ipa-4.12.2-9

- Resolves: RHEL-70759
Fix typo in ipa-migrate log file i.e 'Privledges' to 'Privileges'
- Resolves: RHEL-70477
ipa-server-upgrade fails after established trust with ad
- Resolves: RHEL-70253
Upgrade to ipa-server-4.12.2-1.el9 OTP-based bind to LDAP without enforceldapotp is broken
- Resolves: RHEL-69926
add support for python cryptography 44.0.0
- Resolves: RHEL-69635
All user groups are not being included during HSM token validation

Signed-off-by: Florence Blanc-Renaud <flo@redhat.com>

0044-Allow-looking-up-constants.Group-by-gid-in-addition-.patch

@@ -0,0 +1,66 @@
+From 184589fac4ff36b5583541f40dff91296c33370a Mon Sep 17 00:00:00 2001
+From: Rob Crittenden <rcritten@redhat.com>
+Date: Mon, 2 Dec 2024 10:23:29 -0500
+Subject: [PATCH] Allow looking up constants.Group by gid in addition to name
+
+This adds flexibility so we can look up groups by both gid and
+by name in order to have a more consistent API for management.
+
+Related: https://pagure.io/freeipa/issue/9709
+
+Signed-off-by: Rob Crittenden <rcritten@redhat.com>
+Reviewed-By: Alexander Bokovoy <abokovoy@redhat.com>
+Reviewed-By: Florence Blanc-Renaud <frenaud@redhat.com>
+---
+ ipaplatform/base/constants.py               |  5 ++++-
+ ipatests/test_ipaplatform/test_constants.py | 11 +++++++++++
+ 2 files changed, 15 insertions(+), 1 deletion(-)
+
+diff --git a/ipaplatform/base/constants.py b/ipaplatform/base/constants.py
+index 1689efe52466f00fd8b014f720e1d21ebdbf2504..f1ef7efff502573bab82e890bcdf87c0ec52a399 100644
+--- a/ipaplatform/base/constants.py
++++ b/ipaplatform/base/constants.py
+@@ -86,7 +86,10 @@ class Group(_Entity):
+             try:
+                 self._entity = entity = grp.getgrnam(self)
+             except KeyError:
+-                raise ValueError(f"group '{self!s}' not found") from None
++                try:
++                    self._entity = entity = grp.getgrgid(int(self))
++                except (TypeError, ValueError):
++                    raise ValueError(f"group '{self!s}' not found") from None
+         return entity
+ 
+     @property
+diff --git a/ipatests/test_ipaplatform/test_constants.py b/ipatests/test_ipaplatform/test_constants.py
+index b57bfa48e5ccefe2b22cb00aca8436e0edc01a30..9bb12283609f87bcd875a2c55ee1e8b714dd8b3a 100644
+--- a/ipatests/test_ipaplatform/test_constants.py
++++ b/ipatests/test_ipaplatform/test_constants.py
+@@ -1,6 +1,7 @@
+ #
+ # Copyright (C) 2020  FreeIPA Contributors see COPYING for license
+ #
++import grp
+ import pytest
+ 
+ from ipaplatform.base.constants import User, Group
+@@ -40,6 +41,16 @@ def test_group():
+     assert Group(str(group)) is not group
+ 
+ 
++def test_numeric_group():
++    g = grp.getgrnam('apache')
++    group = Group(g.gr_gid)
++    assert group.gid == g.gr_gid
++    assert type(str(group)) is str
++    assert repr(group) == '<Group "%d">' % g.gr_gid
++    assert group.gid == g.gr_gid
++    assert group.entity.gr_gid == g.gr_gid
++
++
+ def test_group_invalid():
+     invalid = Group("invalid")
+     with pytest.raises(ValueError) as e:
+-- 
+2.47.1
+

