From ab4b7f7ca4a3a477df1cf61418f2d63755652dcc Mon Sep 17 00:00:00 2001
From: Johnny Hughes <johnny@centos.org>
Date: Mon, 14 May 2018 14:34:43 +0000
Subject: [PATCH] set ipaplatform to rhel for compatibilty for updates

---
 SOURCES/0041-Revert-Don-t-allow-OTP-or-RADIUS-in-FIPS-mode.patch |   86 +++++++++++++++++++++++++++++++++++++++++++
 1 files changed, 86 insertions(+), 0 deletions(-)

diff --git a/SOURCES/0041-Revert-Don-t-allow-OTP-or-RADIUS-in-FIPS-mode.patch b/SOURCES/0041-Revert-Don-t-allow-OTP-or-RADIUS-in-FIPS-mode.patch
new file mode 100644
index 0000000..a8818c2
--- /dev/null
+++ b/SOURCES/0041-Revert-Don-t-allow-OTP-or-RADIUS-in-FIPS-mode.patch
@@ -0,0 +1,86 @@
+From 6d813f6b03811a285c3c6dae85942c0086b619a6 Mon Sep 17 00:00:00 2001
+From: Nathaniel McCallum <npmccallum@redhat.com>
+Date: Mon, 26 Feb 2018 09:48:22 -0500
+Subject: [PATCH] Revert "Don't allow OTP or RADIUS in FIPS mode"
+
+This reverts commit 16a952a0a44a0ebee97029ea1d2f6b7593dd2622.
+
+OTP now works in FIPS mode. RADIUS can be made to be compliant by wrapping
+traffic in a VPN.
+
+https://pagure.io/freeipa/issue/7168
+https://pagure.io/freeipa/issue/7243
+
+Reviewed-By: Rob Crittenden <rcritten@redhat.com>
+Reviewed-By: Christian Heimes <cheimes@redhat.com>
+Reviewed-By: Rob Crittenden <rcritten@redhat.com>
+---
+ ipaserver/plugins/baseuser.py |  3 ---
+ ipaserver/plugins/config.py   | 16 ----------------
+ 2 files changed, 19 deletions(-)
+
+diff --git a/ipaserver/plugins/baseuser.py b/ipaserver/plugins/baseuser.py
+index bb8a73ded0fed135d5829ec0b0829a936f2196fb..bf24dbf542d3b481671dfe4e8cee14a2edcc26e0 100644
+--- a/ipaserver/plugins/baseuser.py
++++ b/ipaserver/plugins/baseuser.py
+@@ -32,7 +32,6 @@ from .baseldap import (
+     add_missing_object_class)
+ from ipaserver.plugins.service import (
+    validate_certificate, validate_realm, normalize_principal)
+-from ipaserver.plugins.config import check_fips_auth_opts
+ from ipalib.request import context
+ from ipalib import _
+ from ipalib.constants import PATTERN_GROUPUSER_NAME
+@@ -478,7 +477,6 @@ class baseuser_add(LDAPCreate):
+                             **options):
+         assert isinstance(dn, DN)
+         set_krbcanonicalname(entry_attrs)
+-        check_fips_auth_opts(fips_mode=self.api.env.fips_mode, **options)
+         self.obj.convert_usercertificate_pre(entry_attrs)
+ 
+     def post_common_callback(self, ldap, dn, entry_attrs, *keys, **options):
+@@ -602,7 +600,6 @@ class baseuser_mod(LDAPUpdate):
+         assert isinstance(dn, DN)
+         add_sshpubkey_to_attrs_pre(self.context, attrs_list)
+ 
+-        check_fips_auth_opts(fips_mode=self.api.env.fips_mode, **options)
+         self.check_namelength(ldap, **options)
+ 
+         self.check_mail(entry_attrs)
+diff --git a/ipaserver/plugins/config.py b/ipaserver/plugins/config.py
+index c9033fa8e7a2a0bfe77464fa4f9c62278bd814f6..ce15e6096f5b84dc45ee21d5aecc73ecf86eba07 100644
+--- a/ipaserver/plugins/config.py
++++ b/ipaserver/plugins/config.py
+@@ -85,20 +85,6 @@ EXAMPLES:
+ 
+ register = Registry()
+ 
+-
+-def check_fips_auth_opts(fips_mode, **options):
+-    """
+-    OTP and RADIUS are not allowed in FIPS mode since they use MD5
+-    checksums (OTP uses our RADIUS responder daemon ipa-otpd).
+-    """
+-    if 'ipauserauthtype' in options and fips_mode:
+-        if ('otp' in options['ipauserauthtype'] or
+-                'radius' in options['ipauserauthtype']):
+-            raise errors.InvocationError(
+-                'OTP and RADIUS authentication in FIPS is '
+-                'not yet supported')
+-
+-
+ @register()
+ class config(LDAPObject):
+     """
+@@ -412,8 +398,6 @@ class config_mod(LDAPUpdate):
+ 
+     def pre_callback(self, ldap, dn, entry_attrs, attrs_list, *keys, **options):
+         assert isinstance(dn, DN)
+-        check_fips_auth_opts(fips_mode=self.api.env.fips_mode, **options)
+-
+         if 'ipadefaultprimarygroup' in entry_attrs:
+             group=entry_attrs['ipadefaultprimarygroup']
+             try:
+-- 
+2.14.3
+
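Review bot: The embedded revert removes `check_fips_auth_opts` and all three of its call sites (`baseuser_add`, `baseuser_mod`, `config_mod.pre_callback`), so on a FIPS-mode server nothing in the visible code stops `ipauserauthtype` from being set to `radius`. The revert's own message makes RADIUS compliant only when its traffic is wrapped in a VPN, and the removed docstring was the only place stating that RADIUS relies on MD5 checksums; neither condition is enforced or recorded after this change. Since the package carries the revert as a downstream patch, I would record that operational requirement beside the patch entry in the spec file or changelog, e.g. `# 0041: allows OTP/RADIUS under FIPS again; RADIUS is compliant only when tunnelled (VPN), not enforced by IPA`. The outer subject ("set ipaplatform to rhel ...") also does not describe this security-relevant change. The diffstat lists only the new file under SOURCES, so it is worth confirming that the spec actually applies patch 0041.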

--
Gitblit v1.8.0