diff --git a/.gitignore b/.gitignore
index ceefbeb..bf966a3 100644
--- a/.gitignore
+++ b/.gitignore
@@ -1,2 +1,4 @@
 SOURCES/freeipa-4.9.11.tar.gz
 /freeipa-4.9.11.tar.gz
+/freeipa-4.9.12.tar.gz
+/freeipa-4.9.12.tar.gz.asc
diff --git a/0001-Only-calculate-LDAP-password-grace-when-the-password.patch b/0001-Only-calculate-LDAP-password-grace-when-the-password.patch
deleted file mode 100644
index 528c6c1..0000000
--- a/0001-Only-calculate-LDAP-password-grace-when-the-password.patch
+++ /dev/null
@@ -1,56 +0,0 @@ -From 22d1392a8a0d2887c389dcd78be06104cff88d30 Mon Sep 17 00:00:00 2001 -From: Rob Crittenden -Date: Wed, 29 Jun 2022 13:25:55 +0000 -Subject: [PATCH] Only calculate LDAP password grace when the password is - expired - -The user's pwd expiration was retrieved but inadvertently was never -compared to current time. So any LDAP bind, including from the -IPA API, counted against the grace period. There is no need to go -through the graceperiod code for non-expired passwords. - -https://pagure.io/freeipa/issue/1539 - -Signed-off-by: Rob Crittenden -Reviewed-By: Florence Blanc-Renaud ---- - .../ipa-graceperiod/ipa_graceperiod.c | 12 +++++++++--- - 1 file changed, 9 insertions(+), 3 deletions(-) - -diff --git a/daemons/ipa-slapi-plugins/ipa-graceperiod/ipa_graceperiod.c b/daemons/ipa-slapi-plugins/ipa-graceperiod/ipa_graceperiod.c -index 0860b5c20fc86687f80ee6f2426e23c87123130f..a3f57cb4bd7a2a66d70fae98cca0f62a8f0c017f 100644 ---- a/daemons/ipa-slapi-plugins/ipa-graceperiod/ipa_graceperiod.c -+++ b/daemons/ipa-slapi-plugins/ipa-graceperiod/ipa_graceperiod.c -@@ -359,7 +359,8 @@ static int ipagraceperiod_preop(Slapi_PBlock *pb) - Slapi_ValueSet *values = NULL; - long grace_limit = 0; - int grace_user_time; -- char *pwd_expiration = NULL; -+ char *tmpstr = NULL; -+ time_t pwd_expiration; - int pwresponse_requested = 0; - Slapi_PBlock *pbtm = NULL; - Slapi_Mods *smods = NULL; -@@ -414,12 +415,17 @@ static int ipagraceperiod_preop(Slapi_PBlock *pb) - } - slapi_value_free(&objectclass); - -- pwd_expiration = slapi_entry_attr_get_charptr(target_entry, "krbPasswordExpiration"); -- if (pwd_expiration == NULL) { -+ tmpstr = slapi_entry_attr_get_charptr(target_entry, "krbPasswordExpiration"); -+ if (tmpstr == NULL) { - /* No expiration means nothing to do */ - LOG_TRACE("No krbPasswordExpiration for %s, nothing to do\n", dn); - goto done; - } -+ pwd_expiration = ipapwd_gentime_to_time_t(tmpstr); -+ if (pwd_expiration > time(NULL)) { -+ /* Not expired, nothing to 
see here */ -+ goto done; -+ } - - ldrc = ipagraceperiod_getpolicy(target_entry, &policy_entry, - &values, &actual_type_name, --- -2.36.1 - diff --git a/0001-Revert-freeipa.spec-depend-on-bind-dnssec-utils.patch b/0001-Revert-freeipa.spec-depend-on-bind-dnssec-utils.patch deleted file mode 100644 index 943e986..0000000 --- a/0001-Revert-freeipa.spec-depend-on-bind-dnssec-utils.patch +++ /dev/null 
@@ -1,70 +0,0 @@ -From 0d44e959e5bbe822b51137a8e7cf48fa25533805 Mon Sep 17 00:00:00 2001 -From: Rafael Guterres Jeffman -Date: Fri, 10 Dec 2021 12:15:36 -0300 -Subject: [PATCH] Revert "freeipa.spec: depend on bind-dnssec-utils" - -This reverts commit f89d59b6e18b54967682f6a37ce92ae67ab3fcda. ---- - freeipa.spec.in | 4 +--- - ipaplatform/base/paths.py | 2 +- - ipaplatform/fedora/paths.py | 1 + - ipaserver/dnssec/bindmgr.py | 1 - - 4 files changed, 3 insertions(+), 5 deletions(-) - -diff --git a/freeipa.spec.in b/freeipa.spec.in -index 8f5c370e5..e20edb7bc 100755 ---- a/freeipa.spec.in -+++ b/freeipa.spec.in -@@ -576,11 +576,9 @@ Requires: %{name}-server = %{version}-%{release} - Requires: bind-dyndb-ldap >= 11.2-2 - Requires: bind >= %{bind_version} - Requires: bind-utils >= %{bind_version} --# bind-dnssec-utils is required by the OpenDNSSec integration --# https://pagure.io/freeipa/issue/9026 --Requires: bind-dnssec-utils >= %{bind_version} - %if %{with bind_pkcs11} - Requires: bind-pkcs11 >= %{bind_version} -+Requires: bind-pkcs11-utils >= %{bind_version} - %else - Requires: softhsm >= %{softhsm_version} - Requires: openssl-pkcs11 >= %{openssl_pkcs11_version} -diff --git a/ipaplatform/base/paths.py b/ipaplatform/base/paths.py -index 7d21367ec..42a47f1df 100644 ---- a/ipaplatform/base/paths.py -+++ b/ipaplatform/base/paths.py -@@ -259,7 +259,7 @@ class BasePathNamespace: - IPA_PKI_RETRIEVE_KEY = "/usr/libexec/ipa/ipa-pki-retrieve-key" - IPA_HTTPD_PASSWD_READER = "/usr/libexec/ipa/ipa-httpd-pwdreader" - IPA_PKI_WAIT_RUNNING = "/usr/libexec/ipa/ipa-pki-wait-running" -- DNSSEC_KEYFROMLABEL = "/usr/sbin/dnssec-keyfromlabel" -+ DNSSEC_KEYFROMLABEL = "/usr/sbin/dnssec-keyfromlabel-pkcs11" - GETSEBOOL = "/usr/sbin/getsebool" - GROUPADD = "/usr/sbin/groupadd" - USERMOD = "/usr/sbin/usermod" -diff --git a/ipaplatform/fedora/paths.py b/ipaplatform/fedora/paths.py -index 4e993c063..92a948966 100644 ---- a/ipaplatform/fedora/paths.py -+++ b/ipaplatform/fedora/paths.py -@@ 
-36,6 +36,7 @@ class FedoraPathNamespace(RedHatPathNamespace): - NAMED_CRYPTO_POLICY_FILE = "/etc/crypto-policies/back-ends/bind.config" - if HAS_NFS_CONF: - SYSCONFIG_NFS = '/etc/nfs.conf' -+ DNSSEC_KEYFROMLABEL = "/usr/sbin/dnssec-keyfromlabel" - - - paths = FedoraPathNamespace() -diff --git a/ipaserver/dnssec/bindmgr.py b/ipaserver/dnssec/bindmgr.py -index 0c79cc03d..a15c0e601 100644 ---- a/ipaserver/dnssec/bindmgr.py -+++ b/ipaserver/dnssec/bindmgr.py -@@ -127,7 +127,6 @@ class BINDMgr: - ) - cmd = [ - paths.DNSSEC_KEYFROMLABEL, -- '-E', 'pkcs11', - '-K', workdir, - '-a', attrs['idnsSecAlgorithm'][0], - '-l', uri --- -2.31.1 - diff --git a/0001-updates-fix-memberManager-ACI-to-allow-managers-from-a-specified-group_rhbz#2056009.patch b/0001-updates-fix-memberManager-ACI-to-allow-managers-from-a-specified-group_rhbz#2056009.patch deleted file mode 100644 index ecbb24f..0000000 --- a/0001-updates-fix-memberManager-ACI-to-allow-managers-from-a-specified-group_rhbz#2056009.patch +++ /dev/null 
@@ -1,41 +0,0 @@ -From 651e28c1fb6b86ad1fbd4ea98644e00b7042499c Mon Sep 17 00:00:00 2001 -From: Alexander Bokovoy -Date: Dec 02 2022 12:21:22 +0000 -Subject: updates: fix memberManager ACI to allow managers from a specified group - - -The original implementation of the member manager added support for both -user and group managers but left out upgrade scenario. This means when -upgrading existing installation a manager whose rights defined by the -group membership would not be able to add group members until the ACI is -fixed. - -Remove old ACI and add a full one during upgrade step. - -Fixes: https://pagure.io/freeipa/issue/9286 -Signed-off-by: Alexander Bokovoy -Reviewed-By: Florence Blanc-Renaud - ---- - -diff --git a/install/updates/20-aci.update b/install/updates/20-aci.update -index a168bb9..4a7ba13 100644 ---- a/install/updates/20-aci.update -+++ b/install/updates/20-aci.update -@@ -141,11 +141,13 @@ add:aci:(targetattr = "usercertificate")(version 3.0;acl "selfservice:Users can - - # Allow member managers to modify members of user groups - dn: cn=groups,cn=accounts,$SUFFIX --add:aci: (targetattr = "member")(targetfilter = "(objectclass=ipaUserGroup)")(version 3.0; acl "Allow member managers to modify members of user groups"; allow (write) userattr = "memberManager#USERDN";) -+remove:aci: (targetattr = "member")(targetfilter = "(objectclass=ipaUserGroup)")(version 3.0; acl "Allow member managers to modify members of user groups"; allow (write) userattr = "memberManager#USERDN";) -+add:aci: (targetattr = "member")(targetfilter = "(objectclass=ipaUserGroup)")(version 3.0; acl "Allow member managers to modify members of user groups"; allow (write) userattr = "memberManager#USERDN" or userattr = "memberManager#GROUPDN";) - - # Allow member managers to modify members of host groups - dn: cn=hostgroups,cn=accounts,$SUFFIX --add:aci: (targetattr = "member")(targetfilter = "(objectclass=ipaHostGroup)")(version 3.0; acl "Allow member managers to modify members of 
host groups"; allow (write) userattr = "memberManager#USERDN";) -+remove:aci: (targetattr = "member")(targetfilter = "(objectclass=ipaHostGroup)")(version 3.0; acl "Allow member managers to modify members of host groups"; allow (write) userattr = "memberManager#USERDN";) -+add:aci: (targetattr = "member")(targetfilter = "(objectclass=ipaHostGroup)")(version 3.0; acl "Allow member managers to modify members of host groups"; allow (write) userattr = "memberManager#USERDN" or userattr = "memberManager#GROUPDN";) - - # Hosts can add and delete their own services - dn: cn=services,cn=accounts,$SUFFIX - diff --git a/0001-user-or-group-name-explain-the-supported-format_rhbz#2150217.patch b/0001-user-or-group-name-explain-the-supported-format_rhbz#2150217.patch new file mode 100644 index 0000000..8bad0c6 --- /dev/null +++ b/0001-user-or-group-name-explain-the-supported-format_rhbz#2150217.patch 
@@ -0,0 +1,261 @@ +From f42a106e84c1fd609350da2540289ce945a7ecbd Mon Sep 17 00:00:00 2001 +From: Florence Blanc-Renaud +Date: Thu, 11 May 2023 10:53:58 +0200 +Subject: [PATCH] user or group name: explain the supported format + +The commands ipa user-add or ipa group-add validate the +format of the user/group name and display the following +message when it does not conform to the expectations: +invalid 'login': may only include letters, numbers, _, -, . and $ + +The format is more complex, for instance '1234567' is an invalid +user name but the failure is inconsistent with the error message. +Modify the error message to point to ipa help user/group and add +more details in the help message. + +Same change for idoverrideuser and idoverridegroup: +The user/group name must follow these rules: +- cannot contain only numbers +- must start with a letter, a number, _ or . +- may contain letters, numbers, _, ., or - +- may end with a letter, a number, _, ., - or $ + +Fixes: https://bugzilla.redhat.com/show_bug.cgi?id=2150217 + +Signed-off-by: Florence Blanc-Renaud +Reviewed-By: Rafael Guterres Jeffman +Reviewed-By: Alexander Bokovoy +Reviewed-By: Rob Crittenden +--- + ipalib/constants.py | 5 +++++ + ipaserver/plugins/baseuser.py | 2 +- + ipaserver/plugins/group.py | 10 ++++++++-- + ipaserver/plugins/idviews.py | 5 +++-- + ipaserver/plugins/stageuser.py | 6 ++++++ + ipaserver/plugins/user.py | 6 ++++++ + ipatests/test_xmlrpc/test_group_plugin.py | 5 +++-- + ipatests/test_xmlrpc/test_stageuser_plugin.py | 3 ++- + ipatests/test_xmlrpc/test_user_plugin.py | 7 ++++--- + 9 files changed, 38 insertions(+), 11 deletions(-) + +diff --git a/ipalib/constants.py b/ipalib/constants.py +index 4b759a573..104419bc2 100644 +--- a/ipalib/constants.py ++++ b/ipalib/constants.py +@@ -319,6 +319,11 @@ MAXHOSTFQDNLEN = 253 + PATTERN_GROUPUSER_NAME = ( + '(?!^[0-9]+$)^[a-zA-Z0-9_.][a-zA-Z0-9_.-]*[a-zA-Z0-9_.$-]?$' + ) ++ERRMSG_GROUPUSER_NAME = ( ++ 'may only include letters, numbers, _, -, . 
and $' ++ ', refer to \'ipa help {}\' for complete format ' ++ 'description' ++) + + # Kerberos Anonymous principal name + ANON_USER = 'WELLKNOWN/ANONYMOUS' +diff --git a/ipaserver/plugins/baseuser.py b/ipaserver/plugins/baseuser.py +index 684a65242..bae6c54ff 100644 +--- a/ipaserver/plugins/baseuser.py ++++ b/ipaserver/plugins/baseuser.py +@@ -211,7 +211,7 @@ class baseuser(LDAPObject): + takes_params = ( + Str('uid', + pattern=constants.PATTERN_GROUPUSER_NAME, +- pattern_errmsg='may only include letters, numbers, _, -, . and $', ++ pattern_errmsg=constants.ERRMSG_GROUPUSER_NAME.format('user'), + maxlength=255, + cli_name='login', + label=_('User login'), +diff --git a/ipaserver/plugins/group.py b/ipaserver/plugins/group.py +index afdad93c1..0333ed622 100644 +--- a/ipaserver/plugins/group.py ++++ b/ipaserver/plugins/group.py +@@ -24,7 +24,7 @@ import logging + + from ipalib import api + from ipalib import Int, Str, Flag +-from ipalib.constants import PATTERN_GROUPUSER_NAME ++from ipalib.constants import PATTERN_GROUPUSER_NAME, ERRMSG_GROUPUSER_NAME + from ipalib.plugable import Registry + from .baseldap import ( + add_external_post_callback, +@@ -70,6 +70,12 @@ converted to non-POSIX groups. + + Every group must have a description. + ++The group name must follow these rules: ++- cannot contain only numbers ++- must start with a letter, a number, _ or . ++- may contain letters, numbers, _, ., or - ++- may end with a letter, a number, _, ., - or $ ++ + POSIX groups must have a Group ID (GID) number. Changing a GID is + supported but can have an impact on your file permissions. It is not necessary + to supply a GID when creating a group. IPA will generate one automatically +@@ -330,7 +336,7 @@ class group(LDAPObject): + takes_params = ( + Str('cn', + pattern=PATTERN_GROUPUSER_NAME, +- pattern_errmsg='may only include letters, numbers, _, -, . 
and $', ++ pattern_errmsg=ERRMSG_GROUPUSER_NAME.format('group'), + maxlength=255, + cli_name='group_name', + label=_('Group name'), +diff --git a/ipaserver/plugins/idviews.py b/ipaserver/plugins/idviews.py +index 4f4b3a2f7..6a16884cf 100644 +--- a/ipaserver/plugins/idviews.py ++++ b/ipaserver/plugins/idviews.py +@@ -37,6 +37,7 @@ from ipalib.constants import ( + IPA_ANCHOR_PREFIX, + SID_ANCHOR_PREFIX, + PATTERN_GROUPUSER_NAME, ++ ERRMSG_GROUPUSER_NAME + ) + from ipalib.plugable import Registry + from ipalib.util import (normalize_sshpubkey, validate_sshpubkey, +@@ -1025,7 +1026,7 @@ class idoverrideuser(baseidoverride): + takes_params = baseidoverride.takes_params + ( + Str('uid?', + pattern=PATTERN_GROUPUSER_NAME, +- pattern_errmsg='may only include letters, numbers, _, -, . and $', ++ pattern_errmsg=ERRMSG_GROUPUSER_NAME.format('user'), + maxlength=255, + cli_name='login', + label=_('User login'), +@@ -1128,7 +1129,7 @@ class idoverridegroup(baseidoverride): + takes_params = baseidoverride.takes_params + ( + Str('cn?', + pattern=PATTERN_GROUPUSER_NAME, +- pattern_errmsg='may only include letters, numbers, _, -, . and $', ++ pattern_errmsg=ERRMSG_GROUPUSER_NAME.format('group'), + maxlength=255, + cli_name='group_name', + label=_('Group name'), +diff --git a/ipaserver/plugins/stageuser.py b/ipaserver/plugins/stageuser.py +index 760dff7ab..51438a83a 100644 +--- a/ipaserver/plugins/stageuser.py ++++ b/ipaserver/plugins/stageuser.py +@@ -94,6 +94,12 @@ usernames that start with a digit or usernames that exceed a certain length + may cause problems for some UNIX systems. + Use 'ipa config-mod' to change the username format allowed by IPA tools. + ++The user name must follow these rules: ++- cannot contain only numbers ++- must start with a letter, a number, _ or . 
++- may contain letters, numbers, _, ., or - ++- may end with a letter, a number, _, ., - or $ ++ + + EXAMPLES: + +diff --git a/ipaserver/plugins/user.py b/ipaserver/plugins/user.py +index fa8a67d3d..643b44f14 100644 +--- a/ipaserver/plugins/user.py ++++ b/ipaserver/plugins/user.py +@@ -88,6 +88,12 @@ usernames that start with a digit or usernames that exceed a certain length + may cause problems for some UNIX systems. + Use 'ipa config-mod' to change the username format allowed by IPA tools. + ++The user name must follow these rules: ++- cannot contain only numbers ++- must start with a letter, a number, _ or . ++- may contain letters, numbers, _, ., or - ++- may end with a letter, a number, _, ., - or $ ++ + Disabling a user account prevents that user from obtaining new Kerberos + credentials. It does not invalidate any credentials that have already + been issued. +diff --git a/ipatests/test_xmlrpc/test_group_plugin.py b/ipatests/test_xmlrpc/test_group_plugin.py +index f9a0e2cfe..27bc21fbc 100644 +--- a/ipatests/test_xmlrpc/test_group_plugin.py ++++ b/ipatests/test_xmlrpc/test_group_plugin.py +@@ -25,6 +25,7 @@ Test the `ipaserver/plugins/group.py` module. + import pytest + + from ipalib import errors ++from ipalib.constants import ERRMSG_GROUPUSER_NAME + from ipatests.test_xmlrpc import objectclasses + from ipatests.test_xmlrpc.xmlrpc_test import ( + fuzzy_digits, fuzzy_uuid, fuzzy_set_ci, +@@ -169,7 +170,7 @@ class TestGroup(XMLRPC_test): + ) + with raises_exact(errors.ValidationError( + name='group_name', +- error=u'may only include letters, numbers, _, -, . and $')): ++ error=ERRMSG_GROUPUSER_NAME.format('group'))): + command() + + def test_create_with_name_starting_with_numeric(self): +@@ -188,7 +189,7 @@ class TestGroup(XMLRPC_test): + ) + with raises_exact(errors.ValidationError( + name='group_name', +- error=u'may only include letters, numbers, _, -, . 
and $', ++ error=ERRMSG_GROUPUSER_NAME.format('group'), + )): + testgroup.create() + +diff --git a/ipatests/test_xmlrpc/test_stageuser_plugin.py b/ipatests/test_xmlrpc/test_stageuser_plugin.py +index fd146876c..bd877aa94 100644 +--- a/ipatests/test_xmlrpc/test_stageuser_plugin.py ++++ b/ipatests/test_xmlrpc/test_stageuser_plugin.py +@@ -12,6 +12,7 @@ import six + + from collections import OrderedDict + from ipalib import api, errors ++from ipalib.constants import ERRMSG_GROUPUSER_NAME + from ipaplatform.constants import constants as platformconstants + + from ipatests.test_xmlrpc.xmlrpc_test import XMLRPC_test, raises_exact +@@ -357,7 +358,7 @@ class TestCreateInvalidAttributes(XMLRPC_test): + command = invalid.make_create_command() + with raises_exact(errors.ValidationError( + name='login', +- error=u"may only include letters, numbers, _, -, . and $")): ++ error=ERRMSG_GROUPUSER_NAME.format('user'))): + command() + + def test_create_long_uid(self): +diff --git a/ipatests/test_xmlrpc/test_user_plugin.py b/ipatests/test_xmlrpc/test_user_plugin.py +index c156a8793..eadfe6a65 100644 +--- a/ipatests/test_xmlrpc/test_user_plugin.py ++++ b/ipatests/test_xmlrpc/test_user_plugin.py +@@ -31,6 +31,7 @@ import ldap + import re + + from ipalib import api, errors ++from ipalib.constants import ERRMSG_GROUPUSER_NAME + from ipaplatform.constants import constants as platformconstants + from ipapython import ipautil + from ipatests.test_xmlrpc import objectclasses +@@ -502,7 +503,7 @@ class TestUpdate(XMLRPC_test): + ) + with raises_exact(errors.ValidationError( + name='rename', +- error=u'may only include letters, numbers, _, -, . and $')): ++ error=ERRMSG_GROUPUSER_NAME.format('user'))): + command() + + def test_add_radius_username(self, user): +@@ -556,7 +557,7 @@ class TestCreate(XMLRPC_test): + command = testuser.make_create_command() + with raises_exact(errors.ValidationError( + name=u'login', +- error=u'may only include letters, numbers, _, -, . 
and $')): ++ error=ERRMSG_GROUPUSER_NAME.format('user'))): + command() + + def test_create_with_too_long_login(self): +@@ -730,7 +731,7 @@ class TestCreate(XMLRPC_test): + ) + with raises_exact(errors.ValidationError( + name=u'login', +- error=u'may only include letters, numbers, _, -, . and $', ++ error=ERRMSG_GROUPUSER_NAME.format('user'), + )): + testuser.create() + +-- +2.40.1 + diff --git a/0002-Config-plugin-return-EmptyModlist-when-no-change-is-applied_rhbz#2031825.patch b/0002-Config-plugin-return-EmptyModlist-when-no-change-is-applied_rhbz#2031825.patch deleted file mode 100644 index f5f3cf3..0000000 --- a/0002-Config-plugin-return-EmptyModlist-when-no-change-is-applied_rhbz#2031825.patch +++ /dev/null 
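Review bot: The four-line rule list describing the accepted name format is pasted verbatim into the module docstrings of group.py, stageuser.py and user.py, while the companion error message was centralised as ERRMSG_GROUPUSER_NAME next to PATTERN_GROUPUSER_NAME in ipalib/constants.py; a later change to the regex would have to be mirrored in three hand-maintained copies, which can drift from the pattern the validator actually enforces. Defining the rules once beside the pattern (e.g. a `HELP_GROUPUSER_NAME` constant, name to be agreed) and interpolating it into each docstring keeps the help text and the validation pattern in one place. A related observation is that the updated tests now assert `error=ERRMSG_GROUPUSER_NAME.format(...)`, so they verify which `format()` argument each plugin passes but no longer pin the user-visible wording; that is probably acceptable, but one test comparing against the literal string would catch an accidental edit of the constant. The rule list does appear to match the visible regex (the negative lookahead rejects all-digit names, the first character class excludes `-` and `$`, and only the optional final class admits `$`).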
@@ -1,75 +0,0 @@ -From b9c42fed9b6f60801f908c368d0d97a2a69f7bb2 Mon Sep 17 00:00:00 2001 -From: Florence Blanc-Renaud -Date: Wed, 15 Dec 2021 10:47:02 +0100 -Subject: [PATCH] Config plugin: return EmptyModlist when no change is applied - -When ipa config-mod is called with the option --enable-sid, -the code needs to trap EmptyModlist exception (it is expected -that no LDAP attribute is modified by this operation). -The code had a flaw and was checking: - 'enable_sid' in options -instead of - options['enable_sid'] - -"'enable_sid' in options" always returns true as this option -is a Flag with a default value, hence always present even if -not specified on the command line. - -Fixes: https://pagure.io/freeipa/issue/9063 -Reviewed-By: Rob Crittenden ---- - ipaserver/plugins/config.py | 2 +- - 1 file changed, 1 insertion(+), 1 deletion(-) - -diff --git a/ipaserver/plugins/config.py b/ipaserver/plugins/config.py -index eae401fc3..24446beb0 100644 ---- a/ipaserver/plugins/config.py -+++ b/ipaserver/plugins/config.py -@@ -707,7 +707,7 @@ class config_mod(LDAPUpdate): - if (isinstance(exc, errors.EmptyModlist) and - call_func.__name__ == 'update_entry' and - ('ca_renewal_master_server' in options or -- 'enable_sid' in options)): -+ options['enable_sid'])): - return - - super(config_mod, self).exc_callback( --- -2.34.1 - -From cd735099e86304294217147ed578ac902fcf3dd3 Mon Sep 17 00:00:00 2001 -From: Florence Blanc-Renaud -Date: Wed, 15 Dec 2021 10:51:05 +0100 -Subject: [PATCH] config plugin: add a test ensuring EmptyModlist is returned - -Add a test to test_config_plugin, that calls ipa config-mod -with the same value as already present in LDAP. -The call must return EmptyModlist. 
- -Related: https://pagure.io/freeipa/issue/9063 -Reviewed-By: Rob Crittenden ---- - ipatests/test_xmlrpc/test_config_plugin.py | 9 +++++++++ - 1 file changed, 9 insertions(+) - -diff --git a/ipatests/test_xmlrpc/test_config_plugin.py b/ipatests/test_xmlrpc/test_config_plugin.py -index e981bb4a0..a8ec9f0e5 100644 ---- a/ipatests/test_xmlrpc/test_config_plugin.py -+++ b/ipatests/test_xmlrpc/test_config_plugin.py -@@ -312,4 +312,13 @@ class test_config(Declarative): - 'value': None, - }, - ), -+ dict( -+ desc='Set the value to the already set value, no modifications', -+ command=( -+ 'config_mod', [], { -+ 'ipasearchrecordslimit': u'100', -+ }, -+ ), -+ expected=errors.EmptyModlist(), -+ ), - ] --- -2.34.1 - diff --git a/0002-webui-Do-not-allow-empty-pagination-size.patch b/0002-webui-Do-not-allow-empty-pagination-size.patch deleted file mode 100644 index 15f0b8b..0000000 --- a/0002-webui-Do-not-allow-empty-pagination-size.patch +++ /dev/null 
@@ -1,67 +0,0 @@ -From 02d3fb8266d8199fd1ed983de6c57b269546df82 Mon Sep 17 00:00:00 2001 -From: Armando Neto -Date: Fri, 8 Jul 2022 15:56:31 -0300 -Subject: [PATCH] webui: Do not allow empty pagination size - -Pagination size must be required, the current validators are triggered after -form is submitted, thus the only way for check if data is not empty is by making -the field required. - -Fixes: https://pagure.io/freeipa/issue/9192 - -Signed-off-by: Armando Neto -Reviewed-By: Florence Blanc-Renaud ---- - .../ui/src/freeipa/Application_controller.js | 1 + - ipatests/test_webui/test_misc_cases.py | 19 +++++++++++++++++++ - 2 files changed, 20 insertions(+) - -diff --git a/install/ui/src/freeipa/Application_controller.js b/install/ui/src/freeipa/Application_controller.js -index 46aabc9c4dd47aa3874cb3ddf27da048607b7516..140ee8fe0d7adc274396248aae0be2f4559db27a 100644 ---- a/install/ui/src/freeipa/Application_controller.js -+++ b/install/ui/src/freeipa/Application_controller.js -@@ -318,6 +318,7 @@ define([ - $type: 'text', - name: 'pagination_size', - label: '@i18n:customization.table_pagination', -+ required: true, - validators: ['positive_integer'] - } - ] -diff --git a/ipatests/test_webui/test_misc_cases.py b/ipatests/test_webui/test_misc_cases.py -index 5f7ffb54ee33e9b453d6b987b7bf84d6f4311ebd..aca9e1a99e1e2cf60790fe8c33a65430e0d535e2 100644 ---- a/ipatests/test_webui/test_misc_cases.py -+++ b/ipatests/test_webui/test_misc_cases.py -@@ -11,6 +11,11 @@ from ipatests.test_webui.ui_driver import screenshot - import pytest - import re - -+try: -+ from selenium.webdriver.common.by import By -+except ImportError: -+ pass -+ - - @pytest.mark.tier1 - class TestMiscCases(UI_driver): -@@ -26,3 +31,17 @@ class TestMiscCases(UI_driver): - ver_re = re.compile('version: .*') - assert re.search(ver_re, about_text), 'Version not found' - self.dialog_button_click('ok') -+ -+ @screenshot -+ def test_customization_pagination_input_required(self): -+ """Test if 'pagination size' is 
required when submitting the form.""" -+ self.init_app() -+ -+ self.profile_menu_action('configuration') -+ self.fill_input('pagination_size', '') -+ self.dialog_button_click('save') -+ -+ pagination_size_elem = self.find( -+ ".widget[name='pagination_size']", By.CSS_SELECTOR) -+ -+ self.assert_field_validation_required(parent=pagination_size_elem) --- -2.36.1 - diff --git a/0003-Custodia-use-a-stronger-encryption-algo-when-exporting-keys_rhbz#2032806.patch b/0003-Custodia-use-a-stronger-encryption-algo-when-exporting-keys_rhbz#2032806.patch deleted file mode 100644 index f6cf756..0000000 --- a/0003-Custodia-use-a-stronger-encryption-algo-when-exporting-keys_rhbz#2032806.patch +++ /dev/null 
@@ -1,47 +0,0 @@ -From 653a7fe02880c168755984133ee143567cc7bb4e Mon Sep 17 00:00:00 2001 -From: Francisco Trivino -Date: Wed, 26 Jan 2022 15:43:39 +0100 -Subject: [PATCH] Custodia: use a stronger encryption algo when exporting keys - -The Custodia key export handler is using the default's OpenSSL encryption -scheme for PKCS#12. - -This represents an issue when performing a migration from CentOS Stream 8 (C8S) -to CentOS Steam 9 (C9S) where the Custodia client running in the new C9S -replica talks to the Custodia server on C8S source server. The later creates an -encrypted PKCS#12 file that contains the cert and the key using the OpenSSL's -default encryption scheme, which is no longer supported on C9S. - -This commit enforces a stronger encryption algorigthm by adding following -arguments to the Custodia server handler: - --keypbe AES-256-CBC -certpbe AES-256-CBC -macalg sha384 - -The new arguments enforce stronger PBEv2 instead of the insecure PBEv1. - -Fixes: https://pagure.io/freeipa/issue/9101 - -Signed-off-by: Francisco Trivino -Reviewed-By: Christian Heimes -Reviewed-By: Florence Blanc-Renaud ---- - ipaserver/secrets/handlers/pemfile.py | 3 +++ - 1 file changed, 3 insertions(+) - -diff --git a/ipaserver/secrets/handlers/pemfile.py b/ipaserver/secrets/handlers/pemfile.py -index 4e8eff0e3..ad36bd020 100644 ---- a/ipaserver/secrets/handlers/pemfile.py -+++ b/ipaserver/secrets/handlers/pemfile.py -@@ -31,6 +31,9 @@ def export_key(args, tmpdir): - '-out', pk12file, - '-inkey', args.keyfile, - '-password', 'file:{pk12pwfile}'.format(pk12pwfile=pk12pwfile), -+ '-keypbe', 'AES-256-CBC', -+ '-certpbe', 'AES-256-CBC', -+ '-macalg', 'sha384', - ]) - - with open(pk12file, 'rb') as f: --- -2.34.1 - diff --git a/0004-ipa-kdb-do-not-remove-keys-for-hardened-auth-enabled-users_rhbz#2033342.patch b/0004-ipa-kdb-do-not-remove-keys-for-hardened-auth-enabled-users_rhbz#2033342.patch deleted file mode 100644 index 1e342e5..0000000 
--- a/0004-ipa-kdb-do-not-remove-keys-for-hardened-auth-enabled-users_rhbz#2033342.patch
+++ /dev/null
@@ -1,122 +0,0 @@ -From 6d70421f57d0eca066a922e09416ef7195ee96d4 Mon Sep 17 00:00:00 2001 -From: Julien Rische -Date: Tue, 1 Feb 2022 16:43:09 +0100 -Subject: [PATCH] ipa-kdb: do not remove keys for hardened auth-enabled users - -Since 5d51ae5, principal keys were dropped in case user auth indicator -was not including password. Thereafter, the key removal behavior was -removed by 15ff9c8 in the context of the kdcpolicy plugin introduction. -Support for hardened pre-auth methods (FAST and SPAKE) was added in -d057040, and the removal of principal keys was restored afterwards by -f0d12b7, but not taking the new hardened auth indicator into account. - -Fixes: https://pagure.io/freeipa/issue/9065 -Related to: https://pagure.io/freeipa/issue/8001 - -Signed-off-by: Julien Rische -Reviewed-By: Alexander Bokovoy -Reviewed-By: Francisco Trivino ---- - daemons/ipa-kdb/ipa_kdb_principals.c | 23 ++++++++++++----------- - 1 file changed, 12 insertions(+), 11 deletions(-) - -diff --git a/daemons/ipa-kdb/ipa_kdb_principals.c b/daemons/ipa-kdb/ipa_kdb_principals.c -index 15f3df4fe..0d0d3748c 100644 ---- a/daemons/ipa-kdb/ipa_kdb_principals.c -+++ b/daemons/ipa-kdb/ipa_kdb_principals.c -@@ -788,17 +788,18 @@ static krb5_error_code ipadb_parse_ldap_entry(krb5_context kcontext, - &res_key_data, &result, &mkvno); - switch (ret) { - case 0: -- /* Only set a principal's key if password auth can be used. Otherwise -- * the KDC would add pre-authentication methods to the NEEDED_PREAUTH -- * reply for AS-REQs which indicate the password authentication is -- * available. This might confuse applications like e.g. SSSD which try -- * to determine suitable authentication methods and corresponding -- * prompts with the help of MIT Kerberos' responder interface which -- * acts on the returned pre-authentication methods. 
A typical example -- * is enforced OTP authentication where of course keys are available -- * for the first factor but password authentication should not be -- * advertised by the KDC. */ -- if (!(ua & IPADB_USER_AUTH_PASSWORD) && (ua != IPADB_USER_AUTH_NONE)) { -+ /* Only set a principal's key if password or hardened auth can be used. -+ * Otherwise the KDC would add pre-authentication methods to the -+ * NEEDED_PREAUTH reply for AS-REQs which indicate the password -+ * authentication is available. This might confuse applications like -+ * e.g. SSSD which try to determine suitable authentication methods and -+ * corresponding prompts with the help of MIT Kerberos' responder -+ * interface which acts on the returned pre-authentication methods. A -+ * typical example is enforced OTP authentication where of course keys -+ * are available for the first factor but password authentication -+ * should not be advertised by the KDC. */ -+ if (!(ua & (IPADB_USER_AUTH_PASSWORD | IPADB_USER_AUTH_HARDENED)) && -+ (ua != IPADB_USER_AUTH_NONE)) { - /* This is the same behavior as ENOENT below. 
*/ - ipa_krb5_free_key_data(res_key_data, result); - break; --- -2.34.1 - -From 294ae35a61e6ca8816b261c57508e4be21221864 Mon Sep 17 00:00:00 2001 -From: Julien Rische -Date: Tue, 1 Feb 2022 19:38:29 +0100 -Subject: [PATCH] ipatests: add case for hardened-only ticket policy - -Signed-off-by: Julien Rische -Reviewed-By: Alexander Bokovoy -Reviewed-By: Francisco Trivino ---- - ipatests/test_integration/test_krbtpolicy.py | 30 ++++++++++++++++++-- - 1 file changed, 28 insertions(+), 2 deletions(-) - -diff --git a/ipatests/test_integration/test_krbtpolicy.py b/ipatests/test_integration/test_krbtpolicy.py -index 63e75ae67..9489fbc97 100644 ---- a/ipatests/test_integration/test_krbtpolicy.py -+++ b/ipatests/test_integration/test_krbtpolicy.py -@@ -103,8 +103,8 @@ class TestPWPolicy(IntegrationTest): - result = master.run_command('klist | grep krbtgt') - assert maxlife_within_policy(result.stdout_text, MAXLIFE) is True - -- def test_krbtpolicy_hardended(self): -- """Test a hardened kerberos ticket policy with 10 min tickets""" -+ def test_krbtpolicy_password_and_hardended(self): -+ """Test a pwd and hardened kerberos ticket policy with 10min tickets""" - master = self.master - master.run_command(['ipa', 'user-mod', USER1, - '--user-auth-type', 'password', -@@ -131,6 +131,32 @@ class TestPWPolicy(IntegrationTest): - result = master.run_command('klist | grep krbtgt') - assert maxlife_within_policy(result.stdout_text, MAXLIFE) is True - -+ def test_krbtpolicy_hardended(self): -+ """Test a hardened kerberos ticket policy with 30min tickets""" -+ master = self.master -+ master.run_command(['ipa', 'user-mod', USER1, -+ '--user-auth-type', 'hardened']) -+ master.run_command(['ipa', 'config-mod', -+ '--user-auth-type', 'hardened']) -+ master.run_command(['ipa', 'krbtpolicy-mod', USER1, -+ '--hardened-maxlife', '1800']) -+ -+ tasks.kdestroy_all(master) -+ -+ master.run_command(['kinit', USER1], -+ stdin_text=PASSWORD + '\n') -+ result = master.run_command('klist | grep krbtgt') -+ 
assert maxlife_within_policy(result.stdout_text, 1800, -+ slush=1800) is True -+ -+ tasks.kdestroy_all(master) -+ -+ # Verify that the short policy only applies to USER1 -+ master.run_command(['kinit', USER2], -+ stdin_text=PASSWORD + '\n') -+ result = master.run_command('klist | grep krbtgt') -+ assert maxlife_within_policy(result.stdout_text, MAXLIFE) is True -+ - def test_krbtpolicy_password(self): - """Test the kerberos ticket policy which issues 20 min tickets""" - master = self.master --- -2.34.1 - diff --git a/0005-ipa-pki-proxy.conf-provide-access-to-kra-admin-kra-getStatus_rhbz#2049167.patch b/0005-ipa-pki-proxy.conf-provide-access-to-kra-admin-kra-getStatus_rhbz#2049167.patch deleted file mode 100644 index 3ac05fa..0000000 --- a/0005-ipa-pki-proxy.conf-provide-access-to-kra-admin-kra-getStatus_rhbz#2049167.patch +++ /dev/null 
@@ -1,44 +0,0 @@ -From 9bae5492270d8b695999cd82831cbee62b04626b Mon Sep 17 00:00:00 2001 -From: Florence Blanc-Renaud -Date: Fri, 28 Jan 2022 16:58:42 +0100 -Subject: [PATCH] ipa-pki-proxy.conf: provide access to - /kra/admin/kra/getStatus - -The access to /kra/admin/kra/getStatus will be needed -in order to fix pki-healthcheck. -Note that this commit is a pre-requisite for the fix -to be done on PKI side. No test added since the full -integration test already exists in test_replica_promotion.py, -in TestHiddenReplicaPromotion::test_ipahealthcheck_hidden_replica - -Fixes: https://pagure.io/freeipa/issue/9099 -Related: https://pagure.io/freeipa/issue/8582 - -Signed-off-by: Florence Blanc-Renaud -Reviewed-By: Rob Crittenden ---- - install/share/ipa-pki-proxy.conf.template | 4 ++-- - 1 file changed, 2 insertions(+), 2 deletions(-) - -diff --git a/install/share/ipa-pki-proxy.conf.template b/install/share/ipa-pki-proxy.conf.template -index 96708482c..7a46f20b9 100644 ---- a/install/share/ipa-pki-proxy.conf.template -+++ b/install/share/ipa-pki-proxy.conf.template -@@ -1,4 +1,4 @@ --# VERSION 16 - DO NOT REMOVE THIS LINE -+# VERSION 17 - DO NOT REMOVE THIS LINE - - ProxyRequests Off - -@@ -11,7 +11,7 @@ ProxyRequests Off - - - # matches for admin port and installer -- -+ - SSLOptions +StdEnvVars +ExportCertData +StrictRequire +OptRenegotiate - SSLVerifyClient none - ProxyPassMatch ajp://localhost:$DOGTAG_PORT $DOGTAG_AJP_SECRET --- -2.34.1 - diff --git a/0006-Backport-latest-test-fxes-in-python3-ipatests_rhbz#2048509.patch b/0006-Backport-latest-test-fxes-in-python3-ipatests_rhbz#2048509.patch deleted file mode 100644 index 14d1f0c..0000000 --- a/0006-Backport-latest-test-fxes-in-python3-ipatests_rhbz#2048509.patch +++ /dev/null 
@@ -1,755 +0,0 @@ -From 0edf915efbb39fac45c784171dd715ec6b28861a Mon Sep 17 00:00:00 2001 -From: Sumedh Sidhaye -Date: Fri, 14 Jan 2022 19:55:13 +0530 -Subject: [PATCH] Added test automation for SHA384withRSA CSR support - -Scenario 1: -Setup master with --ca-signing-algorithm=SHA384withRSA -Run certutil and check Signing Algorithm - -Scenario 2: -Setup a master -Stop services -Modify default.params.signingAlg in CS.cfg -Restart services -Resubmit cert (Resubmitted cert should have new Algorithm) - -Pagure Link: https://pagure.io/freeipa/issue/8906 - -Signed-off-by: Sumedh Sidhaye -Reviewed-By: Florence Blanc-Renaud -Reviewed-By: Rob Crittenden -Reviewed-By: Antonio Torres ---- - .../test_integration/test_installation.py | 63 +++++++++++++++++++ - 1 file changed, 63 insertions(+) - -diff --git a/ipatests/test_integration/test_installation.py b/ipatests/test_integration/test_installation.py -index 0947241ae..f2d372c0c 100644 ---- a/ipatests/test_integration/test_installation.py -+++ b/ipatests/test_integration/test_installation.py -@@ -34,6 +34,7 @@ from ipatests.pytest_ipa.integration import tasks - from ipatests.pytest_ipa.integration.env_config import get_global_config - from ipatests.test_integration.base import IntegrationTest - from ipatests.test_integration.test_caless import CALessBase, ipa_certs_cleanup -+from ipatests.test_integration.test_cert import get_certmonger_fs_id - from ipaplatform import services - - -@@ -1916,3 +1917,65 @@ class TestInstallWithoutNamed(IntegrationTest): - tasks.install_replica( - self.master, self.replicas[0], setup_ca=False, setup_dns=False - ) -+ -+ -+class TestInstallwithSHA384withRSA(IntegrationTest): -+ num_replicas = 0 -+ -+ def test_install_master_withalgo_sha384withrsa(self, server_cleanup): -+ tasks.install_master( -+ self.master, -+ extra_args=['--ca-signing-algorithm=SHA384withRSA'], -+ ) -+ -+ # check Signing Algorithm post installation -+ dashed_domain = self.master.domain.realm.replace(".", '-') -+ cmd_args = 
['certutil', '-L', '-d', -+ '/etc/dirsrv/slapd-{}/'.format(dashed_domain), -+ '-n', 'Server-Cert'] -+ result = self.master.run_command(cmd_args) -+ assert 'SHA-384 With RSA Encryption' in result.stdout_text -+ -+ def test_install_master_modify_existing(self, server_cleanup): -+ """ -+ Setup a master -+ Stop services -+ Modify default.params.signingAlg in CS.cfg -+ Restart services -+ Resubmit cert (Resubmitted cert should have new Algorithm) -+ """ -+ tasks.install_master(self.master) -+ self.master.run_command(['ipactl', 'stop']) -+ cs_cfg_content = self.master.get_file_contents(paths.CA_CS_CFG_PATH, -+ encoding='utf-8') -+ new_lines = [] -+ replace_str = "ca.signing.defaultSigningAlgorithm=SHA384withRSA" -+ ocsp_rep_str = "ca.ocsp_signing.defaultSigningAlgorithm=SHA384withRSA" -+ for line in cs_cfg_content.split('\n'): -+ if line.startswith('ca.signing.defaultSigningAlgorithm'): -+ new_lines.append(replace_str) -+ elif line.startswith('ca.ocsp_signing.defaultSigningAlgorithm'): -+ new_lines.append(ocsp_rep_str) -+ else: -+ new_lines.append(line) -+ self.master.put_file_contents(paths.CA_CS_CFG_PATH, -+ '\n'.join(new_lines)) -+ self.master.run_command(['ipactl', 'start']) -+ -+ cmd = ['getcert', 'list', '-f', paths.RA_AGENT_PEM] -+ result = self.master.run_command(cmd) -+ request_id = get_certmonger_fs_id(result.stdout_text) -+ -+ # resubmit RA Agent cert -+ cmd = ['getcert', 'resubmit', '-f', paths.RA_AGENT_PEM] -+ self.master.run_command(cmd) -+ -+ tasks.wait_for_certmonger_status(self.master, -+ ('CA_WORKING', 'MONITORING'), -+ request_id) -+ -+ cmd_args = ['openssl', 'x509', '-in', -+ paths.RA_AGENT_PEM, '-noout', '-text'] -+ result = self.master.run_command(cmd_args) -+ assert_str = 'Signature Algorithm: sha384WithRSAEncryption' -+ assert assert_str in result.stdout_text --- -2.34.1 - -From 8b22ee018c3bb7f58a1b6694a7fd611688f8e74f Mon Sep 17 00:00:00 2001 -From: Sumedh Sidhaye -Date: Thu, 25 Nov 2021 17:48:20 +0530 -Subject: [PATCH] Extend test to see if 
replica is not shown when running - `ipa-replica-manage list -v ` - -Related: https://pagure.io/freeipa/issue/8605 - -Signed-off-by: Sumedh Sidhaye -Reviewed-By: Florence Blanc-Renaud ---- - ipatests/test_integration/test_simple_replication.py | 3 ++- - 1 file changed, 2 insertions(+), 1 deletion(-) - -diff --git a/ipatests/test_integration/test_simple_replication.py b/ipatests/test_integration/test_simple_replication.py -index 8de385144..17092a499 100644 ---- a/ipatests/test_integration/test_simple_replication.py -+++ b/ipatests/test_integration/test_simple_replication.py -@@ -111,5 +111,6 @@ class TestSimpleReplication(IntegrationTest): - # has to be run with --force, there is no --unattended - self.master.run_command(['ipa-replica-manage', 'del', - self.replicas[0].hostname, '--force']) -- result = self.master.run_command(['ipa-replica-manage', 'list']) -+ result = self.master.run_command( -+ ['ipa-replica-manage', 'list', '-v', self.master.hostname]) - assert self.replicas[0].hostname not in result.stdout_text --- -2.34.1 - -From ba7ec71ba96280da3841ebe47df2a6dc1cd6341e Mon Sep 17 00:00:00 2001 -From: Mohammad Rizwan -Date: Fri, 26 Nov 2021 12:11:21 +0530 -Subject: [PATCH] ipatests: Fix test_ipa_cert_fix.py::TestCertFixReplica - teardown - -Fixture `expire_certs` moves date back after renewing the certs. -This is causing the ipa-replica to fail. This fix first uninstalls -the server then moves back the date. 
- -Fixes: https://pagure.io/freeipa/issue/9052 - -Signed-off-by: Mohammad Rizwan -Reviewed-By: Florence Blanc-Renaud ---- - ipatests/test_integration/test_ipa_cert_fix.py | 9 ++++++++- - 1 file changed, 8 insertions(+), 1 deletion(-) - -diff --git a/ipatests/test_integration/test_ipa_cert_fix.py b/ipatests/test_integration/test_ipa_cert_fix.py -index 39904d5de..5b56054b4 100644 ---- a/ipatests/test_integration/test_ipa_cert_fix.py -+++ b/ipatests/test_integration/test_ipa_cert_fix.py -@@ -389,6 +389,12 @@ class TestCertFixReplica(IntegrationTest): - setup_dns=False, extra_args=['--no-ntp'] - ) - -+ @classmethod -+ def uninstall(cls, mh): -+ # Uninstall method is empty as the uninstallation is done in -+ # the fixture -+ pass -+ - @pytest.fixture - def expire_certs(self): - # move system date to expire certs -@@ -398,7 +404,8 @@ class TestCertFixReplica(IntegrationTest): - yield - - # move date back on replica and master -- for host in self.master, self.replicas[0]: -+ for host in self.replicas[0], self.master: -+ tasks.uninstall_master(host) - tasks.move_date(host, 'start', '-3years-1days') - - def test_renew_expired_cert_replica(self, expire_certs): --- -2.34.1 - -From 465f1669a6c5abc72da1ecaf9aefa8488f80806c Mon Sep 17 00:00:00 2001 -From: Anuja More -Date: Mon, 13 Dec 2021 17:37:05 +0530 -Subject: [PATCH] ipatests: Test default value of nsslapd-sizelimit. 
- -related : https://pagure.io/freeipa/issue/8962 - -Signed-off-by: Anuja More -Reviewed-By: Florence Blanc-Renaud ---- - ipatests/test_integration/test_installation.py | 13 +++++++++++++ - 1 file changed, 13 insertions(+) - -diff --git a/ipatests/test_integration/test_installation.py b/ipatests/test_integration/test_installation.py -index 95cfaad54..0947241ae 100644 ---- a/ipatests/test_integration/test_installation.py -+++ b/ipatests/test_integration/test_installation.py -@@ -1067,6 +1067,19 @@ class TestInstallMaster(IntegrationTest): - ) - assert "nsslapd-db-locks" not in result.stdout_text - -+ def test_nsslapd_sizelimit(self): -+ """ Test for default value of nsslapd-sizelimit. -+ -+ Related : https://pagure.io/freeipa/issue/8962 -+ """ -+ result = tasks.ldapsearch_dm( -+ self.master, -+ "cn=config", -+ ["nsslapd-sizelimit"], -+ scope="base" -+ ) -+ assert "nsslapd-sizelimit: 100000" in result.stdout_text -+ - def test_admin_root_alias_CVE_2020_10747(self): - # Test for CVE-2020-10747 fix - # https://bugzilla.redhat.com/show_bug.cgi?id=1810160 --- -2.34.1 - -From cbd9ac6ab07dfb60f67da762fdd70856ad35c230 Mon Sep 17 00:00:00 2001 -From: Mohammad Rizwan -Date: Thu, 25 Nov 2021 13:10:05 +0530 -Subject: [PATCH] ipatests: Test empty cert request doesn't force certmonger to - segfault - -When empty cert request is submitted to certmonger, it goes to -segfault. 
This fix test that if something like this happens, -certmonger should gracefuly handle it - -and some PEP8 fixes - -related: https://pagure.io/certmonger/issue/191 - -Signed-off-by: Mohammad Rizwan ---- - ipatests/test_integration/test_cert.py | 79 +++++++++++++++++++++++++- - 1 file changed, 78 insertions(+), 1 deletion(-) - -diff --git a/ipatests/test_integration/test_cert.py b/ipatests/test_integration/test_cert.py -index 5ffb8c608..0518d7954 100644 ---- a/ipatests/test_integration/test_cert.py -+++ b/ipatests/test_integration/test_cert.py -@@ -14,6 +14,7 @@ import random - import re - import string - import time -+import textwrap - - from ipaplatform.paths import paths - from ipapython.dn import DN -@@ -193,7 +194,7 @@ class TestInstallMasterClient(IntegrationTest): - tasks.kinit_admin(self.master) - tasks.user_add(self.master, user) - -- for id in (0,1): -+ for id in (0, 1): - csr_file = f'{id}.csr' - key_file = f'{id}.key' - cert_file = f'{id}.crt' -@@ -584,3 +585,79 @@ class TestCAShowErrorHandling(IntegrationTest): - error_msg = 'ipa: ERROR: The certificate for ' \ - '{} is not available on this server.'.format(lwca) - assert error_msg in result.stderr_text -+ -+ def test_certmonger_empty_cert_not_segfault(self): -+ """Test empty cert request doesn't force certmonger to segfault -+ -+ Test scenario: -+ create a cert request file in /var/lib/certmonger/requests which is -+ missing most of the required information, and ask request a new -+ certificate to certmonger. The wrong request file should not make -+ certmonger crash. 
-+ -+ related: https://pagure.io/certmonger/issue/191 -+ """ -+ empty_cert_req_content = textwrap.dedent(""" -+ id=dogtag-ipa-renew-agent -+ key_type=UNSPECIFIED -+ key_gen_type=UNSPECIFIED -+ key_size=0 -+ key_gen_size=0 -+ key_next_type=UNSPECIFIED -+ key_next_gen_type=UNSPECIFIED -+ key_next_size=0 -+ key_next_gen_size=0 -+ key_preserve=0 -+ key_storage_type=NONE -+ key_perms=0 -+ key_requested_count=0 -+ key_issued_count=0 -+ cert_storage_type=FILE -+ cert_perms=0 -+ cert_is_ca=0 -+ cert_ca_path_length=0 -+ cert_no_ocsp_check=0 -+ last_need_notify_check=19700101000000 -+ last_need_enroll_check=19700101000000 -+ template_is_ca=0 -+ template_ca_path_length=-1 -+ template_no_ocsp_check=0 -+ state=NEED_KEY_PAIR -+ autorenew=0 -+ monitor=0 -+ submitted=19700101000000 -+ """) -+ # stop certmonger service -+ self.master.run_command(['systemctl', 'stop', 'certmonger']) -+ -+ # place an empty cert request file to certmonger request dir -+ self.master.put_file_contents( -+ os.path.join(paths.CERTMONGER_REQUESTS_DIR, '20211125062617'), -+ empty_cert_req_content -+ ) -+ -+ # start certmonger, it should not fail -+ self.master.run_command(['systemctl', 'start', 'certmonger']) -+ -+ # request a new cert, should succeed and certmonger doesn't goes -+ # to segfault -+ result = self.master.run_command([ -+ "ipa-getcert", "request", -+ "-f", os.path.join(paths.OPENSSL_CERTS_DIR, "test.pem"), -+ "-k", os.path.join(paths.OPENSSL_PRIVATE_DIR, "test.key"), -+ ]) -+ request_id = re.findall(r'\d+', result.stdout_text) -+ -+ # check if certificate is in MONITORING state -+ status = tasks.wait_for_request(self.master, request_id[0], 50) -+ assert status == "MONITORING" -+ -+ self.master.run_command( -+ ['ipa-getcert', 'stop-tracking', '-i', request_id[0]] -+ ) -+ self.master.run_command([ -+ 'rm', '-rf', -+ os.path.join(paths.CERTMONGER_REQUESTS_DIR, '20211125062617'), -+ os.path.join(paths.OPENSSL_CERTS_DIR, 'test.pem'), -+ os.path.join(paths.OPENSSL_PRIVATE_DIR, 'test.key') -+ ]) --- 
-2.34.1 - -From edbd8f692a28fc999b92e9032614d366511db323 Mon Sep 17 00:00:00 2001 -From: Anuja More -Date: Mon, 6 Dec 2021 20:50:01 +0530 -Subject: [PATCH] ipatests: webui: Tests for subordinate ids. - -Added web-ui tests to verify where operations -using subordinate ids are working as expected. - -Related : https://pagure.io/freeipa/issue/8361 - -Signed-off-by: Anuja More -Reviewed-By: Michal Polovka -Reviewed-By: Florence Blanc-Renaud -Reviewed-By: Florence Blanc-Renaud ---- - ipatests/test_webui/test_subid.py | 141 ++++++++++++++++++++++++++++++ - ipatests/test_webui/ui_driver.py | 28 ++++++ - 2 files changed, 169 insertions(+) - create mode 100644 ipatests/test_webui/test_subid.py - -diff --git a/ipatests/test_webui/test_subid.py b/ipatests/test_webui/test_subid.py -new file mode 100644 -index 000000000..26decdba0 ---- /dev/null -+++ b/ipatests/test_webui/test_subid.py -@@ -0,0 +1,141 @@ -+ -+""" -+Tests for subordinateid. -+""" -+ -+from ipatests.test_webui.ui_driver import UI_driver -+import ipatests.test_webui.data_config as config_data -+import ipatests.test_webui.data_user as user_data -+from ipatests.test_webui.ui_driver import screenshot -+import re -+ -+ -+class test_subid(UI_driver): -+ -+ def add_user(self, pkey, name, surname): -+ self.add_record('user', { -+ 'pkey': pkey, -+ 'add': [ -+ ('textbox', 'uid', pkey), -+ ('textbox', 'givenname', name), -+ ('textbox', 'sn', surname), -+ ] -+ }) -+ -+ def set_default_subid(self): -+ self.navigate_to_entity(config_data.ENTITY) -+ self.check_option('ipauserdefaultsubordinateid', 'checked') -+ self.facet_button_click('save') -+ -+ def get_user_count(self, user_pkey): -+ self.navigate_to_entity('subid', facet='search') -+ self.apply_search_filter(user_pkey) -+ self.wait_for_request() -+ return self.get_rows() -+ -+ @screenshot -+ def test_set_defaultsubid(self): -+ """ -+ Test to verify that enable/disable is working for -+ adding subids to new users. 
-+ """ -+ self.init_app() -+ self.add_record(user_data.ENTITY, user_data.DATA2) -+ self.navigate_to_entity(config_data.ENTITY) -+ # test subid can be enabled/disabled. -+ self.set_default_subid() -+ assert self.get_field_checked('ipauserdefaultsubordinateid') -+ self.set_default_subid() -+ assert not self.get_field_checked('ipauserdefaultsubordinateid') -+ -+ @screenshot -+ def test_user_defaultsubid(self): -+ """ -+ Test to verify that subid is generated for new user. -+ """ -+ self.init_app() -+ user_pkey = "some-user" -+ -+ self.set_default_subid() -+ assert self.get_field_checked('ipauserdefaultsubordinateid') -+ -+ before_count = self.get_user_count(user_pkey) -+ assert len(before_count) == 0 -+ -+ self.add_user(user_pkey, 'Some', 'User') -+ after_count = self.get_user_count(user_pkey) -+ assert len(after_count) == 1 -+ -+ @screenshot -+ def test_user_subid_mod_desc(self): -+ """ -+ Test to verify that auto-assigned subid description is modified. -+ """ -+ self.init_app() -+ self.navigate_to_record("some-user") -+ self.switch_to_facet('memberof_subid') -+ rows = self.get_rows() -+ self.navigate_to_row_record(rows[-1]) -+ self.fill_textbox("description", "some-user-subid-desc") -+ self.facet_button_click('save') -+ -+ @screenshot -+ def test_admin_subid(self): -+ """ -+ Test to verify that subid range is created with owner admin. -+ """ -+ self.init_app() -+ self.navigate_to_entity('subid', facet='search') -+ self.facet_button_click('add') -+ self.select_combobox('ipaowner', 'admin') -+ self.dialog_button_click('add') -+ self.wait(0.3) -+ self.assert_no_error_dialog() -+ -+ @screenshot -+ def test_admin_subid_negative(self): -+ """ -+ Test to verify that readding the subid fails with error. 
-+ """ -+ self.init_app() -+ self.navigate_to_entity('subid', facet='search') -+ self.facet_button_click('add') -+ self.select_combobox('ipaowner', 'admin') -+ self.dialog_button_click('add') -+ self.wait(0.3) -+ err_dialog = self.get_last_error_dialog(dialog_name='error_dialog') -+ text = self.get_text('.modal-body div p', err_dialog) -+ text = text.strip() -+ pattern = r'Subordinate id with with name .* already exists.' -+ assert re.search(pattern, text) is not None -+ self.close_all_dialogs() -+ -+ @screenshot -+ def test_user_subid_add(self): -+ """ -+ Test to verify that subid range is created for given user. -+ """ -+ self.init_app() -+ self.navigate_to_entity('subid', facet='search') -+ before_count = self.get_rows() -+ self.facet_button_click('add') -+ self.select_combobox('ipaowner', user_data.PKEY2) -+ self.dialog_button_click('add') -+ self.wait(0.3) -+ self.assert_no_error_dialog() -+ after_count = self.get_rows() -+ assert len(before_count) < len(after_count) -+ -+ @screenshot -+ def test_subid_del(self): -+ """ -+ Test to remove subordinate id for given user. -+ """ -+ self.init_app() -+ self.navigate_to_entity('subid', facet='search') -+ user_uid = self.get_record_pkey("some-user", "ipaowner", -+ table_name="ipauniqueid") -+ before_count = self.get_rows() -+ self.delete_record(user_uid, table_name="ipauniqueid") -+ after_count = self.get_rows() -+ assert len(before_count) > len(after_count) -diff --git a/ipatests/test_webui/ui_driver.py b/ipatests/test_webui/ui_driver.py -index 46fd512ae..77fd74e49 100644 ---- a/ipatests/test_webui/ui_driver.py -+++ b/ipatests/test_webui/ui_driver.py -@@ -1151,6 +1151,34 @@ class UI_driver: - return row - return None - -+ def get_row_by_column_value(self, key, column_name, parent=None, -+ table_name=None): -+ """ -+ Get the first matched row element of a search table with given key -+ matched against selected column. 
None if not found -+ """ -+ rows = self.get_rows(parent, table_name) -+ s = "td div[name='%s']" % column_name -+ for row in rows: -+ has = self.find(s, By.CSS_SELECTOR, row) -+ if has.text == key: -+ return row -+ return None -+ -+ def get_record_pkey(self, key, column, parent=None, table_name=None): -+ """ -+ Get record pkey if value of column is known -+ """ -+ row = self.get_row_by_column_value(key, -+ column_name=column, -+ parent=parent, -+ table_name=table_name) -+ val = None -+ if row: -+ el = self.find("td input", By.CSS_SELECTOR, row) -+ val = el.get_attribute("value") -+ return val -+ - def navigate_to_row_record(self, row, pkey_column=None): - """ - Navigate to record by clicking on a link. --- -2.34.1 - -From 419d7fd6e5a9ed2d356ad05eef1043309f5646ef Mon Sep 17 00:00:00 2001 -From: Michal Polovka -Date: Fri, 7 Jan 2022 12:12:26 +0100 -Subject: [PATCH] ipatests: webui: Use safe-loader for loading YAML - configuration file - -FullLoader class for YAML loader was introduced in version 5.1 which -also deprecated default loader. SafeLoader, however, stays consistent -across the versions and brings added security. - -This fix is necessary as PyYAML > 5.1 is not available in downstream. 
- -Related: https://pagure.io/freeipa/issue/9009 - -Signed-off-by: Michal Polovka -Reviewed-By: Rob Crittenden ---- - ipatests/test_webui/ui_driver.py | 2 +- - 1 file changed, 1 insertion(+), 1 deletion(-) - -diff --git a/ipatests/test_webui/ui_driver.py b/ipatests/test_webui/ui_driver.py -index 77fd74e49..519efee9b 100644 ---- a/ipatests/test_webui/ui_driver.py -+++ b/ipatests/test_webui/ui_driver.py -@@ -192,7 +192,7 @@ class UI_driver: - if not NO_YAML and os.path.isfile(path): - try: - with open(path, 'r') as conf: -- cls.config = yaml.load(stream=conf, Loader=yaml.FullLoader) -+ cls.config = yaml.safe_load(stream=conf) - except yaml.YAMLError as e: - pytest.skip("Invalid Web UI config.\n%s" % e) - except IOError as e: --- -2.34.1 - -From 5444da016edc416c0c9481c660c013053dbb93b5 Mon Sep 17 00:00:00 2001 -From: Mohammad Rizwan -Date: Thu, 18 Nov 2021 18:43:22 +0530 -Subject: [PATCH] PEP8 Fixes - -Signed-off-by: Mohammad Rizwan ---- - .../test_integration/test_replica_promotion.py | 14 +++++++------- - 1 file changed, 7 insertions(+), 7 deletions(-) - -diff --git a/ipatests/test_integration/test_replica_promotion.py b/ipatests/test_integration/test_replica_promotion.py -index 1a4e9bc12..c328b1a08 100644 ---- a/ipatests/test_integration/test_replica_promotion.py -+++ b/ipatests/test_integration/test_replica_promotion.py -@@ -138,7 +138,6 @@ class TestReplicaPromotionLevel1(ReplicaPromotionBase): - assert res.returncode == 1 - assert expected_err in res.stderr_text - -- - @replicas_cleanup - def test_one_command_installation(self): - """ -@@ -150,11 +149,11 @@ class TestReplicaPromotionLevel1(ReplicaPromotionBase): - Firewall(self.replicas[0]).enable_services(["freeipa-ldap", - "freeipa-ldaps"]) - self.replicas[0].run_command(['ipa-replica-install', '-w', -- self.master.config.admin_password, -- '-n', self.master.domain.name, -- '-r', self.master.domain.realm, -- '--server', self.master.hostname, -- '-U']) -+ self.master.config.admin_password, -+ '-n', 
self.master.domain.name, -+ '-r', self.master.domain.realm, -+ '--server', self.master.hostname, -+ '-U']) - # Ensure that pkinit is properly configured, test for 7566 - result = self.replicas[0].run_command(['ipa-pkinit-manage', 'status']) - assert "PKINIT is enabled" in result.stdout_text -@@ -321,7 +320,7 @@ class TestWrongClientDomain(IntegrationTest): - result1 = client.run_command(['ipa-replica-install', '-U', '-w', - self.master.config.dirman_password], - raiseonerr=False) -- assert(result1.returncode == 0), ( -+ assert (result1.returncode == 0), ( - 'Failed to promote the client installed with the upcase domain name') - - def test_client_rollback(self): -@@ -355,6 +354,7 @@ class TestWrongClientDomain(IntegrationTest): - assert("An error occurred while removing SSSD" not in - result.stdout_text) - -+ - class TestRenewalMaster(IntegrationTest): - - topology = 'star' --- -2.34.1 - -From 1d19b860d4cd3bd65a4b143b588425d9a64237fd Mon Sep 17 00:00:00 2001 -From: Mohammad Rizwan -Date: Thu, 18 Nov 2021 18:36:58 +0530 -Subject: [PATCH] Test cases for ipa-replica-conncheck command - -Following test cases would be checked: -- when called with --principal (it should then prompt for a password) -- when called with --principal / --password -- when called without principal and password but with a kerberos TGT, - kinit admin done before calling ipa-replica-conncheck -- when called without principal and password, and without any kerberos - TGT (it should default to principal=admin and prompt for a password) - -related: https://pagure.io/freeipa/issue/9047 - -Signed-off-by: Mohammad Rizwan ---- - .../test_replica_promotion.py | 70 +++++++++++++++++++ - 1 file changed, 70 insertions(+) - -diff --git a/ipatests/test_integration/test_replica_promotion.py b/ipatests/test_integration/test_replica_promotion.py -index b9c56f775..1a4e9bc12 100644 ---- a/ipatests/test_integration/test_replica_promotion.py -+++ b/ipatests/test_integration/test_replica_promotion.py -@@ -437,6 +437,76 
@@ class TestRenewalMaster(IntegrationTest): - self.assertCARenewalMaster(master, replica.hostname) - self.assertCARenewalMaster(replica, replica.hostname) - -+ def test_replica_concheck(self): -+ """Test cases for ipa-replica-conncheck command -+ -+ Following test cases would be checked: -+ - when called with --principal (it should then prompt for a password) -+ - when called with --principal / --password -+ - when called without principal and password but with a kerberos TGT, -+ kinit admin done before calling ipa-replica-conncheck -+ - when called without principal and password, and without any kerberos -+ TGT (it should default to principal=admin and prompt for a password) -+ -+ related: https://pagure.io/freeipa/issue/9047 -+ """ -+ exp_str1 = "Connection from replica to master is OK." -+ exp_str2 = "Connection from master to replica is OK" -+ tasks.kdestroy_all(self.replicas[0]) -+ # when called with --principal (it should then prompt for a password) -+ result = self.replicas[0].run_command( -+ ['ipa-replica-conncheck', '--auto-master-check', -+ '--master', self.master.hostname, -+ '-r', self.replicas[0].domain.realm, -+ '-p', self.replicas[0].config.admin_name], -+ stdin_text=self.master.config.admin_password -+ ) -+ assert result.returncode == 0 -+ assert ( -+ exp_str1 in result.stderr_text and exp_str2 in result.stderr_text -+ ) -+ -+ # when called with --principal / --password -+ result = self.replicas[0].run_command([ -+ 'ipa-replica-conncheck', '--auto-master-check', -+ '--master', self.master.hostname, -+ '-r', self.replicas[0].domain.realm, -+ '-p', self.replicas[0].config.admin_name, -+ '-w', self.master.config.admin_password -+ ]) -+ assert result.returncode == 0 -+ assert ( -+ exp_str1 in result.stderr_text and exp_str2 in result.stderr_text -+ ) -+ -+ # when called without principal and password, and without -+ # any kerberos TGT, it should default to principal=admin -+ # and prompt for a password -+ result = self.replicas[0].run_command( -+ 
['ipa-replica-conncheck', '--auto-master-check', -+ '--master', self.master.hostname, -+ '-r', self.replicas[0].domain.realm], -+ stdin_text=self.master.config.admin_password -+ ) -+ assert result.returncode == 0 -+ assert ( -+ exp_str1 in result.stderr_text and exp_str2 in result.stderr_text -+ ) -+ -+ # when called without principal and password but with a kerberos TGT, -+ # kinit admin done before calling ipa-replica-conncheck -+ tasks.kinit_admin(self.replicas[0]) -+ result = self.replicas[0].run_command( -+ ['ipa-replica-conncheck', '--auto-master-check', -+ '--master', self.master.hostname, -+ '-r', self.replicas[0].domain.realm] -+ ) -+ assert result.returncode == 0 -+ assert ( -+ exp_str1 in result.stderr_text and exp_str2 in result.stderr_text -+ ) -+ tasks.kdestroy_all(self.replicas[0]) -+ - def test_automatic_renewal_master_transfer_ondelete(self): - # Test that after replica uninstallation, master overtakes the cert - # renewal master role from replica (which was previously set there) --- -2.34.1 - diff --git a/0007-Don-t-always-override-the-port-in-import_included_profiles_rhbz#2022483.patch b/0007-Don-t-always-override-the-port-in-import_included_profiles_rhbz#2022483.patch deleted file mode 100644 index f8b3b9f..0000000 --- a/0007-Don-t-always-override-the-port-in-import_included_profiles_rhbz#2022483.patch +++ /dev/null 
@@ -1,104 +0,0 @@ -From edb216849e4f47d6cae95981edf0c3fe2653fd7a Mon Sep 17 00:00:00 2001 -From: Rob Crittenden -Date: Fri, 28 Jan 2022 16:46:35 -0500 -Subject: [PATCH] Don't always override the port in import_included_profiles - -I can only guess to the original purpose of this override. I -believe it was because this is called in the installer prior -to Apache being set up. The expectation was that this would -only be called locally. It predates the RestClient class. - -RestClient will attempt to find an available service. In this -case, during a CA installation, the local server is not -considered available because it lacks an entry in -cn=masters. So it will never be returned as an option. - -So by overriding the port to 8443 the remote connection will -likely fail because we don't require that the port be open. - -So instead, instantiate a RestClient and see what happens. - -There are several use-cases: - -1. Installing an initial server. The RestClient connection - should fail, so we will fall back to the override port and - use the local server. If Apache happens to be running with - a globally-issued certificate then the RestClient will - succeed. In this case if the connected host and the local - hostname are the same, override in that case as well. - -2. Installing as a replica. In this case the local server should - be ignored in all cases and a remote CA will be picked with - no override done. - -3. Switching from CA-less to CA-ful. The web server will be - trusted but the RestClient login will fail with a 404. Fall - back to the override port in this case. - -The motivation for this is trying to install an EL 8.x replica -against an EL 7.9 server. 8.5+ includes the ACME service and -a new profile is needed which doesn't exist in 7. This was -failing because the RestClient determined that the local server -wasn't running a CA so tried the remote one (7.9) on the override -port 8443. Since this port isn't open: failure. 
- -Chances are that adding the profile is still going to fail -because again, 7.9 lacks ACME capabilities, but it will fail in -a way that allows the installation to continue. - -I suspect that all of the overrides can similarly handled, or -handled directly within the RestClient class, but for the sake -of "do no harm" I'm only changing this instance for now. - -https://pagure.io/freeipa/issue/9100 - -Signed-off-by: Rob Crittenden -Reviewed-By: Florence Blanc-Renaud ---- - ipaserver/install/cainstance.py | 30 +++++++++++++++++++++++++++++- - 1 file changed, 29 insertions(+), 1 deletion(-) - -diff --git a/ipaserver/install/cainstance.py b/ipaserver/install/cainstance.py -index 8c8bf1b3a..ad206aad4 100644 ---- a/ipaserver/install/cainstance.py -+++ b/ipaserver/install/cainstance.py -@@ -1953,7 +1953,35 @@ def import_included_profiles(): - cn=['certprofiles'], - ) - -- api.Backend.ra_certprofile.override_port = 8443 -+ # At this point Apache may or may not be running with a valid -+ # certificate. The local server is not yet recognized as a full -+ # CA yet so it isn't discoverable. So try to do some detection -+ # on what port to use, 443 (remote) or 8443 (local) for importing -+ # the profiles. -+ # -+ # api.Backend.ra_certprofile invokes the RestClient class -+ # which will discover and login to the CA REST API. We can -+ # use this information to detect where to import the profiles. -+ # -+ # If the login is successful (e.g. doesn't raise an exception) -+ # and it returns our hostname (it prefers the local host) then -+ # we override and talk locally. -+ # -+ # Otherwise a NetworkError means we can't connect on 443 (perhaps -+ # a firewall) or we get an HTTP error (valid TLS certificate on -+ # Apache but no CA, login fails with 404) so we override to the -+ # local server. -+ # -+ # When override port was always set to 8443 the RestClient could -+ # pick a remote server and since 8443 isn't in our firewall profile -+ # setting up a new server would fail. 
-+ try: -+ with api.Backend.ra_certprofile as profile_api: -+ if profile_api.ca_host == api.env.host: -+ api.Backend.ra_certprofile.override_port = 8443 -+ except (errors.NetworkError, errors.RemoteRetrieveError) as e: -+ logger.debug('Overriding CA port: %s', e) -+ api.Backend.ra_certprofile.override_port = 8443 - - for (profile_id, desc, store_issued) in dogtag.INCLUDED_PROFILES: - dn = DN(('cn', profile_id), --- -2.34.1 - diff --git a/0008-Remove-ipa-join-errors-from-behind-the-debug-option_rhbz#2048558.patch b/0008-Remove-ipa-join-errors-from-behind-the-debug-option_rhbz#2048558.patch deleted file mode 100644 index e083b06..0000000 --- a/0008-Remove-ipa-join-errors-from-behind-the-debug-option_rhbz#2048558.patch +++ /dev/null 
@@ -1,115 +0,0 @@ -From 7c5540bb47799b4db95673d22f61995ad5c56440 Mon Sep 17 00:00:00 2001 -From: Rob Crittenden -Date: Mon, 31 Jan 2022 17:31:50 -0500 -Subject: [PATCH] Remove ipa-join errors from behind the debug option - -This brings it inline with the previous XML-RPC output which -only hid the request and response from the output and not -any errors returned. - -https://pagure.io/freeipa/issue/9103 - -Signed-off-by: Rob Crittenden -Reviewed-By: Florence Blanc-Renaud -Reviewed-By: Peter Keresztes Schmidt ---- - client/ipa-join.c | 27 +++++++++------------------ - 1 file changed, 9 insertions(+), 18 deletions(-) - -diff --git a/client/ipa-join.c b/client/ipa-join.c -index d98739a9a..5888a33bf 100644 ---- a/client/ipa-join.c -+++ b/client/ipa-join.c -@@ -743,8 +743,7 @@ jsonrpc_request(const char *ipaserver, const json_t *json, curl_buffer *response - - json_str = json_dumps(json, 0); - if (!json_str) { -- if (debug) -- fprintf(stderr, _("json_dumps() failed\n")); -+ fprintf(stderr, _("json_dumps() failed\n")); - - rval = 17; - goto cleanup; -@@ -758,8 +757,7 @@ jsonrpc_request(const char *ipaserver, const json_t *json, curl_buffer *response - CURLcode res = curl_easy_perform(curl); - if (res != CURLE_OK) - { -- if (debug) -- fprintf(stderr, _("JSON-RPC call failed: %s\n"), curl_easy_strerror(res)); -+ fprintf(stderr, _("JSON-RPC call failed: %s\n"), curl_easy_strerror(res)); - - rval = 17; - goto cleanup; -@@ -769,8 +767,7 @@ jsonrpc_request(const char *ipaserver, const json_t *json, curl_buffer *response - curl_easy_getinfo(curl, CURLINFO_RESPONSE_CODE, &resp_code); - - if (resp_code != 200) { -- if (debug) -- fprintf(stderr, _("JSON-RPC call failed with status code: %li\n"), resp_code); -+ fprintf(stderr, _("JSON-RPC call failed with status code: %li\n"), resp_code); - - if (!quiet && resp_code == 401) - fprintf(stderr, _("JSON-RPC call was unauthorized. 
Check your credentials.\n")); -@@ -848,8 +845,7 @@ jsonrpc_parse_response(const char *payload, json_t** j_result_obj, bool quiet) { - - j_root = json_loads(payload, 0, &j_error); - if (!j_root) { -- if (debug) -- fprintf(stderr, _("Parsing JSON-RPC response failed: %s\n"), j_error.text); -+ fprintf(stderr, _("Parsing JSON-RPC response failed: %s\n"), j_error.text); - - rval = 17; - goto cleanup; -@@ -864,8 +860,7 @@ jsonrpc_parse_response(const char *payload, json_t** j_result_obj, bool quiet) { - - *j_result_obj = json_object_get(j_root, "result"); - if (!*j_result_obj) { -- if (debug) -- fprintf(stderr, _("Parsing JSON-RPC response failed: no 'result' value found.\n")); -+ fprintf(stderr, _("Parsing JSON-RPC response failed: no 'result' value found.\n")); - - rval = 17; - goto cleanup; -@@ -897,8 +892,7 @@ jsonrpc_parse_join_response(const char *payload, join_info *join_i, bool quiet) - &tmp_hostdn, - "krbprincipalname", &tmp_princ, - "krblastpwdchange", &tmp_pwdch) != 0) { -- if (debug) -- fprintf(stderr, _("Extracting the data from the JSON-RPC response failed: %s\n"), j_error.text); -+ fprintf(stderr, _("Extracting the data from the JSON-RPC response failed: %s\n"), j_error.text); - - rval = 17; - goto cleanup; -@@ -941,8 +935,7 @@ join_krb5_jsonrpc(const char *ipaserver, const char *hostname, char **hostdn, co - "nshardwareplatform", uinfo.machine); - - if (!json_req) { -- if (debug) -- fprintf(stderr, _("json_pack_ex() failed: %s\n"), j_error.text); -+ fprintf(stderr, _("json_pack_ex() failed: %s\n"), j_error.text); - - rval = 17; - goto cleanup; -@@ -990,8 +983,7 @@ jsonrpc_parse_unenroll_response(const char *payload, bool* result, bool quiet) { - - if (json_unpack_ex(j_result_obj, &j_error, 0, "{s:b}", - "result", result) != 0) { -- if (debug) -- fprintf(stderr, _("Extracting the data from the JSON-RPC response failed: %s\n"), j_error.text); -+ fprintf(stderr, _("Extracting the data from the JSON-RPC response failed: %s\n"), j_error.text); - - rval = 20; - 
goto cleanup; -@@ -1021,8 +1013,7 @@ jsonrpc_unenroll_host(const char *ipaserver, const char *host, bool quiet) { - host); - - if (!json_req) { -- if (debug) -- fprintf(stderr, _("json_pack_ex() failed: %s\n"), j_error.text); -+ fprintf(stderr, _("json_pack_ex() failed: %s\n"), j_error.text); - - rval = 17; - goto cleanup; --- -2.34.1 - diff --git a/0009-Enable-the-ccache-sweep-timer-during-installation_rhbz#2051575.patch b/0009-Enable-the-ccache-sweep-timer-during-installation_rhbz#2051575.patch deleted file mode 100644 index ef581d8..0000000 --- a/0009-Enable-the-ccache-sweep-timer-during-installation_rhbz#2051575.patch +++ /dev/null 
@@ -1,118 +0,0 @@ -From 9b6d0bb1245c4891ccc270f360d0f72a4b1444c1 Mon Sep 17 00:00:00 2001 -From: Rob Crittenden -Date: Mon, 7 Feb 2022 10:39:55 -0500 -Subject: [PATCH] Enable the ccache sweep timer during installation - -The timer was only being enabled during package installation -if IPA was configured. So effectively only on upgrade. - -Add as a separate installation step after the ccache directory -is configured. - -Fixes: https://pagure.io/freeipa/issue/9107 - -Signed-off-by: Rob Crittenden -Reviewed-By: Alexander Bokovoy ---- - ipaserver/install/httpinstance.py | 7 +++++++ - 1 file changed, 7 insertions(+) - -diff --git a/ipaserver/install/httpinstance.py b/ipaserver/install/httpinstance.py -index 732bb58d4..50ccf5e50 100644 ---- a/ipaserver/install/httpinstance.py -+++ b/ipaserver/install/httpinstance.py -@@ -140,6 +140,8 @@ class HTTPInstance(service.Service): - self.step("publish CA cert", self.__publish_ca_cert) - self.step("clean up any existing httpd ccaches", - self.remove_httpd_ccaches) -+ self.step("enable ccache sweep", -+ self.enable_ccache_sweep) - self.step("configuring SELinux for httpd", self.configure_selinux_for_httpd) - if not self.is_kdcproxy_configured(): - self.step("create KDC proxy config", self.create_kdcproxy_conf) -@@ -177,6 +179,11 @@ class HTTPInstance(service.Service): - [paths.SYSTEMD_TMPFILES, '--create', '--prefix', paths.IPA_CCACHES] - ) - -+ def enable_ccache_sweep(self): -+ ipautil.run( -+ [paths.SYSTEMCTL, 'enable', 'ipa-ccache-sweep.timer'] -+ ) -+ - def __configure_http(self): - self.update_httpd_service_ipa_conf() - self.update_httpd_wsgi_conf() --- -2.34.1 - -From 0d9eb3d515385412abefe9c33e0099ea14f33cbc Mon Sep 17 00:00:00 2001 -From: Mohammad Rizwan -Date: Wed, 9 Feb 2022 18:56:21 +0530 -Subject: [PATCH] Test ipa-ccache-sweep.timer enabled by default during - installation - -This test checks that ipa-ccache-sweep.timer is enabled by default -during the ipa installation. 
- -related: https://pagure.io/freeipa/issue/9107 - -Signed-off-by: Mohammad Rizwan -Reviewed-By: Alexander Bokovoy ---- - .../test_integration/test_installation.py | 19 +++++++++++++++++-- - 1 file changed, 17 insertions(+), 2 deletions(-) - -diff --git a/ipatests/test_integration/test_installation.py b/ipatests/test_integration/test_installation.py -index f2d372c0c..63edbaa2b 100644 ---- a/ipatests/test_integration/test_installation.py -+++ b/ipatests/test_integration/test_installation.py -@@ -475,7 +475,7 @@ class TestInstallCA(IntegrationTest): - - # Tweak sysrestore.state to drop installation section - self.master.run_command( -- ['sed','-i', r's/\[installation\]/\[badinstallation\]/', -+ ['sed', '-i', r's/\[installation\]/\[badinstallation\]/', - os.path.join(paths.SYSRESTORE, SYSRESTORE_STATEFILE)]) - - # Re-run installation check and it should fall back to old method -@@ -485,7 +485,7 @@ class TestInstallCA(IntegrationTest): - - # Restore installation section. - self.master.run_command( -- ['sed','-i', r's/\[badinstallation\]/\[installation\]/', -+ ['sed', '-i', r's/\[badinstallation\]/\[installation\]/', - os.path.join(paths.SYSRESTORE, SYSRESTORE_STATEFILE)]) - - # Uninstall and confirm that the old method reports correctly -@@ -690,6 +690,7 @@ def get_pki_tomcatd_pid(host): - break - return(pid) - -+ - def get_ipa_services_pids(host): - ipa_services_name = [ - "krb5kdc", "kadmin", "named", "httpd", "ipa-custodia", -@@ -1309,6 +1310,20 @@ class TestInstallMasterKRA(IntegrationTest): - def test_install_master(self): - tasks.install_master(self.master, setup_dns=False, setup_kra=True) - -+ def test_ipa_ccache_sweep_timer_enabled(self): -+ """Test ipa-ccache-sweep.timer enabled by default during installation -+ -+ This test checks that ipa-ccache-sweep.timer is enabled by default -+ during the ipa installation. 
-+ -+ related: https://pagure.io/freeipa/issue/9107 -+ """ -+ result = self.master.run_command( -+ ['systemctl', 'is-enabled', 'ipa-ccache-sweep.timer'], -+ raiseonerr=False -+ ) -+ assert 'enabled' in result.stdout_text -+ - def test_install_dns(self): - tasks.install_dns(self.master) - --- -2.34.1 - diff --git a/0010-ipatests-remove-additional-check-for-failed-units_rhbz#2053024.patch b/0010-ipatests-remove-additional-check-for-failed-units_rhbz#2053024.patch deleted file mode 100644 index c384f15..0000000 --- a/0010-ipatests-remove-additional-check-for-failed-units_rhbz#2053024.patch +++ /dev/null @@ -1,31 +0,0 @@ -From b36bcf4ea5ed93baa4dc63f8e2be542d678211fb Mon Sep 17 00:00:00 2001 -From: Anuja More -Date: Thu, 10 Feb 2022 18:49:06 +0530 -Subject: [PATCH] ipatests: remove additional check for failed units. - -On RHEL tests are randomly failing because of this check -and the test doesn't need to check this. - -Related : https://pagure.io/freeipa/issue/9108 - -Signed-off-by: Anuja More -Reviewed-By: Florence Blanc-Renaud ---- - ipatests/test_integration/test_otp.py | 1 - - 1 file changed, 1 deletion(-) - -diff --git a/ipatests/test_integration/test_otp.py b/ipatests/test_integration/test_otp.py -index d8ce527ca..6e70ddcb3 100644 ---- a/ipatests/test_integration/test_otp.py -+++ b/ipatests/test_integration/test_otp.py -@@ -316,7 +316,6 @@ class TestOTPToken(IntegrationTest): - check_services = self.master.run_command( - ['systemctl', 'list-units', '--state=failed'] - ) -- assert "0 loaded units listed" in check_services.stdout_text - assert "ipa-otpd" not in check_services.stdout_text - # Be sure no services are running and failed units - self.master.run_command(['killall', 'ipa-otpd'], raiseonerr=False) --- -2.34.1 - diff --git a/0011-ipa_cldap-fix-memory-leak_rhbz#2032738.patch b/0011-ipa_cldap-fix-memory-leak_rhbz#2032738.patch deleted file mode 100644 index 3c8109e..0000000 --- a/0011-ipa_cldap-fix-memory-leak_rhbz#2032738.patch +++ /dev/null 
@@ -1,38 +0,0 @@ -From 186ebe311bc9545d7a9860cd5e8c748131bbe41e Mon Sep 17 00:00:00 2001 -From: Francisco Trivino -Date: Thu, 10 Feb 2022 14:23:12 +0100 -Subject: [PATCH] ipa_cldap: fix memory leak - -ipa_cldap_encode_netlogon() allocates memory to store binary data as part of -berval (bv_val) when processing a CLDAP packet request from a worker. The -data is used by ipa_cldap_respond() but bv_val is not freed later on. - -This commit is adding the corresponding free() after ipa_cldap_respond() -is completed. - -Discovered by LeakSanitizer - -Fixes: https://pagure.io/freeipa/issue/9110 -Signed-off-by: Francisco Trivino -Reviewed-By: Alexander Bokovoy -Reviewed-By: Rob Crittenden -Reviewed-By: Thierry Bordaz ---- - daemons/ipa-slapi-plugins/ipa-cldap/ipa_cldap_worker.c | 1 + - 1 file changed, 1 insertion(+) - -diff --git a/daemons/ipa-slapi-plugins/ipa-cldap/ipa_cldap_worker.c b/daemons/ipa-slapi-plugins/ipa-cldap/ipa_cldap_worker.c -index db4a3d061..252bcf647 100644 ---- a/daemons/ipa-slapi-plugins/ipa-cldap/ipa_cldap_worker.c -+++ b/daemons/ipa-slapi-plugins/ipa-cldap/ipa_cldap_worker.c -@@ -287,6 +287,7 @@ done: - ipa_cldap_respond(ctx, req, &reply); - - ipa_cldap_free_kvps(&req->kvps); -+ free(reply.bv_val); - free(req); - return; - } --- -2.34.1 - diff --git a/0012-ipatests-fix-TestOTPToken-test_check_otpd_after_idle_timeout_rhbz#2053024.patch b/0012-ipatests-fix-TestOTPToken-test_check_otpd_after_idle_timeout_rhbz#2053024.patch deleted file mode 100644 index e7081cd..0000000 --- a/0012-ipatests-fix-TestOTPToken-test_check_otpd_after_idle_timeout_rhbz#2053024.patch +++ /dev/null 
@@ -1,40 +0,0 @@ -From 4c54e9d6ddb72eab6f654bf3dc2d29f27498ac96 Mon Sep 17 00:00:00 2001 -From: Florence Blanc-Renaud -Date: Sun, 5 Dec 2021 17:38:58 +0100 -Subject: [PATCH] ipatests: fix - TestOTPToken::test_check_otpd_after_idle_timeout - -The test sets 389-ds nsslapd-idletimeout to 60s, then does a -kinit with an otp token (which makes ipa-otpd create a LDAP -connection), then sleeps for 60s. The expectation is that -ns-slapd will detect that the LDAP conn from ipa-otpd is idle -and close the connection. -According to 389ds doc, the idle timeout is enforced when the -connection table is walked. By doing a ldapsearch, the test -"wakes up" ns-slapd and forces the detection of ipa-otpd -idle connection. - -Fixes: https://pagure.io/freeipa/issue/9044 -Signed-off-by: Florence Blanc-Renaud -Reviewed-By: Anuja More ---- - ipatests/test_integration/test_otp.py | 3 +++ - 1 file changed, 3 insertions(+) - -diff --git a/ipatests/test_integration/test_otp.py b/ipatests/test_integration/test_otp.py -index 353470897..d8ce527ca 100644 ---- a/ipatests/test_integration/test_otp.py -+++ b/ipatests/test_integration/test_otp.py -@@ -354,6 +354,9 @@ class TestOTPToken(IntegrationTest): - otpvalue = totp.generate(int(time.time())).decode("ascii") - kinit_otp(self.master, USER, password=PASSWORD, otp=otpvalue) - time.sleep(60) -+ # ldapsearch will wake up slapd and force walking through -+ # the connection list, in order to spot the idle connections -+ tasks.ldapsearch_dm(self.master, "", ldap_args=[], scope="base") - - def test_cb(cmd_jornalctl): - # check if LDAP connection is timed out --- -2.34.1 - diff --git a/0013-Backport_test_fixes_in_python3_ipatests_rhbz#2057505.patch b/0013-Backport_test_fixes_in_python3_ipatests_rhbz#2057505.patch deleted file mode 100644 index fc37fb1..0000000 --- a/0013-Backport_test_fixes_in_python3_ipatests_rhbz#2057505.patch +++ /dev/null 
@@ -1,407 +0,0 @@ -From 6b70e3c49acc55b5553101cf850fc40978861979 Mon Sep 17 00:00:00 2001 -From: Anuja More -Date: Mon, 17 Jan 2022 16:57:52 +0530 -Subject: [PATCH] ipatests: Tests for Autoprivate group. - -Added tests using posix AD trust and non posix AD trust. -For option --auto-private-groups=[hybrid/true/false] - -Related : https://pagure.io/freeipa/issue/8807 - -Signed-off-by: Anuja More -Reviewed-By: Florence Blanc-Renaud -Reviewed-By: Anuja More ---- - .../nightly_ipa-4-9_latest.yaml | 2 +- - .../nightly_ipa-4-9_latest_selinux.yaml | 2 +- - .../nightly_ipa-4-9_previous.yaml | 2 +- - ipatests/test_integration/test_trust.py | 242 +++++++++++++++++- - 4 files changed, 240 insertions(+), 8 deletions(-) - -diff --git a/ipatests/prci_definitions/nightly_ipa-4-9_latest.yaml b/ipatests/prci_definitions/nightly_ipa-4-9_latest.yaml -index 6817421b2..8b1f58c4d 100644 ---- a/ipatests/prci_definitions/nightly_ipa-4-9_latest.yaml -+++ b/ipatests/prci_definitions/nightly_ipa-4-9_latest.yaml -@@ -1627,7 +1627,7 @@ jobs: - build_url: '{fedora-latest-ipa-4-9/build_url}' - test_suite: test_integration/test_trust.py - template: *ci-ipa-4-9-latest -- timeout: 9000 -+ timeout: 10000 - topology: *adroot_adchild_adtree_master_1client - - fedora-latest-ipa-4-9/test_backup_and_restore_TestBackupAndRestoreTrust: -diff --git a/ipatests/prci_definitions/nightly_ipa-4-9_latest_selinux.yaml b/ipatests/prci_definitions/nightly_ipa-4-9_latest_selinux.yaml -index 817329756..a11376ab8 100644 ---- a/ipatests/prci_definitions/nightly_ipa-4-9_latest_selinux.yaml -+++ b/ipatests/prci_definitions/nightly_ipa-4-9_latest_selinux.yaml -@@ -1743,7 +1743,7 @@ jobs: - selinux_enforcing: True - test_suite: test_integration/test_trust.py - template: *ci-ipa-4-9-latest -- timeout: 9000 -+ timeout: 10000 - topology: *adroot_adchild_adtree_master_1client - - fedora-latest-ipa-4-9/test_backup_and_restore_TestBackupAndRestoreTrust: -diff --git a/ipatests/prci_definitions/nightly_ipa-4-9_previous.yaml 
b/ipatests/prci_definitions/nightly_ipa-4-9_previous.yaml -index 4196265c7..3f8ce8b76 100644 ---- a/ipatests/prci_definitions/nightly_ipa-4-9_previous.yaml -+++ b/ipatests/prci_definitions/nightly_ipa-4-9_previous.yaml -@@ -1627,7 +1627,7 @@ jobs: - build_url: '{fedora-previous-ipa-4-9/build_url}' - test_suite: test_integration/test_trust.py - template: *ci-ipa-4-9-previous -- timeout: 9000 -+ timeout: 10000 - topology: *adroot_adchild_adtree_master_1client - - fedora-previous-ipa-4-9/test_backup_and_restore_TestBackupAndRestoreTrust: -diff --git a/ipatests/test_integration/test_trust.py b/ipatests/test_integration/test_trust.py -index 0634badbb..ff2dd9cc8 100644 ---- a/ipatests/test_integration/test_trust.py -+++ b/ipatests/test_integration/test_trust.py -@@ -62,11 +62,12 @@ class BaseTestTrust(IntegrationTest): - cls.check_sid_generation() - tasks.sync_time(cls.master, cls.ad) - -- cls.child_ad = cls.ad_subdomains[0] -- cls.ad_subdomain = cls.child_ad.domain.name -- cls.tree_ad = cls.ad_treedomains[0] -- cls.ad_treedomain = cls.tree_ad.domain.name -- -+ if cls.num_ad_subdomains > 0: -+ cls.child_ad = cls.ad_subdomains[0] -+ cls.ad_subdomain = cls.child_ad.domain.name -+ if cls.num_ad_treedomains > 0: -+ cls.tree_ad = cls.ad_treedomains[0] -+ cls.ad_treedomain = cls.tree_ad.domain.name - # values used in workaround for - # https://bugzilla.redhat.com/show_bug.cgi?id=1711958 - cls.srv_gc_record_name = \ -@@ -106,6 +107,63 @@ class BaseTestTrust(IntegrationTest): - expected_text = 'iparangetype: %s\n' % expected_type - assert expected_text in result.stdout_text - -+ def mod_idrange_auto_private_group( -+ self, option='false' -+ ): -+ """ -+ Set the auto-private-group option of the default trusted -+ AD domain range. 
-+ """ -+ tasks.kinit_admin(self.master) -+ rangename = self.ad_domain.upper() + '_id_range' -+ error_msg = "ipa: ERROR: no modifications to be performed" -+ cmd = ["ipa", "idrange-mod", rangename, -+ "--auto-private-groups", option] -+ result = self.master.run_command(cmd, raiseonerr=False) -+ if result.returncode != 0: -+ tasks.assert_error(result, error_msg) -+ tasks.clear_sssd_cache(self.master) -+ tasks.clear_sssd_cache(self.clients[0]) -+ test = self.master.run_command(["ipa", "idrange-show", rangename]) -+ assert "Auto private groups: {0}".format(option) in test.stdout_text -+ -+ def get_user_id(self, host, username): -+ """ -+ User uid gid is parsed from the output of id user command. -+ """ -+ tasks.clear_sssd_cache(self.master) -+ tasks.clear_sssd_cache(self.clients[0]) -+ self.master.run_command(["id", username]) -+ test_id = host.run_command(["id", username]) -+ regex = r"^uid=(?P\d+).*gid=(?P\d+).*groups=(?P\d+)" -+ match = re.match(regex, test_id.stdout_text) -+ uid = match.group('uid') -+ gid = match.group('gid') -+ return uid, gid -+ -+ @contextmanager -+ def set_idoverrideuser(self, user, uid, gid): -+ """ -+ Fixture to add/remove idoverrideuser for default idview, -+ also creates idm group with the provided gid because -+ gid overrides requires an existing group. 
-+ """ -+ tasks.clear_sssd_cache(self.master) -+ tasks.clear_sssd_cache(self.clients[0]) -+ tasks.kinit_admin(self.master) -+ try: -+ args = ["ipa", "idoverrideuser-add", "Default Trust View", -+ "--gid", gid, "--uid", uid, user] -+ self.master.run_command(args) -+ tasks.group_add(self.master, "idgroup", -+ extra_args=["--gid", gid]) -+ yield -+ finally: -+ self.master.run_command([ -+ "ipa", "idoverrideuser-del", "Default Trust View", user] -+ ) -+ self.master.run_command(["ipa", "group-del", "idgroup"]) -+ - def remove_trust(self, ad): - tasks.remove_trust_with_ad(self.master, - ad.domain.name, ad.hostname) -@@ -993,3 +1051,177 @@ class TestTrust(BaseTestTrust): - self.master.run_command(['rm', '-f', ad_zone_file]) - tasks.configure_dns_for_trust(self.master, self.ad) - self.remove_trust(self.ad) -+ -+ -+class TestNonPosixAutoPrivateGroup(BaseTestTrust): -+ """ -+ Tests for auto-private-groups option with non posix AD trust -+ Related : https://pagure.io/freeipa/issue/8807 -+ """ -+ topology = 'line' -+ num_ad_domains = 1 -+ num_clients = 1 -+ num_ad_subdomains = 0 -+ num_ad_treedomains = 0 -+ uid_override = "99999999" -+ gid_override = "78878787" -+ -+ def test_add_nonposix_trust(self): -+ tasks.configure_dns_for_trust(self.master, self.ad) -+ tasks.establish_trust_with_ad( -+ self.master, self.ad_domain, -+ extra_args=['--range-type', 'ipa-ad-trust']) -+ -+ @pytest.mark.parametrize('type', ['hybrid', 'true', "false"]) -+ def test_auto_private_groups_default_trusted_range(self, type): -+ """ -+ Modify existing range for default trusted AD domain range -+ with auto-private-groups set as true/hybrid/false and test -+ user with no posix attributes. 
-+ """ -+ self.mod_idrange_auto_private_group(type) -+ nonposixuser = "nonposixuser@%s" % self.ad_domain -+ (uid, gid) = self.get_user_id(self.clients[0], nonposixuser) -+ if type == "true": -+ assert uid == gid -+ else: -+ test_group = self.clients[0].run_command(["id", nonposixuser]) -+ gid_str = "gid={0}(domain users@{1})".format(gid, self.ad_domain) -+ grp_str = "groups={0}(domain users@{1})".format(gid, -+ self.ad_domain) -+ assert gid_str in test_group.stdout_text -+ assert grp_str in test_group.stdout_text -+ assert uid != gid -+ -+ @pytest.mark.parametrize('type', ['hybrid', 'true', "false"]) -+ def test_idoverride_with_auto_private_group(self, type): -+ """ -+ Override ad trusted user in default trust view -+ and set auto-private-groups=[hybrid,true,false] -+ and ensure that overridden values takes effect. -+ """ -+ nonposixuser = "nonposixuser@%s" % self.ad_domain -+ with self.set_idoverrideuser(nonposixuser, -+ self.uid_override, -+ self.gid_override -+ ): -+ self.mod_idrange_auto_private_group(type) -+ (uid, gid) = self.get_user_id(self.clients[0], nonposixuser) -+ assert (uid == self.uid_override and gid == self.gid_override) -+ test_group = self.clients[0].run_command( -+ ["id", nonposixuser]).stdout_text -+ assert "domain users@{0}".format(self.ad_domain) in test_group -+ -+ @pytest.mark.parametrize('type', ['hybrid', 'true', "false"]) -+ def test_nonposixuser_nondefault_primary_group(self, type): -+ """ -+ Test for non default primary group. -+ For hybrid/false gid corresponds to the group testgroup1. 
-+ """ -+ nonposixuser1 = "nonposixuser1@%s" % self.ad_domain -+ self.mod_idrange_auto_private_group(type) -+ (uid, gid) = self.get_user_id(self.clients[0], nonposixuser1) -+ if type == "true": -+ assert uid == gid -+ else: -+ test_group = self.clients[0].run_command(["id", nonposixuser1]) -+ gid_str = "gid={0}(testgroup1@{1})".format(gid, self.ad_domain) -+ group = "groups={0}(testgroup1@{1})".format(gid, self.ad_domain) -+ assert (gid_str in test_group.stdout_text -+ and group in test_group.stdout_text) -+ -+ -+class TestPosixAutoPrivateGroup(BaseTestTrust): -+ """ -+ Tests for auto-private-groups option with posix AD trust -+ Related : https://pagure.io/freeipa/issue/8807 -+ """ -+ topology = 'line' -+ num_ad_domains = 1 -+ num_clients = 1 -+ num_ad_subdomains = 0 -+ num_ad_treedomains = 0 -+ uid_override = "99999999" -+ gid_override = "78878787" -+ -+ def test_add_posix_trust(self): -+ tasks.configure_dns_for_trust(self.master, self.ad) -+ tasks.establish_trust_with_ad( -+ self.master, self.ad_domain, -+ extra_args=['--range-type', 'ipa-ad-trust-posix']) -+ -+ @pytest.mark.parametrize('type', ['hybrid', 'true', "false"]) -+ def test_gidnumber_not_corresponding_existing_group(self, type): -+ """ -+ Test checks that sssd can resolve AD users which -+ contain posix attributes (uidNumber and gidNumber) -+ but there is no group with the corresponding gidNumber. 
-+ """ -+ posixuser = "testuser2@%s" % self.ad_domain -+ self.mod_idrange_auto_private_group(type) -+ if type != "true": -+ result = self.clients[0].run_command(['id', posixuser], -+ raiseonerr=False) -+ tasks.assert_error(result, "no such user") -+ else: -+ (uid, gid) = self.get_user_id(self.clients[0], posixuser) -+ assert uid == gid -+ assert uid == '10060' -+ -+ @pytest.mark.parametrize('type', ['hybrid', 'true', "false"]) -+ def test_only_uid_number_auto_private_group_default(self, type): -+ """ -+ Test checks that posix user with only uidNumber defined -+ and gidNumber not set, auto-private-group -+ is set to false/true/hybrid -+ """ -+ posixuser = "testuser1@%s" % self.ad_domain -+ self.mod_idrange_auto_private_group(type) -+ if type == "true": -+ (uid, gid) = self.get_user_id(self.clients[0], posixuser) -+ assert uid == gid -+ else: -+ for host in [self.master, self.clients[0]]: -+ result = host.run_command(['id', posixuser], raiseonerr=False) -+ tasks.assert_error(result, "no such user") -+ -+ @pytest.mark.parametrize('type', ['hybrid', 'true', "false"]) -+ def test_auto_private_group_primary_group(self, type): -+ """ -+ Test checks that AD users which contain posix attributes -+ (uidNumber and gidNumber) and there is primary group -+ with gid number defined. 
-+ """ -+ posixuser = "testuser@%s" % self.ad_domain -+ self.mod_idrange_auto_private_group(type) -+ (uid, gid) = self.get_user_id(self.clients[0], posixuser) -+ test_grp = self.clients[0].run_command(["id", posixuser]) -+ assert uid == '10042' -+ if type == "true": -+ assert uid == gid -+ groups = "groups=10042(testuser@{0}),10047(testgroup@{1})".format( -+ self.ad_domain, self.ad_domain) -+ assert groups in test_grp.stdout_text -+ else: -+ assert gid == '10047' -+ groups = "10047(testgroup@{0})".format(self.ad_domain) -+ assert groups in test_grp.stdout_text -+ -+ @pytest.mark.parametrize('type', ['hybrid', 'true', "false"]) -+ def test_idoverride_with_auto_private_group(self, type): -+ """ -+ Override ad trusted user in default trust view -+ and set auto-private-groups=[hybrid,true,false] -+ and ensure that overridden values takes effect. -+ """ -+ posixuser = "testuser@%s" % self.ad_domain -+ with self.set_idoverrideuser(posixuser, -+ self.uid_override, -+ self.gid_override): -+ self.mod_idrange_auto_private_group(type) -+ (uid, gid) = self.get_user_id(self.clients[0], posixuser) -+ assert(uid == self.uid_override -+ and gid == self.gid_override) -+ result = self.clients[0].run_command(['id', posixuser]) -+ assert "10047(testgroup@{0})".format( -+ self.ad_domain) in result.stdout_text --- -2.35.1 - -From 84381001d2e114b1f29fe89e16155c040b56b80f Mon Sep 17 00:00:00 2001 -From: Anuja More -Date: Thu, 10 Feb 2022 17:07:45 +0530 -Subject: [PATCH] mark xfail for - test_idoverride_with_auto_private_group[hybrid] - -Related : https://github.com/SSSD/sssd/issues/5989 - -Signed-off-by: Anuja More -Reviewed-By: Florence Blanc-Renaud -Reviewed-By: Anuja More ---- - ipatests/test_integration/test_trust.py | 7 ++++++- - 1 file changed, 6 insertions(+), 1 deletion(-) - -diff --git a/ipatests/test_integration/test_trust.py b/ipatests/test_integration/test_trust.py -index ff2dd9cc8..54bd15462 100644 ---- a/ipatests/test_integration/test_trust.py -+++ 
b/ipatests/test_integration/test_trust.py -@@ -15,6 +15,7 @@ from ipaplatform.paths import paths - from ipatests.test_integration.base import IntegrationTest - from ipatests.pytest_ipa.integration import tasks - from ipatests.pytest_ipa.integration import fips -+from ipatests.util import xfail_context - from ipapython.dn import DN - from collections import namedtuple - from contextlib import contextmanager -@@ -1110,7 +1111,11 @@ class TestNonPosixAutoPrivateGroup(BaseTestTrust): - assert (uid == self.uid_override and gid == self.gid_override) - test_group = self.clients[0].run_command( - ["id", nonposixuser]).stdout_text -- assert "domain users@{0}".format(self.ad_domain) in test_group -+ version = tasks.get_sssd_version(self.clients[0]) -+ with xfail_context(version <= tasks.parse_version('2.6.3') -+ and type == "hybrid", -+ 'https://github.com/SSSD/sssd/issues/5989'): -+ assert "domain users@{0}".format(self.ad_domain) in test_group - - @pytest.mark.parametrize('type', ['hybrid', 'true', "false"]) - def test_nonposixuser_nondefault_primary_group(self, type): --- -2.35.1 - -From 7ad500e5d3f7d9af81e8a3137158672c6fafb0b4 Mon Sep 17 00:00:00 2001 -From: Anuja More -Date: Thu, 10 Feb 2022 17:29:45 +0530 -Subject: [PATCH] Mark xfail - test_gidnumber_not_corresponding_existing_group[true,hybrid] - -Related : https://github.com/SSSD/sssd/issues/5988 - -Signed-off-by: Anuja More -Reviewed-By: Florence Blanc-Renaud -Reviewed-By: Anuja More ---- - ipatests/test_integration/test_trust.py | 9 ++++++--- - 1 file changed, 6 insertions(+), 3 deletions(-) - -diff --git a/ipatests/test_integration/test_trust.py b/ipatests/test_integration/test_trust.py -index 54bd15462..c12837815 100644 ---- a/ipatests/test_integration/test_trust.py -+++ b/ipatests/test_integration/test_trust.py -@@ -1169,9 +1169,12 @@ class TestPosixAutoPrivateGroup(BaseTestTrust): - raiseonerr=False) - tasks.assert_error(result, "no such user") - else: -- (uid, gid) = self.get_user_id(self.clients[0], 
posixuser)
-- assert uid == gid
-- assert uid == '10060'
-+ sssd_version = tasks.get_sssd_version(self.clients[0])
-+ with xfail_context(sssd_version <= tasks.parse_version('2.6.3'),
-+ 'https://github.com/SSSD/sssd/issues/5988'):
-+ (uid, gid) = self.get_user_id(self.clients[0], posixuser)
-+ assert uid == gid
-+ assert uid == '10060'
- @pytest.mark.parametrize('type', ['hybrid', 'true', "false"])
- def test_only_uid_number_auto_private_group_default(self, type):
---
-2.35.1
-
diff --git a/1004-Revert-DNSResolver-Fix-use-of-nameservers-with-ports.patch b/1004-Revert-DNSResolver-Fix-use-of-nameservers-with-ports.patch
index d5fe2d3..ef09a82 100644
--- a/1004-Revert-DNSResolver-Fix-use-of-nameservers-with-ports.patch
+++ b/1004-Revert-DNSResolver-Fix-use-of-nameservers-with-ports.patch
@@ -4,20 +4,20 @@ Date: Mon, 19 Dec 2022 14:57:03 -0300
Subject: [PATCH] Revert "DNSResolver: Fix use of nameservers with ports"
This reverts commit 5e2e4664aec641886923c2bec61ce25b96edb62a.
----
- ipapython/dnsutil.py | 41 -------------------------
- ipatests/test_ipapython/test_dnsutil.py | 40 ------------------------
- 2 files changed, 81 deletions(-)
diff --git a/ipapython/dnsutil.py b/ipapython/dnsutil.py
index 58de365ab..4baeaf8cc 100644
---- a/ipapython/dnsutil.py
-+++ b/ipapython/dnsutil.py
-@@ -144,47 +144,6 @@ class DNSResolver(dns.resolver.Resolver):
+--- a/ipapython/dnsutil.py 2023-05-19 05:12:52.471239297 -0300
++++ b/ipapython/dnsutil.py 2023-05-24 12:20:13.588867053 -0300
+@@ -145,55 +145,6 @@
nameservers.remove(ipv4_loopback)
self.nameservers = nameservers
-- @dns.resolver.Resolver.nameservers.setter
+- @property
+- def nameservers(self):
+- return self._nameservers
+-
+- @nameservers.setter
- def nameservers(self, nameservers):
- """
- *nameservers*, a ``list`` of nameservers with optional ports:
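Review bot: The regenerated inner headers `+--- a/ipapython/dnsutil.py 2023-05-19 05:12:52.471239297 -0300` / `++++ b/ipapython/dnsutil.py 2023-05-24 12:20:13.588867053 -0300` carry local timestamps, and the diffstat lines here plus the `-- 2.38.1` trailer in the `@@ -109,6 +118,3 @@` hunk are dropped, which suggests the patch was rebuilt with plain `diff -u` rather than `git format-patch`; the file then no longer summarises what it touches, and tooling that relies on the format-patch trailer presumably loses that metadata. The new inner hunk header `+@@ -145,55 +145,6 @@` also loses the `class DNSResolver(dns.resolver.Resolver):` context the old one had, so a reader cannot tell which class the removed `nameservers` property belongs to without opening the file. The description line `This reverts commit 5e2e4664aec641886923c2bec61ce25b96edb62a.` is kept unchanged although the reverted block now also removes the `@property` getter and, in the `@@ -54,7 +54,11 @@` hunk, the `hasattr(dns.resolver.Resolver, "nameservers")` fallback, which appear to come from later upstream changes; I would regenerate the file with `git format-patch` and add a sentence to the description naming the additional upstream change(s) being reverted, e.g. `Also drops the dnspython<2 compatibility fallback and the configure=False test fixture added on top of it.`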
@@ -54,7 +54,11 @@ index 58de365ab..4baeaf8cc 100644
- nameservers = _nameservers
-
- # Call dns.resolver.Resolver.nameservers setter
-- dns.resolver.Resolver.nameservers.__set__(self, nameservers)
+- if hasattr(dns.resolver.Resolver, "nameservers"):
+- dns.resolver.Resolver.nameservers.__set__(self, nameservers)
+- else:
+- # old dnspython (<2) doesn't have 'nameservers' property
+- self._nameservers = nameservers
- # Set nameserver_ports after successfull call to setter
- self.nameserver_ports = nameserver_ports
-
@@ -62,23 +66,29 @@ index 58de365ab..4baeaf8cc 100644
class DNSZoneAlreadyExists(dns.exception.DNSException):
supp_kwargs = {'zone', 'ns'}
diff --git a/ipatests/test_ipapython/test_dnsutil.py b/ipatests/test_ipapython/test_dnsutil.py
-index 09463c69d..5e7a46197 100644
+index 9070d89ad..5e7a46197 100644
--- a/ipatests/test_ipapython/test_dnsutil.py
+++ b/ipatests/test_ipapython/test_dnsutil.py
-@@ -101,43 +101,3 @@ class TestSortURI:
+@@ -101,48 +101,3 @@ class TestSortURI:
assert dnsutil.sort_prio_weight([h3, h2, h1]) == [h1, h2, h3]
assert dnsutil.sort_prio_weight([h3, h3, h3]) == [h3]
assert dnsutil.sort_prio_weight([h2, h2, h1, h1]) == [h1, h2]
-
-
-class TestDNSResolver:
-- def test_nameservers(self):
-- res = dnsutil.DNSResolver()
+- @pytest.fixture(name="res")
+- def resolver(self):
+- """Resolver that doesn't read /etc/resolv.conf
+-
+- /etc/resolv.conf is not mandatory on systems
+- """
+- return dnsutil.DNSResolver(configure=False)
+-
+- def test_nameservers(self, res):
- res.nameservers = ["4.4.4.4", "8.8.8.8"]
- assert res.nameservers == ["4.4.4.4", "8.8.8.8"]
-
-- def test_nameservers_with_ports(self):
-- res = dnsutil.DNSResolver()
+- def test_nameservers_with_ports(self, res):
- res.nameservers = ["4.4.4.4 port 53", "8.8.8.8 port 8053"]
- assert res.nameservers == ["4.4.4.4", "8.8.8.8"]
- assert res.nameserver_ports == {"4.4.4.4": 53, "8.8.8.8": 8053}
@@ -87,8 +97,7 @@ index 09463c69d..5e7a46197 100644 - assert res.nameservers == ["4.4.4.4", "8.8.8.8"] - assert res.nameserver_ports == {"4.4.4.4": 53, "8.8.8.8": 8053} - -- def test_nameservers_with_bad_ports(self): -- res = dnsutil.DNSResolver() +- def test_nameservers_with_bad_ports(self, res): - try: - res.nameservers = ["4.4.4.4 port a"] - except ValueError: @@ -109,6 +118,3 @@ index 09463c69d..5e7a46197 100644 - pass - else: - pytest.fail("No fail on bad port 65536") --- -2.38.1 - diff --git a/1101-Harden-FreeIPA-KDC-processing-of-PAC-buffers-20211130.patch b/1101-Harden-FreeIPA-KDC-processing-of-PAC-buffers-20211130.patch deleted file mode 100644 index 48bb8e0..0000000 --- a/1101-Harden-FreeIPA-KDC-processing-of-PAC-buffers-20211130.patch +++ /dev/null 
@@ -1,122 +0,0 @@ -From 7d93bda31ce0b4e0e22c6e464c9138800dcf8b1c Mon Sep 17 00:00:00 2001 -From: Alexander Bokovoy -Date: Fri, 26 Nov 2021 11:13:51 +0200 -Subject: [PATCH] ipa-kdb: fix requester SID check according to MS-KILE and - MS-SFU updates - -New versions of MS-KILE and MS-SFU after Windows Server November 2021 -security updates add PAC_REQUESTER_SID buffer check behavior: - - - PAC_REQUESTER_SID should only be added for TGT requests - - - if PAC_REQUESTER_SID is present, KDC must verify that the cname on - the ticket resolves to the account with the same SID as the - PAC_REQUESTER_SID. If it doesn't KDC must respond with - KDC_ERR_TKT_REVOKED - -Change requester SID check to skip exact check for non-local -PAC_REQUESTER_SID but harden to ensure it comes from the trusted domains -we know about. - -If requester SID is the same as in PAC, we already do cname vs PAC SID -verification. - -With these changes FreeIPA works against Windows Server 2019 with -November 2021 security fixes in cross-realm S4U2Self operations. - -Fixes: https://pagure.io/freeipa/issue/9031 - -Signed-off-by: Alexander Bokovoy -Reviewed-By: Rob Crittenden ---- - daemons/ipa-kdb/ipa_kdb_mspac.c | 47 ++++++++++++++++++++++++--------- - 1 file changed, 34 insertions(+), 13 deletions(-) - -diff --git a/daemons/ipa-kdb/ipa_kdb_mspac.c b/daemons/ipa-kdb/ipa_kdb_mspac.c -index 538cfbba9..1b972c167 100644 ---- a/daemons/ipa-kdb/ipa_kdb_mspac.c -+++ b/daemons/ipa-kdb/ipa_kdb_mspac.c -@@ -1697,7 +1697,7 @@ static krb5_error_code check_logon_info_consistent(krb5_context context, - "local [%s], PAC [%s]", - dom ? dom : "", - sid ? 
sid : ""); -- return KRB5KDC_ERR_POLICY; -+ return KRB5KDC_ERR_TGT_REVOKED; - } - } - -@@ -1709,7 +1709,7 @@ static krb5_error_code check_logon_info_consistent(krb5_context context, - kerr = ipadb_get_principal(context, client_princ, flags, &client_actual); - if (kerr != 0) { - krb5_klog_syslog(LOG_ERR, "PAC issue: ipadb_get_principal failed."); -- return KRB5KDC_ERR_POLICY; -+ return KRB5KDC_ERR_TGT_REVOKED; - } - - ied = (struct ipadb_e_data *)client_actual->e_data; -@@ -1743,7 +1743,7 @@ static krb5_error_code check_logon_info_consistent(krb5_context context, - "local [%s] vs PAC [%s]", - local_sid ? local_sid : "", - pac_sid ? pac_sid : ""); -- kerr = KRB5KDC_ERR_POLICY; -+ kerr = KRB5KDC_ERR_TGT_REVOKED; - goto done; - } - -@@ -2005,22 +2005,43 @@ static krb5_error_code ipadb_check_logon_info(krb5_context context, - /* Check that requester SID is the same as in the PAC entry */ - if (requester_sid != NULL) { - struct dom_sid client_sid; -+ bool is_from_trusted_domain = false; - kerr = ipadb_get_sid_from_pac(tmpctx, info.info, &client_sid); - if (kerr) { - goto done; - } - result = dom_sid_check(&client_sid, requester_sid, true); - if (!result) { -- /* memctx is freed by the caller */ -- char *pac_sid = dom_sid_string(tmpctx, &client_sid); -- char *req_sid = dom_sid_string(tmpctx, requester_sid); -- krb5_klog_syslog(LOG_ERR, "PAC issue: PAC has a SID " -- "different from what PAC requester claims. " -- "PAC [%s] vs PAC requester [%s]", -- pac_sid ? pac_sid : "", -- req_sid ? 
req_sid : ""); -- kerr = KRB5KDC_ERR_POLICY; -- goto done; -+ struct ipadb_context *ipactx = ipadb_get_context(context); -+ if (!ipactx || !ipactx->mspac) { -+ return KRB5_KDB_DBNOTINITED; -+ } -+ /* In S4U case we might be dealing with the PAC issued by the trusted domain */ -+ if (is_s4u && (ipactx->mspac->trusts != NULL)) { -+ /* Iterate through list of trusts and check if this SID belongs to -+ * one of the domains we trust */ -+ for(int i = 0 ; i < ipactx->mspac->num_trusts ; i++) { -+ result = dom_sid_check(&ipactx->mspac->trusts[i].domsid, -+ requester_sid, false); -+ if (result) { -+ is_from_trusted_domain = true; -+ break; -+ } -+ } -+ } -+ -+ if (!is_from_trusted_domain) { -+ /* memctx is freed by the caller */ -+ char *pac_sid = dom_sid_string(tmpctx, &client_sid); -+ char *req_sid = dom_sid_string(tmpctx, requester_sid); -+ krb5_klog_syslog(LOG_ERR, "PAC issue: PAC has a SID " -+ "different from what PAC requester claims. " -+ "PAC [%s] vs PAC requester [%s]", -+ pac_sid ? pac_sid : "", -+ req_sid ? req_sid : ""); -+ kerr = KRB5KDC_ERR_TGT_REVOKED; -+ goto done; -+ } - } - } - --- -2.31.1 - diff --git a/freeipa-4.9.11.tar.gz.asc b/freeipa-4.9.11.tar.gz.asc deleted file mode 100644 index 47ddb7d..0000000 --- a/freeipa-4.9.11.tar.gz.asc +++ /dev/null 
@@ -1,16 +0,0 @@
------BEGIN PGP SIGNATURE-----
-
-iQIzBAABCAAdFiEE11Z2TU1+KXxtrRFyaYdvcqbi008FAmOA8kcACgkQaYdvcqbi
-00887g/9GTvueJCypiuTqxKsbkTbWamOyH3W+AqtHw9Ff+wM/hnkSloGizhQ4EZZ
-4Zs1e6bfM1pGXT7DXU9WbiYtcVtUhY5l9SnT9moCMaG1z4aB7z9UCxsqsSCuy3bG
-KQq6AO2z4DaqHiz6ez3QXi+MUCNnPziWmS3bLdDCrTK0PNxqiMPIotlXMgVFgDL7
-go/TAUvUL27zH4ELvG4parSGEKVEqe//RzXklOwGrInyj/4u42x7lUdO2ugOolCI
-wNod8v+NWQWVgxNyhfTjP5VBZzO9wkGx4xruF2cAjVdjnIUGcG0FR3hI/bpi7Lyv
-EmIozbQMK92MLel63E7Z/d5Jxfmuw/n1t5NrgSth+9hhWnBEpiaKkD2zAmUATqHf
-+y4mbrtajmjzewEnfUnQfCvSLDPyTpnQKkRY8hUvk7u/J+/ZFWMQl9RdGNw3M0Zr
-WrsqkKLK/n5IOHYHb/lBRaUidssKjQYFIvyNfHDP/lu6iiyLOpi5MIdk9BakO5wc
-oDMk3w9xY7tPPmoesW40BThnAdOR9U4aad8zVvOxhMfzAYRwu95HGQoHnk7/rNut
-IfzMZVjVTLQ8gyApcBlWzu/buiOoEXTKaMyzs0S9RMptknj5Xf0CGRz3bVrZRfJd
-umyhD6/rNk3eZW/yEIv3IqFev0h1txTBPSTlczYUIz6uc7nx82E=
-=8YVm
------END PGP SIGNATURE-----
diff --git a/freeipa-4.9.8.tar.gz.asc b/freeipa-4.9.8.tar.gz.asc
deleted file mode 100644
index c14420c..0000000
--- a/freeipa-4.9.8.tar.gz.asc
+++ /dev/null
@@ -1,16 +0,0 @@
------BEGIN PGP SIGNATURE-----
-
-iQIzBAABCAAdFiEE11Z2TU1+KXxtrRFyaYdvcqbi008FAmGf1XcACgkQaYdvcqbi
-00/kMQ//Vano94V0/L3YsLaqKiFcGo/py5pTq1Os3wB9zzCYSuU0P/eajuHLBYNe
-MfxecZihFFlmUdNooNWbewT4CE0ey1qFLwPfGXuLrse6fXVLLaYnAv2mkPUmDSpM
-XfXO0PFU0BtdkMAUsdUATngPCpQzYjVUKsAMwPovi3UcLzFZ8tWJKMA55urhwC4q
-E042wPLqzcX6Ee5JBSBkfNe35vG2LY7o3Ynh8SVCee2lBJvdWiuFT5XRhybXUsOp
-q3eTsVPz68p7CvOrjlLSsWPP0nbGF1O1UQsN+oaDZAav1Nx8lTOlxUCUQXWbs2X6
-BTUAOmZ6VjYu61sNgNSj+BSHlHIT3uRJ55JO5nLH/hLm0Oxn6SGRTVMueqV376QA
-CsIk7UrdcX9QUtu70eRxuu1aAWJ5eaF4GDWnFP+62wzd/d6LjWEE+9kXgvrcTF0C
-UzjWrmbI8x23bB4kqcROHz8lryMsBpZ94QKPHVppMiPgapDKRkculYkSeRLboADi
-q4mh2prkDSq9diWV4HvZTGwPU77oiLrQsvbGuvwD62PAlyQ4rZpfW3FllTL2Lcxy
-urA8a9UnQWQtDOsZIyxmMJ7R04gjI5fZfDhq6S09L9MfjFEKjsqO4FzXamj+SbAo
-w25sIp1qT0sV1vOt+/R/HYSIyggQyTZpQJu5UB34QLqpfDdUwFg=
-=t9up
------END PGP SIGNATURE-----
diff --git a/freeipa.spec b/freeipa.spec
deleted file mode 100644
index 6de0f77..0000000
--- a/freeipa.spec
+++ /dev/null
@@ -1,3184 +0,0 @@ -%define ipa_requires_gt() %(LC_ALL="C" echo '%*' | xargs -r rpm -q --qf 'Requires: %%{name} >= %%{epoch}:%%{version}-%%{release}\\n' | sed -e 's/ (none):/ /' -e 's/ 0:/ /' | grep -v "is not") - -# ipatests enabled by default, can be disabled with --without ipatests -%bcond_without ipatests -# default to not use XML-RPC in Rawhide, can be turned around with --with ipa_join_xml -# On RHEL 8 we should use --with ipa_join_xml -%bcond_with ipa_join_xml - -# Linting is disabled by default, needed for upstream testing -%bcond_with lint - -# Build documentation with sphinx -%bcond_with doc - -# Build Python wheels -%bcond_with wheels - -# 389-ds-base 1.4 no longer supports i686 platform, build only client -# packages, https://bugzilla.redhat.com/show_bug.cgi?id=1544386 -%ifarch %{ix86} - %{!?ONLY_CLIENT:%global ONLY_CLIENT 1} -%endif - -# Define ONLY_CLIENT to only make the ipa-client and ipa-python -# subpackages -%{!?ONLY_CLIENT:%global ONLY_CLIENT 0} -%if %{ONLY_CLIENT} - %global enable_server_option --disable-server -%else - %global enable_server_option --enable-server -%endif - -%if %{ONLY_CLIENT} - %global with_ipatests 0 -%endif - -# Whether to build ipatests -%if %{with ipatests} - %global with_ipatests_option --with-ipatests -%else - %global with_ipatests_option --without-ipatests -%endif - -# Whether to use XML-RPC with ipa-join -%if %{with ipa_join_xml} - %global with_ipa_join_xml_option --with-ipa-join-xml -%else - %global with_ipa_join_xml_option --without-ipa-join-xml -%endif - -# lint is not executed during rpmbuild -# %%global with_lint 1 -%if %{with lint} - %global linter_options --enable-pylint --without-jslint --enable-rpmlint -%else - %global linter_options --disable-pylint --without-jslint --disable-rpmlint -%endif - -# Include SELinux subpackage -%if 0%{?fedora} >= 30 || 0%{?rhel} >= 8 - %global with_selinux 1 - %global selinuxtype targeted - %global modulename ipa -%endif - -%if 0%{?rhel} -%global package_name ipa -%global 
alt_name freeipa -%global krb5_version 1.19.1-15 -%global krb5_kdb_version 8.0 -# 0.7.16: https://github.com/drkjam/netaddr/issues/71 -%global python_netaddr_version 0.7.19 -# Require 4.7.0 which brings Python 3 bindings -%global samba_version 4.15.2-2 -%global selinux_policy_version 3.14.3-52 -%global slapi_nis_version 0.56.4 -%global python_ldap_version 3.1.0-1 -%if 0%{?rhel} < 9 -# Bug 1929067 - PKI instance creation failed with new 389-ds-base build -%global ds_version 1.4.3.16-12 -%else -# DNA interval enabled -%global ds_version 2.0.5-1 -%endif - -# Fix for TLS 1.3 PHA, RHBZ#1775158 -%global httpd_version 2.4.37-21 -%global bind_version 9.11.20-6 - -%else -# Fedora -%global package_name freeipa -%global alt_name ipa -# Fix for CVE-2020-28196 -%global krb5_version 1.18.2-29 -# 0.7.16: https://github.com/drkjam/netaddr/issues/71 -%global python_netaddr_version 0.7.16 -# Require 4.7.0 which brings Python 3 bindings -# Require 4.12 which has DsRGetForestTrustInformation access rights fixes -%global samba_version 2:4.12.10 - -# 3.14.5-45 or later includes a number of interfaces fixes for IPA interface -%global selinux_policy_version 3.14.5-45 -%global slapi_nis_version 0.56.5 - -%global krb5_kdb_version 8.0 - -# fix for segfault in python3-ldap, https://pagure.io/freeipa/issue/7324 -%global python_ldap_version 3.1.0-1 - -# Make sure to use 389-ds-base versions that fix https://github.com/389ds/389-ds-base/issues/4700 -# and has DNA interval enabled -%if 0%{?fedora} < 34 -%global ds_version 1.4.4.16-1 -%else -%global ds_version 2.0.7-1 -%endif - -# Fix for TLS 1.3 PHA, RHBZ#1775146 -%global httpd_version 2.4.41-9 - -%global bind_version 9.11.24-1 -# Don't use Fedora's Python dependency generator on Fedora 30/rawhide yet. -# Some packages don't provide new dist aliases. 
-# https://docs.fedoraproject.org/en-US/packaging-guidelines/Python/ -%{?python_disable_dependency_generator} -# Fedora -%endif - -# BIND employs 'pkcs11' OpenSSL engine instead of native PKCS11 -# Fedora 31+ uses OpenSSL engine, as well as Fedora ELN (RHEL9) -%if 0%{?fedora} || 0%{?rhel} >= 9 - %global openssl_pkcs11_version 0.4.10-6 - %global softhsm_version 2.5.0-4 -%else - %global with_bind_pkcs11 1 -%endif - -%if 0%{?rhel} == 8 -# Make sure to use PKI versions that work with 389-ds fix for https://github.com/389ds/389-ds-base/issues/4609 -%global pki_version 10.10.5 -%else -# Make sure to use PKI versions that work with 389-ds fix for https://github.com/389ds/389-ds-base/issues/4609 -%global pki_version 10.10.5 -%endif - -# RHEL 8.3+, F32+ has 0.79.13 -%global certmonger_version 0.79.7-3 - -# RHEL 8.2+, F32+ has 3.58 -%global nss_version 3.44.0-4 - -# RHEL 8.7+, F35+, adds IdP integration -%global sssd_version 2.7.0 - -%define krb5_base_version %(LC_ALL=C /usr/bin/pkgconf --modversion krb5 | grep -Eo '^[^.]+\.[^.]+' || echo %krb5_version) -%global kdcproxy_version 0.4-3 - -%if 0%{?fedora} >= 33 || 0%{?rhel} >= 9 -# systemd with resolved enabled -# see https://pagure.io/freeipa/issue/8275 -%global systemd_version 246.6-3 -%else -%global systemd_version 239 -%endif - -# augeas support for new chrony options -# see https://pagure.io/freeipa/issue/8676 -# https://bugzilla.redhat.com/show_bug.cgi?id=1931787 -%if 0%{?fedora} >= 33 -%global augeas_version 1.12.0-6 -%else -%if 0%{?rhel} >= 9 -%global augeas_version 1.12.1-0 -%else -%global augeas_version 1.12.0-3 -%endif -%endif - -%global plugin_dir %{_libdir}/dirsrv/plugins -%global etc_systemd_dir %{_sysconfdir}/systemd/system -%global gettext_domain ipa - -%define _hardened_build 1 - -# Work-around fact that RPM SPEC parser does not accept -# "Version: @VERSION@" in freeipa.spec.in used for Autoconf string replacement -%define IPA_VERSION 4.10.0 -# Release candidate version -- uncomment with one percent for RC 
versions -#%%global rc_version %%nil -%define AT_SIGN @ -# redefine IPA_VERSION only if its value matches the Autoconf placeholder -%if "%{IPA_VERSION}" == "%{AT_SIGN}VERSION%{AT_SIGN}" - %define IPA_VERSION nonsense.to.please.RPM.SPEC.parser -%endif - -%define NON_DEVELOPER_BUILD ("%{lua: print(rpm.expand('%{suffix:%IPA_VERSION}'):find('^dev'))}" == "nil") - -Name: %{package_name} -Version: %{IPA_VERSION} -Release: 5%{?rc_version:.%rc_version}%{?dist} -Summary: The Identity, Policy and Audit system - -License: GPLv3+ -URL: http://www.freeipa.org/ -Source0: https://releases.pagure.org/freeipa/freeipa-%{version}%{?rc_version}.tar.gz -# Only use detached signature for the distribution builds. If it is a developer build, skip it -%if %{NON_DEVELOPER_BUILD} -Source1: https://releases.pagure.org/freeipa/freeipa-%{version}%{?rc_version}.tar.gz.asc -%endif - -# RHEL spec file only: START: Change branding to IPA and Identity Management -# Moved branding logos and background to redhat-logos-ipa-80.4: -# header-logo.png, login-screen-background.jpg, login-screen-logo.png, -# product-name.png -# RHEL spec file only: END: Change branding to IPA and Identity Management - -# RHEL spec file only: START -%if %{NON_DEVELOPER_BUILD} -%if 0%{?rhel} >= 8 -Patch0001: 0001-Only-calculate-LDAP-password-grace-when-the-password.patch -Patch0002: 0002-webui-Do-not-allow-empty-pagination-size.patch -Patch1001: 1001-Change-branding-to-IPA-and-Identity-Management.patch -%endif -%endif -# RHEL spec file only: END - -# For the timestamp trick in patch application -BuildRequires: diffstat - -BuildRequires: openldap-devel -# For KDB DAL version, make explicit dependency so that increase of version -# will cause the build to fail due to unsatisfied dependencies. -# DAL version change may cause code crash or memory leaks, it is better to fail early. 
-BuildRequires: krb5-kdb-version = %{krb5_kdb_version} -BuildRequires: krb5-kdb-devel-version = %{krb5_kdb_version} -BuildRequires: krb5-devel >= %{krb5_version} -BuildRequires: pkgconfig(krb5) -%if %{with ipa_join_xml} -# 1.27.4: xmlrpc_curl_xportparms.gssapi_delegation -BuildRequires: xmlrpc-c-devel >= 1.27.4 -%else -BuildRequires: libcurl-devel -BuildRequires: jansson-devel -%endif -BuildRequires: popt-devel -BuildRequires: gcc -BuildRequires: make -BuildRequires: pkgconfig -BuildRequires: pkgconf -BuildRequires: autoconf -BuildRequires: automake -BuildRequires: make -BuildRequires: libtool -BuildRequires: gettext -BuildRequires: gettext-devel -BuildRequires: python3-devel -BuildRequires: python3-setuptools -BuildRequires: systemd >= %{systemd_version} -# systemd-tmpfiles which is executed from make install requires apache user -BuildRequires: httpd -BuildRequires: nspr-devel -BuildRequires: openssl-devel -BuildRequires: libini_config-devel -BuildRequires: cyrus-sasl-devel -%if ! %{ONLY_CLIENT} -BuildRequires: 389-ds-base-devel >= %{ds_version} -BuildRequires: samba-devel >= %{samba_version} -BuildRequires: libtalloc-devel -BuildRequires: libtevent-devel -BuildRequires: libuuid-devel -BuildRequires: libpwquality-devel -BuildRequires: libsss_idmap-devel -BuildRequires: libsss_certmap-devel -BuildRequires: libsss_nss_idmap-devel >= %{sssd_version} -BuildRequires: nodejs(abi) -# use old dependency on RHEL 8 for now -%if 0%{?fedora} >= 31 || 0%{?rhel} >= 9 -BuildRequires: python3-rjsmin -%else -BuildRequires: uglify-js -%endif -BuildRequires: libverto-devel -BuildRequires: libunistring-devel -# 0.13.0: https://bugzilla.redhat.com/show_bug.cgi?id=1584773 -# 0.13.0-2: fix for missing dependency on python-six -BuildRequires: python3-lesscpy >= 0.13.0-2 -BuildRequires: cracklib-dicts -# ONLY_CLIENT -%endif - -# -# Build dependencies for makeapi/makeaci -# -BuildRequires: python3-cffi -BuildRequires: python3-dns -BuildRequires: python3-ldap >= %{python_ldap_version} 
-BuildRequires: python3-libsss_nss_idmap -BuildRequires: python3-netaddr >= %{python_netaddr_version} -BuildRequires: python3-pyasn1 -BuildRequires: python3-pyasn1-modules -BuildRequires: python3-six -BuildRequires: python3-psutil - -# -# Build dependencies for wheel packaging and PyPI upload -# -%if %{with wheels} -BuildRequires: dbus-glib-devel -BuildRequires: libffi-devel -BuildRequires: python3-tox -%if 0%{?fedora} <= 28 -BuildRequires: python3-twine -%else -BuildRequires: twine -%endif -BuildRequires: python3-wheel -# with_wheels -%endif - -%if %{with doc} -BuildRequires: python3-sphinx -BuildRequires: plantuml -BuildRequires: fontconfig -BuildRequires: google-noto-sans-vf-fonts -%endif - -# -# Build dependencies for lint and fastcheck -# -%if %{with lint} - -# python3-pexpect might not be available in RHEL9 -%if 0%{?fedora} || 0%{?rhel} < 9 -BuildRequires: python3-pexpect -%endif - -# jsl is orphaned in Fedora 34+ -%if 0%{?fedora} < 34 -BuildRequires: jsl -%endif - -BuildRequires: git -BuildRequires: nss-tools -BuildRequires: rpmlint -BuildRequires: softhsm - -BuildRequires: keyutils -BuildRequires: python3-augeas -BuildRequires: python3-cffi -BuildRequires: python3-cryptography >= 1.6 -BuildRequires: python3-dateutil -BuildRequires: python3-dbus -BuildRequires: python3-dns >= 1.15 -BuildRequires: python3-docker -BuildRequires: python3-gssapi >= 1.2.0 -BuildRequires: python3-jinja2 -BuildRequires: python3-jwcrypto >= 0.4.2 -BuildRequires: python3-ldap >= %{python_ldap_version} -BuildRequires: python3-ldap >= %{python_ldap_version} -BuildRequires: python3-lib389 >= %{ds_version} -BuildRequires: python3-libipa_hbac -BuildRequires: python3-libsss_nss_idmap -BuildRequires: python3-lxml -BuildRequires: python3-netaddr >= %{python_netaddr_version} -BuildRequires: python3-netifaces -BuildRequires: python3-paste -BuildRequires: python3-pki >= %{pki_version} -BuildRequires: python3-polib -BuildRequires: python3-pyasn1 -BuildRequires: python3-pyasn1-modules 
-BuildRequires: python3-pycodestyle -# .wheelconstraints.in limits pylint version in Azure and tox tests -BuildRequires: python3-pylint -BuildRequires: python3-pytest-multihost -BuildRequires: python3-pytest-sourceorder -BuildRequires: python3-qrcode-core >= 5.0.0 -BuildRequires: python3-samba -BuildRequires: python3-six -BuildRequires: python3-sss -BuildRequires: python3-sss-murmur -BuildRequires: python3-sssdconfig >= %{sssd_version} -BuildRequires: python3-systemd -BuildRequires: python3-yaml -BuildRequires: python3-yubico -# with_lint -%endif - -# -# Build dependencies for unit tests -# -%if ! %{ONLY_CLIENT} -BuildRequires: libcmocka-devel -# Required by ipa_kdb_tests -BuildRequires: krb5-server >= %{krb5_version} -# ONLY_CLIENT -%endif - -# Build dependencies for SELinux policy -%if %{with selinux} -BuildRequires: selinux-policy-devel >= %{selinux_policy_version} -%endif - -%description -IPA is an integrated solution to provide centrally managed Identity (users, -hosts, services), Authentication (SSO, 2FA), and Authorization -(host access control, SELinux user roles, services). The solution provides -features for further integration with Linux based clients (SUDO, automount) -and integration with Active Directory based infrastructures (Trusts). - - -%if ! 
%{ONLY_CLIENT} - -%package server -Summary: The IPA authentication server -Requires: %{name}-server-common = %{version}-%{release} -Requires: %{name}-client = %{version}-%{release} -Requires: %{name}-common = %{version}-%{release} -Requires: python3-ipaserver = %{version}-%{release} -Requires: python3-ldap >= %{python_ldap_version} -Requires: 389-ds-base >= %{ds_version} -Requires: openldap-clients > 2.4.35-4 -Requires: nss-tools >= %{nss_version} -Requires(post): krb5-server >= %{krb5_version} -Requires(post): krb5-server >= %{krb5_base_version} -Requires: krb5-kdb-version = %{krb5_kdb_version} -Requires: krb5-pkinit-openssl >= %{krb5_version} -Requires: cyrus-sasl-gssapi%{?_isa} -Requires: chrony -Requires: httpd >= %{httpd_version} -Requires(preun): python3 -Requires(postun): python3 -Requires: python3-gssapi >= 1.2.0-5 -Requires: python3-systemd -Requires: python3-mod_wsgi -Requires: mod_auth_gssapi >= 1.5.0 -Requires: mod_ssl >= %{httpd_version} -Requires: mod_session >= %{httpd_version} -# 0.9.9: https://github.com/adelton/mod_lookup_identity/pull/3 -Requires: mod_lookup_identity >= 0.9.9 -Requires: acl -Requires: systemd-units >= %{systemd_version} -Requires(pre): systemd-units >= %{systemd_version} -Requires(post): systemd-units >= %{systemd_version} -Requires(preun): systemd-units >= %{systemd_version} -Requires(postun): systemd-units >= %{systemd_version} -Requires(pre): shadow-utils -Requires: selinux-policy >= %{selinux_policy_version} -Requires(post): selinux-policy-base >= %{selinux_policy_version} -Requires: slapi-nis >= %{slapi_nis_version} -Requires: pki-ca >= %{pki_version} -Requires: pki-kra >= %{pki_version} -# pki-acme package was split out in pki-10.10.0 -Requires: (pki-acme >= %{pki_version} if pki-ca >= 10.10.0) -Requires: policycoreutils >= 2.1.12-5 -Requires: tar -Requires(pre): certmonger >= %{certmonger_version} -Requires(pre): 389-ds-base >= %{ds_version} -Requires: fontawesome-fonts -Requires: open-sans-fonts -%if 0%{?fedora} >= 32 || 
0%{?rhel} >= 9 -# https://pagure.io/freeipa/issue/8632 -Requires: openssl > 1.1.1i -%else -Requires: openssl -%endif -Requires: softhsm >= 2.0.0rc1-1 -Requires: p11-kit -Requires: %{etc_systemd_dir} -Requires: gzip -Requires: oddjob -# 0.7.0-2: https://pagure.io/gssproxy/pull-request/172 -Requires: gssproxy >= 0.7.0-2 -Requires: sssd-dbus >= %{sssd_version} -Requires: libpwquality -Requires: cracklib-dicts -# NDR libraries are internal in Samba and change with version without changing SONAME -%ipa_requires_gt samba-client-libs - -Provides: %{alt_name}-server = %{version} -Conflicts: %{alt_name}-server -Obsoletes: %{alt_name}-server < %{version} - -# With FreeIPA 3.3, package freeipa-server-selinux was obsoleted as the -# entire SELinux policy is stored in the system policy -Obsoletes: freeipa-server-selinux < 3.3.0 - -# upgrade path from monolithic -server to -server + -server-dns -Obsoletes: %{name}-server <= 4.2.0 - -# Versions of nss-pam-ldapd < 0.8.4 require a mapping from uniqueMember to -# member. -Conflicts: nss-pam-ldapd < 0.8.4 - -# RHEL spec file only: START: Do not build tests -%if 0%{?rhel} == 8 -# ipa-tests subpackage was moved to separate srpm -Conflicts: ipa-tests < 3.3.3-9 -%endif -# RHEL spec file only: END: Do not build tests - -%description server -IPA is an integrated solution to provide centrally managed Identity (users, -hosts, services), Authentication (SSO, 2FA), and Authorization -(host access control, SELinux user roles, services). The solution provides -features for further integration with Linux based clients (SUDO, automount) -and integration with Active Directory based infrastructures (Trusts). -If you are installing an IPA server, you need to install this package. 
- - -%package -n python3-ipaserver -Summary: Python libraries used by IPA server -BuildArch: noarch -%{?python_provide:%python_provide python3-ipaserver} -Requires: %{name}-server-common = %{version}-%{release} -Requires: %{name}-common = %{version}-%{release} -# we need pre-requires since earlier versions may break upgrade -Requires(pre): python3-ldap >= %{python_ldap_version} -Requires: python3-augeas -Requires: augeas-libs >= %{augeas_version} -Requires: python3-dbus -Requires: python3-dns >= 1.15 -Requires: python3-gssapi >= 1.2.0 -Requires: python3-ipaclient = %{version}-%{release} -Requires: python3-kdcproxy >= %{kdcproxy_version} -Requires: python3-lxml -Requires: python3-pki >= %{pki_version} -Requires: python3-pyasn1 >= 0.3.2-2 -Requires: python3-sssdconfig >= %{sssd_version} -Requires: python3-psutil -Requires: rpm-libs -# Indirect dependency: use newer urllib3 with TLS 1.3 PHA support -%if 0%{?rhel} -Requires: python3-urllib3 >= 1.24.2-3 -%else -Requires: python3-urllib3 >= 1.25.7 -%endif - -%description -n python3-ipaserver -IPA is an integrated solution to provide centrally managed Identity (users, -hosts, services), Authentication (SSO, 2FA), and Authorization -(host access control, SELinux user roles, services). The solution provides -features for further integration with Linux based clients (SUDO, automount) -and integration with Active Directory based infrastructures (Trusts). -If you are installing an IPA server, you need to install this package. - - -%package server-common -Summary: Common files used by IPA server -BuildArch: noarch -Requires: %{name}-client-common = %{version}-%{release} -Requires: httpd >= %{httpd_version} -Requires: systemd-units >= %{systemd_version} -%if 0%{?rhel} >= 8 && ! 
0%{?eln} -Requires: system-logos-ipa >= 80.4 -%endif - -Provides: %{alt_name}-server-common = %{version} -Conflicts: %{alt_name}-server-common -Obsoletes: %{alt_name}-server-common < %{version} - -%description server-common -IPA is an integrated solution to provide centrally managed Identity (users, -hosts, services), Authentication (SSO, 2FA), and Authorization -(host access control, SELinux user roles, services). The solution provides -features for further integration with Linux based clients (SUDO, automount) -and integration with Active Directory based infrastructures (Trusts). -If you are installing an IPA server, you need to install this package. - - -%package server-dns -Summary: IPA integrated DNS server with support for automatic DNSSEC signing -BuildArch: noarch -Requires: %{name}-server = %{version}-%{release} -Requires: bind-dyndb-ldap >= 11.2-2 -Requires: bind >= %{bind_version} -Requires: bind-utils >= %{bind_version} -# bind-dnssec-utils is required by the OpenDNSSec integration -# https://pagure.io/freeipa/issue/9026 -Requires: bind-dnssec-utils >= %{bind_version} -%if %{with bind_pkcs11} -Requires: bind-pkcs11 >= %{bind_version} -%else -Requires: softhsm >= %{softhsm_version} -Requires: openssl-pkcs11 >= %{openssl_pkcs11_version} -%endif -# See https://bugzilla.redhat.com/show_bug.cgi?id=1825812 -# RHEL 8.3+ and Fedora 32+ have 2.1 -Requires: opendnssec >= 2.1.6-5 -%{?systemd_requires} - -Provides: %{alt_name}-server-dns = %{version} -Conflicts: %{alt_name}-server-dns -Obsoletes: %{alt_name}-server-dns < %{version} - -# upgrade path from monolithic -server to -server + -server-dns -Obsoletes: %{name}-server <= 4.2.0 - -%description server-dns -IPA integrated DNS server with support for automatic DNSSEC signing. -Integrated DNS server is BIND 9. OpenDNSSEC provides key management. 
- - -%package server-trust-ad -Summary: Virtual package to install packages required for Active Directory trusts -Requires: %{name}-server = %{version}-%{release} -Requires: %{name}-common = %{version}-%{release} - -Requires: samba >= %{samba_version} -Requires: samba-winbind -Requires: sssd-winbind-idmap -Requires: libsss_idmap -%if 0%{?rhel} -Obsoletes: ipa-idoverride-memberof-plugin <= 0.1 -%endif -Requires(post): python3 -Requires: python3-samba -Requires: python3-libsss_nss_idmap -Requires: python3-sss - -# We use alternatives to divert winbind_krb5_locator.so plugin to libkrb5 -# on the installes where server-trust-ad subpackage is installed because -# IPA AD trusts cannot be used at the same time with the locator plugin -# since Winbindd will be configured in a different mode -Requires(post): %{_sbindir}/update-alternatives -Requires(postun): %{_sbindir}/update-alternatives -Requires(preun): %{_sbindir}/update-alternatives - -Provides: %{alt_name}-server-trust-ad = %{version} -Conflicts: %{alt_name}-server-trust-ad -Obsoletes: %{alt_name}-server-trust-ad < %{version} - -%description server-trust-ad -Cross-realm trusts with Active Directory in IPA require working Samba 4 -installation. This package is provided for convenience to install all required -dependencies at once. 
- -# ONLY_CLIENT -%endif - - -%package client -Summary: IPA authentication for use on clients -Requires: %{name}-client-common = %{version}-%{release} -Requires: %{name}-common = %{version}-%{release} -Requires: python3-gssapi >= 1.2.0-5 -Requires: python3-ipaclient = %{version}-%{release} -Requires: python3-ldap >= %{python_ldap_version} -Requires: python3-sssdconfig >= %{sssd_version} -Requires: cyrus-sasl-gssapi%{?_isa} -Requires: chrony -Requires: krb5-workstation >= %{krb5_version} -# authselect: sssd profile with-subid -%if 0%{?fedora} >= 36 -Requires: authselect >= 1.4.0 -%else -Requires: authselect >= 1.2.5 -%endif -Requires: curl -# NIS domain name config: /usr/lib/systemd/system/*-domainname.service -# All Fedora 28+ and RHEL8+ contain the service in hostname package -Requires: hostname -Requires: libcurl >= 7.21.7-2 -%if %{with ipa_join_xml} -Requires: xmlrpc-c >= 1.27.4 -%else -Requires: jansson -%endif -Requires: sssd-ipa >= %{sssd_version} -Requires: sssd-idp >= %{sssd_version} -Requires: certmonger >= %{certmonger_version} -Requires: nss-tools >= %{nss_version} -Requires: bind-utils -Requires: oddjob-mkhomedir -Requires: libsss_autofs -Requires: autofs -Requires: libnfsidmap -Requires: nfs-utils -Requires: sssd-tools >= %{sssd_version} -Requires(post): policycoreutils - -# https://pagure.io/freeipa/issue/8530 -Recommends: libsss_sudo -Recommends: sudo -Requires: (libsss_sudo if sudo) - -Provides: %{alt_name}-client = %{version} -Conflicts: %{alt_name}-client -Obsoletes: %{alt_name}-client < %{version} - -Provides: %{alt_name}-admintools = %{version} -Conflicts: %{alt_name}-admintools -Obsoletes: %{alt_name}-admintools < 4.4.1 - -Obsoletes: %{name}-admintools < 4.4.1 -Provides: %{name}-admintools = %{version}-%{release} - -%if 0%{?rhel} == 8 -# Conflict with crypto-policies < 20200629-1 to get AD-SUPPORT policy module -Conflicts: crypto-policies < 20200629-1 -%endif - -%if 0%{?rhel} == 9 -# Conflict with crypto-policies < 20220223-1 to get upgraded 
AD-SUPPORT and -# AD-SUPPORT-LEGACY policy modules -Conflicts: crypto-policies < 20220223-1 -%endif - -%description client -IPA is an integrated solution to provide centrally managed Identity (users, -hosts, services), Authentication (SSO, 2FA), and Authorization -(host access control, SELinux user roles, services). The solution provides -features for further integration with Linux based clients (SUDO, automount) -and integration with Active Directory based infrastructures (Trusts). -If your network uses IPA for authentication, this package should be -installed on every client machine. -This package provides command-line tools for IPA administrators. - -%package client-samba -Summary: Tools to configure Samba on IPA client -Group: System Environment/Base -Requires: %{name}-client = %{version}-%{release} -Requires: python3-samba -Requires: samba-client -Requires: samba-winbind -Requires: samba-common-tools -Requires: samba -Requires: sssd-winbind-idmap -Requires: tdb-tools -Requires: cifs-utils - -%description client-samba -This package provides command-line tools to deploy Samba domain member -on the machine enrolled into a FreeIPA environment - -%package client-epn -Summary: Tools to configure Expiring Password Notification in IPA -Group: System Environment/Base -Requires: %{name}-client = %{version}-%{release} -Requires: systemd-units >= %{systemd_version} -Requires(post): systemd-units >= %{systemd_version} -Requires(preun): systemd-units >= %{systemd_version} -Requires(postun): systemd-units >= %{systemd_version} - -%description client-epn -This package provides a service to collect and send expiring password -notifications via email (SMTP). 
-
-%package -n python3-ipaclient
-Summary: Python libraries used by IPA client
-BuildArch: noarch
-%{?python_provide:%python_provide python3-ipaclient}
-Requires: %{name}-client-common = %{version}-%{release}
-Requires: %{name}-common = %{version}-%{release}
-Requires: python3-ipalib = %{version}-%{release}
-Requires: python3-augeas
-Requires: augeas-libs >= %{augeas_version}
-Requires: python3-dns >= 1.15
-Requires: python3-jinja2
-
-%description -n python3-ipaclient
-IPA is an integrated solution to provide centrally managed Identity (users,
-hosts, services), Authentication (SSO, 2FA), and Authorization
-(host access control, SELinux user roles, services). The solution provides
-features for further integration with Linux based clients (SUDO, automount)
-and integration with Active Directory based infrastructures (Trusts).
-If your network uses IPA for authentication, this package should be
-installed on every client machine.
-
-%package client-common
-Summary: Common files used by IPA client
-BuildArch: noarch
-
-Provides: %{alt_name}-client-common = %{version}
-Conflicts: %{alt_name}-client-common
-Obsoletes: %{alt_name}-client-common < %{version}
-# python2-ipa* packages are no longer available in 4.8.
-Obsoletes: python2-ipaclient < 4.8.0-1
-Obsoletes: python2-ipalib < 4.8.0-1
-Obsoletes: python2-ipaserver < 4.8.0-1
-Obsoletes: python2-ipatests < 4.8.0-1
-
-
-%description client-common
-IPA is an integrated solution to provide centrally managed Identity (users,
-hosts, services), Authentication (SSO, 2FA), and Authorization
-(host access control, SELinux user roles, services). The solution provides
-features for further integration with Linux based clients (SUDO, automount)
-and integration with Active Directory based infrastructures (Trusts).
-If your network uses IPA for authentication, this package should be
-installed on every client machine.
-
-
-%package python-compat
-Summary: Compatiblity package for Python libraries used by IPA
-BuildArch: noarch
-Obsoletes: %{name}-python < 4.2.91
-Provides: %{name}-python = %{version}-%{release}
-Requires: %{name}-common = %{version}-%{release}
-Requires: python3-ipalib = %{version}-%{release}
-
-Provides: %{alt_name}-python-compat = %{version}
-Conflicts: %{alt_name}-python-compat
-Obsoletes: %{alt_name}-python-compat < %{version}
-
-Obsoletes: %{alt_name}-python < 4.2.91
-Provides: %{alt_name}-python = %{version}
-
-%description python-compat
-IPA is an integrated solution to provide centrally managed Identity (users,
-hosts, services), Authentication (SSO, 2FA), and Authorization
-(host access control, SELinux user roles, services). The solution provides
-features for further integration with Linux based clients (SUDO, automount)
-and integration with Active Directory based infrastructures (Trusts).
-This is a compatibility package to accommodate %{name}-python split into
-python3-ipalib and %{name}-common. Packages still depending on
-%{name}-python should be fixed to depend on python2-ipaclient or
-%{name}-common instead.
-
-
-%package -n python3-ipalib
-Summary: Python3 libraries used by IPA
-BuildArch: noarch
-%{?python_provide:%python_provide python3-ipalib}
-Provides: python3-ipapython = %{version}-%{release}
-%{?python_provide:%python_provide python3-ipapython}
-Provides: python3-ipaplatform = %{version}-%{release}
-%{?python_provide:%python_provide python3-ipaplatform}
-Requires: %{name}-common = %{version}-%{release}
-# we need pre-requires since earlier versions may break upgrade
-Requires(pre): python3-ldap >= %{python_ldap_version}
-Requires: gnupg2
-Requires: keyutils
-Requires: python3-cffi
-Requires: python3-cryptography >= 1.6
-Requires: python3-dateutil
-Requires: python3-dbus
-Requires: python3-dns >= 1.15
-Requires: python3-gssapi >= 1.2.0
-Requires: python3-jwcrypto >= 0.4.2
-Requires: python3-libipa_hbac
-Requires: python3-netaddr >= %{python_netaddr_version}
-Requires: python3-netifaces >= 0.10.4
-Requires: python3-pyasn1 >= 0.3.2-2
-Requires: python3-pyasn1-modules >= 0.3.2-2
-Requires: python3-pyusb
-Requires: python3-qrcode-core >= 5.0.0
-Requires: python3-requests
-Requires: python3-six
-Requires: python3-sss-murmur
-Requires: python3-yubico >= 1.3.2-7
-%if 0%{?rhel} && 0%{?rhel} == 8
-Requires: platform-python-setuptools
-%else
-Requires: python3-setuptools
-%endif
-
-%description -n python3-ipalib
-IPA is an integrated solution to provide centrally managed Identity (users,
-hosts, services), Authentication (SSO, 2FA), and Authorization
-(host access control, SELinux user roles, services). The solution provides
-features for further integration with Linux based clients (SUDO, automount)
-and integration with Active Directory based infrastructures (Trusts).
-If you are using IPA with Python 3, you need to install this package.
-
-
-%package common
-Summary: Common files used by IPA
-BuildArch: noarch
-Conflicts: %{name}-python < 4.2.91
-
-Provides: %{alt_name}-common = %{version}
-Conflicts: %{alt_name}-common
-Obsoletes: %{alt_name}-common < %{version}
-
-Conflicts: %{alt_name}-python < %{version}
-
-%if %{with selinux}
-# This ensures that the *-selinux package and all it’s dependencies are not
-# pulled into containers and other systems that do not use SELinux. The
-# policy defines types and file contexts for client and server.
-Requires: (%{name}-selinux if selinux-policy-%{selinuxtype})
-%endif
-
-%description common
-IPA is an integrated solution to provide centrally managed Identity (users,
-hosts, services), Authentication (SSO, 2FA), and Authorization
-(host access control, SELinux user roles, services). The solution provides
-features for further integration with Linux based clients (SUDO, automount)
-and integration with Active Directory based infrastructures (Trusts).
-If you are using IPA, you need to install this package.
-
-
-%if %{with ipatests}
-
-%package -n python3-ipatests
-Summary: IPA tests and test tools
-BuildArch: noarch
-%{?python_provide:%python_provide python3-ipatests}
-Requires: python3-ipaclient = %{version}-%{release}
-Requires: python3-ipaserver = %{version}-%{release}
-Requires: iptables
-Requires: python3-cryptography >= 1.6
-%if 0%{?fedora}
-# These packages do not exist on RHEL and for ipatests use
-# they are installed on the controller through other means
-Requires: ldns-utils
-Requires: python3-pexpect
-# update-crypto-policies
-Requires: crypto-policies-scripts
-Requires: python3-polib
-Requires: python3-pytest >= 3.9.1
-Requires: python3-pytest-multihost >= 0.5
-Requires: python3-pytest-sourceorder
-Requires: sshpass
-%endif
-Requires: python3-sssdconfig >= %{sssd_version}
-Requires: tar
-Requires: xz
-Requires: openssh-clients
-%if 0%{?rhel}
-AutoReqProv: no
-%endif
-
-%description -n python3-ipatests
-IPA is an integrated solution to provide centrally managed Identity (users,
-hosts, services), Authentication (SSO, 2FA), and Authorization
-(host access control, SELinux user roles, services). The solution provides
-features for further integration with Linux based clients (SUDO, automount)
-and integration with Active Directory based infrastructures (Trusts).
-This package contains tests that verify IPA functionality under Python 3.
-
-# with ipatests
-%endif
-
-
-%if %{with selinux}
-# SELinux subpackage
-%package selinux
-Summary: FreeIPA SELinux policy
-BuildArch: noarch
-Requires: selinux-policy-%{selinuxtype}
-Requires(post): selinux-policy-%{selinuxtype}
-%{?selinux_requires}
-
-%description selinux
-Custom SELinux policy module for FreeIPA
-# with selinux
-%endif
-
-
-%prep
-# Update timestamps on the files touched by a patch, to avoid non-equal
-# .pyc/.pyo files across the multilib peers within a build, where "Level"
-# is the patch prefix option (e.g. -p1)
-# Taken from specfile for sssd and python-simplejson
-UpdateTimestamps() {
- Level=$1
- PatchFile=$2
-
- # Locate the affected files:
- for f in $(diffstat $Level -l $PatchFile); do
- # Set the files to have the same timestamp as that of the patch:
- touch -c -r $PatchFile $f
- done
-}
-
-%setup -n freeipa-%{version}%{?rc_version} -q
-
-# To allow proper application patches to the stripped po files, strip originals
-pushd po
-for i in *.po ; do
- msgattrib --translated --no-fuzzy --no-location -s $i > $i.tmp || exit 1
- mv $i.tmp $i || exit 1
-done
-popd
-
-for p in %patches ; do
- %__patch -p1 -i $p
- UpdateTimestamps -p1 $p
-done
-
-%build
-# PATH is workaround for https://bugzilla.redhat.com/show_bug.cgi?id=1005235
-export PATH=/usr/bin:/usr/sbin:$PATH
-
-export PYTHON=%{__python3}
-autoreconf -ivf
-%configure --with-vendor-suffix=-%{release} \
- %{enable_server_option} \
- %{with_ipatests_option} \
- %{with_ipa_join_xml_option} \
- %{linter_options}
-
-# run build in default dir
-# -Onone is workaround for https://bugzilla.redhat.com/show_bug.cgi?id=1398405
-%make_build -Onone
-
-
-%check
-make %{?_smp_mflags} check VERBOSE=yes LIBDIR=%{_libdir}
-
-
-%install
-# Please put as much logic as possible into make install. It allows:
-# - easier porting to other distributions
-# - rapid devel & install cycle using make install
-# (instead of full RPM build and installation each time)
-#
-# All files and directories created by spec install should be marked as ghost.
-# (These are typically configuration files created by IPA installer.)
-# All other artifacts should be created by make install.
-
-%make_install
-
-# don't package ipasphinx for now
-rm -rf %{buildroot}%{python3_sitelib}/ipasphinx*
-
-%if %{with ipatests}
-mv %{buildroot}%{_bindir}/ipa-run-tests %{buildroot}%{_bindir}/ipa-run-tests-%{python3_version}
-mv %{buildroot}%{_bindir}/ipa-test-config %{buildroot}%{_bindir}/ipa-test-config-%{python3_version}
-mv %{buildroot}%{_bindir}/ipa-test-task %{buildroot}%{_bindir}/ipa-test-task-%{python3_version}
-ln -rs %{buildroot}%{_bindir}/ipa-run-tests-%{python3_version} %{buildroot}%{_bindir}/ipa-run-tests-3
-ln -rs %{buildroot}%{_bindir}/ipa-test-config-%{python3_version} %{buildroot}%{_bindir}/ipa-test-config-3
-ln -rs %{buildroot}%{_bindir}/ipa-test-task-%{python3_version} %{buildroot}%{_bindir}/ipa-test-task-3
-ln -frs %{buildroot}%{_bindir}/ipa-run-tests-%{python3_version} %{buildroot}%{_bindir}/ipa-run-tests
-ln -frs %{buildroot}%{_bindir}/ipa-test-config-%{python3_version} %{buildroot}%{_bindir}/ipa-test-config
-ln -frs %{buildroot}%{_bindir}/ipa-test-task-%{python3_version} %{buildroot}%{_bindir}/ipa-test-task
-# with_ipatests
-%endif
-
-# remove files which are useful only for make uninstall
-find %{buildroot} -wholename '*/site-packages/*/install_files.txt' -exec rm {} \;
-
-%if 0%{?rhel}
-# RHEL spec file only: START
-# Moved branding logos and background to redhat-logos-ipa-80.4:
-# header-logo.png, login-screen-background.jpg, login-screen-logo.png,
-# product-name.png
-rm -f %{buildroot}%{_usr}/share/ipa/ui/images/header-logo.png
-rm -f %{buildroot}%{_usr}/share/ipa/ui/images/login-screen-background.jpg
-rm -f %{buildroot}%{_usr}/share/ipa/ui/images/login-screen-logo.png
-rm -f %{buildroot}%{_usr}/share/ipa/ui/images/product-name.png
-%endif
-# RHEL spec file only: END
-
-%find_lang %{gettext_domain}
-
-%if ! %{ONLY_CLIENT}
-# Remove .la files from libtool - we don't want to package
-these files
-rm %{buildroot}/%{plugin_dir}/libipa_pwd_extop.la
-rm %{buildroot}/%{plugin_dir}/libipa_enrollment_extop.la
-rm %{buildroot}/%{plugin_dir}/libipa_winsync.la
-rm %{buildroot}/%{plugin_dir}/libipa_repl_version.la
-rm %{buildroot}/%{plugin_dir}/libipa_uuid.la
-rm %{buildroot}/%{plugin_dir}/libipa_modrdn.la
-rm %{buildroot}/%{plugin_dir}/libipa_lockout.la
-rm %{buildroot}/%{plugin_dir}/libipa_cldap.la
-rm %{buildroot}/%{plugin_dir}/libipa_dns.la
-rm %{buildroot}/%{plugin_dir}/libipa_sidgen.la
-rm %{buildroot}/%{plugin_dir}/libipa_sidgen_task.la
-rm %{buildroot}/%{plugin_dir}/libipa_extdom_extop.la
-rm %{buildroot}/%{plugin_dir}/libipa_range_check.la
-rm %{buildroot}/%{plugin_dir}/libipa_otp_counter.la
-rm %{buildroot}/%{plugin_dir}/libipa_otp_lasttoken.la
-rm %{buildroot}/%{plugin_dir}/libipa_graceperiod.la
-rm %{buildroot}/%{plugin_dir}/libtopology.la
-rm %{buildroot}/%{_libdir}/krb5/plugins/kdb/ipadb.la
-rm %{buildroot}/%{_libdir}/samba/pdb/ipasam.la
-
-# So we can own our Apache configuration
-mkdir -p %{buildroot}%{_sysconfdir}/httpd/conf.d/
-/bin/touch %{buildroot}%{_sysconfdir}/httpd/conf.d/ipa.conf
-/bin/touch %{buildroot}%{_sysconfdir}/httpd/conf.d/ipa-kdc-proxy.conf
-/bin/touch %{buildroot}%{_sysconfdir}/httpd/conf.d/ipa-pki-proxy.conf
-/bin/touch %{buildroot}%{_sysconfdir}/httpd/conf.d/ipa-rewrite.conf
-/bin/touch %{buildroot}%{_usr}/share/ipa/html/ca.crt
-/bin/touch %{buildroot}%{_usr}/share/ipa/html/krb.con
-/bin/touch %{buildroot}%{_usr}/share/ipa/html/krb5.ini
-/bin/touch %{buildroot}%{_usr}/share/ipa/html/krbrealm.con
-
-mkdir -p %{buildroot}%{_libdir}/krb5/plugins/libkrb5
-touch %{buildroot}%{_libdir}/krb5/plugins/libkrb5/winbind_krb5_locator.so
-
-# ONLY_CLIENT
-%endif
-
-/bin/touch %{buildroot}%{_sysconfdir}/ipa/default.conf
-/bin/touch %{buildroot}%{_sysconfdir}/ipa/ca.crt
-
-%if ! %{ONLY_CLIENT}
-mkdir -p %{buildroot}%{_sysconfdir}/cron.d
-# ONLY_CLIENT
-%endif
-
-%if ! %{ONLY_CLIENT}
-
-%post server
-# NOTE: systemd specific section
- /bin/systemctl --system daemon-reload 2>&1 || :
-# END
-if [ $1 -gt 1 ] ; then
- /bin/systemctl condrestart certmonger.service 2>&1 || :
-fi
-/bin/systemctl reload-or-try-restart dbus
-/bin/systemctl reload-or-try-restart oddjobd
-
-%tmpfiles_create ipa.conf
-
-%posttrans server
-# don't execute upgrade and restart of IPA when server is not installed
-%{__python3} -c "import sys; from ipalib import facts; sys.exit(0 if facts.is_ipa_configured() else 1);" > /dev/null 2>&1
-
-if [ $? -eq 0 ]; then
- # This is necessary for Fedora system upgrades which by default
- # work with the network being offline
- /bin/systemctl start network-online.target
-
- # Restart IPA processes. This must be also run in postrans so that plugins
- # and software is in consistent state. This will also perform the
- # system upgrade.
- # NOTE: systemd specific section
-
- /bin/systemctl is-enabled ipa.service >/dev/null 2>&1
- if [ $? -eq 0 ]; then
- /bin/systemctl restart ipa.service >/dev/null
- fi
-
- /bin/systemctl is-enabled ipa-ccache-sweep.timer >/dev/null 2>&1
- if [ $? -eq 1 ]; then
- /bin/systemctl enable ipa-ccache-sweep.timer>/dev/null
- fi
-fi
-# END
-
-
-%preun server
-if [ $1 = 0 ]; then
-# NOTE: systemd specific section
- /bin/systemctl --quiet stop ipa.service || :
- /bin/systemctl --quiet disable ipa.service || :
- /bin/systemctl reload-or-try-restart dbus
- /bin/systemctl reload-or-try-restart oddjobd
-# END
-fi
-
-
-%pre server
-# Stop ipa_kpasswd if it exists before upgrading so we don't have a
-# zombie process when we're done.
-if [ -e /usr/sbin/ipa_kpasswd ]; then
-# NOTE: systemd specific section
- /bin/systemctl stop ipa_kpasswd.service >/dev/null 2>&1 || :
-# END
-fi
-
-
-%pre server-common
-# create users and groups
-# create kdcproxy group and user
-getent group kdcproxy >/dev/null || groupadd -f -r kdcproxy
-getent passwd kdcproxy >/dev/null || useradd -r -g kdcproxy -s /sbin/nologin -d / -c "IPA KDC Proxy User" kdcproxy
-# create ipaapi group and user
-getent group ipaapi >/dev/null || groupadd -f -r ipaapi
-getent passwd ipaapi >/dev/null || useradd -r -g ipaapi -s /sbin/nologin -d / -c "IPA Framework User" ipaapi
-# add apache to ipaaapi group
-id -Gn apache | grep '\bipaapi\b' >/dev/null || usermod apache -a -G ipaapi
-
-
-%post server-dns
-%systemd_post ipa-dnskeysyncd.service ipa-ods-exporter.socket ipa-ods-exporter.service
-%preun server-dns
-%systemd_preun ipa-dnskeysyncd.service ipa-ods-exporter.socket ipa-ods-exporter.service
-%postun server-dns
-%systemd_postun ipa-dnskeysyncd.service ipa-ods-exporter.socket ipa-ods-exporter.service
-
-
-%postun server-trust-ad
-if [ "$1" -ge "1" ]; then
- if [ "`readlink %{_sysconfdir}/alternatives/winbind_krb5_locator.so`" == "/dev/null" ]; then
- %{_sbindir}/alternatives --set winbind_krb5_locator.so /dev/null
- fi
-fi
-
-
-%post server-trust-ad
-%{_sbindir}/update-alternatives --install %{_libdir}/krb5/plugins/libkrb5/winbind_krb5_locator.so \
- winbind_krb5_locator.so /dev/null 90
-/bin/systemctl reload-or-try-restart dbus
-/bin/systemctl reload-or-try-restart oddjobd
-
-
-%posttrans server-trust-ad
-%{__python3} -c "import sys; from ipalib import facts; sys.exit(0 if facts.is_ipa_configured() else 1);" > /dev/null 2>&1
-if [ $? -eq 0 ]; then
-# NOTE: systemd specific section
- /bin/systemctl try-restart httpd.service >/dev/null 2>&1 || :
-# END
-fi
-
-
-%preun server-trust-ad
-if [ $1 -eq 0 ]; then
- %{_sbindir}/update-alternatives --remove winbind_krb5_locator.so /dev/null
- /bin/systemctl reload-or-try-restart dbus
- /bin/systemctl reload-or-try-restart oddjobd
-fi
-
-# ONLY_CLIENT
-%endif
-
-%preun client-epn
-%systemd_preun ipa-epn.service
-%systemd_preun ipa-epn.timer
-
-%postun client-epn
-%systemd_postun ipa-epn.service
-%systemd_postun ipa-epn.timer
-
-%post client-epn
-%systemd_post ipa-epn.service
-%systemd_post ipa-epn.timer
-
-%post client
-if [ $1 -gt 1 ] ; then
- # Has the client been configured?
- restore=0
- test -f '/var/lib/ipa-client/sysrestore/sysrestore.index' && restore=$(wc -l '/var/lib/ipa-client/sysrestore/sysrestore.index' | awk '{print $1}')
-
- if [ -f '/etc/sssd/sssd.conf' -a $restore -ge 2 ]; then
- if ! grep -E -q '/var/lib/sss/pubconf/krb5.include.d/' /etc/krb5.conf 2>/dev/null ; then
- echo "includedir /var/lib/sss/pubconf/krb5.include.d/" > /etc/krb5.conf.ipanew
- cat /etc/krb5.conf >> /etc/krb5.conf.ipanew
- mv -Z /etc/krb5.conf.ipanew /etc/krb5.conf
- fi
- fi
-
- if [ $restore -ge 2 ]; then
- if grep -E -q '\s*pkinit_anchors = FILE:/etc/ipa/ca.crt$' /etc/krb5.conf 2>/dev/null; then
- sed -E 's|(\s*)pkinit_anchors = FILE:/etc/ipa/ca.crt$|\1pkinit_anchors = FILE:/var/lib/ipa-client/pki/kdc-ca-bundle.pem\n\1pkinit_pool = FILE:/var/lib/ipa-client/pki/ca-bundle.pem|' /etc/krb5.conf >/etc/krb5.conf.ipanew
- mv -Z /etc/krb5.conf.ipanew /etc/krb5.conf
- cp /etc/ipa/ca.crt /var/lib/ipa-client/pki/kdc-ca-bundle.pem
- cp /etc/ipa/ca.crt /var/lib/ipa-client/pki/ca-bundle.pem
- fi
-
- %{__python3} -c 'from ipaclient.install.client import configure_krb5_snippet; configure_krb5_snippet()' >>/var/log/ipaupgrade.log 2>&1
- %{__python3} -c 'from ipaclient.install.client import update_ipa_nssdb; update_ipa_nssdb()' >>/var/log/ipaupgrade.log 2>&1
- chmod 0600 /var/log/ipaupgrade.log
- SSH_CLIENT_SYSTEM_CONF="/etc/ssh/ssh_config"
- if [ -f "$SSH_CLIENT_SYSTEM_CONF" ]; then
- sed -E --in-place=.orig 's/^(HostKeyAlgorithms ssh-rsa,ssh-dss)$/# disabled by ipa-client update\n# \1/' "$SSH_CLIENT_SYSTEM_CONF"
- fi
- fi
-fi
-
-
-%if %{with selinux}
-# SELinux contexts are saved so that only affected files can be
-# relabeled after the policy module installation
-%pre selinux
-%selinux_relabel_pre -s %{selinuxtype}
-
-%post selinux
-semodule -d ipa_custodia &> /dev/null || true;
-%selinux_modules_install -s %{selinuxtype} %{_datadir}/selinux/packages/%{selinuxtype}/%{modulename}.pp.bz2
-
-%postun selinux
-if [ $1 -eq 0 ]; then
- %selinux_modules_uninstall -s %{selinuxtype} %{modulename}
- semodule -e ipa_custodia &> /dev/null || true;
-fi
-
-%posttrans selinux
-%selinux_relabel_post -s %{selinuxtype}
-# with_selinux
-%endif
-
-
-%triggerin client -- openssh-server < 8.2
-# Has the client been configured?
-restore=0
-test -f '/var/lib/ipa-client/sysrestore/sysrestore.index' && restore=$(wc -l '/var/lib/ipa-client/sysrestore/sysrestore.index' | awk '{print $1}')
-
-if [ -f '/etc/ssh/sshd_config' -a $restore -ge 2 ]; then
- if grep -E -q '^(AuthorizedKeysCommand /usr/bin/sss_ssh_authorizedkeys|PubKeyAgent /usr/bin/sss_ssh_authorizedkeys %u)$' /etc/ssh/sshd_config 2>/dev/null; then
- sed -r '
- /^(AuthorizedKeysCommand(User|RunAs)|PubKeyAgentRunAs)[ \t]/ d
- ' /etc/ssh/sshd_config >/etc/ssh/sshd_config.ipanew
-
- if /usr/sbin/sshd -t -f /dev/null -o 'AuthorizedKeysCommand=/usr/bin/sss_ssh_authorizedkeys' -o 'AuthorizedKeysCommandUser=nobody' 2>/dev/null; then
- sed -ri '
- s/^PubKeyAgent (.+) %u$/AuthorizedKeysCommand \1/
- s/^AuthorizedKeysCommand .*$/\0\nAuthorizedKeysCommandUser nobody/
- ' /etc/ssh/sshd_config.ipanew
- elif /usr/sbin/sshd -t -f /dev/null -o 'AuthorizedKeysCommand=/usr/bin/sss_ssh_authorizedkeys' -o 'AuthorizedKeysCommandRunAs=nobody' 2>/dev/null; then
- sed -ri '
- s/^PubKeyAgent (.+) %u$/AuthorizedKeysCommand \1/
- s/^AuthorizedKeysCommand .*$/\0\nAuthorizedKeysCommandRunAs nobody/
- ' /etc/ssh/sshd_config.ipanew
- elif /usr/sbin/sshd -t -f /dev/null -o 'PubKeyAgent=/usr/bin/sss_ssh_authorizedkeys %u' -o 'PubKeyAgentRunAs=nobody' 2>/dev/null; then
- sed -ri '
- s/^AuthorizedKeysCommand (.+)$/PubKeyAgent \1 %u/
- s/^PubKeyAgent .*$/\0\nPubKeyAgentRunAs nobody/
- ' /etc/ssh/sshd_config.ipanew
- fi
-
- mv -Z /etc/ssh/sshd_config.ipanew /etc/ssh/sshd_config
- chmod 600 /etc/ssh/sshd_config
-
- /bin/systemctl condrestart sshd.service 2>&1 || :
- fi
-fi
-
-
-%triggerin client -- openssh-server >= 8.2
-# Has the client been configured?
-restore=0
-test -f '/var/lib/ipa-client/sysrestore/sysrestore.index' && restore=$(wc -l '/var/lib/ipa-client/sysrestore/sysrestore.index' | awk '{print $1}')
-
-if [ -f '/etc/ssh/sshd_config' -a $restore -ge 2 ]; then
- # If the snippet already exists, skip
- if [ ! -f '/etc/ssh/sshd_config.d/04-ipa.conf' ]; then
- # Take the values from /etc/ssh/sshd_config and put them in 04-ipa.conf
- grep -E '^(PubkeyAuthentication|KerberosAuthentication|GSSAPIAuthentication|UsePAM|ChallengeResponseAuthentication|AuthorizedKeysCommand|AuthorizedKeysCommandUser)' /etc/ssh/sshd_config 2>/dev/null > /etc/ssh/sshd_config.d/04-ipa.conf
- # Remove the values from sshd_conf
- sed -ri '
- /^(PubkeyAuthentication|KerberosAuthentication|GSSAPIAuthentication|UsePAM|ChallengeResponseAuthentication|AuthorizedKeysCommand|AuthorizedKeysCommandUser)[ \t]/ d
- ' /etc/ssh/sshd_config
-
- /bin/systemctl condrestart sshd.service 2>&1 || :
- fi
- # If the snippet has been created, ensure that it is included
- # either by /etc/ssh/sshd_config.d/*.conf or directly
- if [ -f '/etc/ssh/sshd_config.d/04-ipa.conf' ]; then
- if ! grep -E -q '^\s*Include\s*/etc/ssh/sshd_config.d/\*\.conf' /etc/ssh/sshd_config 2> /dev/null ; then
- if ! grep -E -q '^\s*Include\s*/etc/ssh/sshd_config.d/04-ipa\.conf' /etc/ssh/sshd_config 2> /dev/null ; then
- # Include the snippet
- echo "Include /etc/ssh/sshd_config.d/04-ipa.conf" > /etc/ssh/sshd_config.ipanew
- cat /etc/ssh/sshd_config >> /etc/ssh/sshd_config.ipanew
- mv -fZ --backup=existing --suffix .ipaold /etc/ssh/sshd_config.ipanew /etc/ssh/sshd_config
- fi
- fi
- fi
-fi
-
-
-%if ! %{ONLY_CLIENT}
-
-%files server
-%doc README.md Contributors.txt
-%license COPYING
-%{_sbindir}/ipa-backup
-%{_sbindir}/ipa-restore
-%{_sbindir}/ipa-ca-install
-%{_sbindir}/ipa-kra-install
-%{_sbindir}/ipa-server-install
-%{_sbindir}/ipa-replica-conncheck
-%{_sbindir}/ipa-replica-install
-%{_sbindir}/ipa-replica-manage
-%{_sbindir}/ipa-csreplica-manage
-%{_sbindir}/ipa-server-certinstall
-%{_sbindir}/ipa-server-upgrade
-%{_sbindir}/ipa-ldap-updater
-%{_sbindir}/ipa-otptoken-import
-%{_sbindir}/ipa-compat-manage
-%{_sbindir}/ipa-nis-manage
-%{_sbindir}/ipa-managed-entries
-%{_sbindir}/ipactl
-%{_sbindir}/ipa-advise
-%{_sbindir}/ipa-cacert-manage
-%{_sbindir}/ipa-winsync-migrate
-%{_sbindir}/ipa-pkinit-manage
-%{_sbindir}/ipa-crlgen-manage
-%{_sbindir}/ipa-cert-fix
-%{_sbindir}/ipa-acme-manage
-%{_libexecdir}/certmonger/dogtag-ipa-ca-renew-agent-submit
-%{_libexecdir}/certmonger/ipa-server-guard
-%dir %{_libexecdir}/ipa
-%{_libexecdir}/ipa/ipa-ccache-sweeper
-%{_libexecdir}/ipa/ipa-custodia
-%{_libexecdir}/ipa/ipa-custodia-check
-%{_libexecdir}/ipa/ipa-httpd-kdcproxy
-%{_libexecdir}/ipa/ipa-httpd-pwdreader
-%{_libexecdir}/ipa/ipa-pki-retrieve-key
-%{_libexecdir}/ipa/ipa-pki-wait-running
-%{_libexecdir}/ipa/ipa-otpd
-%{_libexecdir}/ipa/ipa-print-pac
-%{_libexecdir}/ipa/ipa-subids
-%dir %{_libexecdir}/ipa/custodia
-%attr(755,root,root) %{_libexecdir}/ipa/custodia/ipa-custodia-dmldap
-%attr(755,root,root) %{_libexecdir}/ipa/custodia/ipa-custodia-pki-tomcat
-%attr(755,root,root) %{_libexecdir}/ipa/custodia/ipa-custodia-pki-tomcat-wrapped
-%attr(755,root,root) %{_libexecdir}/ipa/custodia/ipa-custodia-ra-agent
-%dir %{_libexecdir}/ipa/oddjob
-%attr(0755,root,root) %{_libexecdir}/ipa/oddjob/org.freeipa.server.conncheck
-%attr(0755,root,root) %{_libexecdir}/ipa/oddjob/org.freeipa.server.trust-enable-agent
-%attr(0755,root,root) %{_libexecdir}/ipa/oddjob/org.freeipa.server.config-enable-sid
-%config(noreplace) %{_sysconfdir}/dbus-1/system.d/org.freeipa.server.conf
-%config(noreplace) %{_sysconfdir}/oddjobd.conf.d/ipa-server.conf
-%dir %{_libexecdir}/ipa/certmonger
-%attr(755,root,root) %{_libexecdir}/ipa/certmonger/*
-# NOTE: systemd specific section
-%attr(644,root,root) %{_unitdir}/ipa.service
-%attr(644,root,root) %{_unitdir}/ipa-otpd.socket
-%attr(644,root,root) %{_unitdir}/ipa-otpd@.service
-%attr(644,root,root) %{_unitdir}/ipa-ccache-sweep.service
-%attr(644,root,root) %{_unitdir}/ipa-ccache-sweep.timer
-# END
-%attr(755,root,root) %{plugin_dir}/libipa_pwd_extop.so
-%attr(755,root,root) %{plugin_dir}/libipa_enrollment_extop.so
-%attr(755,root,root) %{plugin_dir}/libipa_winsync.so
-%attr(755,root,root) %{plugin_dir}/libipa_repl_version.so
-%attr(755,root,root) %{plugin_dir}/libipa_uuid.so
-%attr(755,root,root) %{plugin_dir}/libipa_modrdn.so
-%attr(755,root,root) %{plugin_dir}/libipa_lockout.so
-%attr(755,root,root) %{plugin_dir}/libipa_dns.so
-%attr(755,root,root) %{plugin_dir}/libipa_range_check.so
-%attr(755,root,root) %{plugin_dir}/libipa_otp_counter.so
-%attr(755,root,root) %{plugin_dir}/libipa_otp_lasttoken.so
-%attr(755,root,root) %{plugin_dir}/libtopology.so
-%attr(755,root,root) %{plugin_dir}/libipa_sidgen.so
-%attr(755,root,root) %{plugin_dir}/libipa_sidgen_task.so
-%attr(755,root,root) %{plugin_dir}/libipa_extdom_extop.so
-%attr(755,root,root) %{plugin_dir}/libipa_graceperiod.so
-%attr(755,root,root) %{_libdir}/krb5/plugins/kdb/ipadb.so
-%{_mandir}/man1/ipa-replica-conncheck.1*
-%{_mandir}/man1/ipa-replica-install.1*
-%{_mandir}/man1/ipa-replica-manage.1*
-%{_mandir}/man1/ipa-csreplica-manage.1*
-%{_mandir}/man1/ipa-server-certinstall.1*
-%{_mandir}/man1/ipa-server-install.1*
-%{_mandir}/man1/ipa-server-upgrade.1*
-%{_mandir}/man1/ipa-ca-install.1*
-%{_mandir}/man1/ipa-kra-install.1*
-%{_mandir}/man1/ipa-compat-manage.1*
-%{_mandir}/man1/ipa-nis-manage.1*
-%{_mandir}/man1/ipa-managed-entries.1*
-%{_mandir}/man1/ipa-ldap-updater.1*
-%{_mandir}/man8/ipactl.8*
-%{_mandir}/man1/ipa-backup.1*
-%{_mandir}/man1/ipa-restore.1*
-%{_mandir}/man1/ipa-advise.1*
-%{_mandir}/man1/ipa-otptoken-import.1*
-%{_mandir}/man1/ipa-cacert-manage.1*
-%{_mandir}/man1/ipa-winsync-migrate.1*
-%{_mandir}/man1/ipa-pkinit-manage.1*
-%{_mandir}/man1/ipa-crlgen-manage.1*
-%{_mandir}/man1/ipa-cert-fix.1*
-%{_mandir}/man1/ipa-acme-manage.1*
-
-
-%files -n python3-ipaserver
-%doc README.md Contributors.txt
-%license COPYING
-%{python3_sitelib}/ipaserver
-%{python3_sitelib}/ipaserver-*.egg-info
-
-
-%files server-common
-%doc README.md Contributors.txt
-%license COPYING
-%ghost %verify(not owner group) %dir %{_sharedstatedir}/kdcproxy
-%dir %attr(0755,root,root) %{_sysconfdir}/ipa/kdcproxy
-%config(noreplace) %{_sysconfdir}/ipa/kdcproxy/kdcproxy.conf
-# NOTE: systemd specific section
-%{_tmpfilesdir}/ipa.conf
-%attr(644,root,root) %{_unitdir}/ipa-custodia.service
-%ghost %attr(644,root,root) %{etc_systemd_dir}/httpd.d/ipa.conf
-# END
-%{_usr}/share/ipa/wsgi.py*
-%{_usr}/share/ipa/kdcproxy.wsgi
-%{_usr}/share/ipa/ipaca*.ini
-%{_usr}/share/ipa/*.ldif
-%exclude %{_datadir}/ipa/ipa-cldap-conf.ldif
-%{_usr}/share/ipa/*.uldif
-%{_usr}/share/ipa/*.template
-%dir %{_usr}/share/ipa/advise
-%dir %{_usr}/share/ipa/advise/legacy
-%{_usr}/share/ipa/advise/legacy/*.template
-%dir %{_usr}/share/ipa/profiles
-%{_usr}/share/ipa/profiles/README
-%{_usr}/share/ipa/profiles/*.cfg
-%dir %{_usr}/share/ipa/html
-%{_usr}/share/ipa/html/ssbrowser.html
-%{_usr}/share/ipa/html/unauthorized.html
-%dir %{_usr}/share/ipa/migration
-%{_usr}/share/ipa/migration/index.html
-%{_usr}/share/ipa/migration/migration.py*
-%dir %{_usr}/share/ipa/ui
-%{_usr}/share/ipa/ui/index.html
-%{_usr}/share/ipa/ui/reset_password.html
-%{_usr}/share/ipa/ui/sync_otp.html
-%{_usr}/share/ipa/ui/*.ico
-%{_usr}/share/ipa/ui/*.css
-%dir %{_usr}/share/ipa/ui/css
-%{_usr}/share/ipa/ui/css/*.css
-%dir %{_usr}/share/ipa/ui/js
-%dir %{_usr}/share/ipa/ui/js/dojo
-%{_usr}/share/ipa/ui/js/dojo/dojo.js
-%dir %{_usr}/share/ipa/ui/js/libs
-%{_usr}/share/ipa/ui/js/libs/*.js
-%dir %{_usr}/share/ipa/ui/js/freeipa
-%{_usr}/share/ipa/ui/js/freeipa/app.js
-%{_usr}/share/ipa/ui/js/freeipa/core.js
-%dir %{_usr}/share/ipa/ui/js/plugins
-%dir %{_usr}/share/ipa/ui/images
-%if 0%{?rhel}
-%{_usr}/share/ipa/ui/images/facet-*.png
-# Moved branding logos and background to redhat-logos-ipa-80.4:
-# header-logo.png, login-screen-background.jpg, login-screen-logo.png,
-# product-name.png
-%else
-%{_usr}/share/ipa/ui/images/*.jpg
-%{_usr}/share/ipa/ui/images/*.png
-%endif
-%dir %{_usr}/share/ipa/wsgi
-%{_usr}/share/ipa/wsgi/plugins.py*
-%dir %{_sysconfdir}/ipa
-%dir %{_sysconfdir}/ipa/html
-%config(noreplace) %{_sysconfdir}/ipa/html/ssbrowser.html
-%config(noreplace) %{_sysconfdir}/ipa/html/unauthorized.html
-%ghost %attr(0644,root,root) %config(noreplace) %{_sysconfdir}/httpd/conf.d/ipa-rewrite.conf
-%ghost %attr(0644,root,root) %config(noreplace) %{_sysconfdir}/httpd/conf.d/ipa.conf
-%ghost %attr(0644,root,root) %config(noreplace) %{_sysconfdir}/httpd/conf.d/ipa-kdc-proxy.conf
-%ghost %attr(0640,root,root) %config(noreplace) %{_sysconfdir}/httpd/conf.d/ipa-pki-proxy.conf
-%ghost %attr(0644,root,root) %config(noreplace) %{_sysconfdir}/ipa/kdcproxy/ipa-kdc-proxy.conf
-%ghost %attr(0644,root,root) %config(norepl
ace) %{_usr}/share/ipa/html/ca.crt
-%ghost %attr(0640,root,named) %config(noreplace) %{_sysconfdir}/named/ipa-ext.conf
-%ghost %attr(0640,root,named) %config(noreplace) %{_sysconfdir}/named/ipa-options-ext.conf
-%ghost %attr(0644,root,root) %{_usr}/share/ipa/html/krb.con
-%ghost %attr(0644,root,root) %{_usr}/share/ipa/html/krb5.ini
-%ghost %attr(0644,root,root) %{_usr}/share/ipa/html/krbrealm.con -%dir %{_usr}/share/ipa/updates/ -%{_usr}/share/ipa/updates/* -%dir %{_localstatedir}/lib/ipa -%attr(700,root,root) %dir %{_localstatedir}/lib/ipa/backup -%attr(700,root,root) %dir %{_localstatedir}/lib/ipa/gssproxy -%attr(711,root,root) %dir %{_localstatedir}/lib/ipa/sysrestore -%attr(700,root,root) %dir %{_localstatedir}/lib/ipa/sysupgrade -%attr(755,root,root) %dir %{_localstatedir}/lib/ipa/pki-ca -%attr(755,root,root) %dir %{_localstatedir}/lib/ipa/certs -%attr(700,root,root) %dir %{_localstatedir}/lib/ipa/private -%attr(700,root,root) %dir %{_localstatedir}/lib/ipa/passwds -%ghost %attr(775,root,pkiuser) %{_localstatedir}/lib/ipa/pki-ca/publish -%ghost %attr(770,named,named) %{_localstatedir}/named/dyndb-ldap/ipa -%dir %attr(0700,root,root) %{_sysconfdir}/ipa/custodia -%dir %{_usr}/share/ipa/schema.d -%attr(0644,root,root) %{_usr}/share/ipa/schema.d/README -%attr(0644,root,root) %{_usr}/share/ipa/gssapi.login -%{_usr}/share/ipa/ipakrb5.aug - -%files server-dns -%doc README.md Contributors.txt -%license COPYING -%config(noreplace) %{_sysconfdir}/sysconfig/ipa-dnskeysyncd -%config(noreplace) %{_sysconfdir}/sysconfig/ipa-ods-exporter -%dir %attr(0755,root,root) %{_sysconfdir}/ipa/dnssec -%{_libexecdir}/ipa/ipa-dnskeysyncd -%{_libexecdir}/ipa/ipa-dnskeysync-replica -%{_libexecdir}/ipa/ipa-ods-exporter -%{_sbindir}/ipa-dns-install -%{_mandir}/man1/ipa-dns-install.1* -%attr(644,root,root) %{_unitdir}/ipa-dnskeysyncd.service -%attr(644,root,root) %{_unitdir}/ipa-ods-exporter.socket -%attr(644,root,root) %{_unitdir}/ipa-ods-exporter.service - -%files server-trust-ad -%doc README.md Contributors.txt -%license COPYING -%{_sbindir}/ipa-adtrust-install -%{_usr}/share/ipa/smb.conf.empty -%attr(755,root,root) %{_libdir}/samba/pdb/ipasam.so -%attr(755,root,root) %{plugin_dir}/libipa_cldap.so -%{_datadir}/ipa/ipa-cldap-conf.ldif -%{_mandir}/man1/ipa-adtrust-install.1* -%ghost 
%{_libdir}/krb5/plugins/libkrb5/winbind_krb5_locator.so
-%{_sysconfdir}/dbus-1/system.d/oddjob-ipa-trust.conf
-%{_sysconfdir}/oddjobd.conf.d/oddjobd-ipa-trust.conf
-%attr(755,root,root) %{_libexecdir}/ipa/oddjob/com.redhat.idm.trust-fetch-domains
-
-# ONLY_CLIENT
-%endif
-
-
-%files client
-%doc README.md Contributors.txt
-%license COPYING
-%{_sbindir}/ipa-client-install
-%{_sbindir}/ipa-client-automount
-%{_sbindir}/ipa-certupdate
-%{_sbindir}/ipa-getkeytab
-%{_sbindir}/ipa-rmkeytab
-%{_sbindir}/ipa-join
-%{_bindir}/ipa
-%config %{_sysconfdir}/bash_completion.d
-%config %{_sysconfdir}/sysconfig/certmonger
-%{_mandir}/man1/ipa.1*
-%{_mandir}/man1/ipa-getkeytab.1*
-%{_mandir}/man1/ipa-rmkeytab.1*
-%{_mandir}/man1/ipa-client-install.1*
-%{_mandir}/man1/ipa-client-automount.1*
-%{_mandir}/man1/ipa-certupdate.1*
-%{_mandir}/man1/ipa-join.1*
-%dir %{_libexecdir}/ipa/acme
-%{_libexecdir}/ipa/acme/certbot-dns-ipa
-
-%files client-samba
-%doc README.md Contributors.txt
-%license COPYING
-%{_sbindir}/ipa-client-samba
-%{_mandir}/man1/ipa-client-samba.1*
-
-
-%files client-epn
-%doc README.md Contributors.txt
-%dir %{_sysconfdir}/ipa/epn
-%license COPYING
-%{_sbindir}/ipa-epn
-%{_mandir}/man1/ipa-epn.1*
-%{_mandir}/man5/epn.conf.5*
-%attr(644,root,root) %{_unitdir}/ipa-epn.service
-%attr(644,root,root) %{_unitdir}/ipa-epn.timer
-%attr(600,root,root) %config(noreplace) %{_sysconfdir}/ipa/epn.conf
-%attr(644,root,root) %config(noreplace) %{_sysconfdir}/ipa/epn/expire_msg.template
-
-%files -n python3-ipaclient
-%doc README.md Contributors.txt
-%license COPYING
-%dir %{python3_sitelib}/ipaclient
-%{python3_sitelib}/ipaclient/*.py
-%{python3_sitelib}/ipaclient/__pycache__/*.py*
-%dir %{python3_sitelib}/ipaclient/install
-%{python3_sitelib}/ipaclient/install/*.py
-%{python3_sitelib}/ipaclient/install/__pycache__/*.py*
-%dir %{python3_sitelib}/ipaclient/plugins
-%{python3_sitelib}/ipaclient/plugins/*.py
-%{python3_sitelib}/ipaclient/plugins/__pycache__/*.py*
-%dir
%{python3_sitelib}/ipaclient/remote_plugins
-%{python3_sitelib}/ipaclient/remote_plugins/*.py
-%{python3_sitelib}/ipaclient/remote_plugins/__pycache__/*.py*
-%dir %{python3_sitelib}/ipaclient/remote_plugins/2_*
-%{python3_sitelib}/ipaclient/remote_plugins/2_*/*.py
-%{python3_sitelib}/ipaclient/remote_plugins/2_*/__pycache__/*.py*
-%{python3_sitelib}/ipaclient-*.egg-info
-
-
-%files client-common
-%doc README.md Contributors.txt
-%license COPYING
-%dir %attr(0755,root,root) %{_sysconfdir}/ipa/
-%ghost %attr(0644,root,root) %config(noreplace) %{_sysconfdir}/ipa/default.conf
-%ghost %attr(0644,root,root) %config(noreplace) %{_sysconfdir}/ipa/ca.crt
-%dir %attr(0755,root,root) %{_sysconfdir}/ipa/nssdb
-# old dbm format
-%ghost %attr(644,root,root) %config(noreplace) %{_sysconfdir}/ipa/nssdb/cert8.db
-%ghost %attr(644,root,root) %config(noreplace) %{_sysconfdir}/ipa/nssdb/key3.db
-%ghost %attr(644,root,root) %config(noreplace) %{_sysconfdir}/ipa/nssdb/secmod.db
-# new sql format
-%ghost %attr(644,root,root) %config(noreplace) %{_sysconfdir}/ipa/nssdb/cert9.db
-%ghost %attr(644,root,root) %config(noreplace) %{_sysconfdir}/ipa/nssdb/key4.db
-%ghost %attr(644,root,root) %config(noreplace) %{_sysconfdir}/ipa/nssdb/pkcs11.txt
-%ghost %attr(600,root,root) %config(noreplace) %{_sysconfdir}/ipa/nssdb/pwdfile.txt
-%ghost %attr(644,root,root) %config(noreplace) %{_sysconfdir}/pki/ca-trust/source/ipa.p11-kit
-%dir %{_localstatedir}/lib/ipa-client
-%dir %{_localstatedir}/lib/ipa-client/pki
-%dir %{_localstatedir}/lib/ipa-client/sysrestore
-%{_mandir}/man5/default.conf.5*
-%dir %{_usr}/share/ipa/client
-%{_usr}/share/ipa/client/*.template
-
-
-%files python-compat
-%doc README.md Contributors.txt
-%license COPYING
-
-
-%files common -f %{gettext_domain}.lang
-%doc README.md Contributors.txt
-%license COPYING
-%dir %{_usr}/share/ipa
-%dir %{_libexecdir}/ipa
-
-%files -n python3-ipalib
-%doc README.md Contributors.txt
-%license COPYING
-
-%{python3_sitelib}/ipapython/
-%{python3_sitelib}/ipalib/ -%{python3_sitelib}/ipaplatform/ -%{python3_sitelib}/ipapython-*.egg-info -%{python3_sitelib}/ipalib-*.egg-info -%{python3_sitelib}/ipaplatform-*.egg-info - - -%if %{with ipatests} - - -%files -n python3-ipatests -%doc README.md Contributors.txt -%license COPYING -%{python3_sitelib}/ipatests -%{python3_sitelib}/ipatests-*.egg-info -%{_bindir}/ipa-run-tests-3 -%{_bindir}/ipa-test-config-3 -%{_bindir}/ipa-test-task-3 -%{_bindir}/ipa-run-tests-%{python3_version} -%{_bindir}/ipa-test-config-%{python3_version} -%{_bindir}/ipa-test-task-%{python3_version} -%{_bindir}/ipa-run-tests -%{_bindir}/ipa-test-config -%{_bindir}/ipa-test-task -%{_mandir}/man1/ipa-run-tests.1* -%{_mandir}/man1/ipa-test-config.1* -%{_mandir}/man1/ipa-test-task.1* - -# with ipatests -%endif - - -%if %{with selinux} -%files selinux -%{_datadir}/selinux/packages/%{selinuxtype}/%{modulename}.pp.* -%ghost %{_sharedstatedir}/selinux/%{selinuxtype}/active/modules/200/%{modulename} -# with selinux -%endif - -%changelog -* Thu Jul 28 2022 Francisco Trivino - 4.10.0-5 -- Resolves: rhbz#2109645 - - Rebuild for samba-4.16.3-101.el9 - -* Thu Jul 21 2022 Francisco Trivino - 4.10.0-4 -- Resolves: rhbz#2109645 - - Rebuild for samba-4.16.3-100.el9 - -* Fri Jul 15 2022 Florence Blanc-Renaud - 4.10.0-3 -- Resolves: rhbz#2105294 IdM WebUI Pagination Size should not allow empty value - -* Thu Jun 30 2022 Florence Blanc-Renaud - 4.10.0-2 -- Resolves: rhbz#2091988 [RFE] Add code to check password expiration on ldap bind - -* Thu Jun 30 2022 Florence Blanc-Renaud - 4.10.0-1 -- Resolves: rhbz#747959 [RFE] Support random serial numbers in IPA certificates -- Resolves: rhbz#2100227 [UX] Preserving a user account produces output saying it was deleted - -* Fri Jun 17 2022 Florence Blanc-Renaud - 4.9.10-1 -- Resolves: rhbz#2079469 [Rebase] Rebase ipa to latest 4.9.x release -- Resolves: rhbz#2012911 named journalctl logs shows 'zone testrealm.test/IN: serial (serialnumber) write back to LDAP failed.' 
-- Resolves: rhbz#2069202 [RFE] add support for authenticating against external IdP services using OAUTH2 preauthenticaiton mechanism provided by SSSD -- Resolves: rhbz#2083218 ipa-dnskeysyncd floods /var/log/messages with DEBUG messages -- Resolves: rhbz#2089750 RFE: Improve error message with more detail for ipa-replica-install command -- Resolves: rhbz#2091988 [RFE] Add code to check password expiration on ldap bind -- Resolves: rhbz#2094400 [RFE] ipa-client-install should provide option to enable subid: sss in /etc/nsswitch.conf -- Resolves: rhbz#2096922 secret in ipa-pki-proxy.conf is not changed if new requiredSecret value is present in /etc/pki/pki-tomcat/server.xml - -* Wed Apr 06 2022 Florence Blanc-Renaud - 4.9.8-8 -- Resolves: rhbz#2067971 Consequences of FIPS crypto policy tightening in RHEL 9 - - tests: ensure AD-SUPPORT subpolicy is active in more cases - - ipatests: fix check for AD topology being present - -* Thu Mar 24 2022 Florence Blanc-Renaud - 4.9.8-7 -- Resolves: rhbz#2067971 Consequences of FIPS crypto policy tightening in RHEL 9 - - KRB instance: make provision to work with crypto policy without SHA-1 HMAC types - - tests: ensure AD-SUPPORT subpolicy is active - - ipatests: extend AES keyset to SHA2-based ones - - freeipa.spec: bump crypto-policies dependency for CentOS 9 Stream - - Kerberos instance: default to AES256-SHA2 for master key encryption - - test_otp: do not use paramiko unless it is really needed - - test_krbtpolicy: skip SPAKE-related tests in FIPS mode - - Support AES for KRA archival wrapping - - Set AES as default for KRA archival wrapping - -* Thu Feb 24 2022 Florence Blanc-Renaud - 4.9.8-6 -- Resolves: rhbz#2057467 Backport latest test fixes in python3-ipatests - - ipatests: Tests for Autoprivate group. 
- - mark xfail for test_idoverride_with_auto_private_group[hybrid] - - Mark xfail test_gidnumber_not_corresponding_existing_group[true,hybrid] - -* Mon Feb 14 2022 Alexander Bokovoy - 4.9.8-5 -- Resolves: rhbz#2053025 - - add IPA test suite fixes - -* Mon Feb 14 2022 Alexander Bokovoy - 4.9.8-4 -- Resolves: rhbz#2053586 IPA LDAP plugin ipa-cldap memory leak - - fix memory leak in CLDAP responder - -* Fri Feb 11 2022 Florence Blanc-Renaud - 4.9.8-3 -- Resolves: rhbz#2050540 Unable to join RHEL 8.5 Replica to RHEL 7.9 Master for migration purposes - - Don't always override the port in import_included_profiles -- Resolves: rhbz#2051582 Enable ipa-ccache-sweep.timer during server installation - - Test ipa-ccache-sweep.timer enabled by default during installation - - Enable the ccache sweep timer during installation -- Resolves: rhbz#2051844 ipa-join tests are failing due to changes in expected output - - Remove ipa-join errors from behind the debug option - -* Thu Feb 03 2022 Florence Blanc-Renaud - 4.9.8-2 -- Resolves: rhbz#2040619 - Changing default pac type to 'nfs:NONE and MS-PAC' doesnot display error 'ipa: ERROR: no modifications to be performed' - - Config plugin: return EmptyModlist when no change is applied - - config plugin: add a test ensuring EmptyModlist is returned -- Resolves: rhbz#2048510 - [rhel-9.0] Backport latest test fixes in python3-ipatests - - ipatests: webui: Tests for subordinate ids. - - ipatests: webui: Use safe-loader for loading YAML configuration file - - ipatests: Fix test_ipa_cert_fix.py::TestCertFixReplica teardown - - Test cases for ipa-replica-conncheck command - - PEP8 Fixes - - ipatests: Test empty cert request doesn't force certmonger to segfault - - ipatests: Test default value of nsslapd-sizelimit. 
- - Extend test to see if replica is not shown when running `ipa-replica-manage list -v ` - - Added test automation for SHA384withRSA CSR support -- Resolves: rhbz#2049104 - User can't log in after ipa-user-mod --user-auth-type=hardened - - ipa-kdb: do not remove keys for hardened auth-enabled users - - ipatests: add case for hardened-only ticket policy -- Resolves: rhbz#2049174 - KRA GetStatus service blocked by IPA proxy - - ipa-pki-proxy.conf: provide access to /kra/admin/kra/getStatus - -* Thu Dec 02 2021 Florence Blanc-Renaud - 4.9.8-1 -- Resolves: rhbz#2015608 - [Rebase] Rebase ipa to latest 4.9.x release RHEL9 -- Resolves: rhbz#1825010 - Concerns regarding 'ipa pwpolicy-mod --minlife 24 --maxlife 1' -- Resolves: rhbz#1966289 - Info about searchrecordslimit set search limit to 10,000 after upgrade -- Resolves: rhbz#1980356 - reinstalling samba client causes winbindd coredump -- Resolves: rhbz#1986054 - fix automountlocation-tofiles output -- Resolves: rhbz#2020205 - Missing bind-pkcs11-utils causing failures in OpenDNSSec -- Resolves: rhbz#2021445 - CVE-2020-25719 ipa: samba: Samba AD DC did not always rely on the SID and PAC in Kerberos tickets - - ipa-kdb: issue PAC_REQUESTER_SID only for TGTs - - ipa-kdb: fix requester SID check according to MS-KILE and MS-SFU updates - -* Tue Oct 5 2021 Florence Blanc-Renaud - 4.9.6-9 -- Resolves: rhbz#2010701 ipa-server-install fails while 'configuring certificate server instance' - - Parse getStatus as JSON not XML - - Parse cert chain as JSON not XML - - Specify PKI installation log paths - - Make Dogtag return XML for ipa cert-find - -* Fri Sep 17 2021 Florence Blanc-Renaud - 4.9.6-8 -- Resolves: rhbz#2005864 ipa cert-request replaces user certificate instead of adding - - Don't store entries with a usercertificate in the LDAP cache - - ipatests: Test that a user can be issued multiple certificates - -* Fri Sep 10 2021 Florence Blanc-Renaud - 4.9.6-7 -- Resolves: rhbz#2003005 AVC denied { read } comm="ipa-custodia" on 
aarch64 during installation of ipa-server - - selinux policy: allow custodia to access /proc/cpuinfo -- Resolves: rhbz#2003004 extdom: LDAP_INVALID_SYNTAX returned instead of LDAP_NO_SUCH_OBJECT - - extdom: return LDAP_NO_SUCH_OBJECT if domains differ -- Resolves: rhbz#2003003 subid: subid-match displays the DN of the owner, not its UID. - - subid: subid-match: display the owner's ID not DN -- Resolves: rhbz#2013116 ipa migrate-ds command fails to warn when compat plugin is enabled - - migrate-ds: workaround to detect compat tree - -* Thu Aug 26 2021 Florence Blanc-Renaud - 4.9.6-6 -- Resolves: rhbz#1998098 - Backport latest test fixes in python3-ipatests - - ipatests: Test unsecure nsupdate. - - ipatests: Fix TestAJPSecretUpgrade tests on systems without pkiuser - - ipatests: test_ipahealthcheck: Verify permissions for /var/log/ files - - ipatests: test to renew certs on replica using ipa-cert-fix - - ipatests: wait while http/ldap/pkinit cert get renew on replica - - ipatests: refactor test_ipa_cert_fix with tasks - - ipatests: use whole date for journalctl --since -* Tue Aug 17 2021 Florence Blanc-Renaud - 4.9.6-5 -- Resolves: rhbz#1988383 Do SRV discovery in ipa-getkeytab if -s and -H aren't provided - - ipa-getkeytab: add option to discover servers using DNS SRV - - ipa-getkeytab: fix compiler warnings - - ipatests: test ipa-getkeytab server option -- Resolves: rhbz#1986329 ipa-server install failure without DNS - - Fix ldapupdate.get_sub_dict() for missing named user -- Resolves: rhbz#1980734 Remove python3-pexpect as dependency for ipatests pkg - - freeipa.spec.in: remove python3-pexpect from Requires -- Resolves: rhbz#1992538 Backport recent test fixes in python3-ipatests - - ipatests: use whole date when calling journalctl --since - - ipatests: Fix for test_source_ipahealthcheck_ipa_host_check_ipahostkeytab - - ipatests: test_ipahealthcheck: print a message if a system is healthy - - ipatests: test_installation: move tracking_reqs dependency to ipalib 
constants ipaserver: krainstance: utilize moved tracking_reqs dependency - - webui tests: close notification when revoking cert - - ipatests: Test ipa-cert-fix warns when startup directive is missing from CS.cfg - - webui tests: fix algo for finding available idrange - - ipatests: smbclient "-k" => "--use-kerberos=desired" - - test_acme: refactor with tasks - - test_acme: make password renewal more robust - - tasks.py: fix flake8-reported issues - - ipatests: Test for OTP when the LDAP connection timed out. - - ipatests: verify that getcert output includes the issued date - - ipatests: Look for warning into stderr instead of stdout - - ipatests: use krb5_trace in TestIpaAdTrustInstall - - ipatests: Test ldapsearch with base scope works with compat tree. - - ipatests: skip test_basesearch_compat_tree on fedora. - - ipatests: Refactor test_check_otpd_after_idle_timeout - -* Mon Aug 09 2021 Mohan Boddu - 4.9.6-4.1 -- Rebuilt for IMA sigs, glibc 2.34, aarch64 flags - Related: rhbz#1991688 - -* Fri Jul 23 2021 Rob Crittenden - 4.9.6-4 -- Use new method in check to prevent removal of last KRA (#1985072) -- ipatests: NAMED_CRYPTO_POLICY_FILE not defined for RHEL (#1982952) -- Fix index definition for memberOf (#1952028) - -* Thu Jul 15 2021 Florence Blanc-Renaud - 4.9.6-3 -- Resolves: rhbz#1979629 Add checks to prevent assigning authentication indicators to internal IPA services -- Resolves: rhbz#1982212 ipa-trust-add fails with "not enough quota" -- Resolves: rhbz#1952028 [RFE] Add support for managing subuids and subgids in FreeIPA -- Resolves: rhbz#1981789 [man page] contradiction in ipa-server-upgrade command's man page and usage - -* Fri Jul 9 2021 Florence Blanc-Renaud - 4.9.6-2 -- Resolves: rhbz#1955440 ipa installation fails to configure chrony -- Resolves: rhbz#1976761 Package python3-ipatests (from CRB repo) Requires python3-coverage -- Resolves: rhbz#1979609 Unable to set ipaUserAuthType with stageuser-add -- Resolves: rhbz#1979629 Add checks to prevent 
assigning authentication indicators to internal IPA services - -* Wed Jun 30 2021 Florence Blanc-Renaud - 4.9.6-1 -- Resolves: rhbz#1969351 Rebase IPA to latest 4.9.x version -- Resolves: rhbz#1976288 ansible-freeipa automember test fails with `automember_add_condition: testgroup: 'objectclass'` due to ldap cache -- Resolves: rhbz#1975139 Upgrade error: Add failure missing required attribute "objectclass" -- Resolves: rhbz#1973024 CA_less ipa-server-install fails if CA cert subject contains non ascii chars -- Resolves: rhbz#1966101 [RFE] - IDM - Allow specifying permanent logging settings for BIND -- Resolves: rhbz#1962570 IPA in c9s should not require redhat-logos-ipa as a runtime package -- Resolves: rhbz#1957736 [RFE] IPA to allow configuring auto-private-groups at idrange level - -* Wed Jun 16 2021 Mohan Boddu - 4.9.3-2.1 -- Rebuilt for RHEL 9 BETA for openssl 3.0 - Related: rhbz#1971065 - -* Tue Apr 20 2021 Florence Blanc-Renaud - 4.9.3-2 -- RHEL 9 Beta mass rebuild. Resolves: rhbz#1951304 - -* Wed Mar 31 2021 Alexander Bokovoy - 4.9.3-1 -- Upstream release FreeIPA 4.9.3 - -* Fri Feb 26 2021 Alexander Bokovoy - 4.9.2-4 -- Rebuild against 389-ds and PKI to fix https://github.com/389ds/389-ds-base/issues/4609 - -* Tue Feb 23 2021 Alexander Bokovoy - 4.9.2-3 -- Only use python-platform on RHEL 8 - -* Mon Feb 15 2021 Alexander Bokovoy - 4.9.2-2 -- Fix ipatests dependency to python3-pexpect - -* Mon Feb 15 2021 Alexander Bokovoy - 4.9.2-1 -- Upstream release FreeIPA 4.9.2 - -* Wed Jan 27 2021 Alexander Bokovoy - 4.9.1-1 -- Upstream release FreeIPA 4.9.1 - -* Tue Jan 26 2021 Fedora Release Engineering - 4.9.0-2.1 -- Rebuilt for https://fedoraproject.org/wiki/Fedora_34_Mass_Rebuild - -* Wed Jan 20 2021 Rob Crittenden - 4.9.0-2 -- Set client keytab location for 389ds (RHBZ#1918075) - -* Wed Dec 23 17:05:00 EET 2020 Alexander Bokovoy - 4.9.0-1 -- FreeIPA 4.9.0 final release - -* Wed Dec 16 07:52:00 EET 2020 Alexander Bokovoy - 4.9.0-0.6.rc3 -- Refactor DNSSEC paths 
creation code (upstream PR#5340) - -* Thu Dec 10 20:06:03 EET 2020 Alexander Bokovoy - 4.9.0-0.5.rc3 -- FreeIPA 4.9.0 release candidate 3 -- Enforce C.UTF-8 locale in systemd service units -- Fold up fixes from Rawhide and RHEL 8.4 testing - -* Wed Dec 9 20:06:03 EET 2020 Alexander Bokovoy - 4.9.0-0.4.rc2 -- Fix upgrade script for CA rule rewrites -- Fix permissions for /run/ipa/ccaches - -* Fri Dec 4 22:17:00 EET 2020 Alexander Bokovoy - 4.9.0-0.3.rc2 -- Correct SELinux policy requirements - -* Fri Dec 4 13:41:28 EET 2020 Alexander Bokovoy - 4.9.0-0.2.rc2 -- FreeIPA 4.9.0 release candidate 2 - -* Thu Nov 19 2020 Alexander Bokovoy - 4.9.0-0.1.rc1 -- Use correct bind PKCS11 engine dependencies -- Fix SELinux build requirement -- Fix linting requirements - -* Wed Nov 18 2020 Alexander Bokovoy - 4.9.0-0.rc1 -- FreeIPA 4.9.0 release candidate 1 -- Synchronize spec file with upstream and RHEL - -* Wed Oct 28 2020 Adam Williamson - 4.8.10-7 -- Backport #5212 for deployment failures with 389-ds-base 1.4.4.6+ - -* Tue Oct 13 2020 Alexander Bokovoy - 4.8.10-6 -- Handle sshd_config upgrade properly - Fixes: rhbz#1887928 - -* Tue Sep 29 2020 Alexander Bokovoy - 4.8.10-5 -- Properly handle upgrade case when systemd-resolved is enabled - -* Mon Sep 28 2020 Alexander Bokovoy - 4.8.10-4 -- Fix permissions for /etc/systemd/resolved.conf.d/zzz-ipa.conf -- Add NetworkManager and systemd-resolved configuration files to backup - -* Sun Sep 27 2020 Alexander Bokovoy - 4.8.10-3 -- Fix dependency between freeipa-selinux and freeipa-common -- Resolves: rhbz#1883005 - -* Sat Sep 26 2020 Alexander Bokovoy - 4.8.10-2 -- Support upgrade F32 -> F33 with systemd-resolved - -* Sat Sep 26 2020 Alexander Bokovoy - 4.8.10-1 -- Upstream release FreeIPA 4.8.10 - -* Fri Aug 21 2020 Alexander Bokovoy - 4.8.9-2 -- Backport fix for detecting older installations on upgrade - -* Thu Aug 20 2020 François Cami - 4.8.9-1 -- Upstream release FreeIPA 4.8.9 - -* Mon Aug 03 2020 Alexander Bokovoy - 4.8.7-5 -- 
Make use of unshare+chroot in ipa-extdom-extop unittests to work against glibc 2.32 - -* Sat Aug 01 2020 Fedora Release Engineering - 4.8.7-4 -- Second attempt - Rebuilt for - https://fedoraproject.org/wiki/Fedora_33_Mass_Rebuild - -* Thu Jul 30 2020 Merlin Mathesius - 4.8.7-3 -- Conditional fixes for ELN to set krb5-kdb version appropriately - -* Mon Jul 27 2020 Fedora Release Engineering - 4.8.7-2 -- Rebuilt for https://fedoraproject.org/wiki/Fedora_33_Mass_Rebuild - -* Wed Jun 10 2020 Alexander Bokovoy - 4.8.7-1 -- Upstream release FreeIPA 4.8.7 - -* Tue May 26 2020 Miro Hrončok - 4.8.6-2 -- Rebuilt for Python 3.9 - -* Fri Mar 27 2020 Alexander Bokovoy - 4.8.6-1 -- Upstream release FreeIPA 4.8.6 - -* Sat Mar 21 2020 Alexander Bokovoy - 4.8.5-2 -- Roll up post-release fixes from upstream -- Move freeipa-selinux to be a dependency of freeipa-common - -* Wed Mar 18 2020 Alexander Bokovoy - 4.8.5-1 -- Upstream release FreeIPA 4.8.5 -- Depend on selinux-policy-devel 3.14.6-9 for build due to a makefile issue in - SELinux external policy support - -* Tue Mar 03 2020 Alexander Bokovoy - 4.8.4-8 -- Support opendnssec 2.1 -- Resolves: #1809492 - -* Mon Feb 17 2020 François Cami - 4.8.4-7 -- Fix audit_as_req() callback usage -- Resolves: #1803786 - -* Sat Feb 01 2020 Alexander Bokovoy - 4.8.4-6 -- Fix constraint delegation for krb5 1.18 update -- Resolves: #1797096 - -* Tue Jan 28 2020 Fedora Release Engineering - 4.8.4-5 -- Rebuilt for https://fedoraproject.org/wiki/Fedora_32_Mass_Rebuild - -* Tue Jan 28 2020 Alexander Bokovoy - 4.8.4-4 -- Rebuild against krb5 1.18 beta - -* Sun Jan 26 2020 Alexander Bokovoy - 4.8.4-3 -- Rebuild against Samba 4.12RC1 - -* Mon Dec 16 2019 Adam Williamson - 4.8.4-2 -- Backport PR #4045 to fix overlapping DNS zone check bugs - -* Sat Dec 14 2019 Alexander Bokovoy - 4.8.4-1 -- New upstream release 4.8.4 - -* Tue Nov 26 2019 Alexander Bokovoy - 4.8.3-1 -- New upstream release 4.8.3 -- CVE-2019-14867: Denial of service in IPA server due to 
wrong use of ber_scanf() -- CVE-2019-10195: Don't log passwords embedded in commands in calls using batch - -* Tue Nov 12 2019 Rob Crittenden - 4.8.2-1 -- New upstream release 4.8.2 -- Replace %%{_libdir} macro in BuildRequires (#1746882) -- Restore user-nsswitch.conf before calling authselect (#1746557) -- ipa service-find does not list cifs service created by - ipa-client-samba (#1731433) -- Occasional 'whoami.data is undefined' error in FreeIPA web UI - (#1699109) -- ipa-kra-install fails due to fs.protected_regular=1 (#1698384) - -* Sun Oct 20 2019 Alexander Bokovoy - 4.8.1-5 -- Don't create log files from helper scripts -- Fixes: rhbz#1754189 - -* Tue Oct 08 2019 Christian Heimes - 4.8.1-4 -- Fix compatibility issue with preexec_fn in Python 3.8 -- Fixes: rhbz#1759290 - -* Tue Oct 1 2019 Alexander Bokovoy - 4.8.1-3 -- Fix ipasam for compatibility with Samba 4.11 -- Fixes: rhbz#1757089 - -* Mon Aug 19 2019 Miro Hrončok - 4.8.1-2 -- Rebuilt for Python 3.8 - -* Wed Aug 14 2019 Alexander Bokovoy - 4.8.1-1 -- New upstream release 4.8.1 -- Fixes: rhbz#1732528 -- Fixes: rhbz#1732524 - -* Thu Jul 25 2019 Fedora Release Engineering - 4.8.0-2 -- Rebuilt for https://fedoraproject.org/wiki/Fedora_31_Mass_Rebuild - -* Wed Jul 03 2019 Alexander Bokovoy - 4.8.0-1 -- New upstream release 4.8.0 -- New subpackage: freeipa-client-samba - -* Sat May 11 2019 Alexander Bokovoy - 4.7.90.pre1-6 -- Upgrade: handle situation when trusts were configured but not established yet - Fixed: rhbz#1708808 - -* Fri May 3 2019 Alexander Bokovoy - 4.7.90.pre1-5 -- Add krb5-kdb-server dependency provided by krb5-server >= 1.17-17 - -* Fri May 3 2019 Alexander Bokovoy - 4.7.90.pre1-4 -- Rebuild to drop upper limit for Kerberos package - After krb5-server will provide krb5-kdb-version, we'll switch to it - -* Wed May 1 2019 Adam Williamson - 4.7.90.pre1-3 -- Backport PR #3104 to fix a font path error - -* Wed May 1 2019 Alexander Bokovoy - 4.7.90.pre1-2 -- Revert MINSSF defaults because realmd 
cannot join FreeIPA right now - as it uses anonymous LDAP connection for the discovery and validation - -* Mon Apr 29 2019 Alexander Bokovoy - 4.7.90.pre1-1 -- First release candidate for FreeIPA 4.8.0 - -* Sat Apr 06 2019 Alexander Bokovoy - 4.7.2-8 -- Fixed: rhbz#1696963 (Failed to install replica) - -* Sat Apr 06 2019 Alexander Bokovoy - 4.7.2-7 -- Support Samba 4.10 -- Support 389-ds 1.4.1.2-2.fc30 or later - -* Thu Feb 28 2019 Alexander Bokovoy - 4.7.2-6 -- Support new nfs-utils behavior (#1668836) -- ipa-client-automount now works without /etc/sysconfig/nfs - -* Tue Feb 19 2019 François Cami - 4.7.2-5 -- Fix FTBS due to Samba having removed talloc_strackframe.h - and memory.h (#1678670) -- Fix CA setup when fs.protected_regular=1 (#1677027) - -* Mon Feb 11 2019 Alexander Bokovoy - 4.7.2-4 -- Disable python dependency generator in Rawhide as not all required packages support it yet -- Require python-kdcproxy 0.4.1 or later on Rawhide - -* Fri Feb 8 2019 Alexander Bokovoy - 4.7.2-3 -- Fix compile issues after a mass rebuild using upstream patches - -* Thu Jan 31 2019 Fedora Release Engineering - 4.7.2-2 -- Rebuilt for https://fedoraproject.org/wiki/Fedora_30_Mass_Rebuild - -* Mon Dec 03 2018 Alexander Bokovoy - 4.7.2-1 -- Upstream release FreeIPA 4.7.2 - -* Wed Nov 28 2018 Adam Williamson - 4.7.1-4 -- Update PR #2610 patch to tiran's modified version - -* Tue Nov 27 2018 Adam Williamson - 4.7.1-3 -- Backport PR #2610 to fix for authselect 1.0.2+ (see #1645708) - -* Sun Nov 11 2018 Alexander Bokovoy - 4.7.1-2 -- Rebuild for krb5-1.17 (#1648673) -- Bump required SSSD version to 2.0.0-4 to get back pysss.getgrouplist() API - -* Fri Oct 5 2018 Rob Crittenden - 4.7.1-1 -- Update to upstream 4.7.1 - -* Tue Sep 25 2018 Christian Heimes - 4.7.0-5 -- Remove Python 2 support from Fedora 30 -- https://fedoraproject.org/wiki/Changes/FreeIPA_Python_2_Removal - -* Tue Sep 4 2018 Thomas Woerner - 4.7.0-4 -- Enable python2 client packages for f30 for now again - -* Tue Sep 4 
2018 Thomas Woerner - 4.7.0-3 -- Force generation of aclocal.m4 and configuration scripts -- Fix only client build for Fedora>=28 and RHEL>7 -- Bring back special patch handling for Fedora - -* Mon Sep 3 2018 Thomas Woerner - 4.7.0-2 -- Restore SELinux context of session_dir /etc/httpd/alias (pagure#7662) -- Restore SELinux context of template_dir /var/log/dirsrv/slapd-X (pagure#7662) -- Add "389-ds-base-legacy-tools" to requires -- Refactor os-release and platform information (#1609475) -- Don't check for systemd service (#1609475) -- Switched to upstream spec file with small adaptions - -* Thu Jul 26 2018 Thomas Woerner - 4.7.0-1 -- Update to upstream 4.7.0 -- New BuildRequires for nodejs and uglify-js -- New Requires for 389-ds-base-legacy-tools in server (RHBZ#1606541) -- Do not build python2-ipaserver and python2-ipatests for Fedora 29 and up -- Do not build any python2 packages for Fedora 30 -- Added ipatest man pages to python3-ipatests packages also -- Added ipatest bindir links to python3-ipatests for Fedora up to 28 -- Dropped explicit copy of freeipa.template, install is doing this now -- Added upstream fix: (f3faecb) Fix $-style format string in ipa_ldap_init -- Added upstream fix: (4b592fe,1a7baa2) Added reason to raise of errors.NotFound - -* Mon Jul 16 2018 Alexander Bokovoy - 4.6.90.pre2-11 -- Use version-aware macros for Python - -* Fri Jul 13 2018 Fedora Release Engineering - 4.6.90.pre2-10 -- Rebuilt for https://fedoraproject.org/wiki/Fedora_29_Mass_Rebuild - -* Mon Jul 02 2018 Miro Hrončok - 4.6.90.pre2-9 -- Rebuilt for Python 3.7 - -* Wed Jun 27 2018 Rob Crittenden - 4.6.90.pre2-8 -- Build UI using py3-lesscpy - -* Tue Jun 19 2018 Rob Crittenden - 4.6.90.pre2-7 -- *-domainname.service moved to the hostname package in F29 (#1592355) - -* Tue Jun 19 2018 Miro Hrončok - 4.6.90.pre2-6 -- Rebuilt for Python 3.7 - -* Fri Jun 15 2018 Rob Crittenden - 4.6.90.pre2-5 -- Change BuildRequires from python-lesscpy to python3-lesscpy - -* Fri Jun 15 2018 Rob 
Crittenden - 4.6.90.pre2-4.1 -- Rename service fedora-domainname.service to nis-domainname.service - (#1588192) -- Fix bad date in changelog - -* Wed May 16 2018 Alexander Bokovoy - 4.6.90.pre2-3 -- Fine tune packaging of server templates so that it doesn't include - freeipa.template which always go to freeipa-client-common - -* Tue May 15 2018 Rob Crittenden - 4.6.90.pre2-2 -- Exclude /usr/share from client-only builds - -* Tue May 15 2018 Rob Crittenden - 4.6.90.pre2-1 -- Update to upstream 4.6.90.pre2 - -* Wed May 02 2018 Alexander Bokovoy - 4.6.90.pre1-7 -- Fix upgrade when named.conf does not exist -- Resolves rhbz#1573671 -- Requires newer slapi-nis to avoid hitting rhbz#1573636 - -* Wed Mar 21 2018 Alexander Bokovoy - 4.6.90.pre1-6.1 -- Change upgrade code to use DIR-based ccache and no kinit (#1558818) -- Require pki-symkey until pki-core has proper dependencies - -* Wed Mar 21 2018 Alexander Bokovoy - 4.6.90.pre1-6 -- Change upgrade code to use DIR-based ccache and no kinit (#1558818) - -* Tue Mar 20 2018 Alexander Bokovoy - 4.6.90.pre1-5 -- Apply upstream fix for #1558354 -- Run upgrade under file-based ccache (#1558818) -- Fix OTP token issuance due to regression in https://pagure.io/389-ds-base/issue/49617 - -* Tue Mar 20 2018 Adam Williamson - 4.6.90.pre1-4 -- Fix upgrades harder (extension of -3 patch) (#1558354) - -* Tue Mar 20 2018 Alexander Bokovoy - 4.6.90.pre1-3 -- Fix upgrade from F27 to F28 (#1558354) - -* Mon Mar 19 2018 Rob Crittenden - 4.6.90.pre1-2 -- Patch to fix GUI login for non-admin users (#1557609) - -* Fri Mar 16 2018 Rob Crittenden - 4.6.90.pre1-1 -- Update to upstream 4.6.90.pre1 - -* Tue Feb 20 2018 Rob Crittenden - 4.6.3-5 -- Disable i686 server builds because 389-ds no longer provides - builds on that arch. 
(#1544386) - -* Fri Feb 09 2018 Igor Gnatenko - 4.6.3-4 -- Escape macros in %%changelog - -* Thu Feb 8 2018 Rob Crittenden - 4.6.3-3 -- Don't fail on upgrades if KRA is not installed -- Remove Conflicts between mod_wsgi and python3-mod_wsgi - -* Wed Feb 07 2018 Fedora Release Engineering - 4.6.3-2 -- Rebuilt for https://fedoraproject.org/wiki/Fedora_28_Mass_Rebuild - -* Wed Jan 31 2018 Rob Crittenden - 4.6.3-1 -- Update to upstream 4.6.3 - -* Wed Jan 03 2018 Lumír Balhar - 4.6.1-5 -- Fix directory ownership in python3 subpackage - -* Tue Oct 17 2017 Rob Crittenden - 4.6.1-4 -- Update workaround patch to prevent SELinux execmem AVC (#1491508) - -* Mon Oct 16 2017 Alexander Bokovoy - 4.6.1-3 -- Another attempt at fix for bug #1491053 - -* Fri Oct 06 2017 Tomas Krizek - 4.6.1-2 -- Rebuild against krb5-1.16 - -* Fri Sep 22 2017 Tomas Krizek - 4.6.1-1 -- Fixes #1491053 Firefox reports insecure TLS configuration when visiting - FreeIPA web UI after standard server deployment - -* Wed Sep 13 2017 Adam Williamson - 4.6.0-3 -- Fixes #1490762 Ipa-server-install update dse.ldif with wrong SELinux context -- Fixes #1491056 FreeIPA enrolment via kickstart fails - -* Wed Sep 06 2017 Adam Williamson - 4.6.0-2 -- Fixes #1488640 "unknown command 'undefined'" error when changing password in web UI -- BuildRequires diffstat (for the use in patch application) - -* Mon Sep 04 2017 Tomas Krizek - 4.6.0-1 -- Rebase to upstream 4.6.0 - -* Wed Aug 02 2017 Fedora Release Engineering - 4.5.3-3 -- Rebuilt for https://fedoraproject.org/wiki/Fedora_27_Binutils_Mass_Rebuild - -* Wed Jul 26 2017 Fedora Release Engineering - 4.5.3-2 -- Rebuilt for https://fedoraproject.org/wiki/Fedora_27_Mass_Rebuild - -* Fri Jul 21 2017 Tomas Krizek - 4.5.3-1 -- Update to upstream 4.5.3 - see https://www.freeipa.org/page/Releases/4.5.3 - -* Thu Jul 13 2017 Alexander Bokovoy - 4.5.2-4 -- Make sure tmpfiles.d snippet for replica is in place after install - -* Mon Jul 10 2017 Alexander Bokovoy - 4.5.2-3 -- Fix build 
with Samba 4.7.0-RC1 -- Increase java stack for rhino calls to get around crashes on ppc64-le - -* Tue Jun 20 2017 Tomas Krizek - 4.5.2-2 -- Patch: Fix IP address checks -- Patch: python-netifaces fix - -* Sun Jun 18 2017 Tomas Krizek - 4.5.2-1 -- Update to upstream 4.5.2 - see https://www.freeipa.org/page/Releases/4.5.2 - -* Thu May 25 2017 Tomas Krizek - 4.5.1-1 -- Update to upstream 4.5.1 - see https://www.freeipa.org/page/Releases/4.5.1 -- Fixes #1168266 UI drops "Enknown Error" when the ipa record in /etc/hosts changes - -* Tue May 23 2017 Tomas Krizek - 4.4.4-2 -- Fixes #1448049 Subpackage freeipa-server-common has unmet dependencies on Rawhide -- Fixes #1430247 FreeIPA server deployment runs ipa-custodia on Python 3, should use Python 2 -- Fixes #1446744 python2-ipaclient subpackage does not own %%{python_sitelib}/ipaclient/plugins -- Fixes #1440525 surplus 'the' in output of `ipa-adtrust-install` -- Fixes #1411810 ipa-replica-install fails with 406 Client Error -- Fixes #1405814 ipa plugins: ERROR an internal error occured - -* Fri Mar 24 2017 Tomas Krizek - 4.4.4-1 -- Update to upstream 4.4.4 - see https://www.freeipa.org/page/Releases/4.4.4 -- Add upstream signature file for tarball - -* Wed Mar 1 2017 Alexander Bokovoy - 4.4.3-8 -- Use different method to keep /usr/bin/ipa on Python 2 -- Fixes #1426847 - -* Mon Feb 27 2017 Tomas Krizek - 4.4.3-7 -- Fixes #1413137 CVE-2017-2590 ipa: Insufficient permission check for - ca-del, ca-disable and ca-enable commands - -* Mon Feb 27 2017 Alexander Bokovoy - 4.4.3-6 -- Rebuild to pick up system-python dependency change -- Fixes #1426847 - Cannot upgrade freeipa-client on rawhide - -* Wed Feb 15 2017 Tomas Krizek - 4.4.3-5 -- Fixes #1403352 - bind-dyndb-ldap: support new named.conf API in BIND 9.11 -- Fixes #1412739 - ipa-kdb: support DAL version 6.1 - -* Fri Feb 10 2017 Fedora Release Engineering - 4.4.3-4 -- Rebuilt for https://fedoraproject.org/wiki/Fedora_26_Mass_Rebuild - -* Sat Jan 21 2017 Igor Gnatenko - 
4.4.3-3 -- Rebuild for xmlrpc-c - -* Thu Dec 22 2016 Miro Hrončok - 4.4.3-2 -- Rebuild for Python 3.6 - -* Fri Dec 16 2016 Pavel Vomacka - 4.4.3-1 -- Update to upstream 4.4.3 - see http://www.freeipa.org/page/Releases/4.4.3 - -* Wed Dec 14 2016 Pavel Vomacka - 4.4.2-4 -- Fixes 1395311 - CVE-2016-9575 ipa: Insufficient permission check in certprofile-mod -- Fixes 1370493 - CVE-2016-7030 ipa: DoS attack against kerberized services - by abusing password policy - -* Tue Nov 29 2016 Petr Vobornik - 4.4.2-3 -- Fixes 1389866 krb5-server: ipadb_change_pwd(): kdb5_util killed by SIGSEGV - -* Fri Oct 21 2016 Petr Vobornik - 4.4.2-2 -- Rebuild against krb5-1.15 - -* Thu Oct 13 2016 Petr Vobornik - 4.4.2-1 -- Update to upstream 4.4.2 - see http://www.freeipa.org/page/Releases/4.4.2 - -* Thu Sep 01 2016 Alexander Bokovoy - 4.4.1-1 -- Update to upstream 4.4.1 - see http://www.freeipa.org/page/Releases/4.4.1 - -* Fri Aug 19 2016 Petr Vobornik - 4.3.2-2 -- Fixes 1365669 - The ipa-server-upgrade command failed when named-pkcs11 does - not happen to run during dnf upgrade -- Fixes 1367883 - CVE-2016-5404 freeipa: ipa: Insufficient privileges check - in certificate revocation -- Fixes 1364338 - Freeipa cannot be build on fedora 25 - -* Fri Jul 22 2016 Petr Vobornik - 4.3.2-1 -- Update to upstream 4.3.2 - see http://www.freeipa.org/page/Releases/4.3.2 - -* Tue Jul 19 2016 Fedora Release Engineering - 4.3.1-2 -- https://fedoraproject.org/wiki/Changes/Automatic_Provides_for_Python_RPM_Packages - -* Thu Mar 24 2016 Petr Vobornik - 4.3.1-1 -- Update to upstream 4.3.1 - see http://www.freeipa.org/page/Releases/4.3.1 - -* Thu Feb 04 2016 Petr Vobornik - 4.3.0-3 -- Fix build with Samba 4.4 -- Update SELinux requires to fix connection check during installation - -* Wed Feb 03 2016 Fedora Release Engineering - 4.3.0-2 -- Rebuilt for https://fedoraproject.org/wiki/Fedora_24_Mass_Rebuild - -* Fri Dec 18 2015 Petr Vobornik - 4.3.0-1 -- Update to upstream 4.3.0 - see 
http://www.freeipa.org/page/Releases/4.3.0 - -* Mon Dec 07 2015 Petr Vobornik - 4.2.3-2 -- Workarounds for SELinux execmem violations in cryptography - -* Mon Nov 02 2015 Petr Vobornik - 4.2.3-1 -- Update to upstream 4.2.3 - see http://www.freeipa.org/page/Releases/4.2.3 -- fix #1274905 - -* Wed Oct 21 2015 Alexander Bokovoy - 4.2.2-2 -- Depend on samba-common-tools for the trust-ad subpackage after - samba package split -- Rebuild against krb5 1.14 to fix bug #1273957 - -* Thu Oct 8 2015 Petr Vobornik - 4.2.2-1 -- Update to upstream 4.2.2 - see http://www.freeipa.org/page/Releases/4.2.2 - -* Mon Sep 7 2015 Petr Vobornik - 4.2.1-1 -- Update to upstream 4.2.1 - see http://www.freeipa.org/page/Releases/4.2.1 - -* Wed Jun 17 2015 Fedora Release Engineering - 4.1.4-5 -- Rebuilt for https://fedoraproject.org/wiki/Fedora_23_Mass_Rebuild - -* Tue May 12 2015 Alexander Bokovoy - 4.1.4-4 -- Fix typo in the patch to fix bug #1219834 - -* Mon May 11 2015 Alexander Bokovoy - 4.1.4-3 -- Fix FreeIPA trusts to AD feature with Samba 4.2 (#1219834) - -* Mon Mar 30 2015 Petr Vobornik - 4.1.4-2 -- Replace mod_auth_kerb usage with mod_auth_gssapi - -* Thu Mar 26 2015 Alexander Bokovoy - 4.1.4-1 -- Update to upstream 4.1.4 - see http://www.freeipa.org/page/Releases/4.1.4 -- fix CVE-2015-1827 (#1206047) -- Require slapi-nis 0.54.2 and newer for CVE-2015-0283 fixes - -* Tue Mar 17 2015 Petr Vobornik - 4.1.3-3 -- Timeout ipa-client install if ntp server is unreachable #4842 -- Skip time sync during client install when using --no-ntp #4842 - -* Wed Mar 04 2015 Petr Vobornik - 4.1.3-2 -- Add missing sssd python dependencies -- https://bugzilla.redhat.com/show_bug.cgi?id=1197218 - -* Wed Feb 18 2015 Petr Vobornik - 4.1.3-1 -- Update to upstream 4.1.3 - see http://www.freeipa.org/page/Releases/4.1.3 - -* Mon Jan 19 2015 Alexander Bokovoy - 4.1.2-2 -- Fix broken build after Samba ABI change and rename of libpdb to libsamba-passdb -- Use python-dateutil15 until we validate python-dateutil 2.x - 
-* Tue Nov 25 2014 Petr Vobornik - 4.1.2-1 -- Update to upstream 4.1.2 - see http://www.freeipa.org/page/Releases/4.1.2 -- fix CVE-2014-7850 - -* Thu Nov 20 2014 Simo Sorce - 4.1.1-2 -- Patch blokers and feature freze exceptions -- Resolves: bz1165674 -- Resolves: bz1165856 (CVE-2014-7850) -- Fixes DNS install issue that prevents the server from working - -* Thu Nov 06 2014 Petr Vobornik - 4.1.1-1 -- Update to upstream 4.1.1 - see http://www.freeipa.org/page/Releases/4.1.1 -- fix CVE-2014-7828 - -* Wed Oct 22 2014 Petr Vobornik - 4.1.0-2 -- fix armv7hl stack oversize build failure -- fix https://fedorahosted.org/freeipa/ticket/4660 - -* Tue Oct 21 2014 Petr Vobornik - 4.1.0-1 -- Update to upstream 4.1.0 - see http://www.freeipa.org/page/Releases/4.1.0 - -* Fri Sep 12 2014 Petr Viktorin - 4.0.3-1 -- Update to upstream 4.0.3 - see http://www.freeipa.org/page/Releases/4.0.3 - -* Fri Sep 05 2014 Petr Viktorin - 4.0.2-1 -- Update to upstream 4.0.1 - see http://www.freeipa.org/page/Releases/4.0.2 - -* Tue Sep 02 2014 Pádraig Brady - 4.0.1-3 -- rebuild for libunistring soname bump - -* Sat Aug 16 2014 Fedora Release Engineering - 4.0.1-2 -- Rebuilt for https://fedoraproject.org/wiki/Fedora_21_22_Mass_Rebuild - -* Fri Jul 25 2014 Martin Kosek 4.0.1-1 -- Update to upstream 4.0.1 - -* Mon Jul 07 2014 Petr Viktorin 4.0.0-1 -- Update to upstream 4.0.0 -- Remove the server-strict package - -* Sat Jun 07 2014 Fedora Release Engineering - 3.3.5-4 -- Rebuilt for https://fedoraproject.org/wiki/Fedora_21_Mass_Rebuild - -* Wed May 21 2014 Petr Vobornik 3.3.5-3 -- Increase Java stack size for Web UI build on aarch64 - -* Wed Apr 16 2014 Peter Robinson 3.3.5-2 -- Add rhino as dependency to fix FTBFS - -* Fri Mar 28 2014 Martin Kosek - 3.3.5-1 -- Update to upstream 3.3.5 - -* Tue Feb 11 2014 Martin Kosek - 3.3.4-3 -- Move ipa-otpd socket directory to /var/run/krb5kdc -- Require krb5-server 1.11.5-3 supporting the new directory -- ipa_lockout plugin did not work with users's without 
krbPwdPolicyReference - -* Wed Jan 29 2014 Martin Kosek - 3.3.4-2 -- Fix hardened build - -* Tue Jan 28 2014 Martin Kosek - 3.3.4-1 -- Update to upstream 3.3.4 -- Install CA anchor into standard location (#928478) -- ipa-client-install part of ipa-server-install fails on reinstall (#1044994) -- Remove mod_ssl workaround (RHEL bug #1029046) -- Enable syncrepl plugin to support bind-dyndb-ldap 4.0 - -* Fri Jan 3 2014 Martin Kosek - 3.3.3-5 -- Build crashed with rhino exception on s390 architectures (#1040576) - -* Thu Dec 12 2013 Martin Kosek - 3.3.3-4 -- Build crashed with rhino exception on PPC architectures (#1040576) - -* Tue Dec 3 2013 Martin Kosek - 3.3.3-3 -- Fix -Werror=format-security errors (#1037070) - -* Mon Nov 4 2013 Martin Kosek - 3.3.3-2 -- ipa-server-install crashed when freeipa-server-trust-ad subpackage was not - installed - -* Fri Nov 1 2013 Martin Kosek - 3.3.3-1 -- Update to upstream 3.3.3 - -* Fri Oct 4 2013 Martin Kosek - 3.3.2-1 -- Update to upstream 3.3.2 - -* Thu Aug 29 2013 Petr Viktorin - 3.3.1-1 -- Bring back Fedora-only changes - -* Thu Aug 29 2013 Petr Viktorin - 3.3.1-0 -- Update to upstream 3.3.1 - -* Wed Aug 14 2013 Alexander Bokovoy - 3.3.0-2 -- Remove freeipa-systemd-upgrade as non-systemd installs are not supported - anymore by Fedora project - -* Wed Aug 7 2013 Martin Kosek - 3.3.0-1 -- Update to upstream 3.3.0 - -* Sat Aug 03 2013 Fedora Release Engineering - 3.2.2-2 -- Rebuilt for https://fedoraproject.org/wiki/Fedora_20_Mass_Rebuild - -* Wed Jul 17 2013 Martin Kosek - 3.2.2-1 -- Update to upstream 3.2.2 -- Drop freeipa-server-selinux subpackage -- Drop redundant directory /var/cache/ipa/sessions -- Do not create /var/lib/ipa/pki-ca/publish, retain reference as ghost -- Run ipa-upgradeconfig and server restart in posttrans to avoid inconsistency - issues when there are still old parts of software (like entitlements plugin) - -* Fri Jun 7 2013 Martin Kosek - 3.2.1-1 -- Update to upstream 3.2.1 - -* Tue May 14 2013 Rob 
Crittenden - 3.2.0-2 -- Add OTP patches -- Add patch to set KRB5CCNAME for 389-ds-base - -* Fri May 10 2013 Rob Crittenden - 3.2.0-1 -- Update to upstream 3.2.0 GA -- ipa-client-install fails if /etc/ipa does not exist (#961483) -- Certificate status is not visible in Service and Host page (#956718) -- ipa-client-install removes needed options from ldap.conf (#953991) -- Handle socket.gethostbyaddr() exceptions when verifying hostnames (#953957) -- Add triggerin scriptlet to support OpenSSH 6.2 (#953617) -- Require nss 3.14.3-12.0 to address certutil certificate import - errors (#953485) -- Require pki-ca 10.0.2-3 to pull in fix for sslget and mixed IPv4/6 - environments. (#953464) -- ipa-client-install removes 'sss' from /etc/nsswitch.conf (#953453) -- ipa-server-install --uninstall doesn't stop dirsrv instances (#953432) -- Add requires for openldap-2.4.35-4 to pickup fixed SASL_NOCANON behavior for - socket based connections (#960222) -- Require libsss_nss_idmap-python -- Add Conflicts on nss-pam-ldapd < 0.8.4. The mapping from uniqueMember to - member is now done automatically and having it in the config file raises - an error. -- Add backup and restore tools, directory. -- require at least systemd 38 which provides the journal (we no longer - need to require syslog.target) -- Update Requires on policycoreutils to 2.1.14-37 -- Update Requires on selinux-policy to 3.12.1-42 -- Update Requires on 389-ds-base to 1.3.1.0 -- Remove a Requires for java-atk-wrapper - -* Tue Apr 23 2013 Rob Crittenden - 3.2.0-0.4.beta1 -- Remove release from krb5-server in strict sub-package to allow for rebuilds. - -* Mon Apr 22 2013 Rob Crittenden - 3.2.0-0.3.beta1 -- Add a Requires for java-atk-wrapper until we can determine which package - should be pulling it in, dogtag or tomcat. 
- -* Tue Apr 16 2013 Rob Crittenden - 3.2.0-0.2.beta1 -- Update to upstream 3.2.0 Beta 1 - -* Tue Apr 2 2013 Martin Kosek - 3.2.0-0.1.pre1 -- Update to upstream 3.2.0 Prerelease 1 -- Use upstream reference spec file as a base for Fedora spec file - -* Sat Mar 30 2013 Kevin Fenzi 3.1.2-4 -- Rebuild for broken deps -- Fix 389-ds-base strict dep to be 1.3.0.5 and krb5-server 1.11.1 - -* Sat Feb 23 2013 Kevin Fenzi - 3.1.2-3 -- Rebuild for broken deps in rawhide -- Fix 389-ds-base strict dep to be 1.3.0.3 - -* Wed Feb 13 2013 Fedora Release Engineering - 3.1.2-2 -- Rebuilt for https://fedoraproject.org/wiki/Fedora_19_Mass_Rebuild - -* Wed Jan 23 2013 Rob Crittenden - 3.1.2-1 -- Update to upstream 3.1.2 -- CVE-2012-4546: Incorrect CRLs publishing -- CVE-2012-5484: MITM Attack during Join process -- CVE-2013-0199: Cross-Realm Trust key leak -- Updated strict dependencies to 389-ds-base = 1.3.0.2 and - pki-ca = 10.0.1 - -* Thu Dec 20 2012 Martin Kosek - 3.1.0-2 -- Remove redundat Requires versions that are already in Fedora 17 -- Replace python-crypto Requires with m2crypto -- Add missing Requires(post) for client and server-trust-ad subpackages -- Restart httpd service when server-trust-ad subpackage is installed -- Bump selinux-policy Requires to pick up PKI/LDAP port labeling fixes - -* Mon Dec 10 2012 Rob Crittenden - 3.1.0-1 -- Updated to upstream 3.1.0 GA -- Set minimum for sssd to 1.9.2 -- Set minimum for pki-ca to 10.0.0-1 -- Set minimum for 389-ds-base to 1.3.0 -- Set minimum for selinux-policy to 3.11.1-60 -- Remove unneeded dogtag package requires - -* Tue Oct 23 2012 Martin Kosek - 3.0.0-3 -- Update Requires on krb5-server to 1.11 - -* Fri Oct 12 2012 Rob Crittenden - 3.0.0-2 -- Configure CA replication to use TLS instead of SSL - -* Fri Oct 12 2012 Rob Crittenden - 3.0.0-1 -- Updated to upstream 3.0.0 GA -- Set minimum for samba to 4.0.0-153. 
-- Make sure server-trust-ad subpackage alternates winbind_krb5_locator.so - plugin to /dev/null since they cannot be used when trusts are configured -- Restrict krb5-server to 1.10. -- Update BR for 389-ds-base to 1.3.0 -- Add directory /var/lib/ipa/pki-ca/publish for CRL published by pki-ca -- Add Requires on zip for generating FF browser extension - -* Fri Oct 5 2012 Rob Crittenden - 3.0.0-0.10 -- Updated to upstream 3.0.0 rc 2 -- Include new FF configuration extension -- Set minimum Requires of selinux-policy to 3.11.1-33 -- Set minimum Requires dogtag to 10.0.0-0.43.b1 -- Add new optional strict sub-package to allow users to limit other - package upgrades. - -* Tue Oct 2 2012 Martin Kosek - 3.0.0-0.9 -- Require samba packages instead of obsoleted samba4 packages - -* Fri Sep 21 2012 Rob Crittenden - 3.0.0-0.8 -- Updated to upstream 3.0.0 rc 1 -- Update BR for 389-ds-base to 1.2.11.14 -- Update BR for krb5 to 1.10 -- Update BR for samba4-devel to 4.0.0-139 (rc1) -- Add BR for python-polib -- Update BR and Requires on sssd to 1.9.0 -- Update Requires on policycoreutils to 2.1.12-5 -- Update Requires on 389-ds-base to 1.2.11.14 -- Update Requires on selinux-policy to 3.11.1-21 -- Update Requires on dogtag to 10.0.0-0.33.a1 -- Update Requires on certmonger to 0.60 -- Update Requires on tomcat to 7.0.29 -- Update minimum version of bind to 9.9.1-10.P3 -- Update minimum version of bind-dyndb-ldap to 1.1.0-0.16.rc1 -- Remove Requires on authconfig from python sub-package - -* Wed Sep 5 2012 Rob Crittenden - 3.0.0-0.7 -- Rebuild against samba4 beta8 - -* Fri Aug 31 2012 Rob Crittenden - 3.0.0-0.6 -- Rebuild against samba4 beta7 - -* Wed Aug 22 2012 Alexander Bokovoy - 3.0.0-0.5 -- Adopt to samba4 beta6 (libsecurity -> libsamba-security) -- Add dependency to samba4-winbind - -* Fri Aug 17 2012 Rob Crittenden - 3.0.0-0.4 -- Updated to upstream 3.0.0 beta 2 - -* Mon Aug 6 2012 Martin Kosek - 3.0.0-0.3 -- Updated to current upstream state of 3.0.0 beta 2 development - -* 
Mon Jul 23 2012 Alexander Bokovoy - 3.0.0-0.2 -- Rebuild against samba4 beta4 - -* Mon Jul 2 2012 Rob Crittenden - 3.0.0-0.1 -- Updated to upstream 3.0.0 beta 1 - -* Thu May 3 2012 Rob Crittenden - 2.2.0-1 -- Updated to upstream 2.2.0 GA -- Update minimum n-v-r of certmonger to 0.53 -- Update minimum n-v-r of slapi-nis to 0.40 -- Add Requires in client to oddjob-mkhomedir and python-krbV -- Update minimum selinux-policy to 3.10.0-110 - -* Mon Mar 19 2012 Rob Crittenden - 2.1.90-0.2 -- Update to upstream 2.2.0 beta 1 (2.1.90.rc1) -- Set minimum n-v-r for pki-ca and pki-silent to 9.0.18. -- Add Conflicts on mod_ssl -- Update minimum n-v-r of 389-ds-base to 1.2.10.4 -- Update minimum n-v-r of sssd to 1.8.0 -- Update minimum n-v-r of slapi-nis to 0.38 -- Update minimum n-v-r of pki-* to 9.0.18 -- Update conflicts on bind-dyndb-ldap to < 1.1.0-0.9.b1 -- Update conflicts on bind to < 9.9.0-1 -- Drop requires on krb5-server-ldap -- Add patch to remove escaping arguments to pkisilent - -* Mon Feb 06 2012 Rob Crittenden - 2.1.90-0.1 -- Update to upstream 2.2.0 alpha 1 (2.1.90.pre1) - -* Wed Feb 01 2012 Alexander Bokovoy - 2.1.4-5 -- Force to use 389-ds 1.2.10-0.8.a7 or above -- Improve upgrade script to handle systemd 389-ds change -- Fix freeipa to work with python-ldap 2.4.6 - -* Wed Jan 11 2012 Martin Kosek - 2.1.4-4 -- Fix ipa-replica-install crashes -- Fix ipa-server-install and ipa-dns-install logging -- Set minimum version of pki-ca to 9.0.17 to fix sslget problem - caused by FEDORA-2011-17400 update (#771357) - -* Wed Dec 21 2011 Alexander Bokovoy - 2.1.4-3 -- Allow Web-based migration to work with tightened SE Linux policy (#769440) -- Rebuild slapi plugins against re-enterant version of libldap - -* Sun Dec 11 2011 Alexander Bokovoy - 2.1.4-2 -- Allow longer dirsrv startup with systemd: - - IPAdmin class will wait until dirsrv instance is available up to 10 seconds - - Helps with restarts during upgrade for ipa-ldap-updater -- Fix pylint warnings from F16 and 
Rawhide - -* Tue Dec 6 2011 Rob Crittenden - 2.1.4-1 -- Update to upstream 2.1.4 (CVE-2011-3636) - -* Mon Dec 5 2011 Rob Crittenden - 2.1.3-8 -- Update SELinux policy to allow ipa_kpasswd to connect ldap and - read /dev/urandom. (#759679) - -* Wed Nov 30 2011 Alexander Bokovoy - 2.1.3-7 -- Fix wrong path in packaging freeipa-systemd-upgrade - -* Wed Nov 30 2011 Alexander Bokovoy - 2.1.3-6 -- Introduce upgrade script to recover existing configuration after systemd migration - as user has no means to recover FreeIPA from systemd migration -- Upgrade script: - - recovers symlinks in Dogtag instance install - - recovers systemd configuration for FreeIPA's directory server instances - - recovers freeipa.service - - migrates directory server and KDC configs to use proper keytabs for systemd services - -* Wed Oct 26 2011 Fedora Release Engineering - 2.1.3-5 -- Rebuilt for glibc bug#747377 - -* Wed Oct 19 2011 Alexander Bokovoy - 2.1.3-4 -- clean up spec -- Depend on sssd >= 1.6.2 for better user experience - -* Tue Oct 18 2011 Alexander Bokovoy - 2.1.3-3 -- Fix Fedora package changelog after merging systemd changes - -* Tue Oct 18 2011 Alexander Bokovoy - 2.1.3-2 -- Fix postin scriplet for F-15/F-16 - -* Tue Oct 18 2011 Alexander Bokovoy - 2.1.3-1 -- 2.1.3 - -* Mon Oct 17 2011 Alexander Bokovoy - 2.1.2-1 -- Default to systemd for Fedora 16 and onwards - -* Tue Aug 16 2011 Rob Crittenden - 2.1.0-1 -- Update to upstream 2.1.0 - -* Fri May 6 2011 Simo Sorce - 2.0.1-2 -- Fix bug #702633 - -* Mon May 2 2011 Rob Crittenden - 2.0.1-1 -- Update minimum selinux-policy to 3.9.16-18 -- Update minimum pki-ca and pki-selinux to 9.0.7 -- Update minimum 389-ds-base to 1.2.8.0-1 -- Update to upstream 2.0.1 - -* Thu Mar 24 2011 Rob Crittenden - 2.0.0-1 -- Update to upstream GA release -- Automatically apply updates when the package is upgraded - -* Fri Feb 25 2011 Rob Crittenden - 2.0.0-0.4.rc2 -- Update to upstream freeipa-2.0.0.rc2 -- Set minimum version of python-nss to 0.11 to make 
sure IPv6 support is in -- Set minimum version of sssd to 1.5.1 -- Patch to include SuiteSpotGroup when setting up 389-ds instances -- Move a lot of BuildRequires so this will build with ONLY_CLIENT enabled - -* Tue Feb 15 2011 Rob Crittenden - 2.0.0-0.3.rc1 -- Set the N-V-R so rc1 is an update to beta2. - -* Mon Feb 14 2011 Rob Crittenden - 2.0.0-0.1.rc1 -- Set minimum version of sssd to 1.5.1 -- Update to upstream freeipa-2.0.0.rc1 -- Move server-only binaries from admintools subpackage to server - -* Tue Feb 08 2011 Fedora Release Engineering - 2.0.0-0.2.beta2 -- Rebuilt for https://fedoraproject.org/wiki/Fedora_15_Mass_Rebuild - -* Thu Feb 3 2011 Rob Crittenden - 2.0.0-0.1.beta2 -- Set min version of 389-ds-base to 1.2.8 -- Set min version of mod_nss 1.0.8-10 -- Set min version of selinux-policy to 3.9.7-27 -- Add dogtag themes to Requires -- Update to upstream freeipa-2.0.0.pre2 - -* Thu Jan 27 2011 Rob Crittenden - 2.0.0-0.2.beta.git80e87e7 -- Remove unnecessary moving of v1 CA serial number file in post script -- Add Obsoletes for server-selinxu subpackage -- Using git snapshot 442d6ad30ce1156914e6245aa7502499e50ec0da - -* Wed Jan 26 2011 Rob Crittenden - 2.0.0-0.1.beta.git80e87e7 -- Prepare spec file for release -- Using git snapshot 80e87e75bd6ab56e3e20c49ece55bd4d52f1a503 - -* Tue Jan 25 2011 Rob Crittenden - 1.99-41 -- Re-arrange doc and defattr to clean up rpmlint warnings -- Remove conditionals on older releases -- Move some man pages into admintools subpackage -- Remove some explicit Requires in client that aren't needed -- Consistent use of buildroot vs RPM_BUILD_ROOT - -* Wed Jan 19 2011 Adam Young - 1.99-40 -- Moved directory install/static to install/ui - -* Thu Jan 13 2011 Simo Sorce - 1.99-39 -- Remove dependency on nss_ldap/nss-pam-ldapd -- The official client is sssd and that's what we use by default. 
- -* Thu Jan 13 2011 Simo Sorce - 1.99-38 -- Remove radius subpackages - -* Thu Jan 13 2011 Rob Crittenden - 1.99-37 -- Set minimum pki-ca and pki-silent versions to 9.0.0 - -* Wed Jan 12 2011 Rob Crittenden - 1.99-36 -- Drop BuildRequires on mozldap-devel - -* Mon Dec 13 2010 Rob Crittenden - 1.99-35 -- Add Requires on krb5-pkinit-openssl - -* Fri Dec 10 2010 Jr Aquino - 1.99-34 -- Add ipa-host-net-manage script - -* Tue Dec 7 2010 Simo Sorce - 1.99-33 -- Add ipa init script - -* Fri Nov 19 2010 Rob Crittenden - 1.99-32 -- Set minimum level of 389-ds-base to 1.2.7 for enhanced memberof plugin - -* Wed Nov 3 2010 Rob Crittenden - 1.99-31 -- remove ipa-fix-CVE-2008-3274 - -* Wed Oct 6 2010 Rob Crittenden - 1.99-30 -- Remove duplicate %%files entries on share/ipa/static -- Add python default encoding shared library - -* Mon Sep 20 2010 Rob Crittenden - 1.99-29 -- Drop requires on python-configobj (not used any more) -- Drop ipa-ldap-updater message, upgrades are done differently now - -* Wed Sep 8 2010 Rob Crittenden - 1.99-28 -- Drop conflicts on mod_nss -- Require nss-pam-ldapd on F-14 or higher instead of nss_ldap (#606847) -- Drop a slew of conditionals on older Fedora releases (< 12) -- Add a few conditionals against RHEL 6 -- Add Requires of nss-tools on ipa-client - -* Fri Aug 13 2010 Rob Crittenden - 1.99-27 -- Set minimum version of certmonger to 0.26 (to pck up #621670) -- Set minimum version of pki-silent to 1.3.4 (adds -key_algorithm) -- Set minimum version of pki-ca to 1.3.6 -- Set minimum version of sssd to 1.2.1 - -* Tue Aug 10 2010 Rob Crittenden - 1.99-26 -- Add BuildRequires for authconfig - -* Mon Jul 19 2010 Rob Crittenden - 1.99-25 -- Bump up minimum version of python-nss to pick up nss_is_initialize() API - -* Thu Jun 24 2010 Adam Young - 1.99-24 -- Removed python-asset based webui - -* Thu Jun 24 2010 Rob Crittenden - 1.99-23 -- Change Requires from fedora-ds-base to 389-ds-base -- Set minimum level of 389-ds-base to 1.2.6 for the replication - 
version plugin. - -* Tue Jun 1 2010 Rob Crittenden - 1.99-22 -- Drop Requires of python-krbV on ipa-client - -* Mon May 17 2010 Rob Crittenden - 1.99-21 -- Load ipa_dogtag.pp in post install - -* Mon Apr 26 2010 Rob Crittenden - 1.99-20 -- Set minimum level of sssd to 1.1.1 to pull in required hbac fixes. - -* Thu Mar 4 2010 Rob Crittenden - 1.99-19 -- No need to create /var/log/ipa_error.log since we aren't using - TurboGears any more. - -* Mon Mar 1 2010 Jason Gerard DeRose - 1.99-18 -- Fixed share/ipa/wsgi.py so .pyc, .pyo files are included - -* Wed Feb 24 2010 Jason Gerard DeRose - 1.99-17 -- Added Require mod_wsgi, added share/ipa/wsgi.py - -* Thu Feb 11 2010 Jason Gerard DeRose - 1.99-16 -- Require python-wehjit >= 0.2.2 - -* Wed Feb 3 2010 Rob Crittenden - 1.99-15 -- Add sssd and certmonger as a Requires on ipa-client - -* Wed Jan 27 2010 Jason Gerard DeRose - 1.99-14 -- Require python-wehjit >= 0.2.0 - -* Fri Dec 4 2009 Rob Crittenden - 1.99-13 -- Add ipa-rmkeytab tool - -* Tue Dec 1 2009 Rob Crittenden - 1.99-12 -- Set minimum of python-pyasn1 to 0.0.9a so we have support for the ASN.1 - Any type - -* Wed Nov 25 2009 Rob Crittenden - 1.99-11 -- Remove v1-style /etc/ipa/ipa.conf, replacing with /etc/ipa/default.conf - -* Fri Nov 13 2009 Rob Crittenden - 1.99-10 -- Add bash completion script and own /etc/bash_completion.d in case it - doesn't already exist - -* Tue Nov 3 2009 Rob Crittenden - 1.99-9 -- Remove ipa_webgui, its functions rolled into ipa_httpd - -* Mon Oct 12 2009 Jason Gerard DeRose - 1.99-8 -- Removed python-cherrypy from BuildRequires and Requires -- Added Requires python-assets, python-wehjit - -* Mon Aug 24 2009 Rob Crittenden - 1.99-7 -- Added httpd SELinux policy so CRLs can be read - -* Thu May 21 2009 Rob Crittenden - 1.99-6 -- Move ipalib to ipa-python subpackage -- Bump minimum version of slapi-nis to 0.15 - -* Wed May 6 2009 Rob Crittenden - 1.99-5 -- Set 0.14 as minimum version for slapi-nis - -* Wed Apr 22 2009 Rob Crittenden - 
1.99-4 -- Add Requires: python-nss to ipa-python sub-package - -* Thu Mar 5 2009 Rob Crittenden - 1.99-3 -- Remove the IPA DNA plugin, use the DS one - -* Wed Mar 4 2009 Rob Crittenden - 1.99-2 -- Build radius separately -- Fix a few minor issues - -* Tue Feb 3 2009 Rob Crittenden - 1.99-1 -- Replace TurboGears requirement with python-cherrypy - -* Sat Jan 17 2009 Tomas Mraz - 1.2.1-3 -- rebuild with new openssl - -* Fri Dec 19 2008 Dan Walsh - 1.2.1-2 -- Fix SELinux code - -* Mon Dec 15 2008 Simo Sorce - 1.2.1-1 -- Fix breakage caused by python-kerberos update to 1.1 - -* Fri Dec 5 2008 Simo Sorce - 1.2.1-0 -- New upstream release 1.2.1 - -* Sat Nov 29 2008 Ignacio Vazquez-Abrams - 1.2.0-4 -- Rebuild for Python 2.6 - -* Fri Nov 14 2008 Simo Sorce - 1.2.0-3 -- Respin after the tarball has been re-released upstream - New hash is 506c9c92dcaf9f227cba5030e999f177 - -* Thu Nov 13 2008 Simo Sorce - 1.2.0-2 -- Conditionally restart also dirsrv and httpd when upgrading - -* Wed Oct 29 2008 Rob Crittenden - 1.2.0-1 -- Update to upstream version 1.2.0 -- Set fedora-ds-base minimum version to 1.1.3 for winsync header -- Set the minimum version for SELinux policy -- Remove references to Fedora 7 - -* Wed Jul 23 2008 Simo Sorce - 1.1.0-3 -- Fix for CVE-2008-3274 -- Fix segfault in ipa-kpasswd in case getifaddrs returns a NULL interface -- Add fix for bug #453185 -- Rebuild against openldap libraries, mozldap ones do not work properly -- TurboGears is currently broken in rawhide. Added patch to not build - the UI locales and removed them from the ipa-server files section. 
- -* Wed Jun 18 2008 Rob Crittenden - 1.1.0-2 -- Add call to /usr/sbin/upgradeconfig to post install - -* Wed Jun 11 2008 Rob Crittenden - 1.1.0-1 -- Update to upstream version 1.1.0 -- Patch for indexing memberof attribute -- Patch for indexing uidnumber and gidnumber -- Patch to change DNA default values for replicas -- Patch to fix uninitialized variable in ipa-getkeytab - -* Fri May 16 2008 Rob Crittenden - 1.0.0-5 -- Set fedora-ds-base minimum version to 1.1.0.1-4 and mod_nss minimum - version to 1.0.7-4 so we pick up the NSS fixes. -- Add selinux-policy-base(post) to Requires (446496) - -* Tue Apr 29 2008 Rob Crittenden - 1.0.0-4 -- Add missing entry for /var/cache/ipa/kpasswd (444624) -- Added patch to fix permissions problems with the Apache NSS database. -- Added patch to fix problem with DNS querying where the query could be - returned as the answer. -- Fix spec error where patch1 was in the wrong section - -* Fri Apr 25 2008 Rob Crittenden - 1.0.0-3 -- Added patch to fix problem reported by ldapmodify - -* Fri Apr 25 2008 Rob Crittenden - 1.0.0-2 -- Fix Requires for krb5-server that was missing for Fedora versions > 9 -- Remove quotes around test for fedora version to package egg-info - -* Fri Apr 18 2008 Rob Crittenden - 1.0.0-1 -- Update to upstream version 1.0.0 - -* Tue Mar 18 2008 Rob Crittenden 0.99-12 -- Pull upstream changelog 722 -- Add Conflicts mod_ssl (435360) - -* Fri Feb 29 2008 Rob Crittenden 0.99-11 -- Pull upstream changelog 698 -- Fix ownership of /var/log/ipa_error.log during install (435119) -- Add pwpolicy command and man page - -* Thu Feb 21 2008 Rob Crittenden 0.99-10 -- Pull upstream changelog 678 -- Add new subpackage, ipa-server-selinux -- Add Requires: authconfig to ipa-python (bz #433747) -- Package i18n files - -* Mon Feb 18 2008 Rob Crittenden 0.99-9 -- Pull upstream changelog 641 -- Require minimum version of krb5-server on F-7 and F-8 -- Package some new files - -* Thu Jan 31 2008 Rob Crittenden 0.99-8 -- Marked with wrong 
license. IPA is GPLv2. - -* Tue Jan 29 2008 Rob Crittenden 0.99-7 -- Ensure that /etc/ipa exists before moving user-modifiable html files there -- Put html files into /etc/ipa/html instead of /etc/ipa - -* Tue Jan 29 2008 Rob Crittenden 0.99-6 -- Pull upstream changelog 608 which renamed several files - -* Thu Jan 24 2008 Rob Crittenden 0.99-5 -- package the sessions dir /var/cache/ipa/sessions -- Pull upstream changelog 597 - -* Thu Jan 24 2008 Rob Crittenden 0.99-4 -- Updated upstream pull (596) to fix bug in ipa_webgui that was causing the - UI to not start. - -* Thu Jan 24 2008 Rob Crittenden 0.99-3 -- Included LICENSE and README in all packages for documentation -- Move user-modifiable content to /etc/ipa and linked back to - /usr/share/ipa/html -- Changed some references to /usr to the {_usr} macro and /etc - to {_sysconfdir} -- Added popt-devel to BuildRequires for Fedora 8 and higher and - popt for Fedora 7 -- Package the egg-info for Fedora 9 and higher for ipa-python - -* Tue Jan 22 2008 Rob Crittenden 0.99-2 -- Added auto* BuildRequires - -* Mon Jan 21 2008 Rob Crittenden 0.99-1 -- Unified spec file - -* Thu Jan 17 2008 Rob Crittenden - 0.6.0-2 -- Fixed License in specfile -- Include files from /usr/lib/python*/site-packages/ipaserver - -* Fri Dec 21 2007 Karl MacMillan - 0.6.0-1 -- Version bump for release - -* Wed Nov 21 2007 Karl MacMillan - 0.5.0-1 -- Preverse mode on ipa-keytab-util -- Version bump for relase and rpm name change - -* Thu Nov 15 2007 Rob Crittenden - 0.4.1-2 -- Broke invididual Requires and BuildRequires onto separate lines and - reordered them -- Added python-tgexpandingformwidget as a dependency -- Require at least fedora-ds-base 1.1 - -* Thu Nov 1 2007 Karl MacMillan - 0.4.1-1 -- Version bump for release - -* Wed Oct 31 2007 Karl MacMillan - 0.4.0-6 -- Add dep for freeipa-admintools and acl - -* Wed Oct 24 2007 Rob Crittenden - 0.4.0-5 -- Add dependency for python-krbV - -* Fri Oct 19 2007 Rob Crittenden - 0.4.0-4 -- Require 
mod_nss-1.0.7-2 for mod_proxy fixes - -* Thu Oct 18 2007 Karl MacMillan - 0.4.0-3 -- Convert to autotools-based build - -* Tue Sep 25 2007 Karl MacMillan - 0.4.0-2 - -* Fri Sep 7 2007 Karl MacMillan - 0.3.0-1 -- Added support for libipa-dna-plugin - -* Fri Aug 10 2007 Karl MacMillan - 0.2.0-1 -- Added support for ipa_kpasswd and ipa_pwd_extop - -* Sun Aug 5 2007 Rob Crittenden - 0.1.0-3 -- Abstracted client class to work directly or over RPC - -* Wed Aug 1 2007 Rob Crittenden - 0.1.0-2 -- Add mod_auth_kerb and cyrus-sasl-gssapi to Requires -- Remove references to admin server in ipa-server-setupssl -- Generate a client certificate for the XML-RPC server to connect to LDAP with -- Create a keytab for Apache -- Create an ldif with a test user -- Provide a certmap.conf for doing SSL client authentication - -* Fri Jul 27 2007 Karl MacMillan - 0.1.0-1 -- Initial rpm version diff --git a/ipa.spec b/ipa.spec index 0c47ee0..1a3ec9f 100644 --- a/ipa.spec +++ b/ipa.spec @@ -176,7 +176,7 @@ # Work-around fact that RPM SPEC parser does not accept # "Version: @VERSION@" in freeipa.spec.in used for Autoconf string replacement -%define IPA_VERSION 4.9.11 +%define IPA_VERSION 4.9.12 # Release candidate version -- uncomment with one percent for RC versions #%%global rc_version %%nil %define AT_SIGN @ @@ -189,7 +189,7 @@ Name: %{package_name} Version: %{IPA_VERSION} -Release: 3%{?rc_version:.%rc_version}%{?dist} +Release: 1%{?rc_version:.%rc_version}%{?dist} Summary: The Identity, Policy and Audit system License: GPLv3+ 
@@ -209,7 +209,7 @@ Source1: https://releases.pagure.org/freeipa/freeipa-%{version}%{?rc_vers # RHEL spec file only: START %if %{NON_DEVELOPER_BUILD} %if 0%{?rhel} >= 8 -Patch0001: 0001-updates-fix-memberManager-ACI-to-allow-managers-from-a-specified-group_rhbz#2056009.patch +Patch0001: 0001-user-or-group-name-explain-the-supported-format_rhbz#2150217.patch Patch1001: 1001-Change-branding-to-IPA-and-Identity-Management.patch Patch1002: 1002-Revert-freeipa.spec-depend-on-bind-dnssec-utils.patch Patch1003: 1003-webui-IdP-Remove-arrow-notation-due-to-uglify-js-lim.patch @@ -1725,6 +1725,12 @@ fi %endif %changelog +* Wed May 24 2023 Rafael Jeffman - 4.9.12-1 +- Rebase ipa to 4.9.12 + Resolves: RHBZ#2196425 +- user or group name: explain the supported format + Resolves: RHBZ#2150217 + * Mon Dec 19 2022 Rafael Jeffman - 4.9.11-3 - Revert DNSResolver Fix use of nameservers with ports. Related: RHBZ#2141316 diff --git a/sources b/sources index c2e5e3f..e57b13a 100644 --- a/sources +++ b/sources @@ -1 +1,2 @@ -SHA512 (freeipa-4.9.11.tar.gz) = cab799850faa30b6e6799d8f0a25dac3e4941c269a9bf0da86d998f1ecb5f4d0f5c84059dae6e88f8f17f24642015eb6fe29fcb281067b70b5e44644572b0b80 +SHA512 (freeipa-4.9.12.tar.gz) = a4d7d46042bbbf8ca3df6bca45cdab9f3bfb7634fc516c1939533e5e200035374c6e72981dde7dc96a176679b69275fc54f0dfb174beeee66ba21d72006d4b1f +SHA512 (freeipa-4.9.12.tar.gz.asc) = 95ad27a52df1e4dd9ad9f058c53199cfd26e5b1c4269dd5a7b55147881033d55cc2656e812975015aff228e7f98417e3b22584b8413d53ec299ece98e1279e6f
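Review bot: The `@@ -209` hunk drops Patch0001 for the memberManager ACI fix (rhbz#2056009) while adding the user-or-group-name patch, but the `@@ -1725` changelog entry in the same line records only the new patch and the rebase, so a reader cannot tell whether the ACI fix landed upstream in 4.9.12 or silently regressed. If it is upstream, say so in the changelog, e.g. `- Drop 0001-updates-fix-memberManager-ACI patch: fixed upstream in 4.9.12 (RHBZ#2056009)`; if it is not, the patch needs to be kept and renumbered rather than replaced. I cannot see the patch-file deletion for the old 0001 in this view, so this is inferred from the spec hunk alone.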
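Review bot: The `sources` hunk pins the SHA512 of `freeipa-4.9.12.tar.gz.asc` alongside the tarball, and the `@@ -209` hunk heading shows the `.asc` is already wired in as `Source1`, but none of the visible spec hunks verify the tarball against that signature. Unless `%prep` (outside this view) already runs `%{gpgverify} --keyring=<pinned upstream keyring source> --signature=%{SOURCE1} --data=%{SOURCE0}`, the `.asc` is just another download whose hash is pinned and adds no authenticity check to the rebase; with a pinned keyring the signature would catch a substituted tarball that the bare hash only catches after someone has compared it out of band. A one-line comment next to `Source1` stating where the key is pinned (or that verification is intentionally not done) would make the intent clear to the next rebaser.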