0045-Pass-all-pkiuser-groups-as-suplementary-when-validat.patch

@@ -0,0 +1,72 @@
+From 934d4a291d44a40b5ea006aa1f09afa8e4a985fc Mon Sep 17 00:00:00 2001
+From: Rob Crittenden <rcritten@redhat.com>
+Date: Mon, 2 Dec 2024 10:27:15 -0500
+Subject: [PATCH] Pass all pkiuser groups as suplementary when validating an
+ HSM
+
+We were doing a "best effort" when validating the HSM token is
+visible with a valid PIN when it came to groups. A specific
+workaround was added for softhsm2 but this didn't carry over
+to other HSMs that may have group-specific read/write access.
+
+Use the new capability in ipaplatform.constants.py::Group to be
+able to use generate a valid entry from a group GID. Pair this
+with os.getgrouplist() and all groups will be passed correctly
+via ipautil.run().
+
+Fixes: https://pagure.io/freeipa/issue/9709
+
+Signed-off-by: Rob Crittenden <rcritten@redhat.com>
+Reviewed-By: Alexander Bokovoy <abokovoy@redhat.com>
+Reviewed-By: Florence Blanc-Renaud <frenaud@redhat.com>
+---
+ ipaserver/install/ca.py | 12 ++++--------
+ 1 file changed, 4 insertions(+), 8 deletions(-)
+
+diff --git a/ipaserver/install/ca.py b/ipaserver/install/ca.py
+index 520e3fc5de1084e7c22c0cf7eaa86e1d3c421373..2959aceed5cd2fd4851457eaa4aeac3c0905d27d 100644
+--- a/ipaserver/install/ca.py
++++ b/ipaserver/install/ca.py
+@@ -211,11 +211,7 @@ def hsm_validator(token_name, token_library, token_password):
+         )
+     pkiuser = constants.PKI_USER
+     pkigroup = constants.PKI_GROUP
+-    if 'libsofthsm' in token_library:
+-        import grp
+-        group = grp.getgrnam(constants.ODS_GROUP)
+-        if str(constants.PKI_USER) in group.gr_mem:
+-            pkigroup = constants.ODS_GROUP
++    group_list = os.getgrouplist(pkiuser, pkigroup.gid)
+     with certdb.NSSDatabase() as tempnssdb:
+         tempnssdb.create_db(user=str(pkiuser), group=str(pkigroup))
+         # Try adding the token library to the temporary database in
+@@ -231,7 +227,7 @@ def hsm_validator(token_name, token_library, token_password):
+         # It may fail if p11-kit has already registered the library, that's
+         # ok.
+         ipautil.run(command, stdin='\n', cwd=tempnssdb.secdir,
+-                    runas=pkiuser, suplementary_groups=[pkigroup],
++                    runas=pkiuser, suplementary_groups=group_list,
+                     raiseonerr=False)
+ 
+         command = [
+@@ -242,7 +238,7 @@ def hsm_validator(token_name, token_library, token_password):
+         ]
+         lines = ipautil.run(
+             command, cwd=tempnssdb.secdir, capture_output=True,
+-            runas=pkiuser, suplementary_groups=[pkigroup]).output
++            runas=pkiuser, suplementary_groups=group_list).output
+         found = False
+         token_line = f'token: {token_name}'
+         for line in lines.split('\n'):
+@@ -265,7 +261,7 @@ def hsm_validator(token_name, token_library, token_password):
+         ]
+         result = ipautil.run(args, cwd=tempnssdb.secdir,
+                              runas=pkiuser,
+-                             suplementary_groups=[pkigroup],
++                             suplementary_groups=group_list,
+                              capture_error=True, raiseonerr=False)
+         if result.returncode != 0 and len(result.error_output):
+             if 'SEC_ERROR_BAD_PASSWORD' in result.error_output:
+-- 
+2.47.1
+

