From a3a1bed87ffd45752fa8edd340e9d2fe65e8eea9 Mon Sep 17 00:00:00 2001 From: James Antill Date: Thu, 23 Feb 2023 12:41:36 -0500 Subject: [PATCH] Import rpm: a249616514dc5d61acb879b22759acf8a0fb5963 --- .gitignore | 2 +- ...-from-a-specified-group_rhbz#2056009.patch | 41 +++++ ...ipa.spec-depend-on-bind-dnssec-utils.patch | 69 ++++++++ ...-arrow-notation-due-to-uglify-js-lim.patch | 60 +++++++ ...er-Fix-use-of-nameservers-with-ports.patch | 114 +++++++++++++ freeipa-4.9.11.tar.gz.asc | 16 ++ ipa.spec | 160 +++++++++++++++--- sources | 2 +- 8 files changed, 435 insertions(+), 29 deletions(-) create mode 100644 0001-updates-fix-memberManager-ACI-to-allow-managers-from-a-specified-group_rhbz#2056009.patch create mode 100644 1002-Revert-freeipa.spec-depend-on-bind-dnssec-utils.patch create mode 100644 1003-webui-IdP-Remove-arrow-notation-due-to-uglify-js-lim.patch create mode 100644 1004-Revert-DNSResolver-Fix-use-of-nameservers-with-ports.patch create mode 100644 freeipa-4.9.11.tar.gz.asc diff --git a/.gitignore b/.gitignore index d9c893f..a08d1d6 100644 --- a/.gitignore +++ b/.gitignore @@ -1 +1 @@ -SOURCES/freeipa-4.9.8.tar.gz +SOURCES/freeipa-4.9.11.tar.gz diff --git a/0001-updates-fix-memberManager-ACI-to-allow-managers-from-a-specified-group_rhbz#2056009.patch b/0001-updates-fix-memberManager-ACI-to-allow-managers-from-a-specified-group_rhbz#2056009.patch new file mode 100644 index 0000000..ecbb24f --- /dev/null +++ b/0001-updates-fix-memberManager-ACI-to-allow-managers-from-a-specified-group_rhbz#2056009.patch @@ -0,0 +1,41 @@ +From 651e28c1fb6b86ad1fbd4ea98644e00b7042499c Mon Sep 17 00:00:00 2001 +From: Alexander Bokovoy +Date: Dec 02 2022 12:21:22 +0000 +Subject: updates: fix memberManager ACI to allow managers from a specified group + + +The original implementation of the member manager added support for both +user and group managers but left out upgrade scenario. This means when +upgrading existing installation a manager whose rights defined by the +group membership would not be able to add group members until the ACI is +fixed. + +Remove old ACI and add a full one during upgrade step. + +Fixes: https://pagure.io/freeipa/issue/9286 +Signed-off-by: Alexander Bokovoy +Reviewed-By: Florence Blanc-Renaud + +--- + +diff --git a/install/updates/20-aci.update b/install/updates/20-aci.update +index a168bb9..4a7ba13 100644 +--- a/install/updates/20-aci.update ++++ b/install/updates/20-aci.update +@@ -141,11 +141,13 @@ add:aci:(targetattr = "usercertificate")(version 3.0;acl "selfservice:Users can + + # Allow member managers to modify members of user groups + dn: cn=groups,cn=accounts,$SUFFIX +-add:aci: (targetattr = "member")(targetfilter = "(objectclass=ipaUserGroup)")(version 3.0; acl "Allow member managers to modify members of user groups"; allow (write) userattr = "memberManager#USERDN";) ++remove:aci: (targetattr = "member")(targetfilter = "(objectclass=ipaUserGroup)")(version 3.0; acl "Allow member managers to modify members of user groups"; allow (write) userattr = "memberManager#USERDN";) ++add:aci: (targetattr = "member")(targetfilter = "(objectclass=ipaUserGroup)")(version 3.0; acl "Allow member managers to modify members of user groups"; allow (write) userattr = "memberManager#USERDN" or userattr = "memberManager#GROUPDN";) + + # Allow member managers to modify members of host groups + dn: cn=hostgroups,cn=accounts,$SUFFIX +-add:aci: (targetattr = "member")(targetfilter = "(objectclass=ipaHostGroup)")(version 3.0; acl "Allow member managers to modify members of host groups"; allow (write) userattr = "memberManager#USERDN";) ++remove:aci: (targetattr = "member")(targetfilter = "(objectclass=ipaHostGroup)")(version 3.0; acl "Allow member managers to modify members of host groups"; allow (write) userattr = "memberManager#USERDN";) ++add:aci: (targetattr = "member")(targetfilter = "(objectclass=ipaHostGroup)")(version 3.0; acl "Allow member managers to modify members of host groups"; allow (write) userattr = "memberManager#USERDN" or userattr = "memberManager#GROUPDN";) + + # Hosts can add and delete their own services + dn: cn=services,cn=accounts,$SUFFIX + diff --git a/1002-Revert-freeipa.spec-depend-on-bind-dnssec-utils.patch b/1002-Revert-freeipa.spec-depend-on-bind-dnssec-utils.patch new file mode 100644 index 0000000..e1a74ff --- /dev/null +++ b/1002-Revert-freeipa.spec-depend-on-bind-dnssec-utils.patch @@ -0,0 +1,69 @@ +From 0d44e959e5bbe822b51137a8e7cf48fa25533805 Mon Sep 17 00:00:00 2001 +From: Rafael Guterres Jeffman +Date: Fri, 10 Dec 2021 12:15:36 -0300 +Subject: [PATCH] Revert "freeipa.spec: depend on bind-dnssec-utils" + +This reverts commit f89d59b6e18b54967682f6a37ce92ae67ab3fcda. +--- + freeipa.spec.in | 4 +--- + ipaplatform/base/paths.py | 2 +- + ipaplatform/fedora/paths.py | 1 + + ipaserver/dnssec/bindmgr.py | 1 - + 4 files changed, 3 insertions(+), 5 deletions(-) + +diff --git a/freeipa.spec.in b/freeipa.spec.in +index 8f5c370e5..e20edb7bc 100755 +--- a/freeipa.spec.in ++++ b/freeipa.spec.in +@@ -576,11 +576,9 @@ Requires: %{name}-server = %{version}-%{release} + Requires: bind-dyndb-ldap >= 11.2-2 + Requires: bind >= %{bind_version} + Requires: bind-utils >= %{bind_version} +-# bind-dnssec-utils is required by the OpenDNSSec integration +-# https://pagure.io/freeipa/issue/9026 +-Requires: bind-dnssec-utils >= %{bind_version} + %if %{with bind_pkcs11} + Requires: bind-pkcs11 >= %{bind_version} ++Requires: bind-pkcs11-utils >= %{bind_version} + %else + Requires: softhsm >= %{softhsm_version} + Requires: openssl-pkcs11 >= %{openssl_pkcs11_version} +diff --git a/ipaplatform/base/paths.py b/ipaplatform/base/paths.py +index 7d21367ec..42a47f1df 100644 +--- a/ipaplatform/base/paths.py ++++ b/ipaplatform/base/paths.py +@@ -259,7 +259,6 @@ class BasePathNamespace: + IPA_PKI_RETRIEVE_KEY = "/usr/libexec/ipa/ipa-pki-retrieve-key" + IPA_HTTPD_PASSWD_READER = "/usr/libexec/ipa/ipa-httpd-pwdreader" + IPA_PKI_WAIT_RUNNING = "/usr/libexec/ipa/ipa-pki-wait-running" +- DNSSEC_KEYFROMLABEL = "/usr/sbin/dnssec-keyfromlabel" ++ DNSSEC_KEYFROMLABEL = "/usr/sbin/dnssec-keyfromlabel-pkcs11" +- DNSSEC_KEYFROMLABEL_9_17 = "/usr/bin/dnssec-keyfromlabel" + GETSEBOOL = "/usr/sbin/getsebool" + GROUPADD = "/usr/sbin/groupadd" +diff --git a/ipaplatform/fedora/paths.py b/ipaplatform/fedora/paths.py +index 4e993c063..92a948966 100644 +--- a/ipaplatform/fedora/paths.py ++++ b/ipaplatform/fedora/paths.py +@@ -36,6 +36,7 @@ class FedoraPathNamespace(RedHatPathNamespace): + NAMED_CRYPTO_POLICY_FILE = "/etc/crypto-policies/back-ends/bind.config" + if HAS_NFS_CONF: + SYSCONFIG_NFS = '/etc/nfs.conf' ++ DNSSEC_KEYFROMLABEL = "/usr/sbin/dnssec-keyfromlabel" + + + paths = FedoraPathNamespace() +diff --git a/ipaserver/dnssec/bindmgr.py b/ipaserver/dnssec/bindmgr.py +index 0c79cc03d..a15c0e601 100644 +--- a/ipaserver/dnssec/bindmgr.py ++++ b/ipaserver/dnssec/bindmgr.py +@@ -127,7 +127,6 @@ class BINDMgr: + ) + cmd = [ + paths.DNSSEC_KEYFROMLABEL, +- '-E', 'pkcs11', + '-K', workdir, + '-a', attrs['idnsSecAlgorithm'][0], + '-l', uri +-- +2.31.1 diff --git a/1003-webui-IdP-Remove-arrow-notation-due-to-uglify-js-lim.patch b/1003-webui-IdP-Remove-arrow-notation-due-to-uglify-js-lim.patch new file mode 100644 index 0000000..7928884 --- /dev/null +++ b/1003-webui-IdP-Remove-arrow-notation-due-to-uglify-js-lim.patch @@ -0,0 +1,60 @@ +From 7807bcc55b4927fc327830d2237200772d2e1106 Mon Sep 17 00:00:00 2001 +From: Rafael Guterres Jeffman +Date: Fri, 17 Jun 2022 15:40:04 -0300 +Subject: [PATCH] webui IdP: Remove arrow notation due to uglify-js limitation. + +uglify-js 2.x series do not support ECMAScript 6 arrow notation ('=>') +for callback definition. + +This patch changes the arrow definition callbacks for regular anonymous +function definitions. +--- + install/ui/src/freeipa/idp.js | 10 +++++----- + 1 file changed, 5 insertions(+), 5 deletions(-) + +diff --git a/install/ui/src/freeipa/idp.js b/install/ui/src/freeipa/idp.js +index ada09c075..be3c4f0e6 100644 +--- a/install/ui/src/freeipa/idp.js ++++ b/install/ui/src/freeipa/idp.js +@@ -227,7 +227,7 @@ IPA.add_idp_policy = function() { + // For custom template we show custom fields + // and mark all of them required and passed to the RPC + // If show_custom is false, the opposite happens +- custom_fields.forEach(fname => { ++ custom_fields.forEach(function(fname) { + widget_f = that.container.fields.get_field(fname); + widget_f.set_required(show_custom); + widget_f.set_enabled(show_custom); +@@ -235,7 +235,7 @@ IPA.add_idp_policy = function() { + }); + + // For template fields we show them if custom aren't shown +- template_fields.forEach(fname => { ++ template_fields.forEach(function(fname) { + widget_f = that.container.fields.get_field(fname); + widget_f.set_enabled(!show_custom); + widget_f.widget.set_visible(!show_custom); +@@ -252,7 +252,7 @@ IPA.add_idp_policy = function() { + var value = prov_f.get_value()[0]; + + // First, clear template fields from the previous provider choice +- template_fields.forEach(fname => { ++ template_fields.forEach(function(fname) { + widget_f = that.container.fields.get_field(fname); + widget_f.widget.set_visible(false); + widget_f.set_required(false); +@@ -260,9 +260,9 @@ IPA.add_idp_policy = function() { + }); + + // Second, enable and get required template-specific fields +- idp.templates.forEach(idp_v => { ++ idp.templates.forEach(function(idp_v) { + if (idp_v['value'] == value) { +- idp_v['fields'].forEach(fname => { ++ idp_v['fields'].forEach(function(fname) { + widget_f = that.container.fields.get_field(fname); + widget_f.set_required(true); + widget_f.set_enabled(true); +-- +2.36.1 + diff --git a/1004-Revert-DNSResolver-Fix-use-of-nameservers-with-ports.patch b/1004-Revert-DNSResolver-Fix-use-of-nameservers-with-ports.patch new file mode 100644 index 0000000..d5fe2d3 --- /dev/null +++ b/1004-Revert-DNSResolver-Fix-use-of-nameservers-with-ports.patch @@ -0,0 +1,114 @@ +From 9a33838407f244e481523fe643bc0626874e8b1a Mon Sep 17 00:00:00 2001 +From: Rafael Guterres Jeffman +Date: Mon, 19 Dec 2022 14:57:03 -0300 +Subject: [PATCH] Revert "DNSResolver: Fix use of nameservers with ports" + +This reverts commit 5e2e4664aec641886923c2bec61ce25b96edb62a. +--- + ipapython/dnsutil.py | 41 ------------------------- + ipatests/test_ipapython/test_dnsutil.py | 40 ------------------------ + 2 files changed, 81 deletions(-) + +diff --git a/ipapython/dnsutil.py b/ipapython/dnsutil.py +index 58de365ab..4baeaf8cc 100644 +--- a/ipapython/dnsutil.py ++++ b/ipapython/dnsutil.py +@@ -144,47 +144,6 @@ class DNSResolver(dns.resolver.Resolver): + nameservers.remove(ipv4_loopback) + self.nameservers = nameservers + +- @dns.resolver.Resolver.nameservers.setter +- def nameservers(self, nameservers): +- """ +- *nameservers*, a ``list`` of nameservers with optional ports: +- "SERVER_IP port PORT_NUMBER". +- +- Overloads dns.resolver.Resolver.nameservers setter to split off ports +- into nameserver_ports after setting nameservers successfully with the +- setter in dns.resolver.Resolver. +- """ +- # Get nameserver_ports if it is already set +- if hasattr(self, "nameserver_ports"): +- nameserver_ports = self.nameserver_ports +- else: +- nameserver_ports = {} +- +- # Check nameserver items in list and split out converted port number +- # into nameserver_ports: { nameserver: port } +- if isinstance(nameservers, list): +- _nameservers = [] +- for nameserver in nameservers: +- splits = nameserver.split() +- if len(splits) == 3 and splits[1] == "port": +- nameserver = splits[0] +- try: +- port = int(splits[2]) +- if port < 0 or port > 65535: +- raise ValueError() +- except ValueError: +- raise ValueError( +- "invalid nameserver: %s is not a valid port" % +- splits[2]) +- nameserver_ports[nameserver] = port +- _nameservers.append(nameserver) +- nameservers = _nameservers +- +- # Call dns.resolver.Resolver.nameservers setter +- dns.resolver.Resolver.nameservers.__set__(self, nameservers) +- # Set nameserver_ports after successfull call to setter +- self.nameserver_ports = nameserver_ports +- + + class DNSZoneAlreadyExists(dns.exception.DNSException): + supp_kwargs = {'zone', 'ns'} +diff --git a/ipatests/test_ipapython/test_dnsutil.py b/ipatests/test_ipapython/test_dnsutil.py +index 09463c69d..5e7a46197 100644 +--- a/ipatests/test_ipapython/test_dnsutil.py ++++ b/ipatests/test_ipapython/test_dnsutil.py +@@ -101,43 +101,3 @@ class TestSortURI: + assert dnsutil.sort_prio_weight([h3, h2, h1]) == [h1, h2, h3] + assert dnsutil.sort_prio_weight([h3, h3, h3]) == [h3] + assert dnsutil.sort_prio_weight([h2, h2, h1, h1]) == [h1, h2] +- +- +-class TestDNSResolver: +- def test_nameservers(self): +- res = dnsutil.DNSResolver() +- res.nameservers = ["4.4.4.4", "8.8.8.8"] +- assert res.nameservers == ["4.4.4.4", "8.8.8.8"] +- +- def test_nameservers_with_ports(self): +- res = dnsutil.DNSResolver() +- res.nameservers = ["4.4.4.4 port 53", "8.8.8.8 port 8053"] +- assert res.nameservers == ["4.4.4.4", "8.8.8.8"] +- assert res.nameserver_ports == {"4.4.4.4": 53, "8.8.8.8": 8053} +- +- res.nameservers = ["4.4.4.4 port 53", "8.8.8.8 port 8053"] +- assert res.nameservers == ["4.4.4.4", "8.8.8.8"] +- assert res.nameserver_ports == {"4.4.4.4": 53, "8.8.8.8": 8053} +- +- def test_nameservers_with_bad_ports(self): +- res = dnsutil.DNSResolver() +- try: +- res.nameservers = ["4.4.4.4 port a"] +- except ValueError: +- pass +- else: +- pytest.fail("No fail on bad port a") +- +- try: +- res.nameservers = ["4.4.4.4 port -1"] +- except ValueError: +- pass +- else: +- pytest.fail("No fail on bad port -1") +- +- try: +- res.nameservers = ["4.4.4.4 port 65536"] +- except ValueError: +- pass +- else: +- pytest.fail("No fail on bad port 65536") +-- +2.38.1 + diff --git a/freeipa-4.9.11.tar.gz.asc b/freeipa-4.9.11.tar.gz.asc new