This reverts commit 191880bc9f.
The problem isn't with python-cryptography, it is with the
IPACertificate class which does way more work on a certificate
than is necessary in cert-find.
Related: https://pagure.io/freeipa/issue/9331
Reviewed-By: Florence Blanc-Renaud <frenaud@redhat.com>
SSSD 2.9.0 provides support for passkey in rawhide.
Note that f37 and f38 ship 2.9.0 without the passkey feature
but this is not an issue as IPA has a "Recommends: sssd-passkey"
definition, not a "Requires:"
Signed-off-by: Florence Blanc-Renaud <flo@redhat.com>
Reviewed-By: Alexander Bokovoy <abokovoy@redhat.com>
The package sssd-passkey provides the executable
/usr/libexec/sssd/passkey_child
which is not mandatory but recommended.
Add a weak dependency from ipa client package on sssd-passkey.
TBD: when a new version of sssd is released with passkey
support, bump the SSSD version.
Signed-off-by: Florence Blanc-Renaud <flo@redhat.com>
Reviewed-By: Alexander Bokovoy <abokovoy@redhat.com>
fontawesome 6.x is not entirely compatible with 4.x version but in
Fedora the change was made to make 4.x bits FreeIPA depends on to be
forward-ported to 6.x build. This also allows to have common dependency
for all versions.
This patch switches to the common dependency using 'fonts(fontawesome)'.
This works on all Fedora and RHEL versions.
Signed-off-by: Jerry James <loganjerry@gmail.com>
Signed-off-by: Alexander Bokovoy <abokovoy@redhat.com>
Reviewed-By: Rob Crittenden <rcritten@redhat.com>
On fedora < 39, nodejs 20 is not the default version. As
a consequence, the installation of nodejs20 adds the command
/usr/bin/node-20 instead of /usr/bin/node.
FreeIPA build is using the node command and fails if the
command is missing.
Force nodejs < 20 on fedora < 39 to make sure the node
command is installed.
Fixes: https://pagure.io/freeipa/issue/9374
Signed-off-by: Florence Blanc-Renaud <flo@redhat.com>
Reviewed-By: Rob Crittenden <rcritten@redhat.com>
SSSD already provides a config snippet which includes
SSSD_PUBCONF_KRB5_INCLUDE_D_DIR, and having both breaks Java.
Add also a dependency on sssd-krb5 for freeipa-client.
https://pagure.io/freeipa/issue/9267
Signed-off-by: Timo Aaltonen <tjaalton@debian.org>
Reviewed-By: Alexander Bokovoy <abokovoy@redhat.com>
Reviewed-By: Florence Blanc-Renaud <flo@redhat.com>
Reviewed-By: Rob Crittenden <rcritten@redhat.com>
cert-find is a rather complex beast because it not only
looks for certificates in the optional CA but within the
IPA LDAP database as well. It has a process to deduplicate
the certificates since any PKI issued certificates will
also be associated with an IPA record.
In order to obtain the data to deduplicate the certificates
the cert from LDAP must be parser for issuer and serial number.
ipaldap has automation to determine the datatype of an
attribute and will use the python-cryptography engine to
decode a certificate automatically if you access
entry['usercertificate'].
The downside is that this is comparatively slow. Here is the
parse time in microseconds:
OpenSSL.crypto 175
pyasn1 1010
python-cryptography 3136
The python-cryptography time is fine if you're parsing one
certificate but if the LDAP search returns a lot of certificates,
say in the thousands, then those microseconds add up quickly.
In testing it took ~17 seconds to parse 5k certificates.
It's hard to overstate just how much better the cryptography
Python interface is. In the case of OpenSSL really the only
certificate fields easily available are serial number, subject
and issuer. And the subject/issuer are in the OpenSSL reverse
format which doesn't compare nicely to the cryptography format.
The DN module can correct this.