0046-ipalib-x509-support-PyCA-44.0.patch

@@ -0,0 +1,166 @@
+From d4d56a6705c870901bc73882e4804367f7c9c91a Mon Sep 17 00:00:00 2001
+From: Alexander Bokovoy <abokovoy@redhat.com>
+Date: Sun, 1 Dec 2024 20:16:54 +0200
+Subject: [PATCH] ipalib/x509: support PyCA 44.0
+
+PyCA made x509.Certificate class concrete, it cannot be extended anymore
+by Python code. The intent is to use helper functions to instantiate
+certificate objects and never create them directly.
+
+FreeIPA wraps PyCA's x509.Certificate class and provides own shim
+on top of it. In most cases we load the certificate content via the
+helper functions and don't really need to derive from the certificate
+class.
+
+Move IPACertificate to be a normal Python object class that stores
+x509.Certificate internally. The only place where this breaks is when
+IPACertificate object needs to be passed to a code that expects
+x509.Certificate (Dogtag PKI). In such cases, expose the underlying
+certificate instance via IPACertificate.cert property.
+
+Fixes: https://pagure.io/freeipa/issue/9708
+
+Signed-off-by: Alexander Bokovoy <abokovoy@redhat.com>
+Reviewed-By: Florence Blanc-Renaud <flo@redhat.com>
+---
+ ipalib/ipajson.py           |  4 ++--
+ ipalib/x509.py              | 10 +++++++++-
+ ipapython/ipaldap.py        | 15 +++++++--------
+ ipaserver/plugins/dogtag.py |  3 ++-
+ 4 files changed, 20 insertions(+), 12 deletions(-)
+
+diff --git a/ipalib/ipajson.py b/ipalib/ipajson.py
+index 5551d12e5fec7e458fa6fe85560664b2fd897337..fd99c8219c722c52321336f28ff27e1573e906c7 100644
+--- a/ipalib/ipajson.py
++++ b/ipalib/ipajson.py
+@@ -9,7 +9,7 @@ from decimal import Decimal
+ import json
+ import six
+ from ipalib.constants import LDAP_GENERALIZED_TIME_FORMAT
+-from ipalib import capabilities
++from ipalib import capabilities, x509
+ from ipalib.x509 import Encoding as x509_Encoding
+ from ipapython.dn import DN
+ from ipapython.dnsutil import DNSName
+@@ -72,7 +72,7 @@ class _JSONPrimer(dict):
+             list: self._enc_list,
+             tuple: self._enc_list,
+             dict: self._enc_dict,
+-            crypto_x509.Certificate: self._enc_certificate,
++            x509.IPACertificate: self._enc_certificate,
+             crypto_x509.CertificateSigningRequest: self._enc_certificate,
+         })
+ 
+diff --git a/ipalib/x509.py b/ipalib/x509.py
+index fd08238962b2b5e9cd056fb13c0a81ee8f31b092..6780bead00b50efdf03c62ce717572eeb9df2e5f 100644
+--- a/ipalib/x509.py
++++ b/ipalib/x509.py
+@@ -88,7 +88,7 @@ SAN_UPN = '1.3.6.1.4.1.311.20.2.3'
+ SAN_KRB5PRINCIPALNAME = '1.3.6.1.5.2.2'
+ 
+ 
+-class IPACertificate(crypto_x509.Certificate):
++class IPACertificate:
+     """
+     A proxy class wrapping a python-cryptography certificate representation for
+     IPA purposes
+@@ -205,6 +205,10 @@ class IPACertificate(crypto_x509.Certificate):
+         """
+         return self._cert.fingerprint(algorithm)
+ 
++    @property
++    def cert(self):
++        return self._cert
++
+     @property
+     def serial_number(self):
+         return self._cert.serial_number
+@@ -457,6 +461,8 @@ def load_pem_x509_certificate(data):
+     :returns: a ``IPACertificate`` object.
+     :raises: ``ValueError`` if unable to load the certificate.
+     """
++    if isinstance(data, IPACertificate):
++        return data
+     return IPACertificate(
+         crypto_x509.load_pem_x509_certificate(data, backend=default_backend())
+     )
+@@ -469,6 +475,8 @@ def load_der_x509_certificate(data):
