rpms
/
ipa
7
0
Fork 0
Code Issues Pull Requests Releases Activity

ipa-4.10.0-6 

- Resolves: rhbz#2110014
  ldap bind occurs when admin user changes password with gracelimit=0
- Resolves: rhbz#2112901
  RFE: Allow grace login limit to be set in IPA WebUI
- Resolves: rhbz#2115495
  group password policy by default does not allow grace logins
- Resolves: rhbz#2116966
  ipa-replica-manage displays traceback: Unexpected error: 'bool' object has no attribute 'lower'
This commit is contained in:
Florence Blanc-Renaud 2022-08-19 17:02:13 +02:00
parent c4b1dec10b
commit caae578990
13 changed files with 16866 additions and 1 deletions
Show Stats Download Patch File Download Diff File Expand all files Collapse all files

15825
0003-ipatests-add-nightly-definitions-for-ipa-4-10-branch.patch Normal file
View File

File diff suppressed because it is too large Load Diff

69
0004-Added-a-check-while-removing-cert_dir-.-The-teardown.patch Normal file
View File

@ -0,0 +1,69 @@
From aca97507cd119ad55e0c3c18ca65087cb5576c82 Mon Sep 17 00:00:00 2001
From: Sumedh Sidhaye <ssidhaye@redhat.com>
Date: Mon, 13 Jun 2022 13:49:08 +0530
Subject: [PATCH] Added a check while removing 'cert_dir'. The teardown method
is called even if all the tests are skipped since the required PKI version is
not present. The teardown is trying to remove a non-existent directory.
Currently the cert_dir attribute is only present if IPA installation was
done. If IPA was not installed the attribute does not exist.
In order that the uninstall code finds the attribute a class attribute
is added.
Pagure Issue: https://pagure.io/freeipa/issue/9179
Signed-off-by: Sumedh Sidhaye <ssidhaye@redhat.com>
Reviewed-By: Florence Blanc-Renaud <flo@redhat.com>
Reviewed-By: Rob Crittenden <rcritten@redhat.com>
---
ipatests/test_integration/test_caless.py | 12 +++++++++++-
.../test_integration/test_random_serial_numbers.py | 6 ++++++
2 files changed, 17 insertions(+), 1 deletion(-)
diff --git a/ipatests/test_integration/test_caless.py b/ipatests/test_integration/test_caless.py
index 96f477bbe4b0e25184605a80659b5ec6529a2320..4c370f77e84215714e533b1b6ebeb89216319c0f 100644
--- a/ipatests/test_integration/test_caless.py
+++ b/ipatests/test_integration/test_caless.py
@@ -122,6 +122,15 @@ def replica_install_teardown(func):
class CALessBase(IntegrationTest):
+ # The teardown method is called even if all the tests are skipped
+ # since the required PKI version is not present.
+ # The teardown is trying to remove a non-existent directory.
+ # Currently the cert_dir attribute is only present if IPA installation was
+ # done. If IPA was not installed the attribute does not exist.
+ # In order that the uninstall code finds the attribute a class attribute
+ # is added.
+ cert_dir = None
+
@classmethod
def install(cls, mh):
cls.cert_dir = tempfile.mkdtemp(prefix="ipatest-")
@@ -164,7 +173,8 @@ class CALessBase(IntegrationTest):
@classmethod
def uninstall(cls, mh):
# Remove the NSS database
- shutil.rmtree(cls.cert_dir)
+ if cls.cert_dir:
+ shutil.rmtree(cls.cert_dir)
super(CALessBase, cls).uninstall(mh)
@classmethod
diff --git a/ipatests/test_integration/test_random_serial_numbers.py b/ipatests/test_integration/test_random_serial_numbers.py
index a931c7b562f00f94e10d1e9e891fbf0624d5fd88..c52cfa4ed50e2718791b0844d743fb240d26b365 100644
--- a/ipatests/test_integration/test_random_serial_numbers.py
+++ b/ipatests/test_integration/test_random_serial_numbers.py
@@ -64,3 +64,9 @@ class TestServerCALessToExternalCA_RSN(TestServerCALessToExternalCA):
if not pki_supports_RSNv3(mh.master):
raise pytest.skip("RNSv3 not supported")
super(TestServerCALessToExternalCA_RSN, cls).install(mh)
+
+ @classmethod
+ def uninstall(cls, mh):
+ if not pki_supports_RSNv3(mh.master):
+ raise pytest.skip("RSNv3 not supported")
+ super(TestServerCALessToExternalCA_RSN, cls).uninstall(mh)
--
2.37.2

55
0005-ipatests-healthcheck-test-if-system-is-FIPS-enabled.patch Normal file
View File

@ -0,0 +1,55 @@
From c55185d3dc3c6cd2ffebab77fbf8caa40a32bcd1 Mon Sep 17 00:00:00 2001
From: Erik <ebelko@redhat.com>
Date: Mon, 18 Jul 2022 11:59:24 +0200
Subject: [PATCH] ipatests: healthcheck: test if system is FIPS enabled
Test if FIPS is enabled and the check exists.
Related: https://pagure.io/freeipa/issue/8951
Signed-off-by: Erik Belko <ebelko@redhat.com>
Reviewed-By: Michal Polovka <mpolovka@redhat.com>
Reviewed-By: Rob Crittenden <rcritten@redhat.com>
---
.../test_integration/test_ipahealthcheck.py | 25 +++++++++++++++++++
1 file changed, 25 insertions(+)
diff --git a/ipatests/test_integration/test_ipahealthcheck.py b/ipatests/test_integration/test_ipahealthcheck.py
index 23af09f3a7eaa8012e7a898ce6a534d1fad45323..a0c85f79e6e84f9e63072c6d70276480e4af97ad 100644
--- a/ipatests/test_integration/test_ipahealthcheck.py
+++ b/ipatests/test_integration/test_ipahealthcheck.py
@@ -340,6 +340,31 @@ class TestIpaHealthCheck(IntegrationTest):
assert returncode == 0
assert output == "No issues found."
+ def test_ipa_healthcheck_fips_enabled(self):
+ """
+ Test if FIPS is enabled and the check exists.
+
+ https://pagure.io/freeipa/issue/8951
+ """
+ returncode, check = run_healthcheck(self.master,
+ source="ipahealthcheck.meta.core",
+ check="MetaCheck",
+ output_type="json",
+ failures_only=False)
+ assert returncode == 0
+
+ cmd = self.master.run_command(['fips-mode-setup', '--is-enabled'],
+ raiseonerr=False)
+ returncode = cmd.returncode
+
+ # If this produces IndexError, the check does not exist
+ if check[0]["kw"]["fips"] == "disabled":
+ assert returncode == 2
+ elif check[0]["kw"]["fips"] == "enabled":
+ assert returncode == 0
+ else:
+ assert returncode == 1
+
def test_ipa_healthcheck_after_certupdate(self):
"""
Verify that ipa-certupdate hasn't messed up tracking
--
2.37.2

