4.94. ipa

Security Fix

CVE-2011-3636

A Cross-Site Request Forgery (CSRF) flaw was found in Red Hat Identity Management. If a remote attacker could trick a user, who was logged into the management web interface, into visiting a specially-crafted URL, the attacker could perform Red Hat Identity Management configuration changes with the privileges of the logged in user.

Due to the changes required to fix CVE-2011-3636, client tools will need to be updated for client systems to communicate with updated Red Hat Identity Management servers. New client systems will need to have the updated ipa-client package installed to be enrolled. Already enrolled client systems will need to have the updated certmonger package installed to be able to renew their system certificate. Note that system certificates are valid for two years by default.

Updated ipa-client and certmonger packages for Red Hat Enterprise Linux 6 were released as part of Red Hat Enterprise Linux 6.2. Future updates will provide updated packages for Red Hat Enterprise Linux 5.

Bug Fixes

BZ#705800

When installation of Identity Management clients failed, the debugging information shown in the /var/log/ipaclient-install.log file did not provide enough information to determine the cause of the failure. With this update, the /var/log/ipaclient-install.log file contains improved debugging messages that make it easier to debug a possible installation failure.

BZ#705794

The Identity Management services were not started after a reboot when the server was installed with the ipa-replica-install command. With this update, after an installation of a replica with ipa-replica-install, the ipa service is enabled using the chkconfig utility so that the Identity Management services are started and available after a reboot.

BZ#704012

Prior to this update, installing an Identity Management replica in a new IP subnet with an Identity Management-controlled DNS server failed. With this update, such operation no longer fails, although, the bind service needs to be restarted when a new reverse zone is added over LDAP.

BZ#703869

Previously, Identity Management replication installations were missing configuration for managed entries. As a consequence, user-private groups and netgroups were not created for host groups if they were created on the replica. This update adds the missing configuration, and user and host group creation work as expected.

BZ#723662

Prior to this update, GSSAPI credential delegation was disabled in the curl utility due to a security issue. As a result, applications that rely on delegation did not work properly. This update utilizes a new constructor argument in the xmlrpc-c client API to set the new CURLOPT_GSSAPI_DELEGATION curl option. This option enables the credential delegation, thus fixing this bug.

BZ#698421

An Identity Management replica would occasionally fail to install while trying to initialize replication with the remote Identity Management server. With this update, the memberOf attribute is rebuilt during installation, thus fixing this issue. Note that the 389 Directory Server (389-ds) may crash if it is restarted while this task is running. Wait for this task to complete before requesting a restart.

BZ#743253

For NIS compatibility reasons, when a host group is created, a net group with the same name is created as well. However, when a host group is created, it was not checked whether there was a net group with the same name already existent. As a consequence, the host group was created, but the net group could not be created and the user was not notified of this. With this update, when a new host group is created, the Identity Management server checks whether a net group with the specified name exists already. If there is such a group, the operation is denied.

BZ#743936

Prior to this update, the Identity Management web user interface loaded the entire Identity Management API name space when it was being started. As a result, JSON requests returned large amount of data, which caused certain browsers to report the script stack space quota is exhausted message and prevent a user from accessing the Web UI. This update split the Web UI initialization to several smaller calls. Browsers no longer report errors and the Web UI works as expected.

BZ#719656

Running the ipa-nis-manage command disabled the NIS listener and also removed the netgroup compatibility suffix. If NIS was disabled, the automatic creation of net groups was disabled as well. Thus, creating a host group would fail to automatically create a net group. With this update, disabling NIS has no effect on the automatic creation of net groups when host groups are created.

BZ#725433

Adding an indirect automount map to a mount point that already exists returned an error, but created the map anyway. As a result, the map could not be removed with Identity Management tools. With this update, the addition of an indirect map requires the creation of a key to store the mount point. If the addition of a map fails because the key already exists, the map is removed.

BZ#744264

Prior to this update, the Web UI Password Policy interface was missing some of the password policy fields that are present in the command line version (specifically, Max failures, Failure reset interval, Lockout duration, and Priority). As a result, users could not set these parameters via the Web UI and had to use the CLI version. This update adds all the missing Password Policy fields to the Web UI.

BZ#696193

When an Identity Management server A was using a KDC on Identity Management server B, and server B does down, on server A it looked as if server B was still operational. This caused clients to fail to enroll. With this update, the underlying source code has been modified to address this issue, and client enrollment works as expected.

