ipa-4.12.2-9

- Resolves: RHEL-70759
Fix typo in ipa-migrate log file, i.e. 'Privledges' to 'Privileges'
- Resolves: RHEL-70477
ipa-server-upgrade fails after established trust with AD
- Resolves: RHEL-70253
Upgrade to ipa-server-4.12.2-1.el9: OTP-based bind to LDAP without enforceldapotp is broken
- Resolves: RHEL-69926
Add support for python-cryptography 44.0.0
- Resolves: RHEL-69635
All user groups are not being included during HSM token validation

Signed-off-by: Florence Blanc-Renaud <flo@redhat.com>
Florence Blanc-Renaud 2024-12-11 09:46:58 +01:00
parent 1e38d43370
commit 8f97c76dba
8 changed files with 655 additions and 1 deletions

@ -0,0 +1,66 @@
From 184589fac4ff36b5583541f40dff91296c33370a Mon Sep 17 00:00:00 2001
From: Rob Crittenden <rcritten@redhat.com>
Date: Mon, 2 Dec 2024 10:23:29 -0500
Subject: [PATCH] Allow looking up constants.Group by gid in addition to name
This adds flexibility so we can look up groups by both gid and
by name in order to have a more consistent API for management.
Related: https://pagure.io/freeipa/issue/9709
Signed-off-by: Rob Crittenden <rcritten@redhat.com>
Reviewed-By: Alexander Bokovoy <abokovoy@redhat.com>
Reviewed-By: Florence Blanc-Renaud <frenaud@redhat.com>
---
ipaplatform/base/constants.py | 5 ++++-
ipatests/test_ipaplatform/test_constants.py | 11 +++++++++++
2 files changed, 15 insertions(+), 1 deletion(-)
diff --git a/ipaplatform/base/constants.py b/ipaplatform/base/constants.py
index 1689efe52466f00fd8b014f720e1d21ebdbf2504..f1ef7efff502573bab82e890bcdf87c0ec52a399 100644
--- a/ipaplatform/base/constants.py
+++ b/ipaplatform/base/constants.py
@@ -86,7 +86,10 @@ class Group(_Entity):
try:
self._entity = entity = grp.getgrnam(self)
except KeyError:
- raise ValueError(f"group '{self!s}' not found") from None
+ try:
+ self._entity = entity = grp.getgrgid(int(self))
+ except (TypeError, ValueError):
+ raise ValueError(f"group '{self!s}' not found") from None
return entity
@property
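Review bot: the gid fallback at `self._entity = entity = grp.getgrgid(int(self))` catches TypeError and ValueError but not KeyError, which is what grp raises for a numeric string that matches no group, so that case escapes the `except` and the caller gets a KeyError instead of the ValueError the name path produces. Widen the clause to `except (TypeError, ValueError, KeyError):` so both lookups fail the same way. Since the name lookup runs first, a group whose name happens to be numeric still wins over the gid interpretation; that precedence is worth one sentence in the class docstring.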
diff --git a/ipatests/test_ipaplatform/test_constants.py b/ipatests/test_ipaplatform/test_constants.py
index b57bfa48e5ccefe2b22cb00aca8436e0edc01a30..9bb12283609f87bcd875a2c55ee1e8b714dd8b3a 100644
--- a/ipatests/test_ipaplatform/test_constants.py
+++ b/ipatests/test_ipaplatform/test_constants.py
@@ -1,6 +1,7 @@
#
# Copyright (C) 2020 FreeIPA Contributors see COPYING for license
#
+import grp
import pytest
from ipaplatform.base.constants import User, Group
@@ -40,6 +41,16 @@ def test_group():
assert Group(str(group)) is not group
+def test_numeric_group():
+ g = grp.getgrnam('apache')
+ group = Group(g.gr_gid)
+ assert group.gid == g.gr_gid
+ assert type(str(group)) is str
+ assert repr(group) == '<Group "%d">' % g.gr_gid
+ assert group.gid == g.gr_gid
+ assert group.entity.gr_gid == g.gr_gid
+
+
def test_group_invalid():
invalid = Group("invalid")
with pytest.raises(ValueError) as e:
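Review bot: `test_numeric_group` hard-depends on an `apache` group existing on the test host (`g = grp.getgrnam('apache')`), so on a machine without it the test errors with KeyError rather than skipping; either `pytest.skip()` on KeyError or resolve a group that always exists, such as gid 0. The assertion `assert group.gid == g.gr_gid` appears twice and one copy can go. There is also no case for a numeric string that matches no gid, which is exactly the branch the new `except` in constants.py is meant to cover, so a second test alongside `test_group_invalid` would close that gap.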
--
2.47.1

@ -0,0 +1,72 @@
From 934d4a291d44a40b5ea006aa1f09afa8e4a985fc Mon Sep 17 00:00:00 2001
From: Rob Crittenden <rcritten@redhat.com>
Date: Mon, 2 Dec 2024 10:27:15 -0500
Subject: [PATCH] Pass all pkiuser groups as suplementary when validating an
HSM
We were doing a "best effort" when validating the HSM token is
visible with a valid PIN when it came to groups. A specific
workaround was added for softhsm2 but this didn't carry over
to other HSMs that may have group-specific read/write access.
Use the new capability in ipaplatform.constants.py::Group to be
able to use generate a valid entry from a group GID. Pair this
with os.getgrouplist() and all groups will be passed correctly
via ipautil.run().
Fixes: https://pagure.io/freeipa/issue/9709
Signed-off-by: Rob Crittenden <rcritten@redhat.com>
Reviewed-By: Alexander Bokovoy <abokovoy@redhat.com>
Reviewed-By: Florence Blanc-Renaud <frenaud@redhat.com>
---
ipaserver/install/ca.py | 12 ++++--------
1 file changed, 4 insertions(+), 8 deletions(-)
diff --git a/ipaserver/install/ca.py b/ipaserver/install/ca.py
index 520e3fc5de1084e7c22c0cf7eaa86e1d3c421373..2959aceed5cd2fd4851457eaa4aeac3c0905d27d 100644
--- a/ipaserver/install/ca.py
+++ b/ipaserver/install/ca.py
@@ -211,11 +211,7 @@ def hsm_validator(token_name, token_library, token_password):
)
pkiuser = constants.PKI_USER
pkigroup = constants.PKI_GROUP
- if 'libsofthsm' in token_library:
- import grp
- group = grp.getgrnam(constants.ODS_GROUP)
- if str(constants.PKI_USER) in group.gr_mem:
- pkigroup = constants.ODS_GROUP
+ group_list = os.getgrouplist(pkiuser, pkigroup.gid)
with certdb.NSSDatabase() as tempnssdb:
tempnssdb.create_db(user=str(pkiuser), group=str(pkigroup))
# Try adding the token library to the temporary database in
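Review bot: `group_list = os.getgrouplist(pkiuser, pkigroup.gid)` needs `os` imported in ca.py; the hunk drops the local `import grp` and the visible context shows no module-level `import os`, so confirm one exists before merge. The call returns plain integer gids, so handing `group_list` to `suplementary_groups` only works because the preceding patch teaches `Group` to resolve from a gid; that ordering dependency (0044 before 0045) belongs in the commit message. The behaviour change itself is sound: the temporary NSS database is still created as `pkiuser:pkigroup`, and the validation subprocess now carries the same supplementary groups the PKI service has at runtime, so group-restricted token access on any HSM, not only softhsm2, is exercised the way it will be in production.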
@@ -231,7 +227,7 @@ def hsm_validator(token_name, token_library, token_password):
# It may fail if p11-kit has already registered the library, that's
# ok.
ipautil.run(command, stdin='\n', cwd=tempnssdb.secdir,
- runas=pkiuser, suplementary_groups=[pkigroup],
+ runas=pkiuser, suplementary_groups=group_list,
raiseonerr=False)
command = [
@@ -242,7 +238,7 @@ def hsm_validator(token_name, token_library, token_password):
]
lines = ipautil.run(
command, cwd=tempnssdb.secdir, capture_output=True,
- runas=pkiuser, suplementary_groups=[pkigroup]).output
+ runas=pkiuser, suplementary_groups=group_list).output
found = False
token_line = f'token: {token_name}'
for line in lines.split('\n'):
@@ -265,7 +261,7 @@ def hsm_validator(token_name, token_library, token_password):
]
result = ipautil.run(args, cwd=tempnssdb.secdir,
runas=pkiuser,
- suplementary_groups=[pkigroup],
+ suplementary_groups=group_list,
capture_error=True, raiseonerr=False)
if result.returncode != 0 and len(result.error_output):
if 'SEC_ERROR_BAD_PASSWORD' in result.error_output:
--
2.47.1

@ -0,0 +1,166 @@
From d4d56a6705c870901bc73882e4804367f7c9c91a Mon Sep 17 00:00:00 2001
From: Alexander Bokovoy <abokovoy@redhat.com>
Date: Sun, 1 Dec 2024 20:16:54 +0200
Subject: [PATCH] ipalib/x509: support PyCA 44.0
PyCA made x509.Certificate class concrete, it cannot be extended anymore
by Python code. The intent is to use helper functions to instantiate
certificate objects and never create them directly.
FreeIPA wraps PyCA's x509.Certificate class and provides own shim
on top of it. In most cases we load the certificate content via the
helper functions and don't really need to derive from the certificate
class.
Move IPACertificate to be a normal Python object class that stores
x509.Certificate internally. The only place where this breaks is when
IPACertificate object needs to be passed to a code that expects
x509.Certificate (Dogtag PKI). In such cases, expose the underlying
certificate instance via IPACertificate.cert property.
Fixes: https://pagure.io/freeipa/issue/9708
Signed-off-by: Alexander Bokovoy <abokovoy@redhat.com>
Reviewed-By: Florence Blanc-Renaud <flo@redhat.com>
---
ipalib/ipajson.py | 4 ++--
ipalib/x509.py | 10 +++++++++-
ipapython/ipaldap.py | 15 +++++++--------
ipaserver/plugins/dogtag.py | 3 ++-
4 files changed, 20 insertions(+), 12 deletions(-)
diff --git a/ipalib/ipajson.py b/ipalib/ipajson.py
index 5551d12e5fec7e458fa6fe85560664b2fd897337..fd99c8219c722c52321336f28ff27e1573e906c7 100644
--- a/ipalib/ipajson.py
+++ b/ipalib/ipajson.py
@@ -9,7 +9,7 @@ from decimal import Decimal
import json
import six
from ipalib.constants import LDAP_GENERALIZED_TIME_FORMAT
-from ipalib import capabilities
+from ipalib import capabilities, x509
from ipalib.x509 import Encoding as x509_Encoding
from ipapython.dn import DN
from ipapython.dnsutil import DNSName
@@ -72,7 +72,7 @@ class _JSONPrimer(dict):
list: self._enc_list,
tuple: self._enc_list,
dict: self._enc_dict,
- crypto_x509.Certificate: self._enc_certificate,
+ x509.IPACertificate: self._enc_certificate,
crypto_x509.CertificateSigningRequest: self._enc_certificate,
})
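Review bot: replacing `crypto_x509.Certificate` with `x509.IPACertificate` as the `_enc_certificate` key means a raw python-cryptography certificate handed to `_JSONPrimer` is no longer matched here, since IPACertificate stops subclassing it in this patch. If any caller still passes the PyCA type, map both keys to `self._enc_certificate`, the way `crypto_x509.CertificateSigningRequest` keeps its own entry on the next line.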
diff --git a/ipalib/x509.py b/ipalib/x509.py
index fd08238962b2b5e9cd056fb13c0a81ee8f31b092..6780bead00b50efdf03c62ce717572eeb9df2e5f 100644
--- a/ipalib/x509.py
+++ b/ipalib/x509.py
@@ -88,7 +88,7 @@ SAN_UPN = '1.3.6.1.4.1.311.20.2.3'
SAN_KRB5PRINCIPALNAME = '1.3.6.1.5.2.2'
-class IPACertificate(crypto_x509.Certificate):
+class IPACertificate:
"""
A proxy class wrapping a python-cryptography certificate representation for
IPA purposes
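Review bot: turning `IPACertificate` into a plain class silently breaks every `isinstance(obj, crypto_x509.Certificate)` check that used to accept IPA certificates; the other hunks in this patch update ipajson, ipaldap and dogtag, so the docstring ("A proxy class wrapping a python-cryptography certificate representation") is the place to state that the wrapper is not a PyCA certificate and that `.cert` must be used where one is required. Also confirm the class defines `__eq__` and `__hash__` itself, since those were previously inherited from the PyCA base class.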
@@ -205,6 +205,10 @@ class IPACertificate(crypto_x509.Certificate):
"""
return self._cert.fingerprint(algorithm)
+ @property
+ def cert(self):
+ return self._cert
+
@property
def serial_number(self):
return self._cert.serial_number
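Review bot: the new `cert` property has no docstring, unlike the neighbouring `fingerprint` and `serial_number` members; add one saying it returns the underlying `cryptography.x509.Certificate` and exists for callers such as Dogtag that require the PyCA type rather than the IPA wrapper.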
@@ -457,6 +461,8 @@ def load_pem_x509_certificate(data):
:returns: a ``IPACertificate`` object.
:raises: ``ValueError`` if unable to load the certificate.
"""
+ if isinstance(data, IPACertificate):
+ return data
return IPACertificate(
crypto_x509.load_pem_x509_certificate(data, backend=default_backend())
)
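Review bot: the `isinstance(data, IPACertificate)` short-circuit makes `load_pem_x509_certificate` (and `load_der_x509_certificate` in the next hunk) accept an already-parsed object, while the docstring still describes `data` as PEM or DER input with a `ValueError` on failure; update the `:returns:` text to say an `IPACertificate` argument is returned unchanged. Callers should also know the passthrough returns the same object, not a fresh copy.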
@@ -469,6 +475,8 @@ def load_der_x509_certificate(data):
:returns: a ``IPACertificate`` object.
:raises: ``ValueError`` if unable to load the certificate.
"""
+ if isinstance(data, IPACertificate):
+ return data
return IPACertificate(
crypto_x509.load_der_x509_certificate(data, backend=default_backend())
)
diff --git a/ipapython/ipaldap.py b/ipapython/ipaldap.py
index 1888e40916aa6e641542f08fb30ff2b0d4b850b1..5bb81c1bc844fce9b14251d3702e09099d85cdb5 100644
--- a/ipapython/ipaldap.py
+++ b/ipapython/ipaldap.py
@@ -33,7 +33,6 @@ import warnings
from collections import OrderedDict
-from cryptography import x509 as crypto_x509
from cryptography.hazmat.primitives import serialization
import ldap
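Review bot: with `from cryptography import x509 as crypto_x509` removed, any remaining `crypto_x509.` reference in ipaldap.py becomes a NameError at first use rather than at import time; the later hunks replace the seven uses visible in this patch, so a grep for `crypto_x509` in ipapython/ipaldap.py should come back empty before merge.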
@@ -748,10 +747,10 @@ class LDAPClient:
'dnszoneidnsname': DNSName,
'krbcanonicalname': Principal,
'krbprincipalname': Principal,
- 'usercertificate': crypto_x509.Certificate,
- 'usercertificate;binary': crypto_x509.Certificate,
- 'cACertificate': crypto_x509.Certificate,
- 'cACertificate;binary': crypto_x509.Certificate,
+ 'usercertificate': x509.IPACertificate,
+ 'usercertificate;binary': x509.IPACertificate,
+ 'cACertificate': x509.IPACertificate,
+ 'cACertificate;binary': x509.IPACertificate,
'nsds5replicalastupdatestart': unicode,
'nsds5replicalastupdateend': unicode,
'nsds5replicalastinitstart': unicode,
@@ -1000,7 +999,7 @@ class LDAPClient:
return dct
elif isinstance(val, datetime):
return val.strftime(LDAP_GENERALIZED_TIME_FORMAT).encode('utf-8')
- elif isinstance(val, crypto_x509.Certificate):
+ elif isinstance(val, x509.IPACertificate):
return val.public_bytes(x509.Encoding.DER)
elif val is None:
return None
@@ -1027,7 +1026,7 @@ class LDAPClient:
return DNSName.from_text(val.decode('utf-8'))
elif target_type in (DN, Principal):
return target_type(val.decode('utf-8'))
- elif target_type is crypto_x509.Certificate:
+ elif target_type is x509.IPACertificate:
return x509.load_der_x509_certificate(val)
else:
return target_type(val)
@@ -1381,7 +1380,7 @@ class LDAPClient:
]
return cls.combine_filters(flts, rules)
elif value is not None:
- if isinstance(value, crypto_x509.Certificate):
+ if isinstance(value, x509.IPACertificate):
value = value.public_bytes(serialization.Encoding.DER)
if isinstance(value, bytes):
value = binascii.hexlify(value).decode('ascii')
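Review bot: after this change a raw PyCA certificate passed as a filter value is no longer DER-encoded at `if isinstance(value, x509.IPACertificate):` and falls through to the generic handling below, where only `bytes` is hex-encoded; callers that build filters from certificates obtained outside the LDAP layer must wrap them with `x509.load_der_x509_certificate` first, or this branch should accept both types.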
diff --git a/ipaserver/plugins/dogtag.py b/ipaserver/plugins/dogtag.py
index 78afb279795ecf74f296cbbb8724505075a6e4a9..ee6d0e347d640a2664e38ba64785c3d8af54bbad 100644
--- a/ipaserver/plugins/dogtag.py
+++ b/ipaserver/plugins/dogtag.py
@@ -1581,7 +1581,8 @@ class kra(Backend):
crypto = cryptoutil.CryptographyCryptoProvider(
transport_cert_nick="ra_agent",
- transport_cert=x509.load_certificate_from_file(paths.RA_AGENT_PEM)
+ transport_cert=x509.load_certificate_from_file(
+ paths.RA_AGENT_PEM).cert
)
# TODO: obtain KRA host & port from IPA service list or point to KRA load balancer
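Review bot: `.cert` hands the bare PyCA certificate to `CryptographyCryptoProvider` for the KRA transport certificate only; the commit message calls Dogtag the one place that needs this, so confirm no other call into the pki client library receives an `IPACertificate`, as those would now fail the same way.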
--
2.47.1

@ -0,0 +1,120 @@
From 8dfec28647f7c17e47fbfc96a1720dcde1592386 Mon Sep 17 00:00:00 2001
From: Stanislav Levin <slev@altlinux.org>
Date: Mon, 2 Dec 2024 15:04:30 +0300
Subject: [PATCH] pyca: adapt import paths for TripleDES cipher
https://cryptography.io/en/latest/hazmat/primitives/symmetric-encryption/#cryptography.hazmat.primitives.ciphers.algorithms.TripleDES
> This algorithm has been deprecated and moved to the Decrepit
cryptography module. If you need to continue using it then update your
code to use the new module path. It will be removed from this namespace
in 48.0.0.
Fixes: https://pagure.io/freeipa/issue/9708
Signed-off-by: Stanislav Levin <slev@altlinux.org>
Reviewed-By: Florence Blanc-Renaud <flo@redhat.com>
---
ipaclient/plugins/vault.py | 8 +++++++-
ipalib/constants.py | 24 +++++++++++-------------
ipaserver/install/ipa_otptoken_import.py | 8 +++++++-
3 files changed, 25 insertions(+), 15 deletions(-)
diff --git a/ipaclient/plugins/vault.py b/ipaclient/plugins/vault.py
index 75415c03a57242ae674636fa31a72db2fa56d6ea..6af7297936924dfb80e7f79924b570421da65c97 100644
--- a/ipaclient/plugins/vault.py
+++ b/ipaclient/plugins/vault.py
@@ -34,6 +34,12 @@ from cryptography.hazmat.primitives import hashes
from cryptography.hazmat.primitives.kdf.pbkdf2 import PBKDF2HMAC
from cryptography.hazmat.primitives.asymmetric import padding
from cryptography.hazmat.primitives.ciphers import Cipher, algorithms, modes
+try:
+ # cryptography>=43.0.0
+ from cryptography.hazmat.decrepit.ciphers.algorithms import TripleDES
+except ImportError:
+ # will be removed from this module in cryptography 48.0.0
+ from cryptography.hazmat.primitives.ciphers.algorithms import TripleDES
from cryptography.hazmat.primitives.padding import PKCS7
from cryptography.hazmat.primitives.serialization import (
load_pem_public_key, load_pem_private_key)
@@ -661,7 +667,7 @@ class ModVaultData(Local):
if name == constants.VAULT_WRAPPING_AES128_CBC:
return algorithms.AES(os.urandom(128 // 8))
elif name == constants.VAULT_WRAPPING_3DES:
- return algorithms.TripleDES(os.urandom(196 // 8))
+ return TripleDES(os.urandom(196 // 8))
else:
# unreachable
raise ValueError(name)
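Review bot: the key length at `return TripleDES(os.urandom(196 // 8))` evaluates to 24 bytes, which is the correct three-key 3DES size, but only by integer truncation; the literal should read `192`, matching the `128 // 8` used for AES on the line above. Since this line is touched anyway, fix the literal in the same hunk.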
diff --git a/ipalib/constants.py b/ipalib/constants.py
index b657e5a9065d115d0eff2dbfffff49e992006536..c90caa22149ec3d93d45fcb5480f7401e4555799 100644
--- a/ipalib/constants.py
+++ b/ipalib/constants.py
@@ -25,20 +25,19 @@ All constants centralised in one file.
import os
import string
import uuid
-import warnings
-
-warnings.filterwarnings(
- "ignore",
- "TripleDES has been moved to "
- "cryptography.hazmat.decrepit.ciphers.algorithms.TripleDES and "
- "will be removed from this module in 48.0.0",
- category=UserWarning)
from ipaplatform.constants import constants as _constants
from ipapython.dn import DN
from ipapython.fqdn import gethostfqdn
from ipapython.version import VERSION, API_VERSION
-from cryptography.hazmat.primitives.ciphers import algorithms, modes
+from cryptography.hazmat.primitives.ciphers import modes
+try:
+ # cryptography>=43.0.0
+ from cryptography.hazmat.decrepit.ciphers.algorithms import TripleDES
+except ImportError:
+ # will be removed from this module in cryptography 48.0.0
+ from cryptography.hazmat.primitives.ciphers.algorithms import TripleDES
+
from cryptography.hazmat.backends.openssl.backend import backend
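Review bot: dropping the module-wide `warnings.filterwarnings("ignore", ...)` is the right call; a constants module is an odd place for a process-wide warning filter, and it hid the very deprecation this patch addresses. Importing `TripleDES` from the decrepit module first means no warning is emitted on cryptography >= 43, and the fallback path only runs on versions that predate the warning, so no new noise is introduced.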
@@ -389,7 +388,6 @@ VAULT_WRAPPING_SUPPORTED_ALGOS = (
VAULT_WRAPPING_DEFAULT_ALGO = VAULT_WRAPPING_AES128_CBC
# Add 3DES for backwards compatibility if supported
-if getattr(algorithms, 'TripleDES', None):
- if backend.cipher_supported(algorithms.TripleDES(
- b"\x00" * 8), modes.CBC(b"\x00" * 8)):
- VAULT_WRAPPING_SUPPORTED_ALGOS += (VAULT_WRAPPING_3DES,)
+if backend.cipher_supported(TripleDES(
+ b"\x00" * 8), modes.CBC(b"\x00" * 8)):
+ VAULT_WRAPPING_SUPPORTED_ALGOS += (VAULT_WRAPPING_3DES,)
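Review bot: removing the `getattr(algorithms, 'TripleDES', None)` guard is safe only because the import block above now raises ImportError when neither module path provides `TripleDES`, so a cryptography build without 3DES fails at import time rather than silently dropping the algorithm; that is a behaviour change and deserves a sentence in the commit message. The `backend.cipher_supported` check still keeps `VAULT_WRAPPING_3DES` out of `VAULT_WRAPPING_SUPPORTED_ALGOS` when the backend refuses the cipher, which is what ipa_otptoken_import relies on.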
diff --git a/ipaserver/install/ipa_otptoken_import.py b/ipaserver/install/ipa_otptoken_import.py
index 279a7502d2f305309252b3b291e32b772a51a1d3..17457f6c5b81ab70a0ecee13bf744e242ec88ff0 100644
--- a/ipaserver/install/ipa_otptoken_import.py
+++ b/ipaserver/install/ipa_otptoken_import.py
@@ -37,6 +37,12 @@ from cryptography.hazmat.primitives import hashes, hmac
from cryptography.hazmat.primitives.padding import PKCS7
from cryptography.hazmat.primitives.kdf import pbkdf2
from cryptography.hazmat.primitives.ciphers import Cipher, algorithms, modes
+try:
+ # cryptography>=43.0.0
+ from cryptography.hazmat.decrepit.ciphers.algorithms import TripleDES
+except ImportError:
+ # will be removed from this module in cryptography 48.0.0
+ from cryptography.hazmat.primitives.ciphers.algorithms import TripleDES
from cryptography.hazmat.backends import default_backend
from ipaplatform.paths import paths
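Review bot: this is the third copy of the same six-line try/except import shim in the series (ipaclient/plugins/vault.py and ipalib/constants.py carry the other two). Export `TripleDES` from ipalib.constants, which already imports it and which this module evidently imports `VAULT_WRAPPING_3DES` from, so there is one place to delete when the legacy path disappears in 48.0.0.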
@@ -169,7 +175,7 @@ def convertAlgorithm(value):
# in the list of the vault wrapping algorithms, we cannot use 3DES anywhere
if VAULT_WRAPPING_3DES in VAULT_WRAPPING_SUPPORTED_ALGOS:
supported_algs["http://www.w3.org/2001/04/xmlenc#tripledes-cbc"] = (
- algorithms.TripleDES, modes.CBC, 64)
+ TripleDES, modes.CBC, 64)
return supported_algs.get(value.lower(), (None, None, None))
--
2.47.1

@ -0,0 +1,134 @@
From 3e7ec3dc49d0f559bdbe330e52019e59f0b57c18 Mon Sep 17 00:00:00 2001
From: Alexander Bokovoy <abokovoy@redhat.com>
Date: Tue, 3 Dec 2024 18:06:45 +0200
Subject: [PATCH] ipa-pwd-extop: clarify OTP use over LDAP binds
OTP use during LDAP bind can be enforced either explicitly via client
specifying a control with OID 2.16.840.1.113730.3.8.10.7 and no payload
or implicitly through the global IPA configuration with EnforceLDAPOTP.
OTP token enforcement overrides IPA user authentication types
requirements:
If OTP enforcement is required:
- if user authentication types still allow password authentication,
authentication with just a password is denied, regardless whether OTP
tokens are associated with the user or not.
If OTP enforcement is not required:
- if user has no OTP tokens but user authentication types require OTP
use, authentication with just a password is allowed until a token is
added.
- if user has OTP tokens and user authentication types require OTP use
but not password, authentication with just a password is denied.
Additionally, enforcement of OTP only applies to LDAP objects which
don't use 'simpleSecurityObject' objectclass. This allows system service
accounts to continue authenticate with a password regardless of the
OTP enforcement.
Fixes: https://pagure.io/freeipa/issue/9699
Fixes: https://pagure.io/freeipa/issue/9711
Signed-off-by: Alexander Bokovoy <abokovoy@redhat.com>
Reviewed-By: Rob Crittenden <rcritten@redhat.com>
---
.../ipa-slapi-plugins/ipa-pwd-extop/prepost.c | 38 +++++++++++++++----
1 file changed, 30 insertions(+), 8 deletions(-)
diff --git a/daemons/ipa-slapi-plugins/ipa-pwd-extop/prepost.c b/daemons/ipa-slapi-plugins/ipa-pwd-extop/prepost.c
index 1c1340e31ac30cb01412a7065ea339cb5461e839..42e880fd0a5c8b4708b145b340209eb218f60c4e 100644
--- a/daemons/ipa-slapi-plugins/ipa-pwd-extop/prepost.c
+++ b/daemons/ipa-slapi-plugins/ipa-pwd-extop/prepost.c
@@ -1219,12 +1219,10 @@ typedef enum {
} otp_req_enum;
static bool ipapwd_pre_bind_otp(const char *bind_dn, Slapi_Entry *entry,
struct berval *creds, otp_req_enum otpreq,
- bool *notokens)
+ bool *notokens, uint32_t *auth_types)
{
- uint32_t auth_types;
-
/* Get the configured authentication types. */
- auth_types = otp_config_auth_types(otp_config, entry);
+ *auth_types = otp_config_auth_types(otp_config, entry);
*notokens = false;
/*
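Review bot: the new `uint32_t *auth_types` out-parameter is dereferenced unconditionally at `*auth_types = otp_config_auth_types(otp_config, entry);`; the single caller passes `&auth_types`, so this is fine today, but state the non-NULL contract in a comment next to the one already implied by `*notokens = false;`.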
@@ -1237,7 +1235,8 @@ static bool ipapwd_pre_bind_otp(const char *bind_dn, Slapi_Entry *entry,
* 2. If PWD is enabled or OTP succeeded, fall through to PWD validation.
*/
- if (auth_types & OTP_CONFIG_AUTH_TYPE_OTP) {
+ if ((*auth_types & OTP_CONFIG_AUTH_TYPE_OTP) ||
+ (otpreq != OTP_IS_NOT_REQUIRED)) {
struct otp_token **tokens = NULL;
LOG_PLUGIN_NAME(IPAPWD_PLUGIN_NAME,
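Review bot: the condition now enters the token path whenever `otpreq != OTP_IS_NOT_REQUIRED`, even when the user's auth types do not include OTP, but the numbered comment above it ("2. If PWD is enabled or OTP succeeded, fall through to PWD validation.") still describes only the auth-type-driven flow; extend that comment with the enforcement case so the extra clause is not mistaken for an error later.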
@@ -1270,7 +1269,7 @@ static bool ipapwd_pre_bind_otp(const char *bind_dn, Slapi_Entry *entry,
otp_token_free_array(tokens);
}
- return (auth_types & OTP_CONFIG_AUTH_TYPE_PASSWORD) &&
+ return (*auth_types & OTP_CONFIG_AUTH_TYPE_PASSWORD) &&
(otpreq == OTP_IS_NOT_REQUIRED);
}
@@ -1451,6 +1450,7 @@ static int ipapwd_pre_bind(Slapi_PBlock *pb)
struct ipapwd_krbcfg *krbcfg = NULL;
struct berval *credentials = NULL;
Slapi_Entry *entry = NULL;
+ Slapi_Value *objectclass = NULL;
Slapi_DN *target_sdn = NULL;
Slapi_DN *sdn = NULL;
const char *dn = NULL;
@@ -1465,6 +1465,7 @@ static int ipapwd_pre_bind(Slapi_PBlock *pb)
int rc = LDAP_INVALID_CREDENTIALS;
char *errMesg = NULL;
bool notokens = false;
+ uint32_t auth_types = 0;
/* get BIND parameters */
ret |= slapi_pblock_get(pb, SLAPI_BIND_TARGET_SDN, &target_sdn);
@@ -1538,12 +1539,33 @@ static int ipapwd_pre_bind(Slapi_PBlock *pb)
otpreq = OTP_IS_REQUIRED_IMPLICITLY;
}
}
+ /* we only apply OTP policy to Kerberos principals */
+ objectclass = slapi_value_new_string("krbprincipalaux");
+ if (objectclass == NULL) {
+ goto invalid_creds;
+ }
+ if (!slapi_entry_attr_has_syntax_value(entry, SLAPI_ATTR_OBJECTCLASS,
+ objectclass)) {
+ otpreq = OTP_IS_NOT_REQUIRED;
+ }
+ slapi_value_free(&objectclass);
+
if (!syncreq && !ipapwd_pre_bind_otp(dn, entry,
- credentials, otpreq, &notokens)) {
+ credentials, otpreq,
+ &notokens, &auth_types)) {
/* We got here because ipapwd_pre_bind_otp() returned false,
* it means that either token verification failed or
* a rule for empty tokens failed current policy. */
- if (!(notokens || (otpreq == OTP_IS_NOT_REQUIRED)))
+
+ /* Check if there were any tokens associated, thus
+ * OTP token verification has really failed */
+ if (notokens == false)
+ goto invalid_creds;
+
+ /* No tokens, check if auth type does not include OTP but OTP is
+ * enforced by the current policy */
+ if (!(auth_types & OTP_CONFIG_AUTH_TYPE_OTP) &&
+ (otpreq != OTP_IS_NOT_REQUIRED))
goto invalid_creds;
}
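Review bot: two points on the new policy block. First, the code gates enforcement on the presence of the `krbprincipalaux` objectclass (`/* we only apply OTP policy to Kerberos principals */`), while the commit message says enforcement is skipped for entries with `simpleSecurityObject`; those are different tests, since an entry can carry both or neither, so align the message with the code or check the objectclass the message names. Second, the final deny condition `if (!(auth_types & OTP_CONFIG_AUTH_TYPE_OTP) && (otpreq != OTP_IS_NOT_REQUIRED))` only fires when the user's auth types exclude OTP, so under EnforceLDAPOTP a user configured for OTP who has no tokens yet still completes a password-only bind; that grace period sits uneasily with enforcing OTP "regardless whether OTP tokens are associated with the user or not". If it is deliberate, say so in the commit message; otherwise drop the `!(auth_types & OTP_CONFIG_AUTH_TYPE_OTP)` clause so enforcement denies every token-less password bind. The `goto invalid_creds` on a failed `slapi_value_new_string` is fail-closed, which is the right default here, even though an allocation failure then surfaces as invalid credentials.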
--
2.47.1

@ -0,0 +1,45 @@
From 477dbba18bf987bf4461fdfdfba0d497159db7ce Mon Sep 17 00:00:00 2001
From: Stanislav Levin <slev@altlinux.org>
Date: Wed, 4 Dec 2024 19:56:51 +0300
Subject: [PATCH] adtrust: add missing ipaAllowedOperations objectclass
Per @abbra explanation:
> When expected Kerberos principal names for this object were flipped to
follow requirements for cross-realm krbtgt objects expected by Active
Directory, trusted object changed its canonical Kerberos principal name.
The keytab for this Kerberos principal name is fetched by SSSD and it
needs to be permitted to read the key. We added the virtual permission
to allow the keytab retrieval but didn't add the objectclass that
actually allows adding an LDAP attribute to express the permission. When
an attribute is added to an LDAP object, objectclasses of the object
must allow presence of that attribute.
This is the followup to #9471 and fixes the upgrade.
Thanks @abbra!
Related: https://pagure.io/freeipa/issue/9471
Fixes: https://pagure.io/freeipa/issue/9712
Signed-off-by: Stanislav Levin <slev@altlinux.org>
Reviewed-By: Alexander Bokovoy <abokovoy@redhat.com>
---
ipaserver/install/plugins/adtrust.py | 3 ++-
1 file changed, 2 insertions(+), 1 deletion(-)
diff --git a/ipaserver/install/plugins/adtrust.py b/ipaserver/install/plugins/adtrust.py
index e6d49cb2512bff7dcce57f019ecb6c497d11ed52..ab3d427ef561aeb26eb098270446640ba451c8ad 100644
--- a/ipaserver/install/plugins/adtrust.py
+++ b/ipaserver/install/plugins/adtrust.py
@@ -705,7 +705,8 @@ class update_tdo_to_new_layout(Updater):
self.set_krb_principal([tgt_principal, nbt_principal],
passwd_incoming,
t_dn,
- flags=self.KRB_PRINC_CREATE_DEFAULT)
+ flags=self.KRB_PRINC_CREATE_DEFAULT
+ | self.KRB_PRINC_CREATE_AGENT_PERMISSION)
# 3. INBOUND: krbtgt/<OUR REALM>@<REMOTE REALM> must exist
trust_principal = self.tgt_principal_template.format(
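Review bot: adding `KRB_PRINC_CREATE_AGENT_PERMISSION` to the flags covers objects created by this Updater, and the commit message says it "fixes the upgrade", but no test accompanies the change; a case that starts from a trust object lacking the `ipaAllowedOperations` objectclass and verifies the updater adds it, instead of failing on the attribute that objectclass must permit, would pin the behaviour the message describes.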
--
2.47.1

@ -0,0 +1,37 @@
From 6a2310eda39b1341258211c7630ef4baf4555df5 Mon Sep 17 00:00:00 2001
From: Sudhir Menon <sumenon@redhat.com>
Date: Mon, 9 Dec 2024 23:03:56 +0530
Subject: [PATCH] Fix the typo in ipa_migrate_constants.
ipa-migrate.log displays Privileges migrated as Privledges
due to typo in labelling i.e 'label': 'Privledges'
Hence changed that to 'label': 'Privileges'
---- LOG FILE ----
INFO - Privledges: 3
------------------
Fixes: https://pagure.io/freeipa/issue/9715
Signed-off-by: Sudhir Menon <sumenon@redhat.com>
Reviewed-By: Florence Blanc-Renaud <flo@redhat.com>
---
ipaserver/install/ipa_migrate_constants.py | 2 +-
1 file changed, 1 insertion(+), 1 deletion(-)
diff --git a/ipaserver/install/ipa_migrate_constants.py b/ipaserver/install/ipa_migrate_constants.py
index c140414ea6c607a93e35ef0705480d1002b7945e..e8192fb1aabae1c36669370eff242428a1f0355f 100644
--- a/ipaserver/install/ipa_migrate_constants.py
+++ b/ipaserver/install/ipa_migrate_constants.py
@@ -886,7 +886,7 @@ DB_OBJECTS = {
'pbac_priv': {
'oc': ['groupofnames'],
'subtree': ',cn=privileges,cn=pbac,$SUFFIX',
- 'label': 'Privledges',
+ 'label': 'Privileges',
'mode': 'all',
'count': 0,
},
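Review bot: a plain label fix, but `ipa-migrate.log` output changes from `Privledges: 3` to `Privileges: 3`, so any script grepping the misspelled label on an existing deployment stops matching; a one-line note in the commit message that the log label changed is enough.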
--
2.47.1

@ -207,7 +207,7 @@
Name: %{package_name}
Version: %{IPA_VERSION}
Release: 8%{?rc_version:.%rc_version}%{?dist}
Release: 9%{?rc_version:.%rc_version}%{?dist}
Summary: The Identity, Policy and Audit system
License: GPL-3.0-or-later
@ -281,6 +281,13 @@ Patch0040: 0040-Enable-pruning-when-Random-Serial-Numbers-are-enable.patch
Patch0041: 0041-Don-t-drop-certificates-in-cert-find-if-the-LWCA-was.patch
Patch0042: 0042-ipatests-pruning-is-enabled-by-default-with-LMDB.patch
Patch0043: 0043-webuitests-adapt-to-Random-Serial-Numbers.patch
Patch0044: 0044-Allow-looking-up-constants.Group-by-gid-in-addition-.patch
Patch0045: 0045-Pass-all-pkiuser-groups-as-suplementary-when-validat.patch
Patch0046: 0046-ipalib-x509-support-PyCA-44.0.patch
Patch0047: 0047-pyca-adapt-import-paths-for-TripleDES-cipher.patch
Patch0048: 0048-ipa-pwd-extop-clarify-OTP-use-over-LDAP-binds.patch
Patch0049: 0049-adtrust-add-missing-ipaAllowedOperations-objectclass.patch
Patch0050: 0050-Fix-the-typo-in-ipa_migrate_constants.patch
Patch1001: 1001-Change-branding-to-IPA-and-Identity-Management.patch
%endif
%endif
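Review bot: patch order matters in this list: 0045 (`Pass-all-pkiuser-groups-as-suplementary...`) relies on the `Group`-by-gid lookup introduced by 0044, and the contiguous numbering after 0043 applies them in that order; keep 0044 ahead of 0045 if the list is ever reshuffled. The seven new patches plus this spec account for the 8 changed files reported above.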
@ -1899,6 +1906,13 @@ fi
%endif
%changelog
* Wed Dec 11 2024 Florence Blanc-Renaud <flo@redhat.com> - 4.12.2-9
- Resolves: RHEL-70759 Fix typo in ipa-migrate log file i.e 'Privledges' to 'Privileges'
- Resolves: RHEL-70477 ipa-server-upgrade fails after established trust with ad
- Resolves: RHEL-70253 Upgrade to ipa-server-4.12.2-1.el9 OTP-based bind to LDAP without enforceldapotp is broken
- Resolves: RHEL-69926 add support for python cryptography 44.0.0
- Resolves: RHEL-69635 All user groups are not being included during HSM token validation
* Wed Nov 27 2024 Florence Blanc-Renaud <flo@redhat.com> - 4.12.2-8
- Resolves: RHEL-69300 Support GSSAPI in Cockpit on IPA servers
- Resolves: RHEL-68447 ipa trust-add fails in FIPS mode with an internal error has occurred