5.110. ipa

Updated ipa packages that fix one security issue are now available for Red Hat Enterprise Linux 6.
The Red Hat Security Response Team has rated this update as having important security impact. A Common Vulnerability Scoring System (CVSS) base score, which gives a detailed severity rating, is available from the CVE link(s) associated with each description below.
Red Hat Identity Management is a centralized authentication, identity management and authorization solution for both traditional and cloud-based enterprise environments.

Security Fix

A weakness was found in the way IPA clients communicated with IPA servers when initially attempting to join IPA domains. As there was no secure way to provide the IPA server's Certificate Authority (CA) certificate to the client during a join, the IPA client enrollment process was susceptible to man-in-the-middle attacks. This flaw could allow an attacker to obtain access to the IPA server using the credentials provided by an IPA client, including administrative access to the entire domain if the join was performed using an administrator's credentials.


This weakness was only exposed during the initial client join to the realm, because the IPA client did not yet have the CA certificate of the server. Once an IPA client has joined the realm and has obtained the CA certificate of the IPA server, all further communication is secure. If a client were using the OTP (one-time password) method to join to the realm, an attacker could only obtain unprivileged access to the server (enough to only join the realm).
Red Hat would like to thank Petr Menšík for reporting this issue.
This update must be installed on both the IPA client and IPA server. When this update has been applied to the client but not the server, ipa-client-install, in unattended mode, will fail if you do not have the correct CA certificate locally, noting that you must use the "--force" option to insecurely obtain the certificate. In interactive mode, the certificate will try to be obtained securely from LDAP. If this fails, you will be prompted to insecurely download the certificate via HTTP. In the same situation when using OTP, LDAP will not be queried and you will be prompted to insecurely download the certificate via HTTP.
Users of ipa are advised to upgrade to these updated packages, which correct this issue. After installing the update, changes in LDAP are handled by ipa-ldap-updater automatically and are effective immediately.
Updated ipa packages that fix several bugs and add various enhancements are now available for Red Hat Enterprise Linux 6.
Red Hat Identity Management is a centralized authentication, identity management and authorization solution for both traditional and cloud-based enterprise environments. It integrates components of the Red Hat Directory Server, MIT Kerberos, Red Hat Certificate System, NTP, and DNS. It provides web browser and command-line interfaces. Its administration tools allow an administrator to quickly install, set up, and administer a group of domain controllers to meet the authentication and identity management requirements of large-scale Linux and UNIX deployments.


The ipa package has been upgraded to upstream version 2.2.0, which provides a number of bug fixes and enhancements over the previous version. (BZ#736865)

