ipa-4.10.1-2
- Resolves: rhbz#2148887 MemberManager with groups fails - Resolves: rhbz#2150335 idm:client is missing dependency on krb5-pkinit Signed-off-by: Florence Blanc-Renaud <flo@redhat.com>
This commit is contained in:
Florence Blanc-Renaud
parent
b01c9f88f3
commit
7faaf4f321
|
|
@ -0,0 +1,44 @@
|
|||
From 42be04fe4ff317efe599dcbc2637f94ecc6fa220 Mon Sep 17 00:00:00 2001
|
||||
From: Alexander Bokovoy <abokovoy@redhat.com>
|
||||
Date: Mon, 21 Nov 2022 16:12:46 +0200
|
||||
Subject: [PATCH] updates: fix memberManager ACI to allow managers from a
|
||||
specified group
|
||||
|
||||
The original implementation of the member manager added support for both
|
||||
user and group managers but left out upgrade scenario. This means when
|
||||
upgrading existing installation a manager whose rights defined by the
|
||||
group membership would not be able to add group members until the ACI is
|
||||
fixed.
|
||||
|
||||
Remove old ACI and add a full one during upgrade step.
|
||||
|
||||
Fixes: https://pagure.io/freeipa/issue/9286
|
||||
Signed-off-by: Alexander Bokovoy <abokovoy@redhat.com>
|
||||
Reviewed-By: Florence Blanc-Renaud <flo@redhat.com>
|
||||
---
|
||||
install/updates/20-aci.update | 6 ++++--
|
||||
1 file changed, 4 insertions(+), 2 deletions(-)
|
||||
|
||||
diff --git a/install/updates/20-aci.update b/install/updates/20-aci.update
|
||||
index a168bb9573a9fbb9ff15f0b19bb8ec75b48d82a9..4a7ba137c4711aa3f8b064fdd482ffee76c59949 100644
|
||||
--- a/install/updates/20-aci.update
|
||||
+++ b/install/updates/20-aci.update
|
||||
@@ -141,11 +141,13 @@ add:aci:(targetattr = "usercertificate")(version 3.0;acl "selfservice:Users can
|
||||
|
||||
# Allow member managers to modify members of user groups
|
||||
dn: cn=groups,cn=accounts,$SUFFIX
|
||||
-add:aci: (targetattr = "member")(targetfilter = "(objectclass=ipaUserGroup)")(version 3.0; acl "Allow member managers to modify members of user groups"; allow (write) userattr = "memberManager#USERDN";)
|
||||
+remove:aci: (targetattr = "member")(targetfilter = "(objectclass=ipaUserGroup)")(version 3.0; acl "Allow member managers to modify members of user groups"; allow (write) userattr = "memberManager#USERDN";)
|
||||
+add:aci: (targetattr = "member")(targetfilter = "(objectclass=ipaUserGroup)")(version 3.0; acl "Allow member managers to modify members of user groups"; allow (write) userattr = "memberManager#USERDN" or userattr = "memberManager#GROUPDN";)
|
||||
|
||||
# Allow member managers to modify members of host groups
|
||||
dn: cn=hostgroups,cn=accounts,$SUFFIX
|
||||
-add:aci: (targetattr = "member")(targetfilter = "(objectclass=ipaHostGroup)")(version 3.0; acl "Allow member managers to modify members of host groups"; allow (write) userattr = "memberManager#USERDN";)
|
||||
+remove:aci: (targetattr = "member")(targetfilter = "(objectclass=ipaHostGroup)")(version 3.0; acl "Allow member managers to modify members of host groups"; allow (write) userattr = "memberManager#USERDN";)
|
||||
+add:aci: (targetattr = "member")(targetfilter = "(objectclass=ipaHostGroup)")(version 3.0; acl "Allow member managers to modify members of host groups"; allow (write) userattr = "memberManager#USERDN" or userattr = "memberManager#GROUPDN";)
|
||||
|
||||
# Hosts can add and delete their own services
|
||||
dn: cn=services,cn=accounts,$SUFFIX
|
||||
--
|
||||
2.38.1
|
||||
|
||||
|
|
@ -0,0 +1,42 @@
|
|||
From 2d0a0cc40fb8674f30ba62980b1953cef840009e Mon Sep 17 00:00:00 2001
|
||||
From: Florence Blanc-Renaud <flo@redhat.com>
|
||||
Date: Thu, 1 Dec 2022 13:58:58 +0100
|
||||
Subject: [PATCH] Spec file: ipa-client depends on krb5-pkinit-openssl
|
||||
|
||||
Now that ipa-client-installs supports pkinit, the package
|
||||
depends on krb5-pkinit-openssl.
|
||||
Update the spec file, move the dependency from ipa-server
|
||||
to ipa-client subpackage.
