replace mod_auth-kerb with mod_auth_gssapi

2015-03-30 15:50:37 +02:00 · 2015-03-30 15:50:37 +02:00 · 5e8ed97275
commit 5e8ed97275
parent c25f465e18
6 changed files with 336 additions and 107 deletions
--- a/0002-Make-lint-work-on-Fedora-22.patch
+++ b/0002-Make-lint-work-on-Fedora-22.patch
@ -0,0 +1,78 @@
+From a0ffcd6f8ba610c20808a2f863d384b7631c64ac Mon Sep 17 00:00:00 2001
+From: David Kupka <dkupka@redhat.com>
+Date: Fri, 27 Mar 2015 07:14:27 -0400
+Subject: [PATCH] Make lint work on Fedora 22.
+
+pylint added 'confidence' parameter to 'add_message' method of PyLinter.
+To be compatible with both, pre- and post- 1.4  IPALinter must accept
+the parameter but not pass it over.
+Also python3 checker was added and enabled by default. FreeIPA is still
+not ready for python3.
+Additionally few false-positives was marked.
+---
+ ipalib/plugins/otptoken.py               | 1 +
+ ipapython/dnssec/ldapkeydb.py            | 1 +
+ ipaserver/install/ipa_otptoken_import.py | 1 +
+ make-lint                                | 3 ++-
+ 4 files changed, 5 insertions(+), 1 deletion(-)
+
+diff --git a/ipalib/plugins/otptoken.py b/ipalib/plugins/otptoken.py
+index b87145df80a3be9b16d596dd4072129c2290f40a..867659ec2a867b2dba79922a4e98b7b6254e81bf 100644
+--- a/ipalib/plugins/otptoken.py
+++ b/ipalib/plugins/otptoken.py
+@@ -547,6 +547,7 @@ class otptoken_sync(Local):
+         query = urllib.urlencode(query)
+ 
+         # Sync the token.
+        # pylint: disable=E1101
+         handler = HTTPSHandler(ca_certs=os.path.join(self.api.env.confdir, 'ca.crt'),
+                                cert_reqs=ssl.CERT_REQUIRED,
+                                ssl_version=ssl.PROTOCOL_TLSv1)
+diff --git a/ipapython/dnssec/ldapkeydb.py b/ipapython/dnssec/ldapkeydb.py
+index 71c0a95a39b1b460178d0b853ed26bf2cfe5bda1..520b510707d432d2e432c55ca25f2a872d832348 100644
+--- a/ipapython/dnssec/ldapkeydb.py
+++ b/ipapython/dnssec/ldapkeydb.py
+@@ -23,6 +23,7 @@ def uri_escape(val):
+     assert len(val) > 0, "zero-length URI component detected"
+     hexval = hexlify(val)
+     out = '%'
+    # pylint: disable=E1127
+     out += '%'.join(hexval[i:i+2] for i in range(0, len(hexval), 2))
+     return out
+ 
+diff --git a/ipaserver/install/ipa_otptoken_import.py b/ipaserver/install/ipa_otptoken_import.py
+index b78aba93a2edc987450d921c87ea4f61b014b419..c6a69c9975cc113c10d0dee669f9db619422a9d3 100644
+--- a/ipaserver/install/ipa_otptoken_import.py
+++ b/ipaserver/install/ipa_otptoken_import.py
+@@ -60,6 +60,7 @@ def convertDate(value):
+ 
+     dt = dateutil.parser.parse(value)
+ 
+    # pylint: disable=E1101
+     if dt.tzinfo is None:
+         dt = datetime.datetime(*dt.timetuple()[0:6],
+                                tzinfo=dateutil.tz.tzlocal())
+diff --git a/make-lint b/make-lint
+index bd0eb4d75c50c794dbd40444ab035df5a5153d6c..8016d1c3554944d7799aefe0242f4f844e76e32c 100755
+--- a/make-lint
+++ b/make-lint
+@@ -143,7 +143,7 @@ class IPALinter(PyLinter):
+             return
+         super(IPALinter, self).register_checker(checker)
+ 
+-    def add_message(self, msg_id, line=None, node=None, args=None):
+    def add_message(self, msg_id, line=None, node=None, args=None, confidence=None):
+         if line is None and node is not None:
+             line = node.fromlineno
+ 
+@@ -235,6 +235,7 @@ def main():
+                         '{path}:{line}: [{msg_id}({symbol}), {obj}] {msg})')
+     linter.set_option('reports', False)
+     linter.set_option('persistent', False)
+    linter.set_option('disable', 'python3')
+ 
+     linter.check(files)
+ 
+-- 
+2.1.0
+
--- a/0002-Timeout-when-performing-time-sync-during-client-inst.patch
+++ b/0002-Timeout-when-performing-time-sync-during-client-inst.patch
@ -1,105 +0,0 @@
->From 8c6aaa8a9b2829f9cfff402dc65f2b5a9a93813b Mon Sep 17 00:00:00 2001
-From: Nathan Kinder <nkinder@redhat.com>
-Date: Wed, 25 Feb 2015 15:19:47 -0800
-Subject: [PATCH 2/2] Timeout when performing time sync during client install
-
-We use ntpd now to sync time before fetching a TGT during client
-install.  Unfortuantely, ntpd will hang forever if it is unable to
-reach the NTP server.
