diff --git a/SOURCES/0028-extdom-return-LDAP_NO_SUCH_OBJECT-if-domains-differ.patch b/SOURCES/0028-extdom-return-LDAP_NO_SUCH_OBJECT-if-domains-differ.patch new file mode 100644 index 0000000..6db4260 --- /dev/null +++ b/SOURCES/0028-extdom-return-LDAP_NO_SUCH_OBJECT-if-domains-differ.patch @@ -0,0 +1,46 @@ +From 65953c3a20f497c318919c18198da9c57fd7b5be Mon Sep 17 00:00:00 2001 +From: Sumit Bose +Date: Wed, 25 Aug 2021 17:10:29 +0200 +Subject: [PATCH] extdom: return LDAP_NO_SUCH_OBJECT if domains differ + +If a client sends a request to lookup an object from a given trusted +domain by UID or GID and an object with matching ID is only found in a +different domain the extdom should return LDAP_NO_SUCH_OBJECT to +indicate to the client that the requested ID does not exists in the +given domain. + +Resolves: https://pagure.io/freeipa/issue/8965 +Reviewed-By: Rob Crittenden +--- + .../ipa-extdom-extop/ipa_extdom_common.c | 8 ++++++-- + 1 file changed, 6 insertions(+), 2 deletions(-) + +diff --git a/daemons/ipa-slapi-plugins/ipa-extdom-extop/ipa_extdom_common.c b/daemons/ipa-slapi-plugins/ipa-extdom-extop/ipa_extdom_common.c +index 1e96c495ab1b893d963bcf0efde91d46adfd91ba..7c61099ccf2f67a5ea404c4c5e9747104a44a601 100644 +--- a/daemons/ipa-slapi-plugins/ipa-extdom-extop/ipa_extdom_common.c ++++ b/daemons/ipa-slapi-plugins/ipa-extdom-extop/ipa_extdom_common.c +@@ -542,7 +542,9 @@ int pack_ber_user(struct ipa_extdom_ctx *ctx, + if (strcasecmp(locat+1, domain_name) == 0 ) { + locat[0] = '\0'; + } else { +- ret = LDAP_INVALID_SYNTAX; ++ /* The found object is from a different domain than requested, ++ * that means it does not exist in the requested domain */ ++ ret = LDAP_NO_SUCH_OBJECT; + goto done; + } + } +@@ -655,7 +657,9 @@ int pack_ber_group(enum response_types response_type, + if (strcasecmp(locat+1, domain_name) == 0 ) { + locat[0] = '\0'; + } else { +- ret = LDAP_INVALID_SYNTAX; ++ /* The found object is from a different domain than requested, ++ * that means it does not exist in the requested domain */ ++ ret = LDAP_NO_SUCH_OBJECT; + goto done; + } + } +-- +2.31.1 + diff --git a/SOURCES/1001-Change-branding-to-IPA-and-Identity-Management.patch b/SOURCES/1001-Change-branding-to-IPA-and-Identity-Management.patch index 38faab6..dc13b8d 100644 --- a/SOURCES/1001-Change-branding-to-IPA-and-Identity-Management.patch +++ b/SOURCES/1001-Change-branding-to-IPA-and-Identity-Management.patch @@ -1,4 +1,4 @@ -From a93c2ff982b27166206eab66f1b7d6c13eff63ed Mon Sep 17 00:00:00 2001 +From 2178218fdb1d1a8fe2c173d09b1a0dafc8504f3b Mon Sep 17 00:00:00 2001 From: Jan Cholasta Date: Tue, 14 Mar 2017 15:48:07 +0000 Subject: [PATCH] Change branding to IPA and Identity Management @@ -1106,5 +1106,5 @@ index 643215985e932cae6e8d954596194032655b25d4..68baa0174ed88ede3f42092fb68150b5 """) + _(""" To enable the binddn run the following command to set the password: -- -2.26.3 +2.31.1 diff --git a/SOURCES/1002-Package-copy-schema-to-ca.py.patch b/SOURCES/1002-Package-copy-schema-to-ca.py.patch index a53c925..868769e 100644 --- a/SOURCES/1002-Package-copy-schema-to-ca.py.patch +++ b/SOURCES/1002-Package-copy-schema-to-ca.py.patch @@ -1,4 +1,4 @@ -From