|
||||
|
||||
Fixes: https://pagure.io/freeipa/issue/9290
|
||||
|
||||
Signed-off-by: Florence Blanc-Renaud <flo@redhat.com>
|
||||
Reviewed-By: Alexander Bokovoy <abokovoy@redhat.com>
|
||||
---
|
||||
freeipa.spec.in | 3 ++-
|
||||
1 file changed, 2 insertions(+), 1 deletion(-)
|
||||
|
||||
diff --git a/freeipa.spec.in b/freeipa.spec.in
|
||||
index f09741d7ad6c09e52c4bd24fcc9300584f83a49d..7dcf2e66abe40e6bde3491268b9c012f7578a8b6 100755
|
||||
--- a/freeipa.spec.in
|
||||
+++ b/freeipa.spec.in
|
||||
@@ -449,7 +449,6 @@ Requires: nss-tools >= %{nss_version}
|
||||
Requires(post): krb5-server >= %{krb5_version}
|
||||
Requires(post): krb5-server >= %{krb5_base_version}
|
||||
Requires: krb5-kdb-version = %{krb5_kdb_version}
|
||||
-Requires: krb5-pkinit-openssl >= %{krb5_version}
|
||||
Requires: cyrus-sasl-gssapi%{?_isa}
|
||||
Requires: chrony
|
||||
Requires: httpd >= %{httpd_version}
|
||||
@@ -675,6 +674,8 @@ Requires: python3-sssdconfig >= %{sssd_version}
|
||||
Requires: cyrus-sasl-gssapi%{?_isa}
|
||||
Requires: chrony
|
||||
Requires: krb5-workstation >= %{krb5_version}
|
||||
+# support pkinit with client install
|
||||
+Requires: krb5-pkinit-openssl >= %{krb5_version}
|
||||
# authselect: sssd profile with-subid
|
||||
%if 0%{?fedora} >= 36
|
||||
Requires: authselect >= 1.4.0
|
||||
--
|
||||
2.38.1
|
||||
|
||||
11
freeipa.spec
11
freeipa.spec
|
|
@ -217,7 +217,7 @@
|
|||
|
||||
Name: %{package_name}
|
||||
Version: %{IPA_VERSION}
|
||||
Release: 1%{?rc_version:.%rc_version}%{?dist}
|
||||
Release: 2%{?rc_version:.%rc_version}%{?dist}
|
||||
Summary: The Identity, Policy and Audit system
|
||||
|
||||
License: GPLv3+
|
||||
|
|
@ -237,6 +237,8 @@ Source1: https://releases.pagure.org/freeipa/freeipa-%{version}%{?rc_vers
|
|||
# RHEL spec file only: START
|
||||
%if %{NON_DEVELOPER_BUILD}
|
||||
%if 0%{?rhel} >= 8
|
||||
Patch0001: 0001-updates-fix-memberManager-ACI-to-allow-managers-from.patch
|
||||
Patch0002: 0002-Spec-file-ipa-client-depends-on-krb5-pkinit-openssl.patch
|
||||
Patch1001: 1001-Change-branding-to-IPA-and-Identity-Management.patch
|
||||
%endif
|
||||
%endif
|
||||
|
|
@ -441,7 +443,6 @@ Requires: nss-tools >= %{nss_version}
|
|||
Requires(post): krb5-server >= %{krb5_version}
|
||||
Requires(post): krb5-server >= %{krb5_base_version}
|
||||
Requires: krb5-kdb-version = %{krb5_kdb_version}
|
||||
Requires: krb5-pkinit-openssl >= %{krb5_version}
|
||||
Requires: cyrus-sasl-gssapi%{?_isa}
|
||||
Requires: chrony
|
||||
Requires: httpd >= %{httpd_version}
|
||||
|
|
@ -667,6 +668,8 @@ Requires: python3-sssdconfig >= %{sssd_version}
|
|||
Requires: cyrus-sasl-gssapi%{?_isa}
|
||||
Requires: chrony
|
||||
Requires: krb5-workstation >= %{krb5_version}
|
||||
# support pkinit with client install
|
||||
Requires: krb5-pkinit-openssl >= %{krb5_version}
|
||||
# authselect: sssd profile with-subid
|
||||
%if 0%{?fedora} >= 36
|
||||
Requires: authselect >= 1.4.0
|
||||
|
|
@ -1745,6 +1748,10 @@ fi
|
|||
%endif
|
||||
|
||||
%changelog
|
||||
* Fri Dec 9 2022 Florence Blanc-Renaud <flo@redhat.com> - 4.10.1-2
|
||||
- Resolves: rhbz#2148887 MemberManager with groups fails
|
||||
- Resolves: rhbz#2150335 idm:client is missing dependency on krb5-pkinit
|
||||
|
||||
* Fri Nov 25 2022 Florence Blanc-Renaud <flo@redhat.com> - 4.10.1-1
|
||||
- Resolves: rhbz#2141315 [Rebase] Rebase ipa to latest 4.10.x release for RHEL 9.2
|
||||
- Resolves: rhbz#2094673 ipa-client-install should just use system wide CA store and do not specify TLS_CACERT in ldap.conf
|
||||
|
|
|
|||
Loading…
Reference in New Issue