diff --git a/0007-ipa-kdb-fix-error-handling-of-is_master_host_rhbz#2214638.patch b/0007-ipa-kdb-fix-error-handling-of-is_master_host_rhbz#2214638.patch new file mode 100644 index 0000000..39d9e7f --- /dev/null +++ b/0007-ipa-kdb-fix-error-handling-of-is_master_host_rhbz#2214638.patch @@ -0,0 +1,85 @@ +From b5793c854035a122ed4c66f917cc427e5024e46a Mon Sep 17 00:00:00 2001 +From: Julien Rische +Date: Aug 02 2023 11:52:30 +0000 +Subject: ipa-kdb: fix error handling of is_master_host() + + +Adding proper error handling to the is_master_host() function to allow +it to make the difference between the absence of a master host object +and a connection failure. This will keep the krb5kdc daemon from +continuing to run with a NULL LDAP context. + +Fixes: https://pagure.io/freeipa/issue/9422 + +Signed-off-by: Julien Rische +Reviewed-By: Alexander Bokovoy + +--- + +diff --git a/daemons/ipa-kdb/ipa_kdb_mspac.c b/daemons/ipa-kdb/ipa_kdb_mspac.c +index 8da7543..83cb991 100644 +--- a/daemons/ipa-kdb/ipa_kdb_mspac.c ++++ b/daemons/ipa-kdb/ipa_kdb_mspac.c +@@ -401,27 +401,29 @@ static krb5_error_code ipadb_add_asserted_identity(struct ipadb_context *ipactx, + return 0; + } + +-static bool is_master_host(struct ipadb_context *ipactx, const char *fqdn) ++static krb5_error_code ++is_master_host(struct ipadb_context *ipactx, const char *fqdn, bool *result) + { +- int ret; ++ int err; + char *master_host_base = NULL; +- LDAPMessage *result = NULL; +- krb5_error_code err; ++ LDAPMessage *ldap_res = NULL; + +- ret = asprintf(&master_host_base, "cn=%s,cn=masters,cn=ipa,cn=etc,%s", ++ err = asprintf(&master_host_base, "cn=%s,cn=masters,cn=ipa,cn=etc,%s", + fqdn, ipactx->base); +- if (ret == -1) { +- return false; +- } ++ if (err == -1) ++ return ENOMEM; ++ + err = ipadb_simple_search(ipactx, master_host_base, LDAP_SCOPE_BASE, +- NULL, NULL, &result); ++ NULL, NULL, &ldap_res); + free(master_host_base); +- ldap_msgfree(result); +- if (err == 0) { +- return true; +- } ++ ldap_msgfree(ldap_res); ++ if (err != KRB5_KDB_NOENTRY && err != 0) ++ return err; ++ ++ if (result) ++ *result = err != KRB5_KDB_NOENTRY; + +- return false; ++ return 0; + } + + static krb5_error_code ipadb_fill_info3(struct ipadb_context *ipactx, +@@ -692,9 +694,14 @@ static krb5_error_code ipadb_fill_info3(struct ipadb_context *ipactx, + if ((is_host || is_service)) { + /* it is either host or service, so get the hostname first */ + char *sep = strchr(info3->base.account_name.string, '/'); +- bool is_master = is_master_host( +- ipactx, +- sep ? sep + 1 : info3->base.account_name.string); ++ bool is_master; ++ ++ ret = is_master_host(ipactx, ++ sep ? sep + 1 : info3->base.account_name.string, ++ &is_master); ++ if (ret) ++ return ret; ++ + if (is_master) { + /* Well known RID of domain controllers group */ + if (info3->base.rid == 0) { + diff --git a/0008-ipatests-enable-firewall-rule-for-http-service-on-acme-client_rhbz#2230256.patch b/0008-ipatests-enable-firewall-rule-for-http-service-on-acme-client_rhbz#2230256.patch new file mode 100644 index 0000000..041905c --- /dev/null +++ b/0008-ipatests-enable-firewall-rule-for-http-service-on-acme-client_rhbz#2230256.patch @@ -0,0 +1,39 @@ +From f68468718c1e01df4a9180e17d7e24d961850e19 Mon Sep 17 00:00:00 2001 +From: Mohammad Rizwan +Date: Wed, 14 Jun 2023 17:32:02 +0530 +Subject: [PATCH] ipatests: enable firewall rule for http service on acme + client + +when system hardning done i.e in case of STIG, sometimes http challanges +can't be validated by CA if port 80 is not open. This fix enable it to facilitate +the communication. + +Signed-off-by: Mohammad Rizwan +Reviewed-By: Rob Crittenden +Reviewed-By: Florence Blanc-Renaud +--- + ipatests/test_integration/test_acme.py | 4 ++++ + 1 file changed, 4 insertions(+) + +diff --git a/ipatests/test_integration/test_acme.py b/ipatests/test_integration/test_acme.py +index c69e810da70..414fae8d751 100644 +--- a/ipatests/test_integration/test_acme.py ++++ b/ipatests/test_integration/test_acme.py +@@ -10,6 +10,7 @@ + + from ipalib.constants import IPA_CA_RECORD + from ipatests.test_integration.base import IntegrationTest ++from ipatests.pytest_ipa.integration.firewall import Firewall + from ipatests.pytest_ipa.integration import tasks + from ipatests.test_integration.test_caless import CALessBase, ipa_certs_cleanup + from ipaplatform.osinfo import osinfo +@@ -82,6 +83,9 @@ def prepare_acme_client(master, client): + acme_host = f'{IPA_CA_RECORD}.{master.domain.name}' + acme_server = f'https://{acme_host}/acme/directory' + ++ # enable firewall rule on client ++ Firewall(client).enable_services(["http", "https"]) ++ + # install acme client packages + if not skip_certbot_tests: + tasks.install_packages(client, ['certbot']) diff --git a/0009-User-plugin-improve-error-related-to-non-existing-idp_rhbz#2224572.patch b/0009-User-plugin-improve-error-related-to-non-existing-idp_rhbz#2224572.patch new file mode 100644 index 0000000..6109658 --- /dev/null +++ b/0009-User-plugin-improve-error-related-to-non-existing-idp_rhbz#2224572.patch @@ -0,0 +1,193 @@ +From 99aa03413421cf2839e89e10ca279ec19233dd01 Mon Sep 17 00:00:00 2001 +From: Florence Blanc-Renaud +Date: Jul 20 2023 08:23:36 +0000 +Subject: User plugin: improve error related to non existing idp + + +The user and stageuser commands return the following error +when the user is created/updated with a non existing idp: +$ ipa user-add testuser --first test --last user --idp dummy +ipa: ERROR: no such entry + +The error is not descriptive enough and has been modified to +display instead: +$ ipa user-add testuser --first test --last user --idp dummy +ipa: ERROR: External IdP configuration dummy not found + +Fixes: https://pagure.io/freeipa/issue/9416 + +Signed-off-by: Florence Blanc-Renaud +Reviewed-By: Rob Crittenden + +--- + +diff --git a/ipaserver/plugins/baseuser.py b/ipaserver/plugins/baseuser.py +index 73b76d3..ba5f9b7 100644 +--- a/ipaserver/plugins/baseuser.py ++++ b/ipaserver/plugins/baseuser.py +@@ -708,7 +708,11 @@ class baseuser_mod(LDAPUpdate): + if 'ipaidpuser' not in obj_classes: + entry_attrs['objectclass'].append('ipaidpuser') + +- answer = self.api.Object['idp'].get_dn_if_exists(cl) ++ try: ++ answer = self.api.Object['idp'].get_dn_if_exists(cl) ++ except errors.NotFound: ++ reason = "External IdP configuration {} not found" ++ raise errors.NotFound(reason=_(reason).format(cl)) + entry_attrs['ipaidpconfiglink'] = answer + + # Note: we could have used the method add_missing_object_class +diff --git a/ipaserver/plugins/stageuser.py b/ipaserver/plugins/stageuser.py +index 51438a8..852e51b 100644 +--- a/ipaserver/plugins/stageuser.py ++++ b/ipaserver/plugins/stageuser.py +@@ -404,7 +404,11 @@ class stageuser_add(baseuser_add): + if 'ipaidpuser' not in entry_attrs['objectclass']: + entry_attrs['objectclass'].append('ipaidpuser') + +- answer = self.api.Object['idp'].get_dn_if_exists(cl) ++ try: ++ answer = self.api.Object['idp'].get_dn_if_exists(cl) ++ except errors.NotFound: ++ reason = "External IdP configuration {} not found" ++ raise errors.NotFound(reason=_(reason).format(cl)) + entry_attrs['ipaidpconfiglink'] = answer + + self.pre_common_callback(ldap, dn, entry_attrs, attrs_list, *keys, +diff --git a/ipaserver/plugins/user.py b/ipaserver/plugins/user.py +index 643b44f..a337e1f 100644 +--- a/ipaserver/plugins/user.py ++++ b/ipaserver/plugins/user.py +@@ -638,7 +638,11 @@ class user_add(baseuser_add): + if 'ipaidpuser' not in entry_attrs['objectclass']: + entry_attrs['objectclass'].append('ipaidpuser') + +- answer = self.api.Object['idp'].get_dn_if_exists(rcl) ++ try: ++ answer = self.api.Object['idp'].get_dn_if_exists(rcl) ++ except errors.NotFound: ++ reason = "External IdP configuration {} not found" ++ raise errors.NotFound(reason=_(reason).format(rcl)) + entry_attrs['ipaidpconfiglink'] = answer + + self.pre_common_callback(ldap, dn, entry_attrs, attrs_list, *keys, + +From dbcbe9a39c99008c6858bab53e2807b7bf01ba65 Mon Sep 17 00:00:00 2001 +From: Florence Blanc-Renaud +Date: Jul 20 2023 08:23:36 +0000 +Subject: xmlrpc tests: add a test for user plugin with non-existing idp + + +Add new tests checking the error returned for +ipa user-add ... --idp nonexistingidp +ipa user-mod ... --idp nonexistingidp +ipa stageuser-add ... --idp nonexistingidp +ipa stageuser-mod ... --idp nonexistingidp + +The expected error message is: +ipa: ERROR: External IdP configuration nonexistingidp not found + +Related: https://pagure.io/freeipa/issue/9416 + +Signed-off-by: Florence Blanc-Renaud +Reviewed-By: Rob Crittenden + +--- + +diff --git a/ipatests/test_xmlrpc/test_stageuser_plugin.py b/ipatests/test_xmlrpc/test_stageuser_plugin.py +index 394015f..9ae5561 100644 +--- a/ipatests/test_xmlrpc/test_stageuser_plugin.py ++++ b/ipatests/test_xmlrpc/test_stageuser_plugin.py +@@ -39,6 +39,8 @@ gid = u'456' + invalidrealm1 = u'suser1@NOTFOUND.ORG' + invalidrealm2 = u'suser1@BAD@NOTFOUND.ORG' + ++nonexistentidp = 'IdPDoesNotExist' ++ + invaliduser1 = u'+tuser1' + invaliduser2 = u'tuser1234567890123456789012345678901234567890' + invaliduser3 = u'1234' +@@ -431,6 +433,15 @@ class TestCreateInvalidAttributes(XMLRPC_test): + invalidrealm2))): + command() + ++ def test_create_invalid_idp(self, stageduser): ++ stageduser.ensure_missing() ++ command = stageduser.make_create_command( ++ options={u'ipaidpconfiglink': nonexistentidp}) ++ with raises_exact(errors.NotFound( ++ reason="External IdP configuration {} not found".format( ++ nonexistentidp))): ++ command() ++ + + @pytest.mark.tier1 + class TestUpdateInvalidAttributes(XMLRPC_test): +@@ -466,6 +477,15 @@ class TestUpdateInvalidAttributes(XMLRPC_test): + message=u'invalid \'gidnumber\': must be at least 1')): + command() + ++ def test_update_invalididp(self, stageduser): ++ stageduser.ensure_exists() ++ command = stageduser.make_update_command( ++ updates={u'ipaidpconfiglink': nonexistentidp}) ++ with raises_exact(errors.NotFound( ++ reason="External