rpms/ipa
5
0
Fork 0
Code Issues Pull Requests Releases Activity

ipa-4.10.1-1

Browse Source 
- Resolves: rhbz#2141315
[Rebase] Rebase ipa to latest 4.10.x release for RHEL 9.2
- Resolves: rhbz#2094673
ipa-client-install should just use system wide CA store and do not specify TLS_CACERT in ldap.conf
- Resolves: rhbz#2117167
After leapp upgrade on ipa-client ipa-server package installation failed. (`REQ_FULL_WITH_MEMBERS` returns object from wrong domain)
- Resolves: rhbz#2127833
Password Policy Grace login limit allows invalid maximum value
- Resolves: rhbz#2143224
[RFE] add certificate support to ipa-client instead of one time password
- Resolves: rhbz#2144736
vault interoperability with older RHEL systems is broken
- Resolves: rhbz#2148258
ipa-client-install does not maintain server affinity during installation
- Resolves: rhbz#2148379
Add warning for empty targetattr when creating ACI with RBAC
- Resolves: rhbz#2148380
OTP token sync always returns OK even with random numbers
- Resolves: rhbz#2148381
Deprecated feature idnssoaserial in IdM appears when creating reverse dns zones
- Resolves: rhbz#2148382
Introduction of URI records for kerberos breaks location functionality

Signed-off-by: Florence Blanc-Renaud <flo@redhat.com>
This commit is contained in:
Florence Blanc-Renaud 2022-11-25 13:43:35 +01:00
parent 0e045611f2
commit b01c9f88f3
18 changed files with 44 additions and 17056 deletions
Show Stats Download Patch File Download Diff File Expand all files Collapse all files

2
.gitignore vendored
View File

@ -116,3 +116,5 @@
/freeipa-4.9.10.tar.gz.asc
/freeipa-4.10.0.tar.gz
/freeipa-4.10.0.tar.gz.asc
/freeipa-4.10.1.tar.gz
/freeipa-4.10.1.tar.gz.asc

56
0001-Only-calculate-LDAP-password-grace-when-the-password.patch
View File

@ -1,56 +0,0 @@
From 22d1392a8a0d2887c389dcd78be06104cff88d30 Mon Sep 17 00:00:00 2001
From: Rob Crittenden <rcritten@redhat.com>
Date: Wed, 29 Jun 2022 13:25:55 +0000
Subject: [PATCH] Only calculate LDAP password grace when the password is
expired
The user's pwd expiration was retrieved but inadvertently was never
compared to current time. So any LDAP bind, including from the
IPA API, counted against the grace period. There is no need to go
through the graceperiod code for non-expired passwords.
https://pagure.io/freeipa/issue/1539
Signed-off-by: Rob Crittenden <rcritten@redhat.com>
Reviewed-By: Florence Blanc-Renaud <frenaud@redhat.com>
---
.../ipa-graceperiod/ipa_graceperiod.c | 12 +++++++++---
1 file changed, 9 insertions(+), 3 deletions(-)
diff --git a/daemons/ipa-slapi-plugins/ipa-graceperiod/ipa_graceperiod.c b/daemons/ipa-slapi-plugins/ipa-graceperiod/ipa_graceperiod.c
index 0860b5c20fc86687f80ee6f2426e23c87123130f..a3f57cb4bd7a2a66d70fae98cca0f62a8f0c017f 100644
--- a/daemons/ipa-slapi-plugins/ipa-graceperiod/ipa_graceperiod.c
+++ b/daemons/ipa-slapi-plugins/ipa-graceperiod/ipa_graceperiod.c
@@ -359,7 +359,8 @@ static int ipagraceperiod_preop(Slapi_PBlock *pb)
Slapi_ValueSet *values = NULL;
long grace_limit = 0;
int grace_user_time;
- char *pwd_expiration = NULL;
+ char *tmpstr = NULL;
+ time_t pwd_expiration;
int pwresponse_requested = 0;
Slapi_PBlock *pbtm = NULL;
Slapi_Mods *smods = NULL;
@@ -414,12 +415,17 @@ static int ipagraceperiod_preop(Slapi_PBlock *pb)
}
slapi_value_free(&objectclass);
- pwd_expiration = slapi_entry_attr_get_charptr(target_entry, "krbPasswordExpiration");
- if (pwd_expiration == NULL) {
+ tmpstr = slapi_entry_attr_get_charptr(target_entry, "krbPasswordExpiration");
+ if (tmpstr == NULL) {
/* No expiration means nothing to do */
LOG_TRACE("No krbPasswordExpiration for %s, nothing to do\n", dn);
goto done;
}
+ pwd_expiration = ipapwd_gentime_to_time_t(tmpstr);
+ if (pwd_expiration > time(NULL)) {
+ /* Not expired, nothing to see here */
+ goto done;
+ }
ldrc = ipagraceperiod_getpolicy(target_entry, &policy_entry,
&values, &actual_type_name,
--
2.36.1

67
0002-webui-Do-not-allow-empty-pagination-size.patch
View File

@ -1,67 +0,0 @@
From 02d3fb8266d8199fd1ed983de6c57b269546df82 Mon Sep 17 00:00:00 2001
From: Armando Neto <abiagion@redhat.com>
Date: Fri, 8 Jul 2022 15:56:31 -0300
Subject: [PATCH] webui: Do not allow empty pagination size
Pagination size must be required, the current validators are triggered after
form is submitted, thus the only way for check if data is not empty is by making
the field required.
Fixes: https://pagure.io/freeipa/issue/9192
Signed-off-by: Armando Neto <abiagion@redhat.com>
Reviewed-By: Florence Blanc-Renaud <frenaud@redhat.com>
---
.../ui/src/freeipa/Application_controller.js | 1 +
ipatests/test_webui/test_misc_cases.py | 19 +++++++++++++++++++
2 files changed, 20 insertions(+)
diff --git a/install/ui/src/freeipa/Application_controller.js b/install/ui/src/freeipa/Application_controller.js
index 46aabc9c4dd47aa3874cb3ddf27da048607b7516..140ee8fe0d7adc274396248aae0be2f4559db27a 100644
--- a/install/ui/src/freeipa/Application_controller.js
+++ b/install/ui/src/freeipa/Application_controller.js
@@ -318,6 +318,7 @@ define([
$type: 'text',
name: 'pagination_size',
label: '@i18n:customization.table_pagination',
+ required: true,
validators: ['positive_integer']
}
]
diff --git a/ipatests/test_webui/test_misc_cases.py b/ipatests/test_webui/test_misc_cases.py
index 5f7ffb54ee33e9b453d6b987b7bf84d6f4311ebd..aca9e1a99e1e2cf60790fe8c33a65430e0d535e2 100644
--- a/ipatests/test_webui/test_misc_cases.py
+++ b/ipatests/test_webui/test_misc_cases.py
@@ -11,6 +11,11 @@ from ipatests.test_webui.ui_driver import screenshot
import pytest
import re
+try:
+ from selenium.webdriver.common.by import By
+except ImportError:
+ pass
+
@pytest.mark.tier1
class TestMiscCases(UI_driver):
@@ -26,3 +31,17 @@ class TestMiscCases(UI_driver):
ver_re = re.compile('version: .*')
assert re.search(ver_re, about_text), 'Version not found'
self.dialog_button_click('ok')
+
+ @screenshot
+ def test_customization_pagination_input_required(self):
+ """Test if 'pagination size' is required when submitting the form."""
+ self.init_app()
+
+ self.profile_menu_action('configuration')
+ self.fill_input('pagination_size', '')
+ self.dialog_button_click('save')
+
+ pagination_size_elem = self.find(
+ ".widget[name='pagination_size']", By.CSS_SELECTOR)
+
+ self.assert_field_validation_required(parent=pagination_size_elem)
--
2.36.1

