diff --git a/0044-Allow-looking-up-constants.Group-by-gid-in-addition-.patch b/0044-Allow-looking-up-constants.Group-by-gid-in-addition-.patch
new file mode 100644
index 0000000..0e4333b
--- /dev/null
+++ b/0044-Allow-looking-up-constants.Group-by-gid-in-addition-.patch
@@ -0,0 +1,66 @@
+From 184589fac4ff36b5583541f40dff91296c33370a Mon Sep 17 00:00:00 2001
+From: Rob Crittenden
+Date: Mon, 2 Dec 2024 10:23:29 -0500
+Subject: [PATCH] Allow looking up constants.Group by gid in addition to name
+
+This adds flexibility so we can look up groups by both gid and
+by name in order to have a more consistent API for management.
+
+Related: https://pagure.io/freeipa/issue/9709
+
+Signed-off-by: Rob Crittenden
+Reviewed-By: Alexander Bokovoy
+Reviewed-By: Florence Blanc-Renaud
+---
+ ipaplatform/base/constants.py | 5 ++++-
+ ipatests/test_ipaplatform/test_constants.py | 11 +++++++++++
+ 2 files changed, 15 insertions(+), 1 deletion(-)
+
+diff --git a/ipaplatform/base/constants.py b/ipaplatform/base/constants.py
+index 1689efe52466f00fd8b014f720e1d21ebdbf2504..f1ef7efff502573bab82e890bcdf87c0ec52a399 100644
+--- a/ipaplatform/base/constants.py
++++ b/ipaplatform/base/constants.py
+@@ -86,7 +86,10 @@ class Group(_Entity):
+ try:
+ self._entity = entity = grp.getgrnam(self)
+ except KeyError:
+- raise ValueError(f"group '{self!s}' not found") from None
++ try:
++ self._entity = entity = grp.getgrgid(int(self))
++ except (TypeError, ValueError):
++ raise ValueError(f"group '{self!s}' not found") from None
+ return entity
+
+ @property
+diff --git a/ipatests/test_ipaplatform/test_constants.py b/ipatests/test_ipaplatform/test_constants.py
+index b57bfa48e5ccefe2b22cb00aca8436e0edc01a30..9bb12283609f87bcd875a2c55ee1e8b714dd8b3a 100644
+--- a/ipatests/test_ipaplatform/test_constants.py
++++ b/ipatests/test_ipaplatform/test_constants.py
+@@ -1,6 +1,7 @@
+ #
+ # Copyright (C) 2020 FreeIPA Contributors see COPYING for license
+ #
++import grp
+ import pytest
+
+ from ipaplatform.base.constants import User, Group
+@@ -40,6 +41,16 @@ def test_group():
+ assert Group(str(group)) is not group
+
+
++def test_numeric_group():
++ g = grp.getgrnam('apache')
++ group = Group(g.gr_gid)
++ assert group.gid == g.gr_gid
++ assert type(str(group)) is str
++ assert repr(group) == '' % g.gr_gid
++ assert group.gid == g.gr_gid
++ assert group.entity.gr_gid == g.gr_gid
++
++
+ def test_group_invalid():
+ invalid = Group("invalid")
+ with pytest.raises(ValueError) as e:
+--
+2.47.1
+
diff --git a/0045-Pass-all-pkiuser-groups-as-suplementary-when-validat.patch b/0045-Pass-all-pkiuser-groups-as-suplementary-when-validat.patch
new file mode 100644
index 0000000..d916be8
--- /dev/null
+++ b/0045-Pass-all-pkiuser-groups-as-suplementary-when-validat.patch
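Review bot: The new fallback in the `Group` entity lookup catches only `(TypeError, ValueError)` around `grp.getgrgid(int(self))`, but a well-formed number that matches no group makes `getgrgid` raise `KeyError`, which now escapes where unknown names still produce the `ValueError` that `test_group_invalid` relies on. Extending the clause, `except (TypeError, ValueError, KeyError):`, keeps the error type uniform for callers that distinguish "no such group" from a programming error. The added `test_numeric_group` appears to assume an `apache` group exists on the host running the suite and will fail rather than skip elsewhere. The enclosing property's `def` line lies outside the hunk.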
@@ -0,0 +1,72 @@
+From 934d4a291d44a40b5ea006aa1f09afa8e4a985fc Mon Sep 17 00:00:00 2001
+From: Rob Crittenden
+Date: Mon, 2 Dec 2024 10:27:15 -0500
+Subject: [PATCH] Pass all pkiuser groups as suplementary when validating an
+ HSM
+
+We were doing a "best effort" when validating the HSM token is
+visible with a valid PIN when it came to groups. A specific
+workaround was added for softhsm2 but this didn't carry over
+to other HSMs that may have group-specific read/write access.
+
+Use the new capability in ipaplatform.constants.py::Group to be
+able to use generate a valid entry from a group GID. Pair this
+with os.getgrouplist() and all groups will be passed correctly
+via ipautil.run().
+
+Fixes: https://pagure.io/freeipa/issue/9709
+
+Signed-off-by: Rob Crittenden
+Reviewed-By: Alexander Bokovoy
+Reviewed-By: Florence Blanc-Renaud
+---
+ ipaserver/install/ca.py | 12 ++++--------
+ 1 file changed, 4 insertions(+), 8 deletions(-)
+
+diff --git a/ipaserver/install/ca.py b/ipaserver/install/ca.py
+index 520e3fc5de1084e7c22c0cf7eaa86e1d3c421373..2959aceed5cd2fd4851457eaa4aeac3c0905d27d 100644
+--- a/ipaserver/install/ca.py
++++ b/ipaserver/install/ca.py
+@@ -211,11 +211,7 @@ def hsm_validator(token_name, token_library, token_password):
+ )
+ pkiuser = constants.PKI_USER
+ pkigroup = constants.PKI_GROUP
+- if 'libsofthsm' in token_library:
+- import grp
+- group = grp.getgrnam(constants.ODS_GROUP)
+- if str(constants.PKI_USER) in group.gr_mem:
+- pkigroup = constants.ODS_GROUP
++ group_list = os.getgrouplist(pkiuser, pkigroup.gid)
+ with certdb.NSSDatabase() as tempnssdb:
+ tempnssdb.create_db(user=str(pkiuser), group=str(pkigroup))
+ # Try adding the token library to the temporary database in
+@@ -231,7 +227,7 @@ def hsm_validator(token_name, token_library, token_password):
+ # It may fail if p11-kit has already registered the library, that's
+ # ok.
+ ipautil.run(command, stdin='\n', cwd=tempnssdb.secdir,
+- runas=pkiuser, suplementary_groups=[pkigroup],
++ runas=pkiuser, suplementary_groups=group_list,
+ raiseonerr=False)
+
+ command = [
+@@ -242,7 +238,7 @@ def hsm_validator(token_name, token_library, token_password):
+ ]
+ lines = ipautil.run(
+ command, cwd=tempnssdb.secdir, capture_output=True,
+- runas=pkiuser, suplementary_groups=[pkigroup]).output
++ runas=pkiuser, suplementary_groups=group_list).output
+ found = False
+ token_line = f'token: {token_name}'
+ for line in lines.split('\n'):
+@@ -265,7 +261,7 @@ def hsm_validator(token_name, token_library, token_password):
+ ]
+ result = ipautil.run(args, cwd=tempnssdb.secdir,
+ runas=pkiuser,
+- suplementary_groups=[pkigroup],
++ suplementary_groups=group_list,
+ capture_error=True, raiseonerr=False)
+ if result.returncode != 0 and len(result.error_output):
+ if 'SEC_ERROR_BAD_PASSWORD' in result.error_output:
+--
+2.47.1
+
diff --git a/0046-ipalib-x509-support-PyCA-44.0.patch b/0046-ipalib-x509-support-PyCA-44.0.patch
new file mode 100644
index 0000000..2b3672f
--- /dev/null
+++ b/0046-ipalib-x509-support-PyCA-44.0.patch
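Review bot: `group_list = os.getgrouplist(pkiuser, pkigroup.gid)` yields a list of integer GIDs, whereas the removed code passed `[pkigroup]`, a `constants.Group` object, into `suplementary_groups`; the three `ipautil.run()` calls now depend on `run()` (not in this hunk) accepting bare ints, which presumably only holds once the companion `Group`-by-gid patch is applied, so the ordering dependency deserves a comment at the assignment. `os.getgrouplist` also wants a `str` user name, so this relies on `constants.PKI_USER` being a `str` subclass, and `os` must already be imported in `ca.py` since the hunk does not add it. Worth recording why the subprocess now carries every group of `pkiuser` rather than the single group it previously needed, e.g. `# run the probe with the same group set the PKI daemon itself has, so HSMs with group-based ACLs validate the way they will be used`. `hsm_validator` begins and ends outside the hunk.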
@@ -0,0 +1,166 @@
+From d4d56a6705c870901bc73882e4804367f7c9c91a Mon Sep 17 00:00:00 2001
+From: Alexander Bokovoy
+Date: Sun, 1 Dec 2024 20:16:54 +0200
+Subject: [PATCH] ipalib/x509: support PyCA 44.0
+
+PyCA made x509.Certificate class concrete, it cannot be extended anymore
+by Python code. The intent is to use helper functions to instantiate
+certificate objects and never create them directly.
+
+FreeIPA wraps PyCA's x509.Certificate class and provides own shim
+on top of it. In most cases we load the certificate content via the
+helper functions and don't really need to derive from the certificate
+class.
+
+Move IPACertificate to be a normal Python object class that stores
+x509.Certificate internally. The only place where this breaks is when
+IPACertificate object needs to be passed to a code that expects
+x509.Certificate (Dogtag PKI). In such cases, expose the underlying
+certificate instance via IPACertificate.cert property.
+
+Fixes: https://pagure.io/freeipa/issue/9708
+
+Signed-off-by: Alexander Bokovoy
+Reviewed-By: Florence Blanc-Renaud
+---
+ ipalib/ipajson.py | 4 ++--
+ ipalib/x509.py | 10 +++++++++-
+ ipapython/ipaldap.py | 15 +++++++--------
+ ipaserver/plugins/dogtag.py | 3 ++-
+ 4 files changed, 20 insertions(+), 12 deletions(-)
+
+diff --git a/ipalib/ipajson.py b/ipalib/ipajson.py
+index 5551d12e5fec7e458fa6fe85560664b2fd897337..fd99c8219c722c52321336f28ff27e1573e906c7 100644
+--- a/ipalib/ipajson.py
++++ b/ipalib/ipajson.py
+@@ -9,7 +9,7 @@ from decimal import Decimal
+ import json
+ import six
+ from ipalib.constants import LDAP_GENERALIZED_TIME_FORMAT
+-from ipalib import capabilities
++from ipalib import capabilities, x509
+ from ipalib.x509 import Encoding as x509_Encoding
+ from ipapython.dn import DN
+ from ipapython.dnsutil import DNSName
+@@ -72,7 +72,7 @@ class _JSONPrimer(dict):
+ list: self._enc_list,
+ tuple: self._enc_list,
+ dict: self._enc_dict,
+- crypto_x509.Certificate: self._enc_certificate,
++ x509.IPACertificate: self._enc_certificate,
+ crypto_x509.CertificateSigningRequest: self._enc_certificate,
+ })
+
+diff --git a/ipalib/x509.py b/ipalib/x509.py
+index fd08238962b2b5e9cd056fb13c0a81ee8f31b092..6780bead00b50efdf03c62ce717572eeb9df2e5f 100644
+--- a/ipalib/x509.py
++++ b/ipalib/x509.py
+@@ -88,7 +88,7 @@ SAN_UPN = '1.3.6.1.4.1.311.20.2.3'
+ SAN_KRB5PRINCIPALNAME = '1.3.6.1.5.2.2'
+
+
+-class IPACertificate(crypto_x509.Certificate):
++class IPACertificate:
+ """
+ A proxy class wrapping a python-cryptography certificate representation for
+ IPA purposes
+@@ -205,6 +205,10 @@ class IPACertificate(crypto_x509.Certificate):
+ """
+ return self._cert.fingerprint(algorithm)
+
++ @property
++ def cert(self):
++ return self._cert
++
+ @property
+ def serial_number(self):
+ return self._cert.serial_number
+@@ -457,6 +461,8 @@ def load_pem_x509_certificate(data):
+ :returns: a ``IPACertificate`` object.
+ :raises: ``ValueError`` if unable to load the certificate.
+ """
++ if isinstance(data, IPACertificate):
++ return data
+ return IPACertificate(
+ crypto_x509.load_pem_x509_certificate(data, backend=default_backend())
+ )
+@@ -469,6 +475,8 @@ def load_der_x509_certificate(data):
+ :returns: a ``IPACertificate`` object.
+ :raises: ``ValueError`` if unable to load the certificate.
+ """
++ if isinstance(data, IPACertificate):
++ return data
+ return IPACertificate(
+ crypto_x509.load_der_x509_certificate(data, backend=default_backend())
+ )
+diff --git a/ipapython/ipaldap.py b/ipapython/ipaldap.py
+index 1888e40916aa6e641542f08fb30ff2b0d4b850b1..5bb81c1bc844fce9b14251d3702e09099d85cdb5 100644
+--- a/ipapython/ipaldap.py
++++ b/ipapython/ipaldap.py
+@@ -33,7 +33,6 @@ import warnings
+
+ from collections import OrderedDict
+
+-from cryptography import x509 as crypto_x509
+ from cryptography.hazmat.primitives import serialization
+
+ import ldap
+@@ -748,10 +747,10 @@ class LDAPClient:
+ 'dnszoneidnsname': DNSName,
+ 'krbcanonicalname': Principal,
+ 'krbprincipalname': Principal,
+- 'usercertificate': crypto_x509.Certificate,
+- 'usercertificate;binary': crypto_x509.Certificate,
+- 'cACertificate': crypto_x509.Certificate,
+- 'cACertificate;binary': crypto_x509.Certificate,
++ 'usercertificate': x509.IPACertificate,
++ 'usercertificate;binary': x509.IPACertificate,
++ 'cACertificate': x509.IPACertificate,
++ 'cACertificate;binary': x509.IPACertificate,
+ 'nsds5replicalastupdatestart': unicode,
+ 'nsds5replicalastupdateend': unicode,
+ 'nsds5replicalastinitstart': unicode,
+@@ -1000,7 +999,7 @@ class LDAPClient:
+ return dct
+ elif isinstance(val, datetime):
+ return val.strftime(LDAP_GENERALIZED_TIME_FORMAT).encode('utf-8')
+- elif isinstance(val, crypto_x509.Certificate):
++ elif isinstance(val, x509.IPACertificate):
+ return val.public_bytes(x509.Encoding.DER)
+ elif val is None:
+ return None
+@@ -1027,7 +1026,7 @@ class LDAPClient:
+ return DNSName.from_text(val.decode('utf-8'))
+ elif target_type in (DN, Principal):
+ return target_type(val.decode('utf-8'))
+- elif target_type is crypto_x509.Certificate:
++ elif target_type is x509.IPACertificate:
+ return x509.load_der_x509_certificate(val)
+ else:
+ return target_type(val)
+@@ -1381,7 +1380,7 @@ class LDAPClient:
+ ]
+ return cls.combine_filters(flts, rules)
+ elif value is not None:
+- if isinstance(value, crypto_x509.Certificate):
++ if isinstance(value, x509.IPACertificate):
+ value = value.public_bytes(serialization.Encoding.DER)
+ if isinstance(value, bytes):
+ value = binascii.hexlify(value).decode('ascii')
+diff --git a/ipaserver/plugins/dogtag.py b/ipaserver/plugins/dogtag.py
+index 78afb279795ecf74f296cbbb8724505075a6e4a9..ee6d0e347d640a2664e38ba64785c3d8af54bbad 100644
+--- a/ipaserver/plugins/dogtag.py
++++ b/ipaserver/plugins/dogtag.py
+@@ -1581,7 +1581,8 @@ class kra(Backend):
+
+ crypto = cryptoutil.CryptographyCryptoProvider(
+ transport_cert_nick="ra_agent",
+- transport_cert=x509.load_certificate_from_file(paths.RA_AGENT_PEM)
++ transport_cert=x509.load_certificate_from_file(
++ paths.RA_AGENT_PEM).cert
+ )
+
+ # TODO: obtain KRA host & port from IPA service list or point to KRA load balancer
+--
+2.47.1
+
diff --git a/0047-pyca-adapt-import-paths-for-TripleDES-cipher.patch b/0047-pyca-adapt-import-paths-for-TripleDES-cipher.patch
new file mode 100644
index 0000000..04ae1fd
--- /dev/null
+++ b/0047-pyca-adapt-import-paths-for-TripleDES-cipher.patch
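Review bot: The `isinstance(val, x509.IPACertificate)` checks that replace `crypto_x509.Certificate` in `ipaldap.py`'s encoder and filter builder are strictly narrower now that `IPACertificate` no longer subclasses the PyCA class: a caller that still hands in a bare `cryptography` certificate falls through to the generic branch (`target_type(val)`, or `binascii.hexlify` on a non-bytes value) instead of being DER-encoded, and nothing in the hunk normalises such inputs through `load_pem_x509_certificate`/`load_der_x509_certificate`, whose new identity shortcut only covers the wrapped type. If raw PyCA objects can still reach these paths, either keep the `crypto_x509` import and test both types or wrap at the boundary; if they cannot, a one-line comment at the first check saying so would save the next reader the same audit. The new `cert` property also lacks a docstring; something like `"""The wrapped PyCA ``x509.Certificate``, for APIs (e.g. Dogtag's crypto provider) that need the concrete object."""` fits the class's existing style. The `LDAPClient` methods touched here begin and end outside the hunk.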
@@ -0,0 +1,120 @@
+From 8dfec28647f7c17e47fbfc96a1720dcde1592386 Mon Sep 17 00:00:00 2001
+From: Stanislav Levin
+Date: Mon, 2 Dec 2024 15:04:30 +0300
+Subject: [PATCH] pyca: adapt import paths for TripleDES cipher
+
+https://cryptography.io/en/latest/hazmat/primitives/symmetric-encryption/#cryptography.hazmat.primitives.ciphers.algorithms.TripleDES
+
+> This algorithm has been deprecated and moved to the Decrepit
+ cryptography module. If you need to continue using it then update your
+ code to use the new module path. It will be removed from this namespace
+ in 48.0.0.
+
+Fixes: https://pagure.io/freeipa/issue/9708
+Signed-off-by: Stanislav Levin
+Reviewed-By: Florence Blanc-Renaud
+---
+ ipaclient/plugins/vault.py | 8 +++++++-
+ ipalib/constants.py | 24 +++++++++++------------
+ ipaserver/install/ipa_otptoken_import.py | 8 +++++++-
+ 3 files changed, 25 insertions(+), 15 deletions(-)
+
+diff --git a/ipaclient/plugins/vault.py b/ipaclient/plugins/vault.py
+index 75415c03a57242ae674636fa31a72db2fa56d6ea..6af7297936924dfb80e7f79924b570421da65c97 100644
+--- a/ipaclient/plugins/vault.py
++++ b/ipaclient/plugins/vault.py
+@@ -34,6 +34,12 @@ from cryptography.hazmat.primitives import hashes
+ from cryptography.hazmat.primitives.kdf.pbkdf2 import PBKDF2HMAC
+ from cryptography.hazmat.primitives.asymmetric import padding
+ from cryptography.hazmat.primitives.ciphers import Cipher, algorithms, modes
++try:
++ # cryptography>=43.0.0
++ from cryptography.hazmat.decrepit.ciphers.algorithms import TripleDES
++except ImportError:
++ # will be removed from this module in cryptography 48.0.0
++ from cryptography.hazmat.primitives.ciphers.algorithms import TripleDES
+ from cryptography.hazmat.primitives.padding import PKCS7
+ from cryptography.hazmat.primitives.serialization import (
+ load_pem_public_key, load_pem_private_key)
+@@ -661,7 +667,7 @@ class ModVaultData(Local):
+ if name == constants.VAULT_WRAPPING_AES128_CBC:
+ return algorithms.AES(os.urandom(128 // 8))
+ elif name == constants.VAULT_WRAPPING_3DES:
+- return algorithms.TripleDES(os.urandom(196 // 8))
++ return TripleDES(os.urandom(196 // 8))
+ else:
+ # unreachable
+ raise ValueError(name)
+diff --git a/ipalib/constants.py b/ipalib/constants.py
+index b657e5a9065d115d0eff2dbfffff49e992006536..c90caa22149ec3d93d45fcb5480f7401e4555799 100644
+--- a/ipalib/constants.py
++++ b/ipalib/constants.py
+@@ -25,20 +25,19 @@ All constants centralised in one file.
+ import os
+ import string
+ import uuid
+-import warnings
+-
+-warnings.filterwarnings(
+- "ignore",
+- "TripleDES has been moved to "
+- "cryptography.hazmat.decrepit.ciphers.algorithms.TripleDES and "
+- "will be removed from this module in 48.0.0",
+- category=UserWarning)
+
+ from ipaplatform.constants import constants as _constants
+ from ipapython.dn import DN
+ from ipapython.fqdn import gethostfqdn
+ from ipapython.version import VERSION, API_VERSION
+-from cryptography.hazmat.primitives.ciphers import algorithms, modes
++from cryptography.hazmat.primitives.ciphers import modes
++try:
++ # cryptography>=43.0.0
++ from cryptography.hazmat.decrepit.ciphers.algorithms import TripleDES
++except ImportError:
++ # will be removed from this module in cryptography 48.0.0
++ from cryptography.hazmat.primitives.ciphers.algorithms import TripleDES
++
+ from cryptography.hazmat.backends.openssl.backend import backend
+
+
+@@ -389,7 +388,6 @@ VAULT_WRAPPING_SUPPORTED_ALGOS = (
+ VAULT_WRAPPING_DEFAULT_ALGO = VAULT_WRAPPING_AES128_CBC
+
+ # Add 3DES for backwards compatibility if supported
+-if getattr(algorithms, 'TripleDES', None):
+- if backend.cipher_supported(algorithms.TripleDES(
+- b"\x00" * 8), modes.CBC(b"\x00" * 8)):
+- VAULT_WRAPPING_SUPPORTED_ALGOS += (VAULT_WRAPPING_3DES,)
++if backend.cipher_supported(TripleDES(
++ b"\x00" * 8), modes.CBC(b"\x00" * 8)):
++ VAULT_WRAPPING_SUPPORTED_ALGOS += (VAULT_WRAPPING_3DES,)
+diff --git a/ipaserver/install/ipa_otptoken_import.py b/ipaserver/install/ipa_otptoken_import.py
+index 279a7502d2f305309252b3b291e32b772a51a1d3..17457f6c5b81ab70a0ecee13bf744e242ec88ff0 100644
+--- a/ipaserver/install/ipa_otptoken_import.py
++++ b/ipaserver/install/ipa_otptoken_import.py
+@@ -37,6 +37,12 @@ from cryptography.hazmat.primitives import hashes, hmac
+ from cryptography.hazmat.primitives.padding import PKCS7
+ from cryptography.hazmat.primitives.kdf import pbkdf2
+ from cryptography.hazmat.primitives.ciphers import Cipher, algorithms, modes
++try:
++ # cryptography>=43.0.0
++ from cryptography.hazmat.decrepit.ciphers.algorithms import TripleDES
++except ImportError:
++ # will be removed from this module in cryptography 48.0.0
++ from cryptography.hazmat.primitives.ciphers.algorithms import TripleDES
+ from cryptography.hazmat.backends import default_backend
+
+ from ipaplatform.paths import paths
+@@ -169,7 +175,7 @@ def convertAlgorithm(value):
+ # in the list of the vault wrapping algorithms, we cannot use 3DES anywhere
+ if VAULT_WRAPPING_3DES in VAULT_WRAPPING_SUPPORTED_ALGOS:
+ supported_algs["http://www.w3.org/2001/04/xmlenc#tripledes-cbc"] = (
+- algorithms.TripleDES, modes.CBC, 64)
++ TripleDES, modes.CBC, 64)
+
+ return supported_algs.get(value.lower(), (None, None, None))
+
+--
+2.47.1
+
diff --git a/0048-ipa-pwd-extop-clarify-OTP-use-over-LDAP-binds.patch b/0048-ipa-pwd-extop-clarify-OTP-use-over-LDAP-binds.patch
new file mode 100644
index 0000000..2f77fbc
--- /dev/null
+++ b/0048-ipa-pwd-extop-clarify-OTP-use-over-LDAP-binds.patch
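Review bot: The rewritten line in `vault.py`, `return TripleDES(os.urandom(196 // 8))`, produces the intended 24-byte (192-bit, three-key) key only because `//` truncates 196; `os.urandom(192 // 8)` states the size honestly and matches the `128 // 8` form on the AES branch above it. The same try/except import block is now copied verbatim into three modules; since `ipalib.constants` already resolves `TripleDES` for its own supported-algorithm probe, exposing that single resolved name from there would make the eventual 48.0.0 removal a one-file change. Note too that `ipalib/constants.py` now imports `TripleDES` unconditionally where the old code tolerated its absence through `getattr(algorithms, 'TripleDES', None)`: on a build with neither import path the module would fail to import instead of quietly leaving 3DES out of `VAULT_WRAPPING_SUPPORTED_ALGOS`, which is probably the desired loud failure but is a behaviour change worth a comment such as `# no fallback: a cryptography without either TripleDES path is unsupported`. `ModVaultData` and `convertAlgorithm` extend beyond their hunks.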
@@ -0,0 +1,134 @@
+From 3e7ec3dc49d0f559bdbe330e52019e59f0b57c18 Mon Sep 17 00:00:00 2001
+From: Alexander Bokovoy
+Date: Tue, 3 Dec 2024 18:06:45 +0200
+Subject: [PATCH] ipa-pwd-extop: clarify OTP use over LDAP binds
+
+OTP use during LDAP bind can be enforced either explicitly via client
+specifying a control with OID 2.16.840.1.113730.3.8.10.7 and no payload
+or implicitly through the global IPA configuration with EnforceLDAPOTP.
+
+OTP token enforcement overrides IPA user authentication types
+requirements:
+
+If OTP enforcement is required:
+
+ - if user authentication types still allow password authentication,
+ authentication with just a password is denied, regardless whether OTP
+ tokens are associated with the user or not.
+
+If OTP enforcement is not required:
+
+ - if user has no OTP tokens but user authentication types require OTP
+ use, authentication with just a password is allowed until a token is
+ added.
+
+ - if user has OTP tokens and user authentication types require OTP use
+ but not password, authentication with just a password is denied.
+
+Additionally, enforcement of OTP only applies to LDAP objects which
+don't use 'simpleSecurityObject' objectclass. This allows system service
+accounts to continue authenticate with a password regardless of the
+OTP enforcement.
+
+Fixes: https://pagure.io/freeipa/issue/9699
+Fixes: https://pagure.io/freeipa/issue/9711
+
+Signed-off-by: Alexander Bokovoy
+Reviewed-By: Rob Crittenden
+---
+ .../ipa-slapi-plugins/ipa-pwd-extop/prepost.c | 38 +++++++++++++++----
+ 1 file changed, 30 insertions(+), 8 deletions(-)
+
+diff --git a/daemons/ipa-slapi-plugins/ipa-pwd-extop/prepost.c b/daemons/ipa-slapi-plugins/ipa-pwd-extop/prepost.c
+index 1c1340e31ac30cb01412a7065ea339cb5461e839..42e880fd0a5c8b4708b145b340209eb218f60c4e 100644
+--- a/daemons/ipa-slapi-plugins/ipa-pwd-extop/prepost.c
++++ b/daemons/ipa-slapi-plugins/ipa-pwd-extop/prepost.c
+@@ -1219,12 +1219,10 @@ typedef enum {
+ } otp_req_enum;
+ static bool ipapwd_pre_bind_otp(const char *bind_dn, Slapi_Entry *entry,
+ struct berval *creds, otp_req_enum otpreq,
+- bool *notokens)
++ bool *notokens, uint32_t *auth_types)
+ {
+- uint32_t auth_types;
+-
+ /* Get the configured authentication types. */
+- auth_types = otp_config_auth_types(otp_config, entry);
++ *auth_types = otp_config_auth_types(otp_config, entry);
+ *notokens = false;
+
+ /*
+@@ -1237,7 +1235,8 @@ static bool ipapwd_pre_bind_otp(const char *bind_dn, Slapi_Entry *entry,
+ * 2. If PWD is enabled or OTP succeeded, fall through to PWD validation.
+ */
+
+- if (auth_types & OTP_CONFIG_AUTH_TYPE_OTP) {
++ if ((*auth_types & OTP_CONFIG_AUTH_TYPE_OTP) ||
++ (otpreq != OTP_IS_NOT_REQUIRED)) {
+ struct otp_token **tokens = NULL;
+
+ LOG_PLUGIN_NAME(IPAPWD_PLUGIN_NAME,
+@@ -1270,7 +1269,7 @@ static bool ipapwd_pre_bind_otp(const char *bind_dn, Slapi_Entry *entry,
+ otp_token_free_array(tokens);
+ }
+
+- return (auth_types & OTP_CONFIG_AUTH_TYPE_PASSWORD) &&
++ return (*auth_types & OTP_CONFIG_AUTH_TYPE_PASSWORD) &&
+ (otpreq == OTP_IS_NOT_REQUIRED);
+ }
+
+@@ -1451,6 +1450,7 @@ static int ipapwd_pre_bind(Slapi_PBlock *pb)
+ struct ipapwd_krbcfg *krbcfg = NULL;
+ struct berval *credentials = NULL;
+ Slapi_Entry *entry = NULL;
++ Slapi_Value *objectclass = NULL;
+ Slapi_DN *target_sdn = NULL;
+ Slapi_DN *sdn = NULL;
+ const char *dn = NULL;
+@@ -1465,6 +1465,7 @@ static int ipapwd_pre_bind(Slapi_PBlock *pb)
+ int rc = LDAP_INVALID_CREDENTIALS;
+ char *errMesg = NULL;
+ bool notokens = false;
++ uint32_t auth_types = 0;
+
+ /* get BIND parameters */
+ ret |= slapi_pblock_get(pb, SLAPI_BIND_TARGET_SDN, &target_sdn);
+@@ -1538,12 +1539,33 @@ static int ipapwd_pre_bind(Slapi_PBlock *pb)
+ otpreq = OTP_IS_REQUIRED_IMPLICITLY;
+ }
+ }
++ /* we only apply OTP policy to Kerberos principals */
++ objectclass = slapi_value_new_string("krbprincipalaux");
++ if (objectclass == NULL) {
++ goto invalid_creds;
++ }
++ if (!slapi_entry_attr_has_syntax_value(entry, SLAPI_ATTR_OBJECTCLASS,
++ objectclass)) {
++ otpreq = OTP_IS_NOT_REQUIRED;
++ }
++ slapi_value_free(&objectclass);
++
+ if (!syncreq && !ipapwd_pre_bind_otp(dn, entry,
+- credentials, otpreq, ¬okens)) {
++ credentials, otpreq,
++ ¬okens, &auth_types)) {
+ /* We got here because ipapwd_pre_bind_otp() returned false,
+ * it means that either token verification failed or
+ * a rule for empty tokens failed current policy.
+ */
+- if (!(notokens || (otpreq == OTP_IS_NOT_REQUIRED)))
++
++ /* Check if there were any tokens associated, thus
++ * OTP token verification has really failed */
++ if (notokens == false)
++ goto invalid_creds;
++
++ /* No tokens, check if auth type does not include OTP but OTP is
++ * enforced by the current policy */
++ if (!(auth_types & OTP_CONFIG_AUTH_TYPE_OTP) &&
++ (otpreq != OTP_IS_NOT_REQUIRED))
+ goto invalid_creds;
+ }
+
+--
+2.47.1
+
diff --git a/0049-adtrust-add-missing-ipaAllowedOperations-objectclass.patch b/0049-adtrust-add-missing-ipaAllowedOperations-objectclass.patch
new file mode 100644
index 0000000..6921ab0
--- /dev/null
+++ b/0049-adtrust-add-missing-ipaAllowedOperations-objectclass.patch
@@ -0,0 +1,45 @@
+From 477dbba18bf987bf4461fdfdfba0d497159db7ce Mon Sep 17 00:00:00 2001
+From: Stanislav Levin
+Date: Wed, 4 Dec 2024 19:56:51 +0300
+Subject: [PATCH] adtrust: add missing ipaAllowedOperations objectclass
+
+Per @abbra explanation:
+> When expected Kerberos principal names for this object were flipped to
+ follow requirements for cross-realm krbtgt objects expected by Active
+ Directory, trusted object changed its canonical Kerberos principal name.
+ The keytab for this Kerberos principal name is fetched by SSSD and it
+ needs to be permitted to read the key. We added the virtual permission
+ to allow the keytab retrieval but didn't add the objectclass that
+ actually allows adding an LDAP attribute to express the permission. When
+ an attribute is added to an LDAP object, objectclasses of the object
+ must allow presence of that attribute.
+
+This is the followup to #9471 and fixes the upgrade.
+
+Thanks @abbra!
+
+Related: https://pagure.io/freeipa/issue/9471
+Fixes: https://pagure.io/freeipa/issue/9712
+Signed-off-by: Stanislav Levin
+Reviewed-By: Alexander Bokovoy
+---
+ ipaserver/install/plugins/adtrust.py | 3 ++-
+ 1 file changed, 2 insertions(+), 1 deletion(-)
+
+diff --git a/ipaserver/install/plugins/adtrust.py b/ipaserver/install/plugins/adtrust.py
+index e6d49cb2512bff7dcce57f019ecb6c497d11ed52..ab3d427ef561aeb26eb098270446640ba451c8ad 100644
+--- a/ipaserver/install/plugins/adtrust.py
++++ b/ipaserver/install/plugins/adtrust.py
+@@ -705,7 +705,8 @@ class update_tdo_to_new_layout(Updater):
+ self.set_krb_principal([tgt_principal, nbt_principal],
+ passwd_incoming,
+ t_dn,
+- flags=self.KRB_PRINC_CREATE_DEFAULT)
++ flags=self.KRB_PRINC_CREATE_DEFAULT
++ | self.KRB_PRINC_CREATE_AGENT_PERMISSION)
+
+ # 3. INBOUND: krbtgt/@ must exist
+ trust_principal = self.tgt_principal_template.format(
+--
+2.47.1
+
diff --git a/0050-Fix-the-typo-in-ipa_migrate_constants.patch b/0050-Fix-the-typo-in-ipa_migrate_constants.patch
new file mode 100644
index 0000000..c75955a
--- /dev/null
+++ b/0050-Fix-the-typo-in-ipa_migrate_constants.patch
@@ -0,0 +1,37 @@
+From 6a2310eda39b1341258211c7630ef4baf4555df5 Mon Sep 17 00:00:00 2001
+From: Sudhir Menon
+Date: Mon, 9 Dec 2024 23:03:56 +0530
+Subject: [PATCH] Fix the typo in ipa_migrate_constants.
+
+ipa-migrate.log displays Privileges migrated as Privledges
+due to typo in labelling i.e 'label': 'Privledges'
+Hence changed that to 'label': 'Privileges'
+
+---- LOG FILE ----
+INFO - Privledges: 3
+------------------
+
+Fixes: https://pagure.io/freeipa/issue/9715
+
+Signed-off-by: Sudhir Menon
+Reviewed-By: Florence Blanc-Renaud
+---
+ ipaserver/install/ipa_migrate_constants.py | 2 +-
+ 1 file changed, 1 insertion(+), 1 deletion(-)
+
+diff --git a/ipaserver/install/ipa_migrate_constants.py b/ipaserver/install/ipa_migrate_constants.py
+index c140414ea6c607a93e35ef0705480d1002b7945e..e8192fb1aabae1c36669370eff242428a1f0355f 100644
+--- a/ipaserver/install/ipa_migrate_constants.py
++++ b/ipaserver/install/ipa_migrate_constants.py
+@@ -886,7 +886,7 @@ DB_OBJECTS = {
+ 'pbac_priv': {
+ 'oc': ['groupofnames'],
+ 'subtree': ',cn=privileges,cn=pbac,$SUFFIX',
+- 'label': 'Privledges',
++ 'label': 'Privileges',
+ 'mode': 'all',
+ 'count': 0,
+ },
+--
+2.47.1
+
diff --git a/freeipa.spec b/freeipa.spec
index 054db3b..9757712 100644
--- a/freeipa.spec
+++ b/freeipa.spec
@@ -207,7 +207,7 @@ Name: %{package_name} Version: %{IPA_VERSION}
-Release: 8%{?rc_version:.%rc_version}%{?dist}
+Release: 9%{?rc_version:.%rc_version}%{?dist}
 Summary: The Identity, Policy and Audit system
 License: GPL-3.0-or-later
@@ -281,6 +281,13 @@ Patch0040: 0040-Enable-pruning-when-Random-Serial-Numbers-are-enable.patch
 Patch0041: 0041-Don-t-drop-certificates-in-cert-find-if-the-LWCA-was.patch
 Patch0042: 0042-ipatests-pruning-is-enabled-by-default-with-LMDB.patch
 Patch0043: 0043-webuitests-adapt-to-Random-Serial-Numbers.patch
+Patch0044: 0044-Allow-looking-up-constants.Group-by-gid-in-addition-.patch
+Patch0045: 0045-Pass-all-pkiuser-groups-as-suplementary-when-validat.patch
+Patch0046: 0046-ipalib-x509-support-PyCA-44.0.patch
+Patch0047: 0047-pyca-adapt-import-paths-for-TripleDES-cipher.patch
+Patch0048: 0048-ipa-pwd-extop-clarify-OTP-use-over-LDAP-binds.patch
+Patch0049: 0049-adtrust-add-missing-ipaAllowedOperations-objectclass.patch
+Patch0050: 0050-Fix-the-typo-in-ipa_migrate_constants.patch
 Patch1001: 1001-Change-branding-to-IPA-and-Identity-Management.patch
 %endif
 %endif
@@ -1899,6 +1906,13 @@ fi
 %endif
 %changelog
+* Wed Dec 11 2024 Florence Blanc-Renaud - 4.12.2-9
+- Resolves: RHEL-70759 Fix typo in ipa-migrate log file i.e 'Privledges' to 'Privileges'
+- Resolves: RHEL-70477 ipa-server-upgrade fails after established trust with ad
+- Resolves: RHEL-70253 Upgrade to ipa-server-4.12.2-1.el9 OTP-based bind to LDAP without enforceldapotp is broken
+- Resolves: RHEL-69926 add support for python cryptography 44.0.0
+- Resolves: RHEL-69635 All user groups are not being included during HSM token validation
+
 * Wed Nov 27 2024 Florence Blanc-Renaud - 4.12.2-8
 - Resolves: RHEL-69300 Support GSSAPI in Cockpit on IPA servers
 - Resolves: RHEL-68447 ipa trust-add fails in FIPS mode with an internal error has occurred