IdP configuration {} not found".format( ++ nonexistentidp))): ++ command() ++ + + @pytest.mark.tier1 + class TestActive(XMLRPC_test): +diff --git a/ipatests/test_xmlrpc/test_user_plugin.py b/ipatests/test_xmlrpc/test_user_plugin.py +index 8ac19a4..baa2867 100644 +--- a/ipatests/test_xmlrpc/test_user_plugin.py ++++ b/ipatests/test_xmlrpc/test_user_plugin.py +@@ -86,6 +86,8 @@ expired_expiration_string = "1991-12-07T19:54:13Z" + # Date in ISO format (2013-12-10T12:00:00) + isodate_re = re.compile(r'^\d{4}-\d{2}-\d{2}T\d{2}:\d{2}:\d{2}Z$') + ++nonexistentidp = 'IdPDoesNotExist' ++ + + @pytest.fixture(scope='class') + def user_min(request, xmlrpc_setup): +@@ -542,6 +544,18 @@ class TestUpdate(XMLRPC_test): + command() + user.delete() + ++ def test_update_invalid_idp(self, user): ++ """ Test user-mod --idp with a non-existent idp """ ++ user.ensure_exists() ++ command = user.make_update_command( ++ updates=dict(ipaidpconfiglink=nonexistentidp) ++ ) ++ with raises_exact(errors.NotFound( ++ reason="External IdP configuration {} not found".format( ++ nonexistentidp) ++ )): ++ command() ++ + + @pytest.mark.tier1 + class TestCreate(XMLRPC_test): +@@ -770,6 +784,17 @@ class TestCreate(XMLRPC_test): + user_radius.check_create(result) + user_radius.delete() + ++ def test_create_with_invalididp(self): ++ testuser = UserTracker( ++ name='idpuser', givenname='idp', sn='user', ++ ipaidpconfiglink=nonexistentidp ++ ) ++ with raises_exact(errors.NotFound( ++ reason="External IdP configuration {} not found".format( ++ nonexistentidp) ++ )): ++ testuser.create() ++ + + @pytest.mark.tier1 + class TestUserWithGroup(XMLRPC_test): + diff --git a/0010-Prevent-admin-user-from-being-deleted_rhbz#1921181.patch b/0010-Prevent-admin-user-from-being-deleted_rhbz#1921181.patch new file mode 100644 index 0000000..be8d65f --- /dev/null +++ b/0010-Prevent-admin-user-from-being-deleted_rhbz#1921181.patch @@ -0,0 +1,169 @@ +From f215d3f45396fa29bdd69f56096b50842df14908 Mon Sep 17 00:00:00 2001 +From: Rob Crittenden +Date: Aug 01 2023 22:03:03 +0000 +Subject: Prevent the admin user from being deleted + + +admin is required for trust operations + +Note that testing for removing the last member is now +irrelevant because admin must always exist so the test +for it was removed, but the code check remains. It is done +after the protected member check. + +Fixes: https://pagure.io/freeipa/issue/8878 + +Signed-off-by: Rob Crittenden +Reviewed-By: Alexander Bokovoy + +--- + +diff --git a/ipaserver/plugins/user.py b/ipaserver/plugins/user.py +index a337e1f..6f5e349 100644 +--- a/ipaserver/plugins/user.py ++++ b/ipaserver/plugins/user.py +@@ -138,14 +138,23 @@ MEMBEROF_ADMINS = "(memberOf={})".format( + ) + + NOT_MEMBEROF_ADMINS = '(!{})'.format(MEMBEROF_ADMINS) ++PROTECTED_USERS = ('admin',) + + + def check_protected_member(user, protected_group_name=u'admins'): + ''' +- Ensure the last enabled member of a protected group cannot be deleted or +- disabled by raising LastMemberError. ++ Ensure admin and the last enabled member of a protected group cannot ++ be deleted or disabled by raising ProtectedEntryError or ++ LastMemberError as appropriate. + ''' + ++ if user in PROTECTED_USERS: ++ raise errors.ProtectedEntryError( ++ label=_("user"), ++ key=user, ++ reason=_("privileged user"), ++ ) ++ + # Get