15825
0003-ipatests-add-nightly-definitions-for-ipa-4-10-branch.patch
View File

File diff suppressed because it is too large Load Diff

69
0004-Added-a-check-while-removing-cert_dir-.-The-teardown.patch
View File

@ -1,69 +0,0 @@
From aca97507cd119ad55e0c3c18ca65087cb5576c82 Mon Sep 17 00:00:00 2001
From: Sumedh Sidhaye <ssidhaye@redhat.com>
Date: Mon, 13 Jun 2022 13:49:08 +0530
Subject: [PATCH] Added a check while removing 'cert_dir'. The teardown method
is called even if all the tests are skipped since the required PKI version is
not present. The teardown is trying to remove a non-existent directory.
Currently the cert_dir attribute is only present if IPA installation was
done. If IPA was not installed the attribute does not exist.
In order that the uninstall code finds the attribute a class attribute
is added.
Pagure Issue: https://pagure.io/freeipa/issue/9179
Signed-off-by: Sumedh Sidhaye <ssidhaye@redhat.com>
Reviewed-By: Florence Blanc-Renaud <flo@redhat.com>
Reviewed-By: Rob Crittenden <rcritten@redhat.com>
---
ipatests/test_integration/test_caless.py | 12 +++++++++++-
.../test_integration/test_random_serial_numbers.py | 6 ++++++
2 files changed, 17 insertions(+), 1 deletion(-)
diff --git a/ipatests/test_integration/test_caless.py b/ipatests/test_integration/test_caless.py
index 96f477bbe4b0e25184605a80659b5ec6529a2320..4c370f77e84215714e533b1b6ebeb89216319c0f 100644
--- a/ipatests/test_integration/test_caless.py
+++ b/ipatests/test_integration/test_caless.py
@@ -122,6 +122,15 @@ def replica_install_teardown(func):
class CALessBase(IntegrationTest):
+ # The teardown method is called even if all the tests are skipped
+ # since the required PKI version is not present.
+ # The teardown is trying to remove a non-existent directory.
+ # Currently the cert_dir attribute is only present if IPA installation was
+ # done. If IPA was not installed the attribute does not exist.
+ # In order that the uninstall code finds the attribute a class attribute
+ # is added.
+ cert_dir = None
+
@classmethod
def install(cls, mh):
cls.cert_dir = tempfile.mkdtemp(prefix="ipatest-")
@@ -164,7 +173,8 @@ class CALessBase(IntegrationTest):
@classmethod
def uninstall(cls, mh):
# Remove the NSS database
- shutil.rmtree(cls.cert_dir)
+ if cls.cert_dir:
+ shutil.rmtree(cls.cert_dir)
super(CALessBase, cls).uninstall(mh)
@classmethod
diff --git a/ipatests/test_integration/test_random_serial_numbers.py b/ipatests/test_integration/test_random_serial_numbers.py
index a931c7b562f00f94e10d1e9e891fbf0624d5fd88..c52cfa4ed50e2718791b0844d743fb240d26b365 100644
--- a/ipatests/test_integration/test_random_serial_numbers.py
+++ b/ipatests/test_integration/test_random_serial_numbers.py
@@ -64,3 +64,9 @@ class TestServerCALessToExternalCA_RSN(TestServerCALessToExternalCA):
if not pki_supports_RSNv3(mh.master):
raise pytest.skip("RNSv3 not supported")
super(TestServerCALessToExternalCA_RSN, cls).install(mh)
+
+ @classmethod
+ def uninstall(cls, mh):
+ if not pki_supports_RSNv3(mh.master):
+ raise pytest.skip("RSNv3 not supported")
+ super(TestServerCALessToExternalCA_RSN, cls).uninstall(mh)
--
2.37.2

55
0005-ipatests-healthcheck-test-if-system-is-FIPS-enabled.patch
View File

@ -1,55 +0,0 @@
From c55185d3dc3c6cd2ffebab77fbf8caa40a32bcd1 Mon Sep 17 00:00:00 2001
From: Erik <ebelko@redhat.com>
Date: Mon, 18 Jul 2022 11:59:24 +0200
Subject: [PATCH] ipatests: healthcheck: test if system is FIPS enabled
Test if FIPS is enabled and the check exists.
Related: https://pagure.io/freeipa/issue/8951
Signed-off-by: Erik Belko <ebelko@redhat.com>
Reviewed-By: Michal Polovka <mpolovka@redhat.com>
Reviewed-By: Rob Crittenden <rcritten@redhat.com>
---
.../test_integration/test_ipahealthcheck.py | 25 +++++++++++++++++++
1 file changed, 25 insertions(+)
diff --git a/ipatests/test_integration/test_ipahealthcheck.py b/ipatests/test_integration/test_ipahealthcheck.py
index 23af09f3a7eaa8012e7a898ce6a534d1fad45323..a0c85f79e6e84f9e63072c6d70276480e4af97ad 100644
--- a/ipatests/test_integration/test_ipahealthcheck.py
+++ b/ipatests/test_integration/test_ipahealthcheck.py
@@ -340,6 +340,31 @@ class TestIpaHealthCheck(IntegrationTest):
assert returncode == 0
assert output == "No issues found."
+ def test_ipa_healthcheck_fips_enabled(self):
+ """
+ Test if FIPS is enabled and the check exists.
+
+ https://pagure.io/freeipa/issue/8951
+ """
+ returncode, check = run_healthcheck(self.master,
+ source="ipahealthcheck.meta.core",
+ check="MetaCheck",
+ output_type="json",
+ failures_only=False)
+ assert returncode == 0
+
+ cmd = self.master.run_command(['fips-mode-setup', '--is-enabled'],
+ raiseonerr=False)
+ returncode = cmd.returncode
+
+ # If this produces IndexError, the check does not exist
+ if check[0]["kw"]["fips"] == "disabled":
+ assert returncode == 2
+ elif check[0]["kw"]["fips"] == "enabled":
+ assert returncode == 0
+ else:
+ assert returncode == 1
+
def test_ipa_healthcheck_after_certupdate(self):
"""
Verify that ipa-certupdate hasn't messed up tracking
--
2.37.2

