diff --git a/.gitignore b/.gitignore
index d9c893f..3912c13 100644
--- a/.gitignore
+++ b/.gitignore
@@ -1 +1 @@
-SOURCES/freeipa-4.9.8.tar.gz
+SOURCES/freeipa-4.9.10.tar.gz
diff --git a/.ipa.metadata b/.ipa.metadata
index 15ef586..81f398b 100644
--- a/.ipa.metadata
+++ b/.ipa.metadata
@@ -1 +1 @@
-38641a7f95779ba35089fcc10e25ec82a9b0248e SOURCES/freeipa-4.9.8.tar.gz
+8f2b6a7f52348421fa7c67048dd5ae454f2642fb SOURCES/freeipa-4.9.10.tar.gz
diff --git a/SOURCES/0001-Revert-freeipa.spec-depend-on-bind-dnssec-utils.patch b/SOURCES/0001-Revert-freeipa.spec-depend-on-bind-dnssec-utils.patch
deleted file mode 100644
index 943e986..0000000
--- a/SOURCES/0001-Revert-freeipa.spec-depend-on-bind-dnssec-utils.patch
+++ /dev/null
@@ -1,70 +0,0 @@
-From 0d44e959e5bbe822b51137a8e7cf48fa25533805 Mon Sep 17 00:00:00 2001
-From: Rafael Guterres Jeffman <rjeffman@redhat.com>
-Date: Fri, 10 Dec 2021 12:15:36 -0300
-Subject: [PATCH] Revert "freeipa.spec: depend on bind-dnssec-utils"
-
-This reverts commit f89d59b6e18b54967682f6a37ce92ae67ab3fcda.
----
- freeipa.spec.in | 4 +---
- ipaplatform/base/paths.py | 2 +-
- ipaplatform/fedora/paths.py | 1 +
- ipaserver/dnssec/bindmgr.py | 1 -
- 4 files changed, 3 insertions(+), 5 deletions(-)
-
-diff --git a/freeipa.spec.in b/freeipa.spec.in
-index 8f5c370e5..e20edb7bc 100755
---- a/freeipa.spec.in
-+++ b/freeipa.spec.in
-@@ -576,11 +576,9 @@ Requires: %{name}-server = %{version}-%{release}
- Requires: bind-dyndb-ldap >= 11.2-2
- Requires: bind >= %{bind_version}
- Requires: bind-utils >= %{bind_version}
--# bind-dnssec-utils is required by the OpenDNSSec integration
--# https://pagure.io/freeipa/issue/9026
--Requires: bind-dnssec-utils >= %{bind_version}
- %if %{with bind_pkcs11}
- Requires: bind-pkcs11 >= %{bind_version}
-+Requires: bind-pkcs11-utils >= %{bind_version}
- %else
- Requires: softhsm >= %{softhsm_version}
- Requires: openssl-pkcs11 >= %{openssl_pkcs11_version}
-diff --git a/ipaplatform/base/paths.py b/ipaplatform/base/paths.py
-index 7d21367ec..42a47f1df 100644
---- a/ipaplatform/base/paths.py
-+++ b/ipaplatform/base/paths.py
-@@ -259,7 +259,7 @@ class BasePathNamespace:
- IPA_PKI_RETRIEVE_KEY = "/usr/libexec/ipa/ipa-pki-retrieve-key"
- IPA_HTTPD_PASSWD_READER = "/usr/libexec/ipa/ipa-httpd-pwdreader"
- IPA_PKI_WAIT_RUNNING = "/usr/libexec/ipa/ipa-pki-wait-running"
-- DNSSEC_KEYFROMLABEL = "/usr/sbin/dnssec-keyfromlabel"
-+ DNSSEC_KEYFROMLABEL = "/usr/sbin/dnssec-keyfromlabel-pkcs11"
- GETSEBOOL = "/usr/sbin/getsebool"
- GROUPADD = "/usr/sbin/groupadd"
- USERMOD = "/usr/sbin/usermod"
-diff --git a/ipaplatform/fedora/paths.py b/ipaplatform/fedora/paths.py
-index 4e993c063..92a948966 100644
---- a/ipaplatform/fedora/paths.py
-+++ b/ipaplatform/fedora/paths.py
-@@ -36,6 +36,7 @@ class FedoraPathNamespace(RedHatPathNamespace):
- NAMED_CRYPTO_POLICY_FILE = "/etc/crypto-policies/back-ends/bind.config"
- if HAS_NFS_CONF:
- SYSCONFIG_NFS = '/etc/nfs.conf'
-+ DNSSEC_KEYFROMLABEL = "/usr/sbin/dnssec-keyfromlabel"
-
-
- paths = FedoraPathNamespace()
-diff --git a/ipaserver/dnssec/bindmgr.py b/ipaserver/dnssec/bindmgr.py
-index 0c79cc03d..a15c0e601 100644
---- a/ipaserver/dnssec/bindmgr.py
-+++ b/ipaserver/dnssec/bindmgr.py
-@@ -127,7 +127,6 @@ class BINDMgr:
- )
- cmd = [
- paths.DNSSEC_KEYFROMLABEL,
-- '-E', 'pkcs11',
- '-K', workdir,
- '-a', attrs['idnsSecAlgorithm'][0],
- '-l', uri
---
-2.31.1
-
diff --git a/SOURCES/0001-ipa-otpd-Fix-build-on-older-versions-of-gcc.patch b/SOURCES/0001-ipa-otpd-Fix-build-on-older-versions-of-gcc.patch
new file mode 100644
index 0000000..4852df8
--- /dev/null
+++ b/SOURCES/0001-ipa-otpd-Fix-build-on-older-versions-of-gcc.patch
@@ -0,0 +1,33 @@
+From ff54fe2fdfbab11e08a138cdfd0da900ee865e3d Mon Sep 17 00:00:00 2001
+From: Rafael Guterres Jeffman <rjeffman@redhat.com>
+Date: Fri, 17 Jun 2022 11:22:32 -0300
+Subject: [PATCH] ipa-otpd: Fix build on older versions of gcc.
+
+Older versions of gcc do not support unnamed parameters.
+
+This patch fixes the build on older gcc by applying the same idiom for
+unsued parameters as used by other functions in the same module.
+
+Signed-off-by: Rafael Guterres Jeffman <rjeffman@redhat.com>
+---
+ daemons/ipa-otpd/oauth2.c | 3 ++-
+ 1 file changed, 2 insertions(+), 1 deletion(-)
+
+diff --git a/daemons/ipa-otpd/oauth2.c b/daemons/ipa-otpd/oauth2.c
+index df1ffd50d..11d5c135f 100644
+--- a/daemons/ipa-otpd/oauth2.c
++++ b/daemons/ipa-otpd/oauth2.c
+@@ -319,8 +319,9 @@ static int check_access_token_reply(struct child_ctx *child_ctx,
+ return ret;
+ }
+
+-static void oauth2_on_child_readable(verto_ctx *, verto_ev *ev)
++static void oauth2_on_child_readable(verto_ctx *vctx, verto_ev *ev)
+ {
++ (void)vctx; /* Unused */
+ static char buf[10240];
+ ssize_t io = 0;
+ struct child_ctx *child_ctx = NULL;
+--
+2.36.1
+
diff --git a/SOURCES/0002-Config-plugin-return-EmptyModlist-when-no-change-is-applied_rhbz#2031825.patch b/SOURCES/0002-Config-plugin-return-EmptyModlist-when-no-change-is-applied_rhbz#2031825.patch
deleted file mode 100644
index f5f3cf3..0000000
--- a/SOURCES/0002-Config-plugin-return-EmptyModlist-when-no-change-is-applied_rhbz#2031825.patch
+++ /dev/null
@@ -1,75 +0,0 @@
-From b9c42fed9b6f60801f908c368d0d97a2a69f7bb2 Mon Sep 17 00:00:00 2001
-From: Florence Blanc-Renaud <flo@redhat.com>
-Date: Wed, 15 Dec 2021 10:47:02 +0100
-Subject: [PATCH] Config plugin: return EmptyModlist when no change is applied
-
-When ipa config-mod is called with the option --enable-sid,
-the code needs to trap EmptyModlist exception (it is expected
-that no LDAP attribute is modified by this operation).
-The code had a flaw and was checking:
- 'enable_sid' in options
-instead of
- options['enable_sid']
-
-"'enable_sid' in options" always returns true as this option
-is a Flag with a default value, hence always present even if
-not specified on the command line.
-
-Fixes: https://pagure.io/freeipa/issue/9063
-Reviewed-By: Rob Crittenden <rcritten@redhat.com>
----
- ipaserver/plugins/config.py | 2 +-
- 1 file changed, 1 insertion(+), 1 deletion(-)
-
-diff --git a/ipaserver/plugins/config.py b/ipaserver/plugins/config.py
-index eae401fc3..24446beb0 100644
---- a/ipaserver/plugins/config.py
-+++ b/ipaserver/plugins/config.py
-@@ -707,7 +707,7 @@ class config_mod(LDAPUpdate):
- if (isinstance(exc, errors.EmptyModlist) and
- call_func.__name__ == 'update_entry' and
- ('ca_renewal_master_server' in options or
-- 'enable_sid' in options)):
-+ options['enable_sid'])):
- return
-
- super(config_mod, self).exc_callback(
---
-2.34.1
-
-From cd735099e86304294217147ed578ac902fcf3dd3 Mon Sep 17 00:00:00 2001
-From: Florence Blanc-Renaud <flo@redhat.com>
-Date: Wed, 15 Dec 2021 10:51:05 +0100
-Subject: [PATCH] config plugin: add a test ensuring EmptyModlist is returned
-
-Add a test to test_config_plugin, that calls ipa config-mod
-with the same value as already present in LDAP.
-The call must return EmptyModlist.
-
-Related: https://pagure.io/freeipa/issue/9063
-Reviewed-By: Rob Crittenden <rcritten@redhat.com>
----
- ipatests/test_xmlrpc/test_config_plugin.py | 9 +++++++++
- 1 file changed, 9 insertions(+)
-
-diff --git a/ipatests/test_xmlrpc/test_config_plugin.py b/ipatests/test_xmlrpc/test_config_plugin.py
-index e981bb4a0..a8ec9f0e5 100644
---- a/ipatests/test_xmlrpc/test_config_plugin.py
-+++ b/ipatests/test_xmlrpc/test_config_plugin.py
-@@ -312,4 +312,13 @@ class test_config(Declarative):
- 'value': None,
- },
- ),
-+ dict(
-+ desc='Set the value to the already set value, no modifications',
-+ command=(
-+ 'config_mod', [], {
-+ 'ipasearchrecordslimit': u'100',
-+ },
-+ ),
-+ expected=errors.EmptyModlist(),
-+ ),
- ]
---
-2.34.1
-
diff --git a/SOURCES/0002-webui-IdP-Remove-arrow-notation-due-to-uglify-js-lim.patch b/SOURCES/0002-webui-IdP-Remove-arrow-notation-due-to-uglify-js-lim.patch
new file mode 100644
index 0000000..7928884
--- /dev/null
+++ b/SOURCES/0002-webui-IdP-Remove-arrow-notation-due-to-uglify-js-lim.patch
@@ -0,0 +1,60 @@
+From 7807bcc55b4927fc327830d2237200772d2e1106 Mon Sep 17 00:00:00 2001
+From: Rafael Guterres Jeffman <rjeffman@redhat.com>
+Date: Fri, 17 Jun 2022 15:40:04 -0300
+Subject: [PATCH] webui IdP: Remove arrow notation due to uglify-js limitation.
+
+uglify-js 2.x series do not support ECMAScript 6 arrow notation ('=>')
+for callback definition.
+
+This patch changes the arrow definition callbacks for regular anonymous
+function definitions.
+---
+ install/ui/src/freeipa/idp.js | 10 +++++-----
+ 1 file changed, 5 insertions(+), 5 deletions(-)
+
+diff --git a/install/ui/src/freeipa/idp.js b/install/ui/src/freeipa/idp.js
+index ada09c075..be3c4f0e6 100644
+--- a/install/ui/src/freeipa/idp.js
++++ b/install/ui/src/freeipa/idp.js
+@@ -227,7 +227,7 @@ IPA.add_idp_policy = function() {
+ // For custom template we show custom fields
+ // and mark all of them required and passed to the RPC
+ // If show_custom is false, the opposite happens
+- custom_fields.forEach(fname => {
++ custom_fields.forEach(function(fname) {
+ widget_f = that.container.fields.get_field(fname);
+ widget_f.set_required(show_custom);
+ widget_f.set_enabled(show_custom);
+@@ -235,7 +235,7 @@ IPA.add_idp_policy = function() {
+ });
+
+ // For template fields we show them if custom aren't shown
+- template_fields.forEach(fname => {
++ template_fields.forEach(function(fname) {
+ widget_f = that.container.fields.get_field(fname);
+ widget_f.set_enabled(!show_custom);
+ widget_f.widget.set_visible(!show_custom);
+@@ -252,7 +252,7 @@ IPA.add_idp_policy = function() {
+ var value = prov_f.get_value()[0];
+
+ // First, clear template fields from the previous provider choice
+- template_fields.forEach(fname => {
++ template_fields.forEach(function(fname) {
+ widget_f = that.container.fields.get_field(fname);
+ widget_f.widget.set_visible(false);
+ widget_f.set_required(false);
+@@ -260,9 +260,9 @@ IPA.add_idp_policy = function() {
+ });
+
+ // Second, enable and get required template-specific fields
+- idp.templates.forEach(idp_v => {
++ idp.templates.forEach(function(idp_v) {
+ if (idp_v['value'] == value) {
+- idp_v['fields'].forEach(fname => {
++ idp_v['fields'].forEach(function(fname) {
+ widget_f = that.container.fields.get_field(fname);
+ widget_f.set_required(true);
+ widget_f.set_enabled(true);
+--
+2.36.1
+
diff --git a/SOURCES/0003-Custodia-use-a-stronger-encryption-algo-when-exporting-keys_rhbz#2032806.patch b/SOURCES/0003-Custodia-use-a-stronger-encryption-algo-when-exporting-keys_rhbz#2032806.patch
deleted file mode 100644
index f6cf756..0000000
--- a/SOURCES/0003-Custodia-use-a-stronger-encryption-algo-when-exporting-keys_rhbz#2032806.patch
+++ /dev/null
@@ -1,47 +0,0 @@
-From 653a7fe02880c168755984133ee143567cc7bb4e Mon Sep 17 00:00:00 2001
-From: Francisco Trivino <ftrivino@redhat.com>
-Date: Wed, 26 Jan 2022 15:43:39 +0100
-Subject: [PATCH] Custodia: use a stronger encryption algo when exporting keys
-
-The Custodia key export handler is using the default's OpenSSL encryption
-scheme for PKCS#12.
-
-This represents an issue when performing a migration from CentOS Stream 8 (C8S)
-to CentOS Steam 9 (C9S) where the Custodia client running in the new C9S
-replica talks to the Custodia server on C8S source server. The later creates an
-encrypted PKCS#12 file that contains the cert and the key using the OpenSSL's
-default encryption scheme, which is no longer supported on C9S.
-
-This commit enforces a stronger encryption algorigthm by adding following
-arguments to the Custodia server handler:
-
--keypbe AES-256-CBC -certpbe AES-256-CBC -macalg sha384
-
-The new arguments enforce stronger PBEv2 instead of the insecure PBEv1.
-
-Fixes: https://pagure.io/freeipa/issue/9101
-
-Signed-off-by: Francisco Trivino <ftrivino@redhat.com>
-Reviewed-By: Christian Heimes <cheimes@redhat.com>
-Reviewed-By: Florence Blanc-Renaud <flo@redhat.com>
----
- ipaserver/secrets/handlers/pemfile.py | 3 +++
- 1 file changed, 3 insertions(+)
-
-diff --git a/ipaserver/secrets/handlers/pemfile.py b/ipaserver/secrets/handlers/pemfile.py
-index 4e8eff0e3..ad36bd020 100644
---- a/ipaserver/secrets/handlers/pemfile.py
-+++ b/ipaserver/secrets/handlers/pemfile.py
-@@ -31,6 +31,9 @@ def export_key(args, tmpdir):
- '-out', pk12file,
- '-inkey', args.keyfile,
- '-password', 'file:{pk12pwfile}'.format(pk12pwfile=pk12pwfile),
-+ '-keypbe', 'AES-256-CBC',
-+ '-certpbe', 'AES-256-CBC',
-+ '-macalg', 'sha384',
- ])
-
- with open(pk12file, 'rb') as f:
---
-2.34.1
-
diff --git a/SOURCES/0003-Preserve-user-fix-the-confusing-summary_rhbz#2022028.patch b/SOURCES/0003-Preserve-user-fix-the-confusing-summary_rhbz#2022028.patch
new file mode 100644
index 0000000..a7b9808
--- /dev/null
+++ b/SOURCES/0003-Preserve-user-fix-the-confusing-summary_rhbz#2022028.patch
@@ -0,0 +1,131 @@
+From ff4152539b96d309dcceaf854a3e0a49f435acff Mon Sep 17 00:00:00 2001
+From: Florence Blanc-Renaud <flo@redhat.com>
+Date: Mon, 20 Jun 2022 09:09:11 +0200
+Subject: [PATCH] Preserve user: fix the confusing summary
+
+When ipa user-del --preserve is called, the command output
+prints a summary with:
+ Deleted user: user1
+although the user was preserved.
+Replace the summary with
+ Preserved user: user1
+to reflect what was actually done.
+
+Fixes: https://pagure.io/freeipa/issue/9187
+Signed-off-by: Florence Blanc-Renaud <flo@redhat.com>
+Reviewed-By: Michal Polovka <mpolovka@redhat.com>
+Reviewed-By: Rob Crittenden <rcritten@redhat.com>
+---
+ ipaserver/plugins/user.py | 4 ++++
+ 1 file changed, 4 insertions(+)
+
+diff --git a/ipaserver/plugins/user.py b/ipaserver/plugins/user.py
+index 25d2bb6aa..fa8a67d3d 100644
+--- a/ipaserver/plugins/user.py
++++ b/ipaserver/plugins/user.py
+@@ -56,6 +56,7 @@ from .idviews import remove_ipaobject_overrides
+ from ipalib.plugable import Registry
+ from .baseldap import (
+ LDAPObject,
++ pkey_to_unicode,
+ pkey_to_value,
+ LDAPCreate,
+ LDAPSearch,
+@@ -701,6 +702,7 @@ class user_del(baseuser_del):
+ __doc__ = _('Delete a user.')
+
+ msg_summary = _('Deleted user "%(value)s"')
++ msg_summary_preserved = _('Preserved user "%(value)s"')
+
+ takes_options = baseuser_del.takes_options + (
+ Bool('preserve?',
+@@ -831,6 +833,8 @@ class user_del(baseuser_del):
+ failed.append(pkey_to_value(pkey, options))
+
+ val = dict(result=dict(failed=failed), value=preserved)
++ val['summary'] = self.msg_summary_preserved % dict(
++ value=pkey_to_unicode(preserved))
+ return val
+ else:
+ return super(user_del, self).execute(*keys, **options)
+--
+2.36.1
+
+From 4984ff210a169129e4e56b10e54e9c795520855c Mon Sep 17 00:00:00 2001
+From: Florence Blanc-Renaud <flo@redhat.com>
+Date: Mon, 20 Jun 2022 09:12:14 +0200
+Subject: [PATCH] xmlrpc tests: updated expected output for preserved user
+
+Update the expected summary for the command
+ipa user-del --preserve
+
+The command now displays: Preserved user: user1
+instead of Deleted user: user1
+
+Related: https://pagure.io/freeipa/issue/9187
+
+Signed-off-by: Florence Blanc-Renaud <flo@redhat.com>
+Reviewed-By: Michal Polovka <mpolovka@redhat.com>
+Reviewed-By: Rob Crittenden <rcritten@redhat.com>
+---
+ ipatests/test_xmlrpc/test_stageuser_plugin.py | 5 ++++-
+ ipatests/test_xmlrpc/tracker/user_plugin.py | 7 ++++++-
+ 2 files changed, 10 insertions(+), 2 deletions(-)
+
+diff --git a/ipatests/test_xmlrpc/test_stageuser_plugin.py b/ipatests/test_xmlrpc/test_stageuser_plugin.py
+index bc606b093..fd146876c 100644
+--- a/ipatests/test_xmlrpc/test_stageuser_plugin.py
++++ b/ipatests/test_xmlrpc/test_stageuser_plugin.py
+@@ -479,11 +479,12 @@ class TestActive(XMLRPC_test):
+
+ def test_delete_preserve(self, user):
+ user.ensure_exists()
+- user.track_delete()
++ user.track_delete(preserve=True)
+ command = user.make_delete_command(no_preserve=False, preserve=True)
+ result = command()
+ user.check_delete(result)
+
++ user.track_delete(preserve=False)
+ command = user.make_delete_command()
+ result = command()
+ user.check_delete(result)
+@@ -622,6 +623,7 @@ class TestCustomAttr(XMLRPC_test):
+ assert 'BusinessCat' in result['result'][u'businesscategory']
+
+ # delete the user with --preserve
++ user_customattr.track_delete(preserve=True)
+ command = user_customattr.make_delete_command(no_preserve=False,
+ preserve=True)
+ result = command()
+@@ -763,6 +765,7 @@ class TestGroups(XMLRPC_test):
+ result = command()
+ group.check_retrieve(result)
+
++ user.track_delete(preserve=True)
+ command = user.make_delete_command(no_preserve=False, preserve=True)
+ result = command()
+ user.check_delete(result)
+diff --git a/ipatests/test_xmlrpc/tracker/user_plugin.py b/ipatests/test_xmlrpc/tracker/user_plugin.py
+index 03c106250..b04be4c19 100644
+--- a/ipatests/test_xmlrpc/tracker/user_plugin.py
++++ b/ipatests/test_xmlrpc/tracker/user_plugin.py
+@@ -273,9 +273,14 @@ class UserTracker(CertmapdataMixin, KerberosAliasMixin, Tracker):
+
+ def check_delete(self, result):
+ """ Check 'user-del' command result """
++ if u'preserved' in self.attrs and self.attrs[u'preserved']:
++ summary = u'Preserved user "%s"' % self.uid
++ else:
++ summary = u'Deleted user "%s"' % self.uid
++
+ assert_deepequal(dict(
+ value=[self.uid],
+- summary=u'Deleted user "%s"' % self.uid,
++ summary=summary,
+ result=dict(failed=[]),
+ ), result)
+
+--
+2.36.1
+
diff --git a/SOURCES/0004-Only-calculate-LDAP-password-grace-when-the-password_rhbz#782917.patch b/SOURCES/0004-Only-calculate-LDAP-password-grace-when-the-password_rhbz#782917.patch
new file mode 100644
index 0000000..54da08a
--- /dev/null
+++ b/SOURCES/0004-Only-calculate-LDAP-password-grace-when-the-password_rhbz#782917.patch
@@ -0,0 +1,56 @@
+From 3675bd1d7aca443832bb9bb2f521cc4d3a088aec Mon Sep 17 00:00:00 2001
+From: Rob Crittenden <rcritten@redhat.com>
+Date: Wed, 29 Jun 2022 13:25:55 +0000
+Subject: [PATCH] Only calculate LDAP password grace when the password is
+ expired
+
+The user's pwd expiration was retrieved but inadvertently was never
+compared to current time. So any LDAP bind, including from the
+IPA API, counted against the grace period. There is no need to go
+through the graceperiod code for non-expired passwords.
