ipa-4.10.1-2

- Resolves: rhbz#2148887 MemberManager with groups fails - Resolves: rhbz#2150335 idm:client is missing dependency on krb5-pkinit Signed-off-by: Florence Blanc-Renaud <flo@redhat.com>
2022-12-09 14:31:00 +01:00 · 2022-12-09 14:31:00 +01:00 · 7faaf4f321
commit 7faaf4f321
parent b01c9f88f3
3 changed files with 95 additions and 2 deletions
--- a/0001-updates-fix-memberManager-ACI-to-allow-managers-from.patch
+++ b/0001-updates-fix-memberManager-ACI-to-allow-managers-from.patch
@ -0,0 +1,44 @@
+From 42be04fe4ff317efe599dcbc2637f94ecc6fa220 Mon Sep 17 00:00:00 2001
+From: Alexander Bokovoy <abokovoy@redhat.com>
+Date: Mon, 21 Nov 2022 16:12:46 +0200
+Subject: [PATCH] updates: fix memberManager ACI to allow managers from a
+ specified group
+
+The original implementation of the member manager added support for both
+user and group managers but left out upgrade scenario. This means when
+upgrading existing installation a manager whose rights defined by the
+group membership would not be able to add group members until the ACI is
+fixed.
+
+Remove old ACI and add a full one during upgrade step.
+
+Fixes: https://pagure.io/freeipa/issue/9286
+Signed-off-by: Alexander Bokovoy <abokovoy@redhat.com>
+Reviewed-By: Florence Blanc-Renaud <flo@redhat.com>
+---
+ install/updates/20-aci.update | 6 ++++--
+ 1 file changed, 4 insertions(+), 2 deletions(-)
+
+diff --git a/install/updates/20-aci.update b/install/updates/20-aci.update
+index a168bb9573a9fbb9ff15f0b19bb8ec75b48d82a9..4a7ba137c4711aa3f8b064fdd482ffee76c59949 100644
+--- a/install/updates/20-aci.update
+++ b/install/updates/20-aci.update
+@@ -141,11 +141,13 @@ add:aci:(targetattr = "usercertificate")(version 3.0;acl "selfservice:Users can
+ 
+ # Allow member managers to modify members of user groups
+ dn: cn=groups,cn=accounts,$SUFFIX
+-add:aci: (targetattr = "member")(targetfilter = "(objectclass=ipaUserGroup)")(version 3.0; acl "Allow member managers to modify members of user groups"; allow (write) userattr = "memberManager#USERDN";)
+remove:aci: (targetattr = "member")(targetfilter = "(objectclass=ipaUserGroup)")(version 3.0; acl "Allow member managers to modify members of user groups"; allow (write) userattr = "memberManager#USERDN";)
+add:aci: (targetattr = "member")(targetfilter = "(objectclass=ipaUserGroup)")(version 3.0; acl "Allow member managers to modify members of user groups"; allow (write) userattr = "memberManager#USERDN" or userattr = "memberManager#GROUPDN";)
+ 
+ # Allow member managers to modify members of host groups
+ dn: cn=hostgroups,cn=accounts,$SUFFIX
+-add:aci: (targetattr = "member")(targetfilter = "(objectclass=ipaHostGroup)")(version 3.0; acl "Allow member managers to modify members of host groups"; allow (write) userattr = "memberManager#USERDN";)
+remove:aci: (targetattr = "member")(targetfilter = "(objectclass=ipaHostGroup)")(version 3.0; acl "Allow member managers to modify members of host groups"; allow (write) userattr = "memberManager#USERDN";)
+add:aci: (targetattr = "member")(targetfilter = "(objectclass=ipaHostGroup)")(version 3.0; acl "Allow member managers to modify members of host groups"; allow (write) userattr = "memberManager#USERDN" or userattr = "memberManager#GROUPDN";)
+ 
+ # Hosts can add and delete their own services
+ dn: cn=services,cn=accounts,$SUFFIX
+-- 
+2.38.1
+
--- a/0002-Spec-file-ipa-client-depends-on-krb5-pkinit-openssl.patch
+++ b/0002-Spec-file-ipa-client-depends-on-krb5-pkinit-openssl.patch
@ -0,0 +1,42 @@
+From 2d0a0cc40fb8674f30ba62980b1953cef840009e Mon Sep 17 00:00:00 2001
+From: Florence Blanc-Renaud <flo@redhat.com>
+Date: Thu, 1 Dec 2022 13:58:58 +0100
+Subject: [PATCH] Spec file: ipa-client depends on krb5-pkinit-openssl
+
+Now that ipa-client-installs supports pkinit, the package
+depends on krb5-pkinit-openssl.
+Update the spec file, move the dependency from ipa-server
+to ipa-client subpackage.
+
+Fixes: https://pagure.io/freeipa/issue/9290
+
+Signed-off-by: Florence Blanc-Renaud <flo@redhat.com>
+Reviewed-By: Alexander Bokovoy <abokovoy@redhat.com>
+---
+ freeipa.spec.in | 3 ++-
+ 1 file changed, 2 insertions(+), 1 deletion(-)
+
+diff --git a/freeipa.spec.in b/freeipa.spec.in
+index f09741d7ad6c09e52c4bd24fcc9300584f83a49d..7dcf2e66abe40e6bde3491268b9c012f7578a8b6 100755
+--- a/freeipa.spec.in
+++ b/freeipa.spec.in
+@@ -449,7 +449,6 @@ Requires: nss-tools >= %{nss_version}
+ Requires(post): krb5-server >= %{krb5_version}
+ Requires(post): krb5-server >= %{krb5_base_version}
+ Requires: krb5-kdb-version = %{krb5_kdb_version}
+-Requires: krb5-pkinit-openssl >= %{krb5_version}
+ Requires: cyrus-sasl-gssapi%{?_isa}
+ Requires: chrony
+ Requires: httpd >= %{httpd_version}
+@@ -675,6 +674,8 @@ Requires: python3-sssdconfig >= %{sssd_version}
+ Requires: cyrus-sasl-gssapi%{?_isa}
+ Requires: chrony
+ Requires: krb5-workstation >= %{krb5_version}
+# support pkinit with client install
+Requires: krb5-pkinit-openssl >= %{krb5_version}
+ # authselect: sssd profile with-subid
+ %if 0%{?fedora} >= 36
+ Requires: authselect >= 1.4.0
+-- 
+2.38.1
+
--- a/freeipa.spec
+++ b/freeipa.spec
@ -217,7 +217,7 @@

