import ipa-4.9.6-3.module+el8.5.0+11817+d7405443
This commit is contained in:
parent
4aa72f14d4
commit
90260da3c6
2
.gitignore
vendored
2
.gitignore
vendored
@ -1 +1 @@
|
||||
SOURCES/freeipa-4.9.3.tar.gz
|
||||
SOURCES/freeipa-4.9.6.tar.gz
|
||||
|
@ -1 +1 @@
|
||||
8e8da2d8eb9eae8e2d3561a69452e1b7a98455d8 SOURCES/freeipa-4.9.3.tar.gz
|
||||
b7b91082908db35e4acbcd0221b8df4044913dc1 SOURCES/freeipa-4.9.6.tar.gz
|
||||
|
@ -0,0 +1,136 @@
|
||||
From e713c227bb420a841ce3ae146bca55a84a1b0dbf Mon Sep 17 00:00:00 2001
|
||||
From: =?UTF-8?q?Fran=C3=A7ois=20Cami?= <fcami@redhat.com>
|
||||
Date: Tue, 22 Jun 2021 14:36:51 +0200
|
||||
Subject: [PATCH] paths: add IPA_SERVER_CONF
|
||||
MIME-Version: 1.0
|
||||
Content-Type: text/plain; charset=UTF-8
|
||||
Content-Transfer-Encoding: 8bit
|
||||
|
||||
Related: https://pagure.io/freeipa/issue/8891
|
||||
Signed-off-by: François Cami <fcami@redhat.com>
|
||||
Reviewed-By: Stanislav Levin <slev@altlinux.org>
|
||||
Reviewed-By: Rob Crittenden <rcritten@redhat.com>
|
||||
---
|
||||
ipaplatform/base/paths.py | 1 +
|
||||
1 file changed, 1 insertion(+)
|
||||
|
||||
diff --git a/ipaplatform/base/paths.py b/ipaplatform/base/paths.py
|
||||
index 91423b332..de217d9ef 100644
|
||||
--- a/ipaplatform/base/paths.py
|
||||
+++ b/ipaplatform/base/paths.py
|
||||
@@ -71,6 +71,7 @@ class BasePathNamespace:
|
||||
IPA_DEFAULT_CONF = "/etc/ipa/default.conf"
|
||||
IPA_DNSKEYSYNCD_KEYTAB = "/etc/ipa/dnssec/ipa-dnskeysyncd.keytab"
|
||||
IPA_ODS_EXPORTER_KEYTAB = "/etc/ipa/dnssec/ipa-ods-exporter.keytab"
|
||||
+ IPA_SERVER_CONF = "/etc/ipa/server.conf"
|
||||
DNSSEC_OPENSSL_CONF = "/etc/ipa/dnssec/openssl.cnf"
|
||||
DNSSEC_SOFTHSM2_CONF = "/etc/ipa/dnssec/softhsm2.conf"
|
||||
DNSSEC_SOFTHSM_PIN_SO = "/etc/ipa/dnssec/softhsm_pin_so"
|
||||
--
|
||||
2.31.1
|
||||
|
||||
From ee4be290e1583834a573c3896ee1d97b3fbb6c24 Mon Sep 17 00:00:00 2001
|
||||
From: =?UTF-8?q?Fran=C3=A7ois=20Cami?= <fcami@redhat.com>
|
||||
Date: Tue, 22 Jun 2021 14:45:49 +0200
|
||||
Subject: [PATCH] ipatests: smoke test for server debug mode.
|
||||
MIME-Version: 1.0
|
||||
Content-Type: text/plain; charset=UTF-8
|
||||
Content-Transfer-Encoding: 8bit
|
||||
|
||||
Add a smoke test to make sure the server can be set in debug mode
|
||||
without issue.
|
||||
|
||||
Related: https://pagure.io/freeipa/issue/8891
|
||||
Signed-off-by: François Cami <fcami@redhat.com>
|
||||
Reviewed-By: Stanislav Levin <slev@altlinux.org>
|
||||
Reviewed-By: Rob Crittenden <rcritten@redhat.com>
|
||||
---
|
||||
.../test_integration/test_installation.py | 27 +++++++++++++++++++
|
||||
1 file changed, 27 insertions(+)
|
||||
|
||||
diff --git a/ipatests/test_integration/test_installation.py b/ipatests/test_integration/test_installation.py
|
||||
index 301767b8d..0c96536f0 100644
|
||||
--- a/ipatests/test_integration/test_installation.py
|
||||
+++ b/ipatests/test_integration/test_installation.py
|
||||
@@ -703,6 +703,33 @@ class TestInstallMaster(IntegrationTest):
|
||||
def test_install_master(self):
|
||||
tasks.install_master(self.master, setup_dns=False)
|
||||
|
||||
+ @pytest.mark.skip_if_platform(
|
||||
+ "debian", reason="This test hardcodes the httpd service name"
|
||||
+ )
|
||||
+ def test_smoke_test_for_debug_mode(self):
|
||||
+ """Test if an IPA server works in debug mode.
|
||||
+ Related: https://pagure.io/freeipa/issue/8891
|
||||
+
|
||||
+ Note: this test hardcodes the "httpd" service name.
|
||||
+ """
|
||||
+
|
||||
+ target_fname = paths.IPA_SERVER_CONF
|
||||
+ assert not self.master.transport.file_exists(target_fname)
|
||||
+
|
||||
+ # set the IPA server in debug mode
|
||||
+ server_conf = "[global]\ndebug=True"
|
||||
+ self.master.put_file_contents(target_fname, server_conf)
|
||||
+ self.master.run_command(["systemctl", "restart", "httpd"])
|
||||
+
|
||||
+ # smoke test in debug mode
|
||||
+ tasks.kdestroy_all(self.master)
|
||||
+ tasks.kinit_admin(self.master)
|
||||
+ self.master.run_command(["ipa", "user-show", "admin"])
|
||||
+
|
||||
+ # rollback
|
||||
+ self.master.run_command(["rm", target_fname])
|
||||
+ self.master.run_command(["systemctl", "restart", "httpd"])
|
||||
+
|
||||
def test_schema_compat_attribute_and_tree_disable(self):
|
||||
"""Test if schema-compat-entry-attribute is set
|
||||
|
||||
--
|
||||
2.31.1
|
||||
|
||||
From 1539c7383116647ad9c5b125b343f972e9c9653b Mon Sep 17 00:00:00 2001
|
||||
From: =?UTF-8?q?Fran=C3=A7ois=20Cami?= <fcami@redhat.com>
|
||||
Date: Wed, 23 Jun 2021 06:35:19 +0200
|
||||
Subject: [PATCH] rpcserver.py: perf_counter_ns is Python 3.7+
|
||||
MIME-Version: 1.0
|
||||
Content-Type: text/plain; charset=UTF-8
|
||||
Content-Transfer-Encoding: 8bit
|
||||
|
||||
perf_counter_ns is only available in Python 3.7 and later.