125
0006-Disabling-gracelimit-does-not-prevent-LDAP-binds.patch
View File

@ -1,125 +0,0 @@
From 1bb4ff9ed2313fb3c2bd1418258c5bcec557b6a5 Mon Sep 17 00:00:00 2001
From: Rob Crittenden <rcritten@redhat.com>
Date: Thu, 21 Jul 2022 09:28:46 -0400
Subject: [PATCH] Disabling gracelimit does not prevent LDAP binds
Originally the code treated 0 as disabled. This was
changed during the review process to -1 but one remnant
was missed effetively allowing gracelimit 0 to also mean
disabled.
Add explicit tests for testing with gracelimit = 0 and
gracelimit = -1.
Also remove some extranous "str(self.master.domain.basedn)"
lines from some of the tests.
Fixes: https://pagure.io/freeipa/issue/9206
Signed-off-by: Rob Crittenden <rcritten@redhat.com>
Reviewed-By: Francisco Trivino <ftrivino@redhat.com>
---
.../ipa-graceperiod/ipa_graceperiod.c | 2 +-
ipatests/test_integration/test_pwpolicy.py | 55 ++++++++++++++++++-
2 files changed, 53 insertions(+), 4 deletions(-)
diff --git a/daemons/ipa-slapi-plugins/ipa-graceperiod/ipa_graceperiod.c b/daemons/ipa-slapi-plugins/ipa-graceperiod/ipa_graceperiod.c
index a3f57cb4bd7a2a66d70fae98cca0f62a8f0c017f..345e1dee7d163167373ca82dedb1e827f0e1bc8c 100644
--- a/daemons/ipa-slapi-plugins/ipa-graceperiod/ipa_graceperiod.c
+++ b/daemons/ipa-slapi-plugins/ipa-graceperiod/ipa_graceperiod.c
@@ -479,7 +479,7 @@ static int ipagraceperiod_preop(Slapi_PBlock *pb)
if (pwresponse_requested) {
slapi_pwpolicy_make_response_control(pb, -1, grace_limit - grace_user_time , -1);
}
- } else if ((grace_limit > 0) && (grace_user_time >= grace_limit)) {
+ } else if (grace_user_time >= grace_limit) {
LOG_TRACE("%s password is expired and out of grace limit\n", dn);
errstr = "Password is expired.\n";
ret = LDAP_INVALID_CREDENTIALS;
diff --git a/ipatests/test_integration/test_pwpolicy.py b/ipatests/test_integration/test_pwpolicy.py
index 6d66982848ac5a0061b47d30fad022be055c93e4..41d6e9070a90c2bde7b3182ad6ecf1a923bba203 100644
--- a/ipatests/test_integration/test_pwpolicy.py
+++ b/ipatests/test_integration/test_pwpolicy.py
@@ -36,7 +36,7 @@ class TestPWPolicy(IntegrationTest):
cls.master.run_command(['ipa', 'group-add-member', POLICY,
'--users', USER])
cls.master.run_command(['ipa', 'pwpolicy-add', POLICY,
- '--priority', '1'])
+ '--priority', '1', '--gracelimit', '-1'])
cls.master.run_command(['ipa', 'passwd', USER],
stdin_text='{password}\n{password}\n'.format(
password=PASSWORD
@@ -265,7 +265,6 @@ class TestPWPolicy(IntegrationTest):
def test_graceperiod_expired(self):
"""Test the LDAP bind grace period"""
- str(self.master.domain.basedn)
dn = "uid={user},cn=users,cn=accounts,{base_dn}".format(
user=USER, base_dn=str(self.master.domain.basedn))
@@ -308,7 +307,6 @@ class TestPWPolicy(IntegrationTest):
def test_graceperiod_not_replicated(self):
"""Test that the grace period is reset on password reset"""
- str(self.master.domain.basedn)
dn = "uid={user},cn=users,cn=accounts,{base_dn}".format(
user=USER, base_dn=str(self.master.domain.basedn))
@@ -341,3 +339,54 @@ class TestPWPolicy(IntegrationTest):
)
assert 'passwordgraceusertime: 0' in result.stdout_text.lower()
self.reset_password(self.master)
+
+ def test_graceperiod_zero(self):
+ """Test the LDAP bind with zero grace period"""
+ dn = "uid={user},cn=users,cn=accounts,{base_dn}".format(
+ user=USER, base_dn=str(self.master.domain.basedn))
+
+ self.master.run_command(
+ ["ipa", "pwpolicy-mod", POLICY, "--gracelimit", "0", ],
+ )
+
+ # Resetting the password will mark it as expired
+ self.reset_password(self.master)
+
+ # Now grace is done and binds should fail.
+ result = self.master.run_command(
+ ["ldapsearch", "-e", "ppolicy", "-D", dn,
+ "-w", PASSWORD, "-b", dn], raiseonerr=False
+ )
+ assert result.returncode == 49
+
+ assert 'Password is expired' in result.stderr_text
+ assert 'Password expired, 0 grace logins remain' in result.stderr_text
+
+ def test_graceperiod_disabled(self):
+ """Test the LDAP bind with grace period disabled (-1)"""
+ str(self.master.domain.basedn)
+ dn = "uid={user},cn=users,cn=accounts,{base_dn}".format(
+ user=USER, base_dn=str(self.master.domain.basedn))
+
+ # This can fail if gracelimit is already -1 so ignore it
+ self.master.run_command(
+ ["ipa", "pwpolicy-mod", POLICY, "--gracelimit", "-1",],
+ raiseonerr=False,
+ )
+
+ # Ensure the password is expired
+ self.reset_password(self.master)
+
+ result = self.kinit_as_user(self.master, PASSWORD, PASSWORD)
+
+ for _i in range(0, 10):
+ result = self.master.run_command(
+ ["ldapsearch", "-e", "ppolicy", "-D", dn,
+ "-w", PASSWORD, "-b", dn]
+ )
+
+ # With graceperiod disabled it should not increment
+ result = tasks.ldapsearch_dm(
+ self.master, dn, ['passwordgraceusertime',],
+ )
+ assert 'passwordgraceusertime: 0' in result.stdout_text.lower()
--
2.37.2

144
0007-ipatests-ipa-client-install-subid-adds-entry-in-nssw.patch
View File

@ -1,144 +0,0 @@
From a39af6b7228d8ba85b9e97aa5decbc056d081c77 Mon Sep 17 00:00:00 2001
From: Sudhir Menon <sumenon@redhat.com>
Date: Thu, 23 Jun 2022 16:14:39 +0530
Subject: [PATCH] ipatests: ipa-client-install --subid adds entry in
nsswitch.conf
This testcase checks that when ipa-client-install command
is run with --subid option, /etc/nsswitch.conf file is updated
with the below entry
subid: nss
Related: https://pagure.io/freeipa/issue/9159
Since the newly added testsuite required client
system, hence modified the below yaml files to change the topology
from *master_1repl to *master_1repl_1client in the below files
gating.yaml
nightly_latest.yaml
nightly_rawhide.yaml
Signed-off-by: Sudhir Menon <sumenon@redhat.com>
Reviewed-By: Rob Crittenden <rcritten@redhat.com>
Reviewed-By: Michal Polovka <mpolovka@redhat.com>
Reviewed-By: Stanislav Levin <slev@altlinux.org>
Reviewed-By: Florence Blanc-Renaud <frenaud@redhat.com>
Signed-off-by: Sudhir Menon <sumenon@redhat.com>
Reviewed-By: Rob Crittenden <rcritten@redhat.com>
Reviewed-By: Michal Polovka <mpolovka@redhat.com>
Reviewed-By: Stanislav Levin <slev@altlinux.org>
Reviewed-By: Florence Blanc-Renaud <frenaud@redhat.com>
---
ipatests/prci_definitions/gating.yaml | 2 +-
.../nightly_ipa-4-10_latest.yaml | 2 +-
.../nightly_ipa-4-10_latest_selinux.yaml | 2 +-
.../nightly_ipa-4-10_previous.yaml | 2 +-
ipatests/test_integration/test_subids.py | 38 +++++++++++++++++++
5 files changed, 42 insertions(+), 4 deletions(-)
diff --git a/ipatests/prci_definitions/gating.yaml b/ipatests/prci_definitions/gating.yaml
index 4083c650a17ce76bdefa243f1a7c5924039ff0bb..db4875dcfae8676287ef771805b34d988330bb40 100644
--- a/ipatests/prci_definitions/gating.yaml
+++ b/ipatests/prci_definitions/gating.yaml
@@ -309,4 +309,4 @@ jobs:
test_suite: test_integration/test_subids.py
template: *ci-ipa-4-10-latest
timeout: 3600
- topology: *master_1repl
+ topology: *master_1repl_1client
diff --git a/ipatests/prci_definitions/nightly_ipa-4-10_latest.yaml b/ipatests/prci_definitions/nightly_ipa-4-10_latest.yaml
index 24aa6e7cf29e448ba9d838d1cb98169213ea63ef..027b2a5b6c0b7ec3c3b5784ec4569661a06d4ed7 100644
--- a/ipatests/prci_definitions/nightly_ipa-4-10_latest.yaml
+++ b/ipatests/prci_definitions/nightly_ipa-4-10_latest.yaml
@@ -1748,7 +1748,7 @@ jobs:
test_suite: test_integration/test_subids.py
template: *ci-ipa-4-10-latest
timeout: 3600
- topology: *master_1repl
+ topology: *master_1repl_1client
fedora-latest-ipa-4-10/test_custom_plugins:
requires: [fedora-latest-ipa-4-10/build]
diff --git a/ipatests/prci_definitions/nightly_ipa-4-10_latest_selinux.yaml b/ipatests/prci_definitions/nightly_ipa-4-10_latest_selinux.yaml
index f22cc08384b3d50e49278d38e73bf93cd7804e80..bcc17bef935666735bfb2c2e51209362a374b511 100644
--- a/ipatests/prci_definitions/nightly_ipa-4-10_latest_selinux.yaml
+++ b/ipatests/prci_definitions/nightly_ipa-4-10_latest_selinux.yaml
@@ -1887,7 +1887,7 @@ jobs:
test_suite: test_integration/test_subids.py
template: *ci-ipa-4-10-latest
timeout: 3600
- topology: *master_1repl
+ topology: *master_1repl_1client
fedora-latest-ipa-4-10/test_custom_plugins:
requires: [fedora-latest-ipa-4-10/build]
diff --git a/ipatests/prci_definitions/nightly_ipa-4-10_previous.yaml b/ipatests/prci_definitions/nightly_ipa-4-10_previous.yaml
index df98a66871fd90daaebd83f063e48f1580675049..37d38762e696a6394ef146a0e2b68bbc8ced515d 100644
--- a/ipatests/prci_definitions/nightly_ipa-4-10_previous.yaml
+++ b/ipatests/prci_definitions/nightly_ipa-4-10_previous.yaml
@@ -1748,7 +1748,7 @@ jobs:
test_suite: test_integration/test_subids.py
template: *ci-ipa-4-10-previous
timeout: 3600
- topology: *master_1repl
+ topology: *master_1repl_1client
fedora-previous-ipa-4-10/test_custom_plugins:
requires: [fedora-previous-ipa-4-10/build]
diff --git a/ipatests/test_integration/test_subids.py b/ipatests/test_integration/test_subids.py
index f6d8607f237bf03358baae008dd2a6ad819751c0..8158499e1a2b71bdc1a308dec0939fd0d491599d 100644
--- a/ipatests/test_integration/test_subids.py
+++ b/ipatests/test_integration/test_subids.py
@@ -17,6 +17,7 @@ from ipatests.test_integration.base import IntegrationTest
class TestSubordinateId(IntegrationTest):
num_replicas = 0
+ num_clients = 1
topology = "star"
def _parse_result(self, result):
@@ -268,3 +269,40 @@ class TestSubordinateId(IntegrationTest):
f"--subuid={subuid}"])
owner = self._parse_result(result)["owner"]
assert owner == uid
+
+ def test_nsswitch_doesnot_contain_subid_entry(self):
+ """
+ This testcase checks that when ipa-client-install
+ is installed without subid option, the nsswitch.conf
+ does not contain subid entry or does not use sss as
+ source for subid
+ """
+ cmd = self.clients[0].run_command(
+ ["grep", "^subid", "/etc/nsswitch.conf"],
+ raiseonerr=False
+ )
+ # a source is defined for the subid database.
+ # Ensure it is not "sss"
+ if cmd.returncode == 0:
+ assert 'sss' not in cmd.stdout_text
+ else:
+ # grep command returncode 1 means no matching line
+ # was found = no source is defined for the subid database,
+ # which is valid other return codes would
+ # mean an error occurred
+ assert cmd.returncode == 1
+
+ def test_nsswitch_is_updated_with_subid_entry(self):
+ """
+ This test case checks that when ipa-client-install
+ is installed with --subid option, the nsswitch.conf
+ file is modified with the entry 'subid: sss'
+ """
+ tasks.uninstall_client(self.clients[0])
+ tasks.install_client(self.master, self.clients[0],
+ extra_args=['--subid'])
+ cmd = self.clients[0].run_command(
+ ["grep", "^subid", "/etc/nsswitch.conf"]
+ )
+ subid = cmd.stdout_text.split()
+ assert ['subid:', 'sss'] == subid
--
2.37.2

