rpms/ipa
7
0
Fork 0
Code Issues Pull Requests Releases Activity

Add OTP patches and patch to fix 389-ds ccache

Browse Source 
The OTP patches add basic support for TOTP and Radius.

The 389-ds patch sets KRB5CCNAME in /etc/sysconfig/dirsrv so it can
get a usable ccache.
This commit is contained in:
Rob Crittenden 2013-05-14 14:18:15 -04:00
parent 5e12d2ddce
commit 12216fc83f
8 changed files with 9930 additions and 1 deletions
Show Stats Download Patch File Download Diff File Expand all files Collapse all files

49
0001-Add-ipaUserAuthType-and-ipaUserAuthTypeClass.patch Normal file
View File

@ -0,0 +1,49 @@
From f807909bc12041af67b0051d4085b0ee1bee56d7 Mon Sep 17 00:00:00 2001
From: Nathaniel McCallum <npmccallum@redhat.com>
Date: Thu, 11 Apr 2013 12:30:23 -0400
Subject: [PATCH 1/6] Add ipaUserAuthType and ipaUserAuthTypeClass
This schema addition will be useful for future commits. It allows us to
define permitted external authentication methods on both the user and
global config. The implementation is generic, but the immediate usage
is for otp support.
https://fedorahosted.org/freeipa/ticket/3365
http://freeipa.org/page/V3/OTP
---
install/share/60basev3.ldif | 2 ++
install/updates/10-60basev3.update | 4 ++++
2 files changed, 6 insertions(+)
diff --git a/install/share/60basev3.ldif b/install/share/60basev3.ldif
index 43da2e7..435948f 100644
--- a/install/share/60basev3.ldif
+++ b/install/share/60basev3.ldif
@@ -36,6 +36,7 @@ attributeTypes: (2.16.840.1.113730.3.8.11.36 NAME 'ipaSecondaryBaseRID' DESC 'Fi
# 2.16.840.1.113730.3.8.11.37 ipaKrbAuthzData
attributeTypes: (2.16.840.1.113730.3.8.11.38 NAME 'ipaNTSIDBlacklistIncoming' DESC 'Extra SIDs filtered out from incoming MS-PAC' EQUALITY caseIgnoreIA5Match SUBSTR caseIgnoreIA5SubstringsMatch SYNTAX 1.3.6.1.4.1.1466.115.121.1.26 X-ORIGIN 'IPA v3')
attributeTypes: (2.16.840.1.113730.3.8.11.39 NAME 'ipaNTSIDBlacklistOutgoing' DESC 'Extra SIDs filtered out from outgoing MS-PAC' EQUALITY caseIgnoreIA5Match SUBSTR caseIgnoreIA5SubstringsMatch SYNTAX 1.3.6.1.4.1.1466.115.121.1.26 X-ORIGIN 'IPA v3')
+attributeTypes: (2.16.840.1.113730.3.8.11.40 NAME 'ipaUserAuthType' DESC 'Allowed authentication methods' EQUALITY caseIgnoreMatch SYNTAX 1.3.6.1.4.1.1466.115.121.1.15 X-ORIGIN 'IPA v3')
objectClasses: (2.16.840.1.113730.3.8.12.1 NAME 'ipaExternalGroup' SUP top STRUCTURAL MUST ( cn ) MAY ( ipaExternalMember $ memberOf $ description $ owner) X-ORIGIN 'IPA v3' )
objectClasses: (2.16.840.1.113730.3.8.12.2 NAME 'ipaNTUserAttrs' SUP top AUXILIARY MUST ( ipaNTSecurityIdentifier ) MAY ( ipaNTHash $ ipaNTLogonScript $ ipaNTProfilePath $ ipaNTHomeDirectory $ ipaNTHomeDirectoryDrive ) X-ORIGIN 'IPA v3' )
objectClasses: (2.16.840.1.113730.3.8.12.3 NAME 'ipaNTGroupAttrs' SUP top AUXILIARY MUST ( ipaNTSecurityIdentifier ) X-ORIGIN 'IPA v3' )
@@ -51,3 +52,4 @@ objectClasses: (2.16.840.1.113730.3.8.12.14 NAME 'ipaIDobject' SUP top AUXILIARY
objectClasses: (2.16.840.1.113730.3.8.12.15 NAME 'ipaIDrange' ABSTRACT MUST ( cn $ ipaBaseID $ ipaIDRangeSize ) X-ORIGIN 'IPA v3' )
objectClasses: (2.16.840.1.113730.3.8.12.16 NAME 'ipaDomainIDRange' SUP ipaIDrange STRUCTURAL MAY ( ipaBaseRID $ ipaSecondaryBaseRID ) X-ORIGIN 'IPA v3' )
objectClasses: (2.16.840.1.113730.3.8.12.17 NAME 'ipaTrustedADDomainRange' SUP ipaIDrange STRUCTURAL MUST ( ipaBaseRID $ ipaNTTrustedDomainSID ) X-ORIGIN 'IPA v3' )
+objectclasses: (2.16.840.1.113730.3.8.12.19 NAME 'ipaUserAuthTypeClass' SUP top AUXILIARY DESC 'Class for authentication methods definition' MAY ipaUserAuthType X-ORIGIN 'IPA v3')
diff --git a/install/updates/10-60basev3.update b/install/updates/10-60basev3.update
index 62dd472..476fa3b 100644
--- a/install/updates/10-60basev3.update
+++ b/install/updates/10-60basev3.update
@@ -16,3 +16,7 @@ replace:objectClasses: (2.16.840.1.113730.3.8.4.1 NAME 'ipaHost' AUXILIARY MUST
# Fix dc syntax (RFC 2247)
replace:attributeTypes:"( 0.9.2342.19200300.100.1.25 NAME ( 'dc' 'domaincomponent' ) DESC 'Standard LDAP attribute type' EQUALITY caseIgnoreIA5Match SUBSTR caseIgnoreIA5SubstringsMatch SYNTAX 1.3.6.1.4.1.1466.115.121.1.15 SINGLE-VALUE X-ORIGIN 'RFC 2247' )::( 0.9.2342.19200300.100.1.25 NAME ( 'dc' 'domaincomponent' ) DESC 'Standard LDAP attribute type' EQUALITY caseIgnoreIA5Match SUBSTR caseIgnoreIA5SubstringsMatch SYNTAX 1.3.6.1.4.1.1466.115.121.1.26 SINGLE-VALUE X-ORIGIN 'RFC 2247' )"
+
+# Add ipaUserAuthType and ipaUserAuthTypeClass
+add:attributeTypes: (2.16.840.1.113730.3.8.11.40 NAME 'ipaUserAuthType' DESC 'Allowed authentication methods' EQUALITY caseIgnoreMatch SYNTAX 1.3.6.1.4.1.1466.115.121.1.15 X-ORIGIN 'IPA v3')
+add:objectclasses: (2.16.840.1.113730.3.8.12.19 NAME 'ipaUserAuthTypeClass' SUP top AUXILIARY DESC 'Class for authentication methods definition' MAY ipaUserAuthType X-ORIGIN 'IPA v3')
--
1.8.2.1

