From 0201d8c1f8891ab8748f106290dcc981c3346232 Mon Sep 17 00:00:00 2001 From: CentOS Sources Date: Mar 26 2015 09:19:11 +0000 Subject: import ipa-4.1.0-18.el7_1.3 --- diff --git a/SOURCES/0113-Always-return-absolute-idnsname-in-dnszone-commands.patch b/SOURCES/0113-Always-return-absolute-idnsname-in-dnszone-commands.patch new file mode 100644 index 0000000..ea41cde --- /dev/null +++ b/SOURCES/0113-Always-return-absolute-idnsname-in-dnszone-commands.patch @@ -0,0 +1,103 @@ +From 9b01d87626de2c5a0cb9b5e0d10959b13f03fbba Mon Sep 17 00:00:00 2001 +From: Martin Basti +Date: Thu, 15 Jan 2015 13:13:55 +0100 +Subject: [PATCH] Always return absolute idnsname in dnszone commands + +Ticket: https://fedorahosted.org/freeipa/ticket/4722 +Reviewed-By: Jan Cholasta +--- + ipalib/plugins/dns.py | 36 ++++++++++++++++++++++++++++++++++-- + 1 file changed, 34 insertions(+), 2 deletions(-) + +diff --git a/ipalib/plugins/dns.py b/ipalib/plugins/dns.py +index 34afc189866993481229bb68a5edd77e0a4eaff3..ea4c212b42631e8513a13d2a7f5a859b2176376b 100644 +--- a/ipalib/plugins/dns.py ++++ b/ipalib/plugins/dns.py +@@ -1848,6 +1848,18 @@ class DNSZoneBase(LDAPObject): + except errors.NotFound: + raise e # re-raise original exception + ++ def _make_zonename_absolute(self, entry_attrs, **options): ++ """ ++ Zone names can be relative in IPA < 4.0, make sure we always return ++ absolute zone name from ldap ++ """ ++ if options.get('raw'): ++ return ++ ++ if "idnsname" in entry_attrs: ++ entry_attrs.single_value['idnsname'] = ( ++ entry_attrs.single_value['idnsname'].make_absolute()) ++ + + class DNSZoneBase_add(LDAPCreate): + +@@ -1895,6 +1907,11 @@ class DNSZoneBase_del(LDAPDelete): + class DNSZoneBase_mod(LDAPUpdate): + has_output_params = LDAPUpdate.has_output_params + dnszone_output_params + ++ def post_callback(self, ldap, dn, entry_attrs, *keys, **options): ++ assert isinstance(dn, DN) ++ self.obj._make_zonename_absolute(entry_attrs, **options) ++ return dn ++ + + class DNSZoneBase_find(LDAPSearch): + __doc__ = _('Search for DNS zones (SOA records).') +@@ -1929,6 +1946,11 @@ class DNSZoneBase_find(LDAPSearch): + filter = _create_idn_filter(self, ldap, *args, **options) + return (filter, base_dn, scope) + ++ def post_callback(self, ldap, entries, truncated, *args, **options): ++ for entry_attrs in entries: ++ self.obj._make_zonename_absolute(entry_attrs, **options) ++ return truncated ++ + + class DNSZoneBase_show(LDAPRetrieve): + has_output_params = LDAPRetrieve.has_output_params + dnszone_output_params +@@ -1939,6 +1961,11 @@ class DNSZoneBase_show(LDAPRetrieve): + self.obj.handle_not_found(*keys) + return dn + ++ def post_callback(self, ldap, dn, entry_attrs, *keys, **options): ++ assert isinstance(dn, DN) ++ self.obj._make_zonename_absolute(entry_attrs, **options) ++ return dn ++ + + class DNSZoneBase_disable(LDAPQuery): + has_output = output.standard_value +@@ -2539,7 +2566,8 @@ class dnszone_mod(DNSZoneBase_mod): + return result + + def post_callback(self, ldap, dn, entry_attrs, *keys, **options): +- assert isinstance(dn, DN) ++ dn = super(dnszone_mod, self).post_callback(ldap, dn, entry_attrs, ++ *keys, **options) + self.obj._rr_zone_postprocess(entry_attrs, **options) + return dn + +@@ -2576,6 +2604,9 @@ class dnszone_find(DNSZoneBase_find): + return (filter, base_dn, scope) + + def post_callback(self, ldap, entries, truncated, *args, **options): ++ truncated = super(dnszone_find, self).post_callback(ldap, entries, ++ truncated, *args, ++ **options) + for entry_attrs in entries: + self.obj._rr_zone_postprocess(entry_attrs, **options) + return truncated +@@ -2592,7 +2623,8 @@ class dnszone_show(DNSZoneBase_show): + return result + + def post_callback(self, ldap, dn, entry_attrs, *keys, **options): +- assert isinstance(dn, DN) ++ dn = super(dnszone_show, self).post_callback(ldap, dn, entry_attrs, ++ *keys, **options) + self.obj._rr_zone_postprocess(entry_attrs, **options) + return dn + +-- +2.1.0 + diff --git a/SOURCES/0114-ipa-kdb-reject-principals-from-disabled-domains-as-a.patch b/SOURCES/0114-ipa-kdb-reject-principals-from-disabled-domains-as-a.patch new file mode 100644 index 0000000..9ffb3ce --- /dev/null +++ b/SOURCES/0114-ipa-kdb-reject-principals-from-disabled-domains-as-a.patch @@ -0,0 +1,30 @@ +From b46e3a309e8aa9a629037afb6ca7972d98e943e9 Mon Sep 17 00:00:00 2001 +From: Alexander Bokovoy +Date: Wed, 10 Dec 2014 14:59:38 +0200 +Subject: [PATCH] ipa-kdb: reject principals from disabled domains as a KDC + policy + +Fixes https://fedorahosted.org/freeipa/ticket/4788 + +Reviewed-By: Sumit Bose +Reviewed-By: Simo Sorce +--- + daemons/ipa-kdb/ipa_kdb_mspac.c | 2 +- + 1 file changed, 1 insertion(+), 1 deletion(-) + +diff --git a/daemons/ipa-kdb/ipa_kdb_mspac.c b/daemons/ipa-kdb/ipa_kdb_mspac.c +index a4500070760e83994c8155a12ee6414b5ebee9e0..e3215db4ea11632dce8f039fc6b89c4a09acd87a 100644 +--- a/daemons/ipa-kdb/ipa_kdb_mspac.c ++++ b/daemons/ipa-kdb/ipa_kdb_mspac.c +@@ -1375,7 +1375,7 @@ static krb5_error_code filter_logon_info(krb5_context context, + &domain->parent->sid_blacklist_incoming[k], true); + if (result) { + filter_logon_info_log_message(info->info->info3.base.domain_sid); +- return EINVAL; ++ return KRB5KDC_ERR_POLICY; + } + } + } +-- +2.1.0 + diff --git a/SOURCES/0115-ipalib-Make-sure-correct-attribute-name-is-reference.patch b/SOURCES/0115-ipalib-Make-sure-correct-attribute-name-is-reference.patch new file mode 100644 index 0000000..5a31c67 --- /dev/null +++ b/SOURCES/0115-ipalib-Make-sure-correct-attribute-name-is-reference.patch @@ -0,0 +1,47 @@ +From ce31d4124e20261cbd561f688110046945b082c1 Mon Sep 17 00:00:00 2001 +From: Tomas Babej +Date: Thu, 19 Feb 2015 17:10:37 +0100 +Subject: [PATCH] ipalib: Make sure correct attribute name is referenced for + fax + +Fixes the invalid attribute name reference in the +'System: Read User Addressbook Attributes' permission. + +https://fedorahosted.org/freeipa/ticket/4883 + +Reviewed-By: Martin Kosek +Reviewed-By: Alexander Bokovoy +--- + ACI.txt | 2 +- + ipalib/plugins/user.py | 2 +- + 2 files changed, 2 insertions(+), 2 deletions(-) + +diff --git a/ACI.txt b/ACI.txt +index 67d583fabc295deb8aa5aab329bce5100c1b9088..fa1dcc4a8c9fd0c610dadcb2c368f700d26d4011 100644 +--- a/ACI.txt ++++ b/ACI.txt +@@ -255,7 +255,7 @@ aci: (targetattr = "businesscategory || carlicense || cn || description || displ + dn: cn=UPG Definition,cn=Definitions,cn=Managed Entries,cn=etc,dc=ipa,dc=example + aci: (targetattr = "*")(target = "ldap:///cn=UPG Definition,cn=Definitions,cn=Managed Entries,cn=etc,dc=ipa,dc=example")(version 3.0;acl "permission:System: Read UPG Definition";allow (compare,read,search) groupdn = "ldap:///cn=System: Read UPG Definition,cn=permissions,cn=pbac,dc=ipa,dc=example";) + dn: cn=users,cn=accounts,dc=ipa,dc=example +-aci: (targetattr = "audio || businesscategory || carlicense || departmentnumber || destinationindicator || employeenumber || employeetype || fax || homephone || homepostaladdress || inetuserhttpurl || inetuserstatus || internationalisdnnumber || jpegphoto || l || labeleduri || mail || mobile || o || ou || pager || photo || physicaldeliveryofficename || postaladdress || postalcode || postofficebox || preferreddeliverymethod || preferredlanguage || registeredaddress || roomnumber || secretary || seealso || st || street || telephonenumber || teletexterminalidentifier || telexnumber || usercertificate || usersmimecertificate || x121address || x500uniqueidentifier")(targetfilter = "(objectclass=posixaccount)")(version 3.0;acl "permission:System: Read User Addressbook Attributes";allow (compare,read,search) userdn = "ldap:///all";) ++aci: (targetattr = "audio || businesscategory || carlicense || departmentnumber || destinationindicator || employeenumber || employeetype || facsimiletelephonenumber || homephone || homepostaladdress || inetuserhttpurl || inetuserstatus || internationalisdnnumber || jpegphoto || l || labeleduri || mail || mobile || o || ou || pager || photo || physicaldeliveryofficename || postaladdress || postalcode || postofficebox || preferreddeliverymethod || preferredlanguage || registeredaddress || roomnumber || secretary || seealso || st || street || telephonenumber || teletexterminalidentifier || telexnumber || usercertificate || usersmimecertificate || x121address || x500uniqueidentifier")(targetfilter = "(objectclass=posixaccount)")(version 3.0;acl "permission:System: Read User Addressbook Attributes";allow (compare,read,search) userdn = "ldap:///all";) + dn: dc=ipa,dc=example + aci: (targetattr = "cn || createtimestamp || entryusn || gecos || gidnumber || homedirectory || loginshell || modifytimestamp || objectclass || uid || uidnumber")(target = "ldap:///cn=users,cn=compat,dc=ipa,dc=example")(version 3.0;acl "permission:System: Read User Compat Tree";allow (compare,read,search) userdn = "ldap:///anyone";) + dn: cn=users,cn=accounts,dc=ipa,dc=example +diff --git a/ipalib/plugins/user.py b/ipalib/plugins/user.py +index 56585b9f86593c0c5879139103bc71707b88e15f..abe5ee26b8e48681eeb0cbb3bcff8617e212225c 100644 +--- a/ipalib/plugins/user.py ++++ b/ipalib/plugins/user.py +@@ -276,7 +276,7 @@ class user(LDAPObject): + 'ipapermright': {'read', 'search', 'compare'}, + 'ipapermdefaultattr': { + 'seealso', 'telephonenumber', +- 'fax', 'l', 'ou', 'st', 'postalcode', 'street', ++ 'facsimiletelephonenumber', 'l', 'ou', 'st', 'postalcode', 'street', + 'destinationindicator', 'internationalisdnnumber', + 'physicaldeliveryofficename', 'postaladdress', 'postofficebox', + 'preferreddeliverymethod', 'registeredaddress', +-- +2.1.0 + diff --git a/SOURCES/0116-Restore-default.conf-and-use-it-to-build-API.patch b/SOURCES/0116-Restore-default.conf-and-use-it-to-build-API.patch new file mode 100644 index 0000000..59ba9e7 --- /dev/null +++ b/SOURCES/0116-Restore-default.conf-and-use-it-to-build-API.patch @@ -0,0 +1,164 @@ +From 0dfae3e9f16d91116a6769e25bbbee0ef1e485d2 Mon Sep 17 00:00:00 2001 +From: David Kupka +Date: Wed, 4 Mar 2015 10:06:47 -0500 +Subject: [PATCH] Restore default.conf and use it to build API. + +When restoring ipa after uninstallation we need to extract and load +configuration of the restored environment. + +https://fedorahosted.org/freeipa/ticket/4896 + +Reviewed-By: Jan Cholasta +--- + ipaserver/install/ipa_restore.py | 64 ++++++++++++++++++++++++++++++---------- + 1 file changed, 48 insertions(+), 16 deletions(-) + +diff --git a/ipaserver/install/ipa_restore.py b/ipaserver/install/ipa_restore.py +index efe3b9b1c0c10775b3a72b9d843924263526209a..a5ecd5f62bc85918fe697d98109bd3a82120f355 100644 +--- a/ipaserver/install/ipa_restore.py ++++ b/ipaserver/install/ipa_restore.py +@@ -27,7 +27,7 @@ from ConfigParser import SafeConfigParser + import ldif + import itertools + +-from ipalib import api, errors ++from ipalib import api, errors, constants + from ipapython import version, ipautil, certdb, dogtag + from ipapython.ipautil import run, user_input + from ipapython import admintool +@@ -203,15 +203,12 @@ class Restore(admintool.AdminTool): + options = self.options + super(Restore, self).run() + +- api.bootstrap(in_server=False, context='restore') +- api.finalize() +- + self.backup_dir = self.args[0] + if not os.path.isabs(self.backup_dir): + self.backup_dir = os.path.join(BACKUP_DIR, self.backup_dir) + + self.log.info("Preparing restore from %s on %s", +- self.backup_dir, api.env.host) ++ self.backup_dir, constants.FQDN) + + self.header = os.path.join(self.backup_dir, 'header') + +@@ -225,9 +222,6 @@ class Restore(admintool.AdminTool): + else: + restore_type = self.backup_type + +- instances = [realm_to_serverid(api.env.realm), 'PKI-IPA'] +- backends = ['userRoot', 'ipaca'] +- + # These checks would normally be in the validate method but + # we need to know the type of backup we're dealing with. + if restore_type == 'FULL': +@@ -241,6 +235,8 @@ class Restore(admintool.AdminTool): + else: + installutils.check_server_configuration() + ++ self.init_api() ++ + if options.instance: + instance_dir = (paths.VAR_LIB_SLAPD_INSTANCE_DIR_TEMPLATE % + options.instance) +@@ -248,10 +244,10 @@ class Restore(admintool.AdminTool): + raise admintool.ScriptError( + "Instance %s does not exist" % options.instance) + +- instances = [options.instance] ++ self.instances = [options.instance] + + if options.backend: +- for instance in instances: ++ for instance in self.instances: + db_dir = (paths.SLAPD_INSTANCE_DB_DIR_TEMPLATE % + (instance, options.backend)) + if os.path.exists(db_dir): +@@ -260,9 +256,10 @@ class Restore(admintool.AdminTool): + raise admintool.ScriptError( + "Backend %s does not exist" % options.backend) + +- backends = [options.backend] ++ self.backends = [options.backend] + +- for instance, backend in itertools.product(instances, backends): ++ for instance, backend in itertools.product(self.instances, ++ self.backends): + db_dir = (paths.SLAPD_INSTANCE_DB_DIR_TEMPLATE % + (instance, backend)) + if os.path.exists(db_dir): +@@ -274,10 +271,10 @@ class Restore(admintool.AdminTool): + self.log.info("Performing %s restore from %s backup" % + (restore_type, self.backup_type)) + +- if self.backup_host != api.env.host: ++ if