[Pkg-freeipa-devel] [Git][freeipa-team/389-ds-base][upstream] 27 commits: Ticket 48707 - ldapssotoken for authentication
Timo Aaltonen
gitlab at salsa.debian.org
Thu Feb 27 12:23:19 GMT 2020
Timo Aaltonen pushed to branch upstream at FreeIPA packaging / 389-ds-base
Commits:
38fe7680 by William Brown at 2020-01-23T23:28:17+00:00
Ticket 48707 - ldapssotoken for authentication
Bug Description: This implements LDAP ssotokens, a simple
but cryptographically strong method of providing "cookies" to clients
on request so that they can re-bind to a session at a later time. This
is required for the web portal so that the portal may remain "isolated"
without a strict security audit as the 389-ds server provides all
security features.
Fix Description: This adds the features for cookies with time limits up
to one day to be generated from a rust library. These can be "revoked"
globally by regeneration of the fernet key. Multiple DS servers can
accept the tokens if they all have the same key configured. The TTL
is adjustable based on site preferences. Additionally, sites that do
not compile rust features will not have the feature enabled.
https://pagure.io/389-ds-base/issue/48707
Author: William Brown <william at blackhats.net.au>
Review by: mreynolds
- - - - -
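The token scheme the commit message above describes (bounded TTL, any server holding the same key accepts the token, global revocation by regenerating the key) can be illustrated with a small stand-alone example. This is added here and is not code from 389-ds-base, which issues fernet tokens from a Rust library; fernet also encrypts the payload with AES-CBC, whereas this stdlib-only stand-in only signs the issue time, TTL and bind DN with HMAC-SHA256, so the DN is readable inside the token. The key bytes, bind DN and timestamps are constructed for the demonstration.

```python
import base64
import hashlib
import hmac
import os
import struct
import time

# Upper bound on token lifetime, matching the "up to one day" limit in the commit.
MAX_TTL = 24 * 60 * 60
_MAC_LEN = 32          # HMAC-SHA256 digest length
_HDR = ">QI"           # 8-byte issue time, 4-byte TTL (seconds), big-endian
_HDR_LEN = struct.calcsize(_HDR)


def generate_key():
    """Return a fresh 32-byte secret. Regenerating it revokes every outstanding token,
    because no stored token can verify against the new key."""
    return os.urandom(32)


def issue_token(key, bind_dn, ttl, now=None):
    """Mint a token that lets `bind_dn` rebind to its session for `ttl` seconds."""
    if not 0 < ttl <= MAX_TTL:
        raise ValueError("ttl must be between 1 second and one day")
    issued = int(time.time() if now is None else now)
    body = struct.pack(_HDR, issued, ttl) + bind_dn.encode("utf-8")
    mac = hmac.new(key, body, hashlib.sha256).digest()
    return base64.urlsafe_b64encode(body + mac).decode("ascii")


def verify_token(key, token, now=None):
    """Return the bind DN if the token is authentic and unexpired, otherwise None.
    Every rejection path returns None so callers cannot distinguish forgery from expiry."""
    try:
        raw = base64.urlsafe_b64decode(token.encode("ascii"))
    except (ValueError, UnicodeEncodeError):
        return None
    if len(raw) < _HDR_LEN + _MAC_LEN:
        return None
    body, mac = raw[:-_MAC_LEN], raw[-_MAC_LEN:]
    expected = hmac.new(key, body, hashlib.sha256).digest()
    if not hmac.compare_digest(mac, expected):   # constant-time comparison
        return None
    issued, ttl = struct.unpack(_HDR, body[:_HDR_LEN])
    current = int(time.time() if now is None else now)
    # Reject oversized TTLs, tokens "from the future" and tokens past their lifetime.
    if ttl > MAX_TTL or current < issued or current - issued > ttl:
        return None
    return body[_HDR_LEN:].decode("utf-8")


def demo_session_lifecycle(key_a, key_b, now=1_000_000):
    """Walk one token through the states the commit describes. Constructed DN and clock."""
    dn = "uid=alice,ou=people,dc=example,dc=com"
    tok = issue_token(key_a, dn, ttl=3600, now=now)
    return {
        "valid": verify_token(key_a, tok, now=now + 10),
        # A second server configured with the same key accepts the same token.
        "second_server_same_key": verify_token(key_a, tok, now=now + 10),
        "expired": verify_token(key_a, tok, now=now + 3601),
        # Rotating the key revokes the token everywhere at once.
        "after_key_rotation": verify_token(key_b, tok, now=now + 10),
    }


if __name__ == "__main__":
    for state, dn in demo_session_lifecycle(generate_key(), generate_key()).items():
        print(f"{state:24s} -> {dn}")
```

The TTL is enforced on the verifying side from the issue time embedded in the token, so tokens need no server-side state; the only shared secret between servers is the key, and the only way to invalidate tokens early is to rotate it.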
54b941de by Mark Reynolds at 2020-01-24T09:08:14-05:00
Issue 49990 - Need to enforce a hard maximum limit for file descriptors
Description: On some platforms the maximum FD limit is high, and it can cause
an OOM at server startup. So we need to add a hard maximum
limit.
relates: https://pagure.io/389-ds-base/issue/49990
Reviewed by: firstyear & tbordaz (Thanks!!)
- - - - -
1004e5c1 by Mark Reynolds at 2020-01-24T10:56:35-05:00
Issue 50850 - Fix dsctl healthcheck for python36
Description: dsctl health check, specifically the certificate expiring
checks, were using python37 specific functions, but these
do not work on python36. Needed to replace fromisoformat()
with something more portable.
relates: https://pagure.io/389-ds-base/issue/50850
Reviewed by: firstyear(Thanks!)
- - - - -
9b779ed8 by Mark Reynolds at 2020-01-24T11:33:21-05:00
Issue 50853 - Fix NULL pointer deref in config setting
Description: Need to check if the config init function is defined for
the attribute before blindly calling it. This fixes a
regression from issue 48707.
relates: https://pagure.io/389-ds-base/issue/50853
Reviewed by: tbordaz & mhonek (Thanks!)
- - - - -
a3beee45 by Viktor Ashirov at 2020-01-27T11:26:16+01:00
Issue 49761 - Fix CI test suite issues
Description:
Fix the plugins acceptance test suite by adding a test attribute to the schema,
since the schema filter check can return invalid search results.
Relates: https://pagure.io/389-ds-base/issue/49761
Reviewed by: mhonek (Thanks!)
- - - - -
473d6163 by Thierry Bordaz at 2020-01-27T16:34:29+01:00
Ticket 50857 - Memory leak in ACI using IP subject
Bug Description:
When an ACI is evaluated (LASIpEval) a context (cookie) is allocated.
At the end of the connection, the context is freed
via a callback (LASIpFlush).
The context contains two LASIpTree_t trees (ipv4 and ipv6).
In the free callback, only the ipv4 tree is freed.
Fix Description:
Free ipv6 tree in LASIpTree
https://pagure.io/389-ds-base/issue/50857
Reviewed by: Mark Reynolds
Platforms tested: F31
Flag Day: no
Doc impact: no
- - - - -
7120ecb3 by William Brown at 2020-01-28T12:58:06+10:00
Ticket 50694 - import PEM certs on startup
Bug Description: To make container setup easier, given TLS
material in defined locations we should convert these into
a functional nssdb
Fix Description: Provided that we have:
* /data/config/pwdfile.txt
* /data/tls/server.key
* /data/tls/server.crt
* /data/tls/ca/*.crt
These are imported into the nssdb as such:
/data/tls/ca/ca.crt C,,
Server-Cert u,u,u
This works on restarts, changes of keys, etc. I.e. to replace these,
just change out the pem files and restart, and we "do the right
thing". Importantly, this will allow a much easier deployment of
containerised 389-ds with Let's Encrypt!
https://pagure.io/389-ds-base/issue/50694
Author: William Brown <william at blackhats.net.au>
Review by: mreynolds, mhonek (thanks)
- - - - -
c70d2ff1 by William Brown at 2020-01-28T13:04:09+10:00
Ticket 50831 add cargo.lock to allow offline builds
Bug Description: We need cargo.lock to be distributed to allow offline
builds of the application
Fix Description: In offline builds without cargo.lock present, the build
fails as the versions are checked.
https://pagure.io/389-ds-base/issue/50831
Author: William Brown <william at blackhats.net.au>
Review by: mhonek
- - - - -
8a3cea67 by Matus Honek at 2020-01-28T03:06:32+00:00
Issue 50737 - Allow building with rust online without vendoring
Bug Description:
Building --rust-enable without --rust-enable-offline still requires
predownloading the libraries.
Fix Description:
Set up .cargo/config at ./configure time, allowing a subsequent make
to automatically download the necessary libraries (in
online mode).
Fixes https://pagure.io/389-ds-base/issue/50737
Author: Matus Honek <mhonek at redhat.com>
Review by: ???
- - - - -
d8a35290 by Matus Honek at 2020-01-30T12:14:19+00:00
Issue 50867 - Fix minor buildsys issues
Description:
Gitignore fixes:
- Add svrcore.pc along other .pc files.
- Since 5b1c8e7 bin utils are not created with -bin suffix.
RPM:
- Comments are not allowed on macro's line; move below.
- Remove some ancient Obsoletes and Conflicts.
Fixes: https://pagure.io/389-ds-base/issue/50867
Author: Matus Honek <mhonek at redhat.com>
Review by: Mark, William (thanks!)
- - - - -
711b9de1 by Ludwig Krispenz at 2020-01-30T13:32:05+01:00
Ticket 49624 cont - DB Deadlock on modrdn appears to corrupt database and entry cache
Bug: If there are deadlocks a transaction will be retried. In the case
of modrdn operation there is an error in handling the newsuperior
dn, which has to be reset when the txn is repeated.
There is also an error in freeing the entry stored in the pblock which can
lead to a double free.
There is also a memory leak for ec entries.
Fix: check if the newsuperior in the pblock was changed before the retry and
only then free and reset it.
check and protect pblock entry from double free
remove ec entry from cache
fix the txn_test_thread to run
There is also a message at shutdown that entries remain in the entry cache
although no leaks are reported and a hash dump didn't show entries.
Change log level to avoid confusion
Reviewed by: Thierry, William, Viktor - Thanks
- - - - -
52930da0 by Matus Honek at 2020-01-30T12:49:52+00:00
Issue 50823 - dsctl doesn't work with 'slapd-' in the instance name
Bug Description:
DirSrv.list drops all occurrences of 'slapd-' within a serverid
rendering names containing it damaged.
Fix Description:
Remove only the first occurrence of 'slapd-' in the serverid, which is
the prefix that is expected to be removed.
Fixes https://pagure.io/389-ds-base/issue/50823
Author: Matus Honek <mhonek at redhat.com>
Review by: Mark, William (thanks!)
- - - - -
5afacd39 by William Brown at 2020-01-31T02:09:45+00:00
Ticket 50859 - support running only with ldaps socket
Bug Description: As plaintext protocols have shown they are
unable to be effectively secured, we should have the choice to
be able to run the server only as LDAPS for high assurance
environments.
Fix Description: Add a test to assert we can move to ldaps only
and back to ldap/ldaps. Add a command to help make this easier for
admins to find and discover.
https://pagure.io/389-ds-base/issue/50859
Author: William Brown <william at blackhats.net.au>
Review by: mreynolds (Thanks!)
- - - - -
493a6644 by William Brown at 2020-02-03T00:47:11+00:00
Ticket 50787 - fix implementation of attr unique
Bug Description: The implementation of attribute unique relies
on a "plugin per config" which is different to most other
handlings. This creates an exception case to the standard
plugin framework in lib389 that was not correctly handled
in the CLI.
Fix Description: Fix the cli to have the correct customised
variants of the commands to support this plugin's behaviour.
> dsconf localhost plugin attr-uniq status uid-test
Plugin 'uid-test' is disabled
> dsconf localhost plugin attr-uniq enable uid-test
Successfully enabled the cn=uid-test,cn=plugins,cn=config
> dsconf localhost plugin attr-uniq enable uid-test
Plugin 'uid-test' already enabled
> dsconf localhost plugin attr-uniq status uid-test
Plugin 'uid-test' is enabled
> dsconf localhost plugin attr-uniq disable uid-test
Successfully disabled the cn=uid-test,cn=plugins,cn=config
> dsconf localhost plugin attr-uniq disable uid-test
Plugin 'uid-test' already disabled
https://pagure.io/389-ds-base/issue/50787
Author: William Brown <william at blackhats.net.au>
Review by: ???
- - - - -
0362fa3f by Akshay Adhikari at 2020-02-05T17:06:03+05:30
Issue 50117 - Add a new CI test case
Bug Description: After a certain failed import operation, it is impossible to replay an import operation.
Fix Description: Added a test case to check whether, after a certain failed import operation, it is
possible to replay an import operation.
Relates: https://pagure.io/389-ds-base/issue/50117
Review by: mhonek,tbordaz
- - - - -
26d75994 by Akshay Adhikari at 2020-02-05T17:06:03+05:30
Issue 49946 - Add a new CI test case
Bug Description: Upgrade of 389-ds-base could remove replication agreements.
Fix Description: Added a test case to check whether an agreement whose name starts with "cn=->..."
gets removed after upgrade.
Relates: https://pagure.io/389-ds-base/issue/49946
Review by: mhonek
- - - - -
c6ad8481 by Akshay Adhikari at 2020-02-05T17:06:03+05:30
Issue 50028 - Add a new CI test case
Bug Description: There was a request for having -y option for ds-replcheck.
Fix Description: Added a test to check that ds-replcheck works if a password file is provided
with the -y option.
Relates: https://pagure.io/389-ds-base/issue/50028
Review by: mhonek
- - - - -
fcd6b2e1 by Mark Reynolds at 2020-02-05T09:26:43-05:00
Issue 50873 - Fix issues with healthcheck tool
Description:
- Wrong error code reported with result for backend check
- Disk Space Monitor check crashes because it is missing "import copy"
- On a non-LDAPI instance "dsctl healthcheck" does not prompt for bind dn, only for password.
relates: https://pagure.io/389-ds-base/issue/50873
Reviewed by: firstyear(Thanks!)
- - - - -
c6976c18 by Mark Reynolds at 2020-02-05T09:48:15-05:00
Issue 50873 - Fix healthcheck and virtual attr check
Description: Used the wrong DN to lookup COS definitions
relates: https://pagure.io/389-ds-base/issue/50873
Reviewed by: mreynolds (one line commit rule)
- - - - -
d8988cc3 by Mark Reynolds at 2020-02-06T14:38:04-05:00
Issue 50886 - Typo in the replication debug message
Description: Fix typo in replication logging message
relates: https://pagure.io/389-ds-base/issue/50886
Reviewed by: mreynolds (one line commit rule)
- - - - -
827c97d9 by Mark Reynolds at 2020-02-07T14:23:50-05:00
Issue 50882 - Fix healthcheck errors for instances that do not have TLS enabled
Bug Description: The config and FSChecks fail when TLS is not setup
Fix Description: Properly check for conditions when TLS is not enabled,
and ignore errors if TLS related files are not present
during the FS permissions check.
relates: https://pagure.io/389-ds-base/issue/50882
Reviewed by: firstyear(thanks!)
- - - - -
02d23f06 by Ludwig Krispenz at 2020-02-11T17:47:37+01:00
Ticket - 49623-cont cenotaph errors on modrdn operations
Bug: In modrdn operations cenotaph entries are created to track the time when
an entry had existed. But in cases where entries were renamed in cycles,
reusing the dns again and again, this failed with an error: "failed to add cenotaph"
Fix: Previous versions of cenotaphs with the same dn are not used (or maybe in very unlikely
scenarios) so there is no need to change the dn construction to be able to keep all
versions of the same cenotaph. Instead, if the creation of the cenotaph fails because
it already exists, the existing cenotaph is modified with the lifespan data of the
cenotaph that was being added.
Reviewed by: Thierry, thanks
- - - - -
5878a311 by Anuj Borah at 2020-02-12T14:49:00+05:30
Issue: 50686 - Port fractional replication test cases from TET to python3 part 1
Bug Description: Port fractional replication test cases from TET to python3 part 1
Relates: https://pagure.io/389-ds-base/issue/50686
Author: aborah
Reviewed by: Viktor Ashirov
- - - - -
e6fc427c by Mark Reynolds at 2020-02-12T20:19:58-05:00
Issue 49845 - README does not contain complete information on building
Description: Update README.md with clearer instructions and requirements
for building the server. Also added a check for libasan
to configure.am.
relates: https://pagure.io/389-ds-base/issue/49845
Reviewed by: firstyear(Thanks!)
- - - - -
c6198c53 by Mark Reynolds at 2020-02-13T10:47:43-05:00
Issue 50855 - UI: Port Server Tab to React
Description: Ported the server tab to reactJS. Also made other changes:
- Moved Password policy to the database tab tree.
- Moved the Security Tab to the Server Tab tree.
- Fixed all the typeAhead errors
- Removed unused CSS classes
relates: https://pagure.io/389-ds-base/issue/50855
Reviewed by: spichugi(Thanks!)
- - - - -
605db5be by Mark Reynolds at 2020-02-13T11:47:04-05:00
Issue 50855 - remove unused file from UI
Description: Remove pwpolicy.jsx as it was accidentally added to the last commit
- - - - -
776c6edf by Mark Reynolds at 2020-02-13T14:58:44-05:00
Bump version to 1.4.3.3
- - - - -
30 changed files:
- .cargo/config → .cargo/config.in
- .gitignore
- Makefile.am
- README.md
- VERSION.sh
- configure.ac
- + dirsrvtests/tests/suites/auth_token/__init__.py
- + dirsrvtests/tests/suites/auth_token/basic_auth_test.py
- dirsrvtests/tests/suites/ds_tools/replcheck_test.py
- + dirsrvtests/tests/suites/fractional/fractional_test.py
- dirsrvtests/tests/suites/import/regression_test.py
- dirsrvtests/tests/suites/plugins/acceptance_test.py
- dirsrvtests/tests/suites/replication/regression_test.py
- + dirsrvtests/tests/suites/tls/tls_ldaps_only_test.py
- + dirsrvtests/tests/tickets/ticket49623_2_test.py
- ldap/admin/src/defaults.inf.in
- ldap/servers/plugins/replication/repl5_plugins.c
- ldap/servers/plugins/replication/urp.c
- ldap/servers/slapd/back-ldbm/cache.c
- ldap/servers/slapd/back-ldbm/db-bdb/bdb_layer.c
- ldap/servers/slapd/back-ldbm/ldbm_modrdn.c
- ldap/servers/slapd/bind.c
- ldap/servers/slapd/extendop.c
- ldap/servers/slapd/libglobs.c
- ldap/servers/slapd/proto-slap.h
- ldap/servers/slapd/pw_verify.c
- ldap/servers/slapd/pw_verify.h
- ldap/servers/slapd/slap.h
- lib/libaccess/lasip.cpp
- rpm.mk
The diff was not included because it is too large.
View it on GitLab: https://salsa.debian.org/freeipa-team/389-ds-base/-/compare/fda9349416b20636d605d60fc62a410303cc0e43...776c6edf5dbaabccd6d2e12a4ebd6b39598dc142