288
0002-Add-IPA-OTP-schema-and-ACLs.patch Normal file
View File

@ -0,0 +1,288 @@
From edca6946f81e01ddc5f3d5a8389560a704f11d7b Mon Sep 17 00:00:00 2001
From: Nathaniel McCallum <npmccallum@redhat.com>
Date: Thu, 11 Apr 2013 13:24:46 -0400
Subject: [PATCH 2/6] Add IPA OTP schema and ACLs
This commit adds schema support for two factor authentication via
OTP devices, including RADIUS or TOTP. This schema will be used
by future patches which will enable two factor authentication
directly.
https://fedorahosted.org/freeipa/ticket/3365
http://freeipa.org/page/V3/OTP
---
install/share/70ipaotp.ldif | 28 +++++++++++++++++++++++
install/share/Makefile.am | 1 +
install/share/copy-schema-to-ca.py | 1 +
install/share/default-aci.ldif | 10 +++++++-
install/updates/10-70ipaotp.update | 25 ++++++++++++++++++++
install/updates/40-otp.update | 9 ++++++++
install/updates/Makefile.am | 4 +++-
ipalib/constants.py | 1 +
ipaserver/install/dsinstance.py | 3 ++-
ipaserver/install/plugins/update_anonymous_aci.py | 25 ++++++++++++++------
10 files changed, 97 insertions(+), 10 deletions(-)
create mode 100644 install/share/70ipaotp.ldif
create mode 100644 install/updates/10-70ipaotp.update
create mode 100644 install/updates/40-otp.update
diff --git a/install/share/70ipaotp.ldif b/install/share/70ipaotp.ldif
new file mode 100644
index 0000000..3cfe872
--- /dev/null
+++ b/install/share/70ipaotp.ldif
@@ -0,0 +1,28 @@
+# IPA OTP schema
+# BaseOID: 2.16.840.1.113730.3.8.16
+# See RFC 4517 for Syntax OID definitions
+dn: cn=schema
+attributeTypes: (2.16.840.1.113730.3.8.16.1.1 NAME 'ipatokenUniqueID' DESC 'Token Unique Identifier' EQUALITY caseIgnoreMatch SYNTAX 1.3.6.1.4.1.1466.115.121.1.15 SINGLE-VALUE X-ORIGIN 'IPA OTP')
+attributeTypes: (2.16.840.1.113730.3.8.16.1.2 NAME 'ipatokenDisabled' DESC 'Optionally marks token as Disabled' EQUALITY booleanMatch SYNTAX 1.3.6.1.4.1.1466.115.121.1.7 SINGLE-VALUE X-ORIGIN 'IPA OTP')
+attributeTypes: (2.16.840.1.113730.3.8.16.1.3 NAME 'ipatokenNotBefore' DESC 'Token validity date' EQUALITY generalizedTimeMatch SYNTAX 1.3.6.1.4.1.1466.115.121.1.24 SINGLE-VALUE X-ORIGIN 'IPA OTP')
+attributeTypes: (2.16.840.1.113730.3.8.16.1.4 NAME 'ipatokenNotAfter' DESC 'Token expiration date' EQUALITY generalizedTimeMatch SYNTAX 1.3.6.1.4.1.1466.115.121.1.24 SINGLE-VALUE X-ORIGIN 'IPA OTP')
+attributeTypes: (2.16.840.1.113730.3.8.16.1.5 NAME 'ipatokenVendor' DESC 'Optional Vendor identifier' EQUALITY caseIgnoreMatch SUBSTR caseIgnoreSubstringsMatch SYNTAX 1.3.6.1.4.1.1466.115.121.1.15 SINGLE-VALUE X-ORIGIN 'IPA OTP')
+attributeTypes: (2.16.840.1.113730.3.8.16.1.6 NAME 'ipatokenModel' DESC 'Optional Model identifier' EQUALITY caseIgnoreMatch SUBSTR caseIgnoreSubstringsMatch SYNTAX 1.3.6.1.4.1.1466.115.121.1.15 SINGLE-VALUE X-ORIGIN 'IPA OTP')
+attributeTypes: (2.16.840.1.113730.3.8.16.1.7 NAME 'ipatokenSerial' DESC 'OTP Token Serial number' EQUALITY caseIgnoreMatch SYNTAX 1.3.6.1.4.1.1466.115.121.1.15 SINGLE-VALUE X-ORIGIN 'IPA OTP')
+attributeTypes: (2.16.840.1.113730.3.8.16.1.8 NAME 'ipatokenOTPkey' DESC 'OTP Token Key' EQUALITY octetStringMatch SYNTAX 1.3.6.1.4.1.1466.115.121.1.40 SINGLE-VALUE X-ORIGIN 'IPA OTP')
+attributeTypes: (2.16.840.1.113730.3.8.16.1.9 NAME 'ipatokenOTPalgorithm' DESC 'OTP Token Algorithm' EQUALITY caseIgnoreMatch SYNTAX 1.3.6.1.4.1.1466.115.121.1.15 SINGLE-VALUE X-ORIGIN 'IPA OTP')
+attributeTypes: (2.16.840.1.113730.3.8.16.1.10 NAME 'ipatokenOTPdigits' DESC 'OTP Token Number of digits' EQUALITY integerMatch SYNTAX 1.3.6.1.4.1.1466.115.121.1.27 SINGLE-VALUE X-ORIGIN 'IPA OTP')
+attributeTypes: (2.16.840.1.113730.3.8.16.1.11 NAME 'ipatokenTOTPclockOffset' DESC 'TOTP clock offset' EQUALITY integerMatch SYNTAX 1.3.6.1.4.1.1466.115.121.1.27 SINGLE-VALUE X-ORIGIN 'IPA OTP')
+attributeTypes: (2.16.840.1.113730.3.8.16.1.12 NAME 'ipatokenTOTPtimeStep' DESC 'TOTP time-step' EQUALITY integerMatch SYNTAX 1.3.6.1.4.1.1466.115.121.1.27 SINGLE-VALUE X-ORIGIN 'IPA OTP')
+attributeTypes: (2.16.840.1.113730.3.8.16.1.13 NAME 'ipatokenOwner' DESC 'User entry that owns this token' SUP distinguishedName SINGLE-VALUE X-ORIGIN 'IPA OTP')
+attributeTypes: (2.16.840.1.113730.3.8.16.1.14 NAME 'ipatokenRadiusUserName' DESC 'Corresponding Radius username' EQUALITY caseIgnoreMatch SYNTAX 1.3.6.1.4.1.1466.115.121.1.15 SINGLE-VALUE X-ORIGIN 'IPA OTP')
