diff --git a/0017-Use-new-method-in-check-to-prevent-removal-of-last-K.patch b/0017-Use-new-method-in-check-to-prevent-removal-of-last-K.patch
new file mode 100644
index 0000000..8a4d23d
--- /dev/null
+++ b/0017-Use-new-method-in-check-to-prevent-removal-of-last-K.patch
@@ -0,0 +1,58 @@
+From 0b9adf1d8d5efb48e734650e4101e8816b01e1d3 Mon Sep 17 00:00:00 2001
+From: Rob Crittenden
+Date: Mon, 19 Jul 2021 17:51:44 -0400
+Subject: [PATCH] Use new method in check to prevent removal of last KRA
+
+It previously used a vault connection to determine if any
+KRA servers were installed. This would fail if the last KRA
+was not available.
+
+Use server roles instead to determine if the last KRA server
+is to be removed.
+
+https://pagure.io/freeipa/issue/8397
+
+Signed-off-by: Rob Crittenden
+Reviewed-By: Francois Cami
+---
+ ipaserver/plugins/server.py | 24 +++++++++++++-----------
+ 1 file changed, 13 insertions(+), 11 deletions(-)
+
+diff --git a/ipaserver/plugins/server.py b/ipaserver/plugins/server.py
+index b3dda8469..5fa7a58bd 100644
+--- a/ipaserver/plugins/server.py
++++ b/ipaserver/plugins/server.py
+@@ -508,17 +508,19 @@ class server_del(LDAPDelete):
+ 
+ if self.api.Command.ca_is_enabled()['result']:
+ try:
+- vault_config = self.api.Command.vaultconfig_show()['result']
+- kra_servers = vault_config.get('kra_server_server', [])
+- except errors.InvocationError:
+- # KRA is not configured
+- pass
+- else:
+- if kra_servers == [hostname]:
+- handler(
+- _("Deleting this server is not allowed as it would "
+- "leave your installation without a KRA."),
+- ignore_last_of_role)
++ roles = self.api.Command.server_role_find(
++ server_server=hostname,
++ role_servrole='KRA server',
++ status='enabled',
++ include_master=True,
++ )['result']
++ except errors.NotFound:
++ roles = ()
++ if len(roles) == 1 and roles[0]['server_server'] == hostname:
++ handler(
++ _("Deleting this server is not allowed as it would "
++ "leave your installation without a KRA."),
++ ignore_last_of_role)
+ 
+ ca_servers = ipa_config.get('ca_server_server', [])
+ ca_renewal_master = ipa_config.get(
+--
+2.26.3
+
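Review bot: The replacement check at the `roles` lookup cannot tell the last KRA apart from any KRA: `server_role_find` is called with `server_server=hostname`, and if that parameter filters the result to one host, as its name suggests, the result holds at most this server's own role, so `len(roles) == 1 and roles[0]['server_server'] == hostname` is true whenever the server being deleted is an enabled KRA, even when other KRA servers remain. The removed code compared the whole KRA server list against `[hostname]`, which is the semantics the commit message describes. Dropping the host filter restores that: `roles = self.api.Command.server_role_find(role_servrole='KRA server', status='enabled', include_master=True)['result']`, leaving the existing one-result-equals-this-host test in place. The enclosing `server_del` method continues outside the hunk.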
diff --git a/0018-ipatests-test-removing-last-KRA-when-it-is-not-runni.patch b/0018-ipatests-test-removing-last-KRA-when-it-is-not-runni.patch
new file mode 100644
index 0000000..5461afb
--- /dev/null
+++ b/0018-ipatests-test-removing-last-KRA-when-it-is-not-runni.patch
@@ -0,0 +1,49 @@
+From 8ea8f8b68b5a7217518f68065a5fc1df16126314 Mon Sep 17 00:00:00 2001
+From: Rob Crittenden
+Date: Mon, 19 Jul 2021 21:54:22 -0400
+Subject: [PATCH] ipatests: test removing last KRA when it is not running
+
+Use the new role-based mechanism, one that doesn't rely
+on direct communication to the server, to determine whether
+the server being removed by `ipa server-del` contains the
+last KRA server.
+
+https://pagure.io/freeipa/issue/8397
+
+Signed-off-by: Rob Crittenden
+Reviewed-By: Francois Cami
+---
+ ipatests/test_integration/test_server_del.py | 17 +++++++++++++++++
+ 1 file changed, 17 insertions(+)
+
+diff --git a/ipatests/test_integration/test_server_del.py b/ipatests/test_integration/test_server_del.py
+index 5e627d5db..9d7f5ef7a 100644
+--- a/ipatests/test_integration/test_server_del.py
++++ b/ipatests/test_integration/test_server_del.py
+@@ -302,6 +302,23 @@ class TestLastServices(ServerDelBase):
+ 1
+ )
+ 
++ def test_removal_of_server_raises_error_about_last_kra(self):
++ """
++ test that removal of server fails on the last KRA
++
++ We shut it down to verify that it can be removed if it failed.
++ """
++ tasks.install_kra(self.master)
++ self.master.run_command(['ipactl', 'stop'])
++ tasks.assert_error(
++ tasks.run_server_del(self.replicas[0], self.master.hostname),
++ "Deleting this server is not allowed as it would leave your "
++ "installation without a KRA.",
++ 1
++ )
++ # Restarting the server we stopped is not necessary as it will
++ # be removed in the next test.
++
+ def test_forced_removal_of_master(self):
+ """
+ Tests that we can still force remove the master using
+--
+2.26.3
+
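Review bot: The new test only covers the topology where the master is the sole KRA, so it passes both for a correct "last KRA" check and for a check that rejects removing any enabled KRA server; a companion case that installs a KRA on a replica as well and asserts that `tasks.run_server_del` of one of them succeeds would pin the intended semantics. The test also leaves the master stopped after `ipactl stop` and relies on `test_forced_removal_of_master` running next to clean up, a dependency stated only in a trailing comment; recording it in the method docstring, e.g. `Leaves the master stopped; test_forced_removal_of_master must run next.`, makes the ordering assumption visible to anyone reordering or selecting tests. The enclosing class `TestLastServices` continues outside the hunk.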
diff --git a/0019-rhel-platform-add-a-named-crypto-policy-support.patch b/0019-rhel-platform-add-a-named-crypto-policy-support.patch
new file mode 100644
index 0000000..241d293
--- /dev/null
+++ b/0019-rhel-platform-add-a-named-crypto-policy-support.patch
@@ -0,0 +1,30 @@
+From 1a5159b216455070eb51b6a11ceaf0033fc8ce4c Mon Sep 17 00:00:00 2001
+From: Alexander Bokovoy
+Date: Fri, 16 Jul 2021 09:20:33 +0300
+Subject: [PATCH] rhel platform: add a named crypto-policy support
+
+RHEL 8+ provides bind system-wide crypto policy support, enable it.
+
+Fixes: https://pagure.io/freeipa/issue/8925
+Signed-off-by: Alexander Bokovoy
+Reviewed-By: Florence Blanc-Renaud
+Reviewed-By: Anuja More
+---
+ ipaplatform/rhel/paths.py | 1 +
+ 1 file changed, 1 insertion(+)
+
+diff --git a/ipaplatform/rhel/paths.py b/ipaplatform/rhel/paths.py
+index c081ada32..3631550eb 100644
+--- a/ipaplatform/rhel/paths.py
++++ b/ipaplatform/rhel/paths.py
+@@ -30,6 +30,7 @@ from ipaplatform.rhel.constants import HAS_NFS_CONF
+ 
+ 
+ class RHELPathNamespace(RedHatPathNamespace):
++ NAMED_CRYPTO_POLICY_FILE = "/etc/crypto-policies/back-ends/bind.config"
+ if HAS_NFS_CONF:
+ SYSCONFIG_NFS = '/etc/nfs.conf'
+ 
+--
+2.26.3
+
diff --git a/0020-Index-Fix-definition-for-memberOf.patch b/0020-Index-Fix-definition-for-memberOf.patch
new file mode 100644
index 0000000..3cf9357
--- /dev/null
+++ b/0020-Index-Fix-definition-for-memberOf.patch
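Review bot: The new `NAMED_CRYPTO_POLICY_FILE` assignment is unconditional, while the neighbouring `SYSCONFIG_NFS` in the same class is guarded by `HAS_NFS_CONF`; the commit message limits bind crypto-policy support to RHEL 8+, so if this namespace is also loaded on an older RHEL release (not visible from the hunk) the path would point at a file that does not exist. Either a guard analogous to `HAS_NFS_CONF` or a comment stating the requirement, e.g. `# RHEL 8+: named includes the system-wide crypto policy from this file`, would document why the constant is set here and not in the shared Red Hat namespace. The rest of `RHELPathNamespace` continues outside the hunk.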
@@ -0,0 +1,40 @@
+From b132956e42a88ab39bb8d6a854e7c5d28d544a11 Mon Sep 17 00:00:00 2001
+From: Florence Blanc-Renaud
+Date: Fri, 16 Jul 2021 09:43:54 +0200
+Subject: [PATCH] Index: Fix definition for memberOf
+
+The index definition for memberOf is inconsistent:
+
+dn: cn=memberOf,cn=index,cn=userRoot,cn=ldbm database,cn=plugins,cn=config
+cn: member
+nsIndexType: eq
+nsIndexType: sub
+nsSystemIndex: false
+objectClass: top
+objectClass: nsIndex
+
+The cn attribute should be memberOf, not member. Fix the definition.
+
+Fixes: https://pagure.io/freeipa/issue/8920
+Signed-off-by: Florence Blanc-Renaud
+Reviewed-By: Alexander Bokovoy
+---
+ install/updates/20-indices.update | 2 +-
+ 1 file changed, 1 insertion(+), 1 deletion(-)
+
+diff --git a/install/updates/20-indices.update b/install/updates/20-indices.update
+index d6df5b37d..cb1a11dd5 100644
+--- a/install/updates/20-indices.update
++++ b/install/updates/20-indices.update
+@@ -434,7 +434,7 @@ add:nsIndexType: eq
+ add:nsIndexType: pres
+ 
+ dn: cn=memberOf,cn=index,cn=userRoot,cn=ldbm database,cn=plugins,cn=config
+-only:cn: member
++only:cn: memberOf
+ add:nsIndexType: sub
+ 
+ dn: cn=memberPrincipal,cn=index,cn=userRoot,cn=ldbm database,cn=plugins,cn=config
+--
+2.26.3
+
diff --git a/freeipa.spec b/freeipa.spec
index 374e5b0..8dd05e2 100644
--- a/freeipa.spec
+++ b/freeipa.spec
@@ -196,7 +196,7 @@ Name: %{package_name}
 Version: %{IPA_VERSION}
-Release: 3%{?rc_version:.%rc_version}%{?dist}
+Release: 4%{?rc_version:.%rc_version}%{?dist}
 Summary: The Identity, Policy and Audit system
 License: GPLv3+
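Review bot: Changing `only:cn: member` to `only:cn: memberOf` changes which attribute this nsIndex entry indexes, and 389-ds does not rebuild an index when its definition entry is modified, so on an upgraded server existing memberOf values remain unindexed (and lookups unindexed or slow) until a reindex task runs; whether the update framework queues one for modified cn=index entries is not visible from the hunk. If it does not, this update should be paired with a reindex of memberOf, and a comment in the commit or update file noting the need, e.g. `# cn fixed from member to memberOf; existing data needs a memberOf reindex`, would tell downstream packagers what to verify after upgrade.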
@@ -232,6 +232,11 @@ Patch0013: 0013-WebUI-Improve-subordinate-ids-user-workflow.patch
 Patch0014: 0014-Test-DNA-plugin-configuration.patch
 Patch0015: 0015-Fall-back-to-krbprincipalname-when-validating-host-a.patch
 Patch0016: 0016-spec-file-Trust-controller-role-should-pull-sssd-win.patch
+Patch0017: 0017-Use-new-method-in-check-to-prevent-removal-of-last-K.patch
+Patch0018: 0018-ipatests-test-removing-last-KRA-when-it-is-not-runni.patch
+Patch0019: 0019-rhel-platform-add-a-named-crypto-policy-support.patch
+Patch0020: 0020-Index-Fix-definition-for-memberOf.patch
+
 Patch1001: 1001-Change-branding-to-IPA-and-Identity-Management.patch
 %endif
 %endif
@@ -1712,6 +1717,11 @@ fi
 %endif
 %changelog
+* Fri Jul 23 2021 Rob Crittenden - 4.9.6-4
+- Use new method in check to prevent removal of last KRA (#1985072)
+- ipatests: NAMED_CRYPTO_POLICY_FILE not defined for RHEL (#1982952)
+- Fix index definition for memberOf (#1952028)
+
 * Thu Jul 15 2021 Florence Blanc-Renaud - 4.9.6-3
 - Resolves: rhbz#1979629 Add checks to prevent assigning authentication indicators to internal IPA services
 - Resolves: rhbz#1982212 ipa-trust-add fails with "not enough quota"