rpms/ipa
6
0
Fork 0
Code Issues Pull Requests Releases Activity

ipa-4.12.2-15

Browse Source 
- Resolves: RHEL-84481 Protect all IPA service principals
- Resolves: RHEL-84277 [RFE] IDM support UIDs up to 4,294,967,293
- Resolves: RHEL-84276 Ipa client --raw --structured throws internal error
- Resolves: RHEL-82707 Search size limit tooltip has Search time limit tooltip text
- Resolves: RHEL-82089 IPU 9 -> 10: ipa-server breaks the in-place upgrade due to failed scriptlet
- Resolves: RHEL-68800 ipa-migrate with LDIF file from backup of remote server, fails with error 'change collided with another change'
- Resolves: RHEL-30658 ipa-cacert-manage install fails with CAs having the same subject DN (subject key mismatch info)

Signed-off-by: Florence Blanc-Renaud <flo@redhat.com>
This commit is contained in:
Florence Blanc-Renaud 2025-03-25 16:43:36 +01:00
parent 144db502e5
commit 9744eaabe1
13 changed files with 2404 additions and 5 deletions
Show Stats Download Patch File Download Diff File Expand all files Collapse all files

66
0056-ipa-migrate-do-not-migrate-tombstone-entries-ignore-.patch Normal file
View File

@ -0,0 +1,66 @@
From 7fd4b940abd2084fd6ec7de73dfd68551fce73fe Mon Sep 17 00:00:00 2001
From: Mark Reynolds <mreynolds@redhat.com>
Date: Wed, 29 Jan 2025 10:07:45 -0500
Subject: [PATCH] ipa-migrate - do not migrate tombstone entries, ignore
MidairCollisions, and krbpwdpolicyreference
Replication related entries should not be migrated. The main reason is
that we do not allow entries to be added that have an RDN of nsuniqueid
(only the server can internally add them).
Most midair collisions are transient issues and can be ignored for
migration purposes. In migration tests this only happens when an
attribute does not exist in the local server. This happens frequently
with COS attributes.
We should also ignore 'krbpwdpolicyreference' as it's an attribute that is
set by COS and does not need to be migrated.
Fixes: https://pagure.io/freeipa/issue/9737
Reviewed-By: Rob Crittenden <rcritten@redhat.com>
---
ipaserver/install/ipa_migrate.py | 8 ++++++++
ipaserver/install/ipa_migrate_constants.py | 1 +
2 files changed, 9 insertions(+)
diff --git a/ipaserver/install/ipa_migrate.py b/ipaserver/install/ipa_migrate.py
index ece473bc8cb525e2d563356b5b274502d6b703e8..5ba140ce37156a6f2cb50d08427f5024925686e6 100644
--- a/ipaserver/install/ipa_migrate.py
+++ b/ipaserver/install/ipa_migrate.py
@@ -1462,6 +1462,10 @@ class IPAMigrate():
if DN(exclude_dn) in DN(entry_dn):
return
+ # Skip tombstones
+ if 'nsTombstone' in entry_attrs['objectClass']:
+ return
+
# Determine entry type: user, group, hbac, etc
entry_type = self.get_entry_type(entry_dn, entry_attrs)
if entry_type is None:
@@ -1568,6 +1572,10 @@ class IPAMigrate():
stats['custom'] += 1
else:
DB_OBJECTS[entry_type]['count'] += 1
+ except errors.MidairCollision as e:
+ # Typically means no such attribute, ok to ignore
+ self.log_debug(f'Failed to update "{local_dn}" error: '
+ f'{str(e)} - ok to ignore')
except errors.ExecutionError as e:
self.log_error(f'Failed to update "{local_dn}" error: '
f'{str(e)}')
diff --git a/ipaserver/install/ipa_migrate_constants.py b/ipaserver/install/ipa_migrate_constants.py
index e8192fb1aabae1c36669370eff242428a1f0355f..09856f07cabd124a7899bc5f355a56eb23023cc0 100644
--- a/ipaserver/install/ipa_migrate_constants.py
+++ b/ipaserver/install/ipa_migrate_constants.py
@@ -71,6 +71,7 @@ IGNORE_ATTRS = [
'serverhostname',
'krbpasswordexpiration',
'krblastadminunlock',
+ 'krbpwdpolicyreference', # COS attribute
]
# For production mode, bring everything over
--
2.48.1

35
0057-WebUI-fix-the-tooltip-for-Search-Size-limit.patch Normal file
View File

@ -0,0 +1,35 @@
From 100737fff5a0039cd883a92400d1495dd5bf7658 Mon Sep 17 00:00:00 2001
From: Florence Blanc-Renaud <flo@redhat.com>
Date: Fri, 7 Mar 2025 09:01:35 +0100
Subject: [PATCH] WebUI: fix the tooltip for Search Size limit
The tooltip for IPA Server > Configuration > Search size limit
is using the doc from ipasearchtimelimit instead of
ipasearchrecordslimit.
Use the right tooltip to properly display:
Maximum number of records to search (-1 or 0 is unlimited)
Fixes: https://pagure.io/freeipa/issue/9758
Signed-off-by: Florence Blanc-Renaud <flo@redhat.com>
Reviewed-By: Alexander Bokovoy <abokovoy@redhat.com>
---
install/ui/src/freeipa/serverconfig.js | 2 +-
1 file changed, 1 insertion(+), 1 deletion(-)
diff --git a/install/ui/src/freeipa/serverconfig.js b/install/ui/src/freeipa/serverconfig.js
index e81e48cfb405c4ccc2591edb754fa88f5586c8e0..d7f67e885bdb2c884a5dedd615bade5fcedc863d 100644
--- a/install/ui/src/freeipa/serverconfig.js
+++ b/install/ui/src/freeipa/serverconfig.js
@@ -47,7 +47,7 @@ return {
fields: [
{
name: 'ipasearchrecordslimit',
- tooltip: '@mc-opt:config_mod:ipasearchtimelimit:doc'
+ tooltip: '@mc-opt:config_mod:ipasearchrecordslimit:doc'
},
{
name: 'ipasearchtimelimit',
--
2.48.1

56
0058-Leapp-upgrade-skip-systemctl-calls.patch Normal file
View File

@ -0,0 +1,56 @@
From 9b566fe458fb36eb5eb3212b01bc6ba48ac8349a Mon Sep 17 00:00:00 2001
From: Florence Blanc-Renaud <flo@redhat.com>
Date: Tue, 11 Mar 2025 15:55:11 +0100
Subject: [PATCH] Leapp upgrade: skip systemctl calls
During LEAPP upgrade, the system is booted in a special mode
without systemd. As a consequence, any scriptlet calling
systemctl fails and may break the upgrade.
Skip the call to systemctl if a LEAPP upgrade is in progress
(this is easily checked using the env variable $LEAPP_IPU_IN_PROGRESS
that is set for instance to LEAPP_IPU_IN_PROGRESS=8to9).
Fixes: RHEL-82089
Signed-off-by: Florence Blanc-Renaud <flo@redhat.com>
Reviewed-By: Rob Crittenden <rcritten@redhat.com>
---
freeipa.spec.in | 14 ++++++++++----
1 file changed, 10 insertions(+), 4 deletions(-)
diff --git a/freeipa.spec.in b/freeipa.spec.in
index b539f51f88a19a3686684dd0a9138add97bbd285..143ee5c83d16b59531feda011c087c0ab4c82786 100755
--- a/freeipa.spec.in
+++ b/freeipa.spec.in
@@ -1241,8 +1241,11 @@ if [ $1 = 0 ]; then
# NOTE: systemd specific section
/bin/systemctl --quiet stop ipa.service || :
/bin/systemctl --quiet disable ipa.service || :
- /bin/systemctl reload-or-try-restart dbus
- /bin/systemctl reload-or-try-restart oddjobd
+ # Skip systemctl calls when leapp upgrade is in progress
+ if [ -z "$LEAPP_IPU_IN_PROGRESS" ] ; then
+ /bin/systemctl reload-or-try-restart dbus
+ /bin/systemctl reload-or-try-restart oddjobd
+ fi
# END
fi
@@ -1306,8 +1309,11 @@ fi
%preun server-trust-ad
if [ $1 -eq 0 ]; then
%{_sbindir}/update-alternatives --remove winbind_krb5_locator.so /dev/null
- /bin/systemctl reload-or-try-restart dbus
- /bin/systemctl reload-or-try-restart oddjobd
+ # Skip systemctl calls when leapp upgrade is in progress
+ if [ -z "$LEAPP_IPU_IN_PROGRESS" ] ; then
+ /bin/systemctl reload-or-try-restart dbus
+ /bin/systemctl reload-or-try-restart oddjobd
+ fi
fi
# ONLY_CLIENT
--
2.48.1

355
0059-Disable-raw-and-structured-together.patch Normal file
View File

@ -0,0 +1,355 @@
From 653b4b6971b1778988718840a301c10b3e35e700 Mon Sep 17 00:00:00 2001
From: David Hanina <dhanina@redhat.com>
Date: Thu, 6 Mar 2025 09:32:01 +0100
Subject: [PATCH] Disable --raw and --structured together
Disables --raw and --structured for dnsrecord-* command.
This is being shown in help for structured, as raw is implemented in
almost every command, therefore people are more likely to view
structured. Also contains tests, even though this is newly noted, this
combination has never worked in the past.
Fixes: https://pagure.io/freeipa/issue/9756
Signed-off-by: David Hanina <dhanina@redhat.com>
Reviewed-By: Rob Crittenden <rcritten@redhat.com>
---
ipaclient/remote_plugins/2_114/dns.py | 15 +++++++----
ipaclient/remote_plugins/2_156/dns.py | 15 +++++++----
ipaclient/remote_plugins/2_164/dns.py | 15 +++++++----
ipaclient/remote_plugins/2_49/dns.py | 15 +++++++----
ipaserver/plugins/dns.py | 28 ++++++++++++++++++++
ipatests/test_xmlrpc/test_dns_plugin.py | 35 +++++++++++++++++++++++++
6 files changed, 103 insertions(+), 20 deletions(-)
diff --git a/ipaclient/remote_plugins/2_114/dns.py b/ipaclient/remote_plugins/2_114/dns.py
index 6260420008e3371dc95317d67d2f37a46b4d5d42..2f414927bad2f0838bec42bab734d3a42e87005f 100644
--- a/ipaclient/remote_plugins/2_114/dns.py
+++ b/ipaclient/remote_plugins/2_114/dns.py
@@ -2625,7 +2625,8 @@ class dnsrecord_add(Method):
parameters.Flag(
'structured',
label=_(u'Structured'),
- doc=_(u'Parse all raw DNS records and return them in a structured way'),
+ doc=_(u'Parse all raw DNS records and return them in a '
+ u'structured way. Can not be used with --raw.'),
default=False,
autofill=True,
),
@@ -2991,7 +2992,8 @@ class dnsrecord_del(Method):
parameters.Flag(
'structured',
label=_(u'Structured'),
- doc=_(u'Parse all raw DNS records and return them in a structured way'),
+ doc=_(u'Parse all raw DNS records and return them in a '
+ u'structured way. Can not be used with --raw.'),
default=False,
autofill=True,
),
@@ -3405,7 +3407,8 @@ class dnsrecord_find(Method):
parameters.Flag(
'structured',
label=_(u'Structured'),
- doc=_(u'Parse all raw DNS records and return them in a structured way'),
+ doc=_(u'Parse all raw DNS records and return them in a '
+ u'structured way. Can not be used with --raw.'),
default=False,
autofill=True,
),
@@ -4290,7 +4293,8 @@ class dnsrecord_mod(Method):
parameters.Flag(
'structured',
label=_(u'Structured'),
- doc=_(u'Parse all raw DNS records and return them in a structured way'),
+ doc=_(u'Parse all raw DNS records and return them in a '
+ u'structured way. Can not be used with --raw.'),
default=False,
autofill=True,
),
@@ -4363,7 +4367,8 @@ class dnsrecord_show(Method):
parameters.Flag(
'structured',
label=_(u'Structured'),
- doc=_(u'Parse all raw DNS records and return them in a structured way'),
+ doc=_(u'Parse all raw DNS records and return them in a '
+ u'structured way. Can not be used with --raw.'),
default=False,
autofill=True,
),
diff --git a/ipaclient/remote_plugins/2_156/dns.py b/ipaclient/remote_plugins/2_156/dns.py
index 4ebad93e79d38c1171b066cc5a1a0b8d6fce64b2..9ce8a7eef99eff7592f8550d0000506cc2d7824c 100644
--- a/ipaclient/remote_plugins/2_156/dns.py
+++ b/ipaclient/remote_plugins/2_156/dns.py
@@ -2540,7 +2540,8 @@ class dnsrecord_add(Method):
parameters.Flag(
'structured',
label=_(u'Structured'),
- doc=_(u'Parse all raw DNS records and return them in a structured way'),
+ doc=_(u'Parse all raw DNS records and return them in a '
+ u'structured way. Can not be used with --raw.'),
default=False,
autofill=True,
),
@@ -2861,7 +2862,8 @@ class dnsrecord_del(Method):
parameters.Flag(
'structured',
label=_(u'Structured'),
- doc=_(u'Parse all raw DNS records and return them in a structured way'),
+ doc=_(u'Parse all raw DNS records and return them in a '
+ u'structured way. Can not be used with --raw.'),
default=False,
autofill=True,
),
@@ -3230,7 +3232,8 @@ class dnsrecord_find(Method):
parameters.Flag(
'structured',
label=_(u'Structured'),
- doc=_(u'Parse all raw DNS records and return them in a structured way'),
+ doc=_(u'Parse all raw DNS records and return them in a '
+ u'structured way. Can not be used with --raw.'),
default=False,
autofill=True,
),
@@ -4065,7 +4068,8 @@ class dnsrecord_mod(Method):
parameters.Flag(
'structured',
label=_(u'Structured'),
- doc=_(u'Parse all raw DNS records and return them in a structured way'),
+ doc=_(u'Parse all raw DNS records and return them in a '
+ u'structured way. Can not be used with --raw.'),
default=False,
autofill=True,
),
@@ -4138,7 +4142,8 @@ class dnsrecord_show(Method):
parameters.Flag(
'structured',
label=_(u'Structured'),
- doc=_(u'Parse all raw DNS records and return them in a structured way'),
+ doc=_(u'Parse all raw DNS records and return them in a '
+ u'structured way. Can not be used with --raw.'),
default=False,
autofill=True,
),
diff --git a/ipaclient/remote_plugins/2_164/dns.py b/ipaclient/remote_plugins/2_164/dns.py
index f5adb4d54e8501b6b4efed06404ff299aa918cfb..284ef2cdaa757341db4eed044be3bb051db83d99 100644
--- a/ipaclient/remote_plugins/2_164/dns.py
+++ b/ipaclient/remote_plugins/2_164/dns.py
@@ -2548,7 +2548,8 @@ class dnsrecord_add(Method):
parameters.Flag(
'structured',
label=_(u'Structured'),
- doc=_(u'Parse all raw DNS records and return them in a structured way'),
+ doc=_(u'Parse all raw DNS records and return them in a '
