diff --git a/SOURCES/0063-ipa-pwd-extop-allow-enforcing-2FA-only-over-LDAP-bin.patch b/SOURCES/0063-ipa-pwd-extop-allow-enforcing-2FA-only-over-LDAP-bin.patch new file mode 100644 index 0000000..98c8778 --- /dev/null +++ b/SOURCES/0063-ipa-pwd-extop-allow-enforcing-2FA-only-over-LDAP-bin.patch 
@@ -0,0 +1,294 @@ +From 82eca6c0a994c4db8f85ea0d5c012cd4d80edefe Mon Sep 17 00:00:00 2001 +From: Alexander Bokovoy +Date: Tue, 30 Jan 2024 11:17:27 +0200 +Subject: [PATCH] ipa-pwd-extop: allow enforcing 2FA-only over LDAP bind + +When authentication indicators were introduced in 2016, ipa-pwd-extop +plugin gained ability to reject LDAP BIND when an LDAP client insists +the authentication must use an OTP token. This is used by ipa-otpd to +ensure Kerberos authentication using OTP method is done with at least +two factors (the token and the password). + +This enfrocement is only possible when an LDAP client sends the LDAP +control. There are cases when LDAP clients cannot be configured to send +a custom LDAP control during BIND operation. For these clients an LDAP +BIND against an account that only has password and no valid token would +succeed even if admins intend it to fail. + +Ability to do LDAP BIND without a token was added to allow users to add +their own OTP tokens securely. If administrators require full +enforcement over LDAP BIND, it is cannot be achieved with LDAP without +sending the LDAP control to do so. + +Add IPA configuration string, EnforceLDAPOTP, to allow administrators to +prevent LDAP BIND with a password only if user is required to have OTP +tokens. With this configuration enabled, it will be not possible for +users to add OTP token if one is missing, thus ensuring no user can +authenticate without OTP and admins will have to add initial OTP tokens +to users explicitly. 
+ +Fixes: https://pagure.io/freeipa/issue/5169 + +Signed-off-by: Alexander Bokovoy +Reviewed-By: Florence Blanc-Renaud +--- + API.txt | 2 +- + .../ipa-slapi-plugins/ipa-pwd-extop/common.c | 47 +++++++++++++------ + .../ipa-slapi-plugins/ipa-pwd-extop/ipapwd.h | 2 + + .../ipa-slapi-plugins/ipa-pwd-extop/prepost.c | 14 ++++++ + doc/api/config_mod.md | 2 +- + ipaserver/plugins/config.py | 3 +- + ipatests/test_integration/test_otp.py | 46 ++++++++++++++++++ + 7 files changed, 98 insertions(+), 18 deletions(-) + +diff --git a/API.txt b/API.txt +index 7d91077fc340ababee5c9a4b8a695290728b9135..5ed1f5327d9154bf2b301a781b723213c7677ed9 100644 +--- a/API.txt ++++ b/API.txt +@@ -1082,7 +1082,7 @@ option: Flag('all', autofill=True, cli_name='all', default=False) + option: Str('ca_renewal_master_server?', autofill=False) + option: Str('delattr*', cli_name='delattr') + option: Flag('enable_sid?', autofill=True, default=False) +-option: StrEnum('ipaconfigstring*', autofill=False, cli_name='ipaconfigstring', values=[u'AllowNThash', u'KDC:Disable Last Success', u'KDC:Disable Lockout', u'KDC:Disable Default Preauth for SPNs']) ++option: StrEnum('ipaconfigstring*', autofill=False, cli_name='ipaconfigstring', values=[u'AllowNThash', u'KDC:Disable Last Success', u'KDC:Disable Lockout', u'KDC:Disable Default Preauth for SPNs', u'EnforceLDAPOTP']) + option: Str('ipadefaultemaildomain?', autofill=False, cli_name='emaildomain') + option: Str('ipadefaultloginshell?', autofill=False, cli_name='defaultshell') + option: Str('ipadefaultprimarygroup?', autofill=False, cli_name='defaultgroup') +diff --git a/daemons/ipa-slapi-plugins/ipa-pwd-extop/common.c b/daemons/ipa-slapi-plugins/ipa-pwd-extop/common.c +index d30764bb2a05c7ca4a33ea114a2dc19af39e216f..1355f20d3ab990c81b5b41875d659a9bc9f97085 100644 +--- a/daemons/ipa-slapi-plugins/ipa-pwd-extop/common.c ++++ b/daemons/ipa-slapi-plugins/ipa-pwd-extop/common.c +@@ -83,6 +83,7 @@ static struct ipapwd_krbcfg *ipapwd_getConfig(void) + char *tmpstr; 
+ int ret; + size_t i; ++ bool fips_enabled = false; + + config = calloc(1, sizeof(struct ipapwd_krbcfg)); + if (!config) { +@@ -241,28 +242,35 @@ static struct ipapwd_krbcfg *ipapwd_getConfig(void) + config->allow_nt_hash = false; + if (ipapwd_fips_enabled()) { + LOG("FIPS mode is enabled, NT hashes are not allowed.\n"); ++ fips_enabled = true; ++ } ++ ++ sdn = slapi_sdn_new_dn_byval(ipa_etc_config_dn); ++ ret = ipapwd_getEntry(sdn, &config_entry, NULL); ++ slapi_sdn_free(&sdn); ++ if (ret != LDAP_SUCCESS) { ++ LOG_FATAL("No config Entry?\n"); ++ goto free_and_error; + } else { +- sdn = slapi_sdn_new_dn_byval(ipa_etc_config_dn); +- ret = ipapwd_getEntry(sdn, &config_entry, NULL); +- slapi_sdn_free(&sdn); +- if (ret != LDAP_SUCCESS) { +- LOG_FATAL("No config Entry?\n"); +- goto free_and_error; +- } else { +- tmparray = slapi_entry_attr_get_charray(config_entry, +- "ipaConfigString"); +- for (i = 0; tmparray && tmparray[i]; i++) { ++ tmparray = slapi_entry_attr_get_charray(config_entry, ++ "ipaConfigString"); ++ for (i = 0; tmparray && tmparray[i]; i++) { ++ if (strcasecmp(tmparray[i], "EnforceLDAPOTP") == 0) { ++ config->enforce_ldap_otp = true; ++ continue; ++ } ++ if (!fips_enabled) { + if (strcasecmp(tmparray[i], "AllowNThash") == 0) { + config->allow_nt_hash = true; + continue; + } + } +- if (tmparray) slapi_ch_array_free(tmparray); + } +- +- slapi_entry_free(config_entry); ++ if (tmparray) slapi_ch_array_free(tmparray); + } + ++ slapi_entry_free(config_entry); ++ + return config; + + free_and_error: +@@ -571,6 +579,13 @@ int ipapwd_gen_checks(Slapi_PBlock *pb, char **errMesg, + rc = LDAP_OPERATIONS_ERROR; + } + ++ /* do not return the master key if asked */ ++ if (check_flags & IPAPWD_CHECK_ONLY_CONFIG) { ++ free((*config)->kmkey->contents); ++ free((*config)->kmkey); ++ (*config)->kmkey = NULL; ++ } ++ + done: + return rc; + } +@@ -1103,8 +1118,10 @@ void free_ipapwd_krbcfg(struct ipapwd_krbcfg **cfg) + + krb5_free_default_realm(c->krbctx, c->realm); + 
krb5_free_context(c->krbctx); +- free(c->kmkey->contents); +- free(c->kmkey); ++ if (c->kmkey) { ++ free(c->kmkey->contents); ++ free(c->kmkey); ++ } + free(c->supp_encsalts); + free(c->pref_encsalts); + slapi_ch_array_free(c->passsync_mgrs); +diff --git a/daemons/ipa-slapi-plugins/ipa-pwd-extop/ipapwd.h b/daemons/ipa-slapi-plugins/ipa-pwd-extop/ipapwd.h +index 79606a8c795d166590c4655f9021aa414c3684d9..97697000674d8fbbe3a924af63261482db173852 100644 +--- a/daemons/ipa-slapi-plugins/ipa-pwd-extop/ipapwd.h ++++ b/daemons/ipa-slapi-plugins/ipa-pwd-extop/ipapwd.h +@@ -70,6 +70,7 @@ + + #define IPAPWD_CHECK_CONN_SECURE 0x00000001 + #define IPAPWD_CHECK_DN 0x00000002 ++#define IPAPWD_CHECK_ONLY_CONFIG 0x00000004 + + #define IPA_CHANGETYPE_NORMAL 0 + #define IPA_CHANGETYPE_ADMIN 1 +@@ -109,6 +110,7 @@ struct ipapwd_krbcfg { + char **passsync_mgrs; + int num_passsync_mgrs; + bool allow_nt_hash; ++ bool enforce_ldap_otp; + }; + + int ipapwd_entry_checks(Slapi_PBlock *pb, struct slapi_entry *e, +diff --git a/daemons/ipa-slapi-plugins/ipa-pwd-extop/prepost.c b/daemons/ipa-slapi-plugins/ipa-pwd-extop/prepost.c +index 6898e6596e1cbbb2cc69ba592401619ce86899d8..69023515018d522651bccb984ddd8e9174c22f59 100644 +--- a/daemons/ipa-slapi-plugins/ipa-pwd-extop/prepost.c ++++ b/daemons/ipa-slapi-plugins/ipa-pwd-extop/prepost.c +@@ -1431,6 +1431,7 @@ static int ipapwd_pre_bind(Slapi_PBlock *pb) + "krbPasswordExpiration", "krblastpwchange", + NULL + }; ++ struct ipapwd_krbcfg *krbcfg = NULL; + struct berval *credentials = NULL; + Slapi_Entry *entry = NULL; + Slapi_DN *target_sdn = NULL; +@@ -1505,6 +1506,18 @@ static int ipapwd_pre_bind(Slapi_PBlock *pb) + /* Try to do OTP first. 
*/ + syncreq = otpctrl_present(pb, OTP_SYNC_REQUEST_OID); + otpreq = otpctrl_present(pb, OTP_REQUIRED_OID); ++ if (!syncreq && !otpreq) { ++ ret = ipapwd_gen_checks(pb, &errMesg, &krbcfg, IPAPWD_CHECK_ONLY_CONFIG); ++ if (ret != 0) { ++ LOG_FATAL("ipapwd_gen_checks failed!?\n"); ++ slapi_entry_free(entry); ++ slapi_sdn_free(&sdn); ++ return 0; ++ } ++ if (krbcfg->enforce_ldap_otp) { ++ otpreq = true; ++ } ++ } + if (!syncreq && !ipapwd_pre_bind_otp(dn, entry, credentials, otpreq)) + goto invalid_creds; + +@@ -1543,6 +1556,7 @@ static int ipapwd_pre_bind(Slapi_PBlock *pb) + return 0; + + invalid_creds: ++ free_ipapwd_krbcfg(&krbcfg); + slapi_entry_free(entry); + slapi_sdn_free(&sdn); + slapi_send_ldap_result(pb, rc, NULL, errMesg, 0, NULL); +diff --git a/doc/api/config_mod.md b/doc/api/config_mod.md +index c479a034416068c72c0d70deabb149acf8002e44..b3203c350605af5a386544c858a9a5f7f724342f 100644 +--- a/doc/api/config_mod.md ++++ b/doc/api/config_mod.md +@@ -27,7 +27,7 @@ No arguments. + * ipauserobjectclasses : :ref:`Str` + * ipapwdexpadvnotify : :ref:`Int` + * ipaconfigstring : :ref:`StrEnum` +- * Values: ('AllowNThash', 'KDC:Disable Last Success', 'KDC:Disable Lockout', 'KDC:Disable Default Preauth for SPNs') ++ * Values: ('AllowNThash', 'KDC:Disable Last Success', 'KDC:Disable Lockout', 'KDC:Disable Default Preauth for SPNs', 'EnforceLDAPOTP') + * ipaselinuxusermaporder : :ref:`Str` + * ipaselinuxusermapdefault : :ref:`Str` + * ipakrbauthzdata : :ref:`StrEnum` +diff --git a/ipaserver/plugins/config.py b/ipaserver/plugins/config.py +index eface545def441d1a6fe9bdb054ab62eaa6589d3..45bd0c108dc958e3e141055901ea3872bc30d511 100644 +--- a/ipaserver/plugins/config.py ++++ b/ipaserver/plugins/config.py +@@ -247,7 +247,8 @@ class config(LDAPObject): + doc=_('Extra hashes to generate in password plug-in'), + values=(u'AllowNThash', + u'KDC:Disable Last Success', u'KDC:Disable Lockout', +- u'KDC:Disable Default Preauth for SPNs'), ++ u'KDC:Disable Default Preauth for SPNs', 
++ u'EnforceLDAPOTP'), + ), + Str('ipaselinuxusermaporder', + label=_('SELinux user map order'), +diff --git a/ipatests/test_integration/test_otp.py b/ipatests/test_integration/test_otp.py +index 8e2ea563f1190e39fab0cab2f54da1f382c29356..d2dfca4cbf8c60955e888b6f92bd88a2608bb265 100644 +--- a/ipatests/test_integration/test_otp.py ++++ b/ipatests/test_integration/test_otp.py +@@ -21,6 +21,9 @@ from ipaplatform.paths import paths + from ipatests.pytest_ipa.integration import tasks + from ipapython.dn import DN + ++from ldap.controls.simple import BooleanControl ++ ++from ipalib import errors + + PASSWORD = "DummyPassword123" + USER = "opttestuser" +@@ -450,3 +453,46 @@ class TestOTPToken(IntegrationTest): + assert "ipa-otpd" not in failed_services.stdout_text + finally: + del_otptoken(self.master, otpuid) ++ ++ def test_totp_ldap(self): ++ master = self.master ++ basedn = master.domain.basedn ++ USER1 = 'user-forced-otp' ++ binddn = DN(f"uid={USER1},cn=users,cn=accounts,{basedn}") ++ ++ tasks.create_active_user(master, USER1, PASSWORD) ++ tasks.kinit_admin(master) ++ # Enforce use of OTP token for this user ++ master.run_command(['ipa', 'user-mod', USER1, ++ '--user-auth-type=otp']) ++ try: ++ conn = master.ldap_connect() ++ # First, attempt authenticating with a password but without LDAP ++ # control to enforce OTP presence and without server-side ++ # enforcement of the OTP presence check. 
++ conn.simple_bind(binddn, f"{PASSWORD}") ++ # Add an OTP token now ++ otpuid, totp = add_otptoken(master, USER1, otptype="totp") ++ # Next, enforce Password+OTP for a user with OTP token ++ master.run_command(['ipa', 'config-mod', '--addattr', ++ 'ipaconfigstring=EnforceLDAPOTP']) ++ # Next, authenticate with Password+OTP and with the LDAP control ++ # this operation should succeed ++ otpvalue = totp.generate(int(time.time())).decode("ascii") ++ conn.simple_bind(binddn, f"{PASSWORD}{otpvalue}", ++ client_controls=[ ++ BooleanControl( ++ controlType="2.16.840.1.113730.3.8.10.7", ++ booleanValue=True)]) ++ # Remove token ++ del_otptoken(self.master, otpuid) ++ # Now, try to authenticate without otp and without control ++ # this operation should fail ++ try: ++ conn.simple_bind(binddn, f"{PASSWORD}") ++ except errors.ACIError: ++ pass ++ master.run_command(['ipa', 'config-mod', '--delattr', ++ 'ipaconfigstring=EnforceLDAPOTP']) ++ finally: ++ master.run_command(['ipa', 'user-del', USER1]) +-- +2.44.0 + diff --git a/SOURCES/0064-ipa-pwd-extop-add-MFA-note-in-case-of-a-successful-L.patch b/SOURCES/0064-ipa-pwd-extop-add-MFA-note-in-case-of-a-successful-L.patch new file mode 100644 index 0000000..cb4de30 --- /dev/null +++ b/SOURCES/0064-ipa-pwd-extop-add-MFA-note-in-case-of-a-successful-L.patch 
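Review bot: In the prepost.c hunk of the embedded 0063 patch, the new `ipapwd_gen_checks` failure branch frees entry and sdn and then does `return 0;`, which skips `ipapwd_pre_bind_otp` entirely and, judging by the identical `return 0;` on the success path, hands the bind back to 389-ds as a plain password bind, so a failure to read the ipa_etc_config_dn entry silently switches the new enforcement off. Failing closed is the trade-off an enforcement feature wants; replacing the two free calls and the return with `rc = LDAP_OPERATIONS_ERROR; goto invalid_creds;` reuses the existing cleanup and result path, provided `free_ipapwd_krbcfg` tolerates a NULL `*cfg` (its NULL handling is outside the hunk). The same patch adds `free_ipapwd_krbcfg(&krbcfg);` only under `invalid_creds:`, while the `return 0;` directly above that label (also visible at the end of the 0064 hunk) exits without it, so every bind without an OTP control appears to leak the config fetched by the new block. In test_otp.py the final bind commented as "this operation should fail" is wrapped in `try: ... except errors.ACIError: pass`, so the test still passes if the bind succeeds; `with pytest.raises(errors.ACIError): conn.simple_bind(binddn, f"{PASSWORD}")` (the suite runs under pytest, per the `ipatests.pytest_ipa` import) would actually assert the enforcement. ipapwd_pre_bind starts and ends outside the shown hunks.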
@@ -0,0 +1,63 @@ +From a319811747b44dc9b06294df0270b17dbd2b2026 Mon Sep 17 00:00:00 2001 +From: Alexander Bokovoy +Date: Sat, 2 Mar 2024 09:31:46 +0200 +Subject: [PATCH] ipa-pwd-extop: add MFA note in case of a successful LDAP bind + with OTP + +In case there is a successful OTP authentication attempt, register it as +an operation note on the BIND operation in LDAP. 389-ds then will print +a multi-factor authentication note in both access and security logs +according to https://www.port389.org/docs/389ds/design/mfa-operation-note-design.html + +Fixes: https://pagure.io/freeipa/issue/5169 + +Signed-off-by: Alexander Bokovoy +Reviewed-By: Florence Blanc-Renaud +--- + daemons/ipa-slapi-plugins/ipa-pwd-extop/prepost.c | 10 ++++++++++ + server.m4 | 8 ++++++++ + 2 files changed, 18 insertions(+) + +diff --git a/daemons/ipa-slapi-plugins/ipa-pwd-extop/prepost.c b/daemons/ipa-slapi-plugins/ipa-pwd-extop/prepost.c +index 69023515018d522651bccb984ddd8e9174c22f59..43a7f54778382edd66da8f18c20de443ed98ab3d 100644 +--- a/daemons/ipa-slapi-plugins/ipa-pwd-extop/prepost.c ++++ b/daemons/ipa-slapi-plugins/ipa-pwd-extop/prepost.c +@@ -1551,6 +1551,16 @@ static int ipapwd_pre_bind(Slapi_PBlock *pb) + /* Attempt to write out kerberos keys for the user. 
*/ + ipapwd_write_krb_keys(pb, discard_const(dn), entry, credentials); + ++#ifdef USE_OP_NOTE_MFA_AUTH ++ /* If it was a successful authentication with OTP required, mark it ++ * for access log to notice multi-factor authentication has happened ++ * https://www.port389.org/docs/389ds/design/mfa-operation-note-design.html ++ */ ++ if (!syncreq && otpreq) { ++ slapi_pblock_set_flag_operation_notes(pb, SLAPI_OP_NOTE_MFA_AUTH); ++ } ++#endif ++ + slapi_entry_free(entry); + slapi_sdn_free(&sdn); + return 0; +diff --git a/server.m4 b/server.m4 +index f97ceddea0388067f4353fd9a03a5e5d27b1672b..4918edc762ef9987625a10348bd4bad59ed9beb3 100644 +--- a/server.m4 ++++ b/server.m4 +@@ -31,6 +31,14 @@ PKG_CHECK_MODULES([DIRSRV], [dirsrv >= 1.3.0]) + # slapi-plugin.h includes nspr.h + DIRSRV_CFLAGS="$DIRSRV_CFLAGS $NSPR_CFLAGS" + ++bck_cflags="$CFLAGS" ++CFLAGS="$CFLAGS $DIRSRV_CFLAGS" ++AC_CHECK_DECL([SLAPI_OP_NOTE_MFA_AUTH], [ ++ AC_DEFINE(USE_OP_NOTE_MFA_AUTH,1, ++ [Use LDAP operation note for multi-factor LDAP BIND])], ++ [], [[#include ]]) ++CFLAGS="$bck_cflags" ++ + dnl -- sss_idmap is needed by the extdom exop -- + PKG_CHECK_MODULES([SSSIDMAP], [sss_idmap]) + PKG_CHECK_MODULES([SSSNSSIDMAP], [sss_nss_idmap >= 1.15.2]) +-- +2.44.0 + diff --git a/SOURCES/0065-ipa-pwd-extop-declare-operation-notes-support-from-3.patch b/SOURCES/0065-ipa-pwd-extop-declare-operation-notes-support-from-3.patch new file mode 100644 index 0000000..ad83976 --- /dev/null +++ b/SOURCES/0065-ipa-pwd-extop-declare-operation-notes-support-from-3.patch 
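Review bot: In the prepost.c hunk, the MFA note is keyed on `otpreq`, i.e. on whether a token was required for this bind, not on whether one was actually validated. If `ipapwd_pre_bind_otp` also validates a token that a user supplies when `otpreq` is false (its body is outside the hunk), those binds are multi-factor in fact but get no operation note, so the access and security logs would undercount MFA. Having `ipapwd_pre_bind_otp` report whether a token was actually checked (an out-parameter, for instance) and setting the note from that would log what happened rather than what was demanded. A short comment on the condition, `/* otpreq is the effective requirement: the client control or EnforceLDAPOTP */`, would also help, since `otpreq` is rewritten earlier in ipapwd_pre_bind. The function starts and ends outside the hunk.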
@@ -0,0 +1,42 @@
+From db804280eff7ab7dea50c797c3c951ae790af2e2 Mon Sep 17 00:00:00 2001
+From: Alexander Bokovoy
+Date: Thu, 14 Mar 2024 12:19:12 +0200
+Subject: [PATCH] ipa-pwd-extop: declare operation notes support from 389-ds
+ locally
+
+The function slapi_pblock_set_flag_operation_notes(); is defined in
+ldap/servers/slapd/pblock.c in 389-ds but is only available through
+slapi-private.h header, not through slapi-plugin.h public API.
+
+It was introduced in ~1.4.1.7 (~2019) via https://pagure.io/389-ds-base/issue/50349.
+
+Since we only use it with an MFA note, all versions of the 389-ds that
+will support MFA note will have this function.
+
+Fixes: https://pagure.io/freeipa/issue/9554
+
+Signed-off-by: Alexander Bokovoy
+Reviewed-By: Florence Blanc-Renaud
+---
+ daemons/ipa-slapi-plugins/ipa-pwd-extop/prepost.c | 5 +++++
+ 1 file changed, 5 insertions(+)
+
+diff --git a/daemons/ipa-slapi-plugins/ipa-pwd-extop/prepost.c b/daemons/ipa-slapi-plugins/ipa-pwd-extop/prepost.c
+index 43a7f54778382edd66da8f18c20de443ed98ab3d..cc170fc4b81f8ecad88f4ff4401b5651c43aaf55 100644
+--- a/daemons/ipa-slapi-plugins/ipa-pwd-extop/prepost.c
++++ b/daemons/ipa-slapi-plugins/ipa-pwd-extop/prepost.c
+@@ -1414,6 +1414,11 @@ done:
+ }
+
+
++#ifdef USE_OP_NOTE_MFA_AUTH
++/* defined in ldap/servers/slapd/pblock.c in 389-ds but not exposed via slapi-plugin.h */
++extern void slapi_pblock_set_flag_operation_notes(Slapi_PBlock *pb, uint32_t opflag);
++#endif
++
+ /* PRE BIND Operation
+ *
+ * Used for:
+--
+2.44.0
+
diff --git a/SOURCES/0066-dcerpc-invalidate-forest-trust-info-cache-when-filte.patch b/SOURCES/0066-dcerpc-invalidate-forest-trust-info-cache-when-filte.patch
new file mode 100644
index 0000000..a96d278
--- /dev/null
+++ b/SOURCES/0066-dcerpc-invalidate-forest-trust-info-cache-when-filte.patch
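Review bot: The added `extern void slapi_pblock_set_flag_operation_notes(Slapi_PBlock *pb, uint32_t opflag);` restates a private 389-ds prototype, so the compiler cannot check it against the real declaration, and the symbol is only resolved when ns-slapd loads the plugin: a 389-ds build that exposes `SLAPI_OP_NOTE_MFA_AUTH` (which the AC_CHECK_DECL in the 0064 patch's server.m4 tests) but does not export this function would produce a plugin that compiles yet fails to load. A configure-time check for the function itself, for example `AC_CHECK_LIB([slapd], [slapi_pblock_set_flag_operation_notes], ...)` gating USE_OP_NOTE_MFA_AUTH (the library name should follow the dirsrv pkg-config output), closes that gap. The comment on the declaration would also be more useful if it named the version the signature was taken from, e.g. `/* private 389-ds API, signature as of 1.4.1.7 (pblock.c); not in slapi-plugin.h */`, so a later ABI change is traceable.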
@@ -0,0 +1,53 @@
+From e95201fe2f816fc5cc795793782ea71642994a94 Mon Sep 17 00:00:00 2001
+From: Alexander Bokovoy
+Date: Mon, 11 Mar 2024 11:48:01 +0200
+Subject: [PATCH] dcerpc: invalidate forest trust info cache when filtering out
+ realm domains
+
+When get_realmdomains() method is called, it will filter out subdomains
+of the IPA primary domain. This is required because Active Directory
+domain controllers are assuming subdomains already covered by the main
+domain namespace.
+
+[MS-LSAD] 3.1.4.7.16.1, 'Forest Trust Collision Generation' defines the
+method of validating the forest trust information. They are the same as
+rules in [MS-ADTS] section 6.1.6. Specifically,
+
+ - A top-level name must not be superior to an enabled top-level name
+ for another trusted domain object, unless the current trusted domain
+ object has a corresponding exclusion record.
+
+In practice, we filtered those subdomains already but the code wasn't
+invalidating a previously retrieved forest trust information.
+
+Fixes: https://pagure.io/freeipa/issue/9551
+
+Signed-off-by: Alexander Bokovoy
+Reviewed-By: Florence Blanc-Renaud
+---
+ ipaserver/dcerpc.py | 2 ++
+ 1 file changed, 2 insertions(+)
+
+diff --git a/ipaserver/dcerpc.py b/ipaserver/dcerpc.py
+index ed9f0c0469d5f43da198c8447138530fb32c03c6..691da0332d60f51cd4e21e99625aa273be566baf 100644
+--- a/ipaserver/dcerpc.py
++++ b/ipaserver/dcerpc.py
+@@ -1103,6 +1103,7 @@ class TrustDomainInstance:
+
+ info.count = len(ftinfo_records)
+ info.entries = ftinfo_records
++ another_domain.ftinfo_data = info
+ return info
+
+ def clear_ftinfo_conflict(self, another_domain, cinfo):
+@@ -1778,6 +1779,7 @@ class TrustDomainJoins:
+ return
+
+ self.local_domain.ftinfo_records = []
++ self.local_domain.ftinfo_data = None
+
+ realm_domains = self.api.Command.realmdomains_show()['result']
+ # Use realmdomains' modification timestamp
+--
+2.44.0
+
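Review bot: Neither added line says what `ftinfo_data` caches or who consumes it, and the two hunks touch it on different objects (`another_domain` in TrustDomainInstance, `self.local_domain` in TrustDomainJoins), so the invalidation only takes effect if the caller passes the local domain as `another_domain`, which is not visible here. A comment on the first line such as `# Cache the generated forest trust info on the domain it describes; it is reset when realm domains are re-filtered` and on the second `# Drop cached forest trust info: the record list below is rebuilt` would document that contract. If `ftinfo_data` is not initialised in `TrustDomainInstance.__init__` (outside the hunk), code that consults it before the first generation raises AttributeError instead of seeing None; worth confirming. Both enclosing methods start outside the hunks.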
diff --git a/SOURCES/0067-ipatests-Fixes-for-test_ipahealthcheck_ipansschainva.patch b/SOURCES/0067-ipatests-Fixes-for-test_ipahealthcheck_ipansschainva.patch new file mode 100644 index 0000000..6b0faa6 --- /dev/null +++ b/SOURCES/0067-ipatests-Fixes-for-test_ipahealthcheck_ipansschainva.patch 
@@ -0,0 +1,68 @@ +From a1aa66dc59b55fef641dcf0539de0d3602f6a8a0 Mon Sep 17 00:00:00 2001 +From: Sudhir Menon +Date: Wed, 20 Mar 2024 14:29:46 +0530 +Subject: [PATCH] ipatests: Fixes for test_ipahealthcheck_ipansschainvalidation + testcases. + +Currently the test is using IPA_NSSDB_PWDFILE_TXT which is /etc/ipa/nssdb/pwdfile.txt +which causes error in STIG mode. + +[root@master slapd-TESTRELM-TEST]# certutil -M -n 'TESTRELM.TEST IPA CA' -t ',,' -d . -f /etc/ipa/nssdb/pwdfile.txt +Incorrect password/PIN entered. + +Hence modified the test to include paths.ETC_DIRSRV_SLAPD_INSTANCE_TEMPLATE/pwd.txt. + +Signed-off-by: Sudhir Menon +Reviewed-By: Florence Blanc-Renaud +Reviewed-By: Rob Crittenden +--- + ipatests/test_integration/test_ipahealthcheck.py | 11 ++++++----- + 1 file changed, 6 insertions(+), 5 deletions(-) + +diff --git a/ipatests/test_integration/test_ipahealthcheck.py b/ipatests/test_integration/test_ipahealthcheck.py +index 7323b073273bd95d7b62d19fd5afe03edb2a21da..7e8f7da3664a88f927ff80ae222780156676c40b 100644 +--- a/ipatests/test_integration/test_ipahealthcheck.py ++++ b/ipatests/test_integration/test_ipahealthcheck.py +@@ -2766,17 +2766,18 @@ class TestIpaHealthCheckWithExternalCA(IntegrationTest): + Fixture to remove Server cert and revert the change. 
+ """ + instance = realm_to_serverid(self.master.domain.realm) ++ instance_dir = paths.ETC_DIRSRV_SLAPD_INSTANCE_TEMPLATE % instance + self.master.run_command( + [ + "certutil", + "-L", + "-d", +- paths.ETC_DIRSRV_SLAPD_INSTANCE_TEMPLATE % instance, ++ instance_dir, + "-n", + "Server-Cert", + "-a", + "-o", +- paths.ETC_DIRSRV_SLAPD_INSTANCE_TEMPLATE % instance ++ instance_dir + + "/Server-Cert.pem", + ] + ) +@@ -2795,15 +2796,15 @@ class TestIpaHealthCheckWithExternalCA(IntegrationTest): + [ + "certutil", + "-d", +- paths.ETC_DIRSRV_SLAPD_INSTANCE_TEMPLATE % instance, ++ instance_dir, + "-A", + "-i", +- paths.ETC_DIRSRV_SLAPD_INSTANCE_TEMPLATE % instance ++ instance_dir + + "/Server-Cert.pem", + "-t", + "u,u,u", + "-f", +- paths.IPA_NSSDB_PWDFILE_TXT, ++ "%s/pwdfile.txt" % instance_dir, + "-n", + "Server-Cert", + ] +-- +2.44.0 + diff --git a/SPECS/freeipa.spec b/SPECS/freeipa.spec index e68c085..3582077 100644 --- a/SPECS/freeipa.spec +++ b/SPECS/freeipa.spec @@ -223,7 +223,7 @@ Name: %{package_name} Version: %{IPA_VERSION} -Release: 9%{?rc_version:.%rc_version}%{?dist} +Release: 10%{?rc_version:.%rc_version}%{?dist} Summary: The Identity, Policy and Audit system License: GPL-3.0-or-later @@ -309,6 +309,11 @@ Patch0059: 0059-ipa-kdb-Fix-double-free-in-ipadb_reinit_mspac.patch Patch0060: 0060-rpcserver-validate-Kerberos-principal-name-before-ru.patch Patch0061: 0061-validate_principal-Don-t-try-to-verify-that-the-real.patch Patch0062: 0062-Vault-add-additional-fallback-to-RSA-OAEP-wrapping-a.patch +Patch0063: 0063-ipa-pwd-extop-allow-enforcing-2FA-only-over-LDAP-bin.patch +Patch0064: 0064-ipa-pwd-extop-add-MFA-note-in-case-of-a-successful-L.patch +Patch0065: 0065-ipa-pwd-extop-declare-operation-notes-support-from-3.patch +Patch0066: 0066-dcerpc-invalidate-forest-trust-info-cache-when-filte.patch +Patch0067: 0067-ipatests-Fixes-for-test_ipahealthcheck_ipansschainva.patch Patch1001: 1001-Change-branding-to-IPA-and-Identity-Management.patch %endif %endif 
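Review bot: The commit message of the embedded 0067 patch says the test now uses `paths.ETC_DIRSRV_SLAPD_INSTANCE_TEMPLATE/pwd.txt`, but the code in the second hunk passes `"%s/pwdfile.txt" % instance_dir`; one of the two is wrong and the message should match the code. The second hunk also relies on `instance_dir`, which the first hunk defines about thirty lines earlier; that only works if both hunks are in the same fixture body, and since the function start and end are outside the shown hunks it is worth confirming the revert code is not a separate function. Style-wise, `instance_dir + "/Server-Cert.pem"` and the `%` format would read more consistently as `os.path.join(instance_dir, "Server-Cert.pem")` and `os.path.join(instance_dir, "pwdfile.txt")`, provided `os` is imported in the module.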
@@ -1801,6 +1806,11 @@ fi
 %endif
 
 %changelog
+* Fri Mar 29 2024 Florence Blanc-Renaud - 4.11.0-10
+- Resolves: RHEL-23377 Enforce OTP for ldap bind (in some scenarios)
+- Resolves: RHEL-29745 Unable to re-add broken AD trust - NT_STATUS_INVALID_PARAMETER
+- Resolves: RHEL-30905 Backport latest test fixes in ipa
+
 * Thu Mar 07 2024 Florence Blanc-Renaud - 4.11.0-9
 - Resolves: RHEL-28258 vault fails on non-fips client if server is in FIPS mode
 - Resolves: RHEL-26154 ipa: freeipa: specially crafted HTTP requests potentially lead to DoS or data exposure