+attributeTypes: (2.16.840.1.113730.3.8.16.1.15 NAME 'ipatokenRadiusConfigLink' DESC 'Corresponding Radius Configuration link' SUP distinguishedName SINGLE-VALUE X-ORIGIN 'IPA OTP')
+attributeTypes: (2.16.840.1.113730.3.8.16.1.16 NAME 'ipatokenRadiusServer' DESC 'Server String Configuration' EQUALITY caseIgnoreIA5Match SYNTAX 1.3.6.1.4.1.1466.115.121.1.26 X-ORIGIN 'IPA OTP')
+attributeTypes: (2.16.840.1.113730.3.8.16.1.17 NAME 'ipatokenRadiusSecret' DESC 'Server's Secret' EQUALITY octetStringMatch SYNTAX 1.3.6.1.4.1.1466.115.121.1.40 SINGLE-VALUE X-ORIGIN 'IPA OTP')
+attributeTypes: (2.16.840.1.113730.3.8.16.1.18 NAME 'ipatokenRadiusTimeout' DESC 'Server Timeout' EQUALITY integerMatch SYNTAX 1.3.6.1.4.1.1466.115.121.1.27 SINGLE-VALUE X-ORIGIN 'IPA OTP')
+attributeTypes: (2.16.840.1.113730.3.8.16.1.19 NAME 'ipatokenRadiusRetries' DESC 'Number of allowed Retries' EQUALITY integerMatch SYNTAX 1.3.6.1.4.1.1466.115.121.1.27 SINGLE-VALUE X-ORIGIN 'IPA OTP')
+attributeTypes: (2.16.840.1.113730.3.8.16.1.20 NAME 'ipatokenUserMapAttribute' DESC 'Attribute to map from the user entry for RADIUS server authentication' EQUALITY caseIgnoreMatch SYNTAX 1.3.6.1.4.1.1466.115.121.1.15 SINGLE-VALUE X-ORIGIN 'IPA OTP')
+objectClasses: (2.16.840.1.113730.3.8.16.2.1 NAME 'ipaToken' SUP top ABSTRACT DESC 'Abstract token class for tokens' MUST (ipatokenUniqueID) MAY (description $ ipatokenOwner $ ipatokenDisabled $ ipatokenNotBefore $ ipatokenNotAfter $ ipatokenVendor $ ipatokenModel $ ipatokenSerial) X-ORIGIN 'IPA OTP')
+objectClasses: (2.16.840.1.113730.3.8.16.2.2 NAME 'ipatokenTOTP' SUP ipaToken STRUCTURAL DESC 'TOTP Token Type' MAY (ipatokenOTPkey $ ipatokenOTPalgorithm $ ipatokenOTPdigits $ ipatokenTOTPclockOffset $ ipatokenTOTPtimeStep) X-ORIGIN 'IPA OTP')
+objectClasses: (2.16.840.1.113730.3.8.16.2.3 NAME 'ipatokenRadiusProxyUser' SUP top AUXILIARY DESC 'Radius Proxy User' MUST (ipatokenRadiusConfigLink) MAY (ipatokenRadiusUserName) X-ORIGIN 'IPA OTP')
+objectClasses: (2.16.840.1.113730.3.8.16.2.4 NAME 'ipatokenRadiusConfiguration' SUP top STRUCTURAL DESC 'Proxy Radius Configuration' MUST (cn $ ipatokenRadiusServer $ ipatokenRadiusSecret) MAY (description $ ipatokenRadiusTimeout $ ipatokenRadiusRetries $ ipatokenUserMapAttribute) X-ORIGIN 'IPA OTP')
diff --git a/install/share/Makefile.am b/install/share/Makefile.am
index f8f9b74..8823723 100644
--- a/install/share/Makefile.am
+++ b/install/share/Makefile.am
@@ -11,6 +11,7 @@ app_DATA = \
60ipadns.ldif \
61kerberos-ipav3.ldif \
65ipasudo.ldif \
+ 70ipaotp.ldif \
anonymous-vlv.ldif \
bootstrap-template.ldif \
caJarSigningCert.cfg.template \
diff --git a/install/share/copy-schema-to-ca.py b/install/share/copy-schema-to-ca.py
index 4e2054e..1888f12 100755
--- a/install/share/copy-schema-to-ca.py
+++ b/install/share/copy-schema-to-ca.py
@@ -31,6 +31,7 @@ SCHEMA_FILENAMES = (
"60ipadns.ldif",
"61kerberos-ipav3.ldif",
"65ipasudo.ldif",
+ "70ipaotp.ldif",
"05rfc2247.ldif",
)
diff --git a/install/share/default-aci.ldif b/install/share/default-aci.ldif
index f173f79..18881ec 100644
--- a/install/share/default-aci.ldif
+++ b/install/share/default-aci.ldif
@@ -3,7 +3,7 @@
dn: $SUFFIX
changetype: modify
add: aci
-aci: (target != "ldap:///idnsname=*,cn=dns,$SUFFIX")(targetattr != "userPassword || krbPrincipalKey || sambaLMPassword || sambaNTPassword || passwordHistory || krbMKey || userPKCS12 || ipaNTHash || ipaNTTrustAuthOutgoing || ipaNTTrustAuthIncoming")(version 3.0; acl "Enable Anonymous access"; allow (read, search, compare) userdn = "ldap:///anyone";)
+aci: (targetfilter = "(&(!(objectClass=ipaToken))(!(objectClass=ipatokenTOTP))(!(objectClass=ipatokenRadiusProxyUser))(!(objectClass=ipatokenRadiusConfiguration)))")(target != "ldap:///idnsname=*,cn=dns,$SUFFIX")(targetattr != "userPassword || krbPrincipalKey || sambaLMPassword || sambaNTPassword || passwordHistory || krbMKey || userPKCS12 || ipaNTHash || ipaNTTrustAuthOutgoing || ipaNTTrustAuthIncoming")(version 3.0; acl "Enable Anonymous access"; allow (read, search, compare) userdn = "ldap:///anyone";)
aci: (targetattr = "memberOf || memberHost || memberUser")(version 3.0; acl "No anonymous access to member information"; deny (read,search,compare) userdn != "ldap:///all";)