|
||||
Define a lambda for 3.6 and lower.
|
||||
|
||||
Fixes: https://pagure.io/freeipa/issue/8891
|
||||
Signed-off-by: François Cami <fcami@redhat.com>
|
||||
Reviewed-By: Stanislav Levin <slev@altlinux.org>
|
||||
Reviewed-By: Rob Crittenden <rcritten@redhat.com>
|
||||
---
|
||||
ipaserver/rpcserver.py | 5 +++++
|
||||
1 file changed, 5 insertions(+)
|
||||
|
||||
diff --git a/ipaserver/rpcserver.py b/ipaserver/rpcserver.py
|
||||
index b121316bf..e612528e0 100644
|
||||
--- a/ipaserver/rpcserver.py
|
||||
+++ b/ipaserver/rpcserver.py
|
||||
@@ -31,6 +31,7 @@ import os
|
||||
import time
|
||||
import traceback
|
||||
from io import BytesIO
|
||||
+from sys import version_info
|
||||
from urllib.parse import parse_qs
|
||||
from xmlrpc.client import Fault
|
||||
|
||||
@@ -72,6 +73,10 @@ from requests.auth import AuthBase
|
||||
if six.PY3:
|
||||
unicode = str
|
||||
|
||||
+# time.perf_counter_ns appeared in Python 3.7.
|
||||
+if version_info < (3, 7):
|
||||
+ time.perf_counter_ns = lambda: int(time.perf_counter() * 10**9)
|
||||
+
|
||||
logger = logging.getLogger(__name__)
|
||||
|
||||
HTTP_STATUS_SUCCESS = '200 Success'
|
||||
--
|
||||
2.31.1
|
||||
|
@ -0,0 +1,272 @@
|
||||
From a5d2857297cfcf87ed8973df96e89ebcef22850d Mon Sep 17 00:00:00 2001
|
||||
From: Antonio Torres <antorres@redhat.com>
|
||||
Date: Mon, 8 Mar 2021 18:15:50 +0100
|
||||
Subject: [PATCH] Add checks to prevent adding auth indicators to internal IPA
|
||||
services
|
||||
|
||||
Authentication indicators should not be enforced against internal
|
||||
IPA services, since not all users of those services are able to produce
|
||||
Kerberos tickets with all the auth indicator options. This includes
|
||||
host, ldap, HTTP and cifs in IPA server and cifs in IPA clients.
|
||||
If a client that is being promoted to replica has an auth indicator
|
||||
in its host principal then the promotion is aborted.
|
||||
|
||||
Fixes: https://pagure.io/freeipa/issue/8206
|
||||
Signed-off-by: Antonio Torres <antorres@redhat.com>
|
||||
---
|
||||
ipaserver/install/server/replicainstall.py | 13 ++++++++++++
|
||||
ipaserver/plugins/host.py | 5 ++++-
|
||||
ipaserver/plugins/service.py | 24 ++++++++++++++++++++++
|
||||
3 files changed, 41 insertions(+), 1 deletion(-)
|
||||
|
||||
diff --git a/ipaserver/install/server/replicainstall.py b/ipaserver/install/server/replicainstall.py
|
||||
index 73967a224..f1fb91036 100644
|
||||
--- a/ipaserver/install/server/replicainstall.py
|
||||
+++ b/ipaserver/install/server/replicainstall.py
|
||||
@@ -770,6 +770,15 @@ def promotion_check_ipa_domain(master_ldap_conn, basedn):
|
||||
))
|
||||
|
||||
|
||||
+def promotion_check_host_principal_auth_ind(conn, hostdn):
|
||||
+ entry = conn.get_entry(hostdn, ['krbprincipalauthind'])
|
||||
+ if 'krbprincipalauthind' in entry:
|
||||
+ raise RuntimeError(
|
||||
+ "Client cannot be promoted to a replica if the host principal "
|
||||
+ "has an authentication indicator set."
|
||||
+ )
|
||||
+
|
||||
+
|
||||
@common_cleanup
|
||||
@preserve_enrollment_state
|
||||
def promote_check(installer):
|
||||
@@ -956,6 +965,10 @@ def promote_check(installer):
|
||||
config.master_host_name, None)
|
||||
|
||||
promotion_check_ipa_domain(conn, remote_api.env.basedn)
|
||||
+ hostdn = DN(('fqdn', api.env.host),
|
||||
+ api.env.container_host,
|
||||
+ api.env.basedn)
|
||||
+ promotion_check_host_principal_auth_ind(conn, hostdn)
|
||||
|
||||
# Make sure that domain fulfills minimal domain level
|
||||
# requirement
|
||||
diff --git a/ipaserver/plugins/host.py b/ipaserver/plugins/host.py
|
||||
index eb1f8ef04..41fa933e2 100644
|
||||
--- a/ipaserver/plugins/host.py
|
||||
+++ b/ipaserver/plugins/host.py
|
||||
@@ -38,7 +38,7 @@ from .baseldap import (LDAPQuery, LDAPObject, LDAPCreate,
|
||||
LDAPAddAttributeViaOption,
|
||||
LDAPRemoveAttributeViaOption)
|
||||
from .service import (
|
||||
- validate_realm, normalize_principal,
|
||||
+ validate_realm, validate_auth_indicator, normalize_principal,
|
||||
set_certificate_attrs, ticket_flags_params, update_krbticketflags,
|
||||
set_kerberos_attrs, rename_ipaallowedtoperform_from_ldap,
|
||||
rename_ipaallowedtoperform_to_ldap, revoke_certs)
|
||||
@@ -735,6 +735,8 @@ class host_add(LDAPCreate):
|
||||
update_krbticketflags(ldap, entry_attrs, attrs_list, options, False)
|
||||
if 'krbticketflags' in entry_attrs:
|
||||
entry_attrs['objectclass'].append('krbticketpolicyaux')
|
||||
+ validate_auth_indicator(entry_attrs)
|
||||
+
|
||||
return dn
|
||||
|
||||
def post_callback(self, ldap, dn, entry_attrs, *keys, **options):
|
||||
@@ -993,6 +995,7 @@ class host_mod(LDAPUpdate):
|
||||
if 'krbprincipalaux' not in (item.lower() for item in
|
||||
entry_attrs['objectclass']):
|
||||
entry_attrs['objectclass'].append('krbprincipalaux')
|
||||
+ validate_auth_indicator(entry_attrs)
|
||||
|
||||
add_sshpubkey_to_attrs_pre(self.context, attrs_list)
|
||||
|
||||
diff --git a/ipaserver/plugins/service.py b/ipaserver/plugins/service.py
|
||||
index 1c9347804..cfbbff3c6 100644
|
||||
--- a/ipaserver/plugins/service.py
|
||||
+++ b/ipaserver/plugins/service.py
|
||||
@@ -201,6 +201,28 @@ def validate_realm(ugettext, principal):
|
||||
raise errors.RealmMismatch()
|
||||
|
||||
|
||||
+def validate_auth_indicator(entry):
|
||||
+ new_value = entry.get('krbprincipalauthind', None)
|
||||
+ if not new_value:
|
||||
+ return
|
||||
+ # The following services are considered internal IPA services
|
||||
+ # and shouldn't be allowed to have auth indicators.