Fortunately for cert-find we only need serial number and issuer,
so the OpenSSL module fine. It takes ~2 seconds.
pyasn1 is also relatively faster but switch to it would require
subtantially more effort for less payback.
cert-find when there are a lot of certificates has been
historically slow. It isn't related to the CA which returns
large sets (well, 5k anyway) in a second or two. It was the
LDAP comparision adding tens of seconds to the runtime.
CLI times from before and after:
original:
-------------------------------
Number of entries returned 5011
-------------------------------
real 0m21.155s
user 0m0.835s
sys 0m0.159s
using OpenSSL:
real 0m5.747s
user 0m0.864s
sys 0m0.148s
OpenSSL is forcibly lazy-loaded so it doesn't conflict with
python-requests. See ipaserver/wsgi.py for the gory details.
Fixes: https://pagure.io/freeipa/issue/9331
Signed-off-by: Rob Crittenden <rcritten@redhat.com>
Reviewed-By: Florence Blanc-Renaud <frenaud@redhat.com>
Reviewed-By: Antonio Torres <antorres@redhat.com>
Send stderr of pkgconf to /dev/null rather than printing the following
error text while parsing the spec file:
Package krb5 was not found in the pkg-config search path.
Perhaps you should add the directory containing `krb5.pc'
to the PKG_CONFIG_PATH environment variable
Package 'krb5', required by 'virtual:world', not found
`BuildRequires: pkgconfig(krb5)` ensures this won't happen when running
a real build. It simply avoids 4 lines of needless error output when
running something like `fedpkg prep`.
Reviewed-By: Alexander Bokovoy <abokovoy@redhat.com>
Per the Fedora packaging guidelines¹.
The GPG key was generated using details found on the wiki². The
following commands can be used to fetch the signing key via fingerprint
and extract it:
fpr=0E63D716D76AC080A4A33513F40800B6298EB963
gpg --keyserver keys.openpgp.org --receive-keys $fpr
gpg --armor --export-options export-minimal --export $fpr >gpgkey-$fpr.asc
¹ https://docs.fedoraproject.org/en-US/packaging-guidelines/#_verifying_signatures
² https://www.freeipa.org/page/Verify_Release_Signature
Reviewed-By: Alexander Bokovoy <abokovoy@redhat.com>
According to [1] all Fedora packages need to be updated to use a SPDX
expression. This patch updates the freeipa spec template to comply with
this change.
[1] https://fedoraproject.org/wiki/Changes/SPDX_Licenses_Phase_1
Fixes: https://pagure.io/freeipa/issue/9342
Signed-off-by: Rafael Guterres Jeffman <rjeffman@redhat.com>
Reviewed-By: Florence Blanc-Renaud <flo@redhat.com>
Reviewed-By: Alexander Bokovoy <abokovoy@redhat.com>
With ff6e701b00 it was replaced
with `werkzeug`.
https://pypi.org/project/Paste/
> Paste is in maintenance mode and recently moved from bitbucket to
github. Patches are accepted to keep it on life support, but for the
most part, please consider using other options.
Fixes: https://pagure.io/freeipa/issue/9314
Signed-off-by: Stanislav Levin <slev@altlinux.org>
Reviewed-By: Rob Crittenden <rcritten@redhat.com>
This change fixes rpminspect issues reported when building
for RHEL, like the following one:
Patch number 1001 (1001-Change-branding-to-IPA-and-Identity-Management.patch)
is missing a corresponding %patch1001 macro, usually in %prep.
Waiver Authorization: Anyone
Suggested Remedy:
The named patch is defined in the source RPM header (this means it has a
PatchN: definition in the spec file) but is not applied anywhere in the
spec file. It is missing a corresponding %patch macro and the spec file
lacks the %autosetup or %autopatch macros. You can fix this by adding
the appropriate %patch macro in the spec file (usually in the %prep
section). The number specified with the %patch macro corresponds to the
number used to define the patch at the top of the spec file. So Patch47
is applied with a %patch47 macro.
