Updated ipa packages that fix one security issue, several bugs and add various enhancements are now available for Red Hat Enterprise Linux 6.
The Red Hat Security Response Team has rated this update as having low security impact. Common Vulnerability Scoring System (CVSS) base scores, which give detailed severity ratings, are available for each vulnerability from the CVE links associated with each description below.
Red Hat Identity Management is a centralized authentication, identity management and authorization solution for both traditional and cloud-based enterprise environments. It integrates components of the Red Hat Directory Server, MIT Kerberos, Red Hat Certificate System, NTP, and DNS. It provides web browser and command-line interfaces. Its administration tools allow an administrator to quickly install, set up, and administer a group of domain controllers to meet the authentication and identity management requirements of large-scale Linux and UNIX deployments.
The ipa packages have been upgraded to upstream version 3.0.0, which provides a number of bug fixes and enhancements over the previous version. (BZ#827602)
- It was found that the current default configuration of IPA servers did not publish correct CRLs (Certificate Revocation Lists). The default configuration specifies that every replica is to generate its own CRL, however this can result in inconsistencies in the CRL contents provided to clients from different Identity Management replicas. More specifically, if a certificate is revoked on one Identity Management replica, it will not show up on another Identity Management replica.
- When a master was removed from a replicated environment via the "ipa-replica-manage del" command, the metadata for that master was still contained in the other servers, thus the Directory Server replication plug-in produced warnings about the outdated metadata. Now, the Directory Server CLEANALLRUV task is triggered to handle outdated metadata in the whole replicated Directory Server environment and deleting an Identity Management replica no longer causes problems.
- When the "ipactl" command was used to start Identity Management, it waited only 6 seconds for the Directory Server to start and when the Directory Server did not start in time, the start procedure was aborted. A higher default start up wait value was added. A configurable value, "startup_timeout", can be added to /etc/ipa/default.conf or /etc/ipa/server.conf files when the default value of 120 seconds is not sufficient to start the Directory Server.
- Previously, DNS records could not be renamed and administrators had to re-enter all DNS records under certain names when the name changed. Now, rename operations for DNS records names and the rename option in the Identity Management CLI interface are able to rename a DNS name and all of its records to other names within the same zone.
- Before, when installing Identity Management, there was an option to choose a certificate subject base with a Common Name (CN) as one component. However, it is illegal to have more than one CN attribute in a certificate subject. This caused the Identity Management installation to fail. Now, the CN attribute in a subject base option is no longer allowed, administrators are warned when they choose an incorrect certificate subject base and Identity Management installs properly.
- The Identity Management Certificate Authority component did not accept Directory Manager passwords which were set to a non-ASCII control character, "&" or "\". Use of these characters in passwords caused a malformed XML error and the Identity Management installation failed when such characters were a part of the Directory Manager password. Currently, these characters are not allowed in the Identity Management installer and IdM installs successfully.
- The Identity Management server or client used programs from the policycoreutils package when SELinux was enabled. However, the installers did not check if the package was actually installed. This caused the Identity Management installation to terminate with a python backtrace when SELinux was enabled and the policycoreutils package was not installed on a system. Currently, the Identity Management installers no longer fail when SELinux is enabled and the policycoreutils package is missing, but, instead, ask the administrator to install it first.
- The "ipa" command or Identity Management installers forced a set of address families (IPv4, IPv6) when a network connection was established, instead of letting the system choose the right address family for the new connection. In some cases this caused the connection, command or installer to fail, or the connection to take longer than normal. Automatic address family detection has been implemented and is now respected, with the result that network connections established with an "ipa" command are faster and less vulnerable to errors caused by non-common network settings.
- Identity Management DNS modules used a "pull" model for updating DNS records provisioned to the BIND name server by a bind-dyndb-ldap plug-in. When a DNS zone LDAP entry or DNS records present in bind-dyndb-ldap cache were changed via Identity Management CLI or Web UI, the update was not provisioned to the BIND nameserver until a zone was checked with a periodic poll or the DNS record in the cache expired. Now, persistent search is enabled by default for new Identity Management installations and for running Identity Management server instances. A change to the DNS zone LDAP entry or to the DNS record that is already cached by bind-dydnb-ldap is instantly provisioned to the BIND name server and thus resolvable.