|
||||
+ # https://pagure.io/freeipa/issue/8206
|
||||
+ pkey = api.Object['service'].get_primary_key_from_dn(entry.dn)
|
||||
+ principal = kerberos.Principal(pkey)
|
||||
+ server = api.Command.server_find(principal.hostname)['result']
|
||||
+ if server:
|
||||
+ prefixes = ("host", "cifs", "ldap", "HTTP")
|
||||
+ else:
|
||||
+ prefixes = ("cifs",)
|
||||
+ if principal.service_name in prefixes:
|
||||
+ raise errors.ValidationError(
|
||||
+ name='krbprincipalauthind',
|
||||
+ error=_('authentication indicators not allowed '
|
||||
+ 'in service "%s"' % principal.service_name)
|
||||
+ )
|
||||
+
|
||||
+
|
||||
def normalize_principal(value):
|
||||
"""
|
||||
Ensure that the name in the principal is lower-case. The realm is
|
||||
@@ -652,6 +674,7 @@ class service_add(LDAPCreate):
|
||||
hostname)
|
||||
|
||||
self.obj.validate_ipakrbauthzdata(entry_attrs)
|
||||
+ validate_auth_indicator(entry_attrs)
|
||||
|
||||
if not options.get('force', False):
|
||||
# We know the host exists if we've gotten this far but we
|
||||
@@ -846,6 +869,7 @@ class service_mod(LDAPUpdate):
|
||||
assert isinstance(dn, DN)
|
||||
|
||||
self.obj.validate_ipakrbauthzdata(entry_attrs)
|
||||
+ validate_auth_indicator(entry_attrs)
|
||||
|
||||
# verify certificates
|
||||
certs = entry_attrs.get('usercertificate') or []
|
||||
--
|
||||
2.31.1
|
||||
|
||||
From 28484c3dee225662e41acc691bfe6b1c1cee99c8 Mon Sep 17 00:00:00 2001
|
||||
From: Antonio Torres <antorres@redhat.com>
|
||||
Date: Mon, 8 Mar 2021 18:20:35 +0100
|
||||
Subject: [PATCH] ipatests: ensure auth indicators can't be added to internal
|
||||
IPA services
|
||||
|
||||
Authentication indicators should not be added to internal IPA services,
|
||||
since this can lead to a broken IPA setup. In case a client with
|
||||
an auth indicator set in its host principal, promoting it to a replica
|
||||
should fail.
|
||||
|
||||
Related: https://pagure.io/freeipa/issue/8206
|
||||
Signed-off-by: Antonio Torres <antorres@redhat.com>
|
||||
---
|
||||
.../test_replica_promotion.py | 38 +++++++++++++++++++
|
||||
ipatests/test_xmlrpc/test_host_plugin.py | 10 +++++
|
||||
ipatests/test_xmlrpc/test_service_plugin.py | 21 ++++++++++
|
||||
3 files changed, 69 insertions(+)
|
||||
|
||||
diff --git a/ipatests/test_integration/test_replica_promotion.py b/ipatests/test_integration/test_replica_promotion.py
|
||||
index 0a137dbdc..b9c56f775 100644
|
||||
--- a/ipatests/test_integration/test_replica_promotion.py
|
||||
+++ b/ipatests/test_integration/test_replica_promotion.py
|
||||
@@ -101,6 +101,44 @@ class TestReplicaPromotionLevel1(ReplicaPromotionBase):
|
||||
assert result.returncode == 1
|
||||
assert expected_err in result.stderr_text
|
||||
|
||||
+ @replicas_cleanup
|
||||
+ def test_install_with_host_auth_ind_set(self):
|
||||
+ """ A client shouldn't be able to be promoted if it has
|
||||
+ any auth indicator set in the host principal.
|
||||
+ https://pagure.io/freeipa/issue/8206
|
||||
+ """
|
||||
+
|
||||
+ client = self.replicas[0]
|
||||
+ # Configure firewall first
|
||||
+ Firewall(client).enable_services(["freeipa-ldap",
|
||||
+ "freeipa-ldaps"])
|
||||
+
|
||||
+ client.run_command(['ipa-client-install', '-U',
|
||||
+ '--domain', self.master.domain.name,
|
||||
+ '--realm', self.master.domain.realm,
|
||||
+ '-p', 'admin',
|
||||
+ '-w', self.master.config.admin_password,
|
||||
+ '--server', self.master.hostname,
|
||||
+ '--force-join'])
|
||||
+
|
||||
+ tasks.kinit_admin(client)
|
||||
+
|
||||
+ client.run_command(['ipa', 'host-mod', '--auth-ind=otp',
|
||||
+ client.hostname])
|
||||
+
|
||||
+ res = client.run_command(['ipa-replica-install', '-U', '-w',
|
||||
+ self.master.config.dirman_password],
|
||||
+ raiseonerr=False)
|
||||
+
|
||||
+ client.run_command(['ipa', 'host-mod', '--auth-ind=',
|
||||
+ client.hostname])
|
||||
+
|
||||
+ expected_err = ("Client cannot be promoted to a replica if the host "
|
||||
+ "principal has an authentication indicator set.")