-
-This patch adds the ability for commands run via ipautil.run() to
-have an optional timeout.  This capability is used by the NTP sync
-code that is run during ipa-client-install.
-
-Ticket: https://fedorahosted.org/freeipa/ticket/4842
---
- ipa-client/ipaclient/ntpconf.py |  8 +++++++-
- ipaplatform/base/paths.py       |  1 +
- ipapython/ipautil.py            | 12 +++++++++++-
- 3 files changed, 19 insertions(+), 2 deletions(-)
-
-diff --git a/ipa-client/ipaclient/ntpconf.py b/ipa-client/ipaclient/ntpconf.py
-index e1ac55a..99e43a6 100644
--- a/ipa-client/ipaclient/ntpconf.py
-+++ b/ipa-client/ipaclient/ntpconf.py
-@@ -18,6 +18,7 @@
- #
- 
- from ipapython import ipautil
-+from ipapython.ipa_log_manager import root_logger
- import shutil
- import os
- from ipaplatform.tasks import tasks
-@@ -149,7 +150,12 @@ def synconce_ntp(server_fqdn):
- 
-     tmp_ntp_conf = ipautil.write_tmp_file('server %s' % server_fqdn)
-     try:
-        ipautil.run([ntpd, '-qgc', tmp_ntp_conf.name])
-+        # The ntpd command will never exit if it is unable to reach the
-+        # server, so timeout after 15 seconds.
-+        timeout = 15
-+        root_logger.info('Attempting to sync time using ntpd.  '
-+                         'Will timeout after %s seconds' % timeout)
-+        ipautil.run([ntpd, '-qgc', tmp_ntp_conf.name], timeout=timeout)
-         return True
-     except ipautil.CalledProcessError:
-         return False
-diff --git a/ipaplatform/base/paths.py b/ipaplatform/base/paths.py
-index 7922e3b..11c7e92 100644
--- a/ipaplatform/base/paths.py
-+++ b/ipaplatform/base/paths.py
-@@ -186,6 +186,7 @@ class BasePathNamespace(object):
-     SSLGET = "/usr/bin/sslget"
-     SSS_SSH_AUTHORIZEDKEYS = "/usr/bin/sss_ssh_authorizedkeys"
-     SSS_SSH_KNOWNHOSTSPROXY = "/usr/bin/sss_ssh_knownhostsproxy"
-+    BIN_TIMEOUT = "/usr/bin/timeout"
-     UPDATE_CA_TRUST = "/usr/bin/update-ca-trust"
-     BIN_WGET = "/usr/bin/wget"
-     ZIP = "/usr/bin/zip"
-diff --git a/ipapython/ipautil.py b/ipapython/ipautil.py
-index 4116d97..6a06a8e 100644
--- a/ipapython/ipautil.py
-+++ b/ipapython/ipautil.py
-@@ -249,7 +249,7 @@ def shell_quote(string):
- 
- def run(args, stdin=None, raiseonerr=True,
-         nolog=(), env=None, capture_output=True, skip_output=False, cwd=None,
-        runas=None):
-+        runas=None, timeout=None):
-     """
-     Execute a command and return stdin, stdout and the process return code.
- 
-@@ -277,6 +277,8 @@ def run(args, stdin=None, raiseonerr=True,
-     :param cwd: Current working directory
-     :param runas: Name of a user that the command shold be run as. The spawned
-         process will have both real and effective UID and GID set.
