FreeIPA 4.8.0 release

2019-07-03 10:26:16 +03:00 · 2019-07-03 10:26:16 +03:00 · 5eefa180c1
commit 5eefa180c1
parent abebbbda3d
6 changed files with 38 additions and 223 deletions
--- a/.gitignore
+++ b/.gitignore
@ -74,3 +74,5 @@
 /freeipa-4.7.2.tar.gz.asc
 /freeipa-4.7.90.pre1.tar.gz
 /freeipa-4.7.90.pre1.tar.gz.asc
 /freeipa-4.8.0.tar.gz
 /freeipa-4.8.0.tar.gz.asc
--- a/0001-Correct-default-fontawesome-path-broken-by-da2cf1c5.patch
+++ b/0001-Correct-default-fontawesome-path-broken-by-da2cf1c5.patch
@ -1,30 +0,0 @@
 From 486ba017ceab1fb240f2fc48fea6169bc8c97319 Mon Sep 17 00:00:00 2001
 From: Adam Williamson <awilliam@redhat.com>
 Date: Wed, 1 May 2019 16:19:53 -0700
 Subject: [PATCH] Correct default fontawesome path (broken by da2cf1c5)
 On Fedora/RHEL, it does not have a dash in it. The changes in
 da2cf1c5 inadvertently added a dash to the path in the 'base'
 paths definition (used on Fedora/RHEL), so the font wasn't found.
 Signed-off-by: Adam Williamson <awilliam@redhat.com>
 ---
 ipaplatform/base/paths.py | 2 +-
 1 file changed, 1 insertion(+), 1 deletion(-)
 diff --git a/ipaplatform/base/paths.py b/ipaplatform/base/paths.py
 index 1cd2591bc..e1d396690 100644
 --- a/ipaplatform/base/paths.py
 +++ b/ipaplatform/base/paths.py
@@ -249,7 +249,7 @@ class BasePathNamespace:
     USERADD = "/usr/sbin/useradd"
     FONTS_DIR = "/usr/share/fonts"
     FONTS_OPENSANS_DIR = "/usr/share/fonts/open-sans"
 -    FONTS_FONTAWESOME_DIR = "/usr/share/fonts/font-awesome"
 +    FONTS_FONTAWESOME_DIR = "/usr/share/fonts/fontawesome"
     USR_SHARE_IPA_DIR = "/usr/share/ipa/"
     USR_SHARE_IPA_CLIENT_DIR = "/usr/share/ipa/client"
     CA_TOPOLOGY_ULDIF = "/usr/share/ipa/ca-topology.uldif"
 -- 
 2.21.0
--- a/0001-revert-minssf-defaults.patch
+++ b/0001-revert-minssf-defaults.patch
@ -1,136 +0,0 @@
 From 8177734d3b6c141c251c74ee29d223a7d414ab13 Mon Sep 17 00:00:00 2001
 From: Alexander Bokovoy <abokovoy@redhat.com>
 Date: Wed, 1 May 2019 21:25:31 +0300
 Subject: [PATCH] Revert "Require a minimum SASL security factor of 56"
 This reverts commit 350954589774499d99bf87cb5631c664bb0707c4.
 ---
 install/share/Makefile.am       |  1 -
 install/share/min-ssf.ldif      | 14 --------------
 ipalib/constants.py             |  3 ---
 ipapython/ipaldap.py            | 17 ++---------------
 ipaserver/install/dsinstance.py |  5 -----
 5 files changed, 2 insertions(+), 38 deletions(-)
 delete mode 100644 install/share/min-ssf.ldif
 diff --git a/install/share/Makefile.am b/install/share/Makefile.am
 index be83bdf75..8d039d95c 100644
 --- a/install/share/Makefile.am
 +++ b/install/share/Makefile.am
@@ -94,7 +94,6 @@ dist_app_DATA =				\
 	ipa-kdc-proxy.conf.template	\
 	ipa-pki-proxy.conf.template	\
 	ipa-rewrite.conf.template	\
 -	min-ssf.ldif			\
 	ipaca_default.ini		\
 	ipaca_customize.ini		\
 	ipaca_softhsm2.ini		\
 diff --git a/install/share/min-ssf.ldif b/install/share/min-ssf.ldif
 deleted file mode 100644
 index 1c2566f84..000000000
 --- a/install/share/min-ssf.ldif
 +++ /dev/null
@@ -1,14 +0,0 @@
 -# config
 -# pretend SSF for LDAPI connections
 -# nsslapd-localssf must be equal to or greater than nsslapd-minssf
 -dn: cn=config
 -changetype: modify
 -replace: nsslapd-localssf
 -nsslapd-localssf: 256
 -
 -# minimum security strength factor for SASL and TLS
 -# 56 is considered weak, but some old clients announce wrong SSF.