self.backup_host != constants.FQDN: + raise admintool.ScriptError( + "Host name %s does not match backup name %s" % +- (api.env.host, self.backup_host)) ++ (constants.FQDN, self.backup_host)) + + if self.backup_ipa_version != str(version.VERSION): + self.log.warning( +@@ -307,9 +304,13 @@ class Restore(admintool.AdminTool): + + self.extract_backup(options.gpg_keyring) + ++ if restore_type == 'FULL': ++ self.restore_default_conf() ++ self.init_api(confdir=self.dir + paths.ETC_IPA) ++ + databases = [] +- for instance in instances: +- for backend in backends: ++ for instance in self.instances: ++ for backend in self.backends: + database = (instance, backend) + ldiffile = os.path.join(self.dir, '%s-%s.ldif' % database) + if os.path.exists(ldiffile): +@@ -607,6 +608,30 @@ class Restore(admintool.AdminTool): + self.log.critical("bak2db failed: %s" % stderr) + + ++ def restore_default_conf(self): ++ ''' ++ Restore paths.IPA_DEFAULT_CONF to temporary directory. ++ ++ Primary purpose of this method is to get cofiguration for api ++ finalization when restoring ipa after uninstall. ++ ''' ++ cwd = os.getcwd() ++ os.chdir(self.dir) ++ args = ['tar', ++ '--xattrs', ++ '--selinux', ++ '-xzf', ++ os.path.join(self.dir, 'files.tar'), ++ paths.IPA_DEFAULT_CONF[1:], ++ ] ++ ++ (stdout, stderr, rc) = run(args, raiseonerr=False) ++ if rc != 0: ++ self.log.critical('Restoring %s failed: %s' % ++ (paths.IPA_DEFAULT_CONF, stderr)) ++ os.chdir(cwd) ++ ++ + def file_restore(self, nologs=False): + ''' + Restore all the files in the tarball. +@@ -803,3 +828,10 @@ class Restore(admintool.AdminTool): + tasks.reload_systemwide_ca_store() + + services.knownservices.certmonger.restart() ++ ++ def init_api(self, **overrides): ++ api.bootstrap(in_server=False, context='restore', **overrides) ++ api.finalize() ++ ++ self.instances = [realm_to_serverid(api.env.realm), 'PKI-IPA'] ++ self.backends = ['userRoot', 'ipaca'] +-- +2.1.0 + diff --git a/SOURCES/0117-Limit-deadlocks-between-DS-plugin-DNA-and-slapi-nis.patch b/SOURCES/0117-Limit-deadlocks-between-DS-plugin-DNA-and-slapi-nis.patch new file mode 100644 index 0000000..2f75ad2 --- /dev/null +++ b/SOURCES/0117-Limit-deadlocks-between-DS-plugin-DNA-and-slapi-nis.patch @@ -0,0 +1,62 @@ +From 7a98d658d662f0cec33ba6207474d8271029b4bd Mon Sep 17 00:00:00 2001 +From: root +Date: Wed, 4 Mar 2015 11:11:45 +0100 +Subject: [PATCH] Limit deadlocks between DS plugin DNA and slapi-nis + + Deadlock can occur if DNA plugin (shared) config and Schema-compat plugin config + are updated at the same time. + Schema-compat should ignore update on DNA config. + + https://fedorahosted.org/freeipa/ticket/4927 + +Reviewed-By: Jan Cholasta +--- + install/updates/10-schema_compat.update | 5 +++++ + 1 file changed, 5 insertions(+) + +diff --git a/install/updates/10-schema_compat.update b/install/updates/10-schema_compat.update +index b8c79012d121116f9cf53908fbe4eeeebe9d3d82..4484bdcce15736eeaffcc99edc694094b16fd0ed 100644 +--- a/install/updates/10-schema_compat.update ++++ b/install/updates/10-schema_compat.update +@@ -22,6 +22,7 @@ remove: schema-compat-ignore-subtree: cn=changelog + remove: schema-compat-ignore-subtree: o=ipaca + add: schema-compat-restrict-subtree: '$SUFFIX' + add: schema-compat-restrict-subtree: 'cn=Schema Compatibility,cn=plugins,cn=config' ++add: schema-compat-ignore-subtree: 'cn=dna,cn=ipa,cn=etc,$SUFFIX' + + # Change padding for host and userCategory so the pad returns the same value + # as the original, '' or -. +@@ -31,6 +32,7 @@ remove: schema-compat-ignore-subtree: cn=changelog + remove: schema-compat-ignore-subtree: o=ipaca + add: schema-compat-restrict-subtree: '$SUFFIX' + add: schema-compat-restrict-subtree: 'cn=Schema Compatibility,cn=plugins,cn=config' ++add: schema-compat-ignore-subtree: 'cn=dna,cn=ipa,cn=etc,$SUFFIX' + + dn: cn=computers, cn=Schema Compatibility, cn=plugins, cn=config + default:objectClass: top +@@ -49,6 +51,7 @@ remove: schema-compat-ignore-subtree: cn=changelog + remove: schema-compat-ignore-subtree: o=ipaca + add: schema-compat-restrict-subtree: '$SUFFIX' + add: schema-compat-restrict-subtree: 'cn=Schema Compatibility,cn=plugins,cn=config' ++add: schema-compat-ignore-subtree: 'cn=dna,cn=ipa,cn=etc,$SUFFIX' + + dn: cn=sudoers,cn=Schema Compatibility,cn=plugins,cn=config + add:schema-compat-entry-attribute: sudoOrder=%{sudoOrder} +@@ -58,12 +61,14 @@ remove: schema-compat-ignore-subtree: cn=changelog + remove: schema-compat-ignore-subtree: o=ipaca + add: schema-compat-restrict-subtree: '$SUFFIX' + add: schema-compat-restrict-subtree: 'cn=Schema Compatibility,cn=plugins,cn=config' ++add: schema-compat-ignore-subtree: 'cn=dna,cn=ipa,cn=etc,$SUFFIX' + + dn: cn=groups,cn=Schema Compatibility,cn=plugins,cn=config + remove: schema-compat-ignore-subtree: cn=changelog + remove: schema-compat-ignore-subtree: o=ipaca + add: schema-compat-restrict-subtree: '$SUFFIX' + add: schema-compat-restrict-subtree: 'cn=Schema Compatibility,cn=plugins,cn=config' ++add: schema-compat-ignore-subtree: 'cn=dna,cn=ipa,cn=etc,$SUFFIX' + + dn: cn=Schema Compatibility,cn=plugins,cn=config + # We need to run schema-compat pre-bind callback before +-- +2.1.0 + diff --git a/SOURCES/0118-Add-configure-check-for-cwrap-libraries.patch b/SOURCES/0118-Add-configure-check-for-cwrap-libraries.patch new file mode 100644 index 0000000..6dfaf34 --- /dev/null +++ b/SOURCES/0118-Add-configure-check-for-cwrap-libraries.patch @@ -0,0 +1,53 @@ +From d6ea80f9c0a5b7d6bd44e32297af3718c1e782ff Mon Sep 17 00:00:00 2001 +From: Sumit Bose +Date: Tue, 24 Feb 2015 15:29:00 +0100 +Subject: [PATCH] Add configure check for cwrap libraries + +Currently only nss-wrapper is checked, checks for other crwap libraries +can be added e.g. as + +AM_CHECK_WRAPPER(uid_wrapper, HAVE_UID_WRAPPER) + +Reviewed-By: Alexander Bokovoy +--- + daemons/configure.ac | 24 ++++++++++++++++++++++++ + 1 file changed, 24 insertions(+) + +diff --git a/daemons/configure.ac b/daemons/configure.ac +index e81aa60e381e035aff73bf27475fc0f101a5fbf9..932a8f7fd5230c90071cf26cc83f6aee5173457d 100644 +--- a/daemons/configure.ac ++++ b/daemons/configure.ac +@@ -224,6 +224,30 @@ PKG_CHECK_EXISTS(cmocka, + ) + AM_CONDITIONAL([HAVE_CMOCKA], [test x$have_cmocka = xyes]) + ++dnl A macro to check presence of a cwrap (http://cwrap.org) wrapper on the system ++dnl Usage: ++dnl AM_CHECK_WRAPPER(name, conditional) ++dnl If the cwrap library is found, sets the HAVE_$name conditional ++AC_DEFUN([AM_CHECK_WRAPPER], ++[ ++ FOUND_WRAPPER=0 ++ ++ AC_MSG_CHECKING([for $1]) ++ PKG_CHECK_EXISTS([$1], ++ [ ++ AC_MSG_RESULT([yes]) ++ FOUND_WRAPPER=1 ++ ], ++ [ ++ AC_MSG_RESULT([no]) ++ AC_MSG_WARN([cwrap library $1 not found, some tests will not run]) ++ ]) ++ ++ AM_CONDITIONAL($2, [ test x$FOUND_WRAPPER = x1]) ++]) ++ ++AM_CHECK_WRAPPER(nss_wrapper, HAVE_NSS_WRAPPER) ++ + dnl -- dirsrv is needed for the extdom unit tests -- + PKG_CHECK_MODULES([DIRSRV], [dirsrv >= 1.3.0]) + dnl -- sss_idmap is needed by the extdom exop -- +-- +2.1.0 + diff --git a/SOURCES/0119-extdom-handle-ERANGE-return-code-for-getXXYYY_r-call.patch b/SOURCES/0119-extdom-handle-ERANGE-return-code-for-getXXYYY_r-call.patch new file mode 100644 index 0000000..72bc2d4 --- /dev/null +++ b/SOURCES/0119-extdom-handle-ERANGE-return-code-for-getXXYYY_r-call.patch @@ -0,0 +1,776 @@ +From 14310dab1698da8afbc107c5c76a3c01c9aeb20e Mon Sep 17 00:00:00 2001 +From: Sumit Bose +Date: Tue, 24 Feb 2015 15:33:39 +0100 +Subject: [PATCH] extdom: handle ERANGE return code for getXXYYY_r() calls + +The getXXYYY_r() calls require a buffer to store the variable data of +the passwd and group structs. If the provided buffer is too small ERANGE +is returned and the caller can try with a larger buffer again. + +Cmocka/cwrap based unit-tests for get*_r_wrapper() are added. + +Resolves https://fedorahosted.org/freeipa/ticket/4908 + +Reviewed-By: Alexander Bokovoy +--- + .../ipa-slapi-plugins/ipa-extdom-extop/Makefile.am | 31 ++- + .../ipa-extdom-extop/ipa_extdom.h | 9 + + .../ipa-extdom-extop/ipa_extdom_cmocka_tests.c | 226 +++++++++++++++ + .../ipa-extdom-extop/ipa_extdom_common.c | 309 +++++++++++++++------ + .../ipa-extdom-extop/test_data/group | 2 + + .../ipa-extdom-extop/test_data/passwd | 2 + + .../ipa-extdom-extop/test_data/test_setup.sh | 3 + + 7 files changed, 498 insertions(+), 84 deletions(-) + create mode 100644 daemons/ipa-slapi-plugins/ipa-extdom-extop/ipa_extdom_cmocka_tests.c + create mode 100644 daemons/ipa-slapi-plugins/ipa-extdom-extop/test_data/group + create mode 100644 daemons/ipa-slapi-plugins/ipa-extdom-extop/test_data/passwd + create mode 100644 daemons/ipa-slapi-plugins/ipa-extdom-extop/test_data/test_setup.sh + +diff --git a/daemons/ipa-slapi-plugins/ipa-extdom-extop/Makefile.am b/daemons/ipa-slapi-plugins/ipa-extdom-extop/Makefile.am +index 0008476796f5b20f62f2c32e7b291b787fa7a6fc..a1679812ef3c5de8c6e18433cbb991a99ad0b6c8 100644 +--- a/daemons/ipa-slapi-plugins/ipa-extdom-extop/Makefile.am ++++ b/daemons/ipa-slapi-plugins/ipa-extdom-extop/Makefile.am +@@ -35,9 +35,20 @@ libipa_extdom_extop_la_LIBADD = \ + $(SSSNSSIDMAP_LIBS) \ + $(NULL) + ++TESTS = ++check_PROGRAMS = ++ + if HAVE_CHECK +-TESTS = extdom_tests +-check_PROGRAMS = extdom_tests ++TESTS += extdom_tests ++check_PROGRAMS += extdom_tests ++endif ++ ++if HAVE_CMOCKA ++if HAVE_NSS_WRAPPER ++TESTS_ENVIRONMENT = . ./test_data/test_setup.sh; ++TESTS += extdom_cmocka_tests ++check_PROGRAMS += extdom_cmocka_tests ++endif + endif + + extdom_tests_SOURCES = \ +@@ -55,6 +66,22 @@ extdom_tests_LDADD = \ + $(SSSNSSIDMAP_LIBS) \ + $(NULL) + ++extdom_cmocka_tests_SOURCES = \ ++ ipa_extdom_cmocka_tests.c \ ++ ipa_extdom_common.c \ ++ $(NULL) ++extdom_cmocka_tests_CFLAGS = $(CMOCKA_CFLAGS) ++extdom_cmocka_tests_LDFLAGS = \ ++ -rpath $(shell pkg-config --libs-only-L dirsrv | sed -e 's/-L//') \ ++ $(NULL) ++extdom_cmocka_tests_LDADD = \ ++ $(CMOCKA_LIBS) \ ++ $(LDAP_LIBS) \ ++ $(DIRSRV_LIBS) \ ++ $(SSSNSSIDMAP_LIBS) \ ++ $(NULL) ++ ++ + appdir = $(IPA_DATA_DIR) + app_DATA = \ + ipa-extdom-extop-conf.ldif \ +diff --git a/daemons/ipa-slapi-plugins/ipa-extdom-extop/ipa_extdom.h b/daemons/ipa-slapi-plugins/ipa-extdom-extop/ipa_extdom.h +index 56ca5009b1aa427f6c059b78ac392c768e461e2e..40bf933920fdd2ca19e5ef195aaa8fb820446cc5 100644 +--- a/daemons/ipa-slapi-plugins/ipa-extdom-extop/ipa_extdom.h ++++ b/daemons/ipa-slapi-plugins/ipa-extdom-extop/ipa_extdom.h +@@ -174,4 +174,13 @@ int check_request(struct extdom_req *req, enum extdom_version version); + int handle_request(struct ipa_extdom_ctx *ctx, struct extdom_req *req, + struct berval **berval); + int pack_response(struct extdom_res *res, struct berval **ret_val); ++int get_buffer(size_t *_buf_len, char **_buf); ++int getpwnam_r_wrapper(size_t buf_max, const char *name, ++ struct passwd *pwd, char **_buf, size_t *_buf_len); ++int getpwuid_r_wrapper(size_t buf_max, uid_t uid, ++ struct passwd *pwd, char **_buf, size_t *_buf_len); ++int getgrnam_r_wrapper(size_t buf_max, const char *name, ++ struct group *grp, char **_buf, size_t *_buf_len); ++int getgrgid_r_wrapper(size_t buf_max, gid_t gid, ++ struct group *grp, char **_buf, size_t *_buf_len); + #endif /* _IPA_EXTDOM_H_ */ +diff --git a/daemons/ipa-slapi-plugins/ipa-extdom-extop/ipa_extdom_cmocka_tests.c b/daemons/ipa-slapi-plugins/ipa-extdom-extop/ipa_extdom_cmocka_tests.c +new file mode 100644 +index 0000000000000000000000000000000000000000..d5bacd7e8c9dc0a71eea70162406c7e5b67384ad +--- /dev/null ++++ b/daemons/ipa-slapi-plugins/ipa-extdom-extop/ipa_extdom_cmocka_tests.c +@@ -0,0 +1,226 @@ ++/* ++ Authors: ++ Sumit Bose ++ ++ Copyright (C) 2015 Red Hat ++ ++ Extdom tests ++ ++ This program is free software; you can redistribute it and/or modify ++ it under the terms of the GNU General Public License as published by ++ the Free Software Foundation; either version 3 of the License, or ++ (at your option) any later version. ++ ++ This program is distributed in the hope that it will be useful, ++ but WITHOUT ANY WARRANTY; without even the implied warranty of ++ MERCHANTABILITY or FITNESS FOR A PARTICULAR PURPOSE. See the ++ GNU General Public License for more details. ++ ++ You should have received a copy of the GNU General Public License ++ along with this program. If not, see . ++*/ ++ ++#include ++#include ++#include ++#include ++#include ++ ++#include ++#include ++ ++ ++#include "ipa_extdom.h" ++ ++#define MAX_BUF (1024*1024*1024) ++ ++void test_getpwnam_r_wrapper(void **state) ++{ ++ int ret; ++ struct passwd pwd; ++ char *buf; ++ size_t buf_len; ++ ++ ret = get_buffer(&buf_len, &buf); ++ assert_int_equal(ret, 0); ++ ++ ret = getpwnam_r_wrapper(MAX_BUF, "non_exisiting_user", &pwd, &buf, ++ &buf_len); ++ assert_int_equal(ret, ENOENT); ++ ++ ret = getpwnam_r_wrapper(MAX_BUF, "user", &pwd, &buf, &buf_len); ++ assert_int_equal(ret, 0); ++ assert_string_equal(pwd.pw_name, "user"); ++ assert_string_equal(pwd.pw_passwd, "x"); ++ assert_int_equal(pwd.pw_uid, 12345); ++ assert_int_equal(pwd.pw_gid, 23456); ++ assert_string_equal(pwd.pw_gecos, "gecos"); ++ assert_string_equal(pwd.pw_dir, "/home/user"); ++ assert_string_equal(pwd.pw_shell, "/bin/shell"); ++ free(buf); ++ ++ ret = get_buffer(&buf_len, &buf); ++ assert_int_equal(ret, 0); ++ ++ ret = getpwnam_r_wrapper(MAX_BUF, "user_big", &pwd, &buf, &buf_len); ++ assert_int_equal(ret, 0); ++ assert_string_equal(pwd.pw_name, "user_big"); ++ assert_string_equal(pwd.pw_passwd, "x"); ++ assert_int_equal(pwd.pw_uid, 12346); ++ assert_int_equal(pwd.pw_gid, 23457); ++ assert_int_equal(strlen(pwd.pw_gecos), 4000 * strlen("gecos")); ++ assert_string_equal(pwd.pw_dir, "/home/user_big"); ++ assert_string_equal(pwd.pw_shell, "/bin/shell"); ++ free(buf); ++ ++ ret = get_buffer(&buf_len, &buf); ++ assert_int_equal(ret, 0); ++ ++ ret = getpwnam_r_wrapper(1024, "user_big", &pwd, &buf, &buf_len); ++ assert_int_equal(ret, ERANGE); ++ free(buf); ++} ++ ++void test_getpwuid_r_wrapper(void **state) ++{ ++ int ret; ++ struct passwd pwd; ++ char *buf; ++ size_t buf_len; ++ ++ ret = get_buffer(&buf_len, &buf); ++ assert_int_equal(ret, 0); ++ ++ ret = getpwuid_r_wrapper(MAX_BUF, 99999, &pwd, &buf, &buf_len); ++ assert_int_equal(ret, ENOENT); ++ ++ ret = getpwuid_r_wrapper(MAX_BUF, 12345, &pwd, &buf, &buf_len); ++ assert_int_equal(ret, 0); ++ assert_string_equal(pwd.pw_name, "user"); ++ assert_string_equal(pwd.pw_passwd, "x"); ++ assert_int_equal(pwd.pw_uid, 12345); ++ assert_int_equal(pwd.pw_gid, 23456); ++ assert_string_equal(pwd.pw_gecos, "gecos"); ++ assert_string_equal(pwd.pw_dir, "/home/user"); ++ assert_string_equal(pwd.pw_shell, "/bin/shell"); ++ free(buf); ++ ++ ret = get_buffer(&buf_len, &buf); ++ assert_int_equal(ret, 0); ++ ++ ret = getpwuid_r_wrapper(MAX_BUF, 12346, &pwd, &buf, &buf_len); ++ assert_int_equal(ret, 0); ++ assert_string_equal(pwd.pw_name, "user_big"); ++ assert_string_equal(pwd.pw_passwd, "x"); ++ assert_int_equal(pwd.pw_uid, 12346); ++ assert_int_equal(pwd.pw_gid, 23457); ++ assert_int_equal(strlen(pwd.pw_gecos), 4000 * strlen("gecos")); ++ assert_string_equal(pwd.pw_dir, "/home/user_big"); ++ assert_string_equal(pwd.pw_shell, "/bin/shell"); ++ free(buf); ++ ++ ret = get_buffer(&buf_len, &buf); ++ assert_int_equal(ret, 0); ++ ++ ret = getpwuid_r_wrapper(1024, 12346, &pwd, &buf, &buf_len); ++ assert_int_equal(ret, ERANGE); ++ free(buf); ++} ++ ++void test_getgrnam_r_wrapper(void **state) ++{ ++ int ret; ++ struct group grp; ++ char *buf; ++ size_t buf_len; ++ ++ ret = get_buffer(&buf_len, &buf); ++ assert_int_equal(ret, 0); ++ ++ ret = getgrnam_r_wrapper(MAX_BUF, "non_exisiting_group", &grp, &buf, &buf_len); ++ assert_int_equal(ret, ENOENT); ++ ++ ret = getgrnam_r_wrapper(MAX_BUF, "group", &grp, &buf, &buf_len); ++ assert_int_equal(ret, 0); ++ assert_string_equal(grp.gr_name, "group"); ++ assert_string_equal(grp.gr_passwd, "x"); ++ assert_int_equal(grp.gr_gid, 11111); ++ assert_string_equal(grp.gr_mem[0], "member0001"); ++ assert_string_equal(grp.gr_mem[1], "member0002"); ++ assert_null(grp.gr_mem[2]); ++ free(buf); ++ ++ ret = get_buffer(&buf_len, &buf); ++ assert_int_equal(ret, 0); ++ ++ ret = getgrnam_r_wrapper(MAX_BUF, "group_big", &grp, &buf, &buf_len); ++ assert_int_equal(ret, 0); ++ assert_string_equal(grp.gr_name, "group_big"); ++ assert_string_equal(grp.gr_passwd, "x"); ++ assert_int_equal(grp.gr_gid, 22222); ++ assert_string_equal(grp.gr_mem[0], "member0001"); ++ assert_string_equal(grp.gr_mem[1], "member0002"); ++ free(buf); ++ ++ ret = get_buffer(&buf_len, &buf); ++ assert_int_equal(ret, 0); ++ ++ ret = getgrnam_r_wrapper(1024, "group_big", &grp, &buf, &buf_len); ++ assert_int_equal(ret, ERANGE); ++ free(buf); ++} ++ ++void test_getgrgid_r_wrapper(void **state) ++{ ++ int ret; ++ struct group grp; ++ char *buf; ++ size_t buf_len; ++ ++ ret = get_buffer(&buf_len, &buf); ++ assert_int_equal(ret, 0); ++ ++ ret = getgrgid_r_wrapper(MAX_BUF, 99999, &grp, &buf, &buf_len); ++ assert_int_equal(ret, ENOENT); ++ ++ ret = getgrgid_r_wrapper(MAX_BUF, 11111, &grp, &buf, &buf_len); ++ assert_int_equal(ret, 0); ++ assert_string_equal(grp.gr_name, "group"); ++ assert_string_equal(grp.gr_passwd, "x"); ++ assert_int_equal(grp.gr_gid, 11111); ++ assert_string_equal(grp.gr_mem[0], "member0001"); ++ assert_string_equal(grp.gr_mem[1], "member0002"); ++ assert_null(grp.gr_mem[2]); ++ free(buf); ++ ++ ret = get_buffer(&buf_len, &buf); ++ assert_int_equal(ret, 0); ++ ++ ret = getgrgid_r_wrapper(MAX_BUF, 22222, &grp, &buf, &buf_len); ++ assert_int_equal(ret, 0); ++ assert_string_equal(grp.gr_name, "group_big"); ++ assert_string_equal(grp.gr_passwd, "x"); ++ assert_int_equal(grp.gr_gid, 22222); ++ assert_string_equal(grp.gr_mem[0], "member0001"); ++ assert_string_equal(grp.gr_mem[1], "member0002"); ++ free(buf); ++ ++ ret = get_buffer(&buf_len, &buf); ++ assert_int_equal(ret, 0); ++ ++ ret = getgrgid_r_wrapper(1024, 22222, &grp, &buf, &buf_len); ++ assert_int_equal(ret, ERANGE); ++ free(buf); ++} ++ ++int main(int argc, const char *argv[]) ++{ ++ const UnitTest tests[] = { ++ unit_test(test_getpwnam_r_wrapper), ++ unit_test(test_getpwuid_r_wrapper), ++ unit_test(test_getgrnam_r_wrapper), ++ unit_test(test_getgrgid_r_wrapper), ++ }; ++ ++ return run_tests(tests); ++} +diff --git a/daemons/ipa-slapi-plugins/ipa-extdom-extop/ipa_extdom_common.c b/daemons/ipa-slapi-plugins/ipa-extdom-extop/ipa_extdom_common.c +index 20fdd62b20f28f5384cf83b8be5819f721c6c3db..cbe336963ffbafadd5a7b8029a65fafe506f75e8 100644 +--- a/daemons/ipa-slapi-plugins/ipa-extdom-extop/ipa_extdom_common.c ++++ b/daemons/ipa-slapi-plugins/ipa-extdom-extop/ipa_extdom_common.c +@@ -49,6 +49,188 @@ + + #define MAX(a,b) (((a)>(b))?(a):(b)) + #define SSSD_DOMAIN_SEPARATOR '@' ++#define MAX_BUF (1024*1024*1024) ++ ++ ++ ++int get_buffer(size_t *_buf_len, char **_buf) ++{ ++ long pw_max; ++ long gr_max; ++ size_t buf_len; ++ char *buf; ++ ++ pw_max = sysconf(_SC_GETPW_R_SIZE_MAX); ++ gr_max = sysconf(_SC_GETGR_R_SIZE_MAX); ++ ++ buf_len = MAX(16384, MAX(pw_max, gr_max)); ++ ++ buf = malloc(sizeof(char) * buf_len); ++ if (buf == NULL) { ++ return LDAP_OPERATIONS_ERROR; ++ } ++ ++ *_buf_len = buf_len; ++ *_buf = buf; ++ ++ return LDAP_SUCCESS; ++} ++ ++static int inc_buffer(size_t buf_max, size_t *_buf_len, char **_buf) ++{ ++ size_t tmp_len; ++ char *tmp_buf; ++ ++ tmp_buf = *_buf; ++ tmp_len = *_buf_len; ++ ++ tmp_len *= 2; ++ if (tmp_len > buf_max) { ++ return ERANGE; ++ } ++ ++ tmp_buf = realloc(tmp_buf, tmp_len); ++ if (tmp_buf == NULL) { ++ return ENOMEM; ++ } ++ ++ *_buf_len = tmp_len; ++ *_buf = tmp_buf; ++ ++ return 0; ++} ++ ++int getpwnam_r_wrapper(size_t buf_max, const char *name, ++ struct passwd *pwd, char **_buf, size_t *_buf_len) ++{ ++ char *buf = NULL; ++ size_t buf_len = 0; ++ int ret; ++ struct passwd *result = NULL; ++ ++ buf = *_buf; ++ buf_len = *_buf_len; ++ ++ while (buf != NULL ++ && (ret = getpwnam_r(name, pwd, buf, buf_len, &result)) == ERANGE) { ++ ret = inc_buffer(buf_max, &buf_len, &buf); ++ if (ret != 0) { ++ if (ret == ERANGE) { ++ LOG("Buffer too small, increase ipaExtdomMaxNssBufSize.\n"); ++ } ++ goto done; ++ } ++ } ++ ++ if (ret == 0 && result == NULL) { ++ ret = ENOENT; ++ } ++ ++done: ++ *_buf = buf; ++ *_buf_len = buf_len; ++ ++ return ret; ++} ++ ++int getpwuid_r_wrapper(size_t buf_max, uid_t uid, ++ struct passwd *pwd, char **_buf, size_t *_buf_len) ++{ ++ char *buf = NULL; ++ size_t buf_len = 0; ++ int ret; ++ struct passwd *result = NULL; ++ ++ buf = *_buf; ++ buf_len = *_buf_len; ++ ++ while (buf != NULL ++ && (ret = getpwuid_r(uid, pwd, buf, buf_len, &result)) == ERANGE) { ++ ret = inc_buffer(buf_max, &buf_len, &buf); ++ if (ret != 0) { ++ if (ret == ERANGE) { ++ LOG("Buffer too small, increase ipaExtdomMaxNssBufSize.\n"); ++ } ++ goto done; ++ } ++ } ++ ++ if (ret == 0 && result == NULL) { ++ ret = ENOENT; ++ } ++ ++done: ++ *_buf = buf; ++ *_buf_len = buf_len; ++ ++ return ret; ++} ++ ++int getgrnam_r_wrapper(size_t buf_max, const char *name, ++ struct group *grp, char **_buf, size_t *_buf_len) ++{ ++ char *buf = NULL; ++ size_t buf_len = 0; ++ int ret; ++ struct group *result = NULL; ++ ++ buf = *_buf; ++ buf_len = *_buf_len; ++ ++ while (buf != NULL ++ && (ret = getgrnam_r(name, grp, buf, buf_len, &result)) == ERANGE) { ++ ret = inc_buffer(buf_max, &buf_len, &buf); ++ if (ret != 0) { ++ if (ret == ERANGE) { ++ LOG("Buffer too small, increase ipaExtdomMaxNssBufSize.\n"); ++ } ++ goto done; ++ } ++ } ++ ++ if (ret == 0 && result == NULL) { ++ ret = ENOENT; ++ } ++ ++done: ++ *_buf = buf; ++ *_buf_len = buf_len; ++ ++ return ret; ++} ++ ++int getgrgid_r_wrapper(size_t buf_max, gid_t gid, ++ struct group *grp, char **_buf, size_t *_buf_len) ++{ ++ char *buf = NULL; ++ size_t buf_len = 0; ++ int ret; ++ struct group *result = NULL; ++ ++ buf = *_buf; ++ buf_len = *_buf_len; ++ ++ while (buf != NULL ++ && (ret = getgrgid_r(gid, grp, buf, buf_len, &result)) == ERANGE) { ++ ret = inc_buffer(buf_max, &buf_len, &buf); ++ if (ret != 0) { ++ if (ret == ERANGE) { ++ LOG("Buffer too small, increase ipaExtdomMaxNssBufSize.\n"); ++ } ++ goto done; ++ } ++ } ++ ++ if (ret == 0 && result == NULL) { ++ ret = ENOENT; ++ } ++ ++done: ++ *_buf = buf; ++ *_buf_len = buf_len; ++ ++ return ret; ++} + + int parse_request_data(struct berval *req_val, struct extdom_req **_req) + { +@@ -191,33 +373,6 @@ int check_request(struct extdom_req *req, enum extdom_version version) + return LDAP_SUCCESS; + } + +-static int get_buffer(size_t *_buf_len, char **_buf) +-{ +- long pw_max; +- long gr_max; +- size_t buf_len; +- char *buf; +- +- pw_max = sysconf(_SC_GETPW_R_SIZE_MAX); +- gr_max = sysconf(_SC_GETGR_R_SIZE_MAX); +- +- if (pw_max == -1 && gr_max == -1) { +- buf_len = 16384; +- } else { +- buf_len = MAX(pw_max, gr_max); +- } +- +- buf = malloc(sizeof(char) * buf_len); +- if (buf == NULL) { +- return LDAP_OPERATIONS_ERROR; +- } +- +- *_buf_len = buf_len; +- *_buf = buf; +- +- return LDAP_SUCCESS; +-} +- + static int get_user_grouplist(const char *name, gid_t gid, + size_t *_ngroups, gid_t **_groups ) + { +@@ -323,7 +478,6 @@ static int pack_ber_user(enum response_types response_type, + size_t buf_len; + char *buf = NULL; + struct group grp; +- struct group *grp_result; + size_t c; + char *locat; + char *short_user_name = NULL; +@@ -375,13 +529,13 @@ static int pack_ber_user(enum response_types response_type, + } + + for (c = 0; c < ngroups; c++) { +- ret = getgrgid_r(groups[c], &grp, buf, buf_len, &grp_result); ++ ret = getgrgid_r_wrapper(MAX_BUF, groups[c], &grp, &buf, &buf_len); + if (ret != 0) { +- ret = LDAP_NO_SUCH_OBJECT; +- goto done; +- } +- if (grp_result == NULL) { +- ret = LDAP_NO_SUCH_OBJECT; ++ if (ret == ENOMEM || ret == ERANGE) { ++ ret = LDAP_OPERATIONS_ERROR; ++ } else { ++ ret = LDAP_NO_SUCH_OBJECT; ++ } + goto done; + } + +@@ -542,7 +696,6 @@ static int handle_uid_request(enum request_types request_type, uid_t uid, + { + int ret; + struct passwd pwd; +- struct passwd *pwd_result = NULL; + char *sid_str = NULL; + enum sss_id_type id_type; + size_t buf_len; +@@ -568,13 +721,13 @@ static int handle_uid_request(enum request_types request_type, uid_t uid, + + ret = pack_ber_sid(sid_str, berval); + } else { +- ret = getpwuid_r(uid, &pwd, buf, buf_len, &pwd_result); ++ ret = getpwuid_r_wrapper(MAX_BUF, uid, &pwd, &buf, &buf_len); + if (ret != 0) { +- ret = LDAP_NO_SUCH_OBJECT; +- goto done; +- } +- if (pwd_result == NULL) { +- ret = LDAP_NO_SUCH_OBJECT; ++ if (ret == ENOMEM || ret == ERANGE) { ++ ret = LDAP_OPERATIONS_ERROR; ++ } else { ++ ret = LDAP_NO_SUCH_OBJECT; ++ } + goto done; + } + +@@ -610,7 +763,6 @@ static int handle_gid_request(enum request_types request_type, gid_t gid, + { + int ret; + struct group grp; +- struct group *grp_result = NULL; + char *sid_str = NULL; + enum sss_id_type id_type; + size_t buf_len; +@@ -635,13 +787,13 @@ static int handle_gid_request(enum request_types request_type, gid_t gid, + + ret = pack_ber_sid(sid_str, berval); + } else { +- ret = getgrgid_r(gid, &grp, buf, buf_len, &grp_result); ++ ret = getgrgid_r_wrapper(MAX_BUF, gid, &grp, &buf, &buf_len); + if (ret != 0) { +- ret = LDAP_NO_SUCH_OBJECT; +- goto done; +- } +- if (grp_result == NULL) { +- ret = LDAP_NO_SUCH_OBJECT; ++ if (ret == ENOMEM || ret == ERANGE) { ++ ret = LDAP_OPERATIONS_ERROR; ++ } else { ++ ret = LDAP_NO_SUCH_OBJECT; ++ } + goto done; + } + +@@ -676,9 +828,7 @@ static int handle_sid_request(enum request_types request_type, const char *sid, + { + int ret; + struct passwd pwd; +- struct passwd *pwd_result = NULL; + struct group grp; +- struct group *grp_result = NULL; + char *domain_name = NULL; + char *fq_name = NULL; + char *object_name = NULL; +@@ -724,14 +874,13 @@ static int handle_sid_request(enum request_types request_type, const char *sid, + switch(id_type) { + case SSS_ID_TYPE_UID: + case SSS_ID_TYPE_BOTH: +- ret = getpwnam_r(fq_name, &pwd, buf, buf_len, &pwd_result); ++ ret = getpwnam_r_wrapper(MAX_BUF, fq_name, &pwd, &buf, &buf_len); + if (ret != 0) { +- ret = LDAP_NO_SUCH_OBJECT; +- goto done; +- } +- +- if (pwd_result == NULL) { +- ret = LDAP_NO_SUCH_OBJECT; ++ if (ret == ENOMEM || ret == ERANGE) { ++ ret = LDAP_OPERATIONS_ERROR; ++ } else { ++ ret = LDAP_NO_SUCH_OBJECT; ++ } + goto done; + } + +@@ -755,14 +904,13 @@ static int handle_sid_request(enum request_types request_type, const char *sid, + pwd.pw_shell, kv_list, berval); + break; + case SSS_ID_TYPE_GID: +- ret = getgrnam_r(fq_name, &grp, buf, buf_len, &grp_result); ++ ret = getgrnam_r_wrapper(MAX_BUF, fq_name, &grp, &buf, &buf_len); + if (ret != 0) { +- ret = LDAP_NO_SUCH_OBJECT; +- goto done; +- } +- +- if (grp_result == NULL) { +- ret = LDAP_NO_SUCH_OBJECT; ++ if (ret == ENOMEM || ret == ERANGE) { ++ ret = LDAP_OPERATIONS_ERROR; ++ } else { ++ ret = LDAP_NO_SUCH_OBJECT; ++ } + goto done; + } + +@@ -806,9 +954,7 @@ static int handle_name_request(enum request_types request_type, + int ret; + char *fq_name = NULL; + struct passwd pwd; +- struct passwd *pwd_result = NULL; + struct group grp; +- struct group *grp_result = NULL; + char *sid_str = NULL; + enum sss_id_type id_type; + size_t buf_len; +@@ -842,15 +988,8 @@ static int handle_name_request(enum request_types request_type, + goto done; + } + +- ret = getpwnam_r(fq_name, &pwd, buf, buf_len, &pwd_result); +- if (ret != 0) { +- /* according to the man page there are a couple of error codes +- * which can indicate that the user was not found. To be on the +- * safe side we fail back to the group lookup on all errors. */ +- pwd_result = NULL; +- } +- +- if (pwd_result != NULL) { ++ ret = getpwnam_r_wrapper(MAX_BUF, fq_name, &pwd, &buf, &buf_len); ++ if (ret == 0) { + if (request_type == REQ_FULL_WITH_GROUPS) { + ret = sss_nss_getorigbyname(pwd.pw_name, &kv_list, &id_type); + if (ret != 0 || !