aci: (targetattr != "userPassword || krbPrincipalKey || sambaLMPassword || sambaNTPassword || passwordHistory || krbMKey || krbPrincipalName || krbCanonicalName || krbUPEnabled || krbTicketPolicyReference || krbPrincipalExpiration || krbPasswordExpiration || krbPwdPolicyReference || krbPrincipalType || krbPwdHistory || krbLastPwdChange || krbPrincipalAliases || krbExtraData || krbLastSuccessfulAuth || krbLastFailedAuth || krbLoginFailedCount || ipaUniqueId || memberOf || serverHostName || enrolledBy || ipaNTHash")(version 3.0; acl "Admin can manage any entry"; allow (all) groupdn = "ldap:///cn=admins,cn=groups,cn=accounts,$SUFFIX";)
aci: (targetattr = "userpassword || krbprincipalkey || sambalmpassword || sambantpassword")(version 3.0; acl "selfservice:Self can write own password"; allow (write) userdn="ldap:///self";)
@@ -96,3 +96,11 @@ dn: cn=ipa,cn=etc,$SUFFIX
changetype: modify
add: aci
aci: (target="ldap:///cn=*,cn=ca_renewal,cn=ipa,cn=etc,$SUFFIX")(targetattr="userCertificate")(version 3.0; acl "Modify CA Certificates for renewals"; allow(write) userdn = "ldap:///fqdn=$FQDN,cn=computers,cn=accounts,$SUFFIX";)
+
+# Let users manage their own tokens
+dn: $SUFFIX
+changetype: modify
+add: aci
+aci: (targetfilter = "(objectClass=ipaToken)")(targetattrs = "objectclass || ipatokenUniqueID || description || ipatokenOwner || ipatokenNotBefore || ipatokenNotAfter || ipatokenVendor || ipatokenModel || ipatokenSerial")(version 3.0; acl "Users can read basic token info"; allow (read, search, compare) userattr = "ipatokenOwner#USERDN";)
+aci: (targetfilter = "(objectClass=ipaToken)")(targetattrs = "ipatokenUniqueID || description || ipatokenOwner || ipatokenNotBefore || ipatokenNotAfter || ipatokenVendor || ipatokenModel || ipatokenSerial")(version 3.0; acl "Users can write basic token info"; allow (write) userattr = "ipatokenOwner#USERDN";)
+aci: (targetfilter = "(objectClass=ipatokenTOTP)")(targetattrs = "ipatokenOTPkey || ipatokenOTPalgorithm || ipatokenOTPdigits || ipatokenTOTPclockOffset || ipatokenTOTPtimeStep")(version 3.0; acl "Users can add TOTP token secrets"; allow (write, search) userattr = "ipatokenOwner#USERDN";)
diff --git a/install/updates/10-70ipaotp.update b/install/updates/10-70ipaotp.update
new file mode 100644
index 0000000..600ef9c
--- /dev/null
+++ b/install/updates/10-70ipaotp.update
@@ -0,0 +1,25 @@
+dn: cn=schema
+add:attributeTypes: (2.16.840.1.113730.3.8.16.1.1 NAME 'ipatokenUniqueID' DESC 'Token Unique Identifier' EQUALITY caseIgnoreMatch SYNTAX 1.3.6.1.4.1.1466.115.121.1.15 SINGLE-VALUE X-ORIGIN 'IPA OTP')
+add:attributeTypes: (2.16.840.1.113730.3.8.16.1.2 NAME 'ipatokenDisabled' DESC 'Optionally marks token as Disabled' EQUALITY booleanMatch SYNTAX 1.3.6.1.4.1.1466.115.121.1.7 SINGLE-VALUE X-ORIGIN 'IPA OTP')
+add:attributeTypes: (2.16.840.1.113730.3.8.16.1.3 NAME 'ipatokenNotBefore' DESC 'Token validity date' EQUALITY generalizedTimeMatch SYNTAX 1.3.6.1.4.1.1466.115.121.1.24 SINGLE-VALUE X-ORIGIN 'IPA OTP')
+add:attributeTypes: (2.16.840.1.113730.3.8.16.1.4 NAME 'ipatokenNotAfter' DESC 'Token expiration date' EQUALITY generalizedTimeMatch SYNTAX 1.3.6.1.4.1.1466.115.121.1.24 SINGLE-VALUE X-ORIGIN 'IPA OTP')
+add:attributeTypes: (2.16.840.1.113730.3.8.16.1.5 NAME 'ipatokenVendor' DESC 'Optional Vendor identifier' EQUALITY caseIgnoreMatch SUBSTR caseIgnoreSubstringsMatch SYNTAX 1.3.6.1.4.1.1466.115.121.1.15 SINGLE-VALUE X-ORIGIN 'IPA OTP')
+add:attributeTypes: (2.16.840.1.113730.3.8.16.1.6 NAME 'ipatokenModel' DESC 'Optional Model identifier' EQUALITY caseIgnoreMatch SUBSTR caseIgnoreSubstringsMatch SYNTAX 1.3.6.1.4.1.1466.115.121.1.15 SINGLE-VALUE X-ORIGIN 'IPA OTP')
+add:attributeTypes: (2.16.840.1.113730.3.8.16.1.7 NAME 'ipatokenSerial' DESC 'OTP Token Serial number' EQUALITY caseIgnoreMatch SYNTAX 1.3.6.1.4.1.1466.115.121.1.15 SINGLE-VALUE X-ORIGIN 'IPA OTP')
+add:attributeTypes: (2.16.840.1.113730.3.8.16.1.8 NAME 'ipatokenOTPkey' DESC 'OTP Token Key' EQUALITY octetStringMatch SYNTAX 1.3.6.1.4.1.1466.115.121.1.40 SINGLE-VALUE X-ORIGIN 'IPA OTP')
+add:attributeTypes: (2.16.840.1.113730.3.8.16.1.9 NAME 'ipatokenOTPalgorithm' DESC 'OTP Token Algorithm' EQUALITY caseIgnoreMatch SYNTAX 1.3.6.1.4.1.1466.115.121.1.15 SINGLE-VALUE X-ORIGIN 'IPA OTP')
+add:attributeTypes: (2.16.840.1.113730.3.8.16.1.10 NAME 'ipatokenOTPdigits' DESC 'OTP Token Number of digits' EQUALITY integerMatch SYNTAX 1.3.6.1.4.1.1466.115.121.1.27 SINGLE-VALUE X-ORIGIN 'IPA OTP')
