ELBA-2018-3187

ELBA-2018-3187 - ipa bug fix and enhancement update

Type: BUG
Impact: NA
Release Date: 2018-11-06

Description


[4.6.4-10.0.1]
- Blank out header-logo.png product-name.png
- Replace login-screen-logo.png [20362818]

[4.6.4-10.el7]
- Resolves: 1630361 PKINIT fails in FIPS mode
- Ensure that public cert and CA bundle are readable
- Always make ipa.p11-kit world-readable
- Make /etc/httpd/alias world readable & executable
- Fix permission of public files in upgrader

[4.6.4-9.el7]
- Resolves: #1624755 Re-installing replica on the same system displays 'WARNING: cannot check if port 443 is already configured'
- ipa-replica-install: properly use the file store
- Resolves: #1623486 PKINIT configuration did not succeed message is received during Replica-install
- ipa-replica-install: fix pkinit setup
- Related: #1624289 AVC denials noticed during test execution for SUB-CA test-suite in FIPS mode
- Update minimum selinux-policy to 3.13.1-224

[4.6.4-8.el7]
- Resolves #1508498 Authn/TOTP defined users periodically prompt for just password credentials to access resources
- Clear next field when returning list elements in queue.c
- Add cmocka unit tests for ipa otpd queue code
- Resolves #1622168 ipa-otpd: fix potential double-free and infinite loop in queue code
- Clear next field when returning list elements in queue.c
- Add cmocka unit tests for ipa otpd queue code
- Resolves #1603444 ipa-server-install script is failing when using the '--no-dnssec-validation' parameter combined with the '--forwarder'
- ipa-server-install: do not perform forwarder validation with --no-dnssec-validation

[4.6.4-7.el7]
- Resolves: #1609882 ipaserver/plugins/cert.py: Add reason to raise of errors.NotFound
- ipaserver/plugins/cert.py: Added reason to raise of errors.NotFound
- Resolves: #1598662 Replica installation fails with connection refused error
- Do not set ca_host when --setup-ca is used
- Resolves: #1577108 Improve Custodia client and key distribution handling
- Fix KRA replica installation from CA master
- Resolves: #1515314 ipa-replica-install fails with PIN error [ CA-less environment ]
- Fix ipa-replica-install when key not protected by PIN
- Resolves: #1480502 ipa server uninstall with -v option displays 'IOError: [Errno 9] Bad file descriptor Logged from file ipautil.py, line 442'
- uninstall -v: remove Tracebacks
- Resolves: #1368345 Replace ERROR: cannot connect to 'http://localhost:8888/ipa/json': [Errno 111] Connection refused with 'IPA is not configured on this system'
- ipa commands: print 'IPA is not configured' when ipa is not setup
- Disable message about log in ipa-backup if IPA is not configured
- Resolves: #1591824 Installation of replica against a specific master
- Do not set ca_host when --setup-ca is used
- Resolves: #1594141 Replication races in DogtagInstance.setup_admin
- Catch ACIError instead of invalid credentials
- Resolves: #1623112 ipa-replica-install defines nsds5replicabinddngroup before the group contains the DN of the replication manager
- DS replication settings: fix regression with <3.3 master
- Resolves: #1623113 Replica install: certmonger sometimes fails
- Wait for client certificates
- Auto-retry failed certmonger requests

[4.6.4-6.el7]
- Resolves: #1590647 ldapmodify userPassword reflects on krblastpwdchange on RHEL6 but not RHEL7
- In IPA 4.4 when updating userpassword with ldapmodify does not update krbPasswordExpiration nor krbLastPwdChange
- Resolves: #1600074 ipa-server-upgrade displays 'DN: cn=Schema Compatibility,cn=plugins,cn=config does not exists or havent been updated'
- Re-open the ldif file to prevent error message
- Resolves: #1608783 ipa trust-add fails in FIPS mode.
- Move fips_enabled to a common library to share across different plugins
- ipasam: do not use RC4 in FIPS mode