-+    :param timeout: Timeout if the command hasn't returned within the specified
-+        number of seconds.
-     """
-     p_in = None
-     p_out = None
-@@ -302,6 +304,11 @@ def run(args, stdin=None, raiseonerr=True,
-         p_out = subprocess.PIPE
-         p_err = subprocess.PIPE
- 
-+    if timeout:
-+        # If a timeout was provided, use the timeout command
-+        # to execute the requested command.
-+        args[0:0] = [paths.BIN_TIMEOUT, str(timeout)]
-+
-     arg_string = nolog_replace(' '.join(shell_quote(a) for a in args), nolog)
-     root_logger.debug('Starting external process')
-     root_logger.debug('args=%s' % arg_string)
-@@ -332,6 +339,9 @@ def run(args, stdin=None, raiseonerr=True,
-         if skip_output:
-             p_out.close()   # pylint: disable=E1103
- 
-+    if timeout and p.returncode == 124:
-+        root_logger.debug('Process did not complete before timeout')
-+
-     root_logger.debug('Process finished, return code=%s', p.returncode)
- 
-     # The command and its output may include passwords that we don't want
-- 
-1.9.3
-
--- a/0003-Remove-unused-part-of-ipa.conf.patch
+++ b/0003-Remove-unused-part-of-ipa.conf.patch
@ -0,0 +1,40 @@
+From 206de2b2b8f46f4c41f7df39c952e445329b9170 Mon Sep 17 00:00:00 2001
+From: David Kupka <dkupka@redhat.com>
+Date: Mon, 30 Mar 2015 04:11:19 -0400
+Subject: [PATCH 1/3] Remove unused part of ipa.conf.
+
+Separate configuration of '/var/www/cgi-bin' is no longer needed legacy from
+IPA 1.0.
+---
+ install/conf/ipa.conf | 15 ---------------
+ 1 file changed, 15 deletions(-)
+
+diff --git a/install/conf/ipa.conf b/install/conf/ipa.conf
+index 7eede73efc559967925d2bbfeee54e1e2efd3e21..62ee955ecfe0be78a3bd377e5aa35a335681621f 100644
+--- a/install/conf/ipa.conf
+++ b/install/conf/ipa.conf
+@@ -174,21 +174,6 @@ Alias /ipa/wsgi "/usr/share/ipa/wsgi"
+     AddHandler wsgi-script .py
+ </Directory>
+ 
+-# Protect our CGIs
+-<Directory /var/www/cgi-bin>
+-  AuthType Kerberos
+-  AuthName "Kerberos Login"
+-  KrbMethodNegotiate on
+-  KrbMethodK5Passwd off
+-  KrbServiceName HTTP
+-  KrbAuthRealms $REALM
+-  Krb5KeyTab /etc/httpd/conf/ipa.keytab
+-  KrbSaveCredentials on
+-  Require valid-user
+-  ErrorDocument 401 /ipa/errors/unauthorized.html
+-</Directory>
+-
+-
+ # migration related pages
+ Alias /ipa/migration "/usr/share/ipa/migration"
+ <Directory "/usr/share/ipa/migration">
+-- 
+2.3.4
+
--- a/0004-Use-mod_auth_gssapi-instead-of-mod_auth_kerb.patch
+++ b/0004-Use-mod_auth_gssapi-instead-of-mod_auth_kerb.patch
@ -0,0 +1,184 @@
+From d7a856097039b37e77a59aad66d6cdedc3eb6aee Mon Sep 17 00:00:00 2001
+From: David Kupka <dkupka@redhat.com>
+Date: Mon, 30 Mar 2015 04:17:55 -0400
+Subject: [PATCH 2/3] Use mod_auth_gssapi instead of mod_auth_kerb.