(id_type == SSS_ID_TYPE_UID +@@ -868,15 +1007,21 @@ static int handle_name_request(enum request_types request_type, + domain_name, pwd.pw_name, pwd.pw_uid, + pwd.pw_gid, pwd.pw_gecos, pwd.pw_dir, + pwd.pw_shell, kv_list, berval); ++ } else if (ret == ENOMEM || ret == ERANGE) { ++ ret = LDAP_OPERATIONS_ERROR; ++ goto done; + } else { /* no user entry found */ +- ret = getgrnam_r(fq_name, &grp, buf, buf_len, &grp_result); ++ /* according to the getpwnam() man page there are a couple of ++ * error codes which can indicate that the user was not found. To ++ * be on the safe side we fail back to the group lookup on all ++ * errors. */ ++ ret = getgrnam_r_wrapper(MAX_BUF, fq_name, &grp, &buf, &buf_len); + if (ret != 0) { +- ret = LDAP_NO_SUCH_OBJECT; +- goto done; +- } +- +- if (grp_result == NULL) { +- ret = LDAP_NO_SUCH_OBJECT; ++ if (ret == ENOMEM || ret == ERANGE) { ++ ret = LDAP_OPERATIONS_ERROR; ++ } else { ++ ret = LDAP_NO_SUCH_OBJECT; ++ } + goto done; + } + +diff --git a/daemons/ipa-slapi-plugins/ipa-extdom-extop/test_data/group b/daemons/ipa-slapi-plugins/ipa-extdom-extop/test_data/group +new file mode 100644 +index 0000000000000000000000000000000000000000..8d1b012871b21cc9d5ffdba2168f35ef3e8a5f81 +--- /dev/null ++++ b/daemons/ipa-slapi-plugins/ipa-extdom-extop/test_data/group +@@ -0,0 +1,2 @@ ++group:x:11111:member0001,member0002 ++group_big:x:22222:member0001,member0002,member0003,member0004,member0005,member0006,member0007,member0008,member0009,member0010,member0011,member0012,member0013,member0014,member0015,member0016,member0017,member0018,member0019,member0020,member0021,member0022,member0023,member0024,member0025,member0026,member0027,member0028,member0029,member0030,member0031,member0032,member0033,member0034,member0035,member0036,member0037,member0038,member0039,member0040,member0041,member0042,member0043,member0044,member0045,member0046,member0047,member0048,member0049,member0050,member0051,member0052,member0053,member0054,member0055,member0056,member0057,member0058,member0059,member0060,member0061,member0062,member0063,member0064,member0065,member0066,member0067,member0068,member0069,member0070,member0071,member0072,member0073,member0074,member0075,member0076,member0077,member0078,member0079,member0080,member0081,member0082,member0083,member0084,member0085,member0086,member0087,member0088,member0089,member0090,member0091,member0092,member0093,member0094,member0095,member0096,member0097,member0098,member0099,member0100,member0101,member0102,member0103,member0104,member0105,member0106,member0107,member0108,member0109,member0110,member0111,member0112,member0113,member0114,member0115,member0116,member0117,member0118,member0119,member0120,member0121,member0122,member0123,member0124,member0125,member0126,member0127,member0128,member0129,member0130,member0131,member0132,member0133,member0134,member0135,member0136,member0137,member0138,member0139,member0140,member0141,member0142,member0143,member0144,member0145,member0146,member0147,member0148,member0149,member0150,member0151,member0152,member0153,member0154,member0155,member0156,member0157,member0158,member0159,member0160,member0161,member0162,member0163,member0164,member0165,member0166,member0167,member0168,member0169,member0170,member0171,member0172,member0173,member0174,member0175,member0176,member0177,member0178,member0179,member0180,member0181,member0182,member0183,member0184,member0185,member0186,member0187,member0188,member0189,member0190,member0191,member0192,member0193,member0194,member0195,member0196,member0197,member0198,member0199,member0200,member0201,member0202,member0203,member0204,member0205,member0206,member0207,member0208,member0209,member0210,member0211,member0212,member0213,member0214,member0215,member0216,member0217,member0218,member0219,member0220,member0221,member0222,member0223,member0224,member0225,member0226,member0227,member0228,member0229,member0230,member0231,member0232,member0233,member0234,member0235,member0236,member0237,member0238,member0239,member0240,member0241,member0242,member0243,member0244,member0245,member0246,member0247,member0248,member0249,member0250,member0251,member0252,member0253,member0254,member0255,member0256,member0257,member0258,member0259,member0260,member0261,member0262,member0263,member0264,member0265,member0266,member0267,member0268,member0269,member0270,member0271,member0272,member0273,member0274,member0275,member0276,member0277,member0278,member0279,member0280,member0281,member0282,member0283,member0284,member0285,member0286,member0287,member0288,member0289,member0290,member0291,member0292,member0293,member0294,member0295,member0296,member0297,member0298,member0299,member0300,member0301,member0302,member0303,member0304,member0305,member0306,member0307,member0308,member0309,member0310,member0311,member0312,member0313,member0314,member0315,member0316,member0317,member0318,member0319,member0320,member0321,member0322,member0323,member0324,member0325,member0326,member0327,member0328,member0329,member0330,member0331,member0332,member0333,member0334,member0335,member0336,member0337,member0338,member0339,member0340,member0341,member0342,member0343,member0344,member0345,member0346,member0347,member0348,member0349,member0350,member0351,member0352,member0353,member0354,member0355,member0356,member0357,member0358,member0359,member0360,member0361,member0362,member0363,member0364,member0365,member0366,member0367,member0368,member0369,member0370,member0371,member0372,member0373,member0374,member0375,member0376,member0377,member0378,member0379,member0380,member0381,member0382,member0383,member0384,member0385,member0386,member0387,member0388,member0389,member0390,member0391,member0392,member0393,member0394,member0395,member0396,member0397,member0398,member0399,member0400,member0401,member0402,member0403,member0404,member0405,member0406,member0407,member0408,member0409,member0410,member0411,member0412,member0413,member0414,member0415,member0416,member0417,member0418,member0419,member0420,member0421,member0422,member0423,member0424,member0425,member0426,member0427,member0428,member0429,member0430,member0431,member0432,member0433,member0434,member0435,member0436,member0437,member0438,member0439,member0440,member0441,member0442,member0443,member0444,member0445,member0446,member0447,member0448,member0449,member0450,member0451,member0452,member0453,member0454,member0455,member0456,member0457,member0458,member0459,member0460,member0461,member0462,member0463,member0464,member0465,member0466,member0467,member0468,member0469,member0470,member0471,member0472,member0473,member0474,member0475,member0476,member0477,member0478,member0479,member0480,member0481,member0482,member0483,member0484,member0485,member0486,member0487,member0488,member0489,member0490,member0491,member0492,member0493,member0494,member0495,member0496,member0497,member0498,member0499,member0500,member0501,member0502,member0503,member0504,member0505,member0506,member0507,member0508,member0509,member0510,member0511,member0512,member0513,member0514,member0515,member0516,member0517,member0518,member0519,member0520,member0521,member0522,member0523,member0524,member0525,member0526,member0527,member0528,member0529,member0530,member0531,member0532,member0533,member0534,member0535,member0536,member0537,member0538,member0539,member0540,member0541,member0542,member0543,member0544,member0545,member0546,member0547,member0548,member0549,member0550,member0551,member0552,member0553,member0554,member0555,member0556,member0557,member0558,member0559,member0560,member0561,member0562,member0563,member0564,member0565,member0566,member0567,member0568,member0569,member0570,member0571,member0572,member0573,member0574,member0575,member0576,member0577,member0578,member0579,member0580,member0581,member0582,member0583,member0584,member0585,member0586,member0587,member0588,member0589,member0590,member0591,member0592,member0593,member0594,member0595,member0596,member0597,member0598,member0599,member0600,member0601,member0602,member0603,member0604,member0605,member0606,member0607,member0608,member0609,member0610,member0611,member0612,member0613,member0614,member0615,member0616,member0617,member0618,member0619,member0620,member0621,member0622,member0623,member0624,member0625,member0626,member0627,member0628,member0629,member0630,member0631,member0632,member0633,member0634,member0635,member0636,member0637,member0638,member0639,member0640,member0641,member0642,member0643,member0644,member0645,member0646,member0647,member0648,member0649,member0650,member0651,member0652,member0653,member0654,member0655,member0656,member0657,member0658,member0659,member0660,member0661,member0662,member0663,member0664,member0665,member0666,member0667,member0668,member0669,member0670,member0671,member0672,member0673,member0674,member0675,member0676,member0677,member0678,member0679,member0680,member0681,member0682,member0683,member0684,member0685,member0686,member0687,member0688,member0689,member0690,member0691,member0692,member0693,member0694,member0695,member0696,member0697,member0698,member0699,member0700,member0701,member0702,member0703,member0704,member0705,member0706,member0707,member0708,member0709,member0710,member0711,member0712,member0713,member0714,member0715,member0716,member0717,member0718,member0719,member0720,member0721,member0722,member0723,member0724,member0725,member0726,member0727,member0728,member0729,member0730,member0731,member0732,member0733,member0734,member0735,member0736,member0737,member0738,member0739,member0740,member0741,member0742,member0743,member0744,member0745,member0746,member0747,member0748,member0749,member0750,member0751,member0752,member0753,member0754,member0755,member0756,member0757,member0758,member0759,member0760,member0761,member0762,member0763,member0764,member0765,member0766,member0767,member0768,member0769,member0770,member0771,member0772,member0773,member0774,member0775,member0776,member0777,member0778,member0779,member0780,member0781,member0782,member0783,member0784,member0785,member0786,member0787,member0788,member0789,member0790,member0791,member0792,member0793,member0794,member0795,member0796,member0797,member0798,member0799,member0800,member0801,member0802,member0803,member0804,member0805,member0806,member0807,member0808,member0809,member0810,member0811,member0812,member0813,member0814,member0815,member0816,member0817,member0818,member0819,member0820,member0821,member0822,member0823,member0824,member0825,member0826,member0827,member0828,member0829,member0830,member0831,member0832,member0833,member0834,member0835,member0836,member0837,member0838,member0839,member0840,member0841,member0842,member0843,member0844,member0845,member0846,member0847,member0848,member0849,member0850,member0851,member0852,member0853,member0854,member0855,member0856,member0857,member0858,member0859,member0860,member0861,member0862,member0863,member0864,member0865,member0866,member0867,member0868,member0869,member0870,member0871,member0872,member0873,member0874,member0875,member0876,member0877,member0878,member0879,member0880,member0881,member0882,member0883,member0884,member0885,member0886,member0887,member0888,member0889,member0890,member0891,member0892,member0893,member0894,member0895,member0896,member0897,member0898,member0899,member0900,member0901,member0902,member0903,member0904,member0905,member0906,member0907,member0908,member0909,member0910,member0911,member0912,member0913,member0914,member0915,member0916,member0917,member0918,member0919,member0920,member0921,member0922,member0923,member0924,member0925,member0926,member0927,member0928,member0929,member0930,member0931,member0932,member0933,member0934,member0935,member0936,member0