BZ#742327

Permission objects related to DNS were improperly formatted and added before the relevant DNS privileges (that they were members of) were added to LDAP. DNS related permissions contain just limited information. Additionally, the privilege objects, which they were members of, lacked memberof LDAP attributes pointing back to the permissions. Thus, a user could get an incorrect list of permissions that were members of a DNS related privilege. With this update, permission objects formatting has been fixed and the missing memberof LDAP attributes in the relevant DNS privileges are properly added. Users now get a valid list of permissions (containing all the needed information) when displaying a DNS related privilege.

BZ#691531

A certificate not signed by the Identity Management Certificate Authority (CA) imported into Identity Management could not be managed by Identity Management. Performing any operations on a service or a host that would cause Identity Management to attempt to revoke a certificate would fail (for example, disabling or deleting a host or service). With this update, certificates issued by other CAs cannot be imported into an Identity Management host or a service record. Disabling and deleting hosts and services works as expected and correctly revokes certificates.

BZ#741808

An LDAP object migrated using the migrate-ds command could contain a multi-valued RDN attribute. However, the migrate-ds process picked only the first value of the RDN attribute and did not respect the value that was present in the DN in the migrated LDAP object. With this update, the value that is used in the original LDAP object DN is used, rather than the first value of a multi-valued RDN. As a result, LDAP objects with a multi-valued RDN attribute are migrated without any errors.

BZ#741677

When the ipa-client-install was run with the --password option containing a bulk password for client enrollment, the password could be printed to Identity Management client install log in a plain-text format. This behavior has been fixed, and passwords are no longer logged in the install log file.

BZ#726943

By default, the Identity Management Web UI adds a redirect from the web root to /ipa/ui. This makes it look like no other web resources may be used. With this update, during the installation process, the --no-ui-redirect option can be used to disable the default Rewrite rule. This may also be commented out manually in the /etc/httpd/conf.d/ipa-rewrite.conf. As a result, the web server root can point to any specified place. However, /ipa must remain available to Identity Management.

BZ#745957

The Identity Management Web UI did not take into account when a non-admin user was a member of an administrative role, which has more privileges than just performing self-service actions. With this update, non-admin users with an administrative role are shown the full administrative tabset as expected.

BZ#746056

Identity Management Web UI did not allow addition of an external user (that is, user that is not managed by Identity Management) as a RunAs user for a Sudo rule. An external RunAs user could be added to a Sudo rule via the command line only. With this update, adding an external user as a RunAs user is possible in the Web UI.

BZ#726123

The automountkey-del command includes a --continue option which has no function and does not affect anything. With this update, the --continue has been hidden, and will be deprecated in the next major release.

BZ#723622

Prior to this update, the ipa-getkeytab command failed with Bind errors. If 32-bit packages were used on a 64-bit system, the 32-bit cyrus-sasl-gssapi package was required. This update adds architecture-specific Requires to the RPM spec file, and retrieving of keytabs no longer fails.

BZ#707009

Installing an Identity Management server signed by an external CA fails with the following error:

cannot concatenate 'str' and 'NoneType' objects

This was because the required information was not being passed so the installation failed when constructing the Kerberos principal name for the Dogtag 389-ds instance. This information is now provided by the installer, thus fixing this issue.

BZ#727282

In the Identity Management Web GUI, attempting to view a certificate of a host returned the unknown command u'show' error message. Users could only use the command-line to view host certificates. The certificate buttons including Get, View, Revoke, and Restore for hosts and services have been fixed to use the correct entity name, and viewing of certificates in the Web UI works as expected.

BZ#726526

The number of ports that needed to be open between Identity Management replicas was too high. Managing such a number of ports required planning because new rules were needed for each replication agreement. With this update, Dogtag is now proxied via the existing Apache web server on ports 80 and 443, which already need to be open. Ports 944[3-6] no longer need to be open in the firewall.

BZ#727921

It is possible to add a host group as a member of a net group; however, that relationship did not appear when viewing a host group. With this update, net group membership is displayed when viewing a host group.

BZ#726715

When importing automaster maps, the auto.direct mount mounted on /- was ignored because it was considered a duplicate. Consequently, direct maps needed to be added manually. This update adds an exception for the auto.direct map when importing so that its keys can be added, and importing direct maps works as expected.

BZ#728118

The output of adding or showing a sudo rule with a runAsGroup included a reference to a ipasudorunasgroup_group attribute, making the output unclear. A proper label was added for runAsGroup and the sudo option, which makes the output more understandable.

