[Pkg-freeipa-devel] [Git][freeipa-team/389-ds-base][master] 30 commits: Ticket 48707 - ldapssotoken for authentication

Timo Aaltonen gitlab at salsa.debian.org
Thu Feb 27 12:23:17 GMT 2020

Timo Aaltonen pushed to branch master at FreeIPA packaging / 389-ds-base

38fe7680 by William Brown at 2020-01-23T23:28:17+00:00
Ticket 48707 - ldapssotoken for authentication

Bug Description: This implements LDAP ssotokens, a simple
but cryptographically strong method of providing "cookies" to clients
on request so that they can re-bind to a session at a later time. This
is required for the web portal so that the portal may remain "isolated"
without a strict security audit as the 389-ds server provides all
security features.

Fix Description: This adds the features for cookies with time limits up
to one day to be generated from a rust library. These can be "revoked"
globally by regeneration of the fernet key. Multiple DS servers can
accept the tokens if they all have the same key configured. The TTL
is adjustable based on site preferences. Additionally, sites that do
not compile rust features will not have the feature enabled.


Author: William Brown <william at blackhats.net.au>

Review by: mreynolds
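To show the three token properties the commit message describes (a TTL capped at one day, global revocation by regenerating the key, and any server holding the same key accepting the token), here is an added stand-alone example that is not the 389-ds code. It uses a stdlib HMAC token in place of fernet, so it authenticates but does not encrypt the cookie; the bind DN, key and timestamps are constructed.

```python
import base64
import hashlib
import hmac
import os
import time

# Stand-in for the fernet-backed ldapssotoken: an HMAC-SHA256 token carrying
# a bind DN and an absolute expiry. Constructed for illustration, not 389-ds code.
MAX_TTL = 24 * 60 * 60   # the commit caps token lifetime at one day
MAC_LEN = hashlib.sha256().digest_size


def generate_key() -> bytes:
    """Fresh random key. Regenerating it on every server revokes all tokens."""
    return os.urandom(32)


def issue_token(key: bytes, dn: str, ttl: int, now=None) -> str:
    """Issue a token for `dn` that expires after `ttl` seconds (clamped to one day)."""
    ttl = max(0, min(ttl, MAX_TTL))
    exp = int(now if now is not None else time.time()) + ttl
    payload = f"{exp}|{dn}".encode()
    mac = hmac.new(key, payload, hashlib.sha256).digest()
    return base64.urlsafe_b64encode(payload + mac).decode()


def verify_token(key: bytes, token: str, now=None):
    """Return the bind DN if the token is authentic and unexpired, else None.

    Any server configured with the same key can verify, which is how the
    commit describes sharing tokens across multiple DS instances.
    """
    try:
        raw = base64.urlsafe_b64decode(token.encode())
        payload, mac = raw[:-MAC_LEN], raw[-MAC_LEN:]
        exp_s, dn = payload.split(b"|", 1)
        exp = int(exp_s)
    except ValueError:
        return None                      # malformed token
    expected = hmac.new(key, payload, hashlib.sha256).digest()
    if not hmac.compare_digest(mac, expected):
        return None                      # forged, tampered, or key was rotated
    if exp <= int(now if now is not None else time.time()):
        return None                      # expired
    return dn.decode()
```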

- - - - -
54b941de by Mark Reynolds at 2020-01-24T09:08:14-05:00
Issue 49990 - Need to enforce a hard maximum limit for file descriptors

Description: On some platforms the maximum FD limit is high, which can cause
             an OOM at server startup.  So we need to add a hard maximum

relates: https://pagure.io/389-ds-base/issue/49990

Reviewed by: firstyear & tbordaz (Thanks!!)

- - - - -
1004e5c1 by Mark Reynolds at 2020-01-24T10:56:35-05:00
Issue 50850 - Fix dsctl healthcheck for python36

Description:  dsctl health check, specifically the certificate expiring
              checks, were using python37 specific functions, but these
              do not work on python36.  Needed to replace fromisoformat()
              with something more portable.

relates: https://pagure.io/389-ds-base/issue/50850

Reviewed by: firstyear(Thanks!)

- - - - -
9b779ed8 by Mark Reynolds at 2020-01-24T11:33:21-05:00
Issue 50853 - Fix NULL pointer deref in config setting

Description:  Need to check if the config init function is defined for
              the attribute before blindly calling it.  This fixes a
              regression from issue 48707.

relates: https://pagure.io/389-ds-base/issue/50853

Reviewed by: tbordaz & mhonek (Thanks!)

- - - - -
a3beee45 by Viktor Ashirov at 2020-01-27T11:26:16+01:00
Issue 49761 - Fix CI test suite issues

Fix plugins acceptance test suite by adding a test attribute to the schema
since the schema filter check can return invalid search results.

Relates: https://pagure.io/389-ds-base/issue/49761

Reviewed by: mhonek (Thanks!)

- - - - -
473d6163 by Thierry Bordaz at 2020-01-27T16:34:29+01:00
Ticket 50857 - Memory leak in ACI using IP subject

Bug Description:
	When an ACI is evaluated (LASIpEval) a context (cookie) is allocated.
	At the end of the connection, the context is freed
	via a callback (LASIpFlush).
	The context contains two LASIpTree_t trees (ipv4 and ipv6).
	In the free callback, only the ipv4 tree is freed.

Fix Description:
	Free ipv6 tree in LASIpTree


Reviewed by: Mark Reynolds

Platforms tested: F31

Flag Day: no

Doc impact: no

- - - - -
7120ecb3 by William Brown at 2020-01-28T12:58:06+10:00
Ticket 50694 - import PEM certs on startup

Bug Description: To make container setup easier, given TLS
material in defined locations we should convert these into
a functional nssdb

Fix Description: Provided that we have:

* /data/config/pwdfile.txt
* /data/tls/server.key
* /data/tls/server.crt
* /data/tls/ca/*.crt

These are imported into the nssdb as such:

/data/tls/ca/ca.crt                                          C,,
Server-Cert                                                  u,u,u

This works on restarts, changes of keys, etc. I.e. to replace these,
just change out the pem files, and restart, and we "do the right
thing". Importantly, this will allow a much easier deployment of
containerised 389-ds with let's encrypt!


Author: William Brown <william at blackhats.net.au>

Review by: mreynolds, mhonek (thanks)

- - - - -
c70d2ff1 by William Brown at 2020-01-28T13:04:09+10:00
Ticket 50831 add cargo.lock to allow offline builds

Bug Description: We need cargo.lock to be distributed to allow offline
builds of the application

Fix Description: In offline builds without cargo.lock present, the build
fails as the versions are checked.


Author: William Brown <william at blackhats.net.au>

Review by: mhonek

- - - - -
8a3cea67 by Matus Honek at 2020-01-28T03:06:32+00:00
Issue 50737 - Allow building with rust online without vendoring

Bug Description:
Building --rust-enable without --rust-enable-offline still requires
predownloading the libraries.

Fix Description:
Set up .cargo/config at ./configure time, allowing a subsequent make
to automatically download the necessary libraries (in online mode).

Fixes https://pagure.io/389-ds-base/issue/50737

Author: Matus Honek <mhonek at redhat.com>

Review by: ???

- - - - -
d8a35290 by Matus Honek at 2020-01-30T12:14:19+00:00
Issue 50867 - Fix minor buildsys issues

Gitignore fixes:
- Add svrcore.pc along other .pc files.
- Since 5b1c8e7 bin utils are not created with -bin suffix.

- Comments are not allowed on macro's line; move below.
- Remove some ancient Obsoletes and Conflicts.

Fixes: https://pagure.io/389-ds-base/issue/50867

Author: Matus Honek <mhonek at redhat.com>

Review by: Mark, William (thanks!)

- - - - -
711b9de1 by Ludwig Krispenz at 2020-01-30T13:32:05+01:00
Ticket 49624 cont - DB Deadlock on modrdn appears to corrupt database and entry cache

Bug: If there are deadlocks a transaction will be retried. In the case
	of modrdn operation there is an error in handling the newsuperior
	dn, which has to be reset when the txn is repeated.
     There is also an error in freeing the entry stored in the pblock which can
	lead to a double free
     There is also a memory leak for ec entries

Fix: check if the newsuperior in the pblock was changed before the retry and
	only then free and reset it.
     check and protect pblock entry from double free
     remove ec entry from cache
     fix the txn_test_thread to run

     There is also a message at shutdown that entries remain in the entry cache
	although no leaks are reported and a hash dump didn't show entries.
	Change log level to avoid confusion

Reviewed by: Thierry, William, Viktor - Thanks

- - - - -
52930da0 by Matus Honek at 2020-01-30T12:49:52+00:00
Issue 50823 - dsctl doesn't work with 'slapd-' in the instance name

Bug Description:
DirSrv.list drops all occurrences of 'slapd-' within a serverid
rendering names containing it damaged.

Fix Description:
Remove only the first occurrence of 'slapd-' in the serverid, which is
the prefix that is expected to be removed.

Fixes https://pagure.io/389-ds-base/issue/50823

Author: Matus Honek <mhonek at redhat.com>

Review by: Mark, William (thanks!)
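The bug in this commit, shown as an added Python illustration that is not lib389's code: the on-disk instance directory is the serverid with a "slapd-" prefix, and stripping every occurrence of the prefix instead of only the leading one damages any serverid that itself contains "slapd-". The function names and the sample serverids are constructed.

```python
# Constructed illustration of the serverid bug in this commit; not lib389's code.
PREFIX = "slapd-"


def instance_dirname(serverid: str) -> str:
    """Directory name an instance gets on disk, e.g. slapd-localhost."""
    return PREFIX + serverid


def serverid_buggy(dirname: str) -> str:
    """Drops every 'slapd-', so a serverid that itself contains it is damaged."""
    return dirname.replace(PREFIX, "")


def serverid_fixed(dirname: str) -> str:
    """Remove only the leading 'slapd-' that instance_dirname prepends."""
    if dirname.startswith(PREFIX):
        return dirname[len(PREFIX):]
    return dirname


def roundtrips(serverid: str, strip) -> bool:
    """True if stripping the prefix from the on-disk name gives the serverid back."""
    return strip(instance_dirname(serverid)) == serverid
```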

- - - - -
5afacd39 by William Brown at 2020-01-31T02:09:45+00:00
Ticket 50859 - support running only with ldaps socket

Bug Description: As plaintext protocols have shown they are
unable to be effectively secured, we should have the choice to
be able to run the server only as LDAPS for high assurance

Fix Description: Add a test to assert we can move to ldaps only
and back to ldap/ldaps. Add a command to help make this easier for
admins to find and discover.


Author: William Brown <william at blackhats.net.au>

Review by: mreynolds (Thanks!)

- - - - -
493a6644 by William Brown at 2020-02-03T00:47:11+00:00
Ticket 50787 - fix implementation of attr unique

Bug Description: The implementation of attribute unique relies
on a "plugin per config" which is different to most other
handlings. This creates an exception case to the standard
plugin framework in lib389 that was not correctly handled
in the CLI.

Fix Description: Fix the cli to have the correct customised
variants of the commands to support this plugin's behaviour.

> dsconf localhost plugin attr-uniq status uid-test
Plugin 'uid-test' is disabled
> dsconf localhost plugin attr-uniq enable uid-test
Successfully enabled the cn=uid-test,cn=plugins,cn=config
> dsconf localhost plugin attr-uniq enable uid-test
Plugin 'uid-test' already enabled
> dsconf localhost plugin attr-uniq status uid-test
Plugin 'uid-test' is enabled
> dsconf localhost plugin attr-uniq disable uid-test
Successfully disabled the cn=uid-test,cn=plugins,cn=config
> dsconf localhost plugin attr-uniq disable uid-test
Plugin 'uid-test' already disabled


Author: William Brown <william at blackhats.net.au>

Review by: ???

- - - - -
0362fa3f by Akshay Adhikari at 2020-02-05T17:06:03+05:30
Issue 50117 - Add a new CI test case

Bug Description: After certain failed import operation, impossible to replay an import operation.

Fix Description: Added a test case to check whether, after a certain failed import operation,
it is possible to replay an import operation.

Relates: https://pagure.io/389-ds-base/issue/50117

Review by: mhonek,tbordaz

- - - - -
26d75994 by Akshay Adhikari at 2020-02-05T17:06:03+05:30
Issue 49946 - Add a new CI test case

Bug Description: Upgrade of 389-ds-base could remove replication agreements.

Fix Description: Added a test case to check whether an agreement whose name starts with "cn=->..."
gets removed after upgrade.

Relates: https://pagure.io/389-ds-base/issue/49946

Review by: mhonek

- - - - -
c6ad8481 by Akshay Adhikari at 2020-02-05T17:06:03+05:30
Issue 50028 - Add a new CI test case

Bug Description: There was a request for having -y option for ds-replcheck.

Fix Description: Added a test to check that ds-replcheck works if a password file is provided
with the -y option.

Relates: https://pagure.io/389-ds-base/issue/50028

Review by: mhonek

- - - - -
fcd6b2e1 by Mark Reynolds at 2020-02-05T09:26:43-05:00
Issue 50873 - Fix issues with healthcheck tool


- Wrong error code reported with result for backend check

- Disk Space Monitor check crashes because it is missing "import copy"

- On a non-LDAPI instance "dsctl healthcheck" does not prompt for bind dn, only for password.

relates: https://pagure.io/389-ds-base/issue/50873

Reviewed by: firstyear(Thanks!)

- - - - -
c6976c18 by Mark Reynolds at 2020-02-05T09:48:15-05:00
Issue 50873 - Fix healthcheck and virtual attr check

Description:  Used the wrong DN to lookup COS definitions

relates: https://pagure.io/389-ds-base/issue/50873

Reviewed by: mreynolds (one line commit rule)

- - - - -
d8988cc3 by Mark Reynolds at 2020-02-06T14:38:04-05:00
Issue 50886 - Typo in the replication debug message

Description:  Fix typo in replication logging message

relates: https://pagure.io/389-ds-base/issue/50886

Reviewed by: mreynolds (one line commit rule)

- - - - -
827c97d9 by Mark Reynolds at 2020-02-07T14:23:50-05:00
Issue 50882 - Fix healthcheck errors for instances that do not have TLS enabled

Bug Description:  The config and FSChecks fail when TLS is not setup

Fix Description:  Properly check for conditions when TLS is not enabled,
                  and ignore errors if TLS related files are not present
                  during the FS permissions check.

relates: https://pagure.io/389-ds-base/issue/50882

Reviewed by: firstyear(thanks!)

- - - - -
02d23f06 by Ludwig Krispenz at 2020-02-11T17:47:37+01:00
Ticket - 49623-cont cenotaph errors on modrdn operations

Bug: In modrdn operations cenotaph entries are created to track the time when
	an entry had existed. But in cases where entries were renamed in cycles,
	reusing the DNs again and again, this failed with an error: "faild to add cenotaph"

Fix: Previous versions of cenotaphs with the same dn are not used (or maybe in very unlikely
	scenarios) so there is no need to change the dn construction to be able to keep all
	versions of the same cenotaph. Instead, if the creation of the cenotaph fails because
	it already exists, the existing cenotaph is modified with the lifespan data of the
	cenotaph that was tried to add.

Reviewed by: Thierry, thanks

- - - - -
5878a311 by Anuj Borah at 2020-02-12T14:49:00+05:30
Issue: 50686 - Port fractional replication test cases from TET to python3 part 1

Bug Description: Port fractional replication test cases from TET to python3 part 1

Relates: https://pagure.io/389-ds-base/issue/50686

Author: aborah

Reviewed by: Viktor Ashirov

- - - - -
e6fc427c by Mark Reynolds at 2020-02-12T20:19:58-05:00
Issue 49845 - README does not contain complete information on building

Description:  Update README.md with clearer instructions and requirements
              for building the server.  Also added a check for libasan
              to configure.am.

relates: https://pagure.io/389-ds-base/issue/49845

Reviewed by: firstyear(Thanks!)

- - - - -
c6198c53 by Mark Reynolds at 2020-02-13T10:47:43-05:00
Issue 50855 - UI: Port Server Tab to React

Description:  Ported the server tab to reactJS.  Also made other changes:

             - Moved Password policy to the database tab tree.
             - Moved the Security Tab to the Server Tab tree.
             - Fixed all the typeAhead errors
             - Removed unused CSS classes

relates: https://pagure.io/389-ds-base/issue/50855

Reviewed by: spichugi(Thanks!)

- - - - -
605db5be by Mark Reynolds at 2020-02-13T11:47:04-05:00
Issue 50855 - remove unused file from UI

Description:  Remove pwpolicy.jsx as it was accidentally added to the last commit

- - - - -
776c6edf by Mark Reynolds at 2020-02-13T14:58:44-05:00
Bump version to

- - - - -
4beba62a by Timo Aaltonen at 2020-02-27T14:15:18+02:00
Merge branch 'upstream'

- - - - -
151e9074 by Timo Aaltonen at 2020-02-27T14:15:40+02:00
New upstream release.

- - - - -
15916104 by Timo Aaltonen at 2020-02-27T14:23:03+02:00
Add debian/gitlab-ci.yaml.

- - - - -

30 changed files:

- .cargo/config → .cargo/config.in
- .gitignore
- Makefile.am
- configure.ac
- debian/changelog
- + debian/gitlab-ci.yaml
- + dirsrvtests/tests/suites/auth_token/__init__.py
- + dirsrvtests/tests/suites/auth_token/basic_auth_test.py
- dirsrvtests/tests/suites/ds_tools/replcheck_test.py
- + dirsrvtests/tests/suites/fractional/fractional_test.py
- dirsrvtests/tests/suites/import/regression_test.py
- dirsrvtests/tests/suites/plugins/acceptance_test.py
- dirsrvtests/tests/suites/replication/regression_test.py
- + dirsrvtests/tests/suites/tls/tls_ldaps_only_test.py
- + dirsrvtests/tests/tickets/ticket49623_2_test.py
- ldap/admin/src/defaults.inf.in
- ldap/servers/plugins/replication/repl5_plugins.c
- ldap/servers/plugins/replication/urp.c
- ldap/servers/slapd/back-ldbm/cache.c
- ldap/servers/slapd/back-ldbm/db-bdb/bdb_layer.c
- ldap/servers/slapd/back-ldbm/ldbm_modrdn.c
- ldap/servers/slapd/bind.c
- ldap/servers/slapd/extendop.c
- ldap/servers/slapd/libglobs.c
- ldap/servers/slapd/proto-slap.h
- ldap/servers/slapd/pw_verify.c
- ldap/servers/slapd/pw_verify.h
- ldap/servers/slapd/slap.h

The diff was not included because it is too large.

View it on GitLab: https://salsa.debian.org/freeipa-team/389-ds-base/-/compare/bbe0b1f8d29eeac9443b6528c0502e473a32eaf1...15916104d0983a2a09b33326e19350e65883ff92