- The default value of the Directory Server in-memory entry cache was configured to a lower value than the size of an administrator's deployment, which caused the Directory Server to underperform. Now, the Identity Management package requires an updated version of the Directory Server, which warns administrators when the in-memory cache is too small and allows administrators to adjust the value appropriate to ratio of deployment.
- When users were migrated from the remote Directory Server, entries in the Identity Management Directory Server did not have complete Kerberos data needed for Kerberos authentication, even though the users passed the Identity Management password migration page. The migrated Identity Management user was not able to authenticate via Identity Management until the password was manually reset. Currently, the Kerberos authentication data generates properly during the migration process and users can successfully access Identity Management.
- The Identity Management Kerberos data back end did not support an option to control automatic user log-on attributes, which were updated with every authentication. Administrators with large deployments and high numbers of authentication events in their Identity Management realm could not disable these automatic updates to avoid numerous Directory Server modification and replication events. Now, users can utilize options in Identity Management to customize automatic Kerberos authentication attribute updates.
- Previously, Identity Management enforced lowercase letters for all user IDs which caused some operations, such as password changes, to fail when the user ID was uppercase. Also, the WinSync agreement with Active Directory replicated such user information into the Identity Management database. Currently, the Identity Management WinSync plug-in can convert user names and Kerberos principal user parts to lowercase, and passwords replicated from Active Directory via the Winsync agreement can now be changed.
- When Identity Management replicas were deleted using the "ipa-replica-manage" command, the script did not verify if the deletion would orphan other Identity Management replicas. Users unaware of the Identity Management replication graph structure might accidentally delete a replica forcing them to reinstall the orphaned replicas. Now, the "ipa-replica-manage" command will not allow users to delete a remote replica if such operation would orphan a replica with a replication agreement.
- Identity Management Web UI was not fully compatible with the Microsoft Internet Explorer browser, which caused glitches when working with the Identity Management administration interface. Identity Management Web UI is now compatible with Microsoft Internet Explorer versions 9 or later and glitches no longer occur when working with the Web UI.
- Several attributes in the Identity Manager Directory Server that are used to store links to other objects in the directory were not added to the Directory Server Referential Integrity plug-in configuration. When a referred object was deleted or renamed it caused some links to break in the affected attribute and made them point to an invalid object. This update adds all attributes storing links to other objects to the Referential Integrity plug-in configuration, which are updated when the referred object is deleted or renamed.
- The Identity Management Web UI Administrator interface was not enabled for users who were indirect members of administrative roles. These users were not able to perform administrative tasks in the Web UI. Presently, indirect members of administrative roles can use the Web UI Administrator interface and are able to perform administrative tasks within the Identity Management Web UI.
- Normally, Identity Management SSH capabilities allow storage of public user or host SSH keys, but the keys did not accept the OpenSSH-style public key format. This caused Identity Management to estimate public key type based on the public key blob, which could have caused an issue in the future with new public key types. Now, Identity Management stores SSH public keys in extended OpenSSH format and SSH public keys now contain all required parts, making the functionality acceptable in more deployments.
- Previously, Identity Management Web UI used a jQuery library to raise errors when processing Directory Server records with some strings, for example, sudo commands with the "??" string in the name, which, in turn, caused the Web UI to be unable to show, modify or add such records. With this jQuery library update, Identity Management Web UI no longer reports errors for these strings and processes them normally.
- The Identity Management "dnszone-add" command accepts the "--name-server" option specifying a host name of the primary name server resolving the zone. The option considered all host names as fully qualified domain names (FQDN) even though they were not FQDN, for example, name server "ns.example.com." for zone example.com and were relative to the zone name, such as, name server "ns" for zone "example.com." Users were not able to specify the name server in the relative name format when using the Identity Management "dnszone-add" command. Presently, Identity Management detects the name server format correctly and the "dnszone-add" command can process both relative and fully qualified domain names.