all users in the protected group + result = api.Command.user_find(in_group=protected_group_name) + +@@ -868,6 +877,12 @@ class user_mod(baseuser_mod): + + def pre_callback(self, ldap, dn, entry_attrs, attrs_list, *keys, **options): + dn, oc = self.obj.get_either_dn(*keys, **options) ++ if options.get('rename') and keys[-1] in PROTECTED_USERS: ++ raise errors.ProtectedEntryError( ++ label=_("user"), ++ key=keys[-1], ++ reason=_("privileged user"), ++ ) + if 'objectclass' not in entry_attrs and 'rename' not in options: + entry_attrs.update({'objectclass': oc}) + self.pre_common_callback(ldap, dn, entry_attrs, attrs_list, *keys, +diff --git a/ipatests/test_xmlrpc/test_user_plugin.py b/ipatests/test_xmlrpc/test_user_plugin.py +index baa2867..df105a2 100644 +--- a/ipatests/test_xmlrpc/test_user_plugin.py ++++ b/ipatests/test_xmlrpc/test_user_plugin.py +@@ -978,22 +978,32 @@ class TestManagers(XMLRPC_test): + + @pytest.mark.tier1 + class TestAdmins(XMLRPC_test): +- def test_remove_original_admin(self): +- """ Try to remove the only admin """ ++ def test_delete_admin(self): ++ """ Try to delete the protected admin user """ + tracker = Tracker() +- command = tracker.make_command('user_del', [admin1]) ++ command = tracker.make_command('user_del', admin1) + +- with raises_exact(errors.LastMemberError( +- key=admin1, label=u'group', container=admin_group)): ++ with raises_exact(errors.ProtectedEntryError(label=u'user', ++ key=admin1, reason='privileged user')): ++ command() ++ ++ def test_rename_admin(self): ++ """ Try to rename the admin user """ ++ tracker = Tracker() ++ command = tracker.make_command('user_mod', admin1, ++ **dict(rename=u'newadmin')) ++ ++ with raises_exact(errors.ProtectedEntryError(label=u'user', ++ key=admin1, reason='privileged user')): + command() + + def test_disable_original_admin(self): +- """ Try to disable the only admin """ ++ """ Try to disable the original admin """ + tracker = Tracker() + command = tracker.make_command('user_disable', admin1) + +- with raises_exact(errors.LastMemberError( +- key=admin1, label=u'group', container=admin_group)): ++ with raises_exact(errors.ProtectedEntryError(label=u'user', ++ key=admin1, reason='privileged user')): + command() + + def test_create_admin2(self, admin2): +@@ -1011,21 +1021,11 @@ class TestAdmins(XMLRPC_test): + admin2.disable() + tracker = Tracker() + +- with raises_exact(errors.LastMemberError( +- key=admin1, label=u'group', container=admin_group)): ++ with raises_exact(errors.ProtectedEntryError(label=u'user', ++ key=admin1, reason='privileged user')): + tracker.run_command('user_disable', admin1) +- with raises_exact(errors.LastMemberError( +- key=admin1, label=u'group', container=admin_group)): +- tracker.run_command('user_del', admin1) + admin2.delete() + +- with raises_exact(errors.LastMemberError( +- key=admin1, label=u'group', container=admin_group)): +- tracker.run_command('user_disable', admin1) +- with raises_exact(errors.LastMemberError( +- key=admin1, label=u'group', container=admin_group)): +- tracker.run_command('user_del', admin1) +- + + @pytest.mark.tier1 + class TestPreferredLanguages(XMLRPC_test): + +From 7d62d84bdd3c2acd2f4bf70bb5fabf14c72e8ee7 Mon Sep 17 00:00:00 2001 +From: Florence Blanc-Renaud +Date: Aug 08 2023 14:50:32 +0000 +Subject: ipatests: update expected