+add:attributeTypes: (2.16.840.1.113730.3.8.16.1.11 NAME 'ipatokenTOTPclockOffset' DESC 'TOTP clock offset' EQUALITY integerMatch SYNTAX 1.3.6.1.4.1.1466.115.121.1.27 SINGLE-VALUE X-ORIGIN 'IPA OTP')
+add:attributeTypes: (2.16.840.1.113730.3.8.16.1.12 NAME 'ipatokenTOTPtimeStep' DESC 'TOTP time-step' EQUALITY integerMatch SYNTAX 1.3.6.1.4.1.1466.115.121.1.27 SINGLE-VALUE X-ORIGIN 'IPA OTP')
+add:attributeTypes: (2.16.840.1.113730.3.8.16.1.13 NAME 'ipatokenOwner' DESC 'User entry that owns this token' SUP distinguishedName SINGLE-VALUE X-ORIGIN 'IPA OTP')
+add:attributeTypes: (2.16.840.1.113730.3.8.16.1.14 NAME 'ipatokenRadiusUserName' DESC 'Corresponding Radius username' EQUALITY caseIgnoreMatch SYNTAX 1.3.6.1.4.1.1466.115.121.1.15 SINGLE-VALUE X-ORIGIN 'IPA OTP')
+add:attributeTypes: (2.16.840.1.113730.3.8.16.1.15 NAME 'ipatokenRadiusConfigLink' DESC 'Corresponding Radius Configuration link' SUP distinguishedName SINGLE-VALUE X-ORIGIN 'IPA OTP')
+add:attributeTypes: (2.16.840.1.113730.3.8.16.1.16 NAME 'ipatokenRadiusServer' DESC 'Server String Configuration' EQUALITY caseIgnoreIA5Match SYNTAX 1.3.6.1.4.1.1466.115.121.1.26 X-ORIGIN 'IPA OTP')
+add:attributeTypes: (2.16.840.1.113730.3.8.16.1.17 NAME 'ipatokenRadiusSecret' DESC 'Server's Secret' EQUALITY octetStringMatch SYNTAX 1.3.6.1.4.1.1466.115.121.1.40 SINGLE-VALUE X-ORIGIN 'IPA OTP')
+add:attributeTypes: (2.16.840.1.113730.3.8.16.1.18 NAME 'ipatokenRadiusTimeout' DESC 'Server Timeout' EQUALITY integerMatch SYNTAX 1.3.6.1.4.1.1466.115.121.1.27 SINGLE-VALUE X-ORIGIN 'IPA OTP')
+add:attributeTypes: (2.16.840.1.113730.3.8.16.1.19 NAME 'ipatokenRadiusRetries' DESC 'Number of allowed Retries' EQUALITY integerMatch SYNTAX 1.3.6.1.4.1.1466.115.121.1.27 SINGLE-VALUE X-ORIGIN 'IPA OTP')
+add:attributeTypes: (2.16.840.1.113730.3.8.16.1.20 NAME 'ipatokenUserMapAttribute' DESC 'Attribute to map from the user entry for RADIUS server authentication' EQUALITY caseIgnoreMatch SYNTAX 1.3.6.1.4.1.1466.115.121.1.15 SINGLE-VALUE X-ORIGIN 'IPA OTP')
+add:objectClasses: (2.16.840.1.113730.3.8.16.2.1 NAME 'ipaToken' SUP top ABSTRACT DESC 'Abstract token class for tokens' MUST (ipatokenUniqueID) MAY (description $$ ipatokenOwner $$ ipatokenDisabled $$ ipatokenNotBefore $$ ipatokenNotAfter $$ ipatokenVendor $$ ipatokenModel $$ ipatokenSerial) X-ORIGIN 'IPA OTP')
+add:objectClasses: (2.16.840.1.113730.3.8.16.2.2 NAME 'ipatokenTOTP' SUP ipaToken STRUCTURAL DESC 'TOTP Token Type' MAY (ipatokenOTPkey $$ ipatokenOTPalgorithm $$ ipatokenOTPdigits $$ ipatokenTOTPclockOffset $$ ipatokenTOTPtimeStep) X-ORIGIN 'IPA OTP')
+add:objectClasses: (2.16.840.1.113730.3.8.16.2.3 NAME 'ipatokenRadiusProxyUser' SUP top AUXILIARY DESC 'Radius Proxy User' MUST (ipatokenRadiusConfigLink) MAY (ipatokenRadiusUserName) X-ORIGIN 'IPA OTP')
+add:objectClasses: (2.16.840.1.113730.3.8.16.2.4 NAME 'ipatokenRadiusConfiguration' SUP top STRUCTURAL DESC 'Proxy Radius Configuration' MUST (cn $$ ipatokenRadiusServer $$ ipatokenRadiusSecret) MAY (description $$ ipatokenRadiusTimeout $$ ipatokenRadiusRetries $$ ipatokenUserMapAttribute) X-ORIGIN 'IPA OTP')
diff --git a/install/updates/40-otp.update b/install/updates/40-otp.update
new file mode 100644
index 0000000..ff36c87
--- /dev/null
+++ b/install/updates/40-otp.update
@@ -0,0 +1,9 @@
+dn: cn=otp,$SUFFIX
+default: objectClass: nsContainer
+default: objectClass: top
+default: cn: otp
+
+dn: $SUFFIX
+add: aci:'(targetfilter = "(objectClass=ipaToken)")(targetattrs = "objectclass || ipatokenUniqueID || description || ipatokenOwner || ipatokenNotBefore || ipatokenNotAfter || ipatokenVendor || ipatokenModel || ipatokenSerial")(version 3.0; acl "Users can read basic token info"; allow (read, search, compare) userattr = "ipatokenOwner#USERDN";)'
+add: aci:'(targetfilter = "(objectClass=ipaToken)")(targetattrs = "ipatokenUniqueID || description || ipatokenOwner || ipatokenNotBefore || ipatokenNotAfter || ipatokenVendor || ipatokenModel || ipatokenSerial")(version 3.0; acl "Users can write basic token info"; allow (write) userattr = "ipatokenOwner#USERDN";)'
+add: aci:'(targetfilter = "(objectClass=ipatokenTOTP)")(targetattrs = "ipatokenOTPkey || ipatokenOTPalgorithm || ipatokenOTPdigits || ipatokenTOTPclockOffset || ipatokenTOTPtimeStep")(version 3.0; acl "Users can add TOTP token secrets"; allow (write, search) userattr = "ipatokenOwner#USERDN";)'
