diff --git a/0007-ipa-kdb-search-for-password-policies-globally.patch b/0007-ipa-kdb-search-for-password-policies-globally.patch
new file mode 100644
index 0000000..5b04552
--- /dev/null
+++ b/0007-ipa-kdb-search-for-password-policies-globally.patch
@@ -0,0 +1,38 @@
+From b9b919e127c453eda02ea142d7cd80c16aa5ca31 Mon Sep 17 00:00:00 2001
+From: Alexander Bokovoy
+Date: Thu, 15 Dec 2016 16:30:00 +0200
+Subject: [PATCH] ipa-kdb: search for password policies globally
+
+With the CoS templates now used to create additional password policies
+per object type that are placed under the object subtrees, DAL driver
+needs to search for the policies in the whole tree.
+
+Individual policies referenced by the krbPwdPolicyReference attribute
+are always searched by their full DN and with the base scope. However,
+when KDC asks a DAL driver to return a password policy by name, we don't
+have any specific base to search. The original code did search by the
+realm subtree.
+
+Fixes https://fedorahosted.org/freeipa/ticket/6561
+
+Reviewed-By: Martin Babinsky
+---
+ daemons/ipa-kdb/ipa_kdb_pwdpolicy.c | 2 +-
+ 1 file changed, 1 insertion(+), 1 deletion(-)
+
+diff --git a/daemons/ipa-kdb/ipa_kdb_pwdpolicy.c b/daemons/ipa-kdb/ipa_kdb_pwdpolicy.c
+index 076314a12840881a340763ab5693131aaccafec6..0c810af98f7a37b76afc4ca40b29441d9793f12f 100644
+--- a/daemons/ipa-kdb/ipa_kdb_pwdpolicy.c
++++ b/daemons/ipa-kdb/ipa_kdb_pwdpolicy.c
+@@ -163,7 +163,7 @@ krb5_error_code ipadb_get_pwd_policy(krb5_context kcontext, char *name,
+ }
+
+ kerr = ipadb_simple_search(ipactx,
+- ipactx->realm_base, LDAP_SCOPE_SUBTREE,
++ ipactx->base, LDAP_SCOPE_SUBTREE,
+ src_filter, std_pwdpolicy_attrs, &res);
+ if (kerr) {
+ goto done;
+--
+2.7.4
+
diff --git a/freeipa.spec b/freeipa.spec
index 05c6c0c..5af197d 100644
--- a/freeipa.spec
+++ b/freeipa.spec
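Review bot: Moving the base to `ipactx->base` with `LDAP_SCOPE_SUBTREE` makes any entry matching `src_filter` anywhere under the suffix a candidate for the policy called `name`, and the hunk shows neither how `src_filter` is built nor what happens when more than one entry comes back. If `src_filter` embeds the caller-supplied `name`, confirm it is LDAP-filter-escaped and restricted by objectClass (not visible here), since the wider scope now makes a loose filter matter more. I would also reject an ambiguous result instead of silently using whichever entry the server returned first, e.g. an `ldap_count_entries()` check on `res` after the existing `if (kerr)` block that fails with `KRB5_KDB_INTERNAL_ERROR` when it returns more than one. A why-comment on the call would help the next reader: `/* named policies are generated per object subtree (CoS), so no base narrower than the suffix is known here */`. ipadb_get_pwd_policy starts before the hunk (its signature is on the @@ line) and continues past it.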
@@ -36,7 +36,7 @@
 Name: freeipa
 Version: %{VERSION}
-Release: 3%{?dist}
+Release: 4%{?dist}
 Summary: The Identity, Policy and Audit system
 Group: System Environment/Base
@@ -51,6 +51,7 @@ Patch0003: 0003-cert-revoke-fix-permission-check-bypass-CVE-2016-540.patch
 Patch0004: 0004-ipa-kdb-Allow-to-build-with-samba-4.5.patch
 Patch0005: 0005-certprofile-mod-correctly-authorise-config-update.patch
 Patch0006: 0006-password-policy-Add-explicit-default-password-policy.patch
+Patch0007: 0007-ipa-kdb-search-for-password-policies-globally.patch
 %if ! %{ONLY_CLIENT}
 BuildRequires: 389-ds-base-devel >= 1.3.5
@@ -1474,6 +1475,11 @@ fi
 %endif # ONLY_CLIENT
 %changelog
+* Thu Dec 15 2016 Pavel Vomacka - 4.3.2-4
+- Require nss 3.27.0-1.2 and nss-tools 3.27.0-1.2
+ Otherwise nss.error.NSPRError: (SEC_ERROR_INVALID_ARGS) occurres
+- ipa-kdb: search for password policies globally
+
 * Wed Dec 14 2016 Pavel Vomacka - 4.3.2-3
 - Fixes 1395311 - CVE-2016-9575 ipa: Insufficient permission check in certprofile-mod
 - Fixes 1370493 - CVE-2016-7030 ipa: DoS attack against kerberized services