rpms/ipa
6
0
Fork 0
Code Issues Pull Requests Releases Activity

import OL ipa-4.12.2-24.0.1.el10_1.1

Browse Source
This commit is contained in:
eabdullin 2025-12-04 07:33:32 +00:00
parent dab2757773
commit 8a9c84b9d9
66 changed files with 6428 additions and 207 deletions
Show Stats Download Patch File Download Diff File Expand all files Collapse all files

141
.gitignore vendored
View File

@ -1,140 +1 @@
/freeipa-2.0.0GIT442d6ad.tar.gz
/freeipa-2.0.0.pre2.tar.gz
/freeipa-2.0.0.rc1.tar.gz
/freeipa-2.0.0.rc2.tar.gz
/freeipa-2.0.0.tar.gz
/freeipa-2.0.1.tar.gz
/freeipa-2.1.0.tar.gz
/freeipa-2.1.2.tar.gz
/freeipa-2.1.2-2.1.3.patch.gz
/freeipa-2.1.3-systemd.patch.gz
/freeipa-2.1.3.tar.gz
/freeipa-2.1.3-wait_for_socket.patch.gz
/freeipa-2.1.4.tar.gz
/freeipa-2.1.90.pre1.tar.gz
/freeipa-2.1.90.rc1.tar.gz
/freeipa-2.2.0.tar.gz
/freeipa-3.0.0.pre1.tar.gz
/freeipa-3.0.0.pre2.tar.gz
/freeipa-3.0.0.rc1.tar.gz
/freeipa-3.0.0.rc2.tar.gz
/freeipa-3.0.0.tar.gz
/freeipa-3.1.0.tar.gz
/freeipa-3.1.2.tar.gz
/freeipa-3.2.0.pre1.tar.gz
/freeipa-3.2.0.tar.gz
/freeipa-3.2.2.tar.gz
/freeipa-3.3.0.tar.gz
/freeipa-3.3.1.tar.gz
/freeipa-3.3.3.tar.gz
/freeipa-3.3.4.tar.gz
/freeipa-3.3.5.tar.gz
/freeipa-4.0.0.tar.gz
/freeipa-4.0.1.tar.gz
/freeipa-4.0.2.tar.gz
/freeipa-4.0.3.tar.gz
/freeipa-4.1.0.tar.gz
/freeipa-4.1.1.tar.gz
/freeipa-4.1.2.tar.gz
/freeipa-4.1.3.tar.gz
/freeipa-4.1.4.tar.gz
/freeipa-4.2.1.tar.gz
/freeipa-4.2.2.tar.gz
/freeipa-4.2.3.tar.gz
/freeipa-4.3.0.tar.gz
/freeipa-4.3.1.tar.gz
/freeipa-4.3.2.tar.gz
/freeipa-4.4.1.tar.gz
/freeipa-4.4.2.tar.gz
/freeipa-4.4.3.tar.gz
/freeipa-4.4.4.tar.gz
/freeipa-4.4.4.tar.gz.asc
/freeipa-4.5.1.tar.gz
/freeipa-4.5.1.tar.gz.asc
/freeipa-4.5.2.tar.gz
/freeipa-4.5.2.tar.gz.asc
/freeipa-4.5.3.tar.gz
/freeipa-4.5.3.tar.gz.asc
/freeipa-4.6.0.tar.gz
/freeipa-4.6.0.tar.gz.asc
/freeipa-4.6.1.tar.gz
/freeipa-4.6.1.tar.gz.asc
/freeipa-4.6.3.tar.gz
/freeipa-4.6.3.tar.gz.asc
/freeipa-4.6.90.pre1-1.fc29.src.rpm
/freeipa-4.6.90.pre1.tar.gz
/freeipa-4.6.90.pre1.tar.gz.asc
/freeipa-4.6.90.pre2.tar.gz
/freeipa-4.6.90.pre2.tar.gz.asc
/freeipa-4.7.0.tar.gz
/freeipa-4.7.0.tar.gz.asc
/freeipa-4.7.1.tar.gz
/freeipa-4.7.1.tar.gz.asc
/freeipa-4.7.2.tar.gz
/freeipa-4.7.2.tar.gz.asc
/freeipa-4.7.90.pre1.tar.gz
/freeipa-4.7.90.pre1.tar.gz.asc
/freeipa-4.8.0.tar.gz
/freeipa-4.8.0.tar.gz.asc
/freeipa-4.8.1.tar.gz
/freeipa-4.8.1.tar.gz.asc
/freeipa-4.8.2.tar.gz
/freeipa-4.8.2.tar.gz.asc
/freeipa-4.8.3.tar.gz
/freeipa-4.8.3.tar.gz.asc
/freeipa-4.8.4.tar.gz
/freeipa-4.8.4.tar.gz.asc
/freeipa-4.8.5.tar.gz
/freeipa-4.8.5.tar.gz.asc
/freeipa-4.8.6.tar.gz
/freeipa-4.8.6.tar.gz.asc
/freeipa-4.8.7.tar.gz
/freeipa-4.8.7.tar.gz.asc
/freeipa-4.8.9.tar.gz
/freeipa-4.8.9.tar.gz.asc
/freeipa-4.8.10.tar.gz
/freeipa-4.8.10.tar.gz.asc
/freeipa-4.9.0rc1.tar.gz
/freeipa-4.9.0rc1.tar.gz.asc
/freeipa-4.9.0rc2.tar.gz
/freeipa-4.9.0rc2.tar.gz.asc
/freeipa-4.9.0rc3.tar.gz
/freeipa-4.9.0rc3.tar.gz.asc
/freeipa-4.9.0.tar.gz
/freeipa-4.9.0.tar.gz.asc
/freeipa-4.9.1.tar.gz
/freeipa-4.9.1.tar.gz.asc
/freeipa-4.9.2.tar.gz
/freeipa-4.9.2.tar.gz.asc
/freeipa-4.9.3.tar.gz
/freeipa-4.9.3.tar.gz.asc
/freeipa-4.9.4.tar.gz
/freeipa-4.9.4.tar.gz.asc
/freeipa-4.9.6.tar.gz
/freeipa-4.9.6.tar.gz.asc
/freeipa-4.9.7.tar.gz
/freeipa-4.9.7.tar.gz.asc
/freeipa-4.9.8.tar.gz
/freeipa-4.9.8.tar.gz.asc
/freeipa-4.9.9.tar.gz
/freeipa-4.9.9.tar.gz.asc
/freeipa-4.9.10.tar.gz
/freeipa-4.9.10.tar.gz.asc
/freeipa-4.10.0.tar.gz
/freeipa-4.10.0.tar.gz.asc
/freeipa-4.10.1.tar.gz
/freeipa-4.10.1.tar.gz.asc
/freeipa-4.10.2.tar.gz
/freeipa-4.10.2.tar.gz.asc
/freeipa-4.11.0beta1.tar.gz
/freeipa-4.11.0beta1.tar.gz.asc
/freeipa-4.11.0.tar.gz
/freeipa-4.11.0.tar.gz.asc
/freeipa-4.11.1.tar.gz
/freeipa-4.11.1.tar.gz.asc
/freeipa-4.12.0.tar.gz
/freeipa-4.12.0.tar.gz.asc
/freeipa-4.12.1.tar.gz.asc
/freeipa-4.12.1.tar.gz
/freeipa-4.12.2.tar.gz
/freeipa-4.12.2.tar.gz.asc
freeipa-4.12.2.tar.gz

66
0070-ipa-migrate-do-not-migrate-tombstone-entries-ignore-.patch Normal file
View File

@ -0,0 +1,66 @@
From 7fd4b940abd2084fd6ec7de73dfd68551fce73fe Mon Sep 17 00:00:00 2001
From: Mark Reynolds <mreynolds@redhat.com>
Date: Wed, 29 Jan 2025 10:07:45 -0500
Subject: [PATCH] ipa-migrate - do not migrate tombstone entries, ignore
MidairCollisions, and krbpwdpolicyreference
Replication related entries should not be migrated. The main reason is
that we do not allow entries to be added that have an RDN of nsuniqueid
(only the server can internally add them).
Most midair collisions are transient issues and can be ignored for
migration purposes. In migration tests this only happens when an
attribute does not exist in the local server. This happens frequently
with COS attributes.
We should also ignore 'krbpwdpolicyreference' as it's an attribute that is
set by COS and does not need to be migrated.
Fixes: https://pagure.io/freeipa/issue/9737
Reviewed-By: Rob Crittenden <rcritten@redhat.com>
---
ipaserver/install/ipa_migrate.py | 8 ++++++++
ipaserver/install/ipa_migrate_constants.py | 1 +
2 files changed, 9 insertions(+)
diff --git a/ipaserver/install/ipa_migrate.py b/ipaserver/install/ipa_migrate.py
index ece473bc8cb525e2d563356b5b274502d6b703e8..5ba140ce37156a6f2cb50d08427f5024925686e6 100644
--- a/ipaserver/install/ipa_migrate.py
+++ b/ipaserver/install/ipa_migrate.py
@@ -1462,6 +1462,10 @@ class IPAMigrate():
if DN(exclude_dn) in DN(entry_dn):
return
+ # Skip tombstones
+ if 'nsTombstone' in entry_attrs['objectClass']:
+ return
+
# Determine entry type: user, group, hbac, etc
entry_type = self.get_entry_type(entry_dn, entry_attrs)
if entry_type is None:
@@ -1568,6 +1572,10 @@ class IPAMigrate():
stats['custom'] += 1
else:
DB_OBJECTS[entry_type]['count'] += 1
+ except errors.MidairCollision as e:
+ # Typically means no such attribute, ok to ignore
+ self.log_debug(f'Failed to update "{local_dn}" error: '
+ f'{str(e)} - ok to ignore')
except errors.ExecutionError as e:
self.log_error(f'Failed to update "{local_dn}" error: '
f'{str(e)}')
diff --git a/ipaserver/install/ipa_migrate_constants.py b/ipaserver/install/ipa_migrate_constants.py
index e8192fb1aabae1c36669370eff242428a1f0355f..09856f07cabd124a7899bc5f355a56eb23023cc0 100644
--- a/ipaserver/install/ipa_migrate_constants.py
+++ b/ipaserver/install/ipa_migrate_constants.py
@@ -71,6 +71,7 @@ IGNORE_ATTRS = [
'serverhostname',
'krbpasswordexpiration',
'krblastadminunlock',
+ 'krbpwdpolicyreference', # COS attribute
]
# For production mode, bring everything over
--
2.48.1

65
0071-Replace-fips-mode-setup.patch Normal file
View File

@ -0,0 +1,65 @@
From 460281f4508864ef25b3b9992e5922e7947a3109 Mon Sep 17 00:00:00 2001
From: David Hanina <dhanina@redhat.com>
Date: Tue, 18 Feb 2025 15:36:12 +0100
Subject: [PATCH] Replace fips-mode-setup
RHEL10 no longer support fips-setup-mode, this has been
replaced in the healthcheck tool, but also needs to be replaced here.
Fixes: https://pagure.io/freeipa/issue/9750
Signed-off-by: David Hanina <dhanina@redhat.com>
Reviewed-By: Florence Blanc-Renaud <flo@redhat.com>
Reviewed-By: Rob Crittenden <rcritten@redhat.com>
---
ipaplatform/base/paths.py | 1 -
ipatests/test_integration/test_ipahealthcheck.py | 15 ++++++---------
2 files changed, 6 insertions(+), 10 deletions(-)
diff --git a/ipaplatform/base/paths.py b/ipaplatform/base/paths.py
index b2da94992a031878fc20a98ff1023c2f5c80acca..6a62d7bd0a2f75f43f6dd62fccbaa84a1c9929c0 100644
--- a/ipaplatform/base/paths.py
+++ b/ipaplatform/base/paths.py
@@ -28,7 +28,6 @@ class BasePathNamespace:
BIN_HOSTNAMECTL = "/bin/hostnamectl"
CRYPTO_POLICY_OPENSSLCNF_FILE = None
ECHO = "/bin/echo"
- FIPS_MODE_SETUP = "/bin/fips-mode-setup"
GZIP = "/bin/gzip"
LS = "/bin/ls"
SYSTEMCTL = "/bin/systemctl"
diff --git a/ipatests/test_integration/test_ipahealthcheck.py b/ipatests/test_integration/test_ipahealthcheck.py
index 05a0adb24a3f26d70d0690462e7c0fefbf98c6e6..9f4017e35ec89d19f8d1bd354ecdd8fb21071e6a 100644
--- a/ipatests/test_integration/test_ipahealthcheck.py
+++ b/ipatests/test_integration/test_ipahealthcheck.py
@@ -377,21 +377,18 @@ class TestIpaHealthCheck(IntegrationTest):
failures_only=False)
assert returncode == 0
- cmd = self.master.run_command(
- [paths.FIPS_MODE_SETUP, "--is-enabled"], raiseonerr=False
- )
- returncode = cmd.returncode
+ is_fips_enabled = tasks.is_fips_enabled(self.master)
assert "fips" in check[0]["kw"]
if check[0]["kw"]["fips"] == "disabled":
- assert returncode == 2
+ assert not is_fips_enabled
elif check[0]["kw"]["fips"] == "enabled":
- assert returncode == 0
- elif check[0]["kw"]["fips"] == f"missing {paths.FIPS_MODE_SETUP}":
- assert returncode == 127
+ assert is_fips_enabled
else:
- assert returncode == 1
+ raise ValueError("File %s doesn't exist or contains unexpected "
+ "value, this is a kernel issue!"
+ % paths.PROC_FIPS_ENABLED)
def test_ipa_healthcheck_after_certupdate(self):
"""
--
2.48.1

39
0072-Skip-for-unpatched-freeipa-healthcheck.patch Normal file
View File

@ -0,0 +1,39 @@
From 3e8348a252114005678c1155c70bb806e9efc4f0 Mon Sep 17 00:00:00 2001
From: David Hanina <dhanina@redhat.com>
Date: Mon, 24 Feb 2025 11:32:59 +0100
Subject: [PATCH] Skip for unpatched freeipa-healthcheck
The patch is not yet live, therefore we should expect an failure.
Once the patched version goes out, the test should work properly.
Signed-off-by: David Hanina <dhanina@redhat.com>
Reviewed-By: Florence Blanc-Renaud <flo@redhat.com>
Reviewed-By: Rob Crittenden <rcritten@redhat.com>
---
ipatests/test_integration/test_ipahealthcheck.py | 10 ++++++++++
1 file changed, 10 insertions(+)
diff --git a/ipatests/test_integration/test_ipahealthcheck.py b/ipatests/test_integration/test_ipahealthcheck.py
index 9f4017e35ec89d19f8d1bd354ecdd8fb21071e6a..d72808f0f9b6dc7e438a16f9bd7e676f473fd323 100644
--- a/ipatests/test_integration/test_ipahealthcheck.py
+++ b/ipatests/test_integration/test_ipahealthcheck.py
@@ -370,6 +370,16 @@ class TestIpaHealthCheck(IntegrationTest):
https://pagure.io/freeipa/issue/8951
"""
+ healthcheck_version = tasks.get_healthcheck_version(self.master)
+ if (
+ parse_version(healthcheck_version) < parse_version("0.17")
+ and osinfo.id == 'rhel'
+ and osinfo.version_number == (10,0)
+ ):
+ # Patch: https://github.com/freeipa/freeipa-healthcheck/pull/349
+ pytest.xfail("Patch is unavailable for RHEL 10.0 and "
+ "freeipa-healtheck version 0.16 or less")
+
returncode, check = run_healthcheck(self.master,
source="ipahealthcheck.meta.core",
check="MetaCheck",
--
2.48.1

35
0073-WebUI-fix-the-tooltip-for-Search-Size-limit.patch Normal file
View File

@ -0,0 +1,35 @@
From 100737fff5a0039cd883a92400d1495dd5bf7658 Mon Sep 17 00:00:00 2001
From: Florence Blanc-Renaud <flo@redhat.com>
Date: Fri, 7 Mar 2025 09:01:35 +0100
Subject: [PATCH] WebUI: fix the tooltip for Search Size limit
The tooltip for IPA Server > Configuration > Search size limit
is using the doc from ipasearchtimelimit instead of
ipasearchrecordslimit.
Use the right tooltip to properly display:
Maximum number of records to search (-1 or 0 is unlimited)
Fixes: https://pagure.io/freeipa/issue/9758
Signed-off-by: Florence Blanc-Renaud <flo@redhat.com>
Reviewed-By: Alexander Bokovoy <abokovoy@redhat.com>
---
install/ui/src/freeipa/serverconfig.js | 2 +-
1 file changed, 1 insertion(+), 1 deletion(-)
diff --git a/install/ui/src/freeipa/serverconfig.js b/install/ui/src/freeipa/serverconfig.js
index e81e48cfb405c4ccc2591edb754fa88f5586c8e0..d7f67e885bdb2c884a5dedd615bade5fcedc863d 100644
--- a/install/ui/src/freeipa/serverconfig.js
+++ b/install/ui/src/freeipa/serverconfig.js
@@ -47,7 +47,7 @@ return {
fields: [
{
name: 'ipasearchrecordslimit',
- tooltip: '@mc-opt:config_mod:ipasearchtimelimit:doc'
+ tooltip: '@mc-opt:config_mod:ipasearchrecordslimit:doc'
},
{
name: 'ipasearchtimelimit',
--
2.48.1

56
0074-Leapp-upgrade-skip-systemctl-calls.patch Normal file
View File

@ -0,0 +1,56 @@
From 9b566fe458fb36eb5eb3212b01bc6ba48ac8349a Mon Sep 17 00:00:00 2001
From: Florence Blanc-Renaud <flo@redhat.com>
Date: Tue, 11 Mar 2025 15:55:11 +0100
Subject: [PATCH] Leapp upgrade: skip systemctl calls
During LEAPP upgrade, the system is booted in a special mode
without systemd. As a consequence, any scriptlet calling
systemctl fails and may break the upgrade.
Skip the call to systemctl if a LEAPP upgrade is in progress
(this is easily checked using the env variable $LEAPP_IPU_IN_PROGRESS
that is set for instance to LEAPP_IPU_IN_PROGRESS=8to9).
Fixes: RHEL-82089
Signed-off-by: Florence Blanc-Renaud <flo@redhat.com>
Reviewed-By: Rob Crittenden <rcritten@redhat.com>
---
freeipa.spec.in | 14 ++++++++++----
1 file changed, 10 insertions(+), 4 deletions(-)
diff --git a/freeipa.spec.in b/freeipa.spec.in
index b539f51f88a19a3686684dd0a9138add97bbd285..143ee5c83d16b59531feda011c087c0ab4c82786 100755
--- a/freeipa.spec.in
+++ b/freeipa.spec.in
@@ -1241,8 +1241,11 @@ if [ $1 = 0 ]; then
# NOTE: systemd specific section
/bin/systemctl --quiet stop ipa.service || :
/bin/systemctl --quiet disable ipa.service || :
- /bin/systemctl reload-or-try-restart dbus
- /bin/systemctl reload-or-try-restart oddjobd
+ # Skip systemctl calls when leapp upgrade is in progress
+ if [ -z "$LEAPP_IPU_IN_PROGRESS" ] ; then
+ /bin/systemctl reload-or-try-restart dbus
+ /bin/systemctl reload-or-try-restart oddjobd
+ fi
# END
fi
@@ -1306,8 +1309,11 @@ fi
%preun server-trust-ad
if [ $1 -eq 0 ]; then
%{_sbindir}/update-alternatives --remove winbind_krb5_locator.so /dev/null
- /bin/systemctl reload-or-try-restart dbus
- /bin/systemctl reload-or-try-restart oddjobd
+ # Skip systemctl calls when leapp upgrade is in progress
+ if [ -z "$LEAPP_IPU_IN_PROGRESS" ] ; then
+ /bin/systemctl reload-or-try-restart dbus
+ /bin/systemctl reload-or-try-restart oddjobd
+ fi
fi
# ONLY_CLIENT
--
2.48.1

355
0075-Disable-raw-and-structured-together.patch Normal file
View File

@ -0,0 +1,355 @@
From 653b4b6971b1778988718840a301c10b3e35e700 Mon Sep 17 00:00:00 2001
From: David Hanina <dhanina@redhat.com>
Date: Thu, 6 Mar 2025 09:32:01 +0100
Subject: [PATCH] Disable --raw and --structured together
Disables --raw and --structured for dnsrecord-* command.
This is being shown in help for structured, as raw is implemented in
almost every command, therefore people are more likely to view
structured. Also contains tests, even though this is newly noted, this
combination has never worked in the past.
Fixes: https://pagure.io/freeipa/issue/9756
Signed-off-by: David Hanina <dhanina@redhat.com>
Reviewed-By: Rob Crittenden <rcritten@redhat.com>
---
ipaclient/remote_plugins/2_114/dns.py | 15 +++++++----
ipaclient/remote_plugins/2_156/dns.py | 15 +++++++----
ipaclient/remote_plugins/2_164/dns.py | 15 +++++++----
ipaclient/remote_plugins/2_49/dns.py | 15 +++++++----
ipaserver/plugins/dns.py | 28 ++++++++++++++++++++
ipatests/test_xmlrpc/test_dns_plugin.py | 35 +++++++++++++++++++++++++
6 files changed, 103 insertions(+), 20 deletions(-)
diff --git a/ipaclient/remote_plugins/2_114/dns.py b/ipaclient/remote_plugins/2_114/dns.py
index 6260420008e3371dc95317d67d2f37a46b4d5d42..2f414927bad2f0838bec42bab734d3a42e87005f 100644
--- a/ipaclient/remote_plugins/2_114/dns.py
+++ b/ipaclient/remote_plugins/2_114/dns.py
@@ -2625,7 +2625,8 @@ class dnsrecord_add(Method):
parameters.Flag(
'structured',
label=_(u'Structured'),
- doc=_(u'Parse all raw DNS records and return them in a structured way'),
+ doc=_(u'Parse all raw DNS records and return them in a '
+ u'structured way. Can not be used with --raw.'),
default=False,
autofill=True,
),
@@ -2991,7 +2992,8 @@ class dnsrecord_del(Method):
parameters.Flag(
'structured',
label=_(u'Structured'),
- doc=_(u'Parse all raw DNS records and return them in a structured way'),
+ doc=_(u'Parse all raw DNS records and return them in a '
+ u'structured way. Can not be used with --raw.'),
default=False,
autofill=True,
),
@@ -3405,7 +3407,8 @@ class dnsrecord_find(Method):
parameters.Flag(
'structured',
label=_(u'Structured'),
- doc=_(u'Parse all raw DNS records and return them in a structured way'),
+ doc=_(u'Parse all raw DNS records and return them in a '
+ u'structured way. Can not be used with --raw.'),
default=False,
autofill=True,
),
@@ -4290,7 +4293,8 @@ class dnsrecord_mod(Method):
parameters.Flag(
'structured',
label=_(u'Structured'),
- doc=_(u'Parse all raw DNS records and return them in a structured way'),
+ doc=_(u'Parse all raw DNS records and return them in a '
+ u'structured way. Can not be used with --raw.'),
default=False,
autofill=True,
),
@@ -4363,7 +4367,8 @@ class dnsrecord_show(Method):
parameters.Flag(
'structured',
label=_(u'Structured'),
- doc=_(u'Parse all raw DNS records and return them in a structured way'),
+ doc=_(u'Parse all raw DNS records and return them in a '
+ u'structured way. Can not be used with --raw.'),
default=False,
autofill=True,
),
diff --git a/ipaclient/remote_plugins/2_156/dns.py b/ipaclient/remote_plugins/2_156/dns.py
index 4ebad93e79d38c1171b066cc5a1a0b8d6fce64b2..9ce8a7eef99eff7592f8550d0000506cc2d7824c 100644
--- a/ipaclient/remote_plugins/2_156/dns.py
+++ b/ipaclient/remote_plugins/2_156/dns.py
@@ -2540,7 +2540,8 @@ class dnsrecord_add(Method):
parameters.Flag(
'structured',
label=_(u'Structured'),
- doc=_(u'Parse all raw DNS records and return them in a structured way'),
+ doc=_(u'Parse all raw DNS records and return them in a '
+ u'structured way. Can not be used with --raw.'),
default=False,
autofill=True,
),
@@ -2861,7 +2862,8 @@ class dnsrecord_del(Method):
parameters.Flag(
'structured',
label=_(u'Structured'),
- doc=_(u'Parse all raw DNS records and return them in a structured way'),
+ doc=_(u'Parse all raw DNS records and return them in a '
+ u'structured way. Can not be used with --raw.'),
default=False,
autofill=True,
),
@@ -3230,7 +3232,8 @@ class dnsrecord_find(Method):
parameters.Flag(
'structured',
label=_(u'Structured'),
- doc=_(u'Parse all raw DNS records and return them in a structured way'),
+ doc=_(u'Parse all raw DNS records and return them in a '
+ u'structured way. Can not be used with --raw.'),
default=False,
autofill=True,
),
@@ -4065,7 +4068,8 @@ class dnsrecord_mod(Method):
parameters.Flag(
'structured',
label=_(u'Structured'),
- doc=_(u'Parse all raw DNS records and return them in a structured way'),
+ doc=_(u'Parse all raw DNS records and return them in a '
+ u'structured way. Can not be used with --raw.'),
default=False,
autofill=True,
),
@@ -4138,7 +4142,8 @@ class dnsrecord_show(Method):
parameters.Flag(
'structured',
label=_(u'Structured'),
- doc=_(u'Parse all raw DNS records and return them in a structured way'),
+ doc=_(u'Parse all raw DNS records and return them in a '
+ u'structured way. Can not be used with --raw.'),
default=False,
autofill=True,
),
diff --git a/ipaclient/remote_plugins/2_164/dns.py b/ipaclient/remote_plugins/2_164/dns.py
index f5adb4d54e8501b6b4efed06404ff299aa918cfb..284ef2cdaa757341db4eed044be3bb051db83d99 100644
--- a/ipaclient/remote_plugins/2_164/dns.py
+++ b/ipaclient/remote_plugins/2_164/dns.py
@@ -2548,7 +2548,8 @@ class dnsrecord_add(Method):
parameters.Flag(
'structured',
label=_(u'Structured'),
- doc=_(u'Parse all raw DNS records and return them in a structured way'),
+ doc=_(u'Parse all raw DNS records and return them in a '
+ u'structured way. Can not be used with --raw.'),
default=False,
autofill=True,
),
@@ -2869,7 +2870,8 @@ class dnsrecord_del(Method):
parameters.Flag(
'structured',
label=_(u'Structured'),
- doc=_(u'Parse all raw DNS records and return them in a structured way'),
+ doc=_(u'Parse all raw DNS records and return them in a '
+ u'structured way. Can not be used with --raw.'),
default=False,
autofill=True,
),
@@ -3238,7 +3240,8 @@ class dnsrecord_find(Method):
parameters.Flag(
'structured',
label=_(u'Structured'),
- doc=_(u'Parse all raw DNS records and return them in a structured way'),
+ doc=_(u'Parse all raw DNS records and return them in a '
+ u'structured way. Can not be used with --raw.'),
default=False,
autofill=True,
),
@@ -4073,7 +4076,8 @@ class dnsrecord_mod(Method):
parameters.Flag(
'structured',
label=_(u'Structured'),
- doc=_(u'Parse all raw DNS records and return them in a structured way'),
+ doc=_(u'Parse all raw DNS records and return them in a '
+ u'structured way. Can not be used with --raw.'),
default=False,
autofill=True,
),
@@ -4146,7 +4150,8 @@ class dnsrecord_show(Method):
parameters.Flag(
'structured',
label=_(u'Structured'),
- doc=_(u'Parse all raw DNS records and return them in a structured way'),
+ doc=_(u'Parse all raw DNS records and return them in a '
+ u'structured way. Can not be used with --raw.'),
default=False,
autofill=True,
),
diff --git a/ipaclient/remote_plugins/2_49/dns.py b/ipaclient/remote_plugins/2_49/dns.py
index 4b543a2c2539f7b67467b0a38ab8013a1ebe0840..1610f4af18ee46bc7304839ede2d587d61c6d0e2 100644
--- a/ipaclient/remote_plugins/2_49/dns.py
+++ b/ipaclient/remote_plugins/2_49/dns.py
@@ -2233,7 +2233,8 @@ class dnsrecord_add(Method):
parameters.Flag(
'structured',
label=_(u'Structured'),
- doc=_(u'Parse all raw DNS records and return them in a structured way'),
+ doc=_(u'Parse all raw DNS records and return them in a '
+ u'structured way. Can not be used with --raw.'),
default=False,
autofill=True,
),
@@ -2594,7 +2595,8 @@ class dnsrecord_del(Method):
parameters.Flag(
'structured',
label=_(u'Structured'),
- doc=_(u'Parse all raw DNS records and return them in a structured way'),
+ doc=_(u'Parse all raw DNS records and return them in a '
+ u'structured way. Can not be used with --raw.'),
default=False,
autofill=True,
),
@@ -3013,7 +3015,8 @@ class dnsrecord_find(Method):
parameters.Flag(
'structured',
label=_(u'Structured'),
- doc=_(u'Parse all raw DNS records and return them in a structured way'),
+ doc=_(u'Parse all raw DNS records and return them in a '
+ u'structured way. Can not be used with --raw.'),
default=False,
autofill=True,
),
@@ -4025,7 +4028,8 @@ class dnsrecord_mod(Method):
parameters.Flag(
'structured',
label=_(u'Structured'),
- doc=_(u'Parse all raw DNS records and return them in a structured way'),
+ doc=_(u'Parse all raw DNS records and return them in a '
+ u'structured way. Can not be used with --raw.'),
default=False,
autofill=True,
),
@@ -4094,7 +4098,8 @@ class dnsrecord_show(Method):
parameters.Flag(
'structured',
label=_(u'Structured'),
- doc=_(u'Parse all raw DNS records and return them in a structured way'),
+ doc=_(u'Parse all raw DNS records and return them in a '
+ u'structured way. Can not be used with --raw.'),
default=False,
autofill=True,
),
diff --git a/ipaserver/plugins/dns.py b/ipaserver/plugins/dns.py
index 0d6260cd6c4edb8c1a9d7ac8927b7595588fae58..ff2d3ff8a7c2839645c9906300cba0d399f2325a 100644
--- a/ipaserver/plugins/dns.py
+++ b/ipaserver/plugins/dns.py
@@ -3587,6 +3587,12 @@ class dnsrecord_add(LDAPCreate):
def pre_callback(self, ldap, dn, entry_attrs, attrs_list, *keys, **options):
assert isinstance(dn, DN)
+
+ if options.get('structured') and options.get('raw'):
+ raise errors.MutuallyExclusiveError(
+ reason=_("cannot use structured together with raw")
+ )
+
precallback_attrs = []
processed_attrs = []
for option, option_val in options.items():
@@ -3729,6 +3735,12 @@ class dnsrecord_mod(LDAPUpdate):
def pre_callback(self, ldap, dn, entry_attrs, attrs_list, *keys, **options):
assert isinstance(dn, DN)
+
+ if options.get('structured') and options.get('raw'):
+ raise errors.MutuallyExclusiveError(
+ reason=_("cannot use structured together with raw")
+ )
+
if options.get('rename') and self.obj.is_pkey_zone_record(*keys):
# zone rename is not allowed
raise errors.ValidationError(name='rename',
@@ -3883,6 +3895,7 @@ class dnsrecord_del(LDAPUpdate):
def pre_callback(self, ldap, dn, entry_attrs, attrs_list, *keys, **options):
assert isinstance(dn, DN)
+
try:
old_entry = ldap.get_entry(dn, _record_attributes)
except errors.NotFound:
@@ -3983,6 +3996,16 @@ class dnsrecord_show(LDAPRetrieve):
dnsrecord.structured_flag,
)
+ def pre_callback(self, ldap, dn, attrs_list, *keys, **options):
+ assert isinstance(dn, DN)
+
+ if options.get('structured') and options.get('raw'):
+ raise errors.MutuallyExclusiveError(
+ reason=_("cannot use structured together with raw")
+ )
+
+ return dn
+
def post_callback(self, ldap, dn, entry_attrs, *keys, **options):
assert isinstance(dn, DN)
if self.obj.is_pkey_zone_record(*keys):
@@ -4013,6 +4036,11 @@ class dnsrecord_find(LDAPSearch):
dnszoneidnsname, *args, **options):
assert isinstance(base_dn, DN)
+ if options.get('structured') and options.get('raw'):
+ raise errors.MutuallyExclusiveError(
+ reason=_("cannot use structured together with raw")
+ )
+
# validate if zone is master zone
self.obj.check_zone(dnszoneidnsname, **options)
diff --git a/ipatests/test_xmlrpc/test_dns_plugin.py b/ipatests/test_xmlrpc/test_dns_plugin.py
index 39d42e306d12c4f6623a1ed657aeac3d3bfa3e22..803b0a9571c2888dd02c4595c68403f37be7fed7 100644
--- a/ipatests/test_xmlrpc/test_dns_plugin.py
+++ b/ipatests/test_xmlrpc/test_dns_plugin.py
@@ -3426,6 +3426,41 @@ class test_dns(Declarative):
},
),
+ dict(
+ desc="Ensure --raw and --structure does not work "
+ "for ipa dnsrecord-add",
+ command=('dnrecord_add', [], {u'raw': True, u'structured': True}),
+ expected=errors.MutuallyExclusiveError(
+ reason=u"cannot use structured together with raw"
+ ),
+ ),
+
+ dict(
+ desc="Ensure --raw and --structure does not work "
+ "for ipa dnsrecord-mod",
+ command=('dnrecord_add', [], {u'raw': True, u'structured': True}),
+ expected=errors.MutuallyExclusiveError(
+ reason=u"cannot use structured together with raw"
+ ),
+ ),
+
+ dict(
+ desc="Ensure --raw and --structure does not work "
+ "for ipa dnsrecord-show",
+ command=('dnrecord_add', [], {u'raw': True, u'structured': True}),
+ expected=errors.MutuallyExclusiveError(
+ reason=u"cannot use structured together with raw"
+ ),
+ ),
+
+ dict(
+ desc="Ensure --raw and --structure does not work "
+ "for ipa dnsrecord-find",
+ command=('dnrecord_add', [], {u'raw': True, u'structured': True}),
+ expected=errors.MutuallyExclusiveError(
+ reason=u"cannot use structured together with raw"
+ ),
+ ),
]
--
2.48.1

435
0076-config-mod-allow-disabling-subordinate-ID-integratio.patch Normal file
View File

