Update to upstream 3.2.0 GA

- ipa-client-install fails if /etc/ipa does not exist (#961483)
- Certificate status is not visible in Service and Host page (#956718)
- ipa-client-install removes needed options from ldap.conf (#953991)
- Handle socket.gethostbyaddr() exceptions when verifying hostnames
  (#953957)
- Add triggerin scriptlet to support OpenSSH 6.2 (#953617)
- Require nss 3.14.3-12.0 to address certutil certificate import
  errors (#953485)
- Require pki-ca 10.0.2-3 to pull in fix for sslget and mixed IPv4/6
  environments. (#953464)
- ipa-client-install removes 'sss' from /etc/nsswitch.conf (#953453)
- ipa-server-install --uninstall doesn't stop dirsrv instances
  (#953432)
-   Add requires for openldap-2.4.35-4 to pickup fixed SASL_NOCANON
  behavior for socket based connections (#960222)
- Require libsss_nss_idmap-python
- Add Conflicts on nss-pam-ldapd < 0.8.4. The mapping from uniqueMember
  to member is now done automatically and having it in the config file
  raises an error.
- Add backup and restore tools, directory.
- require at least systemd 38 which provides the journal (we no longer
  need to require syslog.target)
- Update Requires on policycoreutils to 2.1.14-37
- Update Requires on selinux-policy to 3.12.1-42
- Update Requires on 389-ds-base to 1.3.1.0

.gitignore

@@ -22,3 +22,4 @@
 /freeipa-3.1.0.tar.gz
 /freeipa-3.1.2.tar.gz
 /freeipa-3.2.0.pre1.tar.gz
+/freeipa-3.2.0.tar.gz

freeipa.spec

@@ -2,13 +2,13 @@
 %{!?ONLY_CLIENT:%global ONLY_CLIENT 0}
 
 %global plugin_dir %{_libdir}/dirsrv/plugins
-%global POLICYCOREUTILSVER 2.1.12-5
+%global POLICYCOREUTILSVER 2.1.14-37
 %global gettext_domain ipa
-%global VERSION 3.2.0.pre1
+%global VERSION 3.2.0
 
 Name:           freeipa
 Version:        3.2.0
-Release:        0.1.pre1%{?dist}
+Release:        1%{?dist}
 Summary:        The Identity, Policy and Audit system
 
 Group:          System Environment/Base
@@ -18,13 +18,13 @@ Source0:        http://www.freeipa.org/downloads/src/freeipa-%{VERSION}.tar.gz
 BuildRoot:      %{_tmppath}/%{name}-%{version}-%{release}-root-%(%{__id_u} -n)
 
 %if ! %{ONLY_CLIENT}
-BuildRequires:  389-ds-base-devel >= 1.3.0
+BuildRequires:  389-ds-base-devel >= 1.3.1.0
 BuildRequires:  svrcore-devel
 BuildRequires:  /usr/share/selinux/devel/Makefile
 BuildRequires:  policycoreutils >= %{POLICYCOREUTILSVER}
 BuildRequires:  systemd-units
 %if 0%{?fedora} >= 18
-BuildRequires:  samba-devel >= 4.0.0-150
+BuildRequires:  samba-devel >= 2:4.0.5-1
 BuildRequires:  samba-python
 BuildRequires:  libwbclient-devel
 %else
@@ -75,6 +75,11 @@ BuildRequires:  check
 BuildRequires:  libsss_idmap-devel
 BuildRequires:  java-1.7.0-openjdk
 