Bug Fixes

The Identity Management password policy plug-in for the Directory Server did not properly sort the history of user passwords when it was checking the sanity of a password change. Due to this bug, the user password history was sorted randomly, and, consequently, a random password was removed rather than the oldest password when the list overflowed. As a result, users could bypass the password policy requirement for password repetition. User passwords are now sorted correctly in the Identity Management password plug-in for the Directory Server, and the password policy requirement for password repetition is properly enforced.
Due to a bug in the Identity Management permission plug-in, an attempt to rename a permission always resulted in an error. Consequently, users had to remove the permission and create a new permission with a new name when attempting to rename a permission. With this update, the underlying source code has been modified to address this issue, and users are now able to rename permissions.
Previously, the DNS plug-in did not allow users to set a query or a transfer policy for a zone managed by Identity Management. Therefore, users could not control who could query or transfer zones in the same way they do with zones stored in plain text files. With this update, users can set ACLs for every zone managed by Identity Management; thus, users can control who can query their zones or run zone transfers.
Non-admin users with an appropriate permission can change passwords of other users. However, the target group of this permission was previously not limited. Consequently, a non-admin user with the permission to change passwords could change the password of the admin user and acquire access to the admin account. With this update, the permission was changed to allow password changes for non-admin users only.
When the ipa passwd CLI command was used to change user's password, it returned the following error message when the password change failed:
ipa: ERROR: Constraint violation: Password Fails to meet minimum strength criteria
User password changes are a subject of a configured password policy. Without a proper error message, it may be difficult to investigate why the password change failed (password complexity, too soon to change password, etc.) and amend the situation. The Directory Server plug-in that is used to change passwords now returns a proper error message if the ipa passwd command fails.
When an Identity Management server is installed with a custom hostname which is not properly resolvable in DNS, an IP address for the custom hostname is requested from the user. Next, a host record is added to the /etc/hosts file so that the custom hostname is resolvable and the installation can continue. However, previously, the record was not added when the IP address was passed using the --ip-address option. As a result, installation failed because subsequent steps could not resolve the machine's IP address. With this update, a host record is added to /etc/hosts even when the IP address is passed via the --ip-address option, and the installation process continues as expected.
Identity Management could not be installed on a server with a custom LDAP server instance even though the LDAP server instance runs on a custom port and therefore does not conflict with Identity Management. As a result, users could not deploy custom LDAP instances on a system with Identity Management. With this update, Identity Management no longer enforces that no LDAP instances exist. Instead, it checks that reserved LDAP ports (389 and 636) are free. Users can combine an Identity Management server with custom LDAP server instances as long as they run on custom ports.
When the Kerberos single sign-on to the Identity Management Web UI failed, the Web UI did not fall back to the login and password authentication. Workstations outside of the Identity Management Kerberos realm, or with incompatible browsers, could not access the Web UI unless a fallback from Kerberos authentication to login and password authentication was configured on the Identity Management web server. The Web UI is now able to fall back to form based authentication when Kerberos authentication cannot be used.
The force-sync, re-initialize, and del sub-commands of the ipa-replica-manage command failed when used against a winsync agreement on an Active Directory machine, limiting the user's ability to control winsync replication agreements. With this update, the ipa-replica-manage was fixed to manage both standard replication agreement and winsync agreements in a more robust way.
The Identity Management installer did not process the host IP address properly when the --no-host-dns option was passed. When a hostname was not resolvable and the --no-host-dns option was used, the ipa-replica-install utility failed during the installation and did not amend the hostname resolution in the same way as the ipa-server-install utility does. With this update, ipa-server-install and ipa-replica-install now share host IP address processing, and both add a record to the /etc/hosts file when the server or replica hostname is not resolvable.
The Identity Management server installation script did not properly handle situations when a server had 2 IP addresses assigned, and failed to proceed with the installation. This update fixes the installation script, and installing the Identity Management server in a dual-NIC configuration works as expected.
When Identity Management is installed with the --external-ca option, the installation is divided in two stages. The second stage of the installation process reads configuration options from a file stored by the first stage. Previously, the installer did not properly store a value with the DNS forwarder IP address, which was then misread by the second stage of the installation process, and name server configuration in the second stage of the installation failed. With this update, the forwarder option is correctly stored, and installation works as expected.
Prior to this update, the Identity Management netgroup plug-in did not validate netgroup names. Consequently, a netgroup with an invalid name could be stored in an LDAP server which could then crash when the invalid value was processed by the NIS plug-in. The Identity Management netgroup plug-in now enforces stricter validation of netgroup names.
Certain Identity Management replica agreements ignored a list of attributes that should have been excluded from replication. Identity Management attributes that are generated locally on each master by the LDAP server plug-in (in this case, the memberOf attribute) were being replicated. This forced all Identity Management replicas' LDAP servers to re-process the memberOf data and increase the load on the LDAP servers. When many entries were added to a replica in a short period of time, or when a replica was being re-initialized from another master, all replicas were flooded with memberOf changes, which caused high load on all replica machines and caused performance issues. New replica agreements, added by the ipa-replica-install utility, no longer ignore lists of attributes excluded from replication. Re-initialization or a high number of added entries in an Identity Management LDAP server no longer causes performance issues caused by memberOf processing. Old replica agreements have also been updated to contain the correct list of attributes excluded from replication.