|
||||
+ assert res.returncode == 1
|
||||
+ assert expected_err in res.stderr_text
|
||||
+
|
||||
+
|
||||
@replicas_cleanup
|
||||
def test_one_command_installation(self):
|
||||
"""
|
||||
diff --git a/ipatests/test_xmlrpc/test_host_plugin.py b/ipatests/test_xmlrpc/test_host_plugin.py
|
||||
index c66bbc865..9cfde3565 100644
|
||||
--- a/ipatests/test_xmlrpc/test_host_plugin.py
|
||||
+++ b/ipatests/test_xmlrpc/test_host_plugin.py
|
||||
@@ -605,6 +605,16 @@ class TestProtectedMaster(XMLRPC_test):
|
||||
error=u'An IPA master host cannot be deleted or disabled')):
|
||||
command()
|
||||
|
||||
+ def test_try_add_auth_ind_master(self, this_host):
|
||||
+ command = this_host.make_update_command({
|
||||
+ u'krbprincipalauthind': u'radius'})
|
||||
+ with raises_exact(errors.ValidationError(
|
||||
+ name='krbprincipalauthind',
|
||||
+ error=u'authentication indicators not allowed '
|
||||
+ 'in service "host"'
|
||||
+ )):
|
||||
+ command()
|
||||
+
|
||||
|
||||
@pytest.mark.tier1
|
||||
class TestValidation(XMLRPC_test):
|
||||
diff --git a/ipatests/test_xmlrpc/test_service_plugin.py b/ipatests/test_xmlrpc/test_service_plugin.py
|
||||
index 4c845938c..ed634a045 100644
|
||||
--- a/ipatests/test_xmlrpc/test_service_plugin.py
|
||||
+++ b/ipatests/test_xmlrpc/test_service_plugin.py
|
||||
@@ -25,6 +25,7 @@ from ipalib import api, errors
|
||||
from ipatests.test_xmlrpc.xmlrpc_test import Declarative, fuzzy_uuid, fuzzy_hash
|
||||
from ipatests.test_xmlrpc.xmlrpc_test import fuzzy_digits, fuzzy_date, fuzzy_issuer
|
||||
from ipatests.test_xmlrpc.xmlrpc_test import fuzzy_hex, XMLRPC_test
|
||||
+from ipatests.test_xmlrpc.xmlrpc_test import raises_exact
|
||||
from ipatests.test_xmlrpc import objectclasses
|
||||
from ipatests.test_xmlrpc.testcert import get_testcert, subject_base
|
||||
from ipatests.test_xmlrpc.test_user_plugin import get_user_result, get_group_dn
|
||||
@@ -1552,6 +1553,15 @@ def indicators_host(request):
|
||||
return tracker.make_fixture(request)
|
||||
|
||||
|
||||
+@pytest.fixture(scope='function')
|
||||
+def this_host(request):
|
||||
+ """Fixture for the current master"""
|
||||
+ tracker = HostTracker(name=api.env.host.partition('.')[0],
|
||||
+ fqdn=api.env.host)
|
||||
+ tracker.exists = True
|
||||
+ return tracker
|
||||
+
|
||||
+
|
||||
@pytest.fixture(scope='function')
|
||||
def indicators_service(request):
|
||||
tracker = ServiceTracker(
|
||||
@@ -1587,6 +1597,17 @@ class TestAuthenticationIndicators(XMLRPC_test):
|
||||
expected_updates={u'krbprincipalauthind': [u'radius']}
|
||||
)
|
||||
|
||||
+ def test_update_indicator_internal_service(self, this_host):
|
||||
+ command = this_host.make_command('service_mod',
|
||||
+ 'ldap/' + this_host.fqdn,
|
||||
+ **dict(krbprincipalauthind='otp'))
|
||||
+ with raises_exact(errors.ValidationError(
|
||||
+ name='krbprincipalauthind',
|
||||
+ error=u'authentication indicators not allowed '
|
||||
+ 'in service "ldap"'
|
||||
+ )):
|
||||
+ command()
|
||||
+
|
||||
|
||||
@pytest.fixture(scope='function')
|
||||
def managing_host(request):
|
||||
--
|
||||
2.31.1
|
||||
|
@ -0,0 +1,89 @@
|
||||
From 06468b2f604c56b02231904072cb57412966a701 Mon Sep 17 00:00:00 2001
|
||||
From: Florence Blanc-Renaud <flo@redhat.com>
|
||||
Date: Mon, 5 Jul 2021 09:51:41 +0200
|
||||
Subject: [PATCH] stageuser: add ipauserauthtypeclass when required
|
||||
|
||||
The command
|
||||
ipa stageuser-add --user-auth-type=xxx
|
||||
is currently failing because the objectclass ipauserauthtypeclass
|
||||
is missing from the created entry.
|
||||
|
||||
There is code adding the missing objectclass in the
|
||||
pre_common_callback method of user_add, and this code should
|
||||
be common to user_add and stageuser_add. In order to avoid code
|
||||
duplication, it makes more sense to move the existing code to
|
||||
pre_common_callback of baseuser_add, that is called by both
|
||||
classes.