- After upgrading to Red Hat Identity Management 2.2, it was not possible to add SSH public keys in the Web UI. However, SSH public keys could be added on the command line by running the "ipa user-mod user --sshpubkey" command. This update allows SSH public keys to be added in the Web UI normally.
- Previously, the IPA automatic certificate renewal, in some cases, did not function properly and some certificates were not renewed while other certificates with the same "Not After" values were renewed. Certmonger is now updated, users can serialize access to the NSS databases to prevent corruption and do not have to renew and restart all the services at the same time.
- A 389-ds-base variable set during the PKI install "nsslapd-maxbersize" was not dynamically initialized and a restart was required for it to take effect. This caused installation to fail during the replication phase when building a replica from a PKI-CA master with a large CRL. This update includes an LDIF file (/usr/share/pki/ca/conf/database.ldif) to set the default maxbersize to a larger value and allows PKI-CA Replica Installs when CRL exceeds the default maxber value.
- Previously, on new IPA server installations, the root CA certificate lifetime was only valid for 8 years and users had to renew the certificate after it expired, which caused some inconvenience. This issue was fixed in Dogtag and this update increases the FreeIPA root CA validity to 20 years.
- The "ipa-replica-install" command sometimes failed to add the idnsSOAserial attribute for a new zone and in some cases, zones were added, but with missing data and did not replicate back to the master. With this update, the idnsSOAserial attribute sets properly and synchronizes across all servers and zones are added correctly.
- The "ipa-replica-prepare" command failed when a reverse zone did not have SOA serial data and reported a traceback error, which was difficult to read, when the problem occurred. Now, the "ipa-replica-prepare" command functions properly and if SOA serial data is missing, returns a more concise error message.
- When either dirsrv or krb5kdc were down, the "service named restart" command in the ipa-upgradeconfig failed during the upgrade of the ipa packages. With this update, the "service named restart" command functions normally and installation no longer fails during upgrades.
- Previously, the IPA install on a server with no IPv4 address failed with a "Can't contact LDAP server" error. With this update, both the server and replica install correctly and error messages no longer occur.
- Users who upgraded from IPA version 2.2 to version 3.0 encountered certmonger errors and the update failed with the error message, "certmonger failed to start tracking certificate." With this update, IPA 2.2 properly upgrades to version 3.0 without any errors.
- Before, users were unable to install the ipa-server-trust-ad package on a 32-bit platform and when doing so received the error message "Unable to read consumer identity." This update provides fixes in the spec file, and the package now installs properly on 32-bit platforms.
- This update introduces SELinux User Mapping rules which can be used in Identity Management in conjunction with HBAC rules to define the users, groups and hosts to which the rules apply.
- Support for SSH public key management added to the IPA server and OpenSSH on IPA clients is automatically configured to use the public keys stored on the IPA server. Now, when a host enrolled in Identity Management connects to another enrolled host, the SSH public key is verified in the central Identity Management storage.
- The Cross Realm Kerberos Trust functionality provided by Identity Management is included as a Technology Preview. This feature allows users to create a trust relationship between an Identity Management and an Active Directory domain. Users from the Active Directory domain can access resources and services from the Identity Management domain with their AD credentials and data does not need to be synchronized between the Identity Management and Active Directory domain controllers.
- An automated solution to configure automount on clients for automount maps configured in the central Identity Management server was added. After an Identity Management client has been configured, administrators may use the provided ipa-client-automount script to configure client hosts to use automount maps configured in the Identity Management server.
- Users using the Identity Management Web UI were previously forced to log in to client machines enrolled in Identity Management in order to update a password that had expired or been reset. With this update, users are able to more conveniently change an expired or reset password from the Web UI itself.
