The Identity, Policy and Audit system
CentOS Sources
2017-01-17 34b6590b9ca2407ece6923509f1092b85bfbd8fa
import ipa-4.4.0-14.el7_3.4
5 files added
1 file deleted
3 files renamed
1 file modified
396 lines changed
SOURCES/0145-replication-ensure-bind-DN-group-check-interval-is-s.patch (37 lines)
SOURCES/0146-bindinstance-use-data-in-named.conf-to-determine-con.patch (38 lines)
SOURCES/0147-gracefully-handle-setting-replica-bind-dn-group-on-o.patch (93 lines)
SOURCES/0148-add-missing-attribute-to-ipaca-replica-during-CA-top.patch (60 lines)
SOURCES/0149-Check-for-conflict-entries-before-raising-domain-lev.patch (64 lines)
SOURCES/0150-certprofile-mod-correctly-authorise-config-update.patch (4 lines)
SOURCES/0151-password-policy-Add-explicit-default-password-policy.patch (4 lines)
SOURCES/0152-ipa-kdb-search-for-password-policies-globally.patch (4 lines)
SOURCES/ipa-centos-branding.patch (38 lines)
SPECS/ipa.spec (54 lines)
SOURCES/0145-replication-ensure-bind-DN-group-check-interval-is-s.patch
New file
@@ -0,0 +1,37 @@
From 405446b0f08551fa82fd0f6d71f219d68641732b Mon Sep 17 00:00:00 2001
From: Martin Babinsky <mbabinsk@redhat.com>
Date: Wed, 23 Nov 2016 16:58:39 +0100
Subject: [PATCH] replication: ensure bind DN group check interval is set on
 replica config
This is a safeguard ensuring valid replica configuration against incorrectly
upgraded masters lacking 'nsds5replicabinddngroupcheckinterval' attribute on
their domain/ca topology config.
https://fedorahosted.org/freeipa/ticket/6508
Reviewed-By: Florence Blanc-Renaud <frenaud@redhat.com>
---
 ipaserver/install/replication.py | 6 ++++++
 1 file changed, 6 insertions(+)
diff --git a/ipaserver/install/replication.py b/ipaserver/install/replication.py
index b8b665267ea8debba9f0ce01f54a78cd67d88292..e9624894d7d1e745be8072268fa76d51a8c117e3 100644
--- a/ipaserver/install/replication.py
+++ b/ipaserver/install/replication.py
@@ -452,6 +452,12 @@ class ReplicationManager(object):
             if replica_groupdn not in binddn_groups:
                 mod.append((ldap.MOD_ADD, 'nsds5replicabinddngroup',
                             replica_groupdn))
+
+            if 'nsds5replicabinddngroupcheckinterval' not in entry:
+                mod.append(
+                    (ldap.MOD_ADD,
+                     'nsds5replicabinddngroupcheckinterval',
+                     '60'))
             if mod:
                 conn.modify_s(dn, mod)
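Review bot: the default interval `'60'` is a bare string literal here, and the same literal is repeated in patches 0147 and 0148 of this commit; define it once as a module-level constant (for example `REPLICA_BINDDN_GROUP_CHECK_INTERVAL = '60'`) so the three sites cannot drift apart. Also, the new attribute is added through a plain `conn.modify_s` with no handling of `ldap.UNWILLING_TO_PERFORM`, so a master whose directory server rejects the attribute fails replica setup outright; patch 0147 in this same commit wraps the equivalent modify in a try/except, and that is the behaviour wanted here too.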
--
2.7.4
SOURCES/0146-bindinstance-use-data-in-named.conf-to-determine-con.patch
New file
@@ -0,0 +1,38 @@
From b84a175ad6a8c2b25d6db388fa88e6441d97ae94 Mon Sep 17 00:00:00 2001
From: Martin Babinsky <mbabinsk@redhat.com>
Date: Tue, 6 Dec 2016 12:13:34 +0100
Subject: [PATCH] bindinstance: use data in named.conf to determine
 configuration status
Instead of checking sysrestore status which leads to incorrect
evaluation of DNS configuration status during 4.2 -> 4.4 upgrade, look
into named.conf to see whther it was already modified by IPA installer.
https://fedorahosted.org/freeipa/ticket/6503
Reviewed-By: Martin Basti <mbasti@redhat.com>
---
 ipaserver/install/bindinstance.py | 7 +++++++
 1 file changed, 7 insertions(+)
diff --git a/ipaserver/install/bindinstance.py b/ipaserver/install/bindinstance.py
index 7538e145cbe37dfc21963d97dea0e835e3bd5072..a65b065fd654655ff034e277eb7e0ad49e4a418e 100644
--- a/ipaserver/install/bindinstance.py
+++ b/ipaserver/install/bindinstance.py
@@ -1170,6 +1170,13 @@ class BindInstance(service.Service):
         self.api.Command.dnsconfig_show.output_for_cli(textui, result, None,
                                                        reverse=False)
+    def is_configured(self):
+        """
+        Override the default logic querying StateFile for configuration status
+        and look whether named.conf was already modified by IPA installer.
+        """
+        return named_conf_exists()
+
     def uninstall(self):
         if self.is_configured():
             self.print_msg("Unconfiguring %s" % self.service_name)
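Review bot: `named_conf_exists()` is called without any import being added in this hunk, so it must already be a module-level helper in bindinstance.py; the docstring should say what that helper actually looks for in named.conf, because `is_configured()` (and therefore `uninstall()`) now depends entirely on file content rather than on the StateFile, and a reader cannot tell from this diff which named.conf contents count as "modified by IPA installer".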
--
2.7.4
SOURCES/0147-gracefully-handle-setting-replica-bind-dn-group-on-o.patch
New file
@@ -0,0 +1,93 @@
From 32b222610532b543d713d4d4b5ce02eed15a66d5 Mon Sep 17 00:00:00 2001
From: Martin Babinsky <mbabinsk@redhat.com>
Date: Tue, 6 Dec 2016 18:07:50 +0100
Subject: [PATCH] gracefully handle setting replica bind dn group on old
 masters
Pre-3.3 masters do not support setting 'nsds5replicabinddngroup'
attribute on existing replica entry during setup of initial replication.
In this case UNWILLING_TO_PERFORM is returned. The code can interpret
this error as an indication of old master and fall back to just adding
its LDAP principal to entry's 'nsds5replicabinddn' attribute.
https://fedorahosted.org/freeipa/ticket/6532
Reviewed-By: Florence Blanc-Renaud <frenaud@redhat.com>
---
 ipaserver/install/replication.py | 48 ++++++++++++++++++++++++++--------------
 1 file changed, 32 insertions(+), 16 deletions(-)
diff --git a/ipaserver/install/replication.py b/ipaserver/install/replication.py
index e9624894d7d1e745be8072268fa76d51a8c117e3..5f03ddeadfc515255509a1f49d3b38687e561b9f 100644
--- a/ipaserver/install/replication.py
+++ b/ipaserver/install/replication.py
@@ -429,6 +429,34 @@ class ReplicationManager(object):
         return DN(('cn', 'replica'), ('cn', self.db_suffix),
                   ('cn', 'mapping tree'), ('cn', 'config'))
+    def set_replica_binddngroup(self, r_conn, entry, replica_groupdn):
+        """
+        Set nsds5replicabinddngroup attribute on remote master's replica entry.
+        Older masters (ipa < 3.3) may not support setting this attribute. In
+        this case log the error and fall back to setting replica's binddn
+        directly.
+        """
+        binddn_groups = {
+            DN(p) for p in entry.get('nsds5replicabinddngroup', [])}
+
+        mod = []
+        if replica_groupdn not in binddn_groups:
+            mod.append((ldap.MOD_ADD, 'nsds5replicabinddngroup',
+                        replica_groupdn))
+
+        if 'nsds5replicabinddngroupcheckinterval' not in entry:
+            mod.append(
+                (ldap.MOD_ADD,
+                 'nsds5replicabinddngroupcheckinterval',
+                 '60'))
+        if mod:
+            try:
+                r_conn.modify_s(entry.dn, mod)
+            except ldap.UNWILLING_TO_PERFORM:
+                root_logger.debug(
+                    "nsds5replicabinddngroup attribute not supported on "
+                    "remote master.")
+
     def replica_config(self, conn, replica_id, replica_binddn):
         assert isinstance(replica_binddn, DN)
         dn = self.replica_dn()
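Review bot: the docstring promises to "fall back to setting replica's binddn directly", but the method only logs on `UNWILLING_TO_PERFORM` and returns; the fallback actually lives in the caller, `replica_config`, which now always adds `nsDS5ReplicaBindDN` before calling this method, so reword the docstring to say so. Two further points: both attributes are bundled into a single `modify_s`, so when an old master rejects `nsds5replicabinddngroup` the `nsds5replicabinddngroupcheckinterval` add is dropped as well, yet the log message names only the group attribute; and a `debug`-level message for a replication setup that silently runs without the bind DN group is easy to miss in an install log, so `warning` would be the better level. `root_logger` and `ldap` must also be in scope in this module, which the hunk does not show.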
@@ -440,27 +468,15 @@ class ReplicationManager(object):
         try:
             entry = conn.get_entry(dn)
             managers = {DN(m) for m in entry.get('nsDS5ReplicaBindDN', [])}
-            binddn_groups = {
-                DN(p) for p in entry.get('nsds5replicabinddngroup', [])}
-            mod = []
             if replica_binddn not in managers:
                 # Add the new replication manager
-                mod.append((ldap.MOD_ADD, 'nsDS5ReplicaBindDN',
-                            replica_binddn))
-
-            if replica_groupdn not in binddn_groups:
-                mod.append((ldap.MOD_ADD, 'nsds5replicabinddngroup',
-                            replica_groupdn))
-
-            if 'nsds5replicabinddngroupcheckinterval' not in entry:
-                mod.append(
-                    (ldap.MOD_ADD,
-                     'nsds5replicabinddngroupcheckinterval',
-                     '60'))
-            if mod:
+                mod = [(ldap.MOD_ADD, 'nsDS5ReplicaBindDN',
+                        replica_binddn)]
                 conn.modify_s(dn, mod)
+            self.set_replica_binddngroup(conn, entry, replica_groupdn)
+
             # replication is already configured
             return
         except errors.NotFound:
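Review bot: the bind DN update and the bind-DN-group update are now two separate LDAP modify operations where they were one; the first can succeed and the second fail, which is exactly the intended degradation, so the `return` after `set_replica_binddngroup` leaves a replica entry with the principal in `nsDS5ReplicaBindDN` and no group. Add a one-line comment at the call site stating that the split is deliberate, so the next reader does not "fix" it back into a single modify.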
--
2.7.4
SOURCES/0148-add-missing-attribute-to-ipaca-replica-during-CA-top.patch
New file
@@ -0,0 +1,60 @@
From 3ff9fc2141e16e7cbd4fa30c16d60e915c2c3ee4 Mon Sep 17 00:00:00 2001
From: Martin Babinsky <mbabinsk@redhat.com>
Date: Wed, 7 Dec 2016 14:00:09 +0100
Subject: [PATCH] add missing attribute to ipaca replica during CA topology
 update
'nsds5replicabinddngroupcheckinterval' attribute was not properly added
to 'o=ipaca' replica attribute during upgrade. The CA topology update
plugin should now add it to the entry if it exists.
https://fedorahosted.org/freeipa/ticket/6508
Reviewed-By: Martin Basti <mbasti@redhat.com>
---
 ipaserver/install/plugins/update_ca_topology.py | 22 ++++++++++++++++++++++
 1 file changed, 22 insertions(+)
diff --git a/ipaserver/install/plugins/update_ca_topology.py b/ipaserver/install/plugins/update_ca_topology.py
index d76849bf9de46b1e4ad52dbae7081b4d3aec5273..f82926b19175c3fd42bd794205ec4216fc776707 100644
--- a/ipaserver/install/plugins/update_ca_topology.py
+++ b/ipaserver/install/plugins/update_ca_topology.py
@@ -2,8 +2,10 @@
 # Copyright (C) 2015  FreeIPA Contributors see COPYING for license
 #
+from ipalib import errors
 from ipalib import Registry
 from ipalib import Updater
+from ipapython.dn import DN
 from ipaserver.install import certs, cainstance
 from ipaserver.install import ldapupdate
 from ipaplatform.paths import paths
@@ -31,4 +33,24 @@ class update_ca_topology(Updater):
         ld.update([paths.CA_TOPOLOGY_ULDIF])
+        ldap = self.api.Backend.ldap2
+
+        ca_replica_dn = DN(
+            ('cn', 'replica'),
+            ('cn', 'o=ipaca'),
+            ('cn', 'mapping tree'),
+            ('cn', 'config'))
+
+        check_interval_attr = 'nsds5replicabinddngroupcheckinterval'
+        default_check_interval = ['60']
+
+        try:
+            ca_replica_entry = ldap.get_entry(ca_replica_dn)
+        except errors.NotFound:
+            pass
+        else:
+            if check_interval_attr not in ca_replica_entry:
+                ca_replica_entry[check_interval_attr] = default_check_interval
+                ldap.update_entry(ca_replica_entry)
+
         return False, []
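Review bot: `default_check_interval = ['60']` duplicates the literal already used in replication.py by patches 0145 and 0147; import a shared constant instead. The `except errors.NotFound: pass` correctly skips servers that have no `o=ipaca` replica entry, but a `debug` log line stating that the entry was absent would make upgrade logs easier to read if ticket 6508 recurs. The DN is built as `('cn', 'o=ipaca')` and relies on `DN()` escaping the `=`; a short comment that this is the mapping-tree entry for the ipaca suffix would help.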
--
2.7.4
SOURCES/0149-Check-for-conflict-entries-before-raising-domain-lev.patch
New file
@@ -0,0 +1,64 @@
From 81a1bdae1743c4cd7aab296cb0a7474b9bd52b33 Mon Sep 17 00:00:00 2001
From: Ludwig Krispenz <lkrispen@redhat.com>
Date: Fri, 9 Dec 2016 15:04:21 +0100
Subject: [PATCH] Check for conflict entries before raising domain level
Checking of conflicts is not only done in topology container as
tests showed it can occurs elsewhere
https://fedorahosted.org/freeipa/ticket/6534
Reviewed-By: Martin Babinsky <mbabinsk@redhat.com>
---
 ipaserver/plugins/domainlevel.py | 28 ++++++++++++++++++++++++++++
 1 file changed, 28 insertions(+)
diff --git a/ipaserver/plugins/domainlevel.py b/ipaserver/plugins/domainlevel.py
index 23fa2a1b2f0f681ac215e96a651d688294df4b99..d8c508a64dd91a0a18e061d2af3080c8f1b38260 100644
--- a/ipaserver/plugins/domainlevel.py
+++ b/ipaserver/plugins/domainlevel.py
@@ -48,6 +48,30 @@ def get_domainlevel_range(master_entry):
         return DomainLevelRange(0, 0)
+def check_conflict_entries(ldap, api, desired_value):
+    """
+    Check if conflict entries exist in topology subtree
+    """
+
+    container_dn = DN(
+        ('cn', 'ipa'),
+        ('cn', 'etc'),
+        api.env.basedn
+    )
+    conflict = "(nsds5replconflict=*)"
+    subentry = "(|(objectclass=ldapsubentry)(objectclass=*))"
+    try:
+        ldap.get_entries(
+            filter="(& %s %s)" % (conflict, subentry),
+            base_dn=container_dn,
+            scope=ldap.SCOPE_SUBTREE)
+        message = _("Domain Level cannot be raised to {0}, "
+                    "existing replication conflicts have to be resolved."
+                    .format(desired_value))
+        raise errors.InvalidDomainLevelError(reason=message)
+    except errors.NotFound:
+        pass
+
 def get_master_entries(ldap, api):
     """
     Returns list of LDAPEntries representing IPA masters.
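Review bot: the commit message says conflicts "can occur elsewhere" than the topology container, yet the search base is `cn=ipa,cn=etc,<basedn>` and the docstring still says "topology subtree"; either search the whole suffix or make the docstring and the message match what is actually searched. The raised error also does not tell the administrator which entries conflict: `ldap.get_entries` returns the matching entries, so include their DNs (or at least the count) in `message` so the conflict can be resolved without a manual search. The filter `(|(objectclass=ldapsubentry)(objectclass=*))` is correct for 389-ds, where the explicit `ldapsubentry` term is what makes subentries visible, but it deserves a comment, since `objectclass=*` on its own looks redundant.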
@@ -131,6 +155,10 @@ class domainlevel_set(Command):
                             .format(desired_value, master['cn'][0]))
                 raise errors.InvalidDomainLevelError(reason=message)
+        # Check if conflict entries exist in topology subtree
+        # should be resolved first
+        check_conflict_entries(ldap, self.api, desired_value)
+
         current_entry.single_value['ipaDomainLevel'] = desired_value
         ldap.update_entry(current_entry)
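Review bot: the comment "Check if conflict entries exist in topology subtree / should be resolved first" is two sentences run together; suggest `# Replication conflict entries must be resolved before the domain level is raised`. Placing the check after the per-master range checks and before the write is the right spot.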
--
2.7.4
SOURCES/0150-certprofile-mod-correctly-authorise-config-update.patch
File was renamed from SOURCES/0145-certprofile-mod-correctly-authorise-config-update.patch
@@ -1,4 +1,4 @@
From 8de62d5187f54b0e994c160a1d39dbece4615aa5 Mon Sep 17 00:00:00 2001
From 59e072eab0d58af195a14d53240de20ee4a3171f Mon Sep 17 00:00:00 2001
From: Fraser Tweedale <ftweedal@redhat.com>
Date: Tue, 15 Nov 2016 14:02:54 +1000
Subject: [PATCH] certprofile-mod: correctly authorise config update
@@ -39,5 +39,5 @@
                 profile_api.disable_profile(keys[0])
                 try:
-- 
2.10.2
2.7.4
SOURCES/0151-password-policy-Add-explicit-default-password-policy.patch
File was renamed from SOURCES/0146-password-policy-Add-explicit-default-password-policy.patch
@@ -1,4 +1,4 @@
From 016631a08b67bda3dc996b84061f863e0f5cdc7f Mon Sep 17 00:00:00 2001
From 018266f9dcc06cedcfe679ed32870dd3eda2ece7 Mon Sep 17 00:00:00 2001
From: David Kupka <dkupka@redhat.com>
Date: Thu, 29 Sep 2016 15:59:34 +0200
Subject: [PATCH] password policy: Add explicit default password policy for
@@ -188,5 +188,5 @@
         hostdn = DN(('fqdn', self.fqdn), ('cn', 'computers'), ('cn', 'accounts'), self.suffix)
         self.admin_conn.delete_entry(entry)
-- 
2.10.2
2.7.4
SOURCES/0152-ipa-kdb-search-for-password-policies-globally.patch
File was renamed from SOURCES/0147-ipa-kdb-search-for-password-policies-globally.patch
@@ -1,4 +1,4 @@
From a90a67fc7c4ef114e5f5336d868009fd0caa956b Mon Sep 17 00:00:00 2001
From 3e27ba027208df0408c77307e403bc8382aa3395 Mon Sep 17 00:00:00 2001
From: Alexander Bokovoy <abokovoy@redhat.com>
Date: Thu, 15 Dec 2016 16:30:00 +0200
Subject: [PATCH] ipa-kdb: search for password policies globally
@@ -34,5 +34,5 @@
     if (kerr) {
         goto done;
-- 
2.10.2
2.7.4
SOURCES/ipa-centos-branding.patch
File was deleted
SPECS/ipa.spec
@@ -43,7 +43,7 @@
Name:           ipa
Version:        4.4.0
Release:        14%{?dist}.1.1
Release:        14%{?dist}.4
Summary:        The Identity, Policy and Audit system
Group:          System Environment/Base
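Review bot: Release moves from `14%{?dist}.1.1` to `14%{?dist}.4`, which with the `el7_3` dist tag yields the `4.4.0-14.el7_3.4` in the import title and matches the RHEL `4.4.0-14.4` changelog entry further down; the `.centos` marker from the previous CentOS release is dropped, so confirm this is intended rather than a lost local change.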
@@ -51,10 +51,10 @@
URL:            http://www.freeipa.org/
Source0:        http://www.freeipa.org/downloads/src/freeipa-%{VERSION}.tar.gz
# RHEL spec file only: START: Change branding to IPA and Identity-Management
#Source1:        header-logo.png
#Source2:        login-screen-background.jpg
#Source3:        login-screen-logo.png
#Source4:        product-name.png
Source1:        header-logo.png
Source2:        login-screen-background.jpg
Source3:        login-screen-logo.png
Source4:        product-name.png
# RHEL spec file only: END: Change branding to IPA and Identity-Management
BuildRoot:      %{_tmppath}/%{name}-%{version}-%{release}-root-%(%{__id_u} -n)
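Review bot: uncommenting `Source1`-`Source4` re-enables the Red Hat branding assets, and together with the deleted `ipa-centos-branding.patch`, the removed `Patch1011` line and the restored `cp %SOURCE1..4` lines below, this import drops CentOS branding entirely. If CentOS branding is meant to stay, it has to be re-applied on top of this import.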
@@ -203,9 +203,14 @@
Patch0142:      0142-Fix-missing-file-that-fails-DL1-replica-installation.patch
Patch0143:      0143-trustdomain-del-fix-the-way-how-subdomain-is-searche.patch
Patch0144:      0144-spec-file-bump-minimal-required-version-of-389-ds-ba.patch
Patch0145:      0145-certprofile-mod-correctly-authorise-config-update.patch
Patch0146:      0146-password-policy-Add-explicit-default-password-policy.patch
Patch0147:      0147-ipa-kdb-search-for-password-policies-globally.patch
Patch0145:      0145-replication-ensure-bind-DN-group-check-interval-is-s.patch
Patch0146:      0146-bindinstance-use-data-in-named.conf-to-determine-con.patch
Patch0147:      0147-gracefully-handle-setting-replica-bind-dn-group-on-o.patch
Patch0148:      0148-add-missing-attribute-to-ipaca-replica-during-CA-top.patch
Patch0149:      0149-Check-for-conflict-entries-before-raising-domain-lev.patch
Patch0150:      0150-certprofile-mod-correctly-authorise-config-update.patch
Patch0151:      0151-password-policy-Add-explicit-default-password-policy.patch
Patch0152:      0152-ipa-kdb-search-for-password-policies-globally.patch
Patch1001:      1001-Hide-pkinit-functionality-from-production-version.patch
Patch1002:      1002-Remove-pkinit-plugin.patch
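Review bot: patch numbers 0145-0147 are reassigned to different files (the certprofile, password-policy and ipa-kdb patches become 0150-0152). If `%prep` applies patches by number, the CVE-2016-7030 fixes now apply after the replication and DNS fixes; the changelog rename entries cover this, but anyone carrying local patches that reference the old 0145-0147 numbers must update them.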
@@ -217,7 +222,6 @@
Patch1008:      1008-RCUE.patch
Patch1009:      1009-Revert-Increased-mod_wsgi-socket-timeout.patch
Patch1010:      1010-WebUI-add-API-browser-is-tech-preview-warning.patch
Patch1011:      ipa-centos-branding.patch
# RHEL spec file only: END
%if ! %{ONLY_CLIENT}
@@ -797,10 +801,10 @@
done
# Red Hat's Identity Management branding
#cp %SOURCE1 install/ui/images/header-logo.png
#cp %SOURCE2 install/ui/images/login-screen-background.jpg
#cp %SOURCE3 install/ui/images/login-screen-logo.png
#cp %SOURCE4 install/ui/images/product-name.png
cp %SOURCE1 install/ui/images/header-logo.png
cp %SOURCE2 install/ui/images/login-screen-background.jpg
cp %SOURCE3 install/ui/images/login-screen-logo.png
cp %SOURCE4 install/ui/images/product-name.png
# RHEL spec file only: END
@@ -1536,14 +1540,28 @@
%changelog
* Mon Jan 02 2017 CentOS Sources <bugs@centos.org> - 4.4.0-14.el7.centos.1.1
- Roll in CentOS Branding
* Fri Dec 16 2016 Jan Cholasta <jcholast@redhat.com> - 4.4.0-14.1.1
* Fri Dec 16 2016 Jan Cholasta <jcholast@redhat.com> - 4.4.0-14.4
- Resolves: #1370493 CVE-2016-7030 ipa: DoS attack against kerberized services
  by abusing password policy
  - ipa-kdb: search for password policies globally
- Renamed patches 1011 and 1012 to 0146 and 0145, as they were merged upstream
- Renamed patches 1011 and 1012 to 0151 and 0150, as they were merged upstream
* Tue Dec 13 2016 Jan Cholasta <jcholast@redhat.com> - 4.4.0-14.3
- Resolves: #1404338 Check IdM Topology for broken record caused by replication
  conflict before upgrading it
  - Check for conflict entries before raising domain level
* Tue Dec 13 2016 Jan Cholasta <jcholast@redhat.com> - 4.4.0-14.2
- Resolves: #1401953 ipa-ca-install on promoted replica hangs on creating a
  temporary CA admin
  - replication: ensure bind DN group check interval is set on replica config
  - add missing attribute to ipaca replica during CA topology update
- Resolves: #1404169 IPA upgrade of replica without DNS fails during restart of
  named-pkcs11
  - bindinstance: use data in named.conf to determine configuration status
- Resolves: #1404171 Creation of replica for disconnected environment is
  failing with CA issuance errors; Need good steps.
  - gracefully handle setting replica bind dn group on old masters
* Mon Dec 12 2016 Jan Cholasta <jcholast@redhat.com> - 4.4.0-14.1
- Resolves: #1370493 CVE-2016-7030 ipa: DoS attack against kerberized services
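Review bot: the `4.4.0-14.el7.centos.1.1` entry ("Roll in CentOS Branding") is removed rather than kept above the RHEL entries, so the changelog no longer records that CentOS branding was ever in this package; keeping old entries is the usual convention. The corrected rename line ("1011 and 1012 to 0151 and 0150") fixes the numbers in the earlier text, but note that in this spec file `Patch1011` was the CentOS branding patch, so the entry refers to RHEL's numbering, not to this file's.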