@ -0,0 +1,435 @@
From f906e3625491e9b6fc67fdd5ac6b429531658be1 Mon Sep 17 00:00:00 2001
From: Alexander Bokovoy <abokovoy@redhat.com>
Date: Fri, 28 Feb 2025 14:57:25 +0200
Subject: [PATCH] config-mod: allow disabling subordinate ID integration
When full 32-bit ID range usage is required, subordinate ID support have
to be disabled. However, even if ID range for subordinate IDs were to be
removed, it will be restored during the next data upgrade.
Change upgrade code to only apply subID range creation when subID
support is enabled.
Do not allow allocating subIDs if their use is disabled.
Allow full 32-bit uidNumber/gidNumber values in JSON payload.
Fixes: https://pagure.io/freeipa/issue/9757
Signed-off-by: Alexander Bokovoy <abokovoy@redhat.com>
Reviewed-By: Rob Crittenden <rcritten@redhat.com>
Reviewed-By: Florence Blanc-Renaud <flo@redhat.com>
---
API.txt | 2 +-
doc/api/config_mod.md | 2 +-
doc/designs/subordinate-ids.md | 22 +++++++++
install/share/Makefile.am | 1 +
install/share/subid-generators.uldif | 38 ++++++++++++++++
install/updates/73-subid.update | 37 ---------------
.../updates/90-post_upgrade_plugins.update | 1 +
ipalib/messages.py | 13 ++++++
ipaplatform/base/paths.py | 1 +
ipaserver/install/ipa_subids.py | 5 +++
.../install/plugins/update_subid_support.py | 45 +++++++++++++++++++
ipaserver/plugins/config.py | 34 +++++++++++++-
ipaserver/plugins/subid.py | 11 +++++
ipaserver/plugins/user.py | 4 +-
14 files changed, 174 insertions(+), 42 deletions(-)
create mode 100644 install/share/subid-generators.uldif
create mode 100644 ipaserver/install/plugins/update_subid_support.py
diff --git a/API.txt b/API.txt
index 61e8e463ab5c66b1609f8cc61f93ae2ded959bba..f19e3bf344cf6f23680c268c5081570ac629f851 100644
--- a/API.txt
+++ b/API.txt
@@ -1083,7 +1083,7 @@ option: Flag('all', autofill=True, cli_name='all', default=False)
option: Str('ca_renewal_master_server?', autofill=False)
option: Str('delattr*', cli_name='delattr')
option: Flag('enable_sid?', autofill=True, default=False)
-option: StrEnum('ipaconfigstring*', autofill=False, cli_name='ipaconfigstring', values=[u'AllowNThash', u'KDC:Disable Last Success', u'KDC:Disable Lockout', u'KDC:Disable Default Preauth for SPNs', u'EnforceLDAPOTP'])
+option: StrEnum('ipaconfigstring*', autofill=False, cli_name='ipaconfigstring', values=[u'AllowNThash', u'KDC:Disable Last Success', u'KDC:Disable Lockout', u'KDC:Disable Default Preauth for SPNs', u'EnforceLDAPOTP', u'SubID:Disable'])
option: Str('ipadefaultemaildomain?', autofill=False, cli_name='emaildomain')
option: Str('ipadefaultloginshell?', autofill=False, cli_name='defaultshell')
option: Str('ipadefaultprimarygroup?', autofill=False, cli_name='defaultgroup')
diff --git a/doc/api/config_mod.md b/doc/api/config_mod.md
index b3203c350605af5a386544c858a9a5f7f724342f..e18dd55c75993016afbcd8a15d33f13a38ef96b3 100644
--- a/doc/api/config_mod.md
+++ b/doc/api/config_mod.md
@@ -27,7 +27,7 @@ No arguments.
* ipauserobjectclasses : :ref:`Str<Str>`
* ipapwdexpadvnotify : :ref:`Int<Int>`
* ipaconfigstring : :ref:`StrEnum<StrEnum>`
- * Values: ('AllowNThash', 'KDC:Disable Last Success', 'KDC:Disable Lockout', 'KDC:Disable Default Preauth for SPNs', 'EnforceLDAPOTP')
+ * Values: ('AllowNThash', 'KDC:Disable Last Success', 'KDC:Disable Lockout', 'KDC:Disable Default Preauth for SPNs', 'EnforceLDAPOTP', 'SubID:Disable')
* ipaselinuxusermaporder : :ref:`Str<Str>`
* ipaselinuxusermapdefault : :ref:`Str<Str>`
* ipakrbauthzdata : :ref:`StrEnum<StrEnum>`
diff --git a/doc/designs/subordinate-ids.md b/doc/designs/subordinate-ids.md
index b280df1a9eb2fc8e0ff53271b19a2d5b13399506..dac1c3292fecdebcc7f49118ea0b23d8c5aeff37 100644
--- a/doc/designs/subordinate-ids.md
+++ b/doc/designs/subordinate-ids.md
@@ -64,6 +64,18 @@ and don't auto-map or auto-assign subordinate ids by default. Instead
we give the admin several options to assign them manually, semi-manual,
or automatically.
+For deployments where there is a need to consume IDs above 2^31 for normal UID
+and GID assignments, one has to disable subordinate ID feature. This should be
+done with `ipa config-mod --addattr ipaconfigstring=SubID:Disable` command.
+After it is done, subordinate ID range can be removed with `ipa idrange-del`
+command and on the IPA server one have to run `ipa-server-upgrade` command to
+make sure internal DNA plugin configuration is removed as well.
+Finally, a new local ID range can be added to cover required part of the
+2^31..2^32-1 space. The range must have RID bases to make sure FreeIPA will
+generate SIDs properly to users and groups created with IDs from this range.
+
+**NOTE**: Disabling subordinate ID feature can only be done if no subordinate
+IDs were already allocated.
### Revision 1 limitation
@@ -340,6 +352,16 @@ subordinate id entries for new users:
$ ipa config-mod --user-default-subid=true
```
+Subordinate ID feature can be disabled completely. This is done with `ipa
+config-mod --addattr ipaconfigstring=SubID:Disable` command. After it is done,
+subordinate ID range can be removed with `ipa idrange-del` command and on the
+IPA server one have to run `ipa-server-upgrade` command to make sure internal
+DNA plugin configuration is removed as well. Finally, a new local ID range can
+be added to cover the required part of the full 32-bit ID space.
+
+**NOTE**: Disabling subordinate ID feature can only be done if no subordinate
+IDs were already allocated.
+
Subordinate ids are managed by a new plugin class. The ``subid-add``
and ``subid-del`` commands are hidden from command line. New subordinate
ids are generated and auto-assigned with ``subid-generate``.
diff --git a/install/share/Makefile.am b/install/share/Makefile.am
index 4029297b76cc2f30dc9eab606e5670667978dd27..d8d270ca9f4b13ed01e65c6460a3a6b0dbbc5ebe 100644
--- a/install/share/Makefile.am
+++ b/install/share/Makefile.am
@@ -90,6 +90,7 @@ dist_app_DATA = \
vault.ldif \
kdcproxy-enable.uldif \
kdcproxy-disable.uldif \
+ subid-generators.uldif \
ipa-httpd.conf.template \
ipa-httpd-wsgi.conf.template \
gssapi.login \
diff --git a/install/share/subid-generators.uldif b/install/share/subid-generators.uldif
new file mode 100644
index 0000000000000000000000000000000000000000..118077382b860c655aa63907ab3db090110349d6
--- /dev/null
+++ b/install/share/subid-generators.uldif
@@ -0,0 +1,38 @@
+# DNA plugin and idrange configuration
+dn: cn=subordinate-ids,cn=dna,cn=ipa,cn=etc,$SUFFIX
+default: objectClass: nsContainer
+default: objectClass: top
+default: cn: subordinate-ids
+
+dn: cn=Subordinate IDs,cn=Distributed Numeric Assignment Plugin,cn=plugins,cn=config
+default: objectclass: top
+default: objectclass: extensibleObject
+default: cn: Subordinate IDs
+default: dnaType: ipasubuidnumber
+default: dnaType: ipasubgidnumber
+default: dnaNextValue: eval($SUBID_RANGE_START)
+default: dnaMaxValue: eval($SUBID_RANGE_MAX)
+default: dnaMagicRegen: -1
+default: dnaFilter: (objectClass=ipaSubordinateId)
+default: dnaScope: $SUFFIX
+default: dnaThreshold: eval($SUBID_DNA_THRESHOLD)
+default: dnaSharedCfgDN: cn=subordinate-ids,cn=dna,cn=ipa,cn=etc,$SUFFIX
+default: dnaExcludeScope: cn=provisioning,$SUFFIX
+default: dnaInterval: eval($SUBID_COUNT)
+add: aci: (targetattr = "dnaNextRange || dnaNextValue || dnaMaxValue")(version 3.0;acl "permission:Modify DNA Range";allow (write) groupdn = "ldap:///cn=Modify DNA Range,cn=permissions,cn=pbac,$SUFFIX";)
+add: aci: (targetattr = "cn || dnaMaxValue || dnaNextRange || dnaNextValue || dnaThreshold || dnaType || objectclass")(version 3.0;acl "permission:Read DNA Range";allow (read, search, compare) groupdn = "ldap:///cn=Read DNA Range,cn=permissions,cn=pbac,$SUFFIX";)
+
+dn: cn=${REALM}_subid_range,cn=ranges,cn=etc,$SUFFIX
+default: objectClass: top
+default: objectClass: ipaIDrange
+default: objectClass: ipaTrustedADDomainRange
+default: cn: ${REALM}_subid_range
+default: ipaBaseID: $SUBID_RANGE_START
+default: ipaIDRangeSize: $SUBID_RANGE_SIZE
+# HACK: RIDs to work around adtrust sidgen issue
+default: ipaBaseRID: eval($SUBID_BASE_RID)
+default: ipaNTTrustedDomainSID: S-1-5-21-738065-838566-$DOMAIN_HASH
+# HACK: "ipa-local-subid" range type causes issues with older SSSD clients
+# see https://github.com/SSSD/sssd/issues/5571
+default: ipaRangeType: ipa-ad-trust
+
diff --git a/install/updates/73-subid.update b/install/updates/73-subid.update
index 3c030b41e6d01ed48a0e5cc5c0ed7e536c9d3412..18bca60bcd85b32350a456f71ef9d97ef35b9584 100644
--- a/install/updates/73-subid.update
+++ b/install/updates/73-subid.update
@@ -67,40 +67,3 @@ dn: cn=subids,cn=accounts,$SUFFIX
add: aci: (targetfilter = "(objectclass=ipasubordinateidentry)")(targetattr="description || ipaowner || ipauniqueid")(targattrfilters = "add=objectClass:(|(objectClass=top)(objectClass=ipasubordinateid)(objectClass=ipasubordinateidentry)(objectClass=ipasubordinategid)(objectClass=ipasubordinateuid)) && ipasubuidnumber:(ipasubuidnumber=-1) && ipasubuidcount:(ipasubuidcount=eval($SUBID_COUNT)) && ipasubgidnumber:(ipasubgidnumber=-1) && ipasubgidcount:(ipasubgidcount=eval($SUBID_COUNT)), del=ipasubuidnumber:(!(ipasubuidnumber=*)) && ipasubuidcount:(!(ipasubuidcount=*)) && ipasubgidnumber:(!(ipasubgidnumber=*)) && ipasubgidcount:(!(ipasubgidcount=*))")(version 3.0;acl "selfservice: Add subordinate id";allow (add, write) userattr = "ipaowner#SELFDN" and groupdn="ldap:///cn=Self-service subordinate ID,cn=permissions,cn=pbac,$SUFFIX";)
add: aci: (targetfilter = "(objectclass=ipasubordinateidentry)")(targetattr="description || ipaowner || ipauniqueid")(targattrfilters = "add=objectClass:(|(objectClass=top)(objectClass=ipasubordinateid)(objectClass=ipasubordinateidentry)(objectClass=ipasubordinategid)(objectClass=ipasubordinateuid)) && ipasubuidnumber:(|(ipasubuidnumber>=1)(ipasubuidnumber=-1)) && ipasubuidcount:(ipasubuidcount=eval($SUBID_COUNT)) && ipasubgidnumber:(|(ipasubgidnumber>=1)(ipasubgidnumber=-1)) && ipasubgidcount:(ipasubgidcount=eval($SUBID_COUNT)), del=ipasubuidnumber:(!(ipasubuidnumber=*)) && ipasubuidcount:(!(ipasubuidcount=*)) && ipasubgidnumber:(!(ipasubgidnumber=*)) && ipasubgidcount:(!(ipasubgidcount=*))")(version 3.0;acl "Add subordinate ids to any user";allow (add, write) groupdn="ldap:///cn=Subordinate ID Administrators,cn=privileges,cn=pbac,$SUFFIX";)
-# DNA plugin and idrange configuration
-dn: cn=subordinate-ids,cn=dna,cn=ipa,cn=etc,$SUFFIX
-default: objectClass: nsContainer
-default: objectClass: top
-default: cn: subordinate-ids
-
-dn: cn=Subordinate IDs,cn=Distributed Numeric Assignment Plugin,cn=plugins,cn=config
-default: objectclass: top
-default: objectclass: extensibleObject
-default: cn: Subordinate IDs
-default: dnaType: ipasubuidnumber
-default: dnaType: ipasubgidnumber
-default: dnaNextValue: eval($SUBID_RANGE_START)
-default: dnaMaxValue: eval($SUBID_RANGE_MAX)
-default: dnaMagicRegen: -1
-default: dnaFilter: (objectClass=ipaSubordinateId)
-default: dnaScope: $SUFFIX
-default: dnaThreshold: eval($SUBID_DNA_THRESHOLD)
-default: dnaSharedCfgDN: cn=subordinate-ids,cn=dna,cn=ipa,cn=etc,$SUFFIX
-default: dnaExcludeScope: cn=provisioning,$SUFFIX
-default: dnaInterval: eval($SUBID_COUNT)
-add: aci: (targetattr = "dnaNextRange || dnaNextValue || dnaMaxValue")(version 3.0;acl "permission:Modify DNA Range";allow (write) groupdn = "ldap:///cn=Modify DNA Range,cn=permissions,cn=pbac,$SUFFIX";)
-add: aci: (targetattr = "cn || dnaMaxValue || dnaNextRange || dnaNextValue || dnaThreshold || dnaType || objectclass")(version 3.0;acl "permission:Read DNA Range";allow (read, search, compare) groupdn = "ldap:///cn=Read DNA Range,cn=permissions,cn=pbac,$SUFFIX";)
-
-dn: cn=${REALM}_subid_range,cn=ranges,cn=etc,$SUFFIX
-default: objectClass: top
-default: objectClass: ipaIDrange
-default: objectClass: ipaTrustedADDomainRange
-default: cn: ${REALM}_subid_range
-default: ipaBaseID: $SUBID_RANGE_START
-default: ipaIDRangeSize: $SUBID_RANGE_SIZE
-# HACK: RIDs to work around adtrust sidgen issue
-default: ipaBaseRID: eval($SUBID_BASE_RID)
-default: ipaNTTrustedDomainSID: S-1-5-21-738065-838566-$DOMAIN_HASH
-# HACK: "ipa-local-subid" range type causes issues with older SSSD clients
-# see https://github.com/SSSD/sssd/issues/5571
-default: ipaRangeType: ipa-ad-trust
diff --git a/install/updates/90-post_upgrade_plugins.update b/install/updates/90-post_upgrade_plugins.update
index 9a9d80a9245654691ef96bb048dfbe950a4a7c6f..7c3bba3e0317162d4739513e16b9fac973495c66 100644
--- a/install/updates/90-post_upgrade_plugins.update
+++ b/install/updates/90-post_upgrade_plugins.update
@@ -34,6 +34,7 @@ plugin: update_dnsforward_emptyzones
plugin: update_managed_post
plugin: update_managed_permissions
plugin: update_read_replication_agreements_permission
+plugin: update_subid_support
plugin: update_idrange_baserid
plugin: update_passync_privilege_update
plugin: update_dnsserver_configuration_into_ldap
diff --git a/ipalib/messages.py b/ipalib/messages.py
index 732de7cb92bb530a734a68440478dfda09062db8..6a70bbc7556126748cc2ec031fc2af36bfe76f74 100644
--- a/ipalib/messages.py
+++ b/ipalib/messages.py
@@ -506,6 +506,19 @@ class MissingTargetAttributesinPermission(PublicMessage):
"are set.")
+class ServerUpgradeRequired(PublicMessage):
+ """
+ **13033** Server upgrade required
+ """
+ errno = 13033
+ type = "warning"
+ format = _(
+ "Change of the state of '%(feature)s' feature requires to run "
+ "'ipa-server-upgrade' command on IPA server %(server)s "
+ "to apply configuration changes."
+ )
+
+
def iter_messages(variables, base):
"""Return a tuple with all subclasses
"""
diff --git a/ipaplatform/base/paths.py b/ipaplatform/base/paths.py
index f794aae6d7b19a60ba40282f83a41052584517cb..a5bca789bdb8d07b51779e28adf64c9b68892328 100644
--- a/ipaplatform/base/paths.py
+++ b/ipaplatform/base/paths.py
@@ -302,6 +302,7 @@ class BasePathNamespace:
HTML_KRBREALM_CON = "/usr/share/ipa/html/krbrealm.con"
SCHEMA_COMPAT_ULDIF = "/usr/share/ipa/updates/91-schema_compat.update"
SCHEMA_COMPAT_POST_ULDIF = "/usr/share/ipa/schema_compat_post.uldif"
+ SUBID_GENERATORS_ULDIF = "/usr/share/ipa/subid-generators.uldif"
IPA_JS_PLUGINS_DIR = "/usr/share/ipa/ui/js/plugins"
UPDATES_DIR = "/usr/share/ipa/updates/"
DICT_WORDS = "/usr/share/dict/words"
diff --git a/ipaserver/install/ipa_subids.py b/ipaserver/install/ipa_subids.py
index 1537047c33431b59d776f9bfa6325d52561e1ac6..8c542e4eae4b6e378a99ed748cd3a2b311dc0ce8 100644
--- a/ipaserver/install/ipa_subids.py
+++ b/ipaserver/install/ipa_subids.py
@@ -116,6 +116,11 @@ class IPASubids(AdminTool):
api.finalize()
api.Backend.ldap2.connect()
self.ldap2 = api.Backend.ldap2
+
+ if api.Object.config.is_config_option_present('SubID:Disable'):
+ print("Support for subordinate IDs is disabled.")
+ return 2
+
subid_generate = api.Command.subid_generate
dry_run = self.safe_options.dry_run
diff --git a/ipaserver/install/plugins/update_subid_support.py b/ipaserver/install/plugins/update_subid_support.py
new file mode 100644
index 0000000000000000000000000000000000000000..54852d2034012bcac9d12b6e81a3025ac3fe7caf
--- /dev/null
+++ b/ipaserver/install/plugins/update_subid_support.py
@@ -0,0 +1,45 @@
+#
+# Copyright (C) 2025 FreeIPA Contributors see COPYING for license
+#
+import logging
+from ipalib import Registry, Updater, errors
+from ipaserver.install import ldapupdate
+from ipaplatform.paths import paths
+from ipapython.dn import DN
+
+logger = logging.getLogger(__name__)
+
+register = Registry()
+
+
+@register()
+class update_subid_support(Updater):
+ """
+ Conditionally add SubID ranges when subID support is enabled
+ """
+
+ dna_plugin_dn = DN(
+ ('cn', 'Distributed Numeric Assignment Plugin'),
+ ('cn', 'plugins'),
+ ('cn', 'config')
+ )
+
+ def execute(self, **options):
+ subid_disabled = self.api.Object.config.is_config_option_present(
+ 'SubID:Disable')
+ if not subid_disabled:
+ ld = ldapupdate.LDAPUpdate(api=self.api)
+ ld.update([paths.SUBID_GENERATORS_ULDIF])
+ else:
+ # make sure to remove DNA configuration
+ conn = self.api.Backend.ldap2
+ try:
+ subid_dna_config = DN(
+ ('cn', 'Subordinate IDs'), self.dna_plugin_dn
+ )
+ entry = conn.get_entry(subid_dna_config)
+ conn.delete_entry(entry)
+ except errors.NotFound:
+ pass
+
+ return False, []
diff --git a/ipaserver/plugins/config.py b/ipaserver/plugins/config.py
index adf21ea0c59f70714298af74d7e92f7200f75085..c509c2c13adfb4950741f63ffcbc9f3f806c0c3b 100644
--- a/ipaserver/plugins/config.py
+++ b/ipaserver/plugins/config.py
@@ -33,7 +33,7 @@ from .baseldap import (
LDAPUpdate,
LDAPRetrieve)
from .selinuxusermap import validate_selinuxuser
-from ipalib import _
+from ipalib import _, messages
from ipapython.admintool import ScriptError
from ipapython.dn import DN
from ipaserver.plugins.privilege import principal_has_privilege
@@ -261,7 +261,7 @@ class config(LDAPObject):
values=(u'AllowNThash',
u'KDC:Disable Last Success', u'KDC:Disable Lockout',
u'KDC:Disable Default Preauth for SPNs',
- u'EnforceLDAPOTP'),
+ u'EnforceLDAPOTP', u'SubID:Disable'),
),
Str('ipaselinuxusermaporder',
label=_('SELinux user map order'),
@@ -521,6 +521,12 @@ class config(LDAPObject):
for domain in submitted_domains:
self._validate_single_domain(attr_name, domain, known_domains)
+ def is_config_option_present(self, option):
+ dn = DN(('cn', 'ipaconfig'), ('cn', 'etc'), self.api.env.basedn)
+ configentry = self.api.Backend.ldap2.get_entry(dn, ['ipaconfigstring'])
+ configstring = configentry['ipaconfigstring']
+ return (option.lower() in map(str.lower, configstring))
+
@register()
class config_mod(LDAPUpdate):
@@ -695,6 +701,30 @@ class config_mod(LDAPUpdate):
raise errors.ValidationError(name=failedattr,
error=_('SELinux user map default user not in order list'))
+ if 'ipaconfigstring' in entry_attrs:
+ configstring = entry_attrs['ipaconfigstring']
+ if 'SubID:Disable'.lower() in map(str.lower, configstring):
+ # Check if SubIDs already allocated
+ try:
+ result = self.api.Command.subid_stats()
+ stats = result['result']
+ except errors.PublicError:
+ stats = {'assigned_subids': 0}
+ if stats["assigned_subids"] > 0:
+ error_message = _("Subordinate ID feature can not be "
+ "disabled when there are subIDs "
+ "already in use.")
+ raise errors.ValidationError(name='configuration state',
+ error=error_message)
+ # SubID:Disable enforces disabling default subid generation
+ entry_attrs['ipauserdefaultsubordinateid'] = False
+ self.add_message(
+ messages.ServerUpgradeRequired(
+ feature='Subordinate ID',
+ server=_('<all IPA servers>')
+ )
+ )
+
if 'ca_renewal_master_server' in options:
new_master = options['ca_renewal_master_server']
diff --git a/ipaserver/plugins/subid.py b/ipaserver/plugins/subid.py
index 132c85c7f198217ba70f2332306ee2550be86035..2be2cdeff920ff79eb7df6e3cf635df96d7f3348 100644
--- a/ipaserver/plugins/subid.py
+++ b/ipaserver/plugins/subid.py
@@ -265,6 +265,12 @@ class subid(LDAPObject):
def handle_subordinate_ids(self, ldap, dn, entry_attrs):
"""Handle ipaSubordinateId object class"""
+
+ if self.api.Object.config.is_config_option_present('SubID:Disable'):
+ raise errors.ValidationError(
+ name="configuration state",
+ error=_("Support for subordinate IDs is disabled"))
+
new_subuid = entry_attrs.single_value.get("ipasubuidnumber")
new_subgid = entry_attrs.single_value.get("ipasubgidnumber")
@@ -577,6 +583,11 @@ class subid_stats(LDAPQuery):
return int(entry.single_value["numSubordinates"])
def execute(self, *keys, **options):
+ if self.api.Object.config.is_config_option_present('SubID:Disable'):
+ raise errors.ValidationError(
+ name="configuration state",
+ error=_("Support for subordinate IDs is disabled"))
+
ldap = self.obj.backend
dna_remaining = self.get_remaining_dna(ldap, **options)
baseid, rangesize = self.get_idrange(ldap, **options)
diff --git a/ipaserver/plugins/user.py b/ipaserver/plugins/user.py
index a3e9c29035161af40c29093b3792f2d97847e5d1..875f2b4babc526359d76778321ba7402198acac9 100644
--- a/ipaserver/plugins/user.py
+++ b/ipaserver/plugins/user.py
@@ -718,7 +718,9 @@ class user_add(baseuser_add):
default_subid = config.single_value.get(
'ipaUserDefaultSubordinateId', False
)
- if default_subid:
+ subid_disabled = self.api.Object.config.is_config_option_present(
+ 'SubID:Disable')
+ if default_subid and not subid_disabled:
result = self.api.Command.subid_generate(
ipaowner=entry_attrs.single_value['uid'],
version=options['version']
--
2.48.1

33
0077-update_dna_shared_config-do-not-fail-when-config-is-.patch Normal file
View File

@ -0,0 +1,33 @@
From b8b91dfe71d7d049f5e55a8195cb37f87837bbce Mon Sep 17 00:00:00 2001
From: Alexander Bokovoy <abokovoy@redhat.com>
Date: Wed, 12 Mar 2025 21:52:56 +0200
Subject: [PATCH] update_dna_shared_config: do not fail when config is not
found
The helper function was supposed to return a DN or None.
Related: https://pagure.io/freeipa/issue/9757
Signed-off-by: Alexander Bokovoy <abokovoy@redhat.com>
Reviewed-By: Rob Crittenden <rcritten@redhat.com>
Reviewed-By: Florence Blanc-Renaud <flo@redhat.com>
---
ipaserver/install/plugins/update_dna_shared_config.py | 2 +-
1 file changed, 1 insertion(+), 1 deletion(-)
diff --git a/ipaserver/install/plugins/update_dna_shared_config.py b/ipaserver/install/plugins/update_dna_shared_config.py
index 955bee5dd830f0dcad3f0810e7e2f1a1c725a0aa..42ee86d8b547fa9d6fb4cced5e36d243ba8cd4ff 100644
--- a/ipaserver/install/plugins/update_dna_shared_config.py
+++ b/ipaserver/install/plugins/update_dna_shared_config.py
@@ -49,7 +49,7 @@ class update_dna_shared_config(Updater):
except errors.NotFound:
logger.error("Could not find DNA config entry: %s",
dna_config_base)
- return False, ()
+ return None
else:
logger.debug('Found DNA config %s', dna_config_base)
--
2.48.1

71
0078-baseuser-allow-uidNumber-and-gidNumber-of-32-bit-ran.patch Normal file
View File

@ -0,0 +1,71 @@
From 65cb358c01568e9a11899dbfe21eaeb916af3cdf Mon Sep 17 00:00:00 2001
From: Alexander Bokovoy <abokovoy@redhat.com>
Date: Fri, 28 Feb 2025 15:34:12 +0200
Subject: [PATCH] baseuser: allow uidNumber and gidNumber of 32-bit range
JSON format allows to encode integers up to 2^53-1. Linux systems allow
for 32-bit IDs. Permit setting full 32-bit uidNumber and gidNumber
through IPA API. Administrators already can set 32-bit IDs via LDAP.
ID Range also needs to permit larger sizes of RID bases. SIDGEN plugin
already treats RID bases as 1..MAX_UINT32.
Fixes: https://pagure.io/freeipa/issue/9757
Signed-off-by: Alexander Bokovoy <abokovoy@redhat.com>
Reviewed-By: Rob Crittenden <rcritten@redhat.com>
Reviewed-By: Florence Blanc-Renaud <flo@redhat.com>
---
ipaserver/plugins/baseuser.py | 4 +++-
ipaserver/plugins/idrange.py | 4 ++++
2 files changed, 7 insertions(+), 1 deletion(-)
diff --git a/ipaserver/plugins/baseuser.py b/ipaserver/plugins/baseuser.py
index b66016305276f7f66d2e9dd4c7946cf49ec5cd96..22393b8f6c5d3e40b57f11947d0a0358d3a087bc 100644
--- a/ipaserver/plugins/baseuser.py
+++ b/ipaserver/plugins/baseuser.py
@@ -26,7 +26,7 @@ import six
from ipalib import api, errors, constants
from ipalib import (
Flag, Int, Password, Str, Bool, StrEnum, DateTime, DNParam)
-from ipalib.parameters import Principal, Certificate
+from ipalib.parameters import Principal, Certificate, MAX_UINT32
from ipalib.plugable import Registry
from .baseldap import (
DN, LDAPObject, LDAPCreate, LDAPUpdate, LDAPSearch, LDAPDelete,
@@ -348,11 +348,13 @@ class baseuser(LDAPObject):
label=_('UID'),
doc=_('User ID Number (system will assign one if not provided)'),
minvalue=1,
+ maxvalue=MAX_UINT32,
),
Int('gidnumber?',
label=_('GID'),
doc=_('Group ID Number'),
minvalue=1,
+ maxvalue=MAX_UINT32,
),
Str('street?',
cli_name='street',
diff --git a/ipaserver/plugins/idrange.py b/ipaserver/plugins/idrange.py
index ec061a455ca26aa7b5354b5b4cc8318e2559d5af..26a3bb666273013912e80d49b56031869157375a 100644
--- a/ipaserver/plugins/idrange.py
+++ b/ipaserver/plugins/idrange.py
@@ -235,10 +235,14 @@ class idrange(LDAPObject):
Int('ipabaserid?',
cli_name='rid_base',
label=_('First RID of the corresponding RID range'),
+ minvalue=1,
+ maxvalue=Int.MAX_UINT32
),
Int('ipasecondarybaserid?',
cli_name='secondary_rid_base',
label=_('First RID of the secondary RID range'),
+ minvalue=1,
+ maxvalue=Int.MAX_UINT32
),
Str('ipanttrusteddomainsid?',
cli_name='dom_sid',
--
2.48.1

133
0079-ipatests-add-a-test-to-use-full-32-bit-ID-range-spac.patch Normal file
View File

@ -0,0 +1,133 @@
From 015d26bab4296dc18e97dd10054a3f668282ef88 Mon Sep 17 00:00:00 2001
From: Alexander Bokovoy <abokovoy@redhat.com>
Date: Wed, 5 Mar 2025 12:49:27 +0200
Subject: [PATCH] ipatests: add a test to use full 32-bit ID range space
The test reconfigures IPA deployment to disable subordinate IDs support
and then configures an additional ID range to cover upper half of the
2^32 ID space. It then makes sure that a user with an UID/GID from that
ID range can be created and used.
Fixes: https://pagure.io/freeipa/issue/9757
Signed-off-by: Alexander Bokovoy <abokovoy@redhat.com>
Reviewed-By: Rob Crittenden <rcritten@redhat.com>
Reviewed-By: Florence Blanc-Renaud <flo@redhat.com>
---
.../test_integration/test_32bit_idranges.py | 104 ++++++++++++++++++
1 file changed, 104 insertions(+)
create mode 100644 ipatests/test_integration/test_32bit_idranges.py
diff --git a/ipatests/test_integration/test_32bit_idranges.py b/ipatests/test_integration/test_32bit_idranges.py
new file mode 100644
index 0000000000000000000000000000000000000000..e76e117e5f1627af02274a13d3ac12ca84eb7ad9
--- /dev/null
+++ b/ipatests/test_integration/test_32bit_idranges.py
@@ -0,0 +1,104 @@
+#
+# Copyright (C) 2025 FreeIPA Contributors see COPYING for license
+#
+
+from __future__ import absolute_import
+
+from ipatests.pytest_ipa.integration import tasks
+from ipatests.test_integration.base import IntegrationTest
+
+
+class Test32BitIdRanges(IntegrationTest):
+ topology = "line"
+
+ def test_remove_subid_range(self):
+ """
+ Test that allocating subid will fail after disabling global option
+ """
+ master = self.master
+ tasks.kinit_admin(master)
+
+ idrange = f"{master.domain.realm}_subid_range"
+ master.run_command(
+ ["ipa", "config-mod", "--addattr", "ipaconfigstring=SubID:Disable"]
+ )
+ master.run_command(["ipa", "idrange-del", idrange])
+
+ tasks.user_add(master, 'subiduser')
+ result = master.run_command(
+ ["ipa", "subid-generate", "--owner", "subiduser"], raiseonerr=False
+ )
+ assert result.returncode > 0
+ assert "Support for subordinate IDs is disabled" in result.stderr_text
+ tasks.user_del(master, 'subiduser')
+
+ def test_invoke_upgrader(self):
+ """Test that ipa-server-upgrade does not add subid ranges back"""
+
+ master = self.master
+ master.run_command(['ipa-server-upgrade'], raiseonerr=True)
+ idrange = f"{master.domain.realm}_subid_range"
+ result = master.run_command(
+ ["ipa", "idrange-show", idrange], raiseonerr=False
+ )
+ assert result.returncode > 0
+ assert f"{idrange}: range not found" in result.stderr_text
+
+ result = tasks.ldapsearch_dm(
+ master,
+ 'cn=Subordinate IDs,cn=Distributed Numeric Assignment Plugin,'
+ 'cn=plugins,cn=config',
+ ['dnaType'],
+ scope='base',
+ raiseonerr=False
+ )
+ assert result.returncode == 32
+ output = result.stdout_text.lower()
+ assert "dnatype: " not in output
+
+ def test_create_user_with_32bit_id(self):
+ """Test that ID range above 2^31 can be used to assign IDs
+ to users and groups. Also check that SIDs generated properly.
+ """
+
+ master = self.master
+ idrange = f"{master.domain.realm}_upper_32bit_range"
+ id_base = 1 << 31
+ id_length = (1 << 31) - 2
+ uid = id_base + 1
+ gid = id_base + 1
+ master.run_command(
+ [
+ "ipa",
+ "idrange-add",
+ idrange,
+ "--base-id", str(id_base),
+ "--range-size", str(id_length),
+ "--rid-base", str(int(id_base >> 3)),
+ "--secondary-rid-base", str(int(id_base >> 3) + id_length),
+ "--type=ipa-local"
+ ]
+ )
+
+ # We added new ID range, SIDGEN will only take it after
+ # restarting a directory server instance.
+ tasks.restart_ipa_server(master)
+
+ # Clear SSSD cache to pick up new ID range
+ tasks.clear_sssd_cache(master)
+
+ tasks.user_add(master, "user", extra_args=[
+ "--uid", str(uid), "--gid", str(gid)
+ ])
+
+ result = master.run_command(
+ ["ipa", "user-show", "user", "--all", "--raw"], raiseonerr=False
+ )
+ assert result.returncode == 0
+ assert "ipaNTSecurityIdentifier:" in result.stdout_text
+
+ result = master.run_command(
+ ["id", "user"], raiseonerr=False
+ )
+ assert result.returncode == 0
+ assert str(uid) in result.stdout_text
--
2.48.1

41
0080-idrange-use-minvalue-0-for-baserid-and-secondarybase.patch Normal file
View File

@ -0,0 +1,41 @@
From 01f23216ab5b383710dad086a01bb73b2da383d1 Mon Sep 17 00:00:00 2001
From: Florence Blanc-Renaud <flo@redhat.com>
Date: Mon, 17 Mar 2025 16:21:23 +0100
Subject: [PATCH] idrange: use minvalue=0 for baserid and secondarybaserid
With the support of 32 bit idrange, the minvalue was set to 1
but this introduces a regression in the command ipa trust-add
as the range for AD trust is added with baserid=0
Lower the minvalue to 0
Fixes: https://pagure.io/freeipa/issue/9765
Signed-off-by: Florence Blanc-Renaud <flo@redhat.com>
Reviewed-By: Alexander Bokovoy <abokovoy@redhat.com>
---
ipaserver/plugins/idrange.py | 4 ++--
1 file changed, 2 insertions(+), 2 deletions(-)
diff --git a/ipaserver/plugins/idrange.py b/ipaserver/plugins/idrange.py
index 26a3bb666273013912e80d49b56031869157375a..d155fb46da8240449a077d35e86a91ee9f95c132 100644
--- a/ipaserver/plugins/idrange.py
+++ b/ipaserver/plugins/idrange.py
@@ -235,13 +235,13 @@ class idrange(LDAPObject):
Int('ipabaserid?',
cli_name='rid_base',
label=_('First RID of the corresponding RID range'),
- minvalue=1,
+ minvalue=0,
maxvalue=Int.MAX_UINT32
),
Int('ipasecondarybaserid?',
cli_name='secondary_rid_base',
label=_('First RID of the secondary RID range'),
- minvalue=1,
+ minvalue=0,
maxvalue=Int.MAX_UINT32
),
Str('ipanttrusteddomainsid?',
--
2.48.1

190
0081-ipatests-Tests-to-check-data-in-journal-log.patch Normal file
View File

@ -0,0 +1,190 @@
From 47770b8626c353b95d4ae89a0fb7e23b3791d3ea Mon Sep 17 00:00:00 2001
From: Sudhir Menon <sumenon@redhat.com>
Date: Wed, 22 Jan 2025 16:03:37 +0530
Subject: [PATCH] ipatests: Tests to check data in journal log
This testcase checks that ipa administrative user
password is not displayed in journal log.
Related: https://issues.redhat.com/browse/RHEL-67190
Signed-off-by: Sudhir Menon <sumenon@redhat.com>
Reviewed-By: Florence Blanc-Renaud <flo@redhat.com>
---
ipatests/pytest_ipa/integration/tasks.py | 10 ++
ipatests/test_integration/test_commands.py | 116 +++++++++++++++++----
2 files changed, 104 insertions(+), 22 deletions(-)
diff --git a/ipatests/pytest_ipa/integration/tasks.py b/ipatests/pytest_ipa/integration/tasks.py
index 4ce33bb47cbc52641088f73cdb75d7bb184c274b..dccfaf30e708f18c81d3f1662d6df7b116ed36ac 100755
--- a/ipatests/pytest_ipa/integration/tasks.py
+++ b/ipatests/pytest_ipa/integration/tasks.py
@@ -3004,3 +3004,13 @@ def copy_files(source_host, dest_host, filelist):
dest_host.transport.mkdir_recursive(os.path.dirname(file))
data = source_host.get_file_contents(file)
dest_host.transport.put_file_contents(file, data)
+
+
+def check_journal_does_not_contain_secret(host, cmd):
+ """
+ Helper to check journal logs doesnt reveal secrets
+ """
+ journalctl_cmd = ['journalctl', '-t', cmd, '-n1', '-o', 'json-pretty']
+ result = host.run_command(journalctl_cmd, raiseonerr=False)
+ assert (host.config.admin_password not in result.stdout_text)
+ assert (host.config.dirman_password not in result.stdout_text)
diff --git a/ipatests/test_integration/test_commands.py b/ipatests/test_integration/test_commands.py
index 9c65b7c6bbf4c6378bdf0fa9da0242805ddd17aa..47ef232563d67f86040e2c5944805e430ab2e26c 100644
--- a/ipatests/test_integration/test_commands.py
+++ b/ipatests/test_integration/test_commands.py
@@ -39,6 +39,7 @@ from ipaplatform.tasks import tasks as platform_tasks
from ipatests.create_external_ca import ExternalCA
from ipatests.test_ipalib.test_x509 import good_pkcs7, badcert
from ipapython.ipautil import realm_to_suffix, ipa_generate_password
+from ipatests.test_integration.test_topology import find_segment
from ipaserver.install.installutils import realm_to_serverid
from pkg_resources import parse_version
@@ -1662,28 +1663,77 @@ class TestIPACommand(IntegrationTest):
assert result.returncode == 1
assert 'cannot be deleted or disabled' in result.stderr_text
- def test_ipa_cacert_manage_prune(self):
- """Test for ipa-cacert-manage prune"""
-
- certfile = os.path.join(self.master.config.test_dir, 'cert.pem')
- self.master.put_file_contents(certfile, isrgrootx1)
- result = self.master.run_command(
- [paths.IPA_CACERT_MANAGE, 'install', certfile])
-
- certs_before_prune = self.master.run_command(
- [paths.IPA_CACERT_MANAGE, 'list'], raiseonerr=False
- ).stdout_text
+ def test_ipa_systemd_journal(self):
+ """
+ This testcase checks that administrative user credentials
+ is not leaked to journald log
+ """
+ tasks.kinit_admin(self.master)
+ tasks.kinit_admin(self.replicas[0])
+ tasks.kinit_admin(self.clients[0])
+ cmds = [
+ ['/usr/sbin/ipa-adtrust-install', '-a',
+ self.master.config.admin_password, '-U'],
+ ['/usr/sbin/ipa-replica-manage', 'del',
+ f"dummyhost.{self.master.domain.name}", '-p',
+ self.master.config.dirman_password],
+ ['/usr/sbin/ipa-csreplica-manage', 'del',
+ f"dummyhost.{self.master.domain.name}", '-p',
+ self.master.config.dirman_password],
+ ['/usr/sbin/ipa-kra-install', '-p',
+ self.master.config.dirman_password, '-U'],
+ ['/usr/sbin/ipa-server-certinstall', '-k', '--pin',
+ self.master.config.dirman_password, '-p',
+ self.master.config.dirman_password, paths.KDC_CERT,
+ paths.KDC_KEY]
+ ]
+ for cmd in cmds:
+ self.master.run_command(cmd, raiseonerr=False)
+ tasks.check_journal_does_not_contain_secret(
+ self.master, cmd[0]
+ )
+ for cmd in cmds:
+ self.replicas[0].run_command(cmd, raiseonerr=False)
+ tasks.check_journal_does_not_contain_secret(
+ self.replicas[0], cmd[0]
+ )
+ tasks.check_journal_does_not_contain_secret(
+ self.clients[0], 'python3'
+ )
+ # Backup and restore IPA and check secrets are not leaked.
+ backup_path = tasks.get_backup_dir(self.master)
+ restore_cmd = (
+ ['/usr/sbin/ipa-restore', '-p',
+ self.master.config.dirman_password,
+ backup_path, '-U']
+ )
+ self.master.run_command(restore_cmd)
- assert isrgrootx1_nick in certs_before_prune
+ # re-initializing topology after restore
+ for topo_suffix in 'domain', 'ca':
+ topo_name = find_segment(self.master, self.replicas[0], topo_suffix)
+ arg = ['ipa', 'topologysegment-reinitialize',
+ topo_suffix, topo_name]
+ if topo_name.split('-to-', maxsplit=1)[0] != self.master.hostname:
+ arg.append('--left')
+ else:
+ arg.append('--right')
+ self.replicas[0].run_command(arg)
- # Jump in time to make sure the cert is expired
- self.master.run_command(['date', '-s', '+15Years'])
- result = self.master.run_command(
- [paths.IPA_CACERT_MANAGE, 'prune'], raiseonerr=False
- ).stdout_text
- self.master.run_command(['date', '-s', '-15Years'])
+ # wait sometime for re-initialization
+ tasks.wait_for_replication(self.replicas[0].ldap_connect())
- assert isrgrootx1_nick in result
+ tasks.check_journal_does_not_contain_secret(
+ self.master, restore_cmd[0]
+ )
+ # Checking for secrets in IPA server install
+ tasks.check_journal_does_not_contain_secret(
+ self.master, '/usr/sbin/ipa-server-install'
+ )
+ # Checking for secrets in IPA replica install
+ tasks.check_journal_does_not_contain_secret(
+ self.replicas[0], '/usr/sbin/ipa-replica-install'
+ )
class TestIPACommandWithoutReplica(IntegrationTest):
@@ -1719,10 +1769,9 @@ class TestIPACommandWithoutReplica(IntegrationTest):
self.master.run_command(['ipa', 'user-show', 'ipauser1'])
def test_basesearch_compat_tree(self):
- """Test ldapsearch against compat tree is working
-
+ """
+ Test ldapsearch against compat tree is working
This to ensure that ldapsearch with base scope is not failing.
-
related: https://bugzilla.redhat.com/show_bug.cgi?id=1958909
"""
version = self.master.run_command(
@@ -1920,6 +1969,29 @@ class TestIPACommandWithoutReplica(IntegrationTest):
assert old_err_msg not in dirsrv_error_log
assert re.search(new_err_msg, dirsrv_error_log)
+ def test_ipa_cacert_manage_prune(self):
+ """Test for ipa-cacert-manage prune"""
+
+ certfile = os.path.join(self.master.config.test_dir, 'cert.pem')
+ self.master.put_file_contents(certfile, isrgrootx1)
+ result = self.master.run_command(
+ [paths.IPA_CACERT_MANAGE, 'install', certfile])
+
+ certs_before_prune = self.master.run_command(
+ [paths.IPA_CACERT_MANAGE, 'list'], raiseonerr=False
+ ).stdout_text
+
+ assert isrgrootx1_nick in certs_before_prune
+
+ # Jump in time to make sure the cert is expired
+ self.master.run_command(['date', '-s', '+15Years'])
+ result = self.master.run_command(
+ [paths.IPA_CACERT_MANAGE, 'prune'], raiseonerr=False
+ ).stdout_text
+ self.master.run_command(['date', '-s', '-15Years'])
+
+ assert isrgrootx1_nick in result
+
class TestIPAautomount(IntegrationTest):
@classmethod
--
2.48.1

69
0082-Disallow-removal-of-dogtag-and-ipa-dnskeysyncd-servi.patch Normal file
View File

@ -0,0 +1,69 @@
From ac308ab8f5685465e755b4ba7e5d428fe38bea4d Mon Sep 17 00:00:00 2001
From: David Hanina <dhanina@redhat.com>
Date: Mon, 17 Mar 2025 09:26:44 +0100
Subject: [PATCH] Disallow removal of dogtag and ipa-dnskeysyncd services on
IPA servers
Also removes dogtagldap from unremovable services
Fixes: https://pagure.io/freeipa/issue/9764
Signed-off-by: David Hanina <dhanina@redhat.com>
Reviewed-By: Rob Crittenden <rcritten@redhat.com>
---
ipaserver/plugins/service.py | 2 +-
ipatests/test_xmlrpc/test_service_plugin.py | 26 +++++++++++++++++++++
2 files changed, 27 insertions(+), 1 deletion(-)
diff --git a/ipaserver/plugins/service.py b/ipaserver/plugins/service.py
index 075a1be8aab5d638cb632b64e766231d3761f731..f50406472a7c1d636bd8731dc550c0d850b2264d 100644
--- a/ipaserver/plugins/service.py
+++ b/ipaserver/plugins/service.py
@@ -323,7 +323,7 @@ def check_required_principal(ldap, principal):
try:
host_is_master(ldap, principal.hostname)
except errors.ValidationError:
- service_types = {'http', 'ldap', 'dns', 'dogtagldap'}
+ service_types = {'http', 'ldap', 'dns', 'dogtag', 'ipa-dnskeysyncd'}
if principal.service_name.lower() in service_types:
raise errors.ValidationError(
name='principal',
diff --git a/ipatests/test_xmlrpc/test_service_plugin.py b/ipatests/test_xmlrpc/test_service_plugin.py
index a3b245679a224572a999354bc7d63360b1f06eed..4aeeb9d89971a56a2ccfccd616b15392f5f0e0ee 100644
--- a/ipatests/test_xmlrpc/test_service_plugin.py
+++ b/ipatests/test_xmlrpc/test_service_plugin.py
@@ -864,6 +864,32 @@ class test_service(Declarative):
),
),
+ dict(
+ desc=('Delete the current host (master?) %s dogtag service,'
+ ' should be caught' % api.env.host),
+ command=('service_del', ['dogtag/%s' % api.env.host], {}),
+ expected=errors.ValidationError(
+ name='principal',
+ error='dogtag/%s@%s is required by the IPA master' % (
+ api.env.host,
+ api.env.realm
+ )
+ ),
+ ),
+
+ dict(
+ desc=('Delete the current host (master?) %s ipa-dnskeysyncd'
+ ' service, should be caught' % api.env.host),
+ command=('service_del', ['ipa-dnskeysyncd/%s' % api.env.host], {}),
+ expected=errors.ValidationError(
+ name='principal',
+ error='ipa-dnskeysyncd/%s@%s is required by the IPA master' % (
+ api.env.host,
+ api.env.realm
+ )
+ ),
+ ),
+
dict(
desc='Disable the current host (master?) %s HTTP service, should be caught' % api.env.host,
--
2.48.1

888
0083-Don-t-require-certificates-to-have-unique-ipaCertSub.patch Normal file