125
0006-Disabling-gracelimit-does-not-prevent-LDAP-binds.patch Normal file
View File

@ -0,0 +1,125 @@
From 1bb4ff9ed2313fb3c2bd1418258c5bcec557b6a5 Mon Sep 17 00:00:00 2001
From: Rob Crittenden <rcritten@redhat.com>
Date: Thu, 21 Jul 2022 09:28:46 -0400
Subject: [PATCH] Disabling gracelimit does not prevent LDAP binds
Originally the code treated 0 as disabled. This was
changed during the review process to -1 but one remnant
was missed effetively allowing gracelimit 0 to also mean
disabled.
Add explicit tests for testing with gracelimit = 0 and
gracelimit = -1.
Also remove some extranous "str(self.master.domain.basedn)"
lines from some of the tests.
Fixes: https://pagure.io/freeipa/issue/9206
Signed-off-by: Rob Crittenden <rcritten@redhat.com>
Reviewed-By: Francisco Trivino <ftrivino@redhat.com>
---
.../ipa-graceperiod/ipa_graceperiod.c | 2 +-
ipatests/test_integration/test_pwpolicy.py | 55 ++++++++++++++++++-
2 files changed, 53 insertions(+), 4 deletions(-)
diff --git a/daemons/ipa-slapi-plugins/ipa-graceperiod/ipa_graceperiod.c b/daemons/ipa-slapi-plugins/ipa-graceperiod/ipa_graceperiod.c
index a3f57cb4bd7a2a66d70fae98cca0f62a8f0c017f..345e1dee7d163167373ca82dedb1e827f0e1bc8c 100644
--- a/daemons/ipa-slapi-plugins/ipa-graceperiod/ipa_graceperiod.c
+++ b/daemons/ipa-slapi-plugins/ipa-graceperiod/ipa_graceperiod.c
@@ -479,7 +479,7 @@ static int ipagraceperiod_preop(Slapi_PBlock *pb)
if (pwresponse_requested) {
slapi_pwpolicy_make_response_control(pb, -1, grace_limit - grace_user_time , -1);
}
- } else if ((grace_limit > 0) && (grace_user_time >= grace_limit)) {
+ } else if (grace_user_time >= grace_limit) {
LOG_TRACE("%s password is expired and out of grace limit\n", dn);
errstr = "Password is expired.\n";
ret = LDAP_INVALID_CREDENTIALS;
diff --git a/ipatests/test_integration/test_pwpolicy.py b/ipatests/test_integration/test_pwpolicy.py
index 6d66982848ac5a0061b47d30fad022be055c93e4..41d6e9070a90c2bde7b3182ad6ecf1a923bba203 100644
--- a/ipatests/test_integration/test_pwpolicy.py
+++ b/ipatests/test_integration/test_pwpolicy.py
@@ -36,7 +36,7 @@ class TestPWPolicy(IntegrationTest):
cls.master.run_command(['ipa', 'group-add-member', POLICY,
'--users', USER])
cls.master.run_command(['ipa', 'pwpolicy-add', POLICY,
- '--priority', '1'])
+ '--priority', '1', '--gracelimit', '-1'])
cls.master.run_command(['ipa', 'passwd', USER],
stdin_text='{password}\n{password}\n'.format(
password=PASSWORD
@@ -265,7 +265,6 @@ class TestPWPolicy(IntegrationTest):
def test_graceperiod_expired(self):
"""Test the LDAP bind grace period"""
- str(self.master.domain.basedn)
dn = "uid={user},cn=users,cn=accounts,{base_dn}".format(
user=USER, base_dn=str(self.master.domain.basedn))
@@ -308,7 +307,6 @@ class TestPWPolicy(IntegrationTest):
def test_graceperiod_not_replicated(self):
"""Test that the grace period is reset on password reset"""
- str(self.master.domain.basedn)
dn = "uid={user},cn=users,cn=accounts,{base_dn}".format(
user=USER, base_dn=str(self.master.domain.basedn))
@@ -341,3 +339,54 @@ class TestPWPolicy(IntegrationTest):
)
assert 'passwordgraceusertime: 0' in result.stdout_text.lower()
self.reset_password(self.master)
+
+ def test_graceperiod_zero(self):
+ """Test the LDAP bind with zero grace period"""
+ dn = "uid={user},cn=users,cn=accounts,{base_dn}".format(
+ user=USER, base_dn=str(self.master.domain.basedn))
+
+ self.master.run_command(
+ ["ipa", "pwpolicy-mod", POLICY, "--gracelimit", "0", ],
+ )
+
+ # Resetting the password will mark it as expired
+ self.reset_password(self.master)
+
+ # Now grace is done and binds should fail.
+ result = self.master.run_command(
+ ["ldapsearch", "-e", "ppolicy", "-D", dn,
+ "-w", PASSWORD, "-b", dn], raiseonerr=False
+ )
+ assert result.returncode == 49
+
+ assert 'Password is expired' in result.stderr_text
+ assert 'Password expired, 0 grace logins remain' in result.stderr_text
+
+ def test_graceperiod_disabled(self):
+ """Test the LDAP bind with grace period disabled (-1)"""
+ str(self.master.domain.basedn)
+ dn = "uid={user},cn=users,cn=accounts,{base_dn}".format(
+ user=USER, base_dn=str(self.master.domain.basedn))
+
+ # This can fail if gracelimit is already -1 so ignore it
+ self.master.run_command(
+ ["ipa", "pwpolicy-mod", POLICY, "--gracelimit", "-1",],
+ raiseonerr=False,
+ )
+
+ # Ensure the password is expired
+ self.reset_password(self.master)
+
+ result = self.kinit_as_user(self.master, PASSWORD, PASSWORD)
+
+ for _i in range(0, 10):
+ result = self.master.run_command(
+ ["ldapsearch", "-e", "ppolicy", "-D", dn,
+ "-w", PASSWORD, "-b", dn]
+ )
+
+ # With graceperiod disabled it should not increment
+ result = tasks.ldapsearch_dm(
+ self.master, dn, ['passwordgraceusertime',],
+ )
+ assert 'passwordgraceusertime: 0' in result.stdout_text.lower()
--
2.37.2

