The Identity, Policy and Audit system
505d45f9b53397c042b8c9e3d37c9f02d70247e4..07b03a71c64986416cfcd62a861744aa8315e2d6
10 days ago CentOS Sources
debrand ipa-4.6.4-10.el7_6.3
07b03a
10 days ago CentOS Sources
import ipa-4.6.4-10.el7_6.3
9ad913
6 files added
1 files modified
Changed files (512 lines):
SOURCES/0057-ipa-sidgen-make-internal-fetch_attr-helper-really-in.patch 54
SOURCES/0058-replica-installation-add-master-record-only-if-in-ma.patch 61
SOURCES/0059-ipatests-add-test-for-replica-in-forward-zone.patch 130
SOURCES/0060-Add-workaround-for-slow-host-service-del.patch 50
SOURCES/0061-Optimize-cert-remove-case.patch 70
SOURCES/0062-Update-mod_nss-cipher-list-so-there-is-overlap-with-.patch 125
SPECS/ipa.spec 22
SOURCES/0057-ipa-sidgen-make-internal-fetch_attr-helper-really-in.patch
New file
@@ -0,0 +1,54 @@
From b2cb212a12982cb6c9901ae0e71198c49e915258 Mon Sep 17 00:00:00 2001
From: Alexander Bokovoy <abokovoy@redhat.com>
Date: Fri, 14 Dec 2018 14:02:26 +0200
Subject: [PATCH] ipa-sidgen: make internal fetch_attr helper really internal
With 389-ds landing a change for
https://pagure.io/389-ds-base/issue/49950, fetch_attr() helper function
is exposed in slapi-plugin.h. However, in order to be able to build
FreeIPA plugins against older 389-ds versions, prefer using a local
variant of it.
Rename fetch_attr() to ipa_sidgen_fetch_attr() so that it doesn't
conflict at all.
Fixes: https://pagure.io/freeipa/issue/7811
Reviewed-By: Christian Heimes <cheimes@redhat.com>
---
 daemons/ipa-slapi-plugins/ipa-sidgen/ipa_sidgen_task.c | 6 +++---
 1 file changed, 3 insertions(+), 3 deletions(-)
diff --git a/daemons/ipa-slapi-plugins/ipa-sidgen/ipa_sidgen_task.c b/daemons/ipa-slapi-plugins/ipa-sidgen/ipa_sidgen_task.c
index 9e474e83dd0e1bfc52b2e2da3fda12420d2ea281..007b1c945d0e37c4061f6a33cfdd667c45118c99 100644
--- a/daemons/ipa-slapi-plugins/ipa-sidgen/ipa_sidgen_task.c
+++ b/daemons/ipa-slapi-plugins/ipa-sidgen/ipa_sidgen_task.c
@@ -63,7 +63,7 @@ struct worker_ctx {
     struct range_info **ranges;
 };
-static const char *fetch_attr(Slapi_Entry *e, const char *attrname,
+static const char *ipa_sidgen_fetch_attr(Slapi_Entry *e, const char *attrname,
                                               const char *default_val)
 {
     Slapi_Attr *attr;
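Review bot: the renamed `ipa_sidgen_fetch_attr()` definition carries no comment saying why a private copy is kept, and that reason (389-ds now exporting `fetch_attr()` from slapi-plugin.h, and the wish to keep building against older 389-ds) lives only in the commit message. A short comment above the function would stop a later cleanup from replacing it with the library helper and breaking builds against older 389-ds.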
@@ -242,7 +242,7 @@ int sidgen_task_add(Slapi_PBlock *pb, Slapi_Entry *e,
     worker_ctx->plugin_id = global_sidgen_plugin_id;
-    str = fetch_attr(e, "delay", NULL);
+    str = ipa_sidgen_fetch_attr(e, "delay", NULL);
     if (str != NULL) {
         errno = 0;
         worker_ctx->delay = strtol(str, &endptr, 10);
@@ -255,7 +255,7 @@ int sidgen_task_add(Slapi_PBlock *pb, Slapi_Entry *e,
     }
     LOG("delay is [%li].\n", worker_ctx->delay);
-    str = fetch_attr(e, "nsslapd-basedn", NULL);
+    str = ipa_sidgen_fetch_attr(e, "nsslapd-basedn", NULL);
     if (str == NULL) {
         LOG_FATAL("Missing nsslapd-basedn!\n");
         *returncode = LDAP_CONSTRAINT_VIOLATION;
--
2.20.1
SOURCES/0058-replica-installation-add-master-record-only-if-in-ma.patch
New file
@@ -0,0 +1,61 @@
From 0ed1632ac9f659734f9397c21d0b2de3c2c2d895 Mon Sep 17 00:00:00 2001
From: Florence Blanc-Renaud <flo@redhat.com>
Date: Tue, 15 Jan 2019 17:53:55 +0100
Subject: [PATCH] replica installation: add master record only if in managed
 zone
Scenario: install a replica with DNS, whose IP address is part of a
forward zone.
Currently, the replica installation fails because the installer is
trying to add a A/AAAA record for the replica in the zone
when setting up the bind instance, and addition of records in a
forward zone is forbidden.
The bind installer should check if the IP address is in a master zone
(i.e. a DNS zone managed by IdM, not a forward zone), and avoid
creating the record if it's not the case.
During uninstallation, perform the same check before removing the
DNS record (if in a forward zone, no need to call dnsrecord-del).
Fixes: https://pagure.io/freeipa/issue/7369
Reviewed-By: Francois Cami <fcami@redhat.com>
Reviewed-By: Christian Heimes <cheimes@redhat.com>
---
 ipaserver/install/bindinstance.py | 13 ++++++++++---
 1 file changed, 10 insertions(+), 3 deletions(-)
diff --git a/ipaserver/install/bindinstance.py b/ipaserver/install/bindinstance.py
index 7c858aab4417ccf3a4999fcaaa1c7e0f93464e4d..3b03e536117677f0f073fc1f06a28ebab0cfe006 100644
--- a/ipaserver/install/bindinstance.py
+++ b/ipaserver/install/bindinstance.py
@@ -844,10 +844,13 @@ class BindInstance(service.Service):
         # Add forward and reverse records to self
         for addr in addrs:
-            try:
+            # Check first if the zone is a master zone
+            # (if it is a forward zone, dns_zone_exists will return False)
+            if dns_zone_exists(zone, api=self.api):
                 add_fwd_rr(zone, host, addr, self.api)
-            except errors.NotFound:
-                pass
+            else:
+                logger.debug("Skip adding record %s to a zone %s "
+                             "not managed by IPA", addr, zone)
             reverse_zone = find_reverse_zone(addr, self.api)
             if reverse_zone:
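Review bot: dropping the `except errors.NotFound` around `add_fwd_rr(zone, host, addr, self.api)` means a NotFound raised after `dns_zone_exists` has returned True now aborts the installation instead of being skipped. Either keep the handler inside the `if` branch or state in the new comment that `add_fwd_rr` cannot raise NotFound once the zone exists. The skip is also logged only at debug level, so an administrator who expected the A/AAAA record gets no visible hint that it was not created.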
@@ -1063,6 +1066,10 @@ class BindInstance(service.Service):
         self.fqdn = fqdn
         self.domain = domain_name
+        if not dns_zone_exists(zone, api=self.api):
+            # Zone may be a forward zone, skip update
+            return
+
         areclist = get_fwd_rr(zone, host, api=self.api)
         for rdata in areclist:
             del_fwd_rr(zone, host, rdata, api=self.api)
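Review bot: the bare `return` under `if not dns_zone_exists(zone, api=self.api):` leaves the whole method, not just the `del_fwd_rr` loop, so anything that follows the forward-record removal is skipped for a host in a forward zone as well. If only the forward records are meant to be skipped, guard the `get_fwd_rr`/`del_fwd_rr` block instead of returning, and log the skip the way the add path does.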
--
2.20.1
SOURCES/0059-ipatests-add-test-for-replica-in-forward-zone.patch
New file
@@ -0,0 +1,130 @@
From 8e5149c36651eaded5d06a32fd94e78fc2e3dcb0 Mon Sep 17 00:00:00 2001
From: Florence Blanc-Renaud <flo@redhat.com>
Date: Thu, 17 Jan 2019 11:10:52 +0100
Subject: [PATCH] ipatests: add test for replica in forward zone
Scenario:
install a replica with DNS, with the replica part of a forward zone.
The replica installation should proceed successfully and avoid
trying to add a DNS record for the replica in the forward zone,
as the forward zone is not managed by IPA DNS.
Test added to nightly definitions.
Related to https://pagure.io/freeipa/issue/7369
Reviewed-By: Francois Cami <fcami@redhat.com>
Reviewed-By: Christian Heimes <cheimes@redhat.com>
---
 .../test_replica_promotion.py                 | 98 +++++++++++++++++++
 1 file changed, 98 insertions(+)
diff --git a/ipatests/test_integration/test_replica_promotion.py b/ipatests/test_integration/test_replica_promotion.py
index 7fdc12dc4a4269772c77ff543239be49c46d199a..c635d932bc92ed8c0a147379718933aabaae0f16 100644
--- a/ipatests/test_integration/test_replica_promotion.py
+++ b/ipatests/test_integration/test_replica_promotion.py
@@ -644,3 +644,101 @@ class TestSubCAkeyReplication(IntegrationTest):
         ssl_cmd = ['openssl', 'x509', '-text', '-in', TEST_CRT_FILE]
         ssl = replica.run_command(ssl_cmd)
         assert 'Issuer: CN = {}'.format(self.SUBCA) in ssl.stdout_text
+
+
+def update_etc_hosts(host, ip, old_hostname, new_hostname):
+    '''Adds or update /etc/hosts
+
+    If /etc/hosts contains an entry for old_hostname, replace it with
+    new_hostname.
+    If /etc/hosts did not contain the entry, create one for new_hostname with
+    the provided ip.
+    The function makes a backup in /etc/hosts.sav
+
+    :param host the machine on which /etc/hosts needs to be update_dns_records
+    :param ip the ip address for the new record
+    :param old_hostname the hostname to replace
+    :param new_hostname the new hostname to put in /etc/hosts
+    '''
+    # Make a backup
+    host.run_command(['/usr/bin/cp',
+                      paths.HOSTS,
+                      '%s.sav' % paths.HOSTS])
+    contents = host.get_file_contents(paths.HOSTS, encoding='utf-8')
+    # If /etc/hosts already contains old_hostname, simply replace
+    pattern = r'^(.*\s){}(\s)'.format(old_hostname)
+    new_contents, mods = re.subn(pattern, r'\1{}\2'.format(new_hostname),
+                                 contents, flags=re.MULTILINE)
+    # If it didn't contain any entry for old_hostname, just add new_hostname
+    if mods == 0:
+        short = new_hostname.split(".", 1)[0]
+        new_contents = new_contents + "\n{}\t{} {}\n".format(ip,
+                                                             new_hostname,
+                                                             short)
+    host.put_file_contents(paths.HOSTS, new_contents)
+
+
+def restore_etc_hosts(host):
+    '''Restores /etc/hosts.sav into /etc/hosts
+    '''
+    host.run_command(['/usr/bin/mv',
+                      '%s.sav' % paths.HOSTS,
+                      paths.HOSTS],
+                     raiseonerr=False)
+
+
+class TestReplicaInForwardZone(IntegrationTest):
+    """
+    Pagure Reference: https://pagure.io/freeipa/issue/7369
+
+    Scenario: install a replica whose name is in a forwarded zone
+    """
+
+    forwardzone = 'forward.test'
+    num_replicas = 1
+
+    @classmethod
+    def install(cls, mh):
+        tasks.install_master(cls.master, setup_dns=True)
+
+    def test_replica_install_in_forward_zone(self):
+        master = self.master
+        replica = self.replicas[0]
+
+        # Create a forward zone on the master
+        master.run_command(['ipa', 'dnsforwardzone-add', self.forwardzone,
+                            '--skip-overlap-check',
+                            '--forwarder', master.config.dns_forwarder])
+
+        # Configure the client with a name in the forwardzone
+        r_shortname = replica.hostname.split(".", 1)[0]
+        r_new_hostname = '{}.{}'.format(r_shortname,
+                                        self.forwardzone)
+
+        # Update /etc/hosts on the master with an entry for the replica
+        # otherwise replica conncheck would fail
+        update_etc_hosts(master, replica.ip, replica.hostname,
+                         r_new_hostname)
+        # Remove the replica previous hostname from /etc/hosts
+        # and add the replica new hostname
+        # otherwise replica install will complain because
+        # hostname does not match
+        update_etc_hosts(replica, replica.ip, replica.hostname,
+                         r_new_hostname)
+
+        try:
+            # install client with a hostname in the forward zone
+            tasks.install_client(self.master, replica,
+                                 extra_args=['--hostname', r_new_hostname])
+
+            replica.run_command(['ipa-replica-install',
+                                 '--principal', replica.config.admin_name,
+                                 '--admin-password',
+                                 replica.config.admin_password,
+                                 '--setup-dns',
+                                 '--forwarder', master.config.dns_forwarder,
+                                 '-U'])
+        finally:
+            # Restore /etc/hosts on master and replica
+            restore_etc_hosts(master)
+            restore_etc_hosts(replica)
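Review bot: in `update_etc_hosts`, `old_hostname` is interpolated into the regular expression unescaped (`pattern = r'^(.*\s){}(\s)'.format(old_hostname)`), so every dot in the hostname matches any character and a similarly named entry can be rewritten by mistake. Wrap it in `re.escape()`. The trailing `(\s)` also means an entry on a final line without a newline is not matched, in which case a second entry is appended instead of the old one being replaced. The docstring has a stray `update_dns_records` where "updated" is meant.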
--
2.20.1
SOURCES/0060-Add-workaround-for-slow-host-service-del.patch
New file
@@ -0,0 +1,50 @@
From c63b6cbe536987d3e1818542a2f8530e44948812 Mon Sep 17 00:00:00 2001
From: Christian Heimes <cheimes@redhat.com>
Date: Fri, 25 Jan 2019 16:12:11 +0100
Subject: [PATCH] Add workaround for slow host/service del
host-del and service-del are slow because cert revokation is implemented
inefficiently. The internal cert_find() call retrieves all certificates
from Dogtag.
The workaround special cases service and host find without additional RA
search options. A search for service and host certs limits the scope to
certificate with matching subject common name.
See: https://pagure.io/freeipa/issue/7835
Signed-off-by: Christian Heimes <cheimes@redhat.com>
Reviewed-By: Alexander Bokovoy <abokovoy@redhat.com>
---
 ipaserver/plugins/cert.py | 16 ++++++++++++++++
 1 file changed, 16 insertions(+)
diff --git a/ipaserver/plugins/cert.py b/ipaserver/plugins/cert.py
index ed78388c8b8b4688873a5b047fb1b67e417a8a6d..b6a132ffdb27b4d7b1f761c4bee835f46c5d9721 100644
--- a/ipaserver/plugins/cert.py
+++ b/ipaserver/plugins/cert.py
@@ -1470,6 +1470,22 @@ class cert_find(Search, CertMethod):
         result = collections.OrderedDict()
         complete = bool(ra_options)
+        # workaround for RHBZ#1669012
+        # Improve performance for service and host case by also searching
+        # for subject. This limits the amount of certificate retrieved from
+        # Dogtag. The special case is only used, when no ra_options are set
+        # and exactly one service or host is supplied.
+        # The complete flag is left to False.
+        if not ra_options:
+            services = options.get('service', ())
+            hosts = options.get('host', ())
+            if len(services) == 1 and not hosts:
+                principal = kerberos.Principal(options['service'][0])
+                if principal.is_service:
+                    ra_options['subject'] = principal.hostname
+            elif len(hosts) == 1 and not services:
+                ra_options['subject'] = options['host'][0]
+
         try:
             ca_enabled_check(self.api)
         except errors.NotFound:
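Review bot: once `ra_options['subject']` is set to the hostname, the Dogtag search only returns certificates whose subject carries that name, and host-del and service-del rely on this result to decide what gets revoked. A certificate issued to the same host or service with a different subject would no longer be returned by this path, so please confirm, and say in the comment, that such certificates are still picked up by the rest of the search. Minor: the service branch reads `options['service'][0]` although `services` already holds that value.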
--
2.20.1
SOURCES/0061-Optimize-cert-remove-case.patch
New file
@@ -0,0 +1,70 @@
From 964a4d858e7f30e62691e6e0a1abdcd55cc68405 Mon Sep 17 00:00:00 2001
From: Christian Heimes <cheimes@redhat.com>
Date: Fri, 25 Jan 2019 16:18:59 +0100
Subject: [PATCH] Optimize cert remove case
The cert_remove and mod subcommands for service and host now pass in the
name to cert_find() to benefit from special cases.
See: https://pagure.io/freeipa/issue/7835
Signed-off-by: Christian Heimes <cheimes@redhat.com>
Reviewed-By: Alexander Bokovoy <abokovoy@redhat.com>
---
 ipaserver/plugins/host.py    | 8 ++++++--
 ipaserver/plugins/service.py | 7 +++++--
 2 files changed, 11 insertions(+), 4 deletions(-)
diff --git a/ipaserver/plugins/host.py b/ipaserver/plugins/host.py
index 306105d67a58fd4343933349db70a1d786eaa4b2..c74a3e58f8af6b33e284ba54b5763a684d91bac3 100644
--- a/ipaserver/plugins/host.py
+++ b/ipaserver/plugins/host.py
@@ -899,7 +899,9 @@ class host_mod(LDAPUpdate):
             old_certs = entry_attrs_old.get('usercertificate', [])
             removed_certs = set(old_certs) - set(certs)
             for cert in removed_certs:
-                rm_certs = api.Command.cert_find(certificate=cert)['result']
+                rm_certs = api.Command.cert_find(
+                    certificate=cert,
+                    host=keys)['result']
                 revoke_certs(rm_certs)
         if certs:
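Review bot: adding `host=keys` narrows the lookup from "this certificate" to "this certificate as owned by this host", so `revoke_certs(rm_certs)` now depends on the host still being associated with the certificate at the moment `cert_find` runs. Please confirm this code executes before the `usercertificate` values are removed from the entry; otherwise `rm_certs` can come back empty and the removed certificate stays unrevoked.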
@@ -1335,7 +1337,9 @@ class host_remove_cert(LDAPRemoveAttributeViaOption):
         assert isinstance(dn, DN)
         for cert in options.get('usercertificate', []):
-            revoke_certs(api.Command.cert_find(certificate=cert)['result'])
+            revoke_certs(api.Command.cert_find(
+                certificate=cert,
+                host=keys)['result'])
         return dn
diff --git a/ipaserver/plugins/service.py b/ipaserver/plugins/service.py
index be31f810275214eb28a3f6b7ed9e6dc8ec808ae0..d176adddff8d2590d64ba4059018606ff1eb8d48 100644
--- a/ipaserver/plugins/service.py
+++ b/ipaserver/plugins/service.py
@@ -703,7 +703,8 @@ class service_mod(LDAPUpdate):
             removed_certs = set(old_certs) - set(certs)
             for cert in removed_certs:
                 rm_certs = api.Command.cert_find(
-                    certificate=cert.public_bytes(x509.Encoding.DER))['result']
+                    certificate=cert.public_bytes(x509.Encoding.DER),
+                    service=keys)['result']
                 revoke_certs(rm_certs)
         if certs:
@@ -983,7 +984,9 @@ class service_remove_cert(LDAPRemoveAttributeViaOption):
         assert isinstance(dn, DN)
         for cert in options.get('usercertificate', []):
-            revoke_certs(api.Command.cert_find(certificate=cert)['result'])
+            revoke_certs(api.Command.cert_find(
+                certificate=cert,
+                service=keys)['result'])
         return dn
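Review bot: `service=keys` hands the whole `keys` value to `cert_find`, while the fast path added in cert.py only applies when exactly one service is supplied (`len(services) == 1 and not hosts`). A one-line comment at the call site stating that `keys` holds a single principal here would make that dependency explicit. The same three-line call now appears at four sites across host.py and service.py; a small shared helper would keep them from drifting apart.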
--
2.20.1
SOURCES/0062-Update-mod_nss-cipher-list-so-there-is-overlap-with-.patch
New file
@@ -0,0 +1,125 @@
From 964d13237029e0568f56342917ae386746c0b281 Mon Sep 17 00:00:00 2001
From: Rob Crittenden <rcritten@redhat.com>
Date: Fri, 1 Feb 2019 10:30:40 -0500
Subject: [PATCH] Update mod_nss cipher list so there is overlap with a 4.x
 master
dogtag updated its cipher list, disabling a lot of ciphers, which
causes an overlap problem with a RHEL 6.x IPA master.
This update script adds the two available ciphers to the nss.conf
so that creating a CA replica is possible.
Signed-off-by: Rob Crittenden <rcritten@redhat.com>
Reviewed-By: Florence Blanc-Renaud <flo@redhat.com>
---
 contrib/copy-schema-to-ca-RHEL6.py | 79 ++++++++++++++++++++++++++++++
 1 file changed, 79 insertions(+)
diff --git a/contrib/copy-schema-to-ca-RHEL6.py b/contrib/copy-schema-to-ca-RHEL6.py
index 3ed16555e9a63867162b58fe99531db46e867a8b..2b866a52ba99f59db913a127f271c6da63a65b95 100755
--- a/contrib/copy-schema-to-ca-RHEL6.py
+++ b/contrib/copy-schema-to-ca-RHEL6.py
@@ -31,6 +31,12 @@ from ipaserver.install.dsinstance import DS_USER
 from ipaserver.install.cainstance import PKI_USER
 from ipapython import services
+# for mod_nss
+from ipaserver.install.httpinstance import NSS_CONF
+from ipaserver.install.httpinstance import HTTPInstance
+from ipaserver.install import installutils
+from ipapython import sysrestore
+
 SERVERID = "PKI-IPA"
 SCHEMA_FILENAMES = (
     "60kerberos.ldif",
@@ -100,6 +106,77 @@ def restart_pki_ds():
     services.service('dirsrv').restart(SERVERID)
+# The ipa-3-0 set_directive() has very loose comparision of directive
+# which would cause multiple NSSCipherSuite to be added so provide
+# a custom function for it.
+def set_directive(filename, directive, value, quotes=True, separator=' '):
+    """Set a name/value pair directive in a configuration file.
+
+       A value of None means to drop the directive.
+
+       This has only been tested with nss.conf
+    """
+    valueset = False
+    st = os.stat(filename)
+    fd = open(filename)
+    newfile = []
+    for line in fd:
+        if line.lstrip().startswith(directive):
+            valueset = True
+            if value is not None:
+                if quotes:
+                    newfile.append('%s%s"%s"\n' %
+                                   (directive, separator, value))
+                else:
+                    newfile.append('%s%s%s\n' % (directive, separator, value))
+        else:
+            newfile.append(line)
+    fd.close()
+    if not valueset:
+        if value is not None:
+            if quotes:
+                newfile.append('%s%s"%s"\n' % (directive, separator, value))
+            else:
+                newfile.append('%s%s%s\n' % (directive, separator, value))
+
+    fd = open(filename, "w")
+    fd.write("".join(newfile))
+    fd.close()
+    os.chown(filename, st.st_uid, st.st_gid)  # reset perms
+
+
+def update_mod_nss_cipher_suite():
+    add_ciphers = ['ecdhe_rsa_aes_128_sha', 'ecdhe_rsa_aes_256_sha']
+    ciphers = installutils.get_directive(NSS_CONF, 'NSSCipherSuite')
+
+    # Run through once to see if any of the new ciphers are there but
+    # disabled. If they are then enable them.
+    lciphers = ciphers.split(',')
+    new_ciphers = []
+    for cipher in lciphers:
+        for add in add_ciphers:
+            if cipher.endswith(add):
+                if cipher.startswith('-'):
+                    cipher = '+%s' % add
+        new_ciphers.append(cipher)
+
+    # Run through again and add remaining ciphers as enabled.
+    for add in add_ciphers:
+        if add not in ciphers:
+            new_ciphers.append('+%s' % add)
+
+    ciphers = ','.join(new_ciphers)
+    set_directive(NSS_CONF, 'NSSCipherSuite', ciphers, False)
+    root_logger.info('Updated Apache cipher list')
+
+
+def restart_http():
+    root_logger.info('Restarting HTTP')
+    fstore = sysrestore.FileStore('/var/lib/ipa/sysrestore')
+    http = HTTPInstance(fstore)
+    http.restart()
+
+
 def main():
     if os.getegid() != 0:
         sys.exit("Must be root to run this script")
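Review bot: in `update_mod_nss_cipher_suite`, `if add not in ciphers` tests the raw comma-separated string, so it is a substring match: a longer cipher name that merely contains `ecdhe_rsa_aes_128_sha` makes the script treat the cipher as already listed and skip adding it. Compare against the parsed names with the leading `+` or `-` stripped instead. The result of `installutils.get_directive()` is also used without a check before `ciphers.split(',')`, and the new `set_directive` still matches with `line.lstrip().startswith(directive)`, a prefix comparison, which sits oddly with the comment above it about the loose comparison in the ipa-3-0 version.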
@@ -110,6 +187,8 @@ def main():
     add_ca_schema()
     restart_pki_ds()
+    update_mod_nss_cipher_suite()
+    restart_http()
     root_logger.info('Schema updated successfully')
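Review bot: `update_mod_nss_cipher_suite()` and `restart_http()` are called unconditionally, so every run of the script rewrites nss.conf and restarts Apache even when both ciphers are already enabled. Have the update function return whether it changed anything and restart only in that case. The closing log line still says only 'Schema updated successfully' although the script now also changes the web server's cipher configuration.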
--
2.20.1
SPECS/ipa.spec
@@ -93,7 +93,7 @@
Name:           ipa
Version:        %{IPA_VERSION}
Release:        10%{?dist}.2
Release:        10%{?dist}.3
Summary:        The Identity, Policy and Audit system
Group:          System Environment/Base
@@ -165,6 +165,12 @@
Patch0054:    0054-ipatest-add-test-for-ipa-pkinit-manage-enable-disabl.patch
Patch0055:    0055-PKINIT-fix-ipa-pkinit-manage-enable-disable.patch
Patch0056:    0056-replication-check-remote-ds-version-before-editing-a.patch
Patch0057:    0057-ipa-sidgen-make-internal-fetch_attr-helper-really-in.patch
Patch0058:    0058-replica-installation-add-master-record-only-if-in-ma.patch
Patch0059:    0059-ipatests-add-test-for-replica-in-forward-zone.patch
Patch0060:    0060-Add-workaround-for-slow-host-service-del.patch
Patch0061:    0061-Optimize-cert-remove-case.patch
Patch0062:    0062-Update-mod_nss-cipher-list-so-there-is-overlap-with-.patch
Patch1001:      1001-Change-branding-to-IPA-and-Identity-Management.patch
Patch1002:      1002-Package-copy-schema-to-ca.py.patch
Patch1003:      1003-Revert-Increased-mod_wsgi-socket-timeout.patch
@@ -1740,9 +1746,21 @@
%changelog
* Tue Jan 29 2019 CentOS Sources <bugs@centos.org> - 4.6.4-10.el7.centos.2
* Tue Mar 12 2019 CentOS Sources <bugs@centos.org> - 4.6.4-10.el7.centos.3
- Roll in CentOS Branding
* Mon Feb 4 2019 Florence Blanc-Renaud <frenaud@redhat.com> - 4.6.4-10.el7_6.3
- Resolves: 1672343 pki spawn fails for IPA replica install from RHEL6 IPA master
  - Update mod_nss cipher list so there is overlap with a 4.x master
- Resolves: 1672342 Fix compile issue with new 389-ds
  - ipa-sidgen: make internal fetch_attr helper really internal
- Resolves: 1672176 host_del and host_disable fails, ra.find() search for every certificates instead of the host's certificate by subject
  - Add workaround for slow host/service del
  - Optimize cert remove case
- Resolves: 1672238 The ipa-replica-install command failed, exception: ValidationError: invalid 'dnszoneidnsname': only master zones can contain record
  - replica installation: add master record only if in managed zone
  - ipatests: add test for replica in forward zone
* Tue Dec 18 2018 Florence Blanc-Renaud <frenaud@redhat.com> - 4.6.4-10.el7_6.2
- Resolves: 1659492 searching for ipa users by certificate fails
  - ipaldap.py: fix method creating a ldap filter for IPACertificate