BZ#728614

Using the ipa-replica-install did not ensure that the dbus service was running. Consequently, tracking certificates with certmonger returned an error and the installation failed. With this update, prior to starting certmonger, it is checked whether the dbus-daemon is running.

BZ#733436

The Identity Management server installer and ipactl use two different methods to determine whether Identity Management is configured. If the Identity Management uninstallation was not complete, ipactl may have claimed that the Identity Management server is not configured while the Identity Management server installer refused to continue because Identity Management was configured. With this update, a common function that checks whether the Identity Management server is configured has been added. During the uninstallation process of the Identity Management server, checks are run that report left-over files so that users can manually resolve these.

BZ#714238

Prior to this update, the error message returned when setting an integer value that was too large on 64-bit systems was confusing. This update limits the integer values to 2147483647 on all platforms, making error messages consistent on 32 and 64-bit systems.

BZ#729245

Adding an option to a sudo rule with the sudurole-add-option command did not display a summary after the option was added. With this update, a summary is printed in the form of Added option 'x' to Sudo Rule 'y'.

BZ#730436

Under rare circumstances, certain operations may have caused the 389 Directory Server (389-ds) to crash or not function properly. This was because NSPR (Netscape Portable Runtime) read/write locks used by 389-ds were not re-entrant. These locks were replaced with POSIX thread read-write locks in the Identity Management 389-ds plugins, and the aforementioned crashes no longer occur.

BZ#729246

Removing an option from a sudo rule with the sudurole-remove-option command did not display a summary after the option was removed. With this update, a summary is printed in the form of Removed option 'x' to Sudo Rule 'y'.

BZ#729377

Installing an Identity Management server using the --no-host-dns option without a DNS resolvable host name caused the installation to fail with DNS errors. This update moves the no-host-dns test so that it is tested before any DNS lookups occur, and installations with the --no-host-dns option do not perform any DNS validation.

BZ#732468

When Identity Management client A/PTR DNS records did not match, the ipa-getkeytab and ipa-join commands did not operate properly, and the client could not be enrolled to the Identity Management server. As a result, client installations failed every time. With this update, matching client A/PTR DNS records are no longer a requirement for ipa-getkeytab and ipa-join, and client installations succeed even when the aforementioned records do not match.

BZ#730713

Selecting a check box for users, groups, hosts, or host groups when deleting a list of objects in an HBAC rule in the Identity Management Web UI left the check box checked even when the operation was complete and the entry was re-edited. With this update, the selection is cleared when the page is refreshed.

BZ#730751

When editing an HBAC rule in the Identity Management Web UI, the delete button was enabled even when no selection was made. This update disables the delete button when nothing is selected.

BZ#729089

Removing an external host value by checking the update dns check box rendered the action successful even though the host was not removed. With this update, the host is removed successfully in the aforementioned scenario.

BZ#728950

If an 389-ds certificate expired, the Identity Management services did not start .This update adds new options for 389-ds which allow to control how 389-ds reacts to an expired certificate. The default setting is to warn the user and start the services.

BZ#729665

Checking/unchecking the Hide already enrolled check box when adding/removing members from a group had no effect. This update removes this check box.

BZ#726725

Passing an empty map name to the automountmap or automountkey command returned the following error:

Map: 
ipa: ERROR: 'automountmapautomountmapname' is required

This was because Identity Management tries to hide the LDAP implementation and often provides a different value for options and errors than is actually used. It may also use contrived internal names for uniqueness. With this update, Identity Management returns the correct values depending on the context so that a more useful error message is returned. As a result, in the aforementioned scenario, the correct value, automountmap, is now returned.

BZ#714600

The default SSSD configuration did not store passwords if offline. Consequently, when a machine was disconnected from the network, SSSD was unable to authenticate any users. With this update, the krb5_store_password_if_offline parameter is set to True in the /etc/sssd/sssd.conf by default. Note that the --no-krb5-offline-passwords option of the ipa-client-install command may be used if storing passwords for offline use is not desired.

BZ#726722

Passing an empty location to the automountmap or automountkey command returned the following error:

Location: 
ipa: ERROR: 'automountlocationcn' is required

This was because Identity Management tries to hide the LDAP implementation and often provides a different value for options and errors than is actually used. It may also use contrived internal names for uniqueness. With this update, Identity Management returns the correct values depending on the context so that a more useful error message is returned. As a result, in the aforementioned scenario, the correct value, automountlocation, is now returned.