+# Find out Kerberos middle version to infer ABI changes in DAL driver
+# We cannot load DAL driver into KDC with wrong ABI.
+# This is also needed to support ipa-devel repository where krb5 1.11 is available for F18
+%global krb5_dal_version %{expand:%(echo "#include <kdb.h>"|cpp -dM|grep KRB5_KDB_DAL_MAJOR_VERSION|cut -d' ' -f3)}
+
 %description
 IPA is an integrated solution to provide centrally managed Identity (machine,
 user, virtual machines, groups, authentication credentials), Policy
@@ -89,14 +94,14 @@ Requires: %{name}-python = %{version}-%{release}
 Requires: %{name}-client = %{version}-%{release}
 Requires: %{name}-admintools = %{version}-%{release}
 Requires: %{name}-server-selinux = %{version}-%{release}
-Requires: 389-ds-base >= 1.3.0.5
+Requires: 389-ds-base >= 1.3.1.0
-Requires: openldap-clients
+Requires: openldap-clients > 2.4.35-4
-Requires: nss
+Requires: nss >= 3.14.3-12.0
-Requires: nss-tools
+Requires: nss-tools >= 3.14.3-12.0
-%if 0%{?fedora} >= 19
+%if 0%{?krb5_dal_version} >= 4
-Requires: krb5-server >= 1.11
+Requires: krb5-server >= 1.11.2-1
 %else
-%if 0%{?fedora} == 18
+%if 0%{krb5_dal_version} == 3
 # krb5 1.11 bumped DAL interface major version, a rebuild is needed
 Requires: krb5-server < 1.11
 Requires: krb5-server >= 1.10
@@ -124,10 +129,10 @@ Requires: python-memcached
 Requires: systemd-units >= 38
 Requires(pre): systemd-units
 Requires(post): systemd-units
-Requires: selinux-policy >= 3.11.1-86
+Requires: selinux-policy >= 3.12.1-42
 Requires(post): selinux-policy-base
 Requires: slapi-nis >= 0.44
-Requires: pki-ca >= 10.0.0-0.54.b3
+Requires: pki-ca >= 10.0.2-5
 Requires: dogtag-pki-server-theme
 %if 0%{?rhel}
 Requires: subscription-manager
@@ -140,7 +145,7 @@ Requires: zip
 Requires: policycoreutils >= %{POLICYCOREUTILSVER}
 Requires: tar
 Requires(pre): certmonger >= 0.65
-Requires(pre): 389-ds-base >= 1.3.0.5
+Requires(pre): 389-ds-base >= 1.3.1.0
 
 # We have a soft-requires on bind. It is an optional part of
 # IPA but if it is configured we need a way to require versions
@@ -152,6 +157,10 @@ Conflicts: bind-dyndb-ldap < 1.1.0-0.12.rc1
 %endif
 Conflicts: bind < 9.8.2-0.4.rc2
 
+# Versions of nss-pam-ldapd < 0.8.4 require a mapping from uniqueMember to
+# member.
+Conflicts: nss-pam-ldapd < 0.8.4
+
 # mod_proxy provides a single API to communicate over SSL. If mod_ssl
 # is even loaded into Apache then it grabs this interface.
 Conflicts: mod_ssl
@@ -190,7 +199,7 @@ Requires: %{name}-server = %version-%release
 Requires: m2crypto
 %if 0%{?fedora} >= 18
 Requires: samba-python
-Requires: samba
+Requires: samba >= 2:4.0.5-1
 Requires: samba-winbind
 %else
 Requires: samba4-python
@@ -198,6 +207,7 @@ Requires: samba4
 Requires: samba4-winbind
 %endif
 Requires: libsss_idmap
+Requires: libsss_nss_idmap-python
 # We use alternatives to divert winbind_krb5_locator.so plugin to libkrb5
 # on the installes where server-trust-ad subpackage is installed because
 # IPA AD trusts cannot be used at the same time with the locator plugin
@@ -443,6 +453,9 @@ mkdir -p %{buildroot}%{_initrddir}
 mkdir %{buildroot}%{_sysconfdir}/sysconfig/
 install -m 644 init/ipa_memcached.conf %{buildroot}%{_sysconfdir}/sysconfig/ipa_memcached
 
+# Web UI plugin dir
+mkdir -p %{buildroot}%{_usr}/share/ipa/ui/js/plugins
+
 # NOTE: systemd specific section
 mkdir -p %{buildroot}%{_sysconfdir}/tmpfiles.d/
 install -m 0644 init/systemd/ipa.conf.tmpfiles %{buildroot}%{_sysconfdir}/tmpfiles.d/ipa.conf
@@ -465,6 +478,7 @@ install -m 644 init/systemd/ipa_memcached.service %{buildroot}%{_unitdir}/ipa_me
 mkdir -p %{buildroot}%{_libexecdir}
 install -m 755 init/systemd/freeipa-systemd-upgrade %{buildroot}%{_libexecdir}/freeipa-systemd-upgrade
 # Fedora spec file only: END
+mkdir -p %{buildroot}/%{_localstatedir}/lib/ipa/backup
 %endif  # ! %{ONLY_CLIENT}
 
 mkdir -p %{buildroot}%{_sysconfdir}/ipa/
@@ -616,10 +630,48 @@ if [ $1 -gt 1 ] ; then
     fi
 fi
 