+
+https://pagure.io/freeipa/issue/1539
+
+Signed-off-by: Rob Crittenden <rcritten@redhat.com>
+Reviewed-By: Florence Blanc-Renaud <frenaud@redhat.com>
+---
+ .../ipa-graceperiod/ipa_graceperiod.c | 12 +++++++++---
+ 1 file changed, 9 insertions(+), 3 deletions(-)
+
+diff --git a/daemons/ipa-slapi-plugins/ipa-graceperiod/ipa_graceperiod.c b/daemons/ipa-slapi-plugins/ipa-graceperiod/ipa_graceperiod.c
+index 0860b5c20..a3f57cb4b 100644
+--- a/daemons/ipa-slapi-plugins/ipa-graceperiod/ipa_graceperiod.c
++++ b/daemons/ipa-slapi-plugins/ipa-graceperiod/ipa_graceperiod.c
+@@ -359,7 +359,8 @@ static int ipagraceperiod_preop(Slapi_PBlock *pb)
+ Slapi_ValueSet *values = NULL;
+ long grace_limit = 0;
+ int grace_user_time;
+- char *pwd_expiration = NULL;
++ char *tmpstr = NULL;
++ time_t pwd_expiration;
+ int pwresponse_requested = 0;
+ Slapi_PBlock *pbtm = NULL;
+ Slapi_Mods *smods = NULL;
+@@ -414,12 +415,17 @@ static int ipagraceperiod_preop(Slapi_PBlock *pb)
+ }
+ slapi_value_free(&objectclass);
+
+- pwd_expiration = slapi_entry_attr_get_charptr(target_entry, "krbPasswordExpiration");
+- if (pwd_expiration == NULL) {
++ tmpstr = slapi_entry_attr_get_charptr(target_entry, "krbPasswordExpiration");
++ if (tmpstr == NULL) {
+ /* No expiration means nothing to do */
+ LOG_TRACE("No krbPasswordExpiration for %s, nothing to do\n", dn);
+ goto done;
+ }
++ pwd_expiration = ipapwd_gentime_to_time_t(tmpstr);
++ if (pwd_expiration > time(NULL)) {
++ /* Not expired, nothing to see here */
++ goto done;
++ }
+
+ ldrc = ipagraceperiod_getpolicy(target_entry, &policy_entry,
+ &values, &actual_type_name,
+--
+2.36.1
+
diff --git a/SOURCES/0004-ipa-kdb-do-not-remove-keys-for-hardened-auth-enabled-users_rhbz#2033342.patch b/SOURCES/0004-ipa-kdb-do-not-remove-keys-for-hardened-auth-enabled-users_rhbz#2033342.patch
deleted file mode 100644
index 1e342e5..0000000
--- a/SOURCES/0004-ipa-kdb-do-not-remove-keys-for-hardened-auth-enabled-users_rhbz#2033342.patch
+++ /dev/null
@@ -1,122 +0,0 @@
-From 6d70421f57d0eca066a922e09416ef7195ee96d4 Mon Sep 17 00:00:00 2001
-From: Julien Rische <jrische@redhat.com>
-Date: Tue, 1 Feb 2022 16:43:09 +0100
-Subject: [PATCH] ipa-kdb: do not remove keys for hardened auth-enabled users
-
-Since 5d51ae5, principal keys were dropped in case user auth indicator
-was not including password. Thereafter, the key removal behavior was
-removed by 15ff9c8 in the context of the kdcpolicy plugin introduction.
-Support for hardened pre-auth methods (FAST and SPAKE) was added in
-d057040, and the removal of principal keys was restored afterwards by
-f0d12b7, but not taking the new hardened auth indicator into account.
-
-Fixes: https://pagure.io/freeipa/issue/9065
-Related to: https://pagure.io/freeipa/issue/8001
-
-Signed-off-by: Julien Rische <jrische@redhat.com>
-Reviewed-By: Alexander Bokovoy <abokovoy@redhat.com>
-Reviewed-By: Francisco Trivino <ftrivino@redhat.com>
----
- daemons/ipa-kdb/ipa_kdb_principals.c | 23 ++++++++++++-----------
- 1 file changed, 12 insertions(+), 11 deletions(-)
-
-diff --git a/daemons/ipa-kdb/ipa_kdb_principals.c b/daemons/ipa-kdb/ipa_kdb_principals.c
-index 15f3df4fe..0d0d3748c 100644
---- a/daemons/ipa-kdb/ipa_kdb_principals.c
-+++ b/daemons/ipa-kdb/ipa_kdb_principals.c
-@@ -788,17 +788,18 @@ static krb5_error_code ipadb_parse_ldap_entry(krb5_context kcontext,
- &res_key_data, &result, &mkvno);
- switch (ret) {
- case 0:
-- /* Only set a principal's key if password auth can be used. Otherwise
-- * the KDC would add pre-authentication methods to the NEEDED_PREAUTH
-- * reply for AS-REQs which indicate the password authentication is
-- * available. This might confuse applications like e.g. SSSD which try
-- * to determine suitable authentication methods and corresponding
-- * prompts with the help of MIT Kerberos' responder interface which
-- * acts on the returned pre-authentication methods. A typical example
-- * is enforced OTP authentication where of course keys are available
-- * for the first factor but password authentication should not be
-- * advertised by the KDC. */
-- if (!(ua & IPADB_USER_AUTH_PASSWORD) && (ua != IPADB_USER_AUTH_NONE)) {
-+ /* Only set a principal's key if password or hardened auth can be used.
-+ * Otherwise the KDC would add pre-authentication methods to the
-+ * NEEDED_PREAUTH reply for AS-REQs which indicate the password
-+ * authentication is available. This might confuse applications like
-+ * e.g. SSSD which try to determine suitable authentication methods and
-+ * corresponding prompts with the help of MIT Kerberos' responder
-+ * interface which acts on the returned pre-authentication methods. A
-+ * typical example is enforced OTP authentication where of course keys
-+ * are available for the first factor but password authentication
-+ * should not be advertised by the KDC. */
-+ if (!(ua & (IPADB_USER_AUTH_PASSWORD | IPADB_USER_AUTH_HARDENED)) &&
-+ (ua != IPADB_USER_AUTH_NONE)) {
- /* This is the same behavior as ENOENT below. */
- ipa_krb5_free_key_data(res_key_data, result);
- break;
---
-2.34.1
-
-From 294ae35a61e6ca8816b261c57508e4be21221864 Mon Sep 17 00:00:00 2001
-From: Julien Rische <jrische@redhat.com>
-Date: Tue, 1 Feb 2022 19:38:29 +0100
-Subject: [PATCH] ipatests: add case for hardened-only ticket policy
-
-Signed-off-by: Julien Rische <jrische@redhat.com>
-Reviewed-By: Alexander Bokovoy <abokovoy@redhat.com>
-Reviewed-By: Francisco Trivino <ftrivino@redhat.com>
----
- ipatests/test_integration/test_krbtpolicy.py | 30 ++++++++++++++++++--
- 1 file changed, 28 insertions(+), 2 deletions(-)
-
-diff --git a/ipatests/test_integration/test_krbtpolicy.py b/ipatests/test_integration/test_krbtpolicy.py
-index 63e75ae67..9489fbc97 100644
---- a/ipatests/test_integration/test_krbtpolicy.py
-+++ b/ipatests/test_integration/test_krbtpolicy.py
-@@ -103,8 +103,8 @@ class TestPWPolicy(IntegrationTest):
- result = master.run_command('klist | grep krbtgt')
- assert maxlife_within_policy(result.stdout_text, MAXLIFE) is True
-
-- def test_krbtpolicy_hardended(self):
-- """Test a hardened kerberos ticket policy with 10 min tickets"""
-+ def test_krbtpolicy_password_and_hardended(self):
-+ """Test a pwd and hardened kerberos ticket policy with 10min tickets"""
- master = self.master
- master.run_command(['ipa', 'user-mod', USER1,
- '--user-auth-type', 'password',
-@@ -131,6 +131,32 @@ class TestPWPolicy(IntegrationTest):
- result = master.run_command('klist | grep krbtgt')
- assert maxlife_within_policy(result.stdout_text, MAXLIFE) is True
-
-+ def test_krbtpolicy_hardended(self):
-+ """Test a hardened kerberos ticket policy with 30min tickets"""
-+ master = self.master
-+ master.run_command(['ipa', 'user-mod', USER1,
-+ '--user-auth-type', 'hardened'])
-+ master.run_command(['ipa', 'config-mod',
-+ '--user-auth-type', 'hardened'])
-+ master.run_command(['ipa', 'krbtpolicy-mod', USER1,
-+ '--hardened-maxlife', '1800'])
-+
-+ tasks.kdestroy_all(master)
-+
-+ master.run_command(['kinit', USER1],
-+ stdin_text=PASSWORD + '\n')
-+ result = master.run_command('klist | grep krbtgt')
-+ assert maxlife_within_policy(result.stdout_text, 1800,
-+ slush=1800) is True
-+
-+ tasks.kdestroy_all(master)
-+
-+ # Verify that the short policy only applies to USER1
-+ master.run_command(['kinit', USER2],
-+ stdin_text=PASSWORD + '\n')
-+ result = master.run_command('klist | grep krbtgt')
-+ assert maxlife_within_policy(result.stdout_text, MAXLIFE) is True
-+
- def test_krbtpolicy_password(self):
- """Test the kerberos ticket policy which issues 20 min tickets"""
- master = self.master
---
-2.34.1
-
diff --git a/SOURCES/0005-Add-end-to-end-integration-tests-for-external-IdP.patch b/SOURCES/0005-Add-end-to-end-integration-tests-for-external-IdP.patch
new file mode 100644
index 0000000..700df13
--- /dev/null
+++ b/SOURCES/0005-Add-end-to-end-integration-tests-for-external-IdP.patch
@@ -0,0 +1,346 @@
+From 857713c5a9c8e0b62c06dd92e69c09eeb34b2e99 Mon Sep 17 00:00:00 2001
+From: Anuja More <amore@redhat.com>
+Date: Mon, 23 May 2022 12:26:34 +0530
+Subject: [PATCH] Add end to end integration tests for external IdP
+
+Added tests for HBAC and SUDO rule and other
+test scenarios.
+
+Related : https://pagure.io/freeipa/issue/8805
+Related: https://pagure.io/freeipa/issue/8803
+Related: https://pagure.io/freeipa/issue/8804
+
+Signed-off-by: Anuja More <amore@redhat.com>
+Reviewed-By: Florence Blanc-Renaud <flo@redhat.com>
+Reviewed-By: Florence Blanc-Renaud <flo@redhat.com>
+---
+ ipatests/test_integration/test_idp.py | 260 ++++++++++++++++++++++----
+ 1 file changed, 226 insertions(+), 34 deletions(-)
+
+diff --git a/ipatests/test_integration/test_idp.py b/ipatests/test_integration/test_idp.py
+index 8f9e92e6a..2ffe6a208 100644
+--- a/ipatests/test_integration/test_idp.py
++++ b/ipatests/test_integration/test_idp.py
+@@ -1,6 +1,8 @@
+ from __future__ import absolute_import
+
+ import time
++import pytest
++import re
+
+ import textwrap
+ from ipaplatform.paths import paths
+@@ -22,12 +24,12 @@ driver.get(verification_uri)
+ try:
+ element = WebDriverWait(driver, 90).until(
+ EC.presence_of_element_located((By.ID, "username")))
+- driver.find_element_by_id("username").send_keys("testuser1")
+- driver.find_element_by_id("password").send_keys("{passwd}")
+- driver.find_element_by_id("kc-login").click()
++ driver.find_element(By.ID, "username").send_keys("testuser1")
++ driver.find_element(By.ID, "password").send_keys("{passwd}")
++ driver.find_element(By.ID, "kc-login").click()
+ element = WebDriverWait(driver, 90).until(
+ EC.presence_of_element_located((By.ID, "kc-login")))
+- driver.find_element_by_id("kc-login").click()
++ driver.find_element(By.ID, "kc-login").click()
+ assert "Device Login Successful" in driver.page_source
+ finally:
+ now = datetime.now().strftime("%M-%S")
+@@ -39,18 +41,12 @@ finally:
+ def add_user_code(host, verification_uri):
+ contents = user_code_script.format(uri=verification_uri,
+ passwd=host.config.admin_password)
+- host.put_file_contents("/tmp/add_user_code.py", contents)
+- tasks.run_repeatedly(
+- host, ['python3', '/tmp/add_user_code.py'])
+-
+-
+-def get_verification_uri(host, since, keycloak_server_name):
+- command = textwrap.dedent("""
+- journalctl -u ipa-otpd\\* --since="%s" | grep "user_code:" | awk '{ print substr($7,2,9) }'""" % since) # noqa: E501
+- user_code = host.run_command(command).stdout_text.rstrip("\r\n")
+- uri = ("https://{0}:8443/auth/realms/master/device?user_code={1}".format(
+- keycloak_server_name, user_code))
+- return uri
++ try:
++ host.put_file_contents("/tmp/add_user_code.py", contents)
++ tasks.run_repeatedly(
++ host, ['python3', '/tmp/add_user_code.py'])
++ finally:
++ host.run_command(["rm", "-f", "/tmp/add_user_code.py"])
+
+
+ def kinit_idp(host, user, keycloak_server):
+@@ -58,11 +54,14 @@ def kinit_idp(host, user, keycloak_server):
+ tasks.kdestroy_all(host)
+ # create armor for FAST
+ host.run_command(["kinit", "-n", "-c", ARMOR])
+- since = time.strftime('%Y-%m-%d %H:%M:%S')
+ cmd = ["kinit", "-T", ARMOR, user]
++
+ with host.spawn_expect(cmd, default_timeout=100) as e:
+- e.expect('Authenticate at .+: ')
+- uri = get_verification_uri(host, since, keycloak_server.hostname)
++ e.expect('Authenticate at (.+) and press ENTER.:')
++ prompt = e.get_last_output()
++ uri = re.search(r'Authenticate at (.*?) and press ENTER.:', prompt
++ ).group(1)
++ time.sleep(15)
+ if uri:
+ add_user_code(keycloak_server, uri)
+ e.sendline('\n')
+@@ -74,21 +73,27 @@ def kinit_idp(host, user, keycloak_server):
+
+ class TestIDPKeycloak(IntegrationTest):
+
+- num_replicas = 1
++ num_replicas = 2
+ topology = 'line'
+
+ @classmethod
+ def install(cls, mh):
+- tasks.install_master(cls.master, setup_dns=True)
+- tasks.install_client(cls.master, cls.replicas[0])
+- content = cls.master.get_file_contents(paths.IPA_DEFAULT_CONF,
+- encoding='utf-8')
+- new_content = content + "\noidc_child_debug_level = 10"
+- cls.master.put_file_contents(paths.IPA_DEFAULT_CONF, new_content)
++ cls.client = cls.replicas[0]
++ cls.replica = cls.replicas[1]
++ tasks.install_master(cls.master)
++ tasks.install_client(cls.master, cls.replicas[0],
++ extra_args=["--mkhomedir"])
++ tasks.install_replica(cls.master, cls.replicas[1])
++ for host in [cls.master, cls.replicas[0], cls.replicas[1]]:
++ content = host.get_file_contents(paths.IPA_DEFAULT_CONF,
++ encoding='utf-8')
++ new_content = content + "\noidc_child_debug_level = 10"
++ host.put_file_contents(paths.IPA_DEFAULT_CONF, new_content)
+ with tasks.remote_sssd_config(cls.master) as sssd_config:
+ sssd_config.edit_domain(
+ cls.master.domain, 'krb5_auth_timeout', 1100)
+ tasks.clear_sssd_cache(cls.master)
++ tasks.clear_sssd_cache(cls.replicas[0])
+ tasks.kinit_admin(cls.master)
+ cls.master.run_command(["ipa", "config-mod", "--user-auth-type=idp",
+ "--user-auth-type=password"])
+@@ -97,20 +102,207 @@ class TestIDPKeycloak(IntegrationTest):
+ cls.replicas[0].run_command(xvfb)
+
+ def test_auth_keycloak_idp(self):
+- keycloak_srv = self.replicas[0]
+- create_quarkus.setup_keycloakserver(keycloak_srv)
++ """
++ Test case to check that OAuth 2.0 Device
++ Authorization Grant is working as
++ expected for user configured with external idp.
++ """
++ create_quarkus.setup_keycloakserver(self.client)
+ time.sleep(60)
+- create_quarkus.setup_keycloak_client(keycloak_srv)
++ create_quarkus.setup_keycloak_client(self.client)
+ tasks.kinit_admin(self.master)
+- cmd = ["ipa", "idp-add", "keycloak", "--provider=keycloak",
++ cmd = ["ipa", "idp-add", "keycloakidp", "--provider=keycloak",
+ "--client-id=ipa_oidc_client", "--org=master",
+- "--base-url={0}:8443/auth".format(keycloak_srv.hostname)]
++ "--base-url={0}:8443/auth".format(self.client.hostname)]
+ self.master.run_command(cmd, stdin_text="{0}\n{0}".format(
+- keycloak_srv.config.admin_password))
++ self.client.config.admin_password))
+ tasks.user_add(self.master, 'keycloakuser',
+ extra_args=["--user-auth-type=idp",
+ "--idp-user-id=testuser1@ipa.test",
+- "--idp=keycloak"]
++ "--idp=keycloakidp"]
+ )
++ list_user = self.master.run_command(
++ ["ipa", "user-find", "--idp-user-id=testuser1@ipa.test"]
++ )
++ assert "keycloakuser" in list_user.stdout_text
++ list_by_idp = self.master.run_command(["ipa", "user-find",
++ "--idp=keycloakidp"]
++ )
++ assert "keycloakuser" in list_by_idp.stdout_text
++ list_by_user = self.master.run_command(
++ ["ipa", "user-find", "--idp-user-id=testuser1@ipa.test", "--all"]
++ )
++ assert "keycloakidp" in list_by_user.stdout_text
++ tasks.clear_sssd_cache(self.master)
++ kinit_idp(self.master, 'keycloakuser', keycloak_server=self.client)
++
++ @pytest.fixture
++ def hbac_setup_teardown(self):
++ # allow sshd only on given host
++ tasks.kinit_admin(self.master)
++ self.master.run_command(["ipa", "hbacrule-disable", "allow_all"])
++ self.master.run_command(["ipa", "hbacrule-add", "rule1"])
++ self.master.run_command(["ipa", "hbacrule-add-user", "rule1",
++ "--users=keycloakuser"]
++ )
++ self.master.run_command(["ipa", "hbacrule-add-host", "rule1",
++ "--hosts", self.replica.hostname])
++ self.master.run_command(["ipa", "hbacrule-add-service", "rule1",
++ "--hbacsvcs=sshd"]
++ )
++ tasks.clear_sssd_cache(self.master)
++ tasks.clear_sssd_cache(self.replica)
++ yield
++
++ # cleanup
++ tasks.kinit_admin(self.master)
++ self.master.run_command(["ipa", "hbacrule-enable", "allow_all"])
++ self.master.run_command(["ipa", "hbacrule-del", "rule1"])
++
++ def test_auth_hbac(self, hbac_setup_teardown):
++ """
++ Test case to check that hbacrule is working as
++ expected for user configured with external idp.
++ """
++ kinit_idp(self.master, 'keycloakuser', keycloak_server=self.client)
++ ssh_cmd = "ssh -q -K -l keycloakuser {0} whoami"
++ valid_ssh = self.master.run_command(
++ ssh_cmd.format(self.replica.hostname))
++ assert "keycloakuser" in valid_ssh.stdout_text
++ negative_ssh = self.master.run_command(
++ ssh_cmd.format(self.master.hostname), raiseonerr=False
++ )
++ assert negative_ssh.returncode == 255
++
++ def test_auth_sudo_idp(self):
++ """
++ Test case to check that sudorule is working as
++ expected for user configured with external idp.
++ """
++ tasks.kdestroy_all(self.master)
++ tasks.kinit_admin(self.master)
++ # rule: keycloakuser are allowed to execute yum on
++ # the client machine as root.
++ cmdlist = [
++ ["ipa", "sudocmd-add", "/usr/bin/yum"],
++ ["ipa", "sudorule-add", "sudorule"],
++ ['ipa', 'sudorule-add-user', '--users=keycloakuser',
++ 'sudorule'],
++ ['ipa', 'sudorule-add-host', '--hosts',
++ self.client.hostname, 'sudorule'],
++ ['ipa', 'sudorule-add-runasuser',
++ '--users=root', 'sudorule'],
++ ['ipa', 'sudorule-add-allow-command',
++ '--sudocmds=/usr/bin/yum', 'sudorule'],
++ ['ipa', 'sudorule-show', 'sudorule', '--all'],
++ ['ipa', 'sudorule-add-option',
++ 'sudorule', '--sudooption', "!authenticate"]
++ ]
++ for cmd in cmdlist:
++ self.master.run_command(cmd)
++ tasks.clear_sssd_cache(self.master)
++ tasks.clear_sssd_cache(self.client)
++ try:
++ cmd = 'sudo -ll -U keycloakuser'
++ test = self.client.run_command(cmd).stdout_text
++ assert "User keycloakuser may run the following commands" in test
++ assert "/usr/bin/yum" in test
++ kinit_idp(self.client, 'keycloakuser', self.client)
++ test_sudo = 'su -c "sudo yum list wget" keycloakuser'
++ self.client.run_command(test_sudo)
++ list_fail = self.master.run_command(cmd).stdout_text
++ assert "User keycloakuser is not allowed to run sudo" in list_fail
++ finally:
++ tasks.kinit_admin(self.master)
++ self.master.run_command(['ipa', 'sudorule-del', 'sudorule'])
++ self.master.run_command(["ipa", "sudocmd-del", "/usr/bin/yum"])
++
++ def test_auth_replica(self):
++ """
++ Test case to check that OAuth 2.0 Device
++ Authorization is working as expected on replica.