+     :returns: a ``IPACertificate`` object.
+     :raises: ``ValueError`` if unable to load the certificate.
+     """
++    if isinstance(data, IPACertificate):
++        return data
+     return IPACertificate(
+         crypto_x509.load_der_x509_certificate(data, backend=default_backend())
+     )
+diff --git a/ipapython/ipaldap.py b/ipapython/ipaldap.py
+index 1888e40916aa6e641542f08fb30ff2b0d4b850b1..5bb81c1bc844fce9b14251d3702e09099d85cdb5 100644
+--- a/ipapython/ipaldap.py
++++ b/ipapython/ipaldap.py
+@@ -33,7 +33,6 @@ import warnings
+ 
+ from collections import OrderedDict
+ 
+-from cryptography import x509 as crypto_x509
+ from cryptography.hazmat.primitives import serialization
+ 
+ import ldap
+@@ -748,10 +747,10 @@ class LDAPClient:
+         'dnszoneidnsname': DNSName,
+         'krbcanonicalname': Principal,
+         'krbprincipalname': Principal,
+-        'usercertificate': crypto_x509.Certificate,
+-        'usercertificate;binary': crypto_x509.Certificate,
+-        'cACertificate': crypto_x509.Certificate,
+-        'cACertificate;binary': crypto_x509.Certificate,
++        'usercertificate': x509.IPACertificate,
++        'usercertificate;binary': x509.IPACertificate,
++        'cACertificate': x509.IPACertificate,
++        'cACertificate;binary': x509.IPACertificate,
+         'nsds5replicalastupdatestart': unicode,
+         'nsds5replicalastupdateend': unicode,
+         'nsds5replicalastinitstart': unicode,
+@@ -1000,7 +999,7 @@ class LDAPClient:
+             return dct
+         elif isinstance(val, datetime):
+             return val.strftime(LDAP_GENERALIZED_TIME_FORMAT).encode('utf-8')
+-        elif isinstance(val, crypto_x509.Certificate):
++        elif isinstance(val, x509.IPACertificate):
+             return val.public_bytes(x509.Encoding.DER)
+         elif val is None:
+             return None
+@@ -1027,7 +1026,7 @@ class LDAPClient:
+                     return DNSName.from_text(val.decode('utf-8'))
+                 elif target_type in (DN, Principal):
+                     return target_type(val.decode('utf-8'))
+-                elif target_type is crypto_x509.Certificate:
++                elif target_type is x509.IPACertificate:
+                     return x509.load_der_x509_certificate(val)
+                 else:
+                     return target_type(val)
+@@ -1381,7 +1380,7 @@ class LDAPClient:
+             ]
+             return cls.combine_filters(flts, rules)
+         elif value is not None:
+-            if isinstance(value, crypto_x509.Certificate):
++            if isinstance(value, x509.IPACertificate):
+                 value = value.public_bytes(serialization.Encoding.DER)
+             if isinstance(value, bytes):
+                 value = binascii.hexlify(value).decode('ascii')
+diff --git a/ipaserver/plugins/dogtag.py b/ipaserver/plugins/dogtag.py
+index 78afb279795ecf74f296cbbb8724505075a6e4a9..ee6d0e347d640a2664e38ba64785c3d8af54bbad 100644
+--- a/ipaserver/plugins/dogtag.py
++++ b/ipaserver/plugins/dogtag.py
+@@ -1581,7 +1581,8 @@ class kra(Backend):
+ 
+         crypto = cryptoutil.CryptographyCryptoProvider(
+             transport_cert_nick="ra_agent",
+-            transport_cert=x509.load_certificate_from_file(paths.RA_AGENT_PEM)
++            transport_cert=x509.load_certificate_from_file(
++                paths.RA_AGENT_PEM).cert
+         )
+ 
+         # TODO: obtain KRA host & port from IPA service list or point to KRA load balancer
+-- 
+2.47.1
+