+
+https://fedorahosted.org/freeipa/ticket/4190
+---
+ freeipa.spec.in                |  4 +++-
+ init/systemd/ipa.conf.tmpfiles |  1 +
+ install/conf/ipa.conf          | 16 +++++-----------
+ ipalib/session.py              | 20 ++++++++++----------
+ ipaserver/rpcserver.py         |  2 +-
+ 5 files changed, 20 insertions(+), 23 deletions(-)
+
+diff --git a/freeipa.spec.in b/freeipa.spec.in
+index 546f3473c5ac8885c6df128b2e3793d76795e85b..8d58f2568e1de418c25cb1bd34fc7d4736a15e54 100644
+--- a/freeipa.spec.in
+++ b/freeipa.spec.in
+@@ -118,7 +118,7 @@ Requires: cyrus-sasl-gssapi%{?_isa}
+ Requires: ntp
+ Requires: httpd >= 2.4.6-6
+ Requires: mod_wsgi
+-Requires: mod_auth_kerb >= 5.4-16
+Requires: mod_auth_gssapi >= 1.1.0-2
+ Requires: mod_nss >= 1.0.8-26
+ Requires: python-ldap >= 2.4.15
+ Requires: python-krbV
+@@ -463,6 +463,7 @@ install -m 0644 init/systemd/ipa.conf.tmpfiles %{buildroot}%{_tmpfilesdir}/%{nam
+ mkdir -p %{buildroot}%{_localstatedir}/run/
+ install -d -m 0700 %{buildroot}%{_localstatedir}/run/ipa_memcached/
+ install -d -m 0700 %{buildroot}%{_localstatedir}/run/ipa/
+install -d -m 0700 %{buildroot}%{_localstatedir}/run/httpd/clientcaches
+ 
+ mkdir -p %{buildroot}%{_libdir}/krb5/plugins/libkrb5
+ touch %{buildroot}%{_libdir}/krb5/plugins/libkrb5/winbind_krb5_locator.so
+@@ -680,6 +681,7 @@ fi
+ %config(noreplace) %{_sysconfdir}/sysconfig/ipa-ods-exporter
+ %dir %attr(0700,apache,apache) %{_localstatedir}/run/ipa_memcached/
+ %dir %attr(0700,root,root) %{_localstatedir}/run/ipa/
+%dir %attr(0700,apache,apache) %{_localstatedir}/run/httpd/clientcaches/
+ # NOTE: systemd specific section
+ %{_tmpfilesdir}/%{name}.conf
+ %attr(644,root,root) %{_unitdir}/ipa.service
+diff --git a/init/systemd/ipa.conf.tmpfiles b/init/systemd/ipa.conf.tmpfiles
+index 1e7a896ed8df00c97f2d092504e2a65960bb341d..b4503cc673f3407421cd194091f5373ba204a483 100644
+--- a/init/systemd/ipa.conf.tmpfiles
+++ b/init/systemd/ipa.conf.tmpfiles
+@@ -1,2 +1,3 @@
+ d /var/run/ipa_memcached 0700 apache apache
+ d /var/run/ipa 0700 root root
+d /var/run/httpd/clientcaches 0700 apache apache
+diff --git a/install/conf/ipa.conf b/install/conf/ipa.conf
+index 62ee955ecfe0be78a3bd377e5aa35a335681621f..871fab8248fcc1c3793ce71bdcb86720a7e31c61 100644
+--- a/install/conf/ipa.conf
+++ b/install/conf/ipa.conf
+@@ -3,7 +3,6 @@
+ #
+ # This file may be overwritten on upgrades.
+ #
+-# LoadModule auth_kerb_module modules/mod_auth_kerb.so
+ 
+ ProxyRequests Off
+ 
+@@ -61,19 +60,14 @@ WSGIScriptReloading Off
+   SetHandler None
+ </Location>
+ 
+-KrbConstrainedDelegationLock ipa
+-
+ # Protect /ipa and everything below it in webspace with Apache Kerberos auth
+ <Location "/ipa">
+-  AuthType Kerberos
+  AuthType GSSAPI
+   AuthName "Kerberos Login"
+-  KrbMethodNegotiate on
+-  KrbMethodK5Passwd off
+-  KrbServiceName HTTP
+-  KrbAuthRealms $REALM
+-  Krb5KeyTab /etc/httpd/conf/ipa.keytab
+-  KrbSaveCredentials on
+-  KrbConstrainedDelegation on
+  GssapiCredStore keytab:/etc/httpd/conf/ipa.keytab
+  GssapiCredStore client_keytab:/etc/httpd/conf/ipa.keytab
+  GssapiDelegCcacheDir /var/run/httpd/clientcaches
+  GssapiUseS4U2Proxy on
+   Require valid-user
+   ErrorDocument 401 /ipa/errors/unauthorized.html
+ </Location>
+diff --git a/ipalib/session.py b/ipalib/session.py
+index ae40fdfe189b3bfd5f0437c04efaab73ac31f88a..2f732b333375c837b931c6b16ccfc535e11d7e4c 100644
+--- a/ipalib/session.py
+++ b/ipalib/session.py
+@@ -484,7 +484,7 @@ improve authentication performance. First some definitions.
