RHBZ#2018198 Resolves: RHBZ#2214638
- ipa-kdb: PAC consistency checker needs to handle child domains as well - ipatests: enable firewall rule for http service on acme client
Resolves: RHBZ#2166324 Resolves: RHBZ#2230256
- User plugin: improve error related to non existing idp
Resolves: RHBZ#2224572
- Prevent admin user from being deleted
Resolves: RHBZ#1821181
- Fix memory leak in the OTP last token plugin
Resolves: RHBZ#2227783
* Mon Jul 17 2023 Rafael Jeffman <rjeffman@redhat.com> - 4.9.12-5
- Upgrade: fix replica agreement, fix backported patch
Related: RHBZ#2216551
* Fri Jun 30 2023 Rafael Jeffman <rjeffman@redhat.com> - 4.9.12-4
- kdb: Use-krb5_pac_full_sign_compat() when available
Resolves: RHBZ#2176406
- OTP: fix-data-type-to-avoid-endianness-issue
Resolves: RHBZ#2218293
- Upgrade: fix replica agreement
Resolves: RHBZ#2216551
- Upgrade: add PKI drop-in file if missing
Resolves: RHBZ#2215336
- Use the python-cryptography parser directly in cert-find
Resolves: RHBZ#2164349
- Backport test updates
Resolves: RHBZ#221884
* Wed Jun 21 2023 Julien Rische <jrische@redhat.com> - 4.9.12-3
- Rely on sssd-krb5 to include SSSD-generated krb5 configuration
Resolves: RHBZ#2214563
* Thu May 25 2023 Rafael Jeffman <rjeffman@redhat.com> - 4.9.12-2
- Use the OpenSSL certificate parser in cert-find
Resolves: RHBZ#2209947
* Wed May 24 2023 Rafael Jeffman <rjeffman@redhat.com> - 4.9.12-1
- Rebase ipa to 4.9.12
Resolves: RHBZ#2196425
- user or group name: explain the supported format
Resolves: RHBZ#2150217
* Mon Dec 19 2022 Rafael Jeffman <rjeffman@redhat.com> - 4.9.11-3 * Mon Dec 19 2022 Rafael Jeffman <rjeffman@redhat.com> - 4.9.11-3
- Revert DNSResolver Fix use of nameservers with ports. - Revert DNSResolver Fix use of nameservers with ports.