++ """
++ tasks.clear_sssd_cache(self.master)
++ tasks.clear_sssd_cache(self.replica)
++ tasks.kinit_admin(self.replica)
++ list_user = self.master.run_command(
++ ["ipa", "user-find", "--idp-user-id=testuser1@ipa.test"]
++ )
++ assert "keycloakuser" in list_user.stdout_text
++ list_by_idp = self.replica.run_command(["ipa", "user-find",
++ "--idp=keycloakidp"]
++ )
++ assert "keycloakuser" in list_by_idp.stdout_text
++ list_by_user = self.replica.run_command(
++ ["ipa", "user-find", "--idp-user-id=testuser1@ipa.test", "--all"]
++ )
++ assert "keycloakidp" in list_by_user.stdout_text
++ kinit_idp(self.replica, 'keycloakuser', keycloak_server=self.client)
++
++ def test_idp_with_services(self):
++ """
++ Test case to check that services can be configured
++ auth indicator as idp.
++ """
+ tasks.clear_sssd_cache(self.master)
+- kinit_idp(self.master, 'keycloakuser', keycloak_srv)
++ tasks.kinit_admin(self.master)
++ domain = self.master.domain.name.upper()
++ services = [
++ "DNS/{0}@{1}".format(self.master.hostname, domain),
++ "HTTP/{0}@{1}".format(self.client.hostname, domain),
++ "dogtag/{0}@{1}".format(self.master.hostname, domain),
++ "ipa-dnskeysyncd/{0}@{1}".format(self.master.hostname, domain)
++ ]
++ try:
++ for service in services:
++ test = self.master.run_command(["ipa", "service-mod", service,
++ "--auth-ind=idp"]
++ )
++ assert "Authentication Indicators: idp" in test.stdout_text
++ finally:
++ for service in services:
++ self.master.run_command(["ipa", "service-mod", service,
++ "--auth-ind="])
++
++ def test_idp_backup_restore(self):
++ """
++ Test case to check that after restore data is retrieved
++ with related idp configuration.
++ """
++ tasks.kinit_admin(self.master)
++ user = "backupuser"
++ cmd = ["ipa", "idp-add", "testidp", "--provider=keycloak",
++ "--client-id=ipa_oidc_client", "--org=master",
++ "--base-url={0}:8443/auth".format(self.client.hostname)]
++ self.master.run_command(cmd, stdin_text="{0}\n{0}".format(
++ self.client.config.admin_password))
++
++ tasks.user_add(self.master, user,
++ extra_args=["--user-auth-type=idp",
++ "--idp-user-id=testuser1@ipa.test",
++ "--idp=testidp"]
++ )
++
++ backup_path = tasks.get_backup_dir(self.master)
++ # change data after backup
++ self.master.run_command(['ipa', 'user-del', user])
++ self.master.run_command(['ipa', 'idp-del', 'testidp'])
++ dirman_password = self.master.config.dirman_password
++ self.master.run_command(['ipa-restore', backup_path],
++ stdin_text=dirman_password + '\nyes')
++ try:
++ list_user = self.master.run_command(
++ ['ipa', 'user-show', 'backupuser', '--all']
++ ).stdout_text
++ assert "External IdP configuration: testidp" in list_user
++ assert "User authentication types: idp" in list_user
++ assert ("External IdP user identifier: "
++ "testuser1@ipa.test") in list_user
++ list_idp = self.master.run_command(['ipa', 'idp-find', 'testidp'])
++ assert "testidp" in list_idp.stdout_text
++ kinit_idp(self.master, user, self.client)
++ finally:
++ tasks.kdestroy_all(self.master)
++ tasks.kinit_admin(self.master)
++ self.master.run_command(["rm", "-rf", backup_path])
++ self.master.run_command(["ipa", "idp-del", "testidp"])
+--
+2.36.1
+
diff --git a/SOURCES/0005-ipa-pki-proxy.conf-provide-access-to-kra-admin-kra-getStatus_rhbz#2049167.patch b/SOURCES/0005-ipa-pki-proxy.conf-provide-access-to-kra-admin-kra-getStatus_rhbz#2049167.patch
deleted file mode 100644
index 3ac05fa..0000000
--- a/SOURCES/0005-ipa-pki-proxy.conf-provide-access-to-kra-admin-kra-getStatus_rhbz#2049167.patch
+++ /dev/null
@@ -1,44 +0,0 @@
-From 9bae5492270d8b695999cd82831cbee62b04626b Mon Sep 17 00:00:00 2001
-From: Florence Blanc-Renaud <flo@redhat.com>
-Date: Fri, 28 Jan 2022 16:58:42 +0100
-Subject: [PATCH] ipa-pki-proxy.conf: provide access to
- /kra/admin/kra/getStatus
-
-The access to /kra/admin/kra/getStatus will be needed
-in order to fix pki-healthcheck.
-Note that this commit is a pre-requisite for the fix
-to be done on PKI side. No test added since the full
-integration test already exists in test_replica_promotion.py,
-in TestHiddenReplicaPromotion::test_ipahealthcheck_hidden_replica
-
-Fixes: https://pagure.io/freeipa/issue/9099
-Related: https://pagure.io/freeipa/issue/8582
-
-Signed-off-by: Florence Blanc-Renaud <flo@redhat.com>
-Reviewed-By: Rob Crittenden <rcritten@redhat.com>
----
- install/share/ipa-pki-proxy.conf.template | 4 ++--
- 1 file changed, 2 insertions(+), 2 deletions(-)
-
-diff --git a/install/share/ipa-pki-proxy.conf.template b/install/share/ipa-pki-proxy.conf.template
-index 96708482c..7a46f20b9 100644
---- a/install/share/ipa-pki-proxy.conf.template
-+++ b/install/share/ipa-pki-proxy.conf.template
-@@ -1,4 +1,4 @@
--# VERSION 16 - DO NOT REMOVE THIS LINE
-+# VERSION 17 - DO NOT REMOVE THIS LINE
-
- ProxyRequests Off
-
-@@ -11,7 +11,7 @@ ProxyRequests Off
- </LocationMatch>
-
- # matches for admin port and installer
--<LocationMatch "^/ca/admin/ca/getCertChain|^/ca/admin/ca/getConfigEntries|^/ca/admin/ca/getCookie|^/ca/admin/ca/getStatus|^/ca/admin/ca/securityDomainLogin|^/ca/admin/ca/getDomainXML|^/ca/admin/ca/updateNumberRange|^/ca/admin/ca/tokenAuthenticate|^/ca/admin/ca/updateNumberRange|^/ca/admin/ca/updateDomainXML|^/ca/admin/ca/updateConnector|^/ca/admin/ca/getSubsystemCert|^/kra/admin/kra/updateNumberRange|^/kra/admin/kra/getConfigEntries">
-+<LocationMatch "^/ca/admin/ca/getCertChain|^/ca/admin/ca/getConfigEntries|^/ca/admin/ca/getCookie|^/ca/admin/ca/getStatus|^/ca/admin/ca/securityDomainLogin|^/ca/admin/ca/getDomainXML|^/ca/admin/ca/updateNumberRange|^/ca/admin/ca/tokenAuthenticate|^/ca/admin/ca/updateNumberRange|^/ca/admin/ca/updateDomainXML|^/ca/admin/ca/updateConnector|^/ca/admin/ca/getSubsystemCert|^/kra/admin/kra/updateNumberRange|^/kra/admin/kra/getConfigEntries|^/kra/admin/kra/getStatus">
- SSLOptions +StdEnvVars +ExportCertData +StrictRequire +OptRenegotiate
- SSLVerifyClient none
- ProxyPassMatch ajp://localhost:$DOGTAG_PORT $DOGTAG_AJP_SECRET
---
-2.34.1
-
diff --git a/SOURCES/0006-Backport-latest-test-fxes-in-python3-ipatests_rhbz#2048509.patch b/SOURCES/0006-Backport-latest-test-fxes-in-python3-ipatests_rhbz#2048509.patch
deleted file mode 100644
index 14d1f0c..0000000
--- a/SOURCES/0006-Backport-latest-test-fxes-in-python3-ipatests_rhbz#2048509.patch
+++ /dev/null
@@ -1,755 +0,0 @@
-From 0edf915efbb39fac45c784171dd715ec6b28861a Mon Sep 17 00:00:00 2001
-From: Sumedh Sidhaye <ssidhaye@redhat.com>
-Date: Fri, 14 Jan 2022 19:55:13 +0530
-Subject: [PATCH] Added test automation for SHA384withRSA CSR support
-
-Scenario 1:
-Setup master with --ca-signing-algorithm=SHA384withRSA
-Run certutil and check Signing Algorithm
-
-Scenario 2:
-Setup a master
-Stop services
-Modify default.params.signingAlg in CS.cfg
-Restart services
-Resubmit cert (Resubmitted cert should have new Algorithm)
-
-Pagure Link: https://pagure.io/freeipa/issue/8906
-
-Signed-off-by: Sumedh Sidhaye <ssidhaye@redhat.com>
-Reviewed-By: Florence Blanc-Renaud <flo@redhat.com>
-Reviewed-By: Rob Crittenden <rcritten@redhat.com>
-Reviewed-By: Antonio Torres <antorres@redhat.com>
----
- .../test_integration/test_installation.py | 63 +++++++++++++++++++
- 1 file changed, 63 insertions(+)
-
-diff --git a/ipatests/test_integration/test_installation.py b/ipatests/test_integration/test_installation.py
-index 0947241ae..f2d372c0c 100644
---- a/ipatests/test_integration/test_installation.py
-+++ b/ipatests/test_integration/test_installation.py
-@@ -34,6 +34,7 @@ from ipatests.pytest_ipa.integration import tasks
- from ipatests.pytest_ipa.integration.env_config import get_global_config
- from ipatests.test_integration.base import IntegrationTest
- from ipatests.test_integration.test_caless import CALessBase, ipa_certs_cleanup
-+from ipatests.test_integration.test_cert import get_certmonger_fs_id
- from ipaplatform import services
-
-
-@@ -1916,3 +1917,65 @@ class TestInstallWithoutNamed(IntegrationTest):
- tasks.install_replica(
- self.master, self.replicas[0], setup_ca=False, setup_dns=False
- )
-+
-+
-+class TestInstallwithSHA384withRSA(IntegrationTest):
-+ num_replicas = 0
-+
-+ def test_install_master_withalgo_sha384withrsa(self, server_cleanup):
-+ tasks.install_master(
-+ self.master,
-+ extra_args=['--ca-signing-algorithm=SHA384withRSA'],
-+ )
-+
-+ # check Signing Algorithm post installation
-+ dashed_domain = self.master.domain.realm.replace(".", '-')
-+ cmd_args = ['certutil', '-L', '-d',
-+ '/etc/dirsrv/slapd-{}/'.format(dashed_domain),
-+ '-n', 'Server-Cert']
-+ result = self.master.run_command(cmd_args)
-+ assert 'SHA-384 With RSA Encryption' in result.stdout_text
-+
-+ def test_install_master_modify_existing(self, server_cleanup):
-+ """
-+ Setup a master
-+ Stop services
-+ Modify default.params.signingAlg in CS.cfg
-+ Restart services
-+ Resubmit cert (Resubmitted cert should have new Algorithm)
-+ """
-+ tasks.install_master(self.master)
-+ self.master.run_command(['ipactl', 'stop'])
-+ cs_cfg_content = self.master.get_file_contents(paths.CA_CS_CFG_PATH,
-+ encoding='utf-8')
-+ new_lines = []
-+ replace_str = "ca.signing.defaultSigningAlgorithm=SHA384withRSA"
-+ ocsp_rep_str = "ca.ocsp_signing.defaultSigningAlgorithm=SHA384withRSA"
-+ for line in cs_cfg_content.split('\n'):
-+ if line.startswith('ca.signing.defaultSigningAlgorithm'):
-+ new_lines.append(replace_str)
-+ elif line.startswith('ca.ocsp_signing.defaultSigningAlgorithm'):
-+ new_lines.append(ocsp_rep_str)
-+ else:
-+ new_lines.append(line)
-+ self.master.put_file_contents(paths.CA_CS_CFG_PATH,
-+ '\n'.join(new_lines))
-+ self.master.run_command(['ipactl', 'start'])
-+
-+ cmd = ['getcert', 'list', '-f', paths.RA_AGENT_PEM]
-+ result = self.master.run_command(cmd)
-+ request_id = get_certmonger_fs_id(result.stdout_text)
-+
-+ # resubmit RA Agent cert
-+ cmd = ['getcert', 'resubmit', '-f', paths.RA_AGENT_PEM]
-+ self.master.run_command(cmd)
-+
-+ tasks.wait_for_certmonger_status(self.master,
-+ ('CA_WORKING', 'MONITORING'),
-+ request_id)
-+
-+ cmd_args = ['openssl', 'x509', '-in',
-+ paths.RA_AGENT_PEM, '-noout', '-text']
-+ result = self.master.run_command(cmd_args)
-+ assert_str = 'Signature Algorithm: sha384WithRSAEncryption'
-+ assert assert_str in result.stdout_text
---
-2.34.1
-
-From 8b22ee018c3bb7f58a1b6694a7fd611688f8e74f Mon Sep 17 00:00:00 2001
-From: Sumedh Sidhaye <ssidhaye@redhat.com>
-Date: Thu, 25 Nov 2021 17:48:20 +0530
-Subject: [PATCH] Extend test to see if replica is not shown when running
- `ipa-replica-manage list -v <FQDN>`
-
-Related: https://pagure.io/freeipa/issue/8605
-
-Signed-off-by: Sumedh Sidhaye <ssidhaye@redhat.com>
-Reviewed-By: Florence Blanc-Renaud <flo@redhat.com>
----
- ipatests/test_integration/test_simple_replication.py | 3 ++-
- 1 file changed, 2 insertions(+), 1 deletion(-)
-
-diff --git a/ipatests/test_integration/test_simple_replication.py b/ipatests/test_integration/test_simple_replication.py
-index 8de385144..17092a499 100644
---- a/ipatests/test_integration/test_simple_replication.py
-+++ b/ipatests/test_integration/test_simple_replication.py
-@@ -111,5 +111,6 @@ class TestSimpleReplication(IntegrationTest):
- # has to be run with --force, there is no --unattended
- self.master.run_command(['ipa-replica-manage', 'del',
- self.replicas[0].hostname, '--force'])
-- result = self.master.run_command(['ipa-replica-manage', 'list'])
-+ result = self.master.run_command(
-+ ['ipa-replica-manage', 'list', '-v', self.master.hostname])
- assert self.replicas[0].hostname not in result.stdout_text
---
-2.34.1
-
-From ba7ec71ba96280da3841ebe47df2a6dc1cd6341e Mon Sep 17 00:00:00 2001
-From: Mohammad Rizwan <myusuf@redhat.com>
-Date: Fri, 26 Nov 2021 12:11:21 +0530
-Subject: [PATCH] ipatests: Fix test_ipa_cert_fix.py::TestCertFixReplica
- teardown
-
-Fixture `expire_certs` moves date back after renewing the certs.
-This is causing the ipa-replica to fail. This fix first uninstalls
-the server then moves back the date.
-
-Fixes: https://pagure.io/freeipa/issue/9052
-
-Signed-off-by: Mohammad Rizwan <myusuf@redhat.com>
-Reviewed-By: Florence Blanc-Renaud <flo@redhat.com>
----
- ipatests/test_integration/test_ipa_cert_fix.py | 9 ++++++++-
- 1 file changed, 8 insertions(+), 1 deletion(-)
-
-diff --git a/ipatests/test_integration/test_ipa_cert_fix.py b/ipatests/test_integration/test_ipa_cert_fix.py
-index 39904d5de..5b56054b4 100644
---- a/ipatests/test_integration/test_ipa_cert_fix.py
-+++ b/ipatests/test_integration/test_ipa_cert_fix.py
-@@ -389,6 +389,12 @@ class TestCertFixReplica(IntegrationTest):
- setup_dns=False, extra_args=['--no-ntp']
- )
-
-+ @classmethod
-+ def uninstall(cls, mh):
-+ # Uninstall method is empty as the uninstallation is done in
-+ # the fixture
-+ pass
-+
- @pytest.fixture
- def expire_certs(self):
- # move system date to expire certs
-@@ -398,7 +404,8 @@ class TestCertFixReplica(IntegrationTest):
- yield
-
- # move date back on replica and master
-- for host in self.master, self.replicas[0]:
-+ for host in self.replicas[0], self.master:
-+ tasks.uninstall_master(host)
- tasks.move_date(host, 'start', '-3years-1days')
-
- def test_renew_expired_cert_replica(self, expire_certs):
---
-2.34.1
-
-From 465f1669a6c5abc72da1ecaf9aefa8488f80806c Mon Sep 17 00:00:00 2001
-From: Anuja More <amore@redhat.com>
-Date: Mon, 13 Dec 2021 17:37:05 +0530
-Subject: [PATCH] ipatests: Test default value of nsslapd-sizelimit.
-
-related : https://pagure.io/freeipa/issue/8962
-
-Signed-off-by: Anuja More <amore@redhat.com>
-Reviewed-By: Florence Blanc-Renaud <flo@redhat.com>
----
- ipatests/test_integration/test_installation.py | 13 +++++++++++++
- 1 file changed, 13 insertions(+)
-
-diff --git a/ipatests/test_integration/test_installation.py b/ipatests/test_integration/test_installation.py
-index 95cfaad54..0947241ae 100644
---- a/ipatests/test_integration/test_installation.py
-+++ b/ipatests/test_integration/test_installation.py
-@@ -1067,6 +1067,19 @@ class TestInstallMaster(IntegrationTest):
- )
- assert "nsslapd-db-locks" not in result.stdout_text
-
-+ def test_nsslapd_sizelimit(self):
-+ """ Test for default value of nsslapd-sizelimit.
-+
-+ Related : https://pagure.io/freeipa/issue/8962
-+ """
-+ result = tasks.ldapsearch_dm(
-+ self.master,
-+ "cn=config",
-+ ["nsslapd-sizelimit"],
-+ scope="base"
-+ )
-+ assert "nsslapd-sizelimit: 100000" in result.stdout_text
-+
- def test_admin_root_alias_CVE_2020_10747(self):
- # Test for CVE-2020-10747 fix
- # https://bugzilla.redhat.com/show_bug.cgi?id=1810160
---
-2.34.1
-
-From cbd9ac6ab07dfb60f67da762fdd70856ad35c230 Mon Sep 17 00:00:00 2001
-From: Mohammad Rizwan <myusuf@redhat.com>
-Date: Thu, 25 Nov 2021 13:10:05 +0530
-Subject: [PATCH] ipatests: Test empty cert request doesn't force certmonger to
- segfault
-
-When empty cert request is submitted to certmonger, it goes to
-segfault. This fix test that if something like this happens,
-certmonger should gracefuly handle it
-
-and some PEP8 fixes
-
-related: https://pagure.io/certmonger/issue/191
-
-Signed-off-by: Mohammad Rizwan <myusuf@redhat.com>
----
- ipatests/test_integration/test_cert.py | 79 +++++++++++++++++++++++++-
- 1 file changed, 78 insertions(+), 1 deletion(-)
-
-diff --git a/ipatests/test_integration/test_cert.py b/ipatests/test_integration/test_cert.py
-index 5ffb8c608..0518d7954 100644
---- a/ipatests/test_integration/test_cert.py
-+++ b/ipatests/test_integration/test_cert.py
-@@ -14,6 +14,7 @@ import random
- import re
- import string
- import time
-+import textwrap
-
- from ipaplatform.paths import paths
- from ipapython.dn import DN
-@@ -193,7 +194,7 @@ class TestInstallMasterClient(IntegrationTest):
- tasks.kinit_admin(self.master)
- tasks.user_add(self.master, user)
-
-- for id in (0,1):
-+ for id in (0, 1):
- csr_file = f'{id}.csr'
- key_file = f'{id}.key'
- cert_file = f'{id}.crt'
-@@ -584,3 +585,79 @@ class TestCAShowErrorHandling(IntegrationTest):
- error_msg = 'ipa: ERROR: The certificate for ' \
- '{} is not available on this server.'.format(lwca)
- assert error_msg in result.stderr_text
-+
-+ def test_certmonger_empty_cert_not_segfault(self):
-+ """Test empty cert request doesn't force certmonger to segfault
-+
-+ Test scenario:
-+ create a cert request file in /var/lib/certmonger/requests which is
-+ missing most of the required information, and ask request a new
-+ certificate to certmonger. The wrong request file should not make
-+ certmonger crash.