+ u'structured way. Can not be used with --raw.'),
default=False,
autofill=True,
),
@@ -2869,7 +2870,8 @@ class dnsrecord_del(Method):
parameters.Flag(
'structured',
label=_(u'Structured'),
- doc=_(u'Parse all raw DNS records and return them in a structured way'),
+ doc=_(u'Parse all raw DNS records and return them in a '
+ u'structured way. Can not be used with --raw.'),
default=False,
autofill=True,
),
@@ -3238,7 +3240,8 @@ class dnsrecord_find(Method):
parameters.Flag(
'structured',
label=_(u'Structured'),
- doc=_(u'Parse all raw DNS records and return them in a structured way'),
+ doc=_(u'Parse all raw DNS records and return them in a '
+ u'structured way. Can not be used with --raw.'),
default=False,
autofill=True,
),
@@ -4073,7 +4076,8 @@ class dnsrecord_mod(Method):
parameters.Flag(
'structured',
label=_(u'Structured'),
- doc=_(u'Parse all raw DNS records and return them in a structured way'),
+ doc=_(u'Parse all raw DNS records and return them in a '
+ u'structured way. Can not be used with --raw.'),
default=False,
autofill=True,
),
@@ -4146,7 +4150,8 @@ class dnsrecord_show(Method):
parameters.Flag(
'structured',
label=_(u'Structured'),
- doc=_(u'Parse all raw DNS records and return them in a structured way'),
+ doc=_(u'Parse all raw DNS records and return them in a '
+ u'structured way. Can not be used with --raw.'),
default=False,
autofill=True,
),
diff --git a/ipaclient/remote_plugins/2_49/dns.py b/ipaclient/remote_plugins/2_49/dns.py
index 4b543a2c2539f7b67467b0a38ab8013a1ebe0840..1610f4af18ee46bc7304839ede2d587d61c6d0e2 100644
--- a/ipaclient/remote_plugins/2_49/dns.py
+++ b/ipaclient/remote_plugins/2_49/dns.py
@@ -2233,7 +2233,8 @@ class dnsrecord_add(Method):
parameters.Flag(
'structured',
label=_(u'Structured'),
- doc=_(u'Parse all raw DNS records and return them in a structured way'),
+ doc=_(u'Parse all raw DNS records and return them in a '
+ u'structured way. Can not be used with --raw.'),
default=False,
autofill=True,
),
@@ -2594,7 +2595,8 @@ class dnsrecord_del(Method):
parameters.Flag(
'structured',
label=_(u'Structured'),
- doc=_(u'Parse all raw DNS records and return them in a structured way'),
+ doc=_(u'Parse all raw DNS records and return them in a '
+ u'structured way. Can not be used with --raw.'),
default=False,
autofill=True,
),
@@ -3013,7 +3015,8 @@ class dnsrecord_find(Method):
parameters.Flag(
'structured',
label=_(u'Structured'),
- doc=_(u'Parse all raw DNS records and return them in a structured way'),
+ doc=_(u'Parse all raw DNS records and return them in a '
+ u'structured way. Can not be used with --raw.'),
default=False,
autofill=True,
),
@@ -4025,7 +4028,8 @@ class dnsrecord_mod(Method):
parameters.Flag(
'structured',
label=_(u'Structured'),
- doc=_(u'Parse all raw DNS records and return them in a structured way'),
+ doc=_(u'Parse all raw DNS records and return them in a '
+ u'structured way. Can not be used with --raw.'),
default=False,
autofill=True,
),
@@ -4094,7 +4098,8 @@ class dnsrecord_show(Method):
parameters.Flag(
'structured',
label=_(u'Structured'),
- doc=_(u'Parse all raw DNS records and return them in a structured way'),
+ doc=_(u'Parse all raw DNS records and return them in a '
+ u'structured way. Can not be used with --raw.'),
default=False,
autofill=True,
),
diff --git a/ipaserver/plugins/dns.py b/ipaserver/plugins/dns.py
index 0d6260cd6c4edb8c1a9d7ac8927b7595588fae58..ff2d3ff8a7c2839645c9906300cba0d399f2325a 100644
--- a/ipaserver/plugins/dns.py
+++ b/ipaserver/plugins/dns.py
@@ -3587,6 +3587,12 @@ class dnsrecord_add(LDAPCreate):
def pre_callback(self, ldap, dn, entry_attrs, attrs_list, *keys, **options):
assert isinstance(dn, DN)
+
+ if options.get('structured') and options.get('raw'):
+ raise errors.MutuallyExclusiveError(
+ reason=_("cannot use structured together with raw")
+ )
+
precallback_attrs = []
processed_attrs = []
for option, option_val in options.items():
@@ -3729,6 +3735,12 @@ class dnsrecord_mod(LDAPUpdate):
def pre_callback(self, ldap, dn, entry_attrs, attrs_list, *keys, **options):
assert isinstance(dn, DN)
+
+ if options.get('structured') and options.get('raw'):
+ raise errors.MutuallyExclusiveError(
+ reason=_("cannot use structured together with raw")
+ )
+
if options.get('rename') and self.obj.is_pkey_zone_record(*keys):
# zone rename is not allowed
raise errors.ValidationError(name='rename',
@@ -3883,6 +3895,7 @@ class dnsrecord_del(LDAPUpdate):
def pre_callback(self, ldap, dn, entry_attrs, attrs_list, *keys, **options):
assert isinstance(dn, DN)
+
try:
old_entry = ldap.get_entry(dn, _record_attributes)
except errors.NotFound:
@@ -3983,6 +3996,16 @@ class dnsrecord_show(LDAPRetrieve):
dnsrecord.structured_flag,
)
+ def pre_callback(self, ldap, dn, attrs_list, *keys, **options):
+ assert isinstance(dn, DN)
+
+ if options.get('structured') and options.get('raw'):
+ raise errors.MutuallyExclusiveError(
+ reason=_("cannot use structured together with raw")
+ )
+
+ return dn
+
def post_callback(self, ldap, dn, entry_attrs, *keys, **options):
assert isinstance(dn, DN)
if self.obj.is_pkey_zone_record(*keys):
@@ -4013,6 +4036,11 @@ class dnsrecord_find(LDAPSearch):
dnszoneidnsname, *args, **options):
assert isinstance(base_dn, DN)
+ if options.get('structured') and options.get('raw'):
+ raise errors.MutuallyExclusiveError(
+ reason=_("cannot use structured together with raw")
+ )
+
# validate if zone is master zone
self.obj.check_zone(dnszoneidnsname, **options)
diff --git a/ipatests/test_xmlrpc/test_dns_plugin.py b/ipatests/test_xmlrpc/test_dns_plugin.py
index 39d42e306d12c4f6623a1ed657aeac3d3bfa3e22..803b0a9571c2888dd02c4595c68403f37be7fed7 100644
--- a/ipatests/test_xmlrpc/test_dns_plugin.py
+++ b/ipatests/test_xmlrpc/test_dns_plugin.py
@@ -3426,6 +3426,41 @@ class test_dns(Declarative):
},
),
+ dict(
+ desc="Ensure --raw and --structure does not work "
+ "for ipa dnsrecord-add",
+ command=('dnrecord_add', [], {u'raw': True, u'structured': True}),
+ expected=errors.MutuallyExclusiveError(
+ reason=u"cannot use structured together with raw"
+ ),
+ ),
+
+ dict(
+ desc="Ensure --raw and --structure does not work "
+ "for ipa dnsrecord-mod",
+ command=('dnrecord_add', [], {u'raw': True, u'structured': True}),
+ expected=errors.MutuallyExclusiveError(
+ reason=u"cannot use structured together with raw"
+ ),
+ ),
+
+ dict(
+ desc="Ensure --raw and --structure does not work "
+ "for ipa dnsrecord-show",
+ command=('dnrecord_add', [], {u'raw': True, u'structured': True}),
+ expected=errors.MutuallyExclusiveError(
+ reason=u"cannot use structured together with raw"
+ ),
+ ),
+
+ dict(
+ desc="Ensure --raw and --structure does not work "
+ "for ipa dnsrecord-find",
+ command=('dnrecord_add', [], {u'raw': True, u'structured': True}),
+ expected=errors.MutuallyExclusiveError(
+ reason=u"cannot use structured together with raw"
+ ),
+ ),
]
--
2.48.1

435
0060-config-mod-allow-disabling-subordinate-ID-integratio.patch Normal file
View File

@ -0,0 +1,435 @@
From f906e3625491e9b6fc67fdd5ac6b429531658be1 Mon Sep 17 00:00:00 2001
From: Alexander Bokovoy <abokovoy@redhat.com>
Date: Fri, 28 Feb 2025 14:57:25 +0200
Subject: [PATCH] config-mod: allow disabling subordinate ID integration
When full 32-bit ID range usage is required, subordinate ID support have
to be disabled. However, even if ID range for subordinate IDs were to be
removed, it will be restored during the next data upgrade.
Change upgrade code to only apply subID range creation when subID
support is enabled.
Do not allow allocating subIDs if their use is disabled.
Allow full 32-bit uidNumber/gidNumber values in JSON payload.
Fixes: https://pagure.io/freeipa/issue/9757
Signed-off-by: Alexander Bokovoy <abokovoy@redhat.com>
Reviewed-By: Rob Crittenden <rcritten@redhat.com>
Reviewed-By: Florence Blanc-Renaud <flo@redhat.com>
---
API.txt | 2 +-
doc/api/config_mod.md | 2 +-
doc/designs/subordinate-ids.md | 22 +++++++++
install/share/Makefile.am | 1 +
install/share/subid-generators.uldif | 38 ++++++++++++++++
install/updates/73-subid.update | 37 ---------------
.../updates/90-post_upgrade_plugins.update | 1 +
ipalib/messages.py | 13 ++++++
ipaplatform/base/paths.py | 1 +
ipaserver/install/ipa_subids.py | 5 +++
.../install/plugins/update_subid_support.py | 45 +++++++++++++++++++
ipaserver/plugins/config.py | 34 +++++++++++++-
ipaserver/plugins/subid.py | 11 +++++
ipaserver/plugins/user.py | 4 +-
14 files changed, 174 insertions(+), 42 deletions(-)
create mode 100644 install/share/subid-generators.uldif
create mode 100644 ipaserver/install/plugins/update_subid_support.py
diff --git a/API.txt b/API.txt
index 61e8e463ab5c66b1609f8cc61f93ae2ded959bba..f19e3bf344cf6f23680c268c5081570ac629f851 100644
--- a/API.txt
+++ b/API.txt
@@ -1083,7 +1083,7 @@ option: Flag('all', autofill=True, cli_name='all', default=False)
option: Str('ca_renewal_master_server?', autofill=False)
option: Str('delattr*', cli_name='delattr')
option: Flag('enable_sid?', autofill=True, default=False)
-option: StrEnum('ipaconfigstring*', autofill=False, cli_name='ipaconfigstring', values=[u'AllowNThash', u'KDC:Disable Last Success', u'KDC:Disable Lockout', u'KDC:Disable Default Preauth for SPNs', u'EnforceLDAPOTP'])
+option: StrEnum('ipaconfigstring*', autofill=False, cli_name='ipaconfigstring', values=[u'AllowNThash', u'KDC:Disable Last Success', u'KDC:Disable Lockout', u'KDC:Disable Default Preauth for SPNs', u'EnforceLDAPOTP', u'SubID:Disable'])
option: Str('ipadefaultemaildomain?', autofill=False, cli_name='emaildomain')
option: Str('ipadefaultloginshell?', autofill=False, cli_name='defaultshell')
option: Str('ipadefaultprimarygroup?', autofill=False, cli_name='defaultgroup')
diff --git a/doc/api/config_mod.md b/doc/api/config_mod.md
index b3203c350605af5a386544c858a9a5f7f724342f..e18dd55c75993016afbcd8a15d33f13a38ef96b3 100644
--- a/doc/api/config_mod.md
+++ b/doc/api/config_mod.md
@@ -27,7 +27,7 @@ No arguments.
* ipauserobjectclasses : :ref:`Str<Str>`
* ipapwdexpadvnotify : :ref:`Int<Int>`
* ipaconfigstring : :ref:`StrEnum<StrEnum>`
- * Values: ('AllowNThash', 'KDC:Disable Last Success', 'KDC:Disable Lockout', 'KDC:Disable Default Preauth for SPNs', 'EnforceLDAPOTP')
+ * Values: ('AllowNThash', 'KDC:Disable Last Success', 'KDC:Disable Lockout', 'KDC:Disable Default Preauth for SPNs', 'EnforceLDAPOTP', 'SubID:Disable')
* ipaselinuxusermaporder : :ref:`Str<Str>`
* ipaselinuxusermapdefault : :ref:`Str<Str>`
* ipakrbauthzdata : :ref:`StrEnum<StrEnum>`
diff --git a/doc/designs/subordinate-ids.md b/doc/designs/subordinate-ids.md
index b280df1a9eb2fc8e0ff53271b19a2d5b13399506..dac1c3292fecdebcc7f49118ea0b23d8c5aeff37 100644
--- a/doc/designs/subordinate-ids.md
+++ b/doc/designs/subordinate-ids.md
@@ -64,6 +64,18 @@ and don't auto-map or auto-assign subordinate ids by default. Instead
we give the admin several options to assign them manually, semi-manual,
or automatically.
+For deployments where there is a need to consume IDs above 2^31 for normal UID
+and GID assignments, one has to disable subordinate ID feature. This should be
+done with `ipa config-mod --addattr ipaconfigstring=SubID:Disable` command.
+After it is done, subordinate ID range can be removed with `ipa idrange-del`
+command and on the IPA server one have to run `ipa-server-upgrade` command to
+make sure internal DNA plugin configuration is removed as well.
+Finally, a new local ID range can be added to cover required part of the
+2^31..2^32-1 space. The range must have RID bases to make sure FreeIPA will
+generate SIDs properly to users and groups created with IDs from this range.
+
+**NOTE**: Disabling subordinate ID feature can only be done if no subordinate
+IDs were already allocated.
### Revision 1 limitation
@@ -340,6 +352,16 @@ subordinate id entries for new users:
$ ipa config-mod --user-default-subid=true
```
+Subordinate ID feature can be disabled completely. This is done with `ipa
+config-mod --addattr ipaconfigstring=SubID:Disable` command. After it is done,
+subordinate ID range can be removed with `ipa idrange-del` command and on the
+IPA server one have to run `ipa-server-upgrade` command to make sure internal
+DNA plugin configuration is removed as well. Finally, a new local ID range can
+be added to cover the required part of the full 32-bit ID space.
+
+**NOTE**: Disabling subordinate ID feature can only be done if no subordinate
+IDs were already allocated.