 -dn: cn=config
 -changetype: modify
 -replace: nsslapd-minssf
 -nsslapd-minssf: 56
 diff --git a/ipalib/constants.py b/ipalib/constants.py
 index bcf6f3373..c22dd26ae 100644
 --- a/ipalib/constants.py
 +++ b/ipalib/constants.py
@@ -311,9 +311,6 @@ TLS_VERSIONS = [
 ]
 TLS_VERSION_MINIMAL = "tls1.0"
 -# minimum SASL secure strength factor for LDAP connections
 -# 56 provides backwards compatibility with old libraries.
 -LDAP_SSF_MIN_THRESHOLD = 56
 # Use cache path
 USER_CACHE_PATH = (
 diff --git a/ipapython/ipaldap.py b/ipapython/ipaldap.py
 index d9d67be1d..9ff443fe4 100644
 --- a/ipapython/ipaldap.py
 +++ b/ipapython/ipaldap.py
@@ -43,9 +43,7 @@ import six
 # pylint: disable=ipa-forbidden-import
 from ipalib import errors, x509, _
 -from ipalib.constants import (
 -    LDAP_GENERALIZED_TIME_FORMAT, LDAP_SSF_MIN_THRESHOLD
 -)
 +from ipalib.constants import LDAP_GENERALIZED_TIME_FORMAT
 # pylint: enable=ipa-forbidden-import
 from ipaplatform.paths import paths
 from ipapython.ipautil import format_netloc, CIDict
@@ -105,8 +103,7 @@ def realm_to_ldapi_uri(realm_name):
     return 'ldapi://' + ldapurl.ldapUrlEscape(socketname)
 -def ldap_initialize(uri, cacertfile=None,
 -                    ssf_min_threshold=LDAP_SSF_MIN_THRESHOLD):
 +def ldap_initialize(uri, cacertfile=None):
     """Wrapper around ldap.initialize()
     The function undoes global and local ldap.conf settings that may cause
@@ -117,10 +114,6 @@ def ldap_initialize(uri, cacertfile=None,
       locations, also known as system-wide trust store.
     * Cert validation is enforced.
     * SSLv2 and SSLv3 are disabled.
 -    * Require a minimum SASL security factor of 56. That level ensures
 -      data integrity and confidentiality. Although at least AES128 is
 -      enforced pretty much everywhere, 56 is required for backwards
 -      compatibility with systems that announce wrong SSF.
     """
     conn = ldap.initialize(uri)
@@ -128,12 +121,6 @@ def ldap_initialize(uri, cacertfile=None,
     conn.set_option(ldap.OPT_X_SASL_NOCANON, ldap.OPT_ON)
     if not uri.startswith('ldapi://'):
 -        # require a minimum SSF for TCP connections, but don't lower SSF_MIN
 -        # if the current value is already larger.