-+
-+ related: https://pagure.io/certmonger/issue/191
-+ """
-+ empty_cert_req_content = textwrap.dedent("""
-+ id=dogtag-ipa-renew-agent
-+ key_type=UNSPECIFIED
-+ key_gen_type=UNSPECIFIED
-+ key_size=0
-+ key_gen_size=0
-+ key_next_type=UNSPECIFIED
-+ key_next_gen_type=UNSPECIFIED
-+ key_next_size=0
-+ key_next_gen_size=0
-+ key_preserve=0
-+ key_storage_type=NONE
-+ key_perms=0
-+ key_requested_count=0
-+ key_issued_count=0
-+ cert_storage_type=FILE
-+ cert_perms=0
-+ cert_is_ca=0
-+ cert_ca_path_length=0
-+ cert_no_ocsp_check=0
-+ last_need_notify_check=19700101000000
-+ last_need_enroll_check=19700101000000
-+ template_is_ca=0
-+ template_ca_path_length=-1
-+ template_no_ocsp_check=0
-+ state=NEED_KEY_PAIR
-+ autorenew=0
-+ monitor=0
-+ submitted=19700101000000
-+ """)
-+ # stop certmonger service
-+ self.master.run_command(['systemctl', 'stop', 'certmonger'])
-+
-+ # place an empty cert request file to certmonger request dir
-+ self.master.put_file_contents(
-+ os.path.join(paths.CERTMONGER_REQUESTS_DIR, '20211125062617'),
-+ empty_cert_req_content
-+ )
-+
-+ # start certmonger, it should not fail
-+ self.master.run_command(['systemctl', 'start', 'certmonger'])
-+
-+ # request a new cert, should succeed and certmonger doesn't goes
-+ # to segfault
-+ result = self.master.run_command([
-+ "ipa-getcert", "request",
-+ "-f", os.path.join(paths.OPENSSL_CERTS_DIR, "test.pem"),
-+ "-k", os.path.join(paths.OPENSSL_PRIVATE_DIR, "test.key"),
-+ ])
-+ request_id = re.findall(r'\d+', result.stdout_text)
-+
-+ # check if certificate is in MONITORING state
-+ status = tasks.wait_for_request(self.master, request_id[0], 50)
-+ assert status == "MONITORING"
-+
-+ self.master.run_command(
-+ ['ipa-getcert', 'stop-tracking', '-i', request_id[0]]
-+ )
-+ self.master.run_command([
-+ 'rm', '-rf',
-+ os.path.join(paths.CERTMONGER_REQUESTS_DIR, '20211125062617'),
-+ os.path.join(paths.OPENSSL_CERTS_DIR, 'test.pem'),
-+ os.path.join(paths.OPENSSL_PRIVATE_DIR, 'test.key')
-+ ])
---
-2.34.1
-
-From edbd8f692a28fc999b92e9032614d366511db323 Mon Sep 17 00:00:00 2001
-From: Anuja More <amore@redhat.com>
-Date: Mon, 6 Dec 2021 20:50:01 +0530
-Subject: [PATCH] ipatests: webui: Tests for subordinate ids.
-
-Added web-ui tests to verify where operations
-using subordinate ids are working as expected.
-
-Related : https://pagure.io/freeipa/issue/8361
-
-Signed-off-by: Anuja More <amore@redhat.com>
-Reviewed-By: Michal Polovka <mpolovka@redhat.com>
-Reviewed-By: Florence Blanc-Renaud <flo@redhat.com>
-Reviewed-By: Florence Blanc-Renaud <flo@redhat.com>
----
- ipatests/test_webui/test_subid.py | 141 ++++++++++++++++++++++++++++++
- ipatests/test_webui/ui_driver.py | 28 ++++++
- 2 files changed, 169 insertions(+)
- create mode 100644 ipatests/test_webui/test_subid.py
-
-diff --git a/ipatests/test_webui/test_subid.py b/ipatests/test_webui/test_subid.py
-new file mode 100644
-index 000000000..26decdba0
---- /dev/null
-+++ b/ipatests/test_webui/test_subid.py
-@@ -0,0 +1,141 @@
-+
-+"""
-+Tests for subordinateid.
-+"""
-+
-+from ipatests.test_webui.ui_driver import UI_driver
-+import ipatests.test_webui.data_config as config_data
-+import ipatests.test_webui.data_user as user_data
-+from ipatests.test_webui.ui_driver import screenshot
-+import re
-+
-+
-+class test_subid(UI_driver):
-+
-+ def add_user(self, pkey, name, surname):
-+ self.add_record('user', {
-+ 'pkey': pkey,
-+ 'add': [
-+ ('textbox', 'uid', pkey),
-+ ('textbox', 'givenname', name),
-+ ('textbox', 'sn', surname),
-+ ]
-+ })
-+
-+ def set_default_subid(self):
-+ self.navigate_to_entity(config_data.ENTITY)
-+ self.check_option('ipauserdefaultsubordinateid', 'checked')
-+ self.facet_button_click('save')
-+
-+ def get_user_count(self, user_pkey):
-+ self.navigate_to_entity('subid', facet='search')
-+ self.apply_search_filter(user_pkey)
-+ self.wait_for_request()
-+ return self.get_rows()
-+
-+ @screenshot
-+ def test_set_defaultsubid(self):
-+ """
-+ Test to verify that enable/disable is working for
-+ adding subids to new users.
-+ """
-+ self.init_app()
-+ self.add_record(user_data.ENTITY, user_data.DATA2)
-+ self.navigate_to_entity(config_data.ENTITY)
-+ # test subid can be enabled/disabled.
-+ self.set_default_subid()
-+ assert self.get_field_checked('ipauserdefaultsubordinateid')
-+ self.set_default_subid()
-+ assert not self.get_field_checked('ipauserdefaultsubordinateid')
-+
-+ @screenshot
-+ def test_user_defaultsubid(self):
-+ """
-+ Test to verify that subid is generated for new user.
-+ """
-+ self.init_app()
-+ user_pkey = "some-user"
-+
-+ self.set_default_subid()
-+ assert self.get_field_checked('ipauserdefaultsubordinateid')
-+
-+ before_count = self.get_user_count(user_pkey)
-+ assert len(before_count) == 0
-+
-+ self.add_user(user_pkey, 'Some', 'User')
-+ after_count = self.get_user_count(user_pkey)
-+ assert len(after_count) == 1
-+
-+ @screenshot
-+ def test_user_subid_mod_desc(self):
-+ """
-+ Test to verify that auto-assigned subid description is modified.
-+ """
-+ self.init_app()
-+ self.navigate_to_record("some-user")
-+ self.switch_to_facet('memberof_subid')
-+ rows = self.get_rows()
-+ self.navigate_to_row_record(rows[-1])
-+ self.fill_textbox("description", "some-user-subid-desc")
-+ self.facet_button_click('save')
-+
-+ @screenshot
-+ def test_admin_subid(self):
-+ """
-+ Test to verify that subid range is created with owner admin.
-+ """
-+ self.init_app()
-+ self.navigate_to_entity('subid', facet='search')
-+ self.facet_button_click('add')
-+ self.select_combobox('ipaowner', 'admin')
-+ self.dialog_button_click('add')
-+ self.wait(0.3)
-+ self.assert_no_error_dialog()
-+
-+ @screenshot
-+ def test_admin_subid_negative(self):
-+ """
-+ Test to verify that readding the subid fails with error.
-+ """
-+ self.init_app()
-+ self.navigate_to_entity('subid', facet='search')
-+ self.facet_button_click('add')
-+ self.select_combobox('ipaowner', 'admin')
-+ self.dialog_button_click('add')
-+ self.wait(0.3)
-+ err_dialog = self.get_last_error_dialog(dialog_name='error_dialog')
-+ text = self.get_text('.modal-body div p', err_dialog)
-+ text = text.strip()
-+ pattern = r'Subordinate id with with name .* already exists.'
-+ assert re.search(pattern, text) is not None
-+ self.close_all_dialogs()
-+
-+ @screenshot
-+ def test_user_subid_add(self):
-+ """
-+ Test to verify that subid range is created for given user.
-+ """
-+ self.init_app()
-+ self.navigate_to_entity('subid', facet='search')
-+ before_count = self.get_rows()
-+ self.facet_button_click('add')
-+ self.select_combobox('ipaowner', user_data.PKEY2)
-+ self.dialog_button_click('add')
-+ self.wait(0.3)
-+ self.assert_no_error_dialog()
-+ after_count = self.get_rows()
-+ assert len(before_count) < len(after_count)
-+
-+ @screenshot
-+ def test_subid_del(self):
-+ """
-+ Test to remove subordinate id for given user.
-+ """
-+ self.init_app()
-+ self.navigate_to_entity('subid', facet='search')
-+ user_uid = self.get_record_pkey("some-user", "ipaowner",
-+ table_name="ipauniqueid")
-+ before_count = self.get_rows()
-+ self.delete_record(user_uid, table_name="ipauniqueid")
-+ after_count = self.get_rows()
-+ assert len(before_count) > len(after_count)
-diff --git a/ipatests/test_webui/ui_driver.py b/ipatests/test_webui/ui_driver.py
-index 46fd512ae..77fd74e49 100644
---- a/ipatests/test_webui/ui_driver.py
-+++ b/ipatests/test_webui/ui_driver.py
-@@ -1151,6 +1151,34 @@ class UI_driver:
- return row
- return None
-
-+ def get_row_by_column_value(self, key, column_name, parent=None,
-+ table_name=None):
-+ """
-+ Get the first matched row element of a search table with given key
-+ matched against selected column. None if not found
-+ """
-+ rows = self.get_rows(parent, table_name)
-+ s = "td div[name='%s']" % column_name
-+ for row in rows:
-+ has = self.find(s, By.CSS_SELECTOR, row)
-+ if has.text == key:
-+ return row
-+ return None
-+
-+ def get_record_pkey(self, key, column, parent=None, table_name=None):
-+ """
-+ Get record pkey if value of column is known
-+ """
-+ row = self.get_row_by_column_value(key,
-+ column_name=column,
-+ parent=parent,
-+ table_name=table_name)
-+ val = None
-+ if row:
-+ el = self.find("td input", By.CSS_SELECTOR, row)
-+ val = el.get_attribute("value")
-+ return val
-+
- def navigate_to_row_record(self, row, pkey_column=None):
- """
- Navigate to record by clicking on a link.
---
-2.34.1
-
-From 419d7fd6e5a9ed2d356ad05eef1043309f5646ef Mon Sep 17 00:00:00 2001
-From: Michal Polovka <mpolovka@redhat.com>
-Date: Fri, 7 Jan 2022 12:12:26 +0100
-Subject: [PATCH] ipatests: webui: Use safe-loader for loading YAML
- configuration file
-
-FullLoader class for YAML loader was introduced in version 5.1 which
-also deprecated default loader. SafeLoader, however, stays consistent
-across the versions and brings added security.
-
-This fix is necessary as PyYAML > 5.1 is not available in downstream.
-
-Related: https://pagure.io/freeipa/issue/9009
-
-Signed-off-by: Michal Polovka <mpolovka@redhat.com>
-Reviewed-By: Rob Crittenden <rcritten@redhat.com>
----
- ipatests/test_webui/ui_driver.py | 2 +-
- 1 file changed, 1 insertion(+), 1 deletion(-)
-
-diff --git a/ipatests/test_webui/ui_driver.py b/ipatests/test_webui/ui_driver.py
-index 77fd74e49..519efee9b 100644
---- a/ipatests/test_webui/ui_driver.py
-+++ b/ipatests/test_webui/ui_driver.py
-@@ -192,7 +192,7 @@ class UI_driver:
- if not NO_YAML and os.path.isfile(path):
- try:
- with open(path, 'r') as conf:
-- cls.config = yaml.load(stream=conf, Loader=yaml.FullLoader)
-+ cls.config = yaml.safe_load(stream=conf)
- except yaml.YAMLError as e:
- pytest.skip("Invalid Web UI config.\n%s" % e)
- except IOError as e:
---
-2.34.1
-
-From 5444da016edc416c0c9481c660c013053dbb93b5 Mon Sep 17 00:00:00 2001
-From: Mohammad Rizwan <myusuf@redhat.com>
-Date: Thu, 18 Nov 2021 18:43:22 +0530
-Subject: [PATCH] PEP8 Fixes
-
-Signed-off-by: Mohammad Rizwan <myusuf@redhat.com>
----
- .../test_integration/test_replica_promotion.py | 14 +++++++-------
- 1 file changed, 7 insertions(+), 7 deletions(-)
-
-diff --git a/ipatests/test_integration/test_replica_promotion.py b/ipatests/test_integration/test_replica_promotion.py
-index 1a4e9bc12..c328b1a08 100644
---- a/ipatests/test_integration/test_replica_promotion.py
-+++ b/ipatests/test_integration/test_replica_promotion.py
-@@ -138,7 +138,6 @@ class TestReplicaPromotionLevel1(ReplicaPromotionBase):
- assert res.returncode == 1
- assert expected_err in res.stderr_text
-
--
- @replicas_cleanup
- def test_one_command_installation(self):
- """
-@@ -150,11 +149,11 @@ class TestReplicaPromotionLevel1(ReplicaPromotionBase):
- Firewall(self.replicas[0]).enable_services(["freeipa-ldap",
- "freeipa-ldaps"])
- self.replicas[0].run_command(['ipa-replica-install', '-w',
-- self.master.config.admin_password,
-- '-n', self.master.domain.name,
-- '-r', self.master.domain.realm,
-- '--server', self.master.hostname,
-- '-U'])
-+ self.master.config.admin_password,
-+ '-n', self.master.domain.name,
-+ '-r', self.master.domain.realm,
-+ '--server', self.master.hostname,
-+ '-U'])
- # Ensure that pkinit is properly configured, test for 7566
- result = self.replicas[0].run_command(['ipa-pkinit-manage', 'status'])
- assert "PKINIT is enabled" in result.stdout_text
-@@ -321,7 +320,7 @@ class TestWrongClientDomain(IntegrationTest):
- result1 = client.run_command(['ipa-replica-install', '-U', '-w',
- self.master.config.dirman_password],
- raiseonerr=False)
-- assert(result1.returncode == 0), (
-+ assert (result1.returncode == 0), (
- 'Failed to promote the client installed with the upcase domain name')
-
- def test_client_rollback(self):
-@@ -355,6 +354,7 @@ class TestWrongClientDomain(IntegrationTest):
- assert("An error occurred while removing SSSD" not in
- result.stdout_text)
-
-+
- class TestRenewalMaster(IntegrationTest):
-
- topology = 'star'
---
-2.34.1
-
-From 1d19b860d4cd3bd65a4b143b588425d9a64237fd Mon Sep 17 00:00:00 2001
-From: Mohammad Rizwan <myusuf@redhat.com>
-Date: Thu, 18 Nov 2021 18:36:58 +0530
-Subject: [PATCH] Test cases for ipa-replica-conncheck command
-
-Following test cases would be checked:
-- when called with --principal (it should then prompt for a password)
-- when called with --principal / --password
-- when called without principal and password but with a kerberos TGT,
- kinit admin done before calling ipa-replica-conncheck
-- when called without principal and password, and without any kerberos
- TGT (it should default to principal=admin and prompt for a password)
-
-related: https://pagure.io/freeipa/issue/9047
-
-Signed-off-by: Mohammad Rizwan <myusuf@redhat.com>
----
- .../test_replica_promotion.py | 70 +++++++++++++++++++
- 1 file changed, 70 insertions(+)
-
-diff --git a/ipatests/test_integration/test_replica_promotion.py b/ipatests/test_integration/test_replica_promotion.py
-index b9c56f775..1a4e9bc12 100644
---- a/ipatests/test_integration/test_replica_promotion.py
-+++ b/ipatests/test_integration/test_replica_promotion.py
-@@ -437,6 +437,76 @@ class TestRenewalMaster(IntegrationTest):
- self.assertCARenewalMaster(master, replica.hostname)
- self.assertCARenewalMaster(replica, replica.hostname)
-
-+ def test_replica_concheck(self):
-+ """Test cases for ipa-replica-conncheck command
-+
-+ Following test cases would be checked:
-+ - when called with --principal (it should then prompt for a password)
-+ - when called with --principal / --password
-+ - when called without principal and password but with a kerberos TGT,
-+ kinit admin done before calling ipa-replica-conncheck
-+ - when called without principal and password, and without any kerberos
-+ TGT (it should default to principal=admin and prompt for a password)
-+
-+ related: https://pagure.io/freeipa/issue/9047
-+ """
-+ exp_str1 = "Connection from replica to master is OK."
-+ exp_str2 = "Connection from master to replica is OK"
-+ tasks.kdestroy_all(self.replicas[0])
-+ # when called with --principal (it should then prompt for a password)
-+ result = self.replicas[0].run_command(
-+ ['ipa-replica-conncheck', '--auto-master-check',
-+ '--master', self.master.hostname,
-+ '-r', self.replicas[0].domain.realm,
-+ '-p', self.replicas[0].config.admin_name],
-+ stdin_text=self.master.config.admin_password
-+ )
-+ assert result.returncode == 0
-+ assert (
-+ exp_str1 in result.stderr_text and exp_str2 in result.stderr_text
-+ )
-+
-+ # when called with --principal / --password
-+ result = self.replicas[0].run_command([
-+ 'ipa-replica-conncheck', '--auto-master-check',
-+ '--master', self.master.hostname,
-+ '-r', self.replicas[0].domain.realm,
-+ '-p', self.replicas[0].config.admin_name,
-+ '-w', self.master.config.admin_password
-+ ])
-+ assert result.returncode == 0
-+ assert (
-+ exp_str1 in result.stderr_text and exp_str2 in result.stderr_text
-+ )
-+
-+ # when called without principal and password, and without
-+ # any kerberos TGT, it should default to principal=admin
-+ # and prompt for a password
-+ result = self.replicas[0].run_command(
-+ ['ipa-replica-conncheck', '--auto-master-check',
-+ '--master', self.master.hostname,
-+ '-r', self.replicas[0].domain.realm],
-+ stdin_text=self.master.config.admin_password
-+ )
-+ assert result.returncode == 0
-+ assert (
-+ exp_str1 in result.stderr_text and exp_str2 in result.stderr_text
-+ )
-+
-+ # when called without principal and password but with a kerberos TGT,
-+ # kinit admin done before calling ipa-replica-conncheck
-+ tasks.kinit_admin(self.replicas[0])
-+ result = self.replicas[0].run_command(
-+ ['ipa-replica-conncheck', '--auto-master-check',
-+ '--master', self.master.hostname,
-+ '-r', self.replicas[0].domain.realm]
-+ )
-+ assert result.returncode == 0
-+ assert (
-+ exp_str1 in result.stderr_text and exp_str2 in result.stderr_text
-+ )
-+ tasks.kdestroy_all(self.replicas[0])
-+
- def test_automatic_renewal_master_transfer_ondelete(self):
- # Test that after replica uninstallation, master overtakes the cert
- # renewal master role from replica (which was previously set there)
---
-2.34.1
-
diff --git a/SOURCES/0006-webui-Do-not-allow-empty-pagination-size_rhbz#2094672.patch b/SOURCES/0006-webui-Do-not-allow-empty-pagination-size_rhbz#2094672.patch
new file mode 100644
index 0000000..25e9f72
--- /dev/null
+++ b/SOURCES/0006-webui-Do-not-allow-empty-pagination-size_rhbz#2094672.patch
@@ -0,0 +1,67 @@
+From 991849cf58fa990ad4540a61214b5ab4fcd4baa1 Mon Sep 17 00:00:00 2001
+From: Armando Neto <abiagion@redhat.com>
+Date: Fri, 8 Jul 2022 15:56:31 -0300
+Subject: [PATCH] webui: Do not allow empty pagination size
+
+Pagination size must be required, the current validators are triggered after
+form is submitted, thus the only way for check if data is not empty is by making
+the field required.
+
+Fixes: https://pagure.io/freeipa/issue/9192
+
+Signed-off-by: Armando Neto <abiagion@redhat.com>
+Reviewed-By: Florence Blanc-Renaud <frenaud@redhat.com>
+---
+ .../ui/src/freeipa/Application_controller.js | 1 +
+ ipatests/test_webui/test_misc_cases.py | 19 +++++++++++++++++++
+ 2 files changed, 20 insertions(+)
+
+diff --git a/install/ui/src/freeipa/Application_controller.js b/install/ui/src/freeipa/Application_controller.js
+index 46aabc9c4..140ee8fe0 100644
+--- a/install/ui/src/freeipa/Application_controller.js
++++ b/install/ui/src/freeipa/Application_controller.js
+@@ -318,6 +318,7 @@ define([
+ $type: 'text',
+ name: 'pagination_size',
+ label: '@i18n:customization.table_pagination',
++ required: true,
+ validators: ['positive_integer']
+ }
+ ]
+diff --git a/ipatests/test_webui/test_misc_cases.py b/ipatests/test_webui/test_misc_cases.py
+index 5f7ffb54e..aca9e1a99 100644
+--- a/ipatests/test_webui/test_misc_cases.py
++++ b/ipatests/test_webui/test_misc_cases.py
+@@ -11,6 +11,11 @@ from ipatests.test_webui.ui_driver import screenshot
+ import pytest
+ import re
+
++try:
++ from selenium.webdriver.common.by import By
++except ImportError:
++ pass
++
+
+ @pytest.mark.tier1
+ class TestMiscCases(UI_driver):
+@@ -26,3 +31,17 @@ class TestMiscCases(UI_driver):
+ ver_re = re.compile('version: .*')
+ assert re.search(ver_re, about_text), 'Version not found'
+ self.dialog_button_click('ok')
++
++ @screenshot
++ def test_customization_pagination_input_required(self):
++ """Test if 'pagination size' is required when submitting the form."""
++ self.init_app()
++
++ self.profile_menu_action('configuration')
++ self.fill_input('pagination_size', '')
++ self.dialog_button_click('save')
++
++ pagination_size_elem = self.find(
++ ".widget[name='pagination_size']", By.CSS_SELECTOR)
++
++ self.assert_field_validation_required(parent=pagination_size_elem)
+--
+2.36.1
+
diff --git a/SOURCES/0007-Don-t-always-override-the-port-in-import_included_profiles_rhbz#2022483.patch b/SOURCES/0007-Don-t-always-override-the-port-in-import_included_profiles_rhbz#2022483.patch
deleted file mode 100644
index f8b3b9f..0000000
--- a/SOURCES/0007-Don-t-always-override-the-port-in-import_included_profiles_rhbz#2022483.patch
+++ /dev/null
@@ -1,104 +0,0 @@
-From edb216849e4f47d6cae95981edf0c3fe2653fd7a Mon Sep 17 00:00:00 2001
-From: Rob Crittenden <rcritten@redhat.com>
-Date: Fri, 28 Jan 2022 16:46:35 -0500
-Subject: [PATCH] Don't always override the port in import_included_profiles
-
-I can only guess to the original purpose of this override. I
-believe it was because this is called in the installer prior
-to Apache being set up. The expectation was that this would
-only be called locally. It predates the RestClient class.
-
-RestClient will attempt to find an available service. In this
-case, during a CA installation, the local server is not
-considered available because it lacks an entry in
-cn=masters. So it will never be returned as an option.
-
-So by overriding the port to 8443 the remote connection will
-likely fail because we don't require that the port be open.