|
||||
|
||||
Fixes: https://pagure.io/freeipa/issue/8909
|
||||
Reviewed-By: Rob Crittenden <rcritten@redhat.com>
|
||||
Reviewed-By: Alexander Bokovoy <abokovoy@redhat.com>
|
||||
---
|
||||
ipaserver/plugins/baseuser.py | 3 +++
|
||||
ipaserver/plugins/user.py | 4 ----
|
||||
2 files changed, 3 insertions(+), 4 deletions(-)
|
||||
|
||||
diff --git a/ipaserver/plugins/baseuser.py b/ipaserver/plugins/baseuser.py
|
||||
index ae16a978a..6035228f1 100644
|
||||
--- a/ipaserver/plugins/baseuser.py
|
||||
+++ b/ipaserver/plugins/baseuser.py
|
||||
@@ -539,6 +539,9 @@ class baseuser_add(LDAPCreate):
|
||||
if entry_attrs.get('ipatokenradiususername', None):
|
||||
add_missing_object_class(ldap, u'ipatokenradiusproxyuser', dn,
|
||||
entry_attrs, update=False)
|
||||
+ if entry_attrs.get('ipauserauthtype', None):
|
||||
+ add_missing_object_class(ldap, u'ipauserauthtypeclass', dn,
|
||||
+ entry_attrs, update=False)
|
||||
|
||||
def post_common_callback(self, ldap, dn, entry_attrs, *keys, **options):
|
||||
assert isinstance(dn, DN)
|
||||
diff --git a/ipaserver/plugins/user.py b/ipaserver/plugins/user.py
|
||||
index 6f7facb53..e4ee572b2 100644
|
||||
--- a/ipaserver/plugins/user.py
|
||||
+++ b/ipaserver/plugins/user.py
|
||||
@@ -617,10 +617,6 @@ class user_add(baseuser_add):
|
||||
'ipauser' not in entry_attrs['objectclass']:
|
||||
entry_attrs['objectclass'].append('ipauser')
|
||||
|
||||
- if 'ipauserauthtype' in entry_attrs and \
|
||||
- 'ipauserauthtypeclass' not in entry_attrs['objectclass']:
|
||||
- entry_attrs['objectclass'].append('ipauserauthtypeclass')
|
||||
-
|
||||
rcl = entry_attrs.get('ipatokenradiusconfiglink', None)
|
||||
if rcl:
|
||||
if 'ipatokenradiusproxyuser' not in entry_attrs['objectclass']:
|
||||
--
|
||||
2.31.1
|
||||
|
||||
From 4a5a0fe7d25209a41a2eadd159f7f4c771e5d7fc Mon Sep 17 00:00:00 2001
|
||||
From: Florence Blanc-Renaud <flo@redhat.com>
|
||||
Date: Mon, 5 Jul 2021 10:22:31 +0200
|
||||
Subject: [PATCH] XMLRPC test: add a test for stageuser-add --user-auth-type
|
||||
|
||||
Related: https://pagure.io/freeipa/issue/8909
|
||||
Reviewed-By: Rob Crittenden <rcritten@redhat.com>
|
||||
Reviewed-By: Alexander Bokovoy <abokovoy@redhat.com>
|
||||
---
|
||||
ipatests/test_xmlrpc/test_stageuser_plugin.py | 6 ++++++
|
||||
1 file changed, 6 insertions(+)
|
||||
|
||||
diff --git a/ipatests/test_xmlrpc/test_stageuser_plugin.py b/ipatests/test_xmlrpc/test_stageuser_plugin.py
|
||||
index 5586fc607..bc606b093 100644
|
||||
--- a/ipatests/test_xmlrpc/test_stageuser_plugin.py
|
||||
+++ b/ipatests/test_xmlrpc/test_stageuser_plugin.py
|
||||
@@ -343,6 +343,12 @@ class TestStagedUser(XMLRPC_test):
|
||||
result = command()
|
||||
assert result['count'] == 1
|
||||
|
||||
+ def test_create_withuserauthtype(self, stageduser):
|
||||
+ stageduser.ensure_missing()
|
||||
+ command = stageduser.make_create_command(
|
||||
+ options={u'ipauserauthtype': u'password'})
|
||||
+ command()
|
||||
+
|
||||
|
||||
@pytest.mark.tier1
|
||||
class TestCreateInvalidAttributes(XMLRPC_test):
|
||||
--
|
||||
2.31.1
|
||||
|
@ -0,0 +1,35 @@
|
||||
From 195035cef51a132b2b80df57ed50f2fe620244e6 Mon Sep 17 00:00:00 2001
|
||||
From: Florence Blanc-Renaud <flo@redhat.com>
|
||||
Date: Wed, 7 Jul 2021 14:11:40 +0200
|
||||
Subject: [PATCH] man page: update ipa-server-upgrade.1
|
||||
|
||||
The man page needs to clarify in which case the command needs
|
||||
to be run.
|
||||
|
||||
Fixes: https://pagure.io/freeipa/issue/8913
|
||||
Reviewed-By: Francois Cami <fcami@redhat.com>
|
||||
---
|
||||
install/tools/man/ipa-server-upgrade.1 | 7 ++++++-
|
||||
1 file changed, 6 insertions(+), 1 deletion(-)
|
||||
|
||||
diff --git a/install/tools/man/ipa-server-upgrade.1 b/install/tools/man/ipa-server-upgrade.1
|
||||
index 3db19b0f1..f01e21c6b 100644
|
||||
--- a/install/tools/man/ipa-server-upgrade.1
|
||||
+++ b/install/tools/man/ipa-server-upgrade.1
|
||||
@@ -8,7 +8,12 @@ ipa\-server\-upgrade \- upgrade IPA server
|
||||
.SH "SYNOPSIS"
|
||||
ipa\-server\-upgrade [options]
|
||||
.SH "DESCRIPTION"
|
||||
-ipa\-server\-upgrade is used to upgrade IPA server when the IPA packages are being updated. It is not intended to be executed by end\-users.
|
||||
+ipa\-server\-upgrade is executed automatically to upgrade IPA server when
|
||||
+the IPA packages are being updated. It is not intended to be executed by
|
||||
+end\-users, unless the automatic execution reports an error. In this case,
|
||||
+the administrator needs to identify and fix the issue that is causing the
|
||||
+upgrade failure (with the help of /var/log/ipaupgrade.log)
|
||||
+and manually re\-run ipa\-server\-upgrade.
|
||||
|
||||
ipa\-server\-upgrade will:
|
||||
|
||||
--
|
||||
2.31.1
|
||||
|
@ -0,0 +1,69 @@
|
||||
From 8ad535b618d60fa016061212ff85d0ad28ccae59 Mon Sep 17 00:00:00 2001
|
||||
From: Rob Crittenden <rcritten@redhat.com>
|
||||
Date: Mon, 12 Jul 2021 11:02:10 -0400
|
||||
Subject: [PATCH] Fall back to krbprincipalname when validating host auth
|
||||
indicators
|
||||
|
||||
When adding a new host the principal cannot be determined because it
|
||||
relies on either:
|
||||
|
||||
a) an entry to already exist
|
||||
b) krbprincipalname be a component of the dn
|
||||
|
||||
As a result the full dn is being passed into ipapython.Kerberos
|
||||
which can't parse it.
