4.71. ipa-client

The RHSA-2011-1533 security advisory, which fixed a security vulnerability in the IPA web-based service, caused incompatibility with older versions of ipa-client. As a consequence, ipa-client was unable to correctly submit enrollment requests to IPA. With this update, ipa-client has been modified and it now operates correctly with newer versions of IPA. Interoperability with older versions of IPA remains unaffected.

Prior to this update, GSSAPI credential delegation was disabled in the curl utility due to a security issue. As a result, applications that rely on delegation did not work properly. This update utilizes a new constructor argument in the xmlrpc-c client API to set the new CURLOPT_GSSAPI_DELEGATION curl option. This option enables the credential delegation, thus fixing this bug.

Prior to this update, GSSAPI credential delegation was disabled in the curl utility due to a security issue. As a result, applications that rely on the delegation did not work properly. This update utilizes a new constructor argument in the xmlrpc-c client API to set the new CURLOPT_GSSAPI_DELEGATION curl option. This option enables credential delegation.

A previous change to the Referer server required that a caller to the IPA server API include the Referer header in its request. Previously, requests from the certmonger and ipa administrative tools did not provide the header, and the tool requests could fail with the error "Missing or invalid HTTP Referer". However, the requests are transferred using curl and curl does not allow setting of arbitrary headers. To resolve this problem, the code has been changed so that the curl version is stored in the HTTP request field X-Original-User-Agent and the rest of the header is overridden. As a result, the correct header is used for the requests and the problem no longer occurs.

If the user ran the ipa-client-install command with the password defined (for example, "ipa-client-install --principal=admin --password=SecretPsswd"), the /var/log/ipaclient-install.log file contained the password in plain text. With this update, the underlying code is modified and the provided password is no longer saved in the logs in this scenario.

Previously, KDC (Key Distribution Center) autodiscovery failed if the domain name differed from the Kerberos realm name. This happened because the ipa-client-install utility always assumed that the realm name was identical to the domain name. Now the realm is used when performing autodiscovery and the problem no longer occurs.

The cyrus-sasl-gssapi package is a soft dependency needed by some IPA client tools. Previously, the ipa-client package spec file did not contain the cyrus-sasl-gssapi dependency for some architectures. As a result, installation on some platforms could fail. This update adds the missing dependency to the spec file and the installation process finishes successfully.

The cyrus-sasl-gssapi package is a soft dependency needed by some IPA client tools. Previously, when installing 32-bit packages on a 64-bit system, the macro determining the required architecture version of the cyrus-sasl-gssapi package did not work correctly. As a result, an incorrect version of cyrus-sasl-gssapi was installed and the system failed to work; for example, the ipa-getkeytab command failed with the following error because the 32-bit GSSAPI SASL mechanism was not available:

SASL Bind failed. This update corrects the macro and the problem no longer occurs.