diff --git a/install/updates/Makefile.am b/install/updates/Makefile.am
index ab3f411..787a51c 100644
--- a/install/updates/Makefile.am
+++ b/install/updates/Makefile.am
@@ -4,6 +4,7 @@ appdir = $(IPA_DATA_DIR)/updates
app_DATA = \
10-60basev2.update \
10-60basev3.update \
+ 10-70ipaotp.update \
10-RFC2307bis.update \
10-RFC4876.update \
10-config.update \
@@ -13,6 +14,7 @@ app_DATA = \
10-ssh.update \
10-bind-schema.update \
10-uniqueness.update \
+ 10-schema_compat.update \
19-managed-entries.update \
20-aci.update \
20-dna.update \
@@ -20,7 +22,6 @@ app_DATA = \
20-indices.update \
20-nss_ldap.update \
20-replication.update \
- 10-schema_compat.update \
20-user_private_groups.update \
20-winsync_index.update \
21-replicas_container.update \
@@ -32,6 +33,7 @@ app_DATA = \
40-replication.update \
40-dns.update \
40-automember.update \
+ 40-otp.update \
45-roles.update \
50-lockout-policy.update \
50-groupuuid.update \
diff --git a/ipalib/constants.py b/ipalib/constants.py
index ecb9255..de08457 100644
--- a/ipalib/constants.py
+++ b/ipalib/constants.py
@@ -109,6 +109,7 @@ DEFAULT_CONFIG = (
('container_dna', DN(('cn', 'dna'), ('cn', 'ipa'), ('cn', 'etc'))),
('container_dna_posix_ids', DN(('cn', 'posix-ids'), ('cn', 'dna'), ('cn', 'ipa'), ('cn', 'etc'))),
('container_realm_domains', DN(('cn', 'Realm Domains'), ('cn', 'ipa'), ('cn', 'etc'))),
+ ('container_otp', DN(('cn', 'otp'))),
# Ports, hosts, and URIs:
# FIXME: let's renamed xmlrpc_uri to rpc_xml_uri
diff --git a/ipaserver/install/dsinstance.py b/ipaserver/install/dsinstance.py
index e6bb054..7c809ec 100644
--- a/ipaserver/install/dsinstance.py
+++ b/ipaserver/install/dsinstance.py
@@ -409,7 +409,8 @@ class DsInstance(service.Service):
"60basev3.ldif",
"60ipadns.ldif",
"61kerberos-ipav3.ldif",
- "65ipasudo.ldif"):
+ "65ipasudo.ldif",
+ "70ipaotp.ldif"):
target_fname = schema_dirname(self.serverid) + schema_fname
shutil.copyfile(ipautil.SHARE_DIR + schema_fname, target_fname)
os.chmod(target_fname, 0440) # read access for dirsrv user/group
diff --git a/ipaserver/install/plugins/update_anonymous_aci.py b/ipaserver/install/plugins/update_anonymous_aci.py
index 2b7446a..1e75113 100644
--- a/ipaserver/install/plugins/update_anonymous_aci.py
+++ b/ipaserver/install/plugins/update_anonymous_aci.py
@@ -20,8 +20,6 @@
from copy import deepcopy
from ipaserver.install.plugins import FIRST, LAST
from ipaserver.install.plugins.baseupdate import PostUpdate
-#from ipalib.frontend import Updater
-#from ipaserver.install.plugins import baseupdate
from ipalib import api
from ipalib.aci import ACI
from ipalib.plugins import aci
@@ -37,6 +35,8 @@ class update_anonymous_aci(PostUpdate):
aciname = u'Enable Anonymous access'
aciprefix = u'none'
ldap = self.obj.backend
+ targetfilter = '(&(!(objectClass=ipaToken))(!(objectClass=ipatokenTOTP))(!(objectClass=ipatokenRadiusProxyUser))(!(objectClass=ipatokenRadiusConfiguration)))'
+ filter = None
(dn, entry_attrs) = ldap.get_entry(api.env.basedn, ['aci'])
@@ -45,6 +45,9 @@ class update_anonymous_aci(PostUpdate):
rawaci = aci._find_aci_by_name(acilist, aciprefix, aciname)
attrs = rawaci.target['targetattr']['expression']
+ rawfilter = rawaci.target.get('targetfilter', None)
+ if rawfilter is not None:
+ filter = rawfilter['expression']
update_attrs = deepcopy(attrs)
@@ -54,12 +57,10 @@ class update_anonymous_aci(PostUpdate):
needed_attrs.append(attr)
update_attrs.extend(needed_attrs)
- if len(attrs) == len(update_attrs):
+ if (len(attrs) == len(update_attrs) and
+ filter == targetfilter):
root_logger.debug("Anonymous ACI already update-to-date")
return (False, False, [])
- else:
- root_logger.debug("New Anonymous ACI attributes needed: %s",
- needed_attrs)
for tmpaci in acistrs:
candidate = ACI(tmpaci)
@@ -67,7 +68,17 @@ class update_anonymous_aci(PostUpdate):
acistrs.remove(tmpaci)
break
- rawaci.target['targetattr']['expression'] = update_attrs
+ if len(attrs) != len(update_attrs):
+ root_logger.debug("New Anonymous ACI attributes needed: %s",
+ needed_attrs)
+
+ rawaci.target['targetattr']['expression'] = update_attrs
+
+ if filter != targetfilter:
+ root_logger.debug("New Anonymous ACI targetfilter needed.")
+
+ rawaci.set_target_filter(targetfilter)
+
acistrs.append(unicode(rawaci))
entry_attrs['aci'] = acistrs
--
1.8.2.1