56
0008-webui-Allow-grace-login-limit.patch
View File

@ -1,56 +0,0 @@
From 7a1e1d9f1cb13679c28f12d05b156a08bcc4d856 Mon Sep 17 00:00:00 2001
From: Carla Martinez <carlmart@redhat.com>
Date: Fri, 29 Jul 2022 13:16:16 +0200
Subject: [PATCH] webui: Allow grace login limit
There was no support for setting the grace login limit on the WebUI. The
only way to so was only via CLI:
`ipa pwpolicy-mod --gracelimit=2 global_policy`
Thus, the grace login limit must be updated from the policy section and
this will reflect also on the user settings (under the 'Password Policy'
section)
Fixes: https://pagure.io/freeipa/issue/9211
Signed-off-by: Carla Martinez <carlmart@redhat.com>
Reviewed-By: Florence Blanc-Renaud <flo@redhat.com>
---
install/ui/src/freeipa/policy.js | 3 +++
install/ui/src/freeipa/user.js | 5 +++++
2 files changed, 8 insertions(+)
diff --git a/install/ui/src/freeipa/policy.js b/install/ui/src/freeipa/policy.js
index fa2028a52b1118b6125f91153280da0a2ffe0584..7ec103636ced0cce34997d81a02b25ba73bda33f 100644
--- a/install/ui/src/freeipa/policy.js
+++ b/install/ui/src/freeipa/policy.js
@@ -72,6 +72,9 @@ return {
{
name: 'cospriority',
required: true
+ },
+ {
+ name: 'passwordgracelimit'
}
]
}]
diff --git a/install/ui/src/freeipa/user.js b/install/ui/src/freeipa/user.js
index a580db03599457eefd85f8c23d74c284946393c7..b47c97f72008f2f4e75b4cb88e9ff6756827b26e 100644
--- a/install/ui/src/freeipa/user.js
+++ b/install/ui/src/freeipa/user.js
@@ -318,6 +318,11 @@ return {
label: '@mo-param:pwpolicy:krbpwdlockoutduration:label',
read_only: true,
measurement_unit: 'seconds'
+ },
+ {
+ name: 'passwordgracelimit',
+ label: '@mo-param:pwpolicy:passwordgracelimit:label',
+ read_only: true
}
]
},
--
2.37.2