+
Subordinate ids are managed by a new plugin class. The ``subid-add``
and ``subid-del`` commands are hidden from command line. New subordinate
ids are generated and auto-assigned with ``subid-generate``.
diff --git a/install/share/Makefile.am b/install/share/Makefile.am
index 4029297b76cc2f30dc9eab606e5670667978dd27..d8d270ca9f4b13ed01e65c6460a3a6b0dbbc5ebe 100644
--- a/install/share/Makefile.am
+++ b/install/share/Makefile.am
@@ -90,6 +90,7 @@ dist_app_DATA = \
vault.ldif \
kdcproxy-enable.uldif \
kdcproxy-disable.uldif \
+ subid-generators.uldif \
ipa-httpd.conf.template \
ipa-httpd-wsgi.conf.template \
gssapi.login \
diff --git a/install/share/subid-generators.uldif b/install/share/subid-generators.uldif
new file mode 100644
index 0000000000000000000000000000000000000000..118077382b860c655aa63907ab3db090110349d6
--- /dev/null
+++ b/install/share/subid-generators.uldif
@@ -0,0 +1,38 @@
+# DNA plugin and idrange configuration
+dn: cn=subordinate-ids,cn=dna,cn=ipa,cn=etc,$SUFFIX
+default: objectClass: nsContainer
+default: objectClass: top
+default: cn: subordinate-ids
+
+dn: cn=Subordinate IDs,cn=Distributed Numeric Assignment Plugin,cn=plugins,cn=config
+default: objectclass: top
+default: objectclass: extensibleObject
+default: cn: Subordinate IDs
+default: dnaType: ipasubuidnumber
+default: dnaType: ipasubgidnumber
+default: dnaNextValue: eval($SUBID_RANGE_START)
+default: dnaMaxValue: eval($SUBID_RANGE_MAX)
+default: dnaMagicRegen: -1
+default: dnaFilter: (objectClass=ipaSubordinateId)
+default: dnaScope: $SUFFIX
+default: dnaThreshold: eval($SUBID_DNA_THRESHOLD)
+default: dnaSharedCfgDN: cn=subordinate-ids,cn=dna,cn=ipa,cn=etc,$SUFFIX
+default: dnaExcludeScope: cn=provisioning,$SUFFIX
+default: dnaInterval: eval($SUBID_COUNT)
+add: aci: (targetattr = "dnaNextRange || dnaNextValue || dnaMaxValue")(version 3.0;acl "permission:Modify DNA Range";allow (write) groupdn = "ldap:///cn=Modify DNA Range,cn=permissions,cn=pbac,$SUFFIX";)
+add: aci: (targetattr = "cn || dnaMaxValue || dnaNextRange || dnaNextValue || dnaThreshold || dnaType || objectclass")(version 3.0;acl "permission:Read DNA Range";allow (read, search, compare) groupdn = "ldap:///cn=Read DNA Range,cn=permissions,cn=pbac,$SUFFIX";)
+
+dn: cn=${REALM}_subid_range,cn=ranges,cn=etc,$SUFFIX
+default: objectClass: top
+default: objectClass: ipaIDrange
+default: objectClass: ipaTrustedADDomainRange
+default: cn: ${REALM}_subid_range
+default: ipaBaseID: $SUBID_RANGE_START
+default: ipaIDRangeSize: $SUBID_RANGE_SIZE
+# HACK: RIDs to work around adtrust sidgen issue
+default: ipaBaseRID: eval($SUBID_BASE_RID)
+default: ipaNTTrustedDomainSID: S-1-5-21-738065-838566-$DOMAIN_HASH
+# HACK: "ipa-local-subid" range type causes issues with older SSSD clients
+# see https://github.com/SSSD/sssd/issues/5571
+default: ipaRangeType: ipa-ad-trust
+
diff --git a/install/updates/73-subid.update b/install/updates/73-subid.update
index 3c030b41e6d01ed48a0e5cc5c0ed7e536c9d3412..18bca60bcd85b32350a456f71ef9d97ef35b9584 100644
--- a/install/updates/73-subid.update
+++ b/install/updates/73-subid.update
@@ -67,40 +67,3 @@ dn: cn=subids,cn=accounts,$SUFFIX
add: aci: (targetfilter = "(objectclass=ipasubordinateidentry)")(targetattr="description || ipaowner || ipauniqueid")(targattrfilters = "add=objectClass:(|(objectClass=top)(objectClass=ipasubordinateid)(objectClass=ipasubordinateidentry)(objectClass=ipasubordinategid)(objectClass=ipasubordinateuid)) && ipasubuidnumber:(ipasubuidnumber=-1) && ipasubuidcount:(ipasubuidcount=eval($SUBID_COUNT)) && ipasubgidnumber:(ipasubgidnumber=-1) && ipasubgidcount:(ipasubgidcount=eval($SUBID_COUNT)), del=ipasubuidnumber:(!(ipasubuidnumber=*)) && ipasubuidcount:(!(ipasubuidcount=*)) && ipasubgidnumber:(!(ipasubgidnumber=*)) && ipasubgidcount:(!(ipasubgidcount=*))")(version 3.0;acl "selfservice: Add subordinate id";allow (add, write) userattr = "ipaowner#SELFDN" and groupdn="ldap:///cn=Self-service subordinate ID,cn=permissions,cn=pbac,$SUFFIX";)
add: aci: (targetfilter = "(objectclass=ipasubordinateidentry)")(targetattr="description || ipaowner || ipauniqueid")(targattrfilters = "add=objectClass:(|(objectClass=top)(objectClass=ipasubordinateid)(objectClass=ipasubordinateidentry)(objectClass=ipasubordinategid)(objectClass=ipasubordinateuid)) && ipasubuidnumber:(|(ipasubuidnumber>=1)(ipasubuidnumber=-1)) && ipasubuidcount:(ipasubuidcount=eval($SUBID_COUNT)) && ipasubgidnumber:(|(ipasubgidnumber>=1)(ipasubgidnumber=-1)) && ipasubgidcount:(ipasubgidcount=eval($SUBID_COUNT)), del=ipasubuidnumber:(!(ipasubuidnumber=*)) && ipasubuidcount:(!(ipasubuidcount=*)) && ipasubgidnumber:(!(ipasubgidnumber=*)) && ipasubgidcount:(!(ipasubgidcount=*))")(version 3.0;acl "Add subordinate ids to any user";allow (add, write) groupdn="ldap:///cn=Subordinate ID Administrators,cn=privileges,cn=pbac,$SUFFIX";)
-# DNA plugin and idrange configuration
-dn: cn=subordinate-ids,cn=dna,cn=ipa,cn=etc,$SUFFIX
-default: objectClass: nsContainer
-default: objectClass: top
-default: cn: subordinate-ids
-
-dn: cn=Subordinate IDs,cn=Distributed Numeric Assignment Plugin,cn=plugins,cn=config
-default: objectclass: top
-default: objectclass: extensibleObject
-default: cn: Subordinate IDs
-default: dnaType: ipasubuidnumber
-default: dnaType: ipasubgidnumber
-default: dnaNextValue: eval($SUBID_RANGE_START)
-default: dnaMaxValue: eval($SUBID_RANGE_MAX)
-default: dnaMagicRegen: -1
-default: dnaFilter: (objectClass=ipaSubordinateId)
-default: dnaScope: $SUFFIX
-default: dnaThreshold: eval($SUBID_DNA_THRESHOLD)
-default: dnaSharedCfgDN: cn=subordinate-ids,cn=dna,cn=ipa,cn=etc,$SUFFIX
-default: dnaExcludeScope: cn=provisioning,$SUFFIX
-default: dnaInterval: eval($SUBID_COUNT)
-add: aci: (targetattr = "dnaNextRange || dnaNextValue || dnaMaxValue")(version 3.0;acl "permission:Modify DNA Range";allow (write) groupdn = "ldap:///cn=Modify DNA Range,cn=permissions,cn=pbac,$SUFFIX";)
-add: aci: (targetattr = "cn || dnaMaxValue || dnaNextRange || dnaNextValue || dnaThreshold || dnaType || objectclass")(version 3.0;acl "permission:Read DNA Range";allow (read, search, compare) groupdn = "ldap:///cn=Read DNA Range,cn=permissions,cn=pbac,$SUFFIX";)
-
-dn: cn=${REALM}_subid_range,cn=ranges,cn=etc,$SUFFIX
-default: objectClass: top
-default: objectClass: ipaIDrange
-default: objectClass: ipaTrustedADDomainRange
-default: cn: ${REALM}_subid_range
-default: ipaBaseID: $SUBID_RANGE_START
-default: ipaIDRangeSize: $SUBID_RANGE_SIZE
-# HACK: RIDs to work around adtrust sidgen issue
-default: ipaBaseRID: eval($SUBID_BASE_RID)
-default: ipaNTTrustedDomainSID: S-1-5-21-738065-838566-$DOMAIN_HASH
-# HACK: "ipa-local-subid" range type causes issues with older SSSD clients
-# see https://github.com/SSSD/sssd/issues/5571
-default: ipaRangeType: ipa-ad-trust
diff --git a/install/updates/90-post_upgrade_plugins.update b/install/updates/90-post_upgrade_plugins.update
index 9a9d80a9245654691ef96bb048dfbe950a4a7c6f..7c3bba3e0317162d4739513e16b9fac973495c66 100644
--- a/install/updates/90-post_upgrade_plugins.update
+++ b/install/updates/90-post_upgrade_plugins.update
@@ -34,6 +34,7 @@ plugin: update_dnsforward_emptyzones
plugin: update_managed_post
plugin: update_managed_permissions
plugin: update_read_replication_agreements_permission
+plugin: update_subid_support
plugin: update_idrange_baserid
plugin: update_passync_privilege_update
plugin: update_dnsserver_configuration_into_ldap
diff --git a/ipalib/messages.py b/ipalib/messages.py
index 732de7cb92bb530a734a68440478dfda09062db8..6a70bbc7556126748cc2ec031fc2af36bfe76f74 100644
--- a/ipalib/messages.py
+++ b/ipalib/messages.py
@@ -506,6 +506,19 @@ class MissingTargetAttributesinPermission(PublicMessage):
"are set.")
+class ServerUpgradeRequired(PublicMessage):
+ """
+ **13033** Server upgrade required
+ """
+ errno = 13033
+ type = "warning"
+ format = _(
+ "Change of the state of '%(feature)s' feature requires to run "
+ "'ipa-server-upgrade' command on IPA server %(server)s "
+ "to apply configuration changes."
+ )
+
+
def iter_messages(variables, base):
"""Return a tuple with all subclasses
"""
diff --git a/ipaplatform/base/paths.py b/ipaplatform/base/paths.py
index f794aae6d7b19a60ba40282f83a41052584517cb..a5bca789bdb8d07b51779e28adf64c9b68892328 100644
--- a/ipaplatform/base/paths.py
+++ b/ipaplatform/base/paths.py
@@ -302,6 +302,7 @@ class BasePathNamespace:
NIS_UPDATE_ULDIF = "/usr/share/ipa/nis-update.uldif"
SCHEMA_COMPAT_ULDIF = "/usr/share/ipa/updates/91-schema_compat.update"
SCHEMA_COMPAT_POST_ULDIF = "/usr/share/ipa/schema_compat_post.uldif"
+ SUBID_GENERATORS_ULDIF = "/usr/share/ipa/subid-generators.uldif"
IPA_JS_PLUGINS_DIR = "/usr/share/ipa/ui/js/plugins"
UPDATES_DIR = "/usr/share/ipa/updates/"
DICT_WORDS = "/usr/share/dict/words"
diff --git a/ipaserver/install/ipa_subids.py b/ipaserver/install/ipa_subids.py
index 1537047c33431b59d776f9bfa6325d52561e1ac6..8c542e4eae4b6e378a99ed748cd3a2b311dc0ce8 100644
--- a/ipaserver/install/ipa_subids.py
+++ b/ipaserver/install/ipa_subids.py
@@ -116,6 +116,11 @@ class IPASubids(AdminTool):
api.finalize()
api.Backend.ldap2.connect()
self.ldap2 = api.Backend.ldap2
+
+ if api.Object.config.is_config_option_present('SubID:Disable'):
+ print("Support for subordinate IDs is disabled.")
+ return 2
+
subid_generate = api.Command.subid_generate
dry_run = self.safe_options.dry_run
diff --git a/ipaserver/install/plugins/update_subid_support.py b/ipaserver/install/plugins/update_subid_support.py
new file mode 100644
index 0000000000000000000000000000000000000000..54852d2034012bcac9d12b6e81a3025ac3fe7caf
--- /dev/null
+++ b/ipaserver/install/plugins/update_subid_support.py
@@ -0,0 +1,45 @@
+#
+# Copyright (C) 2025 FreeIPA Contributors see COPYING for license
+#
+import logging
+from ipalib import Registry, Updater, errors
+from ipaserver.install import ldapupdate
+from ipaplatform.paths import paths
+from ipapython.dn import DN
+
+logger = logging.getLogger(__name__)
+
+register = Registry()
+
+
+@register()
+class update_subid_support(Updater):
+ """
+ Conditionally add SubID ranges when subID support is enabled
+ """
+
+ dna_plugin_dn = DN(
+ ('cn', 'Distributed Numeric Assignment Plugin'),
+ ('cn', 'plugins'),
+ ('cn', 'config')
+ )
+
+ def execute(self, **options):
+ subid_disabled = self.api.Object.config.is_config_option_present(
+ 'SubID:Disable')
+ if not subid_disabled:
+ ld = ldapupdate.LDAPUpdate(api=self.api)
+ ld.update([paths.SUBID_GENERATORS_ULDIF])
+ else:
+ # make sure to remove DNA configuration
+ conn = self.api.Backend.ldap2
+ try:
+ subid_dna_config = DN(
+ ('cn', 'Subordinate IDs'), self.dna_plugin_dn
+ )
+ entry = conn.get_entry(subid_dna_config)
+ conn.delete_entry(entry)
+ except errors.NotFound:
+ pass
+
+ return False, []
diff --git a/ipaserver/plugins/config.py b/ipaserver/plugins/config.py
index adf21ea0c59f70714298af74d7e92f7200f75085..c509c2c13adfb4950741f63ffcbc9f3f806c0c3b 100644
--- a/ipaserver/plugins/config.py
+++ b/ipaserver/plugins/config.py
@@ -33,7 +33,7 @@ from .baseldap import (
LDAPUpdate,
LDAPRetrieve)
from .selinuxusermap import validate_selinuxuser
-from ipalib import _
+from ipalib import _, messages
from ipapython.admintool import ScriptError
from ipapython.dn import DN
from ipaserver.plugins.privilege import principal_has_privilege
@@ -261,7 +261,7 @@ class config(LDAPObject):
values=(u'AllowNThash',
u'KDC:Disable Last Success', u'KDC:Disable Lockout',
u'KDC:Disable Default Preauth for SPNs',
- u'EnforceLDAPOTP'),
+ u'EnforceLDAPOTP', u'SubID:Disable'),
),
Str('ipaselinuxusermaporder',
label=_('SELinux user map order'),
@@ -521,6 +521,12 @@ class config(LDAPObject):
for domain in submitted_domains:
self._validate_single_domain(attr_name, domain, known_domains)
+ def is_config_option_present(self, option):
+ dn = DN(('cn', 'ipaconfig'), ('cn', 'etc'), self.api.env.basedn)
+ configentry = self.api.Backend.ldap2.get_entry(dn, ['ipaconfigstring'])
+ configstring = configentry['ipaconfigstring']
+ return (option.lower() in map(str.lower, configstring))
+
@register()
class config_mod(LDAPUpdate):
@@ -695,6 +701,30 @@ class config_mod(LDAPUpdate):
raise errors.ValidationError(name=failedattr,
error=_('SELinux user map default user not in order list'))
+ if 'ipaconfigstring' in entry_attrs:
+ configstring = entry_attrs['ipaconfigstring']
+ if 'SubID:Disable'.lower() in map(str.lower, configstring):
+ # Check if SubIDs already allocated
+ try:
+ result = self.api.Command.subid_stats()
+ stats = result['result']
+ except errors.PublicError:
+ stats = {'assigned_subids': 0}
+ if stats["assigned_subids"] > 0:
+ error_message = _("Subordinate ID feature can not be "
+ "disabled when there are subIDs "
+ "already in use.")
