ipa-4.9.6-4

- Use new method in check to prevent removal of last KRA (#1985072)
- ipatests: NAMED_CRYPTO_POLICY_FILE not defined for RHEL (#1982952)
- Fix index definition for memberOf (#1952028)

Resolves: #1985072, #1982952, #1952028

0017-Use-new-method-in-check-to-prevent-removal-of-last-K.patch

@@ -0,0 +1,58 @@
+From 0b9adf1d8d5efb48e734650e4101e8816b01e1d3 Mon Sep 17 00:00:00 2001
+From: Rob Crittenden <rcritten@redhat.com>
+Date: Mon, 19 Jul 2021 17:51:44 -0400
+Subject: [PATCH] Use new method in check to prevent removal of last KRA
+
+It previously used a vault connection to determine if any
+KRA servers were installed. This would fail if the last KRA
+was not available.
+
+Use server roles instead to determine if the last KRA server
+is to be removed.
+
+https://pagure.io/freeipa/issue/8397
+
+Signed-off-by: Rob Crittenden <rcritten@redhat.com>
+Reviewed-By: Francois Cami <fcami@redhat.com>
+---
+ ipaserver/plugins/server.py | 24 +++++++++++++-----------
+ 1 file changed, 13 insertions(+), 11 deletions(-)
+
+diff --git a/ipaserver/plugins/server.py b/ipaserver/plugins/server.py
+index b3dda8469..5fa7a58bd 100644
+--- a/ipaserver/plugins/server.py
++++ b/ipaserver/plugins/server.py
+@@ -508,17 +508,19 @@ class server_del(LDAPDelete):
+ 
+         if self.api.Command.ca_is_enabled()['result']:
+             try:
+-                vault_config = self.api.Command.vaultconfig_show()['result']
+-                kra_servers = vault_config.get('kra_server_server', [])
+-            except errors.InvocationError:
+-                # KRA is not configured
+-                pass
+-            else:
+-                if kra_servers == [hostname]:
+-                    handler(
+-                        _("Deleting this server is not allowed as it would "
+-                          "leave your installation without a KRA."),
+-                        ignore_last_of_role)
++                roles = self.api.Command.server_role_find(
++                    server_server=hostname,
++                    role_servrole='KRA server',
++                    status='enabled',
++                    include_master=True,
++                )['result']
++            except errors.NotFound:
++                roles = ()
++            if len(roles) == 1 and roles[0]['server_server'] == hostname:
++                handler(
++                    _("Deleting this server is not allowed as it would "
++                      "leave your installation without a KRA."),
++                    ignore_last_of_role)
+ 
+             ca_servers = ipa_config.get('ca_server_server', [])
+             ca_renewal_master = ipa_config.get(
+-- 
+2.26.3
+

0018-ipatests-test-removing-last-KRA-when-it-is-not-runni.patch

@@ -0,0 +1,49 @@
+From 8ea8f8b68b5a7217518f68065a5fc1df16126314 Mon Sep 17 00:00:00 2001
+From: Rob Crittenden <rcritten@redhat.com>
+Date: Mon, 19 Jul 2021 21:54:22 -0400
+Subject: [PATCH] ipatests: test removing last KRA when it is not running
+
+Use the new role-based mechanism, one that doesn't rely
+on direct communication to the server, to determine whether
+the server being removed by `ipa server-del` contains the
+last KRA server.
+
+https://pagure.io/freeipa/issue/8397
+
+Signed-off-by: Rob Crittenden <rcritten@redhat.com>
+Reviewed-By: Francois Cami <fcami@redhat.com>
+---
+ ipatests/test_integration/test_server_del.py | 17 +++++++++++++++++
+ 1 file changed, 17 insertions(+)
+
+diff --git a/ipatests/test_integration/test_server_del.py b/ipatests/test_integration/test_server_del.py
+index 5e627d5db..9d7f5ef7a 100644
+--- a/ipatests/test_integration/test_server_del.py
++++ b/ipatests/test_integration/test_server_del.py
+@@ -302,6 +302,23 @@ class TestLastServices(ServerDelBase):
+             1
+         )
+ 
++    def test_removal_of_server_raises_error_about_last_kra(self):
++        """
++        test that removal of server fails on the last KRA
++
++        We shut it down to verify that it can be removed if it failed.
++        """
++        tasks.install_kra(self.master)
++        self.master.run_command(['ipactl', 'stop'])
++        tasks.assert_error(
++            tasks.run_server_del(self.replicas[0], self.master.hostname),
++            "Deleting this server is not allowed as it would leave your "
++            "installation without a KRA.",
++            1
++        )
++        # Restarting the server we stopped is not necessary as it will
++        # be removed in the next test.
++
+     def test_forced_removal_of_master(self):
+         """
+         Tests that we can still force remove the master using
+-- 
+2.26.3
+