View File

@ -0,0 +1,888 @@
From 722a5a4e0f0c6948252d385da4ffef7c03338aec Mon Sep 17 00:00:00 2001
From: Rob Crittenden <rcritten@redhat.com>
Date: Thu, 8 Aug 2024 16:48:19 -0400
Subject: [PATCH] Don't require certificates to have unique ipaCertSubject
In the wild a public CA issued a new subordinate CA certificate
with an identical subject to another, with a new private key.
This was uninstallable using ipa-cacert-manage because it would
fail with "subject public key info mismatch" during verification
because a different certificate with the same subject but
different public key was installed.
I'm not sure of the reasoning to prevent this situation but I
see it as giving users flexibility. This may be hurtful to them
but they can always remove any affected certs.
This is backwards compatible with older releases from the client
perspective. Older servers will choke on the duplicates and
won't be able to manage these.
A new serial number option is added for displaying the list of
certificates and for use when deleting one with a duplicate subject.
ipa-cacert-manage delete on systems without this patch will
successfully remove ALL of the requested certificates. There is no
way to distinguish. At least it won't break anything and the
deleted certificates can be re-added.
Fixes: https://pagure.io/freeipa/issue/9652
Signed-off-by: Rob Crittenden <rcritten@redhat.com>
Reviewed-By: Florence Blanc-Renaud <flo@redhat.com>
Reviewed-By: Alexander Bokovoy <abokovoy@redhat.com>
---
install/restart_scripts/renew_ca_cert.in | 4 +-
install/tools/man/ipa-cacert-manage.1 | 11 ++
install/updates/10-uniqueness.update | 21 +--
ipaclient/install/client.py | 6 +-
ipaclient/install/ipa_certupdate.py | 2 +-
ipalib/install/certstore.py | 46 +++++-
ipaplatform/debian/tasks.py | 2 +-
ipaplatform/redhat/tasks.py | 2 +-
ipapython/certdb.py | 110 ++++++++------
ipaserver/install/certs.py | 7 +-
ipaserver/install/installutils.py | 3 +-
ipaserver/install/ipa_cacert_manage.py | 82 +++++++----
ipaserver/install/ipa_server_certinstall.py | 5 +-
ipaserver/install/krbinstance.py | 2 +-
ipaserver/install/service.py | 4 +-
ipatests/test_integration/test_commands.py | 151 +++++++++++++++++++-
16 files changed, 351 insertions(+), 107 deletions(-)
diff --git a/install/restart_scripts/renew_ca_cert.in b/install/restart_scripts/renew_ca_cert.in
index cbb2c89a81e15bf02c09d7d4328a866cb77f8837..814acdaa772acbf241a8169e273d5b7bbb5773b8 100644
--- a/install/restart_scripts/renew_ca_cert.in
+++ b/install/restart_scripts/renew_ca_cert.in
@@ -168,7 +168,7 @@ def _main():
ca_certs = []
realm_nickname = get_ca_nickname(api.env.realm)
- for ca_cert, ca_nick, ca_flags in ca_certs:
+ for ca_cert, ca_nick, ca_flags, _serial in ca_certs:
try:
if ca_nick == realm_nickname:
ca_nick = 'caSigningCert cert-pki-ca'
@@ -180,7 +180,7 @@ def _main():
# Pass Dogtag's self-tests
for ca_nick in db.find_root_cert(nickname)[-2:-1]:
- ca_flags = dict(cc[1:] for cc in ca_certs)[ca_nick]
+ ca_flags = dict(cc[1:3] for cc in ca_certs)[ca_nick]
usages = ca_flags.usages or set()
ca_flags_modified = TrustFlags(ca_flags.has_key,
True, True,
diff --git a/install/tools/man/ipa-cacert-manage.1 b/install/tools/man/ipa-cacert-manage.1
index 8913fe5d2abab5e5b78cf51abd4fae5d7a0ad78f..1e15d47a55492b31c3198496050508dec3fb6a82 100644
--- a/install/tools/man/ipa-cacert-manage.1
+++ b/install/tools/man/ipa-cacert-manage.1
@@ -57,6 +57,14 @@ Important: this does not replace IPA CA but adds the provided certificate as a k
Please do not forget to run ipa-certupdate on the master, all the replicas and all the clients after this command in order to update IPA certificates databases.
.sp
The supported formats for the certificate files are DER, PEM and PKCS#7 format.
+.sp
+CA certificates with the same subject but different private keys maybe installed simultaneously with the following restrictions from NSS:
+.IP \[bu]
+The certificates cannot have different NSS trust flags.
+.IP \[bu]
+The nickname is not configurable between different certificates of the same subject. It will always be the same (even if you try).
+.sp
+Additionally CA certificates with the same subject should include the Authority Key Identifier extension in order to identify the public key of the certificate issuer (CA) that signed the certificate (it may be itself). Similarly it should have a Subject Key Identifier extension. This is used to create the trust chain not through subjects but by using the SKID and AKID which is what allows duplicate certificate subjects to be resolved correctly. Without an AKID multiple certificates of the same subject will not resolve as expected.
.RE
.TP
\fBdelete\fR
@@ -153,6 +161,9 @@ p \- not trusted
.TP
\fB\-f\fR, \fB\-\-force\fR
Force a CA certificate to be removed even if chain validation fails.
+.TP
+\fB\-s\fR \fISERIAL_NUMBER\fR, \fB\-\-serial\fR=\fISERIAL_NUMBER\fR
+Serial number of the certificate to delete (decimal). This is needed to determine which certificate to remove if there are multiple certificates stored with the same name.
.SH "EXIT STATUS"
0 if the command was successful
diff --git a/install/updates/10-uniqueness.update b/install/updates/10-uniqueness.update
index 699de3b4d3305def5d81aeb945106b80eef0ef40..fa17911f2ed9c7bcaa851de0f0a4790a550e1c91 100644
--- a/install/updates/10-uniqueness.update
+++ b/install/updates/10-uniqueness.update
@@ -15,23 +15,6 @@ default:nsslapd-pluginId: NSUniqueAttr
default:nsslapd-pluginVersion: 1.1.0
default:nsslapd-pluginVendor: Fedora Project
-dn: cn=certificate store subject uniqueness,cn=plugins,cn=config
-default:objectClass: top
-default:objectClass: nsSlapdPlugin
-default:objectClass: extensibleObject
-default:cn: certificate store subject uniqueness
-default:nsslapd-pluginDescription: Enforce unique attribute values
-default:nsslapd-pluginPath: libattr-unique-plugin
-default:nsslapd-pluginInitfunc: NSUniqueAttr_Init
-default:nsslapd-pluginType: preoperation
-default:nsslapd-pluginEnabled: on
-default:uniqueness-attribute-name: ipaCertSubject
-default:uniqueness-subtrees: cn=certificates,cn=ipa,cn=etc,$SUFFIX
-default:nsslapd-plugin-depends-on-type: database
-default:nsslapd-pluginId: NSUniqueAttr
-default:nsslapd-pluginVersion: 1.1.0
-default:nsslapd-pluginVendor: Fedora Project
-
dn: cn=certificate store issuer/serial uniqueness,cn=plugins,cn=config
default:objectClass: top
default:objectClass: nsSlapdPlugin
@@ -128,3 +111,7 @@ default:nsslapd-plugin-depends-on-type: database
default:nsslapd-pluginId: NSUniqueAttr
default:nsslapd-pluginVersion: 1.1.0
default:nsslapd-pluginVendor: Fedora Project
+
+# A unique ipaCertSubject is no longer required
+dn: cn=certificate store subject uniqueness,cn=plugins,cn=config
+deleteentry: cn=certificate store subject uniqueness,cn=plugins,cn=config
diff --git a/ipaclient/install/client.py b/ipaclient/install/client.py
index 9e4d3bbe70826a18c55f4c4abe0ff1d42b0b509d..372daa51e4647023dde76e183189eeebdd9525b8 100644
--- a/ipaclient/install/client.py
+++ b/ipaclient/install/client.py
@@ -3200,15 +3200,15 @@ def _install(options, tdict):
ca_certs = certstore.make_compat_ca_certs(ca_certs, cli_realm,
ca_subject)
ca_certs_trust = [(c, n, certstore.key_policy_to_trust_flags(t, True, u))
- for (c, n, t, u) in ca_certs]
+ for (c, n, t, u, s) in ca_certs]
x509.write_certificate_list(
- [c for c, n, t, u in ca_certs if t is not False],
+ [c for c, n, t, u, s in ca_certs if t is not False],
paths.KDC_CA_BUNDLE_PEM,
mode=0o644
)
x509.write_certificate_list(
- [c for c, n, t, u in ca_certs if t is not False],
+ [c for c, n, t, u, s in ca_certs if t is not False],
paths.CA_BUNDLE_PEM,
mode=0o644
)
diff --git a/ipaclient/install/ipa_certupdate.py b/ipaclient/install/ipa_certupdate.py
index bc70254e2b34f21889793d34724c13d73882418b..88618a9c23265e1ab1328361125acc3724cd329f 100644
--- a/ipaclient/install/ipa_certupdate.py
+++ b/ipaclient/install/ipa_certupdate.py
@@ -276,7 +276,7 @@ def update_db(path, certs):
for name, flags in db.list_certs():
if flags.ca:
db.delete_cert(name)
- for cert, nickname, trusted, eku in certs:
+ for cert, nickname, trusted, eku, _serial in certs:
trust_flags = certstore.key_policy_to_trust_flags(trusted, True, eku)
try:
db.add_cert(cert, nickname, trust_flags)
diff --git a/ipalib/install/certstore.py b/ipalib/install/certstore.py
index 8b182958c26e066eaeca859f451073c83e82bd67..fb4f09a2b44aa5b65efb6e10afcd7c515535e56b 100644
--- a/ipalib/install/certstore.py
+++ b/ipalib/install/certstore.py
@@ -179,10 +179,9 @@ def update_ca_cert(ldap, base_dn, cert, trusted=None, ext_key_usage=None,
# We are adding a new cert, validate it
if entry.single_value['ipaCertSubject'].lower() != subject.lower():
raise ValueError("subject name mismatch")
- if entry.single_value['ipaPublicKey'] != public_key:
- raise ValueError("subject public key info mismatch")
entry['ipaCertIssuerSerial'].append(issuer_serial)
entry['cACertificate;binary'].append(cert)
+ entry['ipaPublicKey'].append(public_key)
# Update key trust
if trusted is not None:
@@ -224,6 +223,38 @@ def update_ca_cert(ldap, base_dn, cert, trusted=None, ext_key_usage=None,
clean_old_config(ldap, base_dn, dn, config_ipa, config_compat)
+def delete_ca_cert(ldap, base_dn, cert):
+ """
+ Remove a CA certificate in the certificate store.
+ """
+ subject, issuer_serial, _public_key = _parse_cert(cert)
+
+ filter = ldap.make_filter({'ipaCertSubject': subject})
+ result, _truncated = ldap.find_entries(
+ base_dn=DN(('cn', 'certificates'), ('cn', 'ipa'), ('cn', 'etc'),
+ base_dn),
+ filter=filter,
+ attrs_list=['cn', 'ipaCertSubject', 'ipaCertIssuerSerial',
+ 'ipaPublicKey', 'ipaKeyTrust', 'ipaKeyExtUsage',
+ 'ipaConfigString', 'cACertificate;binary'])
+ entry = result[0]
+
+ for old_cert in entry['cACertificate;binary']:
+ # Check if we are adding a new cert
+ if old_cert == cert:
+ break
+ else:
+ raise ValueError("certificate not found")
+
+ entry['ipaCertIssuerSerial'].remove(issuer_serial)
+ entry['cACertificate;binary'].remove(cert)
+
+ if len(entry['ipaCertIssuerSerial']) == 0:
+ ldap.delete_entry(entry.dn)
+ else:
+ ldap.update_entry(entry)
+
+
def put_ca_cert(ldap, base_dn, cert, nickname, trusted=None,
ext_key_usage=None, config_ipa=False, config_compat=False):
"""
@@ -309,11 +340,14 @@ def get_ca_certs(ldap, base_dn, compat_realm, compat_ipa_ca,
for cert in entry.get('cACertificate;binary', []):
try:
- _parse_cert(cert)
+ _subject, issuer_serial, _pkinfo = _parse_cert(cert)
except ValueError:
certs = []
break
- certs.append((cert, nickname, trusted, ext_key_usage))
+ serial_number = issuer_serial.split(';')[1]
+ certs.append(
+ (cert, nickname, trusted, ext_key_usage, serial_number)
+ )
except errors.NotFound:
try:
ldap.get_entry(container_dn, [''])
@@ -381,9 +415,9 @@ def get_ca_certs_nss(ldap, base_dn, compat_realm, compat_ipa_ca,
certs = get_ca_certs(ldap, base_dn, compat_realm, compat_ipa_ca,
filter_subject=filter_subject)
- for cert, nickname, trusted, ext_key_usage in certs:
+ for cert, nickname, trusted, ext_key_usage, _serial_number in certs:
trust_flags = key_policy_to_trust_flags(trusted, True, ext_key_usage)
- nss_certs.append((cert, nickname, trust_flags))
+ nss_certs.append((cert, nickname, trust_flags, _serial_number))
return nss_certs
diff --git a/ipaplatform/debian/tasks.py b/ipaplatform/debian/tasks.py
index a7b5cdf38d23669bd8beaa9b85020355eaeb2af2..8a50c66bc1facac4a793db209d54fc59049a94c0 100644
--- a/ipaplatform/debian/tasks.py
+++ b/ipaplatform/debian/tasks.py
@@ -126,7 +126,7 @@ used by ca-certificates and is provided for information only.\
logger.error("Could not create %s", path)
raise
- for cert, nickname, trusted, _ext_key_usage in ca_certs:
+ for cert, nickname, trusted, _ext_key_usage, _serial in ca_certs:
if not trusted:
continue
diff --git a/ipaplatform/redhat/tasks.py b/ipaplatform/redhat/tasks.py
index 4fb6208073d7326b80042408fff98e4124e0dbed..d3eda01720655df4bebb317d636621a3dee9a24d 100644
--- a/ipaplatform/redhat/tasks.py
+++ b/ipaplatform/redhat/tasks.py
@@ -329,7 +329,7 @@ class RedHatTaskNamespace(BaseTaskNamespace):
raise
has_eku = set()
- for cert, nickname, trusted, _ext_key_usage in ca_certs:
+ for cert, nickname, trusted, _ext_key_usage, _serial in ca_certs:
try:
subject = cert.subject_bytes
issuer = cert.issuer_bytes
diff --git a/ipapython/certdb.py b/ipapython/certdb.py
index ec8f639051b0d4134fccc1c02aff6b4f3b43ebce..3314c3a03d815cc69a2c9036d434a00391dc378f 100644
--- a/ipapython/certdb.py
+++ b/ipapython/certdb.py
@@ -633,7 +633,7 @@ class NSSDatabase:
pkcs12_password_file.close()
def import_files(self, files, import_keys=False, key_password=None,
- key_nickname=None):
+ key_nickname=None, trust_flags=EMPTY_TRUST_FLAGS):
"""
Import certificates and a single private key from multiple files
@@ -809,7 +809,7 @@ class NSSDatabase:
for cert in extracted_certs:
nickname = str(DN(cert.subject))
- self.add_cert(cert, nickname, EMPTY_TRUST_FLAGS)
+ self.add_cert(cert, nickname, trust_flags)
if extracted_key:
with tempfile.NamedTemporaryFile() as in_file, \
@@ -867,6 +867,27 @@ class NSSDatabase:
cert, _start = find_cert_from_txt(result.output, start=0)
return cert
+ def get_all_certs(self, nickname):
+ """
+ :param nickname: nickname of the certificate in the NSS database
+ :returns: list of bytes of all certificates for the nickname
+ """
+ args = ['-L', '-n', nickname, '-a']
+ try:
+ result = self.run_certutil(args, capture_output=True)
+ except ipautil.CalledProcessError:
+ raise RuntimeError("Failed to get %s" % nickname)
+ certs = []
+
+ st = 0
+ while True:
+ try:
+ cert, st = find_cert_from_txt(result.output, start=st)
+ except RuntimeError:
+ break
+ certs.append(cert)
+ return certs
+
def has_nickname(self, nickname):
try:
self.get_cert(nickname)
@@ -990,53 +1011,58 @@ class NSSDatabase:
raise ValueError('invalid for server %s' % hostname)
def verify_ca_cert_validity(self, nickname, minpathlen=None):
- cert = self.get_cert(nickname)
- self._verify_cert_validity(cert)
+ def verify_ca_cert(cert, nickname, minpathlen):
+ self._verify_cert_validity(cert)
- if not cert.subject:
- raise ValueError("has empty subject")
+ if not cert.subject:
+ raise ValueError("has empty subject")
- try:
- bc = cert.extensions.get_extension_for_class(
+ try:
+ bc = cert.extensions.get_extension_for_class(
cryptography.x509.BasicConstraints)
- except cryptography.x509.ExtensionNotFound:
- raise ValueError("missing basic constraints")
-
- if not bc.value.ca:
- raise ValueError("not a CA certificate")
- if minpathlen is not None:
- # path_length is None means no limitation
- pl = bc.value.path_length
- if pl is not None and pl < minpathlen:
- raise ValueError(
- "basic contraint pathlen {}, must be at least {}".format(
- pl, minpathlen
+ except cryptography.x509.ExtensionNotFound:
+ raise ValueError("missing basic constraints")
+
+ if not bc.value.ca:
+ raise ValueError("not a CA certificate")
+ if minpathlen is not None:
+ # path_length is None means no limitation
+ pl = bc.value.path_length
+ if pl is not None and pl < minpathlen:
+ raise ValueError(
+ "basic contraint pathlen {}, "
+ "must be at least {}".format(
+ pl, minpathlen
+ )
)
- )
- try:
- ski = cert.extensions.get_extension_for_class(
+ try:
+ ski = cert.extensions.get_extension_for_class(
cryptography.x509.SubjectKeyIdentifier)
- except cryptography.x509.ExtensionNotFound:
- raise ValueError("missing subject key identifier extension")
- else:
- if len(ski.value.digest) == 0:
- raise ValueError("subject key identifier must not be empty")
+ except cryptography.x509.ExtensionNotFound:
+ raise ValueError("missing subject key identifier extension")
+ else:
+ if len(ski.value.digest) == 0:
+ raise ValueError("subject key identifier must not be empty")
- try:
- self.run_certutil(
- [
- '-V', # check validity of cert and attrs
- '-n', nickname,
- '-u', 'L', # usage; 'L' means "SSL CA"
- '-e', # check signature(s); this checks
- # key sizes, sig algorithm, etc.
- ],
- capture_output=True)
- except ipautil.CalledProcessError as e:
- # certutil output in case of error is
- # 'certutil: certificate is invalid: <ERROR_STRING>\n'
- raise ValueError(e.output)
+ try:
+ self.run_certutil(
+ [
+ '-V', # check validity of cert and attrs
+ '-n', nickname,
+ '-u', 'L', # usage; 'L' means "SSL CA"
+ '-e', # check signature(s); this checks
+ # key sizes, sig algorithm, etc.
+ ],
+ capture_output=True)
+ except ipautil.CalledProcessError as e:
+ # certutil output in case of error is
+ # 'certutil: certificate is invalid: <ERROR_STRING>\n'
+ raise ValueError(e.output)
+
+ certlist = self.get_all_certs(nickname)
+ for cert in certlist:
+ verify_ca_cert(cert, nickname, minpathlen)
def verify_kdc_cert_validity(self, nickname, realm):
nicknames = self.get_trust_chain(nickname)
diff --git a/ipaserver/install/certs.py b/ipaserver/install/certs.py
index f8be1ef0641fa30567f0b95fe8aa00ccc68d27e5..a3e38cdaaf4c6b358ec93c8ca55646086812bf0e 100644
--- a/ipaserver/install/certs.py
+++ b/ipaserver/install/certs.py
@@ -373,7 +373,7 @@ class CertDB:
except RuntimeError:
break
- def get_cert_from_db(self, nickname):
+ def get_cert_from_db(self, nickname, all=False):
"""
Retrieve a certificate from the current NSS database for nickname.
"""
@@ -386,7 +386,10 @@ class CertDB:
if token:
args.extend(['-h', token])
result = self.run_certutil(args, capture_output=True)
- return x509.load_pem_x509_certificate(result.raw_output)
+ if all:
+ return x509.load_certificate_list(result.raw_output)
+ else:
+ return x509.load_pem_x509_certificate(result.raw_output)
except ipautil.CalledProcessError:
return None
diff --git a/ipaserver/install/installutils.py b/ipaserver/install/installutils.py
index 3a31f8a98231bf5a2e0337de7be10b37626add86..f6f06c9a18d75f44e13f5d6bf5a3dc0976dc26a2 100644
--- a/ipaserver/install/installutils.py
+++ b/ipaserver/install/installutils.py
@@ -901,7 +901,8 @@ def load_pkcs12(cert_files, key_password, key_nickname, ca_cert_files,
if ca_cert_files:
try:
- nssdb.import_files(ca_cert_files)
+ nssdb.import_files(ca_cert_files,
+ trust_flags=EXTERNAL_CA_TRUST_FLAGS)
except RuntimeError as e:
raise ScriptError(str(e))
diff --git a/ipaserver/install/ipa_cacert_manage.py b/ipaserver/install/ipa_cacert_manage.py
index 048245237855212afe1f3ec4795b2253026ef864..6a03fa74e34bd068090ae1f4d5adfc79608fd02b 100644
--- a/ipaserver/install/ipa_cacert_manage.py
+++ b/ipaserver/install/ipa_cacert_manage.py
@@ -101,6 +101,9 @@ class CACertManage(admintool.AdminTool):
delete_group.add_option(
"-f", "--force", action='store_true',
help="Force removing the CA even if chain validation fails")
+ delete_group.add_option(
+ "-s", "--serial",
+ help="Serial number of the certificate to delete (decimal)")
parser.add_option_group(delete_group)
def validate_options(self):
@@ -413,6 +416,11 @@ class CACertManage(admintool.AdminTool):
"Nickname can only be used if only a single "
"certificate is loaded")
+ for nickname, trust_flags in imported:
+ if trust_flags.has_key:
+ continue
+ tmpdb.trust_root_cert(nickname, EXTERNAL_CA_TRUST_FLAGS)
+
# If a nickname was provided re-import the cert
if options.nickname:
(nickname, trust_flags) = imported[0]
@@ -421,7 +429,7 @@ class CACertManage(admintool.AdminTool):
tmpdb.add_cert(cert, options.nickname, EXTERNAL_CA_TRUST_FLAGS)
imported = tmpdb.list_certs()
- for ca_cert, ca_nickname, ca_trust_flags in ca_certs:
+ for ca_cert, ca_nickname, ca_trust_flags, _serial in ca_certs:
tmpdb.add_cert(ca_cert, ca_nickname, ca_trust_flags)
for nickname, trust_flags in imported:
@@ -461,10 +469,11 @@ class CACertManage(admintool.AdminTool):
for nickname, _trust_flags in imported:
try:
- cert = tmpdb.get_cert(nickname)
- certstore.put_ca_cert_nss(
- api.Backend.ldap2, api.env.basedn, cert, nickname,
- trust_flags)
+ certlist = tmpdb.get_all_certs(nickname)
+ for cert in certlist:
+ certstore.put_ca_cert_nss(
+ api.Backend.ldap2, api.env.basedn, cert, nickname,
+ trust_flags)
except ValueError as e:
raise admintool.ScriptError(
"Failed to install the certificate: %s" % e)
@@ -476,8 +485,8 @@ class CACertManage(admintool.AdminTool):
api.env.basedn,
api.env.realm,
False)
- for _ca_cert, ca_nickname, _ca_trust_flags in ca_certs:
- print(ca_nickname)
+ for _ca_cert, ca_nickname, _ca_trust_flags, serial in ca_certs:
+ print(f"{ca_nickname} {serial}")
def _delete_by_nickname(self, nicknames, options):
conn = api.Backend.ldap2
@@ -489,9 +498,25 @@ class CACertManage(admintool.AdminTool):
ipa_ca_nickname = get_ca_nickname(api.env.realm)
+ # Count the number of times the nickname appears in case we
+ # have a duplicate. If a serial number is provided we can skip
+ # this.
+ cert_count = 0
+ if not options.serial:
+ for nickname in nicknames:
+ for _ca_cert, ca_nickname, _ca_trust_flags, _serial in ca_certs:
+ if ca_nickname == nickname:
+ cert_count += 1
+ if cert_count > 1:
+ raise admintool.ScriptError(
+ 'Multiple matching certificates found (%d). Use the '
+ '--serial option to specify which one to remove.' %
+ cert_count
+ )
+
for nickname in nicknames:
found = False
- for _ca_cert, ca_nickname, _ca_trust_flags in ca_certs:
+ for _ca_cert, ca_nickname, _ca_trust_flags, _serial in ca_certs:
if ca_nickname == nickname:
if ca_nickname == ipa_ca_nickname:
raise admintool.ScriptError(
@@ -508,13 +533,17 @@ class CACertManage(admintool.AdminTool):
with certs.NSSDatabase() as tmpdb:
tmpdb.create_db()
- for ca_cert, ca_nickname, ca_trust_flags in ca_certs:
+ for ca_cert, ca_nickname, ca_trust_flags, serial in ca_certs:
+ if nickname == ca_nickname:
+ if options.serial and options.serial == serial:
+ continue
tmpdb.add_cert(ca_cert, ca_nickname, ca_trust_flags)
loaded = tmpdb.list_certs()
logger.debug("loaded raw certs '%s'", loaded)
- for nickname in nicknames:
- tmpdb.delete_cert(nickname)
+ if not options.serial:
+ for nickname in nicknames:
+ tmpdb.delete_cert(nickname)
for ca_nickname, _trust_flags in loaded:
if ca_nickname in nicknames:
@@ -526,8 +555,8 @@ class CACertManage(admintool.AdminTool):
try:
tmpdb.verify_ca_cert_validity(ca_nickname)
except ValueError as e:
- msg = "Verifying \'%s\' failed. Removing part of the " \
- "chain? %s" % (nickname, e)
+ msg = "Verifying removal of \'%s\' failed. Removing " \
+ "part of the chain? %s" % (nickname, e)
if options.force:
print(msg)
continue
@@ -535,15 +564,20 @@ class CACertManage(admintool.AdminTool):
else:
logger.debug("Verified %s", ca_nickname)
- for _ca_cert, ca_nickname, _ca_trust_flags in ca_certs:
+ for ca_cert, ca_nickname, _ca_trust_flags, serial in ca_certs:
if ca_nickname in nicknames:
- container_dn = DN(('cn', 'certificates'), ('cn', 'ipa'),
- ('cn', 'etc'), api.env.basedn)
- dn = DN(('cn', nickname), container_dn)
+ if options.serial and options.serial != serial:
+ continue
logger.debug("Deleting %s", ca_nickname)
- conn.delete_entry(dn)
+ certstore.delete_ca_cert(conn, api.env.basedn, ca_cert)
+
return
+ raise admintool.ScriptError(
+ "Certificate with name %s and serial number %s not found"
+ % (ca_nickname, options.serial)
+ )
+
def delete(self):
nickname = self.args[1]
self._delete_by_nickname([nickname], self.options)
@@ -556,17 +590,17 @@ class CACertManage(admintool.AdminTool):
False)
now = datetime.datetime.now(tz=datetime.timezone.utc)
- for ca_cert, ca_nickname, _ca_trust_flags in ca_certs:
+ for ca_cert, ca_nickname, _ca_trust_flags, _serial in ca_certs:
if ca_cert.not_valid_after_utc < now:
expired_certs.append(ca_nickname)
-
+ del_options = self.options
+ del_options.force = True
if expired_certs:
- self._delete_by_nickname(expired_certs, self.options)
-
print("Expired certificates deleted:")
- for nickname in expired_certs:
- print(nickname)
+ for ca_cert in expired_certs:
+ self._delete_by_nickname([ca_cert], del_options)
+ print(ca_cert)
print("Run ipa-certupdate on enrolled machines to apply changes.")
else:
print("No certificates were deleted")
diff --git a/ipaserver/install/ipa_server_certinstall.py b/ipaserver/install/ipa_server_certinstall.py
index 76ad37ca7bcc62364379d56b21ead43c5248f5f1..6eaf9d197c0e69161e751b21262e9112176f342c 100644
--- a/ipaserver/install/ipa_server_certinstall.py
+++ b/ipaserver/install/ipa_server_certinstall.py
@@ -276,8 +276,9 @@ class ServerCertInstall(admintool.AdminTool):
# import all the CA certs from nssdb into the temp db
for nickname, flags in nssdb.list_certs():
if not flags.has_key:
- cert = nssdb.get_cert_from_db(nickname)
- tempnssdb.add_cert(cert, nickname, flags)
+ certs = nssdb.get_cert_from_db(nickname, all=True)
+ for cert in certs:
+ tempnssdb.add_cert(cert, nickname, flags)
# now get the server certs from tempnssdb and check their validity
try:
diff --git a/ipaserver/install/krbinstance.py b/ipaserver/install/krbinstance.py
index 99995ea0b2c9a176e1a157281fa8f64ee99cdbf5..a9887553840d944e0aa29d58d12c8582a32e46f8 100644
--- a/ipaserver/install/krbinstance.py
+++ b/ipaserver/install/krbinstance.py
@@ -536,7 +536,7 @@ class KrbInstance(service.Service):
self.api.env.basedn,
self.api.env.realm,
False)
- ca_certs = [c for c, _n, t, _u in ca_certs if t is not False]
+ ca_certs = [c for c, _n, t, _u, _s in ca_certs if t is not False]
x509.write_certificate_list(ca_certs, paths.CACERT_PEM, mode=0o644)
def issue_selfsigned_pkinit_certs(self):
diff --git a/ipaserver/install/service.py b/ipaserver/install/service.py
index 7755a4f2ff5e33e61f85dc24b71fd05a1837cd5a..5e5c60b4bd1d941669cee460587230b3b84c6137 100644
--- a/ipaserver/install/service.py
+++ b/ipaserver/install/service.py
@@ -541,7 +541,7 @@ class Service:
pass
else:
with open(cafile, 'wb') as fd:
- for cert, _unused1, _unused2, _unused3 in ca_certs:
+ for cert, _unused1, _unused2, _unused3, _unused4 in ca_certs:
fd.write(cert.public_bytes(x509.Encoding.PEM))
def export_ca_certs_nssdb(self, db, ca_is_configured, conn=None):
@@ -561,7 +561,7 @@ class Service:
except errors.NotFound:
pass
else:
- for cert, nickname, trust_flags in ca_certs:
+ for cert, nickname, trust_flags, _serial in ca_certs:
db.add_cert(cert, nickname, trust_flags)
def is_configured(self):
diff --git a/ipatests/test_integration/test_commands.py b/ipatests/test_integration/test_commands.py
index 47ef232563d67f86040e2c5944805e430ab2e26c..3c883b8bb63f0084b4b8c2e97543855572ef970b 100644
--- a/ipatests/test_integration/test_commands.py
+++ b/ipatests/test_integration/test_commands.py
@@ -123,6 +123,82 @@ letsencryptauthorityr3 = (
)
le_r3_nick = "CN=R3,O=Let's Encrypt,C=US"
+# Certificates for reproducing duplicate ipaCertSubject values.
+# The trick to creating the second intermediate is for the validity
+# period to be different. In this case the second CA certificate
+# was issued 3 years+1day after the original.
+originalsubjectchain = (
+ b'-----BEGIN CERTIFICATE-----\n'
+ b'MIIDcjCCAlqgAwIBAgICEAAwDQYJKoZIhvcNAQELBQAwRDEeMBwGA1UECgwVQ2Vy\n'
+ b'dGlmaWNhdGUgU2hhY2sgTHRkMSIwIAYDVQQDDBlDZXJ0aWZpY2F0ZSBTaGFjayBS\n'
+ b'b290IENBMB4XDTIxMDgwNzE4MDQyNloXDTQxMDgwMTE4MDQyNlowTDEeMBwGA1UE\n'
+ b'CgwVQ2VydGlmaWNhdGUgU2hhY2sgTHRkMSowKAYDVQQDDCFDZXJ0aWZpY2F0ZSBT\n'
+ b'aGFjayBJbnRlcm1lZGlhdGUgQ0EwggEiMA0GCSqGSIb3DQEBAQUAA4IBDwAwggEK\n'
+ b'AoIBAQC2RNo7atuVWC/6tDCGforNFvvSFdUwqHxltFmg61i2hmdHAjTaYI1ZJdgB\n'
+ b'y7ApGc8RYc7tfaNrUNA8Chd/9Cu4eW2KuTnAozxytXQneNXloK2xb9iLIhETa1FC\n'
+ b'Hw5BbrmJSWjiVYQsM6bzeiFsKJs4qnP1T9iFHuqmggTtCTPajoYhn6ZKfK3pmB8P\n'
+ b'6XRcp5O9vUhNHJWdpuUjOL32fsBEpV0vKWlsemqDhJrhzj3+YCKt6xrSdpK64HUW\n'
+ b'Kf3YM/K4G6vU5M8DgSFex6T1u2vCsQYJ4Mv8LVCho8awTZoBsimy1tiM0V7GmmBE\n'
+ b'0Uck/U0381NBpNYdv7eyF682SbihAgMBAAGjZjBkMB0GA1UdDgQWBBTtHQCp1dBF\n'
+ b'ypsegtWcXhXDdopIgDAfBgNVHSMEGDAWgBRJuz/14J1ZXqvpOuikJJ62NtuiGTAS\n'
+ b'BgNVHRMBAf8ECDAGAQH/AgEBMA4GA1UdDwEB/wQEAwIBhjANBgkqhkiG9w0BAQsF\n'
+ b'AAOCAQEAkCBm6u+k/x4QoqqwOJvy8sjq7bUCh73qNPAFlqVSSB8UdCyu21EaXCj8\n'
+ b'dbZa3GNRGk6JACTEUVQ1SD8SkC1E1/IWuEzYOKOP6FmTFbC4V5zU9LAnGFJapS6Q\n'
+ b'CGwU2F44oflBbfOodFznqKPPuENX0gmm4ddvoT915WUOvVLKLuVujkU/ffGKAc8U\n'
+ b'RxRIJ3W2Ybjs9ANg7JqB3Ny8i5QAGHzjRVwU+IgTrJCYPS2DrRYtN3glKBTlyKyR\n'
+ b'xMy0PVKwVo/ItDO3fZ0fsAiIO+4pI51A0lFge5Bg/DzsotZxcWhdTelWjYI9JNca\n'
+ b'y2GPzV1wlxK+ui1uLCWEvKbPtaCfeQ==\n'
+ b'-----END CERTIFICATE-----\n'
+ b'-----BEGIN CERTIFICATE-----\n'
+ b'MIIDeTCCAmGgAwIBAgIUUbo+eGRT5jiS2eIoEzRhXaUx4gwwDQYJKoZIhvcNAQEL\n'
+ b'BQAwRDEeMBwGA1UECgwVQ2VydGlmaWNhdGUgU2hhY2sgTHRkMSIwIAYDVQQDDBlD\n'
+ b'ZXJ0aWZpY2F0ZSBTaGFjayBSb290IENBMB4XDTIxMDgwNzE4MDQyNloXDTQxMDgw\n'
+ b'MjE4MDQyNlowRDEeMBwGA1UECgwVQ2VydGlmaWNhdGUgU2hhY2sgTHRkMSIwIAYD\n'
+ b'VQQDDBlDZXJ0aWZpY2F0ZSBTaGFjayBSb290IENBMIIBIjANBgkqhkiG9w0BAQEF\n'
+ b'AAOCAQ8AMIIBCgKCAQEArh41PPmI6rg7nz3cRqsbCqGgD3+vAD4DNs/Cnp+vhM//\n'
+ b'7Di8FuMoyyLDpD+RdT/Vkvh2Xhp+OcjYSFLX8xeFRy0blfzel2Tq7PiD83BwewsG\n'
+ b'BOarlhkbQGxlGxkr4Fi6z0kNNAfbE2ZzBIs4XSppm7xl4YJyLQD0FkzdrU+zrZuK\n'
+ b'3ELQzk3UWfSSrnbYABY2LBgkny5m7y/kJOMyqn+/T1CUthXD3OpGtyQm2kuEooDZ\n'
+ b'xP1eq30gS8oGYAw2nR/8vJPuyeZaMxM4eNLuc35uq8/6pI+xNEpzGt7xAk1ul/xc\n'
+ b'ewOY2kjh4KJCNK/nCjALzxqhNRHhnH8bA6xtOcgdBwIDAQABo2MwYTAdBgNVHQ4E\n'
+ b'FgQUSbs/9eCdWV6r6TropCSetjbbohkwHwYDVR0jBBgwFoAUSbs/9eCdWV6r6Tro\n'
+ b'pCSetjbbohkwDwYDVR0TAQH/BAUwAwEB/zAOBgNVHQ8BAf8EBAMCAYYwDQYJKoZI\n'
+ b'hvcNAQELBQADggEBAC35stv/1WZhWblRTZP3XHhH0usHRGTUY7zNSrgS5sb3ERsf\n'
+ b'hgbmFbomra5jKaBqffToOZKLEo+n3tfIPokus35NUQn7ox/6qPp0rJEK8dfLx9jA\n'
+ b'0VTqREbgaAf5xLaX874++OTiM1sPVYG3Egsb1A/YCtDek8mZkKk21g+DZlFMOSDl\n'
+ b'Hw+c3gZUnv6bIT8P09z+9yca2Lvg/dpj2ln3PbOykXzwuGSoNxjUt2OSdCbwyN+f\n'
+ b'hO4NFtDvx74Ggi5bcTrz0ZKO6g8SQotii7cSKAdpIWDpXl8cfsK3SRbkCsg+Fg1S\n'
+ b'kMJEFyDEkKu8Qe6zwKXIAoeKULLO6ADgFVH9CmM=\n'
+ b'-----END CERTIFICATE-----\n'
+)
+interm_nick = "CN=Certificate Shack Intermediate CA,O=Certificate Shack Ltd"
+intermediate_serial = "4096"
+
+duplicatesubject = (
+ b'-----BEGIN CERTIFICATE-----\n'
+ b'MIIDcjCCAlqgAwIBAgICEAEwDQYJKoZIhvcNAQELBQAwRDEeMBwGA1UECgwVQ2Vy\n'
+ b'dGlmaWNhdGUgU2hhY2sgTHRkMSIwIAYDVQQDDBlDZXJ0aWZpY2F0ZSBTaGFjayBS\n'
+ b'b290IENBMB4XDTI0MDgwODE4MDQyNloXDTQ0MDgwMjE4MDQyNlowTDEeMBwGA1UE\n'
+ b'CgwVQ2VydGlmaWNhdGUgU2hhY2sgTHRkMSowKAYDVQQDDCFDZXJ0aWZpY2F0ZSBT\n'
+ b'aGFjayBJbnRlcm1lZGlhdGUgQ0EwggEiMA0GCSqGSIb3DQEBAQUAA4IBDwAwggEK\n'
+ b'AoIBAQCzUmUBEO/w1wslS8H304/qfsbeIJX0C5Tm8K2H9JXoauFFej1GZoHqeE+x\n'
+ b'YQvSMuMFcKks3ps9+9yVKuBPtMwbmXsqwlQXORU8DuKhtRzKIOj7nEGw6AQIsfkG\n'
+ b'Q4DjD1ytXliyM7vVfxYD+P1CFDK4NR+K1JLdi3WkYOdCelOQMwNspN/ebiqvwonl\n'
+ b'2asQ6+a13Y0ln1AdrLBvqtR5Z+Gq5+tiC5tA+LKea0e3neQGKjfp/BNPJ+ooNHPR\n'
+ b'86iKDjBKAabvfrHLG2t6oo9+N4xRBGtPYQh9LOQPZ4OedciCo1s2zs+F+4/6co6T\n'
+ b'DsbQt7NJKQ3BJKosvZBhC62lc4evAgMBAAGjZjBkMB0GA1UdDgQWBBTvALT5i2gq\n'
+ b'8yq2Uh8lZGgMoKVClzAfBgNVHSMEGDAWgBRJuz/14J1ZXqvpOuikJJ62NtuiGTAS\n'
+ b'BgNVHRMBAf8ECDAGAQH/AgEBMA4GA1UdDwEB/wQEAwIBhjANBgkqhkiG9w0BAQsF\n'
+ b'AAOCAQEAVjx1aGNK08/Nhf0JYMxMb9Dqg5m7LNOVBs1jurPtwS3uN+84997GRqIQ\n'
+ b'i+gp/tQVF2YT/RAmt+X0aDLFiSkBcOk87zoFRkR7PZrhhtPo6pSVMN7ngD4/dmp9\n'
+ b'ESbiI8+iF5ZxqI7c3o2N/LtZpi+hWSCJ/xwbOl05jpNQ6ddl+UzDpJ0oNsyndiJA\n'
+ b'yciaCvluK027J4xNym166lqwm6CqiOkm8R/G6NJrEH2Xs5XBCyfeH9V0pkXDbrUe\n'
+ b'Ldqc9ys7l7/MGZi6Qg2nA7J8ErCkrI6eZOocJktSF6SRfXd1NqiqCiNZZQjD6XKZ\n'
+ b'4fMKTKPX6Q2k10iriAIn4RgVjzM05A==\n'
+ b'-----END CERTIFICATE-----\n'
+)
+duplicate_serial = "4097"
+
class TestIPACommand(IntegrationTest):
"""
@@ -827,6 +903,12 @@ class TestIPACommand(IntegrationTest):
paths.IPA_CACERT_MANAGE,
'install',
filename])
+ # remove the subject of good_pkcs7 we just added to avoid
+ # future failures.
+ self.master.run_command([
+ paths.IPA_CACERT_MANAGE,
+ 'delete',
+ 'CN=Certificate Authority,O=EXAMPLE.COM'])
for contents in (badcert,):
self.master.put_file_contents(filename, contents)
@@ -1160,7 +1242,7 @@ class TestIPACommand(IntegrationTest):
raiseonerr=False
)
assert result.returncode != 0
- assert "Verifying \'%s\' failed. Removing part of the " \
+ assert "Verifying removal of \'%s\' failed. Removing part of the " \
"chain? certutil: certificate is invalid: Peer's " \
"Certificate issuer is not recognized." \
% isrgrootx1_nick in result.stderr_text
@@ -1735,6 +1817,68 @@ class TestIPACommand(IntegrationTest):
self.replicas[0], '/usr/sbin/ipa-replica-install'
)
+ def test_ipa_cacert_manage_duplicate_certsubject(self):
+ """Test for ipa-cacert-manage install with duplicated
+ certificate subjects. This relies on the behavior
+ of NSS to show the certificates separately rather than
+ lumping the duplicates together. This requires different
+ validity periods, say 3 years + 1 day.
+ """
+
+ certfile = os.path.join(self.master.config.test_dir, 'chain.pem')
+ self.master.put_file_contents(certfile, originalsubjectchain)
+ result = self.master.run_command(
+ [paths.IPA_CACERT_MANAGE, 'install', certfile])
+
+ certs = self.master.run_command(
+ [paths.IPA_CACERT_MANAGE, 'list'], raiseonerr=False
+ ).stdout_text
+
+ assert f"{interm_nick} {intermediate_serial}" in certs
+
+ certfile = os.path.join(self.master.config.test_dir, 'interm.pem')
+ self.master.put_file_contents(certfile, duplicatesubject)
+ result = self.master.run_command(
+ [paths.IPA_CACERT_MANAGE, 'install', certfile])
+
+ certs = self.master.run_command(
+ [paths.IPA_CACERT_MANAGE, 'list'], raiseonerr=False
+ ).stdout_text
+
+ # If the duplicate subject certificates are not sufficiently
+ # different in validity period, or prior to the this fix,
+ # the test will fail because only one of the duplicately named
+ # subject certificates will be visible: the second one (4097).
+ assert f"{interm_nick} {intermediate_serial}" in certs
+ assert f"{interm_nick} {duplicate_serial}" in certs
+
+ # Make sure we can install the new certs systemwide
+ # No assertions needed, it will work or it won't
+ self.master.run_command(["ipa-certupdate"])
+
+ # delete one of the duplicate subjects, no serial number
+ result = self.master.run_command(
+ ['ipa-cacert-manage', 'delete', interm_nick],
+ raiseonerr=False
+ )
+ assert result.returncode == 1
+ assert 'Multiple matching certificates' in result.stderr_text
+
+ # delete one of the duplicate subjects by the serial number
+ result = self.master.run_command(
+ ['ipa-cacert-manage', 'delete', interm_nick,
+ '--serial', intermediate_serial,],
+ raiseonerr=False
+ )
+ assert result.returncode == 0
+
+ certs = self.master.run_command(
+ [paths.IPA_CACERT_MANAGE, 'list'], raiseonerr=False
+ ).stdout_text
+
+ assert f"{interm_nick} {intermediate_serial}" not in certs
+ assert f"{interm_nick} {duplicate_serial}" in certs
+
class TestIPACommandWithoutReplica(IntegrationTest):
"""
@@ -1970,7 +2114,10 @@ class TestIPACommandWithoutReplica(IntegrationTest):
assert re.search(new_err_msg, dirsrv_error_log)
def test_ipa_cacert_manage_prune(self):
- """Test for ipa-cacert-manage prune"""
+ """Test for ipa-cacert-manage prune
+
+ This twiddles with time so should be run last in the class.
+ """
certfile = os.path.join(self.master.config.test_dir, 'cert.pem')
self.master.put_file_contents(certfile, isrgrootx1)
--
2.48.1

49
0084-dns-don-t-populate-forwarders-with-DoT-forwarders.patch Normal file
View File

@ -0,0 +1,49 @@
From e1d517032afa2a8258c1ff8bd6bfdd4175b42327 Mon Sep 17 00:00:00 2001
From: Antonio Torres <antorres@redhat.com>
Date: Mon, 17 Feb 2025 10:21:53 +0100
Subject: [PATCH] dns: don't populate forwarders with DoT forwarders
DNS over TLS setup overrides global forwarder to point to Unbound, so no
need to setup regular forwarders.
Resolves: https://pagure.io/freeipa/issue/9748
Signed-off-by: Antonio Torres <antorres@redhat.com>
Reviewed-By: Rob Crittenden <rcritten@redhat.com>
---
ipaserver/install/dns.py | 12 ++----------
1 file changed, 2 insertions(+), 10 deletions(-)
diff --git a/ipaserver/install/dns.py b/ipaserver/install/dns.py
index 88aff19bcec11f778af5644167c32c45cbcab594..470e1915971f66d84e4e4f279caaf81bd3a85cd3 100644
--- a/ipaserver/install/dns.py
+++ b/ipaserver/install/dns.py
@@ -360,14 +360,9 @@ def install_check(standalone, api, replica, options, hostname):
if options.no_forwarders:
options.forwarders = []
- elif (options.forwarders
- or options.dot_forwarders or options.auto_forwarders):
+ elif options.forwarders or options.auto_forwarders:
if not options.forwarders:
- if options.dot_forwarders:
- options.forwarders = [fw.split("#")[0]
- for fw in options.dot_forwarders]
- else:
- options.forwarders = []
+ options.forwarders = []
if options.auto_forwarders:
options.forwarders.extend(dnsforwarders.get_nameservers())
elif standalone or not replica:
@@ -436,9 +431,6 @@ def install(standalone, replica, options, api=api):
"and IPA CA is not present."
)
- if not options.forwarders and options.dot_forwarders:
- options.forwaders = [fw.split("#")[0] for fw in options.dot_forwarders]
-
bind = bindinstance.BindInstance(fstore, api=api)
bind.setup(api.env.host, ip_addresses, api.env.realm, api.env.domain,
options.forwarders, options.forward_policy,
--
2.49.0

90
0085-Correct-dnsrecord_-tests-for-raw-structured.patch Normal file
View File

@ -0,0 +1,90 @@
From d3e9e35ef73729956c649f2ee0d0ff3963f99e4e Mon Sep 17 00:00:00 2001
From: David Hanina <dhanina@redhat.com>
Date: Fri, 28 Mar 2025 10:33:15 +0100
Subject: [PATCH] Correct dnsrecord_* tests for --raw --structured
Fixes typo in the tests, --raw --structured is only checked if rest of
the command is correct as well, therefore test changes were required.
Fixes: https://pagure.io/freeipa/issue/9768
Signed-off-by: David Hanina <dhanina@redhat.com>
Reviewed-By: Michal Polovka <mpolovka@redhat.com>
Reviewed-By: Florence Blanc-Renaud <flo@redhat.com>
---
ipatests/test_xmlrpc/test_dns_plugin.py | 32 ++++++++++++++-----------
1 file changed, 18 insertions(+), 14 deletions(-)
diff --git a/ipatests/test_xmlrpc/test_dns_plugin.py b/ipatests/test_xmlrpc/test_dns_plugin.py
index 803b0a9571c2888dd02c4595c68403f37be7fed7..864d5287f8317a5154aec4c792f56deab7ff0120 100644
--- a/ipatests/test_xmlrpc/test_dns_plugin.py
+++ b/ipatests/test_xmlrpc/test_dns_plugin.py
@@ -3416,20 +3416,11 @@ class test_dns(Declarative):
},
),
- dict(
- desc='Delete zone %r' % zone1,
- command=('dnszone_del', [zone1], {}),
- expected={
- 'value': [zone1_absolute_dnsname],
- 'summary': u'Deleted DNS zone "%s"' % zone1_absolute,
- 'result': {'failed': []},
- },
- ),
-
dict(
desc="Ensure --raw and --structure does not work "
"for ipa dnsrecord-add",
- command=('dnrecord_add', [], {u'raw': True, u'structured': True}),
+ command=('dnsrecord_add', [zone1, name1],
+ {'arecord': arec2, u'raw': True, u'structured': True}),
expected=errors.MutuallyExclusiveError(
reason=u"cannot use structured together with raw"
),
@@ -3438,7 +3429,8 @@ class test_dns(Declarative):
dict(
desc="Ensure --raw and --structure does not work "
"for ipa dnsrecord-mod",
- command=('dnrecord_add', [], {u'raw': True, u'structured': True}),
+ command=('dnsrecord_mod', [zone1, name1],
+ {'arecord': arec1, u'raw': True, u'structured': True}),
expected=errors.MutuallyExclusiveError(
reason=u"cannot use structured together with raw"
),
@@ -3447,7 +3439,8 @@ class test_dns(Declarative):
dict(
desc="Ensure --raw and --structure does not work "
"for ipa dnsrecord-show",
- command=('dnrecord_add', [], {u'raw': True, u'structured': True}),
+ command=('dnsrecord_show', [zone1, name1],
+ {u'raw': True, u'structured': True}),
expected=errors.MutuallyExclusiveError(
reason=u"cannot use structured together with raw"
),
@@ -3456,11 +3449,22 @@ class test_dns(Declarative):
dict(
desc="Ensure --raw and --structure does not work "
"for ipa dnsrecord-find",
- command=('dnrecord_add', [], {u'raw': True, u'structured': True}),
+ command=('dnsrecord_find', [zone1],
+ {u'raw': True, u'structured': True}),
expected=errors.MutuallyExclusiveError(
reason=u"cannot use structured together with raw"
),
),
+
+ dict(
+ desc='Delete zone %r' % zone1,