BZ#714919

Prior to this update, the ipa-client-install command did not configure a hostname in the /etc/sysconfig/network file. Consequently, when the --hostname value was passed to the client installer, that value was used during enrollment. However, the system hostname did not match the name of the machine. With this update, the /etc/sysconfig/network file is updated upon installation and /bin/hostname is executed with the hostname of the machine. The name used in the enrollment process now matches the hostname of the machine.

BZ#715112

Renaming users (via ipa user-mod --setattr) may have returned a Not Found error. Renaming the actual users was successful, but their user-private groups were not updated. With this update, the 389-ds plugin has been modified so that the ipa_modrdn plugin runs last. This plugin manages renaming of the Kerberos principal name of the user. Renaming a user now also renames the user-private group.

BZ#736684

If an Identity Management client was installed and there was a too large of a time difference between the client and the Identity Management server, a KDC running on the Identity Management server may have refused any Kerberos authentication request from the client. Consequently, the installation process could fail as it could not get a valid Kerberos ticket. With this update, time is always synchronized with the NTP servers configured for the client domain or the Identity Management server itself. If the time synchronization succeeds, the time on the client machine is fixed and Kerberos authentication and the installation itself successfully continue.

BZ#737048

The ipa-client-install command always ran /usr/sbin/authconfig to add the pam_krb5.so entry to PAM configuration files in the /etc/pam.d/ directory. However, this entry was not needed when an Identity Management client is installed with SSSD support, which is the default behavior. As a result, an unnecessary record was added to the PAM configuration. With this update, /usr/sbin/authconfig is not run if the Identity Management client is configured with SSSD support.

BZ#717724

The certificate subject base was editable post-install which caused the change to not be propagated to the CA. With this update, the certificate subject base is read-only and the value cannot be modified post installation.

BZ#737581

Prior to this update, a new host could be added to an Identity Management server without proper validation. For example, a host with an invalid hostname or a hostname containing a whitespace character could be created. With this update, proper validation of hostnames for any host has been added, and only hosts with valid hostnames can now be added to an Identity Management server.

BZ#717965

The Identity Management configuration stored a value for Password Expiration Notification but did not display it by default (when using the ipa config-show command). This update adds Password Expiration Notification to the default list of attributes to shown by default when running the ipa config-show command.

BZ#745698

Identity Management installation tools accepted invalid IP addresses in their --forwarder or --ip-address options. Consequently, installation could eventually fail, for example because of an invalid name server configuration. With this update, all IP addresses passed to the ipa-server-install, ipa-replica-install and ipa-dns-install commands are checked for validity.

BZ#739040

When the ipa-client-install command detected that the client hostname was not resolvable, it tried to add a DNS record to the Identity Management server. However, it did not expect that the client could have been using an IPv6 machine, and the installation process failed. This update adds a check to make sure that the process for adding a DNS record to the Identity Management server works for both IPv4 and IPv6, and the Identity Management client installation works as expected.

BZ#739640

When a new service was added via the Add New Service Web UI dialog box, the Web UI did not check if the service name field was filled in. When the dialog box was confirmed with the service name field empty, a new service named undefined was created. With this update, the service name field is required to be filled in.

BZ#693496

Prior to this update, the ipa-nis-manage tool crashed with a python exception when attempting to use an LDAPI connection only. With this update, ipa-nis-manage correctly falls back to GSSAPI or a password-based authentication if the LDAPI connection fails.

BZ#723233

An attempt to create a rule with an invalid type returned an error which informed users that only allow and deny are accepted as types:

ipa: ERROR: invalid 'type': must be one of (u'allow', u'deny')

However, rules of the type deny are not allowed. With this update, the deny type was deprecated because SSSD determined that properly enforcing the deny type was extremely difficult and dependent on how other libraries present host information.

BZ#743680

The ipa-server-install command did not update the system hostname when it was installed with a custom hostname. It passed the hostname to services using their own configurations. However, some services failed to function properly as they did not expect an Identity Management server to use a custom hostname and not a system hostname. With this update, the system hostname is updated to the value passed via ipa-server-install's --hostname option. The system hostname is also set in the system network configuration in /etc/sysconfig/network so that it is properly set after a system reboot. Refer to Section 2.8, “Authentication” for a known limitation regarding Identity Management server installations with custom hostnames.

BZ#707001

When installing an Identity Management server and using an external CA to sign it, the specified command line options were not properly validated. In such a case, the resulting CSR contained only the string null. This update adds better detection of whether the CA 389-ds instance has been installed to identify the current stage of the installation, thus fixing this issue.

