Updated ipa packages that fix multiple bugs and add two enhancements are now available for Red Hat Enterprise Linux 6.
Red Hat Identity Management is a centralized authentication, identity management, and authorization solution for both traditional and cloud-based enterprise environments. It integrates components of the Red Hat Directory Server, MIT Kerberos, Red Hat Certificate System, NTP, and DNS. It provides web browser and command-line interfaces. Its administration tools allow an administrator to quickly install, set up, and administer a group of domain controllers to meet the authentication and identity management requirements of large-scale Linux and UNIX deployments.
- Previously, the ipa-replica-install script tried to add the "A" and "PTR" records for the replica whenever the master managed Domain Name System (DNS). If the master did not manage the replica's zone, the error message "DNS zone not found" was returned, and the installation of the replica failed. With this update, the ipa-replica-install script handles this situation properly, and the replica installation now succeeds. Note that in this case the "A" and "PTR" records for the replica need to be added manually.
- Previously, installing an Identity Management Public Key Infrastructure (PKI) clone in Red Hat Enterprise Linux 7 required access to the /ca/ee/ca/profileSubmit URI on the Identity Management server it was replicating from. However, Identity Management in Red Hat Enterprise Linux 6 did not export this URI in the httpd proxy configuration. As a consequence, the installation of an Identity Management replica with the PKI component in Red Hat Enterprise Linux 7 failed when installed against a Red Hat Enterprise Linux 6 master. With this update, the /ca/ee/ca/profileSubmit URI has been added to the Red Hat Enterprise Linux 6 Identity Management proxy configuration, and a replica installation now succeeds in this scenario.
- Prior to this update, disabling a sudo rule did not trigger the removal of its entry from the sudo compat tree in Lightweight Directory Access Protocol (LDAP). Consequently, clients that read sudo rules from the compat tree still applied the disabled rules. This bug has been fixed: disabling a rule now also removes its compat tree entry, and the described problem no longer occurs.
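An administrator who wants to confirm the fix, or to audit a server that has not yet been updated, can compare the ipaSudoRule entries with what the compat tree exposes. The following is an added example and not code from the ipa packages: it reads two constructed ldapsearch -LLL outputs (the cn=sudorules,cn=sudo subtree and the ou=sudoers compat subtree; DNs, rule names and values are invented) and reports compat entries whose source rule is disabled or no longer exists.

```python
import base64

# Added example, not ipa project code. Compares the IPA sudo rules with the
# slapi-nis compat tree (ou=sudoers) that clients using a plain LDAP
# sudoers_base read, and reports compat entries whose rule is disabled or
# gone. Both LDIF documents below are constructed ldapsearch -LLL output.

RULES_LDIF = """\
dn: ipaUniqueID=1111,cn=sudorules,cn=sudo,dc=example,dc=com
cn: admins-all
ipaEnabledFlag: TRUE

dn: ipaUniqueID=2222,cn=sudorules,cn=sudo,dc=example,dc=com
cn: ops-restart
ipaEnabledFlag: FALSE

dn: ipaUniqueID=3333,cn=sudorules,cn=sudo,dc=example,dc=com
cn: dba-psql
description:: ZGF0YWJhc2UgYWRtaW5z
ipaEnabledFlag: TRUE
"""

COMPAT_LDIF = """\
dn: cn=admins-all,ou=sudoers,dc=example,dc=com
cn: admins-all
sudoUser: %admins
sudoCommand: ALL

dn: cn=ops-restart,ou=sudoers,dc=example,dc=com
cn: ops-restart
sudoUser: %ops
sudoCommand: /sbin/service

dn: cn=dba-psql,ou=sudoers,dc=example,dc=com
cn: dba-psql
description: database administrators may run psql as the
  postgres service account
sudoUser: %dba
sudoRunAsUser: postgres
sudoCommand: /usr/bin/psql

dn: cn=old-rule,ou=sudoers,dc=example,dc=com
cn: old-rule
sudoUser: alice
sudoCommand: ALL
"""

def _unfold(text):
    """Join LDIF continuation lines (leading space) onto the previous line."""
    lines = []
    for raw in text.splitlines():
        if raw.startswith(" ") and lines:
            lines[-1] += raw[1:]
        else:
            lines.append(raw)
    return lines

def parse_ldif(text):
    """Minimal LDIF reader: a list of {attribute: [values]} dicts, one per
    entry. Handles '::' base64 values and skips '#' comment lines."""
    entries, current = [], {}
    for line in _unfold(text) + [""]:
        if line.startswith("#"):
            continue
        if not line.strip():
            if current:
                entries.append(current)
            current = {}
            continue
        attr, _, value = line.partition(":")
        if value.startswith(":"):
            value = base64.b64decode(value[1:].strip()).decode("utf-8")
        else:
            value = value.strip()
        current.setdefault(attr, []).append(value)
    return entries

def enabled_rule_names(rules_ldif):
    """Names of the IPA sudo rules whose ipaEnabledFlag is TRUE."""
    return {e["cn"][0] for e in parse_ldif(rules_ldif)
            if e.get("ipaEnabledFlag", ["FALSE"])[0].upper() == "TRUE"}

def stale_compat_entries(rules_ldif, compat_ldif):
    """cn of compat entries that clients would still honour although the
    IPA rule behind them is disabled or no longer exists."""
    enabled = enabled_rule_names(rules_ldif)
    return [e["cn"][0] for e in parse_ldif(compat_ldif)
            if e["cn"][0] not in enabled]

if __name__ == "__main__":
    for name in stale_compat_entries(RULES_LDIF, COMPAT_LDIF):
        print("stale compat entry:", name)
```

On a live server the two LDIF inputs would come from ldapsearch against the sudo rules subtree and the compat subtree; an empty result from stale_compat_entries means every compat entry is backed by an enabled rule.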
- Previously, an Identity Management password policy was not applied to passwords changed using the Directory Manager or PassSync agent. As a consequence, the default expiration time (90 days) was always applied even if the Identity Management administrator had defined a different policy. The Identity Management Password Change Extended Operation Plug-in has been updated, and the password changes made by the Directory Manager or PassSync agent now respect the "max lifetime" field of the user password policy.
- Previously, an intermittent race condition occurred when the ipa-server-install utility tried to read the "preop.pin" value from the CS.cfg file before the pkicreate utility had written it to disk. As a consequence, the Identity Management server installation failed. With this update, ipa-server-install has been modified to anticipate this race condition. Now, when ipa-server-install is unable to read from CS.cfg, it waits until the file is written to disk or a timeout is reached. Additionally, these events are now properly logged in the installation log if they occur.
- Prior to this update, a bug in the Python readline module caused a stray escape sequence to be prepended to the output of the script that the certmonger utility uses to acquire renewed certificates on the Certification Authority (CA) clones. Consequently, certmonger failed to parse the output of the script and the certificate was not renewed. A patch has been provided to address this bug and certmonger is now able to successfully parse the output of the script and complete the certificate renewal.
- The ipa-client-automount utility uses the Remote Procedure Call (RPC) interface to validate the automount location. Previously, the RPC interface only allowed clients whose API version was earlier than or the same as the server API version to validate the automount location. As a consequence, running ipa-client-automount with a client whose API version was later than the server's failed with an incompatibility error message. With this update, ipa-client-automount has been modified to report a fixed API version in the RPC call and ipa-client-automount now runs successfully when the client API version is later than the server's.
- Previously, the ipa-replica-manage utility contained a bug in the re-initialize command causing the MemberOf task to fail with an error message under certain circumstances. Consequently, when the ipa-replica-manage re-initialize command was run for a Windows Synchronization (WinSync) replication agreement, it succeeded in the re-initialization part, but failed during execution of the MemberOf task which was run after the re-initialization part. The following error message was returned:
Update succeeded
Can't contact LDAP server
However, the error was harmless, as running the MemberOf task was not required in this case. A patch has been applied and the error message is no longer returned in the described scenario.
- In Identity Management in Red Hat Enterprise Linux 7, users can be added without a password policy explicitly defined in the "krbPwdPolicyReference" attribute of the user object. The User Lockout plug-in locks out users who authenticate or bind through the LDAP interface after a configured number of failed attempts. In Red Hat Enterprise Linux 7, the plug-in does not require this attribute to be present to apply the lockout policy correctly. Previously, the User Lockout plug-in in Red Hat Enterprise Linux 6 required this attribute to function properly. Consequently, the password lockout policy was not applied to users created in Identity Management in Red Hat Enterprise Linux 7 and replicated to Red Hat Enterprise Linux 6: such users had an unlimited number of authentication attempts on the LDAP interface. The User Lockout plug-in has been updated to handle users without a custom policy by falling back to the global password policy, and only the configured number of authentication attempts is now allowed to users on the LDAP interface.
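Both the PassSync/Directory Manager expiration bug above and this lockout bug come down to the same question: which password policy applies to a user whose entry carries no krbPwdPolicyReference. The following added example (not code from the ipa packages) models the corrected resolution, custom reference first, global policy otherwise, and shows the failure mode side by side: with the fallback disabled, a user replicated from a RHEL 7 master is never locked out no matter how many binds fail. Policy DNs, attribute values, user entries and the clock are all constructed; the pre-update plug-in behaviour is modelled with the fallback flag, not reproduced from its source.

```python
from datetime import datetime, timedelta, timezone

# Added example, not ipa project code. Models how the fixed User Lockout and
# password-change plug-ins resolve a user's effective password policy: the
# entry named in krbPwdPolicyReference if present, else the global policy.
# Policy values, user entries and the clock below are constructed.

GLOBAL_POLICY_DN = "cn=global_policy,cn=EXAMPLE.COM,cn=kerberos,dc=example,dc=com"
ADMIN_POLICY_DN = "cn=admins,cn=EXAMPLE.COM,cn=kerberos,dc=example,dc=com"

POLICIES = {
    GLOBAL_POLICY_DN: {
        "krbMaxPwdLife": 7776000,           # 90 days, the IPA default
        "krbPwdMaxFailure": 6,
        "krbPwdFailureCountInterval": 60,
        "krbPwdLockoutDuration": 600,
    },
    ADMIN_POLICY_DN: {
        "krbMaxPwdLife": 2592000,           # 30 days
        "krbPwdMaxFailure": 3,
        "krbPwdFailureCountInterval": 300,
        "krbPwdLockoutDuration": 3600,
    },
}

USERS = {
    "alice": {"krbPwdPolicyReference": ADMIN_POLICY_DN},
    "bob": {},   # added on a RHEL 7 master: no krbPwdPolicyReference at all
}

NOW = datetime(2014, 10, 14, 12, 0, tzinfo=timezone.utc)   # constructed clock

def at(seconds):
    """Instant `seconds` after NOW (helper for driving the model)."""
    return NOW + timedelta(seconds=seconds)

def effective_policy(user, policies, fallback=True):
    """Policy applied to `user`. fallback=False models the pre-update RHEL 6
    plug-in: no krbPwdPolicyReference means no policy at all."""
    ref = user.get("krbPwdPolicyReference")
    if ref is None:
        if not fallback:
            return None
        ref = GLOBAL_POLICY_DN
    return policies[ref]

def password_expiration(user, policies, changed_at):
    """krbPasswordExpiration for a password set at `changed_at`, using the
    policy's max lifetime rather than a hard-coded 90 days."""
    policy = effective_policy(user, policies)
    return changed_at + timedelta(seconds=policy["krbMaxPwdLife"])

def bind_attempt(user, policies, state, now, success, fallback=True):
    """Bookkeeping the User Lockout plug-in does for one LDAP bind.
    `state` carries krbLoginFailedCount / krbLastFailedAuth for the user.
    Returns True when the bind is refused because the account is locked."""
    policy = effective_policy(user, policies, fallback)
    if policy is None:
        return False                        # no policy resolved: never locks
    count = state.get("krbLoginFailedCount", 0)
    last = state.get("krbLastFailedAuth")
    if last is not None and count >= policy["krbPwdMaxFailure"]:
        if now < last + timedelta(seconds=policy["krbPwdLockoutDuration"]):
            return True                     # still inside the lockout window
        count = 0                           # lockout has expired
    elif last is not None and (now - last).total_seconds() > policy["krbPwdFailureCountInterval"]:
        count = 0                           # earlier failures no longer count
    if success:
        state["krbLoginFailedCount"] = 0
        return False
    state["krbLoginFailedCount"] = count + 1
    state["krbLastFailedAuth"] = now
    return False

if __name__ == "__main__":
    state = {}
    for i in range(6):
        bind_attempt(USERS["bob"], POLICIES, state, at(i), success=False)
    print("bob locked after 6 failures:", bind_attempt(USERS["bob"], POLICIES, state, at(6), success=True))
    print("bob password expires:", password_expiration(USERS["bob"], POLICIES, NOW))
```

The model keeps the lockout check ahead of the failure-interval reset on purpose: a locked account must stay locked for krbPwdLockoutDuration even though krbPwdFailureCountInterval, which only governs how far apart failures may be to still count together, is much shorter.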
- Previously, the DNS name validator in Identity Management did not allow slash characters in DNS names. As a consequence, it was not possible to add reverse zones in the classless form. With this update, the DNS name validators allow slash characters where necessary, so the classless in-addr.arpa delegation described in RFC 2317 is now supported.
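To make the classless case concrete, here is an added example (not the ipa project's validator): a DNS name validator that admits a single "/" inside a label only when explicitly allowed, as a reverse zone such as 0/26.2.0.192.in-addr.arpa. needs, together with a helper that derives the reverse zone name for an IPv4 network, classless for prefixes longer than /24. The network addresses used are documentation ranges chosen for the example.

```python
import ipaddress
import re

# Added example, not ipa project code. A DNS name validator that accepts the
# "/" label RFC 2317 uses for classless in-addr.arpa delegation only where it
# is asked to, plus a helper that derives the reverse zone name for a network.

_LABEL = re.compile(r"^[A-Za-z0-9]([A-Za-z0-9-]*[A-Za-z0-9])?$")

def valid_dns_name(name, allow_slash=False):
    """True if `name` is a syntactically valid DNS name. A label may contain
    one '/' (e.g. '0/26') only when allow_slash is set, which is what a
    classless reverse zone needs; the pre-update validator never allowed it."""
    name = name.rstrip(".")
    if not name or len(name) > 253:
        return False
    for label in name.split("."):
        parts = label.split("/")
        if len(parts) == 2 and not allow_slash:
            return False
        if len(parts) > 2 or len(label) > 63:
            return False
        if not all(_LABEL.match(part) for part in parts):
            return False
    return True

def reverse_zone(cidr):
    """Reverse zone name for an IPv4 network: the classic form for /8, /16
    and /24, the RFC 2317 classless form (e.g. 0/26.2.0.192.in-addr.arpa.)
    for longer prefixes. Other prefix lengths have no single reverse zone."""
    net = ipaddress.ip_network(cidr, strict=True)
    if net.version != 4 or (net.prefixlen <= 24 and net.prefixlen % 8):
        raise ValueError("no single reverse zone for %s" % cidr)
    octets = str(net.network_address).split(".")
    if net.prefixlen > 24:
        labels = ["%s/%d" % (octets[3], net.prefixlen)] + octets[2::-1]
    else:
        labels = octets[: net.prefixlen // 8][::-1]
    return ".".join(labels + ["in-addr.arpa"]) + "."

if __name__ == "__main__":
    zone = reverse_zone("192.0.2.0/26")
    print(zone, "old validator:", valid_dns_name(zone),
          "new validator:", valid_dns_name(zone, allow_slash=True))
```

Keeping allow_slash off by default matters: a slash is only legitimate in the owner name of a classless delegation, so a validator that accepted it everywhere would let slashes into ordinary host names and forward zones.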
- Prior to this update, Identity Management installers could call the ldapmodify utility without explicitly specifying the authentication method. Consequently, the installer could fail when the authentication method was set in the ldapmodify user configuration. This bug has been fixed, the installer now always calls ldapmodify with the authentication method explicitly specified, and the described problem no longer occurs.
- Previously, when a Red Hat Enterprise Linux 6 master was being installed or upgraded, an extra default value was added to the "nsDS5ReplicaId" attribute of the LDAP entry "cn=replication,cn=etc". In Red Hat Enterprise Linux 7, Identity Management uses a stricter validation, which prevents installing a replica on such a system. As a consequence, after a Red Hat Enterprise Linux 6 master was installed or upgraded on a system with more than one master, installing a Red Hat Enterprise Linux 7 replica failed. This bug has been fixed, the extra value is no longer added, and Red Hat Enterprise Linux 7 replicas can be installed successfully in this scenario.
- The Identity Management administration framework API performs two checks on the server side to verify that a request on its API can be passed on:
  - A check that the client API version is not higher than the server API version. If it is, the request is rejected.
  - A check that the client API request does not use an attribute or parameter unknown to the server. If it does, the request is rejected.
Prior to this update, the Identity Management server performed the checks in the wrong order: first the attribute and parameter check, then the API version check. As a consequence, when a client (for example, Red Hat Enterprise Linux 6.5) ran the ipa administration utility against a server with an earlier operating system (for instance, Red Hat Enterprise Linux 6.4), the command returned a confusing error message: instead of reporting the API incompatibility, it reported an unknown option. This bug has been fixed, the checks on the server are now performed in the correct order, and the correct error message is displayed in this scenario.
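The same version check is what the ipa-client-automount fix above works around by reporting a fixed API version. The following added example (not code from the ipa packages) models both points: a dispatcher that runs the two checks in either order, so the confusing "unknown option" message from the old order can be seen next to the correct VersionError, and an automount request that pins the version it reports. The server version, the command option sets, the request contents and the pinned value "2.0" are all assumptions made for the example, not the values the real utilities use.

```python
# Added example, not ipa project code. Models the two server-side request
# checks and shows why the version check must run first, plus a client that
# reports a fixed API version the way ipa-client-automount does after this
# update. Version numbers and option sets are constructed; the pinned
# version "2.0" is an assumption, not the value the utility actually sends.

SERVER_API_VERSION = "2.65"

# Options each server-side command knows (constructed subsets).
COMMANDS = {
    "user_add": {"uid", "givenname", "sn", "version"},
    "automountlocation_show": {"cn", "version"},
}

def _vtuple(version):
    return tuple(int(part) for part in version.split("."))

def check_version(request):
    """Reject a client whose API version is newer than the server's."""
    client = request["params"].get("version", "0")
    if _vtuple(client) > _vtuple(SERVER_API_VERSION):
        return ("VersionError: client API version %s is newer than server "
                "API version %s" % (client, SERVER_API_VERSION))
    return None

def check_params(request):
    """Reject a request that uses an option the server does not know."""
    known = COMMANDS.get(request["method"])
    if known is None:
        return "CommandError: unknown command '%s'" % request["method"]
    unknown = sorted(set(request["params"]) - known)
    if unknown:
        return "OptionError: unknown option '%s'" % unknown[0]
    return None

def dispatch(request, version_first=True):
    """Run both checks in the given order; return 'ok' or the first error.
    version_first=False reproduces the pre-update (wrong) order."""
    checks = (check_version, check_params) if version_first else (check_params, check_version)
    for check in checks:
        error = check(request)
        if error:
            return error
    return "ok"

def automount_location_request(location, client_api_version, pin_version=True):
    """Request ipa-client-automount makes to validate its location. With
    pin_version it reports a fixed version ("2.0", assumed) instead of the
    client's own, so a client newer than the server is no longer rejected."""
    version = "2.0" if pin_version else client_api_version
    return {"method": "automountlocation_show",
            "params": {"cn": location, "version": version}}

# A newer client adding a user with an option the older server does not know.
NEWER_CLIENT_REQUEST = {
    "method": "user_add",
    "params": {"uid": "alice", "givenname": "Alice", "sn": "Doe",
               "userclass": "staff", "version": "2.70"},
}

if __name__ == "__main__":
    print("old order:", dispatch(NEWER_CLIENT_REQUEST, version_first=False))
    print("new order:", dispatch(NEWER_CLIENT_REQUEST))
    print("automount, own version:", dispatch(automount_location_request("default", "2.99", pin_version=False)))
    print("automount, pinned:", dispatch(automount_location_request("default", "2.99")))
```

With the old order the server never gets to say that the client is too new; the first unknown option wins and the operator is sent looking for a typo instead of a version mismatch.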
- Automated configuration of the sudo command has been added to the ipa-client-install utility. By default, ipa-client-install now configures sudo on Identity Management clients by leveraging the newly added ipa provider in the sssd utility.
- A set of Apache modules has been added to Red Hat Enterprise Linux 6.6 as a Technology Preview. The Apache modules can be used by external applications to achieve tighter interaction with Identity Management beyond simple authentication.
Users of ipa are advised to upgrade to these updated packages, which fix these bugs and add these enhancements.