+ command=('dnszone_del', [zone1], {}),
+ expected={
+ 'value': [zone1_absolute_dnsname],
+ 'summary': u'Deleted DNS zone "%s"' % zone1_absolute,
+ 'result': {'failed': []},
+ },
+ ),
]
--
2.49.0

36
0086-ipatests-Fix-for-ipa-healthcheck-test-in-FIPS-Mode.patch Normal file
View File

@ -0,0 +1,36 @@
From d77c4597a841729cb7c890bb57cc548a70c8724b Mon Sep 17 00:00:00 2001
From: Sudhir Menon <sumenon@redhat.com>
Date: Tue, 1 Apr 2025 12:31:18 +0530
Subject: [PATCH] ipatests: Fix for ipa-healthcheck test in FIPS Mode
Fix https://github.com/freeipa/freeipa-healthcheck/pull/349
was added for RHEL10 only causing the tests to
fail in RHEL10.1.
Hence the if condition has been changed in the testcode.
Signed-off-by: Sudhir Menon <sumenon@redhat.com>
Reviewed-By: Florence Blanc-Renaud <flo@redhat.com>
---
ipatests/test_integration/test_ipahealthcheck.py | 4 ++--
1 file changed, 2 insertions(+), 2 deletions(-)
diff --git a/ipatests/test_integration/test_ipahealthcheck.py b/ipatests/test_integration/test_ipahealthcheck.py
index d72808f0f9b6dc7e438a16f9bd7e676f473fd323..8d1b9fce32f8e2e6ac78f9b26f9daf19445c3c8b 100644
--- a/ipatests/test_integration/test_ipahealthcheck.py
+++ b/ipatests/test_integration/test_ipahealthcheck.py
@@ -374,10 +374,10 @@ class TestIpaHealthCheck(IntegrationTest):
if (
parse_version(healthcheck_version) < parse_version("0.17")
and osinfo.id == 'rhel'
- and osinfo.version_number == (10,0)
+ and osinfo.version_number >= (10,0)
):
# Patch: https://github.com/freeipa/freeipa-healthcheck/pull/349
- pytest.xfail("Patch is unavailable for RHEL 10.0 and "
+ pytest.xfail("Patch is unavailable for RHEL 10.0 and above"
"freeipa-healtheck version 0.16 or less")
returncode, check = run_healthcheck(self.master,
--
2.49.0

42
0087-ipa-sidgen-fix-memory-leak-in-ipa_sidgen_add_post_op.patch Normal file
View File

@ -0,0 +1,42 @@
From 1aac0a5f7e0702e23e0ba6dad726734b5d75710d Mon Sep 17 00:00:00 2001
From: Julien Rische <jrische@redhat.com>
Date: Mon, 31 Mar 2025 11:50:41 +0200
Subject: [PATCH] ipa-sidgen: fix memory leak in ipa_sidgen_add_post_op
Also remove unused "search_pb" variable and its associated free
functions.
Fixes: https://pagure.io/freeipa/issue/9772
Signed-off-by: Julien Rische <jrische@redhat.com>
Reviewed-By: Rob Crittenden <rcritten@redhat.com>
Reviewed-By: Alexander Bokovoy <abokovoy@redhat.com>
---
daemons/ipa-slapi-plugins/ipa-sidgen/ipa_sidgen.c | 4 +---
1 file changed, 1 insertion(+), 3 deletions(-)
diff --git a/daemons/ipa-slapi-plugins/ipa-sidgen/ipa_sidgen.c b/daemons/ipa-slapi-plugins/ipa-sidgen/ipa_sidgen.c
index 99e6b850b04145cefcb7830df5fe4b36adec45de..35ecef228d7fac1e7009dbf97983089755aa6768 100644
--- a/daemons/ipa-slapi-plugins/ipa-sidgen/ipa_sidgen.c
+++ b/daemons/ipa-slapi-plugins/ipa-sidgen/ipa_sidgen.c
@@ -81,7 +81,6 @@ static int ipa_sidgen_add_post_op(Slapi_PBlock *pb)
const char *dn_str;
Slapi_DN *dn = NULL;
struct ipa_sidgen_ctx *ctx;
- Slapi_PBlock *search_pb = NULL;
char *errmsg = NULL;
ret = slapi_pblock_get(pb, SLAPI_IS_REPLICATED_OPERATION, &is_repl_op);
@@ -152,9 +151,8 @@ static int ipa_sidgen_add_post_op(Slapi_PBlock *pb)
ret = 0;
done:
- slapi_free_search_results_internal(search_pb);
- slapi_pblock_destroy(search_pb);
slapi_sdn_free(&dn);
+ slapi_entry_free(entry);
if (ret != 0) {
if (errmsg == NULL) {
--
2.49.0

46
0088-Add-a-check-into-ipa-cert-fix-tool-to-avoid-updating.patch Normal file
View File

@ -0,0 +1,46 @@
From 3f7d84677775bd9e237b28b08fe961a157b8b14e Mon Sep 17 00:00:00 2001
From: Aleksandr Sharov <asharov@redhat.com>
Date: Sat, 8 Mar 2025 14:55:09 +0100
Subject: [PATCH] Add a check into ipa-cert-fix tool to avoid updating certs if
CA is close to being expired.
Fixes: https://pagure.io/freeipa/issue/9760
Signed-off-by: Aleksandr Sharov <asharov@redhat.com>
Reviewed-By: Rob Crittenden <rcritten@redhat.com>
Reviewed-By: Florence Blanc-Renaud <flo@redhat.com>
---
ipaserver/install/ipa_cert_fix.py | 11 +++++++++++
1 file changed, 11 insertions(+)
diff --git a/ipaserver/install/ipa_cert_fix.py b/ipaserver/install/ipa_cert_fix.py
index 8e02d1e75cc4cb936b77a6c9f3f9df2b8605a58b..960d7b9e08614ff6ee23c948a0a5fa08b109627e 100644
--- a/ipaserver/install/ipa_cert_fix.py
+++ b/ipaserver/install/ipa_cert_fix.py
@@ -69,6 +69,7 @@ logger = logging.getLogger(__name__)
cert_nicknames = {
+ 'ca_issuing': 'caSigningCert cert-pki-ca',
'sslserver': 'Server-Cert cert-pki-ca',
'subsystem': 'subsystemCert cert-pki-ca',
'ca_ocsp_signing': 'ocspSigningCert cert-pki-ca',
@@ -137,6 +138,16 @@ class IPACertFix(AdminTool):
print("Nothing to do.")
return 0
+ if any(key == 'ca_issuing' for key, _ in certs):
+ logger.debug("CA signing cert is expired, exiting!")
+ print(
+ "The CA signing certificate is expired or will expire within "
+ "the next two weeks.\n\nipa-cert-fix cannot proceed, please "
+ "refer to the ipa-cacert-manage tool to renew the CA "
+ "certificate before proceeding."
+ )
+ return 1
+
print(msg)
print_intentions(certs, extra_certs, non_renewed)
--
2.49.0

41
0089-Test-fix-for-the-update.patch Normal file
View File

@ -0,0 +1,41 @@
From cdc03d7b6233f736c51c10aa07225aac9715e4c0 Mon Sep 17 00:00:00 2001
From: Aleksandr Sharov <asharov@redhat.com>
Date: Sat, 8 Mar 2025 15:04:57 +0100
Subject: [PATCH] Test fix for the update
Fixes: https://pagure.io/freeipa/issue/9760
Signed-off-by: Aleksandr Sharov <asharov@redhat.com>
Reviewed-By: Rob Crittenden <rcritten@redhat.com>
Reviewed-By: Florence Blanc-Renaud <flo@redhat.com>
---
ipatests/test_integration/test_ipa_cert_fix.py | 9 +++++++--
1 file changed, 7 insertions(+), 2 deletions(-)
diff --git a/ipatests/test_integration/test_ipa_cert_fix.py b/ipatests/test_integration/test_ipa_cert_fix.py
index 15d8a81575dc7f2077c34b8907fbeb3e2f6eb66f..d11fd3d611e7e5755569e8fc70de6f261473e3f3 100644
--- a/ipatests/test_integration/test_ipa_cert_fix.py
+++ b/ipatests/test_integration/test_ipa_cert_fix.py
@@ -301,13 +301,18 @@ class TestIpaCertFix(IntegrationTest):
valid. If CA cert expired, ipa-cert-fix won't work.
related: https://pagure.io/freeipa/issue/8721
+
+ If CA cert is close to expiry, there's no reason to issue new certs
+ with short validity period. So, ipa-cert-fix should fail in this case.
+
+ related: https://pagure.io/freeipa/issue/9760
"""
result = self.master.run_command(['ipa-cert-fix', '-v'],
stdin_text='yes\n',
raiseonerr=False)
# check that pki-server cert-fix command fails
- err_msg = ("ERROR: CalledProcessError(Command "
- "['pki-server', 'cert-fix'")
+ err_msg = ("CA signing cert is expired, exiting!")
+ assert result.returncode == 1
assert err_msg in result.stderr_text
--
2.49.0

66
0090-ipa-migrate-remove-replication-state-information.patch Normal file
View File

@ -0,0 +1,66 @@
From 5f632d9d7813f89d498cfb21c8472ff3cac2538a Mon Sep 17 00:00:00 2001
From: Mark Reynolds <mreynolds@redhat.com>
Date: Tue, 29 Apr 2025 13:55:23 -0400
Subject: [PATCH] ipa-migrate - remove replication state information
Remove replication state information (happens when LDIFs are used).
State information is written like:
attribute;adcsn=<CSN>
But we also support ";binary" which should not be removed so special
handling is needed in that case.
Signed-off-by: Mark Reynolds <mareynol@redhat.com>
Fixes: https://pagure.io/freeipa/issue/9776
Reviewed-By: Rob Crittenden <rcritten@redhat.com>
---
ipaserver/install/ipa_migrate.py | 16 ++++++++++++----
1 file changed, 12 insertions(+), 4 deletions(-)
diff --git a/ipaserver/install/ipa_migrate.py b/ipaserver/install/ipa_migrate.py
index 95ef0ac5adc830d04a6bb3a899b20aae86a77072..8ef0071f5c2edc1ce6cba780ac9a7d74122ea79d 100644
--- a/ipaserver/install/ipa_migrate.py
+++ b/ipaserver/install/ipa_migrate.py
@@ -202,6 +202,14 @@ def decode_attr_vals(entry_attrs):
decoded_attrs = {}
for attr in entry_attrs:
vals = ensure_list_str(entry_attrs[attr])
+ # Remove replication state data, but don't remove ";binary"
+ # e.g. userCertififccate;binary;adcsn=<CSN>
+ parts = attr.split(";")
+ if len(parts) > 1 and not attr.endswith(";binary"):
+ if parts[1] == "binary":
+ attr = parts[0] + ";binary"
+ else:
+ attr = parts[0]
decoded_attrs[attr] = vals
return decoded_attrs
@@ -269,19 +277,19 @@ class LDIFParser(ldif.LDIFParser):
if self.mc is None:
return
+ entry_attrs = decode_attr_vals(entry)
if self.get_realm:
# Get the realm from krb container
if DN(("cn", "kerberos"), self.mc.remote_suffix) in DN(dn):
# check objectclass krbrealmcontainer
oc_attr = 'objectClass'
- if 'objectclass' in entry:
+ if 'objectclass' in entry_attrs:
oc_attr = 'objectclass'
- if 'krbrealmcontainer' in ensure_list_str(entry[oc_attr]):
- self.mc.remote_realm = ensure_str(entry['cn'][0])
+ if 'krbrealmcontainer' in entry_attrs[oc_attr]:
+ self.mc.remote_realm = ensure_str(entry_attrs['cn'][0])
self.mc.log_debug("Found remote realm from ldif: "
f"{self.mc.remote_realm}")
else:
- entry_attrs = decode_attr_vals(entry)
self.mc.process_db_entry(entry_dn=dn, entry_attrs=entry_attrs)
--
2.49.0

32
0091-ipa-migrate-do-not-process-AD-entgries-in-staging-mo.patch Normal file
View File

@ -0,0 +1,32 @@
From 4e23fa92f1a07565618d49ed27b54d33618bba73 Mon Sep 17 00:00:00 2001
From: Mark Reynolds <mreynolds@redhat.com>
Date: Tue, 29 Apr 2025 14:00:51 -0400
Subject: [PATCH] ipa-migrate - do not process AD entgries in staging mode
Only migrate AD entries in production mode due to schema conflicts
created when removing certain AD attributes (e.g.
ipantsecurityidentifier)
SIgned-off-by: Mark Reynolds <mreynolds@redhat.com>
relates: https://pagure.io/freeipa/issue/9776
Reviewed-By: Rob Crittenden <rcritten@redhat.com>
---
ipaserver/install/ipa_migrate_constants.py | 2 +-
1 file changed, 1 insertion(+), 1 deletion(-)
diff --git a/ipaserver/install/ipa_migrate_constants.py b/ipaserver/install/ipa_migrate_constants.py
index 09856f07cabd124a7899bc5f355a56eb23023cc0..4beaa4f42a667ba83008213075b3ded782a83260 100644
--- a/ipaserver/install/ipa_migrate_constants.py
+++ b/ipaserver/install/ipa_migrate_constants.py
@@ -870,7 +870,7 @@ DB_OBJECTS = {
'oc': ['ipantdomainattrs'],
'subtree': ',cn=ad,cn=etc,$SUFFIX',
'label': 'AD',
- 'mode': 'all',
+ 'mode': 'production',
'count': 0,
},
--
2.49.0

47
0092-ipa-migrate-improve-suffix-replacement.patch Normal file
View File

@ -0,0 +1,47 @@
From c052bbbfd2737f88b6496be7d4849cf17d9a126f Mon Sep 17 00:00:00 2001
From: Mark Reynolds <mreynolds@redhat.com>
Date: Tue, 29 Apr 2025 14:05:15 -0400
Subject: [PATCH] ipa-migrate - improve suffix replacement
When values are "normalized/converted" to a new domain the order in
which the host/release/suffix are converted matters. Replacing the
suffix first can lead to incorrect results, so convert the host/realm
before converting the suffix
Signed-off-by: Mark Reynolds <mreynolds@redhat.com>
relates: https://pagure.io/freeipa/issue/9776
Reviewed-By: Rob Crittenden <rcritten@redhat.com>
---
ipaserver/install/ipa_migrate.py | 7 ++++---
1 file changed, 4 insertions(+), 3 deletions(-)
diff --git a/ipaserver/install/ipa_migrate.py b/ipaserver/install/ipa_migrate.py
index 8ef0071f5c2edc1ce6cba780ac9a7d74122ea79d..a24a2ab7a5ffd4cf1d59179f14e2f5d348fd57e2 100644
--- a/ipaserver/install/ipa_migrate.py
+++ b/ipaserver/install/ipa_migrate.py
@@ -1084,11 +1084,9 @@ class IPAMigrate():
if isinstance(val, bytes) or isinstance(val, DN):
return val
- # Replace base DN
- val = self.replace_suffix_value(val)
-
# For DNS DN we only replace suffix
if dns:
+ val = self.replace_suffix_value(val)
return val
# Replace host
@@ -1102,6 +1100,9 @@ class IPAMigrate():
# Replace realm
val = val.replace(self.remote_realm, self.realm)
+ # Lastly, replace base DN
+ val = self.replace_suffix_value(val)
+
return val
def convert_values(self, values, dns=False):
--
2.49.0

0
10001-kdb-keep-ipadb_get_connection-from-succeeding-with-n.patch → 0093-kdb-keep-ipadb_get_connection-from-succeeding-with-n.patch
View File

79
0032-Use-OpenSSL-provider-with-BIND-for-Fedora-41-and-RHE.patch → 0094-Use-OpenSSL-provider-with-BIND-for-Fedora-42-and-RHE.patch
View File

@ -1,22 +1,25 @@
From ace726cb83320d7fcb051751591817fd419a8f6b Mon Sep 17 00:00:00 2001
From 3e3af2d153f3fe8e8bfc0805e92cba0f5f649d73 Mon Sep 17 00:00:00 2001
From: Alexander Bokovoy <abokovoy@redhat.com>
Date: Wed, 6 Nov 2024 09:59:23 +0200
Subject: [PATCH] Use OpenSSL provider with BIND for Fedora 41+ and RHEL10+
Subject: [PATCH] Use OpenSSL provider with BIND for Fedora 42+ and RHEL10+
OpenSSL Engine API is deprecated and ability to compile against it is
removed in RHEL10. OpenSSL provider API is the future.
Fedora 41+ also defaults to OpenSSL provider. With pkcs11-provider, the
Fedora 42+ also defaults to OpenSSL provider. With pkcs11-provider, the
same PKCS#11 modules can be loaded transparently like with OpenSSL
engines. Thus, we can update configuration to use the provider API.
TODO:
- dnssec-keyfromlabel does not work without engine, needs backport from
bind 9.20
While Fedora 41 also defaults to OpenSSL provider, we need BIND version
that supports using OpenSSL provider API. This backport was only done in
Fedora 42.
Fixes: https://pagure.io/freeipa/issue/9696
Signed-off-by: Alexander Bokovoy <abokovoy@redhat.com>
Reviewed-By: Florence Blanc-Renaud <flo@redhat.com>
Reviewed-By: Alexander Bokovoy <abokovoy@redhat.com>
Reviewed-By: Rob Crittenden <rcritten@redhat.com>
---
freeipa.spec.in | 12 +++-
install/share/Makefile.am | 2 +
@ -25,18 +28,18 @@ Signed-off-by: Alexander Bokovoy <abokovoy@redhat.com>
ipaplatform/base/constants.py | 1 +
ipaplatform/fedora/constants.py | 9 ++-
ipaplatform/rhel/constants.py | 7 ++-
ipaserver/dnssec/bindmgr.py | 21 ++++---
ipaserver/dnssec/bindmgr.py | 27 ++++++---
ipaserver/install/dnskeysyncinstance.py | 55 +++++++++++++++----
ipaserver/install/server/upgrade.py | 12 ++--
10 files changed, 136 insertions(+), 27 deletions(-)
10 files changed, 140 insertions(+), 29 deletions(-)
create mode 100644 install/share/bind.openssl.provider.cnf.template
create mode 100644 install/share/bind.openssl.provider.crp.cnf.template
diff --git a/freeipa.spec.in b/freeipa.spec.in
index 72d7013a6c49873f4a59734c684c6c5510e669d0..3f6b133eee4ec40193b618882ad0813971beb5ec 100755
index 01193a39e439d07ae09b48242e514fe22f1536ca..558b3cfffa11a77c459ba80316a5e0413662575e 100755
--- a/freeipa.spec.in
+++ b/freeipa.spec.in
@@ -158,12 +158,20 @@
@@ -163,12 +163,20 @@
# BIND employs 'pkcs11' OpenSSL engine instead of native PKCS11
# Fedora 31+ uses OpenSSL engine, as well as Fedora ELN (RHEL9)
@ -58,7 +61,7 @@ index 72d7013a6c49873f4a59734c684c6c5510e669d0..3f6b133eee4ec40193b618882ad08139
%if 0%{?rhel} == 8
# Make sure to use PKI versions that work with 389-ds fix for https://github.com/389ds/389-ds-base/issues/4609
@@ -623,7 +631,7 @@ Requires: bind-dnssec-utils >= %{bind_version}
@@ -628,7 +636,7 @@ Requires: bind-dnssec-utils >= %{bind_version}
Requires: bind-pkcs11 >= %{bind_version}
%else
Requires: softhsm >= %{softhsm_version}
@ -68,7 +71,7 @@ index 72d7013a6c49873f4a59734c684c6c5510e669d0..3f6b133eee4ec40193b618882ad08139
# See https://bugzilla.redhat.com/show_bug.cgi?id=1825812
# RHEL 8.3+ and Fedora 32+ have 2.1
diff --git a/install/share/Makefile.am b/install/share/Makefile.am
index 24664ca3bacb01fa4c57e9d7a5ea4ab48cfbdd90..0adebf8a3b0e01dbf62fe4b86190e60a3fbfea3b 100644
index d8d270ca9f4b13ed01e65c6460a3a6b0dbbc5ebe..ae69c7bb867b9da87dcc220a93d159cca03b504d 100644
--- a/install/share/Makefile.am
+++ b/install/share/Makefile.am
@@ -50,6 +50,8 @@ dist_app_DATA = \
@ -82,7 +85,7 @@ index 24664ca3bacb01fa4c57e9d7a5ea4ab48cfbdd90..0adebf8a3b0e01dbf62fe4b86190e60a
kdc_extensions.template \
diff --git a/install/share/bind.openssl.provider.cnf.template b/install/share/bind.openssl.provider.cnf.template
new file mode 100644
index 0000000000000000000000000000000000000000..1bd5599cd32f9601416cbaca815dc73fca22b560
index 0000000000000000000000000000000000000000..699922d132ad6c3d7556ebfeff7b703cfdf6e1aa
--- /dev/null
+++ b/install/share/bind.openssl.provider.cnf.template
@@ -0,0 +1,19 @@
@ -91,7 +94,7 @@ index 0000000000000000000000000000000000000000..1bd5599cd32f9601416cbaca815dc73f
+openssl_conf = openssl_init
+
+[openssl_init]
+providers = provider_section
+providers = provider_sect
+
+[provider_sect]
+default = default_sect
@ -137,10 +140,10 @@ index 0000000000000000000000000000000000000000..b52175e8f9971fa1a25a6c1c7a7121b2
+pkcs11-module-token-pin = file:$SOFTHSM_PIN
+activate = 1
diff --git a/ipaplatform/base/constants.py b/ipaplatform/base/constants.py
index 1689efe52466f00fd8b014f720e1d21ebdbf2504..3f607ecbf961fbd78d78e05bcc1af3cd15a549d5 100644
index 4c8038a846f81dcaee7cdb6a2226f26b0b12674d..8caded5f902cf6902153d1af8d48c96fe0a49f6c 100644
--- a/ipaplatform/base/constants.py
+++ b/ipaplatform/base/constants.py
@@ -120,6 +120,7 @@ class BaseConstantsNamespace:
@@ -123,6 +123,7 @@ class BaseConstantsNamespace:
NAMED_DATA_DIR = "data/"
NAMED_OPTIONS_VAR = "OPTIONS"
NAMED_OPENSSL_ENGINE = None
@ -149,7 +152,7 @@ index 1689efe52466f00fd8b014f720e1d21ebdbf2504..3f607ecbf961fbd78d78e05bcc1af3cd
PKI_USER = User("pkiuser")
PKI_GROUP = Group("pkiuser")
diff --git a/ipaplatform/fedora/constants.py b/ipaplatform/fedora/constants.py
index 896e6f60737a904b06ac5fba6c1d1711577c79ec..78a53db28755d5394441ed6d5350648c80de54df 100644
index 896e6f60737a904b06ac5fba6c1d1711577c79ec..1360b03536923fbbf75da7abed4799e20a469322 100644
--- a/ipaplatform/fedora/constants.py
+++ b/ipaplatform/fedora/constants.py
@@ -19,6 +19,10 @@ from ipaplatform.osinfo import osinfo
@ -157,8 +160,8 @@ index 896e6f60737a904b06ac5fba6c1d1711577c79ec..78a53db28755d5394441ed6d5350648c
HAS_NFS_CONF = osinfo.version_number >= (30,)
+# Fedora 40 and later deprecated OpenSSL engine and recommend using OpenSSL
+# provider API.
+HAS_OPENSSL_PROVIDER = osinfo.version_number >= (40,)
+# provider API. However, only bind 9.18 in F42+ was built with OpenSSL provider.
+HAS_OPENSSL_PROVIDER = osinfo.version_number >= (42,)
+
__all__ = ("constants", "User", "Group")
@ -200,10 +203,23 @@ index bc8c65a5d35af9afd27bc728768e49cd937e79a5..f4b50352190811db9dc780e3cec9d02c
constants = RHELConstantsNamespace()
diff --git a/ipaserver/dnssec/bindmgr.py b/ipaserver/dnssec/bindmgr.py
index 0c79cc03d404f0fb54bc3c6ab591206127c5870c..aeb8b919c64361fd8175366827fecba9705af3c3 100644
index 0c79cc03d404f0fb54bc3c6ab591206127c5870c..4b0eccefc8842efedd226d46213764c2d4003fce 100644
--- a/ipaserver/dnssec/bindmgr.py
+++ b/ipaserver/dnssec/bindmgr.py
@@ -121,17 +121,24 @@ class BINDMgr:
@@ -68,7 +68,7 @@ class BINDMgr:
str_val,
ipalib.constants.LDAP_GENERALIZED_TIME_FORMAT
)
- return dt.strftime(time_bindfmt).encode('utf-8')
+ return dt.strftime(time_bindfmt)
def dates2params(self, ldap_attrs):
"""Convert LDAP timestamps to list of parameters suitable
@@ -117,21 +117,30 @@ class BINDMgr:
"""Run dnssec-keyfromlabel on given LDAP object.
:returns: base file name of output files, e.g. Kaaa.test.+008+19719
"""
- logger.info('attrs: %s', attrs)
assert attrs.get('idnsseckeyzone', [b'FALSE'])[0] == b'TRUE', \
b'object %s is not a DNS zone key' % attrs['dn']
@ -212,26 +228,29 @@ index 0c79cc03d404f0fb54bc3c6ab591206127c5870c..aeb8b919c64361fd8175366827fecba9
- paths.DNSSEC_SOFTHSM_PIN.encode('utf-8')
- )
+ uri = None
+ # LDAP object entries are all in binary encoding
+ keyref = attrs['idnsSecKeyRef'][0].decode('utf-8')
+ if platformconstants.NAMED_OPENSSL_ENGINE is not None:
+ uri = "%s;pin-source=%s" % (
+ attrs['idnsSecKeyRef'][0],
+ paths.DNSSEC_SOFTHSM_PIN.encode('utf-8')
+ keyref,
+ paths.DNSSEC_SOFTHSM_PIN
+ )
+ elif platformconstants.NAMED_OPENSSL_PROVIDER is not None:
+ uri = "%s;token=%s" % (
+ attrs['idnsSecKeyRef'][0],
+ ipalib.constants.SOFTHSM_DNSSEC_TOKEN_LABEL.encode('utf-8')
+ keyref,
+ ipalib.constants.SOFTHSM_DNSSEC_TOKEN_LABEL
+ )
+
+ assert uri is not None
cmd = [
paths.DNSSEC_KEYFROMLABEL,
- '-E', 'pkcs11',
'-K', workdir,
- '-a', attrs['idnsSecAlgorithm'][0],
- '-l', uri
+ '-a', attrs['idnsSecAlgorithm'][0].encode('utf-8'),
+ '-a', attrs['idnsSecAlgorithm'][0].decode('utf-8'),
]
+ if uri is not None:
+ cmd.extend(['-l', uri])
+ cmd.extend(['-l', uri])
cmd.extend(self.dates2params(attrs))
if attrs.get('idnsSecKeySep', [b'FALSE'])[0].upper() == b'TRUE':
cmd.extend(['-f', 'KSK'])
@ -331,7 +350,7 @@ index 36524655265130fca910eceb63fd4793ccc60d48..1979a472dd882a70cb0a41d782689deb
sysconfig,
'OPENSSL_CONF', paths.DNSSEC_OPENSSL_CONF,
diff --git a/ipaserver/install/server/upgrade.py b/ipaserver/install/server/upgrade.py
index fb71df81a6bf8ecbb1631ca8f0a5fe55cc222782..e2aabb2845602aacda1ca3289b7d7e338bd2dba3 100644
index f26a08aefcabda0c518cd026ea9273d6bf7d5b66..fb716d4c2921b2658a6fc4c984600a4feb52afce 100644
--- a/ipaserver/install/server/upgrade.py
+++ b/ipaserver/install/server/upgrade.py
@@ -549,15 +549,19 @@ def ca_initialize_hsm_state(ca):
@ -359,5 +378,5 @@ index fb71df81a6bf8ecbb1631ca8f0a5fe55cc222782..e2aabb2845602aacda1ca3289b7d7e33
dnskeysyncd.setup_named_sysconfig()
dnskeysyncd.setup_ipa_dnskeysyncd_sysconfig()
--
2.47.0
2.49.0

50
0095-DNS-detect-when-OpenSSL-engine-should-be-removed-on-.patch Normal file
View File

@ -0,0 +1,50 @@
From 3094ef83b898bb7b7a3e835084e444fd403c6ee8 Mon Sep 17 00:00:00 2001
From: Alexander Bokovoy <abokovoy@redhat.com>
Date: Tue, 1 Apr 2025 14:53:24 +0300
Subject: [PATCH] DNS: detect when OpenSSL engine should be removed on upgrade
For OpenSSL Provider API use we don't need 'named -E engine-name'
anymore, it has to be removed. The removal process is slightly
complicated because we need to detect '-E engine-name' and compare it
with the engine we know about (pkcs11) but if we are upgrading to the
build that supports OpenSSL Provider API, we don't know the engine name
anymore.
Fixes: https://pagure.io/freeipa/issue/9696
Signed-off-by: Alexander Bokovoy <abokovoy@redhat.com>
Reviewed-By: Florence Blanc-Renaud <flo@redhat.com>
Reviewed-By: Alexander Bokovoy <abokovoy@redhat.com>
Reviewed-By: Rob Crittenden <rcritten@redhat.com>
---
ipaserver/install/dnskeysyncinstance.py | 14 +++++++++++++-
1 file changed, 13 insertions(+), 1 deletion(-)
diff --git a/ipaserver/install/dnskeysyncinstance.py b/ipaserver/install/dnskeysyncinstance.py
index 1979a472dd882a70cb0a41d782689debc66017a9..ae8a67a007cab36f81bf931e24755d3744265b8c 100644
--- a/ipaserver/install/dnskeysyncinstance.py
+++ b/ipaserver/install/dnskeysyncinstance.py
@@ -149,7 +149,19 @@ class DNSKeySyncInstance(service.Service):
if options:
pattern = r"[ ]*-[a-zA-Z46]*E[ ]*(.*?)(?: |$)"
engines = re.findall(pattern, options)
- if engines and engines[-1] == constants.NAMED_OPENSSL_ENGINE:
+
+ # if no '-E <engine-name>' and we switched to the provider API,
+ # just exist, no named configuration to adjust
+ if len(engines) == 0 and constants.NAMED_OPENSSL_ENGINE is None:
+ return False
+
+ # Something is configured in '-E <engine-name>' but we don't have
+ # an engine name to compare because we already switched to the
+ # provider API, we only need to ensure old engine ref is removed.
+ if constants.NAMED_OPENSSL_ENGINE is None:
+ return True
+
+ if engines[-1] == constants.NAMED_OPENSSL_ENGINE:
return True
return False
--
2.49.0

205
0096-ipa-dnskeysyncd-use-systemd-tmpfiles-to-handle-token.patch Normal file
View File

@ -0,0 +1,205 @@
From efbe63a6ff2cbdab128c6d3c879862dba22ac1cb Mon Sep 17 00:00:00 2001
From: Alexander Bokovoy <abokovoy@redhat.com>
Date: Fri, 25 Apr 2025 14:47:02 +0300
Subject: [PATCH] ipa-dnskeysyncd: use systemd-tmpfiles to handle tokens
ipa-dnskeysyncd daemon relies on both OpenDNSSEC and BIND accessing the
same cryptographic token. We use SoftHSMv2 here and store token in
DNSSEC_TOKENS_DIR, defined by the IPA platform.
Configure ipa-dnskeysyncd service to update permissions of the token
files using custom systemd-tmpfiles configuration.
Extend SELinux policy to handle access to the token under a separate
file context. Both token and its pin file need to be accessed by the BIND
rndc tool.
Fixes: https://pagure.io/freeipa/issue/9696
Signed-off-by: Alexander Bokovoy <abokovoy@redhat.com>
Reviewed-By: Florence Blanc-Renaud <flo@redhat.com>
Reviewed-By: Alexander Bokovoy <abokovoy@redhat.com>
Reviewed-By: Rob Crittenden <rcritten@redhat.com>
---
daemons/dnssec/Makefile.am | 1 +
daemons/dnssec/ipa-dnskeysyncd.service.in | 1 +
freeipa.spec.in | 1 +
init/tmpfilesd/Makefile.am | 11 ++++++++---
init/tmpfilesd/ipa-dnssec.conf.in | 4 ++++
ipaserver/install/dnskeysyncinstance.py | 10 ++++++++++
ipaserver/install/server/upgrade.py | 10 +++++-----
selinux/ipa.fc | 3 +++
selinux/ipa.te | 7 +++++++
9 files changed, 40 insertions(+), 8 deletions(-)
create mode 100644 init/tmpfilesd/ipa-dnssec.conf.in
diff --git a/daemons/dnssec/Makefile.am b/daemons/dnssec/Makefile.am
index 0edab98be9d4dfd2221bcc3220785622a6545761..d270f0f9a5c06e9d9d455671157c3d1f32973419 100644
--- a/daemons/dnssec/Makefile.am
+++ b/daemons/dnssec/Makefile.am
@@ -33,6 +33,7 @@ CLEANFILES = $(systemdsystemunit_DATA) $(nodist_app_SCRIPTS)
-e 's|@ODS_USER[@]|$(ODS_USER)|g' \
-e 's|@ODS_GROUP[@]|$(ODS_GROUP)|g' \
-e 's|@NAMED_GROUP[@]|$(NAMED_GROUP)|g' \
+ -e 's|@IPA_DATA_DIR[@]|$(IPA_DATA_DIR)|g' \
'$(srcdir)/$@.in' >$@
dnssecconfdir = $(IPA_SYSCONF_DIR)/dnssec
diff --git a/daemons/dnssec/ipa-dnskeysyncd.service.in b/daemons/dnssec/ipa-dnskeysyncd.service.in
index cd07275ad323649e305a96ad36488e93bd248d7b..6730c9676d272e38a8f69d2d23f5d29b86ff7d83 100644
--- a/daemons/dnssec/ipa-dnskeysyncd.service.in
+++ b/daemons/dnssec/ipa-dnskeysyncd.service.in
@@ -4,6 +4,7 @@ Description=IPA key daemon
[Service]
Environment=LC_ALL=C.UTF-8
EnvironmentFile=@sysconfenvdir@/ipa-dnskeysyncd
+ExecStartPre=/bin/sh -c '/bin/sed -e "s,@DNSSEC_TOKENS_DIR@,${DNSSEC_TOKENS_DIR},g;s,@DNSSEC_SOFTHSM_PIN@,${DNSSEC_SOFTHSM_PIN},g" @IPA_DATA_DIR@/ipa-dnssec.conf | /usr/bin/systemd-tmpfiles --create -'
ExecStart=@libexecdir@/ipa/ipa-dnskeysyncd
User=@ODS_USER@
Group=@NAMED_GROUP@
diff --git a/freeipa.spec.in b/freeipa.spec.in
index 558b3cfffa11a77c459ba80316a5e0413662575e..78004dc4fcec87079efcd235dcbf61ae2c20c669 100755
--- a/freeipa.spec.in
+++ b/freeipa.spec.in
@@ -1771,6 +1771,7 @@ fi
%{_libexecdir}/ipa/ipa-ods-exporter
%{_sbindir}/ipa-dns-install
%{_mandir}/man1/ipa-dns-install.1*
+%{_usr}/share/ipa/ipa-dnssec.conf
%attr(644,root,root) %{_unitdir}/ipa-dnskeysyncd.service
%attr(644,root,root) %{_unitdir}/ipa-ods-exporter.socket
%attr(644,root,root) %{_unitdir}/ipa-ods-exporter.service
diff --git a/init/tmpfilesd/Makefile.am b/init/tmpfilesd/Makefile.am
index 5d6e96f2c07ff2b73752e46d6dbfe363a2a18821..8d264aaab06bff4c3be622d779c7fc3f4930b64d 100644
--- a/init/tmpfilesd/Makefile.am
+++ b/init/tmpfilesd/Makefile.am
@@ -1,12 +1,17 @@
dist_noinst_DATA = \
- ipa.conf.in
+ ipa.conf.in \
+ ipa-dnssec.conf.in
systemdtmpfiles_DATA = \
ipa.conf
-CLEANFILES = $(systemdtmpfiles_DATA)
+appdir = $(IPA_DATA_DIR)
+dist_app_DATA = \
+ ipa-dnssec.conf
+
+CLEANFILES = $(systemdtmpfiles_DATA) $(app_DATA)
%: %.in Makefile
sed \
- -e 's|@HTTPD_GROUP[@]|$(HTTPD_GROUP)|g' \
+ -e 's|@HTTPD_GROUP[@]|$(HTTPD_GROUP)|g;s|@ODS_USER[@]|$(ODS_USER)|g;s|@NAMED_GROUP[@]|$(NAMED_GROUP)|g' \
'$(srcdir)/$@.in' >$@
diff --git a/init/tmpfilesd/ipa-dnssec.conf.in b/init/tmpfilesd/ipa-dnssec.conf.in
new file mode 100644
index 0000000000000000000000000000000000000000..1dd2b617045c405430749b304504dab1300583d4
--- /dev/null
+++ b/init/tmpfilesd/ipa-dnssec.conf.in
@@ -0,0 +1,4 @@
+d @DNSSEC_TOKENS_DIR@ 2770 @ODS_USER@ @NAMED_GROUP@
+A+ @DNSSEC_TOKENS_DIR@ - - - - group:@NAMED_GROUP@:rw,user:@ODS_USER@:rw
+Z @DNSSEC_TOKENS_DIR@ - - - - -
+z @DNSSEC_SOFTHSM_PIN@ - @ODS_USER@ @NAMED_GROUP@ - -
diff --git a/ipaserver/install/dnskeysyncinstance.py b/ipaserver/install/dnskeysyncinstance.py
index ae8a67a007cab36f81bf931e24755d3744265b8c..9c2bba11c08efb1ad1a9c537feced98463b6f398 100644
--- a/ipaserver/install/dnskeysyncinstance.py
+++ b/ipaserver/install/dnskeysyncinstance.py
@@ -258,6 +258,16 @@ class DNSKeySyncInstance(service.Service):
'SOFTHSM2_CONF', paths.DNSSEC_SOFTHSM2_CONF,
quotes=False, separator='=')
+ directivesetter.set_directive(
+ sysconfig,
+ 'DNSSEC_TOKENS_DIR', paths.DNSSEC_TOKENS_DIR,
+ quotes=False, separator='=')
+
+ directivesetter.set_directive(
+ sysconfig,
+ 'DNSSEC_SOFTHSM_PIN', paths.DNSSEC_SOFTHSM_PIN,
+ quotes=False, separator='=')
+
if any([constants.NAMED_OPENSSL_ENGINE is not None,
constants.NAMED_OPENSSL_PROVIDER is not None]):
directivesetter.set_directive(
diff --git a/ipaserver/install/server/upgrade.py b/ipaserver/install/server/upgrade.py
index fb716d4c2921b2658a6fc4c984600a4feb52afce..58896e33097dd1accb1c957066958f43caea8fbf 100644
--- a/ipaserver/install/server/upgrade.py
+++ b/ipaserver/install/server/upgrade.py
@@ -547,7 +547,7 @@ def ca_initialize_hsm_state(ca):
ca.set_hsm_state(config)
-def dnssec_set_openssl_engine(dnskeysyncd):
+def dnssec_set_openssl_provider(dnskeysyncd):
"""
Setup OpenSSL engine or provider for BIND
"""
@@ -555,9 +555,9 @@ def dnssec_set_openssl_engine(dnskeysyncd):
constants.NAMED_OPENSSL_PROVIDER is None]):
return False
- # Nothing to do if we are using OpenSSL engine already and not on the OS
+ # Nothing to do if we are using OpenSSL provider already and not on the OS
# that requires OpenSSL provider instead.
- if all([sysupgrade.get_upgrade_state('dns', 'openssl_engine'),
+ if all([sysupgrade.get_upgrade_state('dns', 'openssl_provider'),
constants.NAMED_OPENSSL_PROVIDER is None]):
return False
@@ -565,7 +565,7 @@ def dnssec_set_openssl_engine(dnskeysyncd):
dnskeysyncd.setup_named_openssl_conf()
dnskeysyncd.setup_named_sysconfig()
dnskeysyncd.setup_ipa_dnskeysyncd_sysconfig()
- sysupgrade.set_upgrade_state('dns', 'openssl_engine', True)
+ sysupgrade.set_upgrade_state('dns', 'openssl_provider', True)
return True
@@ -1892,7 +1892,7 @@ def upgrade_configuration():
dnskeysyncd.create_instance(fqdn, api.env.realm)
dnskeysyncd.start_dnskeysyncd()
else:
- if dnssec_set_openssl_engine(dnskeysyncd):
+ if dnssec_set_openssl_provider(dnskeysyncd):
dnskeysyncd.start_dnskeysyncd()
dnskeysyncd.set_dyndb_ldap_workdir_permissions()
diff --git a/selinux/ipa.fc b/selinux/ipa.fc
index 15e8e41aa50228ff560e338044240b46bc24cc40..ffab59933c56791e5561d9d3a5888b6b96499337 100644
--- a/selinux/ipa.fc
+++ b/selinux/ipa.fc
@@ -24,6 +24,9 @@
/var/lib/ipa/gssproxy/http.keytab -- gen_context(system_u:object_r:ipa_http_keytab_t,s0)
+/var/lib/ipa/dnssec/tokens -- gen_context(system_u:object_r:ipa_dnskey_t,s0)
+/var/lib/ipa/dnssec/softhsm_pin -- gen_context(system_u:object_r:ipa_dnskey_t,s0)
+
/var/log/ipa(/.*)? gen_context(system_u:object_r:ipa_log_t,s0)
/var/log/ipabackup.log -- gen_context(system_u:object_r:ipa_log_t,s0)
diff --git a/selinux/ipa.te b/selinux/ipa.te
index e4ce66687a48b27e85591cdd8352f7cac94d3151..c6d40b148325ac317437e1bd6e7c6d50e609bf5a 100644
--- a/selinux/ipa.te
+++ b/selinux/ipa.te
@@ -265,6 +265,13 @@ corenet_tcp_bind_generic_node(ipa_dnskey_t)
corenet_tcp_connect_kerberos_port(ipa_dnskey_t)
corenet_tcp_connect_rndc_port(ipa_dnskey_t)
+# Allow rndc to access SoftHSM token in IPA directory
+gen_require(`
+ type ndc_t;
+')
+allow ndc_t ipa_dnskey_t:file { getattr open read };
+
+
dev_read_rand(ipa_dnskey_t)
dev_read_sysfs(ipa_dnskey_t)
--
2.49.0

74
0097-freeipa.spec.in-update-BIND-related-dependencies.patch Normal file
View File

@ -0,0 +1,74 @@
From a66adf2618d8d92b80c79537c7bcaaedea2bd9a4 Mon Sep 17 00:00:00 2001
From: Alexander Bokovoy <abokovoy@redhat.com>
Date: Tue, 29 Apr 2025 09:37:44 +0300
Subject: [PATCH] freeipa.spec.in: update BIND-related dependencies
BIND in Fedora 42+ includes a custom backport for DNSSEC support when
using OpenSSL provider API. Make sure we have that support included.
For RHEL 10 we should be using a similar build but it is not yet
available, so make sure we include the version that is up to date prior
to enabling DNSSEC with OpenSSL provider API. Once new BIND build is
available, we can enable OpenSSL provider API usage in ipaplatform.rhel.
Fixes: https://pagure.io/freeipa/issue/9696
Signed-off-by: Alexander Bokovoy <abokovoy@redhat.com>
Reviewed-By: Florence Blanc-Renaud <flo@redhat.com>
Reviewed-By: Alexander Bokovoy <abokovoy@redhat.com>
Reviewed-By: Rob Crittenden <rcritten@redhat.com>
---
freeipa.spec.in | 21 ++++++++++++++++-----
1 file changed, 16 insertions(+), 5 deletions(-)
diff --git a/freeipa.spec.in b/freeipa.spec.in
index 78004dc4fcec87079efcd235dcbf61ae2c20c669..78b044b026de6181264a3572779596325af89158 100755
--- a/freeipa.spec.in
+++ b/freeipa.spec.in
@@ -90,7 +90,13 @@
# Fix for TLS 1.3 PHA, RHBZ#1775158
%global httpd_version 2.4.37-21
+
+# DNSSEC support with OpenSSL provider API in RHEL 10
+%if 0%{?rhel} < 10
%global bind_version 9.11.20-6
+%else
+%global bind_version 9.18.33-3
+%endif
# support for passkey
%global sssd_version 2.9.0
@@ -139,11 +145,11 @@
# Fix for TLS 1.3 PHA, RHBZ#1775146
%global httpd_version 2.4.41-9
-# Fix for RHBZ#2117342
-%if 0%{?fedora} < 37
-%global bind_version 9.11.24-1
+%if 0%{?fedora} < 42
+%global bind_version 32:9.18.33-1
%else
-%global bind_version 32:9.18.7-1
+# BIND version with backport of DNSSEC support over OpenSSL provider API
+%global bind_version 32:9.18.35-2
%endif
# Don't use Fedora's Python dependency generator on Fedora 30/rawhide yet.
# Some packages don't provide new dist aliases.
@@ -626,7 +632,12 @@ If you are installing an IPA server, you need to install this package.
Summary: IPA integrated DNS server with support for automatic DNSSEC signing
BuildArch: noarch
Requires: %{name}-server = %{version}-%{release}
-Requires: bind-dyndb-ldap >= 11.2-2
+# Both Fedora 42+ and RHEL support newer bind-dyndb-ldap 11.11
+%if 0%{?fedora} < 42
+Requires: bind-dyndb-ldap >= 11.10-33
+%else
+Requires: bind-dyndb-ldap >= 11.11
+%endif
Requires: bind >= %{bind_version}
Requires: bind-utils >= %{bind_version}
# bind-dnssec-utils is required by the OpenDNSSec integration
--
2.49.0

43
0098-freeipa.spec.in-do-not-recommend-encrypted-DNS-on-pr.patch Normal file
View File

@ -0,0 +1,43 @@
From 13332be5931b2492b19121c083ab0e37aa1ae88f Mon Sep 17 00:00:00 2001
From: Alexander Bokovoy <abokovoy@redhat.com>
Date: Mon, 5 May 2025 11:18:59 +0300
Subject: [PATCH] freeipa.spec.in: do not recommend encrypted DNS on pre-F42
systems
Fedora 41 or earlier do not have infrastructure to run encrypted DNS
server side.
Signed-off-by: Alexander Bokovoy <abokovoy@redhat.com>
Reviewed-By: Florence Blanc-Renaud <flo@redhat.com>
Reviewed-By: Alexander Bokovoy <abokovoy@redhat.com>
Reviewed-By: Rob Crittenden <rcritten@redhat.com>
---
freeipa.spec.in | 4 ++++
1 file changed, 4 insertions(+)
diff --git a/freeipa.spec.in b/freeipa.spec.in
index 78b044b026de6181264a3572779596325af89158..ccb37ff0a7e46292ea0b5c50346f6aff984eecc7 100755
--- a/freeipa.spec.in
+++ b/freeipa.spec.in
@@ -652,7 +652,9 @@ Requires: %{openssl_pkcs11_name} >= %{openssl_pkcs11_version}
# See https://bugzilla.redhat.com/show_bug.cgi?id=1825812
# RHEL 8.3+ and Fedora 32+ have 2.1
Requires: opendnssec >= 2.1.6-5
+%if 0%{?fedora} >= 42 || 0%{?rhel} > 9
Recommends: %{name}-server-encrypted-dns
+%endif
%{?systemd_requires}
Provides: %{alt_name}-server-dns = %{version}
@@ -670,6 +672,8 @@ Integrated DNS server is BIND 9. OpenDNSSEC provides key management.
%package server-encrypted-dns
Summary: support for encrypted DNS in IPA integrated DNS server
Requires: %{name}-client-encrypted-dns
+# Will need newer bind-dyndb-ldap to allow use of OpenSSL provider API
+Requires: bind-dyndb-ldap >= 11.11
%description server-encrypted-dns
Provides support for enabling DNS over TLS in the IPA integrated DNS
--
2.49.0

61
0099-dns-install-fix-selinux-avc-relabelto.patch Normal file
View File

@ -0,0 +1,61 @@
From 0aff65d9453d456c7a99c1294dde8c2e2ab57ca8 Mon Sep 17 00:00:00 2001
From: Florence Blanc-Renaud <flo@redhat.com>
Date: Mon, 12 May 2025 16:22:46 +0200
Subject: [PATCH] dns install: fix selinux avc relabelto
During the DNS server installation in SELinux enforcing mode,
ipa-dnskeysyncd.service fails to restart because of the AVC:
avc: denied { relabelto } for pid=29955 comm="systemd-tmpfile" name="softhsm_pin" dev="vda4" ino=38440 scontext=system_u:system_r:systemd_tmpfiles_t:s0 tcontext=system_u:object_r:ipa_dnskey_t:s0 tclass=file permissive=0
Add the missing policies
allow systemd_tmpfiles_t ipa_dnskey_t:file relabelto;
allow ipa_dnskey_t fs_t:filesystem associate;
allow ipa_ods_exporter_t ipa_dnskey_t:file { getattr ioctl open read };
allow named_t ipa_dnskey_t:file { getattr open read };
Fixes: https://pagure.io/freeipa/issue/9782
Signed-off-by: Florence Blanc-Renaud <flo@redhat.com>
Reviewed-By: Alexander Bokovoy <abokovoy@redhat.com>
Reviewed-By: Rob Crittenden <rcritten@redhat.com>
Reviewed-By: Florence Blanc-Renaud <flo@redhat.com>
Reviewed-By: Alexander Bokovoy <abokovoy@redhat.com>
Reviewed-By: Rob Crittenden <rcritten@redhat.com>
---
selinux/ipa.te | 14 ++++++++++++++
1 file changed, 14 insertions(+)
diff --git a/selinux/ipa.te b/selinux/ipa.te
index c6d40b148325ac317437e1bd6e7c6d50e609bf5a..b5354051830f6bd216e7b0caa9338de9f43b25a9 100644
--- a/selinux/ipa.te
+++ b/selinux/ipa.te
@@ -271,6 +271,19 @@ gen_require(`
')
allow ndc_t ipa_dnskey_t:file { getattr open read };
+# Allow relabel from systemd_tmpfiles_t
+gen_require(`
+ type systemd_tmpfiles_t;
+')
+allow systemd_tmpfiles_t ipa_dnskey_t:file { getattr relabelfrom relabelto };
+gen_require(`
+ type fs_t;
+')
+allow ipa_dnskey_t fs_t:filesystem associate;
+gen_require(`
+ type named_t;
+')
+allow named_t ipa_dnskey_t:file { getattr open read };
dev_read_rand(ipa_dnskey_t)
dev_read_sysfs(ipa_dnskey_t)
@@ -320,6 +333,7 @@ optional_policy(`
allow ipa_ods_exporter_t self:netlink_route_socket { bind create getattr nlmsg_read };
allow ipa_ods_exporter_t self:udp_socket { connect create getattr };
allow ipa_ods_exporter_t self:unix_dgram_socket { create getopt setopt };
+allow ipa_ods_exporter_t ipa_dnskey_t:file { getattr ioctl open read };
manage_files_pattern(ipa_ods_exporter_t, ipa_var_lib_t, ipa_var_lib_t)
list_dirs_pattern(ipa_ods_exporter_t, ipa_var_lib_t, ipa_var_lib_t)
--
2.49.0

35
0100-ipatests-test_manual_renewal_master_transfer-must-wa.patch Normal file
View File

@ -0,0 +1,35 @@
From 17fdff8f2f1664a387147e13a851bc1248abc29c Mon Sep 17 00:00:00 2001
From: Florence Blanc-Renaud <flo@redhat.com>
Date: Mon, 19 May 2025 09:56:36 +0200
Subject: [PATCH] ipatests: test_manual_renewal_master_transfer must wait for
replication
The test is transferring the CA renewal role from master to replica.
It calls ipa config-mod on the replica then checks with ipa config-show
on the master.
Wait for replication to complete between the 2 steps.
Fixes: https://pagure.io/freeipa/issue/9790
Signed-off-by: Florence Blanc-Renaud <flo@redhat.com>
Reviewed-By: Rob Crittenden <rcritten@redhat.com>
---
ipatests/test_integration/test_replica_promotion.py | 3 +++
1 file changed, 3 insertions(+)
diff --git a/ipatests/test_integration/test_replica_promotion.py b/ipatests/test_integration/test_replica_promotion.py
index c754cef88cb275987f5afdaad43f2ea07e3b7476..3c67833d3101aef095539953e04c31d028c746d3 100644
--- a/ipatests/test_integration/test_replica_promotion.py
+++ b/ipatests/test_integration/test_replica_promotion.py
@@ -417,6 +417,9 @@ class TestRenewalMaster(IntegrationTest):
replica = self.replicas[0]
replica.run_command(['ipa', 'config-mod',
'--ca-renewal-master-server', replica.hostname])
+ # wait for replication to complete before checking on the master
+ tasks.wait_for_replication(replica.ldap_connect())
+
result = self.master.run_command(["ipa", "config-show"]).stdout_text
assert("IPA CA renewal master: %s" % replica.hostname in result), (
