Add support for KRB DAL 6.1 and bind-dyndb-ldap 11.0

This commit is contained in:
Tomas Krizek 2017-02-15 15:48:51 +01:00
parent 8a7de36eea
commit 99f783444d
No known key found for this signature in database
GPG Key ID: 22A2A94B5E49415A
3 changed files with 613 additions and 13 deletions


@ -0,0 +1,359 @@
From 8ccf7266c6c37cc1e402f9a3fa4c0f15462a2e15 Mon Sep 17 00:00:00 2001
From: Tomas Krizek <tkrizek@redhat.com>
Date: Mon, 16 Jan 2017 13:48:54 +0100
Subject: [PATCH 1/6] Remove obsolete serial_autoincrement from named.conf
parsing
Option serial_autoincrement is no longer supported. Remove it from
the named.conf parser and add it to deprecated options to be removed.
https://fedorahosted.org/freeipa/ticket/6565
Reviewed-By: Martin Basti <mbasti@redhat.com>
---
ipaserver/install/server/upgrade.py | 56 +++----------------------------------
1 file changed, 4 insertions(+), 52 deletions(-)
diff --git a/ipaserver/install/server/upgrade.py b/ipaserver/install/server/upgrade.py
index eb4950d394a6297c13159c9d2de91d17f97a8943..b4c15ba7600bcdadd7a6cc50c9aac2805548dbd5 100644
--- a/ipaserver/install/server/upgrade.py
+++ b/ipaserver/install/server/upgrade.py
@@ -420,8 +420,8 @@ def named_remove_deprecated_options():
From IPA 3.3, persistent search is a default mechanism for new DNS zone
detection.
- Remove psearch, zone_refresh and cache_ttl options, as they have been
- deprecated in bind-dyndb-ldap configuration file.
+ Remove psearch, zone_refresh cache_ttl and serial_autoincrement options,
+ as they have been deprecated in bind-dyndb-ldap configuration file.
When some change in named.conf is done, this functions returns True.
"""
@@ -433,7 +433,8 @@ def named_remove_deprecated_options():
root_logger.info('DNS is not configured')
return False
- deprecated_options = ['zone_refresh', 'psearch', 'cache_ttl']
+ deprecated_options = ['zone_refresh', 'psearch', 'cache_ttl',
+ 'serial_autoincrement']
removed_options = []
try:
@@ -510,54 +511,6 @@ def named_set_minimum_connections():
return changed
-def named_enable_serial_autoincrement():
- """
- Serial autoincrement is a requirement for zone transfers or DNSSEC. It
- should be enabled both for new installs and upgraded servers.
-
- When some change in named.conf is done, this functions returns True
- """
- changed = False
-
- root_logger.info('[Enabling serial autoincrement in DNS]')
-
- if not bindinstance.named_conf_exists():
- # DNS service may not be configured
- root_logger.info('DNS is not configured')
- return changed
-
- try:
- serial_autoincrement = bindinstance.named_conf_get_directive(
- 'serial_autoincrement')
- except IOError as e:
- root_logger.debug('Cannot retrieve psearch option from %s: %s',
- bindinstance.NAMED_CONF, e)
- return changed
- else:
- serial_autoincrement = None if serial_autoincrement is None \
- else serial_autoincrement.lower()
-
- # enable SOA serial autoincrement
- if not sysupgrade.get_upgrade_state('named.conf', 'autoincrement_enabled'):
- if serial_autoincrement != 'yes':
- try:
- bindinstance.named_conf_set_directive('serial_autoincrement',
- 'yes')
- except IOError as e:
- root_logger.error('Cannot enable serial_autoincrement in %s: %s',
- bindinstance.NAMED_CONF, e)
- return changed
- else:
- root_logger.debug('Serial autoincrement enabled')
- changed = True
- else:
- root_logger.debug('Serial autoincrement is alredy enabled')
- sysupgrade.set_upgrade_state('named.conf', 'autoincrement_enabled', True)
- else:
- root_logger.debug('Skip serial autoincrement check')
-
- return changed
-
def named_update_gssapi_configuration():
"""
Update GSSAPI configuration in named.conf to a recent API.
@@ -1755,7 +1708,6 @@ def upgrade_configuration():
named_conf_changes = (
named_remove_deprecated_options(),
named_set_minimum_connections(),
- named_enable_serial_autoincrement(),
named_update_gssapi_configuration(),
named_update_pid_file(),
named_enable_dnssec(),
--
2.9.3
From 465c2a8df87a555162b91a9e34280b3d208ad8b3 Mon Sep 17 00:00:00 2001
From: Tomas Krizek <tkrizek@redhat.com>
Date: Mon, 19 Dec 2016 13:12:19 +0100
Subject: [PATCH 2/6] named.conf template: update API for bind 9.11
Use the new API for bind 9.11. Removed deprecated "serial_autoincrement"
and updated the rest of configuration to conform to the new format.
This only fixes new IPA installations. For existing installations,
named.conf will be transformed when the new version of bind-dyndb-ldap
is installed.
https://fedorahosted.org/freeipa/ticket/6565
Reviewed-By: Martin Basti <mbasti@redhat.com>
---
install/share/bind.named.conf.template | 16 +++++++---------
ipaplatform/redhat/paths.py | 1 +
ipaserver/install/bindinstance.py | 1 +
3 files changed, 9 insertions(+), 9 deletions(-)
diff --git a/install/share/bind.named.conf.template b/install/share/bind.named.conf.template
index e8ea8fba022c4f539fb84a64875b0c5ca46c761b..b7c3a0b78e23f9b5ac2d221dad24a039af201035 100644
--- a/install/share/bind.named.conf.template
+++ b/install/share/bind.named.conf.template
@@ -43,13 +43,11 @@ zone "." IN {
include "$RFC1912_ZONES";
include "$ROOT_KEY";
-dynamic-db "ipa" {
- library "ldap.so";
- arg "uri ldapi://%2fvar%2frun%2fslapd-$SERVER_ID.socket";
- arg "base cn=dns, $SUFFIX";
- arg "server_id $FQDN";
- arg "auth_method sasl";
- arg "sasl_mech GSSAPI";
- arg "sasl_user DNS/$FQDN";
- arg "serial_autoincrement yes";
+dyndb "ipa" "$BIND_LDAP_SO" {
+ uri "ldapi://%2fvar%2frun%2fslapd-$SERVER_ID.socket";
+ base "cn=dns, $SUFFIX";
+ server_id "$FQDN";
+ auth_method "sasl";
+ sasl_mech "GSSAPI";
+ sasl_user "DNS/$FQDN";
};
diff --git a/ipaplatform/redhat/paths.py b/ipaplatform/redhat/paths.py
index b27b065ad52c49852231039a66c47c2b80df3a62..8212f40cf8afcbd9017018ed538befdaceeb2d9d 100644
--- a/ipaplatform/redhat/paths.py
+++ b/ipaplatform/redhat/paths.py
@@ -33,6 +33,7 @@ class RedHatPathNamespace(BasePathNamespace):
if sys.maxsize > 2**32:
LIBSOFTHSM2_SO = BasePathNamespace.LIBSOFTHSM2_SO_64
PAM_KRB5_SO = BasePathNamespace.PAM_KRB5_SO_64
+ BIND_LDAP_SO = BasePathNamespace.BIND_LDAP_SO_64
paths = RedHatPathNamespace()
diff --git a/ipaserver/install/bindinstance.py b/ipaserver/install/bindinstance.py
index 7aa9ed4f4baedc686b929e758d72bf992a68a967..478ec4a168667affe6bb00cdac965e39e1858ebb 100644
--- a/ipaserver/install/bindinstance.py
+++ b/ipaserver/install/bindinstance.py
@@ -798,6 +798,7 @@ class BindInstance(service.Service):
RFC1912_ZONES=paths.NAMED_RFC1912_ZONES,
NAMED_PID=paths.NAMED_PID,
NAMED_VAR_DIR=paths.NAMED_VAR_DIR,
+ BIND_LDAP_SO=paths.BIND_LDAP_SO,
)
def __setup_dns_container(self):
--
2.9.3
From 8cba2c137bd7de298f41f001ab8b27687691fc44 Mon Sep 17 00:00:00 2001
From: Tomas Krizek <tkrizek@redhat.com>
Date: Mon, 19 Dec 2016 16:52:08 +0100
Subject: [PATCH 3/6] bump required version of BIND, bind-dyndb-ldap
bynd-dyndb-ldap used a custom configuration file format. Since BIND 9.11,
an API was accepted upstream. This caused backward incompatible changes
to the named.conf configuration file used to configure the
bind-dyndb-ldap BIND plugin. Version 11.0 of bind-dyndb-ldap plugin and
BIND 9.11 are required to use with the new config file format.
https://fedorahosted.org/freeipa/ticket/6565
Reviewed-By: Martin Basti <mbasti@redhat.com>
---
freeipa.spec.in | 17 +++++------------
1 file changed, 5 insertions(+), 12 deletions(-)
diff --git a/freeipa.spec.in b/freeipa.spec.in
index 8a8e3a592cc0e414dc71202dc8c1f7d9b0526d5c..8b9fa591947a9a5b2bc84eba9b54ef750a9d68e8 100644
--- a/freeipa.spec.in
+++ b/freeipa.spec.in
@@ -257,18 +257,11 @@ Summary: IPA integrated DNS server with support for automatic DNSSEC signing
Group: System Environment/Base
BuildArch: noarch
Requires: %{name}-server = %{version}-%{release}
-Requires: bind-dyndb-ldap >= 10.0
-%if 0%{?fedora} >= 21
-Requires: bind >= 9.9.6-3
-Requires: bind-utils >= 9.9.6-3
-Requires: bind-pkcs11 >= 9.9.6-3
-Requires: bind-pkcs11-utils >= 9.9.6-3
-%else
-Requires: bind >= 9.9.4-21
-Requires: bind-utils >= 9.9.4-21
-Requires: bind-pkcs11 >= 9.9.4-21
-Requires: bind-pkcs11-utils >= 9.9.4-21
-%endif
+Requires: bind-dyndb-ldap >= 11.0
+Requires: bind >= 9.11.0-6.P2
+Requires: bind-utils >= 9.11.0-6.P2
+Requires: bind-pkcs11 >= 9.11.0-6.P2
+Requires: bind-pkcs11-utils >= 9.11.0-6.P2
Requires: opendnssec >= 1.4.6-4
Provides: %{alt_name}-server-dns = %{version}
--
2.9.3
From b6eb03369a7546077f28ff45db27c76c5bc44584 Mon Sep 17 00:00:00 2001
From: Tomas Krizek <tkrizek@redhat.com>
Date: Fri, 10 Feb 2017 11:30:40 +0100
Subject: [PATCH 4/6] PEP8: fix line length for regexs in bindinstance
Reviewed-By: Martin Basti <mbasti@redhat.com>
---
ipaserver/install/bindinstance.py | 9 ++++++---
1 file changed, 6 insertions(+), 3 deletions(-)
diff --git a/ipaserver/install/bindinstance.py b/ipaserver/install/bindinstance.py
index 478ec4a168667affe6bb00cdac965e39e1858ebb..9c10ac98175e0dd5ea98c54eeadcb3452aac04e5 100644
--- a/ipaserver/install/bindinstance.py
+++ b/ipaserver/install/bindinstance.py
@@ -69,12 +69,15 @@ RESOLV_CONF = paths.RESOLV_CONF
named_conf_section_ipa_start_re = re.compile('\s*dynamic-db\s+"ipa"\s+{')
named_conf_section_options_start_re = re.compile('\s*options\s+{')
named_conf_section_end_re = re.compile('};')
-named_conf_arg_ipa_re = re.compile(r'(?P<indent>\s*)arg\s+"(?P<name>\S+)\s(?P<value>[^"]+)";')
-named_conf_arg_options_re = re.compile(r'(?P<indent>\s*)(?P<name>\S+)\s+"(?P<value>[^"]+)"\s*;')
+named_conf_arg_ipa_re = re.compile(
+ r'(?P<indent>\s*)arg\s+"(?P<name>\S+)\s(?P<value>[^"]+)";')
+named_conf_arg_options_re = re.compile(
+ r'(?P<indent>\s*)(?P<name>\S+)\s+"(?P<value>[^"]+)"\s*;')
named_conf_arg_ipa_template = "%(indent)sarg \"%(name)s %(value)s\";\n"
named_conf_arg_options_template = "%(indent)s%(name)s \"%(value)s\";\n"
# non string args for options section
-named_conf_arg_options_re_nonstr = re.compile(r'(?P<indent>\s*)(?P<name>\S+)\s+(?P<value>[^"]+)\s*;')
+named_conf_arg_options_re_nonstr = re.compile(
+ r'(?P<indent>\s*)(?P<name>\S+)\s+(?P<value>[^"]+)\s*;')
named_conf_arg_options_template_nonstr = "%(indent)s%(name)s %(value)s;\n"
# include directive
named_conf_include_re = re.compile(r'\s*include\s+"(?P<path>)"\s*;')
--
2.9.3
From 06fd56b4f5f57a0cf9258ecede8af8ab40433364 Mon Sep 17 00:00:00 2001
From: Tomas Krizek <tkrizek@redhat.com>
Date: Fri, 10 Feb 2017 11:16:56 +0100
Subject: [PATCH 5/6] bindinstance: fix named.conf parsing regexs
Since named.conf API for bind-dyndb-ldap was updated, our parsing
regexes have to change.
https://fedorahosted.org/freeipa/ticket/6565
Reviewed-By: Martin Basti <mbasti@redhat.com>
---
ipaserver/install/bindinstance.py | 13 ++++++-------
1 file changed, 6 insertions(+), 7 deletions(-)
diff --git a/ipaserver/install/bindinstance.py b/ipaserver/install/bindinstance.py
index 9c10ac98175e0dd5ea98c54eeadcb3452aac04e5..30123b74065c7a209c95baedec35ed25d3e112fd 100644
--- a/ipaserver/install/bindinstance.py
+++ b/ipaserver/install/bindinstance.py
@@ -66,14 +66,14 @@ if six.PY3:
NAMED_CONF = paths.NAMED_CONF
RESOLV_CONF = paths.RESOLV_CONF
-named_conf_section_ipa_start_re = re.compile('\s*dynamic-db\s+"ipa"\s+{')
+named_conf_section_ipa_start_re = re.compile('\s*dyndb\s+"ipa"\s+"[^"]+"\s+{')
named_conf_section_options_start_re = re.compile('\s*options\s+{')
named_conf_section_end_re = re.compile('};')
named_conf_arg_ipa_re = re.compile(
- r'(?P<indent>\s*)arg\s+"(?P<name>\S+)\s(?P<value>[^"]+)";')
+ r'(?P<indent>\s*)(?P<name>\S+)\s"(?P<value>[^"]+)";')
named_conf_arg_options_re = re.compile(
r'(?P<indent>\s*)(?P<name>\S+)\s+"(?P<value>[^"]+)"\s*;')
-named_conf_arg_ipa_template = "%(indent)sarg \"%(name)s %(value)s\";\n"
+named_conf_arg_ipa_template = "%(indent)s%(name)s \"%(value)s\";\n"
named_conf_arg_options_template = "%(indent)s%(name)s \"%(value)s\";\n"
# non string args for options section
named_conf_arg_options_re_nonstr = re.compile(
@@ -92,13 +92,12 @@ def create_reverse():
def named_conf_exists():
try:
- named_fd = open(NAMED_CONF, 'r')
+ with open(NAMED_CONF, 'r') as named_fd:
+ lines = named_fd.readlines()
except IOError:
return False
- lines = named_fd.readlines()
- named_fd.close()
for line in lines:
- if line.startswith('dynamic-db "ipa"'):
+ if named_conf_section_ipa_start_re.match(line):
return True
return False
--
2.9.3
From 7d425b90ebb66f9c3e2f18e78709215b59e4a985 Mon Sep 17 00:00:00 2001
From: Tomas Krizek <tkrizek@redhat.com>
Date: Mon, 13 Feb 2017 18:36:12 +0100
Subject: [PATCH 6/6] Bump required version of bind-dyndb-ldap to 11.0-2
Fedora release bind-dyndb-ldap 11.0-2 transforms existing named.conf
old style API to the new style API. This package version is required
to enable upgrade of existing IPA installations to new version.
https://fedorahosted.org/freeipa/ticket/6565
Reviewed-By: Pavel Vomacka <pvomacka@redhat.com>
---
freeipa.spec.in | 2 +-
1 file changed, 1 insertion(+), 1 deletion(-)
diff --git a/freeipa.spec.in b/freeipa.spec.in
index 8b9fa591947a9a5b2bc84eba9b54ef750a9d68e8..1dd8d0c60cacfc79554bb3c61fa8297e89b7b192 100644
--- a/freeipa.spec.in
+++ b/freeipa.spec.in
@@ -257,7 +257,7 @@ Summary: IPA integrated DNS server with support for automatic DNSSEC signing
Group: System Environment/Base
BuildArch: noarch
Requires: %{name}-server = %{version}-%{release}
-Requires: bind-dyndb-ldap >= 11.0
+Requires: bind-dyndb-ldap >= 11.0-2
Requires: bind >= 9.11.0-6.P2
Requires: bind-utils >= 9.11.0-6.P2
Requires: bind-pkcs11 >= 9.11.0-6.P2
--
2.9.3
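Review bot: The new `named_conf_arg_ipa_re` in PATCH 5 (`(?P<name>\S+)\s"(?P<value>[^"]+)";`) still accepts exactly one whitespace character between the directive name and the quoted value, while the sibling `named_conf_arg_options_re` two lines below uses `\s+`; if a migrated or hand-edited named.conf has two spaces or a tab there, the callers of this pattern (outside this hunk) would presumably skip the directive without any error. The single-`\s` form is carried over from the old `arg` pattern, so aligning it now is cheap: `r'(?P<indent>\s*)(?P<name>\S+)\s+"(?P<value>[^"]+)"\s*;'`. The rewritten `named_conf_section_ipa_start_re` line is a non-raw string containing `\s`, which Python 3.6+ reports as an invalid escape sequence warning; it should be a raw string like its neighbours, `re.compile(r'\s*dyndb\s+"ipa"\s+"[^"]+"\s+{')`. Both regexes are module-level constants, so the change is confined to these lines.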


@ -0,0 +1,233 @@
From 985549be991c73c7455ed3b1393bd464ef4d197a Mon Sep 17 00:00:00 2001
From: Alexander Bokovoy <abokovoy@redhat.com>
Date: Tue, 24 Jan 2017 11:02:30 +0200
Subject: [PATCH 1/1] ipa-kdb: support KDB DAL version 6.1
DAL version 6.0 removed support for a callback to free principal.
This broke KDB drivers which had complex e_data structure within
the principal structure. As result, FreeIPA KDB driver was leaking
memory with DAL version 6.0 (krb5 1.15).
DAL version 6.1 added a special callback for freeing e_data structure.
See details at krb5/krb5#596
Restructure KDB driver code to provide this callback in case
we are built against DAL version that supports it. For DAL version
prior to 6.0 use this callback in the free_principal callback to
tidy the code.
Use explicit KDB version dependency in Fedora 26+ via BuildRequires.
With new DAL version, freeipa package will fail to build and
we'll have to add a support for new DAL version explicitly.
https://fedorahosted.org/freeipa/ticket/6619
---
daemons/configure.ac | 21 ++++++++++++++++++
daemons/ipa-kdb/ipa_kdb.c | 42 ++++++++++++++++++++++++++++++++++--
daemons/ipa-kdb/ipa_kdb.h | 2 ++
daemons/ipa-kdb/ipa_kdb_principals.c | 42 ++++++++++++++++++++----------------
freeipa.spec.in | 9 ++++++++
5 files changed, 96 insertions(+), 20 deletions(-)
diff --git a/daemons/configure.ac b/daemons/configure.ac
index 5c5a1046397aa97ba18cafc1b81dc2a6fb2dfd34..77a3be0397fac0364d364f2e4ac3f917cca7fff3 100644
--- a/daemons/configure.ac
+++ b/daemons/configure.ac
@@ -66,6 +66,27 @@ AC_SUBST(KRB5_LIBS)
AC_SUBST(KRAD_LIBS)
AC_SUBST(krb5rundir)
+AC_CHECK_HEADER(kdb.h, [], [AC_MSG_ERROR([kdb.h not found])])
+AC_CHECK_MEMBER(
+ [kdb_vftabl.free_principal],
+ [AC_DEFINE([HAVE_KDB_FREEPRINCIPAL], [1],
+ [KDB driver API has free_principal callback])],
+ [AC_MSG_NOTICE([KDB driver API has no free_principal callback])],
+ [[#include <kdb.h>]])
+AC_CHECK_MEMBER(
+ [kdb_vftabl.free_principal_e_data],
+ [AC_DEFINE([HAVE_KDB_FREEPRINCIPAL_EDATA], [1],
+ [KDB driver API has free_principal_e_data callback])],
+ [AC_MSG_NOTICE([KDB driver API has no free_principal_e_data callback])],
+ [[#include <kdb.h>]])
+
+if test "x$ac_cv_member_kdb_vftabl_free_principal" = "xno" \
+ -a "x$ac_cv_member_kdb_vftable_free_principal_e_data" = "xno" ; then
+ AC_MSG_WARN([KDB driver API does not allow to free Kerberos principal data.])
+ AC_MSG_WARN([KDB driver will leak memory on Kerberos principal use])
+ AC_MSG_WARN([See https://github.com/krb5/krb5/pull/596 for details])
+fi
+
dnl ---------------------------------------------------------------------------
dnl - Check for Mozilla LDAP and OpenLDAP SDK
dnl ---------------------------------------------------------------------------
diff --git a/daemons/ipa-kdb/ipa_kdb.c b/daemons/ipa-kdb/ipa_kdb.c
index e96353fe2602652dbf12f68745080b64665ffed2..e74ab56270500c2d3753d76754b8a5f1c28200a0 100644
--- a/daemons/ipa-kdb/ipa_kdb.c
+++ b/daemons/ipa-kdb/ipa_kdb.c
@@ -625,6 +625,9 @@ static void ipadb_free(krb5_context context, void *ptr)
/* KDB Virtual Table */
+/* We explicitly want to keep different ABI tables below separate. */
+/* Do not merge them together. Older ABI does not need to be updated */
+
#if KRB5_KDB_DAL_MAJOR_VERSION == 5
kdb_vftabl kdb_function_table = {
.maj_ver = KRB5_KDB_DAL_MAJOR_VERSION,
@@ -657,8 +660,9 @@ kdb_vftabl kdb_function_table = {
.audit_as_req = ipadb_audit_as_req,
.check_allowed_to_delegate = ipadb_check_allowed_to_delegate
};
+#endif
-#elif KRB5_KDB_DAL_MAJOR_VERSION == 6
+#if (KRB5_KDB_DAL_MAJOR_VERSION == 6) && !defined(HAVE_KDB_FREEPRINCIPAL_EDATA)
kdb_vftabl kdb_function_table = {
.maj_ver = KRB5_KDB_DAL_MAJOR_VERSION,
.min_ver = 0,
@@ -686,8 +690,42 @@ kdb_vftabl kdb_function_table = {
.audit_as_req = ipadb_audit_as_req,
.check_allowed_to_delegate = ipadb_check_allowed_to_delegate
};
+#endif
-#else
+#if (KRB5_KDB_DAL_MAJOR_VERSION == 6) && defined(HAVE_KDB_FREEPRINCIPAL_EDATA)
+kdb_vftabl kdb_function_table = {
+ .maj_ver = KRB5_KDB_DAL_MAJOR_VERSION,
+ .min_ver = 1,
+ .init_library = ipadb_init_library,
+ .fini_library = ipadb_fini_library,
+ .init_module = ipadb_init_module,
+ .fini_module = ipadb_fini_module,
+ .create = ipadb_create,
+ .get_age = ipadb_get_age,
+ .get_principal = ipadb_get_principal,
+ .put_principal = ipadb_put_principal,
+ .delete_principal = ipadb_delete_principal,
+ .iterate = ipadb_iterate,
+ .create_policy = ipadb_create_pwd_policy,
+ .get_policy = ipadb_get_pwd_policy,
+ .put_policy = ipadb_put_pwd_policy,
+ .iter_policy = ipadb_iterate_pwd_policy,
+ .delete_policy = ipadb_delete_pwd_policy,
+ .fetch_master_key = ipadb_fetch_master_key,
+ .store_master_key_list = ipadb_store_master_key_list,
+ .change_pwd = ipadb_change_pwd,
+ .sign_authdata = ipadb_sign_authdata,
+ .check_transited_realms = ipadb_check_transited_realms,
+ .check_policy_as = ipadb_check_policy_as,
+ .audit_as_req = ipadb_audit_as_req,
+ .check_allowed_to_delegate = ipadb_check_allowed_to_delegate,
+ /* The order is important, DAL version 6.1 added
+ * the free_principal_e_data callback */
+ .free_principal_e_data = ipadb_free_principal_e_data,
+};
+#endif
+
+#if (KRB5_KDB_DAL_MAJOR_VERSION != 5) && (KRB5_KDB_DAL_MAJOR_VERSION != 6)
#error unsupported DAL major version
#endif
diff --git a/daemons/ipa-kdb/ipa_kdb.h b/daemons/ipa-kdb/ipa_kdb.h
index 1fdb409df92f1f8d9a82af3423e6e73313c62ab7..d5a343345562062b309d14c2e493f8d3028a6780 100644
--- a/daemons/ipa-kdb/ipa_kdb.h
+++ b/daemons/ipa-kdb/ipa_kdb.h
@@ -180,6 +180,8 @@ krb5_error_code ipadb_get_principal(krb5_context kcontext,
unsigned int flags,
krb5_db_entry **entry);
void ipadb_free_principal(krb5_context kcontext, krb5_db_entry *entry);
+/* Helper function for DAL API 6.1 or later */
+void ipadb_free_principal_e_data(krb5_context kcontext, krb5_octet *e_data);
krb5_error_code ipadb_put_principal(krb5_context kcontext,
krb5_db_entry *entry,
char **db_args);
diff --git a/daemons/ipa-kdb/ipa_kdb_principals.c b/daemons/ipa-kdb/ipa_kdb_principals.c
index 5b80909475565d6bb4fa8cba67629094daf51eb3..3bd8fb8c70c61b056a714bc0a8149bd8524beb1d 100644
--- a/daemons/ipa-kdb/ipa_kdb_principals.c
+++ b/daemons/ipa-kdb/ipa_kdb_principals.c
@@ -1274,11 +1274,32 @@ done:
return kerr;
}
+void ipadb_free_principal_e_data(krb5_context kcontext, krb5_octet *e_data)
+{
+ struct ipadb_e_data *ied;
+ int i;
+
+ ied = (struct ipadb_e_data *)e_data;
+ if (ied->magic == IPA_E_DATA_MAGIC) {
+ ldap_memfree(ied->entry_dn);
+ free(ied->passwd);
+ free(ied->pw_policy_dn);
+ for (i = 0; ied->pw_history && ied->pw_history[i]; i++) {
+ free(ied->pw_history[i]);
+ }
+ free(ied->pw_history);
+ for (i = 0; ied->authz_data && ied->authz_data[i]; i++) {
+ free(ied->authz_data[i]);
+ }
+ free(ied->authz_data);
+ free(ied->pol);
+ free(ied);
+ }
+}
+
void ipadb_free_principal(krb5_context kcontext, krb5_db_entry *entry)
{
- struct ipadb_e_data *ied;
krb5_tl_data *prev, *next;
- int i;
if (entry) {
krb5_free_principal(kcontext, entry->princ);
@@ -1292,22 +1313,7 @@ void ipadb_free_principal(krb5_context kcontext, krb5_db_entry *entry)
ipa_krb5_free_key_data(entry->key_data, entry->n_key_data);
if (entry->e_data) {
- ied = (struct ipadb_e_data *)entry->e_data;
- if (ied->magic == IPA_E_DATA_MAGIC) {
- ldap_memfree(ied->entry_dn);
- free(ied->passwd);
- free(ied->pw_policy_dn);
- for (i = 0; ied->pw_history && ied->pw_history[i]; i++) {
- free(ied->pw_history[i]);
- }
- free(ied->pw_history);
- for (i = 0; ied->authz_data && ied->authz_data[i]; i++) {
- free(ied->authz_data[i]);
- }
- free(ied->authz_data);
- free(ied->pol);
- free(ied);
- }
+ ipadb_free_principal_e_data(kcontext, entry->e_data);
}
free(entry);
diff --git a/freeipa.spec.in b/freeipa.spec.in
index 1dd8d0c60cacfc79554bb3c61fa8297e89b7b192..52ad0d4c1f1cec95821e17401e709f05ea9d97f6 100644
--- a/freeipa.spec.in
+++ b/freeipa.spec.in
@@ -57,7 +57,16 @@ BuildRequires: nspr-devel
BuildRequires: nss-devel
BuildRequires: openssl-devel
BuildRequires: openldap-devel
+# For KDB DAL version, make explicit dependency so that increase of version
+# will cause the build to fail due to unsatisfied dependencies.
+# DAL version change may cause code crash or memory leaks, it is better to fail early.
+%if 0%{?fedora} > 25
+BuildRequires: krb5-devel >= 1.15-5
+BuildRequires: krb5-kdb-version = 6.1
+%else
+# 1.12+: libkrad (http://krbdev.mit.edu/rt/Ticket/Display.html?id=7678)
BuildRequires: krb5-devel >= 1.13
+%endif
BuildRequires: krb5-workstation
BuildRequires: libuuid-devel
BuildRequires: libcurl-devel >= 7.21.7-2
--
2.9.3
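Review bot: The configure.ac warning block in PATCH 1/1 tests `$ac_cv_member_kdb_vftable_free_principal_e_data`, but the cache variable that `AC_CHECK_MEMBER([kdb_vftabl.free_principal_e_data], ...)` actually sets is named after the struct as spelled in the check, i.e. `ac_cv_member_kdb_vftabl_free_principal_e_data`; the misspelled variable is always empty, so the `-a` operand never equals `xno` and the "KDB driver will leak memory" warning can never be emitted. The fix is the one line `-a "x$ac_cv_member_kdb_vftabl_free_principal_e_data" = "xno" ; then`. Separately, `ipadb_free_principal_e_data` in ipa_kdb_principals.c dereferences `ied->magic` without a NULL check; the in-file caller in `ipadb_free_principal` guards with `if (entry->e_data)` first, but since the same function is now also installed as the DAL 6.1 `free_principal_e_data` callback it would be more robust to add `if (e_data == NULL) return;` at the top rather than rely on the library caller doing that check. The KDB DAL major-version branches in ipa_kdb.c are cut by the hunk boundaries, so the 5 and 6.0 tables are only partially visible here.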


@ -38,7 +38,7 @@
Name: freeipa
Version: %{VERSION}
Release: 4%{?dist}
Release: 5%{?dist}
Summary: The Identity, Policy and Audit system
Group: System Environment/Base
@ -49,6 +49,8 @@ BuildRoot: %{_tmppath}/%{name}-%{version}-%{release}-root-%(%{__id_u} -n)
Patch0001: 0001-Workarounds-for-SELinux-execmem-violations-in-crypto.patch
Patch0002: 0002-Support-DAL-version-5-and-version-6.patch
Patch0003: 0003-bind-dyndb-ldap-DNS-fixes.patch
Patch0004: 0004-ipa-kdb-support-KDB-DAL-version-6.1.patch
%if ! %{ONLY_CLIENT}
BuildRequires: 389-ds-base-devel >= 1.3.5.6
@ -64,7 +66,16 @@ BuildRequires: nspr-devel
BuildRequires: nss-devel
BuildRequires: openssl-devel
BuildRequires: openldap-devel
# For KDB DAL version, make explicit dependency so that increase of version
# will cause the build to fail due to unsatisfied dependencies.
# DAL version change may cause code crash or memory leaks, it is better to fail early.
%if 0%{?fedora} > 25
BuildRequires: krb5-devel >= 1.15-5
BuildRequires: krb5-kdb-version = 6.1
%else
# 1.12+: libkrad (http://krbdev.mit.edu/rt/Ticket/Display.html?id=7678)
BuildRequires: krb5-devel >= 1.13
%endif
BuildRequires: krb5-workstation
BuildRequires: libuuid-devel
BuildRequires: libcurl-devel >= 7.21.7-2
@ -265,18 +276,11 @@ Summary: IPA integrated DNS server with support for automatic DNSSEC signing
Group: System Environment/Base
BuildArch: noarch
Requires: %{name}-server = %{version}-%{release}
Requires: bind-dyndb-ldap >= 10.0
%if 0%{?fedora} >= 21
Requires: bind >= 9.9.6-3
Requires: bind-utils >= 9.9.6-3
Requires: bind-pkcs11 >= 9.9.6-3
Requires: bind-pkcs11-utils >= 9.9.6-3
%else
Requires: bind >= 9.9.4-21
Requires: bind-utils >= 9.9.4-21
Requires: bind-pkcs11 >= 9.9.4-21
Requires: bind-pkcs11-utils >= 9.9.4-21
%endif
Requires: bind-dyndb-ldap >= 11.0-2
Requires: bind >= 9.11.0-6.P2
Requires: bind-utils >= 9.11.0-6.P2
Requires: bind-pkcs11 >= 9.11.0-6.P2
Requires: bind-pkcs11-utils >= 9.11.0-6.P2
Requires: opendnssec >= 1.4.6-4
Provides: %{alt_name}-server-dns = %{version}
@ -1476,6 +1480,10 @@ fi
%endif # ONLY_CLIENT
%changelog
* Wed Feb 15 2017 Tomas Krizek <tkrizek@redhat.com> - 4.4.3-5
- Fixes #1403352 - bind-dyndb-ldap: support new named.conf API in BIND 9.11
- Fixes #1412739 - ipa-kdb: support DAL version 6.1
* Fri Feb 10 2017 Fedora Release Engineering <releng@fedoraproject.org> - 4.4.3-4
- Rebuilt for https://fedoraproject.org/wiki/Fedora_26_Mass_Rebuild
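Review bot: The reworked DNS `Requires:` block makes `bind >= 9.11.0-6.P2` and `bind-dyndb-ldap >= 11.0-2` unconditional by dropping the `%if 0%{?fedora} >= 21` branches, while the new KDB `BuildRequires:` block just above keeps an `%else` branch for Fedora 25 and older (`krb5-devel >= 1.13`). If this spec is still built for a release where BIND 9.11 is not shipped, the server-dns subpackage would be uninstallable there even though the build itself is guarded; conversely, if only Fedora 26+ is targeted, the `%else` branch is dead and the two blocks should say so consistently. It would help a reader to either wrap the bind lines in the same `%if 0%{?fedora} > 25` guard or add a comment such as `# BIND 9.11 / bind-dyndb-ldap 11 are the minimum for the new dyndb named.conf API on every supported release` next to them.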