|
||||
|
||||
Look into the entry in validate_validate_auth_indicator() for
|
||||
krbprincipalname in this case.
|
||||
|
||||
https://pagure.io/freeipa/issue/8206
|
||||
|
||||
Signed-off-by: Rob Crittenden <rcritten@redhat.com>
|
||||
Reviewed-By: Alexander Bokovoy <abokovoy@redhat.com>
|
||||
Reviewed-By: Florence Blanc-Renaud <frenaud@redhat.com>
|
||||
---
|
||||
ipaserver/plugins/service.py | 5 +++++
|
||||
ipatests/test_xmlrpc/test_host_plugin.py | 11 +++++++++++
|
||||
2 files changed, 16 insertions(+)
|
||||
|
||||
diff --git a/ipaserver/plugins/service.py b/ipaserver/plugins/service.py
|
||||
index cfbbff3c6..498f5e444 100644
|
||||
--- a/ipaserver/plugins/service.py
|
||||
+++ b/ipaserver/plugins/service.py
|
||||
@@ -209,6 +209,11 @@ def validate_auth_indicator(entry):
|
||||
# and shouldn't be allowed to have auth indicators.
|
||||
# https://pagure.io/freeipa/issue/8206
|
||||
pkey = api.Object['service'].get_primary_key_from_dn(entry.dn)
|
||||
+ if pkey == str(entry.dn):
|
||||
+ # krbcanonicalname may not be set yet if this is a host entry,
|
||||
+ # try krbprincipalname
|
||||
+ if 'krbprincipalname' in entry:
|
||||
+ pkey = entry['krbprincipalname']
|
||||
principal = kerberos.Principal(pkey)
|
||||
server = api.Command.server_find(principal.hostname)['result']
|
||||
if server:
|
||||
diff --git a/ipatests/test_xmlrpc/test_host_plugin.py b/ipatests/test_xmlrpc/test_host_plugin.py
|
||||
index 9cfde3565..ff50e796c 100644
|
||||
--- a/ipatests/test_xmlrpc/test_host_plugin.py
|
||||
+++ b/ipatests/test_xmlrpc/test_host_plugin.py
|
||||
@@ -615,6 +615,17 @@ class TestProtectedMaster(XMLRPC_test):
|
||||
)):
|
||||
command()
|
||||
|
||||
+ def test_add_non_master_with_auth_ind(self, host5):
|
||||
+ host5.ensure_missing()
|
||||
+ command = host5.make_command(
|
||||
+ 'host_add', host5.fqdn, krbprincipalauthind=['radius'],
|
||||
+ force=True
|
||||
+ )
|
||||
+ result = command()
|
||||
+ # The fact that the command succeeds exercises the change but
|
||||
+ # let's check the indicator as well.
|
||||
+ assert result['result']['krbprincipalauthind'] == ('radius',)
|
||||
+
|
||||
|
||||
@pytest.mark.tier1
|
||||
class TestValidation(XMLRPC_test):
|
||||
--
|
||||
2.31.1
|
||||
|
@ -1,16 +0,0 @@
|
||||
-----BEGIN PGP SIGNATURE-----
|
||||
|
||||
iQIzBAABCgAdFiEEhAodHH8+xLL+UwQ1RxniuKu/YhoFAmBkFSoACgkQRxniuKu/
|
||||
Yhpz5Q//cbKbxQe2iIpCOyFnWtlwMGonj9OmeLP+dms8OnWvnpGBlLD0ftu+O9tf
|
||||
JoCzURMvjfJGMlEbG7FxW9coz4Fe6caDyZ5KJiM15qie75K5nIF44WgVXhTXx7/0
|
||||
2H6Q1MIgE8lxr+h4xcYB04KXPwLUpFGttGHDlbl9205M9dJi+WYNWEbHwCNwbl2w
|
||||
uXOFQm+AtAnUBuB0I0KJvgZMhtSV2FAx3NsPFO2DkMKB3KVS6cKEzxm8aBzCeNvP
|
||||
ndWvo51QFU0AheMt/Cahl97dzTorW8pqjt1+QBil4KxWCf0KyOI3OeTvKZ1bYtUs
|
||||
x32JDQP+UMkZ8y9NypK9TMcht3f8Wi7nvzg3kCuwltMr7spTVsqEP//WejdK5gmh
|
||||
dyU3qYPWz41SJargYwb8ehj1DOHBsNXEL57I2zY13oM1dC9T2YAc+OhSCWtMyknD
|
||||
vatLZSwVm27k79NADKF56RXUPur/m2UHnnYuk09AyDOIGZRM3Tn/10nRZgjs5eM8
|
||||
CLa4+5gn96BrkW1kP8mWPtWQqyv3buzj3xC7otmnjDgaxmXA/30wJ+2qebGTRAhf
|
||||
qo2rbwJsSkv0sC8l1luZgzgnvrQpri3qS96zhoeusooTqx6dTwUBGV8ea/sqvk0K
|
||||
Qu0q+iQk3CCgCfi/i6pc1UsB59tCy3KEZUc58Q6UUNewfcA3WW8=
|
||||
=Wgf7
|
||||
-----END PGP SIGNATURE-----
|
16
SOURCES/freeipa-4.9.6.tar.gz.asc
Normal file
16
SOURCES/freeipa-4.9.6.tar.gz.asc
Normal file
@ -0,0 +1,16 @@
|
||||
-----BEGIN PGP SIGNATURE-----
|
||||
|
||||
iQIzBAABCgAdFiEEhAodHH8+xLL+UwQ1RxniuKu/YhoFAmDbPRQACgkQRxniuKu/
|
||||
Yhr7uBAAnpF70nH8Cn/HhKKpfafPoN3B9fDNIfAa+jsJ52OyeNMKVNi4MEob32iN
|
||||
1aMGGFCJUMle/M7v1+w8WH59eiHs1jKHcFZnl2R4Ap5SxVtypYT+ewXbNnSHII2w
|
||||
qWS5PvLkJwjh6Bw/HlyBwDRSrw9Yah4oZZbJt3zE06+Imr8BpB3IWqyhuAi7FjYO
|
||||
J9hHCwCvtJvWK4yplZSXCt8OS1JA68/Djgjecm5lUSamuqKaBVhDb+ZAPLDJpBf5
|
||||
Pz2JpUF/W/rplt+Q9wAFdhDB9iC0vd3MBkgs4KPsjuyS9+GGNu8LyXs0C1Wm/VgX
|
||||
liX2pjZmpnTrhH3QQ2nufwH784ZpinXxS2fcbvCfX1Utgr77wNHjwqDt2NBffJl1
|
||||
BM7JJr1ZwGOGSki6yjRDXbeSAsiEX9l7f2mv2t/8ZjHMRJ7mJmBbmh5Qhk5qsMou
|
||||
BptNDE20cG77xcjBtTCDpii/UatETuNAyMd/l2smfe76z8y61fQrvScxRwOCHckw
|
||||
u/ERChpBZOUlQt59Efj3ja313oXZMxXRw01n/72Hh5rnk+XZf75zQ1zUDBYnwzAr
|
||||
4cdqyrfpFkQu1sRQvgjT8ZLkP8istjRdVEI/Oj61zb5+6+scQ/Zh/R/mYGCV4/h+
|
||||
RzojBwUAXuwUMrj1jTbb5Lkz58+vY3Lk4xNOY2hSAc8rCcDVRZY=
|
||||