"Replica hostname not found among CA renewal masters"
--
2.49.0

225
0101-Require-baserid-and-secondarybaserid.patch Normal file
View File

@ -0,0 +1,225 @@
From 6f1b9a4228e400ef23f0f411ebf8a98c30cd2f9f Mon Sep 17 00:00:00 2001
From: David Hanina <dhanina@redhat.com>
Date: Mon, 5 May 2025 17:31:18 +0200
Subject: [PATCH] Require baserid and secondarybaserid
This has been already required for some time, just not really enforced.
Also adds few new tests, and removes test without providing rid.
Fixes: https://pagure.io/freeipa/issue/9779
Signed-off-by: David Hanina <dhanina@redhat.com>
Reviewed-By: Florence Blanc-Renaud <flo@redhat.com>
---
ipaclient/plugins/idrange.py | 31 +++------------
ipaserver/plugins/idrange.py | 35 +++++++----------
ipatests/test_cmdline/test_cli.py | 13 -------
ipatests/test_xmlrpc/test_range_plugin.py | 46 +++++++++++++++++++++++
4 files changed, 66 insertions(+), 59 deletions(-)
diff --git a/ipaclient/plugins/idrange.py b/ipaclient/plugins/idrange.py
index 1a8d68ed7ff724854d5ea2f3dd43ec9644b5c671..b62cb1e3526d33a0d762809142b6e372f6f608ea 100644
--- a/ipaclient/plugins/idrange.py
+++ b/ipaclient/plugins/idrange.py
@@ -19,7 +19,6 @@
from ipaclient.frontend import MethodOverride
from ipalib.plugable import Registry
-from ipalib import api
register = Registry()
@@ -33,8 +32,7 @@ class idrange_add(MethodOverride):
Also ensure that secondary-rid-base is prompted for when rid-base is
specified and vice versa, in case that dom-sid was not specified.
- Also ensure that rid-base and secondary-rid-base is prompted for
- if ipa-adtrust-install has been run on the system.
+ Also ensure that rid-base and secondary-rid-base is prompted for.
"""
# dom-sid can be specified using dom-sid or dom-name options
@@ -63,27 +61,10 @@ class idrange_add(MethodOverride):
else:
# This is a local range
- # Find out whether ipa-adtrust-install has been ran
- adtrust_is_enabled = api.Command['adtrust_is_enabled']()['result']
- if adtrust_is_enabled:
- # If ipa-adtrust-install has been ran, all local ranges
- # require both RID base and secondary RID base
-
- if rid_base is None:
- set_from_prompt('ipabaserid')
-
- if secondary_rid_base is None:
- set_from_prompt('ipasecondarybaserid')
-
- else:
- # This is a local range on a server with no adtrust support
-
- # Prompt for secondary RID base only if RID base was given
- if rid_base is not None and secondary_rid_base is None:
- set_from_prompt('ipasecondarybaserid')
+ # All local ranges require both RID base and secondary RID base
+ if rid_base is None:
+ set_from_prompt('ipabaserid')
- # Symetrically, prompt for RID base if secondary RID base was
- # given
- if rid_base is None and secondary_rid_base is not None:
- set_from_prompt('ipabaserid')
+ if secondary_rid_base is None:
+ set_from_prompt('ipasecondarybaserid')
diff --git a/ipaserver/plugins/idrange.py b/ipaserver/plugins/idrange.py
index d155fb46da8240449a077d35e86a91ee9f95c132..1c8b5c6899ec927d753b7d9b116d35396b536339 100644
--- a/ipaserver/plugins/idrange.py
+++ b/ipaserver/plugins/idrange.py
@@ -73,10 +73,14 @@ Both types have the following attributes in common:
With those two attributes a range object can reserve the Posix IDs starting
with base-id up to but not including base-id+range-size exclusively.
-Additionally an ID range of the local domain may set
+Additionally an ID range of the local domain must set
- rid-base: the first RID(*) of the corresponding RID range
- secondary-rid-base: first RID of the secondary RID range
+If the server is updated from a previous version and defines local ID ranges
+missing the rid-base and secondary-rid-base, it is recommended to use
+`ipa-idrange-fix` command to identify the missing values and fix the ID ranges.
+
and an ID range of a trusted domain must set
- rid-base: the first RID of the corresponding RID range
- sid: domain SID of the trusted domain
@@ -519,11 +523,15 @@ class idrange_add(LDAPCreate):
'or ipa-ad-trust-posix when '
'auto-private-groups is specified'))
- # secondary base rid must be set if and only if base rid is set
- if is_set('ipasecondarybaserid') != is_set('ipabaserid'):
- raise errors.ValidationError(name='ID Range setup',
- error=_('Options secondary-rid-base and rid-base must '
- 'be used together'))
+ # base rid and secondary base rid must be set for sidgen
+ if not (is_set('ipabaserid') and is_set('ipasecondarybaserid')):
+ raise errors.ValidationError(
+ name='ID Range setup',
+ error=_(
+ 'You must specify both rid-base and '
+ 'secondary-rid-base options.'
+ )
+ )
# and they must not overlap
if is_set('ipabaserid') and is_set('ipasecondarybaserid'):
@@ -534,21 +542,6 @@ class idrange_add(LDAPCreate):
raise errors.ValidationError(name='ID Range setup',
error=_("Primary RID range and secondary RID range"
" cannot overlap"))
-
- # rid-base and secondary-rid-base must be set if
- # ipa-adtrust-install has been run on the system
- adtrust_is_enabled = api.Command['adtrust_is_enabled']()['result']
-
- if adtrust_is_enabled and not (
- is_set('ipabaserid') and is_set('ipasecondarybaserid')):
- raise errors.ValidationError(
- name='ID Range setup',
- error=_(
- 'You must specify both rid-base and '
- 'secondary-rid-base options, because '
- 'ipa-adtrust-install has already been run.'
- )
- )
return dn
def post_callback(self, ldap, dn, entry_attrs, *keys, **options):
diff --git a/ipatests/test_cmdline/test_cli.py b/ipatests/test_cmdline/test_cli.py
index 718798d68083285ce8aefe23af951bc819bdefdb..6c86bbb657a0d9a7b74ef34ad20a796a10073315 100644
--- a/ipatests/test_cmdline/test_cli.py
+++ b/ipatests/test_cmdline/test_cli.py
@@ -276,25 +276,12 @@ class TestCLIParsing:
ipasecondarybaserid=u'500000',
)
- def test_without_options():
- self.check_command(
- 'idrange_add range1 --base-id=1 --range-size=1',
- 'idrange_add',
- cn=u'range1',
- ipabaseid=u'1',
- ipaidrangesize=u'1',
- )
-
adtrust_dn = 'cn=ADTRUST,cn=%s,cn=masters,cn=ipa,cn=etc,%s' % \
(api.env.host, api.env.basedn)
adtrust_is_enabled = api.Command['adtrust_is_enabled']()['result']
mockldap = None
if not adtrust_is_enabled:
- # ipa-adtrust-install not run - no need to pass rid-base
- # and secondary-rid-base
- test_without_options()
-
# Create a mock service object to test against
adtrust_add = dict(
ipaconfigstring=b'enabledService',
diff --git a/ipatests/test_xmlrpc/test_range_plugin.py b/ipatests/test_xmlrpc/test_range_plugin.py
index 36469525b14ee507f2d8580b1f021ff09b82c99d..ffc89c028168740e7b8ae217259af512abff2d8a 100644
--- a/ipatests/test_xmlrpc/test_range_plugin.py
+++ b/ipatests/test_xmlrpc/test_range_plugin.py
@@ -1086,4 +1086,50 @@ class test_range(Declarative):
),
),
+ # Fail without baserid and secondarybaserid
+
+ dict(
+ desc='Try creating ID range %r without both rid' % (testrange9),
+ command=('idrange_add', [testrange9],
+ dict(ipabaseid=testrange9_base_id,
+ ipaidrangesize=testrange9_size)),
+ expected=errors.ValidationError(
+ name='ID Range setup',
+ error=(
+ 'You must specify both rid-base and '
+ 'secondary-rid-base options.'
+ )
+ )
+ ),
+
+ dict(
+ desc='Try creating ID range %r without'
+ 'secondarybaserid' % (testrange9),
+ command=('idrange_add', [testrange9],
+ dict(ipabaseid=testrange9_base_id,
+ ipaidrangesize=testrange9_size,
+ ipabaserid=testrange9_base_rid)),
+ expected=errors.ValidationError(
+ name='ID Range setup',
+ error=(
+ 'You must specify both rid-base and '
+ 'secondary-rid-base options.'
+ )
+ )
+ ),
+
+ dict(
+ desc='Try creating ID range %r without baserid' % (testrange9),
+ command=('idrange_add', [testrange9],
+ dict(ipabaseid=testrange9_base_id,
+ ipaidrangesize=testrange9_size,
+ ipasecondarybaserid=testrange9_secondary_base_rid)),
+ expected=errors.ValidationError(
+ name='ID Range setup',
+ error=(
+ 'You must specify both rid-base and '
+ 'secondary-rid-base options.'
+ )
+ )
+ ),
]
--
2.49.0

90
0102-ipa-config-mod-fix-internalerror-when-setting-an-emp.patch Normal file
View File

@ -0,0 +1,90 @@
From 1c069653806ce8224132a35d6d3bd01ac53098b6 Mon Sep 17 00:00:00 2001
From: Florence Blanc-Renaud <flo@redhat.com>
Date: Mon, 26 May 2025 18:24:12 +0200
Subject: [PATCH] ipa config-mod: fix internalerror when setting an empty
ipaconfigstring
When ipa config-mod is called with --ipaconfigstring="", the command
fails with an InternalError.
This happens because the code added for 32bits uid did not properly
handle this case.
Same issue if ipa subid-stats is called with a null ipaconfigstring.
This commit now handles when ipaconfigstring is empty or None, and adds
a test.
Fixes: https://pagure.io/freeipa/issue/9794
Signed-off-by: Florence Blanc-Renaud <flo@redhat.com>
Reviewed-By: Francisco Trivino <ftrivino@redhat.com>
---
ipaserver/plugins/config.py | 4 +--
ipatests/test_integration/test_commands.py | 30 ++++++++++++++++++++++
2 files changed, 32 insertions(+), 2 deletions(-)
diff --git a/ipaserver/plugins/config.py b/ipaserver/plugins/config.py
index c509c2c13adfb4950741f63ffcbc9f3f806c0c3b..d9769ab1fb8498c24ce41ad32af40938bdaee804 100644
--- a/ipaserver/plugins/config.py
+++ b/ipaserver/plugins/config.py
@@ -524,7 +524,7 @@ class config(LDAPObject):
def is_config_option_present(self, option):
dn = DN(('cn', 'ipaconfig'), ('cn', 'etc'), self.api.env.basedn)
configentry = self.api.Backend.ldap2.get_entry(dn, ['ipaconfigstring'])
- configstring = configentry['ipaconfigstring']
+ configstring = configentry.get('ipaconfigstring') or []
return (option.lower() in map(str.lower, configstring))
@@ -702,7 +702,7 @@ class config_mod(LDAPUpdate):
error=_('SELinux user map default user not in order list'))
if 'ipaconfigstring' in entry_attrs:
- configstring = entry_attrs['ipaconfigstring']
+ configstring = entry_attrs['ipaconfigstring'] or []
if 'SubID:Disable'.lower() in map(str.lower, configstring):
# Check if SubIDs already allocated
try:
diff --git a/ipatests/test_integration/test_commands.py b/ipatests/test_integration/test_commands.py
index f64152908b3e1cbca451697043c1fcc8ad37fee6..9cad5772127bcd860aeecc8dabe73d5f160faf7b 100644
--- a/ipatests/test_integration/test_commands.py
+++ b/ipatests/test_integration/test_commands.py
@@ -2123,6 +2123,36 @@ class TestIPACommandWithoutReplica(IntegrationTest):
assert old_err_msg not in dirsrv_error_log
assert re.search(new_err_msg, dirsrv_error_log)
+ @pytest.fixture
+ def update_ipaconfigstring(self):
+ """
+ This fixture stores the value of ipaconfigstring parameter
+ and reverts to the initial value
+ """
+ ldap = self.master.ldap_connect()
+ dn = DN(
+ ("cn", "ipaconfig"), ('cn', 'etc'),
+ self.master.domain.basedn
+ )
+ entry = ldap.get_entry(dn)
+ val = entry.get("ipaconfigstring")
+ yield
+
+ # re-read the entry as the value may have been changed by the test
+ entry = ldap.get_entry(dn)
+ entry["ipaconfigstring"] = val
+ ldap.update_entry(entry)
+
+ def test_empty_ipaconfigstring(self, update_ipaconfigstring):
+ """
+ Test for https://pagure.io/freeipa/issue/9794
+
+ Test that setting an empty ipaconfigstring does not fail.
+ Subsequent calls to ipa subid-stats should also succeed.
+ """
+ self.master.run_command(['ipa', 'config-mod', "--ipaconfigstring="])
+ self.master.run_command(['ipa', 'subid-stats'])
+
def test_ipa_cacert_manage_prune(self):
"""Test for ipa-cacert-manage prune
--
2.49.0

52
0103-ipatests-Test-to-check-dot-forwarders-are-added-to-u.patch Normal file
View File

@ -0,0 +1,52 @@
From 383574be4e645155fb58a79612138e51c3bdc4eb Mon Sep 17 00:00:00 2001
From: Sudhir Menon <sumenon@redhat.com>
Date: Tue, 13 May 2025 15:58:56 +0530
Subject: [PATCH] ipatests: Test to check dot forwarders are added to unbound.
This test checks that dns forwarder is listed in
dnsserver-show command and also the dot forwarder is
added to unbound and included in /etc/unbound/conf.d/zzz-ipa.conf
Signed-off-by: Sudhir Menon <sumenon@redhat.com>
Reviewed-By: Florence Blanc-Renaud <flo@redhat.com>
Reviewed-By: Antonio Torres <antorres@redhat.com>
---
ipatests/test_integration/test_edns.py | 18 ++++++++++++++++++
1 file changed, 18 insertions(+)
diff --git a/ipatests/test_integration/test_edns.py b/ipatests/test_integration/test_edns.py
index b42570ffa2c1cba8271ff08e084da0107e57d054..dd046f226926d09074d8d6ce536999c5d452fcc4 100644
--- a/ipatests/test_integration/test_edns.py
+++ b/ipatests/test_integration/test_edns.py
@@ -247,6 +247,7 @@ class TestDNSOverTLS(IntegrationTest):
class TestDNS_DoT(TestDNS):
+
@classmethod
def install(cls, mh):
tasks.install_packages(cls.master, ['*ipa-server-encrypted-dns'])
@@ -255,3 +256,20 @@ class TestDNS_DoT(TestDNS):
"--dot-forwarder", "1.1.1.1#cloudflare-dns.com"
]
tasks.install_master(cls.master, extra_args=args)
+
+ def test_check_dot_forwarder_added_in_ipa_conf(self):
+ """
+ This test checks that forwarders is listed in
+ dnsserver-show command and also the dot forwarder is
+ added to unbound and included in
+ /etc/unbound/conf.d/zzz-ipa.conf
+ """
+ msg = 'Forwarders: 127.0.0.55'
+ cmd1 = self.master.run_command(
+ ["ipa", "dnsserver-show", self.master.hostname]
+ )
+ assert msg in cmd1.stdout_text
+ contents = self.master.get_file_contents(
+ paths.UNBOUND_CONF, encoding='utf-8'
+ )
+ assert 'forward-addr: 1.1.1.1#cloudflare-dns.com' in contents
--
2.49.0

147
0104-Fix-some-issues-identified-by-a-static-analyzer.patch Normal file
View File

@ -0,0 +1,147 @@
From 777f4c0ed631f70b64f6a972e7e6cb140155ef1f Mon Sep 17 00:00:00 2001
From: Rob Crittenden <rcritten@redhat.com>
Date: Thu, 8 May 2025 13:55:34 -0400
Subject: [PATCH] Fix some issues identified by a static analyzer
Remove resource leak when reading the IPA config in ipa-getkeytab
Free popt in ipa-getkeytab
Initialize ret in ipa-otpd/passkey.c
Use the correct free function in util/ipa_krb5.c
Related: https://pagure.io/freeipa/issue/9468
Fixes: https://pagure.io/freeipa/issue/9365
Signed-off-by: Rob Crittenden <rcritten@redhat.com>
Reviewed-By: David Hanina <dhanina@redhat.com>
---
client/ipa-getkeytab.c | 13 ++++++++++++-
daemons/ipa-otpd/passkey.c | 2 +-
util/ipa_krb5.c | 2 +-
3 files changed, 14 insertions(+), 3 deletions(-)
diff --git a/client/ipa-getkeytab.c b/client/ipa-getkeytab.c
index 228b981c2c38c5f9227d84cbae20f598564b5dcf..8ca4b8130cd668cbbc03e969399b5fe47ce42f1e 100644
--- a/client/ipa-getkeytab.c
+++ b/client/ipa-getkeytab.c
@@ -866,6 +866,7 @@ static int read_ipa_config(struct ipa_config **ipacfg)
(*ipacfg)->domain = ini_get_string_config_value(obj, &ret);
}
+ ini_config_destroy(cfgctx);
return 0;
}
@@ -984,7 +985,7 @@ int main(int argc, const char *argv[])
krb5_context krbctx;
krb5_ccache ccache;
krb5_principal uprinc = NULL;
- krb5_principal sprinc;
+ krb5_principal sprinc = NULL;
krb5_error_code krberr;
struct keys_container keys = { 0 };
krb5_keytab kt;
@@ -1026,6 +1027,7 @@ int main(int argc, const char *argv[])
fprintf(stdout, "%s\n", enc);
}
ipa_krb5_free_ktypes(krbctx, ktypes);
+ poptFreeContext(pc);
exit (0);
}
@@ -1033,6 +1035,7 @@ int main(int argc, const char *argv[])
if (!quiet) {
poptPrintUsage(pc, stderr, 0);
}
+ poptFreeContext(pc);
exit(2);
}
@@ -1041,12 +1044,14 @@ int main(int argc, const char *argv[])
if (!quiet) {
poptPrintUsage(pc, stderr, 0);
}
+ poptFreeContext(pc);
exit(2);
}
if (askbindpw) {
bindpw = ask_password(krbctx, _("Enter LDAP password"), NULL, false);
if (!bindpw) {
+ poptFreeContext(pc);
exit(2);
}
}
@@ -1056,6 +1061,7 @@ int main(int argc, const char *argv[])
_("Bind password required when using a bind DN (-w or -W).\n"));
if (!quiet)
poptPrintUsage(pc, stderr, 0);
+ poptFreeContext(pc);
exit(10);
}
@@ -1064,6 +1070,7 @@ int main(int argc, const char *argv[])
"and bind DN simultaneously.\n"));
if (!quiet)
poptPrintUsage(pc, stderr, 0);
+ poptFreeContext(pc);
exit(2);
}
@@ -1071,6 +1078,7 @@ int main(int argc, const char *argv[])
fprintf(stderr, _("Invalid SASL bind mechanism\n"));
if (!quiet)
poptPrintUsage(pc, stderr, 0);
+ poptFreeContext(pc);
exit(2);
}
@@ -1083,8 +1091,10 @@ int main(int argc, const char *argv[])
"simultaneously.\n"));
if (!quiet)
poptPrintUsage(pc, stderr, 0);
+ poptFreeContext(pc);
exit(2);
}
+ poptFreeContext(pc);
if (server && (strcasecmp(server, "_srv_") == 0)) {
struct srvrec *srvrecs, *srv;
@@ -1119,6 +1129,7 @@ int main(int argc, const char *argv[])
/* Discovery failed, fall through to option methods */
server = NULL;
}
+ free(ipacfg);
}
if (!server && !ldap_uri) {
diff --git a/daemons/ipa-otpd/passkey.c b/daemons/ipa-otpd/passkey.c
index 8351f0fcf9e2245a83563eefe2c17b04c5b9f4e3..ad3c45467ba9af46cf2e333e2dbfd938c8c8d643 100644
--- a/daemons/ipa-otpd/passkey.c
+++ b/daemons/ipa-otpd/passkey.c
@@ -307,7 +307,7 @@ bool is_passkey(struct otpd_queue_item *item)
static json_t *ipa_passkey_to_json_array(char **ipa_passkey)
{
- int ret;
+ int ret = 0;
const char *sep;
char *start;
size_t c;
diff --git a/util/ipa_krb5.c b/util/ipa_krb5.c
index bb98ab897cf8ea933c025bdb9abf7d394cae4583..0087e53e689fc4dc5549908b3eadd6d963d94489 100644
--- a/util/ipa_krb5.c
+++ b/util/ipa_krb5.c
@@ -80,7 +80,7 @@ static krb5_error_code ipa_get_random_salt(krb5_context krbctx,
void
ipa_krb5_free_ktypes(krb5_context context, krb5_enctype *val)
{
- free(val);
+ krb5_free_enctypes(context, val);
}
/*
--
2.49.0

30
0105-ipatests-Ignore-run-log-journal-in-test_uninstallati.patch Normal file
View File

@ -0,0 +1,30 @@
From a31654e5c4ba61177928abede5885a247365d067 Mon Sep 17 00:00:00 2001
From: PRANAV THUBE <pthube@redhat.com>
Date: Mon, 19 May 2025 14:46:19 +0530
Subject: [PATCH] ipatests: Ignore /run/log/journal in test_uninstallation.py
Update - Add /run/log/journal to the allowed list for leftover files/directories
Fixes: https://pagure.io/freeipa/issue/9788
Signed-off-by: PRANAV THUBE <pthube@redhat.com>
Reviewed-By: Florence Blanc-Renaud <flo@redhat.com>
---
ipatests/test_integration/test_uninstallation.py | 1 +
1 file changed, 1 insertion(+)
diff --git a/ipatests/test_integration/test_uninstallation.py b/ipatests/test_integration/test_uninstallation.py
index 049c50db536ae1070f5f958e76b12a1518da0aba..f1cc1917dd0f216be3b11803554e86d1d22c3888 100644
--- a/ipatests/test_integration/test_uninstallation.py
+++ b/ipatests/test_integration/test_uninstallation.py
@@ -178,6 +178,7 @@ class TestUninstallCleanup(IntegrationTest):
'/var/log',
'/var/tmp/systemd-private',
'/run/systemd',
+ '/run/log/journal',
'/var/lib/authselect/backups/pre_ipaclient',
'/var/named/data/named.run',
paths.DNSSEC_SOFTHSM_PIN_SO, # See commit eb54814741
--
2.49.0

77
0106-ipatests-Tests-for-krbLastSuccessfulAuth-warning.patch Normal file
View File

@ -0,0 +1,77 @@
From 3ba0f6a34cb018a36bc548667e2b433d05da6a45 Mon Sep 17 00:00:00 2001
From: Sudhir Menon <sumenon@redhat.com>
Date: Tue, 6 May 2025 15:37:54 +0530
Subject: [PATCH] ipatests: Tests for krbLastSuccessfulAuth warning
This testcase checks that ipa-healthcheck issues
warning when ipaconfigstring=AllowNThash
Ref: https://github.com/freeipa/freeipa-healthcheck/issues/315
Signed-off-by: Sudhir Menon <sumenon@redhat.com>
Reviewed-By: Florence Blanc-Renaud <flo@redhat.com>
---
.../test_integration/test_ipahealthcheck.py | 40 ++++++++++++++++++-
1 file changed, 39 insertions(+), 1 deletion(-)
diff --git a/ipatests/test_integration/test_ipahealthcheck.py b/ipatests/test_integration/test_ipahealthcheck.py
index b8ee2884de51a2e0b2dcf2991452486c29c4ed00..0ebc7149f88394bf6b6355adbb88b3ad92697517 100644
--- a/ipatests/test_integration/test_ipahealthcheck.py
+++ b/ipatests/test_integration/test_ipahealthcheck.py
@@ -1526,6 +1526,45 @@ class TestIpaHealthCheck(IntegrationTest):
]
)
+ @pytest.fixture
+ def change_pwd_plugin_default(self):
+ """
+ Fixture to change the password plugin feature
+ to AllowNThash and change it to default
+ """
+ self.master.run_command(
+ [
+ "ipa", "config-mod", "--delattr",
+ "ipaconfigstring=KDC:Disable Last Success"
+ ]
+ )
+ yield
+ self.master.run_command(
+ [
+ "ipa", "config-mod", "--addattr",
+ "ipaconfigstring=KDC:Disable Last Success"
+ ]
+ )
+
+ def test_krbLastSuccessfulAuth_warning(self, change_pwd_plugin_default):
+ """
+ This test checks that warning message is displayed
+ when password plugin feature is modified to
+ AllowNThash
+ """
+ err_msg = (
+ "Last Successful Auth is enabled. "
+ "It may cause performance problems."
+ )
+ returncode, data = run_healthcheck(
+ self.master, "ipahealthcheck.ipa.config",
+ "IPAkrbLastSuccessfulAuth",
+ )
+ assert returncode == 1
+ for check in data:
+ assert check["result"] == "WARNING"
+ assert check["kw"]["msg"] == err_msg
+
@pytest.fixture
def expire_cert_critical(self):
"""
@@ -1553,7 +1592,6 @@ class TestIpaHealthCheck(IntegrationTest):
assert "Expired Certificate" in check["kw"]["items"]
assert check["kw"]["msg"] == msg
-
def test_ipa_healthcheck_expiring(self, restart_service):
"""
There are two overlapping tests for expiring certs, check both.
--
2.49.0

82
0107-ipatests-ipahealthcheck-warns-for-user-provided-cert.patch Normal file
View File

@ -0,0 +1,82 @@
From cef199631109b91462bf25ae8893ca8980faf5bf Mon Sep 17 00:00:00 2001
From: Sudhir Menon <sumenon@redhat.com>
Date: Wed, 21 May 2025 17:20:04 +0530
Subject: [PATCH] ipatests: ipahealthcheck warns for user provided certificates
about to expire
This patch tests that ipa-healthcheck tools warns when IPA server is
installed CALess and user provided certificates are about to expire.
Signed-off-by: Sudhir Menon <sumenon@redhat.com>
Reviewed-By: Florence Blanc-Renaud <flo@redhat.com>
Reviewed-By: Florence Blanc-Renaud <flo@redhat.com>
---
.../test_integration/test_ipahealthcheck.py | 48 +++++++++++++++++++
1 file changed, 48 insertions(+)
diff --git a/ipatests/test_integration/test_ipahealthcheck.py b/ipatests/test_integration/test_ipahealthcheck.py
index 0ebc7149f88394bf6b6355adbb88b3ad92697517..13fcc3d43545590e025598fcc9c9ee40f62dae76 100644
--- a/ipatests/test_integration/test_ipahealthcheck.py
+++ b/ipatests/test_integration/test_ipahealthcheck.py
@@ -26,6 +26,7 @@ from ipatests.pytest_ipa.integration import tasks
from ipaplatform.paths import paths
from ipaplatform.osinfo import osinfo
from ipaserver.install.installutils import resolve_ip_addresses_nss
+from ipatests.test_integration.test_caless import CALessBase
from ipatests.test_integration.base import IntegrationTest
from pkg_resources import parse_version
from ipatests.test_integration.test_cert import get_certmonger_fs_id
@@ -3135,3 +3136,50 @@ class TestIpaHealthCheckSingleMaster(IntegrationTest):
finally:
# cleanup
tasks.uninstall_master(self.master)
+
+
+class TestIPAHealthcheckWithCALess(CALessBase):
+ """
+ Install CALess server with user provided certificate.
+ """
+ num_replicas = 0
+
+ @classmethod
+ def install(cls, mh):
+ super(TestIPAHealthcheckWithCALess, cls).install(mh)
+ cls.create_pkcs12('ca1/server')
+ cls.prepare_cacert('ca1')
+ result = cls.install_server()
+ assert result.returncode == 0
+
+ @pytest.fixture
+ def expire_cert_warn(self):
+ """
+ Fixture to move the cert to about to expire, by moving the
+ system date using date -s command and revert it back
+ """
+ self.master.run_command(['date','-s', '+11Months10Days'])
+ yield
+ self.master.run_command(['date','-s', '-11Months10Days'])
+ self.master.run_command(['ipactl', 'restart'])
+
+ def test_ipahealthcheck_warns_on_expired_user_certs(self, expire_cert_warn):
+ """
+ This testcase checks that ipa-healthcheck warns
+ on expiring user-provided certificates.
+ """
+ msg = (
+ 'Request id {key} expires in {days} days. '
+ 'You need to manually renew this certificate.'
+ )
+ returncode, data = run_healthcheck(
+ self.master, "ipahealthcheck.ipa.certs",
+ "IPAUserProvidedExpirationCheck",
+ )
+ assert returncode == 1
+ certs = [d["kw"]["key"] for d in data]
+ assert set(certs) == {'HTTP', 'LDAP', 'KDC'}
+ for check in data:
+ assert check["result"] == "WARNING"
+ assert check["kw"]["key"] in ("LDAP", "HTTP", "KDC")
+ assert check["kw"]["msg"] == msg
--
2.49.0

278
0108-Warn-when-UID-is-out-of-local-ID-ranges.patch Normal file
View File

@ -0,0 +1,278 @@
From 0c98af9f70c62da3d3dea02b91a9330a5f9f669a Mon Sep 17 00:00:00 2001
From: David Hanina <dhanina@redhat.com>
Date: Thu, 22 May 2025 08:25:07 +0200
Subject: [PATCH] Warn when UID is out of local ID ranges
Provides simple warning when creating new user with uid out of
all local ranges, as this is the main culprit of breaking Kerberos, by
not generating ipantsecurityidentifier. We don't have to check for
user-mod, because modification never changes ipantsecurityidentifier.
We do not have to check groups, as groups are ignored for ipa without
AD trust. It's reasonable to revisit this in the future for group
creation and warn against groups out of ranges as well as
warn for users with groups without SID, in case AD trust is enabled.
Fixes: https://pagure.io/freeipa/issue/9781
Signed-off-by: David Hanina <dhanina@redhat.com>
Reviewed-By: Florence Blanc-Renaud <flo@redhat.com>
Reviewed-By: Rob Crittenden <rcritten@redhat.com>
---
ipalib/messages.py | 12 +++++
ipaserver/plugins/baseuser.py | 29 +++++++++++-
ipatests/test_xmlrpc/test_stageuser_plugin.py | 45 ++++++++++++++++++-
ipatests/test_xmlrpc/test_user_plugin.py | 43 ++++++++++++++++++
.../test_xmlrpc/tracker/stageuser_plugin.py | 22 +++++++++
5 files changed, 148 insertions(+), 3 deletions(-)
diff --git a/ipalib/messages.py b/ipalib/messages.py
index 6a70bbc7556126748cc2ec031fc2af36bfe76f74..a440ca6221d00e6d753c94f87396fc5d7ae177b5 100644
--- a/ipalib/messages.py
+++ b/ipalib/messages.py
@@ -519,6 +519,18 @@ class ServerUpgradeRequired(PublicMessage):
)
+class UidNumberOutOfLocalIDRange(PublicMessage):
+ """
+ **13034** UID Number is out of all local ID Ranges
+ """
+ errno = 13034
+ type = "warning"
+ format = _(
+ "User '%(user)s', with UID Number '%(uidnumber)d' is out of all ID "
+ "Ranges, 'SID' will not be correctly generated."
+ )
+
+
def iter_messages(variables, base):
"""Return a tuple with all subclasses
"""
diff --git a/ipaserver/plugins/baseuser.py b/ipaserver/plugins/baseuser.py
index 22393b8f6c5d3e40b57f11947d0a0358d3a087bc..21e05d4d983502fde76af549594d678d51451e9c 100644
--- a/ipaserver/plugins/baseuser.py
+++ b/ipaserver/plugins/baseuser.py
@@ -23,7 +23,7 @@ from cryptography.hazmat.primitives.serialization import load_pem_public_key
import re
import six
-from ipalib import api, errors, constants
+from ipalib import api, errors, constants, messages
from ipalib import (
Flag, Int, Password, Str, Bool, StrEnum, DateTime, DNParam)
from ipalib.parameters import Principal, Certificate, MAX_UINT32
@@ -198,6 +198,22 @@ def validate_passkey(ugettext, key):
return None
+def is_in_local_idrange(uidnumber):
+ result = api.Command.idrange_find(
+ iparangetype='ipa-local',
+ sizelimit=0,
+ )
+
+ for r in result['result']:
+ if 'ipabaserid' in r:
+ ipabaseid = int(r['ipabaseid'][0])
+ ipaidrangesize = int(r['ipaidrangesize'][0])
+ if ipabaseid <= uidnumber < ipabaseid + ipaidrangesize:
+ return True
+
+ return False
+
+
class baseuser(LDAPObject):
"""
baseuser object.
@@ -621,6 +637,17 @@ class baseuser_add(LDAPCreate):
add_missing_object_class(ldap, 'ipaidpuser', dn,
entry_attrs, update=False)
+ # Check and warn if we're out of local idrange
+ # Skip dynamically assigned uid, old clients say 999
+ uidnumber = entry_attrs.get('uidnumber')
+ if (
+ uidnumber != -1
+ and uidnumber != 999
+ and not is_in_local_idrange(uidnumber)
+ ):
+ self.add_message(messages.UidNumberOutOfLocalIDRange(
+ user=entry_attrs.get('uid'), uidnumber=uidnumber))
+
def post_common_callback(self, ldap, dn, entry_attrs, *keys, **options):
assert isinstance(dn, DN)
self.obj.convert_usercertificate_post(entry_attrs, **options)
diff --git a/ipatests/test_xmlrpc/test_stageuser_plugin.py b/ipatests/test_xmlrpc/test_stageuser_plugin.py
index 6ed593fbf24dd2e8ce087625b9cb4c21c9a3c145..dc4940a9983a410640d93efb1185ed4d394a8c2c 100644
--- a/ipatests/test_xmlrpc/test_stageuser_plugin.py
+++ b/ipatests/test_xmlrpc/test_stageuser_plugin.py
@@ -80,9 +80,7 @@ options_def = OrderedDict([
('car license', {u'carlicense': u'abc1234'}),
('SSH key', {u'ipasshpubkey': sshpubkey}),
('manager', {u'manager': u'auser1'}),
- ('user ID number', {u'uidnumber': uid}),
('group ID number', {u'gidnumber': gid}),
- ('UID and GID numbers', {u'uidnumber': uid, u'gidnumber': gid}),
('password', {u'userpassword': u'Secret123'}),
('random password', {u'random': True}),
])
@@ -90,6 +88,13 @@ options_def = OrderedDict([
options_ok = list(options_def.values())
options_ids = list(options_def.keys())
+warn_options_def = OrderedDict([
+ ('user ID number', {u'uidnumber': uid}),
+ ('UID and GID numbers', {u'uidnumber': uid, u'gidnumber': gid}),
+])
+
+warn_options_ok = list(warn_options_def.values())
+warn_options_ids = list(warn_options_def.keys())
@pytest.fixture(scope='class')
def stageduser(request, xmlrpc_setup):
@@ -108,6 +113,12 @@ def stageduser2(request, xmlrpc_setup):
return tracker.make_fixture_activate(request)
+@pytest.fixture(scope='class', params=warn_options_ok, ids=warn_options_ids)
+def warn_stageduser(request, xmlrpc_setup):
+ tracker = StageUserTracker(u'warnuser', u'staged', u'user', **request.param)
+ return tracker.make_fixture_activate(request)
+
+
@pytest.fixture(scope='class')
def user_activated(request, xmlrpc_setup):
tracker = UserTracker(u'suser2', u'staged', u'user')
@@ -273,6 +284,36 @@ class TestStagedUser(XMLRPC_test):
user_activated.delete()
+ def test_warn_create_with_attr(self, warn_stageduser, user, user_activated):
+ """ Tests creating a user with various valid attributes that throw
+ a warning listed in 'warn_options_ok' list"""
+ # create staged user with specified parameters
+ user.ensure_exists() # necessary for manager test
+ warn_stageduser.ensure_missing()
+ command = warn_stageduser.make_create_command()
+ result = command()
+ warn_stageduser.track_create()
+ warn_stageduser.check_create_with_warning(result, (13034,))
+
+ # activate user, verify that specified values were preserved
+ # after activation
+ user_activated.ensure_missing()
+ user_activated = UserTracker(
+ warn_stageduser.uid, warn_stageduser.givenname,
+ warn_stageduser.sn, **warn_stageduser.kwargs)
+ user_activated.create_from_staged(warn_stageduser)
+ command = warn_stageduser.make_activate_command()
+ result = command()
+ user_activated.check_activate(result)
+
+ # verify the staged user does not exist after activation
+ command = warn_stageduser.make_retrieve_command()
+ with raises_exact(errors.NotFound(
+ reason=u'%s: stage user not found' % warn_stageduser.uid)):
+ command()
+
+ user_activated.delete()
+
def test_delete_stageduser(self, stageduser):
stageduser.delete()
diff --git a/ipatests/test_xmlrpc/test_user_plugin.py b/ipatests/test_xmlrpc/test_user_plugin.py
index c0415cae6eb0389c91b804ab28dc2d9f131930c6..420c80213177dc513e10451c0c53506e879ba93f 100644
--- a/ipatests/test_xmlrpc/test_user_plugin.py
+++ b/ipatests/test_xmlrpc/test_user_plugin.py
@@ -826,6 +826,49 @@ class TestCreate(XMLRPC_test):
user_idp.check_create(result, ['ipaidpsub'])
user_idp.delete()
+ def test_out_of_idrange(self):
+ """Test ensuring warning is thrown when uid is out of range"""
+ uidnumber = 2000
+ testuser = UserTracker(
+ name="testwarning", givenname="test",
+ sn="warning", uidnumber=uidnumber
+ )
+ testuser.attrs.update(
+ uidnumber=[u'2000'],
+ )
+ command = testuser.make_create_command()
+ result = command()
+ result_messages = result['messages']
+ assert len(result_messages) == 1
+ assert result_messages[0]['type'] == 'warning'
+ assert result_messages[0]['code'] == 13034
+ testuser.delete()
+
+ def test_in_idrange(self):
+ """Test ensuring no warning is thrown when uid is in range"""
+ result = api.Command.idrange_find(
+ iparangetype='ipa-local',
+ sizelimit=0,
+ )
+
+ assert len(result) >= 1
+ ipabaseid = int(result['result'][0]['ipabaseid'][0])
+ ipaidrangesize = int(result['result'][0]['ipaidrangesize'][0])
+
+ # Take the last valid id, as we're not sure which has not yet been used
+ valid_id = ipabaseid + ipaidrangesize - 1
+ testuser = UserTracker(
+ name="testnowarning", givenname="test",
+ sn="nowarning", uidnumber=valid_id
+ )
+ testuser.attrs.update(
+ uidnumber=[str(valid_id)],
+ )
+ command = testuser.make_create_command()
+ result = command()
+ assert "messages" not in result
+ testuser.delete()
+
@pytest.mark.tier1
class TestUserWithGroup(XMLRPC_test):
diff --git a/ipatests/test_xmlrpc/tracker/stageuser_plugin.py b/ipatests/test_xmlrpc/tracker/stageuser_plugin.py
index 17744a98e9d4a8c5939e9c912b348689674becd9..93157ba3a44362c56a955c3d52d0d18678a9bc5d 100644
--- a/ipatests/test_xmlrpc/tracker/stageuser_plugin.py
+++ b/ipatests/test_xmlrpc/tracker/stageuser_plugin.py
@@ -3,6 +3,7 @@
#
import six
+import copy
from ipalib import api, errors
from ipaplatform.constants import constants as platformconstants
@@ -187,6 +188,27 @@ class StageUserTracker(PasskeyMixin, KerberosAliasMixin, Tracker):
result=self.filter_attrs(expected),
), result)
+ def check_create_with_warning(self, result,
+ warning_codes=(), extra_keys=()):
+ """ Check 'stageuser-add' command result """
+ expected = self.filter_attrs(self.create_keys | set(extra_keys))
+
+ result = copy.deepcopy(result)
+ assert 'messages' in result
+ assert len(result['messages']) == len(warning_codes)
+ codes = [message['code'] for message in result['messages']]
+ for code in warning_codes:
+ assert code in codes
+ codes.pop(codes.index(code))
+
+ del result['messages']
+
+ assert_deepequal(dict(
+ value=self.uid,
+ summary=u'Added stage user "%s"' % self.uid,
+ result=self.filter_attrs(expected),
+ ), result)
+
def check_delete(self, result):
""" Check 'stageuser-del' command result """
assert_deepequal(dict(
--
2.49.0

80
0109-ipatests-fix-invalid-range-creation-in-test_ipa_idra.patch Normal file
View File

@ -0,0 +1,80 @@
From 0155718308fa58f43f2ec8df240c1df1c929195e Mon Sep 17 00:00:00 2001
From: Florence Blanc-Renaud <flo@redhat.com>
Date: Mon, 2 Jun 2025 14:47:48 +0200
Subject: [PATCH] ipatests: fix invalid range creation in
test_ipa_idrange_fix.py
The test is creating a local ID range without rid-base and
secondary-rid-base in order to test the behavior of ipa-idrange-fix.
Since the patch for ticket #9779 it is not possible any more to call
ipa idrange-add for local range without these parameters. The test needs
to create the invalid local range using a direct ldapmodify instead.
Fixes: https://pagure.io/freeipa/issue/9801
Signed-off-by: Florence Blanc-Renaud <flo@redhat.com>
Reviewed-By: David Hanina <dhanina@redhat.com>
---
.../test_integration/test_ipa_idrange_fix.py | 39 ++++++++++++-------
1 file changed, 25 insertions(+), 14 deletions(-)
diff --git a/ipatests/test_integration/test_ipa_idrange_fix.py b/ipatests/test_integration/test_ipa_idrange_fix.py
index 0c915bd0931ed11a3aa86c533ee8748aa8a7ec07..6559818d3b290211ed421b652be7a424a3b51052 100644
--- a/ipatests/test_integration/test_ipa_idrange_fix.py
+++ b/ipatests/test_integration/test_ipa_idrange_fix.py
@@ -40,13 +40,18 @@ class TestIpaIdrangeFix(IntegrationTest):
def test_idrange_no_rid_bases(self):
"""Test ipa-idrange-fix command with IDrange with no RID bases."""
- self.master.run_command([
- "ipa",
- "idrange-add",
- "idrange_no_rid_bases",
- "--base-id", '10000',
- "--range-size", '20000',
- ])
+ # Use ldapmodify to create the range without rid bases
+ idrange_ldif = (
+ "dn: cn=idrange_no_rid_bases,cn=ranges,cn=etc,{suffix}\n"
+ "changetype: add\n"
+ "objectclass: top\n"
+ "objectclass: ipaIDrange\n"
+ "objectclass: ipadomainidrange\n"
+ "ipaRangeType: ipa-local\n"
+ "ipaBaseID: 10000\n"
+ "ipaIDRangeSize: 20000\n"
+ ).format(suffix=str(self.master.domain.basedn))
+ tasks.ldapmodify_dm(self.master, idrange_ldif)
result = self.master.run_command(["ipa-idrange-fix", "--unattended"])
expected_text = "RID bases updated for range 'idrange_no_rid_bases'"
@@ -62,13 +67,19 @@ class TestIpaIdrangeFix(IntegrationTest):
previously had a range with RID bases reversed - secondary lower than
primary. It is a valid configuration, so we should fix no-RID range.
"""
- self.master.run_command([
- "ipa",
- "idrange-add",
- "idrange_no_rid_bases",
- "--base-id", '10000',
- "--range-size", '20000',
- ])
+ # Use ldapmodify to create the range without rid bases
+ idrange_ldif = (
+ "dn: cn=idrange_no_rid_bases,cn=ranges,cn=etc,{suffix}\n"
+ "changetype: add\n"
+ "objectclass: top\n"
+ "objectclass: ipaIDrange\n"
+ "objectclass: ipadomainidrange\n"
+ "ipaRangeType: ipa-local\n"
+ "ipaBaseID: 10000\n"
+ "ipaIDRangeSize: 20000\n"
+ ).format(suffix=str(self.master.domain.basedn))
+ tasks.ldapmodify_dm(self.master, idrange_ldif)
+
self.master.run_command([
"ipa",
"idrange-add",
--
2.49.0

43
0110-ipatests-fix-xfail-annotation-for-test_ipa_healthche.patch Normal file
View File

@ -0,0 +1,43 @@
From 982569fcb3d23d6e6578e5efbaafb99c32542a8d Mon Sep 17 00:00:00 2001
From: Florence Blanc-Renaud <flo@redhat.com>
Date: Tue, 20 May 2025 13:58:54 +0200
Subject: [PATCH] ipatests: fix xfail annotation for
test_ipa_healthcheck_fips_enabled
The test is expected to fail
- on rhel 10.0 with ipa-healthcheck < 0.17
On Fedora 41, the command fips-mode-check is still available.
On Fedora 42, it has been removed but ipa-healthcheck 0.18 has
been adapted.
Fixes: https://pagure.io/freeipa/issue/9791
Signed-off-by: Florence Blanc-Renaud <flo@redhat.com>
Reviewed-By: David Hanina <dhanina@redhat.com>
Reviewed-By: Rob Crittenden <rcritten@redhat.com>
---
ipatests/test_integration/test_ipahealthcheck.py | 6 +++---
1 file changed, 3 insertions(+), 3 deletions(-)
diff --git a/ipatests/test_integration/test_ipahealthcheck.py b/ipatests/test_integration/test_ipahealthcheck.py
index 13fcc3d43545590e025598fcc9c9ee40f62dae76..3dcc22411347b98853ef8b9551cc33f05ff13195 100644
--- a/ipatests/test_integration/test_ipahealthcheck.py
+++ b/ipatests/test_integration/test_ipahealthcheck.py
@@ -375,11 +375,11 @@ class TestIpaHealthCheck(IntegrationTest):
if (
parse_version(healthcheck_version) < parse_version("0.17")
and osinfo.id == 'rhel'
- and osinfo.version_number >= (10,0)
+ and osinfo.version_number == (10,0)
):
# Patch: https://github.com/freeipa/freeipa-healthcheck/pull/349
- pytest.xfail("Patch is unavailable for RHEL 10.0 and above"
- "freeipa-healtheck version 0.16 or less")
+ pytest.skip("Patch is unavailable for RHEL 10.0 "
+ "freeipa-healthcheck version 0.16 or less")
returncode, check = run_healthcheck(self.master,
source="ipahealthcheck.meta.core",
--
2.49.0

34
0111-ipatests-certbot-removed-the-manual-public-ip-loggin.patch Normal file
View File

@ -0,0 +1,34 @@
From 8ecf75b29429aa6f9e0fc0abfb1d74068b5d4f48 Mon Sep 17 00:00:00 2001
From: Florence Blanc-Renaud <flo@redhat.com>
Date: Mon, 6 Jan 2025 14:37:42 +0100
Subject: [PATCH] ipatests: certbot removed the --manual-public-ip-logging-ok
parameter
The certbot CLI has deprecated the parameter --manual-public-ip-logging-ok
and finally removed it from certbot 3.0.
The test test_acme.py is using this parameter and fails in rawhide.
Do not use this parameter any more.
Fixes: https://pagure.io/freeipa/issue/9724
Signed-off-by: Florence Blanc-Renaud <flo@redhat.com>
Reviewed-By: Rob Crittenden <rcritten@redhat.com>
---
ipatests/test_integration/test_acme.py | 1 -
1 file changed, 1 deletion(-)
diff --git a/ipatests/test_integration/test_acme.py b/ipatests/test_integration/test_acme.py
index 4032d266a8dc72fae6ee11857c306aa3a21e51bc..b0d79182cfc98d23333266ee4c3d710bfffb4d73 100644
--- a/ipatests/test_integration/test_acme.py
+++ b/ipatests/test_integration/test_acme.py
@@ -311,7 +311,6 @@ class TestACME(CALessBase):
'--domain', self.clients[0].hostname,
'--preferred-challenges', 'dns',
'--manual',
- '--manual-public-ip-logging-ok',