-
-So instead, instantiate a RestClient and see what happens.
-
-There are several use-cases:
-
-1. Installing an initial server. The RestClient connection
- should fail, so we will fall back to the override port and
- use the local server. If Apache happens to be running with
- a globally-issued certificate then the RestClient will
- succeed. In this case if the connected host and the local
- hostname are the same, override in that case as well.
-
-2. Installing as a replica. In this case the local server should
- be ignored in all cases and a remote CA will be picked with
- no override done.
-
-3. Switching from CA-less to CA-ful. The web server will be
- trusted but the RestClient login will fail with a 404. Fall
- back to the override port in this case.
-
-The motivation for this is trying to install an EL 8.x replica
-against an EL 7.9 server. 8.5+ includes the ACME service and
-a new profile is needed which doesn't exist in 7. This was
-failing because the RestClient determined that the local server
-wasn't running a CA so tried the remote one (7.9) on the override
-port 8443. Since this port isn't open: failure.
-
-Chances are that adding the profile is still going to fail
-because again, 7.9 lacks ACME capabilities, but it will fail in
-a way that allows the installation to continue.
-
-I suspect that all of the overrides can similarly handled, or
-handled directly within the RestClient class, but for the sake
-of "do no harm" I'm only changing this instance for now.
-
-https://pagure.io/freeipa/issue/9100
-
-Signed-off-by: Rob Crittenden <rcritten@redhat.com>
-Reviewed-By: Florence Blanc-Renaud <frenaud@redhat.com>
----
- ipaserver/install/cainstance.py | 30 +++++++++++++++++++++++++++++-
- 1 file changed, 29 insertions(+), 1 deletion(-)
-
-diff --git a/ipaserver/install/cainstance.py b/ipaserver/install/cainstance.py
-index 8c8bf1b3a..ad206aad4 100644
---- a/ipaserver/install/cainstance.py
-+++ b/ipaserver/install/cainstance.py
-@@ -1953,7 +1953,35 @@ def import_included_profiles():
- cn=['certprofiles'],
- )
-
-- api.Backend.ra_certprofile.override_port = 8443
-+ # At this point Apache may or may not be running with a valid
-+ # certificate. The local server is not yet recognized as a full
-+ # CA yet so it isn't discoverable. So try to do some detection
-+ # on what port to use, 443 (remote) or 8443 (local) for importing
-+ # the profiles.
-+ #
-+ # api.Backend.ra_certprofile invokes the RestClient class
-+ # which will discover and login to the CA REST API. We can
-+ # use this information to detect where to import the profiles.
-+ #
-+ # If the login is successful (e.g. doesn't raise an exception)
-+ # and it returns our hostname (it prefers the local host) then
-+ # we override and talk locally.
-+ #
-+ # Otherwise a NetworkError means we can't connect on 443 (perhaps
-+ # a firewall) or we get an HTTP error (valid TLS certificate on
-+ # Apache but no CA, login fails with 404) so we override to the
-+ # local server.
-+ #
-+ # When override port was always set to 8443 the RestClient could
-+ # pick a remote server and since 8443 isn't in our firewall profile
-+ # setting up a new server would fail.
-+ try:
-+ with api.Backend.ra_certprofile as profile_api:
-+ if profile_api.ca_host == api.env.host:
-+ api.Backend.ra_certprofile.override_port = 8443
-+ except (errors.NetworkError, errors.RemoteRetrieveError) as e:
-+ logger.debug('Overriding CA port: %s', e)
-+ api.Backend.ra_certprofile.override_port = 8443
-
- for (profile_id, desc, store_issued) in dogtag.INCLUDED_PROFILES:
- dn = DN(('cn', profile_id),
---
-2.34.1
-
diff --git a/SOURCES/0007-webui-Allow-grace-login-limit_rhbz#2109243.patch b/SOURCES/0007-webui-Allow-grace-login-limit_rhbz#2109243.patch
new file mode 100644
index 0000000..93cfab9
--- /dev/null
+++ b/SOURCES/0007-webui-Allow-grace-login-limit_rhbz#2109243.patch
@@ -0,0 +1,56 @@
+From ade5093b08f92b279c200f341e96972a74f644d8 Mon Sep 17 00:00:00 2001
+From: Carla Martinez <carlmart@redhat.com>
+Date: Fri, 29 Jul 2022 13:16:16 +0200
+Subject: [PATCH] webui: Allow grace login limit
+
+There was no support for setting the grace login limit on the WebUI. The
+only way to so was only via CLI:
+
+ `ipa pwpolicy-mod --gracelimit=2 global_policy`
+
+Thus, the grace login limit must be updated from the policy section and
+this will reflect also on the user settings (under the 'Password Policy'
+section)
+
+Fixes: https://pagure.io/freeipa/issue/9211
+
+Signed-off-by: Carla Martinez <carlmart@redhat.com>
+Reviewed-By: Florence Blanc-Renaud <flo@redhat.com>
+---
+ install/ui/src/freeipa/policy.js | 3 +++
+ install/ui/src/freeipa/user.js | 5 +++++
+ 2 files changed, 8 insertions(+)
+
+diff --git a/install/ui/src/freeipa/policy.js b/install/ui/src/freeipa/policy.js
+index fa2028a52..7ec103636 100644
+--- a/install/ui/src/freeipa/policy.js
++++ b/install/ui/src/freeipa/policy.js
+@@ -72,6 +72,9 @@ return {
+ {
+ name: 'cospriority',
+ required: true
++ },
++ {
++ name: 'passwordgracelimit'
+ }
+ ]
+ }]
+diff --git a/install/ui/src/freeipa/user.js b/install/ui/src/freeipa/user.js
+index a580db035..b47c97f72 100644
+--- a/install/ui/src/freeipa/user.js
++++ b/install/ui/src/freeipa/user.js
+@@ -318,6 +318,11 @@ return {
+ label: '@mo-param:pwpolicy:krbpwdlockoutduration:label',
+ read_only: true,
+ measurement_unit: 'seconds'
++ },
++ {
++ name: 'passwordgracelimit',
++ label: '@mo-param:pwpolicy:passwordgracelimit:label',
++ read_only: true
+ }
+ ]
+ },
+--
+2.37.2
+
diff --git a/SOURCES/0008-Remove-ipa-join-errors-from-behind-the-debug-option_rhbz#2048558.patch b/SOURCES/0008-Remove-ipa-join-errors-from-behind-the-debug-option_rhbz#2048558.patch
deleted file mode 100644
index e083b06..0000000
--- a/SOURCES/0008-Remove-ipa-join-errors-from-behind-the-debug-option_rhbz#2048558.patch
+++ /dev/null
@@ -1,115 +0,0 @@
-From 7c5540bb47799b4db95673d22f61995ad5c56440 Mon Sep 17 00:00:00 2001
-From: Rob Crittenden <rcritten@redhat.com>
-Date: Mon, 31 Jan 2022 17:31:50 -0500
-Subject: [PATCH] Remove ipa-join errors from behind the debug option
-
-This brings it inline with the previous XML-RPC output which
-only hid the request and response from the output and not
-any errors returned.
-
-https://pagure.io/freeipa/issue/9103
-
-Signed-off-by: Rob Crittenden <rcritten@redhat.com>
-Reviewed-By: Florence Blanc-Renaud <frenaud@redhat.com>
-Reviewed-By: Peter Keresztes Schmidt <carbenium@outlook.com>
----
- client/ipa-join.c | 27 +++++++++------------------
- 1 file changed, 9 insertions(+), 18 deletions(-)
-
-diff --git a/client/ipa-join.c b/client/ipa-join.c
-index d98739a9a..5888a33bf 100644
---- a/client/ipa-join.c
-+++ b/client/ipa-join.c
-@@ -743,8 +743,7 @@ jsonrpc_request(const char *ipaserver, const json_t *json, curl_buffer *response
-
- json_str = json_dumps(json, 0);
- if (!json_str) {
-- if (debug)
-- fprintf(stderr, _("json_dumps() failed\n"));
-+ fprintf(stderr, _("json_dumps() failed\n"));
-
- rval = 17;
- goto cleanup;
-@@ -758,8 +757,7 @@ jsonrpc_request(const char *ipaserver, const json_t *json, curl_buffer *response
- CURLcode res = curl_easy_perform(curl);
- if (res != CURLE_OK)
- {
-- if (debug)
-- fprintf(stderr, _("JSON-RPC call failed: %s\n"), curl_easy_strerror(res));
-+ fprintf(stderr, _("JSON-RPC call failed: %s\n"), curl_easy_strerror(res));
-
- rval = 17;
- goto cleanup;
-@@ -769,8 +767,7 @@ jsonrpc_request(const char *ipaserver, const json_t *json, curl_buffer *response
- curl_easy_getinfo(curl, CURLINFO_RESPONSE_CODE, &resp_code);
-
- if (resp_code != 200) {
-- if (debug)
-- fprintf(stderr, _("JSON-RPC call failed with status code: %li\n"), resp_code);
-+ fprintf(stderr, _("JSON-RPC call failed with status code: %li\n"), resp_code);
-
- if (!quiet && resp_code == 401)
- fprintf(stderr, _("JSON-RPC call was unauthorized. Check your credentials.\n"));
-@@ -848,8 +845,7 @@ jsonrpc_parse_response(const char *payload, json_t** j_result_obj, bool quiet) {
-
- j_root = json_loads(payload, 0, &j_error);
- if (!j_root) {
-- if (debug)
-- fprintf(stderr, _("Parsing JSON-RPC response failed: %s\n"), j_error.text);
-+ fprintf(stderr, _("Parsing JSON-RPC response failed: %s\n"), j_error.text);
-
- rval = 17;
- goto cleanup;
-@@ -864,8 +860,7 @@ jsonrpc_parse_response(const char *payload, json_t** j_result_obj, bool quiet) {
-
- *j_result_obj = json_object_get(j_root, "result");
- if (!*j_result_obj) {
-- if (debug)
-- fprintf(stderr, _("Parsing JSON-RPC response failed: no 'result' value found.\n"));
-+ fprintf(stderr, _("Parsing JSON-RPC response failed: no 'result' value found.\n"));
-
- rval = 17;
- goto cleanup;
-@@ -897,8 +892,7 @@ jsonrpc_parse_join_response(const char *payload, join_info *join_i, bool quiet)
- &tmp_hostdn,
- "krbprincipalname", &tmp_princ,
- "krblastpwdchange", &tmp_pwdch) != 0) {
-- if (debug)
-- fprintf(stderr, _("Extracting the data from the JSON-RPC response failed: %s\n"), j_error.text);
-+ fprintf(stderr, _("Extracting the data from the JSON-RPC response failed: %s\n"), j_error.text);
-
- rval = 17;
- goto cleanup;
-@@ -941,8 +935,7 @@ join_krb5_jsonrpc(const char *ipaserver, const char *hostname, char **hostdn, co
- "nshardwareplatform", uinfo.machine);
-
- if (!json_req) {
-- if (debug)
-- fprintf(stderr, _("json_pack_ex() failed: %s\n"), j_error.text);
-+ fprintf(stderr, _("json_pack_ex() failed: %s\n"), j_error.text);
-
- rval = 17;
- goto cleanup;
-@@ -990,8 +983,7 @@ jsonrpc_parse_unenroll_response(const char *payload, bool* result, bool quiet) {
-
- if (json_unpack_ex(j_result_obj, &j_error, 0, "{s:b}",
- "result", result) != 0) {
-- if (debug)
-- fprintf(stderr, _("Extracting the data from the JSON-RPC response failed: %s\n"), j_error.text);
-+ fprintf(stderr, _("Extracting the data from the JSON-RPC response failed: %s\n"), j_error.text);
-
- rval = 20;
- goto cleanup;
-@@ -1021,8 +1013,7 @@ jsonrpc_unenroll_host(const char *ipaserver, const char *host, bool quiet) {
- host);
-
- if (!json_req) {
-- if (debug)
-- fprintf(stderr, _("json_pack_ex() failed: %s\n"), j_error.text);
-+ fprintf(stderr, _("json_pack_ex() failed: %s\n"), j_error.text);
-
- rval = 17;
- goto cleanup;
---
-2.34.1
-
diff --git a/SOURCES/0008-check_repl_update-in-progress-is-a-boolean_rhbz#2117303.patch b/SOURCES/0008-check_repl_update-in-progress-is-a-boolean_rhbz#2117303.patch
new file mode 100644
index 0000000..36629da
--- /dev/null
+++ b/SOURCES/0008-check_repl_update-in-progress-is-a-boolean_rhbz#2117303.patch
@@ -0,0 +1,35 @@
+From 05a298f56485222583cb7dd4f6a3a4c5c77fc8cf Mon Sep 17 00:00:00 2001
+From: Florence Blanc-Renaud <flo@redhat.com>
+Date: Sun, 7 Aug 2022 12:44:47 +0200
+Subject: [PATCH] check_repl_update: in progress is a boolean
+
+With the fix for https://pagure.io/freeipa/issue/9171,
+nsds5replicaUpdateInProgress is now handled as a boolean.
+One remaining occurrence was still handling it as a string
+and calling lower() on its value.
+
+Replace with direct boolean comparison.
+
+Fixes: https://pagure.io/freeipa/issue/9218
+Signed-off-by: Florence Blanc-Renaud <flo@redhat.com>
+Reviewed-By: Alexander Bokovoy <abokovoy@redhat.com>
+---
+ ipaserver/install/replication.py | 2 +-
+ 1 file changed, 1 insertion(+), 1 deletion(-)
+
+diff --git a/ipaserver/install/replication.py b/ipaserver/install/replication.py
+index 16be3760c..9d9aa1c4b 100644
+--- a/ipaserver/install/replication.py
++++ b/ipaserver/install/replication.py
+@@ -1152,7 +1152,7 @@ class ReplicationManager:
+ except (ValueError, TypeError, KeyError):
+ end = 0
+ # incremental update is done if inprogress is false and end >= start
+- done = inprogress and inprogress.lower() == 'false' and start <= end
++ done = inprogress is not None and not inprogress and start <= end
+ logger.info("Replication Update in progress: %s: status: %s: "
+ "start: %d: end: %d",
+ inprogress, status, start, end)
+--
+2.37.2
+
diff --git a/SOURCES/0009-Disabling-gracelimit-does-not-prevent-LDAP-binds_rhbz#2109236.patch b/SOURCES/0009-Disabling-gracelimit-does-not-prevent-LDAP-binds_rhbz#2109236.patch
new file mode 100644
index 0000000..17088cf
--- /dev/null
+++ b/SOURCES/0009-Disabling-gracelimit-does-not-prevent-LDAP-binds_rhbz#2109236.patch
@@ -0,0 +1,125 @@
+From 1316cd8b2252c2543cf2ef2186956a8833037b1e Mon Sep 17 00:00:00 2001
+From: Rob Crittenden <rcritten@redhat.com>
+Date: Thu, 21 Jul 2022 09:28:46 -0400
+Subject: [PATCH] Disabling gracelimit does not prevent LDAP binds
+
+Originally the code treated 0 as disabled. This was
+changed during the review process to -1 but one remnant
+was missed effetively allowing gracelimit 0 to also mean
+disabled.
+
+Add explicit tests for testing with gracelimit = 0 and
+gracelimit = -1.
+
+Also remove some extranous "str(self.master.domain.basedn)"
+lines from some of the tests.
+
+Fixes: https://pagure.io/freeipa/issue/9206
+
+Signed-off-by: Rob Crittenden <rcritten@redhat.com>
+Reviewed-By: Francisco Trivino <ftrivino@redhat.com>
+---
+ .../ipa-graceperiod/ipa_graceperiod.c | 2 +-
+ ipatests/test_integration/test_pwpolicy.py | 55 ++++++++++++++++++-
+ 2 files changed, 53 insertions(+), 4 deletions(-)
+
+diff --git a/daemons/ipa-slapi-plugins/ipa-graceperiod/ipa_graceperiod.c b/daemons/ipa-slapi-plugins/ipa-graceperiod/ipa_graceperiod.c
+index a3f57cb4b..345e1dee7 100644
+--- a/daemons/ipa-slapi-plugins/ipa-graceperiod/ipa_graceperiod.c
++++ b/daemons/ipa-slapi-plugins/ipa-graceperiod/ipa_graceperiod.c
+@@ -479,7 +479,7 @@ static int ipagraceperiod_preop(Slapi_PBlock *pb)
+ if (pwresponse_requested) {
+ slapi_pwpolicy_make_response_control(pb, -1, grace_limit - grace_user_time , -1);
+ }
+- } else if ((grace_limit > 0) && (grace_user_time >= grace_limit)) {
++ } else if (grace_user_time >= grace_limit) {
+ LOG_TRACE("%s password is expired and out of grace limit\n", dn);
+ errstr = "Password is expired.\n";
+ ret = LDAP_INVALID_CREDENTIALS;
+diff --git a/ipatests/test_integration/test_pwpolicy.py b/ipatests/test_integration/test_pwpolicy.py
+index 6d6698284..41d6e9070 100644
+--- a/ipatests/test_integration/test_pwpolicy.py
++++ b/ipatests/test_integration/test_pwpolicy.py
+@@ -36,7 +36,7 @@ class TestPWPolicy(IntegrationTest):
+ cls.master.run_command(['ipa', 'group-add-member', POLICY,
+ '--users', USER])
+ cls.master.run_command(['ipa', 'pwpolicy-add', POLICY,
+- '--priority', '1'])
++ '--priority', '1', '--gracelimit', '-1'])
+ cls.master.run_command(['ipa', 'passwd', USER],
+ stdin_text='{password}\n{password}\n'.format(
+ password=PASSWORD
+@@ -265,7 +265,6 @@ class TestPWPolicy(IntegrationTest):
+
+ def test_graceperiod_expired(self):
+ """Test the LDAP bind grace period"""
+- str(self.master.domain.basedn)
+ dn = "uid={user},cn=users,cn=accounts,{base_dn}".format(
+ user=USER, base_dn=str(self.master.domain.basedn))
+
+@@ -308,7 +307,6 @@ class TestPWPolicy(IntegrationTest):
+
+ def test_graceperiod_not_replicated(self):
+ """Test that the grace period is reset on password reset"""
+- str(self.master.domain.basedn)
+ dn = "uid={user},cn=users,cn=accounts,{base_dn}".format(
+ user=USER, base_dn=str(self.master.domain.basedn))
+
+@@ -341,3 +339,54 @@ class TestPWPolicy(IntegrationTest):
+ )
+ assert 'passwordgraceusertime: 0' in result.stdout_text.lower()
+ self.reset_password(self.master)
++
++ def test_graceperiod_zero(self):
++ """Test the LDAP bind with zero grace period"""
++ dn = "uid={user},cn=users,cn=accounts,{base_dn}".format(
++ user=USER, base_dn=str(self.master.domain.basedn))
++
++ self.master.run_command(
++ ["ipa", "pwpolicy-mod", POLICY, "--gracelimit", "0", ],
++ )
++
++ # Resetting the password will mark it as expired
++ self.reset_password(self.master)
++
++ # Now grace is done and binds should fail.
++ result = self.master.run_command(
++ ["ldapsearch", "-e", "ppolicy", "-D", dn,
++ "-w", PASSWORD, "-b", dn], raiseonerr=False
++ )
++ assert result.returncode == 49
++
++ assert 'Password is expired' in result.stderr_text
++ assert 'Password expired, 0 grace logins remain' in result.stderr_text
++
++ def test_graceperiod_disabled(self):
++ """Test the LDAP bind with grace period disabled (-1)"""
++ str(self.master.domain.basedn)
++ dn = "uid={user},cn=users,cn=accounts,{base_dn}".format(
++ user=USER, base_dn=str(self.master.domain.basedn))
++
++ # This can fail if gracelimit is already -1 so ignore it
++ self.master.run_command(
++ ["ipa", "pwpolicy-mod", POLICY, "--gracelimit", "-1",],
++ raiseonerr=False,
++ )
++
++ # Ensure the password is expired
++ self.reset_password(self.master)
++
++ result = self.kinit_as_user(self.master, PASSWORD, PASSWORD)
++
++ for _i in range(0, 10):
++ result = self.master.run_command(
++ ["ldapsearch", "-e", "ppolicy", "-D", dn,
++ "-w", PASSWORD, "-b", dn]
++ )
++
++ # With graceperiod disabled it should not increment
++ result = tasks.ldapsearch_dm(
++ self.master, dn, ['passwordgraceusertime',],
++ )
++ assert 'passwordgraceusertime: 0' in result.stdout_text.lower()
+--
+2.37.2
+
diff --git a/SOURCES/0009-Enable-the-ccache-sweep-timer-during-installation_rhbz#2051575.patch b/SOURCES/0009-Enable-the-ccache-sweep-timer-during-installation_rhbz#2051575.patch
deleted file mode 100644
index ef581d8..0000000
--- a/SOURCES/0009-Enable-the-ccache-sweep-timer-during-installation_rhbz#2051575.patch
+++ /dev/null
@@ -1,118 +0,0 @@
-From 9b6d0bb1245c4891ccc270f360d0f72a4b1444c1 Mon Sep 17 00:00:00 2001
-From: Rob Crittenden <rcritten@redhat.com>
-Date: Mon, 7 Feb 2022 10:39:55 -0500
-Subject: [PATCH] Enable the ccache sweep timer during installation
-
-The timer was only being enabled during package installation
-if IPA was configured. So effectively only on upgrade.
-
-Add as a separate installation step after the ccache directory
-is configured.