226
0009-Additional-tests-for-RSN-v3.patch
View File

@ -1,226 +0,0 @@
From bfe074ed478c20a9537dc2a714bba50dbc2cd34f Mon Sep 17 00:00:00 2001
From: Sumedh Sidhaye <ssidhaye@redhat.com>
Date: Fri, 5 Aug 2022 11:22:59 +0530
Subject: [PATCH] Additional tests for RSN v3
New Tests include
TestRSNPKIConfig
TestRSNVault
The new tests are just extending existing classes to be run
with random serial numbers enabled
The tests also include a new method to check params set in CS.cfg for both CA and
KRA, and another test to check Random Serial Number version while
running `ipa ca-find`
Added nightly definitions
Related Ticket: https://pagure.io/freeipa/issue/2016
Signed-off-by: Sumedh Sidhaye <ssidhaye@redhat.com>
Reviewed-By: Rob Crittenden <rcritten@redhat.com>
Reviewed-By: Florence Blanc-Renaud <frenaud@redhat.com>
---
.../nightly_ipa-4-10_latest.yaml | 24 +++++++++
.../nightly_ipa-4-10_latest_selinux.yaml | 26 ++++++++++
.../nightly_ipa-4-10_previous.yaml | 24 +++++++++
.../test_random_serial_numbers.py | 51 ++++++++++++++++++-
ipatests/test_integration/test_vault.py | 4 +-
5 files changed, 127 insertions(+), 2 deletions(-)
diff --git a/ipatests/prci_definitions/nightly_ipa-4-10_latest.yaml b/ipatests/prci_definitions/nightly_ipa-4-10_latest.yaml
index 027b2a5b6c0b7ec3c3b5784ec4569661a06d4ed7..547320d258f51132266b56e9193533d2291c623c 100644
--- a/ipatests/prci_definitions/nightly_ipa-4-10_latest.yaml
+++ b/ipatests/prci_definitions/nightly_ipa-4-10_latest.yaml
@@ -1821,3 +1821,27 @@ jobs:
template: *ci-ipa-4-10-latest
timeout: 5400
topology: *master_1repl
+
+ fedora-latest-ipa-4-10/test_random_serial_numbers_TestRSNPKIConfig:
+ requires: [fedora-latest-ipa-4-10/build]
+ priority: 50
+ job:
+ class: RunPytest
+ args:
+ build_url: '{fedora-latest-ipa-4-10/build_url}'
+ test_suite: test_integration/test_random_serial_numbers.py::TestRSNPKIConfig
+ template: *ci-ipa-4-10-latest
+ timeout: 10800
+ topology: *master_3repl_1client
+
+ fedora-latest-ipa-4-10/test_random_serial_numbers_TestRSNVault:
+ requires: [fedora-latest-ipa-4-10/build]
+ priority: 50
+ job:
+ class: RunPytest
+ args:
+ build_url: '{fedora-latest-ipa-4-10/build_url}'
+ test_suite: test_integration/test_random_serial_numbers.py::TestRSNVault
+ template: *ci-ipa-4-10-latest
+ timeout: 10800
+ topology: *master_1repl
\ No newline at end of file
diff --git a/ipatests/prci_definitions/nightly_ipa-4-10_latest_selinux.yaml b/ipatests/prci_definitions/nightly_ipa-4-10_latest_selinux.yaml
index bcc17bef935666735bfb2c2e51209362a374b511..f6e5f1cff22de9db4df4577d1cd615499cf0fab3 100644
--- a/ipatests/prci_definitions/nightly_ipa-4-10_latest_selinux.yaml
+++ b/ipatests/prci_definitions/nightly_ipa-4-10_latest_selinux.yaml
@@ -1966,3 +1966,29 @@ jobs:
template: *ci-ipa-4-10-latest
timeout: 5400
topology: *master_1repl
+
+ fedora-latest-ipa-4-10/test_random_serial_numbers_TestRSNPKIConfig:
+ requires: [fedora-latest-ipa-4-10/build]
+ priority: 50
+ job:
+ class: RunPytest
+ args:
+ build_url: '{fedora-latest-ipa-4-10/build_url}'
+ selinux_enforcing: True
+ test_suite: test_integration/test_random_serial_numbers.py::TestRSNPKIConfig
+ template: *ci-ipa-4-10-latest
+ timeout: 10800
+ topology: *master_3repl_1client
+
+ fedora-latest-ipa-4-10/test_random_serial_numbers_TestRSNVault:
+ requires: [fedora-latest-ipa-4-10/build]
+ priority: 50
+ job:
+ class: RunPytest
+ args:
+ build_url: '{fedora-latest-ipa-4-10/build_url}'
+ selinux_enforcing: True
+ test_suite: test_integration/test_random_serial_numbers.py::TestRSNVault
+ template: *ci-ipa-4-10-latest
+ timeout: 10800
+ topology: *master_1repl
diff --git a/ipatests/prci_definitions/nightly_ipa-4-10_previous.yaml b/ipatests/prci_definitions/nightly_ipa-4-10_previous.yaml
index 37d38762e696a6394ef146a0e2b68bbc8ced515d..463f4b92fecc7fbc0be969de422352fb7baeb797 100644
--- a/ipatests/prci_definitions/nightly_ipa-4-10_previous.yaml
+++ b/ipatests/prci_definitions/nightly_ipa-4-10_previous.yaml
@@ -1821,3 +1821,27 @@ jobs:
template: *ci-ipa-4-10-previous
timeout: 5400
topology: *master_1repl
+
+ fedora-previous-ipa-4-10/test_random_serial_numbers_TestRSNPKIConfig:
+ requires: [fedora-previous-ipa-4-10/build]
+ priority: 50
+ job:
+ class: RunPytest
+ args:
+ build_url: '{fedora-previous-ipa-4-10/build_url}'
+ test_suite: test_integration/test_random_serial_numbers.py::TestRSNPKIConfig
+ template: *ci-ipa-4-10-previous
+ timeout: 10800
+ topology: *master_3repl_1client
+
+ fedora-previous-ipa-4-10/test_random_serial_numbers_TestRSNVault:
+ requires: [fedora-previous-ipa-4-10/build]
+ priority: 50
+ job:
+ class: RunPytest
+ args:
+ build_url: '{fedora-previous-ipa-4-10/build_url}'
+ test_suite: test_integration/test_random_serial_numbers.py::TestRSNVault
+ template: *ci-ipa-4-10-previous
+ timeout: 10800
+ topology: *master_1repl
diff --git a/ipatests/test_integration/test_random_serial_numbers.py b/ipatests/test_integration/test_random_serial_numbers.py
index c52cfa4ed50e2718791b0844d743fb240d26b365..ab58b1c622b010994ed93a17dd80cfd02095508d 100644
--- a/ipatests/test_integration/test_random_serial_numbers.py
+++ b/ipatests/test_integration/test_random_serial_numbers.py
@@ -4,12 +4,15 @@
import pytest
+from ipaplatform.paths import paths
+
+from ipatests.pytest_ipa.integration import tasks
from ipatests.test_integration.test_installation import (
TestInstallWithCA_DNS1,
TestInstallWithCA_KRA1,
)
from ipatests.test_integration.test_caless import TestServerCALessToExternalCA
-
+from ipatests.test_integration.test_vault import TestInstallKRA
from ipatests.test_integration.test_commands import TestIPACommand
@@ -26,6 +29,18 @@ def pki_supports_RSNv3(host):
return False
+def check_pki_config_params(host):
+ # Check CS.cfg
+ try:
+ cs_cfg = host.get_file_contents(paths.CA_CS_CFG_PATH)
+ kra_cfg = host.get_file_contents(paths.KRA_CS_CFG_PATH)
+ assert "dbs.cert.id.generator=random".encode() in cs_cfg
+ assert "dbs.request.id.generator=random".encode() in cs_cfg
+ assert "dbs.key.id.generator=random".encode() in kra_cfg
+ except IOError:
+ pytest.skip("PKI config not present.Skipping test")
+
+
class TestInstallWithCA_DNS1_RSN(TestInstallWithCA_DNS1):
random_serial = True
@@ -70,3 +85,37 @@ class TestServerCALessToExternalCA_RSN(TestServerCALessToExternalCA):
if not pki_supports_RSNv3(mh.master):
raise pytest.skip("RSNv3 not supported")
super(TestServerCALessToExternalCA_RSN, cls).uninstall(mh)
+
+
+class TestRSNPKIConfig(TestInstallWithCA_KRA1):
+ random_serial = True
+ num_replicas = 3
+
+ @classmethod
+ def install(cls, mh):
+ if not pki_supports_RSNv3(mh.master):
+ raise pytest.skip("RSNv3 not supported")
+ super(TestRSNPKIConfig, cls).install(mh)
+
+ def test_check_pki_config(self):
+ check_pki_config_params(self.master)
+ check_pki_config_params(self.replicas[0])
+ check_pki_config_params(self.replicas[1])
+
+ def test_check_rsn_version(self):
+ tasks.kinit_admin(self.master)
+ res = self.master.run_command(['ipa', 'ca-find'])
+ assert 'RSN Version: 3' in res.stdout_text
+ tasks.kinit_admin(self.replicas[0])
+ res = self.replicas[0].run_command(['ipa', 'ca-find'])
+ assert 'RSN Version: 3' in res.stdout_text
+
+
+class TestRSNVault(TestInstallKRA):
+ random_serial = True
+
+ @classmethod
+ def install(cls, mh):
+ if not pki_supports_RSNv3(mh.master):
+ raise pytest.skip("RSNv3 not supported")
+ super(TestRSNVault, cls).install(mh)
diff --git a/ipatests/test_integration/test_vault.py b/ipatests/test_integration/test_vault.py
index 548822d049070d6f9d42da772264eb24010fafda..6288e557f96cae60d031b44c49fbe830712eb7be 100644
--- a/ipatests/test_integration/test_vault.py
+++ b/ipatests/test_integration/test_vault.py
@@ -33,7 +33,9 @@ class TestInstallKRA(IntegrationTest):
@classmethod
def install(cls, mh):
- tasks.install_master(cls.master, setup_kra=True)
+ tasks.install_master(cls.master,
+ setup_kra=True,
+ random_serial=cls.random_serial)
# do not install KRA on replica, it is part of test
tasks.install_replica(cls.master, cls.replicas[0], setup_kra=False)
--
2.37.2

35
0010-check_repl_update-in-progress-is-a-boolean.patch
View File

@ -1,35 +0,0 @@
From 2003eb6b3d4a27a5de5eaa79418f115dd99886cd Mon Sep 17 00:00:00 2001
From: Florence Blanc-Renaud <flo@redhat.com>
Date: Sun, 7 Aug 2022 12:44:47 +0200
Subject: [PATCH] check_repl_update: in progress is a boolean
With the fix for https://pagure.io/freeipa/issue/9171,
nsds5replicaUpdateInProgress is now handled as a boolean.
One remaining occurrence was still handling it as a string
and calling lower() on its value.
Replace with direct boolean comparison.
Fixes: https://pagure.io/freeipa/issue/9218
Signed-off-by: Florence Blanc-Renaud <flo@redhat.com>
Reviewed-By: Alexander Bokovoy <abokovoy@redhat.com>
---
ipaserver/install/replication.py | 2 +-
1 file changed, 1 insertion(+), 1 deletion(-)
diff --git a/ipaserver/install/replication.py b/ipaserver/install/replication.py
index 16be3760cb14bfeb1cc9a761400752071639dc7c..9d9aa1c4bfc99109c0cf1e6d1619ec1b38e20c02 100644
--- a/ipaserver/install/replication.py
+++ b/ipaserver/install/replication.py
@@ -1152,7 +1152,7 @@ class ReplicationManager:
except (ValueError, TypeError, KeyError):
end = 0
# incremental update is done if inprogress is false and end >= start
- done = inprogress and inprogress.lower() == 'false' and start <= end
+ done = inprogress is not None and not inprogress and start <= end
logger.info("Replication Update in progress: %s: status: %s: "
"start: %d: end: %d",
inprogress, status, start, end)
--
2.37.2