 Name:           %{package_name}
 Version:        %{IPA_VERSION}
-Release:        1%{?rc_version:.%rc_version}%{?dist}
+Release:        2%{?rc_version:.%rc_version}%{?dist}
 Summary:        The Identity, Policy and Audit system

 License:        GPLv3+
@ -237,6 +237,8 @@ Source1:        https://releases.pagure.org/freeipa/freeipa-%{version}%{?rc_vers
 # RHEL spec file only: START
 %if %{NON_DEVELOPER_BUILD}
 %if 0%{?rhel} >= 8
+Patch0001:      0001-updates-fix-memberManager-ACI-to-allow-managers-from.patch
+Patch0002:      0002-Spec-file-ipa-client-depends-on-krb5-pkinit-openssl.patch
 Patch1001:      1001-Change-branding-to-IPA-and-Identity-Management.patch
 %endif
 %endif
@ -441,7 +443,6 @@ Requires: nss-tools >= %{nss_version}
 Requires(post): krb5-server >= %{krb5_version}
 Requires(post): krb5-server >= %{krb5_base_version}
 Requires: krb5-kdb-version = %{krb5_kdb_version}
-Requires: krb5-pkinit-openssl >= %{krb5_version}
 Requires: cyrus-sasl-gssapi%{?_isa}
 Requires: chrony
 Requires: httpd >= %{httpd_version}
@ -667,6 +668,8 @@ Requires: python3-sssdconfig >= %{sssd_version}
 Requires: cyrus-sasl-gssapi%{?_isa}
 Requires: chrony
 Requires: krb5-workstation >= %{krb5_version}
+# support pkinit with client install
+Requires: krb5-pkinit-openssl >= %{krb5_version}
 # authselect: sssd profile with-subid
 %if 0%{?fedora} >= 36
 Requires: authselect >= 1.4.0
@ -1745,6 +1748,10 @@ fi
 %endif

 %changelog
+* Fri Dec 9 2022 Florence Blanc-Renaud <flo@redhat.com> - 4.10.1-2
+- Resolves: rhbz#2148887 MemberManager with groups fails
+- Resolves: rhbz#2150335 idm:client is missing dependency on krb5-pkinit
+
 * Fri Nov 25 2022 Florence Blanc-Renaud <flo@redhat.com> - 4.10.1-1
 - Resolves: rhbz#2141315 [Rebase] Rebase ipa to latest 4.10.x release for RHEL 9.2
 - Resolves: rhbz#2094673 ipa-client-install should just use system wide CA store and do not specify TLS_CACERT in ldap.conf