SCIENTIFIC-LINUX-USERS Archives

March 2013

SCIENTIFIC-LINUX-USERS@LISTSERV.FNAL.GOV

From: Pat Riehecky <[log in to unmask]>
Reply To: Pat Riehecky <[log in to unmask]>
Date: Wed, 20 Mar 2013 09:42:43 -0500

On 03/20/2013 08:41 AM, Sean Murray wrote:
> Hi
>
> I can't configure ipa to as dns, please see bottom.
>
> On 03/04/2013 09:09 PM, Pat Riehecky wrote:
>> Synopsis: Low: ipa security, bug fix and enhancement update
>> Issue Date: 2013-02-21
>> CVE Numbers: CVE-2012-4546
>> -- 
>>
>> It was found that the current default configuration of IPA servers did not
>> publish correct CRLs (Certificate Revocation Lists). The default configuration
>> specifies that every replica is to generate its own CRL; however, this can
>> result in inconsistencies in the CRL contents provided to clients from
>> different Identity Management replicas. More specifically, if a certificate is
>> revoked on one Identity Management replica, it will not show up on another
>> Identity Management replica. (CVE-2012-4546)
>> -- 
>>
>> SL6
>> x86_64
>> ipa-client-3.0.0-25.el6.x86_64.rpm
>> ipa-debuginfo-3.0.0-25.el6.x86_64.rpm
>> ipa-python-3.0.0-25.el6.x86_64.rpm
>> ipa-admintools-3.0.0-25.el6.x86_64.rpm
>> ipa-server-3.0.0-25.el6.x86_64.rpm
>> ipa-server-selinux-3.0.0-25.el6.x86_64.rpm
>> ipa-server-trust-ad-3.0.0-25.el6.x86_64.rpm
>> i386
>> ipa-client-3.0.0-25.el6.i686.rpm
>> ipa-debuginfo-3.0.0-25.el6.i686.rpm
>> ipa-python-3.0.0-25.el6.i686.rpm
>> ipa-admintools-3.0.0-25.el6.i686.rpm
>> ipa-server-3.0.0-25.el6.i686.rpm
>> ipa-server-selinux-3.0.0-25.el6.i686.rpm
>> ipa-server-trust-ad-3.0.0-25.el6.i686.rpm
>>
>> The following packages were added for dependency resolution
>> SL6
>> x86_64
>> certmonger-0.61-3.el6.x86_64.rpm
>> mod_nss-1.0.8-18.el6.x86_64.rpm
>> nss-3.14.0.0-12.el6.i686.rpm
>> nss-3.14.0.0-12.el6.x86_64.rpm
>> nss-devel-3.14.0.0-12.el6.i686.rpm
>> nss-devel-3.14.0.0-12.el6.x86_64.rpm
>> nss-pkcs11-devel-3.14.0.0-12.el6.i686.rpm
>> nss-pkcs11-devel-3.14.0.0-12.el6.x86_64.rpm
>> nss-sysinit-3.14.0.0-12.el6.x86_64.rpm
>> nss-tools-3.14.0.0-12.el6.x86_64.rpm
>> nss-util-3.14.0.0-2.el6.i686.rpm
>> nss-util-3.14.0.0-2.el6.x86_64.rpm
>> nss-util-devel-3.14.0.0-2.el6.i686.rpm
>> nss-util-devel-3.14.0.0-2.el6.x86_64.rpm
>> policycoreutils-2.0.83-19.24.el6.x86_64.rpm
>> policycoreutils-gui-2.0.83-19.24.el6.x86_64.rpm
>> policycoreutils-newrole-2.0.83-19.24.el6.x86_64.rpm
>> policycoreutils-python-2.0.83-19.24.el6.x86_64.rpm
>> policycoreutils-sandbox-2.0.83-19.24.el6.x86_64.rpm
>>
>> i386
>> certmonger-0.61-3.el6.i686.rpm
>> mod_nss-1.0.8-18.el6.i686.rpm
>> nss-3.14.0.0-12.el6.i686.rpm
>> nss-devel-3.14.0.0-12.el6.i686.rpm
>> nss-pkcs11-devel-3.14.0.0-12.el6.i686.rpm
>> nss-sysinit-3.14.0.0-12.el6.i686.rpm
>> nss-tools-3.14.0.0-12.el6.i686.rpm
>> nss-util-3.14.0.0-2.el6.i686.rpm
>> nss-util-devel-3.14.0.0-2.el6.i686.rpm
>> policycoreutils-2.0.83-19.24.el6.i686.rpm
>> policycoreutils-gui-2.0.83-19.24.el6.i686.rpm
>> policycoreutils-newrole-2.0.83-19.24.el6.i686.rpm
>> policycoreutils-python-2.0.83-19.24.el6.i686.rpm
>> policycoreutils-sandbox-2.0.83-19.24.el6.i686.rpm
>
> I think bind-dyndb-ldap-2.3.2 needs to be added to that dependency list.
>
> On attempting to configure ipa-server-3.0.0 for dns it complains the
> bind-dyndb-ldap is not installed. On installing it says it needs 2.3.2 but
> only 1.1.0-0.9.b1.el6_3.1 is available.
> It is however available in 6.4 though, where 3.0.0 will happily run more
> than likely.
>
> Although the source packages
> http://ftp.scientificlinux.org/linux/scientific/6.4/SRPMS/vendor/bind-dyndb-ldap-1.1.0-0.9.b1.el6_3.1.src.rpm 
>
> is the latest but
> http://ftp.scientificlinux.org/linux/scientific/6.4/i386/os/Packages/bind-dyndb-ldap-2.3-2.el6.i686.rpm 
>
> I can't find the src to build it myself.
>
> There was mention of a similar problem in the transition from 6.1 to 6.2 at
> http://listserv.fnal.gov/scripts/wa.exe?A2=ind1201&L=scientific-linux-users&T=0&P=6283 
>
>
> Must I simply wait for 6.4 ?
>
> Thanks
> Sean
>
>

I'm pushing the updated bind-dyndb-ldap package at this time.  It should be 
available in the next 45 minutes.

Pat


-- 
Pat Riehecky

Scientific Linux developer
http://www.scientificlinux.org/