[4.6.4-5.el7]
- Resolves: #1607616 Traceback in messages file during ipa-server-install: File '/usr/libexec/certmonger/dogtag-ipa-ca-renew-agent-submit', line 541, in #012
- Removing filesystem encoding check
- Resolves: #1598044 plugable.py:491:bootstrap:SystemEncodingError: System encoding must be UTF-8, 'ANSI_X3.4-1968' is not supported.
- Removing filesystem encoding check

[4.6.4-4.el7]
- Resolves: #1600525 ipa-client-install --uninstall fails to uninstall client.
- ipa client uninstall: clean the state store when restoring hostname
- Resolves: #1598117 client uninstall fails when installed using non-existing hostname
- ipa client uninstall: clean the state store when restoring hostname
- Resolves: #1596168 ipa help topics displays 'ipa: ERROR: an internal error has occurred'
- Fix regression: Handle unicode where str is expected
- Resolves: #1591824 Installation of replica against a specific master
- Query for server role IPA master
- Only create DNS SRV records for ready server
- Delay enabling services until end of installer
- replicainstall: DS SSL replica install pick right certmonger host
- Fix CA topology warning
- Fix race condition in get_locations_records()
- Fix DNSSEC install regression
- Handle races in replica config
- Resolves: #1591647 Increase WSGI worker process count
- Use 4 WSGI workers on 64bit systems
- Resolves: #1565633 nsds5ReplicaReleaseTimeout should be set by default.
- Tune DS replication settings
- Resolves: #1607616 Traceback in messages file during ipa-server-install: File '/usr/libexec/certmonger/dogtag-ipa-ca-renew-agent-submit', line 541, in #012
- Removing filesystem encoding check
- Resolves: #1598044 plugable.py:491:bootstrap:SystemEncodingError: System encoding must be UTF-8, 'ANSI_X3.4-1968' is not supported.
- Removing filesystem encoding check

[4.6.4-3.el7]
- Resolves: #1603514 Replica install fails with 'Certificate issuance failed (CA_REJECTED)' - ACIError

[4.6.4-2.el7]
- Resolves: #1594142 SRV lookup doesn't correctly sort results
- Sort and shuffle SRV record by priority and weight
- Resolves: #1594141 Replication races in DogtagInstance.setup_admin
- Fix replication races in Dogtag admin code
- Use common replication wait timeout of 5min
- Improve and fix timeout bug in wait_for_entry()
- Resolves: #1591824 Installation of replica against a specific master
- Always set ca_host when installing replica
- Resolves: #1591647 Increase WSGI worker process count
- Increase WSGI process count to 5 on 64bit
- Resolves: #1394034 Custom SELinux User Map order is changed after updating IPA
- Use replace instead of add to set new default ipaSELinuxUserMapOrder
- Resolves: #1381535 ipa config-mod returns 'Configured size limit exceeded'
- ipaserver config plugin: Increase search records minimum limit