+ There are 4 major players:
+ 
+   1. client
+-  2. mod_auth_kerb (in Apache process)
+  2. mod_auth_gssapi (in Apache process)
+   3. wsgi handler (in IPA wsgi python process)
+   4. ds (directory server)
+ 
+@@ -506,12 +506,12 @@ This describes how things work in our current system for the web UI.
+ 
+   2. Client sends post to /ipa/json.
+ 
+-  3. mod_auth_kerb is configured to protect /ipa/json, replies 401
+  3. mod_auth_gssapi is configured to protect /ipa/json, replies 401
+      authenticate negotiate.
+ 
+   4. Client resends with credentials
+ 
+-  5. mod_auth_kerb validates credentials
+  5. mod_auth_gssapi validates credentials
+ 
+      a. if invalid replies 403 access denied (stops here)
+ 
+@@ -550,7 +550,7 @@ A few notes about the session implementation.
+ Changes to Apache's resource protection
+ ---------------------------------------
+ 
+-  * /ipa/json is no longer protected by mod_auth_kerb. This is
+  * /ipa/json is no longer protected by mod_auth_gssapi. This is
+     necessary to avoid the negotiate expense in steps 3,4,5
+     above. Instead the /ipa/json resource will be protected in our wsgi
+     handler via the session cookie.
+@@ -583,15 +583,15 @@ The new sequence is:
+ 
+   5. client sends request to /ipa/login to obtain session credentials
+ 
+-  6. mod_auth_kerb replies 401 negotiate on /ipa/login
+  6. mod_auth_gssapi replies 401 negotiate on /ipa/login
+ 
+   7. client sends credentials to /ipa/login
+ 
+-  8. mod_auth_kerb validates credentials
+  8. mod_auth_gssapi validates credentials
+ 
+      a. if valid
+ 
+-        - mod_auth_kerb permits access to /ipa/login. wsgi handler is
+        - mod_auth_gssapi permits access to /ipa/login. wsgi handler is
+           invoked and does the following:
+ 
+           * establishes session for client
+@@ -600,7 +600,7 @@ The new sequence is:
+ 
+      a. if invalid
+ 
+-        - mod_auth_kerb sends 403 access denied (processing stops)
+        - mod_auth_gssapi sends 403 access denied (processing stops)
+ 
+   9. client now posts the same data again to /ipa/json including
+      session cookie. Processing repeats starting at step 2 and since
+@@ -617,12 +617,12 @@ and xmlrpc API's are the same, they differ only on how their procedure
+ calls are marshalled and unmarshalled.
+ 
+ Under the new scheme /ipa/xml will continue to be Kerberos protected
+-at all times. Apache's mod_auth_kerb will continue to require the
+at all times. Apache's mod_auth_gssapi will continue to require the
+ client provides valid Kerberos credentials.
+ 
+ When the WSGI handler routes to /ipa/xml the Kerberos credentials will
+ be extracted from the KRB5CCNAME environment variable as provided by
+-mod_auth_kerb. Everything else remains the same.
+mod_auth_gssapi. Everything else remains the same.
+ 
+ '''
+ 
+diff --git a/ipaserver/rpcserver.py b/ipaserver/rpcserver.py
+index d6bc955b9d9910a24eec5df1def579310eb54786..4173ed918d2ce992aa79d18b2ac3338b35388918 100644
+--- a/ipaserver/rpcserver.py
+++ b/ipaserver/rpcserver.py
+@@ -858,7 +858,7 @@ class login_kerberos(Backend, KerberosSession, HTTP_Status):
+     def __call__(self, environ, start_response):
+         self.debug('WSGI login_kerberos.__call__:')
+ 
+-        # Get the ccache created by mod_auth_kerb
+        # Get the ccache created by mod_auth_gssapi
+         user_ccache_name=environ.get('KRB5CCNAME')
+         if user_ccache_name is None:
+             return self.internal_error(environ, start_response,
+-- 
+2.3.4
+
--- a/0005-Bump-ipa.conf-version-to-17.patch
+++ b/0005-Bump-ipa.conf-version-to-17.patch
@ -0,0 +1,23 @@
+From 12f1eaf7feeb2ee3f50c2e90cffd0849a42a2c81 Mon Sep 17 00:00:00 2001
+From: David Kupka <dkupka@redhat.com>
+Date: Mon, 30 Mar 2015 04:18:11 -0400
+Subject: [PATCH 3/3] Bump ipa.conf version to 17.