937,member0938,member0939,member0940,member0941,member0942,member0943,member0944,member0945,member0946,member0947,member0948,member0949,member0950,member0951,member0952,member0953,member0954,member0955,member0956,member0957,member0958,member0959,member0960,member0961,member0962,member0963,member0964,member0965,member0966,member0967,member0968,member0969,member0970,member0971,member0972,member0973,member0974,member0975,member0976,member0977,member0978,member0979,member0980,member0981,member0982,member0983,member0984,member0985,member0986,member0987,member0988,member0989,member0990,member0991,member0992,member0993,member0994,member0995,member0996,member0997,member0998,member0999,member1000,member1001,member1002,member1003,member1004,member1005,member1006,member1007,member1008,member1009,member1010,member1011,member1012,member1013,member1014,member1015,member1016,member1017,member1018,member1019,member1020,member1021,member1022,member1023,member1024,member1025,member1026,member1027,member1028,member1029,member1030,member1031,member1032,member1033,member1034,member1035,member1036,member1037,member1038,member1039,member1040,member1041,member1042,member1043,member1044,member1045,member1046,member1047,member1048,member1049,member1050,member1051,member1052,member1053,member1054,member1055,member1056,member1057,member1058,member1059,member1060,member1061,member1062,member1063,member1064,member1065,member1066,member1067,member1068,member1069,member1070,member1071,member1072,member1073,member1074,member1075,member1076,member1077,member1078,member1079,member1080,member1081,member1082,member1083,member1084,member1085,member1086,member1087,member1088,member1089,member1090,member1091,member1092,member1093,member1094,member1095,member1096,member1097,member1098,member1099,member1100,member1101,member1102,member1103,member1104,member1105,member1106,member1107,member1108,member1109,member1110,member1111,member1112,member1113,member1114,member1115,member1116,member1117,member1118,member1119,member1120,member1121,member1122,member1123,member1124,member1125,member1126,member1127,member1128,member1129,member1130,member1131,member1132,member1133,member1134,member1135,member1136,member1137,member1138,member1139,member1140,member1141,member1142,member1143,member1144,member1145,member1146,member1147,member1148,member1149,member1150,member1151,member1152,member1153,member1154,member1155,member1156,member1157,member1158,member1159,member1160,member1161,member1162,member1163,member1164,member1165,member1166,member1167,member1168,member1169,member1170,member1171,member1172,member1173,member1174,member1175,member1176,member1177,member1178,member1179,member1180,member1181,member1182,member1183,member1184,member1185,member1186,member1187,member1188,member1189,member1190,member1191,member1192,member1193,member1194,member1195,member1196,member1197,member1198,member1199,member1200,member1201,member1202,member1203,member1204,member1205,member1206,member1207,member1208,member1209,member1210,member1211,member1212,member1213,member1214,member1215,member1216,member1217,member1218,member1219,member1220,member1221,member1222,member1223,member1224,member1225,member1226,member1227,member1228,member1229,member1230,member1231,member1232,member1233,member1234,member1235,member1236,member1237,member1238,member1239,member1240,member1241,member1242,member1243,member1244,member1245,member1246,member1247,member1248,member1249,member1250,member1251,member1252,member1253,member1254,member1255,member1256,member1257,member1258,member1259,member1260,member1261,member1262,member1263,member1264,member1265,member1266,member1267,member1268,member1269,member1270,member1271,member1272,member1273,member1274,member1275,member1276,member1277,member1278,member1279,member1280,member1281,member1282,member1283,member1284,member1285,member1286,member1287,member1288,member1289,member1290,member1291,member1292,member1293,member1294,member1295,member1296,member1297,member1298,member1299,member1300,member1301,member1302,member1303,member1304,member1305,member1306,member1307,member1308,member1309,member1310,member1311,member1312,member1313,member1314,member1315,member1316,member1317,member1318,member1319,member1320,member1321,member1322,member1323,member1324,member1325,member1326,member1327,member1328,member1329,member1330,member1331,member1332,member1333,member1334,member1335,member1336,member1337,member1338,member1339,member1340,member1341,member1342,member1343,member1344,member1345,member1346,member1347,member1348,member1349,member1350,member1351,member1352,member1353,member1354,member1355,member1356,member1357,member1358,member1359,member1360,member1361,member1362,member1363,member1364,member1365,member1366,member1367,member1368,member1369,member1370,member1371,member1372,member1373,member1374,member1375,member1376,member1377,member1378,member1379,member1380,member1381,member1382,member1383,member1384,member1385,member1386,member1387,member1388,member1389,member1390,member1391,member1392,member1393,member1394,member1395,member1396,member1397,member1398,member1399,member1400,member1401,member1402,member1403,member1404,member1405,member1406,member1407,member1408,member1409,member1410,member1411,member1412,member1413,member1414,member1415,member1416,member1417,member1418,member1419,member1420,member1421,member1422,member1423,member1424,member1425,member1426,member1427,member1428,member1429,member1430,member1431,member1432,member1433,member1434,member1435,member1436,member1437,member1438,member1439,member1440,member1441,member1442,member1443,member1444,member1445,member1446,member1447,member1448,member1449,member1450,member1451,member1452,member1453,member1454,member1455,member1456,member1457,member1458,member1459,member1460,member1461,member1462,member1463,member1464,member1465,member1466,member1467,member1468,member1469,member1470,member1471,member1472,member1473,member1474,member1475,member1476,member1477,member1478,member1479,member1480,member1481,member1482,member1483,member1484,member1485,member1486,member1487,member1488,member1489,member1490,member1491,member1492,member1493,member1494,member1495,member1496,member1497,member1498,member1499,member1500,member1501,member1502,member1503,member1504,member1505,member1506,member1507,member1508,member1509,member1510,member1511,member1512,member1513,member1514,member1515,member1516,member1517,member1518,member1519,member1520,member1521,member1522,member1523,member1524,member1525,member1526,member1527,member1528,member1529,member1530,member1531,member1532,member1533,member1534,member1535,member1536,member1537,member1538,member1539,member1540,member1541,member1542,member1543,member1544,member1545,member1546,member1547,member1548,member1549,member1550,member1551,member1552,member1553,member1554,member1555,member1556,member1557,member1558,member1559,member1560,member1561,member1562,member1563,member1564,member1565,member1566,member1567,member1568,member1569,member1570,member1571,member1572,member1573,member1574,member1575,member1576,member1577,member1578,member1579,member1580,member1581,member1582,member1583,member1584,member1585,member1586,member1587,member1588,member1589,member1590,member1591,member1592,member1593,member1594,member1595,member1596,member1597,member1598,member1599,member1600,member1601,member1602,member1603,member1604,member1605,member1606,member1607,member1608,member1609,member1610,member1611,member1612,member1613,member1614,member1615,member1616,member1617,member1618,member1619,member1620,member1621,member1622,member1623,member1624,member1625,member1626,member1627,member1628,member1629,member1630,member1631,member1632,member1633,member1634,member1635,member1636,member1637,member1638,member1639,member1640,member1641,member1642,member1643,member1644,member1645,member1646,member1647,member1648,member1649,member1650,member1651,member1652,member1653,member1654,member1655,member1656,member1657,member1658,member1659,member1660,member1661,member1662,member1663,member1664,member1665,member1666,member1667,member1668,member1669,member1670,member1671,member1672,member1673,member1674,member1675,member1676,member1677,member1678,member1679,member1680,member1681,member1682,member1683,member1684,member1685,member1686,member1687,member1688,member1689,member1690,member1691,member1692,member1693,member1694,member1695,member1696,member1697,member1698,member1699,member1700,member1701,member1702,member1703,member1704,member1705,member1706,member1707,member1708,member1709,member1710,member1711,member1712,member1713,member1714,member1715,member1716,member1717,member1718,member1719,member1720,member1721,member1722,member1723,member1724,member1725,member1726,member1727,member1728,member1729,member1730,member1731,member1732,member1733,member1734,member1735,member1736,member1737,member1738,member1739,member1740,member1741,member1742,member1743,member1744,member1745,member1746,member1747,member1748,member1749,member1750,member1751,member1752,member1753,member1754,member1755,member1756,member1757,member1758,member1759,member1760,member1761,member1762,member1763,member1764,member1765,member1766,member1767,member1768,member1769,member1770,member1771,member1772,member1773,member1774,member1775,member1776,member1777,member1778,member1779,member1780,member1781,member1782,member1783,member1784,member1785,member1786,member1787,member1788,member1789,member1790,member1791,member1792,member1793,member1794,member1795,member1796,member1797,member1798,member1799,member1800,member1801,member1802,member1803,member1804,member1805,member1806,member1807,member1808,member1809,member1810,member1811,member1812,member1813,member1814,member1815,member1816,member1817,member1818,member1819,member1820,member1821,member1822,member1823,member1824,member1825,member1826,member1827,member1828,member1829,member1830,member1831,member1832,member1833,member1834,member1835,member1836,member1837,member1838,member1839,member1840,member1841,member1842,member1843,member1844,member1845,member1846,member1847,member1848,member1849,member1850,member1851,member1852,member1853,member1854,member1855,member1856,member1857,member1858,member1859,member1860,member1861,member1862,member1863,member1864,member1865,member1866,member1867,member1868,member1869,member1870,member1871,member1872,member1873,member1874,member1875,member1876,member1877,member1878,member1879,member1880,member1881,member1882,member1883,member1884,member1885,member1886,member1887,member1888,member1889,member1890,member1891,member1892,member1893,member1894,member1895,member1896,member1897,member1898,member1899,member1900,member1901,member1902,member1903,member1904,member1905,member1906,member1907,member1908,member1909,member1910,member1911,member1912,member1913,member1914,member1915,member1916,member1917,member1918,member1919,member1920,member1921,member1922,member1923,member1924,member1925,member1926,member1927,member1928,member1929,member1930,member1931,member1932,member1933,member1934,member1935,member1936,member1937,member1938,member1939,member1940,member1941,member1942,member1943,member1944,member1945,member1946,member1947,member1948,member1949,member1950,member1951,member1952,member1953,member1954,member1955,member1956,member1957,member1958,member1959,member1960,member1961,member1962,member1963,member1964,member1965,member1966,member1967,member1968,member1969,member1970,member1971,member1972,member1973,member1974,member1975,member1976,member1977,member1978,member1979,member1980,member1981,member1982,member1983,member1984,member1985,member1986,member1987,member1988,member1989,member1990,member1991,member1992,member1993,member1994,member1995,member1996,member1997,member1998,member1999,member2000, +diff --git a/daemons/ipa-slapi-plugins/ipa-extdom-extop/test_data/passwd b/daemons/ipa-slapi-plugins/ipa-extdom-extop/test_data/passwd +new file mode 100644 +index 0000000000000000000000000000000000000000..971e9bdb8a5d43d915ce0adc42ac29f2f95ade52 +--- /dev/null ++++ b/daemons/ipa-slapi-plugins/ipa-extdom-extop/test_data/passwd +@@ -0,0 +1,2 @@ ++user:x:12345:23456:gecos:/home/user:/bin/shell ++user_big:x:12346:23457::/home/user_big:/bin/shell +diff --git a/daemons/ipa-slapi-plugins/ipa-extdom-extop/test_data/test_setup.sh b/daemons/ipa-slapi-plugins/ipa-extdom-extop/test_data/test_setup.sh +new file mode 100644 +index 0000000000000000000000000000000000000000..ad839f340efe989a91cd6902f59c9a41483f68e0 +--- /dev/null ++++ b/daemons/ipa-slapi-plugins/ipa-extdom-extop/test_data/test_setup.sh +@@ -0,0 +1,3 @@ ++export LD_PRELOAD=$(pkg-config --libs nss_wrapper) ++export NSS_WRAPPER_PASSWD=./test_data/passwd ++export NSS_WRAPPER_GROUP=./test_data/group +-- +2.1.0 + diff --git a/SOURCES/0120-extdom-make-nss-buffer-configurable.patch b/SOURCES/0120-extdom-make-nss-buffer-configurable.patch new file mode 100644 index 0000000..6d68642 --- /dev/null +++ b/SOURCES/0120-extdom-make-nss-buffer-configurable.patch @@ -0,0 +1,254 @@ +From 637807410ae730436f9ca647092250ead70faa1c Mon Sep 17 00:00:00 2001 +From: Sumit Bose +Date: Mon, 2 Mar 2015 10:59:34 +0100 +Subject: [PATCH] extdom: make nss buffer configurable + +The get*_r_wrapper() calls expect a maximum buffer size to avoid memory +shortage if too many threads try to allocate buffers e.g. for large +groups. With this patch this size can be configured by setting +ipaExtdomMaxNssBufSize in the plugin config object +cn=ipa_extdom_extop,cn=plugins,cn=config. + +Related to https://fedorahosted.org/freeipa/ticket/4908 + +Reviewed-By: Alexander Bokovoy +--- + .../ipa-extdom-extop/ipa_extdom.h | 1 + + .../ipa-extdom-extop/ipa_extdom_common.c | 59 ++++++++++++++-------- + .../ipa-extdom-extop/ipa_extdom_extop.c | 10 ++++ + 3 files changed, 48 insertions(+), 22 deletions(-) + +diff --git a/daemons/ipa-slapi-plugins/ipa-extdom-extop/ipa_extdom.h b/daemons/ipa-slapi-plugins/ipa-extdom-extop/ipa_extdom.h +index 40bf933920fdd2ca19e5ef195aaa8fb820446cc5..d4c851169ddadc869a59c53075f9fc7f33321085 100644 +--- a/daemons/ipa-slapi-plugins/ipa-extdom-extop/ipa_extdom.h ++++ b/daemons/ipa-slapi-plugins/ipa-extdom-extop/ipa_extdom.h +@@ -150,6 +150,7 @@ struct extdom_res { + struct ipa_extdom_ctx { + Slapi_ComponentId *plugin_id; + char *base_dn; ++ size_t max_nss_buf_size; + }; + + struct domain_info { +diff --git a/daemons/ipa-slapi-plugins/ipa-extdom-extop/ipa_extdom_common.c b/daemons/ipa-slapi-plugins/ipa-extdom-extop/ipa_extdom_common.c +index cbe336963ffbafadd5a7b8029a65fafe506f75e8..47bcb179f04e08c64d92f55809b84f2d59622344 100644 +--- a/daemons/ipa-slapi-plugins/ipa-extdom-extop/ipa_extdom_common.c ++++ b/daemons/ipa-slapi-plugins/ipa-extdom-extop/ipa_extdom_common.c +@@ -49,9 +49,6 @@ + + #define MAX(a,b) (((a)>(b))?