144
0007-ipatests-ipa-client-install-subid-adds-entry-in-nssw.patch Normal file
View File

@ -0,0 +1,144 @@
From a39af6b7228d8ba85b9e97aa5decbc056d081c77 Mon Sep 17 00:00:00 2001
From: Sudhir Menon <sumenon@redhat.com>
Date: Thu, 23 Jun 2022 16:14:39 +0530
Subject: [PATCH] ipatests: ipa-client-install --subid adds entry in
nsswitch.conf
This testcase checks that when ipa-client-install command
is run with --subid option, /etc/nsswitch.conf file is updated
with the below entry
subid: nss
Related: https://pagure.io/freeipa/issue/9159
Since the newly added testsuite required client
system, hence modified the below yaml files to change the topology
from *master_1repl to *master_1repl_1client in the below files
gating.yaml
nightly_latest.yaml
nightly_rawhide.yaml
Signed-off-by: Sudhir Menon <sumenon@redhat.com>
Reviewed-By: Rob Crittenden <rcritten@redhat.com>
Reviewed-By: Michal Polovka <mpolovka@redhat.com>
Reviewed-By: Stanislav Levin <slev@altlinux.org>
Reviewed-By: Florence Blanc-Renaud <frenaud@redhat.com>
Signed-off-by: Sudhir Menon <sumenon@redhat.com>
Reviewed-By: Rob Crittenden <rcritten@redhat.com>
Reviewed-By: Michal Polovka <mpolovka@redhat.com>
Reviewed-By: Stanislav Levin <slev@altlinux.org>
Reviewed-By: Florence Blanc-Renaud <frenaud@redhat.com>
---
ipatests/prci_definitions/gating.yaml | 2 +-
.../nightly_ipa-4-10_latest.yaml | 2 +-
.../nightly_ipa-4-10_latest_selinux.yaml | 2 +-
.../nightly_ipa-4-10_previous.yaml | 2 +-
ipatests/test_integration/test_subids.py | 38 +++++++++++++++++++
5 files changed, 42 insertions(+), 4 deletions(-)
diff --git a/ipatests/prci_definitions/gating.yaml b/ipatests/prci_definitions/gating.yaml
index 4083c650a17ce76bdefa243f1a7c5924039ff0bb..db4875dcfae8676287ef771805b34d988330bb40 100644
--- a/ipatests/prci_definitions/gating.yaml
+++ b/ipatests/prci_definitions/gating.yaml
@@ -309,4 +309,4 @@ jobs:
test_suite: test_integration/test_subids.py
template: *ci-ipa-4-10-latest
timeout: 3600
- topology: *master_1repl
+ topology: *master_1repl_1client
diff --git a/ipatests/prci_definitions/nightly_ipa-4-10_latest.yaml b/ipatests/prci_definitions/nightly_ipa-4-10_latest.yaml
index 24aa6e7cf29e448ba9d838d1cb98169213ea63ef..027b2a5b6c0b7ec3c3b5784ec4569661a06d4ed7 100644
--- a/ipatests/prci_definitions/nightly_ipa-4-10_latest.yaml
+++ b/ipatests/prci_definitions/nightly_ipa-4-10_latest.yaml
@@ -1748,7 +1748,7 @@ jobs:
test_suite: test_integration/test_subids.py
template: *ci-ipa-4-10-latest
timeout: 3600
- topology: *master_1repl
+ topology: *master_1repl_1client
fedora-latest-ipa-4-10/test_custom_plugins:
requires: [fedora-latest-ipa-4-10/build]
diff --git a/ipatests/prci_definitions/nightly_ipa-4-10_latest_selinux.yaml b/ipatests/prci_definitions/nightly_ipa-4-10_latest_selinux.yaml
index f22cc08384b3d50e49278d38e73bf93cd7804e80..bcc17bef935666735bfb2c2e51209362a374b511 100644
--- a/ipatests/prci_definitions/nightly_ipa-4-10_latest_selinux.yaml
+++ b/ipatests/prci_definitions/nightly_ipa-4-10_latest_selinux.yaml
@@ -1887,7 +1887,7 @@ jobs:
test_suite: test_integration/test_subids.py
template: *ci-ipa-4-10-latest
timeout: 3600
- topology: *master_1repl
+ topology: *master_1repl_1client
fedora-latest-ipa-4-10/test_custom_plugins:
requires: [fedora-latest-ipa-4-10/build]
diff --git a/ipatests/prci_definitions/nightly_ipa-4-10_previous.yaml b/ipatests/prci_definitions/nightly_ipa-4-10_previous.yaml
index df98a66871fd90daaebd83f063e48f1580675049..37d38762e696a6394ef146a0e2b68bbc8ced515d 100644
--- a/ipatests/prci_definitions/nightly_ipa-4-10_previous.yaml
+++ b/ipatests/prci_definitions/nightly_ipa-4-10_previous.yaml
@@ -1748,7 +1748,7 @@ jobs:
test_suite: test_integration/test_subids.py
template: *ci-ipa-4-10-previous
timeout: 3600
- topology: *master_1repl
+ topology: *master_1repl_1client
fedora-previous-ipa-4-10/test_custom_plugins:
requires: [fedora-previous-ipa-4-10/build]
diff --git a/ipatests/test_integration/test_subids.py b/ipatests/test_integration/test_subids.py
index f6d8607f237bf03358baae008dd2a6ad819751c0..8158499e1a2b71bdc1a308dec0939fd0d491599d 100644
--- a/ipatests/test_integration/test_subids.py
+++ b/ipatests/test_integration/test_subids.py
@@ -17,6 +17,7 @@ from ipatests.test_integration.base import IntegrationTest
class TestSubordinateId(IntegrationTest):
num_replicas = 0
+ num_clients = 1
topology = "star"
def _parse_result(self, result):
@@ -268,3 +269,40 @@ class TestSubordinateId(IntegrationTest):
f"--subuid={subuid}"])
owner = self._parse_result(result)["owner"]
assert owner == uid
+
+ def test_nsswitch_doesnot_contain_subid_entry(self):
+ """
+ This testcase checks that when ipa-client-install
+ is installed without subid option, the nsswitch.conf
+ does not contain subid entry or does not use sss as
+ source for subid
+ """
+ cmd = self.clients[0].run_command(
+ ["grep", "^subid", "/etc/nsswitch.conf"],
+ raiseonerr=False
+ )
+ # a source is defined for the subid database.
+ # Ensure it is not "sss"
+ if cmd.returncode == 0:
+ assert 'sss' not in cmd.stdout_text
+ else:
+ # grep command returncode 1 means no matching line
+ # was found = no source is defined for the subid database,
+ # which is valid other return codes would
+ # mean an error occurred
+ assert cmd.returncode == 1
+
+ def test_nsswitch_is_updated_with_subid_entry(self):
+ """
+ This test case checks that when ipa-client-install
+ is installed with --subid option, the nsswitch.conf
+ file is modified with the entry 'subid: sss'
+ """
+ tasks.uninstall_client(self.clients[0])
+ tasks.install_client(self.master, self.clients[0],
+ extra_args=['--subid'])
+ cmd = self.clients[0].run_command(
+ ["grep", "^subid", "/etc/nsswitch.conf"]
+ )
+ subid = cmd.stdout_text.split()
+ assert ['subid:', 'sss'] == subid
--
2.37.2