+
+---
+ install/conf/ipa.conf | 2 +-
+ 1 file changed, 1 insertion(+), 1 deletion(-)
+
+diff --git a/install/conf/ipa.conf b/install/conf/ipa.conf
+index 871fab8248fcc1c3793ce71bdcb86720a7e31c61..92637c04d4f961a0b7f016fe125341c63f400285 100644
+--- a/install/conf/ipa.conf
+++ b/install/conf/ipa.conf
+@@ -1,5 +1,5 @@
+ #
+-# VERSION 16 - DO NOT REMOVE THIS LINE
+# VERSION 17 - DO NOT REMOVE THIS LINE
+ #
+ # This file may be overwritten on upgrades.
+ #
+-- 
+2.3.4
+
--- a/freeipa.spec
+++ b/freeipa.spec
@ -25,7 +25,7 @@

 Name:           freeipa
 Version:        %{VERSION}
-Release:        1%{?dist}
+Release:        2%{?dist}
 Summary:        The Identity, Policy and Audit system

 Group:          System Environment/Base
@ -35,6 +35,10 @@ Source0:        http://www.freeipa.org/downloads/src/freeipa-%{VERSION}.tar.gz
 BuildRoot:      %{_tmppath}/%{name}-%{version}-%{release}-root-%(%{__id_u} -n)

 Patch0001:      0001-Skip-time-sync-during-client-install-when-using-no-n.patch
+Patch0002:      0002-Make-lint-work-on-Fedora-22.patch
+Patch0003:      0003-Remove-unused-part-of-ipa.conf.patch
+Patch0004:      0004-Use-mod_auth_gssapi-instead-of-mod_auth_kerb.patch
+Patch0005:      0005-Bump-ipa.conf-version-to-17.patch

 %if ! %{ONLY_CLIENT}
 BuildRequires:  389-ds-base-devel >= 1.3.3.8
@ -120,7 +124,7 @@ Requires: cyrus-sasl-gssapi%{?_isa}
 Requires: ntp
 Requires: httpd >= 2.4.6-6
 Requires: mod_wsgi
-Requires: mod_auth_kerb >= 5.4-16
+Requires: mod_auth_gssapi >= 1.1.0-2
 Requires: mod_nss >= 1.0.8-26
 Requires: python-ldap >= 2.4.15
 Requires: python-krbV
@ -492,6 +496,7 @@ install -m 0644 init/systemd/ipa.conf.tmpfiles %{buildroot}%{_tmpfilesdir}/%{nam
 mkdir -p %{buildroot}%{_localstatedir}/run/
 install -d -m 0700 %{buildroot}%{_localstatedir}/run/ipa_memcached/
 install -d -m 0700 %{buildroot}%{_localstatedir}/run/ipa/
+install -d -m 0700 %{buildroot}%{_localstatedir}/run/httpd/clientcaches

 mkdir -p %{buildroot}%{_libdir}/krb5/plugins/libkrb5
 touch %{buildroot}%{_libdir}/krb5/plugins/libkrb5/winbind_krb5_locator.so
@ -708,6 +713,7 @@ fi
 %config(noreplace) %{_sysconfdir}/sysconfig/ipa-ods-exporter
 %dir %attr(0700,apache,apache) %{_localstatedir}/run/ipa_memcached/
 %dir %attr(0700,root,root) %{_localstatedir}/run/ipa/
+%dir %attr(0700,apache,apache) %{_localstatedir}/run/httpd/clientcaches/
 # NOTE: systemd specific section
 %{_tmpfilesdir}/%{name}.conf
 %attr(644,root,root) %{_unitdir}/ipa.service
@ -941,6 +947,9 @@ fi
 %endif # ONLY_CLIENT

 %changelog
+* Mon Mar 30 2015 Petr Vobornik <pvoborni@redhat.com> - 4.1.4-2
+- Replace mod_auth_kerb usage with mod_auth_gssapi
+
 * Thu Mar 26 2015 Alexander Bokovoy <abokovoy@redhat.com> - 4.1.4-1
 - Update to upstream 4.1.4 - see http://www.freeipa.org/page/Releases/4.1.4
 - fix CVE-2015-1827 (#1206047)