187
0003-ipa-kdb-Add-OTP-support.patch Normal file
View File

@ -0,0 +1,187 @@
From 5b15278283d3be6d615c98963807facf34da31eb Mon Sep 17 00:00:00 2001
From: Nathaniel McCallum <npmccallum@redhat.com>
Date: Thu, 11 Apr 2013 13:50:42 -0400
Subject: [PATCH 3/6] ipa-kdb: Add OTP support
If OTP is enabled for a user, then:
1. Long-term keys are not provided to KDB
2. The user string 'otp' is defined to KDB
Since it is not secure to send radius configuration information
over krb5 user strings, we simply set the string to a known default
('[]') which enables the default configuration in the KDC.
https://fedorahosted.org/freeipa/ticket/3561
http://freeipa.org/page/V3/OTP
---
daemons/ipa-kdb/ipa_kdb.c | 38 +++++++++++++++++++++++++++++++++++-
daemons/ipa-kdb/ipa_kdb.h | 13 ++++++++++++
daemons/ipa-kdb/ipa_kdb_principals.c | 28 ++++++++++++++++++++++++++
3 files changed, 78 insertions(+), 1 deletion(-)
diff --git a/daemons/ipa-kdb/ipa_kdb.c b/daemons/ipa-kdb/ipa_kdb.c
index e5c718e..8464264 100644
--- a/daemons/ipa-kdb/ipa_kdb.c
+++ b/daemons/ipa-kdb/ipa_kdb.c
@@ -173,9 +173,42 @@ done:
return base;
}
+static const struct {
+ const char *name;
+ enum ipadb_user_auth flag;
+} userauth_table[] = {
+ { "disabled", IPADB_USER_AUTH_DISABLED },
+ { "password", IPADB_USER_AUTH_PASSWORD },
+ { "radius", IPADB_USER_AUTH_RADIUS },
+ { "otp", IPADB_USER_AUTH_OTP },
+ { }
+};
+
+void ipadb_get_user_auth(LDAP *lcontext, LDAPMessage *le,
+ enum ipadb_user_auth *userauth)
+{
+ struct berval **vals;
+ int i, j;
+
+ *userauth = IPADB_USER_AUTH_EMPTY;
+ vals = ldap_get_values_len(lcontext, le, IPA_USER_AUTH_TYPE);
+ if (!vals)
+ return;
+
+ for (i = 0; vals[i]; i++) {
+ for (j = 0; userauth_table[j].name; j++) {
+ if (strcasecmp(vals[i]->bv_val, userauth_table[j].name) == 0) {
+ *userauth |= userauth_table[j].flag;
+ break;
+ }
+ }
+ }
+}
+
int ipadb_get_global_configs(struct ipadb_context *ipactx)
{
- char *attrs[] = { "ipaConfigString", IPA_KRB_AUTHZ_DATA_ATTR, NULL };
+ char *attrs[] = { "ipaConfigString", IPA_KRB_AUTHZ_DATA_ATTR,
+ IPA_USER_AUTH_TYPE, NULL };
struct berval **vals = NULL;
LDAPMessage *res = NULL;
LDAPMessage *first;
@@ -203,6 +236,9 @@ int ipadb_get_global_configs(struct ipadb_context *ipactx)
goto done;
}
+ /* Check for permitted authentication types. */
+ ipadb_get_user_auth(ipactx->lcontext, res, &ipactx->user_auth);
+
vals = ldap_get_values_len(ipactx->lcontext, first,
"ipaConfigString");
if (!vals || !vals[0]) {
diff --git a/daemons/ipa-kdb/ipa_kdb.h b/daemons/ipa-kdb/ipa_kdb.h
index 9daaab8..54869d8 100644
--- a/daemons/ipa-kdb/ipa_kdb.h
+++ b/daemons/ipa-kdb/ipa_kdb.h
@@ -75,9 +75,18 @@
#define IPA_SETUP "ipa-setup-override-restrictions"
#define IPA_KRB_AUTHZ_DATA_ATTR "ipaKrbAuthzData"
+#define IPA_USER_AUTH_TYPE "ipaUserAuthType"
struct ipadb_mspac;
+enum ipadb_user_auth {
+ IPADB_USER_AUTH_EMPTY = 0,
+ IPADB_USER_AUTH_DISABLED = 1 << 0,
+ IPADB_USER_AUTH_PASSWORD = 1 << 1,
+ IPADB_USER_AUTH_RADIUS = 1 << 2,
+ IPADB_USER_AUTH_OTP = 1 << 3,
+};
+
struct ipadb_context {
char *uri;
char *base;
@@ -92,6 +101,7 @@ struct ipadb_context {
bool disable_last_success;
bool disable_lockout;
char **authz_data;
+ enum ipadb_user_auth user_auth;
};
#define IPA_E_DATA_MAGIC 0x0eda7a
@@ -259,3 +269,6 @@ void ipadb_audit_as_req(krb5_context kcontext,
krb5_timestamp authtime,
krb5_error_code error_code);
+/* AUTH METHODS */
+void ipadb_get_user_auth(LDAP *lcontext, LDAPMessage *le,
+ enum ipadb_user_auth *user_auth);
diff --git a/daemons/ipa-kdb/ipa_kdb_principals.c b/daemons/ipa-kdb/ipa_kdb_principals.c
index 11c155e..3566e1e 100644
--- a/daemons/ipa-kdb/ipa_kdb_principals.c
+++ b/daemons/ipa-kdb/ipa_kdb_principals.c
@@ -64,6 +64,7 @@ static char *std_principal_attrs[] = {
"nsaccountlock",
"passwordHistory",
IPA_KRB_AUTHZ_DATA_ATTR,
+ IPA_USER_AUTH_TYPE,
"objectClass",
NULL
@@ -228,6 +229,9 @@ static krb5_error_code ipadb_parse_ldap_entry(krb5_context kcontext,
krb5_db_entry **kentry,
uint32_t *polmask)
{
+ krb5_octet otp_string[] = {'o', 't', 'p', 0, '[', ']', 0 };
+ enum ipadb_user_auth user_ua = IPADB_USER_AUTH_EMPTY;
+ enum ipadb_user_auth *active_ua = &user_ua;
struct ipadb_context *ipactx;
LDAP *lcontext;
krb5_db_entry *entry;
@@ -262,6 +266,17 @@ static krb5_error_code ipadb_parse_ldap_entry(krb5_context kcontext,
entry->magic = KRB5_KDB_MAGIC_NUMBER;
entry->len = KRB5_KDB_V1_BASE_LENGTH;
+ /* Get the user's user_auth settings. */
+ ipadb_get_user_auth(ipactx->lcontext, lentry, &user_ua);
+
+ /* TODO: Should we confirm the existence of ipatokenRadiusConfigLink in
+ * the case of RADIUS? Existence of a token for OTP? */
+
+ /* Determine which user_auth policy is active: user or global. */
+ if ((ipactx->user_auth & IPADB_USER_AUTH_DISABLED)
+ || user_ua == IPADB_USER_AUTH_EMPTY)
+ active_ua = &ipactx->user_auth;
+
/* ignore mask for now */
ret = ipadb_ldap_attr_to_int(lcontext, lentry,
@@ -393,6 +408,13 @@ static krb5_error_code ipadb_parse_ldap_entry(krb5_context kcontext,
&res_key_data, &result, &mkvno);
switch (ret) {
case 0:
+ /* Only set a principal's key if password auth should be used. */
+ if ((*active_ua & ~IPADB_USER_AUTH_DISABLED) != IPADB_USER_AUTH_EMPTY
+ && !(*active_ua & IPADB_USER_AUTH_PASSWORD)) {
+ /* This is the same behavior as ENOENT below. */
+ break;
+ }
+
entry->key_data = res_key_data;
entry->n_key_data = result;
if (mkvno) {
@@ -515,6 +537,12 @@ static krb5_error_code ipadb_parse_ldap_entry(krb5_context kcontext,
ied->authz_data = authz_data_list;
}
+ /* If enabled, set the otp user string, enabling otp. */
+ if ((*active_ua & (IPADB_USER_AUTH_RADIUS | IPADB_USER_AUTH_OTP)) &&
+ !(*active_ua & IPADB_USER_AUTH_DISABLED)) {
+ ret = ipadb_set_tl_data(entry, KRB5_TL_STRING_ATTRS,
+ sizeof(otp_string), otp_string);
+ }
kerr = 0;
--
1.8.2.1

1998
0004-Add-the-krb5-FreeIPA-RADIUS-companion-daemon.patch Normal file
View File

File diff suppressed because it is too large Load Diff

5603
0005-Remove-unnecessary-prefixes-from-ipa-pwd-extop-files.patch Normal file
View File

File diff suppressed because it is too large Load Diff

1711
0006-Add-OTP-support-to-ipa-pwd-extop.patch Normal file
View File

File diff suppressed because it is too large Load Diff

76
freeipa-mkosek-407-set-krb5ccname-so-that-dirsrv-can-work-with-newer-kr.patch Normal file
View File