Signed-off-by: Florence Blanc-Renaud <flo@redhat.com>
Reviewed-By: Francisco Trivino <ftrivino@redhat.com>
Now that ipa-client-installs supports pkinit, the package
depends on krb5-pkinit-openssl.
Update the spec file, move the dependency from ipa-server
to ipa-client subpackage.
Fixes: https://pagure.io/freeipa/issue/9290
Signed-off-by: Florence Blanc-Renaud <flo@redhat.com>
Reviewed-By: Alexander Bokovoy <abokovoy@redhat.com>
Bump sssd version to 2.8.0 on fedora37+ and RHEL
to ensure the fix for SSSD #6631 is present.
No need to bump the version on fedora 36 as the issue
is not seen on versions < 37.
Fixes: https://pagure.io/freeipa/issue/9234
Signed-off-by: Florence Blanc-Renaud <flo@redhat.com>
Reviewed-By: Alexander Bokovoy <abokovoy@redhat.com>
On fedora37+, require at least bind 9.18.7-1 to avoid
dnssec regression (see BZ#2117342) related to bind and
OpenSSL 3.0 engine support.
Fixes: https://pagure.io/freeipa/issue/9216
Signed-off-by: Florence Blanc-Renaud <flo@redhat.com>
Reviewed-By: Alexander Bokovoy <abokovoy@redhat.com>
selinux-policy introduced a regression in fedora 36, rhel 8
and rhel 9. After a call to ipa trust-add, the credential cache
contains cifs/master.ipa.test@IPA.TEST instead of admin principal.
The fix is available in
- fedora 36: selinux-policy-36.16-1
- rhel 8: 3.14.3-107
Bump the selinux-policy version to install the fix.
Fixes: https://pagure.io/freeipa/issue/9198
Signed-off-by: Florence Blanc-Renaud <flo@redhat.com>
Reviewed-By: Rob Crittenden <rcritten@redhat.com>
Add support for bind grace limiting per
https://datatracker.ietf.org/doc/html/draft-behera-ldap-password-policy-06
389-ds provides for alternative naming than the draft, using those
instead: passwordGraceUserTime for pwdGraceUserTime and
passwordGraceLimit for pwdGraceLoginLimit.
passwordGraceLimit is a policy variable that an administrator
sets to determine the maximum number of LDAP binds allowed when
a password is marked as expired. This is suported for both the
global and per-group password policies.
passwordGraceUserTime is a count per-user of the number of binds.
When the passwordGraceUserTime exceeds the passwordGraceLimit then
all subsequent binds will be denied and an administrator will need
to reset the user password.
If passwordGraceLimit is less than 0 then grace limiting is disabled
and unlimited binds are allowed.
Grace login limitations only apply to entries with the objectclass
posixAccount or simplesecurityobject in order to limit this to
IPA users and system accounts.
Some basic support for the LDAP ppolicy control is enabled such that
if the ppolicy control is in the bind request then the number of
remaining grace binds will be returned with the request.
The passwordGraceUserTime attribute is reset to 0 upon a password
reset.
user-status has been extended to display the number of grace binds
which is stored centrally and not per-server.
Note that passwordGraceUserTime is an operational attribute.
https://pagure.io/freeipa/issue/1539
Signed-off-by: Rob Crittenden <rcritten@redhat.com>
Reviewed-By: Alexander Bokovoy <abokovoy@redhat.com>
Add the --subid option to client, server and replica installers.
This option allows to configure authselect with the sssd
profile + with-subid feature, in order to have SSSD setup as
a datasource for subid in /etc/nsswitch.conf.
The default behavior remains unchanged: without the option,
/etc/nsswitch.conf keeps the line subid: files
Fixes: https://pagure.io/freeipa/issue/9159
Reviewed-By: Alexander Bokovoy <abokovoy@redhat.com>
In RHEL there is a split of packages between Base OS and AppStream
repositories. While both repositories are accessible and enabled by
default, there are different requirements towards binary packages in
both. Namely, Base OS packages cannot have runtime dependencies to
AppStream packages and they should have a stricter lifecycle promises in
terms of API and ABI stability.