webui msg for admin deletion + + +The deletion of the admin is now forbidden (even if it is +not the last member of the admins group) and the error +message has changed from "admin cannot be deleted or +disabled because it is the last member of group admins" +to " user admin cannot be deleted/modified: privileged user". + +Update the expected message in the webui test. + +Related: https://pagure.io/freeipa/issue/8878 + +Signed-off-by: Florence Blanc-Renaud +Reviewed-By: Alexander Bokovoy + +--- + +diff --git a/ipatests/test_webui/test_user.py b/ipatests/test_webui/test_user.py +index 8d44fbd..a8a92d0 100644 +--- a/ipatests/test_webui/test_user.py ++++ b/ipatests/test_webui/test_user.py +@@ -50,8 +50,7 @@ INV_FIRSTNAME = ("invalid 'first': Leading and trailing spaces are " + FIELD_REQ = 'Required field' + ERR_INCLUDE = 'may only include letters, numbers, _, -, . and $' + ERR_MISMATCH = 'Passwords must match' +-ERR_ADMIN_DEL = ('admin cannot be deleted or disabled because it is the last ' +- 'member of group admins') ++ERR_ADMIN_DEL = ('user admin cannot be deleted/modified: privileged user') + USR_EXIST = 'user with name "{}" already exists' + ENTRY_EXIST = 'This entry already exists' + ACTIVE_ERR = 'active user with name "{}" already exists' + diff --git a/0011-Fix-memory-leak-in-the-OTP-last-token-plugin_rhbz#2227783.patch b/0011-Fix-memory-leak-in-the-OTP-last-token-plugin_rhbz#2227783.patch new file mode 100644 index 0000000..773b553 --- /dev/null +++ b/0011-Fix-memory-leak-in-the-OTP-last-token-plugin_rhbz#2227783.patch @@ -0,0 +1,114 @@ +From 9438ce9207445e4ad4a9c7bdf0c9e569cabac571 Mon Sep 17 00:00:00 2001 +From: Rob Crittenden +Date: Aug 01 2023 06:07:06 +0000 +Subject: Fix memory leak in the OTP last token plugin + + +Three memory leaks are addressed: + +1. String values retrieved from the pblock need to be manually +freed. + +2. The list of objectclasses retreived from the pblock need to be +freed. + +3. Internal search results need to be freed. + +Fixes: https://pagure.io/freeipa/issue/9403 + +Signed-off-by: Rob Crittenden +Reviewed-By: Rafael Guterres Jeffman +Reviewed-By: Alexander Bokovoy + +--- + +diff --git a/daemons/ipa-slapi-plugins/ipa-otp-lasttoken/ipa_otp_lasttoken.c b/daemons/ipa-slapi-plugins/ipa-otp-lasttoken/ipa_otp_lasttoken.c +index b7a2ba7..11106b2 100644 +--- a/daemons/ipa-slapi-plugins/ipa-otp-lasttoken/ipa_otp_lasttoken.c ++++ b/daemons/ipa-slapi-plugins/ipa-otp-lasttoken/ipa_otp_lasttoken.c +@@ -54,7 +54,7 @@ void *ipa_otp_lasttoken_plugin_id; + + static bool entry_is_token(Slapi_Entry *entry) + { +- char **ocls; ++ char **ocls = NULL; + + ocls = slapi_entry_attr_get_charray(entry, SLAPI_ATTR_OBJECTCLASS); + for (size_t i = 0; ocls != NULL && ocls[i] != NULL; i++) { +@@ -64,6 +64,7 @@ static bool entry_is_token(Slapi_Entry *entry) + } + } + ++ slapi_ch_array_free(ocls); + return false; + } + +@@ -138,7 +139,8 @@ static bool is_pwd_enabled(const char *user_dn) + static bool is_allowed(Slapi_PBlock *pb, Slapi_Entry *entry) + { + Slapi_DN *target_sdn = NULL; +- const char *bind_dn; ++ char *bind_dn; ++ bool rv = false; + + /* Ignore internal operations. */ + if (slapi_op_internal(pb)) +@@ -147,23 +149,35 @@ static bool is_allowed(Slapi_PBlock *pb, Slapi_Entry *entry) + /* Load parameters. */ + (void) slapi_pblock_get(pb, SLAPI_TARGET_SDN, &target_sdn); + (void) slapi_pblock_get(pb, SLAPI_CONN_DN, &bind_dn); +- if (target_sdn == NULL || bind_dn == NULL) { +- LOG_FATAL("Missing parameters!