[4.6.4-1.el7]
- Resolves: #1561581 Rebase IPA to latest 4.6.x version
- Resolves: #1234219 [WebUI] Error message could be better while adding idrange with untrusted domain name.
- Resolves: #1274488 ipa-client-install should use previously entered username when performing setup validation
- Resolves: #1289487 Priority field missing in Password Policy detail tab
- Resolves: #1339129 ipa vault-archive overwrites an existing value without warning
- Resolves: #1368345 Replace ERROR: cannot connect to 'http://localhost:8888/ipa/json': [Errno 111] Connection refused with 'IPA is not configured on this system'
- Resolves: #1424735 While performing ipa-server-upgrade, sssd goes offline and stalls the upgrade process
- Resolves: #1427105 RFE - Option to add custom OID or display name in IPA Cert
- Resolves: #1434924 ipa-restore fails when umask is set to 0027
- Resolves: #1441262 ipa group-del gives ipa: ERROR: Insufficient access: but still deletes group
- Resolves: #1452081 Suggest user to install libyubikey package instead of traceback
- Resolves: #1458183 Users can delete their last active OTP token
- Resolves: #1478366 Crash noticed during IPA upgrade process due to ipa package
- Resolves: #1480502 ipa server uninstall with -v option displays 'IOError: [Errno 9] Bad file descriptor Logged from file ipautil.py, line 442'
- Resolves: #1481936 Limit number of times the DNS response for the ipa-server A and AAAA records are done during uninstallation.
- Resolves: #1483139 ipa-restore command doesn't exit with failure if wrong directory manager's password is provided
- Resolves: #1485429 domain resolution order field in Identity->ID Views->Settings tab missing in WebUI
- Resolves: #1485851 ipa param-find: command displays internal error
- Resolves: #1494198 ipa-replica-manage re-initialize TypeError: 'NoneType' object does not support item assignment
- Resolves: #1504565 API schema generated by server doesn't follow language requested by client.
- Resolves: #1505925 kdc segfault in openldap libs when ipa-server is installed and custom pkinit is configured
- Resolves: #1506709 ipa trust-add - Filter out overlapping namespace domains automatically
- Resolves: #1513041 ipa-restore does not enable/start oddjobd
- Resolves: #1515314 ipa-replica-install fails with PIN error [ CA-less environment ]
- Resolves: #1515374 Custodia keys are not removed on uninstall
- Resolves: #1518932 The Issuer DN field in IPA is not updating properly
- Resolves: #1519723 admins group is not including all permissions of Role 'User Administrator'
- Resolves: #1527020 nsslapd-sasl-max-buffer-size is hardcoded to '2097152' during install even if another value was provided in an LDIF ( --dirsrv-config-file )
- Resolves: #1534726 IPA 'Generate OTP' option in web gui does not show OTP code when no reverse zone is managed
- Resolves: #1547641 ipa: Please log something after restarting the KDC
- Resolves: #1547995 CRL url on replicas gets incorrectly redirected
- Resolves: #1549187 IdM servers:/usr/share/ipa/html/ca.crt does not include the complete chain
- Resolves: #1553594 ldappasswd cause the IPA embedded Directory server to SIGSEGV
- Resolves: #1568748 Allow hosts to delete their own services
- Resolves: #1576133 Radius Proxy OTP Auth in IPA is not failing over to the second server in a radius-proxy
- Resolves: #1577108 Improve Custodia client and key distribution handling

[4.5.4-10.el7.2]
- Resolves: #1565633 nsds5ReplicaReleaseTimeout should be set by default
- Add nsds5ReplicaReleaseTimeout to replica config
- Fix upgrade (update_replica_config) in single master mode
- Resolves: #1577108 Improve Custodia client and key distribution handling
- Use single Custodia instance in installers
- Resolves: #1577805 4.5.0 -> 4.5.4 upgrade breaks in ipa-server-upgrade: No such file or directory: '/var/lib/pki/pki-tomcat/conf/ca/CS.cfg'
- Don't try to back up CS.cfg during upgrade if CA is not configured

[4.5.4-11.el7]
- Resolves: #1518157 Clarify the need to restart services in ipa-server-certinstall(1)
- Add a notice to restart ipa services after certs are installed
- Resolves: #1544679 OTP and Radius Authentication does not work in FIPS mode
- Fix OTP validation in FIPS mode
- Increase the default token key size
- Revert 'Dont allow OTP or RADIUS in FIPS mode'
- Log errors from NSS during FIPS OTP key import
- Resolves: #1470916 ipa client pointing to replica shows KDC has no support for encryption type
- ipa-replica-install: make sure that certmonger picks the right master
- Resolves: #1542627 DNS records updated with all IPAddresses of an interface when IPA server/replica try to install with Specific IP address of that interface
- replica-install: pass --ip-address to client install




Updated Packages


Release/Architecture | Filename | sha256 | Superseded By Advisory | Channel Label



This page is generated automatically and has not been checked for errors or omissions. For clarification or corrections please contact the Oracle Linux ULN team.