Note: This bug is displayed in read-only format because the product is no longer active in Red Hat Bugzilla.
RHEL Engineering is moving the tracking of its product development work on RHEL 6 through RHEL 9 to Red Hat Jira (issues.redhat.com). If you're a Red Hat customer, please continue to file support cases via the Red Hat customer portal. If you're not, please head to the "RHEL project" in Red Hat Jira and file new tickets here. Individual Bugzilla bugs in the statuses "NEW", "ASSIGNED", and "POST" are being migrated throughout September 2023. Bugs of Red Hat partners with an assigned Engineering Partner Manager (EPM) are migrated in late September as per pre-agreed dates. Bugs against components "kernel", "kernel-rt", and "kpatch" are only migrated if still in "NEW" or "ASSIGNED". If you cannot log in to RH Jira, please consult article #7032570. That failing, please send an e-mail to the RH Jira admins at rh-issues@redhat.com to troubleshoot your issue as a user management inquiry. The email creates a ServiceNow ticket with Red Hat. Individual Bugzilla bugs that are migrated will be moved to status "CLOSED", resolution "MIGRATED", and set with "MigratedToJIRA" in "Keywords". The link to the successor Jira issue will be found under "Links", have a little "two-footprint" icon next to it, and direct you to the "RHEL project" in Red Hat Jira (issue links are of type "https://issues.redhat.com/browse/RHEL-XXXX", where "X" is a digit). This same link will be available in a blue banner at the top of the page informing you that that bug has been migrated.

Bug 2165880

Summary: Add RBCD support to IPA
Product: Red Hat Enterprise Linux 9 Reporter: mpanaous
Component: ipaAssignee: Florence Blanc-Renaud <frenaud>
Status: CLOSED ERRATA QA Contact: Michal Polovka <mpolovka>
Severity: medium Docs Contact: Filip Hanzelka <fhanzelk>
Priority: unspecified    
Version: 9.2CC: abobrov, abokovoy, amore, bthekkep, dvozenil, fcami, frenaud, ftrivino, gfialova, jrische, pasik, rcritten, sumenon, tscherf
Target Milestone: rcKeywords: Triaged
Target Release: ---Flags: pm-rhel: mirror+
Hardware: Unspecified   
OS: Unspecified   
Whiteboard:
Fixed In Version: ipa-4.10.2-1.el9 Doc Type: Enhancement
Doc Text:
.IdM now supports resource-based constrained delegation With this update, IdM now supports resource-based constrained delegation (RBCD). RBCD allows a granular control of delegation on a resource level and access can be set by the owner of the service to which credentials are delegated. RBCD can be useful, for example, in an integration between IdM and Active Directory (AD), because AD enforces the use of RBCD when both target and proxy services belong to different forests. IMPORTANT: Currently, only services in the IdM domain can be configured with RBCD rules. If the target service is part of an AD domain, the permission can only be granted on the AD side. As AD domain controllers cannot resolve IdM service information to create the rule, this is not currently supported. For more information on delegation scenarios, see the link:https://freeipa.readthedocs.io/en/latest/designs/rbcd.html[FreeIPA design page].
 Story Points: ---
Clone Of:
: 2212836 (view as bug list) Environment:
Last Closed: 2023-11-07 08:34:04 UTC Type: Bug
Regression: --- Mount Type: ---
Documentation: --- CRM:
Verified Versions: Category: ---
oVirt Team: --- RHEL 7.3 requirements from Atomic Host:
Cloudforms Team: --- Target Upstream Version:
Embargoed:
Bug Depends On:    
Bug Blocks: 2212836    

Description mpanaous 2023-01-31 11:01:29 UTC 
Description of problem:
Add RBCD support to FreeIPA

Version-Release number of selected component (if applicable):


How reproducible:


Steps to Reproduce:
1.
2.
3.

Actual results:


Expected results:


Additional info:
https://issues.redhat.com/browse/FREEIPA-7696
Comment 4 Florence Blanc-Renaud 2023-04-06 07:03:21 UTC 
Fixed upstream:
master:
https://pagure.io/freeipa/c/68c113f02b789d5478375adb9927c52fdf1ad2dd
https://pagure.io/freeipa/c/9b777390fbb6d4c683bf7d3e5f74d5443209b1d5
https://pagure.io/freeipa/c/adc9609ff32c680b07ecfaa4c88d71898d7829c9
https://pagure.io/freeipa/c/b035ac8eb948d850bd8883f215b91bbc337d2ec9
https://pagure.io/freeipa/c/4239b77a6db24a3492f2e8ee4d2aea9a7e676272
https://pagure.io/freeipa/c/f78dc0b16332279c16e0b35fbb71f872746b875c
https://pagure.io/freeipa/c/dd5b189a0935586be30b1766b1db2881a3f3f765
https://pagure.io/freeipa/c/667b82a87008884ac3c0f30e3ccd5912f92bc8cb
https://pagure.io/freeipa/c/0bf0b2d251c96c7488f82cb8fa77052666068217


Fixed upstream
ipa-4-10:
https://pagure.io/freeipa/c/e7506403a988b98cc3381d2d986b53aee48448cb
https://pagure.io/freeipa/c/52e6da9056697e2210736d5528826ae424fec9b1
https://pagure.io/freeipa/c/7a7ba45c10a6da4f9e110f6cc57cfc47e0a16a16
https://pagure.io/freeipa/c/18cd909b4ad854147008a1010c97c75640a54177
https://pagure.io/freeipa/c/5b6ad0e65600a96bb4d6f3b1acf4e16773a03493
https://pagure.io/freeipa/c/7ac6adfaac30473b14b589a71fac42fe147bc0d9
https://pagure.io/freeipa/c/7d68f4f08361760adab90ad4b44c6da2c4ea664d
https://pagure.io/freeipa/c/b63e6a257006e846ef5d0a008d9c3c0f935c09bb
https://pagure.io/freeipa/c/cb18ca31697320a58ae23a67afbfe7a0ff9a55a5
Comment 9 Michal Polovka 2023-06-21 11:57:11 UTC 
Verified using automation from test_integration/test_service_permissions.py::TestServicePermissions::test_service_delegation using ipa-server-4.10.2-1.el9.x86_64 and krb5-server-1.20.1-8.el9.x86_64

Passed 	test_integration/test_service_permissions.py::TestServicePermissions::test_service_delegation

Complete test log is an attachment of this BZ. Marking as pre-verified: tested. Note: The automation currently tests only in-realm RBCD support
Comment 13 Michal Polovka 2023-06-22 09:03:16 UTC 
Verified using automation from test_integration/test_service_permissions.py::TestServicePermissions::test_service_delegation with ipa-server-4.10.2-1.el9.x86_64 and krb5-server-1.20.1-9.el9_2.x86_64

Passed 	test_integration/test_service_permissions.py::TestServicePermissions::test_service_delegation

Full test log is an attachment of this BZ. Marking as verified.
Comment 20 errata-xmlrpc 2023-11-07 08:34:04 UTC 
Since the problem described in this bug report should be
resolved in a recent advisory, it has been closed with a
resolution of ERRATA.

For information on the advisory (ipa bug fix and enhancement update), and where to find the updated
files, follow the link below.

If the solution does not work for you, open a new bug report.

https://access.redhat.com/errata/RHBA-2023:6477