BZ#723778

When deleting an automount location, the command appeared to be successful, but there was no feedback provided on the output. With this update, a summary of all automount commands is shown.

BZ#723781

When adding an automount location, the command appeared to be successful, but there was no feedback provided on the output. With this update, a summary of all automount commands is shown.

BZ#707133

Prior to this update, the ipa-nis-manage command did not return an exit status of 0 when successful. With this update, the underlying source code has been modified to address this issue, and correct exit codes are returned.

BZ#737997

When a new user was added, its login was normalized and lower-cased. However, its principal was not normalized and contained the original login. Consequently, if a new user with an uppercase letter in its login was added, a disconnect between a user login and its principal was created. The Identity Management server then refused to create a password for that user. This update normalizes both the new user long and its principal, thus fixing this issue.

BZ#737994

Certain Identity Management commands require a file to be passed. For example, a cert-request command requires a CSR file. If the command contains a validation rule for the required file, it needs to be executed before it can be processed. However, if the file was passed in the CLI command interactively (and not as a command option), the validation rule was applied to the file path and not the file contents. As a result, a validation rule could fail and the command then returned an error until the file was passed as a command option. With this update, a validation rule is applied to file contents only, and users can pass the required file on the command line both interactively and via a command option.

BZ#726454

Previously, there was no indicator in a host entry that a one-time password was set. This update adds a new output attribute for host entries, has_password, that is set when the host has a password set. If has_password is True, a password has been set on the host. However, there is no way to see what that password is once it has been set.

BZ#716287

When a host is enrolled, the user that does the enrollment is stored in the attribute enrolledBy on the host. Prior to this update, an administrator was able to change this value by using the ipa host-mod --setattr. This action should not be allowed. This update fixes this behavior and write permissions have been removed from the enrolledBy attribute.

BZ#714924

When configuring an Identity Management client to use SSSD, if an error occurred while looking up users, the following error message was displayed:

nss_ldap is not able to use DNS discovery

This update modifies this error message to be more specific.

BZ#736617

The ipa-client-install command did not configure /usr/sbin/ntpdate to use correct NTP servers in the /etc/ntp/step-tickers. Additionally, the ipa-client-install did not store the state of the ntpd service before installation. Consequently, when an Identity Management client is installed, ntpdate may have used incorrect servers to synchronize with. When the Identity Management client was uninstalled, the ntpd may have been set to an incorrect state. With this update ipa-client-install configures ntpdate to use the IPA NTP server for synchronization. When an IPA client is uninstalled, both ntpdate configuration and ntpd status are restored.

BZ#714597

The IPA-generated /etc/krb5.conf file contained values which were not present in the standard configuration file (specifically: ticket_lifetime, renew_lifetime, and forwardable in the [libdefaults] section, and the entire [appdefaults] section). This update removes these unnecessary values and sections.

BZ#680504

DNS forward and reverse entries are stored discretely. Removing one does not remove the other unless specifically requested. Previously, it was unclear how to remove the required entries. This update adds a new interactive mode (via ipa dnsrecord-del) to the command line application which guides the user through the process of removing the required entries.

BZ#725763

Summary data displayed when adding an automount key has been modified to include the map and the key.

BZ#717625

Updating values in the configuration tab in the Identity Management Web UI returned an error. This was because the Web UI was searching for a primary key configuration. With this update, it no longer searches for the key, and the configuration tab works as expected.

BZ#717020

When activating or deactivating a user in the Identity Management Web UI, the user is updated without having to click the Update button. With this update, a message box is displayed indicating that the change is going into effect immediately.

BZ#716432

If 389-ds debugging was enabled, superfluous content appeared in the ipactl output. With this update, the amount of information displayed in the ipactl output has been reduced. The previously reported data is not available in the 389-ds error log only.

BZ#714799

The ipa-client-install did not successfully run on a client when a one-time password was set on a host in the Identity Management Web UI. Consequently, clients could not be enrolled using a one-time password if it was set in the Web UI. With this update, the krbLastPwdChange value is no longer set in the host entry when setting a host one-time password, thus fixing this issue.

BZ#713798

Prior to this update, DNS lookups were not being forwarded if they originated in a subnet that was not managed by Identity Management. With this update, the Identity Management DNS is configured to allow recursion by default, thus fixing this issue.