82
0011-ipatests-Fix-expected-object-classes.patch
View File

@ -1,82 +0,0 @@
From b6520bef2ef05dd87636d8b57e3247d451af81d8 Mon Sep 17 00:00:00 2001
From: Florence Blanc-Renaud <flo@redhat.com>
Date: Tue, 14 Dec 2021 16:33:29 +0100
Subject: [PATCH] ipatests: Fix expected object classes
Because the sidgen plugin is a postop plugin, it is not
always triggered before the result of an ADD is returned
and the objectclasses of the user may / may not contain
ipantuserattrs.
Fix the expected object classes.
Related: https://pagure.io/freeipa/issue/9062
Signed-off-by: Florence Blanc-Renaud <flo@redhat.com>
Reviewed-By: Rob Crittenden <rcritten@redhat.com>
Reviewed-By: Alexander Bokovoy <abokovoy@redhat.com>
Reviewed-By: Stanislav Levin <slev@altlinux.org>
---
ipatests/test_xmlrpc/test_user_plugin.py | 20 ++++++++++++++------
1 file changed, 14 insertions(+), 6 deletions(-)
diff --git a/ipatests/test_xmlrpc/test_user_plugin.py b/ipatests/test_xmlrpc/test_user_plugin.py
index 74d78b0c6d75590640da1357da1f9f4570307878..c156a8793c5765df96029753f4a278e961d4e895 100644
--- a/ipatests/test_xmlrpc/test_user_plugin.py
+++ b/ipatests/test_xmlrpc/test_user_plugin.py
@@ -125,7 +125,9 @@ def user_npg(request, group):
del tracker.attrs['mepmanagedentry']
tracker.attrs.update(
description=[], memberof_group=[group.cn],
- objectclass=objectclasses.user_base + [u'ipantuserattrs'],
+ objectclass=fuzzy_set_optional_oc(
+ objectclasses.user_base, 'ipantuserattrs'
+ ),
)
return tracker.make_fixture(request)
@@ -139,7 +141,9 @@ def user_npg2(request, group):
del tracker.attrs['mepmanagedentry']
tracker.attrs.update(
gidnumber=[u'1000'], description=[], memberof_group=[group.cn],
- objectclass=objectclasses.user_base + [u'ipantuserattrs'],
+ objectclass=fuzzy_set_optional_oc(
+ objectclasses.user_base, 'ipantuserattrs'
+ ),
)
return tracker.make_fixture(request)
@@ -151,8 +155,9 @@ def user_radius(request, xmlrpc_setup):
sn=u'radiususer1',
ipatokenradiususername=u'radiususer')
tracker.track_create()
- tracker.attrs.update(
- objectclass=objectclasses.user + [u'ipatokenradiusproxyuser']
+ tracker.attrs.update(objectclass=fuzzy_set_optional_oc(
+ objectclasses.user + [u'ipatokenradiusproxyuser'],
+ 'ipantuserattrs'),
)
return tracker.make_fixture(request)
@@ -647,7 +652,8 @@ class TestCreate(XMLRPC_test):
testuser.attrs.update(gidnumber=[u'1000'])
testuser.attrs.update(
description=[],
- objectclass=objectclasses.user_base + [u'ipantuserattrs']
+ objectclass=fuzzy_set_optional_oc(
+ objectclasses.user_base, 'ipantuserattrs'),
)
command = testuser.make_create_command()
result = command()
@@ -865,7 +871,9 @@ class TestUserWithUPGDisabled(XMLRPC_test):
testuser.attrs.update(gidnumber=[u'1000'])
testuser.attrs.update(
description=[],
- objectclass=objectclasses.user_base + [u'ipantuserattrs'],
+ objectclass=fuzzy_set_optional_oc(
+ objectclasses.user_base, 'ipantuserattrs'
+ ),
)
command = testuser.make_create_command()
result = command()
--
2.37.2

50
0012-doc-Update-LDAP-grace-period-design-with-default-val.patch
View File

@ -1,50 +0,0 @@
From 1aa39529cda4ab9620539dbad705cedd23c21b42 Mon Sep 17 00:00:00 2001
From: Rob Crittenden <rcritten@redhat.com>
Date: Thu, 18 Aug 2022 08:21:58 -0400
Subject: [PATCH] doc: Update LDAP grace period design with default values
New group password policies will get -1 (unlimited) on creation
by default.
Existing group password policies will remain untouched and
those created prior will be treated as no BIND allowed.
Fixes: https://pagure.io/freeipa/issue/9212
Signed-off-by: Rob Crittenden <rcritten@redhat.com>
Reviewed-By: Florence Blanc-Renaud <frenaud@redhat.com>
---
doc/designs/ldap_grace_period.md | 17 ++++++++++++++++-
1 file changed, 16 insertions(+), 1 deletion(-)
diff --git a/doc/designs/ldap_grace_period.md b/doc/designs/ldap_grace_period.md
index 4b9db34247c1446aec3f5bcce7dfa1bd8a2bd359..e26aedda976b19f3ba26593ba3b3c06c30506a21 100644
--- a/doc/designs/ldap_grace_period.md
+++ b/doc/designs/ldap_grace_period.md
@@ -51,7 +51,22 @@ The basic flow is:
On successful password reset (by anyone) reset the user's passwordGraceUserTime to 0.
-The default value on install/upgrade will be -1 to retail existing behavior.
+Range values for passwordgracelimit are:
+
+-1 : password grace checking is disabled
+ 0 : no grace BIND are allowed at all post-expiration
+ 1..MAXINT: the number of BIND allowed post-expiration
+
+The default value for the global policy on install/upgrade will be -1 to
+retain existing behavior.
+
+New group password policies will default to -1 to retain previous
+behavior.
+
+Existing group policies with no grace limit set are updated to use
+the default unlimited value, -1. This is done because lack of value in
+LDAP is treated as 0 so any existing group policies would not allow
+post-expiration BIND so this will avoid confusion.
The per-user attempts will not be replicated.
--
2.37.2

74
0013-Set-default-gracelimit-on-group-password-policies-to.patch
View File

@ -1,74 +0,0 @@
From 45e6d49b94da78cd82eb016b3266a17a1359a087 Mon Sep 17 00:00:00 2001
From: Rob Crittenden <rcritten@redhat.com>
Date: Thu, 4 Aug 2022 12:04:22 -0400
Subject: [PATCH] Set default gracelimit on group password policies to -1
This will retain previous behavior of unlimited LDAP BIND
post-expiration.
Fixes: https://pagure.io/freeipa/issue/9212
Signed-off-by: Rob Crittenden <rcritten@redhat.com>
Reviewed-By: Florence Blanc-Renaud <frenaud@redhat.com>
---
API.txt | 2 +-
ipaserver/plugins/pwpolicy.py | 2 ++
ipatests/test_xmlrpc/test_pwpolicy_plugin.py | 2 ++
3 files changed, 5 insertions(+), 1 deletion(-)
diff --git a/API.txt b/API.txt
index 66929b921b197e27ede847fb6b10bf1e44c3464a..210bfc4950e6a7346dbdd6e29d1096b2f8750b1e 100644
--- a/API.txt
+++ b/API.txt
@@ -4076,7 +4076,7 @@ option: Int('krbpwdlockoutduration?', cli_name='lockouttime')
option: Int('krbpwdmaxfailure?', cli_name='maxfail')
option: Int('krbpwdmindiffchars?', cli_name='minclasses')
option: Int('krbpwdminlength?', cli_name='minlength')
-option: Int('passwordgracelimit?', cli_name='gracelimit', default=-1)
+option: Int('passwordgracelimit?', autofill=True, cli_name='gracelimit', default=-1)
option: Flag('raw', autofill=True, cli_name='raw', default=False)
option: Str('setattr*', cli_name='setattr')
option: Str('version?')
diff --git a/ipaserver/plugins/pwpolicy.py b/ipaserver/plugins/pwpolicy.py
index 4428aede2dcc7a2a0b6128bf7f58eb47e4a8e07d..f4ebffd5c8f06a53b6c4d5e48ff6eeafa240e3a4 100644
--- a/ipaserver/plugins/pwpolicy.py
+++ b/ipaserver/plugins/pwpolicy.py
@@ -408,6 +408,7 @@ class pwpolicy(LDAPObject):
minvalue=-1,
maxvalue=Int.MAX_UINT32,
default=-1,
+ autofill=True,
),
)
@@ -539,6 +540,7 @@ class pwpolicy_add(LDAPCreate):
keys[-1], krbpwdpolicyreference=dn,
cospriority=options.get('cospriority')
)
+
return dn
def post_callback(self, ldap, dn, entry_attrs, *keys, **options):
diff --git a/ipatests/test_xmlrpc/test_pwpolicy_plugin.py b/ipatests/test_xmlrpc/test_pwpolicy_plugin.py
index 8eee69c185b15be72870050ed247f252c72d1c66..fc785223bfe56269ad8b211e8f1c3ac9f4064c3c 100644
--- a/ipatests/test_xmlrpc/test_pwpolicy_plugin.py
+++ b/ipatests/test_xmlrpc/test_pwpolicy_plugin.py
@@ -387,6 +387,7 @@ class test_pwpolicy_mod_cospriority(Declarative):
krbpwdhistorylength=[u'10'],
krbpwdmindiffchars=[u'3'],
krbpwdminlength=[u'8'],
+ passwordgracelimit=[u'-1'],
objectclass=objectclasses.pwpolicy,
),
summary=None,
@@ -417,6 +418,7 @@ class test_pwpolicy_mod_cospriority(Declarative):
krbpwdhistorylength=[u'10'],
krbpwdmindiffchars=[u'3'],
krbpwdminlength=[u'8'],
+ passwordgracelimit=[u'-1'],
),
summary=None,
value=u'ipausers',
--
2.37.2