- This update allows the ipa-client-install interface to accept prioritization of IPA servers that clients connect to. Previously, administrators could not configure a prioritized IPA server that SSSD should connect to before connecting to other servers which were potentially returned in a SRV DNS query. Now, when a new option "--fixed-primary" is passed to the "ipa-client-install" command, the discovered or user-provided server is configured as the first value in the ipa_server directive in the "/etc/sssd/sssd.conf" file. Thus, SSSD will always try to connect to this host first.
- This enchancement allows MAC address attributes for host entries in Identity Management and publishes them in the Identity Management NIS server. Users can utilize the "--macaddress" option to configure MAC addresses for an Identity Management host entry and, when NIS is enabled, MAC address can be read by an ethers map.
- Each ipa command line request previously required full and time-consuming Kerberos authentication, particularly when a series of commands were scripted. This update enhances the command line to take advantage of server-side sessions using a secure cookie, which provides a significant performance improvement due to avoidance of full Kerberos authentication for each ipa command. The session cookie is stored in the session keyring; refer to the keyctl(1) man page for more information about the key management facility.
- This update introduces Web UI and CLI "Create Password Policy" entry labels and specifies measurement units, for example, "seconds" for all configured policy fields. Previously, missing measurement units in the Identity Management Web UI or CLI "Create Password Policy" might have confused some users. Now, all missing measurement units are specified in configured policy fields.
- This update allows administrators to delegate write privileges to a selected zone only, whereas, when administrators wanted to delegate privileges to update the DNS zone to other Identity Management users, they had to allow write access to the entire DNS tree. Now, administrators can use the "dnszone-add-permission" command to create a system permission allowing its assignee to read and write only a selected DNS zone managed by Identity Management.
- Prior to this update, administrators could not configure a slave DNS server because it could not function properly unless an SOA serial number was changed every time a DNS record was changed. With this update, SOA serial numbers are automatically increased when a record in a DNS zone managed by Identity Management is updated. This feature takes advantage of and requires the persistent search data refresh mechanism, which is enabled by default in the Identity Management server install script. Administrators can now configure a slave DNS server for zones managed by Identity Management.
- This update prevents deletion of the last administrator, because administrators could accidentally delete the last user from the Identity Management Administrators group, which could only be repaired with direct LDAP modification by the Directory Manager. Now, Identity Management does not allow administrators to delete or disable the last member in the administrator group and Identity Management always has at least one active administrator.
- This enhancement warns users in the Identity Management Web UI when their password is about to expire. When the Identity Management user password is about to expire in a configurable number of days, the user is notified in the Identity Management Web UI about this and is offered a link to reset the password.
- The Identity Management Firefox browser configuration script now checks if the browser is configured to send Referrer header in HTTP requests for Identity Management. Previously, Firefox browsers which did not have the "network.http.sendRefererHeader" configuration option set to "True" would fail to connect to the Identity Management Web UI, even though they ran the configuration script. Presently, the configuration option is set correctly and the Firefox browser can connect to the Web UI.
- This enhancement allows Identity Management client installer to accept a fixed set of Identity Management servers and circumvent automatic server discovery via DNS SRV records. Some network environments may contain SRV records which are not suitable for Identity Management client and should not be used by the client at all. The "--fixed-primary" option of ipa-client-install can now be used to configure SSSD to not use DNS SRV records to auto-discover Identity Management servers and the client install script now accepts a fixed list of Identity Management servers which is then passed to SSSD.
- This update introduces an auto-renew of Identity Management Subsystem Certificates. The default validity period for a new Certificate Authority is 10 years and the CA issues a number of certificates for its subsystems (OCSP, audit log, and others). Subsystem certificates are normally valid for two years and if the certificates expire, the CA does not start up or does not function properly. Therefore, in Red Hat Enterprise Linux 6.4, Identity Management servers are capable of automatically renewing their subsystem certificates and the subsystem certificates are tracked by certmonger, which automatically attempts to renew the certificates before they expire.
Users of ipa are advised to upgrade to these updated packages, which address this security issue, fix these bugs and add these enhancements.