0047-pyca-adapt-import-paths-for-TripleDES-cipher.patch

@@ -0,0 +1,120 @@
+From 8dfec28647f7c17e47fbfc96a1720dcde1592386 Mon Sep 17 00:00:00 2001
+From: Stanislav Levin <slev@altlinux.org>
+Date: Mon, 2 Dec 2024 15:04:30 +0300
+Subject: [PATCH] pyca: adapt import paths for TripleDES cipher
+
+https://cryptography.io/en/latest/hazmat/primitives/symmetric-encryption/#cryptography.hazmat.primitives.ciphers.algorithms.TripleDES
+
+> This algorithm has been deprecated and moved to the Decrepit
+  cryptography module. If you need to continue using it then update your
+  code to use the new module path. It will be removed from this namespace
+  in 48.0.0.
+
+Fixes: https://pagure.io/freeipa/issue/9708
+Signed-off-by: Stanislav Levin <slev@altlinux.org>
+Reviewed-By: Florence Blanc-Renaud <flo@redhat.com>
+---
+ ipaclient/plugins/vault.py               |  8 +++++++-
+ ipalib/constants.py                      | 24 +++++++++++-------------
+ ipaserver/install/ipa_otptoken_import.py |  8 +++++++-
+ 3 files changed, 25 insertions(+), 15 deletions(-)
+
+diff --git a/ipaclient/plugins/vault.py b/ipaclient/plugins/vault.py
+index 75415c03a57242ae674636fa31a72db2fa56d6ea..6af7297936924dfb80e7f79924b570421da65c97 100644
+--- a/ipaclient/plugins/vault.py
++++ b/ipaclient/plugins/vault.py
+@@ -34,6 +34,12 @@ from cryptography.hazmat.primitives import hashes
+ from cryptography.hazmat.primitives.kdf.pbkdf2 import PBKDF2HMAC
+ from cryptography.hazmat.primitives.asymmetric import padding
+ from cryptography.hazmat.primitives.ciphers import Cipher, algorithms, modes
++try:
++    # cryptography>=43.0.0
++    from cryptography.hazmat.decrepit.ciphers.algorithms import TripleDES
++except ImportError:
++    # will be removed from this module in cryptography 48.0.0
++    from cryptography.hazmat.primitives.ciphers.algorithms import TripleDES
+ from cryptography.hazmat.primitives.padding import PKCS7
+ from cryptography.hazmat.primitives.serialization import (
+     load_pem_public_key, load_pem_private_key)
+@@ -661,7 +667,7 @@ class ModVaultData(Local):
+         if name == constants.VAULT_WRAPPING_AES128_CBC:
+             return algorithms.AES(os.urandom(128 // 8))
+         elif name == constants.VAULT_WRAPPING_3DES:
+-            return algorithms.TripleDES(os.urandom(196 // 8))
++            return TripleDES(os.urandom(196 // 8))
+         else:
+             # unreachable
+             raise ValueError(name)
+diff --git a/ipalib/constants.py b/ipalib/constants.py
+index b657e5a9065d115d0eff2dbfffff49e992006536..c90caa22149ec3d93d45fcb5480f7401e4555799 100644
+--- a/ipalib/constants.py
++++ b/ipalib/constants.py
+@@ -25,20 +25,19 @@ All constants centralised in one file.
+ import os
+ import string
+ import uuid
+-import warnings
+-
+-warnings.filterwarnings(
+-    "ignore",
+-    "TripleDES has been moved to "
+-    "cryptography.hazmat.decrepit.ciphers.algorithms.TripleDES and "
+-    "will be removed from this module in 48.0.0",
+-    category=UserWarning)
+ 
+ from ipaplatform.constants import constants as _constants
+ from ipapython.dn import DN
+ from ipapython.fqdn import gethostfqdn
+ from ipapython.version import VERSION, API_VERSION
+-from cryptography.hazmat.primitives.ciphers import algorithms, modes
++from cryptography.hazmat.primitives.ciphers import modes
++try:
++    # cryptography>=43.0.0
++    from cryptography.hazmat.decrepit.ciphers.algorithms import TripleDES
++except ImportError:
++    # will be removed from this module in cryptography 48.0.0
++    from cryptography.hazmat.primitives.ciphers.algorithms import TripleDES
++
+ from cryptography.hazmat.backends.openssl.backend import backend
+ 
+ 
+@@ -389,7 +388,6 @@ VAULT_WRAPPING_SUPPORTED_ALGOS = (
+ VAULT_WRAPPING_DEFAULT_ALGO = VAULT_WRAPPING_AES128_CBC
+ 
+ # Add 3DES for backwards compatibility if supported
+-if getattr(algorithms, 'TripleDES', None):
+-    if backend.cipher_supported(algorithms.TripleDES(
+-                                b"\x00" * 8), modes.CBC(b"\x00" * 8)):
+-        VAULT_WRAPPING_SUPPORTED_ALGOS += (VAULT_WRAPPING_3DES,)
++if backend.cipher_supported(TripleDES(
++                            b"\x00" * 8), modes.CBC(b"\x00" * 8)):
++    VAULT_WRAPPING_SUPPORTED_ALGOS += (VAULT_WRAPPING_3DES,)
+diff --git a/ipaserver/install/ipa_otptoken_import.py b/ipaserver/install/ipa_otptoken_import.py
+index 279a7502d2f305309252b3b291e32b772a51a1d3..17457f6c5b81ab70a0ecee13bf744e242ec88ff0 100644
+--- a/ipaserver/install/ipa_otptoken_import.py
++++ b/ipaserver/install/ipa_otptoken_import.py
+@@ -37,6 +37,12 @@ from cryptography.hazmat.primitives import hashes, hmac
+ from cryptography.hazmat.primitives.padding import PKCS7
+ from cryptography.hazmat.primitives.kdf import pbkdf2
+ from cryptography.hazmat.primitives.ciphers import Cipher, algorithms, modes
++try:
++    # cryptography>=43.0.0
++    from cryptography.hazmat.decrepit.ciphers.algorithms import TripleDES
++except ImportError:
++    # will be removed from this module in cryptography 48.0.0
++    from cryptography.hazmat.primitives.ciphers.algorithms import TripleDES
+ from cryptography.hazmat.backends import default_backend
+ 
+ from ipaplatform.paths import paths
+@@ -169,7 +175,7 @@ def convertAlgorithm(value):
+     # in the list of the vault wrapping algorithms, we cannot use 3DES anywhere
+     if VAULT_WRAPPING_3DES in VAULT_WRAPPING_SUPPORTED_ALGOS:
+         supported_algs["http://www.w3.org/2001/04/xmlenc#tripledes-cbc"] = (
+-            algorithms.TripleDES, modes.CBC, 64)
++            TripleDES, modes.CBC, 64)
+ 
+     return supported_algs.get(value.lower(), (None, None, None))
+ 
+-- 
+2.47.1
+