56
0008-webui-Allow-grace-login-limit.patch Normal file
View File

@ -0,0 +1,56 @@
From 7a1e1d9f1cb13679c28f12d05b156a08bcc4d856 Mon Sep 17 00:00:00 2001
From: Carla Martinez <carlmart@redhat.com>
Date: Fri, 29 Jul 2022 13:16:16 +0200
Subject: [PATCH] webui: Allow grace login limit
There was no support for setting the grace login limit on the WebUI. The
only way to so was only via CLI:
`ipa pwpolicy-mod --gracelimit=2 global_policy`
Thus, the grace login limit must be updated from the policy section and
this will reflect also on the user settings (under the 'Password Policy'
section)
Fixes: https://pagure.io/freeipa/issue/9211
Signed-off-by: Carla Martinez <carlmart@redhat.com>
Reviewed-By: Florence Blanc-Renaud <flo@redhat.com>
---
install/ui/src/freeipa/policy.js | 3 +++
install/ui/src/freeipa/user.js | 5 +++++
2 files changed, 8 insertions(+)
diff --git a/install/ui/src/freeipa/policy.js b/install/ui/src/freeipa/policy.js
index fa2028a52b1118b6125f91153280da0a2ffe0584..7ec103636ced0cce34997d81a02b25ba73bda33f 100644
--- a/install/ui/src/freeipa/policy.js
+++ b/install/ui/src/freeipa/policy.js
@@ -72,6 +72,9 @@ return {
{
name: 'cospriority',
required: true
+ },
+ {
+ name: 'passwordgracelimit'
}
]
}]
diff --git a/install/ui/src/freeipa/user.js b/install/ui/src/freeipa/user.js
index a580db03599457eefd85f8c23d74c284946393c7..b47c97f72008f2f4e75b4cb88e9ff6756827b26e 100644
--- a/install/ui/src/freeipa/user.js
+++ b/install/ui/src/freeipa/user.js
@@ -318,6 +318,11 @@ return {
label: '@mo-param:pwpolicy:krbpwdlockoutduration:label',
read_only: true,
measurement_unit: 'seconds'
+ },
+ {
+ name: 'passwordgracelimit',
+ label: '@mo-param:pwpolicy:passwordgracelimit:label',
+ read_only: true
}
]
},
--
2.37.2