BZ#713481

When removing a runAsGroup value from a sudo rule, the command appeared to be successful, but the group information data included in the output was not updated and did not show the proper membership. This update fixes this bug, and data is refreshed before being returned.

BZ#713380

When removing a runasuser (via ipa sudorule-remove-runasuser) and, consequently, defining a group, the RunAs Group value was not included in the output. This was because the label for the returned data was mislabeled and was not appearing in the output. With this update, the underlying source code has been modified to address this issue, and adding a group to runasuser is properly displayed.

BZ#713069

Comma-separated values were not handled properly when the --externaluser option was specified for the sudorule-mod command. As a result, erroneous values were stored in the entry. With this update, the --externaluser option was removed from the sudorule-mod command. It is advisable to use the sudorule-add-user command instead.

BZ#731804

Upgrading Identity Management from version 2.0.0-23 caused the 389-ds configuration to be modified to not accept requests. With this update, the upgrade process is more robust and always restores the 389-ds configuration. As a result, upgrading Identity Management no longer leaves the system in an inconsistent state.

BZ#731805

Different error types could cause various error messages to appear in the Identity Management Web UI. This update makes all error messages in the Web UI consistent.

BZ#732084

Disabling SELinux (SELINUX=disabled in /etc/selinux/config) and attempting to restart the ipa service caused the ipa service to fail to start. This update ignores the value returned by restorecon, and the ipa service now starts as expected whether SELinux is enabled or disabled.

BZ#712889

A request to set a certificate revocation reason to 7 would cause the request to fail and the certificate was not revoked. Reason 7 is not a valid revocation reason according to RFC 5280. With this update, an error message is returned to the user, informing of the fact that, when used, reason 7 is not a valid revocation reason.

BZ#726028

Previously, renaming an automount key did not work properly because DN of the key was being updated but not the value within the entry. Renaming an automount key now updates the DN and the stored key value, thus fixing this issue.

BZ#711786

When setting runAsGroup in a sudo role as a user, the name of that user is returned as the name of a group that may also be used as the runAsGroup. As a result, the sudo rule was erroneous and referred to a non-existent group. This was because the search filter for determining the CN value was too generic. This update adds a test which assures user names no longer appear as runAsGroup values.

BZ#711761

Prior to this update, removing a sudo rule option failed on the server because the code which handled sudo rule option removal was not robust enough and if the input did not exactly match the stored value, it failed. With this update, removing sudo rule options works as expected.

BZ#711671, BZ#711667

Previously, comma-separated values were not handled properly when using sudorule-mod's --runasexternaluser or --runasexternalgroup options. With this update, the aforementioned options have been deprecated. It is advisable to use the sudorule-add-runasuser or sudorule-runasgroup commands instead.

BZ#710601, BZ#710598, BZ#710592

Prior to this update, leading and trailing spaces were allowed in some parameter values. This update adds a validator that disallows the use of leading and trailing spaces.

BZ#710530

Passing an empty password when prompted to by the ipa-nis-manage command did not display an error and did not exit the command. With this update, passing an empty password causes an error to appear (No password supplied), and the command is exited with the status code 1.

BZ#710494

The ipa-nis-manage command has an option, -y, to specify the Directory Manager password in a file. This option caused the command to crash if the file did not exist. An exception handler around the password reader has been added, and a proper error message is displayed when the supplied password file is non-existent or is not readable.

BZ#710253

When adding a runasuser (via ipa sudorule-add-runasuser) and, consequently, defining a group, the RunAs Group value was not included in the output. This was because the label for the returned data was mislabeled and was not appearing in the output. With this update, the underlying source code has been modified to address this issue, and adding a group to runasuser is properly displayed.

BZ#738693

A user with a valid Kerberos ticket can change an IPA password with the ipa passwd command. Prior to this update, the command did not require entering the old password. Consequently, anyone with access to that user's shell could change his Identity Management password without knowing the old password. With this update, the old password is always required in order to change a user's password. The only exception is the administrator user.

BZ#710245

A removed sudorule option appeared in the output when that option was removed. With this update, option values are refreshed before being returned, and the output of the delete command is consistent with the actual data.

BZ#710240

Adding a duplicate sudorule option did not generate any errors messages. With this update, rather than ignoring duplicate values, an error is returned when a duplicate sudorule option is added.

BZ#739195

When attempting to unprovision a host keytab in the Identity Management Web UI Unprovisioning Host dialog, there was no option to cancel the process. This update adds the Cancel button to the Unprovisioning Host dialog.