(a):(b)) + #define SSSD_DOMAIN_SEPARATOR '@' +-#define MAX_BUF (1024*1024*1024) +- +- + + int get_buffer(size_t *_buf_len, char **_buf) + { +@@ -464,7 +461,8 @@ static int pack_ber_sid(const char *sid, struct berval **berval) + + #define SSSD_SYSDB_SID_STR "objectSIDString" + +-static int pack_ber_user(enum response_types response_type, ++static int pack_ber_user(struct ipa_extdom_ctx *ctx, ++ enum response_types response_type, + const char *domain_name, const char *user_name, + uid_t uid, gid_t gid, + const char *gecos, const char *homedir, +@@ -529,7 +527,8 @@ static int pack_ber_user(enum response_types response_type, + } + + for (c = 0; c < ngroups; c++) { +- ret = getgrgid_r_wrapper(MAX_BUF, groups[c], &grp, &buf, &buf_len); ++ ret = getgrgid_r_wrapper(ctx->max_nss_buf_size, ++ groups[c], &grp, &buf, &buf_len); + if (ret != 0) { + if (ret == ENOMEM || ret == ERANGE) { + ret = LDAP_OPERATIONS_ERROR; +@@ -691,7 +690,8 @@ static int pack_ber_name(const char *domain_name, const char *name, + return LDAP_SUCCESS; + } + +-static int handle_uid_request(enum request_types request_type, uid_t uid, ++static int handle_uid_request(struct ipa_extdom_ctx *ctx, ++ enum request_types request_type, uid_t uid, + const char *domain_name, struct berval **berval) + { + int ret; +@@ -721,7 +721,8 @@ static int handle_uid_request(enum request_types request_type, uid_t uid, + + ret = pack_ber_sid(sid_str, berval); + } else { +- ret = getpwuid_r_wrapper(MAX_BUF, uid, &pwd, &buf, &buf_len); ++ ret = getpwuid_r_wrapper(ctx->max_nss_buf_size, uid, &pwd, &buf, ++ &buf_len); + if (ret != 0) { + if (ret == ENOMEM || ret == ERANGE) { + ret = LDAP_OPERATIONS_ERROR; +@@ -744,7 +745,8 @@ static int handle_uid_request(enum request_types request_type, uid_t uid, + } + } + +- ret = pack_ber_user((request_type == REQ_FULL ? RESP_USER ++ ret = pack_ber_user(ctx, ++ (request_type == REQ_FULL ? RESP_USER + : RESP_USER_GROUPLIST), + domain_name, pwd.pw_name, pwd.pw_uid, + pwd.pw_gid, pwd.pw_gecos, pwd.pw_dir, +@@ -758,7 +760,8 @@ done: + return ret; + } + +-static int handle_gid_request(enum request_types request_type, gid_t gid, ++static int handle_gid_request(struct ipa_extdom_ctx *ctx, ++ enum request_types request_type, gid_t gid, + const char *domain_name, struct berval **berval) + { + int ret; +@@ -787,7 +790,8 @@ static int handle_gid_request(enum request_types request_type, gid_t gid, + + ret = pack_ber_sid(sid_str, berval); + } else { +- ret = getgrgid_r_wrapper(MAX_BUF, gid, &grp, &buf, &buf_len); ++ ret = getgrgid_r_wrapper(ctx->max_nss_buf_size, gid, &grp, &buf, ++ &buf_len); + if (ret != 0) { + if (ret == ENOMEM || ret == ERANGE) { + ret = LDAP_OPERATIONS_ERROR; +@@ -823,7 +827,8 @@ done: + return ret; + } + +-static int handle_sid_request(enum request_types request_type, const char *sid, ++static int handle_sid_request(struct ipa_extdom_ctx *ctx, ++ enum request_types request_type, const char *sid, + struct berval **berval) + { + int ret; +@@ -874,7 +879,8 @@ static int handle_sid_request(enum request_types request_type, const char *sid, + switch(id_type) { + case SSS_ID_TYPE_UID: + case SSS_ID_TYPE_BOTH: +- ret = getpwnam_r_wrapper(MAX_BUF, fq_name, &pwd, &buf, &buf_len); ++ ret = getpwnam_r_wrapper(ctx->max_nss_buf_size, fq_name, &pwd, &buf, ++ &buf_len); + if (ret != 0) { + if (ret == ENOMEM || ret == ERANGE) { + ret = LDAP_OPERATIONS_ERROR; +@@ -897,14 +903,16 @@ static int handle_sid_request(enum request_types request_type, const char *sid, + } + } + +- ret = pack_ber_user((request_type == REQ_FULL ? RESP_USER ++ ret = pack_ber_user(ctx, ++ (request_type == REQ_FULL ? RESP_USER + : RESP_USER_GROUPLIST), + domain_name, pwd.pw_name, pwd.pw_uid, + pwd.pw_gid, pwd.pw_gecos, pwd.pw_dir, + pwd.pw_shell, kv_list, berval); + break; + case SSS_ID_TYPE_GID: +- ret = getgrnam_r_wrapper(MAX_BUF, fq_name, &grp, &buf, &buf_len); ++ ret = getgrnam_r_wrapper(ctx->max_nss_buf_size, fq_name, &grp, &buf, ++ &buf_len); + if (ret != 0) { + if (ret == ENOMEM || ret == ERANGE) { + ret = LDAP_OPERATIONS_ERROR; +@@ -947,7 +955,8 @@ done: + return ret; + } + +-static int handle_name_request(enum request_types request_type, ++static int handle_name_request(struct ipa_extdom_ctx *ctx, ++ enum request_types request_type, + const char *name, const char *domain_name, + struct berval **berval) + { +@@ -988,7 +997,8 @@ static int handle_name_request(enum request_types request_type, + goto done; + } + +- ret = getpwnam_r_wrapper(MAX_BUF, fq_name, &pwd, &buf, &buf_len); ++ ret = getpwnam_r_wrapper(ctx->max_nss_buf_size, fq_name, &pwd, &buf, ++ &buf_len); + if (ret == 0) { + if (request_type == REQ_FULL_WITH_GROUPS) { + ret = sss_nss_getorigbyname(pwd.pw_name, &kv_list, &id_type); +@@ -1002,7 +1012,8 @@ static int handle_name_request(enum request_types request_type, + goto done; + } + } +- ret = pack_ber_user((request_type == REQ_FULL ? RESP_USER ++ ret = pack_ber_user(ctx, ++ (request_type == REQ_FULL ? RESP_USER + : RESP_USER_GROUPLIST), + domain_name, pwd.pw_name, pwd.pw_uid, + pwd.pw_gid, pwd.pw_gecos, pwd.pw_dir, +@@ -1015,7 +1026,8 @@ static int handle_name_request(enum request_types request_type, + * error codes which can indicate that the user was not found. To + * be on the safe side we fail back to the group lookup on all + * errors. */ +- ret = getgrnam_r_wrapper(MAX_BUF, fq_name, &grp, &buf, &buf_len); ++ ret = getgrnam_r_wrapper(ctx->max_nss_buf_size, fq_name, &grp, &buf, ++ &buf_len); + if (ret != 0) { + if (ret == ENOMEM || ret == ERANGE) { + ret = LDAP_OPERATIONS_ERROR; +@@ -1061,20 +1073,23 @@ int handle_request(struct ipa_extdom_ctx *ctx, struct extdom_req *req, + + switch (req->input_type) { + case INP_POSIX_UID: +- ret = handle_uid_request(req->request_type, req->data.posix_uid.uid, ++ ret = handle_uid_request(ctx, req->request_type, ++ req->data.posix_uid.uid, + req->data.posix_uid.domain_name, berval); + + break; + case INP_POSIX_GID: +- ret = handle_gid_request(req->request_type, req->data.posix_gid.gid, ++ ret = handle_gid_request(ctx, req->request_type, ++ req->data.posix_gid.gid, + req->data.posix_uid.domain_name, berval); + + break; + case INP_SID: +- ret = handle_sid_request(req->request_type, req->data.sid, berval); ++ ret = handle_sid_request(ctx, req->request_type, req->data.sid, berval); + break; + case INP_NAME: +- ret = handle_name_request(req->request_type, req->data.name.object_name, ++ ret = handle_name_request(ctx, req->request_type, ++ req->data.name.object_name, + req->data.name.domain_name, berval); + + break; +diff --git a/daemons/ipa-slapi-plugins/ipa-extdom-extop/ipa_extdom_extop.c b/daemons/ipa-slapi-plugins/ipa-extdom-extop/ipa_extdom_extop.c +index aa66c145bc6cf2b77fdfe37be18da67588dc0439..e53f968db040a37fbd6a193f87b3671eeabda89d 100644 +--- a/daemons/ipa-slapi-plugins/ipa-extdom-extop/ipa_extdom_extop.c ++++ b/daemons/ipa-slapi-plugins/ipa-extdom-extop/ipa_extdom_extop.c +@@ -40,6 +40,8 @@ + #include "ipa_extdom.h" + #include "util.h" + ++#define DEFAULT_MAX_NSS_BUFFER (128*1024*1024) ++ + Slapi_PluginDesc ipa_extdom_plugin_desc = { + IPA_EXTDOM_FEATURE_DESC, + "FreeIPA project", +@@ -185,6 +187,14 @@ static int ipa_extdom_init_ctx(Slapi_PBlock *pb, struct ipa_extdom_ctx **_ctx) + goto done; + } + ++ ctx->max_nss_buf_size = slapi_entry_attr_get_uint(e, ++ "ipaExtdomMaxNssBufSize"); ++ if (ctx->max_nss_buf_size == 0) { ++ ctx->max_nss_buf_size = DEFAULT_MAX_NSS_BUFFER; ++ } ++ LOG("Maximal nss buffer size set to [%d]!\n", ctx->max_nss_buf_size); ++ ++ ret = 0; + + done: + if (ret) { +-- +2.1.0 + diff --git a/SOURCES/0121-extdom-return-LDAP_NO_SUCH_OBJECT-to-the-client.patch b/SOURCES/0121-extdom-return-LDAP_NO_SUCH_OBJECT-to-the-client.patch new file mode 100644 index 0000000..083a8c2 --- /dev/null +++ b/SOURCES/0121-extdom-return-LDAP_NO_SUCH_OBJECT-to-the-client.patch @@ -0,0 +1,32 @@ +From 0ce5d4e89e1a619bbae28105ece7033f8dbadce4 Mon Sep 17 00:00:00 2001 +From: Sumit Bose +Date: Wed, 4 Mar 2015 13:39:04 +0100 +Subject: [PATCH] extdom: return LDAP_NO_SUCH_OBJECT to the client + +Reviewed-By: Alexander Bokovoy +--- + daemons/ipa-slapi-plugins/ipa-extdom-extop/ipa_extdom_extop.c | 8 ++++++-- + 1 file changed, 6 insertions(+), 2 deletions(-) + +diff --git a/daemons/ipa-slapi-plugins/ipa-extdom-extop/ipa_extdom_extop.c b/daemons/ipa-slapi-plugins/ipa-extdom-extop/ipa_extdom_extop.c +index e53f968db040a37fbd6a193f87b3671eeabda89d..1ea0c1320accc66235d6f1a41055de434aeacab7 100644 +--- a/daemons/ipa-slapi-plugins/ipa-extdom-extop/ipa_extdom_extop.c ++++ b/daemons/ipa-slapi-plugins/ipa-extdom-extop/ipa_extdom_extop.c +@@ -123,8 +123,12 @@ static int ipa_extdom_extop(Slapi_PBlock *pb) + + ret = handle_request(ctx, req, &ret_val); + if (ret != LDAP_SUCCESS) { +- rc = LDAP_OPERATIONS_ERROR; +- err_msg = "Failed to handle the request.\n"; ++ if (ret == LDAP_NO_SUCH_OBJECT) { ++ rc = LDAP_NO_SUCH_OBJECT; ++ } else { ++ rc = LDAP_OPERATIONS_ERROR; ++ err_msg = "Failed to handle the request.\n"; ++ } + goto done; + } + +-- +2.1.0 + diff --git a/SOURCES/0122-extdom-fix-memory-leak.patch b/SOURCES/0122-extdom-fix-memory-leak.patch new file mode 100644 index 0000000..094b9fd --- /dev/null +++ b/SOURCES/0122-extdom-fix-memory-leak.patch @@ -0,0 +1,25 @@ +From a19a8e4174560ca6c7a23aa821c14713415b4c5d Mon Sep 17 00:00:00 2001 +From: Sumit Bose +Date: Wed, 4 Mar 2015 17:53:08 +0100 +Subject: [PATCH] extdom: fix memory leak + +Reviewed-By: Alexander Bokovoy +--- + daemons/ipa-slapi-plugins/ipa-extdom-extop/ipa_extdom_extop.c | 1 + + 1 file changed, 1 insertion(+) + +diff --git a/daemons/ipa-slapi-plugins/ipa-extdom-extop/ipa_extdom_extop.c b/daemons/ipa-slapi-plugins/ipa-extdom-extop/ipa_extdom_extop.c +index 1ea0c1320accc66235d6f1a41055de434aeacab7..dc7785877fc321ddaa5b6967d1c1b06cb454bbbf 100644 +--- a/daemons/ipa-slapi-plugins/ipa-extdom-extop/ipa_extdom_extop.c ++++ b/daemons/ipa-slapi-plugins/ipa-extdom-extop/ipa_extdom_extop.c +@@ -154,6 +154,7 @@ done: + LOG("%s", err_msg); + } + slapi_send_ldap_result(pb, rc, NULL, err_msg, 0, NULL); ++ ber_bvfree(ret_val); + return SLAPI_PLUGIN_EXTENDED_SENT_RESULT; + } + +-- +2.1.0 + diff --git a/SOURCES/0123-certstore-Make-certificate-retrieval-more-robust.patch b/SOURCES/0123-certstore-Make-certificate-retrieval-more-robust.patch new file mode 100644 index 0000000..f177c08 --- /dev/null +++ b/SOURCES/0123-certstore-Make-certificate-retrieval-more-robust.patch @@ -0,0 +1,128 @@ +From 2805b17bb7f204c25ed27bea1ee4fb999ae3d9d7 Mon Sep 17 00:00:00 2001 +From: Jan Cholasta +Date: Tue, 17 Mar 2015 09:28:47 +0000 +Subject: [PATCH] certstore: Make certificate retrieval more robust + +https://fedorahosted.org/freeipa/ticket/4565 + +Reviewed-By: David Kupka +--- + ipalib/certstore.py | 74 +++++++++++++++++++++++++++++++++++++---------------- + 1 file changed, 52 insertions(+), 22 deletions(-) + +diff --git a/ipalib/certstore.py b/ipalib/certstore.py +index 8a9b41015127fcb1b2b5e01da10f0defcee18265..3a5555c95251fdf3384c7dd21cb19d2125a469f5 100644 +--- a/ipalib/certstore.py ++++ b/ipalib/certstore.py +@@ -239,6 +239,31 @@ def put_ca_cert(ldap, base_dn, dercert, nickname, trusted=None, + pass + + ++def make_compat_ca_certs(certs, realm, ipa_ca_subject): ++ """ ++ Make CA certificates and associated key policy from DER certificates. ++ """ ++ result = [] ++ ++ for cert in certs: ++ subject, issuer_serial, public_key_info = _parse_cert(cert) ++ subject = DN(subject) ++ ++ if ipa_ca_subject is not None and subject == DN(ipa_ca_subject): ++ nickname = get_ca_nickname(realm) ++ ext_key_usage = {x509.EKU_SERVER_AUTH, ++ x509.EKU_CLIENT_AUTH, ++ x509.EKU_EMAIL_PROTECTION, ++ x509.EKU_CODE_SIGNING} ++ else: ++ nickname = str(subject) ++ ext_key_usage = {x509.EKU_SERVER_AUTH} ++ ++ result.append((cert, nickname, True, ext_key_usage)) ++ ++ return result ++ ++ + def get_ca_certs(ldap, base_dn, compat_realm, compat_ipa_ca, + filter_subject=None): + """ +@@ -250,6 +275,7 @@ def get_ca_certs(ldap, base_dn, compat_realm, compat_ipa_ca, + filter_subject = [str(subj).replace('\\;', '\\3b') + for subj in filter_subject] + ++ certs = [] + config_dn = DN(('cn', 'ipa'), ('cn', 'etc'), base_dn) + container_dn = DN(('cn', 'certificates'), config_dn) + try: +@@ -265,7 +291,6 @@ def get_ca_certs(ldap, base_dn, compat_realm, compat_ipa_ca, + 'ipaPublicKey', 'ipaKeyTrust', 'ipaKeyExtUsage', + 'cACertificate;binary']) + +- certs = [] + for entry in result: + nickname = entry.single_value['cn'] + trusted = entry.single_value.get('ipaKeyTrust', 'unknown').lower() +@@ -281,34 +306,39 @@ def get_ca_certs(ldap, base_dn, compat_realm, compat_ipa_ca, + ext_key_usage.discard(x509.EKU_PLACEHOLDER) + + for cert in entry.get('cACertificate;binary', []): ++ try: ++ _parse_cert(cert) ++ except ValueError: ++ certs = [] ++ break + certs.append((cert, nickname, trusted, ext_key_usage)) +- +- return certs + except errors.NotFound: + try: + ldap.get_entry(container_dn, ['']) + except errors.NotFound: +- pass +- else: +- return [] +- +- # Fallback to cn=CAcert,cn=ipa,cn=etc,SUFFIX +- dn = DN(('cn', 'CAcert'), config_dn) +- entry = ldap.get_entry(dn, ['cACertificate;binary']) +- +- cert = entry.single_value['cACertificate;binary'] +- subject, issuer_serial, public_key_info = _parse_cert(cert) +- if filter_subject is not None and subject not in filter_subject: +- return [] ++ # Fallback to cn=CAcert,cn=ipa,cn=etc,SUFFIX ++ dn = DN(('cn', 'CAcert'), config_dn) ++ entry = ldap.get_entry(dn, ['cACertificate;binary']) ++ ++ cert = entry.single_value['cACertificate;binary'] ++ try: ++ subject, issuer_serial, public_key_info = _parse_cert(cert) ++ except ValueError: ++ pass ++ else: ++ if filter_subject is not None and subject not in filter_subject: ++ raise errors.NotFound(reason="no matching entry found") + +- nickname = get_ca_nickname(compat_realm) +- ext_key_usage = {x509.EKU_SERVER_AUTH} +- if compat_ipa_ca: +- ext_key_usage |= {x509.EKU_CLIENT_AUTH, +- x509.EKU_EMAIL_PROTECTION, +- x509.EKU_CODE_SIGNING} ++ if compat_ipa_ca: ++ ca_subject = subject ++ else: ++ ca_subject = None ++ certs = make_compat_ca_certs([cert], compat_realm, ca_subject) + +- return [(cert, nickname, True, ext_key_usage)] ++ if certs: ++ return certs ++ else: ++ raise errors.NotFound(reason="no such entry") + + + def trust_flags_to_key_policy(trust_flags): +-- +2.1.0 + diff --git a/SOURCES/0124-client-install-Do-not-crash-on-invalid-CA-certificat.patch b/SOURCES/0124-client-install-Do-not-crash-on-invalid-CA-certificat.patch new file mode 100644 index 0000000..c3f097b --- /dev/null +++ b/SOURCES/0124-client-install-Do-not-crash-on-invalid-CA-certificat.patch @@ -0,0 +1,60 @@ +From 175dbfb667a9989593eaef2f35586d2afbfdc66c Mon Sep 17 00:00:00 2001 +From: Jan Cholasta +Date: Tue, 17 Mar 2015 09:29:21 +0000 +Subject: [PATCH] client-install: Do not crash on invalid CA certificate in + LDAP + +When CA certificates in LDAP are corrupted, use the otherwise acquired CA +certificates from before. + +https://fedorahosted.org/freeipa/ticket/4565 + +Reviewed-By: David Kupka +--- + ipa-client/ipa-install/ipa-client-install | 17 +++++++++++++---- + 1 file changed, 13 insertions(+), 4 deletions(-) + +diff --git a/ipa-client/ipa-install/ipa-client-install b/ipa-client/ipa-install/ipa-client-install +index 75a1711a7e1fdc9359ad02d55ad94d65af51ea93..c60124472005670834496569f550f0ffd986aa27 100755 +--- a/ipa-client/ipa-install/ipa-client-install ++++ b/ipa-client/ipa-install/ipa-client-install +@@ -2585,14 +2585,15 @@ def install(options, env, fstore, statestore): + except ValueError: + pass + ++ ca_certs = x509.load_certificate_list_from_file(CACERT) ++ ca_certs = [cert.der_data for cert in ca_certs] ++ + with certdb.NSSDatabase() as tmp_db: + # Add CA certs to a temporary NSS database + try: + pwd_file = ipautil.write_tmp_file(ipautil.ipa_generate_password()) + tmp_db.create_db(pwd_file.name) + +- ca_certs = x509.load_certificate_list_from_file(CACERT) +- ca_certs = [cert.der_data for cert in ca_certs] + for i, cert in enumerate(ca_certs): + tmp_db.add_cert(cert, 'CA certificate %d' % (i + 1), 'C,,') + except CalledProcessError, e: +@@ -2665,8 +2666,16 @@ def install(options, env, fstore, statestore): + return CLIENT_INSTALL_ERROR + + # Get CA certificates from the certificate store +- ca_certs = get_certs_from_ldap(cli_server[0], cli_basedn, cli_realm, +- ca_enabled) ++ try: ++ ca_certs = get_certs_from_ldap(cli_server[0], cli_basedn, cli_realm, ++ ca_enabled) ++ except errors.NoCertificateError: ++ if ca_enabled: ++ ca_subject = DN(('CN', 'Certificate Authority'), subject_base) ++ else: ++ ca_subject = None ++ ca_certs = certstore.make_compat_ca_certs(ca_certs, cli_realm, ++ ca_subject) + ca_certs_trust = [(c, n, certstore.key_policy_to_trust_flags(t, True, u)) + for (c, n, t, u) in ca_certs] + +-- +2.1.0 + diff --git a/SOURCES/0125-client-Fix-ca_is_enabled-calls.patch b/SOURCES/0125-client-Fix-ca_is_enabled-calls.patch new file mode 100644 index 0000000..f5f8d22 --- /dev/null +++ b/SOURCES/0125-client-Fix-ca_is_enabled-calls.patch @@ -0,0 +1,53 @@ +From 424b8c73fa0c92ea8befe6e918c0bcaee384ed6b Mon Sep 17 00:00:00 2001 +From: Jan Cholasta +Date: Tue, 17 Mar 2015 09:35:49 +0000 +Subject: [PATCH] client: Fix ca_is_enabled calls + +The command was added in API version 2.107. Old IPA servers may crash with +NetworkError on ca_is_enabled, handle this case gracefully. + +https://fedorahosted.org/freeipa/ticket/4565 + +Reviewed-By: David Kupka +--- + ipa-client/ipa-install/ipa-client-install | 4 ++-- + ipa-client/ipaclient/ipa_certupdate.py | 4 ++-- + 2 files changed, 4 insertions(+), 4 deletions(-) + +diff --git a/ipa-client/ipa-install/ipa-client-install b/ipa-client/ipa-install/ipa-client-install +index c60124472005670834496569f550f0ffd986aa27..b7b3d05b6b6d1c9635084e0c01aa7443bb559db2 100755 +--- a/ipa-client/ipa-install/ipa-client-install ++++ b/ipa-client/ipa-install/ipa-client-install +@@ -2645,10 +2645,10 @@ def install(options, env, fstore, statestore): + try: + result = api.Backend.rpcclient.forward( + 'ca_is_enabled', +- version=u'2.0', ++ version=u'2.107', + ) + ca_enabled = result['result'] +- except errors.CommandError: ++ except (errors.CommandError, errors.NetworkError): + result = api.Backend.rpcclient.forward( + 'env', + server=True, +diff --git a/ipa-client/ipaclient/ipa_certupdate.py b/ipa-client/ipaclient/ipa_certupdate.py +index 031a34c3a54a02d43978eedcb794678a1550702b..5ec5026f5ff7bf93227ce0a551fbf5cf60b9175d 100644 +--- a/ipa-client/ipaclient/ipa_certupdate.py ++++ b/ipa-client/ipaclient/ipa_certupdate.py +@@ -63,10 +63,10 @@ class CertUpdate(admintool.AdminTool): + try: + result = api.Backend.rpcclient.forward( + 'ca_is_enabled', +- version=u'2.0', ++ version=u'2.107', + ) + ca_enabled = result['result'] +- except errors.CommandError: ++ except (errors.CommandError, errors.NetworkError): + result = api.Backend.rpcclient.forward( + 'env', + server=True, +-- +2.1.0 + diff --git a/SOURCES/0126-upload_cacrt-Fix-empty-cACertificate-in-cn-CAcert.patch b/SOURCES/0126-upload_cacrt-Fix-empty-cACertificate-in-cn-CAcert.patch new file mode 100644 index 0000000..6435cfd --- /dev/null +++ b/SOURCES/0126-upload_cacrt-Fix-empty-cACertificate-in-cn-CAcert.patch @@ -0,0 +1,106 @@ +From e6bdbe215ae3fba629eea69e4413c44fea7cd02b Mon Sep 17 00:00:00 2001 +From: Jan Cholasta +Date: Tue, 17 Mar 2015 08:23:40 +0000 +Subject: [PATCH] upload_cacrt: Fix empty cACertificate in cn=CAcert + +https://fedorahosted.org/freeipa/ticket/4565 + +Reviewed-By: David Kupka +--- + ipaserver/install/plugins/upload_cacrt.py | 54 +++++++++++++++++-------------- + 1 file changed, 30 insertions(+), 24 deletions(-) + +diff --git a/ipaserver/install/plugins/upload_cacrt.py b/ipaserver/install/plugins/upload_cacrt.py +index 66270ae7613e935fc8df4bc90aa5001296e1c06d..4d5ce52d4073660fc0c1c1ba09e993b250e11fcb 100644 +--- a/ipaserver/install/plugins/upload_cacrt.py ++++ b/ipaserver/install/plugins/upload_cacrt.py +@@ -20,7 +20,7 @@ + from ipaserver.install.plugins import MIDDLE + from ipaserver.install.plugins.baseupdate import PostUpdate + from ipaserver.install import certs +-from ipalib import api, certstore ++from ipalib import api, errors, certstore + from ipapython import certdb + from ipapython.dn import DN + +@@ -45,7 +45,7 @@ class update_upload_cacrt(PostUpdate): + if ca_chain: + ca_nickname = ca_chain[-1] + +- updates = {} ++ ldap = self.obj.backend + + for nickname, trust_flags in db.list_certs(): + if 'u' in trust_flags: +@@ -53,40 +53,46 @@ class update_upload_cacrt(PostUpdate): + if nickname == ca_nickname and ca_enabled: + trust_flags = 'CT,C,C' + cert = db.get_cert_from_db(nickname, pem=False) ++ trust, ca, eku = certstore.trust_flags_to_key_policy(trust_flags) ++ ++ dn = DN(('cn', nickname), ('cn', 'certificates'), ('cn', 'ipa'), ++ ('cn','etc'), self.api.env.basedn) ++ entry = ldap.make_entry(dn) ++ + try: +- dn, entry = self._make_entry(cert, nickname, trust_flags) ++ certstore.init_ca_entry(entry, cert, nickname, trust, eku) + except Exception, e: + self.log.warning("Failed to create entry for %s: %s", + nickname, e) + continue + if nickname == ca_nickname: + ca_cert = cert ++ config = entry.setdefault('ipaConfigString', []) + if ca_enabled: +- entry.append('ipaConfigString:ipaCA') +- entry.append('ipaConfigString:compatCA') +- updates[dn] = {'dn': dn, 'default': entry} ++ config.append('ipaCa') ++ config.append('ipaCa') ++ ++ try: ++ ldap.add_entry(entry) ++ except errors.DuplicateEntry: ++ pass + + if ca_cert: + dn = DN(('cn', 'CACert'), ('cn', 'ipa'), ('cn','etc'), + self.api.env.basedn) +- entry = ['objectclass:nsContainer', +- 'objectclass:pkiCA', +- 'cn:CAcert', +- 'cACertificate;binary:%s' % ca_cert, +- ] +- updates[dn] = {'dn': dn, 'default': entry} +- +- return (False, True, [updates]) +- +- def _make_entry(self, cert, nickname, trust_flags): +- dn = DN(('cn', nickname), ('cn', 'certificates'), ('cn', 'ipa'), +- ('cn','etc'), self.api.env.basedn) +- +- entry = dict() +- trust, ca, eku = certstore.trust_flags_to_key_policy(trust_flags) +- certstore.init_ca_entry(entry, cert, nickname, trust, eku) +- entry = ['%s:%s' % (a, v) for a, vs in entry.iteritems() for v in vs] ++ try: ++ entry = ldap.get_entry(dn) ++ except errors.NotFound: ++ entry = ldap.make_entry(dn) ++ entry['objectclass'] = ['nsContainer', 'pkiCA'] ++ entry.single_value['cn'] = 'CAcert' ++ entry.single_value['cACertificate;binary'] = ca_cert ++ ldap.add_entry(entry) ++ else: ++ if '' in entry['cACertificate;binary']: ++ entry.single_value['cACertificate;binary'] = ca_cert ++ ldap.update_entry(entry) + +- return dn, entry ++ return (False, False, []) + + api.register(update_upload_cacrt) +-- +2.1.0 + diff --git a/SOURCES/1009-Do-not-allow-installation-in-FIPS-mode.patch b/SOURCES/1009-Do-not-allow-installation-in-FIPS-mode.patch index 29eb9cc..31e69f8 100644 --- a/SOURCES/1009-Do-not-allow-installation-in-FIPS-mode.patch +++ b/SOURCES/1009-Do-not-allow-installation-in-FIPS-mode.patch @@ -1,4 +1,4 @@ -From ec381c10fc6080b1e2594cbee857725c886566d4 Mon Sep 17 00:00:00 2001 +From d99f08c6b205edbbf5df68a088296b5fe029b049 Mon Sep 17 00:00:00 2001 From: Jan Cholasta Date: Tue, 21 Oct 2014 14:56:28 +0200 Subject: [PATCH] Do not allow installation in FIPS mode @@ -61,10 +61,10 @@ index b1b0b6e26fa97cdc953c86eee22e160782b57379..56d24b0dab1770d23348f4c60db62bab try: check_IPA_configuration() diff --git a/ipa-client/ipa-install/ipa-client-install b/ipa-client/ipa-install/ipa-client-install -index 75a1711a7e1fdc9359ad02d55ad94d65af51ea93..53d969ee0b607a4392a008daebaf3befc0785084 100755 +index b7b3d05b6b6d1c9635084e0c01aa7443bb559db2..82ac1d4db8bf969ba72113bc2802879fea5dcb01 100755 --- a/ipa-client/ipa-install/ipa-client-install +++ b/ipa-client/ipa-install/ipa-client-install -@@ -2865,6 +2865,10 @@ def main(): +@@ -2874,6 +2874,10 @@ def main(): if not os.getegid() == 0: sys.exit("\nYou must be root to run ipa-client-install.