[Pkg-freeipa-devel] freeipa: Changes to 'upstream'
Timo Aaltonen
tjaalton at moszumanska.debian.org
Tue Nov 11 08:27:06 UTC 2014
VERSION | 2 -
daemons/ipa-slapi-plugins/ipa-pwd-extop/prepost.c | 26 ++++++++++---------
install/updates/10-schema_compat.update | 30 ++++++++++++++--------
ipaserver/install/ldapupdate.py | 6 ++++
ipaserver/install/plugins/updateclient.py | 3 ++
5 files changed, 44 insertions(+), 23 deletions(-)
New commits:
commit 65a0b586ef72318bf3821a5252f89606e907fa56
Author: Petr Vobornik <pvoborni at redhat.com>
Date: Thu Nov 6 12:47:20 2014 +0100
Become IPA 4.0.5
diff --git a/VERSION b/VERSION
index af988d0..e64d5ea 100644
--- a/VERSION
+++ b/VERSION
@@ -20,7 +20,7 @@
########################################################
IPA_VERSION_MAJOR=4
IPA_VERSION_MINOR=0
-IPA_VERSION_RELEASE=4
+IPA_VERSION_RELEASE=5
########################################################
# For 'pre' releases the version will be #
commit 013e2eae2041729d5ee6ad4dc825bc4f24234ec6
Author: Nathaniel McCallum <npmccallum at redhat.com>
Date: Wed Nov 5 13:50:41 2014 -0500
Ensure that a password exists after OTP validation
Before this patch users could log in using only the OTP value. This
arose because ipapwd_authenticate() correctly determined that
an empty password was invalid, but 389 itself would see this as an
anonymous bind. An anonymous bind would never even get this far in
this code, so we simply deny requests with empty passwords.
This patch resolves CVE-2014-7828.
https://fedorahosted.org/freeipa/ticket/4690
Reviewed-By: Alexander Bokovoy <abokovoy at redhat.com>
diff --git a/daemons/ipa-slapi-plugins/ipa-pwd-extop/prepost.c b/daemons/ipa-slapi-plugins/ipa-pwd-extop/prepost.c
index 60ceaaa..1f595d0 100644
--- a/daemons/ipa-slapi-plugins/ipa-pwd-extop/prepost.c
+++ b/daemons/ipa-slapi-plugins/ipa-pwd-extop/prepost.c
@@ -1446,12 +1446,12 @@ static int ipapwd_pre_bind(Slapi_PBlock *pb)
/* Try to do OTP first. */
syncreq = sync_request_present(pb);
- if (!syncreq && !ipapwd_pre_bind_otp(dn, entry, credentials)) {
- slapi_entry_free(entry);
- slapi_send_ldap_result(pb, LDAP_INVALID_CREDENTIALS,
- NULL, NULL, 0, NULL);
- return 1;
- }
+ if (!syncreq && !ipapwd_pre_bind_otp(dn, entry, credentials))
+ goto invalid_creds;
+
+ /* Ensure that there is a password. */
+ if (credentials->bv_len == 0)
+ goto invalid_creds;
/* Authenticate the user. */
ret = ipapwd_authenticate(dn, entry, credentials);
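Review bot: The new `if (credentials->bv_len == 0)` check carries only `/* Ensure that there is a password. */`, which does not tell a reader why an empty value must be refused here instead of being left to ipapwd_authenticate(); the reason given in the commit message (389 treats the empty password as an anonymous bind) is the part worth keeping in the code. I would replace the comment with `/* Reject an empty password here: ipapwd_authenticate() would fail it, but 389 would then treat the bind as anonymous and let it through (CVE-2014-7828). */`. Note that the check sits after the OTP step, so a request carrying a token and no password still goes through ipapwd_pre_bind_otp() before being refused; if that call strips and consumes the token (not visible here), a valid token is spent on a bind that can never succeed, which is worth confirming. ipapwd_pre_bind starts before this hunk.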
@@ -1461,18 +1461,20 @@ static int ipapwd_pre_bind(Slapi_PBlock *pb)
}
/* Attempt to handle a token synchronization request. */
- if (syncreq && !sync_request_handle(ipapwd_get_plugin_id(), pb, dn)) {
- slapi_entry_free(entry);
- slapi_send_ldap_result(pb, LDAP_INVALID_CREDENTIALS,
- NULL, NULL, 0, NULL);
- return 1;
- }
+ if (syncreq && !sync_request_handle(ipapwd_get_plugin_id(), pb, dn))
+ goto invalid_creds;
/* Attempt to write out kerberos keys for the user. */
ipapwd_write_krb_keys(pb, dn, entry, credentials);
slapi_entry_free(entry);
return 0;
+
+invalid_creds:
+ slapi_entry_free(entry);
+ slapi_send_ldap_result(pb, LDAP_INVALID_CREDENTIALS,
+ NULL, NULL, 0, NULL);
+ return 1;
}
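Review bot: The new `invalid_creds:` label is now the single failure exit for three different checks (OTP, empty password, sync request) but has no comment, so someone adding a fourth check has to work out that it both frees `entry` and sends the same LDAP_INVALID_CREDENTIALS for every case. I would add above the label: `/* Common failure exit: release the entry and send a generic invalid-credentials result; every rejection in this function uses this path so the response does not vary with which check failed. */`. The result of ipapwd_write_krb_keys() on the success path is still discarded, as it was before the change; whether that is intentional cannot be seen from this hunk. ipapwd_pre_bind starts before this hunk.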
/* Init pre ops */
commit a56a6aff88e9f3fd092fe45056aeb19f15cc2f9f
Author: Thierry bordaz (tbordaz) <tbordaz at redhat.com>
Date: Wed Oct 29 16:23:03 2014 +0100
Deadlock in schema compat plugin (between automember_update_membership task and dse update)
Defining schema-compat-ignore-subtree values for schema compat plugin config entries removes the
default value (ignore: cn=tasks,cn=config). This default value prevented deadlocks.
Schema plugin needs to scope the $SUFFIX and also any updates to its configuration.
This change restricts the schema compat plugin to those subtrees. It replaces the definition of ignored subtrees,
which would otherwise have to list far too much of cn=config (tasks, mapping tree, replication, snmp, ...).
https://fedorahosted.org/freeipa/ticket/4635
Reviewed-By: Martin Basti <mbasti at redhat.com>
Reviewed-By: Alexander Bokovoy <abokovoy at redhat.com>
diff --git a/install/updates/10-schema_compat.update b/install/updates/10-schema_compat.update
index e5bc703..e462bb2 100644
--- a/install/updates/10-schema_compat.update
+++ b/install/updates/10-schema_compat.update
@@ -18,15 +18,19 @@ add: schema-compat-entry-attribute: 'sudoRunAsUser=%ifeq("ipaSudoRunAsUserCatego
add: schema-compat-entry-attribute: 'sudoRunAsUser=%ifeq("ipaSudoRunAsUserCategory","all","ALL","%deref_f(\"ipaSudoRunAs\",\"(objectclass=posixAccount)\",\"uid\")")'
add: schema-compat-entry-attribute: 'sudoRunAsGroup=%ifeq("ipaSudoRunAsGroupCategory","all","ALL","%{ipaSudoRunAsExtGroup}")'
add: schema-compat-entry-attribute: 'sudoRunAsGroup=%ifeq("ipaSudoRunAsGroupCategory","all","ALL","%deref_f(\"ipaSudoRunAsGroup\",\"(objectclass=posixGroup)\",\"cn\")")'
-add: schema-compat-ignore-subtree: cn=changelog
-add: schema-compat-ignore-subtree: o=ipaca
+remove: schema-compat-ignore-subtree: cn=changelog
+remove: schema-compat-ignore-subtree: o=ipaca
+add: schema-compat-restrict-subtree: '$SUFFIX'
+add: schema-compat-restrict-subtree: 'cn=Schema Compatibility,cn=plugins,cn=config'
# Change padding for host and userCategory so the pad returns the same value
# as the original, '' or -.
dn: cn=ng,cn=Schema Compatibility,cn=plugins,cn=config
replace: schema-compat-entry-attribute:'nisNetgroupTriple=(%link("%ifeq(\"hostCategory\",\"all\",\"\",\"%collect(\\\"%{externalHost}\\\",\\\"%deref(\\\\\\\"memberHost\\\\\\\",\\\\\\\"fqdn\\\\\\\")\\\",\\\"%deref_r(\\\\\\\"member\\\\\\\",\\\\\\\"fqdn\\\\\\\")\\\",\\\"%deref_r(\\\\\\\"memberHost\\\\\\\",\\\\\\\"member\\\\\\\",\\\\\\\"fqdn\\\\\\\")\\\")\")","-",",","%ifeq(\"userCategory\",\"all\",\"\",\"%collect(\\\"%deref(\\\\\\\"memberUser\\\\\\\",\\\\\\\"uid\\\\\\\")\\\",\\\"%deref_r(\\\\\\\"member\\\\\\\",\\\\\\\"uid\\\\\\\")\\\",\\\"%deref_r(\\\\\\\"memberUser\\\\\\\",\\\\\\\"member\\\\\\\",\\\\\\\"uid\\\\\\\")\\\")\")","-"),%{nisDomainName:-})::nisNetgroupTriple=(%link("%ifeq(\"hostCategory\",\"all\",\"\",\"%collect(\\\"%{externalHost}\\\",\\\"%deref(\\\\\\\"memberHost\\\\\\\",\\\\\\\"fqdn\\\\\\\")\\\",\\\"%deref_r(\\\\\\\"member\\\\\\\",\\\\\\\"fqdn\\\\\\\")\\\",\\\"%deref_r(\\\\\\\"memberHost\\\\\\\",\\\\\\\"member\\\\\\\",\\\\\\\"fqdn\\\\\\\")\\\")\")","%ifeq(\"hostCategory\",\"all\",\"\",\"-\")",",","%ifeq(\"userCategory\",\"all\",\"\",\"%collect(\\\"%deref(\\\\\\\"memberUser\\\\\\\",\\\\\\\"uid\\\\\\\")\\\",\\\"%deref_r(\\\\\\\"member\\\\\\\",\\\\\\\"uid\\\\\\\")\\\",\\\"%deref_r(\\\\\\\"memberUser\\\\\\\",\\\\\\\"member\\\\\\\",\\\\\\\"uid\\\\\\\")\\\")\")","%ifeq(\"userCategory\",\"all\",\"\",\"-\")"),%{nisDomainName:-})'
-add: schema-compat-ignore-subtree: cn=changelog
-add: schema-compat-ignore-subtree: o=ipaca
+remove: schema-compat-ignore-subtree: cn=changelog
+remove: schema-compat-ignore-subtree: o=ipaca
+add: schema-compat-restrict-subtree: '$SUFFIX'
+add: schema-compat-restrict-subtree: 'cn=Schema Compatibility,cn=plugins,cn=config'
dn: cn=computers, cn=Schema Compatibility, cn=plugins, cn=config
default:objectClass: top
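Review bot: The `remove:`/`add:` quartet that swaps `schema-compat-ignore-subtree` for `schema-compat-restrict-subtree` is repeated for each compat entry with nothing in the file saying why both `$SUFFIX` and the plugin's own `cn=Schema Compatibility,cn=plugins,cn=config` must be listed, so the reasoning in the commit message is lost to the next person editing this file. I would add above the first block: `# Scope the compat plugin to the IPA suffix plus its own config entry (so it still sees changes to its configuration); the rest of cn=config, e.g. cn=tasks, is then out of scope, which avoids the deadlock from ticket 4635. cn=changelog and o=ipaca need no explicit ignore because they lie outside both subtrees.` Whether a `remove:` of a value that is absent (a fresh install that never had the old ignore lines) is a no-op or an error in this update format is not visible here; if it errors, the removes would need to be tolerated on first run.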
@@ -41,19 +45,25 @@ default:schema-compat-entry-attribute: objectclass=device
default:schema-compat-entry-attribute: objectclass=ieee802Device
default:schema-compat-entry-attribute: cn=%{fqdn}
default:schema-compat-entry-attribute: macAddress=%{macAddress}
-add: schema-compat-ignore-subtree: cn=changelog
-add: schema-compat-ignore-subtree: o=ipaca
+remove: schema-compat-ignore-subtree: cn=changelog
+remove: schema-compat-ignore-subtree: o=ipaca
+add: schema-compat-restrict-subtree: '$SUFFIX'
+add: schema-compat-restrict-subtree: 'cn=Schema Compatibility,cn=plugins,cn=config'
dn: cn=sudoers,cn=Schema Compatibility,cn=plugins,cn=config
add:schema-compat-entry-attribute: sudoOrder=%{sudoOrder}
dn: cn=users,cn=Schema Compatibility,cn=plugins,cn=config
-add: schema-compat-ignore-subtree: cn=changelog
-add: schema-compat-ignore-subtree: o=ipaca
+remove: schema-compat-ignore-subtree: cn=changelog
+remove: schema-compat-ignore-subtree: o=ipaca
+add: schema-compat-restrict-subtree: '$SUFFIX'
+add: schema-compat-restrict-subtree: 'cn=Schema Compatibility,cn=plugins,cn=config'
dn: cn=groups,cn=Schema Compatibility,cn=plugins,cn=config
-add: schema-compat-ignore-subtree: cn=changelog
-add: schema-compat-ignore-subtree: o=ipaca
+remove: schema-compat-ignore-subtree: cn=changelog
+remove: schema-compat-ignore-subtree: o=ipaca
+add: schema-compat-restrict-subtree: '$SUFFIX'
+add: schema-compat-restrict-subtree: 'cn=Schema Compatibility,cn=plugins,cn=config'
dn: cn=Schema Compatibility,cn=plugins,cn=config
# We need to run schema-compat pre-bind callback before
commit d6697b683d3f3517c41e5bbb4b9033fa860fd9d0
Author: Martin Basti <mbasti at redhat.com>
Date: Tue Nov 4 15:59:50 2014 +0100
Fix upgrade: do not use invalid ldap connection
Ticket: https://fedorahosted.org/freeipa/ticket/4670
Reviewed-By: Jan Cholasta <jcholast at redhat.com>
diff --git a/ipaserver/install/ldapupdate.py b/ipaserver/install/ldapupdate.py
index 6bed046..47f0399 100644
--- a/ipaserver/install/ldapupdate.py
+++ b/ipaserver/install/ldapupdate.py
@@ -889,3 +889,9 @@ class LDAPUpdate:
self._run_updates(updates)
return self.modified
+
+ def close_connection(self):
+ """Close ldap connection"""
+ if self.conn:
+ self.conn.unbind()
+ self.conn = None
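Review bot: In the new `close_connection`, `self.conn = None` is only reached if `self.conn.unbind()` returns normally, yet the scenario this method exists for is a connection that is about to become invalid; if `unbind()` raises on a dead connection the stale handle stays in `self.conn` and later callers will keep reusing it, which is exactly the bug being fixed. I would wrap it as `try: self.conn.unbind()` / `finally: self.conn = None` so the reference is dropped regardless, and extend the docstring to say the method is safe to call when no connection is open. Whether callers want the unbind error propagated or swallowed after the reference is cleared cannot be decided from this hunk.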
diff --git a/ipaserver/install/plugins/updateclient.py b/ipaserver/install/plugins/updateclient.py
index 7566b6c..8f5c5b5 100644
--- a/ipaserver/install/plugins/updateclient.py
+++ b/ipaserver/install/plugins/updateclient.py
@@ -122,6 +122,9 @@ class updateclient(backend.Executioner):
for update in self.order(updatetype):
(restart, apply_now, res) = self.run(update.name, **kw)
if restart:
+ # connection has to be closed before restart, otherwise
+ # ld instance will try to reuse old non-valid connection
+ ld.close_connection()
self.restart(dm_password, live_run)
if apply_now:
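Review bot: The added `ld.close_connection()` before `self.restart(...)` fixes the stale-handle problem only if `ld` reopens a connection on its next use once `conn` is None; nothing in this hunk shows that, and the comment above the call describes the old failure rather than the contract the fix relies on. I would reword the comment to `# drop the ld connection before the restart; ld must reconnect lazily on next use (TODO confirm LDAPUpdate does this)` so the assumption is visible and checkable. `ld` is defined outside the hunk, and the enclosing loop and method start before it.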