+ raise errors.ValidationError(name='configuration state',
+ error=error_message)
+ # SubID:Disable enforces disabling default subid generation
+ entry_attrs['ipauserdefaultsubordinateid'] = False
+ self.add_message(
+ messages.ServerUpgradeRequired(
+ feature='Subordinate ID',
+ server=_('<all IPA servers>')
+ )
+ )
+
if 'ca_renewal_master_server' in options:
new_master = options['ca_renewal_master_server']
diff --git a/ipaserver/plugins/subid.py b/ipaserver/plugins/subid.py
index 132c85c7f198217ba70f2332306ee2550be86035..2be2cdeff920ff79eb7df6e3cf635df96d7f3348 100644
--- a/ipaserver/plugins/subid.py
+++ b/ipaserver/plugins/subid.py
@@ -265,6 +265,12 @@ class subid(LDAPObject):
def handle_subordinate_ids(self, ldap, dn, entry_attrs):
"""Handle ipaSubordinateId object class"""
+
+ if self.api.Object.config.is_config_option_present('SubID:Disable'):
+ raise errors.ValidationError(
+ name="configuration state",
+ error=_("Support for subordinate IDs is disabled"))
+
new_subuid = entry_attrs.single_value.get("ipasubuidnumber")
new_subgid = entry_attrs.single_value.get("ipasubgidnumber")
@@ -577,6 +583,11 @@ class subid_stats(LDAPQuery):
return int(entry.single_value["numSubordinates"])
def execute(self, *keys, **options):
+ if self.api.Object.config.is_config_option_present('SubID:Disable'):
+ raise errors.ValidationError(
+ name="configuration state",
+ error=_("Support for subordinate IDs is disabled"))
+
ldap = self.obj.backend
dna_remaining = self.get_remaining_dna(ldap, **options)
baseid, rangesize = self.get_idrange(ldap, **options)
diff --git a/ipaserver/plugins/user.py b/ipaserver/plugins/user.py
index a3e9c29035161af40c29093b3792f2d97847e5d1..875f2b4babc526359d76778321ba7402198acac9 100644
--- a/ipaserver/plugins/user.py
+++ b/ipaserver/plugins/user.py
@@ -718,7 +718,9 @@ class user_add(baseuser_add):
default_subid = config.single_value.get(
'ipaUserDefaultSubordinateId', False
)
- if default_subid:
+ subid_disabled = self.api.Object.config.is_config_option_present(
+ 'SubID:Disable')
+ if default_subid and not subid_disabled:
result = self.api.Command.subid_generate(
ipaowner=entry_attrs.single_value['uid'],
version=options['version']
--
2.48.1

33
0061-update_dna_shared_config-do-not-fail-when-config-is-.patch Normal file
View File

@ -0,0 +1,33 @@
From b8b91dfe71d7d049f5e55a8195cb37f87837bbce Mon Sep 17 00:00:00 2001
From: Alexander Bokovoy <abokovoy@redhat.com>
Date: Wed, 12 Mar 2025 21:52:56 +0200
Subject: [PATCH] update_dna_shared_config: do not fail when config is not
found
The helper function was supposed to return a DN or None.
Related: https://pagure.io/freeipa/issue/9757
Signed-off-by: Alexander Bokovoy <abokovoy@redhat.com>
Reviewed-By: Rob Crittenden <rcritten@redhat.com>
Reviewed-By: Florence Blanc-Renaud <flo@redhat.com>
---
ipaserver/install/plugins/update_dna_shared_config.py | 2 +-
1 file changed, 1 insertion(+), 1 deletion(-)
diff --git a/ipaserver/install/plugins/update_dna_shared_config.py b/ipaserver/install/plugins/update_dna_shared_config.py
index 955bee5dd830f0dcad3f0810e7e2f1a1c725a0aa..42ee86d8b547fa9d6fb4cced5e36d243ba8cd4ff 100644
--- a/ipaserver/install/plugins/update_dna_shared_config.py
+++ b/ipaserver/install/plugins/update_dna_shared_config.py
@@ -49,7 +49,7 @@ class update_dna_shared_config(Updater):
except errors.NotFound:
logger.error("Could not find DNA config entry: %s",
dna_config_base)
- return False, ()
+ return None
else:
logger.debug('Found DNA config %s', dna_config_base)
--
2.48.1

71
0062-baseuser-allow-uidNumber-and-gidNumber-of-32-bit-ran.patch Normal file
View File

@ -0,0 +1,71 @@
From 65cb358c01568e9a11899dbfe21eaeb916af3cdf Mon Sep 17 00:00:00 2001
From: Alexander Bokovoy <abokovoy@redhat.com>
Date: Fri, 28 Feb 2025 15:34:12 +0200
Subject: [PATCH] baseuser: allow uidNumber and gidNumber of 32-bit range
JSON format allows to encode integers up to 2^53-1. Linux systems allow
for 32-bit IDs. Permit setting full 32-bit uidNumber and gidNumber
through IPA API. Administrators already can set 32-bit IDs via LDAP.
ID Range also needs to permit larger sizes of RID bases. SIDGEN plugin
already treats RID bases as 1..MAX_UINT32.
Fixes: https://pagure.io/freeipa/issue/9757
Signed-off-by: Alexander Bokovoy <abokovoy@redhat.com>
Reviewed-By: Rob Crittenden <rcritten@redhat.com>
Reviewed-By: Florence Blanc-Renaud <flo@redhat.com>
---
ipaserver/plugins/baseuser.py | 4 +++-
ipaserver/plugins/idrange.py | 4 ++++
2 files changed, 7 insertions(+), 1 deletion(-)
diff --git a/ipaserver/plugins/baseuser.py b/ipaserver/plugins/baseuser.py
index b66016305276f7f66d2e9dd4c7946cf49ec5cd96..22393b8f6c5d3e40b57f11947d0a0358d3a087bc 100644
--- a/ipaserver/plugins/baseuser.py
+++ b/ipaserver/plugins/baseuser.py
@@ -26,7 +26,7 @@ import six
from ipalib import api, errors, constants
from ipalib import (
Flag, Int, Password, Str, Bool, StrEnum, DateTime, DNParam)
-from ipalib.parameters import Principal, Certificate
+from ipalib.parameters import Principal, Certificate, MAX_UINT32
from ipalib.plugable import Registry
from .baseldap import (
DN, LDAPObject, LDAPCreate, LDAPUpdate, LDAPSearch, LDAPDelete,
@@ -348,11 +348,13 @@ class baseuser(LDAPObject):
label=_('UID'),
doc=_('User ID Number (system will assign one if not provided)'),
minvalue=1,
+ maxvalue=MAX_UINT32,
),
Int('gidnumber?',
label=_('GID'),
doc=_('Group ID Number'),
minvalue=1,
+ maxvalue=MAX_UINT32,
),
Str('street?',
cli_name='street',
diff --git a/ipaserver/plugins/idrange.py b/ipaserver/plugins/idrange.py
index ec061a455ca26aa7b5354b5b4cc8318e2559d5af..26a3bb666273013912e80d49b56031869157375a 100644
--- a/ipaserver/plugins/idrange.py
+++ b/ipaserver/plugins/idrange.py
@@ -235,10 +235,14 @@ class idrange(LDAPObject):
Int('ipabaserid?',
cli_name='rid_base',
label=_('First RID of the corresponding RID range'),
+ minvalue=1,
+ maxvalue=Int.MAX_UINT32
),
Int('ipasecondarybaserid?',
cli_name='secondary_rid_base',
label=_('First RID of the secondary RID range'),
+ minvalue=1,
+ maxvalue=Int.MAX_UINT32
),
Str('ipanttrusteddomainsid?',
cli_name='dom_sid',
--
2.48.1

133
0063-ipatests-add-a-test-to-use-full-32-bit-ID-range-spac.patch Normal file
View File

@ -0,0 +1,133 @@
From 015d26bab4296dc18e97dd10054a3f668282ef88 Mon Sep 17 00:00:00 2001
From: Alexander Bokovoy <abokovoy@redhat.com>
Date: Wed, 5 Mar 2025 12:49:27 +0200
Subject: [PATCH] ipatests: add a test to use full 32-bit ID range space
The test reconfigures IPA deployment to disable subordinate IDs support
and then configures an additional ID range to cover upper half of the
2^32 ID space. It then makes sure that a user with an UID/GID from that
ID range can be created and used.
Fixes: https://pagure.io/freeipa/issue/9757
Signed-off-by: Alexander Bokovoy <abokovoy@redhat.com>
Reviewed-By: Rob Crittenden <rcritten@redhat.com>
Reviewed-By: Florence Blanc-Renaud <flo@redhat.com>
---
.../test_integration/test_32bit_idranges.py | 104 ++++++++++++++++++
1 file changed, 104 insertions(+)
create mode 100644 ipatests/test_integration/test_32bit_idranges.py
diff --git a/ipatests/test_integration/test_32bit_idranges.py b/ipatests/test_integration/test_32bit_idranges.py
new file mode 100644
index 0000000000000000000000000000000000000000..e76e117e5f1627af02274a13d3ac12ca84eb7ad9
--- /dev/null
+++ b/ipatests/test_integration/test_32bit_idranges.py
@@ -0,0 +1,104 @@
+#
+# Copyright (C) 2025 FreeIPA Contributors see COPYING for license
+#
+
+from __future__ import absolute_import
+
+from ipatests.pytest_ipa.integration import tasks
+from ipatests.test_integration.base import IntegrationTest
+
+
+class Test32BitIdRanges(IntegrationTest):
+ topology = "line"
+
+ def test_remove_subid_range(self):
+ """
+ Test that allocating subid will fail after disabling global option
+ """
+ master = self.master
+ tasks.kinit_admin(master)
+
+ idrange = f"{master.domain.realm}_subid_range"
+ master.run_command(
+ ["ipa", "config-mod", "--addattr", "ipaconfigstring=SubID:Disable"]
+ )
+ master.run_command(["ipa", "idrange-del", idrange])
+
+ tasks.user_add(master, 'subiduser')
+ result = master.run_command(
+ ["ipa", "subid-generate", "--owner", "subiduser"], raiseonerr=False
+ )
+ assert result.returncode > 0
+ assert "Support for subordinate IDs is disabled" in result.stderr_text
+ tasks.user_del(master, 'subiduser')
+
+ def test_invoke_upgrader(self):
+ """Test that ipa-server-upgrade does not add subid ranges back"""
+
+ master = self.master
+ master.run_command(['ipa-server-upgrade'], raiseonerr=True)
+ idrange = f"{master.domain.realm}_subid_range"
+ result = master.run_command(
+ ["ipa", "idrange-show", idrange], raiseonerr=False
+ )
+ assert result.returncode > 0
+ assert f"{idrange}: range not found" in result.stderr_text
+
+ result = tasks.ldapsearch_dm(
+ master,
+ 'cn=Subordinate IDs,cn=Distributed Numeric Assignment Plugin,'
+ 'cn=plugins,cn=config',
+ ['dnaType'],
+ scope='base',
+ raiseonerr=False
+ )
+ assert result.returncode == 32
+ output = result.stdout_text.lower()
+ assert "dnatype: " not in output
+
+ def test_create_user_with_32bit_id(self):
+ """Test that ID range above 2^31 can be used to assign IDs
+ to users and groups. Also check that SIDs generated properly.
+ """
+
+ master = self.master
+ idrange = f"{master.domain.realm}_upper_32bit_range"
+ id_base = 1 << 31
+ id_length = (1 << 31) - 2
+ uid = id_base + 1
+ gid = id_base + 1
+ master.run_command(
+ [
+ "ipa",
+ "idrange-add",
+ idrange,
+ "--base-id", str(id_base),
+ "--range-size", str(id_length),
+ "--rid-base", str(int(id_base >> 3)),
+ "--secondary-rid-base", str(int(id_base >> 3) + id_length),
+ "--type=ipa-local"
+ ]
+ )
+
+ # We added new ID range, SIDGEN will only take it after
+ # restarting a directory server instance.
+ tasks.restart_ipa_server(master)
+
+ # Clear SSSD cache to pick up new ID range
+ tasks.clear_sssd_cache(master)
+
+ tasks.user_add(master, "user", extra_args=[
+ "--uid", str(uid), "--gid", str(gid)
+ ])
+
+ result = master.run_command(
+ ["ipa", "user-show", "user", "--all", "--raw"], raiseonerr=False
+ )
+ assert result.returncode == 0
+ assert "ipaNTSecurityIdentifier:" in result.stdout_text
+
+ result = master.run_command(
+ ["id", "user"], raiseonerr=False
+ )
+ assert result.returncode == 0
+ assert str(uid) in result.stdout_text
--
2.48.1

41
0064-idrange-use-minvalue-0-for-baserid-and-secondarybase.patch Normal file
View File

@ -0,0 +1,41 @@
From 01f23216ab5b383710dad086a01bb73b2da383d1 Mon Sep 17 00:00:00 2001
From: Florence Blanc-Renaud <flo@redhat.com>
Date: Mon, 17 Mar 2025 16:21:23 +0100
Subject: [PATCH] idrange: use minvalue=0 for baserid and secondarybaserid
With the support of 32 bit idrange, the minvalue was set to 1
but this introduces a regression in the command ipa trust-add
as the range for AD trust is added with baserid=0
Lower the minvalue to 0
Fixes: https://pagure.io/freeipa/issue/9765
Signed-off-by: Florence Blanc-Renaud <flo@redhat.com>
Reviewed-By: Alexander Bokovoy <abokovoy@redhat.com>
---
ipaserver/plugins/idrange.py | 4 ++--
1 file changed, 2 insertions(+), 2 deletions(-)
diff --git a/ipaserver/plugins/idrange.py b/ipaserver/plugins/idrange.py
index 26a3bb666273013912e80d49b56031869157375a..d155fb46da8240449a077d35e86a91ee9f95c132 100644
--- a/ipaserver/plugins/idrange.py
+++ b/ipaserver/plugins/idrange.py
@@ -235,13 +235,13 @@ class idrange(LDAPObject):
Int('ipabaserid?',
cli_name='rid_base',
label=_('First RID of the corresponding RID range'),
- minvalue=1,
+ minvalue=0,
maxvalue=Int.MAX_UINT32
),
Int('ipasecondarybaserid?',
cli_name='secondary_rid_base',
label=_('First RID of the secondary RID range'),
- minvalue=1,
+ minvalue=0,
maxvalue=Int.MAX_UINT32
),
Str('ipanttrusteddomainsid?',
--
2.48.1

190
0065-ipatests-Tests-to-check-data-in-journal-log.patch Normal file
View File

@ -0,0 +1,190 @@
From 47770b8626c353b95d4ae89a0fb7e23b3791d3ea Mon Sep 17 00:00:00 2001
From: Sudhir Menon <sumenon@redhat.com>
Date: Wed, 22 Jan 2025 16:03:37 +0530
Subject: [PATCH] ipatests: Tests to check data in journal log
This testcase checks that ipa administrative user
password is not displayed in journal log.