-
-Fixes: https://pagure.io/freeipa/issue/9107
-
-Signed-off-by: Rob Crittenden <rcritten@redhat.com>
-Reviewed-By: Alexander Bokovoy <abokovoy@redhat.com>
----
- ipaserver/install/httpinstance.py | 7 +++++++
- 1 file changed, 7 insertions(+)
-
-diff --git a/ipaserver/install/httpinstance.py b/ipaserver/install/httpinstance.py
-index 732bb58d4..50ccf5e50 100644
---- a/ipaserver/install/httpinstance.py
-+++ b/ipaserver/install/httpinstance.py
-@@ -140,6 +140,8 @@ class HTTPInstance(service.Service):
- self.step("publish CA cert", self.__publish_ca_cert)
- self.step("clean up any existing httpd ccaches",
- self.remove_httpd_ccaches)
-+ self.step("enable ccache sweep",
-+ self.enable_ccache_sweep)
- self.step("configuring SELinux for httpd", self.configure_selinux_for_httpd)
- if not self.is_kdcproxy_configured():
- self.step("create KDC proxy config", self.create_kdcproxy_conf)
-@@ -177,6 +179,11 @@ class HTTPInstance(service.Service):
- [paths.SYSTEMD_TMPFILES, '--create', '--prefix', paths.IPA_CCACHES]
- )
-
-+ def enable_ccache_sweep(self):
-+ ipautil.run(
-+ [paths.SYSTEMCTL, 'enable', 'ipa-ccache-sweep.timer']
-+ )
-+
- def __configure_http(self):
- self.update_httpd_service_ipa_conf()
- self.update_httpd_wsgi_conf()
---
-2.34.1
-
-From 0d9eb3d515385412abefe9c33e0099ea14f33cbc Mon Sep 17 00:00:00 2001
-From: Mohammad Rizwan <myusuf@redhat.com>
-Date: Wed, 9 Feb 2022 18:56:21 +0530
-Subject: [PATCH] Test ipa-ccache-sweep.timer enabled by default during
- installation
-
-This test checks that ipa-ccache-sweep.timer is enabled by default
-during the ipa installation.
-
-related: https://pagure.io/freeipa/issue/9107
-
-Signed-off-by: Mohammad Rizwan <myusuf@redhat.com>
-Reviewed-By: Alexander Bokovoy <abokovoy@redhat.com>
----
- .../test_integration/test_installation.py | 19 +++++++++++++++++--
- 1 file changed, 17 insertions(+), 2 deletions(-)
-
-diff --git a/ipatests/test_integration/test_installation.py b/ipatests/test_integration/test_installation.py
-index f2d372c0c..63edbaa2b 100644
---- a/ipatests/test_integration/test_installation.py
-+++ b/ipatests/test_integration/test_installation.py
-@@ -475,7 +475,7 @@ class TestInstallCA(IntegrationTest):
-
- # Tweak sysrestore.state to drop installation section
- self.master.run_command(
-- ['sed','-i', r's/\[installation\]/\[badinstallation\]/',
-+ ['sed', '-i', r's/\[installation\]/\[badinstallation\]/',
- os.path.join(paths.SYSRESTORE, SYSRESTORE_STATEFILE)])
-
- # Re-run installation check and it should fall back to old method
-@@ -485,7 +485,7 @@ class TestInstallCA(IntegrationTest):
-
- # Restore installation section.
- self.master.run_command(
-- ['sed','-i', r's/\[badinstallation\]/\[installation\]/',
-+ ['sed', '-i', r's/\[badinstallation\]/\[installation\]/',
- os.path.join(paths.SYSRESTORE, SYSRESTORE_STATEFILE)])
-
- # Uninstall and confirm that the old method reports correctly
-@@ -690,6 +690,7 @@ def get_pki_tomcatd_pid(host):
- break
- return(pid)
-
-+
- def get_ipa_services_pids(host):
- ipa_services_name = [
- "krb5kdc", "kadmin", "named", "httpd", "ipa-custodia",
-@@ -1309,6 +1310,20 @@ class TestInstallMasterKRA(IntegrationTest):
- def test_install_master(self):
- tasks.install_master(self.master, setup_dns=False, setup_kra=True)
-
-+ def test_ipa_ccache_sweep_timer_enabled(self):
-+ """Test ipa-ccache-sweep.timer enabled by default during installation
-+
-+ This test checks that ipa-ccache-sweep.timer is enabled by default
-+ during the ipa installation.
-+
-+ related: https://pagure.io/freeipa/issue/9107
-+ """
-+ result = self.master.run_command(
-+ ['systemctl', 'is-enabled', 'ipa-ccache-sweep.timer'],
-+ raiseonerr=False
-+ )
-+ assert 'enabled' in result.stdout_text
-+
- def test_install_dns(self):
- tasks.install_dns(self.master)
-
---
-2.34.1
-
diff --git a/SOURCES/0010-Set-passwordgracelimit-to-match-global-policy-on-group-pw-policies_rhbz#2115475.patch b/SOURCES/0010-Set-passwordgracelimit-to-match-global-policy-on-group-pw-policies_rhbz#2115475.patch
new file mode 100644
index 0000000..952e49b
--- /dev/null
+++ b/SOURCES/0010-Set-passwordgracelimit-to-match-global-policy-on-group-pw-policies_rhbz#2115475.patch
@@ -0,0 +1,230 @@
+From 434620ee342ac4767beccec647a318bfa7743dfa Mon Sep 17 00:00:00 2001
+From: Rob Crittenden <rcritten@redhat.com>
+Date: Thu, 18 Aug 2022 08:21:58 -0400
+Subject: [PATCH] doc: Update LDAP grace period design with default values
+
+New group password policies will get -1 (unlimited) on creation
+by default.
+
+Existing group password policies will remain untouched and
+those created prior will be treated as no BIND allowed.
+
+Fixes: https://pagure.io/freeipa/issue/9212
+
+Signed-off-by: Rob Crittenden <rcritten@redhat.com>
+Reviewed-By: Florence Blanc-Renaud <frenaud@redhat.com>
+---
+ doc/designs/ldap_grace_period.md | 17 ++++++++++++++++-
+ 1 file changed, 16 insertions(+), 1 deletion(-)
+
+diff --git a/doc/designs/ldap_grace_period.md b/doc/designs/ldap_grace_period.md
+index 4b9db3424..e26aedda9 100644
+--- a/doc/designs/ldap_grace_period.md
++++ b/doc/designs/ldap_grace_period.md
+@@ -51,7 +51,22 @@ The basic flow is:
+
+ On successful password reset (by anyone) reset the user's passwordGraceUserTime to 0.
+
+-The default value on install/upgrade will be -1 to retail existing behavior.
++Range values for passwordgracelimit are:
++
++-1 : password grace checking is disabled
++ 0 : no grace BIND are allowed at all post-expiration
++ 1..MAXINT: the number of BIND allowed post-expiration
++
++The default value for the global policy on install/upgrade will be -1 to
++retain existing behavior.
++
++New group password policies will default to -1 to retain previous
++behavior.
++
++Existing group policies with no grace limit set are updated to use
++the default unlimited value, -1. This is done because lack of value in
++LDAP is treated as 0 so any existing group policies would not allow
++post-expiration BIND so this will avoid confusion.
+
+ The per-user attempts will not be replicated.
+
+--
+2.37.2
+
+From 497a57e7a6872fa30d1855a1d91a455bfdbf9300 Mon Sep 17 00:00:00 2001
+From: Rob Crittenden <rcritten@redhat.com>
+Date: Thu, 4 Aug 2022 12:04:22 -0400
+Subject: [PATCH] Set default gracelimit on group password policies to -1
+
+This will retain previous behavior of unlimited LDAP BIND
+post-expiration.
+
+Fixes: https://pagure.io/freeipa/issue/9212
+
+Signed-off-by: Rob Crittenden <rcritten@redhat.com>
+Reviewed-By: Florence Blanc-Renaud <frenaud@redhat.com>
+---
+ API.txt | 2 +-
+ ipaserver/plugins/pwpolicy.py | 2 ++
+ ipatests/test_xmlrpc/test_pwpolicy_plugin.py | 2 ++
+ 3 files changed, 5 insertions(+), 1 deletion(-)
+
+diff --git a/API.txt b/API.txt
+index 5ba9add13..d7ea74f08 100644
+--- a/API.txt
++++ b/API.txt
+@@ -4075,7 +4075,7 @@ option: Int('krbpwdlockoutduration?', cli_name='lockouttime')
+ option: Int('krbpwdmaxfailure?', cli_name='maxfail')
+ option: Int('krbpwdmindiffchars?', cli_name='minclasses')
+ option: Int('krbpwdminlength?', cli_name='minlength')
+-option: Int('passwordgracelimit?', cli_name='gracelimit', default=-1)
++option: Int('passwordgracelimit?', autofill=True, cli_name='gracelimit', default=-1)
+ option: Flag('raw', autofill=True, cli_name='raw', default=False)
+ option: Str('setattr*', cli_name='setattr')
+ option: Str('version?')
+diff --git a/ipaserver/plugins/pwpolicy.py b/ipaserver/plugins/pwpolicy.py
+index 4428aede2..f4ebffd5c 100644
+--- a/ipaserver/plugins/pwpolicy.py
++++ b/ipaserver/plugins/pwpolicy.py
+@@ -408,6 +408,7 @@ class pwpolicy(LDAPObject):
+ minvalue=-1,
+ maxvalue=Int.MAX_UINT32,
+ default=-1,
++ autofill=True,
+ ),
+ )
+
+@@ -539,6 +540,7 @@ class pwpolicy_add(LDAPCreate):
+ keys[-1], krbpwdpolicyreference=dn,
+ cospriority=options.get('cospriority')
+ )
++
+ return dn
+
+ def post_callback(self, ldap, dn, entry_attrs, *keys, **options):
+diff --git a/ipatests/test_xmlrpc/test_pwpolicy_plugin.py b/ipatests/test_xmlrpc/test_pwpolicy_plugin.py
+index 8eee69c18..fc785223b 100644
+--- a/ipatests/test_xmlrpc/test_pwpolicy_plugin.py
++++ b/ipatests/test_xmlrpc/test_pwpolicy_plugin.py
+@@ -387,6 +387,7 @@ class test_pwpolicy_mod_cospriority(Declarative):
+ krbpwdhistorylength=[u'10'],
+ krbpwdmindiffchars=[u'3'],
+ krbpwdminlength=[u'8'],
++ passwordgracelimit=[u'-1'],
+ objectclass=objectclasses.pwpolicy,
+ ),
+ summary=None,
+@@ -417,6 +418,7 @@ class test_pwpolicy_mod_cospriority(Declarative):
+ krbpwdhistorylength=[u'10'],
+ krbpwdmindiffchars=[u'3'],
+ krbpwdminlength=[u'8'],
++ passwordgracelimit=[u'-1'],
+ ),
+ summary=None,
+ value=u'ipausers',
+--
+2.37.2
+
+From a4ddaaf3048c4e8d78a1807af7266ee40ab3a30b Mon Sep 17 00:00:00 2001
+From: Rob Crittenden <rcritten@redhat.com>
+Date: Thu, 4 Aug 2022 12:04:41 -0400
+Subject: [PATCH] Set default on group pwpolicy with no grace limit in upgrade
+
+If an existing group policy lacks a password grace limit
+update it to -1 on upgrade.
+
+Fixes: https://pagure.io/freeipa/issue/9212
+
+Signed-off-by: Rob Crittenden <rcritten@redhat.com>
+Reviewed-By: Florence Blanc-Renaud <frenaud@redhat.com>
+---
+ .../updates/90-post_upgrade_plugins.update | 1 +
+ ipaserver/install/plugins/update_pwpolicy.py | 66 +++++++++++++++++++
+ 2 files changed, 67 insertions(+)
+
+diff --git a/install/updates/90-post_upgrade_plugins.update b/install/updates/90-post_upgrade_plugins.update
+index c7ec71d49..6fe91aa6c 100644
+--- a/install/updates/90-post_upgrade_plugins.update
++++ b/install/updates/90-post_upgrade_plugins.update
+@@ -26,6 +26,7 @@ plugin: update_ra_cert_store
+ plugin: update_mapping_Guests_to_nobody
+ plugin: fix_kra_people_entry
+ plugin: update_pwpolicy
++plugin: update_pwpolicy_grace
+
+ # last
+ # DNS version 1
+diff --git a/ipaserver/install/plugins/update_pwpolicy.py b/ipaserver/install/plugins/update_pwpolicy.py
+index dca44ce43..4185f0343 100644
+--- a/ipaserver/install/plugins/update_pwpolicy.py
++++ b/ipaserver/install/plugins/update_pwpolicy.py
+@@ -78,3 +78,69 @@ class update_pwpolicy(Updater):
+ return False, []
+
+ return False, []
++
++
++@register()
++class update_pwpolicy_grace(Updater):
++ """
++ Ensure all group policies have a grace period set.
++ """
++
++ def execute(self, **options):
++ ldap = self.api.Backend.ldap2
++
++ base_dn = DN(('cn', self.api.env.realm), ('cn', 'kerberos'),
++ self.api.env.basedn)
++ search_filter = (
++ "(&(objectClass=krbpwdpolicy)(!(passwordgracelimit=*)))"
++ )
++
++ while True:
++ # Run the search in loop to avoid issues when LDAP limits are hit
++ # during update
++
++ try:
++ (entries, truncated) = ldap.find_entries(
++ search_filter, ['objectclass'], base_dn, time_limit=0,
++ size_limit=0)
++
++ except errors.EmptyResult:
++ logger.debug("update_pwpolicy: no policies without "
++ "passwordgracelimit set")
++ return False, []
++
++ except errors.ExecutionError as e:
++ logger.error("update_pwpolicy: cannot retrieve list "
++ "of policies missing passwordgracelimit: %s", e)
++ return False, []
++
++ logger.debug("update_pwpolicy: found %d "
++ "policies to update, truncated: %s",
++ len(entries), truncated)
++
++ error = False
++
++ for entry in entries:
++ # Set unlimited BIND by default
++ entry['passwordgracelimit'] = -1
++ try:
++ ldap.update_entry(entry)
++ except (errors.EmptyModlist, errors.NotFound):
++ pass
++ except errors.ExecutionError as e:
++ logger.debug("update_pwpolicy: cannot "
++ "update policy: %s", e)
++ error = True
++
++ if error:
++ # Exit loop to avoid infinite cycles
++ logger.error("update_pwpolicy: error(s) "
++ "detected during pwpolicy update")
++ return False, []
++
++ elif not truncated:
++ # All affected entries updated, exit the loop
++ logger.debug("update_pwpolicy: all policies updated")
++ return False, []
++
++ return False, []
+--
+2.37.2
+
diff --git a/SOURCES/0010-ipatests-remove-additional-check-for-failed-units_rhbz#2053024.patch b/SOURCES/0010-ipatests-remove-additional-check-for-failed-units_rhbz#2053024.patch
deleted file mode 100644
index c384f15..0000000
--- a/SOURCES/0010-ipatests-remove-additional-check-for-failed-units_rhbz#2053024.patch
+++ /dev/null
@@ -1,31 +0,0 @@
-From b36bcf4ea5ed93baa4dc63f8e2be542d678211fb Mon Sep 17 00:00:00 2001
-From: Anuja More <amore@redhat.com>
-Date: Thu, 10 Feb 2022 18:49:06 +0530
-Subject: [PATCH] ipatests: remove additional check for failed units.
-
-On RHEL tests are randomly failing because of this check
-and the test doesn't need to check this.
-
-Related : https://pagure.io/freeipa/issue/9108
-
-Signed-off-by: Anuja More <amore@redhat.com>
-Reviewed-By: Florence Blanc-Renaud <flo@redhat.com>
----
- ipatests/test_integration/test_otp.py | 1 -
- 1 file changed, 1 deletion(-)
-
-diff --git a/ipatests/test_integration/test_otp.py b/ipatests/test_integration/test_otp.py
-index d8ce527ca..6e70ddcb3 100644
---- a/ipatests/test_integration/test_otp.py
-+++ b/ipatests/test_integration/test_otp.py
-@@ -316,7 +316,6 @@ class TestOTPToken(IntegrationTest):
- check_services = self.master.run_command(
- ['systemctl', 'list-units', '--state=failed']
- )
-- assert "0 loaded units listed" in check_services.stdout_text
- assert "ipa-otpd" not in check_services.stdout_text
- # Be sure no services are running and failed units
- self.master.run_command(['killall', 'ipa-otpd'], raiseonerr=False)
---
-2.34.1
-
diff --git a/SOURCES/0011-ipa_cldap-fix-memory-leak_rhbz#2032738.patch b/SOURCES/0011-ipa_cldap-fix-memory-leak_rhbz#2032738.patch
deleted file mode 100644
index 3c8109e..0000000
--- a/SOURCES/0011-ipa_cldap-fix-memory-leak_rhbz#2032738.patch
+++ /dev/null
@@ -1,38 +0,0 @@
-From 186ebe311bc9545d7a9860cd5e8c748131bbe41e Mon Sep 17 00:00:00 2001
-From: Francisco Trivino <ftrivino@redhat.com>
-Date: Thu, 10 Feb 2022 14:23:12 +0100
-Subject: [PATCH] ipa_cldap: fix memory leak
-
-ipa_cldap_encode_netlogon() allocates memory to store binary data as part of
-berval (bv_val) when processing a CLDAP packet request from a worker. The
-data is used by ipa_cldap_respond() but bv_val is not freed later on.
-
-This commit is adding the corresponding free() after ipa_cldap_respond()
-is completed.
-
-Discovered by LeakSanitizer
-
-Fixes: https://pagure.io/freeipa/issue/9110
-Signed-off-by: Francisco Trivino <ftrivino@redhat.com>
-Reviewed-By: Alexander Bokovoy <abokovoy@redhat.com>
-Reviewed-By: Rob Crittenden <rcritten@redhat.com>
-Reviewed-By: Thierry Bordaz <tbordaz@redhat.com>
----
- daemons/ipa-slapi-plugins/ipa-cldap/ipa_cldap_worker.c | 1 +
- 1 file changed, 1 insertion(+)
-
-diff --git a/daemons/ipa-slapi-plugins/ipa-cldap/ipa_cldap_worker.c b/daemons/ipa-slapi-plugins/ipa-cldap/ipa_cldap_worker.c
-index db4a3d061..252bcf647 100644
---- a/daemons/ipa-slapi-plugins/ipa-cldap/ipa_cldap_worker.c
-+++ b/daemons/ipa-slapi-plugins/ipa-cldap/ipa_cldap_worker.c
-@@ -287,6 +287,7 @@ done:
- ipa_cldap_respond(ctx, req, &reply);
-
- ipa_cldap_free_kvps(&req->kvps);
-+ free(reply.bv_val);
- free(req);
- return;
- }
---
-2.34.1
-
diff --git a/SOURCES/0012-ipatests-fix-TestOTPToken-test_check_otpd_after_idle_timeout_rhbz#2053024.patch b/SOURCES/0012-ipatests-fix-TestOTPToken-test_check_otpd_after_idle_timeout_rhbz#2053024.patch
deleted file mode 100644
index e7081cd..0000000
--- a/SOURCES/0012-ipatests-fix-TestOTPToken-test_check_otpd_after_idle_timeout_rhbz#2053024.patch
+++ /dev/null
@@ -1,40 +0,0 @@
-From 4c54e9d6ddb72eab6f654bf3dc2d29f27498ac96 Mon Sep 17 00:00:00 2001
-From: Florence Blanc-Renaud <flo@redhat.com>
-Date: Sun, 5 Dec 2021 17:38:58 +0100
-Subject: [PATCH] ipatests: fix
- TestOTPToken::test_check_otpd_after_idle_timeout
-
-The test sets 389-ds nsslapd-idletimeout to 60s, then does a
-kinit with an otp token (which makes ipa-otpd create a LDAP
-connection), then sleeps for 60s. The expectation is that
-ns-slapd will detect that the LDAP conn from ipa-otpd is idle
-and close the connection.
-According to 389ds doc, the idle timeout is enforced when the
-connection table is walked. By doing a ldapsearch, the test
-"wakes up" ns-slapd and forces the detection of ipa-otpd
-idle connection.
-
-Fixes: https://pagure.io/freeipa/issue/9044
-Signed-off-by: Florence Blanc-Renaud <flo@redhat.com>
-Reviewed-By: Anuja More <amore@redhat.com>
----
- ipatests/test_integration/test_otp.py | 3 +++
- 1 file changed, 3 insertions(+)
-
-diff --git a/ipatests/test_integration/test_otp.py b/ipatests/test_integration/test_otp.py
-index 353470897..d8ce527ca 100644
---- a/ipatests/test_integration/test_otp.py
-+++ b/ipatests/test_integration/test_otp.py
-@@ -354,6 +354,9 @@ class TestOTPToken(IntegrationTest):
- otpvalue = totp.generate(int(time.time())).decode("ascii")
- kinit_otp(self.master, USER, password=PASSWORD, otp=otpvalue)
- time.sleep(60)
-+ # ldapsearch will wake up slapd and force walking through
-+ # the connection list, in order to spot the idle connections
-+ tasks.ldapsearch_dm(self.master, "", ldap_args=[], scope="base")
-
- def test_cb(cmd_jornalctl):
- # check if LDAP connection is timed out
---
-2.34.1
-
diff --git a/SOURCES/0013-Backport_test_fixes_in_python3_ipatests_rhbz#2057505.patch b/SOURCES/0013-Backport_test_fixes_in_python3_ipatests_rhbz#2057505.patch
deleted file mode 100644
index fc37fb1..0000000
--- a/SOURCES/0013-Backport_test_fixes_in_python3_ipatests_rhbz#2057505.patch
+++ /dev/null
@@ -1,407 +0,0 @@
-From 6b70e3c49acc55b5553101cf850fc40978861979 Mon Sep 17 00:00:00 2001
-From: Anuja More <amore@redhat.com>
-Date: Mon, 17 Jan 2022 16:57:52 +0530
-Subject: [PATCH] ipatests: Tests for Autoprivate group.
-
-Added tests using posix AD trust and non posix AD trust.