226
0009-Additional-tests-for-RSN-v3.patch Normal file
View File

@ -0,0 +1,226 @@
From bfe074ed478c20a9537dc2a714bba50dbc2cd34f Mon Sep 17 00:00:00 2001
From: Sumedh Sidhaye <ssidhaye@redhat.com>
Date: Fri, 5 Aug 2022 11:22:59 +0530
Subject: [PATCH] Additional tests for RSN v3
New Tests include
TestRSNPKIConfig
TestRSNVault
The new tests are just extending existing classes to be run
with random serial numbers enabled
The tests also include a new method to check params set in CS.cfg for both CA and
KRA, and another test to check Random Serial Number version while
running `ipa ca-find`
Added nightly definitions
Related Ticket: https://pagure.io/freeipa/issue/2016
Signed-off-by: Sumedh Sidhaye <ssidhaye@redhat.com>
Reviewed-By: Rob Crittenden <rcritten@redhat.com>
Reviewed-By: Florence Blanc-Renaud <frenaud@redhat.com>
---
.../nightly_ipa-4-10_latest.yaml | 24 +++++++++
.../nightly_ipa-4-10_latest_selinux.yaml | 26 ++++++++++
.../nightly_ipa-4-10_previous.yaml | 24 +++++++++
.../test_random_serial_numbers.py | 51 ++++++++++++++++++-
ipatests/test_integration/test_vault.py | 4 +-
5 files changed, 127 insertions(+), 2 deletions(-)
diff --git a/ipatests/prci_definitions/nightly_ipa-4-10_latest.yaml b/ipatests/prci_definitions/nightly_ipa-4-10_latest.yaml
index 027b2a5b6c0b7ec3c3b5784ec4569661a06d4ed7..547320d258f51132266b56e9193533d2291c623c 100644
--- a/ipatests/prci_definitions/nightly_ipa-4-10_latest.yaml
+++ b/ipatests/prci_definitions/nightly_ipa-4-10_latest.yaml
@@ -1821,3 +1821,27 @@ jobs:
template: *ci-ipa-4-10-latest
timeout: 5400
topology: *master_1repl
+
+ fedora-latest-ipa-4-10/test_random_serial_numbers_TestRSNPKIConfig:
+ requires: [fedora-latest-ipa-4-10/build]
+ priority: 50
+ job:
+ class: RunPytest
+ args:
+ build_url: '{fedora-latest-ipa-4-10/build_url}'
+ test_suite: test_integration/test_random_serial_numbers.py::TestRSNPKIConfig
+ template: *ci-ipa-4-10-latest
+ timeout: 10800
+ topology: *master_3repl_1client
+
+ fedora-latest-ipa-4-10/test_random_serial_numbers_TestRSNVault:
+ requires: [fedora-latest-ipa-4-10/build]
+ priority: 50
+ job:
+ class: RunPytest
+ args:
+ build_url: '{fedora-latest-ipa-4-10/build_url}'
+ test_suite: test_integration/test_random_serial_numbers.py::TestRSNVault
+ template: *ci-ipa-4-10-latest
+ timeout: 10800
+ topology: *master_1repl
\ No newline at end of file
diff --git a/ipatests/prci_definitions/nightly_ipa-4-10_latest_selinux.yaml b/ipatests/prci_definitions/nightly_ipa-4-10_latest_selinux.yaml
index bcc17bef935666735bfb2c2e51209362a374b511..f6e5f1cff22de9db4df4577d1cd615499cf0fab3 100644
--- a/ipatests/prci_definitions/nightly_ipa-4-10_latest_selinux.yaml
+++ b/ipatests/prci_definitions/nightly_ipa-4-10_latest_selinux.yaml
@@ -1966,3 +1966,29 @@ jobs:
template: *ci-ipa-4-10-latest
timeout: 5400
topology: *master_1repl
+
+ fedora-latest-ipa-4-10/test_random_serial_numbers_TestRSNPKIConfig:
+ requires: [fedora-latest-ipa-4-10/build]
+ priority: 50
+ job:
+ class: RunPytest
+ args:
+ build_url: '{fedora-latest-ipa-4-10/build_url}'
+ selinux_enforcing: True
+ test_suite: test_integration/test_random_serial_numbers.py::TestRSNPKIConfig
+ template: *ci-ipa-4-10-latest
+ timeout: 10800
+ topology: *master_3repl_1client
+
+ fedora-latest-ipa-4-10/test_random_serial_numbers_TestRSNVault:
+ requires: [fedora-latest-ipa-4-10/build]
+ priority: 50
+ job:
+ class: RunPytest
+ args:
+ build_url: '{fedora-latest-ipa-4-10/build_url}'
+ selinux_enforcing: True
+ test_suite: test_integration/test_random_serial_numbers.py::TestRSNVault
+ template: *ci-ipa-4-10-latest
+ timeout: 10800
+ topology: *master_1repl
diff --git a/ipatests/prci_definitions/nightly_ipa-4-10_previous.yaml b/ipatests/prci_definitions/nightly_ipa-4-10_previous.yaml
index 37d38762e696a6394ef146a0e2b68bbc8ced515d..463f4b92fecc7fbc0be969de422352fb7baeb797 100644
--- a/ipatests/prci_definitions/nightly_ipa-4-10_previous.yaml
+++ b/ipatests/prci_definitions/nightly_ipa-4-10_previous.yaml
@@ -1821,3 +1821,27 @@ jobs:
template: *ci-ipa-4-10-previous
timeout: 5400
topology: *master_1repl
+
+ fedora-previous-ipa-4-10/test_random_serial_numbers_TestRSNPKIConfig:
+ requires: [fedora-previous-ipa-4-10/build]
+ priority: 50
+ job:
+ class: RunPytest
+ args:
+ build_url: '{fedora-previous-ipa-4-10/build_url}'
+ test_suite: test_integration/test_random_serial_numbers.py::TestRSNPKIConfig
+ template: *ci-ipa-4-10-previous
+ timeout: 10800
+ topology: *master_3repl_1client
+
+ fedora-previous-ipa-4-10/test_random_serial_numbers_TestRSNVault:
+ requires: [fedora-previous-ipa-4-10/build]
+ priority: 50
+ job:
+ class: RunPytest
+ args:
+ build_url: '{fedora-previous-ipa-4-10/build_url}'
+ test_suite: test_integration/test_random_serial_numbers.py::TestRSNVault
+ template: *ci-ipa-4-10-previous
+ timeout: 10800
+ topology: *master_1repl
diff --git a/ipatests/test_integration/test_random_serial_numbers.py b/ipatests/test_integration/test_random_serial_numbers.py
index c52cfa4ed50e2718791b0844d743fb240d26b365..ab58b1c622b010994ed93a17dd80cfd02095508d 100644
--- a/ipatests/test_integration/test_random_serial_numbers.py
+++ b/ipatests/test_integration/test_random_serial_numbers.py
@@ -4,12 +4,15 @@
import pytest
+from ipaplatform.paths import paths
+
+from ipatests.pytest_ipa.integration import tasks
from ipatests.test_integration.test_installation import (
TestInstallWithCA_DNS1,
TestInstallWithCA_KRA1,
)
from ipatests.test_integration.test_caless import TestServerCALessToExternalCA
-
+from ipatests.test_integration.test_vault import TestInstallKRA
from ipatests.test_integration.test_commands import TestIPACommand
@@ -26,6 +29,18 @@ def pki_supports_RSNv3(host):
return False
+def check_pki_config_params(host):
+ # Check CS.cfg
+ try:
+ cs_cfg = host.get_file_contents(paths.CA_CS_CFG_PATH)
+ kra_cfg = host.get_file_contents(paths.KRA_CS_CFG_PATH)
+ assert "dbs.cert.id.generator=random".encode() in cs_cfg
+ assert "dbs.request.id.generator=random".encode() in cs_cfg
+ assert "dbs.key.id.generator=random".encode() in kra_cfg
+ except IOError:
+ pytest.skip("PKI config not present.Skipping test")
+
+
class TestInstallWithCA_DNS1_RSN(TestInstallWithCA_DNS1):
random_serial = True
@@ -70,3 +85,37 @@ class TestServerCALessToExternalCA_RSN(TestServerCALessToExternalCA):
if not pki_supports_RSNv3(mh.master):
raise pytest.skip("RSNv3 not supported")
super(TestServerCALessToExternalCA_RSN, cls).uninstall(mh)
+
+
+class TestRSNPKIConfig(TestInstallWithCA_KRA1):
+ random_serial = True
+ num_replicas = 3
+
+ @classmethod
+ def install(cls, mh):
+ if not pki_supports_RSNv3(mh.master):
+ raise pytest.skip("RSNv3 not supported")
+ super(TestRSNPKIConfig, cls).install(mh)
+
+ def test_check_pki_config(self):
+ check_pki_config_params(self.master)
+ check_pki_config_params(self.replicas[0])
+ check_pki_config_params(self.replicas[1])
+
+ def test_check_rsn_version(self):
+ tasks.kinit_admin(self.master)
+ res = self.master.run_command(['ipa', 'ca-find'])
+ assert 'RSN Version: 3' in res.stdout_text
+ tasks.kinit_admin(self.replicas[0])
+ res = self.replicas[0].run_command(['ipa', 'ca-find'])
+ assert 'RSN Version: 3' in res.stdout_text
+
+
+class TestRSNVault(TestInstallKRA):
+ random_serial = True
+
+ @classmethod
+ def install(cls, mh):
+ if not pki_supports_RSNv3(mh.master):
+ raise pytest.skip("RSNv3 not supported")
+ super(TestRSNVault, cls).install(mh)
diff --git a/ipatests/test_integration/test_vault.py b/ipatests/test_integration/test_vault.py
index 548822d049070d6f9d42da772264eb24010fafda..6288e557f96cae60d031b44c49fbe830712eb7be 100644
--- a/ipatests/test_integration/test_vault.py
+++ b/ipatests/test_integration/test_vault.py
@@ -33,7 +33,9 @@ class TestInstallKRA(IntegrationTest):
@classmethod
def install(cls, mh):
- tasks.install_master(cls.master, setup_kra=True)
+ tasks.install_master(cls.master,
+ setup_kra=True,
+ random_serial=cls.random_serial)
# do not install KRA on replica, it is part of test
tasks.install_replica(cls.master, cls.replicas[0], setup_kra=False)
--
2.37.2