0048-ipa-pwd-extop-clarify-OTP-use-over-LDAP-binds.patch

@@ -0,0 +1,134 @@
+From 3e7ec3dc49d0f559bdbe330e52019e59f0b57c18 Mon Sep 17 00:00:00 2001
+From: Alexander Bokovoy <abokovoy@redhat.com>
+Date: Tue, 3 Dec 2024 18:06:45 +0200
+Subject: [PATCH] ipa-pwd-extop: clarify OTP use over LDAP binds
+
+OTP use during LDAP bind can be enforced either explicitly via client
+specifying a control with OID 2.16.840.1.113730.3.8.10.7 and no payload
+or implicitly through the global IPA configuration with EnforceLDAPOTP.
+
+OTP token enforcement overrides IPA user authentication types
+requirements:
+
+If OTP enforcement is required:
+
+ - if user authentication types still allow password authentication,
+   authentication with just a password is denied, regardless whether OTP
+   tokens are associated with the user or not.
+
+If OTP enforcement is not required:
+
+ - if user has no OTP tokens but user authentication types require OTP
+   use, authentication with just a password is allowed until a token is
+   added.
+
+ - if user has OTP tokens and user authentication types require OTP use
+   but not password, authentication with just a password is denied.
+
+Additionally, enforcement of OTP only applies to LDAP objects which
+don't use 'simpleSecurityObject' objectclass. This allows system service
+accounts to continue authenticate with a password regardless of the
+OTP enforcement.
+
+Fixes: https://pagure.io/freeipa/issue/9699
+Fixes: https://pagure.io/freeipa/issue/9711
+
+Signed-off-by: Alexander Bokovoy <abokovoy@redhat.com>
+Reviewed-By: Rob Crittenden <rcritten@redhat.com>
+---
+ .../ipa-slapi-plugins/ipa-pwd-extop/prepost.c | 38 +++++++++++++++----
+ 1 file changed, 30 insertions(+), 8 deletions(-)
+
+diff --git a/daemons/ipa-slapi-plugins/ipa-pwd-extop/prepost.c b/daemons/ipa-slapi-plugins/ipa-pwd-extop/prepost.c
+index 1c1340e31ac30cb01412a7065ea339cb5461e839..42e880fd0a5c8b4708b145b340209eb218f60c4e 100644
+--- a/daemons/ipa-slapi-plugins/ipa-pwd-extop/prepost.c
++++ b/daemons/ipa-slapi-plugins/ipa-pwd-extop/prepost.c
+@@ -1219,12 +1219,10 @@ typedef enum {
+ } otp_req_enum;
+ static bool ipapwd_pre_bind_otp(const char *bind_dn, Slapi_Entry *entry,
+                                 struct berval *creds, otp_req_enum otpreq,
+-                                bool *notokens)
++                                bool *notokens, uint32_t *auth_types)
+ {
+-    uint32_t auth_types;
+-
+     /* Get the configured authentication types. */
+-    auth_types = otp_config_auth_types(otp_config, entry);
++    *auth_types = otp_config_auth_types(otp_config, entry);
+     *notokens = false;
+ 
+     /*
+@@ -1237,7 +1235,8 @@ static bool ipapwd_pre_bind_otp(const char *bind_dn, Slapi_Entry *entry,
+      * 2. If PWD is enabled or OTP succeeded, fall through to PWD validation.
+      */
+ 
+-    if (auth_types & OTP_CONFIG_AUTH_TYPE_OTP) {
++    if ((*auth_types & OTP_CONFIG_AUTH_TYPE_OTP) ||
++        (otpreq != OTP_IS_NOT_REQUIRED)) {
+         struct otp_token **tokens = NULL;
+ 
+         LOG_PLUGIN_NAME(IPAPWD_PLUGIN_NAME,
+@@ -1270,7 +1269,7 @@ static bool ipapwd_pre_bind_otp(const char *bind_dn, Slapi_Entry *entry,
+         otp_token_free_array(tokens);
+     }
+ 
+-    return (auth_types & OTP_CONFIG_AUTH_TYPE_PASSWORD) &&
++    return (*auth_types & OTP_CONFIG_AUTH_TYPE_PASSWORD) &&
+            (otpreq == OTP_IS_NOT_REQUIRED);
+ }
+ 
+@@ -1451,6 +1450,7 @@ static int ipapwd_pre_bind(Slapi_PBlock *pb)
+     struct ipapwd_krbcfg *krbcfg = NULL;
+     struct berval *credentials = NULL;
+     Slapi_Entry *entry = NULL;
++    Slapi_Value *objectclass = NULL;
+     Slapi_DN *target_sdn = NULL;
+     Slapi_DN *sdn = NULL;
+     const char *dn = NULL;
+@@ -1465,6 +1465,7 @@ static int ipapwd_pre_bind(Slapi_PBlock *pb)
+     int rc = LDAP_INVALID_CREDENTIALS;
+     char *errMesg = NULL;
+     bool notokens = false;
++    uint32_t auth_types = 0;
+ 
+     /* get BIND parameters */
+     ret |= slapi_pblock_get(pb, SLAPI_BIND_TARGET_SDN, &target_sdn);
+@@ -1538,12 +1539,33 @@ static int ipapwd_pre_bind(Slapi_PBlock *pb)
+             otpreq = OTP_IS_REQUIRED_IMPLICITLY;
+         }
+     }
++    /* we only apply OTP policy to Kerberos principals */
++    objectclass = slapi_value_new_string("krbprincipalaux");
++    if (objectclass == NULL) {
++        goto invalid_creds;
++    }
++    if (!slapi_entry_attr_has_syntax_value(entry, SLAPI_ATTR_OBJECTCLASS,
++                                           objectclass)) {
++      otpreq = OTP_IS_NOT_REQUIRED;
++    }
++    slapi_value_free(&objectclass);
++
+     if (!syncreq && !ipapwd_pre_bind_otp(dn, entry,
+-                                         credentials, otpreq, &notokens)) {
++                                         credentials, otpreq,
++                                         &notokens, &auth_types)) {
+         /* We got here because ipapwd_pre_bind_otp() returned false,
+          * it means that either token verification failed or
+          * a rule for empty tokens failed current policy. */
+-        if (!(notokens || (otpreq == OTP_IS_NOT_REQUIRED)))
++
++	/* Check if there were any tokens associated, thus
++         * OTP token verification has really failed */
++	if (notokens == false)
++            goto invalid_creds;
++
++	/* No tokens, check if auth type does not include OTP but OTP is
++         * enforced by the current policy */
++        if (!(auth_types & OTP_CONFIG_AUTH_TYPE_OTP) &&
++            (otpreq != OTP_IS_NOT_REQUIRED))
+             goto invalid_creds;
+     }
+ 
+-- 
+2.47.1
+