file mode 100644 index 0000000..47ddb7d --- /dev/null +++ b/freeipa-4.9.11.tar.gz.asc @@ -0,0 +1,16 @@ +-----BEGIN PGP SIGNATURE----- + +iQIzBAABCAAdFiEE11Z2TU1+KXxtrRFyaYdvcqbi008FAmOA8kcACgkQaYdvcqbi +00887g/9GTvueJCypiuTqxKsbkTbWamOyH3W+AqtHw9Ff+wM/hnkSloGizhQ4EZZ +4Zs1e6bfM1pGXT7DXU9WbiYtcVtUhY5l9SnT9moCMaG1z4aB7z9UCxsqsSCuy3bG +KQq6AO2z4DaqHiz6ez3QXi+MUCNnPziWmS3bLdDCrTK0PNxqiMPIotlXMgVFgDL7 +go/TAUvUL27zH4ELvG4parSGEKVEqe//RzXklOwGrInyj/4u42x7lUdO2ugOolCI +wNod8v+NWQWVgxNyhfTjP5VBZzO9wkGx4xruF2cAjVdjnIUGcG0FR3hI/bpi7Lyv +EmIozbQMK92MLel63E7Z/d5Jxfmuw/n1t5NrgSth+9hhWnBEpiaKkD2zAmUATqHf ++y4mbrtajmjzewEnfUnQfCvSLDPyTpnQKkRY8hUvk7u/J+/ZFWMQl9RdGNw3M0Zr +WrsqkKLK/n5IOHYHb/lBRaUidssKjQYFIvyNfHDP/lu6iiyLOpi5MIdk9BakO5wc +oDMk3w9xY7tPPmoesW40BThnAdOR9U4aad8zVvOxhMfzAYRwu95HGQoHnk7/rNut +IfzMZVjVTLQ8gyApcBlWzu/buiOoEXTKaMyzs0S9RMptknj5Xf0CGRz3bVrZRfJd +umyhD6/rNk3eZW/yEIv3IqFev0h1txTBPSTlczYUIz6uc7nx82E= +=8YVm +-----END PGP SIGNATURE----- diff --git a/ipa.spec b/ipa.spec index ec2a8c3..0c47ee0 100644 --- a/ipa.spec +++ b/ipa.spec @@ -68,8 +68,7 @@ %global krb5_kdb_version 8.0 # 0.7.16: https://github.com/drkjam/netaddr/issues/71 %global python_netaddr_version 0.7.19 -# Require 4.14.5-13 which brings CVE-2020-25717 fixes -%global samba_version 4.14.5-13 +%global samba_version 4.17.2-1 %global selinux_policy_version 3.14.3-52 %global slapi_nis_version 0.56.4 %global python_ldap_version 3.1.0-1 @@ -93,8 +92,7 @@ # 0.7.16: https://github.com/drkjam/netaddr/issues/71 %global python_netaddr_version 0.7.16 -# Require 4.14.6 which brings CVE-2020-25717 fixes -%global samba_version 2:4.14.6 +%global samba_version 2:4.17.2 # 3.14.5-45 or later includes a number of interfaces fixes for IPA interface %global selinux_policy_version 3.14.5-45 @@ -146,8 +144,8 @@ # RHEL 8.2+, F32+ has 3.58 %global nss_version 3.44.0-4 -# RHEL 8.3+, F32+ -%global sssd_version 2.4.0 +# RHEL 8.7+, F35+, adds IdP integration +%global sssd_version 2.7.0 %define krb5_base_version %(LC_ALL=C /usr/bin/pkgconf --modversion krb5 | grep -Eo '^[^.]+\.[^.]+' || echo %krb5_version) %global kdcproxy_version 0.4-3 @@ -178,7 +176,7 @@ # Work-around fact that RPM SPEC parser does not accept # "Version: @VERSION@" in freeipa.spec.in used for Autoconf string replacement -%define IPA_VERSION 4.9.8 +%define IPA_VERSION 4.9.11 # Release candidate version -- uncomment with one percent for RC versions #%%global rc_version %%nil %define AT_SIGN @ @@ -191,7 +189,7 @@ Name: %{package_name} Version: %{IPA_VERSION} -Release: 7%{?rc_version:.%rc_version}%{?dist} +Release: 3%{?rc_version:.%rc_version}%{?dist} Summary: The Identity, Policy and Audit system License: GPLv3+ @@ -211,24 +209,19 @@ Source1: https://releases.pagure.org/freeipa/freeipa-%{version}%{?rc_vers # RHEL spec file only: START %if %{NON_DEVELOPER_BUILD} %if 0%{?rhel} >= 8 -Patch0001: 0001-Revert-freeipa.spec-depend-on-bind-dnssec-utils.patch -Patch0002: 0002-Config-plugin-return-EmptyModlist-when-no-change-is-applied_rhbz#2031825.patch -Patch0003: 0003-Custodia-use-a-stronger-encryption-algo-when-exporting-keys_rhbz#2032806.patch -Patch0004: 0004-ipa-kdb-do-not-remove-keys-for-hardened-auth-enabled-users_rhbz#2033342.patch -Patch0005: 0005-ipa-pki-proxy.conf-provide-access-to-kra-admin-kra-getStatus_rhbz#2049167.patch -Patch0006: 0006-Backport-latest-test-fxes-in-python3-ipatests_rhbz#2048509.patch -Patch0007: 0007-Don-t-always-override-the-port-in-import_included_profiles_rhbz#2022483.patch -Patch0008: 0008-Remove-ipa-join-errors-from-behind-the-debug-option_rhbz#2048558.patch -Patch0009: 0009-Enable-the-ccache-sweep-timer-during-installation_rhbz#2051575.patch -Patch0010: 0010-ipatests-remove-additional-check-for-failed-units_rhbz#2053024.patch -Patch0011: 0011-ipa_cldap-fix-memory-leak_rhbz#2032738.patch -Patch0012: 0012-ipatests-fix-TestOTPToken-test_check_otpd_after_idle_timeout_rhbz#2053024.patch -Patch0013: 0013-Backport_test_fixes_in_python3_ipatests_rhbz#2057505.patch +Patch0001: 0001-updates-fix-memberManager-ACI-to-allow-managers-from-a-specified-group_rhbz#2056009.patch Patch1001: 1001-Change-branding-to-IPA-and-Identity-Management.patch +Patch1002: 1002-Revert-freeipa.spec-depend-on-bind-dnssec-utils.patch +Patch1003: 1003-webui-IdP-Remove-arrow-notation-due-to-uglify-js-lim.patch +# Due to behavior changes in python3-dns 2.2.0, IPA overrides the setting of the +# nameserver property inherited from dns.resolver.Resolver class to allow the +# setting of nameservers with custom ports. The method used is only needed, and +# only works, on version 2.2.0, or later, of python3-dns. For RHEL 8, which uses +# series 1.xx, the method override is not needed to provide the same behavior. +Patch1004: 1004-Revert-DNSResolver-Fix-use-of-nameservers-with-ports.patch %endif %endif # RHEL spec file only: END -Patch1101: 1101-Harden-FreeIPA-KDC-processing-of-PAC-buffers-20211130.patch # For the timestamp trick in patch application BuildRequires: diffstat @@ -298,6 +291,7 @@ BuildRequires: cracklib-dicts # Build dependencies for makeapi/makeaci # BuildRequires: python3-cffi +# RHEL 8 packages will not work with python3-dns 2.2.0 or newer. BuildRequires: python3-dns BuildRequires: python3-ldap >= %{python_ldap_version} BuildRequires: python3-libsss_nss_idmap @@ -325,7 +319,9 @@ BuildRequires: python3-wheel %if %{with doc} BuildRequires: python3-sphinx -BuildRequires: python3-m2r +BuildRequires: plantum1 +BuildRequires: fontconfig +BuildRequires: google-noto-sans-vf-fonts %endif # @@ -348,6 +344,7 @@ BuildRequires: python3-cryptography >= 1.6 BuildRequires: python3-custodia >= 0.3.1 BuildRequires: python3-dateutil BuildRequires: python3-dbus +# RHEL 8 packages will not work with python3-dns 2.2.0 or newer. BuildRequires: python3-dns >= 1.15 BuildRequires: python3-docker BuildRequires: python3-gssapi >= 1.2.0 @@ -422,7 +419,6 @@ Requires: nss-tools >= %{nss_version} Requires(post): krb5-server >= %{krb5_version} Requires(post): krb5-server >= %{krb5_base_version} Requires: krb5-kdb-version = %{krb5_kdb_version} -Requires: krb5-pkinit-openssl >= %{krb5_version} Requires: cyrus-sasl-gssapi%{?_isa} Requires: chrony Requires: httpd >= %{httpd_version} @@ -474,6 +470,8 @@ Requires: libpwquality Requires: cracklib-dicts # NDR libraries are internal in Samba and change with version without changing SONAME Requires: samba-client-libs >= %{samba_version} +# Due to RHBZ#2100916, libvert-libev is required by ipa-otp. +Requires: libverto-libev >= 0.3.2-1 Provides: %{alt_name}-server = %{version} Conflicts: %{alt_name}-server @@ -518,6 +516,7 @@ Requires: python3-augeas Requires: augeas-libs >= %{augeas_version} Requires: python3-custodia >= 0.3.1 Requires: python3-dbus +# RHEL 8 packages will not work with python3-dns 2.2.0 or newer. Requires: python3-dns >= 1.15 Requires: python3-gssapi >= 1.2.0 Requires: python3-ipaclient = %{version}-%{release} @@ -648,7 +647,14 @@ Requires: python3-sssdconfig >= %{sssd_version} Requires: cyrus-sasl-gssapi%{?