diff --git a/0001-updates-fix-memberManager-ACI-to-allow-managers-from.patch b/0001-updates-fix-memberManager-ACI-to-allow-managers-from.patch
new file mode 100644
index 0000000..3c5dc68
--- /dev/null
+++ b/0001-updates-fix-memberManager-ACI-to-allow-managers-from.patch
@@ -0,0 +1,44 @@
+From 42be04fe4ff317efe599dcbc2637f94ecc6fa220 Mon Sep 17 00:00:00 2001
+From: Alexander Bokovoy
+Date: Mon, 21 Nov 2022 16:12:46 +0200
+Subject: [PATCH] updates: fix memberManager ACI to allow managers from a
+ specified group
+
+The original implementation of the member manager added support for both
+user and group managers but left out upgrade scenario. This means when
+upgrading existing installation a manager whose rights defined by the
+group membership would not be able to add group members until the ACI is
+fixed.
+
+Remove old ACI and add a full one during upgrade step.
+
+Fixes: https://pagure.io/freeipa/issue/9286
+Signed-off-by: Alexander Bokovoy
+Reviewed-By: Florence Blanc-Renaud
+---
+ install/updates/20-aci.update | 6 ++++--
+ 1 file changed, 4 insertions(+), 2 deletions(-)
+
+diff --git a/install/updates/20-aci.update b/install/updates/20-aci.update
+index a168bb9573a9fbb9ff15f0b19bb8ec75b48d82a9..4a7ba137c4711aa3f8b064fdd482ffee76c59949 100644
+--- a/install/updates/20-aci.update
++++ b/install/updates/20-aci.update
+@@ -141,11 +141,13 @@ add:aci:(targetattr = "usercertificate")(version 3.0;acl "selfservice:Users can
+ 
+ # Allow member managers to modify members of user groups
+ dn: cn=groups,cn=accounts,$SUFFIX
+-add:aci: (targetattr = "member")(targetfilter = "(objectclass=ipaUserGroup)")(version 3.0; acl "Allow member managers to modify members of user groups"; allow (write) userattr = "memberManager#USERDN";)
++remove:aci: (targetattr = "member")(targetfilter = "(objectclass=ipaUserGroup)")(version 3.0; acl "Allow member managers to modify members of user groups"; allow (write) userattr = "memberManager#USERDN";)
++add:aci: (targetattr = "member")(targetfilter = "(objectclass=ipaUserGroup)")(version 3.0; acl "Allow member managers to modify members of user groups"; allow (write) userattr = "memberManager#USERDN" or userattr = "memberManager#GROUPDN";)
+ 
+ # Allow member managers to modify members of host groups
+ dn: 
cn=hostgroups,cn=accounts,$SUFFIX
+-add:aci: (targetattr = "member")(targetfilter = "(objectclass=ipaHostGroup)")(version 3.0; acl "Allow member managers to modify members of host groups"; allow (write) userattr = "memberManager#USERDN";)
++remove:aci: (targetattr = "member")(targetfilter = "(objectclass=ipaHostGroup)")(version 3.0; acl "Allow member managers to modify members of host groups"; allow (write) userattr = "memberManager#USERDN";)
++add:aci: (targetattr = "member")(targetfilter = "(objectclass=ipaHostGroup)")(version 3.0; acl "Allow member managers to modify members of host groups"; allow (write) userattr = "memberManager#USERDN" or userattr = "memberManager#GROUPDN";)
+ 
+ # Hosts can add and delete their own services
+ dn: cn=services,cn=accounts,$SUFFIX
+-- 
+2.38.1
+
diff --git a/0002-Spec-file-ipa-client-depends-on-krb5-pkinit-openssl.patch b/0002-Spec-file-ipa-client-depends-on-krb5-pkinit-openssl.patch
new file mode 100644
index 0000000..3d6e689
--- /dev/null
+++ b/0002-Spec-file-ipa-client-depends-on-krb5-pkinit-openssl.patch
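Review bot: The `remove:aci:` lines in patch 0001's 20-aci.update hunk only take effect if the stored value matches the quoted text byte-for-byte, so an existing installation whose ACI text differs keeps the old USERDN-only ACI next to the new one; that is not an access regression, because the new `allow (write) userattr = "memberManager#USERDN" or userattr = "memberManager#GROUPDN"` is a superset of the old grant, but the update file should say why remove-then-add is used, e.g. `# upgrade: replace the USERDN-only ACI so group-based member managers also get write on member`. The GROUPDN branch grants the write to every member of a group listed in memberManager; whether 389-ds resolves nested membership for that check is not visible here and should be confirmed, since it decides how far the manager role propagates. How the updater reacts to a `remove:` that matches nothing is also outside the hunk.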
@@ -0,0 +1,42 @@
+From 2d0a0cc40fb8674f30ba62980b1953cef840009e Mon Sep 17 00:00:00 2001
+From: Florence Blanc-Renaud
+Date: Thu, 1 Dec 2022 13:58:58 +0100
+Subject: [PATCH] Spec file: ipa-client depends on krb5-pkinit-openssl
+
+Now that ipa-client-installs supports pkinit, the package
+depends on krb5-pkinit-openssl.
+Update the spec file, move the dependency from ipa-server
+to ipa-client subpackage.
+
+Fixes: https://pagure.io/freeipa/issue/9290
+
+Signed-off-by: Florence Blanc-Renaud
+Reviewed-By: Alexander Bokovoy
+---
+ freeipa.spec.in | 3 ++-
+ 1 file changed, 2 insertions(+), 1 deletion(-)
+
+diff --git a/freeipa.spec.in b/freeipa.spec.in
+index f09741d7ad6c09e52c4bd24fcc9300584f83a49d..7dcf2e66abe40e6bde3491268b9c012f7578a8b6 100755
+--- a/freeipa.spec.in
++++ b/freeipa.spec.in
+@@ -449,7 +449,6 @@ Requires: nss-tools >= %{nss_version}
+ Requires(post): krb5-server >= %{krb5_version}
+ Requires(post): krb5-server >= %{krb5_base_version}
+ Requires: krb5-kdb-version = %{krb5_kdb_version}
+-Requires: krb5-pkinit-openssl >= %{krb5_version}
+ Requires: cyrus-sasl-gssapi%{?_isa}
+ Requires: chrony
+ Requires: httpd >= %{httpd_version}
+@@ -675,6 +674,8 @@ Requires: python3-sssdconfig >= %{sssd_version}
+ Requires: cyrus-sasl-gssapi%{?_isa}
+ Requires: chrony
+ Requires: krb5-workstation >= %{krb5_version}
++# support pkinit with client install
++Requires: krb5-pkinit-openssl >= %{krb5_version}
+ # authselect: sssd profile with-subid
+ %if 0%{?fedora} >= 36
+ Requires: authselect >= 1.4.0
+-- 
+2.38.1
+
diff --git a/freeipa.spec b/freeipa.spec
index ce98001..0edc516 100644
--- a/freeipa.spec
+++ b/freeipa.spec
@@ -217,7 +217,7 @@ Name: %{package_name}
 Version: %{IPA_VERSION}
-Release: 1%{?rc_version:.%rc_version}%{?dist}
+Release: 2%{?rc_version:.%rc_version}%{?dist}
 Summary: The Identity, Policy and Audit system
 License: GPLv3+
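Review bot: Dropping `Requires: krb5-pkinit-openssl >= %{krb5_version}` from the ipa-server stanza in the `@@ -449,7 +449,6 @@` hunk of patch 0002 leaves the server-side PKINIT module reachable only through whatever pulls ipa-client in; that ipa-server requires ipa-client is not visible in this hunk and should be confirmed before the line is moved rather than duplicated. Keeping an explicit requirement on both subpackages costs nothing and keeps the KDC correct if the server-to-client dependency is ever loosened. The added comment could also name the consumer, e.g. `# ipa-client-install's PKINIT support needs the krb5 pkinit plugin`, so the line is not moved back on the next cleanup.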
@@ -237,6 +237,8 @@ Source1: https://releases.pagure.org/freeipa/freeipa-%{version}%{?rc_vers
 # RHEL spec file only: START
 %if %{NON_DEVELOPER_BUILD}
 %if 0%{?rhel} >= 8
+Patch0001: 0001-updates-fix-memberManager-ACI-to-allow-managers-from.patch
+Patch0002: 0002-Spec-file-ipa-client-depends-on-krb5-pkinit-openssl.patch
 Patch1001: 1001-Change-branding-to-IPA-and-Identity-Management.patch
 %endif
 %endif
@@ -441,7 +443,6 @@ Requires: nss-tools >= %{nss_version}
 Requires(post): krb5-server >= %{krb5_version}
 Requires(post): krb5-server >= %{krb5_base_version}
 Requires: krb5-kdb-version = %{krb5_kdb_version}
-Requires: krb5-pkinit-openssl >= %{krb5_version}
 Requires: cyrus-sasl-gssapi%{?_isa}
 Requires: chrony
 Requires: httpd >= %{httpd_version}
@@ -667,6 +668,8 @@ Requires: python3-sssdconfig >= %{sssd_version}
 Requires: cyrus-sasl-gssapi%{?_isa}
 Requires: chrony
 Requires: krb5-workstation >= %{krb5_version}
+# support pkinit with client install
+Requires: krb5-pkinit-openssl >= %{krb5_version}
 # authselect: sssd profile with-subid
 %if 0%{?fedora} >= 36
 Requires: authselect >= 1.4.0
@@ -1745,6 +1748,10 @@ fi
 %endif
 %changelog
+* Fri Dec 9 2022 Florence Blanc-Renaud - 4.10.1-2
+- Resolves: rhbz#2148887 MemberManager with groups fails
+- Resolves: rhbz#2150335 idm:client is missing dependency on krb5-pkinit
+
 * Fri Nov 25 2022 Florence Blanc-Renaud - 4.10.1-1
 - Resolves: rhbz#2141315 [Rebase] Rebase ipa to latest 4.10.x release for RHEL 9.2
 - Resolves: rhbz#2094673 ipa-client-install should just use system wide CA store and do not specify TLS_CACERT in ldap.conf
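Review bot: Patch0001 and Patch0002 in the `@@ -237,6 +237,8 @@` hunk sit inside `%if %{NON_DEVELOPER_BUILD}` and `%if 0%{?rhel} >= 8`, so a build with NON_DEVELOPER_BUILD unset still gets the krb5-pkinit-openssl move, which the `-441`/`-667` hunks apply directly to freeipa.spec, but not the memberManager ACI fix that exists only in Patch0001. If that asymmetry is intended for a block labelled RHEL-only, a one-line comment above Patch0001 such as `# upstream 4.10 backports, see %changelog` would record it; otherwise the two Patch lines belong outside the conditional. Whether the patches are applied by %autosetup or explicit %patch lines is outside this hunk.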