\n"); +- return false; ++ if (bind_dn == NULL) { ++ LOG_FATAL("bind_dn parameter missing!\n"); ++ goto done; ++ } ++ if (target_sdn == NULL) { ++ LOG_FATAL("target_sdn parameter missing!\n"); ++ goto done; + } + + if (entry != NULL + ? !entry_is_token(entry) +- : !sdn_in_otp_container(target_sdn)) +- return true; ++ : !sdn_in_otp_container(target_sdn)) { ++ rv = true; ++ goto done; ++ } + +- if (!sdn_is_only_enabled_token(target_sdn, bind_dn)) +- return true; ++ if (!sdn_is_only_enabled_token(target_sdn, bind_dn)) { ++ rv = true; ++ goto done; ++ } + +- if (is_pwd_enabled(bind_dn)) +- return true; ++ if (is_pwd_enabled(bind_dn)) { ++ rv = true; ++ goto done; ++ } + +- return false; ++done: ++ slapi_ch_free_string(&bind_dn); ++ return rv; + } + + static inline int send_error(Slapi_PBlock *pb, int rc, const char *errstr) +diff --git a/daemons/ipa-slapi-plugins/libotp/otp_token.c b/daemons/ipa-slapi-plugins/libotp/otp_token.c +index a3cbfb0..4be4ede 100644 +--- a/daemons/ipa-slapi-plugins/libotp/otp_token.c ++++ b/daemons/ipa-slapi-plugins/libotp/otp_token.c +@@ -398,6 +398,7 @@ static struct otp_token **find(const struct otp_config *cfg, const char *user_dn + } + + error: ++ slapi_free_search_results_internal(pb); + slapi_pblock_destroy(pb); + return tokens; + } + diff --git a/ipa.spec b/ipa.spec index 6ecf9cf..3816810 100644 --- a/ipa.spec +++ b/ipa.spec @@ -189,7 +189,7 @@ Name: %{package_name} Version: %{IPA_VERSION} -Release: 5%{?rc_version:.%rc_version}%{?dist} +Release: 6%{?rc_version:.%rc_version}%{?dist} Summary: The Identity, Policy and Audit system License: GPLv3+ @@ -215,6 +215,11 @@ Patch0003: 0003-Upgrade-add-PKI-drop-in-file-if-missing_rhbz#2215336.patch Patch0004: 0004-Upgrade-fix-replica-agreement_rhbz#2216551.patch Patch0005: 0005-OTP-fix-data-type-to-avoid-endianness-issue_rhbz#2218293.patch Patch0006: 0006-Backport-test-updates-8-9-release_rhbz#2218847.patch +Patch0007: 0007-ipa-kdb-fix-error-handling-of-is_master_host_rhbz#2214638.patch +Patch0008: 0008-ipatests-enable-firewall-rule-for-http-service-on-acme-client_rhbz#2230256.patch +Patch0009: 0009-User-plugin-improve-error-related-to-non-existing-idp_rhbz#2224572.patch +Patch0010: 0010-Prevent-admin-user-from-being-deleted_rhbz#1921181.patch +Patch0011: 0011-Fix-memory-leak-in-the-OTP-last-token-plugin_rhbz#2227783.patch Patch1001: 1001-Change-branding-to-IPA-and-Identity-Management.patch Patch1002: 1002-Revert-freeipa.spec-depend-on-bind-dnssec-utils.patch Patch1003: 1003-webui-IdP-Remove-arrow-notation-due-to-uglify-js-lim.patch @@ -1729,6 +1734,18 @@ fi %endif %changelog +* Thu Aug 10 2023 Rafael Jeffman - 4.9.12-6 +- ipa-kdb: fix error handling of is_master_host() + Resolves: RHBZ#2214638 +- ipatests: enable firewall rule for http service on acme client + Resolves: RHBZ#2230256 +- User plugin: improve error related to non existing idp + Resolves: RHBZ#2224572 +- Prevent admin user from being deleted + Resolves: RHBZ#1821181 +- Fix memory leak in the OTP last token plugin + Resolves: RHBZ#2227783 + * Mon Jul 17 2023 Rafael Jeffman - 4.9.12-5 - Upgrade: fix replica agreement, fix backported patch Related: RHBZ#2216551