
Bug Fix Advisory ipa bug fix update

Advisory: RHBA-2008:0643-16
Type: Bug Fix Advisory
Severity: N/A
Issued on: 2008-08-04
Last updated on: 2008-08-04
Affected Products: Red Hat Enterprise IPA v1 EL5

Details

Updated ipa packages that fix several bugs are now available.

Red Hat Enterprise IPA is an integrated security information management
solution for centrally managing Identity, Policy and Auditing.

This update fixes the following bugs:

* if a UDP transport (tpi_clts) was defined in /etc/netconfig, rpcbind bound
to a random UDP port between 600 and 1024 in addition to its standard port,
111. Kerberos 4 (krb4) uses port 750 and was turned on by default, so if
rpcbind happened to take port 750, IPA installation or startup failed. krb4
is now off by default.
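A pre-install check for the port collision described above, written as an added example (it is not IPA code or part of this erratum). It reads /etc/netconfig for a tpi_clts transport and a `netstat -lnup` listing for UDP listeners, reports which reserved-range ports rpcbind has taken beyond 111, and reports any overlap with the UDP ports IPA services need. The netconfig and netstat text is constructed sample input, and the small port-to-service map (88, 464, and 750 only while krb4 is enabled) is an assumption for the example, not a list taken from the advisory.

```python
"""Check whether rpcbind's extra UDP port collides with a port IPA needs.

Added example; not IPA project code. The sample netconfig and netstat
text below is constructed, and the IPA port map is an assumption.
"""

KRB4_UDP_PORT = 750          # kerberos-iv in /etc/services
RPCBIND_UDP_PORT = 111       # portmapper's standard port
RESERVED_RANGE = range(600, 1025)   # the range rpcbind chose its extra port from


def ipa_udp_ports(krb4_enabled):
    """UDP ports IPA services listen on (assumed map for this example)."""
    ports = {88: "kerberos", 464: "kpasswd"}
    if krb4_enabled:
        ports[KRB4_UDP_PORT] = "kerberos-iv"
    return ports


# Constructed /etc/netconfig excerpt: udp is defined as a tpi_clts transport.
NETCONFIG_SAMPLE = """\
# constructed sample
udp        tpi_clts      v     inet     udp     -       -
tcp        tpi_cots_ord  v     inet     tcp     -       -
"""

# Constructed `netstat -lnup` output: rpcbind holds 111 and the random
# reserved port 750, which is exactly the krb4 port.
NETSTAT_SAMPLE = """\
Active Internet connections (only servers)
Proto Recv-Q Send-Q Local Address           Foreign Address         State       PID/Program name
udp        0      0 0.0.0.0:111             0.0.0.0:*                           2099/rpcbind
udp        0      0 0.0.0.0:750             0.0.0.0:*                           2099/rpcbind
udp        0      0 0.0.0.0:68              0.0.0.0:*                           1850/dhclient
"""


def udp_transport_defined(netconfig_text):
    """True if any non-comment netconfig line declares a tpi_clts transport."""
    for line in netconfig_text.splitlines():
        fields = line.split()
        if len(fields) >= 2 and not fields[0].startswith("#") and fields[1] == "tpi_clts":
            return True
    return False


def udp_listeners(netstat_text):
    """Map local UDP port -> program name from `netstat -lnup` output.

    UDP rows have no State column, so the fields are:
    proto recv-q send-q local foreign pid/program."""
    listeners = {}
    for line in netstat_text.splitlines():
        fields = line.split()
        if len(fields) < 6 or not fields[0].startswith("udp"):
            continue                       # header lines and non-UDP rows
        port = int(fields[3].rsplit(":", 1)[1])
        program = fields[-1].split("/", 1)[-1]
        listeners[port] = program
    return listeners


def rpcbind_extra_ports(listeners):
    """Reserved-range UDP ports rpcbind holds besides its standard port 111."""
    return sorted(port for port, program in listeners.items()
                  if program == "rpcbind"
                  and port != RPCBIND_UDP_PORT and port in RESERVED_RANGE)


def conflicts(listeners, needed):
    """(port, ipa_service, holder) for every needed port already bound."""
    return sorted((port, service, listeners[port])
                  for port, service in needed.items() if port in listeners)


if __name__ == "__main__":
    held = udp_listeners(NETSTAT_SAMPLE)
    print("tpi_clts defined:", udp_transport_defined(NETCONFIG_SAMPLE))
    print("rpcbind extra ports:", rpcbind_extra_ports(held))
    print("conflicts with krb4 on: ", conflicts(held, ipa_udp_ports(True)))
    print("conflicts with krb4 off:", conflicts(held, ipa_udp_ports(False)))
```

With krb4 enabled the check reports port 750 as taken by rpcbind; with krb4 off (the post-update default) the same listing produces no conflict, which is the effect this erratum relies on.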

* when certain memberOf-related operations ran under high load, a member
value that referred to a missing entry could make the memberOf plug-in
recurse without bound until the Directory Server ran out of stack space and
crashed. A missing member entry now triggers an entry check: if the missing
entry was a user it is ignored (there is no memberOf value to remove from an
entry that does not exist); if it was a group, the entries that still refer
to it are fixed. This prevents the recursive loop and removes dangling
memberOf attributes.

* the memberOf plug-in issued a separate modify operation for each memberOf
value it changed, which performed poorly when groups in nested hierarchies
were deleted. The plug-in now builds the complete list of required values
and applies it with a single replace operation that overwrites the previous
memberOf values. This is faster, fixes membership inconsistencies, and
ensures clients never see a partially updated entry during a memberOf
operation.

* if an entry was both a direct and an indirect member of a group and the
direct membership was removed, the indirect membership was removed as well.
When deleting a direct membership, IPA now checks whether the entry is still
an indirect member of that group: if so, the memberOf value is left in place.

* the memberOf fixup task previously checked that every direct-membership
group was present in the memberOf attribute, added the indirect memberships
implied by those direct groups, and then trimmed groups with no relationship
to the entry. Memberships nested more than one level deep were missed: for
example, if user1 was a direct member of group1 and group1 was a direct
member of group2, user1 was not made a memberOf group2. The fixup task now
removes all memberOf values and rebuilds them from the Directory, first
adding the direct membership groups and then the nested memberships
reachable from them, so that direct and indirect memberships are generated
correctly.

* a password change request could crash Directory Server. The first
argument passed to the slapi_pw_find_sv() function was an unterminated
array, so the function could read past its end to the end of the memory
segment and trigger a segmentation fault. The array is now terminated.

* administrators adding entries with ldapadd could not set the
"userPassword" attribute; the operation failed with an "Insufficient access"
error instead. This update corrects that.

* ipa-server-certinstall assumed CA certificates were in
/etc/dirsrv/slapd-DOMAIN.COM/ (a realm-based name, with a period), but the
IPA installer puts certificates in /etc/dirsrv/slapd-DOMAIN-COM/ (a
DS-instance-based name, with a hyphen). ipa-server-certinstall now looks for
CA certificates in the DS-instance-based path.

* after installing SSL certificates from PKCS#12 files, permissions and
group membership for files in /etc/httpd/alias were set incorrectly. The
files placed in /etc/httpd/alias now have the correct permissions (0640)
and group membership (apache).

* ipa-replica-prepare assumed certificates were self-signed, failing with
an "unable to retrieve key CA certificate" error if they were not. Now,
PKCS#12 files can be provided during installation and when a replica is
created.

* ipa-delgroup used a substring search by default and failed when that
search returned more than one group entry (for example, "ipa-delgroup it"
also matched the group "editors"). The command now iterates through the
returned entries and deletes only the group whose name exactly matches the
search string.

All ipa users should upgrade to these updated packages, which resolve these
issues.


Solution

Before applying this update, make sure that all previously-released
errata relevant to your system have been applied.

This update is available via Red Hat Network. Details on how to use
the Red Hat Network to apply this update are available at
http://kbase.redhat.com/faq/FAQ_58_10188

Updated packages

Red Hat Enterprise IPA v1 EL5

SRPMS:
ipa-1.0.0-17.el5ipa.src.rpm
File outdated by:  RHSA-2008:0860
    MD5: 476703f808015764372774655abfff5e
 
IA-32:
ipa-admintools-1.0.0-17.el5ipa.i386.rpm
File outdated by:  RHSA-2008:0860
    MD5: c586b230c24ebe1d9beaddf85f3bb935
ipa-client-1.0.0-17.el5ipa.i386.rpm
File outdated by:  RHSA-2008:0860
    MD5: 07127ebcc5ffa445abd70afad2c7771a
ipa-python-1.0.0-17.el5ipa.i386.rpm
File outdated by:  RHSA-2008:0860
    MD5: 6d1cee6ccfdd61a91cc3972a6144db1e
ipa-server-1.0.0-17.el5ipa.i386.rpm
File outdated by:  RHSA-2008:0860
    MD5: 8d99d2c327d97523fc7669274855c581
ipa-server-selinux-1.0.0-17.el5ipa.i386.rpm
File outdated by:  RHSA-2008:0860
    MD5: f92f23e07ea60c1bb3dd147eabc689fd
 
x86_64:
ipa-admintools-1.0.0-17.el5ipa.x86_64.rpm
File outdated by:  RHSA-2008:0860
    MD5: 5c050dae39286f3a9bb48c928c173622
ipa-client-1.0.0-17.el5ipa.x86_64.rpm
File outdated by:  RHSA-2008:0860
    MD5: 03a16dcfd9a4b50340e09c3b1fd8b102
ipa-python-1.0.0-17.el5ipa.x86_64.rpm
File outdated by:  RHSA-2008:0860
    MD5: 907311884ce13ceefd2a143dc44951c0
ipa-server-1.0.0-17.el5ipa.x86_64.rpm
File outdated by:  RHSA-2008:0860
    MD5: 8ebe47fde69fc3d77498ea4b4de1bcb5
ipa-server-selinux-1.0.0-17.el5ipa.x86_64.rpm
File outdated by:  RHSA-2008:0860
    MD5: ce7cf3753c3e65acc3559babb8d1b572
 
(The unlinked packages above are only available from the Red Hat Network)

Bugs fixed (see bugzilla for more information)

439628 - memberOf: does not verify all the indirect groups before deleting a memberOf value
443241 - memberOf: Fixup task does not fix memberOf attribute of indirect groups
451014 - ipa-server-certinstall - Directory name error
451098 - ipa-server-certinstall for httpd problem
451936 - ipa-server-install fails due to rpcbind taking 750/udp
452402 - ipa-replica-prepare assumes self-signed certificate
452537 - Infinite recursion caused by missing entry in memberOf plug-in
453011 - Poor memberOf performance for group deletion
453185 - Not easily reproduceable crash in password change
453222 - "ipa-delgroup it" gets confused with group "editors"



These packages are GPG signed by Red Hat for security. Our key and details on how to verify the signature are available from:
https://www.redhat.com/security/team/key/#package

The Red Hat security contact is secalert@redhat.com. More contact details at http://www.redhat.com/security/team/contact/