35
0010-check_repl_update-in-progress-is-a-boolean.patch Normal file
View File

@ -0,0 +1,35 @@
From 2003eb6b3d4a27a5de5eaa79418f115dd99886cd Mon Sep 17 00:00:00 2001
From: Florence Blanc-Renaud <flo@redhat.com>
Date: Sun, 7 Aug 2022 12:44:47 +0200
Subject: [PATCH] check_repl_update: in progress is a boolean
With the fix for https://pagure.io/freeipa/issue/9171,
nsds5replicaUpdateInProgress is now handled as a boolean.
One remaining occurrence was still handling it as a string
and calling lower() on its value.
Replace with direct boolean comparison.
Fixes: https://pagure.io/freeipa/issue/9218
Signed-off-by: Florence Blanc-Renaud <flo@redhat.com>
Reviewed-By: Alexander Bokovoy <abokovoy@redhat.com>
---
ipaserver/install/replication.py | 2 +-
1 file changed, 1 insertion(+), 1 deletion(-)
diff --git a/ipaserver/install/replication.py b/ipaserver/install/replication.py
index 16be3760cb14bfeb1cc9a761400752071639dc7c..9d9aa1c4bfc99109c0cf1e6d1619ec1b38e20c02 100644
--- a/ipaserver/install/replication.py
+++ b/ipaserver/install/replication.py
@@ -1152,7 +1152,7 @@ class ReplicationManager:
except (ValueError, TypeError, KeyError):
end = 0
# incremental update is done if inprogress is false and end >= start
- done = inprogress and inprogress.lower() == 'false' and start <= end
+ done = inprogress is not None and not inprogress and start <= end
logger.info("Replication Update in progress: %s: status: %s: "
"start: %d: end: %d",
inprogress, status, start, end)
--
2.37.2

82
0011-ipatests-Fix-expected-object-classes.patch Normal file
View File

@ -0,0 +1,82 @@
From b6520bef2ef05dd87636d8b57e3247d451af81d8 Mon Sep 17 00:00:00 2001
From: Florence Blanc-Renaud <flo@redhat.com>
Date: Tue, 14 Dec 2021 16:33:29 +0100
Subject: [PATCH] ipatests: Fix expected object classes
Because the sidgen plugin is a postop plugin, it is not
always triggered before the result of an ADD is returned
and the objectclasses of the user may / may not contain
ipantuserattrs.
Fix the expected object classes.
Related: https://pagure.io/freeipa/issue/9062
Signed-off-by: Florence Blanc-Renaud <flo@redhat.com>
Reviewed-By: Rob Crittenden <rcritten@redhat.com>
Reviewed-By: Alexander Bokovoy <abokovoy@redhat.com>
Reviewed-By: Stanislav Levin <slev@altlinux.org>
---
ipatests/test_xmlrpc/test_user_plugin.py | 20 ++++++++++++++------
1 file changed, 14 insertions(+), 6 deletions(-)
diff --git a/ipatests/test_xmlrpc/test_user_plugin.py b/ipatests/test_xmlrpc/test_user_plugin.py
index 74d78b0c6d75590640da1357da1f9f4570307878..c156a8793c5765df96029753f4a278e961d4e895 100644
--- a/ipatests/test_xmlrpc/test_user_plugin.py
+++ b/ipatests/test_xmlrpc/test_user_plugin.py
@@ -125,7 +125,9 @@ def user_npg(request, group):
del tracker.attrs['mepmanagedentry']
tracker.attrs.update(
description=[], memberof_group=[group.cn],
- objectclass=objectclasses.user_base + [u'ipantuserattrs'],
+ objectclass=fuzzy_set_optional_oc(
+ objectclasses.user_base, 'ipantuserattrs'
+ ),
)
return tracker.make_fixture(request)
@@ -139,7 +141,9 @@ def user_npg2(request, group):
del tracker.attrs['mepmanagedentry']
tracker.attrs.update(
gidnumber=[u'1000'], description=[], memberof_group=[group.cn],
- objectclass=objectclasses.user_base + [u'ipantuserattrs'],
+ objectclass=fuzzy_set_optional_oc(
+ objectclasses.user_base, 'ipantuserattrs'
+ ),
)
return tracker.make_fixture(request)
@@ -151,8 +155,9 @@ def user_radius(request, xmlrpc_setup):
sn=u'radiususer1',
ipatokenradiususername=u'radiususer')
tracker.track_create()
- tracker.attrs.update(
- objectclass=objectclasses.user + [u'ipatokenradiusproxyuser']
+ tracker.attrs.update(objectclass=fuzzy_set_optional_oc(
+ objectclasses.user + [u'ipatokenradiusproxyuser'],
+ 'ipantuserattrs'),
)
return tracker.make_fixture(request)
@@ -647,7 +652,8 @@ class TestCreate(XMLRPC_test):
testuser.attrs.update(gidnumber=[u'1000'])
testuser.attrs.update(
description=[],
- objectclass=objectclasses.user_base + [u'ipantuserattrs']
+ objectclass=fuzzy_set_optional_oc(
+ objectclasses.user_base, 'ipantuserattrs'),
)
command = testuser.make_create_command()
result = command()
@@ -865,7 +871,9 @@ class TestUserWithUPGDisabled(XMLRPC_test):
testuser.attrs.update(gidnumber=[u'1000'])
testuser.attrs.update(
description=[],
- objectclass=objectclasses.user_base + [u'ipantuserattrs'],
+ objectclass=fuzzy_set_optional_oc(
+ objectclasses.user_base, 'ipantuserattrs'
+ ),
)
command = testuser.make_create_command()
result = command()
--
2.37.2