0019-rhel-platform-add-a-named-crypto-policy-support.patch

@@ -0,0 +1,30 @@
+From 1a5159b216455070eb51b6a11ceaf0033fc8ce4c Mon Sep 17 00:00:00 2001
+From: Alexander Bokovoy <abokovoy@redhat.com>
+Date: Fri, 16 Jul 2021 09:20:33 +0300
+Subject: [PATCH] rhel platform: add a named crypto-policy support
+
+RHEL 8+ provides bind system-wide crypto policy support, enable it.
+
+Fixes: https://pagure.io/freeipa/issue/8925
+Signed-off-by: Alexander Bokovoy <abokovoy@redhat.com>
+Reviewed-By: Florence Blanc-Renaud <flo@redhat.com>
+Reviewed-By: Anuja More <amore@redhat.com>
+---
+ ipaplatform/rhel/paths.py | 1 +
+ 1 file changed, 1 insertion(+)
+
+diff --git a/ipaplatform/rhel/paths.py b/ipaplatform/rhel/paths.py
+index c081ada32..3631550eb 100644
+--- a/ipaplatform/rhel/paths.py
++++ b/ipaplatform/rhel/paths.py
+@@ -30,6 +30,7 @@ from ipaplatform.rhel.constants import HAS_NFS_CONF
+ 
+ 
+ class RHELPathNamespace(RedHatPathNamespace):
++    NAMED_CRYPTO_POLICY_FILE = "/etc/crypto-policies/back-ends/bind.config"
+     if HAS_NFS_CONF:
+         SYSCONFIG_NFS = '/etc/nfs.conf'
+ 
+-- 
+2.26.3
+

0020-Index-Fix-definition-for-memberOf.patch

@@ -0,0 +1,40 @@
+From b132956e42a88ab39bb8d6a854e7c5d28d544a11 Mon Sep 17 00:00:00 2001
+From: Florence Blanc-Renaud <flo@redhat.com>
+Date: Fri, 16 Jul 2021 09:43:54 +0200
+Subject: [PATCH] Index: Fix definition for memberOf
+
+The index definition for memberOf is inconsistent:
+
+dn: cn=memberOf,cn=index,cn=userRoot,cn=ldbm database,cn=plugins,cn=config
+cn: member
+nsIndexType: eq
+nsIndexType: sub
+nsSystemIndex: false
+objectClass: top
+objectClass: nsIndex
+
+The cn attribute should be memberOf, not member. Fix the definition.
+
+Fixes: https://pagure.io/freeipa/issue/8920
+Signed-off-by: Florence Blanc-Renaud <flo@redhat.com>
+Reviewed-By: Alexander Bokovoy <abokovoy@redhat.com>
+---
+ install/updates/20-indices.update | 2 +-
+ 1 file changed, 1 insertion(+), 1 deletion(-)
+
+diff --git a/install/updates/20-indices.update b/install/updates/20-indices.update
+index d6df5b37d..cb1a11dd5 100644
+--- a/install/updates/20-indices.update
++++ b/install/updates/20-indices.update
+@@ -434,7 +434,7 @@ add:nsIndexType: eq
+ add:nsIndexType: pres
+ 
+ dn: cn=memberOf,cn=index,cn=userRoot,cn=ldbm database,cn=plugins,cn=config
+-only:cn: member
++only:cn: memberOf
+ add:nsIndexType: sub
+ 
+ dn: cn=memberPrincipal,cn=index,cn=userRoot,cn=ldbm database,cn=plugins,cn=config
+-- 
+2.26.3
+

freeipa.spec

@@ -196,7 +196,7 @@
 
 Name:           %{package_name}
 Version:        %{IPA_VERSION}
-Release:        3%{?rc_version:.%rc_version}%{?dist}
+Release:        4%{?rc_version:.%rc_version}%{?dist}
 Summary:        The Identity, Policy and Audit system
 
 License:        GPLv3+
@@ -232,6 +232,11 @@ Patch0013:      0013-WebUI-Improve-subordinate-ids-user-workflow.patch
 Patch0014:      0014-Test-DNA-plugin-configuration.patch
 Patch0015:      0015-Fall-back-to-krbprincipalname-when-validating-host-a.patch
 Patch0016:      0016-spec-file-Trust-controller-role-should-pull-sssd-win.patch
+Patch0017:      0017-Use-new-method-in-check-to-prevent-removal-of-last-K.patch
+Patch0018:      0018-ipatests-test-removing-last-KRA-when-it-is-not-runni.patch
+Patch0019:      0019-rhel-platform-add-a-named-crypto-policy-support.patch
+Patch0020:      0020-Index-Fix-definition-for-memberOf.patch
+
 Patch1001:      1001-Change-branding-to-IPA-and-Identity-Management.patch
 %endif
 %endif
@@ -1712,6 +1717,11 @@ fi
 %endif
 
 %changelog
+* Fri Jul 23 2021 Rob Crittenden <rcritten@redhat.com> - 4.9.6-4
+- Use new method in check to prevent removal of last KRA (#1985072)
+- ipatests: NAMED_CRYPTO_POLICY_FILE not defined for RHEL (#1982952)
+- Fix index definition for memberOf (#1952028)
+
 * Thu Jul 15 2021 Florence Blanc-Renaud <frenaud@redhat.com> - 4.9.6-3
 - Resolves: rhbz#1979629 Add checks to prevent assigning authentication indicators to internal IPA services
 - Resolves: rhbz#1982212 ipa-trust-add fails with "not enough quota"