_isa} Requires: chrony Requires: krb5-workstation >= %{krb5_version} -Requires: authselect >= 0.4-2 +# Support pkinit with client install +Requires: krb5-pkinit-openssl >= %{krb5_version} +# authselect: sssd profile with-subid +%if 0%{?fedora} >= 36 +Requires: authselect >= 1.4.0 +%else +Requires: authselect >= 1.2.5 +%endif Requires: curl # NIS domain name config: /usr/lib/systemd/system/*-domainname.service # All Fedora 28+ and RHEL8+ contain the service in hostname package @@ -660,6 +666,7 @@ Requires: xmlrpc-c >= 1.27.4 Requires: jansson %endif Requires: sssd-ipa >= %{sssd_version} +Requires: sssd-idp >= %{sssd_version} Requires: certmonger >= %{certmonger_version} Requires: nss-tools >= %{nss_version} Requires: bind-utils @@ -741,6 +748,7 @@ Requires: %{name}-common = %{version}-%{release} Requires: python3-ipalib = %{version}-%{release} Requires: python3-augeas Requires: augeas-libs >= %{augeas_version} +# RHEL 8 packages will not work with python3-dns 2.2.0 or newer. Requires: python3-dns >= 1.15 Requires: python3-jinja2 @@ -821,6 +829,7 @@ Requires: python3-cffi Requires: python3-cryptography >= 1.6 Requires: python3-dateutil Requires: python3-dbus +# RHEL 8 packages will not work with python3-dns 2.2.0 or newer. Requires: python3-dns >= 1.15 Requires: python3-gssapi >= 1.2.0 Requires: python3-jwcrypto >= 0.4.2 @@ -1051,6 +1060,7 @@ rm %{buildroot}/%{plugin_dir}/libipa_extdom_extop.la rm %{buildroot}/%{plugin_dir}/libipa_range_check.la rm %{buildroot}/%{plugin_dir}/libipa_otp_counter.la rm %{buildroot}/%{plugin_dir}/libipa_otp_lasttoken.la +rm %{buildroot}/%{plugin_dir}/libipa_graceperiod.la rm %{buildroot}/%{plugin_dir}/libtopology.la rm %{buildroot}/%{_libdir}/krb5/plugins/kdb/ipadb.la rm %{buildroot}/%{_libdir}/samba/pdb/ipasam.la @@ -1234,6 +1244,7 @@ if [ $1 -gt 1 ] ; then %{__python3} -c 'from ipaclient.install.client import configure_krb5_snippet; configure_krb5_snippet()' >>/var/log/ipaupgrade.log 2>&1 %{__python3} -c 'from ipaclient.install.client import update_ipa_nssdb; update_ipa_nssdb()' >>/var/log/ipaupgrade.log 2>&1 + chmod 0600 /var/log/ipaupgrade.log SSH_CLIENT_SYSTEM_CONF="/etc/ssh/ssh_config" if [ -f "$SSH_CLIENT_SYSTEM_CONF" ]; then sed -E --in-place=.orig 's/^(HostKeyAlgorithms ssh-rsa,ssh-dss)$/# disabled by ipa-client update\n# \1/' "$SSH_CLIENT_SYSTEM_CONF" @@ -1409,6 +1420,7 @@ fi %attr(755,root,root) %{plugin_dir}/libipa_sidgen.so %attr(755,root,root) %{plugin_dir}/libipa_sidgen_task.so %attr(755,root,root) %{plugin_dir}/libipa_extdom_extop.so +%attr(755,root,root) %{plugin_dir}/libipa_graceperiod.so %attr(755,root,root) %{_libdir}/krb5/plugins/kdb/ipadb.so %{_mandir}/man1/ipa-replica-conncheck.1* %{_mandir}/man1/ipa-replica-install.1* @@ -1708,12 +1720,106 @@ fi %if %{with selinux} %files selinux %{_datadir}/selinux/packages/%{selinuxtype}/%{modulename}.pp.* -%ghost %{_sharedstatedir}/selinux/%{selinuxtype}/active/modules/200/%{modulename} +%ghost %verify(not md5 size mode mtime) %{_sharedstatedir}/selinux/%{selinuxtype}/active/modules/200/%{modulename} # with selinux %endif - %changelog +* Mon Dec 19 2022 Rafael Jeffman - 4.9.11-3 +- Revert DNSResolver Fix use of nameservers with ports. + Related: RHBZ#2141316 + +* Fri Dec 16 2022 Rafael Jeffman - 4.9.11-2 +- webui IdP: Remove arrow notation due to uglify-js limitation + Related: RHBZ#2141316 + +* Wed Dec 14 2022 Rafael Jeffman - 4.9.11-1 +- Rebase ipa to 4.9.11 + Resolves: RHBZ#2141316 +- updates: fix memberManager ACI to allow managers from a specified group + Resolves: RHBZ#2056009 +- Defer creating the final krb5.conf on clients + Resolves: RHBZ#2148259 +- Exclude installed policy module file from RPM verification + Resolves: RHBZ#2149567 +- Spec file: ipa-client depends on krb5-pkinit-openssl + Resolves: RHBZ#2149889 + +* Thu Nov 24 2022 Rafael Jeffman - 4.9.10-8 +- ipa man page format the EXAMPLES section + Resolves: RHBZ#2129895 +- Fix canonicalization issue in Web UI + Resolves: RHBZ#2127035 +- Remove idnssoaserial argument from dns zone API. + Resolves: RHBZ#2108630 +- Warn for permissions with read/write/search/compare and no attrs + Resolves: RHBZ#2098187 +- Add PKINIT support to ipa-client-install + Resolves: RHBZ#2075452 +- Generate CNAMEs for TXT+URI location krb records + Resolves: RHBZ#2104185 +- Vault: fix interoperability issues with older RHEL systems + Resolves: RHBZ#2144737 +- Fix typo on ipaupgrade.log chmod during RPM %post snipppet + Resolves: RHBZ#2140994 + +* Tue Nov 1 2022 Rafael Jeffman - 4.9.10-7 +- Rebuild to samba 4.17.2. + Related: RHBZ#2132051 + +* Mon Aug 22 2022 Rafael Jeffman - 4.9.10-6 +- webui: Allow grace login limit + Resolves: RHBZ#2109243 +- check_repl_update: in progress is a boolean + Resolves: RHBZ#2117303 +- Disabling gracelimit does not prevent LDAP binds + Resolves: RHBZ#2109236 +- Set passwordgracelimit to match global policy on group pw policies + Resolves: RHBZ#2115475 + +* Tue Jul 19 2022 Rafael Jeffman - 4.9.10-5 +- webui: Do not allow empty pagination size + Resolves: RHBZ#2094672 + +* Tue Jul 12 2022 Rafael Jeffman - 4.9.10-4 +- Add end to end integration tests for external IdP + Resolves: RHBZ#2106346 + +* Thu Jul 07 2022 Rafael Jeffman - 4.9.10-3 +- Add explicit dependency for libvert-libev + Resolves: RHBZ#2104929 + +* Fri Jul 01 2022 Rafael Jeffman - 4.9.10-2 +- Preserve user: fix the confusing summary + Resolves: RHBZ#2022028 +- Only calculate LDAP password grace when the password is expired + Related: RHBZ#782917 + +* Wed Jun 15 2022 Rafael Jeffman - 4.9.10-1 +- Rebase to upstream release 4.9.10 + Remove upstream patches 0002 to 0016 that are part of version 4.9.10 + Remove patches 1101 that is part of version 4.9.10 + Rename patch 0001 to 1002 as it will be used in future RHEL 8 releases + Add patches 0001 and 0002 to fix build on RHEL 8.7 + Resolves: RHBZ#2079466 + Resolves: RHBZ#2063155 + Resolves: RHBZ#1958777 + Resolves: RHBZ#2068088 + Resolves: RHBZ#2004646 + Resolves: RHBZ#782917 + Resolves: RHBZ#2059396 + Resolves: RHBZ#2092015 + +* Tue Apr 5 2022 Rafael Jeffman - 4.9.8-8 +- Backport latest test fixes in python3-ipatests + Resolves: RHBZ#2060841 +- extdom: user getorigby{user|group}name if available + Resolves: RHBZ#2062379 +- Set the mode on ipaupgrade.log during RPM post snipppet + Resolves: RHBZ#2061957 +- test_krbtpolicy: skip SPAKE-related tests in FIPS mode + Resolves: RHBZ#1909630 + * Thu Feb 24 2022 Rafael Jeffman - 4.9.8-7 - ipatests: Backport test fixes in python3-ipatests. Resolves: RHBZ#2057505 diff --git a/sources b/sources index ae8dded..e4f836a 100644 --- a/sources +++ b/sources @@ -1 +1 @@ -SHA512 (freeipa-4.9.8.tar.gz) = 2fc27c5eb6f3fd0ed8cdba7668f72da3c5a84ec089159bd1dfde44b1d4abefb1280a18d559979b2167ba942facbf33e6d80fa32ee1af2b6881ecdf9162b6b32e +SHA1 (freeipa-4.9.11.tar.gz) = 4ef188d43f5f2a09e214dd2bae68595a5977bb61