BZ#709665, BZ#709645

When removing external hosts from a sudorule, the output shown after the command completed contained the hosts that were removed. With this update, external host information is refreshed before it is returned to the client.

BZ#707312

Previously, new DNS zones were not available until the bind service was restarted. With this update, an updated bind-dyndb-ldap package added a zone refresh option that Identity Management uses to refresh the zone list in DNS. The default setting is 30 seconds. As a result, new DNS zones are not immediately available, but the bind service does not have to be restarted anymore.

BZ#740320

When a new group was being created via the Identity Management Web UI, unchecking the Posix check box was not taken into account and a posix group was created every time. With this update, the underlying source code has been modified to address this issue, and creating non-posix groups works as expected.

BZ#707229

The --no-host-dns option of the ipa-server-install command still checked that the forward and reverse DNS entries existed and matched. Installation of an Identity Management server using a host name that could not be resolved would then fail. This update removes any DNS validation when the --no-host-dns option is used.

BZ#705804

The subject name of a CA agent certificate used by Identity Management was not very specific. This update changes the subject name from RA Subsystem to IPA RA.

BZ#702685

If a remote LDAP server that was being used while migrating to Identity Management contained an LDAP search reference, the migration failed. With this update, the migration process logs any search references and skips them, assuring a successful migration.

BZ#740885

For an HBAC rule, you can choose to add a host in the Accessing section of the Identity Management Web UI. Clicking on Enroll without selecting a host did not return an error indicating that a host was not selected. With this update, the Enroll button is disabled until a host is chosen.

BZ#740891

For an HBAC rule, you can choose to delete a host in the Accessing section of the Identity Management Web UI. Clicking on Enroll without selecting a host did not return an error indicating that a host was not selected. With this update, the Enroll button is disabled until a host is chosen.

BZ#741050

The ipa-client-install command always checked the specified server whether it was a valid Identity Management server. However, if the Identity Management server was configured to restrict access for anonymous binds (via the nsslapd-allow-anonymous-access option), the check failed and the installation processes returned an error and ended. With this update, when the ipa-client-install command detects that the chosen server does not allow anonymous binds, it skips server verification, reports a warning, and lets the user join the Identity Management server.

BZ#701325

The X509v3 certificate shown in a host or service record in the Identity Management Web UI was not properly formatted. This update converts the certificate from the base64 format to the PEM format.

BZ#698219

The Apache service communicates with 389-ds early on during the start-up (to attempt to retrieve the LDAP schema). Previously, if that communication failed, the Apache service would have to be restarted. This race condition could cause a restarted Identity Management server become unavailable. With this update, the communication between Apache and 389-ds is retried when it fails, thus fixing this issue.

BZ#697878

The Identity Management server installation could fail with an error informing of the fact that the LDAP server could not be reached. This was because the installation process did not wait for the 389-ds server to fully start after a restart. With this update, the installation process waits for the 389-ds server to be fully started.

BZ#742875

When an Identity Management server was installed, it did not properly check the system's static lookup table (/etc/hosts) for records which could interfere with its IP address or hostname, and cause forward or reverse DNS queries to be resolved to different values than expected. The installation process now always checks for any conflicting records in the /etc/hosts file.

BZ#696282

A certificate subject base with an incorrect format provided by the user could cause an installation process to fail in the CA step with a non-descriptive error. With this update, the subject base of a certificate is validated, and the installation no longer fails.

BZ#696268

Providing an IP address during the Identity Management server installation via the --ip-address option caused the installed server to not function properly. With this update, it is verified whether the provided IP address is a configured interface on the system. Providing an IP address that is not associated with a local network interface will return an error message.

BZ#743788

The IPA Web UI was missing a title on several pages. This update adds the missing titles.

BZ#693771

Including non-ASCII characters in the zonemgr email address could cause an installation to fail with an unclear message. This update adds a validator which requires the zonemgr to contain ASCII characters only.

BZ#681978

Uninstalling an Identity Management client on a machine which has the Identity Management server installed on it as well caused the server to break. The client uninstaller now detects the installation state of an installed server. An attempt to uninstall a client from a machine which also contains the server will result in an error message. The client can be uninstalled when the server is uninstalled.

BZ#744024

Prior to this update, the ipa-client-install command did not return an exit status of 0 when successful. With this update, the underlying source code has been modified to address this issue, and correct exit codes are returned.