SSSD 2.7.0 adds sssd-idp package which provides actual implementation of
OAuth 2.0 integration. Since SSSD is provided as part of Base OS, if
sssd-idp is placed there, then all its dependencies would have to be in
Base OS. Unfortunately, libjose is already part of AppStream.
SSSD team currently pulls sssd-idp as a dependency of sssd-ipa so
FreeIPA didn't need to change anything. However, Base OS requirements
will force SSSD team to drop sssd-idp dependency from sssd-ipa. This
means FreeIPA will have to explicitly depend on sssd-idp.
Fixes:https://pagure.io/freeipa/issue/9155
Signed-off-by: Alexander Bokovoy <abokovoy@redhat.com>
Reviewed-By: Francisco Trivino <ftrivino@redhat.com>
SSSD 2.7.0 provides oidc_child and 'idp' Kerberos pre-auth mechanism as
a part of sssd-idp package which is required by sssd-ipa.
Fixes: https://pagure.io/freeipa/issue/8805
Signed-off-by: Alexander Bokovoy <abokovoy@redhat.com>
Reviewed-By: Francisco Trivino <ftrivino@redhat.com>
Reviewed-By: Sumit Bose <sbose@redhat.com>
Documentation generator can be run inside Python virtual environment.
This allows to isolate from the system-wide changes and add Sphinx
extensions that aren't packaged in a distribution.
The only exception right now is plantuml package. We rely on plantuml to
generate diagrams and since it is written in Java, it cannot be
installed directly into the Python venv through 'pip' tool.
Fixes: https://pagure.io/freeipa/issue/9148
Signed-off-by: Alexander Bokovoy <abokovoy@redhat.com>
Reviewed-By: Francisco Trivino <ftrivino@redhat.com>
The IPA tools will create /var/log/ipaupgrade.log with mode
0600. If for some reason this file doesn't exist during
upgrade then it will be created by the RPM transaction with
mode 0644 (because of umask).
So always set the mode once the snippets are done. This
will ensure that a newly created log will have the expected
mode and also fix any previous incorrectly set mode.
Fixes: https://pagure.io/freeipa/issue/8899
Signed-off-by: Rob Crittenden <rcritten@redhat.com>
Reviewed-By: Stanislav Levin <slev@altlinux.org>
The OpenDNSSec integration code requires:
/usr/sbin/dnssec-keyfromlabel-pkcs11
which is provided by bind-pkcs11-utils, but that package is
only available on RHEL<9.
With this change, freeipa-server-dns depends on bind-dnssec-utils
on all Fedora releases and RHEL==9+, and uses:
/usr/sbin/dnssec-keyfromlabel -E pkcs11
instead of dnssec-keyfromlabel-pkcs11.
Fixes: https://pagure.io/freeipa/issue/9026
Signed-off-by: François Cami <fcami@redhat.com>
Reviewed-By: Rob Crittenden <rcritten@redhat.com>
Reviewed-By: Florence Blanc-Renaud <flo@redhat.com>
Reviewed-By: Alexander Bokovoy <abokovoy@redhat.com>
Reviewed-By: Timo Aaltonen <tjaalton@debian.org>
Reviewed-By: Antonio Torres Moríñigo <atorresm@protonmail.com>
KDB driver extensively uses NDR parsing and marshalling code provided by
Samba libraries. Since these libraries are internal to Samba, they often
change structures without updating SONAME. Typical changes include
adding new structures, so we should require samba-client-libs we were
built against.
There used to be %requires_eq macros in RPM but it was removed from
Fedora some time ago. We need greater than or equal version of it, thus
%ipa_requires_gt is defined in the spec file.