-For option --auto-private-groups=[hybrid/true/false]
-
-Related : https://pagure.io/freeipa/issue/8807
-
-Signed-off-by: Anuja More <amore@redhat.com>
-Reviewed-By: Florence Blanc-Renaud <flo@redhat.com>
-Reviewed-By: Anuja More <amore@redhat.com>
----
- .../nightly_ipa-4-9_latest.yaml | 2 +-
- .../nightly_ipa-4-9_latest_selinux.yaml | 2 +-
- .../nightly_ipa-4-9_previous.yaml | 2 +-
- ipatests/test_integration/test_trust.py | 242 +++++++++++++++++-
- 4 files changed, 240 insertions(+), 8 deletions(-)
-
-diff --git a/ipatests/prci_definitions/nightly_ipa-4-9_latest.yaml b/ipatests/prci_definitions/nightly_ipa-4-9_latest.yaml
-index 6817421b2..8b1f58c4d 100644
---- a/ipatests/prci_definitions/nightly_ipa-4-9_latest.yaml
-+++ b/ipatests/prci_definitions/nightly_ipa-4-9_latest.yaml
-@@ -1627,7 +1627,7 @@ jobs:
- build_url: '{fedora-latest-ipa-4-9/build_url}'
- test_suite: test_integration/test_trust.py
- template: *ci-ipa-4-9-latest
-- timeout: 9000
-+ timeout: 10000
- topology: *adroot_adchild_adtree_master_1client
-
- fedora-latest-ipa-4-9/test_backup_and_restore_TestBackupAndRestoreTrust:
-diff --git a/ipatests/prci_definitions/nightly_ipa-4-9_latest_selinux.yaml b/ipatests/prci_definitions/nightly_ipa-4-9_latest_selinux.yaml
-index 817329756..a11376ab8 100644
---- a/ipatests/prci_definitions/nightly_ipa-4-9_latest_selinux.yaml
-+++ b/ipatests/prci_definitions/nightly_ipa-4-9_latest_selinux.yaml
-@@ -1743,7 +1743,7 @@ jobs:
- selinux_enforcing: True
- test_suite: test_integration/test_trust.py
- template: *ci-ipa-4-9-latest
-- timeout: 9000
-+ timeout: 10000
- topology: *adroot_adchild_adtree_master_1client
-
- fedora-latest-ipa-4-9/test_backup_and_restore_TestBackupAndRestoreTrust:
-diff --git a/ipatests/prci_definitions/nightly_ipa-4-9_previous.yaml b/ipatests/prci_definitions/nightly_ipa-4-9_previous.yaml
-index 4196265c7..3f8ce8b76 100644
---- a/ipatests/prci_definitions/nightly_ipa-4-9_previous.yaml
-+++ b/ipatests/prci_definitions/nightly_ipa-4-9_previous.yaml
-@@ -1627,7 +1627,7 @@ jobs:
- build_url: '{fedora-previous-ipa-4-9/build_url}'
- test_suite: test_integration/test_trust.py
- template: *ci-ipa-4-9-previous
-- timeout: 9000
-+ timeout: 10000
- topology: *adroot_adchild_adtree_master_1client
-
- fedora-previous-ipa-4-9/test_backup_and_restore_TestBackupAndRestoreTrust:
-diff --git a/ipatests/test_integration/test_trust.py b/ipatests/test_integration/test_trust.py
-index 0634badbb..ff2dd9cc8 100644
---- a/ipatests/test_integration/test_trust.py
-+++ b/ipatests/test_integration/test_trust.py
-@@ -62,11 +62,12 @@ class BaseTestTrust(IntegrationTest):
- cls.check_sid_generation()
- tasks.sync_time(cls.master, cls.ad)
-
-- cls.child_ad = cls.ad_subdomains[0]
-- cls.ad_subdomain = cls.child_ad.domain.name
-- cls.tree_ad = cls.ad_treedomains[0]
-- cls.ad_treedomain = cls.tree_ad.domain.name
--
-+ if cls.num_ad_subdomains > 0:
-+ cls.child_ad = cls.ad_subdomains[0]
-+ cls.ad_subdomain = cls.child_ad.domain.name
-+ if cls.num_ad_treedomains > 0:
-+ cls.tree_ad = cls.ad_treedomains[0]
-+ cls.ad_treedomain = cls.tree_ad.domain.name
- # values used in workaround for
- # https://bugzilla.redhat.com/show_bug.cgi?id=1711958
- cls.srv_gc_record_name = \
-@@ -106,6 +107,63 @@ class BaseTestTrust(IntegrationTest):
- expected_text = 'iparangetype: %s\n' % expected_type
- assert expected_text in result.stdout_text
-
-+ def mod_idrange_auto_private_group(
-+ self, option='false'
-+ ):
-+ """
-+ Set the auto-private-group option of the default trusted
-+ AD domain range.
-+ """
-+ tasks.kinit_admin(self.master)
-+ rangename = self.ad_domain.upper() + '_id_range'
-+ error_msg = "ipa: ERROR: no modifications to be performed"
-+ cmd = ["ipa", "idrange-mod", rangename,
-+ "--auto-private-groups", option]
-+ result = self.master.run_command(cmd, raiseonerr=False)
-+ if result.returncode != 0:
-+ tasks.assert_error(result, error_msg)
-+ tasks.clear_sssd_cache(self.master)
-+ tasks.clear_sssd_cache(self.clients[0])
-+ test = self.master.run_command(["ipa", "idrange-show", rangename])
-+ assert "Auto private groups: {0}".format(option) in test.stdout_text
-+
-+ def get_user_id(self, host, username):
-+ """
-+ User uid gid is parsed from the output of id user command.
-+ """
-+ tasks.clear_sssd_cache(self.master)
-+ tasks.clear_sssd_cache(self.clients[0])
-+ self.master.run_command(["id", username])
-+ test_id = host.run_command(["id", username])
-+ regex = r"^uid=(?P<uid>\d+).*gid=(?P<gid>\d+).*groups=(?P<groups>\d+)"
-+ match = re.match(regex, test_id.stdout_text)
-+ uid = match.group('uid')
-+ gid = match.group('gid')
-+ return uid, gid
-+
-+ @contextmanager
-+ def set_idoverrideuser(self, user, uid, gid):
-+ """
-+ Fixture to add/remove idoverrideuser for default idview,
-+ also creates idm group with the provided gid because
-+ gid overrides requires an existing group.
-+ """
-+ tasks.clear_sssd_cache(self.master)
-+ tasks.clear_sssd_cache(self.clients[0])
-+ tasks.kinit_admin(self.master)
-+ try:
-+ args = ["ipa", "idoverrideuser-add", "Default Trust View",
-+ "--gid", gid, "--uid", uid, user]
-+ self.master.run_command(args)
-+ tasks.group_add(self.master, "idgroup",
-+ extra_args=["--gid", gid])
-+ yield
-+ finally:
-+ self.master.run_command([
-+ "ipa", "idoverrideuser-del", "Default Trust View", user]
-+ )
-+ self.master.run_command(["ipa", "group-del", "idgroup"])
-+
- def remove_trust(self, ad):
- tasks.remove_trust_with_ad(self.master,
- ad.domain.name, ad.hostname)
-@@ -993,3 +1051,177 @@ class TestTrust(BaseTestTrust):
- self.master.run_command(['rm', '-f', ad_zone_file])
- tasks.configure_dns_for_trust(self.master, self.ad)
- self.remove_trust(self.ad)
-+
-+
-+class TestNonPosixAutoPrivateGroup(BaseTestTrust):
-+ """
-+ Tests for auto-private-groups option with non posix AD trust
-+ Related : https://pagure.io/freeipa/issue/8807
-+ """
-+ topology = 'line'
-+ num_ad_domains = 1
-+ num_clients = 1
-+ num_ad_subdomains = 0
-+ num_ad_treedomains = 0
-+ uid_override = "99999999"
-+ gid_override = "78878787"
-+
-+ def test_add_nonposix_trust(self):
-+ tasks.configure_dns_for_trust(self.master, self.ad)
-+ tasks.establish_trust_with_ad(
-+ self.master, self.ad_domain,
-+ extra_args=['--range-type', 'ipa-ad-trust'])
-+
-+ @pytest.mark.parametrize('type', ['hybrid', 'true', "false"])
-+ def test_auto_private_groups_default_trusted_range(self, type):
-+ """
-+ Modify existing range for default trusted AD domain range
-+ with auto-private-groups set as true/hybrid/false and test
-+ user with no posix attributes.
-+ """
-+ self.mod_idrange_auto_private_group(type)
-+ nonposixuser = "nonposixuser@%s" % self.ad_domain
-+ (uid, gid) = self.get_user_id(self.clients[0], nonposixuser)
-+ if type == "true":
-+ assert uid == gid
-+ else:
-+ test_group = self.clients[0].run_command(["id", nonposixuser])
-+ gid_str = "gid={0}(domain users@{1})".format(gid, self.ad_domain)
-+ grp_str = "groups={0}(domain users@{1})".format(gid,
-+ self.ad_domain)
-+ assert gid_str in test_group.stdout_text
-+ assert grp_str in test_group.stdout_text
-+ assert uid != gid
-+
-+ @pytest.mark.parametrize('type', ['hybrid', 'true', "false"])
-+ def test_idoverride_with_auto_private_group(self, type):
-+ """
-+ Override ad trusted user in default trust view
-+ and set auto-private-groups=[hybrid,true,false]
-+ and ensure that overridden values takes effect.
-+ """
-+ nonposixuser = "nonposixuser@%s" % self.ad_domain
-+ with self.set_idoverrideuser(nonposixuser,
-+ self.uid_override,
-+ self.gid_override
-+ ):
-+ self.mod_idrange_auto_private_group(type)
-+ (uid, gid) = self.get_user_id(self.clients[0], nonposixuser)
-+ assert (uid == self.uid_override and gid == self.gid_override)
-+ test_group = self.clients[0].run_command(
-+ ["id", nonposixuser]).stdout_text
-+ assert "domain users@{0}".format(self.ad_domain) in test_group
-+
-+ @pytest.mark.parametrize('type', ['hybrid', 'true', "false"])
-+ def test_nonposixuser_nondefault_primary_group(self, type):
-+ """
-+ Test for non default primary group.
-+ For hybrid/false gid corresponds to the group testgroup1.
-+ """
-+ nonposixuser1 = "nonposixuser1@%s" % self.ad_domain
-+ self.mod_idrange_auto_private_group(type)
-+ (uid, gid) = self.get_user_id(self.clients[0], nonposixuser1)
-+ if type == "true":
-+ assert uid == gid
-+ else:
-+ test_group = self.clients[0].run_command(["id", nonposixuser1])
-+ gid_str = "gid={0}(testgroup1@{1})".format(gid, self.ad_domain)
-+ group = "groups={0}(testgroup1@{1})".format(gid, self.ad_domain)
-+ assert (gid_str in test_group.stdout_text
-+ and group in test_group.stdout_text)
-+
-+
-+class TestPosixAutoPrivateGroup(BaseTestTrust):
-+ """
-+ Tests for auto-private-groups option with posix AD trust
-+ Related : https://pagure.io/freeipa/issue/8807
-+ """
-+ topology = 'line'
-+ num_ad_domains = 1
-+ num_clients = 1
-+ num_ad_subdomains = 0
-+ num_ad_treedomains = 0
-+ uid_override = "99999999"
-+ gid_override = "78878787"
-+
-+ def test_add_posix_trust(self):
-+ tasks.configure_dns_for_trust(self.master, self.ad)
-+ tasks.establish_trust_with_ad(
-+ self.master, self.ad_domain,
-+ extra_args=['--range-type', 'ipa-ad-trust-posix'])
-+
-+ @pytest.mark.parametrize('type', ['hybrid', 'true', "false"])
-+ def test_gidnumber_not_corresponding_existing_group(self, type):
-+ """
-+ Test checks that sssd can resolve AD users which
-+ contain posix attributes (uidNumber and gidNumber)
-+ but there is no group with the corresponding gidNumber.
-+ """
-+ posixuser = "testuser2@%s" % self.ad_domain
-+ self.mod_idrange_auto_private_group(type)
-+ if type != "true":
-+ result = self.clients[0].run_command(['id', posixuser],
-+ raiseonerr=False)
-+ tasks.assert_error(result, "no such user")
-+ else:
-+ (uid, gid) = self.get_user_id(self.clients[0], posixuser)
-+ assert uid == gid
-+ assert uid == '10060'
-+
-+ @pytest.mark.parametrize('type', ['hybrid', 'true', "false"])
-+ def test_only_uid_number_auto_private_group_default(self, type):
-+ """
-+ Test checks that posix user with only uidNumber defined
-+ and gidNumber not set, auto-private-group
-+ is set to false/true/hybrid
-+ """
-+ posixuser = "testuser1@%s" % self.ad_domain
-+ self.mod_idrange_auto_private_group(type)
-+ if type == "true":
-+ (uid, gid) = self.get_user_id(self.clients[0], posixuser)
-+ assert uid == gid
-+ else:
-+ for host in [self.master, self.clients[0]]:
-+ result = host.run_command(['id', posixuser], raiseonerr=False)
-+ tasks.assert_error(result, "no such user")
-+
-+ @pytest.mark.parametrize('type', ['hybrid', 'true', "false"])
-+ def test_auto_private_group_primary_group(self, type):
-+ """
-+ Test checks that AD users which contain posix attributes
-+ (uidNumber and gidNumber) and there is primary group
-+ with gid number defined.
-+ """
-+ posixuser = "testuser@%s" % self.ad_domain
-+ self.mod_idrange_auto_private_group(type)
-+ (uid, gid) = self.get_user_id(self.clients[0], posixuser)
-+ test_grp = self.clients[0].run_command(["id", posixuser])
-+ assert uid == '10042'
-+ if type == "true":
-+ assert uid == gid
-+ groups = "groups=10042(testuser@{0}),10047(testgroup@{1})".format(
-+ self.ad_domain, self.ad_domain)
-+ assert groups in test_grp.stdout_text
-+ else:
-+ assert gid == '10047'
-+ groups = "10047(testgroup@{0})".format(self.ad_domain)
-+ assert groups in test_grp.stdout_text
-+
-+ @pytest.mark.parametrize('type', ['hybrid', 'true', "false"])
-+ def test_idoverride_with_auto_private_group(self, type):
-+ """
-+ Override ad trusted user in default trust view
-+ and set auto-private-groups=[hybrid,true,false]
-+ and ensure that overridden values takes effect.
-+ """
-+ posixuser = "testuser@%s" % self.ad_domain
-+ with self.set_idoverrideuser(posixuser,
-+ self.uid_override,
-+ self.gid_override):
-+ self.mod_idrange_auto_private_group(type)
-+ (uid, gid) = self.get_user_id(self.clients[0], posixuser)
-+ assert(uid == self.uid_override
-+ and gid == self.gid_override)
-+ result = self.clients[0].run_command(['id', posixuser])
-+ assert "10047(testgroup@{0})".format(
-+ self.ad_domain) in result.stdout_text
---
-2.35.1
-
-From 84381001d2e114b1f29fe89e16155c040b56b80f Mon Sep 17 00:00:00 2001
-From: Anuja More <amore@redhat.com>
-Date: Thu, 10 Feb 2022 17:07:45 +0530
-Subject: [PATCH] mark xfail for
- test_idoverride_with_auto_private_group[hybrid]
-
-Related : https://github.com/SSSD/sssd/issues/5989
-
-Signed-off-by: Anuja More <amore@redhat.com>
-Reviewed-By: Florence Blanc-Renaud <flo@redhat.com>
-Reviewed-By: Anuja More <amore@redhat.com>
----
- ipatests/test_integration/test_trust.py | 7 ++++++-
- 1 file changed, 6 insertions(+), 1 deletion(-)
-
-diff --git a/ipatests/test_integration/test_trust.py b/ipatests/test_integration/test_trust.py
-index ff2dd9cc8..54bd15462 100644
---- a/ipatests/test_integration/test_trust.py
-+++ b/ipatests/test_integration/test_trust.py
-@@ -15,6 +15,7 @@ from ipaplatform.paths import paths
- from ipatests.test_integration.base import IntegrationTest
- from ipatests.pytest_ipa.integration import tasks
- from ipatests.pytest_ipa.integration import fips
-+from ipatests.util import xfail_context
- from ipapython.dn import DN
- from collections import namedtuple
- from contextlib import contextmanager
-@@ -1110,7 +1111,11 @@ class TestNonPosixAutoPrivateGroup(BaseTestTrust):
- assert (uid == self.uid_override and gid == self.gid_override)
- test_group = self.clients[0].run_command(
- ["id", nonposixuser]).stdout_text
-- assert "domain users@{0}".format(self.ad_domain) in test_group
-+ version = tasks.get_sssd_version(self.clients[0])
-+ with xfail_context(version <= tasks.parse_version('2.6.3')
-+ and type == "hybrid",
-+ 'https://github.com/SSSD/sssd/issues/5989'):
-+ assert "domain users@{0}".format(self.ad_domain) in test_group
-
- @pytest.mark.parametrize('type', ['hybrid', 'true', "false"])
- def test_nonposixuser_nondefault_primary_group(self, type):
---
-2.35.1
-
-From 7ad500e5d3f7d9af81e8a3137158672c6fafb0b4 Mon Sep 17 00:00:00 2001
-From: Anuja More <amore@redhat.com>
-Date: Thu, 10 Feb 2022 17:29:45 +0530
-Subject: [PATCH] Mark xfail
- test_gidnumber_not_corresponding_existing_group[true,hybrid]
-
-Related : https://github.com/SSSD/sssd/issues/5988
-
-Signed-off-by: Anuja More <amore@redhat.com>
-Reviewed-By: Florence Blanc-Renaud <flo@redhat.com>
-Reviewed-By: Anuja More <amore@redhat.com>
----
- ipatests/test_integration/test_trust.py | 9 ++++++---
- 1 file changed, 6 insertions(+), 3 deletions(-)
-
-diff --git a/ipatests/test_integration/test_trust.py b/ipatests/test_integration/test_trust.py
-index 54bd15462..c12837815 100644
---- a/ipatests/test_integration/test_trust.py
-+++ b/ipatests/test_integration/test_trust.py
-@@ -1169,9 +1169,12 @@ class TestPosixAutoPrivateGroup(BaseTestTrust):
- raiseonerr=False)
- tasks.assert_error(result, "no such user")
- else:
-- (uid, gid) = self.get_user_id(self.clients[0], posixuser)
-- assert uid == gid
-- assert uid == '10060'
-+ sssd_version = tasks.get_sssd_version(self.clients[0])
-+ with xfail_context(sssd_version <= tasks.parse_version('2.6.3'),
-+ 'https://github.com/SSSD/sssd/issues/5988'):
-+ (uid, gid) = self.get_user_id(self.clients[0], posixuser)
-+ assert uid == gid
-+ assert uid == '10060'
-
- @pytest.mark.parametrize('type', ['hybrid', 'true', "false"])
- def test_only_uid_number_auto_private_group_default(self, type):
---
-2.35.1
-
diff --git a/SOURCES/1002-Revert-freeipa.spec-depend-on-bind-dnssec-utils.patch b/SOURCES/1002-Revert-freeipa.spec-depend-on-bind-dnssec-utils.patch
new file mode 100644
index 0000000..e1a74ff
--- /dev/null
+++ b/SOURCES/1002-Revert-freeipa.spec-depend-on-bind-dnssec-utils.patch
@@ -0,0 +1,69 @@
+From 0d44e959e5bbe822b51137a8e7cf48fa25533805 Mon Sep 17 00:00:00 2001
+From: Rafael Guterres Jeffman <rjeffman@redhat.com>
+Date: Fri, 10 Dec 2021 12:15:36 -0300
+Subject: [PATCH] Revert "freeipa.spec: depend on bind-dnssec-utils"
+
+This reverts commit f89d59b6e18b54967682f6a37ce92ae67ab3fcda.
+---
+ freeipa.spec.in | 4 +---
+ ipaplatform/base/paths.py | 2 +-
+ ipaplatform/fedora/paths.py | 1 +
+ ipaserver/dnssec/bindmgr.py | 1 -
+ 4 files changed, 3 insertions(+), 5 deletions(-)
+
+diff --git a/freeipa.spec.in b/freeipa.spec.in
+index 8f5c370e5..e20edb7bc 100755
+--- a/freeipa.spec.in
++++ b/freeipa.spec.in
+@@ -576,11 +576,9 @@ Requires: %{name}-server = %{version}-%{release}
+ Requires: bind-dyndb-ldap >= 11.2-2
+ Requires: bind >= %{bind_version}
+ Requires: bind-utils >= %{bind_version}
+-# bind-dnssec-utils is required by the OpenDNSSec integration
+-# https://pagure.io/freeipa/issue/9026
+-Requires: bind-dnssec-utils >= %{bind_version}
+ %if %{with bind_pkcs11}
+ Requires: bind-pkcs11 >= %{bind_version}
++Requires: bind-pkcs11-utils >= %{bind_version}
+ %else
+ Requires: softhsm >= %{softhsm_version}
+ Requires: openssl-pkcs11 >= %{openssl_pkcs11_version}
+diff --git a/ipaplatform/base/paths.py b/ipaplatform/base/paths.py
+index 7d21367ec..42a47f1df 100644
+--- a/ipaplatform/base/paths.py
++++ b/ipaplatform/base/paths.py
+@@ -259,7 +259,6 @@ class BasePathNamespace:
+ IPA_PKI_RETRIEVE_KEY = "/usr/libexec/ipa/ipa-pki-retrieve-key"
+ IPA_HTTPD_PASSWD_READER = "/usr/libexec/ipa/ipa-httpd-pwdreader"
+ IPA_PKI_WAIT_RUNNING = "/usr/libexec/ipa/ipa-pki-wait-running"
+- DNSSEC_KEYFROMLABEL = "/usr/sbin/dnssec-keyfromlabel"
++ DNSSEC_KEYFROMLABEL = "/usr/sbin/dnssec-keyfromlabel-pkcs11"
+- DNSSEC_KEYFROMLABEL_9_17 = "/usr/bin/dnssec-keyfromlabel"
+ GETSEBOOL = "/usr/sbin/getsebool"
+ GROUPADD = "/usr/sbin/groupadd"
+diff --git a/ipaplatform/fedora/paths.py b/ipaplatform/fedora/paths.py
+index 4e993c063..92a948966 100644
+--- a/ipaplatform/fedora/paths.py
++++ b/ipaplatform/fedora/paths.py
+@@ -36,6 +36,7 @@ class FedoraPathNamespace(RedHatPathNamespace):
+ NAMED_CRYPTO_POLICY_FILE = "/etc/crypto-policies/back-ends/bind.config"
+ if HAS_NFS_CONF:
+ SYSCONFIG_NFS = '/etc/nfs.conf'
++ DNSSEC_KEYFROMLABEL = "/usr/sbin/dnssec-keyfromlabel"
+
+
+ paths = FedoraPathNamespace()
+diff --git a/ipaserver/dnssec/bindmgr.py b/ipaserver/dnssec/bindmgr.py
+index 0c79cc03d..a15c0e601 100644
+--- a/ipaserver/dnssec/bindmgr.py
++++ b/ipaserver/dnssec/bindmgr.py
+@@ -127,7 +127,6 @@ class BINDMgr:
+ )
+ cmd = [
+ paths.DNSSEC_KEYFROMLABEL,
+- '-E', 'pkcs11',
+ '-K', workdir,
+ '-a', attrs['idnsSecAlgorithm'][0],
+ '-l', uri
+--
+2.31.1
diff --git a/SOURCES/1101-Harden-FreeIPA-KDC-processing-of-PAC-buffers-20211130.patch b/SOURCES/1101-Harden-FreeIPA-KDC-processing-of-PAC-buffers-20211130.patch
deleted file mode 100644
index 48bb8e0..0000000
--- a/SOURCES/1101-Harden-FreeIPA-KDC-processing-of-PAC-buffers-20211130.patch
+++ /dev/null
@@ -1,122 +0,0 @@
-From 7d93bda31ce0b4e0e22c6e464c9138800dcf8b1c Mon Sep 17 00:00:00 2001
-From: Alexander Bokovoy <abokovoy@redhat.com>
-Date: Fri, 26 Nov 2021 11:13:51 +0200
-Subject: [PATCH] ipa-kdb: fix requester SID check according to MS-KILE and
- MS-SFU updates
-
-New versions of MS-KILE and MS-SFU after Windows Server November 2021
-security updates add PAC_REQUESTER_SID buffer check behavior:
-
- - PAC_REQUESTER_SID should only be added for TGT requests
-
- - if PAC_REQUESTER_SID is present, KDC must verify that the cname on
- the ticket resolves to the account with the same SID as the
- PAC_REQUESTER_SID. If it doesn't KDC must respond with
- KDC_ERR_TKT_REVOKED
-
-Change requester SID check to skip exact check for non-local
-PAC_REQUESTER_SID but harden to ensure it comes from the trusted domains
-we know about.