BZ#744074

Prior to this update, the Identity Management Web UI allowed a user to delete a global Password Policy. If a global Password Policy is deleted, any attempt to add a user with a Kerberos password fails. Additionally, neither the CLI nor the Web UI version of Identity Management could be used to add this policy back. With this update, deleting the global Password Policy is denied.

BZ#692955

Attempting to set the manager value of a user resulted in the following error message:

value #0 invalid per syntax: Invalid syntax.

This was because the value required a full LDAP DN syntax. With this update, when storing or retrieving the manager value, the value is automatically translated between a login name and a DN. Setting the manager value now requires a login name only.

BZ#744422

During the installation of a Identity Management server, the ipa-server-install called kdb5_ldap_util to populate the directory with realm information. In the process of doing so, it passes the Kerberos master database password and the Kerberos directory password as parameters. As a result, a user could list all running processes during the IPA server installation and discover the aforementioned passwords. With this update, kdb5_ldap_util's interactive mode is used to pass the passwords instead of passing them via CLI parameters.

BZ#692950

When setting up DNS during an interactive installation, a reverse zone was always created regardless of the --no-reverse option. This update fixes this behavior, and a reverse zone is not created unless specified.

BZ#745392

When the ipa-client-install command attempted to auto-discover the Identity Management server in its domain, it did not use any timeout when a server was found and was being checked. If the found server was unresponsive during the auto-discovery, the ipa-client-install command got stuck and did not continue. This update adds a 30 second timeout to the ipa-client-install auto-discovery server check.

BZ#692144

Using the --no-sssd option of the ipa-client-install command did not properly back up and restore the existing /etc/sssd/sssd.conf file. With this update, the underlying source code has been modified to address this issue, and the --no-sssd option works as expected.

BZ#690473

Using the --hostname option to set a value outside an Identity Management-managed DNS domain did not return an error and did not add the host to DNS. The DNS updating utility, nsupdate, was modified to properly return an error when an update fails.

BZ#690185

Uninstalling an Identity Management client did not restore certain files when that client was previously installed with the --force option. This was because the --force option was able to re-install over an already installed system, causing the original saved files to be lost. This behavior is no longer permitted; the client must be first uninstalled and only then it can be re-installed.

BZ#689810

Adding a duplicate user resulted in a generic error message which was not specific enough to discover the reason of the error. With this update, the object type and the primary key are returned in the error message, making the error message more understandable.

BZ#689023

When adding a new password policy, the Identity Management Web UI did not prompt for a required field, priority. This update requires the priority field to be filled in.

BZ#688925

The process of setting up an Identity Management replica became unresponsive if the master could not be reached. This update adds a new utility, ipa-replica-conncheck, which verifies that the replica and the master can communicate in both directions.

BZ#688266

If the domain did not match the realm, enrolling a client could fail with the following error:

Cannot resolve network address for KDC

This was because a temporary /etc/krb5.conf file was used during enrollment to contact the Identity Management KDC. The process was always relying on DNS auto-discovery to find the correct KDC and not the values provided by the end-user. With this update, enrollment works even if the domain does not match the realm.

BZ#683641

If a one-time password was set on a host, an administrator was unable to enroll it and the following error message would be returned:

No permission to join this host to the IPA domain.

A delegated administrator did not have permissions to write the Kerberos principal name. This update adds permissions for the delegated administrator to be able to add a one-time password, but not change or remove an existing one.

BZ#681979

The --on-master lacked proper documentation. This update makes the option invisible and removes it from documentation entirely.

BZ#747443

Realm-Domain mapping was not specified in a client's Kerberos configuration when the client was outside of an Identity Management domain. In such a case, Certmonger would fail to issue a host certificate. Realm-Domain mapping is now properly configured when the client is outside of the Identity Management domain.

BZ#748754

Arguments for the Kerberos KDC, contained in the /etc/sysconfig/krb5kdc file, were not formatted properly on multi-CPU systems. As a consequence, the KDC could not use the intended number of CPUs and reported an error when it was (re)started. With this update, the aforementioned arguments are now properly formatted, fixing this issue.

BZ#749352

Prior to this update, the ypcat command's netgroup output did not show users in netgroup triples. Consequently, NIS-based authorization did not work as expected, and access was denied when it should have been allowed. This was caused by a syntax error in the triple rule. This update fixes this error, and users are now properly included in the netgroup triples.

BZ#736170

The ipa package has been upgraded to upstream version 2.1.3 which provides a number of bug fixes and enhancements over the previous version.