Related: https://pagure.io/freeipa/issue/9031
Signed-off-by: Alexander Bokovoy <abokovoy@redhat.com>
Reviewed-By: Florence Blanc-Renaud <flo@redhat.com>
Reviewed-By: Francois Cami <fcami@redhat.com>
Add new options to ipa config-mod, allowing to enable
SID generation on upgraded servers:
ipa config-mod --enable-sid --add-sids --netbios-name NAME
The new option uses Dbus to launch an oddjob command,
org.freeipa.server.config-enable-sid
that runs the installation steps related to SID generation.
--add-sids is optional and triggers the sid generation task that
populates SID for existing users / groups.
--netbios-name is optional and allows to specify the NetBIOS Name.
When not provided, the NetBIOS name is generated based on the leading
component of the DNS domain name.
This command can be run multiple times.
Fixes: https://pagure.io/freeipa/issue/8995
Signed-off-by: Florence Blanc-Renaud <flo@redhat.com>
Reviewed-By: Christian Heimes <cheimes@redhat.com>
Reviewed-By: Rob Crittenden <rcritten@redhat.com>
Reviewed-By: Alexander Bokovoy <abokovoy@redhat.com>
python3-pexpect will be removed in RHEL9.
Update BuildRequires/Requires accordingly.
Fixes: https://pagure.io/freeipa/issue/8938
Signed-off-by: François Cami <fcami@redhat.com>
Reviewed-By: Rob Crittenden <rcritten@redhat.com>
Reviewed-By: Antonio Torres <antorres@redhat.com>
ipa-server-trust-ad subpackage need to pull in sssd-winbind-idmap
Fixes: https://pagure.io/freeipa/issue/8923
Signed-off-by: Florence Blanc-Renaud <flo@redhat.com>
Reviewed-By: Alexander Bokovoy <abokovoy@redhat.com>
New LDAP object class "ipaUserSubordinate" with four new fields:
- ipasubuidnumber / ipasubuidcount
- ipasubgidnumber / ipasgbuidcount
New self-service permission to add subids.
New command user-auto-subid to auto-assign subid
The code hard-codes counts to 65536, sets subgid equal to subuid, and
does not allow removal of subids. There is also a hack that emulates a
DNA plugin with step interval 65536 for testing.
Work around problem with older SSSD clients that fail with unknown
idrange type "ipa-local-subid", see: https://github.com/SSSD/sssd/issues/5571
Related: https://pagure.io/freeipa/issue/8361
Signed-off-by: Christian Heimes <cheimes@redhat.com>
Reviewed-By: Francois Cami <fcami@redhat.com>
Reviewed-By: Rob Crittenden <rcritten@redhat.com>
augeas 1.12.1-0.1 adds support for the new chony configuration
settings.
Related: https://pagure.io/freeipa/issue/8676
Reviewed-By: Francois Cami <fcami@redhat.com>
Reviewed-By: Anuja More <amore@redhat.com>
The spec file requires python3-coverage although it is not
used in the project.
Fixes: https://pagure.io/freeipa/issue/8905
Signed-off-by: Florence Blanc-Renaud <flo@redhat.com>
Reviewed-By: Francois Cami <fcami@redhat.com>
See: https://pagure.io/freeipa/issue/8882
Signed-off-by: Christian Heimes <cheimes@redhat.com>
Reviewed-By: Alexander Bokovoy <abokovoy@redhat.com>
Reviewed-By: Rob Crittenden <rcritten@redhat.com>
Fedora ELN represents itself as a RHEL but it does not have
redhat-logos-ipa package. CentOS Stream does not have redhat-logos-ipa
but has centos-logos-ipa package. Both RHEL and CentOS Stream provide
system-logos-ipa so we can depend on it instead.
This allows to make IPA packages installable on CentOS Stream and on
Fedora ELN.