'--manual-auth-hook', CERTBOT_DNS_IPA_SCRIPT,
'--manual-cleanup-hook', CERTBOT_DNS_IPA_SCRIPT,
'--key-type', 'rsa',
--
2.50.0

45
0112-ipatests-adapt-error-code-and-message-for-samba-4.22.patch Normal file
View File

@ -0,0 +1,45 @@
From d03164fc104588e88ad75483e7233b7fccacabb6 Mon Sep 17 00:00:00 2001
From: Florence Blanc-Renaud <flo@redhat.com>
Date: Thu, 6 Mar 2025 15:58:53 +0100
Subject: [PATCH] ipatests: adapt error code and message for samba 4.22
When establishing trust with an unreachable AD domain controller,
the error code and message have changed with samba 4.22.
Update the test to be compatible with any version of samba.
Fixes: https://pagure.io/freeipa/issue/9751
Signed-off-by: Florence Blanc-Renaud <flo@redhat.com>
Reviewed-By: Alexander Bokovoy <abokovoy@redhat.com>
---
ipatests/test_integration/test_trust.py | 14 ++++++++++++--
1 file changed, 12 insertions(+), 2 deletions(-)
diff --git a/ipatests/test_integration/test_trust.py b/ipatests/test_integration/test_trust.py
index f71ec377b429b104241e85a3d04ee42c6721494c..4086cb30ac5d52ee595c1ecdbe86a8d511cbb704 100644
--- a/ipatests/test_integration/test_trust.py
+++ b/ipatests/test_integration/test_trust.py
@@ -1072,8 +1072,18 @@ class TestTrust(BaseTestTrust):
paths.VAR_LOG_HTTPD_ERROR,
encoding='utf-8'
)
- assert 'CIFS server communication error: code "3221225653", ' \
- 'message "{Device Timeout}' in httpd_error_log
+
+ # The error code and message changed in samba 4.22
+ old_msg = 'CIFS server communication error: code "3221225653", ' \
+ 'message "{Device Timeout}'
+ new_msg = 'CIFS server communication error: code "3221226021", ' \
+ 'message "The object was not found."'
+ result = self.master.run_command(["smbstatus", "-V"]).stdout_text
+ version = result.split()[1]
+ if tasks.parse_version(version) < tasks.parse_version('4.22.0rc4'):
+ assert old_msg in httpd_error_log
+ else:
+ assert new_msg in httpd_error_log
# Check that trust is successfully established with --server option
tasks.establish_trust_with_ad(
--
2.50.0

59
0113-Fix-inconsistency-in-manpage-for-DoT-forwarder-optio.patch Normal file
View File

@ -0,0 +1,59 @@
From d0f6979c0250bdf5299404bf711cef74dd458042 Mon Sep 17 00:00:00 2001
From: Antonio Torres <antorres@redhat.com>
Date: Wed, 4 Jun 2025 09:36:55 +0200
Subject: [PATCH] Fix inconsistency in manpage for DoT forwarder option
The example given in manpages for --dot-forwarder option is inconsistent
to the format that is required.
Fixes: https://pagure.io/freeipa/issue/9804
Signed-off-by: Antonio Torres <antorres@redhat.com>
Reviewed-By: Florence Blanc-Renaud <flo@redhat.com>
---
install/tools/man/ipa-dns-install.1 | 2 +-
install/tools/man/ipa-replica-install.1 | 2 +-
install/tools/man/ipa-server-install.1 | 2 +-
3 files changed, 3 insertions(+), 3 deletions(-)
diff --git a/install/tools/man/ipa-dns-install.1 b/install/tools/man/ipa-dns-install.1
index 6008d2028e1d91a39c8cbffc9e240121d8fd18f5..96eee1ef713a5069804088d68785f333c76b2369 100644
--- a/install/tools/man/ipa-dns-install.1
+++ b/install/tools/man/ipa-dns-install.1
@@ -74,7 +74,7 @@ An unattended installation that will never prompt for user input
Configure DNS over TLS.
.TP
\fB\-\-dot\-forwarder\fR=\fIIP_ADDRESS#HOSTNAME\fR
-Add a DNS-over-TLS-enabled forwarder in the format of ip#hostname, e.g.: dns.example.com#1.2.3.4. This option can be used multiple times.
+Add a DNS-over-TLS-enabled forwarder in the format of ip#hostname, e.g.: 1.2.3.4#dns.example.com. This option can be used multiple times.
.TP
\fB\-\-dns\-over\-tls\-cert\fR=\fIFILE\fR
Certificate to use for DNS over TLS. If empty, a new certificate will be requested from IPA CA.
diff --git a/install/tools/man/ipa-replica-install.1 b/install/tools/man/ipa-replica-install.1
index c55d21253f8d565e04605ea7d632ab9794cdd938..637c5c1b55031c3c1636477f867e519fbe98efeb 100644
--- a/install/tools/man/ipa-replica-install.1
+++ b/install/tools/man/ipa-replica-install.1
@@ -228,7 +228,7 @@ Disable DNSSEC validation on this server.
Configure DNS over TLS.
.TP
\fB\-\-dot\-forwarder\fR=\fIIP_ADDRESS#HOSTNAME\fR
-Add a DNS-over-TLS-enabled forwarder in the format of ip#hostname, e.g.: dns.example.com#1.2.3.4. This option can be used multiple times.
+Add a DNS-over-TLS-enabled forwarder in the format of ip#hostname, e.g.: 1.2.3.4#dns.example.com. This option can be used multiple times.
.TP
\fB\-\-dns\-over\-tls\-cert\fR=\fIFILE\fR
Certificate to use for DNS over TLS. If empty, a new certificate will be requested from IPA CA.
diff --git a/install/tools/man/ipa-server-install.1 b/install/tools/man/ipa-server-install.1
index 84d82531c50f05b9756eee967e13de90caf578f8..b9367ce1194724147a3f88d24f2d42854aff31a3 100644
--- a/install/tools/man/ipa-server-install.1
+++ b/install/tools/man/ipa-server-install.1
@@ -257,7 +257,7 @@ Allow creation of (reverse) zone even if the zone is already resolvable. Using t
Configure DNS over TLS.
.TP
\fB\-\-dot\-forwarder\fR=\fIIP_ADDRESS#HOSTNAME\fR
-Add a DNS-over-TLS-enabled forwarder in the format of ip#hostname, e.g.: dns.example.com#1.2.3.4. This option can be used multiple times.
+Add a DNS-over-TLS-enabled forwarder in the format of ip#hostname, e.g.: 1.2.3.4#dns.example.com. This option can be used multiple times.
.TP
\fB\-\-dns\-over\-tls\-cert\fR=\fIFILE\fR
Certificate to use for DNS over TLS. If empty, a new certificate will be requested from IPA CA.
--
2.50.0

18
10002-Set-krbCanonicalName-admin-REALM-on-the-admin-user.patch → 0114-Set-krbCanonicalName-admin-REALM-on-the-admin-user.patch
View File

@ -1,4 +1,4 @@
From d6d2282f9f1b93ae7fb6e074920e41e64f35ab12 Mon Sep 17 00:00:00 2001
From 796ed20092d554ee0c9e23295e346ec1e8a0bf6e Mon Sep 17 00:00:00 2001
From: Rob Crittenden <rcritten@redhat.com>
Date: Mon, 28 Apr 2025 13:43:40 -0400
Subject: [PATCH] Set krbCanonicalName=admin@REALM on the admin user
@ -26,7 +26,7 @@ Signed-off-by: Rob Crittenden <rcritten@redhat.com>
create mode 100644 ipaserver/install/plugins/add_admin_krbcanonicalname.py
diff --git a/install/share/bootstrap-template.ldif b/install/share/bootstrap-template.ldif
index 325eb8450..94972eb72 100644
index 325eb8450c786899e7b5e4ae2ef8978f42a8425b..94972eb7270fc9224650bd414c740fc2e8f6c149 100644
--- a/install/share/bootstrap-template.ldif
+++ b/install/share/bootstrap-template.ldif
@@ -239,6 +239,7 @@ objectClass: ipasshuser
@ -38,7 +38,7 @@ index 325eb8450..94972eb72 100644
sn: Administrator
uidNumber: $IDSTART
diff --git a/install/updates/90-post_upgrade_plugins.update b/install/updates/90-post_upgrade_plugins.update
index 7c3bba3e0..3d78c7b5a 100644
index 7c3bba3e0317162d4739513e16b9fac973495c66..3d78c7b5a983f418502a7902a53ff8cd8d6847c4 100644
--- a/install/updates/90-post_upgrade_plugins.update
+++ b/install/updates/90-post_upgrade_plugins.update
@@ -25,6 +25,7 @@ plugin: update_mapping_Guests_to_nobody
@ -51,7 +51,7 @@ index 7c3bba3e0..3d78c7b5a 100644
# DNS version 1
diff --git a/ipaserver/install/plugins/add_admin_krbcanonicalname.py b/ipaserver/install/plugins/add_admin_krbcanonicalname.py
new file mode 100644
index 000000000..e9ffdf55a
index 0000000000000000000000000000000000000000..e9ffdf55a3f9a1e182bcadda352eda99e536cf16
--- /dev/null
+++ b/ipaserver/install/plugins/add_admin_krbcanonicalname.py
@@ -0,0 +1,79 @@
@ -135,12 +135,12 @@ index 000000000..e9ffdf55a
+
+ return False, []
diff --git a/ipatests/test_integration/test_commands.py b/ipatests/test_integration/test_commands.py
index 621982c4f..1526a6e0d 100644
index 9cad5772127bcd860aeecc8dabe73d5f160faf7b..ad97affe62e15c68442239d669032f0c84e7f5c9 100644
--- a/ipatests/test_integration/test_commands.py
+++ b/ipatests/test_integration/test_commands.py
@@ -1883,6 +1883,44 @@ class TestIPACommandWithoutReplica(IntegrationTest):
assert old_err_msg not in dirsrv_error_log
assert re.search(new_err_msg, dirsrv_error_log)
@@ -2179,6 +2179,44 @@ class TestIPACommandWithoutReplica(IntegrationTest):
assert isrgrootx1_nick in result
+ def test_unique_krbcanonicalname(self):
+ """Verify that the uniqueness for krbcanonicalname is working"""
@ -184,5 +184,5 @@ index 621982c4f..1526a6e0d 100644
class TestIPAautomount(IntegrationTest):
@classmethod
--
2.48.1
2.50.0

43
0115-ipa-client-install-Fix-nsupdate-issues-when-dns_over.patch Normal file
View File

@ -0,0 +1,43 @@
From 7b4317979080cb8efe901e2ab491f6f4e4ccad15 Mon Sep 17 00:00:00 2001
From: Thomas Woerner <twoerner@redhat.com>
Date: Thu, 12 Jun 2025 17:44:44 +0200
Subject: [PATCH] ipa-client-install: Fix nsupdate issues when dns_over_tls is
enabled
The server commands for nsupdate.txt to define the server with the port
853 have been added for dns_over_tls. These commands do not have a leading
newline. This results in a syntax error as the next line is added to the
command.
Fixes: https://pagure.io/freeipa/issue/9806
Signed-off-by: Thomas Woerner <twoerner@redhat.com>
Reviewed-By: David Hanina <dhanina@redhat.com>
---
ipaclient/install/client.py | 4 ++--
1 file changed, 2 insertions(+), 2 deletions(-)
diff --git a/ipaclient/install/client.py b/ipaclient/install/client.py
index 372daa51e4647023dde76e183189eeebdd9525b8..43a71828335ad655ad067b5320572d40bee1a44b 100644
--- a/ipaclient/install/client.py
+++ b/ipaclient/install/client.py
@@ -1540,7 +1540,7 @@ def update_dns(server, hostname, options):
update_txt = "debug\n"
if options.dns_over_tls:
- update_txt += "server %s 853" % server
+ update_txt += "server %s 853\n" % server
update_txt += ipautil.template_str(DELETE_TEMPLATE_A,
dict(HOSTNAME=hostname))
update_txt += ipautil.template_str(DELETE_TEMPLATE_AAAA,
@@ -1788,7 +1788,7 @@ def update_ssh_keys(hostname, ssh_dir, options, server):
update_txt = 'debug\n'
if options.dns_over_tls:
- update_txt += "server %s 853" % server
+ update_txt += "server %s 853\n" % server
update_txt += 'update delete %s. IN SSHFP\nshow\nsend\n' % hostname
for pubkey in pubkeys:
sshfp = pubkey.fingerprint_dns_sha1()
--
2.50.0

90
0116-ipatests-fix-test_adtrust_install_with_non_ipa_user.patch Normal file
View File

@ -0,0 +1,90 @@
From 39e92c4033d0ecd702281f3ecbeac3b5f654e973 Mon Sep 17 00:00:00 2001
From: Florence Blanc-Renaud <flo@redhat.com>
Date: Thu, 19 Jun 2025 17:17:44 +0200
Subject: [PATCH] ipatests: fix test_adtrust_install_with_non_ipa_user
Fix the test scenario:
create a user with a second krbprincipalname but no
krbcanonical name.
kinit -E with the other name
try ipa-adtrust-install with the other name
It should fail with the error message 'user not found'
Fixes: https://pagure.io/freeipa/issue/9812
Signed-off-by: Florence Blanc-Renaud <flo@redhat.com>
Reviewed-By: Alexander Bokovoy <abbra@users.noreply.github.com>
---
.../test_integration/test_adtrust_install.py | 48 ++++++++++++++-----
1 file changed, 36 insertions(+), 12 deletions(-)
diff --git a/ipatests/test_integration/test_adtrust_install.py b/ipatests/test_integration/test_adtrust_install.py
index 99d3029443ea39bb5f0e333a5087d30291191968..09e227ec8125e90b37d1d92f0512f9819f5b48c3 100644
--- a/ipatests/test_integration/test_adtrust_install.py
+++ b/ipatests/test_integration/test_adtrust_install.py
@@ -360,27 +360,51 @@ class TestIpaAdTrustInstall(IntegrationTest):
assert msg in result.stdout_text
assert result.returncode == 0
- def test_adtrust_install_with_non_ipa_user(self):
+ @pytest.fixture
+ def create_user(self):
+ # create a user with 'othername' as 2nd krbprincipalname but
+ # no krbcanonicalname
+ basedn = self.master.domain.basedn
+ self.test_user = 'idmuser'
+ self.test_alias = 'othername'
+ tasks.create_active_user(
+ self.master, self.test_user, self.master.config.admin_password,
+ first=self.test_user, last=self.test_user)
+ user_update_ldif = textwrap.dedent("""
+ dn: uid={user},cn=users,cn=accounts,{base_dn}
+ changetype: modify
+ add: krbprincipalname
+ krbprincipalname: {alias}@{realm}
+ -
+ delete: krbcanonicalname
+ """.format(base_dn=basedn, user=self.test_user,
+ alias=self.test_alias, realm=self.master.domain.realm))
+ tasks.ldapmodify_dm(self.master, user_update_ldif)
+ yield
+ tasks.kinit_admin(self.master)
+ self.master.run_command(["ipa", "user-del", self.test_user])
+
+ def test_adtrust_install_with_user_missing_krbcanonical(self, create_user):
"""
Test that ipa-adtrust-install command returns
- an error when kinit is done as alias
- i.e root which is not an ipa user.
+ an error when kinit is done as an alias
+ for which there is no krbcanonicalname.
"""
- msg = (
- 'Unrecognized error during check of admin rights: '
- 'root: user not found'
- )
- user = 'root'
+ self.master.run_command(["kdestroy", "-A"])
self.master.run_command(
- ["kinit", "-E", user],
- stdin_text=self.master.config.admin_password
- )
+ ["kinit", "-E", self.test_alias],
+ stdin_text=self.master.config.admin_password)
+
result = self.master.run_command(
- ["ipa-adtrust-install", "-A", user,
+ ["ipa-adtrust-install", "-A", self.test_alias,
"-a", self.master.config.admin_password,
"-U"], raiseonerr=False
)
assert result.returncode != 0
+ msg = (
+ 'Unrecognized error during check of admin rights: '
+ '{alias}: user not found'
+ ).format(alias=self.test_alias)
assert msg in result.stderr_text
def test_adtrust_install_as_regular_ipa_user(self):
--
2.50.0

63
0117-ipa-idrange-fix-check-that-IPA-server-is-installed.patch Normal file
View File

@ -0,0 +1,63 @@
From fba7aa10c8487116075d56c8dedeebefc40b74eb Mon Sep 17 00:00:00 2001
From: Florence Blanc-Renaud <flo@redhat.com>
Date: Mon, 16 Jun 2025 18:15:22 +0200
Subject: [PATCH] ipa-idrange-fix: check that IPA server is installed
If ipa-idrange-fix is called on a system where the server is not configured,
it crashes with a Traceback when trying to access api.env.basedn.
Check that IPA server is configured before processing further
ipatests: add test launching ipa-idrange-fix on unconfigured server
Fixes: https://pagure.io/freeipa/issue/9809
Signed-off-by: Florence Blanc-Renaud <flo@redhat.com>
Reviewed-By: Rob Crittenden <rcritten@redhat.com>
Reviewed-By: David Hanina <dhanina@redhat.com>
---
ipaserver/install/ipa_idrange_fix.py | 3 +++
.../test_integration/test_cli_ipa_not_configured.py | 10 ++++++++++
2 files changed, 13 insertions(+)
diff --git a/ipaserver/install/ipa_idrange_fix.py b/ipaserver/install/ipa_idrange_fix.py
index c6c67ae9330e2d0184efc09d09a84216ef0772a6..cd21ed4281d37b013537174fb4ab9e773382990e 100644
--- a/ipaserver/install/ipa_idrange_fix.py
+++ b/ipaserver/install/ipa_idrange_fix.py
@@ -10,6 +10,7 @@ from ipalib import api, errors
from ipapython.admintool import AdminTool
from ipapython.dn import DN
from ipapython import ipautil
+from ipaserver.install.installutils import check_server_configuration
from typing import List, Tuple
logger = logging.getLogger(__name__)
@@ -169,6 +170,8 @@ for confirmation",
super().validate_options(needs_root)
def run(self):
+ check_server_configuration()
+
api.bootstrap(in_server=True)
api.finalize()
diff --git a/ipatests/test_integration/test_cli_ipa_not_configured.py b/ipatests/test_integration/test_cli_ipa_not_configured.py
index 1bf36d8ee6e9d1e6019786f3b62d79dbce22655e..7c5601247d7d3c98cf6513eecc333de6aa59d704 100644
--- a/ipatests/test_integration/test_cli_ipa_not_configured.py
+++ b/ipatests/test_integration/test_cli_ipa_not_configured.py
@@ -22,3 +22,13 @@ class TestIPANotConfigured(IntegrationTest):
assert (exp_str in cmd.stderr_text and
cmd.returncode == SERVER_NOT_CONFIGURED and
unexp_str not in cmd.stderr_text)
+
+ def test_ipa_idrange_fix(self):
+ """
+ Test for https://pagure.io/freeipa/issue/9809
+ Launch ipa-idrange-fix command when the server is not configured.
+ """
+ exp_str = "IPA is not configured"
+ cmd = self.master.run_command(["ipa-idrange-fix"], raiseonerr=False)
+ assert (exp_str in cmd.stderr_text
+ and cmd.returncode == SERVER_NOT_CONFIGURED)
--
2.50.0

74
0118-ipa-migrate-only-remove-repl-state-attribute-options.patch Normal file
View File

@ -0,0 +1,74 @@
From ceaa1c9a244499534343dc667227e47a923212ee Mon Sep 17 00:00:00 2001
From: Mark Reynolds <mreynolds@redhat.com>
Date: Tue, 17 Jun 2025 12:50:36 -0400
Subject: [PATCH] ipa-migrate - only remove repl state attribute options
Improve how we process attributes that might include replication state
data. Previously we only cared about ";binary" but there are other
attribute options that are used in IPA. Now we completely break down the
attribute into each option and rebuild it without any repl state options
Fixes: https://pagure.io/freeipa/issue/9784
Signed-off-by: Mark Reynolds <mreynolds@redhat.com>
Reviewed-By: Florence Blanc-Renaud <flo@redhat.com>
Reviewed-By: Rob Crittenden <rcritten@redhat.com>
Reviewed-By: Florence Blanc-Renaud <flo@redhat.com>
Reviewed-By: Rob Crittenden <rcritten@redhat.com>
---
ipaserver/install/ipa_migrate.py | 17 +++++++++--------
ipaserver/install/ipa_migrate_constants.py | 2 ++
2 files changed, 11 insertions(+), 8 deletions(-)
diff --git a/ipaserver/install/ipa_migrate.py b/ipaserver/install/ipa_migrate.py
index a24a2ab7a5ffd4cf1d59179f14e2f5d348fd57e2..b26fb66853ce91a139c3193753b34bed1ce2f586 100644
--- a/ipaserver/install/ipa_migrate.py
+++ b/ipaserver/install/ipa_migrate.py
@@ -33,7 +33,7 @@ from ipaserver.install.ipa_migrate_constants import (
DS_CONFIG, DB_OBJECTS, DS_INDEXES, BIND_DN, LOG_FILE_NAME,
STRIP_OP_ATTRS, STRIP_ATTRS, STRIP_OC, PROD_ATTRS,
DNA_REGEN_VAL, DNA_REGEN_ATTRS, IGNORE_ATTRS,
- DB_EXCLUDE_TREES, POLICY_OP_ATTRS
+ DB_EXCLUDE_TREES, POLICY_OP_ATTRS, STATE_OPTIONS
)
"""
@@ -202,14 +202,15 @@ def decode_attr_vals(entry_attrs):
decoded_attrs = {}
for attr in entry_attrs:
vals = ensure_list_str(entry_attrs[attr])
- # Remove replication state data, but don't remove ";binary"
- # e.g. userCertififccate;binary;adcsn=<CSN>
+ # Remove "only" replication state data, but don't remove other attr
+ # options like ";binary"
+ # e.g. userCertificate;binary;adcsn=<CSN>
parts = attr.split(";")
- if len(parts) > 1 and not attr.endswith(";binary"):
- if parts[1] == "binary":
- attr = parts[0] + ";binary"
- else:
- attr = parts[0]
+ attr_parts = [
+ parts[0]] + [p for p in parts[1:]
+ if not any(p.startswith(opt)
+ for opt in STATE_OPTIONS)]
+ attr = (';').join(attr_parts)
decoded_attrs[attr] = vals
return decoded_attrs
diff --git a/ipaserver/install/ipa_migrate_constants.py b/ipaserver/install/ipa_migrate_constants.py
index 4beaa4f42a667ba83008213075b3ded782a83260..19cd5141316d018cf1d81f8db174197f4c5f15ff 100644
--- a/ipaserver/install/ipa_migrate_constants.py
+++ b/ipaserver/install/ipa_migrate_constants.py
@@ -117,6 +117,8 @@ AD_TRUST_ATTRS = [ # ipaNTTrustedDomain objectclass
'ipantadditionalsuffixes',
]
+STATE_OPTIONS = ('adcsn-', 'mdcsn-', 'vucsn-', 'vdcsn-')
+
DNA_REGEN_VAL = "-1"
DNA_REGEN_ATTRS = [
--
2.50.0

108
0122-ipa-client-install-New-no-dnssec-validation-option.patch Normal file
View File

@ -0,0 +1,108 @@
From 5db3bfafe6c12222b656f67d5ae3f6745e5f2644 Mon Sep 17 00:00:00 2001
From: Thomas Woerner <twoerner@redhat.com>
Date: Thu, 12 Jun 2025 16:23:13 +0200
Subject: [PATCH] ipa-client-install: New --no-dnssec-validation option
The new option is needed to be able to deactivate DNSSEC validation
for unbound.
Unbound is by default configured to do DNSSEC validation with the
validator module.
The solution is to set module-config to "iterator".
When the server is built with EDNS client subnet support this should be
changed to "subnetcache iterator" according to the unbound man page.
Fixes: https://pagure.io/freeipa/issue/9805
Signed-off-by: Thomas Woerner <twoerner@redhat.com>
Reviewed-By: Antonio Torres <antorres@redhat.com>
Reviewed-By: Alexander Bokovoy <abbra@users.noreply.github.com>
---
client/man/ipa-client-install.1 | 3 +++
client/share/unbound.conf.template | 1 +
ipaclient/install/client.py | 22 +++++++++++++++++++++-
3 files changed, 25 insertions(+), 1 deletion(-)
diff --git a/client/man/ipa-client-install.1 b/client/man/ipa-client-install.1
index 6833991b83bf60718fc74a12657342715c0fda91..5432c48a993eec6aaf819d9ce2e0e82ff7c1e62a 100644
--- a/client/man/ipa-client-install.1
+++ b/client/man/ipa-client-install.1
@@ -204,6 +204,9 @@ Create DNS A/AAAA record for each IP address on this host.
.TP
\fB\-\-dns\-over\-tls\fR
Configure DNS over TLS.
+.TP
+\fB\-\-no\-dnssec\-validation\fR
+Disable DNSSEC validation for DNS over TLS.
.SS "SSSD OPTIONS"
.TP
diff --git a/client/share/unbound.conf.template b/client/share/unbound.conf.template
index 166036f651ddc5ba88235a41b2c06579348e5286..f611ebb7effc83fa07e797dfbe78568c27847851 100644
--- a/client/share/unbound.conf.template
+++ b/client/share/unbound.conf.template
@@ -3,6 +3,7 @@ server:
tls-upstream: yes
interface: 127.0.0.55
log-servfail: yes
+ ${MODULE_CONFIG_ITERATOR}module-config: "iterator"
forward-zone:
name: "."
forward-tls-upstream: yes
diff --git a/ipaclient/install/client.py b/ipaclient/install/client.py
index 43a71828335ad655ad067b5320572d40bee1a44b..96e91268f54aecf08e0791c91811072e8d6f459f 100644
--- a/ipaclient/install/client.py
+++ b/ipaclient/install/client.py
@@ -1675,13 +1675,17 @@ def client_dns(server, hostname, options):
# setup and enable Unbound as resolver
server_ip = str(list(dnsutil.resolve_ip_addresses(server))[0])
forward_addr = "forward-addr: %s#%s" % (server_ip, server)
+ # module_config_iterator is commented out if DNSSEC validation is
+ # not disabled.
+ module_config_iterator = '' if options.no_dnssec_validation else '# '
ipautil.copy_template_file(
paths.UNBOUND_CONF_SRC,
paths.UNBOUND_CONF,
dict(
TLS_CERT_BUNDLE_PATH=os.path.join(
paths.OPENSSL_CERTS_DIR, "ca-bundle.crt"),
- FORWARD_ADDRS=forward_addr
+ FORWARD_ADDRS=forward_addr,
+ MODULE_CONFIG_ITERATOR=module_config_iterator
)
)
sr = services.knownservices["systemd-resolved"]
@@ -2419,6 +2423,16 @@ def install_check(options):
if not check_ip_addresses(options):
raise ScriptError(rval=CLIENT_INSTALL_ERROR)
+ if options.dns_over_tls \
+ and not services.knownservices["unbound"].is_installed():
+ raise ScriptError(
+ "To enable DNS over TLS, package ipa-client-encrypted-dns must "
+ "be installed.")
+ if options.no_dnssec_validation and not options.dns_over_tls:
+ raise ScriptError(
+ "You can not specify --no-dnssec-validation option without the"
+ "--dns-over-tls option.")
+
# Create the discovery instance
ds = discovery.IPADiscovery()
@@ -4061,6 +4075,12 @@ class ClientInstallInterface(hostname_.HostNameInstallInterface,
)
dns_over_tls = enroll_only(dns_over_tls)
+ no_dnssec_validation = knob(
+ None,
+ description="Disable DNSSEC validation for DNS over TLS",
+ )
+ no_dnssec_validation = enroll_only(no_dnssec_validation)
+
request_cert = knob(
None,
deprecated=True,
--
2.50.0

46
0123-ipaserver-install-dns.py-Allow-to-Turn-off-DNSSEC-va.patch Normal file
View File

@ -0,0 +1,46 @@
From 0412252dd9a27138411e942305cdf54e70c06f27 Mon Sep 17 00:00:00 2001
From: Thomas Woerner <twoerner@redhat.com>
Date: Mon, 23 Jun 2025 14:36:51 +0200
Subject: [PATCH] ipaserver/install/dns.py: Allow to Turn off DNSSEC validation
for unbound
Unbound is by default configured to do DNSSEC validation with the validator
module. The solution is to set module-config to "iterator".
When the server is built with EDNS client subnet support this should be
changed to "subnetcache iterator" according to the unbound man page.
Fixes: https://pagure.io/freeipa/issue/9805
Signed-off-by: Thomas Woerner <twoerner@redhat.com>
Reviewed-By: Antonio Torres <antorres@redhat.com>
Reviewed-By: Alexander Bokovoy <abbra@users.noreply.github.com>
---
ipaserver/install/dns.py | 6 +++++-
1 file changed, 5 insertions(+), 1 deletion(-)
diff --git a/ipaserver/install/dns.py b/ipaserver/install/dns.py
index 470e1915971f66d84e4e4f279caaf81bd3a85cd3..ccec9d8019a250a275cbfac5a360fc3046bcb69c 100644
--- a/ipaserver/install/dns.py
+++ b/ipaserver/install/dns.py
@@ -133,13 +133,17 @@ def _setup_dns_over_tls(options):
if options.dot_forwarders:
forward_addrs = ["forward-addr: %s" % fw
for fw in options.dot_forwarders]
+ # module_config_iterator is commented out if DNSSEC validation is
+ # not disabled.
+ module_config_iterator = '' if options.no_dnssec_validation else '# '
ipautil.copy_template_file(
paths.UNBOUND_CONF_SRC,
paths.UNBOUND_CONF,
dict(
TLS_CERT_BUNDLE_PATH=os.path.join(
paths.OPENSSL_CERTS_DIR, "ca-bundle.crt"),
- FORWARD_ADDRS="\n".join(forward_addrs)
+ FORWARD_ADDRS="\n".join(forward_addrs),
+ MODULE_CONFIG_ITERATOR=module_config_iterator
)
)
--
2.50.0

55
0124-ipatests-Tests-for-32BitIdranges.patch Normal file
View File

@ -0,0 +1,55 @@
From 15adc2679dabc97fdc4514fc0775be7308bd922a Mon Sep 17 00:00:00 2001
From: Sudhir Menon <sumenon@redhat.com>
Date: Mon, 9 Jun 2025 17:20:32 +0530
Subject: [PATCH] ipatests: Tests for 32BitIdranges.
Running 32BitIdrange tests in AD enviornment
Signed-off-by: Sudhir Menon <sumenon@redhat.com>
Reviewed-By: Rob Crittenden <rcritten@redhat.com>
Reviewed-By: Florence Blanc-Renaud <flo@redhat.com>
Reviewed-By: Florence Blanc-Renaud <flo@redhat.com>
---
.../test_integration/test_32bit_idranges.py | 22 +++++++++++++++++++
1 file changed, 22 insertions(+)
diff --git a/ipatests/test_integration/test_32bit_idranges.py b/ipatests/test_integration/test_32bit_idranges.py
index e76e117e5f1627af02274a13d3ac12ca84eb7ad9..a928628d399d3a94901f0220c3af3e97c5115ffe 100644
--- a/ipatests/test_integration/test_32bit_idranges.py
+++ b/ipatests/test_integration/test_32bit_idranges.py
@@ -6,6 +6,7 @@ from __future__ import absolute_import
from ipatests.pytest_ipa.integration import tasks
from ipatests.test_integration.base import IntegrationTest
+from ipatests.test_integration.test_trust import BaseTestTrust
class Test32BitIdRanges(IntegrationTest):
@@ -102,3 +103,24 @@ class Test32BitIdRanges(IntegrationTest):
)
assert result.returncode == 0
assert str(uid) in result.stdout_text
+
+
+class Test32BitIdrangeInTrustEnv(Test32BitIdRanges, BaseTestTrust):
+ """
+ Tests to check 32BitIdrange functionality
+ in IPA-AD trust enviornment
+ """
+ topology = 'line'
+ num_ad_domains = 1
+ num_ad_subdomains = 0
+ num_ad_treedomains = 0
+ num_clients = 0
+
+ @classmethod
+ def install(cls, mh):
+ super(BaseTestTrust, cls).install(mh)
+ cls.ad = cls.ads[0]
+ cls.ad_domain = cls.ad.domain.name
+ tasks.configure_dns_for_trust(cls.master, cls.ad)
+ tasks.install_adtrust(cls.master)
+ tasks.establish_trust_with_ad(cls.master, cls.ad.domain.name)
--
2.50.0

59
0125-Replica-Request-cert-for-DoT-before-setting-up-bind.patch Normal file
View File

@ -0,0 +1,59 @@
From f4cbea00fde8dada84bfd1262b5271035d3ca7a4 Mon Sep 17 00:00:00 2001
From: Thomas Woerner <twoerner@redhat.com>
Date: Thu, 12 Jun 2025 18:34:49 +0200
Subject: [PATCH] Replica: Request cert for DoT before setting up bind
Deploying a replica with DNS support using an IPA server DNS with DoT
fails while setting up DNS over TLS. The request for the certificate for
DoT using IPA CA is done after the DNS server for the replica is configured.
The nameserver in /etc/resolv.conf has been changed to 127.0.0.1, but
unbound was not yet configured as a forwarder.
The solution is to move the cert request before the DNS server
configuration. The unbound config from the client deployment is still
working at that moment.
Fixes: https://pagure.io/freeipa/issue/9808
Signed-off-by: Thomas Woerner <twoerner@redhat.com>
Reviewed-By: Florence Blanc-Renaud <flo@redhat.com>
---
ipaserver/install/dns.py | 8 +++++++-
1 file changed, 7 insertions(+), 1 deletion(-)
diff --git a/ipaserver/install/dns.py b/ipaserver/install/dns.py
index ccec9d8019a250a275cbfac5a360fc3046bcb69c..9740faeddb244a56b2dc8a274ff82158f6dd2204 100644
--- a/ipaserver/install/dns.py
+++ b/ipaserver/install/dns.py
@@ -114,7 +114,7 @@ def _disable_dnssec():
conn.update_entry(entry)
-def _setup_dns_over_tls(options):
+def _request_cert_for_dns_over_tls(options):
if os.path.isfile(paths.IPA_CA_CRT) and not options.dns_over_tls_cert:
# request certificate for DNS over TLS, using IPA CA
cert = paths.BIND_DNS_OVER_TLS_CRT
@@ -128,6 +128,8 @@ def _setup_dns_over_tls(options):
constants.NAMED_USER.chown(cert, gid=constants.NAMED_GROUP.gid)
constants.NAMED_USER.chown(key, gid=constants.NAMED_GROUP.gid)
+
+def _setup_dns_over_tls(options):
# setup and enable Unbound as resolver
forward_addrs = ["# forward-addr: specify here forwarders"]
if options.dot_forwarders:
@@ -435,6 +437,10 @@ def install(standalone, replica, options, api=api):
"and IPA CA is not present."
)
+ if options.dns_over_tls:
+ print("Request certificate for DNS over TLS, using IPA CA")
+ _request_cert_for_dns_over_tls(options)
+
bind = bindinstance.BindInstance(fstore, api=api)
bind.setup(api.env.host, ip_addresses, api.env.realm, api.env.domain,
options.forwarders, options.forward_policy,
--
2.50.0

40
0126-ipatests-use-sos-report-instead-of-sosreport-command.patch Normal file
View File

@ -0,0 +1,40 @@
From 1c789f5ffde5d443fa2ce6ccfc4eb55f9a8afb4c Mon Sep 17 00:00:00 2001
From: Florence Blanc-Renaud <flo@redhat.com>
Date: Tue, 25 Feb 2025 10:24:56 +0100
Subject: [PATCH] ipatests: use "sos report" instead of "sosreport" command
The "soscommand" has been deprecated and "sos report" should be
used instead. The redirector was removed in sos 4.9.
Fixes: https://pagure.io/freeipa/issue/9752
Signed-off-by: Florence Blanc-Renaud <flo@redhat.com>
Reviewed-By: Alexander Bokovoy <abokovoy@redhat.com>
---
ipatests/test_integration/test_ipahealthcheck.py | 4 ++--
1 file changed, 2 insertions(+), 2 deletions(-)
diff --git a/ipatests/test_integration/test_ipahealthcheck.py b/ipatests/test_integration/test_ipahealthcheck.py
index 7c3f5857a477070d8a9b52c04d41f35ac580c97f..05a0adb24a3f26d70d0690462e7c0fefbf98c6e6 100644
--- a/ipatests/test_integration/test_ipahealthcheck.py
+++ b/ipatests/test_integration/test_ipahealthcheck.py
@@ -1405,7 +1405,7 @@ class TestIpaHealthCheck(IntegrationTest):
msg = "[plugin:ipa] collecting path '{}'".format(HEALTHCHECK_LOG)
cmd = self.master.run_command(
[
- "sosreport",
+ "sos", "report",
"-o",
"ipa",
"--case-id",
@@ -1508,7 +1508,7 @@ class TestIpaHealthCheck(IntegrationTest):
caseid = "123456"
self.master.run_command(
[
- "sosreport",
+ "sos", "report",
"-o",
"ipa",
"--case-id",
--
2.50.1

57
0127-dns-only-overwrite-resolv.conf-during-eDNS-setup-whe.patch Normal file
View File

@ -0,0 +1,57 @@
From a6ae9f740991888bede82884bd9609db220430e3 Mon Sep 17 00:00:00 2001
From: Antonio Torres <antorres@redhat.com>
Date: Mon, 23 Jun 2025 10:49:34 +0200
Subject: [PATCH] dns: only overwrite resolv.conf during eDNS setup when needed
Don't overwrite resolv.conf if it already points to 127.0.0.1. This
ensures compatibility with read-only containers.
Fixes: https://pagure.io/freeipa/issue/9813
Signed-off-by: Antonio Torres <antorres@redhat.com>
Reviewed-By: Florence Blanc-Renaud <flo@redhat.com>
---
ipaserver/install/dns.py | 16 +++++++++-------
1 file changed, 9 insertions(+), 7 deletions(-)
diff --git a/ipaserver/install/dns.py b/ipaserver/install/dns.py
index 9740faeddb244a56b2dc8a274ff82158f6dd2204..0f7a3073f4de1641afb7fdfa77413b978fd23974 100644
--- a/ipaserver/install/dns.py
+++ b/ipaserver/install/dns.py
@@ -33,7 +33,7 @@ from ipapython import ipautil
from ipapython import dnsutil
from ipapython.certdb import EXTERNAL_CA_TRUST_FLAGS
from ipapython.dn import DN
-from ipapython.dnsutil import check_zone_overlap
+from ipapython.dnsutil import check_zone_overlap, get_ipa_resolver
from ipapython.install import typing
from ipapython.install.core import group, knob
from ipapython.admintool import ScriptError
@@ -171,17 +171,19 @@ def _setup_dns_over_tls(options):
f.write("\n".join(dns_none))
nm.reload_or_restart()
- # Overwrite resolv.conf to point to IPA
+ # Ensure resolv.conf points to IPA
cfg = [
"# auto-generated by IPA installer",
"search .",
"nameserver 127.0.0.1\n"
]
- fstore = sysrestore.FileStore(paths.SYSRESTORE)
- fstore.backup_file(paths.RESOLV_CONF)
- with open(paths.RESOLV_CONF, 'w') as f:
- f.write('\n'.join(cfg))
- os.chmod(paths.RESOLV_CONF, 0o644)
+ nameservers = get_ipa_resolver().nameservers
+ if not nameservers or nameservers[0] != "127.0.0.1":
+ fstore = sysrestore.FileStore(paths.SYSRESTORE)
+ fstore.backup_file(paths.RESOLV_CONF)
+ with open(paths.RESOLV_CONF, 'w') as f:
+ f.write('\n'.join(cfg))
+ os.chmod(paths.RESOLV_CONF, 0o644)
services.knownservices.unbound.enable()
services.knownservices.unbound.restart()
--
2.50.1

151
0128-Use-correct-capitalization-for-GitHub-and-GitLab.patch Normal file
View File

@ -0,0 +1,151 @@
From 6bb7ebd40f3fa9c266e62caef961c1078440751d Mon Sep 17 00:00:00 2001
From: Rafael Guterres Jeffman <rjeffman@redhat.com>
Date: Tue, 17 Jun 2025 17:15:49 -0300
Subject: [PATCH] Use correct capitalization for GitHub and GitLab
The correct third party trademarks are GitHub and GitLab, and this is
the capitalization that needs to be used for documentation and messages,
when referring to each service.
Fixes: https://pagure.io/freeipa/issue/9811
Signed-off-by: Rafael Guterres Jeffman <rjeffman@redhat.com>
Reviewed-By: Florence Blanc-Renaud <flo@redhat.com>
Reviewed-By: Rob Crittenden <rcritten@redhat.com>
---
doc/designs/external-idp/idp-api.md | 22 +++++++++++-----------
doc/workshop/12-external-idp-support.rst | 4 ++--
ipaserver/plugins/internal.py | 2 +-
ipatests/test_integration/test_cert.py | 2 +-
po/ipa.pot | 2 +-
5 files changed, 16 insertions(+), 16 deletions(-)
diff --git a/doc/designs/external-idp/idp-api.md b/doc/designs/external-idp/idp-api.md
index fe2ba8d67389b89216b128c253695e3d1da363be..59d2ccb5707cda549130fc0f4e05c8e8ee9bb86b 100644
--- a/doc/designs/external-idp/idp-api.md
+++ b/doc/designs/external-idp/idp-api.md
@@ -156,13 +156,13 @@ List of pre-populated IdP types is currently limited by the following provider
Some IdP providers support parametrized URIs which include organization or a
realm name, or specific base URL, or both.
-One notable omission in the pre-populated IdP types above is Gitlab.
+One notable omission in the pre-populated IdP types above is GitLab.
FreeIPA only supports IdPs that implement OAuth 2.0 Device authorization
grant flow as defined by the [RFC 8628](https://www.rfc-editor.org/rfc/rfc8628).
If required IdP cannot be made to support Device authorization grant flow, it
is recommended to use OAuth 2.0 federation within an IdP that supports this
-method. Gitlab does not support OAuth 2.0 Device authorization grant flow and
+method. GitLab does not support OAuth 2.0 Device authorization grant flow and
thus is not supported directly.
SSSD 2.7.0 implements Kerberos pre-authentication method `idp` (registered as a
@@ -193,7 +193,7 @@ Choosing `--provider=google` would expand to use the following options:
| `--scope`=STR | `openid email` |
| `--idp-user-id`=STR | `email` |
-#### Github IdPs
+#### GitHub IdPs
Choosing `--provider=github` would expand to use the following options:
@@ -207,17 +207,17 @@ Choosing `--provider=github` would expand to use the following options:
| `--scope`=STR | `user` |
| `--idp-user-id`=STR | `login` |
-Please note that Github explicitly states that a user login is not unique and
+Please note that GitHub explicitly states that a user login is not unique and
can be reused after a user account was deleted. The configuration above aims
-for an easy setup for testing. If production deployment with Github IdP would
+for an easy setup for testing. If production deployment with GitHub IdP would
be required, it is recommended to change `--idp-user-id` to a more unique subject
-like `id`. Unfortunately, Github UI does not give an easy way to discover a
+like `id`. Unfortunately, GitHub UI does not give an easy way to discover a
user ID. Other IdPs also lack an easy way to resolve these internal identifiers
when not authorized by the user themselves.
-For Github, user's ID can be looked up without authentication through the Users
+For GitHub, user's ID can be looked up without authentication through the Users
API. Assuming we have `curl` and `jq` utilities available, a request to
-discover an ID of a Github user named `test` would look like:
+discover an ID of a GitHub user named `test` would look like:
```
$ curl --silent \
@@ -386,10 +386,10 @@ scope is used, this typically maps to `sub` value. Since there are no ways to
pull this value for all users in advance, pre-populated IdP templates set OAuth
2.0 scopes to include `email` and then use `email` to map IdP subject where possible.
There are some well-known IdPs which allow reuse of user accounts and emails, this
-applies to both Github and Gitlab. Since Gitlab does not support OAuth 2.0
+applies to both GitHub and GitLab. Since GitLab does not support OAuth 2.0
Device authorization grant flow, it is not an issue in itself for this project. However,
-for Github it is known that user accounts can be recycled after their removal. In
-this case we would recommend to use internal Github identifier instead.
+for GitHub it is known that user accounts can be recycled after their removal. In
+this case we would recommend to use internal GitHub identifier instead.
## Upgrade and backward compatibility
diff --git a/doc/workshop/12-external-idp-support.rst b/doc/workshop/12-external-idp-support.rst
index 022c26483fa5b08fa02b69ff63fac7d08c53d110..66c714c257f0dacc724753cbc73968a588aa3a07 100644
--- a/doc/workshop/12-external-idp-support.rst
+++ b/doc/workshop/12-external-idp-support.rst
@@ -94,7 +94,7 @@ authorization grant flow:
* Microsoft Identity Platform, including Azure AD
* Google
-* Github
+* GitHub
* Keycloak, including Red Hat SSO
* Okta
@@ -389,7 +389,7 @@ IPA. Option ``--provider keycloak`` allows us to fill-in pre-defined template
for Keycloak or Red Hat SSO IdPs. The template expects both Keycloak's realm
(``--org`` option) and a base URL (``--base-url`` option) because Keycloak is
typically deployed as a part of a larger solution. These options may not be
-needed for other pre-defined templates like Google or Github.
+needed for other pre-defined templates like Google or GitHub.
The `openid` scope is mandatory since
[Keycloak 19.0.2](https://www.keycloak.org/docs/latest/upgrading/index.html#userinfo-endpoint-changes).
diff --git a/ipaserver/plugins/internal.py b/ipaserver/plugins/internal.py
index e8642b6f03754fbdc6a099b72407ed2df25da86f..283b430778c37861c417c7829ac04bd2fb966be0 100644
--- a/ipaserver/plugins/internal.py
+++ b/ipaserver/plugins/internal.py
@@ -1100,7 +1100,7 @@ class i18n_messages(Command):
"idp": {
"template_keycloak": _("Keycloak or Red Hat SSO"),
"template_google": _("Google"),
- "template_github": _("Github"),
+ "template_github": _("GitHub"),
"template_microsoft": _("Microsoft or Azure"),
"template_okta": _("Okta"),
"label_idpclient": _("OAuth 2.0 client details"),
diff --git a/ipatests/test_integration/test_cert.py b/ipatests/test_integration/test_cert.py
index 88859e67f5653bc91f25152c414350c0ba41e036..05b20b910b249af24039a497538f96dad07162aa 100644
--- a/ipatests/test_integration/test_cert.py
+++ b/ipatests/test_integration/test_cert.py
@@ -540,7 +540,7 @@ class TestCAShowErrorHandling(IntegrationTest):
4. Verify LWCA is recognized on the server
5. Run `ipa ca-show <LWCA>`
- PKI Github Link: https://github.com/dogtagpki/pki/pull/3605/
+ PKI GitHub Link: https://github.com/dogtagpki/pki/pull/3605/
"""
self.replicas[0].run_command(['systemctl', 'stop', 'ipa-custodia'])
lwca = 'lwca1'
diff --git a/po/ipa.pot b/po/ipa.pot
index 41ee14059f1dc00f22c53d59f82ba9c4df439d1a..07413d546241149fcde36c38c0750d040916ba0f 100644
--- a/po/ipa.pot
+++ b/po/ipa.pot
@@ -23944,7 +23944,7 @@ msgid "Google"
msgstr ""
#: ipaserver/plugins/internal.py:1103
-msgid "Github"
+msgid "GitHub"
msgstr ""
#: ipaserver/plugins/internal.py:1104
--
2.50.1