\n") diff --git a/SOURCES/1010-Disable-DNSSEC-support.patch b/SOURCES/1010-Disable-DNSSEC-support.patch index e550f55..ef456e1 100644 --- a/SOURCES/1010-Disable-DNSSEC-support.patch +++ b/SOURCES/1010-Disable-DNSSEC-support.patch @@ -1,4 +1,4 @@ -From 80cae5f5ea38528caab01efae9100659e2ebb86e Mon Sep 17 00:00:00 2001 +From a19cb9b5477901efc08c00c122f08e3d5ed126ff Mon Sep 17 00:00:00 2001 From: Jan Cholasta Date: Tue, 21 Oct 2014 14:25:50 +0200 Subject: [PATCH] Disable DNSSEC support @@ -373,10 +373,10 @@ index cd50edeecb055c71831fad806afde43c2779cdf8..cf85f58c26510fcd105b54126152a504 if any(named_conf_changes): diff --git a/ipalib/plugins/dns.py b/ipalib/plugins/dns.py -index 34afc189866993481229bb68a5edd77e0a4eaff3..d01dde31ad37f7d7aa4044de77704f4d560f0d30 100644 +index ea4c212b42631e8513a13d2a7f5a859b2176376b..60129f8b873fad1d3552ca749068f36db41108e9 100644 --- a/ipalib/plugins/dns.py +++ b/ipalib/plugins/dns.py -@@ -2362,7 +2362,9 @@ class dnszone(DNSZoneBase): +@@ -2389,7 +2389,9 @@ class dnszone(DNSZoneBase): if options['idnssecinlinesigning'] is True: messages.add_message(options['version'], result, messages.DNSSECWarning( diff --git a/SOURCES/1013-extdom-fix-wrong-realloc-size.patch b/SOURCES/1013-extdom-fix-wrong-realloc-size.patch new file mode 100644 index 0000000..ed6a5cb --- /dev/null +++ b/SOURCES/1013-extdom-fix-wrong-realloc-size.patch @@ -0,0 +1,25 @@ +From 0e76322666c91affc47387d88260a8774a634eaa Mon Sep 17 00:00:00 2001 +From: Sumit Bose +Date: Wed, 25 Feb 2015 10:28:22 +0100 +Subject: [PATCH] extdom: fix wrong realloc size + +--- + daemons/ipa-slapi-plugins/ipa-extdom-extop/ipa_extdom_common.c | 2 +- + 1 file changed, 1 insertion(+), 1 deletion(-) + +diff --git a/daemons/ipa-slapi-plugins/ipa-extdom-extop/ipa_extdom_common.c b/daemons/ipa-slapi-plugins/ipa-extdom-extop/ipa_extdom_common.c +index 47bcb179f04e08c64d92f55809b84f2d59622344..686128e9bb6994cf442c1cc9ff725657584e17be 100644 +--- a/daemons/ipa-slapi-plugins/ipa-extdom-extop/ipa_extdom_common.c ++++ b/daemons/ipa-slapi-plugins/ipa-extdom-extop/ipa_extdom_common.c +@@ -386,7 +386,7 @@ static int get_user_grouplist(const char *name, gid_t gid, + + ret = getgrouplist(name, gid, groups, &ngroups); + if (ret == -1) { +- new_groups = realloc(groups, ngroups); ++ new_groups = realloc(groups, ngroups * sizeof(gid_t)); + if (new_groups == NULL) { + free(groups); + return LDAP_OPERATIONS_ERROR; +-- +2.1.0 + diff --git a/SOURCES/1013-ipa-kdb-reject-principals-from-disabled-domains-as-a.patch b/SOURCES/1013-ipa-kdb-reject-principals-from-disabled-domains-as-a.patch deleted file mode 100644 index 7eba1a2..0000000 --- a/SOURCES/1013-ipa-kdb-reject-principals-from-disabled-domains-as-a.patch +++ /dev/null @@ -1,27 +0,0 @@ -From 50b420b5f8ec1c4a6696b387ee5f3378dd0257bc Mon Sep 17 00:00:00 2001 -From: Alexander Bokovoy -Date: Wed, 10 Dec 2014 14:59:38 +0200 -Subject: [PATCH] ipa-kdb: reject principals from disabled domains as a KDC - policy - -Fixes https://fedorahosted.org/freeipa/ticket/4788 ---- - daemons/ipa-kdb/ipa_kdb_mspac.c | 2 +- - 1 file changed, 1 insertion(+), 1 deletion(-) - -diff --git a/daemons/ipa-kdb/ipa_kdb_mspac.c b/daemons/ipa-kdb/ipa_kdb_mspac.c -index a4500070760e83994c8155a12ee6414b5ebee9e0..e3215db4ea11632dce8f039fc6b89c4a09acd87a 100644 ---- a/daemons/ipa-kdb/ipa_kdb_mspac.c -+++ b/daemons/ipa-kdb/ipa_kdb_mspac.c -@@ -1375,7 +1375,7 @@ static krb5_error_code filter_logon_info(krb5_context context, - &domain->parent->sid_blacklist_incoming[k], true); - if (result) { - filter_logon_info_log_message(info->info->info3.base.domain_sid); -- return EINVAL; -+ return KRB5KDC_ERR_POLICY; - } - } - } --- -2.1.0 - diff --git a/SOURCES/1014-fix-Makefile.am-for-daemons.patch b/SOURCES/1014-fix-Makefile.am-for-daemons.patch new file mode 100644 index 0000000..3e46dd8 --- /dev/null +++ b/SOURCES/1014-fix-Makefile.am-for-daemons.patch @@ -0,0 +1,63 @@ +From d249ac3c15aefd23b6c47f16cc2843bd136f4fd5 Mon Sep 17 00:00:00 2001 +From: Alexander Bokovoy +Date: Wed, 18 Mar 2015 17:09:06 +0000 +Subject: [PATCH] fix Makefile.am for daemons + +--- + daemons/Makefile.am | 2 +- + daemons/ipa-slapi-plugins/ipa-cldap/Makefile.am | 1 - + daemons/ipa-slapi-plugins/ipa-extdom-extop/Makefile.am | 1 - + daemons/ipa-slapi-plugins/ipa-pwd-extop/Makefile.am | 1 - + 4 files changed, 1 insertion(+), 4 deletions(-) + +diff --git a/daemons/Makefile.am b/daemons/Makefile.am +index 956f399b1ed6d399ee52a620dcda5f67d252c848..f919429dcbd29fed3071e8f385d2573354717519 100644 +--- a/daemons/Makefile.am ++++ b/daemons/Makefile.am +@@ -1,6 +1,6 @@ + # This file will be processed with automake-1.7 to create Makefile.in + # +-AUTOMAKE_OPTIONS = 1.7 ++AUTOMAKE_OPTIONS = 1.7 subdir-objects + + NULL = + +diff --git a/daemons/ipa-slapi-plugins/ipa-cldap/Makefile.am b/daemons/ipa-slapi-plugins/ipa-cldap/Makefile.am +index 8e35cdbd4499582dd0e14562f05e4eda5bb3ec5b..fba5b08bfc15450ab4864812049699d2cfcbaf05 100644 +--- a/daemons/ipa-slapi-plugins/ipa-cldap/Makefile.am ++++ b/daemons/ipa-slapi-plugins/ipa-cldap/Makefile.am +@@ -6,7 +6,6 @@ AM_CPPFLAGS = \ + -I. \ + -I$(srcdir) \ + -I$(PLUGIN_COMMON_DIR) \ +- -I$(COMMON_BER_DIR) \ + -DPREFIX=\""$(prefix)"\" \ + -DBINDIR=\""$(bindir)"\" \ + -DLIBDIR=\""$(libdir)"\" \ +diff --git a/daemons/ipa-slapi-plugins/ipa-extdom-extop/Makefile.am b/daemons/ipa-slapi-plugins/ipa-extdom-extop/Makefile.am +index a1679812ef3c5de8c6e18433cbb991a99ad0b6c8..8ee26a7fe8ef988dbbf2ac357e6702b73e887754 100644 +--- a/daemons/ipa-slapi-plugins/ipa-extdom-extop/Makefile.am ++++ b/daemons/ipa-slapi-plugins/ipa-extdom-extop/Makefile.am +@@ -7,7 +7,6 @@ AM_CPPFLAGS = \ + -I$(srcdir) \ + -I$(PLUGIN_COMMON_DIR) \ + -I$(KRB5_UTIL_DIR) \ +- -I$(COMMON_BER_DIR) \ + -DPREFIX=\""$(prefix)"\" \ + -DBINDIR=\""$(bindir)"\" \ + -DLIBDIR=\""$(libdir)"\" \ +diff --git a/daemons/ipa-slapi-plugins/ipa-pwd-extop/Makefile.am b/daemons/ipa-slapi-plugins/ipa-pwd-extop/Makefile.am +index 1ab6c6704e401810772a5ababc7cc5eec19d2c83..078ff9c8476b8547db58d2cf5c5d941846a3143c 100644 +--- a/daemons/ipa-slapi-plugins/ipa-pwd-extop/Makefile.am ++++ b/daemons/ipa-slapi-plugins/ipa-pwd-extop/Makefile.am +@@ -14,7 +14,6 @@ AM_CPPFLAGS = \ + -I$(PLUGIN_COMMON_DIR) \ + -I$(KRB5_UTIL_DIR) \ + -I$(ASN1_UTIL_DIR) \ +- -I$(COMMON_BER_DIR) \ + -DPREFIX=\""$(prefix)"\" \ + -DBINDIR=\""$(bindir)"\" \ + -DLIBDIR=\""$(libdir)"\" \ +-- +2.1.0 + diff --git a/SOURCES/ipa-centos-branding.patch b/SOURCES/ipa-centos-branding.patch deleted file mode 100644 index 673cd2f..0000000 --- a/SOURCES/ipa-centos-branding.patch +++ /dev/null @@ -1,38 +0,0 @@ -From 99efecaf87dc1fc9517efaff441a6a7ce46444eb Mon Sep 17 00:00:00 2001 -From: Jim Perrin -Date: Wed, 11 Mar 2015 10:37:03 -0500 -Subject: [PATCH] update for new ntp server method - ---- - ipaplatform/base/paths.py | 1 + - ipaserver/install/ntpinstance.py | 2 ++ - 2 files changed, 3 insertions(+) - -diff --git a/ipaplatform/base/paths.py b/ipaplatform/base/paths.py -index af50262..5090062 100644 ---- a/ipaplatform/base/paths.py -+++ b/ipaplatform/base/paths.py -@@ -99,6 +99,7 @@ class BasePathNamespace(object): - PKI_TOMCAT_ALIAS_DIR = "/etc/pki/pki-tomcat/alias/" - PKI_TOMCAT_PASSWORD_CONF = "/etc/pki/pki-tomcat/password.conf" - ETC_REDHAT_RELEASE = "/etc/redhat-release" -+ ETC_CENTOS_RELEASE = "/etc/centos-release" - RESOLV_CONF = "/etc/resolv.conf" - SAMBA_KEYTAB = "/etc/samba/samba.keytab" - SMB_CONF = "/etc/samba/smb.conf" -diff --git a/ipaserver/install/ntpinstance.py b/ipaserver/install/ntpinstance.py -index c653525..4b0578b 100644 ---- a/ipaserver/install/ntpinstance.py -+++ b/ipaserver/install/ntpinstance.py -@@ -44,6 +44,8 @@ class NTPInstance(service.Service): - os = "" - if ipautil.file_exists(paths.ETC_FEDORA_RELEASE): - os = "fedora" -+ elif ipautil.file_exists(paths.ETC_CENTOS_RELEASE): -+ os = "centos" - elif ipautil.file_exists(paths.ETC_REDHAT_RELEASE): - os = "rhel" - --- -1.8.3.1 - diff --git a/SPECS/ipa.spec b/SPECS/ipa.spec index c9441a1..899d783 100644 --- a/SPECS/ipa.spec +++ b/SPECS/ipa.spec @@ -32,7 +32,7 @@ Name: ipa Version: 4.1.0 -Release: 18%{?dist} +Release: 18%{?dist}.3 Summary: The Identity, Policy and Audit system Group: System Environment/Base @@ -40,10 +40,10 @@ License: GPLv3+ URL: http://www.freeipa.org/ Source0: http://www.freeipa.org/downloads/src/freeipa-%{VERSION}.tar.gz # RHEL spec file only: START: Change branding to IPA and Identity-Management -#Source1: header-logo.png -#Source2: login-screen-background.jpg -#Source3: login-screen-logo.png -#Source4: product-name.png +Source1: header-logo.png +Source2: login-screen-background.jpg +Source3: login-screen-logo.png +Source4: product-name.png # RHEL spec file only: END: Change branding to IPA and Identity-Management BuildRoot: %{_tmppath}/%{name}-%{version}-%{release}-root-%(%{__id_u} -n) @@ -160,6 +160,20 @@ Patch0109: 0109-Do-not-crash-when-replica-is-unreachable-in-ipa-rest.patch Patch0110: 0110-idviews-Allow-setting-ssh-public-key-on-ipauseroverr.patch Patch0111: 0111-Fix-ipa-pwd-extop-global-configuration-caching.patch Patch0112: 0112-group-detach-does-not-add-correct-objectclasses.patch +Patch0113: 0113-Always-return-absolute-idnsname-in-dnszone-commands.patch +Patch0114: 0114-ipa-kdb-reject-principals-from-disabled-domains-as-a.patch +Patch0115: 0115-ipalib-Make-sure-correct-attribute-name-is-reference.patch +Patch0116: 0116-Restore-default.conf-and-use-it-to-build-API.patch +Patch0117: 0117-Limit-deadlocks-between-DS-plugin-DNA-and-slapi-nis.patch +Patch0118: 0118-Add-configure-check-for-cwrap-libraries.patch +Patch0119: 0119-extdom-handle-ERANGE-return-code-for-getXXYYY_r-call.patch +Patch0120: 0120-extdom-make-nss-buffer-configurable.patch +Patch0121: 0121-extdom-return-LDAP_NO_SUCH_OBJECT-to-the-client.patch +Patch0122: 0122-extdom-fix-memory-leak.patch +Patch0123: 0123-certstore-Make-certificate-retrieval-more-robust.patch +Patch0124: 0124-client-install-Do-not-crash-on-invalid-CA-certificat.patch +Patch0125: 0125-client-Fix-ca_is_enabled-calls.patch +Patch0126: 0126-upload_cacrt-Fix-empty-cACertificate-in-cn-CAcert.patch Patch1001: 1001-Hide-pkinit-functionality-from-production-version.patch Patch1002: 1002-Remove-pkinit-plugin.patch @@ -173,8 +187,8 @@ Patch1009: 1009-Do-not-allow-installation-in-FIPS-mode.patch Patch1010: 1010-Disable-DNSSEC-support.patch Patch1011: 1011-Disable-TLS-1.2-in-nss.conf-until-mod_nss-supports-i.patch Patch1012: 1012-Expand-the-token-auth-sync-windows.patch -Patch1013: 1013-ipa-kdb-reject-principals-from-disabled-domains-as-a.patch -Patch1014: ipa-centos-branding.patch +Patch1013: 1013-extdom-fix-wrong-realloc-size.patch +Patch1014: 1014-fix-Makefile.am-for-daemons.patch # RHEL spec file only: END %if ! %{ONLY_CLIENT} @@ -277,6 +291,9 @@ Requires: selinux-policy >= %{selinux_policy_version} Requires(post): selinux-policy-base Requires: slapi-nis >= 0.54-2 Requires: pki-ca >= 10.1.2-5 +%if 0%{?rhel} +Requires: subscription-manager +%endif Requires(preun): python systemd-units Requires(postun): python systemd-units Requires: python-dns >= 1.11.1-2 @@ -289,7 +306,7 @@ Requires: fontawesome-fonts Requires: open-sans-fonts # RHEL spec file only: DELETED: Disable DNSSEC support # RHEL spec file only: START -# Requires: redhat-access-plugin-ipa +Requires: redhat-access-plugin-ipa # RHEL spec file only: END Conflicts: %{alt_name}-server @@ -463,10 +480,10 @@ for p in %patches ; do done # Red Hat's Identity Management branding -#cp %SOURCE1 install/ui/images/header-logo.png -#cp %SOURCE2 install/ui/images/login-screen-background.jpg -#cp %SOURCE3 install/ui/images/login-screen-logo.png -#cp %SOURCE4 install/ui/images/product-name.png +cp %SOURCE1 install/ui/images/header-logo.png +cp %SOURCE2 install/ui/images/login-screen-background.jpg +cp %SOURCE3 install/ui/images/login-screen-logo.png +cp %SOURCE4 install/ui/images/product-name.png # RHEL spec file only: END %build @@ -492,6 +509,9 @@ rm -f ipaserver/install/opendnssecinstance.py make version-update cd ipa-client; ../autogen.sh --prefix=%{_usr} --sysconfdir=%{_sysconfdir} --localstatedir=%{_localstatedir} --libdir=%{_libdir} --mandir=%{_mandir}; cd .. %if ! %{ONLY_CLIENT} +# RHEL SPEC file only: START: Force re-generation of the makefiles +find daemons -name Makefile.in |egrep -v '(libotp|lockout|otp-counter|lasttoken)'|xargs rm -f +# RHEL SPEC file only: END: Force re-generation of the makefiles cd daemons; ../autogen.sh --prefix=%{_usr} --sysconfdir=%{_sysconfdir} --localstatedir=%{_localstatedir} --libdir=%{_libdir} --mandir=%{_mandir} --with-openldap; cd .. cd install; ../autogen.sh --prefix=%{_usr} --sysconfdir=%{_sysconfdir} --localstatedir=%{_localstatedir} --libdir=%{_libdir} --mandir=%{_mandir}; cd .. %endif # ONLY_CLIENT @@ -1013,11 +1033,25 @@ fi # RHEL spec file only: DELETED: Do not build tests %changelog -* Thu Mar 05 2015 CentOS Sources - 4.1.0-18.el7.centos -- Roll in CentOS Branding -- Remove supscription-manager requires - -* Thu Jan 29 2015 Martin Kosek 4.1.0-18 +* Thu Mar 19 2015 Jan Cholasta - 4.1.0-18.3 +- [ipa-python] ipalib.errors.LDAPError: failed to decode certificate: + (SEC_ERROR_INVALID_ARGS) security library: invalid arguments. (#1194312) + +* Wed Mar 18 2015 Alexander Bokovoy - 4.1.0-18.2 +- IPA extdom plugin fails when encountering large groups (#1193759) +- CVE-2015-0283 ipa: slapi-nis: infinite loop in getgrnam_r() and getgrgid_r() + (#1202997) + +* Thu Mar 5 2015 Jan Cholasta - 4.1.0-18.1 +- "an internal error has occurred" during ipa host-del --updatedns (#1198431) +- Renamed patch 1013 to 0114, as it was merged upstream +- Fax number not displayed for user-show when kinit'ed as normal user. + (#1198430) +- Replication agreement with replica not disabled when ipa-restore done without + IPA installed (#1199060) +- Limit deadlocks between DS plugin DNA and slapi-nis (#1199128) + +* Thu Jan 29 2015 Martin Kosek - 4.1.0-18 - Fix ipa-pwd-extop global configuration caching (#1187342) - group-detach does not add correct objectclasses (#1187540)