The ipa automountmap-add-indirect command creates a new map and adds a key to the parent map (auto.master by default) which references the new indirect map. Because map nesting is only allowed in the auto.master map, a submount map referenced in other maps needs to follow a standard submount format (that is, <key> <origin> <mapname>) so that the referenced map is correctly loaded from LDAP. However, the automountmap-add-indirect sub-command did not follow this distinction and the <origin> and <mapname> attributes were not filled correctly. Therefore, submount maps referenced in a non-auto.master map were not recognized as automount maps by the autofs client software, and were not mounted. Submount maps referenced in a map that is not an auto.master map now follow a standard submount format, with the correct <key>, <origin> (-fstype=autofs), and <mapname> (ldap:$MAP_NAME). autofs client software is now able to correctly process submount maps both in auto.master and in other maps, and mount them.
Prior to this update, the Identity Management user plug-in used a hard-coded default value for user's home directory instead of using the value that was configured. When an administrator changed the default user home directory in the Identity Management config plug-in from the default value to a custom value, this value was not honored when a user was added. This update fixes this bug, and when a new user is created without a custom home directory specified via a special option, the default configured home directory is used.
The Identity Management certificate template did not include a subjectKeyIdentifier field even though it is marked with the SHOULD keyword in the RFC 3280 document. Because of this, certain applications processing these certificates could report errors. With this update, the certificate template for both current and new IPA server installations now contain the subjectKeyIdentifier field.
Identity Management host and DNS plug-ins did not properly process hostnames or DNS zone names with a trailing dot. Consequently, the created host record FQDN attribute contained two values instead of one normalized value. This may have caused issues in further host record processing. With this update, all hostnames are normalized using a format without a trailing dot. The Identity Management DNS plug-in now accepts DNS zone names in both formats — with and without a trailing dot.
Previously, CSVs were split in both CLI and server part of Identity Management processing. As a result, values which contained escaped comma characters were incorrectly split for the second time. With this update, CSV processing is done only in the client interface. Identity Management RPC interfaces (both XML-RPC and JSON-RPC) no longer process CSVs. Comma escaping was also replaced with quoting.
The Identity Management server uninstall process removed system users that were added as a part of an Identity Management installation. This included dirsrv or pkiuser users, which the Directory Server uses to run its instances. These users also own log files produced by the Directory Server. If an Identity Management server was installed again, and the newly added system users' UIDs changed, the Directory Server could fail to start because the Directory Server instance was not permitted to write to the log files owned by the old system users with different UIDs. With this update, system users generated by an Identity Management server installation are no longer removed during the uninstall process.
Identity Management plug-ins for LDAP ACI management (permission, selfservice, and delegation plug-ins) did not process their options in a robust way and had a relaxed validation of passed values. ACI management plug-ins could return Internal Errors when empty options or the --raw option were passed. An Internal Error was also returned when an invalid attribute was passed to the ACI attribute list option. Option processing is now more robust and more strict in validation. Proper errors are now returned when invalid or empty option values are passed.
Objects which have an enabled/disabled state (that is, user accounts, sudo rules, HBAC rules, SELinux policies) were not distinguished in related search pages in the Web UI. Lines containing disabled objects are now grayed out in the search pages, and enabled columns have a different icon for each state.
An Identity Management certificate did not read a custom user certificate subject base when validating a new certificate issuer. When an Identity Management server is installed with a custom subject base, and does not use the default subject base, issuing new certificates in the Identity Management Certificate Authority may return invalid issuer errors. With this update, a custom user certificate subject base is always read before the certificate issuer is validated, and the aforementioned errors are no longer returned when certificates are issued.
Clicking Cancel in an error dialog in the Web UI when an unexpected error, such as an internal server error, was received made the Web UI unusable because the error message replaced the page content. With this update, error messages have their own containers, which fixes the aforementioned issue.
Identity Management did not configure its Directory Server instance to always keep its RootDSE available anonymously and decrypted. As a consequence, when a user changed the nsslapd-minssf attribute in the Directory Server instance configuration to increase security demands on the connection to the instance, some applications (for example, SSSD) may have stopped working as they could no longer read RootDSE anonymously. To fix this issue, Identity Management now sets the nsslapd-minssf-exclude-rootdse option in the Directory Server instance configuration. Users and applications can access RootDSE in an Identity Management Directory Server instance anonymously even when the instance is configured with increased security demands on incoming connections.
Previously, the Netgroup page in the Web UI did not have input fields for specifying all options. With this update, the entire Netgroup page has been redesigned to add this functionality.
Identity Management DNS plug-in did not validate the contents of DNS records. Some DNS record types (for example, MX, LOC, or SRV) have a complex data structure which needs to be stored, otherwise the record is not resolvable. Relaxed DNS plug-in validation let users create invalid records which then could not be resolved even though they were stored in LDAP. With this update, every DNS record type (except the experimental A6 DNS record type) is now validated with respect to a relevant RFC document. The validation covers most common user errors and also provides the user with guidance on why the entered record is invalid. Users are also able to create more complex DNS records without detailed knowledge of their structure as the improved DNS plug-in interface provides guidance when creating DNS records. Also, the DNS plug-in does not let users enter invalid records any more.