@ -0,0 +1,76 @@
From 1be93108c4c1506ea50879d645c47ab6843a6ee1 Mon Sep 17 00:00:00 2001
From: Martin Kosek <mkosek@redhat.com>
Date: Tue, 14 May 2013 18:36:50 +0200
Subject: [PATCH] Set KRB5CCNAME so that dirsrv can work with newer krb5-server
The DIR ccache format is now the default in krb5-server 1.11.2-4
but /run/user/<uid> isn't created for Apache by anything so it
has no ccache (and it doesn't have SELinux permissions to write here
either).
Use KRB5CCNAME to set a file path instead in /etc/sysconfig/dirsrv.
https://fedorahosted.org/freeipa/ticket/3628
---
install/tools/ipa-upgradeconfig | 1 +
ipaserver/install/dsinstance.py | 18 ++++++++++++++++++
2 files changed, 19 insertions(+)
diff --git a/install/tools/ipa-upgradeconfig b/install/tools/ipa-upgradeconfig
index 8fa9b189a2dc207e2d90ab32131e65fac0f1f9e0..8e9357f20fe7c9a88908def6a2e3b2104f07d73a 100644
--- a/install/tools/ipa-upgradeconfig
+++ b/install/tools/ipa-upgradeconfig
@@ -919,6 +919,7 @@ def main():
http.configure_httpd_ccache()
ds = dsinstance.DsInstance()
+ ds.configure_dirsrv_ccache()
fix_schema_file_syntax(ds)
diff --git a/ipaserver/install/dsinstance.py b/ipaserver/install/dsinstance.py
index e6bb054ddad4a0d91d76d4c79eb477913e8776aa..3b841417e717587675d3ac748ec02182b3e14672 100644
--- a/ipaserver/install/dsinstance.py
+++ b/ipaserver/install/dsinstance.py
@@ -26,6 +26,7 @@
import time
import tempfile
import base64
+import stat
from ipapython.ipa_log_manager import *
from ipapython import ipautil, sysrestore, dogtag, ipaldap
@@ -213,6 +214,7 @@ def __common_setup(self, enable_ssl=False):
self.step("configuring certmap.conf", self.__certmap_conf)
self.step("configure autobind for root", self.__root_autobind)
self.step("configure new location for managed entries", self.__repoint_managed_entries)
+ self.step("configure dirsrv ccache", self.configure_dirsrv_ccache)
self.step("restarting directory server", self.__restart_instance)
def __common_post_setup(self):
@@ -515,6 +517,22 @@ def __config_lockout_module(self):
def __repoint_managed_entries(self):
self._ldap_mod("repoint-managed-entries.ldif", self.sub_dict)
+ def configure_dirsrv_ccache(self):
+ pent = pwd.getpwnam("dirsrv")
+ ccache = '/tmp/krb5cc_%d' % pent.pw_uid
+ filepath = '/etc/sysconfig/dirsrv'
+ if not os.path.exists(filepath):
+ # file doesn't exist; create it with correct ownership & mode
+ open(filepath, 'a').close()
+ os.chmod(filepath,
+ stat.S_IRUSR | stat.S_IWUSR | stat.S_IRGRP | stat.S_IROTH)
+ os.chown(filepath, 0, 0)
+
+ replacevars = {'KRB5CCNAME': ccache}
+ old_values = ipautil.backup_config_and_replace_variables(
+ self.fstore, filepath, replacevars=replacevars)
+ ipaservices.restore_context(filepath)
+
def __managed_entries(self):
self._ldap_mod("managed-entries.ldif", self.sub_dict)
--
1.8.1.4

19
freeipa.spec
View File

@ -8,7 +8,7 @@
Name: freeipa
Version: 3.2.0
Release: 1%{?dist}
Release: 2%{?dist}
Summary: The Identity, Policy and Audit system
Group: System Environment/Base
@ -17,6 +17,14 @@ URL: http://www.freeipa.org/
Source0: http://www.freeipa.org/downloads/src/freeipa-%{VERSION}.tar.gz
BuildRoot: %{_tmppath}/%{name}-%{version}-%{release}-root-%(%{__id_u} -n)
Patch1: 0001-Add-ipaUserAuthType-and-ipaUserAuthTypeClass.patch
Patch2: 0002-Add-IPA-OTP-schema-and-ACLs.patch
Patch3: 0003-ipa-kdb-Add-OTP-support.patch
Patch4: 0004-Add-the-krb5-FreeIPA-RADIUS-companion-daemon.patch
Patch5: 0005-Remove-unnecessary-prefixes-from-ipa-pwd-extop-files.patch
Patch6: 0006-Add-OTP-support-to-ipa-pwd-extop.patch
Patch7: freeipa-mkosek-407-set-krb5ccname-so-that-dirsrv-can-work-with-newer-kr.patch
%if ! %{ONLY_CLIENT}
BuildRequires: 389-ds-base-devel >= 1.3.1.0
BuildRequires: svrcore-devel
@ -74,6 +82,8 @@ BuildRequires: m2crypto
BuildRequires: check
BuildRequires: libsss_idmap-devel
BuildRequires: java-1.7.0-openjdk
BuildRequires: libverto-devel
BuildRequires: systemd
# Find out Kerberos middle version to infer ABI changes in DAL driver
# We cannot load DAL driver into KDC with wrong ABI.
@ -689,6 +699,7 @@ fi
%{_sbindir}/ipa-upgradeconfig
%{_sbindir}/ipa-compliance
%{_libexecdir}/certmonger/dogtag-ipa-retrieve-agent-submit
%{_libexecdir}/ipa-otpd
%{_sysconfdir}/cron.d/ipa-compliance
%config(noreplace) %{_sysconfdir}/sysconfig/ipa_memcached
%dir %attr(0700,apache,apache) %{_localstatedir}/run/ipa_memcached/
@ -701,6 +712,8 @@ fi
%{_libexecdir}/freeipa-systemd-upgrade
# Fedora spec file only: END
# END
%attr(644,root,root) %{_unitdir}/ipa-otpd.socket
%attr(644,root,root) %{_unitdir}/ipa-otpd@.service
%dir %{python_sitelib}/ipaserver
%dir %{python_sitelib}/ipaserver/install
%dir %{python_sitelib}/ipaserver/install/plugins
@ -906,6 +919,10 @@ fi
%ghost %attr(0644,root,apache) %config(noreplace) %{_sysconfdir}/ipa/ca.crt
%changelog
* Tue May 14 2013 Rob Crittenden <rcritten@redhat.com> - 3.2.0-2
- Add OTP patches
- Add patch to set KRB5CCNAME for 389-ds-base
* Fri May 10 2013 Rob Crittenden <rcritten@redhat.com> - 3.2.0-1
- Update to upstream 3.2.0 GA
- ipa-client-install fails if /etc/ipa does not exist (#961483)