35
0129-kdb-prevent-double-crash-in-RBCD-ACL-free.patch Normal file
View File

@ -0,0 +1,35 @@
From 45cce31e2596de2c9b6048674510572c248e2ec9 Mon Sep 17 00:00:00 2001
From: Alexander Bokovoy <abokovoy@redhat.com>
Date: Tue, 15 Jul 2025 10:52:01 +0300
Subject: [PATCH] kdb: prevent double crash in RBCD ACL free
acl_list was set to prev->tl_data_contents and its value is freed but
then is is freed again outside of the if(). Just reset acl_list pointer
as prev->tl_data_contents is removed unconditionally outside of the RBCD
ACL removal.
Related: https://pagure.io/freeipa/issue/9367
Signed-off-by: Alexander Bokovoy <abokovoy@redhat.com>
Reviewed-By: Rob Crittenden <rcritten@redhat.com>
---
daemons/ipa-kdb/ipa_kdb_principals.c | 3 ++-
1 file changed, 2 insertions(+), 1 deletion(-)
diff --git a/daemons/ipa-kdb/ipa_kdb_principals.c b/daemons/ipa-kdb/ipa_kdb_principals.c
index 19998c2a38b5d8ae80aeedeb003f54241d2c2a9f..a7e77e940ab61b27407076a834f3804b0e69c122 100644
--- a/daemons/ipa-kdb/ipa_kdb_principals.c
+++ b/daemons/ipa-kdb/ipa_kdb_principals.c
@@ -2160,7 +2160,8 @@ void ipadb_free_principal(krb5_context kcontext, krb5_db_entry *entry)
for (i = 0; (acl_list != NULL) && (acl_list[i] != NULL); i++) {
free(acl_list[i]);
}
- free(acl_list);
+ /* prev->tl_data_contents will be removed below */
+ acl_list = NULL;
}
free(prev->tl_data_contents);
free(prev);
--
2.50.1

110
0130-ipatests-Tests-for-ipa-migrate-tool-with-ldif-file.patch Normal file
View File

@ -0,0 +1,110 @@
From 0c9ba2a0075f02315810521357cf2e5b52fc7d41 Mon Sep 17 00:00:00 2001
From: Sudhir Menon <sumenon@redhat.com>
Date: Wed, 9 Apr 2025 13:10:58 +0530
Subject: [PATCH] ipatests: Tests for ipa-migrate tool with ldif file
This test checks that when ipa-migrate tool
uses ldif file it works without any error.
Related: https://pagure.io/freeipa/issue/9776
Signed-off-by: Sudhir Menon <sumenon@redhat.com>
Reviewed-By: Florence Blanc-Renaud <flo@redhat.com>
Reviewed-By: Rob Crittenden <rcritten@redhat.com>
Reviewed-By: Florence Blanc-Renaud <flo@redhat.com>
Reviewed-By: Rob Crittenden <rcritten@redhat.com>
---
.../test_ipa_ipa_migration.py | 80 +++++++++++++++++++
1 file changed, 80 insertions(+)
diff --git a/ipatests/test_integration/test_ipa_ipa_migration.py b/ipatests/test_integration/test_ipa_ipa_migration.py
index 95c29234fc7893d3eae5d900a58aa7b1162ed61d..c6247e772b257748aa0c0f58bd04b53d3756125c 100644
--- a/ipatests/test_integration/test_ipa_ipa_migration.py
+++ b/ipatests/test_integration/test_ipa_ipa_migration.py
@@ -1265,3 +1265,83 @@ class TestIPAMigrationWithADtrust(IntegrationTest):
["ipa", "idrange-show", ad_domain_name + "_id_range"]
)
assert cmd1.stdout_text == cmd2.stdout_text
+
+
+class TestIPAMigratewithBackupRestore(IntegrationTest):
+ """
+ Test for ipa-migrate tool with backup files.
+ The master and replicas[1] are used to create the data source.
+ The replicas[0] is used as new server, retrieving data from the source.
+ replicas[1] is needed to make sure that the source LDIF
+ file contains replication attributes with
+ options (for instance objectClass;vucsn-67f7b3de000300030000).
+ """
+ num_replicas = 2
+ topology = "line"
+
+ @classmethod
+ def install(cls, mh):
+ tasks.install_master(cls.master, setup_dns=True, setup_kra=True)
+ prepare_ipa_server(cls.master)
+ tasks.install_master(cls.replicas[0], setup_dns=True, setup_kra=True)
+ tasks.install_replica(cls.master, cls.replicas[1],
+ setup_dns=True, setup_kra=True)
+
+ @pytest.fixture
+ def create_delete_user(self):
+ """
+ This fixtures creates a ldapuser using the
+ ldif file and then delete the users
+ """
+ self.master.run_command(['ipa', 'user-add', 'testuser',
+ '--first', 'test',
+ '--last', 'user'])
+ self.master.run_command(['ipa', 'user-del', 'testuser'])
+ yield
+
+ def test_ipa_migrate_stage_mode(self, create_delete_user):
+ """
+ This test checks ipa-migrate with LDIF file
+ from backup of remote server is successful.
+ """
+ ERR_MSG = (
+ "error: change collided with another change"
+ )
+ dashed_domain_name = self.master.domain.realm.replace(
+ ".", '-'
+ )
+ DB_LDIF_FILE = '{}-userRoot.ldif'.format(
+ dashed_domain_name
+ )
+ SCHEMA_LDIF_FILE = '{}''/config_files/schema/99user.ldif'.format(
+ dashed_domain_name)
+ CONFIG_LDIF_FILE = '{}''/config_files/dse.ldif'.format(
+ dashed_domain_name)
+ param = [
+ '-n', '-g', CONFIG_LDIF_FILE, '-m', SCHEMA_LDIF_FILE,
+ '-f', DB_LDIF_FILE
+ ]
+ tasks.kinit_admin(self.master)
+ tasks.kinit_admin(self.replicas[0])
+ backup_path = tasks.get_backup_dir(self.master)
+ remote_ipa_tar_file = backup_path + '/ipa-full.tar'
+ ipa_tar_file = self.master.get_file_contents(
+ remote_ipa_tar_file
+ )
+ replica_file_name = "/tmp/ipa-full.tar"
+ self.replicas[0].put_file_contents(
+ replica_file_name, ipa_tar_file
+ )
+ self.replicas[0].run_command(
+ ['/usr/bin/tar', '-xvf', replica_file_name]
+ )
+ result = run_migrate(
+ self.replicas[0],
+ "stage-mode",
+ self.master.hostname,
+ "cn=Directory Manager",
+ self.master.config.admin_password,
+ extra_args=param,
+ )
+ assert result.returncode == 0
+ assert ERR_MSG not in result.stderr_text
--
2.50.1

174
0131-dns-disable-all-previous-Unbound-configuration-befor.patch Normal file
View File

@ -0,0 +1,174 @@
From bae780843ef26da1d0876086205cda9f590e9c01 Mon Sep 17 00:00:00 2001
From: Antonio Torres <antorres@redhat.com>
Date: Tue, 24 Jun 2025 13:41:17 +0200
Subject: [PATCH] dns: disable all previous Unbound configuration before
deploying ours
Previous configuration from another packages might break our Unbound
setup. Rename the config files to disable them before deploying our
configuration.
Fixes: https://pagure.io/freeipa/issue/9814
Signed-off-by: Antonio Torres <antorres@redhat.com>
Reviewed-By: Thomas Woerner <twoerner@redhat.com>
Reviewed-By: Rob Crittenden <rcritten@redhat.com>
---
ipaclient/install/client.py | 29 ++++++++++++++++++++++++++---
ipaplatform/base/paths.py | 1 +
ipaserver/install/bindinstance.py | 17 +++++++++++++++--
ipaserver/install/dns.py | 11 ++++++++++-
4 files changed, 52 insertions(+), 6 deletions(-)
diff --git a/ipaclient/install/client.py b/ipaclient/install/client.py
index 96e91268f54aecf08e0791c91811072e8d6f459f..1885e4a8d4d1ae97ee70c163d5a47bb819288065 100644
--- a/ipaclient/install/client.py
+++ b/ipaclient/install/client.py
@@ -1656,7 +1656,7 @@ def get_server_connection_interface(server):
raise RuntimeError(msg)
-def client_dns(server, hostname, options):
+def client_dns(server, hostname, options, statestore):
try:
verify_host_resolvable(hostname)
@@ -1672,12 +1672,22 @@ def client_dns(server, hostname, options):
# Setup DNS over TLS
if options.dns_over_tls:
+ fstore = sysrestore.FileStore(paths.IPA_CLIENT_SYSRESTORE)
+ statestore.backup_state("dns_over_tls", "enabled", True)
+ save_state(services.knownservices["unbound"], statestore)
# setup and enable Unbound as resolver
server_ip = str(list(dnsutil.resolve_ip_addresses(server))[0])
forward_addr = "forward-addr: %s#%s" % (server_ip, server)
# module_config_iterator is commented out if DNSSEC validation is
# not disabled.
module_config_iterator = '' if options.no_dnssec_validation else '# '
+ # backup and remove all previous Unbound configuration
+ for filename in os.listdir(paths.UNBOUND_CONFIG_DIR):
+ filepath = os.path.join(paths.UNBOUND_CONFIG_DIR, filename)
+ if filepath == paths.UNBOUND_CONF:
+ continue
+ fstore.backup_file(filepath)
+ remove_file(filepath)
ipautil.copy_template_file(
paths.UNBOUND_CONF_SRC,
paths.UNBOUND_CONF,
@@ -1710,7 +1720,6 @@ def client_dns(server, hostname, options):
"search .",
"nameserver 127.0.0.55\n"
]
- fstore = sysrestore.FileStore(paths.IPA_CLIENT_SYSRESTORE)
fstore.backup_file(paths.RESOLV_CONF)
with open(paths.RESOLV_CONF, 'w') as f:
f.write('\n'.join(cfg))
@@ -3242,7 +3251,7 @@ def _install(options, tdict):
tasks.insert_ca_certs_into_systemwide_ca_store(ca_certs)
if not options.on_master:
- client_dns(cli_server[0], hostname, options)
+ client_dns(cli_server[0], hostname, options, statestore)
update_ssh_keys(hostname, paths.SSH_CONFIG_DIR, options, cli_server[0])
@@ -3632,6 +3641,20 @@ def uninstall(options):
except Exception:
pass
+ # Restore unbound to its original status
+ if statestore.restore_state("dns_over_tls", "enabled"):
+ unbound = services.knownservices['unbound']
+ if not statestore.restore_state('unbound', 'running'):
+ unbound.stop()
+ if not statestore.restore_state('unbound', 'enabled'):
+ unbound.disable()
+ # restore unbound config files that were removed during IPA install
+ remove_file(paths.UNBOUND_CONF)
+ for filename, fileinfo in fstore.files.items():
+ if paths.UNBOUND_CONFIG_DIR in fileinfo:
+ fstore.restore_file(
+ os.path.join(paths.UNBOUND_CONFIG_DIR, filename))
+
logger.info("Disabling client Kerberos and LDAP configurations")
was_sssd_installed = False
was_sshd_configured = False
diff --git a/ipaplatform/base/paths.py b/ipaplatform/base/paths.py
index a5bca789bdb8d07b51779e28adf64c9b68892328..8b62971f98cb282a7bcbe30019d39bcdfadec7a9 100644
--- a/ipaplatform/base/paths.py
+++ b/ipaplatform/base/paths.py
@@ -102,6 +102,7 @@ class BasePathNamespace:
NAMED_MANAGED_KEYS_DIR = "/var/named/dynamic"
NAMED_CRYPTO_POLICY_FILE = None
UNBOUND_CONF_SRC = '/usr/share/ipa/client/unbound.conf.template'
+ UNBOUND_CONFIG_DIR = "/etc/unbound/conf.d/"
UNBOUND_CONF = "/etc/unbound/conf.d/zzz-ipa.conf"
NSLCD_CONF = "/etc/nslcd.conf"
NSS_LDAP_CONF = "/etc/nss_ldap.conf"
diff --git a/ipaserver/install/bindinstance.py b/ipaserver/install/bindinstance.py
index 0cc1f1325ce0a9dbdb09f4100a1a22bc4f24924a..ea4d4bf0e8a2d189cc0e59835db2423d7ff1cfeb 100644
--- a/ipaserver/install/bindinstance.py
+++ b/ipaserver/install/bindinstance.py
@@ -690,6 +690,10 @@ class BindInstance(service.Service):
self.reverse_zones = reverse_zones
self.sstore.backup_state("dns_over_tls", "enabled", dns_over_tls)
+ self.sstore.backup_state("unbound", "running",
+ services.knownservices["unbound"].is_running())
+ self.sstore.backup_state("unbound", "enabled",
+ services.knownservices["unbound"].is_enabled())
if not zonemgr:
self.zonemgr = 'hostmaster.%s' % normalize_zone(self.domain)
@@ -1382,8 +1386,17 @@ class BindInstance(service.Service):
if self.sstore.restore_state("dns_over_tls", "enabled"):
if not self.sstore.restore_state("dns_over_tls", "external_crt"):
certmonger.stop_tracking(certfile=paths.BIND_DNS_OVER_TLS_CRT)
- services.knownservices["unbound"].disable()
- services.knownservices["unbound"].stop()
+ # only disable unbound if it was before IPA was deployed
+ if not self.sstore.restore_state("unbound", "enabled"):
+ services.knownservices["unbound"].disable()
+ if not self.sstore.restore_state("unbound", "running"):
+ services.knownservices["unbound"].stop()
+ # restore unbound config files that were removed during IPA install
+ ipautil.remove_file(paths.UNBOUND_CONF)
+ for filename, fileinfo in self.fstore.files.items():
+ if paths.UNBOUND_CONFIG_DIR in fileinfo:
+ self.fstore.restore_file(
+ os.path.join(paths.UNBOUND_CONFIG_DIR, filename))
ipautil.remove_file(paths.NAMED_CONF_BAK)
ipautil.remove_file(paths.NAMED_CUSTOM_CONF)
diff --git a/ipaserver/install/dns.py b/ipaserver/install/dns.py
index 0f7a3073f4de1641afb7fdfa77413b978fd23974..39c2f677b659ef578ab0f14322465e9d9f036c99 100644
--- a/ipaserver/install/dns.py
+++ b/ipaserver/install/dns.py
@@ -138,6 +138,16 @@ def _setup_dns_over_tls(options):
# module_config_iterator is commented out if DNSSEC validation is
# not disabled.
module_config_iterator = '' if options.no_dnssec_validation else '# '
+
+ # backup and remove all previous Unbound configuration
+ fstore = sysrestore.FileStore(paths.SYSRESTORE)
+ for filename in os.listdir(paths.UNBOUND_CONFIG_DIR):
+ filepath = os.path.join(paths.UNBOUND_CONFIG_DIR, filename)
+ if filepath == paths.UNBOUND_CONF:
+ continue
+ fstore.backup_file(filepath)
+ ipautil.remove_file(filepath)
+
ipautil.copy_template_file(
paths.UNBOUND_CONF_SRC,
paths.UNBOUND_CONF,
@@ -179,7 +189,6 @@ def _setup_dns_over_tls(options):
]
nameservers = get_ipa_resolver().nameservers
if not nameservers or nameservers[0] != "127.0.0.1":
- fstore = sysrestore.FileStore(paths.SYSRESTORE)
fstore.backup_file(paths.RESOLV_CONF)
with open(paths.RESOLV_CONF, 'w') as f:
f.write('\n'.join(cfg))
--
2.50.1

106
0132-Enforce-uniqueness-across-krbprincipalname-and-krbca.patch Normal file
View File

