- Issued:
- 2016-12-06
- Updated:
- 2016-12-06
RHBA-2016:2863 - ipa bug fix update
Synopsis
ipa bug fix update
Type/Severity
Bug Fix Advisory None
Topic
Updated ipa packages that fix several bugs are now available for Red Hat Enterprise Linux 7.
Description
Red Hat Identity Management (IdM) is a centralized authentication, identity management, and authorization solution for both traditional and cloud-based enterprise environments.
This update fixes the following bugs:
-
When using a previously-installed third-party certificate to sign the certificate signing request (CSR) during an Identity Management (IdM) external certificate authority (CA) installation, the third-party certificate trust flags in the network security services (NSS) database were reset. Consequently, the certificate was no longer marked as trusted, and the IdM CA installation failed. This update applies a patch and as a result, installing an IdM CA works correctly in the described scenario. (BZ#1389249)
-
Previously, the Identity Management (IdM) web UI was unable to determine if a certificate has been revoked. As a consequence, some certificate-related user interface elements behaved incorrectly. A patch has been provided to fix the problems. As a result, the IdM web UI is now able to determine if a certificate has been revoked. (BZ#1389252)
-
Previously, when installing a third-party service certificate, the ipa-server-certinstall utility did not verify if the certificate was issued by a certificate authority (CA) known to Identity Management (IdM). Consequently, certificates issued by an unknown CA could be installed, and services using these certificates failed to start or worked incorrectly. A patch has been applied and as a result, the ipa-server-certinstall utility now verifies if the certificate to be installed has been issued by a CA known to IdM. (BZ#1389348)
-
Previously, due to a bug in the principal name normalization, the "ipa passwd" command failed to convert user names to lower case. As a consequence, users synchronized from Active Directory (AD) with a mixed case user name were unable to change their passwords. The user principal name normalization has been fixed and as a result, the "ipa passwd" command now works correctly. (BZ#1389350)
-
Previously, after running the ipa-replica-install command to set up a new Identity Management (IdM) replica in domain level 1, the certificate authority (CA) certificate was not published. As a consequence, users were not able to download the certificate from the replica to, for example, import into certificate it in the web browser. The CA certificate publishing process has been enhanced and is now independent of the IdM domain level. As a result, the CA certificate is now correctly stored in the "/usr/share/ipa/html/ca.crt" file and users are able to download it from the web server. (BZ#1389379)
-
A bug in the Identity Management (IdM) LDAP server caused replication to fail in certain scenarios with a replica that ran an older version of the 389-ds-base package. Consequently, the "ipa-replica-install" command failed when the replication partner on Red Hat Enterprise Linux 6. The problem has been fixed and as a result, the "ipa-replica-install" command no longer fails when the replication partner runs an older version of the 389-ds-base package. (BZ#1389434)
-
Services created in Identity Management (IdM) before version 4.4 do not have a canonical name set. However, IdM 4.4 uses the canonical name to list services in the web UI. As a consequence, when upgrading to IdM 4.4, services created in earlier versions were not displayed in the web UI. A patch has been applied to support both canonical and principal names. As a result, all services are now displayed correctly in the IdM web UI. (BZ#1390662)
-
Previously, Kerberos failed to reopen libkrad sockets. Consequently, one-time password (OTP) authentication could fail when the socket changed the state. A patch has been provided to fix the problem. As a result, two-factor authentication no longer fails in the described situation. (BZ#1391026, BZ#1389364)
Users of ipa are advised to upgrade to these updated packages, which fix these bugs.
Solution
Before applying this update, make sure all previously released errata relevant to your system have been applied.
