4.71. ipa-client

An updated ipa-client package that fixes one bug is now available for Red Hat Enterprise Linux 5.
[Updated 20 December 2011] This advisory has been updated with the correct product name (that is, Red Hat Enterprise Linux 5) in the Details section. The package included in this revised update has not been changed in any way from the package included in the original advisory.
The ipa-client package provides a tool to enroll a machine to an IPA version 2 server. IPA (Identity, Policy and Audit) is an integrated solution to provide centrally managed identity, that is, machine, user, virtual machines, groups, and authentication credentials.

Bug Fix

BZ#768058
The RHSA-2011-1533 security advisory, which fixed a security vulnerability in the IPA web-based service, caused incompatibility with older versions of ipa-client. As a consequence, ipa-client was unable to correctly submit enrollment requests to IPA. With this update, ipa-client has been modified and it now operates correctly with newer versions of IPA. Interoperability with older versions of IPA remains unaffected.
All users of ipa-client are advised to upgrade to this updated package, which fixes this bug.
An updated ipa-client package that fixes one bug is now available for Red Hat Enterprise Linux 5.
IPA (Identity, Policy, Audit) is an integrated solution to provide centrally managed identity, that is, machine, user, virtual machines, groups, and authentication credentials. The ipa-client package provides a tool to enroll a machine to an IPA version 2 server.

Bug Fix

BZ#736658
Prior to this update, GSSAPI credential delegation was disabled in the curl utility due to a security issue. As a result, applications that rely on delegation did not work properly. This update utilizes a new constructor argument in the xmlrpc-c client API to set the new CURLOPT_GSSAPI_DELEGATION curl option. This option enables the credential delegation, thus fixing this bug.
Users of ipa-client are advised to upgrade to this updated package, which fixes this bug.
An updated ipa-client package that fixes various bugs and adds several enhancements is now available for Red Hat Enterprise Linux 5.
The ipa-client package provides a tool to enroll a machine to an IPA version 2 server. IPA (Identity, Policy, Audit) is an integrated solution to provide centrally managed identity, that is, machine, user, virtual machines, groups, and authentication credentials.
The ipa-client package has been upgraded to upstream version 2.1.3, which provides a number of bug fixes and enhancements over the previous version. (BZ#753936)

Bug Fixes

BZ#723667
Prior to this update, GSSAPI credential delegation was disabled in the curl utility due to a security issue. As a result, applications that rely on the delegation did not work properly. This update utilizes a new constructor argument in the xmlrpc-c client API to set the new CURLOPT_GSSAPI_DELEGATION curl option. This option enables credential delegation.
BZ#752226
A previous change to the Referer server required that a caller to the IPA server API include the Referer header in its request. Previously, requests from the certmonger and ipa administrative tools did not provide the header, and the tool requests could fail with the error "Missing or invalid HTTP Referer". However, the requests are transferred using curl and curl does not allow setting of arbitrary headers. To resolve this problem, the code has been changed so that the curl version is stored in the HTTP request field X-Original-User-Agent and the rest of the header is overridden. As a result, the correct header is used for the requests and the problem no longer occurs.
BZ#739068
If the user ran the ipa-client-install command with the password defined (for example, "ipa-client-install --principal=admin --password=SecretPsswd"), the /var/log/ipaclient-install.log file contained the password in plain text. With this update, the underlying code is modified and the provided password is no longer saved in the logs in this scenario.
BZ#710143
Previously, KDC (Key Distribution Center) autodiscovery failed if the domain name differed from the Kerberos realm name. This happened because the ipa-client-install utility always assumed that the realm name was identical to the domain name. Now the realm is used when performing autodiscovery and the problem no longer occurs.
BZ#750338
The cyrus-sasl-gssapi package is a soft dependency needed by some IPA client tools. Previously, the ipa-client package spec file did not contain the cyrus-sasl-gssapi dependency for some architectures. As a result, installation on some platforms could fail. This update adds the missing dependency to the spec file and the installation process finishes successfully.
BZ#723620
The cyrus-sasl-gssapi package is a soft dependency needed by some IPA client tools. Previously, when installing 32-bit packages on a 64-bit system, the macro determining the required architecture version of the cyrus-sasl-gssapi package did not work correctly. As a result, an incorrect version of cyrus-sasl-gssapi was installed and the system failed to work; for example, the ipa-getkeytab command failed with the following error because the 32-bit GSSAPI SASL mechanism was not available:
SASL Bind failed. This update corrects the macro and the problem no longer occurs.
All ipa-client users are advised to upgrade to this updated package, which fixes these bugs and adds these enhancements.