e83c5db6277d24159c869da9463ab2737396cddc Mon Sep 17 00:00:00 2001 +From 87b561cd11582ac64d10d2fc0288f6dc93eb1786 Mon Sep 17 00:00:00 2001 From: Jan Cholasta Date: Tue, 14 Mar 2017 16:07:15 +0000 Subject: [PATCH] Package copy-schema-to-ca.py @@ -40,5 +40,5 @@ index 922185c4b948fa7a5d1bcab6b2be3b34e99f66d4..8fead26f50cb4f045db6d60f9ca71dd9 -- -2.26.3 +2.31.1 diff --git a/SOURCES/1003-Revert-Increased-mod_wsgi-socket-timeout.patch b/SOURCES/1003-Revert-Increased-mod_wsgi-socket-timeout.patch index 41c4053..7c2f716 100644 --- a/SOURCES/1003-Revert-Increased-mod_wsgi-socket-timeout.patch +++ b/SOURCES/1003-Revert-Increased-mod_wsgi-socket-timeout.patch @@ -1,4 +1,4 @@ -From 98045b1cf0c3d18c958c67a585c8745cf0948675 Mon Sep 17 00:00:00 2001 +From 7f8fdb2a050e72f8a8069e572a957f5ade9c11a8 Mon Sep 17 00:00:00 2001 From: Jan Cholasta Date: Wed, 22 Jun 2016 13:53:46 +0200 Subject: [PATCH] Revert "Increased mod_wsgi socket-timeout" @@ -24,5 +24,5 @@ index 912a63c2240e0681dfbeeac223a902b15b304716..c5fc518f803d379287043b405efeb46d WSGIImportScript /usr/share/ipa/wsgi.py process-group=ipa application-group=ipa WSGIScriptAlias /ipa /usr/share/ipa/wsgi.py -- -2.26.3 +2.31.1 diff --git a/SOURCES/1004-Remove-csrgen.patch b/SOURCES/1004-Remove-csrgen.patch index 0964281..4ab0990 100644 --- a/SOURCES/1004-Remove-csrgen.patch +++ b/SOURCES/1004-Remove-csrgen.patch @@ -1,4 +1,4 @@ -From e4d43beea85e161ac426a5bff8fe10118a72a9a4 Mon Sep 17 00:00:00 2001 +From 117c3b5e46e2ed3cc2e5c74ebe93b6a359c01aba Mon Sep 17 00:00:00 2001 From: Jan Cholasta Date: Thu, 16 Mar 2017 09:44:21 +0000 Subject: [PATCH] Remove csrgen @@ -403,5 +403,5 @@ index 79111ab686b4fe25227796509b3cd3fcb54af728..00000000000000000000000000000000 @@ -1 +0,0 @@ -{{ options|join(";") }} -- -2.26.3 +2.31.1 diff --git a/SOURCES/1005-Removing-filesystem-encoding-check.patch b/SOURCES/1005-Removing-filesystem-encoding-check.patch index e6a31b2..1ee4878 100644 --- a/SOURCES/1005-Removing-filesystem-encoding-check.patch +++ b/SOURCES/1005-Removing-filesystem-encoding-check.patch @@ -1,4 +1,4 @@ -From 47575ded74d9bd4b0691b0e356453629e8d00e49 Mon Sep 17 00:00:00 2001 +From a3c7afb55ef0ed4542dd59295ba4ac9b8a77f88d Mon Sep 17 00:00:00 2001 From: =?UTF-8?q?Tibor=20Dudl=C3=A1k?= Date: Fri, 10 Aug 2018 13:16:38 +0200 Subject: [PATCH] Removing filesystem encoding check @@ -126,5 +126,5 @@ index b660532bd6e8db964b8287845ed1b5ebbcb43b9b..60309c58f250a263c8c3d13b0b47773b IPA_NOT_CONFIGURED = b'IPA is not configured on this system' IPA_CLIENT_NOT_CONFIGURED = b'IPA client is not configured on this system' -- -2.26.3 +2.31.1 diff --git a/SPECS/ipa.spec b/SPECS/ipa.spec index 84089b2..f0c20bb 100644 --- a/SPECS/ipa.spec +++ b/SPECS/ipa.spec @@ -103,7 +103,7 @@ Name: ipa Version: %{IPA_VERSION} -Release: 5%{?dist}.7 +Release: 5%{?dist}.9 Summary: The Identity, Policy and Audit system Group: System Environment/Base @@ -111,9 +111,9 @@ License: GPLv3+ URL: http://www.freeipa.org/ Source0: https://releases.pagure.org/freeipa/freeipa-%{version}.tar.gz # RHEL spec file only: START: Change branding to IPA and Identity Management -#Source1: header-logo.png -#Source2: login-screen-background.jpg -#Source4: product-name.png +Source1: header-logo.png +Source2: login-screen-background.jpg +Source4: product-name.png # RHEL spec file only: END: Change branding to IPA and Identity Management BuildRoot: %{_tmppath}/%{name}-%{version}-%{release}-root-%(%{__id_u} -n) @@ -145,6 +145,7 @@ Patch0024: 0024-ipa-kdb-do-not-use-OpenLDAP-functions-with-NULL-LDAP.patch Patch0025: 0025-CA-less-installation-non-ASCII-chars-in-CA-subject.patch Patch0026: 0026-ipatests-use-non-ascii-chars-in-CA-less-install.patch Patch0027: 0027-Allow-PKINIT-to-be-enabled-when-updating-from-a-pre-.patch +Patch0028: 0028-extdom-return-LDAP_NO_SUCH_OBJECT-if-domains-differ.patch Patch1001: 1001-Change-branding-to-IPA-and-Identity-Management.patch Patch1002: 1002-Package-copy-schema-to-ca.py.patch Patch1003: 1003-Revert-Increased-mod_wsgi-socket-timeout.patch @@ -405,10 +406,7 @@ Requires: oddjob Requires: gssproxy >= 0.7.0-2 # 1.15.2: FindByNameAndCertificate (https://pagure.io/SSSD/sssd/issue/3050) Requires: sssd-dbus >= 1.15.2 - -%if 0%{?centos} == 0 Requires: system-logos >= 70.7.0 -%endif Provides: %{alt_name}-server = %{version} Conflicts: %{alt_name}-server @@ -965,9 +963,9 @@ cp -r %{_builddir}/freeipa-%{version} %{_builddir}/freeipa-%{version}-python3 # with_python3 # RHEL spec file only: START: Change branding to IPA and Identity Management -#cp %SOURCE1 install/ui/images/header-logo.png -#cp %SOURCE2 install/ui/images/login-screen-background.jpg -#cp %SOURCE4 install/ui/images/product-name.png +cp %SOURCE1 install/ui/images/header-logo.png +cp %SOURCE2 install/ui/images/login-screen-background.jpg +cp %SOURCE4 install/ui/images/product-name.png # RHEL spec file only: END: Change branding to IPA and Identity Management @@ -991,8 +989,7 @@ find \ %configure --with-vendor-suffix=-%{release} \ %{enable_server_option} \ %{with_ipatests_option} \ - %{linter_options} \ - --with-ipaplatform=rhel + %{linter_options} %make_build @@ -1013,8 +1010,7 @@ find \ %configure --with-vendor-suffix=-%{release} \ %{enable_server_option} \ %{with_ipatests_option} \ - %{linter_options} \ - --with-ipaplatform=rhel + %{linter_options} popd %endif # with_python3 @@ -1101,11 +1097,9 @@ ln -s %{_bindir}/ipa-test-task-%{python2_version} %{buildroot}%{_bindir}/ipa-tes # remove files which are useful only for make uninstall find %{buildroot} -wholename '*/site-packages/*/install_files.txt' -exec rm {} \; -%if 0%{?centos} == 0 # RHEL spec file only: START: Replace login-screen-logo.png with a symlink ln -sf %{_datadir}/pixmaps/fedora-gdm-logo.png %{buildroot}%{_usr}/share/ipa/ui/images/login-screen-logo.png # RHEL spec file only: END: Replace login-screen-logo.png with a symlink -%endif %find_lang %{gettext_domain} @@ -1762,8 +1756,9 @@ fi %changelog -* Tue Jul 20 2021 CentOS Sources - 4.6.8-5.el7.centos.7 -- Roll in CentOS Branding +* Wed Sep 08 2021 Florence Blanc-Renaud - 4.6.8-5.el7_9.9 +- Resolves: #2000261 - extdom: LDAP_INVALID_SYNTAX returned instead of LDAP_NO_SUCH_OBJECT + - extdom: return LDAP_NO_SUCH_OBJECT if domains differ * Tue Jun 22 2021 Florence Blanc-Renaud - 4.6.8-5.el7_9.7 - Resolves: #1956550 - IPA server installation fails when cert contains non-ASCII character