=TQFs
|
||||
-----END PGP SIGNATURE-----
|
@ -2,7 +2,7 @@
|
||||
%bcond_without ipatests
|
||||
# default to not use XML-RPC in Rawhide, can be turned around with --with ipa_join_xml
|
||||
# On RHEL 8 we should use --with ipa_join_xml
|
||||
%bcond_without ipa_join_xml
|
||||
%bcond_with ipa_join_xml
|
||||
|
||||
# Linting is disabled by default, needed for upstream testing
|
||||
%bcond_with lint
|
||||
@ -49,7 +49,7 @@
|
||||
# lint is not executed during rpmbuild
|
||||
# %%global with_lint 1
|
||||
%if %{with lint}
|
||||
%global linter_options --enable-pylint --with-jslint --enable-rpmlint
|
||||
%global linter_options --enable-pylint --without-jslint --enable-rpmlint
|
||||
%else
|
||||
%global linter_options --disable-pylint --without-jslint --disable-rpmlint
|
||||
%endif
|
||||
@ -109,7 +109,7 @@
|
||||
%if 0%{?fedora} < 34
|
||||
%global ds_version %{lua: local v={}; v['32']='1.4.3.20-2'; v['33']='1.4.4.13-2'; print(v[rpm.expand('%{fedora}')])}
|
||||
%else
|
||||
%global ds_version 2.0.3-3
|
||||
%global ds_version 2.0.4-1
|
||||
%endif
|
||||
|
||||
# Fix for TLS 1.3 PHA, RHBZ#1775146
|
||||
@ -160,6 +160,16 @@
|
||||
%global systemd_version 239
|
||||
%endif
|
||||
|
||||
# augeas support for new chrony options
|
||||
# see https://pagure.io/freeipa/issue/8676
|
||||
# Note: will need to be updated for RHEL9 when a fix is available for
|
||||
# https://bugzilla.redhat.com/show_bug.cgi?id=1931787
|
||||
%if 0%{?fedora} >= 33
|
||||
%global augeas_version 1.12.0-6
|
||||
%else
|
||||
%global augeas_version 1.12.0-3
|
||||
%endif
|
||||
|
||||
%global plugin_dir %{_libdir}/dirsrv/plugins
|
||||
%global etc_systemd_dir %{_sysconfdir}/systemd/system
|
||||
%global gettext_domain ipa
|
||||
@ -168,7 +178,7 @@
|
||||
|
||||
# Work-around fact that RPM SPEC parser does not accept
|
||||
# "Version: @VERSION@" in freeipa.spec.in used for Autoconf string replacement
|
||||
%define IPA_VERSION 4.9.3
|
||||
%define IPA_VERSION 4.9.6
|
||||
# Release candidate version -- uncomment with one percent for RC versions
|
||||
#%%global rc_version %%nil
|
||||
%define AT_SIGN @
|
||||
@ -181,7 +191,7 @@
|
||||
|
||||
Name: %{package_name}
|
||||
Version: %{IPA_VERSION}
|
||||
Release: 1%{?rc_version:.%rc_version}%{?dist}
|
||||
Release: 3%{?rc_version:.%rc_version}%{?dist}
|
||||
Summary: The Identity, Policy and Audit system
|
||||
|
||||
License: GPLv3+
|
||||
@ -201,12 +211,16 @@ Source1: https://releases.pagure.org/freeipa/freeipa-%{version}%{?rc_vers
|
||||
# RHEL spec file only: START
|
||||
%if %{NON_DEVELOPER_BUILD}
|
||||
%if 0%{?rhel} >= 8
|
||||
Patch0001: 0001-rpcserver.py-perf_counter_ns-is-Python-3.7_rhbz#1974822.patch
|
||||
Patch0002: 0002-Add-checks-to-prevent-adding-auth-indicators-to-inte_rhbz#1979625.patch
|
||||
Patch0003: 0003-stageuser-add-ipauserauthtypeclass-when-required_rhbz#1979605.patch
|
||||
Patch0004: 0004-man-page-update-ipa-server-upgrade.1_rhbz#1973273.patch
|
||||
Patch0005: 0005-Fall-back-to-krbprincipalname-when-validating-host-a_rhbz#1979625.patch
|
||||
Patch1001: 1001-Change-branding-to-IPA-and-Identity-Management.patch
|
||||
%endif
|
||||
%endif
|
||||
# RHEL spec file only: END
|
||||
|
||||
|
||||
# For the timestamp trick in patch application
|
||||
BuildRequires: diffstat
|
||||
|
||||
@ -310,7 +324,10 @@ BuildRequires: python3-m2r
|
||||
#
|
||||
%if %{with lint}
|
||||
BuildRequires: git
|
||||
%if 0%{?fedora} < 34
|
||||
# jsl is orphaned in Fedora 34+
|
||||
BuildRequires: jsl
|
||||
%endif
|
||||
BuildRequires: nss-tools
|
||||
BuildRequires: rpmlint
|
||||
BuildRequires: softhsm
|
||||
@ -342,12 +359,8 @@ BuildRequires: python3-polib
|
||||
BuildRequires: python3-pyasn1
|
||||
BuildRequires: python3-pyasn1-modules
|
||||
BuildRequires: python3-pycodestyle
|
||||
%if 0%{?fedora} || 0%{?rhel} > 8
|
||||
# https://bugzilla.redhat.com/show_bug.cgi?id=1648299
|
||||
BuildRequires: python3-pylint >= 2.1.1-2
|
||||
%else
|
||||
BuildRequires: python3-pylint >= 1.7
|
||||
%endif
|
||||
# .wheelconstraints.in limits pylint version in Azure and tox tests
|
||||
BuildRequires: python3-pylint
|
||||
BuildRequires: python3-pytest-multihost
|
||||
BuildRequires: python3-pytest-sourceorder
|
||||