50
0012-doc-Update-LDAP-grace-period-design-with-default-val.patch Normal file
View File

@ -0,0 +1,50 @@
From 1aa39529cda4ab9620539dbad705cedd23c21b42 Mon Sep 17 00:00:00 2001
From: Rob Crittenden <rcritten@redhat.com>
Date: Thu, 18 Aug 2022 08:21:58 -0400
Subject: [PATCH] doc: Update LDAP grace period design with default values
New group password policies will get -1 (unlimited) on creation
by default.
Existing group password policies will remain untouched and
those created prior will be treated as no BIND allowed.
Fixes: https://pagure.io/freeipa/issue/9212
Signed-off-by: Rob Crittenden <rcritten@redhat.com>
Reviewed-By: Florence Blanc-Renaud <frenaud@redhat.com>
---
doc/designs/ldap_grace_period.md | 17 ++++++++++++++++-
1 file changed, 16 insertions(+), 1 deletion(-)
diff --git a/doc/designs/ldap_grace_period.md b/doc/designs/ldap_grace_period.md
index 4b9db34247c1446aec3f5bcce7dfa1bd8a2bd359..e26aedda976b19f3ba26593ba3b3c06c30506a21 100644
--- a/doc/designs/ldap_grace_period.md
+++ b/doc/designs/ldap_grace_period.md
@@ -51,7 +51,22 @@ The basic flow is:
On successful password reset (by anyone) reset the user's passwordGraceUserTime to 0.
-The default value on install/upgrade will be -1 to retail existing behavior.
+Range values for passwordgracelimit are:
+
+-1 : password grace checking is disabled
+ 0 : no grace BIND are allowed at all post-expiration
+ 1..MAXINT: the number of BIND allowed post-expiration
+
+The default value for the global policy on install/upgrade will be -1 to
+retain existing behavior.
+
+New group password policies will default to -1 to retain previous
+behavior.
+
+Existing group policies with no grace limit set are updated to use
+the default unlimited value, -1. This is done because lack of value in
+LDAP is treated as 0 so any existing group policies would not allow
+post-expiration BIND so this will avoid confusion.
The per-user attempts will not be replicated.
--
2.37.2

74
0013-Set-default-gracelimit-on-group-password-policies-to.patch Normal file
View File

@ -0,0 +1,74 @@
From 45e6d49b94da78cd82eb016b3266a17a1359a087 Mon Sep 17 00:00:00 2001
From: Rob Crittenden <rcritten@redhat.com>
Date: Thu, 4 Aug 2022 12:04:22 -0400
Subject: [PATCH] Set default gracelimit on group password policies to -1
This will retain previous behavior of unlimited LDAP BIND
post-expiration.
Fixes: https://pagure.io/freeipa/issue/9212
Signed-off-by: Rob Crittenden <rcritten@redhat.com>
Reviewed-By: Florence Blanc-Renaud <frenaud@redhat.com>
---
API.txt | 2 +-
ipaserver/plugins/pwpolicy.py | 2 ++
ipatests/test_xmlrpc/test_pwpolicy_plugin.py | 2 ++
3 files changed, 5 insertions(+), 1 deletion(-)
diff --git a/API.txt b/API.txt
index 66929b921b197e27ede847fb6b10bf1e44c3464a..210bfc4950e6a7346dbdd6e29d1096b2f8750b1e 100644
--- a/API.txt
+++ b/API.txt
@@ -4076,7 +4076,7 @@ option: Int('krbpwdlockoutduration?', cli_name='lockouttime')
option: Int('krbpwdmaxfailure?', cli_name='maxfail')
option: Int('krbpwdmindiffchars?', cli_name='minclasses')
option: Int('krbpwdminlength?', cli_name='minlength')
-option: Int('passwordgracelimit?', cli_name='gracelimit', default=-1)
+option: Int('passwordgracelimit?', autofill=True, cli_name='gracelimit', default=-1)
option: Flag('raw', autofill=True, cli_name='raw', default=False)
option: Str('setattr*', cli_name='setattr')
option: Str('version?')
diff --git a/ipaserver/plugins/pwpolicy.py b/ipaserver/plugins/pwpolicy.py
index 4428aede2dcc7a2a0b6128bf7f58eb47e4a8e07d..f4ebffd5c8f06a53b6c4d5e48ff6eeafa240e3a4 100644
--- a/ipaserver/plugins/pwpolicy.py
+++ b/ipaserver/plugins/pwpolicy.py
@@ -408,6 +408,7 @@ class pwpolicy(LDAPObject):
minvalue=-1,
maxvalue=Int.MAX_UINT32,
default=-1,
+ autofill=True,
),
)
@@ -539,6 +540,7 @@ class pwpolicy_add(LDAPCreate):
keys[-1], krbpwdpolicyreference=dn,
cospriority=options.get('cospriority')
)
+
return dn
def post_callback(self, ldap, dn, entry_attrs, *keys, **options):
diff --git a/ipatests/test_xmlrpc/test_pwpolicy_plugin.py b/ipatests/test_xmlrpc/test_pwpolicy_plugin.py
index 8eee69c185b15be72870050ed247f252c72d1c66..fc785223bfe56269ad8b211e8f1c3ac9f4064c3c 100644
--- a/ipatests/test_xmlrpc/test_pwpolicy_plugin.py
+++ b/ipatests/test_xmlrpc/test_pwpolicy_plugin.py
@@ -387,6 +387,7 @@ class test_pwpolicy_mod_cospriority(Declarative):
krbpwdhistorylength=[u'10'],
krbpwdmindiffchars=[u'3'],
krbpwdminlength=[u'8'],
+ passwordgracelimit=[u'-1'],
objectclass=objectclasses.pwpolicy,
),
summary=None,
@@ -417,6 +418,7 @@ class test_pwpolicy_mod_cospriority(Declarative):
krbpwdhistorylength=[u'10'],
krbpwdmindiffchars=[u'3'],
krbpwdminlength=[u'8'],
+ passwordgracelimit=[u'-1'],
),
summary=None,
value=u'ipausers',
--
2.37.2

106
0014-Set-default-on-group-pwpolicy-with-no-grace-limit-in.patch Normal file
View File