106
0014-Set-default-on-group-pwpolicy-with-no-grace-limit-in.patch
View File

@ -1,106 +0,0 @@
From de6f074538f6641fd9d84bed204a3d4d50eccbe5 Mon Sep 17 00:00:00 2001
From: Rob Crittenden <rcritten@redhat.com>
Date: Thu, 4 Aug 2022 12:04:41 -0400
Subject: [PATCH] Set default on group pwpolicy with no grace limit in upgrade
If an existing group policy lacks a password grace limit
update it to -1 on upgrade.
Fixes: https://pagure.io/freeipa/issue/9212
Signed-off-by: Rob Crittenden <rcritten@redhat.com>
Reviewed-By: Florence Blanc-Renaud <frenaud@redhat.com>
---
.../updates/90-post_upgrade_plugins.update | 1 +
ipaserver/install/plugins/update_pwpolicy.py | 66 +++++++++++++++++++
2 files changed, 67 insertions(+)
diff --git a/install/updates/90-post_upgrade_plugins.update b/install/updates/90-post_upgrade_plugins.update
index c7ec71d492b0ac0e7641d586b7e7fa7501743bc2..6fe91aa6c6310a69a7f0feb1ad62243945db67f9 100644
--- a/install/updates/90-post_upgrade_plugins.update
+++ b/install/updates/90-post_upgrade_plugins.update
@@ -26,6 +26,7 @@ plugin: update_ra_cert_store
plugin: update_mapping_Guests_to_nobody
plugin: fix_kra_people_entry
plugin: update_pwpolicy
+plugin: update_pwpolicy_grace
# last
# DNS version 1
diff --git a/ipaserver/install/plugins/update_pwpolicy.py b/ipaserver/install/plugins/update_pwpolicy.py
index dca44ce4369dfc11f83a412a1249bb045d46713f..4185f034313bd49ca68e86c620043af6ead5f6d6 100644
--- a/ipaserver/install/plugins/update_pwpolicy.py
+++ b/ipaserver/install/plugins/update_pwpolicy.py
@@ -78,3 +78,69 @@ class update_pwpolicy(Updater):
return False, []
return False, []
+
+
+@register()
+class update_pwpolicy_grace(Updater):
+ """
+ Ensure all group policies have a grace period set.
+ """
+
+ def execute(self, **options):
+ ldap = self.api.Backend.ldap2
+
+ base_dn = DN(('cn', self.api.env.realm), ('cn', 'kerberos'),
+ self.api.env.basedn)
+ search_filter = (
+ "(&(objectClass=krbpwdpolicy)(!(passwordgracelimit=*)))"
+ )
+
+ while True:
+ # Run the search in loop to avoid issues when LDAP limits are hit
+ # during update
+
+ try:
+ (entries, truncated) = ldap.find_entries(
+ search_filter, ['objectclass'], base_dn, time_limit=0,
+ size_limit=0)
+
+ except errors.EmptyResult:
+ logger.debug("update_pwpolicy: no policies without "
+ "passwordgracelimit set")
+ return False, []
+
+ except errors.ExecutionError as e:
+ logger.error("update_pwpolicy: cannot retrieve list "
+ "of policies missing passwordgracelimit: %s", e)
+ return False, []
+
+ logger.debug("update_pwpolicy: found %d "
+ "policies to update, truncated: %s",
+ len(entries), truncated)
+
+ error = False
+
+ for entry in entries:
+ # Set unlimited BIND by default
+ entry['passwordgracelimit'] = -1
+ try:
+ ldap.update_entry(entry)
+ except (errors.EmptyModlist, errors.NotFound):
+ pass
+ except errors.ExecutionError as e:
+ logger.debug("update_pwpolicy: cannot "
+ "update policy: %s", e)
+ error = True
+
+ if error:
+ # Exit loop to avoid infinite cycles
+ logger.error("update_pwpolicy: error(s) "
+ "detected during pwpolicy update")
+ return False, []
+
+ elif not truncated:
+ # All affected entries updated, exit the loop
+ logger.debug("update_pwpolicy: all policies updated")
+ return False, []
+
+ return False, []
--
2.37.2

62
0015-fix-canonicalization-issue-in-Web-UI.patch
View File

@ -1,62 +0,0 @@
From a0928fe164712303a7c24ee61500ac7326bd9e4a Mon Sep 17 00:00:00 2001
From: Alexander Bokovoy <abokovoy@redhat.com>
Date: Tue, 23 Aug 2022 16:58:07 +0300
Subject: [PATCH] fix canonicalization issue in Web UI
When Kerberos principal alias is used to login to a Web UI, we end up
with a request that is authenticated by a ticket issued in the alias
name but metadata processed for the canonical user name. This confuses
RPC layer of Web UI code and causes infinite loop to reload the page.
Fix it by doing two things:
- force use of canonicalization of an enterprise principal on server
side, not just specifying that the principal is an enterprise one;
- recognize that a principal in the whoami()-returned object can have
aliases and the principal returned by the server in the JSON response
may be one of those aliases.
Fixes: https://pagure.io/freeipa/issue/9226
Signed-off-by: Alexander Bokovoy <abokovoy@redhat.com>
Reviewed-By: Armando Neto <abiagion@redhat.com>
---
install/ui/src/freeipa/ipa.js | 8 +++++++-
ipaserver/rpcserver.py | 1 +
2 files changed, 8 insertions(+), 1 deletion(-)
diff --git a/install/ui/src/freeipa/ipa.js b/install/ui/src/freeipa/ipa.js
index 758db1b00..a08d632e9 100644
--- a/install/ui/src/freeipa/ipa.js
+++ b/install/ui/src/freeipa/ipa.js
@@ -271,7 +271,13 @@ var IPA = function () {
var cn = that.whoami.data.krbcanonicalname;
if (cn) that.principal = cn[0];
if (!that.principal) {
- that.principal = that.whoami.data.krbprincipalname[0];
+ var principal = data.principal;
+ var idx = that.whoami.data.krbprincipalname.indexOf(principal);
+ if (idx > -1) {
+ that.principal = principal;
+ } else {
+ that.principal = that.whoami.data.krbprincipalname[0];
+ }
}
} else if (entity === 'idoverrideuser') {
that.principal = that.whoami.data.ipaoriginaluid[0];
diff --git a/ipaserver/rpcserver.py b/ipaserver/rpcserver.py
index 1f85e9898..4e8a08b66 100644
--- a/ipaserver/rpcserver.py
+++ b/ipaserver/rpcserver.py
@@ -1109,6 +1109,7 @@ class login_password(Backend, KerberosSession):
ccache_name,
armor_ccache_name=armor_path,
enterprise=True,
+ canonicalize=True,
lifetime=self.api.env.kinit_lifetime)
if armor_path:
--
2.37.3