For a list of major features that were added by this update, refer to Red Hat Enterprise Linux 6.3 Release Notes.
When the number of failed login attempts exceeds the maximum that is configured, the account is locked. However, an investigation of the lock-out status of a particular user was difficult as the number of failed login attempts was not replicated. Identity Management now includes a new ipa user-status command that provides the number of failed login attempts on all configured replicas along with the time of the last successful or failed login attempt.
When a new user is added, a User Private Group (UPG) is created and assigned as that user's primary group by default. However, there may be use cases when an administrator wants to use a common group assigned as a primary group for all users. The Directory Server plug-in that handles the creation of UPGs can now be disabled with a new utility — ipa-managed-entries. This utility lets administrators disable automatic creation of UPGs, and allows all new users to share a common group as their primary group.
When an Identity Management server is configured with DNS support, DNS zone dynamic update policy allows Identity Management clients to update a relevant DNS forward record if the client IP address changes. However, for security reasons, clients cannot be allowed to update their reverse records because they would be able to change any record in the reverse zone. With this update, an Identity Management DNS zone can be configured to allow automatic updates of client reverse records when the forward record is updated with the new IP address. As a result, both forward and reverse records for a client machine can be updated when the client IP address changes.
The Identity Management host plug-in did not allow storing of machine MAC addresses. Administrators could not assign MAC addresses to host entries in Identity Management. With this update, a new attribute for MAC addresses was added to the Identity Management host plug-in. Administrators can now assign a MAC address to a host entry. The value can then be read from the Identity Management LDAP server with, for example, the following command:
~]$ getent ethers <hostname>
When a forward DNS record was created, no corresponding reverse record was created even when both the forward and the reverse zone were managed by Identity Management. Users always had to create both the forward and the reverse records manually. With this update, both CLI and Web UI now have the option to automatically create a reverse record when an IPv4 or IPv6 forward record is created.
Prior to this update, all DNS records in an Identity Management Directory Server instance were publicly accessible. With a publicly accessible DNS tree in the Directory Server instance, anyone with access to the server could acquire all DNS data. This operation is normally restricted with access control rules. It is a common security practice to keep this information restricted to only a selected group of users. Therefore, with this update, the entire LDAP tree with DNS records is now accessible only to the LDAP driver which feeds the data to the name server, admin users, or users with a new permission called Read DNS Entries. As a result, only permitted users can now access all DNS records in Identity Management Directory Server instances.
The Identity Management server did not allow the creation of DNS zones with conditional forwarding, which lets the name server forward all zone requests to a custom forwarder. With this update, the Identity Management DNS plug-in allows users to create a DNS zone and set a conditional forwarder and a forwarding policy for that zone.
Support for SSH public key management was added to Identity Management server; OpenSSH on Identity Management clients is automatically configured to use the public keys stored on the Identity Management server. This feature is a Technology Preview.
The DNS page in the Web UI did not allow navigation from A or AAAA records to the related PTR records. This update adds a link which points to a related PTR record if it exists.
Users are advised to upgrade to these updated ipa packages, which fix these bugs and add these enhancements.