BuildRequires: python3-qrcode-core >= 5.0.0
|
||||
@ -434,7 +447,12 @@ Requires(pre): certmonger >= %{certmonger_version}
|
||||
Requires(pre): 389-ds-base >= %{ds_version}
|
||||
Requires: fontawesome-fonts
|
||||
Requires: open-sans-fonts
|
||||
%if 0%{?fedora} >= 32 || 0%{?rhel} >= 9
|
||||
# https://pagure.io/freeipa/issue/8632
|
||||
Requires: openssl > 1.1.1i
|
||||
%else
|
||||
Requires: openssl
|
||||
%endif
|
||||
Requires: softhsm >= 2.0.0rc1-1
|
||||
Requires: p11-kit
|
||||
Requires: %{etc_systemd_dir}
|
||||
@ -486,6 +504,7 @@ Requires: %{name}-common = %{version}-%{release}
|
||||
# we need pre-requires since earlier versions may break upgrade
|
||||
Requires(pre): python3-ldap >= %{python_ldap_version}
|
||||
Requires: python3-augeas
|
||||
Requires: augeas-libs >= %{augeas_version}
|
||||
Requires: python3-custodia >= 0.3.1
|
||||
Requires: python3-dbus
|
||||
Requires: python3-dns >= 1.15
|
||||
@ -521,8 +540,8 @@ Requires: %{name}-client-common = %{version}-%{release}
|
||||
Requires: httpd >= %{httpd_version}
|
||||
Requires: systemd-units >= %{systemd_version}
|
||||
Requires: custodia >= 0.3.1
|
||||
%if 0%{?rhel} >= 8
|
||||
Requires: redhat-logos-ipa >= 80.4
|
||||
%if 0%{?rhel} >= 8 && ! 0%{?eln}
|
||||
Requires: system-logos-ipa >= 80.4
|
||||
%endif
|
||||
|
||||
Provides: %{alt_name}-server-common = %{version}
|
||||
@ -576,6 +595,7 @@ Requires: %{name}-common = %{version}-%{release}
|
||||
|
||||
Requires: samba >= %{samba_version}
|
||||
Requires: samba-winbind
|
||||
Requires: sssd-winbind-idmap
|
||||
Requires: libsss_idmap
|
||||
%if 0%{?rhel}
|
||||
Obsoletes: ipa-idoverride-memberof-plugin <= 0.1
|
||||
@ -709,6 +729,7 @@ Requires: %{name}-client-common = %{version}-%{release}
|
||||
Requires: %{name}-common = %{version}-%{release}
|
||||
Requires: python3-ipalib = %{version}-%{release}
|
||||
Requires: python3-augeas
|
||||
Requires: augeas-libs >= %{augeas_version}
|
||||
Requires: python3-dns >= 1.15
|
||||
Requires: python3-jinja2
|
||||
|
||||
@ -1680,6 +1701,53 @@ fi
|
||||
|
||||
|
||||
%changelog
|
||||
* Thu Jul 15 2021 Thomas Woerner <twoerner@redhat.com> - 4.9.6-3
|
||||
- man page: update ipa-server-upgrade.1
|
||||
Resolves: RHBZ#1973273
|
||||
- Fall back to krbprincipalname when validating host auth indicators
|
||||
Resolves: RHBZ#1979625
|
||||
- Add dependency for sssd-winbind-idmap to server-trust-ad
|
||||
Resolves: RHBZ#1982211
|
||||
|
||||
* Thu Jul 8 2021 Thomas Woerner <twoerner@redhat.com> - 4.9.6-2
|
||||
- IPA server in debug mode fails to run because time.perf_counter_ns is
|
||||
Python 3.7+
|
||||
Resolves: RHBZ#1974822
|
||||
- Add checks to prevent assigning authentication indicators to internal IPA
|
||||
services
|
||||
Resolves: RHBZ#1979625
|
||||
- Unable to set ipaUserAuthType with stageuser-add
|
||||
Resolves: RHBZ#1979605
|
||||
|
||||
* Thu Jul 1 2021 Thomas Woerner <twoerner@redhat.com> - 4.9.6-1
|
||||
- Upstream release FreeIPA 4.9.6
|
||||
Related: RHBZ#1945038
|
||||
- Revise PKINIT upgrade code
|
||||
Resolves: RHBZ#1886837
|
||||
- ipa-cert-fix man page: add note about certmonger renewal
|
||||
Resolves: RHBZ#1780317
|
||||
- Certificate Serial Number issue
|
||||
Resolves: RHBZ#1919384
|
||||
|
||||
* Mon Jun 14 2021 Thomas Woerner <twoerner@redhat.com> - 4.9.5-1
|
||||
- Upstream release FreeIPA 4.9.5
|
||||
Related: RHBZ#1945038
|
||||
- IPA to allow setting a new range type
|
||||
Resolves: RHBZ#1688267
|
||||
- ipa-server-install displays debug output when --debug output is not
|
||||
specified.
|
||||
Resolves: RHBZ#1943151
|
||||
- ACME fails to generate a cert on migrated RHEL8.4 server
|
||||
Resolves: RHBZ#1934991
|
||||
- Switch ipa-client to use the JSON API
|
||||
Resolves: RHBZ#1937856
|
||||
- IDM - Allow specifying permanent logging settings for BIND
|
||||
Resolves: RHBZ#1951511
|
||||
- Cache LDAP data within a request
|
||||
Resolves: RHBZ#1953656
|
||||
- ipa-server-upgrade is failing while upgrading rhel8.3 to rhel8.4
|
||||
Resolves: RHBZ#1957768
|
||||
|
||||
* Wed Mar 31 2021 Thomas Woerner <twoerner@redhat.com> - 4.9.3-1
|
||||
- Upstream release FreeIPA 4.9.3
|
||||
Resolves: RHBZ#1945038
|
||||
|
Loading…
Reference in New Issue
Block a user