+%triggerin -n freeipa-client -- openssh-server
+# Has the client been configured?
+restore=0
+test -f '/var/lib/ipa-client/sysrestore/sysrestore.index' && restore=$(wc -l '/var/lib/ipa-client/sysrestore/sysrestore.index' | awk '{print $1}')
+
+if [ -f '/etc/ssh/sshd_config' -a $restore -ge 2 ]; then
+    if egrep -q '^(AuthorizedKeysCommand /usr/bin/sss_ssh_authorizedkeys|PubKeyAgent /usr/bin/sss_ssh_authorizedkeys %u)$' /etc/ssh/sshd_config 2>/dev/null; then
+        sed -r '
+            /^(AuthorizedKeysCommand(User|RunAs)|PubKeyAgentRunAs)[ \t]/ d
+        ' /etc/ssh/sshd_config >/etc/ssh/sshd_config.ipanew
+
+        if /usr/sbin/sshd -t -f /dev/null -o 'AuthorizedKeysCommand=/usr/bin/sss_ssh_authorizedkeys' -o 'AuthorizedKeysCommandUser=nobody'; then
+            sed -ri '
+                s/^PubKeyAgent (.+) %u$/AuthorizedKeysCommand \1/
+                s/^AuthorizedKeysCommand .*$/\0\nAuthorizedKeysCommandUser nobody/
+            ' /etc/ssh/sshd_config.ipanew
+        elif /usr/sbin/sshd -t -f /dev/null -o 'AuthorizedKeysCommand=/usr/bin/sss_ssh_authorizedkeys' -o 'AuthorizedKeysCommandRunAs=nobody'; then
+            sed -ri '
+                s/^PubKeyAgent (.+) %u$/AuthorizedKeysCommand \1/
+                s/^AuthorizedKeysCommand .*$/\0\nAuthorizedKeysCommandRunAs nobody/
+            ' /etc/ssh/sshd_config.ipanew
+        elif /usr/sbin/sshd -t -f /dev/null -o 'PubKeyAgent=/usr/bin/sss_ssh_authorizedkeys %u' -o 'PubKeyAgentRunAs=nobody'; then
+            sed -ri '
+                s/^AuthorizedKeysCommand (.+)$/PubKeyAgent \1 %u/
+                s/^PubKeyAgent .*$/\0\nPubKeyAgentRunAs nobody/
+            ' /etc/ssh/sshd_config.ipanew
+        fi
+
+        mv /etc/ssh/sshd_config.ipanew /etc/ssh/sshd_config
+        /sbin/restorecon /etc/ssh/sshd_config
+        chmod 600 /etc/ssh/sshd_config
+
+        /bin/systemctl condrestart sshd.service 2>&1 || :
+    fi
+fi
+
 %if ! %{ONLY_CLIENT}
 %files server -f server-python.list
 %defattr(-,root,root,-)
 %doc COPYING README Contributors.txt
+%{_sbindir}/ipa-backup
+%{_sbindir}/ipa-restore
 %{_sbindir}/ipa-ca-install
 %{_sbindir}/ipa-dns-install
 %{_sbindir}/ipa-server-install
@@ -696,17 +748,18 @@ fi
 %{_usr}/share/ipa/ui/*.svg
 %{_usr}/share/ipa/ui/*.ttf
 %{_usr}/share/ipa/ui/*.woff
-%dir %{_usr}/share/ipa/ui/ext
-%config(noreplace) %{_usr}/share/ipa/ui/ext/extension.js
 %dir %{_usr}/share/ipa/ui/js/dojo
 %{_usr}/share/ipa/ui/js/dojo/dojo.js
 %dir %{_usr}/share/ipa/ui/js/libs
 %{_usr}/share/ipa/ui/js/libs/*.js
 %dir %{_usr}/share/ipa/ui/js/freeipa
 %{_usr}/share/ipa/ui/js/freeipa/app.js
+%dir %{_usr}/share/ipa/ui/js/plugins
 %dir %{_usr}/share/ipa/ui/images
 %{_usr}/share/ipa/ui/images/*.png
 %{_usr}/share/ipa/ui/images/*.gif
+%dir %{_usr}/share/ipa/wsgi
+%{_usr}/share/ipa/wsgi/plugins.py*
 %dir %{_sysconfdir}/ipa
 %dir %{_sysconfdir}/ipa/html
 %config(noreplace) %{_sysconfdir}/ipa/html/ffconfig.js
@@ -743,6 +796,7 @@ fi
 %attr(755,root,root) %{plugin_dir}/libipa_dns.so
 %attr(755,root,root) %{plugin_dir}/libipa_range_check.so
 %dir %{_localstatedir}/lib/ipa
+%attr(700,root,root) %dir %{_localstatedir}/lib/ipa/backup
 %attr(700,root,root) %dir %{_localstatedir}/lib/ipa/sysrestore
 %attr(700,root,root) %dir %{_localstatedir}/lib/ipa/sysupgrade
 %attr(755,root,root) %dir %{_localstatedir}/lib/ipa/pki-ca
@@ -766,6 +820,8 @@ fi
 %{_mandir}/man8/ipactl.8.gz
 %{_mandir}/man8/ipa-upgradeconfig.8.gz
 %{_mandir}/man1/ipa-compliance.1.gz
+%{_mandir}/man1/ipa-backup.1.gz
+%{_mandir}/man1/ipa-restore.1.gz
 