For details on how to apply this update, refer to:
https://access.redhat.com/articles/11258
Affected Products
| Product | Version | Arch |
|---|---|---|
| Red Hat Enterprise Linux for x86_64 - Update Services for SAP Solutions | 7.7 | x86_64 |
| Red Hat Enterprise Linux for x86_64 - Update Services for SAP Solutions | 7.6 | x86_64 |
| Red Hat Enterprise Linux for x86_64 - Update Services for SAP Solutions | 7.4 | x86_64 |
| Red Hat Enterprise Linux for x86_64 - Update Services for SAP Solutions | 7.3 | x86_64 |
| Red Hat Enterprise Linux for x86_64 - Extended Update Support | 7.7 | x86_64 |
| Red Hat Enterprise Linux for x86_64 - Extended Update Support | 7.6 | x86_64 |
| Red Hat Enterprise Linux for x86_64 - Extended Update Support | 7.5 | x86_64 |
| Red Hat Enterprise Linux for x86_64 - Extended Update Support | 7.4 | x86_64 |
| Red Hat Enterprise Linux for x86_64 - Extended Update Support | 7.3 | x86_64 |
| Red Hat Enterprise Linux for Scientific Computing | 7 | x86_64 |
| Red Hat Enterprise Linux for Power, little endian | 7 | ppc64le |
| Red Hat Enterprise Linux for Power, little endian - Extended Update Support | 7.7 | ppc64le |
| Red Hat Enterprise Linux for Power, little endian - Extended Update Support | 7.6 | ppc64le |
| Red Hat Enterprise Linux for Power, little endian - Extended Update Support | 7.5 | ppc64le |
| Red Hat Enterprise Linux for Power, little endian - Extended Update Support | 7.4 | ppc64le |
| Red Hat Enterprise Linux for Power, little endian - Extended Update Support | 7.3 | ppc64le |
| Red Hat Enterprise Linux for Power, big endian | 7 | ppc64 |
| Red Hat Enterprise Linux for Power, big endian - Extended Update Support | 7.7 | ppc64 |
| Red Hat Enterprise Linux for Power, big endian - Extended Update Support | 7.6 | ppc64 |
| Red Hat Enterprise Linux for Power, big endian - Extended Update Support | 7.5 | ppc64 |
| Red Hat Enterprise Linux for Power, big endian - Extended Update Support | 7.4 | ppc64 |
| Red Hat Enterprise Linux for Power, big endian - Extended Update Support | 7.3 | ppc64 |
| Red Hat Enterprise Linux for IBM z Systems | 7 | s390x |
| Red Hat Enterprise Linux for IBM z Systems - Extended Update Support | 7.7 | s390x |
| Red Hat Enterprise Linux for IBM z Systems - Extended Update Support | 7.6 | s390x |
| Red Hat Enterprise Linux for IBM z Systems - Extended Update Support | 7.5 | s390x |
| Red Hat Enterprise Linux for IBM z Systems - Extended Update Support | 7.4 | s390x |
| Red Hat Enterprise Linux for IBM z Systems - Extended Update Support | 7.3 | s390x |
| Red Hat Enterprise Linux Workstation | 7 | x86_64 |
| Red Hat Enterprise Linux Server | 7 | x86_64 |
| Red Hat Enterprise Linux Server for Power LE - Update Services for SAP Solutions | 7.7 | ppc64le |
| Red Hat Enterprise Linux Server for Power LE - Update Services for SAP Solutions | 7.6 | ppc64le |
| Red Hat Enterprise Linux Server for Power LE - Update Services for SAP Solutions | 7.4 | ppc64le |
| Red Hat Enterprise Linux Server for Power LE - Update Services for SAP Solutions | 7.3 | ppc64le |
| Red Hat Enterprise Linux Server - TUS | 7.7 | x86_64 |
| Red Hat Enterprise Linux Server - TUS | 7.6 | x86_64 |
| Red Hat Enterprise Linux Server - TUS | 7.3 | x86_64 |
| Red Hat Enterprise Linux Server - Extended Life Cycle Support | 7 | x86_64 |
| Red Hat Enterprise Linux Server - Extended Life Cycle Support for IBM Power, little endian | 7 | ppc64le |
| Red Hat Enterprise Linux Server - Extended Life Cycle Support for IBM Power, big endian | 7 | ppc64 |
| Red Hat Enterprise Linux Server - Extended Life Cycle Support (for IBM z Systems) | 7 | s390x |
| Red Hat Enterprise Linux Server - AUS | 7.7 | x86_64 |
| Red Hat Enterprise Linux Server - AUS | 7.6 | x86_64 |
| Red Hat Enterprise Linux Server - AUS | 7.4 | x86_64 |
| Red Hat Enterprise Linux Server - AUS | 7.3 | x86_64 |
| Red Hat Enterprise Linux EUS Compute Node | 7.7 | x86_64 |
| Red Hat Enterprise Linux EUS Compute Node | 7.6 | x86_64 |