Fixes: https://pagure.io/freeipa/issue/8874
Signed-off-by: Alexander Bokovoy <abokovoy@redhat.com>
jsl package is orphaned in Fedora 34+ as it cannot be built.
Related: https://pagure.io/freeipa/issue/8847
Signed-off-by: Alexander Bokovoy <abokovoy@redhat.com>
Reviewed-By: Alexander Bokovoy <abokovoy@redhat.com>
Older augeas does not support new options provided by chrony:
sourcedir /run/chrony-dhcp
ntsdumpdir /var/lib/chrony
and is failing to update /etc/chrony.conf in ipa installer.
Bump augeas-libs version to require the fix:
1.12.0-6 on fedora 33+
1.12.0-3 otherwise
Fixes: https://pagure.io/freeipa/issue/8676
Signed-off-by: Florence Blanc-Renaud <flo@redhat.com>
Reviewed-By: Francois Cami <fcami@redhat.com>
Two, three times a year PR-CI starts failing because tox tests pull in a
newer version of pylint with new warnings. To reduce breakage this
change constraints pylint (and indirectly astroid) to latest tested
minor version. The constraint should be updated when FreeIPA starts to
support a new Fedora version with more recent pylint.
Related: https://pagure.io/freeipa/issue/8818
Signed-off-by: Christian Heimes <cheimes@redhat.com>
Reviewed-By: Stanislav Levin <slev@altlinux.org>
Reviewed-By: Rob Crittenden <rcritten@redhat.com>
openssl-1.1.1i introduced a regression preventing WebUI
login when the server is installed with --no-pkinit option.
On fedora 32/33/34/rawhide openssl-1.1.1k-1 is now available.
On RHEL8, openssl-1.1.1g is still shipped and doesn't have the
issue.
Fixes: https://pagure.io/freeipa/issue/8632
Reviewed-By: Rob Crittenden <rcritten@redhat.com>
Template the autoconf phase.
Fixes: https://pagure.io/freeipa/issue/8768
Signed-off-by: Stanislav Levin <slev@altlinux.org>
Reviewed-By: Rob Crittenden <rcritten@redhat.com>
Reviewed-By: Alexander Bokovoy <abokovoy@redhat.com>
- 389-ds fixes an information disclosure during unsuccessful LDAP BIND
operation, CVE-2020-35518, https://github.com/389ds/389-ds-base/issues/4609
- Dogtag PKI adopted to work with 389-ds with the fix,
https://github.com/dogtagpki/pki/issues/3458
FreeIPA needs to require new Dogtag and 389-ds versions on all Fedora
and RHEL versions.
RHEL 8 version is set to 1.4.3.16-12 which is the official build after
pki-core was fixed to work with the CVE fixes.
In order to avoid excessive %if/%endif conditionals in the spec file, I
have added a short Lua table with 389-ds versions for F32-33. F34 and
Rawhide will fallback to the same newer 389-ds 2.0.3 version. We do not
support building on F31 or older Fedora anymore as they are EOLed
already.
Fixes: https://pagure.io/freeipa/issue/8705
Signed-off-by: Alexander Bokovoy <abokovoy@redhat.com>
Reviewed-By: Florence Blanc-Renaud <frenaud@redhat.com>
In order to get the fix for sync_repl, the following versions
are required:
on fedora32: 1.4.3.19-1
on fedora33 and above: 1.4.4.12-1
on rhel 8.4: 1.4.3.16-11
Note: the fix is not available yet on fedora32 as the build has
been marked as obsolete due to a pkispawn regression
(https://github.com/dogtagpki/pki/issues/3458).
The version will need to be updated in a later commit.
Fixes: https://pagure.io/freeipa/issue/8496
Reviewed-By: Francois Cami <fcami@redhat.com>
`update-crypto-policies` tool from RPM package `crypto-policies-scripts`
is required for tests.
Signed-off-by: Stanislav Levin <slev@altlinux.org>
Reviewed-By: Alexander Bokovoy <abokovoy@redhat.com>