From 34b6590b9ca2407ece6923509f1092b85bfbd8fa Mon Sep 17 00:00:00 2001 From: CentOS Sources Date: Jan 17 2017 15:27:09 +0000 Subject: import ipa-4.4.0-14.el7_3.4 --- diff --git a/SOURCES/0145-certprofile-mod-correctly-authorise-config-update.patch b/SOURCES/0145-certprofile-mod-correctly-authorise-config-update.patch deleted file mode 100644 index 729a5b9..0000000 --- a/SOURCES/0145-certprofile-mod-correctly-authorise-config-update.patch +++ /dev/null 
@@ -1,43 +0,0 @@ -From 8de62d5187f54b0e994c160a1d39dbece4615aa5 Mon Sep 17 00:00:00 2001 -From: Fraser Tweedale -Date: Tue, 15 Nov 2016 14:02:54 +1000 -Subject: [PATCH] certprofile-mod: correctly authorise config update - -Certificate profiles consist of an FreeIPA object, and a -corresponding Dogtag configuration object. When updating profile -configuration, changes to the Dogtag configuration are not properly -authorised, allowing unprivileged operators to modify (but not -create or delete) profiles. This could result in issuance of -certificates with fraudulent subject naming information, improper -key usage, or other badness. - -Update certprofile-mod to ensure that the operator has permission to -modify FreeIPA certprofile objects before modifying the Dogtag -configuration. - -https://fedorahosted.org/freeipa/ticket/6560 - -Reviewed-By: Jan Cholasta ---- - ipaserver/plugins/certprofile.py | 5 +++++ - 1 file changed, 5 insertions(+) - -diff --git a/ipaserver/plugins/certprofile.py b/ipaserver/plugins/certprofile.py -index f4466077484591c8e941027fa8e4897602384f7c..2bd3311e3b729b768188d537bf7f675a0f9346c2 100644 ---- a/ipaserver/plugins/certprofile.py -+++ b/ipaserver/plugins/certprofile.py -@@ -310,6 +310,11 @@ class certprofile_mod(LDAPUpdate): - raise errors.ProtectedEntryError(label='certprofile', key=keys[0], - reason=_('Certificate profiles cannot be renamed')) - if 'file' in options: -+ # ensure operator has permission to update a certprofile -+ if not ldap.can_write(dn, 'ipacertprofilestoreissued'): -+ raise errors.ACIError(info=_( -+ "Insufficient privilege to modify a certificate profile.")) -+ - with self.api.Backend.ra_certprofile as profile_api: - profile_api.disable_profile(keys[0]) - try: --- -2.10.2 - diff --git a/SOURCES/0145-replication-ensure-bind-DN-group-check-interval-is-s.patch b/SOURCES/0145-replication-ensure-bind-DN-group-check-interval-is-s.patch new file mode 100644 index 0000000..245f42b --- /dev/null 
+++ b/SOURCES/0145-replication-ensure-bind-DN-group-check-interval-is-s.patch @@ -0,0 +1,37 @@ +From 405446b0f08551fa82fd0f6d71f219d68641732b Mon Sep 17 00:00:00 2001 +From: Martin Babinsky +Date: Wed, 23 Nov 2016 16:58:39 +0100 +Subject: [PATCH] replication: ensure bind DN group check interval is set on + replica config + +This is a safeguard ensuring valid replica configuration against incorrectly +upgraded masters lacking 'nsds5replicabinddngroupcheckinterval' attribute on +their domain/ca topology config. + +https://fedorahosted.org/freeipa/ticket/6508 + +Reviewed-By: Florence Blanc-Renaud +--- + ipaserver/install/replication.py | 6 ++++++ + 1 file changed, 6 insertions(+) + +diff --git a/ipaserver/install/replication.py b/ipaserver/install/replication.py +index b8b665267ea8debba9f0ce01f54a78cd67d88292..e9624894d7d1e745be8072268fa76d51a8c117e3 100644 +--- a/ipaserver/install/replication.py ++++ b/ipaserver/install/replication.py +@@ -452,6 +452,12 @@ class ReplicationManager(object): + if replica_groupdn not in binddn_groups: + mod.append((ldap.MOD_ADD, 'nsds5replicabinddngroup', + replica_groupdn)) ++ ++ if 'nsds5replicabinddngroupcheckinterval' not in entry: ++ mod.append( ++ (ldap.MOD_ADD, ++ 'nsds5replicabinddngroupcheckinterval', ++ '60')) + if mod: + conn.modify_s(dn, mod) + +-- +2.7.4 + diff --git a/SOURCES/0146-bindinstance-use-data-in-named.conf-to-determine-con.patch b/SOURCES/0146-bindinstance-use-data-in-named.conf-to-determine-con.patch new file mode 100644 index 0000000..268bb59 --- /dev/null +++ b/SOURCES/0146-bindinstance-use-data-in-named.conf-to-determine-con.patch 
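Review bot: The bind-DN group check interval is written as the bare literal `'60'` in the new `mod.append(...)` in replica_config, and the same literal is repeated by the 0147 and 0148 patches in this import (set_replica_binddngroup in replication.py and update_ca_topology.py use `'60'` and `['60']`). A module-level constant in replication.py, for example `REPLICA_BINDDNGROUP_CHECK_INTERVAL = '60'`, referenced from the updater, would keep the three sites from drifting and give the value a name. The guard `if 'nsds5replicabinddngroupcheckinterval' not in entry:` only adds the attribute when it is absent, so an existing different value is deliberately left alone; a one-line comment saying so would spare the next reader the question. replica_config starts and ends outside the hunk.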
@@ -0,0 +1,38 @@ +From b84a175ad6a8c2b25d6db388fa88e6441d97ae94 Mon Sep 17 00:00:00 2001 +From: Martin Babinsky +Date: Tue, 6 Dec 2016 12:13:34 +0100 +Subject: [PATCH] bindinstance: use data in named.conf to determine + configuration status + +Instead of checking sysrestore status which leads to incorrect +evaluation of DNS configuration status during 4.2 -> 4.4 upgrade, look +into named.conf to see whther it was already modified by IPA installer. + +https://fedorahosted.org/freeipa/ticket/6503 + +Reviewed-By: Martin Basti +--- + ipaserver/install/bindinstance.py | 7 +++++++ + 1 file changed, 7 insertions(+) + +diff --git a/ipaserver/install/bindinstance.py b/ipaserver/install/bindinstance.py +index 7538e145cbe37dfc21963d97dea0e835e3bd5072..a65b065fd654655ff034e277eb7e0ad49e4a418e 100644 +--- a/ipaserver/install/bindinstance.py ++++ b/ipaserver/install/bindinstance.py +@@ -1170,6 +1170,13 @@ class BindInstance(service.Service): + self.api.Command.dnsconfig_show.output_for_cli(textui, result, None, + reverse=False) + ++ def is_configured(self): ++ """ ++ Override the default logic querying StateFile for configuration status ++ and look whether named.conf was already modified by IPA installer. ++ """ ++ return named_conf_exists() ++ + def uninstall(self): + if self.is_configured(): + self.print_msg("Unconfiguring %s" % self.service_name) +-- +2.7.4 + diff --git a/SOURCES/0146-password-policy-Add-explicit-default-password-policy.patch b/SOURCES/0146-password-policy-Add-explicit-default-password-policy.patch deleted file mode 100644 index 9c4e4af..0000000 --- a/SOURCES/0146-password-policy-Add-explicit-default-password-policy.patch +++ /dev/null 
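Review bot: `is_configured` now reduces to `return named_conf_exists()`, so the correctness of `uninstall` (which calls it on the line after the new method) rests entirely on what that helper checks, and the hunk does not show it. If it only tests that the file is present rather than that IPA's own directives are in it, a host with a stock bind installation would be reported as configured and then unconfigured on uninstall; the docstring's claim "whether named.conf was already modified by IPA installer" needs to be true of the helper, not just stated here. A comment next to the return such as `# named_conf_exists() must detect IPA-specific content, not mere file presence` would record that dependency. BindInstance and uninstall continue outside the hunk.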
@@ -1,192 +0,0 @@ -From 016631a08b67bda3dc996b84061f863e0f5cdc7f Mon Sep 17 00:00:00 2001 -From: David Kupka -Date: Thu, 29 Sep 2016 15:59:34 +0200 -Subject: [PATCH] password policy: Add explicit default password policy for - hosts and services - -Set explicitly krbPwdPolicyReference attribute to all hosts (entries in -cn=computers,cn=accounts), services (entries in cn=services,cn=accounts) and -Kerberos services (entries in cn=$REALM,cn=kerberos). This is done using DS's -CoS so no attributes are really added. - -The default policies effectively disable any enforcement or lockout for hosts -and services. Since hosts and services use keytabs passwords enforcements -doesn't make much sense. Also the lockout policy could be used for easy and -cheap DoS. - -https://fedorahosted.org/freeipa/ticket/6561 - -Reviewed-By: Pavel Vomacka ---- - install/updates/20-default_password_policy.update | 133 ++++++++++++++++++++++ - install/updates/Makefile.am | 1 + - ipaserver/install/service.py | 1 + - 3 files changed, 135 insertions(+) - create mode 100644 install/updates/20-default_password_policy.update - -diff --git a/install/updates/20-default_password_policy.update b/install/updates/20-default_password_policy.update -new file mode 100644 -index 0000000000000000000000000000000000000000..b1f9754a98e9c4b9cb8558e96f7195ea87c2f1ce ---- /dev/null -+++ b/install/updates/20-default_password_policy.update -@@ -0,0 +1,133 @@ -+# Default password policies for hosts, services and Kerberos services -+# Setting all attributes to zero effectively disables any password policy -+# We can do this because hosts and services uses keytabs instead of passwords -+ -+# hosts -+dn: cn=Default Host Password Policy,cn=computers,cn=accounts,$SUFFIX -+default:objectClass: krbPwdPolicy -+default:objectClass: nsContainer -+default:objectClass: top -+default:cn: Default Host Password Policy -+default:krbMinPwdLife: 0 -+default:krbPwdMinDiffChars: 0 -+default:krbPwdMinLength: 0 -+default:krbPwdHistoryLength: 
0 -+default:krbMaxPwdLife: 0 -+default:krbPwdMaxFailure: 0 -+default:krbPwdFailureCountInterval: 0 -+default:krbPwdLockoutDuration: 0 -+ -+# services -+dn: cn=Default Service Password Policy,cn=services,cn=accounts,$SUFFIX -+default:objectClass: krbPwdPolicy -+default:objectClass: nsContainer -+default:objectClass: top -+default:cn: Default Service Password Policy -+default:krbMinPwdLife: 0 -+default:krbPwdMinDiffChars: 0 -+default:krbPwdMinLength: 0 -+default:krbPwdHistoryLength: 0 -+default:krbMaxPwdLife: 0 -+default:krbPwdMaxFailure: 0 -+default:krbPwdFailureCountInterval: 0 -+default:krbPwdLockoutDuration: 0 -+ -+# kerberos policy container -+# this is necessary to avoid mixing the Kerberos sevice password policy -+# with group-membership based user password policies -+dn: cn=Kerberos Service Password Policy,cn=$REALM,cn=kerberos,$SUFFIX -+default:objectClass: nsContainer -+default:objectClass: top -+default:cn: Kerberos Service Password Policy -+ -+# kerberos services -+dn: cn=Default Kerberos Service Password Policy,cn=Kerberos Service Password Policy,cn=$REALM,cn=kerberos,$SUFFIX -+default:objectClass: krbPwdPolicy -+default:objectClass: nsContainer -+default:objectClass: top -+default:cn: Default Kerberos Service Password Policy -+default:krbMinPwdLife: 0 -+default:krbPwdMinDiffChars: 0 -+default:krbPwdMinLength: 0 -+default:krbPwdHistoryLength: 0 -+default:krbMaxPwdLife: 0 -+default:krbPwdMaxFailure: 0 -+default:krbPwdFailureCountInterval: 0 -+default:krbPwdLockoutDuration: 0 -+ -+# default password policies for hosts, services and kerberos services -+# cosPriority is set intentionally to higher number than FreeIPA API allows -+# to set to ensure that these password policies have always lower priority -+# than any defined by user. 
-+ -+# hosts -+dn: cn=cosTemplates,cn=computers,cn=accounts,$SUFFIX -+default:objectclass: top -+default:objectclass: nsContainer -+default:cn: cosTemplates -+ -+dn: cn=Default Password Policy,cn=cosTemplates,cn=computers,cn=accounts,$SUFFIX -+default:objectclass: top -+default:objectclass: cosTemplate -+default:objectclass: extensibleObject -+default:objectclass: krbContainer -+default:cn: Default Password Policy -+default:cosPriority: 10000000000 -+default:krbPwdPolicyReference: cn=Default Host Password Policy,cn=computers,cn=accounts,$SUFFIX -+ -+dn: cn=Default Password Policy,cn=computers,cn=accounts,$SUFFIX -+default:description: Default Password Policy for Hosts -+default:objectClass: top -+default:objectClass: ldapsubentry -+default:objectClass: cosSuperDefinition -+default:objectClass: cosPointerDefinition -+default:cosTemplateDn: cn=Default Password Policy,cn=cosTemplates,cn=computers,cn=accounts,$SUFFIX -+default:cosAttribute: krbPwdPolicyReference default -+ -+# services -+dn: cn=cosTemplates,cn=services,cn=accounts,$SUFFIX -+default:objectclass: top -+default:objectclass: nsContainer -+default:cn: cosTemplates -+ -+dn: cn=Default Password Policy,cn=cosTemplates,cn=services,cn=accounts,$SUFFIX -+default:objectclass: top -+default:objectclass: cosTemplate -+default:objectclass: extensibleObject -+default:objectclass: krbContainer -+default:cn: Default Password Policy -+default:cosPriority: 10000000000 -+default:krbPwdPolicyReference: cn=Default Service Password Policy,cn=services,cn=accounts,$SUFFIX -+ -+dn: cn=Default Password Policy,cn=services,cn=accounts,$SUFFIX -+default:description: Default Password Policy for Services -+default:objectClass: top -+default:objectClass: ldapsubentry -+default:objectClass: cosSuperDefinition -+default:objectClass: cosPointerDefinition -+default:cosTemplateDn: cn=Default Password Policy,cn=cosTemplates,cn=services,cn=accounts,$SUFFIX -+default:cosAttribute: krbPwdPolicyReference default -+ -+# kerberos services -+dn: 
cn=cosTemplates,cn=$REALM,cn=kerberos,$SUFFIX -+default:objectclass: top -+default:objectclass: nsContainer -+default:cn: cosTemplates -+ -+dn: cn=Default Password Policy,cn=cosTemplates,cn=$REALM,cn=kerberos,$SUFFIX -+default:objectclass: top -+default:objectclass: cosTemplate -+default:objectclass: extensibleObject -+default:objectclass: krbContainer -+default:cn: Default Password Policy -+default:cosPriority: 10000000000 -+default:krbPwdPolicyReference: cn=Default Kerberos Service Password Policy,cn=Kerberos Service Password Policy,cn=$REALM,cn=kerberos,$SUFFIX -+ -+dn: cn=Default Password Policy,cn=$REALM,cn=kerberos,$SUFFIX -+default:description: Default Password Policy for Kerberos Services -+default:objectClass: top -+default:objectClass: ldapsubentry -+default:objectClass: cosSuperDefinition -+default:objectClass: cosPointerDefinition -+default:cosTemplateDn: cn=Default Password Policy,cn=cosTemplates,cn=$REALM,cn=kerberos,$SUFFIX -+default:cosAttribute: krbPwdPolicyReference default -diff --git a/install/updates/Makefile.am b/install/updates/Makefile.am -index 455fd209d171888dc94a7f708dc5fa1743f62bf4..310ae39c3b659cbe897380f572824acb26009574 100644 ---- a/install/updates/Makefile.am -+++ b/install/updates/Makefile.am -@@ -23,6 +23,7 @@ app_DATA = \ - 20-winsync_index.update \ - 20-idoverride_index.update \ - 20-uuid.update \ -+ 20-default_password_policy.update \ - 21-replicas_container.update \ - 21-ca_renewal_container.update \ - 21-certstore_container.update \ -diff --git a/ipaserver/install/service.py b/ipaserver/install/service.py -index 057cd3d4b512513a4e3a8f228dc5f07f31fd84e0..6bb2e76f64ac11abc426c70c645cfb042be474c2 100644 ---- a/ipaserver/install/service.py -+++ b/ipaserver/install/service.py -@@ -252,6 +252,7 @@ class Service(object): - # There is no service in the wrong location, nothing to do. 
- # This can happen when installing a replica - return None -+ entry.pop('krbpwdpolicyreference', None) # don't copy virtual attr - newdn = DN(('krbprincipalname', principal), ('cn', 'services'), ('cn', 'accounts'), self.suffix) - hostdn = DN(('fqdn', self.fqdn), ('cn', 'computers'), ('cn', 'accounts'), self.suffix) - self.admin_conn.delete_entry(entry) --- -2.10.2 - diff --git a/SOURCES/0147-gracefully-handle-setting-replica-bind-dn-group-on-o.patch b/SOURCES/0147-gracefully-handle-setting-replica-bind-dn-group-on-o.patch new file mode 100644 index 0000000..ab2aa23 --- /dev/null +++ b/SOURCES/0147-gracefully-handle-setting-replica-bind-dn-group-on-o.patch 
@@ -0,0 +1,93 @@ +From 32b222610532b543d713d4d4b5ce02eed15a66d5 Mon Sep 17 00:00:00 2001 +From: Martin Babinsky +Date: Tue, 6 Dec 2016 18:07:50 +0100 +Subject: [PATCH] gracefully handle setting replica bind dn group on old + masters + +Pre-3.3 masters do not support setting 'nsds5replicabinddngroup' +attribute on existing replica entry during setup of initial replication. +In this case UNWILLING_TO_PERFORM is returned. The code can interpret +this error as an indication of old master and fall back to just adding +its LDAP principal to entry's 'nsds5replicabinddn' attribute. + +https://fedorahosted.org/freeipa/ticket/6532 + +Reviewed-By: Florence Blanc-Renaud +--- + ipaserver/install/replication.py | 48 ++++++++++++++++++++++++++-------------- + 1 file changed, 32 insertions(+), 16 deletions(-) + +diff --git a/ipaserver/install/replication.py b/ipaserver/install/replication.py +index e9624894d7d1e745be8072268fa76d51a8c117e3..5f03ddeadfc515255509a1f49d3b38687e561b9f 100644 +--- a/ipaserver/install/replication.py ++++ b/ipaserver/install/replication.py +@@ -429,6 +429,34 @@ class ReplicationManager(object): + return DN(('cn', 'replica'), ('cn', self.db_suffix), + ('cn', 'mapping tree'), ('cn', 'config')) + ++ def set_replica_binddngroup(self, r_conn, entry, replica_groupdn): ++ """ ++ Set nsds5replicabinddngroup attribute on remote master's replica entry. ++ Older masters (ipa < 3.3) may not support setting this attribute. In ++ this case log the error and fall back to setting replica's binddn ++ directly. 
++ """ ++ binddn_groups = { ++ DN(p) for p in entry.get('nsds5replicabinddngroup', [])} ++ ++ mod = [] ++ if replica_groupdn not in binddn_groups: ++ mod.append((ldap.MOD_ADD, 'nsds5replicabinddngroup', ++ replica_groupdn)) ++ ++ if 'nsds5replicabinddngroupcheckinterval' not in entry: ++ mod.append( ++ (ldap.MOD_ADD, ++ 'nsds5replicabinddngroupcheckinterval', ++ '60')) ++ if mod: ++ try: ++ r_conn.modify_s(entry.dn, mod) ++ except ldap.UNWILLING_TO_PERFORM: ++ root_logger.debug( ++ "nsds5replicabinddngroup attribute not supported on " ++ "remote master.") ++ + def replica_config(self, conn, replica_id, replica_binddn): + assert isinstance(replica_binddn, DN) + dn = self.replica_dn() +@@ -440,27 +468,15 @@ class ReplicationManager(object): + try: + entry = conn.get_entry(dn) + managers = {DN(m) for m in entry.get('nsDS5ReplicaBindDN', [])} +- binddn_groups = { +- DN(p) for p in entry.get('nsds5replicabinddngroup', [])} + +- mod = [] + if replica_binddn not in managers: + # Add the new replication manager +- mod.append((ldap.MOD_ADD, 'nsDS5ReplicaBindDN', +- replica_binddn)) +- +- if replica_groupdn not in binddn_groups: +- mod.append((ldap.MOD_ADD, 'nsds5replicabinddngroup', +- replica_groupdn)) +- +- if 'nsds5replicabinddngroupcheckinterval' not in entry: +- mod.append( +- (ldap.MOD_ADD, +- 'nsds5replicabinddngroupcheckinterval', +- '60')) +- if mod: ++ mod = [(ldap.MOD_ADD, 'nsDS5ReplicaBindDN', ++ replica_binddn)] + conn.modify_s(dn, mod) + ++ self.set_replica_binddngroup(conn, entry, replica_groupdn) ++ + # replication is already configured + return + except errors.NotFound: +-- +2.7.4 + diff --git a/SOURCES/0147-ipa-kdb-search-for-password-policies-globally.patch b/SOURCES/0147-ipa-kdb-search-for-password-policies-globally.patch deleted file mode 100644 index 96cc471..0000000 --- a/SOURCES/0147-ipa-kdb-search-for-password-policies-globally.patch +++ /dev/null 
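Review bot: The `except ldap.UNWILLING_TO_PERFORM:` in the new set_replica_binddngroup attributes every such refusal to an old master and logs a fixed message at debug level without the server's diagnostic, although the same `mod` list also carries the nsds5replicabinddngroupcheckinterval add, so a current master refusing the modify for any other reason is skipped just as quietly. Because the fallback leaves the replica relying on its direct nsDS5ReplicaBindDN entry rather than group membership, that outcome should be visible to the administrator: `except ldap.UNWILLING_TO_PERFORM as e:` followed by `root_logger.warning("could not set nsds5replicabinddngroup on %s, falling back to direct bind DN: %s", entry.dn, e)`. Sending the two MOD_ADDs as separate modify_s calls would also let the check interval be set where only the group attribute is rejected. The docstring says the error is logged; it should also say that the caller is expected to have added the bind DN already, which replica_config does just before the call.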
@@ -1,38 +0,0 @@ -From a90a67fc7c4ef114e5f5336d868009fd0caa956b Mon Sep 17 00:00:00 2001 -From: Alexander Bokovoy -Date: Thu, 15 Dec 2016 16:30:00 +0200 -Subject: [PATCH] ipa-kdb: search for password policies globally - -With the CoS templates now used to create additional password policies -per object type that are placed under the object subtrees, DAL driver -needs to search for the policies in the whole tree. - -Individual policies referenced by the krbPwdPolicyReference attribute -are always searched by their full DN and with the base scope. However, -when KDC asks a DAL driver to return a password policy by name, we don't -have any specific base to search. The original code did search by the -realm subtree. - -Fixes https://fedorahosted.org/freeipa/ticket/6561 - -Reviewed-By: Martin Babinsky ---- - daemons/ipa-kdb/ipa_kdb_pwdpolicy.c | 2 +- - 1 file changed, 1 insertion(+), 1 deletion(-) - -diff --git a/daemons/ipa-kdb/ipa_kdb_pwdpolicy.c b/daemons/ipa-kdb/ipa_kdb_pwdpolicy.c -index 076314a12840881a340763ab5693131aaccafec6..0c810af98f7a37b76afc4ca40b29441d9793f12f 100644 ---- a/daemons/ipa-kdb/ipa_kdb_pwdpolicy.c -+++ b/daemons/ipa-kdb/ipa_kdb_pwdpolicy.c -@@ -163,7 +163,7 @@ krb5_error_code ipadb_get_pwd_policy(krb5_context kcontext, char *name, - } - - kerr = ipadb_simple_search(ipactx, -- ipactx->realm_base, LDAP_SCOPE_SUBTREE, -+ ipactx->base, LDAP_SCOPE_SUBTREE, - src_filter, std_pwdpolicy_attrs, &res); - if (kerr) { - goto done; --- -2.10.2 - diff --git a/SOURCES/0148-add-missing-attribute-to-ipaca-replica-during-CA-top.patch b/SOURCES/0148-add-missing-attribute-to-ipaca-replica-during-CA-top.patch new file mode 100644 index 0000000..6844cbb --- /dev/null +++ b/SOURCES/0148-add-missing-attribute-to-ipaca-replica-during-CA-top.patch 
@@ -0,0 +1,60 @@ +From 3ff9fc2141e16e7cbd4fa30c16d60e915c2c3ee4 Mon Sep 17 00:00:00 2001 +From: Martin Babinsky +Date: Wed, 7 Dec 2016 14:00:09 +0100 +Subject: [PATCH] add missing attribute to ipaca replica during CA topology + update + +'nsds5replicabinddngroupcheckinterval' attribute was not properly added +to 'o=ipaca' replica attribute during upgrade. The CA topology update +plugin should now add it to the entry if it exists. + +https://fedorahosted.org/freeipa/ticket/6508 + +Reviewed-By: Martin Basti +--- + ipaserver/install/plugins/update_ca_topology.py | 22 ++++++++++++++++++++++ + 1 file changed, 22 insertions(+) + +diff --git a/ipaserver/install/plugins/update_ca_topology.py b/ipaserver/install/plugins/update_ca_topology.py +index d76849bf9de46b1e4ad52dbae7081b4d3aec5273..f82926b19175c3fd42bd794205ec4216fc776707 100644 +--- a/ipaserver/install/plugins/update_ca_topology.py ++++ b/ipaserver/install/plugins/update_ca_topology.py +@@ -2,8 +2,10 @@ + # Copyright (C) 2015 FreeIPA Contributors see COPYING for license + # + ++from ipalib import errors + from ipalib import Registry + from ipalib import Updater ++from ipapython.dn import DN + from ipaserver.install import certs, cainstance + from ipaserver.install import ldapupdate + from ipaplatform.paths import paths +@@ -31,4 +33,24 @@ class update_ca_topology(Updater): + + ld.update([paths.CA_TOPOLOGY_ULDIF]) + ++ ldap = self.api.Backend.ldap2 ++ ++ ca_replica_dn = DN( ++ ('cn', 'replica'), ++ ('cn', 'o=ipaca'), ++ ('cn', 'mapping tree'), ++ ('cn', 'config')) ++ ++ check_interval_attr = 'nsds5replicabinddngroupcheckinterval' ++ default_check_interval = ['60'] ++ ++ try: ++ ca_replica_entry = ldap.get_entry(ca_replica_dn) ++ except errors.NotFound: ++ pass ++ else: ++ if check_interval_attr not in ca_replica_entry: ++ ca_replica_entry[check_interval_attr] = default_check_interval ++ ldap.update_entry(ca_replica_entry) ++ + return False, [] +-- +2.7.4 + 
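Review bot: `ca_replica_dn` in update_ca_topology rebuilds the `cn=replica,cn=o=ipaca,cn=mapping tree,cn=config` DN by hand, while replication.py already derives the same shape from its suffix in `replica_dn()` (visible in the 0147 patch of this import), and `default_check_interval = ['60']` duplicates the literal used there; two hand-maintained copies are one more place to update if either the layout or the default changes. If the ReplicationManager helper can be reused from an updater, prefer it; otherwise a comment naming replication.py as the source of truth would do. The `except errors.NotFound: pass` is reasonable for a master without a CA, but a debug log line there would make the skipped update observable when an upgrade is being diagnosed. The updater's execute method starts outside the hunk.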
diff --git a/SOURCES/0149-Check-for-conflict-entries-before-raising-domain-lev.patch b/SOURCES/0149-Check-for-conflict-entries-before-raising-domain-lev.patch new file mode 100644 index 0000000..a3fd173 --- /dev/null +++ b/SOURCES/0149-Check-for-conflict-entries-before-raising-domain-lev.patch 
@@ -0,0 +1,64 @@ +From 81a1bdae1743c4cd7aab296cb0a7474b9bd52b33 Mon Sep 17 00:00:00 2001 +From: Ludwig Krispenz +Date: Fri, 9 Dec 2016 15:04:21 +0100 +Subject: [PATCH] Check for conflict entries before raising domain level + +Checking of conflicts is not only done in topology container as +tests showed it can occurs elsewhere + +https://fedorahosted.org/freeipa/ticket/6534 + +Reviewed-By: Martin Babinsky +--- + ipaserver/plugins/domainlevel.py | 28 ++++++++++++++++++++++++++++ + 1 file changed, 28 insertions(+) + +diff --git a/ipaserver/plugins/domainlevel.py b/ipaserver/plugins/domainlevel.py +index 23fa2a1b2f0f681ac215e96a651d688294df4b99..d8c508a64dd91a0a18e061d2af3080c8f1b38260 100644 +--- a/ipaserver/plugins/domainlevel.py ++++ b/ipaserver/plugins/domainlevel.py +@@ -48,6 +48,30 @@ def get_domainlevel_range(master_entry): + return DomainLevelRange(0, 0) + + ++def check_conflict_entries(ldap, api, desired_value): ++ """ ++ Check if conflict entries exist in topology subtree ++ """ ++ ++ container_dn = DN( ++ ('cn', 'ipa'), ++ ('cn', 'etc'), ++ api.env.basedn ++ ) ++ conflict = "(nsds5replconflict=*)" ++ subentry = "(|(objectclass=ldapsubentry)(objectclass=*))" ++ try: ++ ldap.get_entries( ++ filter="(& %s %s)" % (conflict, subentry), ++ base_dn=container_dn, ++ scope=ldap.SCOPE_SUBTREE) ++ message = _("Domain Level cannot be raised to {0}, " ++ "existing replication conflicts have to be resolved." ++ .format(desired_value)) ++ raise errors.InvalidDomainLevelError(reason=message) ++ except errors.NotFound: ++ pass ++ + def get_master_entries(ldap, api): + """ + Returns list of LDAPEntries representing IPA masters. 
+@@ -131,6 +155,10 @@ class domainlevel_set(Command): + .format(desired_value, master['cn'][0])) + raise errors.InvalidDomainLevelError(reason=message) + ++ # Check if conflict entries exist in topology subtree ++ # should be resolved first ++ check_conflict_entries(ldap, self.api, desired_value) ++ + current_entry.single_value['ipaDomainLevel'] = desired_value + ldap.update_entry(current_entry) + +-- +2.7.4 + diff --git a/SOURCES/0150-certprofile-mod-correctly-authorise-config-update.patch b/SOURCES/0150-certprofile-mod-correctly-authorise-config-update.patch new file mode 100644 index 0000000..55acdcc --- /dev/null +++ b/SOURCES/0150-certprofile-mod-correctly-authorise-config-update.patch 
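Review bot: In check_conflict_entries the `.format(desired_value)` is applied inside the `_()` call, so the translation lookup runs on the already-formatted string and cannot match the catalog entry; it should read `message = _("Domain Level cannot be raised to {0}, " "existing replication conflicts have to be resolved.").format(desired_value)`. The result of `ldap.get_entries` is discarded, so the raised error tells the administrator that conflicts exist but not where; binding the result and appending the offending DNs to the message (or logging them) would make the failure actionable. The docstring and the comment in the second hunk say "topology subtree", but `base_dn` is `cn=ipa,cn=etc`, which the commit message presents as deliberate, so the docstring should state the actual base. The `(|(objectclass=ldapsubentry)(objectclass=*))` component is a tautology as a filter and presumably exists only so the directory includes ldapsubentry objects in the result; a one-line comment saying so would stop a later cleanup from removing it.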
@@ -0,0 +1,43 @@ +From 59e072eab0d58af195a14d53240de20ee4a3171f Mon Sep 17 00:00:00 2001 +From: Fraser Tweedale +Date: Tue, 15 Nov 2016 14:02:54 +1000 +Subject: [PATCH] certprofile-mod: correctly authorise config update + +Certificate profiles consist of an FreeIPA object, and a +corresponding Dogtag configuration object. When updating profile +configuration, changes to the Dogtag configuration are not properly +authorised, allowing unprivileged operators to modify (but not +create or delete) profiles. This could result in issuance of +certificates with fraudulent subject naming information, improper +key usage, or other badness. + +Update certprofile-mod to ensure that the operator has permission to +modify FreeIPA certprofile objects before modifying the Dogtag +configuration. + +https://fedorahosted.org/freeipa/ticket/6560 + +Reviewed-By: Jan Cholasta +--- + ipaserver/plugins/certprofile.py | 5 +++++ + 1 file changed, 5 insertions(+) + +diff --git a/ipaserver/plugins/certprofile.py b/ipaserver/plugins/certprofile.py +index f4466077484591c8e941027fa8e4897602384f7c..2bd3311e3b729b768188d537bf7f675a0f9346c2 100644 +--- a/ipaserver/plugins/certprofile.py ++++ b/ipaserver/plugins/certprofile.py +@@ -310,6 +310,11 @@ class certprofile_mod(LDAPUpdate): + raise errors.ProtectedEntryError(label='certprofile', key=keys[0], + reason=_('Certificate profiles cannot be renamed')) + if 'file' in options: ++ # ensure operator has permission to update a certprofile ++ if not ldap.can_write(dn, 'ipacertprofilestoreissued'): ++ raise errors.ACIError(info=_( ++ "Insufficient privilege to modify a certificate profile.")) ++ + with self.api.Backend.ra_certprofile as profile_api: + profile_api.disable_profile(keys[0]) + try: +-- +2.7.4 + diff --git a/SOURCES/0151-password-policy-Add-explicit-default-password-policy.patch b/SOURCES/0151-password-policy-Add-explicit-default-password-policy.patch new file mode 100644 index 0000000..22ac7ff --- /dev/null 
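Review bot: The new guard `if not ldap.can_write(dn, 'ipacertprofilestoreissued'):` uses write access on a single attribute as the proxy for "may modify this profile", and nothing in the hunk records why that attribute was chosen or that it must remain covered by the permission granting profile modification; if that ACI were later narrowed or widened, this check would change behaviour with no visible link to it. Expand the comment to `# write access to ipacertprofilestoreissued stands in for the certprofile-modify permission; the Dogtag config update below is not covered by LDAP ACIs`. The placement is right: the check runs before `disable_profile`, so an unauthorised caller leaves the profile untouched, and the LDAP-side attribute update is still enforced by the directory itself. The enclosing method continues outside the hunk.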
+++ b/SOURCES/0151-password-policy-Add-explicit-default-password-policy.patch 
@@ -0,0 +1,192 @@ +From 018266f9dcc06cedcfe679ed32870dd3eda2ece7 Mon Sep 17 00:00:00 2001 +From: David Kupka +Date: Thu, 29 Sep 2016 15:59:34 +0200 +Subject: [PATCH] password policy: Add explicit default password policy for + hosts and services + +Set explicitly krbPwdPolicyReference attribute to all hosts (entries in +cn=computers,cn=accounts), services (entries in cn=services,cn=accounts) and +Kerberos services (entries in cn=$REALM,cn=kerberos). This is done using DS's +CoS so no attributes are really added. + +The default policies effectively disable any enforcement or lockout for hosts +and services. Since hosts and services use keytabs passwords enforcements +doesn't make much sense. Also the lockout policy could be used for easy and +cheap DoS. + +https://fedorahosted.org/freeipa/ticket/6561 + +Reviewed-By: Pavel Vomacka +--- + install/updates/20-default_password_policy.update | 133 ++++++++++++++++++++++ + install/updates/Makefile.am | 1 + + ipaserver/install/service.py | 1 + + 3 files changed, 135 insertions(+) + create mode 100644 install/updates/20-default_password_policy.update + +diff --git a/install/updates/20-default_password_policy.update b/install/updates/20-default_password_policy.update +new file mode 100644 +index 0000000000000000000000000000000000000000..b1f9754a98e9c4b9cb8558e96f7195ea87c2f1ce +--- /dev/null ++++ b/install/updates/20-default_password_policy.update +@@ -0,0 +1,133 @@ ++# Default password policies for hosts, services and Kerberos services ++# Setting all attributes to zero effectively disables any password policy ++# We can do this because hosts and services uses keytabs instead of passwords ++ ++# hosts ++dn: cn=Default Host Password Policy,cn=computers,cn=accounts,$SUFFIX ++default:objectClass: krbPwdPolicy ++default:objectClass: nsContainer ++default:objectClass: top ++default:cn: Default Host Password Policy ++default:krbMinPwdLife: 0 ++default:krbPwdMinDiffChars: 0 ++default:krbPwdMinLength: 0 ++default:krbPwdHistoryLength: 
0 ++default:krbMaxPwdLife: 0 ++default:krbPwdMaxFailure: 0 ++default:krbPwdFailureCountInterval: 0 ++default:krbPwdLockoutDuration: 0 ++ ++# services ++dn: cn=Default Service Password Policy,cn=services,cn=accounts,$SUFFIX ++default:objectClass: krbPwdPolicy ++default:objectClass: nsContainer ++default:objectClass: top ++default:cn: Default Service Password Policy ++default:krbMinPwdLife: 0 ++default:krbPwdMinDiffChars: 0 ++default:krbPwdMinLength: 0 ++default:krbPwdHistoryLength: 0 ++default:krbMaxPwdLife: 0 ++default:krbPwdMaxFailure: 0 ++default:krbPwdFailureCountInterval: 0 ++default:krbPwdLockoutDuration: 0 ++ ++# kerberos policy container ++# this is necessary to avoid mixing the Kerberos sevice password policy ++# with group-membership based user password policies ++dn: cn=Kerberos Service Password Policy,cn=$REALM,cn=kerberos,$SUFFIX ++default:objectClass: nsContainer ++default:objectClass: top ++default:cn: Kerberos Service Password Policy ++ ++# kerberos services ++dn: cn=Default Kerberos Service Password Policy,cn=Kerberos Service Password Policy,cn=$REALM,cn=kerberos,$SUFFIX ++default:objectClass: krbPwdPolicy ++default:objectClass: nsContainer ++default:objectClass: top ++default:cn: Default Kerberos Service Password Policy ++default:krbMinPwdLife: 0 ++default:krbPwdMinDiffChars: 0 ++default:krbPwdMinLength: 0 ++default:krbPwdHistoryLength: 0 ++default:krbMaxPwdLife: 0 ++default:krbPwdMaxFailure: 0 ++default:krbPwdFailureCountInterval: 0 ++default:krbPwdLockoutDuration: 0 ++ ++# default password policies for hosts, services and kerberos services ++# cosPriority is set intentionally to higher number than FreeIPA API allows ++# to set to ensure that these password policies have always lower priority ++# than any defined by user. 
++ ++# hosts ++dn: cn=cosTemplates,cn=computers,cn=accounts,$SUFFIX ++default:objectclass: top ++default:objectclass: nsContainer ++default:cn: cosTemplates ++ ++dn: cn=Default Password Policy,cn=cosTemplates,cn=computers,cn=accounts,$SUFFIX ++default:objectclass: top ++default:objectclass: cosTemplate ++default:objectclass: extensibleObject ++default:objectclass: krbContainer ++default:cn: Default Password Policy ++default:cosPriority: 10000000000 ++default:krbPwdPolicyReference: cn=Default Host Password Policy,cn=computers,cn=accounts,$SUFFIX ++ ++dn: cn=Default Password Policy,cn=computers,cn=accounts,$SUFFIX ++default:description: Default Password Policy for Hosts ++default:objectClass: top ++default:objectClass: ldapsubentry ++default:objectClass: cosSuperDefinition ++default:objectClass: cosPointerDefinition ++default:cosTemplateDn: cn=Default Password Policy,cn=cosTemplates,cn=computers,cn=accounts,$SUFFIX ++default:cosAttribute: krbPwdPolicyReference default ++ ++# services ++dn: cn=cosTemplates,cn=services,cn=accounts,$SUFFIX ++default:objectclass: top ++default:objectclass: nsContainer ++default:cn: cosTemplates ++ ++dn: cn=Default Password Policy,cn=cosTemplates,cn=services,cn=accounts,$SUFFIX ++default:objectclass: top ++default:objectclass: cosTemplate ++default:objectclass: extensibleObject ++default:objectclass: krbContainer ++default:cn: Default Password Policy ++default:cosPriority: 10000000000 ++default:krbPwdPolicyReference: cn=Default Service Password Policy,cn=services,cn=accounts,$SUFFIX ++ ++dn: cn=Default Password Policy,cn=services,cn=accounts,$SUFFIX ++default:description: Default Password Policy for Services ++default:objectClass: top ++default:objectClass: ldapsubentry ++default:objectClass: cosSuperDefinition ++default:objectClass: cosPointerDefinition ++default:cosTemplateDn: cn=Default Password Policy,cn=cosTemplates,cn=services,cn=accounts,$SUFFIX ++default:cosAttribute: krbPwdPolicyReference default ++ ++# kerberos services ++dn: 
cn=cosTemplates,cn=$REALM,cn=kerberos,$SUFFIX ++default:objectclass: top ++default:objectclass: nsContainer ++default:cn: cosTemplates ++ ++dn: cn=Default Password Policy,cn=cosTemplates,cn=$REALM,cn=kerberos,$SUFFIX ++default:objectclass: top ++default:objectclass: cosTemplate ++default:objectclass: extensibleObject ++default:objectclass: krbContainer ++default:cn: Default Password Policy ++default:cosPriority: 10000000000 ++default:krbPwdPolicyReference: cn=Default Kerberos Service Password Policy,cn=Kerberos Service Password Policy,cn=$REALM,cn=kerberos,$SUFFIX ++ ++dn: cn=Default Password Policy,cn=$REALM,cn=kerberos,$SUFFIX ++default:description: Default Password Policy for Kerberos Services ++default:objectClass: top ++default:objectClass: ldapsubentry ++default:objectClass: cosSuperDefinition ++default:objectClass: cosPointerDefinition ++default:cosTemplateDn: cn=Default Password Policy,cn=cosTemplates,cn=$REALM,cn=kerberos,$SUFFIX ++default:cosAttribute: krbPwdPolicyReference default +diff --git a/install/updates/Makefile.am b/install/updates/Makefile.am +index 455fd209d171888dc94a7f708dc5fa1743f62bf4..310ae39c3b659cbe897380f572824acb26009574 100644 +--- a/install/updates/Makefile.am ++++ b/install/updates/Makefile.am +@@ -23,6 +23,7 @@ app_DATA = \ + 20-winsync_index.update \ + 20-idoverride_index.update \ + 20-uuid.update \ ++ 20-default_password_policy.update \ + 21-replicas_container.update \ + 21-ca_renewal_container.update \ + 21-certstore_container.update \ +diff --git a/ipaserver/install/service.py b/ipaserver/install/service.py +index 057cd3d4b512513a4e3a8f228dc5f07f31fd84e0..6bb2e76f64ac11abc426c70c645cfb042be474c2 100644 +--- a/ipaserver/install/service.py ++++ b/ipaserver/install/service.py +@@ -252,6 +252,7 @@ class Service(object): + # There is no service in the wrong location, nothing to do. 
+ # This can happen when installing a replica + return None ++ entry.pop('krbpwdpolicyreference', None) # don't copy virtual attr + newdn = DN(('krbprincipalname', principal), ('cn', 'services'), ('cn', 'accounts'), self.suffix) + hostdn = DN(('fqdn', self.fqdn), ('cn', 'computers'), ('cn', 'accounts'), self.suffix) + self.admin_conn.delete_entry(entry) +-- +2.7.4 + diff --git a/SOURCES/0152-ipa-kdb-search-for-password-policies-globally.patch b/SOURCES/0152-ipa-kdb-search-for-password-policies-globally.patch new file mode 100644 index 0000000..c92f812 --- /dev/null +++ b/SOURCES/0152-ipa-kdb-search-for-password-policies-globally.patch 
@@ -0,0 +1,38 @@
+From 3e27ba027208df0408c77307e403bc8382aa3395 Mon Sep 17 00:00:00 2001
+From: Alexander Bokovoy
+Date: Thu, 15 Dec 2016 16:30:00 +0200
+Subject: [PATCH] ipa-kdb: search for password policies globally
+
+With the CoS templates now used to create additional password policies
+per object type that are placed under the object subtrees, DAL driver
+needs to search for the policies in the whole tree.
+
+Individual policies referenced by the krbPwdPolicyReference attribute
+are always searched by their full DN and with the base scope. However,
+when KDC asks a DAL driver to return a password policy by name, we don't
+have any specific base to search. The original code did search by the
+realm subtree.
+
+Fixes https://fedorahosted.org/freeipa/ticket/6561
+
+Reviewed-By: Martin Babinsky
+---
+ daemons/ipa-kdb/ipa_kdb_pwdpolicy.c | 2 +-
+ 1 file changed, 1 insertion(+), 1 deletion(-)
+
+diff --git a/daemons/ipa-kdb/ipa_kdb_pwdpolicy.c b/daemons/ipa-kdb/ipa_kdb_pwdpolicy.c
+index 076314a12840881a340763ab5693131aaccafec6..0c810af98f7a37b76afc4ca40b29441d9793f12f 100644
+--- a/daemons/ipa-kdb/ipa_kdb_pwdpolicy.c
++++ b/daemons/ipa-kdb/ipa_kdb_pwdpolicy.c
+@@ -163,7 +163,7 @@ krb5_error_code ipadb_get_pwd_policy(krb5_context kcontext, char *name,
+ }
+
+ kerr = ipadb_simple_search(ipactx,
+- ipactx->realm_base, LDAP_SCOPE_SUBTREE,
++ ipactx->base, LDAP_SCOPE_SUBTREE,
+ src_filter, std_pwdpolicy_attrs, &res);
+ if (kerr) {
+ goto done;
+--
+2.7.4
+
diff --git a/SOURCES/ipa-centos-branding.patch b/SOURCES/ipa-centos-branding.patch
deleted file mode 100644
index 673cd2f..0000000
--- a/SOURCES/ipa-centos-branding.patch
+++ /dev/null
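Review bot: Widening the by-name lookup from `ipactx->realm_base` to `ipactx->base` while keeping LDAP_SCOPE_SUBTREE means the search now spans the whole directory, so the result depends on `src_filter` restricting the object class tightly and on which entry the server returns first when more than one policy carries the same name; the hunk shows neither how `src_filter` is built nor whether the caller handles multiple results. Since `name` arrives from the KDC and the base is now the entire tree, it is worth confirming at the point where `src_filter` is constructed (outside this hunk) that `name` is LDAP-filter-escaped. The spec changelog ties this patch to the CVE-2016-7030 fix, so documenting the scope change at the call site would help the next reader, e.g. `/* policies may live under per-object-type subtrees, not only the realm container */`. `ipadb_get_pwd_policy` starts and ends outside the hunk.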
@@ -1,38 +0,0 @@ -From 99efecaf87dc1fc9517efaff441a6a7ce46444eb Mon Sep 17 00:00:00 2001 -From: Jim Perrin -Date: Wed, 11 Mar 2015 10:37:03 -0500 -Subject: [PATCH] update for new ntp server method - ---- - ipaplatform/base/paths.py | 1 + - ipaserver/install/ntpinstance.py | 2 ++ - 2 files changed, 3 insertions(+) - -diff --git a/ipaplatform/base/paths.py b/ipaplatform/base/paths.py -index af50262..5090062 100644 ---- a/ipaplatform/base/paths.py -+++ b/ipaplatform/base/paths.py -@@ -99,6 +99,7 @@ class BasePathNamespace(object): - PKI_TOMCAT_ALIAS_DIR = "/etc/pki/pki-tomcat/alias/" - PKI_TOMCAT_PASSWORD_CONF = "/etc/pki/pki-tomcat/password.conf" - ETC_REDHAT_RELEASE = "/etc/redhat-release" -+ ETC_CENTOS_RELEASE = "/etc/centos-release" - RESOLV_CONF = "/etc/resolv.conf" - SAMBA_KEYTAB = "/etc/samba/samba.keytab" - SMB_CONF = "/etc/samba/smb.conf" -diff --git a/ipaserver/install/ntpinstance.py b/ipaserver/install/ntpinstance.py -index c653525..4b0578b 100644 ---- a/ipaserver/install/ntpinstance.py -+++ b/ipaserver/install/ntpinstance.py -@@ -44,6 +44,8 @@ class NTPInstance(service.Service): - os = "" - if ipautil.file_exists(paths.ETC_FEDORA_RELEASE): - os = "fedora" -+ elif ipautil.file_exists(paths.ETC_CENTOS_RELEASE): -+ os = "centos" - elif ipautil.file_exists(paths.ETC_REDHAT_RELEASE): - os = "rhel" - --- -1.8.3.1 - diff --git a/SPECS/ipa.spec b/SPECS/ipa.spec index d301bee..ed206ac 100644 --- a/SPECS/ipa.spec +++ b/SPECS/ipa.spec @@ -43,7 +43,7 @@ Name: ipa Version: 4.4.0 -Release: 14%{?dist}.1.1 +Release: 14%{?dist}.4 Summary: The Identity, Policy and Audit system Group: System Environment/Base 
@@ -51,10 +51,10 @@ License: GPLv3+
 URL: http://www.freeipa.org/
 Source0: http://www.freeipa.org/downloads/src/freeipa-%{VERSION}.tar.gz
 # RHEL spec file only: START: Change branding to IPA and Identity-Management
-#Source1: header-logo.png
-#Source2: login-screen-background.jpg
-#Source3: login-screen-logo.png
-#Source4: product-name.png
+Source1: header-logo.png
+Source2: login-screen-background.jpg
+Source3: login-screen-logo.png
+Source4: product-name.png
 # RHEL spec file only: END: Change branding to IPA and Identity-Management
 BuildRoot: %{_tmppath}/%{name}-%{version}-%{release}-root-%(%{__id_u} -n)
@@ -203,9 +203,14 @@ Patch0141: 0141-WebUI-services-without-canonical-name-are-shown-corr.patch
 Patch0142: 0142-Fix-missing-file-that-fails-DL1-replica-installation.patch
 Patch0143: 0143-trustdomain-del-fix-the-way-how-subdomain-is-searche.patch
 Patch0144: 0144-spec-file-bump-minimal-required-version-of-389-ds-ba.patch
-Patch0145: 0145-certprofile-mod-correctly-authorise-config-update.patch
-Patch0146: 0146-password-policy-Add-explicit-default-password-policy.patch
-Patch0147: 0147-ipa-kdb-search-for-password-policies-globally.patch
+Patch0145: 0145-replication-ensure-bind-DN-group-check-interval-is-s.patch
+Patch0146: 0146-bindinstance-use-data-in-named.conf-to-determine-con.patch
+Patch0147: 0147-gracefully-handle-setting-replica-bind-dn-group-on-o.patch
+Patch0148: 0148-add-missing-attribute-to-ipaca-replica-during-CA-top.patch
+Patch0149: 0149-Check-for-conflict-entries-before-raising-domain-lev.patch
+Patch0150: 0150-certprofile-mod-correctly-authorise-config-update.patch
+Patch0151: 0151-password-policy-Add-explicit-default-password-policy.patch
+Patch0152: 0152-ipa-kdb-search-for-password-policies-globally.patch
 Patch1001: 1001-Hide-pkinit-functionality-from-production-version.patch
 Patch1002: 1002-Remove-pkinit-plugin.patch
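Review bot: Re-enabling `Source1` through `Source4` in the `@@ -51,10 +51,10 @@` hunk makes the build depend on four image files in SOURCES, and the matching `cp %SOURCE1`–`cp %SOURCE4` lines are re-enabled in the `@@ -797,10 +801,10 @@` hunk; this diff does not add those files, so they presumably already exist in the repository, otherwise rpmbuild fails — worth confirming. The lines sit between `# RHEL spec file only: START` and `END` markers that say they were deliberately disabled for this distribution, and the `%changelog` hunk drops the earlier "Roll in CentOS Branding" entry instead of recording why the branding files are now shipped, so the reason for the change is undocumented. A one-line comment above `Source1`, e.g. `# branding images must be present in SOURCES for the cp lines in %prep`, would record the dependency.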
@@ -217,7 +222,6 @@ Patch1007: 1007-Do-not-build-tests.patch
 Patch1008: 1008-RCUE.patch
 Patch1009: 1009-Revert-Increased-mod_wsgi-socket-timeout.patch
 Patch1010: 1010-WebUI-add-API-browser-is-tech-preview-warning.patch
-Patch1011: ipa-centos-branding.patch
 # RHEL spec file only: END
 %if ! %{ONLY_CLIENT}
@@ -797,10 +801,10 @@ for p in %patches ; do
 done
 # Red Hat's Identity Management branding
-#cp %SOURCE1 install/ui/images/header-logo.png
-#cp %SOURCE2 install/ui/images/login-screen-background.jpg
-#cp %SOURCE3 install/ui/images/login-screen-logo.png
-#cp %SOURCE4 install/ui/images/product-name.png
+cp %SOURCE1 install/ui/images/header-logo.png
+cp %SOURCE2 install/ui/images/login-screen-background.jpg
+cp %SOURCE3 install/ui/images/login-screen-logo.png
+cp %SOURCE4 install/ui/images/product-name.png
 # RHEL spec file only: END
@@ -1536,14 +1540,28 @@ fi %changelog -* Mon Jan 02 2017 CentOS Sources - 4.4.0-14.el7.centos.1.1 -- Roll in CentOS Branding - -* Fri Dec 16 2016 Jan Cholasta - 4.4.0-14.1.1 +* Fri Dec 16 2016 Jan Cholasta - 4.4.0-14.4 - Resolves: #1370493 CVE-2016-7030 ipa: DoS attack against kerberized services by abusing password policy - ipa-kdb: search for password policies globally -- Renamed patches 1011 and 1012 to 0146 and 0145, as they were merged upstream +- Renamed patches 1011 and 1012 to 0151 and 0150, as they were merged upstream + +* Tue Dec 13 2016 Jan Cholasta - 4.4.0-14.3 +- Resolves: #1404338 Check IdM Topology for broken record caused by replication + conflict before upgrading it + - Check for conflict entries before raising domain level + +* Tue Dec 13 2016 Jan Cholasta - 4.4.0-14.2 +- Resolves: #1401953 ipa-ca-install on promoted replica hangs on creating a + temporary CA admin + - replication: ensure bind DN group check interval is set on replica config + - add missing attribute to ipaca replica during CA topology update +- Resolves: #1404169 IPA upgrade of replica without DNS fails during restart of + named-pkcs11 + - bindinstance: use data in named.conf to determine configuration status +- Resolves: #1404171 Creation of replica for disconnected environment is + failing with CA issuance errors; Need good steps. + - gracefully handle setting replica bind dn group on old masters * Mon Dec 12 2016 Jan Cholasta - 4.4.0-14.1 - Resolves: #1370493 CVE-2016-7030 ipa: DoS attack against kerberized services