 %files server-selinux
 %defattr(-,root,root,-)
@@ -845,10 +901,37 @@ fi
 %{python_sitelib}/ipapython-*.egg-info
 %{python_sitelib}/freeipa-*.egg-info
 %{python_sitearch}/python_default_encoding-*.egg-info
+%dir %attr(0755,root,root) %{_sysconfdir}/ipa/
 %ghost %attr(0644,root,apache) %config(noreplace) %{_sysconfdir}/ipa/default.conf
 %ghost %attr(0644,root,apache) %config(noreplace) %{_sysconfdir}/ipa/ca.crt
 
 %changelog
+* Fri May 10 2013 Rob Crittenden <rcritten@redhat.com> - 3.2.0-1
+- Update to upstream 3.2.0 GA
+- ipa-client-install fails if /etc/ipa does not exist (#961483)
+- Certificate status is not visible in Service and Host page (#956718)
+- ipa-client-install removes needed options from ldap.conf (#953991)
+- Handle socket.gethostbyaddr() exceptions when verifying hostnames (#953957)
+- Add triggerin scriptlet to support OpenSSH 6.2 (#953617)
+- Require nss 3.14.3-12.0 to address certutil certificate import
+  errors (#953485)
+- Require pki-ca 10.0.2-3 to pull in fix for sslget and mixed IPv4/6
+  environments. (#953464)
+- ipa-client-install removes 'sss' from /etc/nsswitch.conf (#953453)
+- ipa-server-install --uninstall doesn't stop dirsrv instances (#953432)
+- Add requires for openldap-2.4.35-4 to pickup fixed SASL_NOCANON behavior for
+  socket based connections (#960222)
+- Require libsss_nss_idmap-python
+- Add Conflicts on nss-pam-ldapd < 0.8.4. The mapping from uniqueMember to
+  member is now done automatically and having it in the config file raises
+  an error.
+- Add backup and restore tools, directory.
+- require at least systemd 38 which provides the journal (we no longer
+  need to require syslog.target)
+- Update Requires on policycoreutils to 2.1.14-37
+- Update Requires on selinux-policy to 3.12.1-42
+- Update Requires on 389-ds-base to 1.3.1.0
+
 * Tue Apr  2 2013 Martin Kosek <mkosek@redhat.com> - 3.2.0-0.1.pre1
 - Update to upstream 3.2.0 Prerelease 1
 - Use upstream reference spec file as a base for Fedora spec file

sources

@@ -1 +1 @@
-eb93b180518f4450118183d1c579459b  freeipa-3.2.0.pre1.tar.gz
+e1ce2b1957e4248212de9ac3e95057f9  freeipa-3.2.0.tar.gz