| Red Hat Enterprise Linux EUS Compute Node | 7.5 | x86_64 |
| Red Hat Enterprise Linux EUS Compute Node | 7.4 | x86_64 |
| Red Hat Enterprise Linux EUS Compute Node | 7.3 | x86_64 |
| Red Hat Enterprise Linux Desktop | 7 | x86_64 |
Updated Packages
- krb5-server-ldap-1.14.1-27.el7_3.aarch64.rpm
- krb5-devel-1.14.1-27.el7_3.aarch64.rpm
- ipa-client-4.4.0-14.el7_3.aarch64.rpm
- ipa-admintools-4.4.0-14.el7_3.noarch.rpm
- ipa-debuginfo-4.4.0-14.el7_3.x86_64.rpm
- ipa-client-4.4.0-14.el7_3.ppc64le.rpm
- libkadm5-1.14.1-27.el7_3.x86_64.rpm
- python2-ipalib-4.4.0-14.el7_3.noarch.rpm
- krb5-pkinit-1.14.1-27.el7_3.aarch64.rpm
- krb5-devel-1.14.1-27.el7_3.s390x.rpm
- krb5-pkinit-1.14.1-27.el7_3.ppc64.rpm
- ipa-server-trust-ad-4.4.0-14.el7_3.x86_64.rpm
- ipa-client-common-4.4.0-14.el7_3.noarch.rpm
- krb5-libs-1.14.1-27.el7_3.ppc.rpm
- krb5-workstation-1.14.1-27.el7_3.aarch64.rpm
- ipa-server-4.4.0-14.el7_3.x86_64.rpm
- krb5-devel-1.14.1-27.el7_3.x86_64.rpm
- ipa-server-dns-4.4.0-14.el7_3.noarch.rpm
- krb5-workstation-1.14.1-27.el7_3.ppc64le.rpm
- libkadm5-1.14.1-27.el7_3.aarch64.rpm
- libkadm5-1.14.1-27.el7_3.ppc64.rpm
- libkadm5-1.14.1-27.el7_3.s390x.rpm
- krb5-pkinit-1.14.1-27.el7_3.ppc64le.rpm
- python2-ipaclient-4.4.0-14.el7_3.noarch.rpm
- ipa-client-4.4.0-14.el7_3.s390x.rpm
- ipa-debuginfo-4.4.0-14.el7_3.s390x.rpm
- krb5-devel-1.14.1-27.el7_3.ppc64le.rpm
- krb5-debuginfo-1.14.1-27.el7_3.ppc64le.rpm
- krb5-libs-1.14.1-27.el7_3.aarch64.rpm
- ipa-4.4.0-14.el7_3.src.rpm
- ipa-debuginfo-4.4.0-14.el7_3.aarch64.rpm
- krb5-debuginfo-1.14.1-27.el7_3.ppc64.rpm
- krb5-pkinit-1.14.1-27.el7_3.x86_64.rpm
- ipa-debuginfo-4.4.0-14.el7_3.ppc64le.rpm
- ipa-client-4.4.0-14.el7_3.ppc64.rpm
- krb5-1.14.1-27.el7_3.src.rpm
- krb5-libs-1.14.1-27.el7_3.ppc64.rpm
- krb5-server-1.14.1-27.el7_3.aarch64.rpm
- krb5-server-ldap-1.14.1-27.el7_3.ppc64le.rpm
- ipa-server-common-4.4.0-14.el7_3.noarch.rpm
- krb5-debuginfo-1.14.1-27.el7_3.aarch64.rpm
- krb5-server-1.14.1-27.el7_3.ppc64le.rpm
- krb5-server-ldap-1.14.1-27.el7_3.ppc64.rpm
- krb5-libs-1.14.1-27.el7_3.s390.rpm
- krb5-workstation-1.14.1-27.el7_3.s390x.rpm
- ipa-debuginfo-4.4.0-14.el7_3.ppc64.rpm
- krb5-libs-1.14.1-27.el7_3.s390x.rpm
- krb5-server-1.14.1-27.el7_3.s390x.rpm
- krb5-debuginfo-1.14.1-27.el7_3.ppc.rpm
- krb5-workstation-1.14.1-27.el7_3.ppc64.rpm
- krb5-devel-1.14.1-27.el7_3.ppc.rpm
- krb5-libs-1.14.1-27.el7_3.i686.rpm
- krb5-debuginfo-1.14.1-27.el7_3.x86_64.rpm
- krb5-debuginfo-1.14.1-27.el7_3.i686.rpm
- krb5-devel-1.14.1-27.el7_3.ppc64.rpm
- libkadm5-1.14.1-27.el7_3.ppc64le.rpm
- krb5-debuginfo-1.14.1-27.el7_3.s390.rpm
- krb5-server-1.14.1-27.el7_3.ppc64.rpm
- krb5-server-1.14.1-27.el7_3.x86_64.rpm
- krb5-workstation-1.14.1-27.el7_3.x86_64.rpm
- ipa-client-4.4.0-14.el7_3.x86_64.rpm
- krb5-devel-1.14.1-27.el7_3.s390.rpm
- libkadm5-1.14.1-27.el7_3.ppc.rpm
- krb5-debuginfo-1.14.1-27.el7_3.s390x.rpm
- krb5-libs-1.14.1-27.el7_3.x86_64.rpm
- krb5-pkinit-1.14.1-27.el7_3.s390x.rpm
- python2-ipaserver-4.4.0-14.el7_3.noarch.rpm
- ipa-python-compat-4.4.0-14.el7_3.noarch.rpm
- libkadm5-1.14.1-27.el7_3.i686.rpm
- krb5-devel-1.14.1-27.el7_3.i686.rpm
- krb5-libs-1.14.1-27.el7_3.ppc64le.rpm
- libkadm5-1.14.1-27.el7_3.s390.rpm
- ipa-common-4.4.0-14.el7_3.noarch.rpm
- krb5-server-ldap-1.14.1-27.el7_3.x86_64.rpm
- krb5-server-ldap-1.14.1-27.el7_3.s390x.rpm
Fixes
- This content is not included.BZ - 1389249
- This content is not included.BZ - 1389252
- This content is not included.BZ - 1389348
- This content is not included.BZ - 1389350
- This content is not included.BZ - 1389379
- This content is not included.BZ - 1389434
- This content is not included.BZ - 1390662
- This content is not included.BZ - 1390673
CVEs
(none)
References
(none)
Additional information
- The Red Hat security contact is This content is not included.secalert@redhat.com. More contact details at https://access.redhat.com/security/team/contact/.
- Offline Security Data data is available for integration with other systems. See Offline Security Data API to get started.