-
-If requester SID is the same as in PAC, we already do cname vs PAC SID
-verification.
-
-With these changes FreeIPA works against Windows Server 2019 with
-November 2021 security fixes in cross-realm S4U2Self operations.
-
-Fixes: https://pagure.io/freeipa/issue/9031
-
-Signed-off-by: Alexander Bokovoy <abokovoy@redhat.com>
-Reviewed-By: Rob Crittenden <rcritten@redhat.com>
----
- daemons/ipa-kdb/ipa_kdb_mspac.c | 47 ++++++++++++++++++++++++---------
- 1 file changed, 34 insertions(+), 13 deletions(-)
-
-diff --git a/daemons/ipa-kdb/ipa_kdb_mspac.c b/daemons/ipa-kdb/ipa_kdb_mspac.c
-index 538cfbba9..1b972c167 100644
---- a/daemons/ipa-kdb/ipa_kdb_mspac.c
-+++ b/daemons/ipa-kdb/ipa_kdb_mspac.c
-@@ -1697,7 +1697,7 @@ static krb5_error_code check_logon_info_consistent(krb5_context context,
- "local [%s], PAC [%s]",
- dom ? dom : "<failed to display>",
- sid ? sid : "<failed to display>");
-- return KRB5KDC_ERR_POLICY;
-+ return KRB5KDC_ERR_TGT_REVOKED;
- }
- }
-
-@@ -1709,7 +1709,7 @@ static krb5_error_code check_logon_info_consistent(krb5_context context,
- kerr = ipadb_get_principal(context, client_princ, flags, &client_actual);
- if (kerr != 0) {
- krb5_klog_syslog(LOG_ERR, "PAC issue: ipadb_get_principal failed.");
-- return KRB5KDC_ERR_POLICY;
-+ return KRB5KDC_ERR_TGT_REVOKED;
- }
-
- ied = (struct ipadb_e_data *)client_actual->e_data;
-@@ -1743,7 +1743,7 @@ static krb5_error_code check_logon_info_consistent(krb5_context context,
- "local [%s] vs PAC [%s]",
- local_sid ? local_sid : "<failed to display>",
- pac_sid ? pac_sid : "<failed to display>");
-- kerr = KRB5KDC_ERR_POLICY;
-+ kerr = KRB5KDC_ERR_TGT_REVOKED;
- goto done;
- }
-
-@@ -2005,22 +2005,43 @@ static krb5_error_code ipadb_check_logon_info(krb5_context context,
- /* Check that requester SID is the same as in the PAC entry */
- if (requester_sid != NULL) {
- struct dom_sid client_sid;
-+ bool is_from_trusted_domain = false;
- kerr = ipadb_get_sid_from_pac(tmpctx, info.info, &client_sid);
- if (kerr) {
- goto done;
- }
- result = dom_sid_check(&client_sid, requester_sid, true);
- if (!result) {
-- /* memctx is freed by the caller */
-- char *pac_sid = dom_sid_string(tmpctx, &client_sid);
-- char *req_sid = dom_sid_string(tmpctx, requester_sid);
-- krb5_klog_syslog(LOG_ERR, "PAC issue: PAC has a SID "
-- "different from what PAC requester claims. "
-- "PAC [%s] vs PAC requester [%s]",
-- pac_sid ? pac_sid : "<failed to display>",
-- req_sid ? req_sid : "<failed to display>");
-- kerr = KRB5KDC_ERR_POLICY;
-- goto done;
-+ struct ipadb_context *ipactx = ipadb_get_context(context);
-+ if (!ipactx || !ipactx->mspac) {
-+ return KRB5_KDB_DBNOTINITED;
-+ }
-+ /* In S4U case we might be dealing with the PAC issued by the trusted domain */
-+ if (is_s4u && (ipactx->mspac->trusts != NULL)) {
-+ /* Iterate through list of trusts and check if this SID belongs to
-+ * one of the domains we trust */
-+ for(int i = 0 ; i < ipactx->mspac->num_trusts ; i++) {
-+ result = dom_sid_check(&ipactx->mspac->trusts[i].domsid,
-+ requester_sid, false);
-+ if (result) {
-+ is_from_trusted_domain = true;
-+ break;
-+ }
-+ }
-+ }
-+
-+ if (!is_from_trusted_domain) {
-+ /* memctx is freed by the caller */
-+ char *pac_sid = dom_sid_string(tmpctx, &client_sid);
-+ char *req_sid = dom_sid_string(tmpctx, requester_sid);
-+ krb5_klog_syslog(LOG_ERR, "PAC issue: PAC has a SID "
-+ "different from what PAC requester claims. "
-+ "PAC [%s] vs PAC requester [%s]",
-+ pac_sid ? pac_sid : "<failed to display>",
-+ req_sid ? req_sid : "<failed to display>");
-+ kerr = KRB5KDC_ERR_TGT_REVOKED;
-+ goto done;
-+ }
- }
- }
-
---
-2.31.1
-
diff --git a/SOURCES/freeipa-4.9.10.tar.gz.asc b/SOURCES/freeipa-4.9.10.tar.gz.asc
new file mode 100644
index 0000000..2804c24
--- /dev/null
+++ b/SOURCES/freeipa-4.9.10.tar.gz.asc
@@ -0,0 +1,16 @@
+-----BEGIN PGP SIGNATURE-----
+
+iQIzBAABCAAdFiEE11Z2TU1+KXxtrRFyaYdvcqbi008FAmKp71wACgkQaYdvcqbi
+008rbg/9G5w7KXgJcrhwBx5qqd4fqzSnwJdyN5oaBIEKNsAigMD7LIYawqgnO3g/
+/3FmJTbeCrOj9EoakvE1YNRT+75oxAO+rMFcRvFHlJyfMCa3r3lrS4LrlQiiyNwZ
+IHovcXr0Q3fizhp/V3acyZqx2pbnSh24CK4q5a1CNUs8SPkEFcOfpAJIMQCHeH6t
+ScfxuWOp8R1FnaNQc/9x3vy3ySQbHMxIWLSfJy7pk7FhLGAvgVNQBAz70Bg7BfR1
+R1V6syGeaPmqLOQw0jV05YMxyKwkbnSK/h2DlCg/iNQ/S71rXhOpuk01dDf73CI4
+Fu1H9TX50Indq31+4qbOlKZqDshhNzRRpn2m2qVvzeTfObHlZMbYNyVamovP9fEZ
+pfJcppI8aNDURjqpf/sVy4G8mhI5FQS+Q7bKvv9C04iE3XpTutg8q5mLMXGwWekY
+yeklBAmdygOKsY1uWb7BCH9eoWCVWKIwi4m5uYteZNxBt4aqsa/VFsxCE1P2T7/S
++yc1Jo7hXWW8v3wm+dIGJj+Lz9YlJxC9SAiC72a6kTwIe2gnKlxoYbqe/18hEWm6
+0jESl2LiXfBhXz0YQlv2HjcPWZMMrNuhSCGTMgzP8KfZB258mtxpbBTk5/e9Wgsk
+29GCfaMWFUqZsrteG10HT/P6cotre6EVffQl9lNlPNQpX+DUKy4=
+=azus
+-----END PGP SIGNATURE-----
diff --git a/SOURCES/freeipa-4.9.8.tar.gz.asc b/SOURCES/freeipa-4.9.8.tar.gz.asc
deleted file mode 100644
index c14420c..0000000
--- a/SOURCES/freeipa-4.9.8.tar.gz.asc
+++ /dev/null
@@ -1,16 +0,0 @@
------BEGIN PGP SIGNATURE-----
-
-iQIzBAABCAAdFiEE11Z2TU1+KXxtrRFyaYdvcqbi008FAmGf1XcACgkQaYdvcqbi
-00/kMQ//Vano94V0/L3YsLaqKiFcGo/py5pTq1Os3wB9zzCYSuU0P/eajuHLBYNe
-MfxecZihFFlmUdNooNWbewT4CE0ey1qFLwPfGXuLrse6fXVLLaYnAv2mkPUmDSpM
-XfXO0PFU0BtdkMAUsdUATngPCpQzYjVUKsAMwPovi3UcLzFZ8tWJKMA55urhwC4q
-E042wPLqzcX6Ee5JBSBkfNe35vG2LY7o3Ynh8SVCee2lBJvdWiuFT5XRhybXUsOp
-q3eTsVPz68p7CvOrjlLSsWPP0nbGF1O1UQsN+oaDZAav1Nx8lTOlxUCUQXWbs2X6
-BTUAOmZ6VjYu61sNgNSj+BSHlHIT3uRJ55JO5nLH/hLm0Oxn6SGRTVMueqV376QA
-CsIk7UrdcX9QUtu70eRxuu1aAWJ5eaF4GDWnFP+62wzd/d6LjWEE+9kXgvrcTF0C
-UzjWrmbI8x23bB4kqcROHz8lryMsBpZ94QKPHVppMiPgapDKRkculYkSeRLboADi
-q4mh2prkDSq9diWV4HvZTGwPU77oiLrQsvbGuvwD62PAlyQ4rZpfW3FllTL2Lcxy
-urA8a9UnQWQtDOsZIyxmMJ7R04gjI5fZfDhq6S09L9MfjFEKjsqO4FzXamj+SbAo
-w25sIp1qT0sV1vOt+/R/HYSIyggQyTZpQJu5UB34QLqpfDdUwFg=
-=t9up
------END PGP SIGNATURE-----
diff --git a/SPECS/ipa.spec b/SPECS/ipa.spec
index ec2a8c3..924263b 100644
--- a/SPECS/ipa.spec
+++ b/SPECS/ipa.spec
@@ -146,8 +146,8 @@
# RHEL 8.2+, F32+ has 3.58
%global nss_version 3.44.0-4
-# RHEL 8.3+, F32+
-%global sssd_version 2.4.0
+# RHEL 8.7+, F35+, adds IdP integration
+%global sssd_version 2.7.0
%define krb5_base_version %(LC_ALL=C /usr/bin/pkgconf --modversion krb5 | grep -Eo '^[^.]+\.[^.]+' || echo %krb5_version)
%global kdcproxy_version 0.4-3
@@ -178,7 +178,7 @@
# Work-around fact that RPM SPEC parser does not accept
# "Version: @VERSION@" in freeipa.spec.in used for Autoconf string replacement
-%define IPA_VERSION 4.9.8
+%define IPA_VERSION 4.9.10
# Release candidate version -- uncomment with one percent for RC versions
#%%global rc_version %%nil
%define AT_SIGN @
@@ -191,7 +191,7 @@
Name: %{package_name}
Version: %{IPA_VERSION}
-Release: 7%{?rc_version:.%rc_version}%{?dist}
+Release: 6%{?rc_version:.%rc_version}%{?dist}
Summary: The Identity, Policy and Audit system
License: GPLv3+
@@ -211,24 +211,21 @@ Source1: https://releases.pagure.org/freeipa/freeipa-%{version}%{?rc_vers
# RHEL spec file only: START
%if %{NON_DEVELOPER_BUILD}
%if 0%{?rhel} >= 8
-Patch0001: 0001-Revert-freeipa.spec-depend-on-bind-dnssec-utils.patch
-Patch0002: 0002-Config-plugin-return-EmptyModlist-when-no-change-is-applied_rhbz#2031825.patch
-Patch0003: 0003-Custodia-use-a-stronger-encryption-algo-when-exporting-keys_rhbz#2032806.patch
-Patch0004: 0004-ipa-kdb-do-not-remove-keys-for-hardened-auth-enabled-users_rhbz#2033342.patch
-Patch0005: 0005-ipa-pki-proxy.conf-provide-access-to-kra-admin-kra-getStatus_rhbz#2049167.patch
-Patch0006: 0006-Backport-latest-test-fxes-in-python3-ipatests_rhbz#2048509.patch
-Patch0007: 0007-Don-t-always-override-the-port-in-import_included_profiles_rhbz#2022483.patch
-Patch0008: 0008-Remove-ipa-join-errors-from-behind-the-debug-option_rhbz#2048558.patch
-Patch0009: 0009-Enable-the-ccache-sweep-timer-during-installation_rhbz#2051575.patch
-Patch0010: 0010-ipatests-remove-additional-check-for-failed-units_rhbz#2053024.patch
-Patch0011: 0011-ipa_cldap-fix-memory-leak_rhbz#2032738.patch
-Patch0012: 0012-ipatests-fix-TestOTPToken-test_check_otpd_after_idle_timeout_rhbz#2053024.patch
-Patch0013: 0013-Backport_test_fixes_in_python3_ipatests_rhbz#2057505.patch
+Patch0001: 0001-ipa-otpd-Fix-build-on-older-versions-of-gcc.patch
+Patch0002: 0002-webui-IdP-Remove-arrow-notation-due-to-uglify-js-lim.patch
+Patch0003: 0003-Preserve-user-fix-the-confusing-summary_rhbz#2022028.patch
+Patch0004: 0004-Only-calculate-LDAP-password-grace-when-the-password_rhbz#782917.patch
+Patch0005: 0005-Add-end-to-end-integration-tests-for-external-IdP.patch
+Patch0006: 0006-webui-Do-not-allow-empty-pagination-size_rhbz#2094672.patch
+Patch0007: 0007-webui-Allow-grace-login-limit_rhbz#2109243.patch
+Patch0008: 0008-check_repl_update-in-progress-is-a-boolean_rhbz#2117303.patch
+Patch0009: 0009-Disabling-gracelimit-does-not-prevent-LDAP-binds_rhbz#2109236.patch
+Patch0010: 0010-Set-passwordgracelimit-to-match-global-policy-on-group-pw-policies_rhbz#2115475.patch
Patch1001: 1001-Change-branding-to-IPA-and-Identity-Management.patch
+Patch1002: 1002-Revert-freeipa.spec-depend-on-bind-dnssec-utils.patch
%endif
%endif
# RHEL spec file only: END
-Patch1101: 1101-Harden-FreeIPA-KDC-processing-of-PAC-buffers-20211130.patch
# For the timestamp trick in patch application
BuildRequires: diffstat
@@ -325,7 +322,9 @@ BuildRequires: python3-wheel
%if %{with doc}
BuildRequires: python3-sphinx
-BuildRequires: python3-m2r
+BuildRequires: plantum1
+BuildRequires: fontconfig
+BuildRequires: google-noto-sans-vf-fonts
%endif
#
@@ -474,6 +473,8 @@ Requires: libpwquality
Requires: cracklib-dicts
# NDR libraries are internal in Samba and change with version without changing SONAME
Requires: samba-client-libs >= %{samba_version}
+# Due to RHBZ#2100916, libvert-libev is required by ipa-otp.
+Requires: libverto-libev >= 0.3.2-1
Provides: %{alt_name}-server = %{version}
Conflicts: %{alt_name}-server
@@ -648,7 +649,12 @@ Requires: python3-sssdconfig >= %{sssd_version}
Requires: cyrus-sasl-gssapi%{?_isa}
Requires: chrony
Requires: krb5-workstation >= %{krb5_version}
-Requires: authselect >= 0.4-2
+# authselect: sssd profile with-subid
+%if 0%{?fedora} >= 36
+Requires: authselect >= 1.4.0
+%else
+Requires: authselect >= 1.2.5
+%endif
Requires: curl
# NIS domain name config: /usr/lib/systemd/system/*-domainname.service
# All Fedora 28+ and RHEL8+ contain the service in hostname package
@@ -660,6 +666,7 @@ Requires: xmlrpc-c >= 1.27.4
Requires: jansson
%endif
Requires: sssd-ipa >= %{sssd_version}
+Requires: sssd-idp >= %{sssd_version}
Requires: certmonger >= %{certmonger_version}
Requires: nss-tools >= %{nss_version}
Requires: bind-utils
@@ -1051,6 +1058,7 @@ rm %{buildroot}/%{plugin_dir}/libipa_extdom_extop.la
rm %{buildroot}/%{plugin_dir}/libipa_range_check.la
rm %{buildroot}/%{plugin_dir}/libipa_otp_counter.la
rm %{buildroot}/%{plugin_dir}/libipa_otp_lasttoken.la
+rm %{buildroot}/%{plugin_dir}/libipa_graceperiod.la
rm %{buildroot}/%{plugin_dir}/libtopology.la
rm %{buildroot}/%{_libdir}/krb5/plugins/kdb/ipadb.la
rm %{buildroot}/%{_libdir}/samba/pdb/ipasam.la
@@ -1234,6 +1242,7 @@ if [ $1 -gt 1 ] ; then
%{__python3} -c 'from ipaclient.install.client import configure_krb5_snippet; configure_krb5_snippet()' >>/var/log/ipaupgrade.log 2>&1
%{__python3} -c 'from ipaclient.install.client import update_ipa_nssdb; update_ipa_nssdb()' >>/var/log/ipaupgrade.log 2>&1
+ chmod 0600 /var/log/ipaupgrade.lo
SSH_CLIENT_SYSTEM_CONF="/etc/ssh/ssh_config"
if [ -f "$SSH_CLIENT_SYSTEM_CONF" ]; then
sed -E --in-place=.orig 's/^(HostKeyAlgorithms ssh-rsa,ssh-dss)$/# disabled by ipa-client update\n# \1/' "$SSH_CLIENT_SYSTEM_CONF"
@@ -1409,6 +1418,7 @@ fi
%attr(755,root,root) %{plugin_dir}/libipa_sidgen.so
%attr(755,root,root) %{plugin_dir}/libipa_sidgen_task.so
%attr(755,root,root) %{plugin_dir}/libipa_extdom_extop.so
+%attr(755,root,root) %{plugin_dir}/libipa_graceperiod.so
%attr(755,root,root) %{_libdir}/krb5/plugins/kdb/ipadb.so
%{_mandir}/man1/ipa-replica-conncheck.1*
%{_mandir}/man1/ipa-replica-install.1*
@@ -1712,8 +1722,60 @@ fi
# with selinux
%endif
-
%changelog
+* Mon Aug 22 2022 Rafael Jeffman <rjeffman@redhat.com> - 4.9.10-6
+- webui: Allow grace login limit
+ Resolves: RHBZ#2109243
+- check_repl_update: in progress is a boolean
+ Resolves: RHBZ#2117303
+- Disabling gracelimit does not prevent LDAP binds
+ Resolves: RHBZ#2109236
+- Set passwordgracelimit to match global policy on group pw policies
+ Resolves: RHBZ#2115475
+
+* Tue Jul 19 2022 Rafael Jeffman <rjeffman@redhat.com> - 4.9.10-5
+- webui: Do not allow empty pagination size
+ Resolves: RHBZ#2094672
+
+* Tue Jul 12 2022 Rafael Jeffman <rjeffman@redhat.com> - 4.9.10-4
+- Add end to end integration tests for external IdP
+ Resolves: RHBZ#2106346
+
+* Thu Jul 07 2022 Rafael Jeffman <rjeffman@redhat.com> - 4.9.10-3
+- Add explicit dependency for libvert-libev
+ Resolves: RHBZ#2104929
+
+* Fri Jul 01 2022 Rafael Jeffman <rjeffman@redhat.com> - 4.9.10-2
+- Preserve user: fix the confusing summary
+ Resolves: RHBZ#2022028
+- Only calculate LDAP password grace when the password is expired
+ Related: RHBZ#782917
+
+* Wed Jun 15 2022 Rafael Jeffman <rjeffman@redhat.com> - 4.9.10-1
+- Rebase to upstream release 4.9.10
+ Remove upstream patches 0002 to 0016 that are part of version 4.9.10
+ Remove patches 1101 that is part of version 4.9.10
+ Rename patch 0001 to 1002 as it will be used in future RHEL 8 releases
+ Add patches 0001 and 0002 to fix build on RHEL 8.7
+ Resolves: RHBZ#2079466
+ Resolves: RHBZ#2063155
+ Resolves: RHBZ#1958777
+ Resolves: RHBZ#2068088
+ Resolves: RHBZ#2004646
+ Resolves: RHBZ#782917
+ Resolves: RHBZ#2059396
+ Resolves: RHBZ#2092015
+
+* Tue Apr 5 2022 Rafael Jeffman <rjeffman@redhat.com> - 4.9.8-8
+- Backport latest test fixes in python3-ipatests
+ Resolves: RHBZ#2060841
+- extdom: user getorigby{user|group}name if available
+ Resolves: RHBZ#2062379
+- Set the mode on ipaupgrade.log during RPM post snipppet
+ Resolves: RHBZ#2061957
+- test_krbtpolicy: skip SPAKE-related tests in FIPS mode
+ Resolves: RHBZ#1909630
+
* Thu Feb 24 2022 Rafael Jeffman <rjeffman@redhat.com> - 4.9.8-7
- ipatests: Backport test fixes in python3-ipatests.
Resolves: RHBZ#2057505