0049-adtrust-add-missing-ipaAllowedOperations-objectclass.patch

@@ -0,0 +1,45 @@
+From 477dbba18bf987bf4461fdfdfba0d497159db7ce Mon Sep 17 00:00:00 2001
+From: Stanislav Levin <slev@altlinux.org>
+Date: Wed, 4 Dec 2024 19:56:51 +0300
+Subject: [PATCH] adtrust: add missing ipaAllowedOperations objectclass
+
+Per @abbra explanation:
+> When expected Kerberos principal names for this object were flipped to
+  follow requirements for cross-realm krbtgt objects expected by Active
+  Directory, trusted object changed its canonical Kerberos principal name.
+  The keytab for this Kerberos principal name is fetched by SSSD and it
+  needs to be permitted to read the key. We added the virtual permission
+  to allow the keytab retrieval but didn't add the objectclass that
+  actually allows adding an LDAP attribute to express the permission. When
+  an attribute is added to an LDAP object, objectclasses of the object
+  must allow presence of that attribute.
+
+This is the followup to #9471 and fixes the upgrade.
+
+Thanks @abbra!
+
+Related: https://pagure.io/freeipa/issue/9471
+Fixes: https://pagure.io/freeipa/issue/9712
+Signed-off-by: Stanislav Levin <slev@altlinux.org>
+Reviewed-By: Alexander Bokovoy <abokovoy@redhat.com>
+---
+ ipaserver/install/plugins/adtrust.py | 3 ++-
+ 1 file changed, 2 insertions(+), 1 deletion(-)
+
+diff --git a/ipaserver/install/plugins/adtrust.py b/ipaserver/install/plugins/adtrust.py
+index e6d49cb2512bff7dcce57f019ecb6c497d11ed52..ab3d427ef561aeb26eb098270446640ba451c8ad 100644
+--- a/ipaserver/install/plugins/adtrust.py
++++ b/ipaserver/install/plugins/adtrust.py
+@@ -705,7 +705,8 @@ class update_tdo_to_new_layout(Updater):
+                 self.set_krb_principal([tgt_principal, nbt_principal],
+                                        passwd_incoming,
+                                        t_dn,
+-                                       flags=self.KRB_PRINC_CREATE_DEFAULT)
++                                       flags=self.KRB_PRINC_CREATE_DEFAULT
++                                       | self.KRB_PRINC_CREATE_AGENT_PERMISSION)
+ 
+             # 3. INBOUND: krbtgt/<OUR REALM>@<REMOTE REALM> must exist
+             trust_principal = self.tgt_principal_template.format(
+-- 
+2.47.1
+