62
freeipa.spec
View File

@ -71,21 +71,25 @@
# 0.7.16: https://github.com/drkjam/netaddr/issues/71
%global python_netaddr_version 0.7.19
%global samba_version 4.17.2-103
%global selinux_policy_version 3.14.3-52
%global slapi_nis_version 0.56.4
%global python_ldap_version 3.1.0-1
%if 0%{?rhel} < 9
# Bug 1929067 - PKI instance creation failed with new 389-ds-base build
%global ds_version 1.4.3.16-12
%global selinux_policy_version 3.14.3-107
%else
# DNA interval enabled
%global ds_version 2.0.5-1
%global selinux_policy_version 38.1.1-1
%endif
# Fix for TLS 1.3 PHA, RHBZ#1775158
%global httpd_version 2.4.37-21
%global bind_version 9.11.20-6
# Fix for https://github.com/SSSD/sssd/issues/6331
%global sssd_version 2.8.0
%else
# Fedora
%global package_name freeipa
@ -99,7 +103,12 @@
%global samba_version 2:4.12.10
# 3.14.5-45 or later includes a number of interfaces fixes for IPA interface
# 36.16-1 fixes BZ#2115691
%if 0%{?fedora} < 36
%global selinux_policy_version 3.14.5-45
%else
%global selinux_policy_version 36.16-1
%endif
%global slapi_nis_version 0.56.5
%global krb5_kdb_version 8.0
@ -118,11 +127,25 @@
# Fix for TLS 1.3 PHA, RHBZ#1775146
%global httpd_version 2.4.41-9
# Fix for RHBZ#2117342
%if 0%{?fedora} < 37
%global bind_version 9.11.24-1
%else
%global bind_version 32:9.18.7-1
%endif
# Don't use Fedora's Python dependency generator on Fedora 30/rawhide yet.
# Some packages don't provide new dist aliases.
# https://docs.fedoraproject.org/en-US/packaging-guidelines/Python/
%{?python_disable_dependency_generator}
%if 0%{?fedora} < 37
# F35+, adds IdP integration
%global sssd_version 2.7.0
%else
# Fix for https://github.com/SSSD/sssd/issues/6331
%global sssd_version 2.8.0
%endif
# Fedora
%endif
@ -149,9 +172,6 @@
# RHEL 8.2+, F32+ has 3.58
%global nss_version 3.44.0-4
# RHEL 8.7+, F35+, adds IdP integration
%global sssd_version 2.7.0
%define krb5_base_version %(LC_ALL=C /usr/bin/pkgconf --modversion krb5 | grep -Eo '^[^.]+\.[^.]+' || echo %krb5_version)
%global kdcproxy_version 0.4-3
@ -184,7 +204,7 @@
# Work-around fact that RPM SPEC parser does not accept
# "Version: @VERSION@" in freeipa.spec.in used for Autoconf string replacement
%define IPA_VERSION 4.10.0
%define IPA_VERSION 4.10.1
# Release candidate version -- uncomment with one percent for RC versions
#%%global rc_version %%nil
%define AT_SIGN @
@ -197,7 +217,7 @@
Name: %{package_name}
Version: %{IPA_VERSION}
Release: 8%{?rc_version:.%rc_version}%{?dist}
Release: 1%{?rc_version:.%rc_version}%{?dist}
Summary: The Identity, Policy and Audit system
License: GPLv3+
@ -217,21 +237,6 @@ Source1: https://releases.pagure.org/freeipa/freeipa-%{version}%{?rc_vers
# RHEL spec file only: START
%if %{NON_DEVELOPER_BUILD}
%if 0%{?rhel} >= 8
Patch0001: 0001-Only-calculate-LDAP-password-grace-when-the-password.patch
Patch0002: 0002-webui-Do-not-allow-empty-pagination-size.patch
Patch0003: 0003-ipatests-add-nightly-definitions-for-ipa-4-10-branch.patch
Patch0004: 0004-Added-a-check-while-removing-cert_dir-.-The-teardown.patch
Patch0005: 0005-ipatests-healthcheck-test-if-system-is-FIPS-enabled.patch
Patch0006: 0006-Disabling-gracelimit-does-not-prevent-LDAP-binds.patch
Patch0007: 0007-ipatests-ipa-client-install-subid-adds-entry-in-nssw.patch
Patch0008: 0008-webui-Allow-grace-login-limit.patch
Patch0009: 0009-Additional-tests-for-RSN-v3.patch
Patch0010: 0010-check_repl_update-in-progress-is-a-boolean.patch
Patch0011: 0011-ipatests-Fix-expected-object-classes.patch
Patch0012: 0012-doc-Update-LDAP-grace-period-design-with-default-val.patch
Patch0013: 0013-Set-default-gracelimit-on-group-password-policies-to.patch
Patch0014: 0014-Set-default-on-group-pwpolicy-with-no-grace-limit-in.patch
Patch0015: 0015-fix-canonicalization-issue-in-Web-UI.patch
Patch1001: 1001-Change-branding-to-IPA-and-Identity-Management.patch
%endif
%endif
@ -1735,11 +1740,24 @@ fi
%if %{with selinux}
%files selinux
%{_datadir}/selinux/packages/%{selinuxtype}/%{modulename}.pp.*
%ghost %{_sharedstatedir}/selinux/%{selinuxtype}/active/modules/200/%{modulename}
%ghost %verify(not md5 size mode mtime) %{_sharedstatedir}/selinux/%{selinuxtype}/active/modules/200/%{modulename}
# with selinux
%endif
%changelog
* Fri Nov 25 2022 Florence Blanc-Renaud <flo@redhat.com> - 4.10.1-1
- Resolves: rhbz#2141315 [Rebase] Rebase ipa to latest 4.10.x release for RHEL 9.2
- Resolves: rhbz#2094673 ipa-client-install should just use system wide CA store and do not specify TLS_CACERT in ldap.conf
- Resolves: rhbz#2117167 After leapp upgrade on ipa-client ipa-server package installation failed. (`REQ_FULL_WITH_MEMBERS` returns object from wrong domain)
- Resolves: rhbz#2127833 Password Policy Grace login limit allows invalid maximum value
- Resolves: rhbz#2143224 [RFE] add certificate support to ipa-client instead of one time password
- Resolves: rhbz#2144736 vault interoperability with older RHEL systems is broken
- Resolves: rhbz#2148258 ipa-client-install does not maintain server affinity during installation
- Resolves: rhbz#2148379 Add warning for empty targetattr when creating ACI with RBAC
- Resolves: rhbz#2148380 OTP token sync always returns OK even with random numbers
- Resolves: rhbz#2148381 Deprecated feature idnssoaserial in IdM appears when creating reverse dns zones
- Resolves: rhbz#2148382 Introduction of URI records for kerberos breaks location functionality
* Tue Oct 25 2022 Rafael Jeffman <rjeffman@redhat.com> - 4.10.0-7
- Resolves: rhbz#2124547 Attempt to log in as "root" user with admin's password in Web UI does not properly fail
- Resolves: rhbz#2137555 Attempt to log in as "root" user with admin's password in Web UI does not properly fail [rhel-9.1.0.z]

4
sources
View File

@ -1,2 +1,2 @@
SHA512 (freeipa-4.10.0.tar.gz) = e2e2e07263a5ae35149a7f320f41efa51c36d07d050c19c047350f764d8d2ba67c01f0d317c18e54d8d7ee0c750d15d14c5d49eafea650d94d6b833ff8aa6edc
SHA512 (freeipa-4.10.0.tar.gz.asc) = e53de8b9dd9d4c84aab6b7c604142389a53c42f42774a912c58d46bc84fa0556bf565434d786395a5730d9d1c15fb01739b305aeba163559ae7edbe827b73112
SHA512 (freeipa-4.10.1.tar.gz) = b06ff7d18aaf6345132eebba1cfe1b9653f71ba07e12f708a52253327961ff03eddd19b79bfdbee9d44f20f04d410fe860f2fd916e66c79fc6366ceb3f8ec5f2
SHA512 (freeipa-4.10.1.tar.gz.asc) = cc1e795a5e953b9bdd5e68ccbd7a46da0ab9bf236b96e1a6eae41e3100ebc46cdd93414cbad89bc35c3bf87b518b9bad74b8e4858f42f12b37c5734e1edb5efc