Related: https://issues.redhat.com/browse/RHEL-67190
Signed-off-by: Sudhir Menon <sumenon@redhat.com>
Reviewed-By: Florence Blanc-Renaud <flo@redhat.com>
---
ipatests/pytest_ipa/integration/tasks.py | 10 ++
ipatests/test_integration/test_commands.py | 116 +++++++++++++++++----
2 files changed, 104 insertions(+), 22 deletions(-)
diff --git a/ipatests/pytest_ipa/integration/tasks.py b/ipatests/pytest_ipa/integration/tasks.py
index 4ce33bb47cbc52641088f73cdb75d7bb184c274b..dccfaf30e708f18c81d3f1662d6df7b116ed36ac 100755
--- a/ipatests/pytest_ipa/integration/tasks.py
+++ b/ipatests/pytest_ipa/integration/tasks.py
@@ -3004,3 +3004,13 @@ def copy_files(source_host, dest_host, filelist):
dest_host.transport.mkdir_recursive(os.path.dirname(file))
data = source_host.get_file_contents(file)
dest_host.transport.put_file_contents(file, data)
+
+
+def check_journal_does_not_contain_secret(host, cmd):
+ """
+ Helper to check journal logs doesnt reveal secrets
+ """
+ journalctl_cmd = ['journalctl', '-t', cmd, '-n1', '-o', 'json-pretty']
+ result = host.run_command(journalctl_cmd, raiseonerr=False)
+ assert (host.config.admin_password not in result.stdout_text)
+ assert (host.config.dirman_password not in result.stdout_text)
diff --git a/ipatests/test_integration/test_commands.py b/ipatests/test_integration/test_commands.py
index 9c65b7c6bbf4c6378bdf0fa9da0242805ddd17aa..47ef232563d67f86040e2c5944805e430ab2e26c 100644
--- a/ipatests/test_integration/test_commands.py
+++ b/ipatests/test_integration/test_commands.py
@@ -39,6 +39,7 @@ from ipaplatform.tasks import tasks as platform_tasks
from ipatests.create_external_ca import ExternalCA
from ipatests.test_ipalib.test_x509 import good_pkcs7, badcert
from ipapython.ipautil import realm_to_suffix, ipa_generate_password
+from ipatests.test_integration.test_topology import find_segment
from ipaserver.install.installutils import realm_to_serverid
from pkg_resources import parse_version
@@ -1662,28 +1663,77 @@ class TestIPACommand(IntegrationTest):
assert result.returncode == 1
assert 'cannot be deleted or disabled' in result.stderr_text
- def test_ipa_cacert_manage_prune(self):
- """Test for ipa-cacert-manage prune"""
-
- certfile = os.path.join(self.master.config.test_dir, 'cert.pem')
- self.master.put_file_contents(certfile, isrgrootx1)
- result = self.master.run_command(
- [paths.IPA_CACERT_MANAGE, 'install', certfile])
-
- certs_before_prune = self.master.run_command(
- [paths.IPA_CACERT_MANAGE, 'list'], raiseonerr=False
- ).stdout_text
+ def test_ipa_systemd_journal(self):
+ """
+ This testcase checks that administrative user credentials
+ is not leaked to journald log
+ """
+ tasks.kinit_admin(self.master)
+ tasks.kinit_admin(self.replicas[0])
+ tasks.kinit_admin(self.clients[0])
+ cmds = [
+ ['/usr/sbin/ipa-adtrust-install', '-a',
+ self.master.config.admin_password, '-U'],
+ ['/usr/sbin/ipa-replica-manage', 'del',
+ f"dummyhost.{self.master.domain.name}", '-p',
+ self.master.config.dirman_password],
+ ['/usr/sbin/ipa-csreplica-manage', 'del',
+ f"dummyhost.{self.master.domain.name}", '-p',
+ self.master.config.dirman_password],
+ ['/usr/sbin/ipa-kra-install', '-p',
+ self.master.config.dirman_password, '-U'],
+ ['/usr/sbin/ipa-server-certinstall', '-k', '--pin',
+ self.master.config.dirman_password, '-p',
+ self.master.config.dirman_password, paths.KDC_CERT,
+ paths.KDC_KEY]
+ ]
+ for cmd in cmds:
+ self.master.run_command(cmd, raiseonerr=False)
+ tasks.check_journal_does_not_contain_secret(
+ self.master, cmd[0]
+ )
+ for cmd in cmds:
+ self.replicas[0].run_command(cmd, raiseonerr=False)
+ tasks.check_journal_does_not_contain_secret(
+ self.replicas[0], cmd[0]
+ )
+ tasks.check_journal_does_not_contain_secret(
+ self.clients[0], 'python3'
+ )
+ # Backup and restore IPA and check secrets are not leaked.
+ backup_path = tasks.get_backup_dir(self.master)
+ restore_cmd = (
+ ['/usr/sbin/ipa-restore', '-p',
+ self.master.config.dirman_password,
+ backup_path, '-U']
+ )
+ self.master.run_command(restore_cmd)
- assert isrgrootx1_nick in certs_before_prune
+ # re-initializing topology after restore
+ for topo_suffix in 'domain', 'ca':
+ topo_name = find_segment(self.master, self.replicas[0], topo_suffix)
+ arg = ['ipa', 'topologysegment-reinitialize',
+ topo_suffix, topo_name]
+ if topo_name.split('-to-', maxsplit=1)[0] != self.master.hostname:
+ arg.append('--left')
+ else:
+ arg.append('--right')
+ self.replicas[0].run_command(arg)
- # Jump in time to make sure the cert is expired
- self.master.run_command(['date', '-s', '+15Years'])
- result = self.master.run_command(
- [paths.IPA_CACERT_MANAGE, 'prune'], raiseonerr=False
- ).stdout_text
- self.master.run_command(['date', '-s', '-15Years'])
+ # wait sometime for re-initialization
+ tasks.wait_for_replication(self.replicas[0].ldap_connect())
- assert isrgrootx1_nick in result
+ tasks.check_journal_does_not_contain_secret(
+ self.master, restore_cmd[0]
+ )
+ # Checking for secrets in IPA server install
+ tasks.check_journal_does_not_contain_secret(
+ self.master, '/usr/sbin/ipa-server-install'
+ )
+ # Checking for secrets in IPA replica install
+ tasks.check_journal_does_not_contain_secret(
+ self.replicas[0], '/usr/sbin/ipa-replica-install'
+ )
class TestIPACommandWithoutReplica(IntegrationTest):
@@ -1719,10 +1769,9 @@ class TestIPACommandWithoutReplica(IntegrationTest):
self.master.run_command(['ipa', 'user-show', 'ipauser1'])
def test_basesearch_compat_tree(self):
- """Test ldapsearch against compat tree is working
-
+ """
+ Test ldapsearch against compat tree is working
This to ensure that ldapsearch with base scope is not failing.
-
related: https://bugzilla.redhat.com/show_bug.cgi?id=1958909
"""
version = self.master.run_command(
@@ -1920,6 +1969,29 @@ class TestIPACommandWithoutReplica(IntegrationTest):
assert old_err_msg not in dirsrv_error_log
assert re.search(new_err_msg, dirsrv_error_log)
+ def test_ipa_cacert_manage_prune(self):
+ """Test for ipa-cacert-manage prune"""
+
+ certfile = os.path.join(self.master.config.test_dir, 'cert.pem')
+ self.master.put_file_contents(certfile, isrgrootx1)
+ result = self.master.run_command(
+ [paths.IPA_CACERT_MANAGE, 'install', certfile])
+
+ certs_before_prune = self.master.run_command(
+ [paths.IPA_CACERT_MANAGE, 'list'], raiseonerr=False
+ ).stdout_text
+
+ assert isrgrootx1_nick in certs_before_prune
+
+ # Jump in time to make sure the cert is expired
+ self.master.run_command(['date', '-s', '+15Years'])
+ result = self.master.run_command(
+ [paths.IPA_CACERT_MANAGE, 'prune'], raiseonerr=False
+ ).stdout_text
+ self.master.run_command(['date', '-s', '-15Years'])
+
+ assert isrgrootx1_nick in result
+
class TestIPAautomount(IntegrationTest):
@classmethod
--
2.48.1

69
0066-Disallow-removal-of-dogtag-and-ipa-dnskeysyncd-servi.patch Normal file
View File

@ -0,0 +1,69 @@
From ac308ab8f5685465e755b4ba7e5d428fe38bea4d Mon Sep 17 00:00:00 2001
From: David Hanina <dhanina@redhat.com>
Date: Mon, 17 Mar 2025 09:26:44 +0100
Subject: [PATCH] Disallow removal of dogtag and ipa-dnskeysyncd services on
IPA servers
Also removes dogtagldap from unremovable services
Fixes: https://pagure.io/freeipa/issue/9764
Signed-off-by: David Hanina <dhanina@redhat.com>
Reviewed-By: Rob Crittenden <rcritten@redhat.com>
---
ipaserver/plugins/service.py | 2 +-
ipatests/test_xmlrpc/test_service_plugin.py | 26 +++++++++++++++++++++
2 files changed, 27 insertions(+), 1 deletion(-)
diff --git a/ipaserver/plugins/service.py b/ipaserver/plugins/service.py
index 075a1be8aab5d638cb632b64e766231d3761f731..f50406472a7c1d636bd8731dc550c0d850b2264d 100644
--- a/ipaserver/plugins/service.py
+++ b/ipaserver/plugins/service.py
@@ -323,7 +323,7 @@ def check_required_principal(ldap, principal):
try:
host_is_master(ldap, principal.hostname)
except errors.ValidationError:
- service_types = {'http', 'ldap', 'dns', 'dogtagldap'}
+ service_types = {'http', 'ldap', 'dns', 'dogtag', 'ipa-dnskeysyncd'}
if principal.service_name.lower() in service_types:
raise errors.ValidationError(
name='principal',
diff --git a/ipatests/test_xmlrpc/test_service_plugin.py b/ipatests/test_xmlrpc/test_service_plugin.py
index a3b245679a224572a999354bc7d63360b1f06eed..4aeeb9d89971a56a2ccfccd616b15392f5f0e0ee 100644
--- a/ipatests/test_xmlrpc/test_service_plugin.py
+++ b/ipatests/test_xmlrpc/test_service_plugin.py
@@ -864,6 +864,32 @@ class test_service(Declarative):
),
),
+ dict(
+ desc=('Delete the current host (master?) %s dogtag service,'
+ ' should be caught' % api.env.host),
+ command=('service_del', ['dogtag/%s' % api.env.host], {}),
+ expected=errors.ValidationError(
+ name='principal',
+ error='dogtag/%s@%s is required by the IPA master' % (
+ api.env.host,
+ api.env.realm
+ )
+ ),
+ ),
+
+ dict(
+ desc=('Delete the current host (master?) %s ipa-dnskeysyncd'
+ ' service, should be caught' % api.env.host),
+ command=('service_del', ['ipa-dnskeysyncd/%s' % api.env.host], {}),
+ expected=errors.ValidationError(
+ name='principal',
+ error='ipa-dnskeysyncd/%s@%s is required by the IPA master' % (
+ api.env.host,
+ api.env.realm
+ )
+ ),
+ ),
+
dict(
desc='Disable the current host (master?) %s HTTP service, should be caught' % api.env.host,
--
2.48.1

888
0067-Don-t-require-certificates-to-have-unique-ipaCertSub.patch Normal file
View File

@ -0,0 +1,888 @@
From 722a5a4e0f0c6948252d385da4ffef7c03338aec Mon Sep 17 00:00:00 2001
From: Rob Crittenden <rcritten@redhat.com>
Date: Thu, 8 Aug 2024 16:48:19 -0400
Subject: [PATCH] Don't require certificates to have unique ipaCertSubject
In the wild a public CA issued a new subordinate CA certificate
with an identical subject to another, with a new private key.
This was uninstallable using ipa-cacert-manage because it would
fail with "subject public key info mismatch" during verification
because a different certificate with the same subject but
different public key was installed.
I'm not sure of the reasoning to prevent this situation but I
see it as giving users flexibility. This may be hurtful to them
but they can always remove any affected certs.
This is backwards compatible with older releases from the client
perspective. Older servers will choke on the duplicates and
won't be able to manage these.
A new serial number option is added for displaying the list of
certificates and for use when deleting one with a duplicate subject.
ipa-cacert-manage delete on systems without this patch will
successfully remove ALL of the requested certificates. There is no
way to distinguish. At least it won't break anything and the
deleted certificates can be re-added.
Fixes: https://pagure.io/freeipa/issue/9652
Signed-off-by: Rob Crittenden <rcritten@redhat.com>
Reviewed-By: Florence Blanc-Renaud <flo@redhat.com>
Reviewed-By: Alexander Bokovoy <abokovoy@redhat.com>
---
install/restart_scripts/renew_ca_cert.in | 4 +-
install/tools/man/ipa-cacert-manage.1 | 11 ++
install/updates/10-uniqueness.update | 21 +--
ipaclient/install/client.py | 6 +-
ipaclient/install/ipa_certupdate.py | 2 +-
ipalib/install/certstore.py | 46 +++++-
ipaplatform/debian/tasks.py | 2 +-
ipaplatform/redhat/tasks.py | 2 +-
ipapython/certdb.py | 110 ++++++++------
ipaserver/install/certs.py | 7 +-
ipaserver/install/installutils.py | 3 +-
ipaserver/install/ipa_cacert_manage.py | 82 +++++++----
ipaserver/install/ipa_server_certinstall.py | 5 +-
ipaserver/install/krbinstance.py | 2 +-
ipaserver/install/service.py | 4 +-
ipatests/test_integration/test_commands.py | 151 +++++++++++++++++++-
16 files changed, 351 insertions(+), 107 deletions(-)
diff --git a/install/restart_scripts/renew_ca_cert.in b/install/restart_scripts/renew_ca_cert.in
index cbb2c89a81e15bf02c09d7d4328a866cb77f8837..814acdaa772acbf241a8169e273d5b7bbb5773b8 100644
--- a/install/restart_scripts/renew_ca_cert.in
+++ b/install/restart_scripts/renew_ca_cert.in
@@ -168,7 +168,7 @@ def _main():
ca_certs = []
realm_nickname = get_ca_nickname(api.env.realm)
- for ca_cert, ca_nick, ca_flags in ca_certs:
+ for ca_cert, ca_nick, ca_flags, _serial in ca_certs:
try:
if ca_nick == realm_nickname:
ca_nick = 'caSigningCert cert-pki-ca'
@@ -180,7 +180,7 @@ def _main():
# Pass Dogtag's self-tests
for ca_nick in db.find_root_cert(nickname)[-2:-1]:
- ca_flags = dict(cc[1:] for cc in ca_certs)[ca_nick]
+ ca_flags = dict(cc[1:3] for cc in ca_certs)[ca_nick]
usages = ca_flags.usages or set()
ca_flags_modified = TrustFlags(ca_flags.has_key,
True, True,
diff --git a/install/tools/man/ipa-cacert-manage.1 b/install/tools/man/ipa-cacert-manage.1
index 8913fe5d2abab5e5b78cf51abd4fae5d7a0ad78f..1e15d47a55492b31c3198496050508dec3fb6a82 100644
--- a/install/tools/man/ipa-cacert-manage.1
+++ b/install/tools/man/ipa-cacert-manage.1
@@ -57,6 +57,14 @@ Important: this does not replace IPA CA but adds the provided certificate as a k
Please do not forget to run ipa-certupdate on the master, all the replicas and all the clients after this command in order to update IPA certificates databases.
.sp
The supported formats for the certificate files are DER, PEM and PKCS#7 format.
