[freeipa PR#4810][opened] fix iPAddress cert issuance for >1 host/service
by frasertweedale
URL: https://github.com/freeipa/freeipa/pull/4810
Author: frasertweedale
Title: #4810: fix iPAddress cert issuance for >1 host/service
Action: opened
PR body:
"""
The 'cert_request' command accumulates DNS names from the CSR,
before checking that all IP addresses in the CSR are reachable from
those DNS names. Before adding a DNS name to the set, we check that
it corresponds to the FQDN of a known host/service principal
(including principal aliases). When a DNS name maps to an
"alternative" principal (i.e. not the one given via the 'principal'
argument), this check was not being performed correctly.
Specifically, we were looking for the 'krbprincipalname' field on
the RPC response object directly, instead of its 'result' field.
To resolve the issue, dereference the RPC response to its 'result'
field before invoking the '_dns_name_matches_principal' subroutine.
Fixes: https://pagure.io/freeipa/issue/8368
"""
To pull the PR as Git branch:
git remote add ghfreeipa https://github.com/freeipa/freeipa
git fetch ghfreeipa pull/4810/head:pr4810
git checkout pr4810
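The response-dereference bug the PR body describes, as an added example that is not FreeIPA's code: a simplified Python model of the 'cert_request' DNS-name accumulation with constructed alias and DNS tables and a mock RPC lookup. The `deref_result` switch, `rpc_lookup()` and the table contents are assumptions; it contrasts the buggy path (matcher handed the whole response) with the fixed one (matcher handed its 'result').

```python
# Added example, not FreeIPA's code: a simplified model of the DNS-name accumulation
# in 'cert_request'. The tables, rpc_lookup() and the deref_result switch are assumptions.
KNOWN = {  # constructed alias table: FQDN -> krbprincipalname values it is known under
    "web1.example.test": ["host/web1.example.test@EXAMPLE.TEST"],
    "www.example.test": ["HTTP/web2.example.test@EXAMPLE.TEST",
                         "HTTP/www.example.test@EXAMPLE.TEST"],  # principal alias
}
# Constructed forward DNS used for the iPAddress reachability check.
DNS_A = {"web1.example.test": "192.0.2.10", "www.example.test": "192.0.2.20"}

def rpc_lookup(fqdn):
    """Model of an IPA RPC response: the entry lives under the 'result' key."""
    return {"result": {"krbprincipalname": KNOWN.get(fqdn, [])}, "summary": None}

def dns_name_matches_principal(fqdn, entry):
    """True if some krbprincipalname in the entry has this FQDN as its host part."""
    for pn in entry.get("krbprincipalname", []):
        if pn.split("/", 1)[-1].split("@", 1)[0] == fqdn:
            return True
    return False

def accepted_dns_names(dns_sans, principal_fqdn, deref_result):
    """Collect CSR dNSName SANs that map to a known principal, aliases included.
    deref_result=False reproduces the bug for names other than the 'principal'
    argument's own: the whole response is handed to the matcher, which never
    finds 'krbprincipalname' on it, so alias-mapped names are silently dropped."""
    names = set()
    for fqdn in dns_sans:
        resp = rpc_lookup(fqdn)
        if fqdn == principal_fqdn or deref_result:
            entry = resp["result"]
        else:
            entry = resp  # the bug: response object instead of its 'result'
        if dns_name_matches_principal(fqdn, entry):
            names.add(fqdn)
    return names

def unreachable_ip_sans(ip_sans, names):
    """iPAddress SANs served by none of the accepted names; non-empty means rejection."""
    served = {DNS_A[n] for n in names if n in DNS_A}
    return sorted(ip for ip in ip_sans if ip not in served)

DNS_SANS = ["web1.example.test", "www.example.test"]  # constructed CSR SANs
IP_SANS = ["192.0.2.10", "192.0.2.20"]

if __name__ == "__main__":
    for fixed in (False, True):
        names = accepted_dns_names(DNS_SANS, "web1.example.test", fixed)
        print("fixed" if fixed else "buggy", sorted(names), unreachable_ip_sans(IP_SANS, names))
```

With the bug, the alias-only name www.example.test is dropped and the second iPAddress SAN becomes unreachable, so a CSR covering more than one host/service is refused; with the dereference in place both names and both addresses pass.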
FreeIPA 4.8.7 released
by Alexander Bokovoy
The FreeIPA team would like to announce the FreeIPA 4.8.7 release!
It can be downloaded from http://www.freeipa.org/page/Downloads. Builds
for Fedora distributions will be available from the official repository
soon.
== Highlights in 4.8.7
* 3687: [RFE] IPA user account expiry warning.
EPN stands for Expiring Password Notification. It is a standalone
tool designed to build a list of users whose password would expire
in the near future, and either display the list in a
machine-readable (JSON) format, or send email notifications to these
users. EPN provides command-line options to display the list of
affected users. This provides data introspection and helps
understand how many emails would be sent for a given day, or a given
date range. The command-line options can also be used by a
monitoring system to alert whenever a number of emails over the SMTP
quota would be sent. EPN is meant to be launched once a day from an
IPA client (preferred) or replica from a systemd timer. EPN does not
keep state: the list of affected users is built at runtime but never
kept.
* 3827: [RFE] Expose TTL in web UI
DNS record time to live (TTL) parameters can be edited in Web UI
* 6783: [RFE] Host-group names command rename
Host groups can now be renamed with the IPA CLI: 'ipa hostgroup-mod
group-name --rename new-name'. Protected hostgroups ('ipaservers')
cannot be renamed.
* 7577: [RFE] DNS package check should be called earlier in installation
routine
The ``--setup-dns`` knob and interactive installer now both check
for the presence of freeipa-server-dns early and abort the installer
with an error before starting actual deployment.
* 7695: ipa service-del should display principal name instead of Invalid
'principal'.
When deleting services, report the exact name of a system-required
principal that couldn't be deleted.
* 8106: ca-certificate file not being parsed correctly on Ubuntu with
p11-kit-trust.so due to data inserted by FreeIPA Client install
On Debian-based platforms update-ca-certificates does not support
multiple certificates in a single file. IPA installers now write an
individual file for each certificate on Debian-based platforms.
* 8217: RFE: ipa-backup should compare locally and globally installed
server roles
ipa-backup now checks whether the local replica's roles match those
used in the cluster and exits with a warning if this is not the case,
as backups taken on this host would not be sufficient for a proper
restore. FreeIPA administrators are advised to double check whether
the host on which backups are run has all the necessary (used) roles.
* 8222: Upgrade dojo.js
The version of the dojo.js framework used by the FreeIPA Web UI was
upgraded to 1.16.2.
* 8268: Prevent use of too long passwords
Kerberos tools limit the password entered in kpasswd or kadmin to
1024 characters but do not allow one to distinguish between passwords
cut off at 1024 characters and passwords with 1024 characters. Thus,
a limit of 1000 characters is now applied everywhere in FreeIPA.
* 8276: Add default password policy for sysaccounts
cn=sysaccounts,cn=etc now has a default password policy to permit
system accounts with krbPrincipalAux object class. This allows
system accounts to have a keytab that does not expire. The "Default
System Accounts Password Policy" has a minimum password length in
case the password is directly modified with LDAP.
* 8284: Upgrade jQuery version to actual one
The version of the jQuery framework used by the FreeIPA Web UI was
updated to 3.4.1.
* 8289: ipa servicedelegationtarget-add-member does not allow to add
hosts as targets
Service delegation rules and targets now allow hosts to be specified
as a rule's or a target's member principal.
* 8291: krb5kdc crashes in IPA plugin on use of IPA Windows principal
alias
Memory handling in various FreeIPA KDC functions was improved,
preventing potential crashes when looking up machine account aliases
for Windows machines.
* 8301: The value of the first character in target* keywords is expected
to be a double quote
389-ds 1.4 enforces the syntax for target* keywords (targetattr,
targetfilter, etc.) to have quoted attributes. Otherwise, the ACI that
contains unquoted parameters is ignored. Default FreeIPA access
controls were fixed to follow the 389-ds syntax. Any third-party ACIs
need to be updated manually.
* 8315: [dirsrv] set 'nsslapd-enable-upgrade-hash: off' as this raises
warnings
389-ds 1.4.1.6 introduced automatic password hash upgrade on LDAP
binds. FreeIPA now disables this feature because changing the password
hash in FreeIPA is not allowed by the internal plugins that
synchronize password hashes between LDAP and Kerberos.
* 8322: [RFE] Changing default hostgroup is too easy
In Web UI a confirmation dialog was added to automember
configuration to prevent unintended modification of a default host
group.
* 8325: [WebUI] Fix htmlPrefilter issue in jQuery
CVE-2020-11022: In jQuery versions greater than or equal to 1.2 and
before 3.5.0, passing HTML from untrusted sources - even after
sanitizing it - to one of jQuery's DOM manipulation methods (i.e.
.html(), .append(), and others) may execute untrusted code. FreeIPA
does not allow arbitrary code to be passed into the affected jQuery
path, but we applied the jQuery fix anyway.
* 8335: [WebUI] manage IPA resources as a user from a trusted Active
Directory domain
When users from trusted Active Directory domains have permissions to
manage IPA resources, they can do so through a Web UI management
console.
* 8348: Allow managed permissions with ldap:///self bind rule
Managed permissions can now address self-service operations. This
makes it possible for 3rd-party plugins to supply a full set of
managed permissions.
* 8357: Allow managing IPA resources as a user from a trusted Active
Directory forest
A 3rd-party plugin to provide management of IPA resources as users
from trusted Active Directory domains was merged into FreeIPA core.
ID user overrides can now be added to IPA management groups and
roles and thus allow AD users to manage IPA.
* 8362: IPA: Ldap authentication failure due to Kerberos principal
expiration UTC timestamp
LDAP authentication now handles Kerberos principal and password
expiration time in UTC time zone. Previously, a local server time
zone was applied even though UTC was implied in the settings.
=== Enhancements
=== Known Issues
=== Bug fixes
FreeIPA 4.8.7 is a stabilization release for the features delivered as a
part of 4.8 version series.
There are more than 70 bug fixes, details of which can be seen in the
list of resolved tickets below.
== Upgrading
Upgrade instructions are available on the Upgrade page.
== Feedback
Please provide comments, bugs and other feedback via the freeipa-users
mailing list (https://lists.fedoraproject.org/archives/list/freeipa-users@lists.fedorah...)
or #freeipa channel on Freenode.
== Resolved tickets
* https://pagure.io/freeipa/issue/3687[#3687] (https://bugzilla.redhat.com/s...) [RFE] IPA user account expiry warning.
* https://pagure.io/freeipa/issue/3827[#3827] [RFE] Expose TTL in web UI
* https://pagure.io/freeipa/issue/6474[#6474] Remove ipaplatform dependency from ipa modules
* https://pagure.io/freeipa/issue/6783[#6783] (https://bugzilla.redhat.com/show_bug.cgi?id=1430365[rhbz#1430365]) [RFE] Host-group names command rename
* https://pagure.io/freeipa/issue/6857[#6857] ipa_pwd.c: Use OpenSSL instead of NSS for hashing
* https://pagure.io/freeipa/issue/6884[#6884] (https://bugzilla.redhat.com/show_bug.cgi?id=1441262[rhbz#1441262]) ipa group-del gives ipa: ERROR: Insufficient access: but still deletes group
* https://pagure.io/freeipa/issue/7255[#7255] baseidoverride.get_dn() does not default to a default ID view when resolving user IDs
* https://pagure.io/freeipa/issue/7577[#7577] (https://bugzilla.redhat.com/show_bug.cgi?id=1579296[rhbz#1579296]) [RFE] DNS package check should be called earlier in installation routine
* https://pagure.io/freeipa/issue/7695[#7695] (https://bugzilla.redhat.com/show_bug.cgi?id=1623763[rhbz#1623763]) ipa service-del should display principal name instead of Invalid 'principal'.
* https://pagure.io/freeipa/issue/8017[#8017] (https://bugzilla.redhat.com/show_bug.cgi?id=1817927[rhbz#1817927]) host-add --password logs cleartext userpassword to Apache error log
* https://pagure.io/freeipa/issue/8064[#8064] Request for IPA CI to enable DS audit/auditfail logging
* https://pagure.io/freeipa/issue/8066[#8066] (https://bugzilla.redhat.com/show_bug.cgi?id=1750242[rhbz#1750242]) Don't use -t option to klist in adtrust code when timestamp is not needed
* https://pagure.io/freeipa/issue/8082[#8082] (https://bugzilla.redhat.com/show_bug.cgi?id=1756432[rhbz#1756432]) Default client configuration breaks ssh in FIPS mode.
* https://pagure.io/freeipa/issue/8101[#8101] Wrong pytest requirement in specfile
* https://pagure.io/freeipa/issue/8106[#8106] ca-certificate file not being parsed correctly on Ubuntu with p11-kit-trust.so due to data inserted by FreeIPA Client install
* https://pagure.io/freeipa/issue/8120[#8120] (https://bugzilla.redhat.com/show_bug.cgi?id=1769791[rhbz#1769791]) Invisible part of notification area in Web UI intercepts clicks of some page elements
* https://pagure.io/freeipa/issue/8159[#8159] please migrate to the new Fedora translation platform
* https://pagure.io/freeipa/issue/8163[#8163] (https://bugzilla.redhat.com/show_bug.cgi?id=1782572[rhbz#1782572]) "Internal Server Error" reported for minor issues implies IPA is broken [IdmHackfest2019]
* https://pagure.io/freeipa/issue/8164[#8164] (https://bugzilla.redhat.com/show_bug.cgi?id=1788907[rhbz#1788907]) Renewed certs are not picked up by IPA CAs
* https://pagure.io/freeipa/issue/8186[#8186] Add ipa-ca.$DOMAIN alias to IPA server HTTP certificates
* https://pagure.io/freeipa/issue/8217[#8217] (https://bugzilla.redhat.com/show_bug.cgi?id=1810154[rhbz#1810154]) RFE: ipa-backup should compare locally and globally installed server roles
* https://pagure.io/freeipa/issue/8222[#8222] Upgrade dojo.js
* https://pagure.io/freeipa/issue/8247[#8247] test_fips PR-CI templates have a too-short timeout
* https://pagure.io/freeipa/issue/8251[#8251] [Azure] Catch coredumps
* https://pagure.io/freeipa/issue/8254[#8254] [Azure] 'Tox' task fails against Python3.8
* https://pagure.io/freeipa/issue/8261[#8261] [ipatests] Integration tests fail on non-firewalld distros
* https://pagure.io/freeipa/issue/8262[#8262] test_ipahealthcheck needs a higher timeout than 3600
* https://pagure.io/freeipa/issue/8264[#8264] Nightly test failure in test_integration.test_commands.TestIPACommand.test_hbac_systemd_user
* https://pagure.io/freeipa/issue/8265[#8265] [ipatests] `/var/log/ipaupgrade.log` is not collected
* https://pagure.io/freeipa/issue/8266[#8266] test_webui_server requires a higher timeout than 3600
* https://pagure.io/freeipa/issue/8268[#8268] Prevent use of too long passwords
* https://pagure.io/freeipa/issue/8272[#8272] Use /run instead of /var/run
* https://pagure.io/freeipa/issue/8273[#8273] (https://bugzilla.redhat.com/show_bug.cgi?id=1834385[rhbz#1834385]) Man page syntax issue detected by rpminspect
* https://pagure.io/freeipa/issue/8276[#8276] Add default password policy for sysaccounts
* https://pagure.io/freeipa/issue/8283[#8283] Failures and AVCs with OpenDNSSEC 2.1
* https://pagure.io/freeipa/issue/8284[#8284] Upgrade jQuery version to actual one
* https://pagure.io/freeipa/issue/8287[#8287] named not starting after #8079, ipa-ext.conf breaks bind
* https://pagure.io/freeipa/issue/8289[#8289] ipa servicedelegationtarget-add-member does not allow to add hosts as targets
* https://pagure.io/freeipa/issue/8290[#8290] API inconsistencies
* https://pagure.io/freeipa/issue/8291[#8291] krb5kdc crashes in IPA plugin on use of IPA Windows principal alias
* https://pagure.io/freeipa/issue/8297[#8297] Fix new pylint 2.5.0 warnings and errors
* https://pagure.io/freeipa/issue/8298[#8298] [WebUI] Cover membership management with UI tests
* https://pagure.io/freeipa/issue/8300[#8300] Replace uglify-js with python3-rjsmin
* https://pagure.io/freeipa/issue/8301[#8301] The value of the first character in target* keywords is expected to be a double quote
* https://pagure.io/freeipa/issue/8306[#8306] Adopt Black code style
* https://pagure.io/freeipa/issue/8307[#8307] make devcheck fails for test_ipatests_plugins/test_ipa_run_tests.py
* https://pagure.io/freeipa/issue/8308[#8308] (https://bugzilla.redhat.com/show_bug.cgi?id=1829787[rhbz#1829787]) ipa service-del deletes the required principal when specified in lower/upper case
* https://pagure.io/freeipa/issue/8309[#8309] Convert ipaplatform from namespace package to regular package
* https://pagure.io/freeipa/issue/8311[#8311] (https://bugzilla.redhat.com/show_bug.cgi?id=1825829[rhbz#1825829]) ipa-advise on a RHEL7 IdM server generate a configuration script for client having hardcoded python3
* https://pagure.io/freeipa/issue/8312[#8312] Fix api.env.in_tree detection logic
* https://pagure.io/freeipa/issue/8313[#8313] Values of api.env.mode are inconsistent
* https://pagure.io/freeipa/issue/8315[#8315] (https://bugzilla.redhat.com/show_bug.cgi?id=1833266[rhbz#1833266]) [dirsrv] set 'nsslapd-enable-upgrade-hash: off' as this raises warnings
* https://pagure.io/freeipa/issue/8316[#8316] [Azure] Whitelist clock_adjtime syscall
* https://pagure.io/freeipa/issue/8317[#8317] XML-RCP and CLI tests depend on internal --force option
* https://pagure.io/freeipa/issue/8319[#8319] Support server referrals for enterprise principals
* https://pagure.io/freeipa/issue/8322[#8322] [RFE] Changing default hostgroup is too easy
* https://pagure.io/freeipa/issue/8323[#8323] [Build failure] Race: make po fails on parallel build
* https://pagure.io/freeipa/issue/8325[#8325] [WebUI] Fix htmlPrefilter issue in jQuery
* https://pagure.io/freeipa/issue/8328[#8328] krbtpolicy-mod cannot handle two auth ind options of the same type at the same time
* https://pagure.io/freeipa/issue/8330[#8330] [Azure] Build job fails on `tests` container preparation
* https://pagure.io/freeipa/issue/8335[#8335] [WebUI] manage IPA resources as a user from a trusted Active Directory domain
* https://pagure.io/freeipa/issue/8338[#8338] [WebUI] Host detail with no assigned ID view makes invalid RPC call
* https://pagure.io/freeipa/issue/8339[#8339] [WebUI] User details tab headers don't show member count when on settings tab
* https://pagure.io/freeipa/issue/8348[#8348] Allow managed permissions with ldap:///self bind rule
* https://pagure.io/freeipa/issue/8349[#8349] bind-9.16 and dnssec-enable
* https://pagure.io/freeipa/issue/8350[#8350] bind-9.16 and DLV
* https://pagure.io/freeipa/issue/8352[#8352] RPC API crashes when a user is disabled while a session exists
* https://pagure.io/freeipa/issue/8357[#8357] Allow managing IPA resources as a user from a trusted Active Directory forest
* https://pagure.io/freeipa/issue/8358[#8358] TTL of DNS record can be set to negative value
* https://pagure.io/freeipa/issue/8359[#8359] [WebUI] dnsrecord_mod results in JS error
* https://pagure.io/freeipa/issue/8362[#8362] (https://bugzilla.redhat.com/show_bug.cgi?id=1826659[rhbz#1826659]) IPA: Ldap authentication failure due to Kerberos principal expiration UTC timestamp
* https://pagure.io/freeipa/issue/8363[#8363] DNS config upgrade code fails
== Detailed changelog since 4.8.6
Detailed changelog can be found at https://www.freeipa.org/page/Releases/4.8.7
--
/ Alexander Bokovoy
Sr. Principal Software Engineer
Security / Identity Management Engineering
Red Hat Limited, Finland