0050-Fix-the-typo-in-ipa_migrate_constants.patch

@@ -0,0 +1,37 @@
+From 6a2310eda39b1341258211c7630ef4baf4555df5 Mon Sep 17 00:00:00 2001
+From: Sudhir Menon <sumenon@redhat.com>
+Date: Mon, 9 Dec 2024 23:03:56 +0530
+Subject: [PATCH] Fix the typo in ipa_migrate_constants.
+
+ipa-migrate.log displays Privileges migrated as Privledges
+due to typo in labelling i.e 'label': 'Privledges'
+Hence changed that to 'label': 'Privileges'
+
+---- LOG FILE ----
+INFO  - Privledges: 3
+------------------
+
+Fixes: https://pagure.io/freeipa/issue/9715
+
+Signed-off-by: Sudhir Menon <sumenon@redhat.com>
+Reviewed-By: Florence Blanc-Renaud <flo@redhat.com>
+---
+ ipaserver/install/ipa_migrate_constants.py | 2 +-
+ 1 file changed, 1 insertion(+), 1 deletion(-)
+
+diff --git a/ipaserver/install/ipa_migrate_constants.py b/ipaserver/install/ipa_migrate_constants.py
+index c140414ea6c607a93e35ef0705480d1002b7945e..e8192fb1aabae1c36669370eff242428a1f0355f 100644
+--- a/ipaserver/install/ipa_migrate_constants.py
++++ b/ipaserver/install/ipa_migrate_constants.py
+@@ -886,7 +886,7 @@ DB_OBJECTS = {
+     'pbac_priv': {
+         'oc': ['groupofnames'],
+         'subtree': ',cn=privileges,cn=pbac,$SUFFIX',
+-        'label': 'Privledges',
++        'label': 'Privileges',
+         'mode': 'all',
+         'count': 0,
+     },
+-- 
+2.47.1
+

freeipa.spec

@@ -207,7 +207,7 @@
 
 Name:           %{package_name}
 Version:        %{IPA_VERSION}
-Release:        8%{?rc_version:.%rc_version}%{?dist}
+Release:        9%{?rc_version:.%rc_version}%{?dist}
 Summary:        The Identity, Policy and Audit system
 
 License:        GPL-3.0-or-later
@@ -281,6 +281,13 @@ Patch0040:      0040-Enable-pruning-when-Random-Serial-Numbers-are-enable.patch
 Patch0041:      0041-Don-t-drop-certificates-in-cert-find-if-the-LWCA-was.patch
 Patch0042:      0042-ipatests-pruning-is-enabled-by-default-with-LMDB.patch
 Patch0043:      0043-webuitests-adapt-to-Random-Serial-Numbers.patch
+Patch0044:      0044-Allow-looking-up-constants.Group-by-gid-in-addition-.patch
+Patch0045:      0045-Pass-all-pkiuser-groups-as-suplementary-when-validat.patch
+Patch0046:      0046-ipalib-x509-support-PyCA-44.0.patch
+Patch0047:      0047-pyca-adapt-import-paths-for-TripleDES-cipher.patch
+Patch0048:      0048-ipa-pwd-extop-clarify-OTP-use-over-LDAP-binds.patch
+Patch0049:      0049-adtrust-add-missing-ipaAllowedOperations-objectclass.patch
+Patch0050:      0050-Fix-the-typo-in-ipa_migrate_constants.patch
 Patch1001:      1001-Change-branding-to-IPA-and-Identity-Management.patch
 %endif
 %endif
@@ -1899,6 +1906,13 @@ fi
 %endif
 
 %changelog
+* Wed Dec 11 2024 Florence Blanc-Renaud <flo@redhat.com> - 4.12.2-9
+- Resolves: RHEL-70759 Fix typo in ipa-migrate log file i.e 'Privledges' to 'Privileges'
+- Resolves: RHEL-70477 ipa-server-upgrade fails after established trust with ad
+- Resolves: RHEL-70253 Upgrade to ipa-server-4.12.2-1.el9 OTP-based bind to LDAP without enforceldapotp is broken
+- Resolves: RHEL-69926 add support for python cryptography 44.0.0
+- Resolves: RHEL-69635 All user groups are not being included during HSM token validation
+
 * Wed Nov 27 2024 Florence Blanc-Renaud <flo@redhat.com> - 4.12.2-8
 - Resolves: RHEL-69300 Support GSSAPI in Cockpit on IPA servers
 - Resolves: RHEL-68447 ipa trust-add fails in FIPS mode with an internal error has occurred