+.sp
+CA certificates with the same subject but different private keys maybe installed simultaneously with the following restrictions from NSS:
+.IP \[bu]
+The certificates cannot have different NSS trust flags.
+.IP \[bu]
+The nickname is not configurable between different certificates of the same subject. It will always be the same (even if you try).
+.sp
+Additionally CA certificates with the same subject should include the Authority Key Identifier extension in order to identify the public key of the certificate issuer (CA) that signed the certificate (it may be itself). Similarly it should have a Subject Key Identifier extension. This is used to create the trust chain not through subjects but by using the SKID and AKID which is what allows duplicate certificate subjects to be resolved correctly. Without an AKID multiple certificates of the same subject will not resolve as expected.
.RE
.TP
\fBdelete\fR
@@ -153,6 +161,9 @@ p \- not trusted
.TP
\fB\-f\fR, \fB\-\-force\fR
Force a CA certificate to be removed even if chain validation fails.
+.TP
+\fB\-s\fR \fISERIAL_NUMBER\fR, \fB\-\-serial\fR=\fISERIAL_NUMBER\fR
+Serial number of the certificate to delete (decimal). This is needed to determine which certificate to remove if there are multiple certificates stored with the same name.
.SH "EXIT STATUS"
0 if the command was successful
diff --git a/install/updates/10-uniqueness.update b/install/updates/10-uniqueness.update
index 699de3b4d3305def5d81aeb945106b80eef0ef40..fa17911f2ed9c7bcaa851de0f0a4790a550e1c91 100644
--- a/install/updates/10-uniqueness.update
+++ b/install/updates/10-uniqueness.update
@@ -15,23 +15,6 @@ default:nsslapd-pluginId: NSUniqueAttr
default:nsslapd-pluginVersion: 1.1.0
default:nsslapd-pluginVendor: Fedora Project
-dn: cn=certificate store subject uniqueness,cn=plugins,cn=config
-default:objectClass: top
-default:objectClass: nsSlapdPlugin
-default:objectClass: extensibleObject
-default:cn: certificate store subject uniqueness
-default:nsslapd-pluginDescription: Enforce unique attribute values
-default:nsslapd-pluginPath: libattr-unique-plugin
-default:nsslapd-pluginInitfunc: NSUniqueAttr_Init
-default:nsslapd-pluginType: preoperation
-default:nsslapd-pluginEnabled: on
-default:uniqueness-attribute-name: ipaCertSubject
-default:uniqueness-subtrees: cn=certificates,cn=ipa,cn=etc,$SUFFIX
-default:nsslapd-plugin-depends-on-type: database
-default:nsslapd-pluginId: NSUniqueAttr
-default:nsslapd-pluginVersion: 1.1.0
-default:nsslapd-pluginVendor: Fedora Project
-
dn: cn=certificate store issuer/serial uniqueness,cn=plugins,cn=config
default:objectClass: top
default:objectClass: nsSlapdPlugin
@@ -128,3 +111,7 @@ default:nsslapd-plugin-depends-on-type: database
default:nsslapd-pluginId: NSUniqueAttr
default:nsslapd-pluginVersion: 1.1.0
default:nsslapd-pluginVendor: Fedora Project
+
+# A unique ipaCertSubject is no longer required
+dn: cn=certificate store subject uniqueness,cn=plugins,cn=config
+deleteentry: cn=certificate store subject uniqueness,cn=plugins,cn=config
diff --git a/ipaclient/install/client.py b/ipaclient/install/client.py
index 9e4d3bbe70826a18c55f4c4abe0ff1d42b0b509d..372daa51e4647023dde76e183189eeebdd9525b8 100644
--- a/ipaclient/install/client.py
+++ b/ipaclient/install/client.py
@@ -3200,15 +3200,15 @@ def _install(options, tdict):
ca_certs = certstore.make_compat_ca_certs(ca_certs, cli_realm,
ca_subject)
ca_certs_trust = [(c, n, certstore.key_policy_to_trust_flags(t, True, u))
- for (c, n, t, u) in ca_certs]
+ for (c, n, t, u, s) in ca_certs]
x509.write_certificate_list(
- [c for c, n, t, u in ca_certs if t is not False],
+ [c for c, n, t, u, s in ca_certs if t is not False],
paths.KDC_CA_BUNDLE_PEM,
mode=0o644
)
x509.write_certificate_list(
- [c for c, n, t, u in ca_certs if t is not False],
+ [c for c, n, t, u, s in ca_certs if t is not False],
paths.CA_BUNDLE_PEM,
mode=0o644
)
diff --git a/ipaclient/install/ipa_certupdate.py b/ipaclient/install/ipa_certupdate.py
index bc70254e2b34f21889793d34724c13d73882418b..88618a9c23265e1ab1328361125acc3724cd329f 100644
--- a/ipaclient/install/ipa_certupdate.py
+++ b/ipaclient/install/ipa_certupdate.py
@@ -276,7 +276,7 @@ def update_db(path, certs):
for name, flags in db.list_certs():
if flags.ca:
db.delete_cert(name)
- for cert, nickname, trusted, eku in certs:
+ for cert, nickname, trusted, eku, _serial in certs:
trust_flags = certstore.key_policy_to_trust_flags(trusted, True, eku)
try:
db.add_cert(cert, nickname, trust_flags)
diff --git a/ipalib/install/certstore.py b/ipalib/install/certstore.py
index 8b182958c26e066eaeca859f451073c83e82bd67..fb4f09a2b44aa5b65efb6e10afcd7c515535e56b 100644
--- a/ipalib/install/certstore.py
+++ b/ipalib/install/certstore.py
@@ -179,10 +179,9 @@ def update_ca_cert(ldap, base_dn, cert, trusted=None, ext_key_usage=None,
# We are adding a new cert, validate it
if entry.single_value['ipaCertSubject'].lower() != subject.lower():
raise ValueError("subject name mismatch")
- if entry.single_value['ipaPublicKey'] != public_key:
- raise ValueError("subject public key info mismatch")
entry['ipaCertIssuerSerial'].append(issuer_serial)
entry['cACertificate;binary'].append(cert)
+ entry['ipaPublicKey'].append(public_key)
# Update key trust
if trusted is not None:
@@ -224,6 +223,38 @@ def update_ca_cert(ldap, base_dn, cert, trusted=None, ext_key_usage=None,
clean_old_config(ldap, base_dn, dn, config_ipa, config_compat)
+def delete_ca_cert(ldap, base_dn, cert):
+ """
+ Remove a CA certificate in the certificate store.
+ """
+ subject, issuer_serial, _public_key = _parse_cert(cert)
+
+ filter = ldap.make_filter({'ipaCertSubject': subject})
+ result, _truncated = ldap.find_entries(
+ base_dn=DN(('cn', 'certificates'), ('cn', 'ipa'), ('cn', 'etc'),
+ base_dn),
+ filter=filter,
+ attrs_list=['cn', 'ipaCertSubject', 'ipaCertIssuerSerial',
+ 'ipaPublicKey', 'ipaKeyTrust', 'ipaKeyExtUsage',
+ 'ipaConfigString', 'cACertificate;binary'])
+ entry = result[0]
+
+ for old_cert in entry['cACertificate;binary']:
+ # Check if we are adding a new cert
+ if old_cert == cert:
+ break
+ else:
+ raise ValueError("certificate not found")
+
+ entry['ipaCertIssuerSerial'].remove(issuer_serial)
+ entry['cACertificate;binary'].remove(cert)
+
+ if len(entry['ipaCertIssuerSerial']) == 0:
+ ldap.delete_entry(entry.dn)
+ else:
+ ldap.update_entry(entry)
+
+
def put_ca_cert(ldap, base_dn, cert, nickname, trusted=None,
ext_key_usage=None, config_ipa=False, config_compat=False):
"""
@@ -309,11 +340,14 @@ def get_ca_certs(ldap, base_dn, compat_realm, compat_ipa_ca,
for cert in entry.get('cACertificate;binary', []):
try:
- _parse_cert(cert)
+ _subject, issuer_serial, _pkinfo = _parse_cert(cert)
except ValueError:
certs = []
break
- certs.append((cert, nickname, trusted, ext_key_usage))
+ serial_number = issuer_serial.split(';')[1]
+ certs.append(
+ (cert, nickname, trusted, ext_key_usage, serial_number)
+ )
except errors.NotFound:
try:
ldap.get_entry(container_dn, [''])
@@ -381,9 +415,9 @@ def get_ca_certs_nss(ldap, base_dn, compat_realm, compat_ipa_ca,
certs = get_ca_certs(ldap, base_dn, compat_realm, compat_ipa_ca,
filter_subject=filter_subject)
- for cert, nickname, trusted, ext_key_usage in certs:
+ for cert, nickname, trusted, ext_key_usage, _serial_number in certs:
trust_flags = key_policy_to_trust_flags(trusted, True, ext_key_usage)
- nss_certs.append((cert, nickname, trust_flags))
+ nss_certs.append((cert, nickname, trust_flags, _serial_number))
return nss_certs
diff --git a/ipaplatform/debian/tasks.py b/ipaplatform/debian/tasks.py
index a7b5cdf38d23669bd8beaa9b85020355eaeb2af2..8a50c66bc1facac4a793db209d54fc59049a94c0 100644
--- a/ipaplatform/debian/tasks.py
+++ b/ipaplatform/debian/tasks.py
@@ -126,7 +126,7 @@ used by ca-certificates and is provided for information only.\
logger.error("Could not create %s", path)
raise
- for cert, nickname, trusted, _ext_key_usage in ca_certs:
+ for cert, nickname, trusted, _ext_key_usage, _serial in ca_certs:
if not trusted:
continue
diff --git a/ipaplatform/redhat/tasks.py b/ipaplatform/redhat/tasks.py
index 4fb6208073d7326b80042408fff98e4124e0dbed..d3eda01720655df4bebb317d636621a3dee9a24d 100644
--- a/ipaplatform/redhat/tasks.py
+++ b/ipaplatform/redhat/tasks.py
@@ -329,7 +329,7 @@ class RedHatTaskNamespace(BaseTaskNamespace):
raise
has_eku = set()
- for cert, nickname, trusted, _ext_key_usage in ca_certs:
+ for cert, nickname, trusted, _ext_key_usage, _serial in ca_certs:
try:
subject = cert.subject_bytes
issuer = cert.issuer_bytes
diff --git a/ipapython/certdb.py b/ipapython/certdb.py
index ec8f639051b0d4134fccc1c02aff6b4f3b43ebce..3314c3a03d815cc69a2c9036d434a00391dc378f 100644
--- a/ipapython/certdb.py
+++ b/ipapython/certdb.py
@@ -633,7 +633,7 @@ class NSSDatabase:
pkcs12_password_file.close()
def import_files(self, files, import_keys=False, key_password=None,
- key_nickname=None):
+ key_nickname=None, trust_flags=EMPTY_TRUST_FLAGS):
"""
Import certificates and a single private key from multiple files
@@ -809,7 +809,7 @@ class NSSDatabase:
for cert in extracted_certs:
nickname = str(DN(cert.subject))
- self.add_cert(cert, nickname, EMPTY_TRUST_FLAGS)
+ self.add_cert(cert, nickname, trust_flags)
if extracted_key:
with tempfile.NamedTemporaryFile() as in_file, \
@@ -867,6 +867,27 @@ class NSSDatabase:
cert, _start = find_cert_from_txt(result.output, start=0)
return cert
+ def get_all_certs(self, nickname):
+ """
+ :param nickname: nickname of the certificate in the NSS database
+ :returns: list of bytes of all certificates for the nickname
+ """
+ args = ['-L', '-n', nickname, '-a']
+ try:
+ result = self.run_certutil(args, capture_output=True)
+ except ipautil.CalledProcessError:
+ raise RuntimeError("Failed to get %s" % nickname)
+ certs = []
+
+ st = 0
+ while True:
+ try:
+ cert, st = find_cert_from_txt(result.output, start=st)
+ except RuntimeError:
+ break
+ certs.append(cert)
+ return certs
+
def has_nickname(self, nickname):
try:
self.get_cert(nickname)
@@ -990,53 +1011,58 @@ class NSSDatabase:
raise ValueError('invalid for server %s' % hostname)
def verify_ca_cert_validity(self, nickname, minpathlen=None):
- cert = self.get_cert(nickname)
- self._verify_cert_validity(cert)
+ def verify_ca_cert(cert, nickname, minpathlen):
+ self._verify_cert_validity(cert)
- if not cert.subject:
- raise ValueError("has empty subject")
+ if not cert.subject:
+ raise ValueError("has empty subject")
- try:
- bc = cert.extensions.get_extension_for_class(
+ try:
+ bc = cert.extensions.get_extension_for_class(
cryptography.x509.BasicConstraints)
- except cryptography.x509.ExtensionNotFound:
- raise ValueError("missing basic constraints")
-
- if not bc.value.ca:
- raise ValueError("not a CA certificate")
- if minpathlen is not None:
- # path_length is None means no limitation
- pl = bc.value.path_length
- if pl is not None and pl < minpathlen:
- raise ValueError(
- "basic contraint pathlen {}, must be at least {}".format(
- pl, minpathlen
+ except cryptography.x509.ExtensionNotFound:
+ raise ValueError("missing basic constraints")
+
+ if not bc.value.ca:
+ raise ValueError("not a CA certificate")
+ if minpathlen is not None:
+ # path_length is None means no limitation
+ pl = bc.value.path_length
+ if pl is not None and pl < minpathlen:
+ raise ValueError(
+ "basic contraint pathlen {}, "
+ "must be at least {}".format(
+ pl, minpathlen
+ )
)
- )
- try:
- ski = cert.extensions.get_extension_for_class(
+ try:
+ ski = cert.extensions.get_extension_for_class(
cryptography.x509.SubjectKeyIdentifier)
- except cryptography.x509.ExtensionNotFound:
- raise ValueError("missing subject key identifier extension")
- else:
- if len(ski.value.digest) == 0:
- raise ValueError("subject key identifier must not be empty")
+ except cryptography.x509.ExtensionNotFound:
+ raise ValueError("missing subject key identifier extension")
+ else:
+ if len(ski.value.digest) == 0:
+ raise ValueError("subject key identifier must not be empty")
- try:
- self.run_certutil(
- [
- '-V', # check validity of cert and attrs
- '-n', nickname,
- '-u', 'L', # usage; 'L' means "SSL CA"
- '-e', # check signature(s); this checks
- # key sizes, sig algorithm, etc.
- ],
- capture_output=True)
- except ipautil.CalledProcessError as e:
- # certutil output in case of error is
- # 'certutil: certificate is invalid: <ERROR_STRING>\n'
- raise ValueError(e.output)
+ try:
+ self.run_certutil(
+ [
+ '-V', # check validity of cert and attrs
+ '-n', nickname,
+ '-u', 'L', # usage; 'L' means "SSL CA"
+ '-e', # check signature(s); this checks
+ # key sizes, sig algorithm, etc.