@ -0,0 +1,106 @@
From 943032c9491df751d230132d6aa881ff9284cf21 Mon Sep 17 00:00:00 2001
From: Rob Crittenden <rcritten@redhat.com>
Date: Thu, 10 Jul 2025 11:44:36 -0400
Subject: [PATCH] Enforce uniqueness across krbprincipalname and
krbcanonicalname
This relies on a fix in 389-ds that extends the uniqueness plugin
to be able to compare attributes with different matching syntax.
This will prevent privilege escalation attacks if one of the
attributes is not set on an entry if it is set elsewhere.
Signed-off-by: Rob Crittenden <rcritten@redhat.com>
---
install/share/unique-attributes.ldif | 28 +++++-----------------------
install/updates/10-uniqueness.update | 27 +++++++++++++++++++++++----
2 files changed, 28 insertions(+), 27 deletions(-)
diff --git a/install/share/unique-attributes.ldif b/install/share/unique-attributes.ldif
index 60f2c3470b3f2be7860c2bcc20babb07904f9b0c..b28d981b574d84e24509c07195526e25eddc0b75 100644
--- a/install/share/unique-attributes.ldif
+++ b/install/share/unique-attributes.ldif
@@ -1,34 +1,16 @@
-dn: cn=krbPrincipalName uniqueness,cn=plugins,cn=config
+dn: cn=kerberos name uniqueness,cn=plugins,cn=config
changetype: add
objectClass: top
objectClass: nsSlapdPlugin
objectClass: extensibleObject
-cn: krbPrincipalName uniqueness
+cn: kerberos name uniqueness
nsslapd-pluginPath: libattr-unique-plugin
nsslapd-pluginInitfunc: NSUniqueAttr_Init
nsslapd-pluginType: preoperation
nsslapd-pluginEnabled: on
-uniqueness-attribute-name: krbPrincipalName
-nsslapd-plugin-depends-on-type: database
-nsslapd-pluginId: NSUniqueAttr
-nsslapd-pluginVersion: 1.1.0
-nsslapd-pluginVendor: Fedora Project
-nsslapd-pluginDescription: Enforce unique attribute values
-uniqueness-subtrees: $SUFFIX
-uniqueness-exclude-subtrees: cn=staged users,cn=accounts,cn=provisioning,$SUFFIX
-uniqueness-across-all-subtrees: on
-
-dn: cn=krbCanonicalName uniqueness,cn=plugins,cn=config
-changetype: add
-objectClass: top
-objectClass: nsSlapdPlugin
-objectClass: extensibleObject
-cn: krbCanonicalName uniqueness
-nsslapd-pluginPath: libattr-unique-plugin
-nsslapd-pluginInitfunc: NSUniqueAttr_Init
-nsslapd-pluginType: preoperation
-nsslapd-pluginEnabled: on
-uniqueness-attribute-name: krbCanonicalName
+uniqueness-attribute-name: krbPrincipalName:CaseIgnoreMatch:
+uniqueness-attribute-name: krbPrincipalAlias:CaseIgnoreMatch:
+uniqueness-attribute-name: krbCanonicalName:CaseIgnoreMatch:
nsslapd-plugin-depends-on-type: database
nsslapd-pluginId: NSUniqueAttr
nsslapd-pluginVersion: 1.1.0
diff --git a/install/updates/10-uniqueness.update b/install/updates/10-uniqueness.update
index fa17911f2ed9c7bcaa851de0f0a4790a550e1c91..5c5bfd3e0f4f7b65fffe47844f778d6909181181 100644
--- a/install/updates/10-uniqueness.update
+++ b/install/updates/10-uniqueness.update
@@ -63,13 +63,32 @@ add:uniqueness-subtree-entries-oc: posixAccount
# krbPrincipalName uniqueness scopes Active/Delete containers
dn: cn=krbPrincipalName uniqueness,cn=plugins,cn=config
-add:uniqueness-exclude-subtrees: cn=staged users,cn=accounts,cn=provisioning,$SUFFIX
-add:uniqueness-across-all-subtrees: on
+deleteentry: cn=krbPrincipalName uniqueness,cn=plugins,cn=config
# krbCanonicalName uniqueness scopes Active/Delete containers
dn: cn=krbCanonicalName uniqueness,cn=plugins,cn=config
-add:uniqueness-exclude-subtrees: cn=staged users,cn=accounts,cn=provisioning,$SUFFIX
-add:uniqueness-across-all-subtrees: on
+deleteentry: dn: cn=krbCanonicalName uniqueness,cn=plugins,cn=config
+
+dn: cn=kerberos name uniqueness,cn=plugins,cn=config
+default:objectClass: top
+default:objectClass: nsSlapdPlugin
+default:objectClass: extensibleObject
+default:cn: kerberos name uniqueness
+default:nsslapd-pluginPath: libattr-unique-plugin
+default:nsslapd-pluginInitfunc: NSUniqueAttr_Init
+default:nsslapd-pluginType: preoperation
+default:nsslapd-pluginEnabled: on
+default:uniqueness-attribute-name: krbPrincipalName:CaseIgnoreMatch:
+default:uniqueness-attribute-name: krbPrincipalAlias:CaseIgnoreMatch:
+default:uniqueness-attribute-name: krbCanonicalName:CaseIgnoreMatch:
+default:nsslapd-plugin-depends-on-type: database
+default:nsslapd-pluginId: NSUniqueAttr
+default:nsslapd-pluginVersion: 1.1.0
+default:nsslapd-pluginVendor: Fedora Project
+default:nsslapd-pluginDescription: Enforce unique attribute values
+default:uniqueness-subtrees: $SUFFIX
+default:uniqueness-exclude-subtrees: cn=staged users,cn=accounts,cn=provisioning,$SUFFIX
+default:uniqueness-across-all-subtrees: on
# ipaUniqueID uniqueness scopes Active/Delete containers
dn: cn=ipaUniqueID uniqueness,cn=plugins,cn=config
--
2.51.0

227
0133-ipa-kdb-enforce-PAC-presence-on-TGT-for-TGS-REQ.patch Normal file
View File

@ -0,0 +1,227 @@
From ee838b21200a7e61398bd6a60be848bc1fa96985 Mon Sep 17 00:00:00 2001
From: Julien Rische <jrische@redhat.com>
Date: Fri, 18 Jul 2025 10:26:37 +0200
Subject: [PATCH] ipa-kdb: enforce PAC presence on TGT for TGS-REQ
MS-KILE's PA-PAC-REQUEST sequence allows the Kerberos client to request
a TGT without a PAC. At the moment, there is no way to configure the MIT
KDC to reject such request.
This commit enforces the presence of the PAC when processing TGTs
provided by TGS-REQ. It ensures the server principal of the TGT is the
same as the one in PAC_CLIENT_INFO (i.e. enforces client principal
canonicalization) with integrity check.
Only one exception is applied: this check is skipped for local TGTs on
domain where the MS-PAC generator is not initialized (i.e. domains where
SID generation was not executed yet).
Signed-off-by: Julien Rische <jrische@redhat.com>
---
daemons/ipa-kdb/ipa_kdb.h | 9 +++
daemons/ipa-kdb/ipa_kdb_common.c | 18 ++++++
daemons/ipa-kdb/ipa_kdb_kdcpolicy.c | 2 +-
daemons/ipa-kdb/ipa_kdb_mspac.c | 87 ++++++++++++++++++++++++++++
daemons/ipa-kdb/ipa_kdb_principals.c | 21 +------
5 files changed, 116 insertions(+), 21 deletions(-)
diff --git a/daemons/ipa-kdb/ipa_kdb.h b/daemons/ipa-kdb/ipa_kdb.h
index 58a0339fc984c9b421aed23c6c1e6084f132421b..8fa0509956dfc1d0f2ba0c5363da463ba1189199 100644
--- a/daemons/ipa-kdb/ipa_kdb.h
+++ b/daemons/ipa-kdb/ipa_kdb.h
@@ -431,6 +431,14 @@ krb5_error_code ipadb_is_princ_from_trusted_realm(krb5_context kcontext,
const char *test_realm, size_t size,
char **trusted_realm);
+/* Check the ticket provided in a TGS-REQ. In some situations, the ticket is
+ * expected to contain a PAC. If it is not the case, or if the function is
+ * enable to decode an authorization-data element, it fails.
+ * Any failure should result in the TGS-REQ to be rejected. */
+krb5_error_code ipadb_enforce_pac(krb5_context kcontext,
+ const krb5_ticket *ticket,
+ const char **status);
+
/* DELEGATION CHECKS */
krb5_error_code ipadb_check_allowed_to_delegate(krb5_context kcontext,
@@ -475,3 +483,4 @@ int ipadb_string_to_sid(const char *str, struct dom_sid *sid);
void alloc_sid(struct dom_sid **sid);
void free_sid(struct dom_sid **sid);
bool dom_sid_check(const struct dom_sid *sid1, const struct dom_sid *sid2, bool exact_check);
+bool ipadb_is_tgs_princ(krb5_context kcontext, krb5_const_principal princ);
diff --git a/daemons/ipa-kdb/ipa_kdb_common.c b/daemons/ipa-kdb/ipa_kdb_common.c
index ae7742a320ed714b703bf12a32811c0fd9eb75aa..fc603cbe2957f43698936e74a40fcbc0912f95bc 100644
--- a/daemons/ipa-kdb/ipa_kdb_common.c
+++ b/daemons/ipa-kdb/ipa_kdb_common.c
@@ -767,3 +767,21 @@ krb5_error_code ipadb_multibase_search(struct ipadb_context *ipactx,
return ipadb_simple_ldap_to_kerr(ret);
}
+bool
+ipadb_is_tgs_princ(krb5_context kcontext, krb5_const_principal princ)
+{
+ krb5_data *primary;
+ size_t l_tgs_name;
+
+ if (2 != krb5_princ_size(kcontext, princ))
+ return false;
+
+ primary = krb5_princ_component(kcontext, princ, 0);
+
+ l_tgs_name = strlen(KRB5_TGS_NAME);
+
+ if (l_tgs_name != primary->length)
+ return false;
+
+ return 0 == memcmp(primary->data, KRB5_TGS_NAME, l_tgs_name);
+}
diff --git a/daemons/ipa-kdb/ipa_kdb_kdcpolicy.c b/daemons/ipa-kdb/ipa_kdb_kdcpolicy.c
index 2802221c79fe63ab4bd33bfbe4859517f3d91ec5..aa8de3edac279ecf822af2b807e9378e28b125d0 100644
--- a/daemons/ipa-kdb/ipa_kdb_kdcpolicy.c
+++ b/daemons/ipa-kdb/ipa_kdb_kdcpolicy.c
@@ -195,7 +195,7 @@ ipa_kdcpolicy_check_tgs(krb5_context context, krb5_kdcpolicy_moddata moddata,
*lifetime_out = 0;
*renew_lifetime_out = 0;
- return 0;
+ return ipadb_enforce_pac(context, ticket, status);
}
krb5_error_code kdcpolicy_ipakdb_initvt(krb5_context context,
diff --git a/daemons/ipa-kdb/ipa_kdb_mspac.c b/daemons/ipa-kdb/ipa_kdb_mspac.c
index 9723103d8a77294ed7457d9b48bfc0d98b9ccef1..9a7aedd84850ac4b51ba97415bad9d6c071d0d0b 100644
--- a/daemons/ipa-kdb/ipa_kdb_mspac.c
+++ b/daemons/ipa-kdb/ipa_kdb_mspac.c
@@ -3346,3 +3346,90 @@ krb5_error_code ipadb_is_princ_from_trusted_realm(krb5_context kcontext,
return KRB5_KDB_NOENTRY;
}
+
+static krb5_error_code
+check_for_pac(krb5_context kcontext, krb5_authdata **authdata, bool *pac_present)
+{
+ krb5_error_code kerr = ENOENT;
+ size_t i, j;
+ krb5_authdata **ifrel = NULL;
+
+ for (i = 0; authdata && authdata[i]; ++i) {
+ if (authdata[i]->ad_type != KRB5_AUTHDATA_IF_RELEVANT) {
+ continue;
+ }
+
+ kerr = krb5_decode_authdata_container(kcontext,
+ KRB5_AUTHDATA_IF_RELEVANT,
+ authdata[i], &ifrel);
+ if (kerr) {
+ goto end;
+ }
+
+ for (j = 0; ifrel[j]; ++j) {
+ if (ifrel[j]->ad_type == KRB5_AUTHDATA_WIN2K_PAC) {
+ break;
+ }
+ }
+ if (ifrel[j]) {
+ break;
+ }
+
+ krb5_free_authdata(kcontext, ifrel);
+ ifrel = NULL;
+ }
+
+ *pac_present = ifrel;
+ kerr = 0;
+
+end:
+ krb5_free_authdata(kcontext, ifrel);
+ return kerr;
+}
+
+krb5_error_code
+ipadb_enforce_pac(krb5_context kcontext, const krb5_ticket *ticket,
+ const char **status)
+{
+ struct ipadb_context *ipactx;
+ bool pac_present;
+ krb5_error_code kerr;
+
+ /* Filter TGTs only */
+ if (!ipadb_is_tgs_princ(kcontext, ticket->server)) {
+ kerr = 0;
+ goto end;
+ }
+
+ /* Get IPA context */
+ ipactx = ipadb_get_context(kcontext);
+ if (!ipactx) {
+ kerr = KRB5_KDB_DBNOTINITED;
+ goto end;
+ }
+
+ /* If local TGT but PAC generator not initialized, skip PAC enforcement */
+ if (krb5_realm_compare(kcontext, ipactx->local_tgs, ticket->server) &&
+ !ipactx->mspac)
+ {
+ krb5_klog_syslog(LOG_WARNING, "MS-PAC not available. This makes "
+ "FreeIPA vulnerable to privilege escalation exploit "
+ "(CVE-2025-7493). Please generate SIDs to enable PAC "
+ "support.");
+ kerr = 0;
+ goto end;
+ }
+
+ /* Search for the PAC, fail if it cannot be found */
+ kerr = check_for_pac(kcontext, ticket->enc_part2->authorization_data,
+ &pac_present);
+ if (kerr) {
+ *status = "PAC_ENFORCEMENT_CANNOT_DECODE_TGT_AUTHDATA";
+ } else if (!pac_present) {
+ kerr = ENOENT;
+ *status = "PAC_ENFORCEMENT_TGT_WITHOUT_PAC";
+ }
+
+end:
+ return kerr;
+}
diff --git a/daemons/ipa-kdb/ipa_kdb_principals.c b/daemons/ipa-kdb/ipa_kdb_principals.c
index a7e77e940ab61b27407076a834f3804b0e69c122..bb9e039923e821e8a20d01fbc42d92b402d3f961 100644
--- a/daemons/ipa-kdb/ipa_kdb_principals.c
+++ b/daemons/ipa-kdb/ipa_kdb_principals.c
@@ -188,25 +188,6 @@ done:
return ret;
}
-static bool
-is_tgs_princ(krb5_context kcontext, krb5_const_principal princ)
-{
- krb5_data *primary;
- size_t l_tgs_name;
-
- if (2 != krb5_princ_size(kcontext, princ))
- return false;
-
- primary = krb5_princ_component(kcontext, princ, 0);
-
- l_tgs_name = strlen(KRB5_TGS_NAME);
-
- if (l_tgs_name != primary->length)
- return false;
-
- return 0 == memcmp(primary->data, KRB5_TGS_NAME, l_tgs_name);
-}
-
static krb5_error_code
cmp_local_tgs_princ(krb5_context kcontext, const char *local_realm,
krb5_const_principal princ, bool *result)
@@ -2080,7 +2061,7 @@ krb5_error_code ipadb_get_principal(krb5_context kcontext,
return kerr;
/* If TGS principal, some virtual attributes may be added */
- if (is_tgs_princ(kcontext, (*entry)->princ)) {
+ if (ipadb_is_tgs_princ(kcontext, (*entry)->princ)) {
kerr = cmp_local_tgs_princ(kcontext, ipactx->realm, (*entry)->princ,
&is_local_tgs_princ);
if (kerr)
--
2.51.0

93
0134-ipatests-extend-test-for-unique-krbcanonicalname.patch Normal file
View File

@ -0,0 +1,93 @@
From 9f15d21bc0673696757406885e90647c3c7ad9a3 Mon Sep 17 00:00:00 2001
From: Florence Blanc-Renaud <flo@redhat.com>
Date: Thu, 28 Aug 2025 15:31:39 +0200
Subject: [PATCH] ipatests: extend test for unique krbcanonicalname
Add a test ensuring that root@REALM cannot be added as
krbcanonicalname
Add a test for PAC enforcement:
try to access a service using a TGT obtained without PAC.
Should fail as PAC is now enforced.
Signed-off-by: Florence Blanc-Renaud <flo@redhat.com>
---
ipatests/test_integration/test_commands.py | 44 ++++++++++++++++++++--
1 file changed, 40 insertions(+), 4 deletions(-)
diff --git a/ipatests/test_integration/test_commands.py b/ipatests/test_integration/test_commands.py
index 6aaf4f2995b61c538a9f99eed4a5a63b4df7cea7..dcffa6a8a00b5c9a7d41b8e131454666ef7eda85 100644
--- a/ipatests/test_integration/test_commands.py
+++ b/ipatests/test_integration/test_commands.py
@@ -2239,7 +2239,7 @@ class TestIPACommandWithoutReplica(IntegrationTest):
hostname = master.hostname
realm = master.domain.realm
principal = f'test/{hostname}@{realm}'
- entry_ldif = textwrap.dedent("""
+ entry_ldif_template = textwrap.dedent("""
dn: krbprincipalname={principal},cn=services,cn=accounts,{base_dn}
changetype: add
ipakrbprincipalalias: test/{hostname}@{realm}
@@ -2250,13 +2250,15 @@ class TestIPACommandWithoutReplica(IntegrationTest):
objectclass: krbprincipal
objectclass: krbprincipalaux
objectclass: top
- krbcanonicalname: admin@{realm}
+ krbcanonicalname: {user}@{realm}
managedby: fqdn={hostname},cn=computers,cn=accounts,{base_dn}
- """).format(
+ """)
+ entry_ldif = entry_ldif_template.format(
base_dn=base_dn,
hostname=hostname,
principal=principal,
- realm=realm)
+ realm=realm,
+ user='admin')
tasks.kdestroy_all(master)
master.run_command(
['kinit', '-kt', '/etc/krb5.keytab', f'host/{hostname}@{realm}'])
@@ -2269,6 +2271,40 @@ class TestIPACommandWithoutReplica(IntegrationTest):
raiseonerr=False)
assert "entry with the same attribute value" in result.stderr_text
+ # Now try with root@realm instead of admin@realm
+ entry_ldif = entry_ldif_template.format(
+ base_dn=base_dn,
+ hostname=hostname,
+ principal=principal,
+ realm=realm,
+ user='root')
+ args = [
+ 'ldapmodify',
+ '-Y',
+ 'GSSAPI'
+ ]
+ result = master.run_command(args, stdin_text=entry_ldif,
+ raiseonerr=False)
+ assert "entry with the same attribute value" in result.stderr_text
+ tasks.kdestroy_all(master)
+
+ def test_no_request_pac(self):
+ # Try to use a TGT obtained without PAC
+ # Should fail as the presence of the PAC when processing TGTs
+ # provided by TGS-REQ is now enforced.
+ hostname = self.master.hostname
+ realm = self.master.domain.realm
+ self.master.run_command([
+ 'kinit', '-kt', '/etc/krb5.keytab', f'host/{hostname}@{realm}',
+ '--no-request-pac'
+ ])
+ result = self.master.run_command(
+ ['kvno', f'ldap/{hostname}@{realm}'],
+ raiseonerr=False
+ )
+ assert result.returncode == 1
+ assert "PAC_ENFORCEMENT_TGT_WITHOUT_PAC" in result.stderr_text
+
class TestIPAautomount(IntegrationTest):
@classmethod
--
2.51.0

16
freeipa-4.12.2.tar.gz.asc Normal file
View File

@ -0,0 +1,16 @@
-----BEGIN PGP SIGNATURE-----
iQIzBAABCAAdFiEEL88tWdi+3Yi1YO6/QPd0nE8v3u0FAmbGIAgACgkQQPd0nE8v
3u25Hg//cSLyagXQ6cDnpR4TiLBTrbRu8rycJt8qWK2c+VtnjFb5jWHz8P4dyQ2t
liduXvT9SLSuwaDRySNGgWrA1LDxm+VLv0pyjuCBX59T7EHwz3mtmBDA2WHpgOZ1
q2owCbhZRHtEd53T8bQBi8zUbqOqZoU/yc03Vt8h5XcrA5Pxxlm9sSIzC0RHToud
uTGLNyIUQR5el+kfvUkBuyuRB0LMqZNo/xFcmV4lc0VO37EA07nSleNliYE06fwi
soDR+qrpt4I4vpCVjtbQsJF5dtaFpmHbbshmIudyriBBlukmpXvlFXkBXdZruZKW
x/+abovaGgwdx2BdMBAPXrSByzXPNGQhF0jfC7VUS5NTehWQ3yjoTylOgwyYjsCp
zKAH4KJeDEnn6Epb+DhC8DxQy9JaviALYkYZDw6qt9JkMiZUudnPsEz/KZkk/F5C
VLKTI6vv+6wXUMt0NjUyuvcb3xHpks8RuZ7pbxoS09kceSC4jAsgeFc6JI+F5QC5
1IO+yrwGj/s22lusb8BPEEM9DQQI27V5Ljeb3NxdASZE4cgJAOIyIe8aUeEf8Q6Z
a696Slrhy8uuQkMXCUMKrrK1E7bHgIZszdy9rNM4JTYVWjLNXstkErqdmbeQ1zUN
VyT+DT8dK/fqvH9NBpyUNbXtzpSm+bfAqWOJKvQrTnyknfIGdKw=
=ReWc
-----END PGP SIGNATURE-----

214
freeipa.spec
View File

@ -66,11 +66,10 @@
%if 0%{?rhel}
%global package_name ipa
%global alt_name freeipa
%global krb5_version 1.20.1-1
%global krb5_kdb_version 9.0
# 0.7.16: https://github.com/drkjam/netaddr/issues/71
%global python_netaddr_version 0.7.19
%global samba_version 4.21.1
%global samba_version 4.22.2
%global slapi_nis_version 0.70.0
%global python_ldap_version 3.1.0-1
%if 0%{?rhel} < 9
@ -78,14 +77,29 @@
%global ds_version 1.4.3.16-12
%global selinux_policy_version 3.14.3-107
%else
# version supporting LMDB and lib389.cli_ctl.dblib.run_dbscan utility
%global ds_version 3.0.4
# version for Allow Uniqueness plugin to search uniqueness attributes
# using custom matching rules
%global ds_version 3.1.3-5
%global selinux_policy_version 38.1.1-1
%endif
%if 0%{?rhel} >= 10
%global krb5_version 1.21.3-6
%elif 0%{?rhel} == 9
%global krb5_version 1.21.1-5
%else
%global krb5_version 1.18.2-31
%endif
# Fix for TLS 1.3 PHA, RHBZ#1775158
%global httpd_version 2.4.37-21
%global bind_version 32:9.18.33-2
# DNSSEC support with OpenSSL provider API in RHEL 10
%if 0%{?rhel} < 10
%global bind_version 9.11.20-6
%else
%global bind_version 9.18.33-3
%endif
# support for passkey
%global sssd_version 2.10.0
@ -105,7 +119,6 @@
%global slapi_nis_version 0.70.0
# Require new KDB ABI
%global krb5_version 1.21.2
%global krb5_kdb_version 9.0
# fix for segfault in python3-ldap, https://pagure.io/freeipa/issue/7324
@ -119,17 +132,28 @@
%elif 0%{?fedora} == 40
%global ds_version 3.0.4-3
%elif 0%{?fedora} >= 41
%global ds_version 3.1.1-3
%global ds_version 3.1.1-3
%else
%global ds_version 2.1.0
%endif
%if 0%{?fedora} >= 42
%global krb5_version 1.21.3-5
%elif 0%{?fedora} == 41
%global krb5_version 1.21.3-4
%else
%global krb5_version 1.21.3-3
%endif
# Fix for TLS 1.3 PHA, RHBZ#1775146
%global httpd_version 2.4.41-9
# Fix for RHBZ#2117342
%global bind_version 32:9.18.7-1
%if 0%{?fedora} < 42
%global bind_version 32:9.18.33-1
%else
# BIND version with backport of DNSSEC support over OpenSSL provider API
%global bind_version 32:9.18.35-2
%endif
# Don't use Fedora's Python dependency generator on Fedora 30/rawhide yet.
# Some packages don't provide new dist aliases.
# https://docs.fedoraproject.org/en-US/packaging-guidelines/Python/
@ -207,7 +231,7 @@
Name: %{package_name}
Version: %{IPA_VERSION}
Release: 15%{?rc_version:.%rc_version}%{?dist}.1
Release: 24%{?rc_version:.%rc_version}.0.1%{?dist}.1
Summary: The Identity, Policy and Audit system
License: GPL-3.0-or-later
@ -269,7 +293,6 @@ Patch0028: 0028-ipa-migrate-should-migrate-dns-forward-zones.patch
Patch0029: 0029-vault-handle-pyca-InternalError-exception-for-PKCS-1.patch
Patch0030: 0030-ipatests-Tests-for-ipa-migrate-tool.patch
Patch0031: 0031-Fix-Organization-field-in-Okta-not-required.patch
Patch0032: 0032-Use-OpenSSL-provider-with-BIND-for-Fedora-41-and-RHE.patch
Patch0033: 0033-selinux-allow-Cockpit-to-use-HTTP-keytab-on-IPA-serv.patch
Patch0034: 0034-Minimal-test-for-Cockpit-integration-on-IPA-master.patch
Patch0035: 0035-ipatests-install-master-with-allow-zone-overlap.patch
@ -307,8 +330,71 @@ Patch0066: 0066-ipatests-on-rhel10-do-not-install-firefox.patch
Patch0067: 0067-Configure-the-pki-tomcatd-service-systemd-timeout.patch
Patch0068: 0068-Align-startup_timeout-with-the-systemd-default-and-d.patch
Patch0069: 0069-dns-only-disable-unbound-when-DoT-is-enabled.patch
Patch0070: 10001-kdb-keep-ipadb_get_connection-from-succeeding-with-n.patch
Patch0071: 10002-Set-krbCanonicalName-admin-REALM-on-the-admin-user.patch
Patch0070: 0070-ipa-migrate-do-not-migrate-tombstone-entries-ignore-.patch
Patch0071: 0071-Replace-fips-mode-setup.patch
Patch0072: 0072-Skip-for-unpatched-freeipa-healthcheck.patch
Patch0073: 0073-WebUI-fix-the-tooltip-for-Search-Size-limit.patch
Patch0074: 0074-Leapp-upgrade-skip-systemctl-calls.patch
Patch0075: 0075-Disable-raw-and-structured-together.patch
Patch0076: 0076-config-mod-allow-disabling-subordinate-ID-integratio.patch
Patch0077: 0077-update_dna_shared_config-do-not-fail-when-config-is-.patch
Patch0078: 0078-baseuser-allow-uidNumber-and-gidNumber-of-32-bit-ran.patch
Patch0079: 0079-ipatests-add-a-test-to-use-full-32-bit-ID-range-spac.patch
Patch0080: 0080-idrange-use-minvalue-0-for-baserid-and-secondarybase.patch
Patch0081: 0081-ipatests-Tests-to-check-data-in-journal-log.patch
Patch0082: 0082-Disallow-removal-of-dogtag-and-ipa-dnskeysyncd-servi.patch
Patch0083: 0083-Don-t-require-certificates-to-have-unique-ipaCertSub.patch
Patch0084: 0084-dns-don-t-populate-forwarders-with-DoT-forwarders.patch
Patch0085: 0085-Correct-dnsrecord_-tests-for-raw-structured.patch
Patch0086: 0086-ipatests-Fix-for-ipa-healthcheck-test-in-FIPS-Mode.patch
Patch0087: 0087-ipa-sidgen-fix-memory-leak-in-ipa_sidgen_add_post_op.patch
Patch0088: 0088-Add-a-check-into-ipa-cert-fix-tool-to-avoid-updating.patch
Patch0089: 0089-Test-fix-for-the-update.patch
Patch0090: 0090-ipa-migrate-remove-replication-state-information.patch
Patch0091: 0091-ipa-migrate-do-not-process-AD-entgries-in-staging-mo.patch
Patch0092: 0092-ipa-migrate-improve-suffix-replacement.patch
Patch0093: 0093-kdb-keep-ipadb_get_connection-from-succeeding-with-n.patch
Patch0094: 0094-Use-OpenSSL-provider-with-BIND-for-Fedora-42-and-RHE.patch
Patch0095: 0095-DNS-detect-when-OpenSSL-engine-should-be-removed-on-.patch
Patch0096: 0096-ipa-dnskeysyncd-use-systemd-tmpfiles-to-handle-token.patch
Patch0097: 0097-freeipa.spec.in-update-BIND-related-dependencies.patch
Patch0098: 0098-freeipa.spec.in-do-not-recommend-encrypted-DNS-on-pr.patch
Patch0099: 0099-dns-install-fix-selinux-avc-relabelto.patch
Patch0100: 0100-ipatests-test_manual_renewal_master_transfer-must-wa.patch
Patch0101: 0101-Require-baserid-and-secondarybaserid.patch
Patch0102: 0102-ipa-config-mod-fix-internalerror-when-setting-an-emp.patch
Patch0103: 0103-ipatests-Test-to-check-dot-forwarders-are-added-to-u.patch
Patch0104: 0104-Fix-some-issues-identified-by-a-static-analyzer.patch
Patch0105: 0105-ipatests-Ignore-run-log-journal-in-test_uninstallati.patch
Patch0106: 0106-ipatests-Tests-for-krbLastSuccessfulAuth-warning.patch
Patch0107: 0107-ipatests-ipahealthcheck-warns-for-user-provided-cert.patch
Patch0108: 0108-Warn-when-UID-is-out-of-local-ID-ranges.patch
Patch0109: 0109-ipatests-fix-invalid-range-creation-in-test_ipa_idra.patch
Patch0110: 0110-ipatests-fix-xfail-annotation-for-test_ipa_healthche.patch
Patch0111: 0111-ipatests-certbot-removed-the-manual-public-ip-loggin.patch
Patch0112: 0112-ipatests-adapt-error-code-and-message-for-samba-4.22.patch
Patch0113: 0113-Fix-inconsistency-in-manpage-for-DoT-forwarder-optio.patch
Patch0114: 0114-Set-krbCanonicalName-admin-REALM-on-the-admin-user.patch
Patch0115: 0115-ipa-client-install-Fix-nsupdate-issues-when-dns_over.patch
Patch0116: 0116-ipatests-fix-test_adtrust_install_with_non_ipa_user.patch
Patch0117: 0117-ipa-idrange-fix-check-that-IPA-server-is-installed.patch
Patch0118: 0118-ipa-migrate-only-remove-repl-state-attribute-options.patch
# Patch0119: 0119-ipa-kdb-support-storing-multiple-KVNO-for-the-same-p.patch
# Patch0120: 0120-Use-ipaplatform-tasks-for-krb5-enctypes.patch
# Patch0121: 0121-Add-test-for-master-key-upgrade.patch
Patch0122: 0122-ipa-client-install-New-no-dnssec-validation-option.patch
Patch0123: 0123-ipaserver-install-dns.py-Allow-to-Turn-off-DNSSEC-va.patch
Patch0124: 0124-ipatests-Tests-for-32BitIdranges.patch
Patch0125: 0125-Replica-Request-cert-for-DoT-before-setting-up-bind.patch
Patch0126: 0126-ipatests-use-sos-report-instead-of-sosreport-command.patch
Patch0127: 0127-dns-only-overwrite-resolv.conf-during-eDNS-setup-whe.patch
Patch0128: 0128-Use-correct-capitalization-for-GitHub-and-GitLab.patch
Patch0129: 0129-kdb-prevent-double-crash-in-RBCD-ACL-free.patch
Patch0130: 0130-ipatests-Tests-for-ipa-migrate-tool-with-ldif-file.patch
Patch0131: 0131-dns-disable-all-previous-Unbound-configuration-befor.patch
Patch0132: 0132-Enforce-uniqueness-across-krbprincipalname-and-krbca.patch
Patch0133: 0133-ipa-kdb-enforce-PAC-presence-on-TGT-for-TGS-REQ.patch
Patch0134: 0134-ipatests-extend-test-for-unique-krbcanonicalname.patch
Patch1001: 1001-Change-branding-to-IPA-and-Identity-Management.patch
%endif
%endif
@ -362,8 +448,9 @@ BuildRequires: libsss_idmap-devel
BuildRequires: libsss_certmap-devel
BuildRequires: libsss_nss_idmap-devel >= %{sssd_version}
%if 0%{?fedora} >= 41 || 0%{?rhel} >= 10
# Do not use nodejs-24
# Do not use nodejs22 on fedora < 41, https://pagure.io/freeipa/issue/9643
BuildRequires: nodejs(abi)
BuildRequires: nodejs(abi) == 127
%elif 0%{?fedora} >= 39
# Do not use nodejs20 on fedora < 39, https://pagure.io/freeipa/issue/9374
BuildRequires: nodejs(abi) < 127
@ -641,6 +728,7 @@ BuildArch: noarch
Requires: %{name}-client-common = %{version}-%{release}
Requires: httpd >= %{httpd_version}
Requires: systemd-units >= %{systemd_version}
Requires: bind >= %{bind_version}
%if 0%{?rhel} >= 8 && ! 0%{?eln}
Requires: system-logos-ipa >= 80.4
%endif
@ -662,7 +750,12 @@ If you are installing an IPA server, you need to install this package.
Summary: IPA integrated DNS server with support for automatic DNSSEC signing
BuildArch: noarch
Requires: %{name}-server = %{version}-%{release}
Requires: bind-dyndb-ldap >= 11.11-1
# Both Fedora 42+ and RHEL support newer bind-dyndb-ldap 11.11
%if 0%{?fedora} < 42
Requires: bind-dyndb-ldap >= 11.10-33
%else
Requires: bind-dyndb-ldap >= 11.11
%endif
Requires: bind >= %{bind_version}
Requires: bind-utils >= %{bind_version}
# bind-dnssec-utils is required by the OpenDNSSec integration
@ -673,7 +766,9 @@ Requires: %{openssl_pkcs11_name} >= %{openssl_pkcs11_version}
# See https://bugzilla.redhat.com/show_bug.cgi?id=1825812
# RHEL 8.3+ and Fedora 32+ have 2.1
Requires: opendnssec >= 2.1.6-5
%if 0%{?fedora} >= 42 || 0%{?rhel} > 9
Recommends: %{name}-server-encrypted-dns
%endif
%{?systemd_requires}
Provides: %{alt_name}-server-dns = %{version}
@ -691,6 +786,8 @@ Integrated DNS server is BIND 9. OpenDNSSEC provides key management.
%package server-encrypted-dns
Summary: support for encrypted DNS in IPA integrated DNS server
Requires: %{name}-client-encrypted-dns
# Will need newer bind-dyndb-ldap to allow use of OpenSSL provider API
Requires: bind-dyndb-ldap >= 11.11
%description server-encrypted-dns
Provides support for enabling DNS over TLS in the IPA integrated DNS
@ -1112,7 +1209,8 @@ autoreconf -ivf
%{enable_server_option} \
%{with_ipatests_option} \
%{with_ipa_join_xml_option} \
%{linter_options}
%{linter_options} \
--with-ipaplatform=rhel
# run build in default dir
# -Onone is workaround for https://bugzilla.redhat.com/show_bug.cgi?id=1398405
@ -1277,8 +1375,11 @@ if [ $1 = 0 ]; then
# NOTE: systemd specific section
/bin/systemctl --quiet stop ipa.service || :
/bin/systemctl --quiet disable ipa.service || :
/bin/systemctl reload-or-try-restart dbus
/bin/systemctl reload-or-try-restart oddjobd
# Skip systemctl calls when leapp upgrade is in progress
if [ -z "$LEAPP_IPU_IN_PROGRESS" ] ; then
/bin/systemctl reload-or-try-restart dbus
/bin/systemctl reload-or-try-restart oddjobd
fi
# END
fi
@ -1342,8 +1443,11 @@ fi
%preun server-trust-ad
if [ $1 -eq 0 ]; then
%{_sbindir}/update-alternatives --remove winbind_krb5_locator.so /dev/null
/bin/systemctl reload-or-try-restart dbus
/bin/systemctl reload-or-try-restart oddjobd
# Skip systemctl calls when leapp upgrade is in progress
if [ -z "$LEAPP_IPU_IN_PROGRESS" ] ; then
/bin/systemctl reload-or-try-restart dbus
/bin/systemctl reload-or-try-restart oddjobd
fi
fi
# ONLY_CLIENT
@ -1773,6 +1877,7 @@ fi
%{_libexecdir}/ipa/ipa-ods-exporter
%{_sbindir}/ipa-dns-install
%{_mandir}/man1/ipa-dns-install.1*
%{_usr}/share/ipa/ipa-dnssec.conf
%attr(644,root,root) %{_unitdir}/ipa-dnskeysyncd.service
%attr(644,root,root) %{_unitdir}/ipa-ods-exporter.socket
%attr(644,root,root) %{_unitdir}/ipa-ods-exporter.service
@ -1954,12 +2059,67 @@ fi
%endif
%changelog
* Thu Jun 26 2025 Alex Burmashev <alexander.burmashev@oracle.com> - 4.12.2-15.el10_0.1
- Resolves: RHEL-89908
EMBARGOED CVE-2025-4404 ipa: Privilege escalation from host to domain admin in FreeIPA
- Resolves: RHEL-89144
kdb: ipadb_get_connection() succeeds but returns null LDAP context
* Tue Nov 25 2025 EL Errata <el-errata_ww@oracle.com> - 4.12.2-24.0.1.1
- Set IPAPLATFORM=rhel when build on Oracle Linux [Orabug: 29516674]
- Add bind to ipa-server-common Requires [Orabug: 36518596]
* Tue Sep 30 2025 Florence Blanc-Renaud <flo@redhat.com> - 4.12.2-24.1
- Resolves: RHEL-118447 CVE-2025-7493 ipa: Privilege escalation from host to domain admin in FreeIPA
* Tue Aug 19 2025 Rafael Jeffman <rjeffman@redhat.com> - 4.12.2-24
- Resolves: RHEL-109895 Revert allow update of Kerberos master key
* Wed Jul 30 2025 Florence Blanc-Renaud <flo@redhat.com> - 4.12.2-23
- Resolves: RHEL-105973 Include fixes in python3-ipatests package
- Resolves: RHEL-105513 kdb: prevent double crash in RBCD ACL free
- Resolves: RHEL-101708 ipatests: use "sos report" instead of "sosreport" command
- Resolves: RHEL-95733 Incorrect use of external IdP GitHub trademark
- Resolves: RHEL-95374 eDNS: multiple issues during encrypted DNS setup
* Thu Jun 26 2025 Florence Blanc-Renaud <flo@redhat.com> - 4.12.2-22
- Resolves: RHEL-95374 eDNS: multiple issues during encrypted DNS setup
- Resolves: RHEL-89893 ipa: Privilege escalation from host to domain admin in FreeIPA
- Resolves: RHEL-99316 Include latest fixes in python3-ipatests package
- Resolves: RHEL-97053 ipa-idrange-fix: 'Env' object has no attribute 'basedn'
- Resolves: RHEL-96936 Nightly test failure (rawhide) in test_trust.py::TestTrust::test_server_option_with_unreachable_ad
- Resolves: RHEL-49440 kdb: support storing and retrieving multiple master keys
* Thu Jun 12 2025 Florence Blanc-Renaud <flo@redhat.com> - 4.12.2-21
- Related: RHEL-89870
Bump NVR, rebuild required after infra issue
* Wed Jun 11 2025 Florence Blanc-Renaud <flo@redhat.com> - 4.12.2-20
- Related: RHEL-89870
* Thu Jun 05 2025 Florence Blanc-Renaud <flo@redhat.com> - 4.12.2-19
- Related: RHEL-89979
Bump version and rebuild because of rpm issue
* Wed Jun 04 2025 Florence Blanc-Renaud <flo@redhat.com> - 4.12.2-18
- Resolves: RHEL-89979 Support OpenSSL provider API
- Resolves: RHEL-25007 [RFE] Give warning when adding user with UID out of any ID range
- Resolves: RHEL-93484 Unable to modify IPA config; --ipaconfigstring="" causes internal error
- Resolves: RHEL-89834 Include latest fixes in python3-ipatests package
- Resolves: RHEL-88833 kdb: ipadb_get_connection() succeeds but returns null LDAP context
- Resolves: RHEL-79072 ipa idrange-add --help should be more clear about required options
- Resolves: RHEL-68803 ipa-migrate with LDIF file from backup of remote server, fails with error 'change collided with another change'
- Resolves: RHEL-30825 IDM - When creating an ID range, should require a RID
* Tue Apr 29 2025 Florence Blanc-Renaud <flo@redhat.com> - 4.12.2-17
- Resolves: RHEL-88043 Server installation: dot-forwarder not added as a forwarder
- Resolves: RHEL-86481 Include latest fixes in python3-ipatests package
- Resolves: RHEL-85788 ipa-sidgen: fix memory leak in ipa_sidgen_add_post_op()
- Resolves: RHEL-88899 [RFE] Add check on CA cert expiry for ipa-cert-fix
* Mon Mar 24 2025 Florence Blanc-Renaud <flo@redhat.com> - 4.12.2-16
- Resolves: RHEL-84648 ipa-cacert-manage install fails with CAs having the same subject DN (subject key mismatch info)
- Resolves: RHEL-84279 IPU 9 -> 10: ipa-server breaks the in-place upgrade due to failed scriptlet
- Resolves: RHEL-84275 Search size limit tooltip has Search time limit tooltip text
- Resolves: RHEL-81200 Ipa client --raw --structured throws internal error
- Resolves: RHEL-68803 ipa-migrate with LDIF file from backup of remote server, fails with error 'change collided with another change'
- Resolves: RHEL-67686 [RFE] IDM support UIDs up to 4,294,967,293
- Resolves: RHEL-67633 ipa-healthcheck has tests which call fips-mode-setup
- Resolves: RHEL-4845 Protect *all* IPA service principals
* Wed Feb 12 2025 Florence Blanc-Renaud <flo@redhat.com> - 4.12.2-15
- Resolves: RHEL-67912 Add DNS over TLS Support
@ -2475,7 +2635,7 @@ fi
* Sat Apr 06 2019 Alexander Bokovoy <abokovoy@redhat.com> - 4.7.2-8
- Fixed: rhbz#1696963 (Failed to install replica)
* Sat Apr 06 2019 Alexander Bokovoy <abokovoy@redhat.com> - 4.7.2-7
- Support Samba 4.10
- Support 389-ds 1.4.1.2-2.fc30 or later

1
sources
View File

@ -1,2 +1 @@
SHA512 (freeipa-4.12.2.tar.gz) = 2e1e67dbe73a458db5c59528799649629a1cb462283e4e9a4c56aff46d275782bcb3b0d57de615bbc7020a4350d4d383501e049ac19ed38250896b1e8fd27cb0
SHA512 (freeipa-4.12.2.tar.gz.asc) = 07309bfdafd2ba9b1ced71374df5a84d242a5bf8e806765b4c3374ee2ddea0484f140d615a24b3f73f39a8ac34727d82a066ea399f91654077170519a12e2d27