@ -0,0 +1,106 @@
From de6f074538f6641fd9d84bed204a3d4d50eccbe5 Mon Sep 17 00:00:00 2001
From: Rob Crittenden <rcritten@redhat.com>
Date: Thu, 4 Aug 2022 12:04:41 -0400
Subject: [PATCH] Set default on group pwpolicy with no grace limit in upgrade
If an existing group policy lacks a password grace limit
update it to -1 on upgrade.
Fixes: https://pagure.io/freeipa/issue/9212
Signed-off-by: Rob Crittenden <rcritten@redhat.com>
Reviewed-By: Florence Blanc-Renaud <frenaud@redhat.com>
---
.../updates/90-post_upgrade_plugins.update | 1 +
ipaserver/install/plugins/update_pwpolicy.py | 66 +++++++++++++++++++
2 files changed, 67 insertions(+)
diff --git a/install/updates/90-post_upgrade_plugins.update b/install/updates/90-post_upgrade_plugins.update
index c7ec71d492b0ac0e7641d586b7e7fa7501743bc2..6fe91aa6c6310a69a7f0feb1ad62243945db67f9 100644
--- a/install/updates/90-post_upgrade_plugins.update
+++ b/install/updates/90-post_upgrade_plugins.update
@@ -26,6 +26,7 @@ plugin: update_ra_cert_store
plugin: update_mapping_Guests_to_nobody
plugin: fix_kra_people_entry
plugin: update_pwpolicy
+plugin: update_pwpolicy_grace
# last
# DNS version 1
diff --git a/ipaserver/install/plugins/update_pwpolicy.py b/ipaserver/install/plugins/update_pwpolicy.py
index dca44ce4369dfc11f83a412a1249bb045d46713f..4185f034313bd49ca68e86c620043af6ead5f6d6 100644
--- a/ipaserver/install/plugins/update_pwpolicy.py
+++ b/ipaserver/install/plugins/update_pwpolicy.py
@@ -78,3 +78,69 @@ class update_pwpolicy(Updater):
return False, []
return False, []
+
+
+@register()
+class update_pwpolicy_grace(Updater):
+ """
+ Ensure all group policies have a grace period set.
+ """
+
+ def execute(self, **options):
+ ldap = self.api.Backend.ldap2
+
+ base_dn = DN(('cn', self.api.env.realm), ('cn', 'kerberos'),
+ self.api.env.basedn)
+ search_filter = (
+ "(&(objectClass=krbpwdpolicy)(!(passwordgracelimit=*)))"
+ )
+
+ while True:
+ # Run the search in loop to avoid issues when LDAP limits are hit
+ # during update
+
+ try:
+ (entries, truncated) = ldap.find_entries(
+ search_filter, ['objectclass'], base_dn, time_limit=0,
+ size_limit=0)
+
+ except errors.EmptyResult:
+ logger.debug("update_pwpolicy: no policies without "
+ "passwordgracelimit set")
+ return False, []
+
+ except errors.ExecutionError as e:
+ logger.error("update_pwpolicy: cannot retrieve list "
+ "of policies missing passwordgracelimit: %s", e)
+ return False, []
+
+ logger.debug("update_pwpolicy: found %d "
+ "policies to update, truncated: %s",
+ len(entries), truncated)
+
+ error = False
+
+ for entry in entries:
+ # Set unlimited BIND by default
+ entry['passwordgracelimit'] = -1
+ try:
+ ldap.update_entry(entry)
+ except (errors.EmptyModlist, errors.NotFound):
+ pass
+ except errors.ExecutionError as e:
+ logger.debug("update_pwpolicy: cannot "
+ "update policy: %s", e)
+ error = True
+
+ if error:
+ # Exit loop to avoid infinite cycles
+ logger.error("update_pwpolicy: error(s) "
+ "detected during pwpolicy update")
+ return False, []
+
+ elif not truncated:
+ # All affected entries updated, exit the loop
+ logger.debug("update_pwpolicy: all policies updated")
+ return False, []
+
+ return False, []
--
2.37.2

20
freeipa.spec
View File

@ -198,7 +198,7 @@
Name: %{package_name}
Version: %{IPA_VERSION}
Release: 5%{?rc_version:.%rc_version}%{?dist}
Release: 6%{?rc_version:.%rc_version}%{?dist}
Summary: The Identity, Policy and Audit system
License: GPLv3+
@ -220,6 +220,18 @@ Source1: https://releases.pagure.org/freeipa/freeipa-%{version}%{?rc_vers
%if 0%{?rhel} >= 8
Patch0001: 0001-Only-calculate-LDAP-password-grace-when-the-password.patch
Patch0002: 0002-webui-Do-not-allow-empty-pagination-size.patch
Patch0003: 0003-ipatests-add-nightly-definitions-for-ipa-4-10-branch.patch
Patch0004: 0004-Added-a-check-while-removing-cert_dir-.-The-teardown.patch
Patch0005: 0005-ipatests-healthcheck-test-if-system-is-FIPS-enabled.patch
Patch0006: 0006-Disabling-gracelimit-does-not-prevent-LDAP-binds.patch
Patch0007: 0007-ipatests-ipa-client-install-subid-adds-entry-in-nssw.patch
Patch0008: 0008-webui-Allow-grace-login-limit.patch
Patch0009: 0009-Additional-tests-for-RSN-v3.patch
Patch0010: 0010-check_repl_update-in-progress-is-a-boolean.patch
Patch0011: 0011-ipatests-Fix-expected-object-classes.patch
Patch0012: 0012-doc-Update-LDAP-grace-period-design-with-default-val.patch
Patch0013: 0013-Set-default-gracelimit-on-group-password-policies-to.patch
Patch0014: 0014-Set-default-on-group-pwpolicy-with-no-grace-limit-in.patch
Patch1001: 1001-Change-branding-to-IPA-and-Identity-Management.patch
%endif
%endif
@ -1728,6 +1740,12 @@ fi
%endif
%changelog
* Fri Aug 19 2022 Florence Blanc-Renaud <flo@redhat.com> - 4.10.0-6
- Resolves: rhbz#2110014 ldap bind occurs when admin user changes password with gracelimit=0
- Resolves: rhbz#2112901 RFE: Allow grace login limit to be set in IPA WebUI
- Resolves: rhbz#2115495 group password policy by default does not allow grace logins
- Resolves: rhbz#2116966 ipa-replica-manage displays traceback: Unexpected error: 'bool' object has no attribute 'lower'
* Thu Jul 28 2022 Francisco Trivino <ftrivino@redhat.com> - 4.10.0-5
- Resolves: rhbz#2109645
- Rebuild for samba-4.16.3-101.el9