+ ],
+ capture_output=True)
+ except ipautil.CalledProcessError as e:
+ # certutil output in case of error is
+ # 'certutil: certificate is invalid: <ERROR_STRING>\n'
+ raise ValueError(e.output)
+
+ certlist = self.get_all_certs(nickname)
+ for cert in certlist:
+ verify_ca_cert(cert, nickname, minpathlen)
def verify_kdc_cert_validity(self, nickname, realm):
nicknames = self.get_trust_chain(nickname)
diff --git a/ipaserver/install/certs.py b/ipaserver/install/certs.py
index f8be1ef0641fa30567f0b95fe8aa00ccc68d27e5..a3e38cdaaf4c6b358ec93c8ca55646086812bf0e 100644
--- a/ipaserver/install/certs.py
+++ b/ipaserver/install/certs.py
@@ -373,7 +373,7 @@ class CertDB:
except RuntimeError:
break
- def get_cert_from_db(self, nickname):
+ def get_cert_from_db(self, nickname, all=False):
"""
Retrieve a certificate from the current NSS database for nickname.
"""
@@ -386,7 +386,10 @@ class CertDB:
if token:
args.extend(['-h', token])
result = self.run_certutil(args, capture_output=True)
- return x509.load_pem_x509_certificate(result.raw_output)
+ if all:
+ return x509.load_certificate_list(result.raw_output)
+ else:
+ return x509.load_pem_x509_certificate(result.raw_output)
except ipautil.CalledProcessError:
return None
diff --git a/ipaserver/install/installutils.py b/ipaserver/install/installutils.py
index 3a31f8a98231bf5a2e0337de7be10b37626add86..f6f06c9a18d75f44e13f5d6bf5a3dc0976dc26a2 100644
--- a/ipaserver/install/installutils.py
+++ b/ipaserver/install/installutils.py
@@ -901,7 +901,8 @@ def load_pkcs12(cert_files, key_password, key_nickname, ca_cert_files,
if ca_cert_files:
try:
- nssdb.import_files(ca_cert_files)
+ nssdb.import_files(ca_cert_files,
+ trust_flags=EXTERNAL_CA_TRUST_FLAGS)
except RuntimeError as e:
raise ScriptError(str(e))
diff --git a/ipaserver/install/ipa_cacert_manage.py b/ipaserver/install/ipa_cacert_manage.py
index 048245237855212afe1f3ec4795b2253026ef864..6a03fa74e34bd068090ae1f4d5adfc79608fd02b 100644
--- a/ipaserver/install/ipa_cacert_manage.py
+++ b/ipaserver/install/ipa_cacert_manage.py
@@ -101,6 +101,9 @@ class CACertManage(admintool.AdminTool):
delete_group.add_option(
"-f", "--force", action='store_true',
help="Force removing the CA even if chain validation fails")
+ delete_group.add_option(
+ "-s", "--serial",
+ help="Serial number of the certificate to delete (decimal)")
parser.add_option_group(delete_group)
def validate_options(self):
@@ -413,6 +416,11 @@ class CACertManage(admintool.AdminTool):
"Nickname can only be used if only a single "
"certificate is loaded")
+ for nickname, trust_flags in imported:
+ if trust_flags.has_key:
+ continue
+ tmpdb.trust_root_cert(nickname, EXTERNAL_CA_TRUST_FLAGS)
+
# If a nickname was provided re-import the cert
if options.nickname:
(nickname, trust_flags) = imported[0]
@@ -421,7 +429,7 @@ class CACertManage(admintool.AdminTool):
tmpdb.add_cert(cert, options.nickname, EXTERNAL_CA_TRUST_FLAGS)
imported = tmpdb.list_certs()
- for ca_cert, ca_nickname, ca_trust_flags in ca_certs:
+ for ca_cert, ca_nickname, ca_trust_flags, _serial in ca_certs:
tmpdb.add_cert(ca_cert, ca_nickname, ca_trust_flags)
for nickname, trust_flags in imported:
@@ -461,10 +469,11 @@ class CACertManage(admintool.AdminTool):
for nickname, _trust_flags in imported:
try:
- cert = tmpdb.get_cert(nickname)
- certstore.put_ca_cert_nss(
- api.Backend.ldap2, api.env.basedn, cert, nickname,
- trust_flags)
+ certlist = tmpdb.get_all_certs(nickname)
+ for cert in certlist:
+ certstore.put_ca_cert_nss(
+ api.Backend.ldap2, api.env.basedn, cert, nickname,
+ trust_flags)
except ValueError as e:
raise admintool.ScriptError(
"Failed to install the certificate: %s" % e)
@@ -476,8 +485,8 @@ class CACertManage(admintool.AdminTool):
api.env.basedn,
api.env.realm,
False)
- for _ca_cert, ca_nickname, _ca_trust_flags in ca_certs:
- print(ca_nickname)
+ for _ca_cert, ca_nickname, _ca_trust_flags, serial in ca_certs:
+ print(f"{ca_nickname} {serial}")
def _delete_by_nickname(self, nicknames, options):
conn = api.Backend.ldap2
@@ -489,9 +498,25 @@ class CACertManage(admintool.AdminTool):
ipa_ca_nickname = get_ca_nickname(api.env.realm)
+ # Count the number of times the nickname appears in case we
+ # have a duplicate. If a serial number is provided we can skip
+ # this.
+ cert_count = 0
+ if not options.serial:
+ for nickname in nicknames:
+ for _ca_cert, ca_nickname, _ca_trust_flags, _serial in ca_certs:
+ if ca_nickname == nickname:
+ cert_count += 1
+ if cert_count > 1:
+ raise admintool.ScriptError(
+ 'Multiple matching certificates found (%d). Use the '
+ '--serial option to specify which one to remove.' %
+ cert_count
+ )
+
for nickname in nicknames:
found = False
- for _ca_cert, ca_nickname, _ca_trust_flags in ca_certs:
+ for _ca_cert, ca_nickname, _ca_trust_flags, _serial in ca_certs:
if ca_nickname == nickname:
if ca_nickname == ipa_ca_nickname:
raise admintool.ScriptError(
@@ -508,13 +533,17 @@ class CACertManage(admintool.AdminTool):
with certs.NSSDatabase() as tmpdb:
tmpdb.create_db()
- for ca_cert, ca_nickname, ca_trust_flags in ca_certs:
+ for ca_cert, ca_nickname, ca_trust_flags, serial in ca_certs:
+ if nickname == ca_nickname:
+ if options.serial and options.serial == serial:
+ continue
tmpdb.add_cert(ca_cert, ca_nickname, ca_trust_flags)
loaded = tmpdb.list_certs()
logger.debug("loaded raw certs '%s'", loaded)
- for nickname in nicknames:
- tmpdb.delete_cert(nickname)
+ if not options.serial:
+ for nickname in nicknames:
+ tmpdb.delete_cert(nickname)
for ca_nickname, _trust_flags in loaded:
if ca_nickname in nicknames:
@@ -526,8 +555,8 @@ class CACertManage(admintool.AdminTool):
try:
tmpdb.verify_ca_cert_validity(ca_nickname)
except ValueError as e:
- msg = "Verifying \'%s\' failed. Removing part of the " \
- "chain? %s" % (nickname, e)
+ msg = "Verifying removal of \'%s\' failed. Removing " \
+ "part of the chain? %s" % (nickname, e)
if options.force:
print(msg)
continue
@@ -535,15 +564,20 @@ class CACertManage(admintool.AdminTool):
else:
logger.debug("Verified %s", ca_nickname)
- for _ca_cert, ca_nickname, _ca_trust_flags in ca_certs:
+ for ca_cert, ca_nickname, _ca_trust_flags, serial in ca_certs:
if ca_nickname in nicknames:
- container_dn = DN(('cn', 'certificates'), ('cn', 'ipa'),
- ('cn', 'etc'), api.env.basedn)
- dn = DN(('cn', nickname), container_dn)
+ if options.serial and options.serial != serial:
+ continue
logger.debug("Deleting %s", ca_nickname)
- conn.delete_entry(dn)
+ certstore.delete_ca_cert(conn, api.env.basedn, ca_cert)
+
return
+ raise admintool.ScriptError(
+ "Certificate with name %s and serial number %s not found"
+ % (ca_nickname, options.serial)
+ )
+
def delete(self):
nickname = self.args[1]
self._delete_by_nickname([nickname], self.options)
@@ -556,17 +590,17 @@ class CACertManage(admintool.AdminTool):
False)
now = datetime.datetime.now(tz=datetime.timezone.utc)
- for ca_cert, ca_nickname, _ca_trust_flags in ca_certs:
+ for ca_cert, ca_nickname, _ca_trust_flags, _serial in ca_certs:
if ca_cert.not_valid_after_utc < now:
expired_certs.append(ca_nickname)
-
+ del_options = self.options
+ del_options.force = True
if expired_certs:
- self._delete_by_nickname(expired_certs, self.options)
-
print("Expired certificates deleted:")
- for nickname in expired_certs:
- print(nickname)
+ for ca_cert in expired_certs:
+ self._delete_by_nickname([ca_cert], del_options)
+ print(ca_cert)
print("Run ipa-certupdate on enrolled machines to apply changes.")
else:
print("No certificates were deleted")
diff --git a/ipaserver/install/ipa_server_certinstall.py b/ipaserver/install/ipa_server_certinstall.py
index 76ad37ca7bcc62364379d56b21ead43c5248f5f1..6eaf9d197c0e69161e751b21262e9112176f342c 100644
--- a/ipaserver/install/ipa_server_certinstall.py
+++ b/ipaserver/install/ipa_server_certinstall.py
@@ -276,8 +276,9 @@ class ServerCertInstall(admintool.AdminTool):
# import all the CA certs from nssdb into the temp db
for nickname, flags in nssdb.list_certs():
if not flags.has_key:
- cert = nssdb.get_cert_from_db(nickname)
- tempnssdb.add_cert(cert, nickname, flags)
+ certs = nssdb.get_cert_from_db(nickname, all=True)
+ for cert in certs:
+ tempnssdb.add_cert(cert, nickname, flags)
# now get the server certs from tempnssdb and check their validity
try:
diff --git a/ipaserver/install/krbinstance.py b/ipaserver/install/krbinstance.py
index 99995ea0b2c9a176e1a157281fa8f64ee99cdbf5..a9887553840d944e0aa29d58d12c8582a32e46f8 100644
--- a/ipaserver/install/krbinstance.py
+++ b/ipaserver/install/krbinstance.py
@@ -536,7 +536,7 @@ class KrbInstance(service.Service):
self.api.env.basedn,
self.api.env.realm,
False)
- ca_certs = [c for c, _n, t, _u in ca_certs if t is not False]
+ ca_certs = [c for c, _n, t, _u, _s in ca_certs if t is not False]
x509.write_certificate_list(ca_certs, paths.CACERT_PEM, mode=0o644)
def issue_selfsigned_pkinit_certs(self):
diff --git a/ipaserver/install/service.py b/ipaserver/install/service.py
index 7755a4f2ff5e33e61f85dc24b71fd05a1837cd5a..5e5c60b4bd1d941669cee460587230b3b84c6137 100644
--- a/ipaserver/install/service.py
+++ b/ipaserver/install/service.py
@@ -541,7 +541,7 @@ class Service:
pass
else:
with open(cafile, 'wb') as fd:
- for cert, _unused1, _unused2, _unused3 in ca_certs:
+ for cert, _unused1, _unused2, _unused3, _unused4 in ca_certs:
fd.write(cert.public_bytes(x509.Encoding.PEM))
def export_ca_certs_nssdb(self, db, ca_is_configured, conn=None):
@@ -561,7 +561,7 @@ class Service:
except errors.NotFound:
pass
else:
- for cert, nickname, trust_flags in ca_certs:
+ for cert, nickname, trust_flags, _serial in ca_certs:
db.add_cert(cert, nickname, trust_flags)
def is_configured(self):
diff --git a/ipatests/test_integration/test_commands.py b/ipatests/test_integration/test_commands.py
index 47ef232563d67f86040e2c5944805e430ab2e26c..3c883b8bb63f0084b4b8c2e97543855572ef970b 100644
--- a/ipatests/test_integration/test_commands.py
+++ b/ipatests/test_integration/test_commands.py
@@ -123,6 +123,82 @@ letsencryptauthorityr3 = (
)
le_r3_nick = "CN=R3,O=Let's Encrypt,C=US"
+# Certificates for reproducing duplicate ipaCertSubject values.
+# The trick to creating the second intermediate is for the validity
+# period to be different. In this case the second CA certificate
+# was issued 3 years+1day after the original.
+originalsubjectchain = (
+ b'-----BEGIN CERTIFICATE-----\n'
+ b'MIIDcjCCAlqgAwIBAgICEAAwDQYJKoZIhvcNAQELBQAwRDEeMBwGA1UECgwVQ2Vy\n'
+ b'dGlmaWNhdGUgU2hhY2sgTHRkMSIwIAYDVQQDDBlDZXJ0aWZpY2F0ZSBTaGFjayBS\n'
+ b'b290IENBMB4XDTIxMDgwNzE4MDQyNloXDTQxMDgwMTE4MDQyNlowTDEeMBwGA1UE\n'
+ b'CgwVQ2VydGlmaWNhdGUgU2hhY2sgTHRkMSowKAYDVQQDDCFDZXJ0aWZpY2F0ZSBT\n'
+ b'aGFjayBJbnRlcm1lZGlhdGUgQ0EwggEiMA0GCSqGSIb3DQEBAQUAA4IBDwAwggEK\n'
+ b'AoIBAQC2RNo7atuVWC/6tDCGforNFvvSFdUwqHxltFmg61i2hmdHAjTaYI1ZJdgB\n'
+ b'y7ApGc8RYc7tfaNrUNA8Chd/9Cu4eW2KuTnAozxytXQneNXloK2xb9iLIhETa1FC\n'
+ b'Hw5BbrmJSWjiVYQsM6bzeiFsKJs4qnP1T9iFHuqmggTtCTPajoYhn6ZKfK3pmB8P\n'
+ b'6XRcp5O9vUhNHJWdpuUjOL32fsBEpV0vKWlsemqDhJrhzj3+YCKt6xrSdpK64HUW\n'
+ b'Kf3YM/K4G6vU5M8DgSFex6T1u2vCsQYJ4Mv8LVCho8awTZoBsimy1tiM0V7GmmBE\n'
+ b'0Uck/U0381NBpNYdv7eyF682SbihAgMBAAGjZjBkMB0GA1UdDgQWBBTtHQCp1dBF\n'
+ b'ypsegtWcXhXDdopIgDAfBgNVHSMEGDAWgBRJuz/14J1ZXqvpOuikJJ62NtuiGTAS\n'
+ b'BgNVHRMBAf8ECDAGAQH/AgEBMA4GA1UdDwEB/wQEAwIBhjANBgkqhkiG9w0BAQsF\n'
+ b'AAOCAQEAkCBm6u+k/x4QoqqwOJvy8sjq7bUCh73qNPAFlqVSSB8UdCyu21EaXCj8\n'
+ b'dbZa3GNRGk6JACTEUVQ1SD8SkC1E1/IWuEzYOKOP6FmTFbC4V5zU9LAnGFJapS6Q\n'
+ b'CGwU2F44oflBbfOodFznqKPPuENX0gmm4ddvoT915WUOvVLKLuVujkU/ffGKAc8U\n'
+ b'RxRIJ3W2Ybjs9ANg7JqB3Ny8i5QAGHzjRVwU+IgTrJCYPS2DrRYtN3glKBTlyKyR\n'
+ b'xMy0PVKwVo/ItDO3fZ0fsAiIO+4pI51A0lFge5Bg/DzsotZxcWhdTelWjYI9JNca\n'
+ b'y2GPzV1wlxK+ui1uLCWEvKbPtaCfeQ==\n'
+ b'-----END CERTIFICATE-----\n'
+ b'-----BEGIN CERTIFICATE-----\n'
+ b'MIIDeTCCAmGgAwIBAgIUUbo+eGRT5jiS2eIoEzRhXaUx4gwwDQYJKoZIhvcNAQEL\n'
+ b'BQAwRDEeMBwGA1UECgwVQ2VydGlmaWNhdGUgU2hhY2sgTHRkMSIwIAYDVQQDDBlD\n'
+ b'ZXJ0aWZpY2F0ZSBTaGFjayBSb290IENBMB4XDTIxMDgwNzE4MDQyNloXDTQxMDgw\n'
+ b'MjE4MDQyNlowRDEeMBwGA1UECgwVQ2VydGlmaWNhdGUgU2hhY2sgTHRkMSIwIAYD\n'
+ b'VQQDDBlDZXJ0aWZpY2F0ZSBTaGFjayBSb290IENBMIIBIjANBgkqhkiG9w0BAQEF\n'
+ b'AAOCAQ8AMIIBCgKCAQEArh41PPmI6rg7nz3cRqsbCqGgD3+vAD4DNs/Cnp+vhM//\n'
+ b'7Di8FuMoyyLDpD+RdT/Vkvh2Xhp+OcjYSFLX8xeFRy0blfzel2Tq7PiD83BwewsG\n'
+ b'BOarlhkbQGxlGxkr4Fi6z0kNNAfbE2ZzBIs4XSppm7xl4YJyLQD0FkzdrU+zrZuK\n'
+ b'3ELQzk3UWfSSrnbYABY2LBgkny5m7y/kJOMyqn+/T1CUthXD3OpGtyQm2kuEooDZ\n'
+ b'xP1eq30gS8oGYAw2nR/8vJPuyeZaMxM4eNLuc35uq8/6pI+xNEpzGt7xAk1ul/xc\n'
+ b'ewOY2kjh4KJCNK/nCjALzxqhNRHhnH8bA6xtOcgdBwIDAQABo2MwYTAdBgNVHQ4E\n'
+ b'FgQUSbs/9eCdWV6r6TropCSetjbbohkwHwYDVR0jBBgwFoAUSbs/9eCdWV6r6Tro\n'
+ b'pCSetjbbohkwDwYDVR0TAQH/BAUwAwEB/zAOBgNVHQ8BAf8EBAMCAYYwDQYJKoZI\n'
+ b'hvcNAQELBQADggEBAC35stv/1WZhWblRTZP3XHhH0usHRGTUY7zNSrgS5sb3ERsf\n'
+ b'hgbmFbomra5jKaBqffToOZKLEo+n3tfIPokus35NUQn7ox/6qPp0rJEK8dfLx9jA\n'
+ b'0VTqREbgaAf5xLaX874++OTiM1sPVYG3Egsb1A/YCtDek8mZkKk21g+DZlFMOSDl\n'
+ b'Hw+c3gZUnv6bIT8P09z+9yca2Lvg/dpj2ln3PbOykXzwuGSoNxjUt2OSdCbwyN+f\n'
+ b'hO4NFtDvx74Ggi5bcTrz0ZKO6g8SQotii7cSKAdpIWDpXl8cfsK3SRbkCsg+Fg1S\n'
+ b'kMJEFyDEkKu8Qe6zwKXIAoeKULLO6ADgFVH9CmM=\n'
+ b'-----END CERTIFICATE-----\n'
+)
+interm_nick = "CN=Certificate Shack Intermediate CA,O=Certificate Shack Ltd"
+intermediate_serial = "4096"
+
+duplicatesubject = (
+ b'-----BEGIN CERTIFICATE-----\n'
+ b'MIIDcjCCAlqgAwIBAgICEAEwDQYJKoZIhvcNAQELBQAwRDEeMBwGA1UECgwVQ2Vy\n'
+ b'dGlmaWNhdGUgU2hhY2sgTHRkMSIwIAYDVQQDDBlDZXJ0aWZpY2F0ZSBTaGFjayBS\n'
+ b'b290IENBMB4XDTI0MDgwODE4MDQyNloXDTQ0MDgwMjE4MDQyNlowTDEeMBwGA1UE\n'
+ b'CgwVQ2VydGlmaWNhdGUgU2hhY2sgTHRkMSowKAYDVQQDDCFDZXJ0aWZpY2F0ZSBT\n'
+ b'aGFjayBJbnRlcm1lZGlhdGUgQ0EwggEiMA0GCSqGSIb3DQEBAQUAA4IBDwAwggEK\n'
+ b'AoIBAQCzUmUBEO/w1wslS8H304/qfsbeIJX0C5Tm8K2H9JXoauFFej1GZoHqeE+x\n'
+ b'YQvSMuMFcKks3ps9+9yVKuBPtMwbmXsqwlQXORU8DuKhtRzKIOj7nEGw6AQIsfkG\n'
+ b'Q4DjD1ytXliyM7vVfxYD+P1CFDK4NR+K1JLdi3WkYOdCelOQMwNspN/ebiqvwonl\n'
+ b'2asQ6+a13Y0ln1AdrLBvqtR5Z+Gq5+tiC5tA+LKea0e3neQGKjfp/BNPJ+ooNHPR\n'
+ b'86iKDjBKAabvfrHLG2t6oo9+N4xRBGtPYQh9LOQPZ4OedciCo1s2zs+F+4/6co6T\n'
+ b'DsbQt7NJKQ3BJKosvZBhC62lc4evAgMBAAGjZjBkMB0GA1UdDgQWBBTvALT5i2gq\n'
+ b'8yq2Uh8lZGgMoKVClzAfBgNVHSMEGDAWgBRJuz/14J1ZXqvpOuikJJ62NtuiGTAS\n'
+ b'BgNVHRMBAf8ECDAGAQH/AgEBMA4GA1UdDwEB/wQEAwIBhjANBgkqhkiG9w0BAQsF\n'
+ b'AAOCAQEAVjx1aGNK08/Nhf0JYMxMb9Dqg5m7LNOVBs1jurPtwS3uN+84997GRqIQ\n'
+ b'i+gp/tQVF2YT/RAmt+X0aDLFiSkBcOk87zoFRkR7PZrhhtPo6pSVMN7ngD4/dmp9\n'
+ b'ESbiI8+iF5ZxqI7c3o2N/LtZpi+hWSCJ/xwbOl05jpNQ6ddl+UzDpJ0oNsyndiJA\n'
+ b'yciaCvluK027J4xNym166lqwm6CqiOkm8R/G6NJrEH2Xs5XBCyfeH9V0pkXDbrUe\n'
+ b'Ldqc9ys7l7/MGZi6Qg2nA7J8ErCkrI6eZOocJktSF6SRfXd1NqiqCiNZZQjD6XKZ\n'
+ b'4fMKTKPX6Q2k10iriAIn4RgVjzM05A==\n'
+ b'-----END CERTIFICATE-----\n'
+)
+duplicate_serial = "4097"
+
class TestIPACommand(IntegrationTest):
"""
@@ -827,6 +903,12 @@ class TestIPACommand(IntegrationTest):
paths.IPA_CACERT_MANAGE,
'install',
filename])
+ # remove the subject of good_pkcs7 we just added to avoid
+ # future failures.
+ self.master.run_command([
+ paths.IPA_CACERT_MANAGE,
+ 'delete',
+ 'CN=Certificate Authority,O=EXAMPLE.COM'])
for contents in (badcert,):
self.master.put_file_contents(filename, contents)
@@ -1160,7 +1242,7 @@ class TestIPACommand(IntegrationTest):
raiseonerr=False
)
assert result.returncode != 0
- assert "Verifying \'%s\' failed. Removing part of the " \
+ assert "Verifying removal of \'%s\' failed. Removing part of the " \
"chain? certutil: certificate is invalid: Peer's " \
"Certificate issuer is not recognized." \
% isrgrootx1_nick in result.stderr_text
@@ -1735,6 +1817,68 @@ class TestIPACommand(IntegrationTest):
self.replicas[0], '/usr/sbin/ipa-replica-install'
)
+ def test_ipa_cacert_manage_duplicate_certsubject(self):
+ """Test for ipa-cacert-manage install with duplicated
+ certificate subjects. This relies on the behavior
+ of NSS to show the certificates separately rather than
+ lumping the duplicates together. This requires different
+ validity periods, say 3 years + 1 day.
+ """
+
+ certfile = os.path.join(self.master.config.test_dir, 'chain.pem')
+ self.master.put_file_contents(certfile, originalsubjectchain)
+ result = self.master.run_command(
+ [paths.IPA_CACERT_MANAGE, 'install', certfile])
+
+ certs = self.master.run_command(
+ [paths.IPA_CACERT_MANAGE, 'list'], raiseonerr=False
+ ).stdout_text
+
+ assert f"{interm_nick} {intermediate_serial}" in certs
+
+ certfile = os.path.join(self.master.config.test_dir, 'interm.pem')
+ self.master.put_file_contents(certfile, duplicatesubject)
+ result = self.master.run_command(
+ [paths.IPA_CACERT_MANAGE, 'install', certfile])
+
+ certs = self.master.run_command(
+ [paths.IPA_CACERT_MANAGE, 'list'], raiseonerr=False
+ ).stdout_text
+
+ # If the duplicate subject certificates are not sufficiently
+ # different in validity period, or prior to the this fix,
+ # the test will fail because only one of the duplicately named
+ # subject certificates will be visible: the second one (4097).
+ assert f"{interm_nick} {intermediate_serial}" in certs
+ assert f"{interm_nick} {duplicate_serial}" in certs
+
+ # Make sure we can install the new certs systemwide
+ # No assertions needed, it will work or it won't
+ self.master.run_command(["ipa-certupdate"])
+
+ # delete one of the duplicate subjects, no serial number
+ result = self.master.run_command(
+ ['ipa-cacert-manage', 'delete', interm_nick],
+ raiseonerr=False
+ )
+ assert result.returncode == 1
+ assert 'Multiple matching certificates' in result.stderr_text
+
+ # delete one of the duplicate subjects by the serial number
+ result = self.master.run_command(
+ ['ipa-cacert-manage', 'delete', interm_nick,
+ '--serial', intermediate_serial,],
+ raiseonerr=False
+ )
+ assert result.returncode == 0
+
+ certs = self.master.run_command(
+ [paths.IPA_CACERT_MANAGE, 'list'], raiseonerr=False
+ ).stdout_text
+
+ assert f"{interm_nick} {intermediate_serial}" not in certs
+ assert f"{interm_nick} {duplicate_serial}" in certs
+
class TestIPACommandWithoutReplica(IntegrationTest):
"""
@@ -1970,7 +2114,10 @@ class TestIPACommandWithoutReplica(IntegrationTest):
assert re.search(new_err_msg, dirsrv_error_log)
def test_ipa_cacert_manage_prune(self):
- """Test for ipa-cacert-manage prune"""
+ """Test for ipa-cacert-manage prune
+
+ This twiddles with time so should be run last in the class.
+ """
certfile = os.path.join(self.master.config.test_dir, 'cert.pem')
self.master.put_file_contents(certfile, isrgrootx1)
--
2.48.1

37
freeipa.spec
View File

@ -218,7 +218,7 @@
Name: %{package_name}
Version: %{IPA_VERSION}
Release: 14%{?rc_version:.%rc_version}%{?dist}
Release: 15%{?rc_version:.%rc_version}%{?dist}
Summary: The Identity, Policy and Audit system
License: GPL-3.0-or-later
@ -297,6 +297,18 @@ Patch0052: 0052-Add-DNS-over-TLS-support.patch
Patch0053: 0053-Configure-the-pki-tomcatd-service-systemd-timeout.patch
Patch0054: 0054-Align-startup_timeout-with-the-systemd-default-and-d.patch
Patch0055: 0055-dns-only-disable-unbound-when-DoT-is-enabled.patch
Patch0056: 0056-ipa-migrate-do-not-migrate-tombstone-entries-ignore-.patch
Patch0057: 0057-WebUI-fix-the-tooltip-for-Search-Size-limit.patch
Patch0058: 0058-Leapp-upgrade-skip-systemctl-calls.patch
Patch0059: 0059-Disable-raw-and-structured-together.patch
Patch0060: 0060-config-mod-allow-disabling-subordinate-ID-integratio.patch
Patch0061: 0061-update_dna_shared_config-do-not-fail-when-config-is-.patch
Patch0062: 0062-baseuser-allow-uidNumber-and-gidNumber-of-32-bit-ran.patch
Patch0063: 0063-ipatests-add-a-test-to-use-full-32-bit-ID-range-spac.patch
Patch0064: 0064-idrange-use-minvalue-0-for-baserid-and-secondarybase.patch
Patch0065: 0065-ipatests-Tests-to-check-data-in-journal-log.patch
Patch0066: 0066-Disallow-removal-of-dogtag-and-ipa-dnskeysyncd-servi.patch
Patch0067: 0067-Don-t-require-certificates-to-have-unique-ipaCertSub.patch
Patch1001: 1001-Change-branding-to-IPA-and-Identity-Management.patch
%endif
%endif
@ -1264,8 +1276,11 @@ if [ $1 = 0 ]; then
# NOTE: systemd specific section
/bin/systemctl --quiet stop ipa.service || :
/bin/systemctl --quiet disable ipa.service || :
/bin/systemctl reload-or-try-restart dbus
/bin/systemctl reload-or-try-restart oddjobd
# Skip systemctl calls when leapp upgrade is in progress
if [ -z "$LEAPP_IPU_IN_PROGRESS" ] ; then
/bin/systemctl reload-or-try-restart dbus
/bin/systemctl reload-or-try-restart oddjobd
fi
# END
fi
@ -1329,8 +1344,11 @@ fi
%preun server-trust-ad
if [ $1 -eq 0 ]; then
%{_sbindir}/update-alternatives --remove winbind_krb5_locator.so /dev/null
/bin/systemctl reload-or-try-restart dbus
/bin/systemctl reload-or-try-restart oddjobd
# Skip systemctl calls when leapp upgrade is in progress
if [ -z "$LEAPP_IPU_IN_PROGRESS" ] ; then
/bin/systemctl reload-or-try-restart dbus
/bin/systemctl reload-or-try-restart oddjobd
fi
fi
# ONLY_CLIENT
@ -1943,6 +1961,15 @@ fi
%endif
%changelog
* Tue Mar 25 2025 Florence Blanc-Renaud <flo@redhat.com> - 4.12.2-15
- Resolves: RHEL-84481 Protect all IPA service principals
- Resolves: RHEL-84277 [RFE] IDM support UIDs up to 4,294,967,293
- Resolves: RHEL-84276 Ipa client --raw --structured throws internal error
- Resolves: RHEL-82707 Search size limit tooltip has Search time limit tooltip text
- Resolves: RHEL-82089 IPU 9 -> 10: ipa-server breaks the in-place upgrade due to failed scriptlet
- Resolves: RHEL-68800 ipa-migrate with LDIF file from backup of remote server, fails with error 'change collided with another change'
- Resolves: RHEL-30658 ipa-cacert-manage install fails with CAs having the same subject DN (subject key mismatch info)
* Thu Mar 20 2025 Thomas Woerner <twoerner@redhat.com> - 4.12.2-14
- Resolves: RHEL-80345 Use new bind9.18-dyndb-ldap and bind9.18 only for DNS over TLS with the ipa-server-encrypted-dns package