 -        cur_min_ssf = conn.get_option(ldap.OPT_X_SASL_SSF_MIN)
 -        if cur_min_ssf < ssf_min_threshold:
 -            conn.set_option(ldap.OPT_X_SASL_SSF_MIN, ssf_min_threshold)
 -
         if cacertfile:
             if not os.path.isfile(cacertfile):
                 raise IOError(errno.ENOENT, cacertfile)
 diff --git a/ipaserver/install/dsinstance.py b/ipaserver/install/dsinstance.py
 index 8240e3043..9f05db1db 100644
 --- a/ipaserver/install/dsinstance.py
 +++ b/ipaserver/install/dsinstance.py
@@ -324,8 +324,6 @@ class DsInstance(service.Service):
         else:
             self.step("importing CA certificates from LDAP",
                       self.__import_ca_certs)
 -        # set min SSF after DS is configured for TLS
 -        self.step("require minimal SSF", self.__min_ssf)
         self.step("restarting directory server", self.__restart_instance)
         self.start_creation()
@@ -1243,9 +1241,6 @@ class DsInstance(service.Service):
             dm_password=self.dm_password
         )
 -    def __min_ssf(self):
 -        self._ldap_mod("min-ssf.ldif")
 -
     def __add_sudo_binduser(self):
         self._ldap_mod("sudobind.ldif", self.sub_dict)
 -- 
 2.21.0
--- a/0002-upgrade-adtrust-when-no-trusts.patch
+++ b/0002-upgrade-adtrust-when-no-trusts.patch
@ -1,44 +0,0 @@
 From 528a21996734467be193673e4f987e7e3acc3ad9 Mon Sep 17 00:00:00 2001
 From: Alexander Bokovoy <abokovoy@redhat.com>
 Date: Sat, 11 May 2019 11:54:40 +0300
 Subject: [PATCH] upgrade: adtrust - catch empty result when retrieving list of
 trusts
 Upgrade failure when ipa-server-upgrade is being run on a system with no
 trust established but trust configured
 Fixes: https://pagure.io/freeipa/issue/7939
 ---
 ipaserver/install/plugins/adtrust.py | 16 +++++++++++-----
 1 file changed, 11 insertions(+), 5 deletions(-)
 diff --git a/ipaserver/install/plugins/adtrust.py b/ipaserver/install/plugins/adtrust.py
 index 6b4e2caa2..cdc3a8b04 100644
 --- a/ipaserver/install/plugins/adtrust.py
 +++ b/ipaserver/install/plugins/adtrust.py
@@ -609,11 +609,17 @@ class update_tdo_to_new_layout(Updater):
         trusts_dn = self.api.env.container_adtrusts + self.api.env.basedn
 -        trusts = ldap.get_entries(
 -            base_dn=trusts_dn,
 -            scope=ldap.SCOPE_ONELEVEL,
 -            filter=self.trust_filter,
 -            attrs_list=self.trust_attrs)
 +        # We might be in a situation when no trusts exist yet
 +        # In such case there is nothing to upgrade but we have to catch
 +        # an exception or it will abort the whole upgrade process
 +        try:
 +            trusts = ldap.get_entries(
 +                base_dn=trusts_dn,
 +                scope=ldap.SCOPE_ONELEVEL,
 +                filter=self.trust_filter,
 +                attrs_list=self.trust_attrs)
 +        except errors.EmptyResult:
 +            trusts = []
         # For every trust, retrieve its principals and convert
         for t_entry in trusts:
 -- 
 2.21.0
--- a/freeipa.spec
+++ b/freeipa.spec
@ -101,7 +101,7 @@
 # 10.6.7 fixes UpdateNumberRange clone installation issue
 # https://pagure.io/freeipa/issue/7654 and empty token issue
 # and https://pagure.io/dogtagpki/issue/3073
-%global pki_version 10.6.8-3
+%global pki_version 10.7.0-1
 # https://pagure.io/certmonger/issue/90
 %global certmonger_version 0.79.7-1
@ -114,7 +114,7 @@
 %global nss_version 3.41.0-1
 %endif
-%global sssd_version 2.1.0-2
+%global sssd_version 2.2.0-1
 %define krb5_base_version %(LC_ALL=C rpm -q --qf '%%{VERSION}' krb5-devel | grep -Eo '^[^.]+\.[^.]+')
@ -126,7 +126,7 @@
 # Work-around fact that RPM SPEC parser does not accept
 # "Version: @VERSION@" in freeipa.spec.in used for Autoconf string replacement
-%define IPA_VERSION 4.7.90.pre1
+%define IPA_VERSION 4.8.0
 %define AT_SIGN @
 # redefine IPA_VERSION only if its value matches the Autoconf placeholder
 %if "%{IPA_VERSION}" == "%{AT_SIGN}VERSION%{AT_SIGN}"
@ -135,18 +135,13 @@
 Name:           %{package_name}
 Version:        %{IPA_VERSION}
-Release:        6%{?dist}
+Release:        1%{?dist}
 Summary:        The Identity, Policy and Audit system
 License:        GPLv3+
 URL:            http://www.freeipa.org/
 Source0:        https://releases.pagure.org/freeipa/freeipa-%{version}.tar.gz
 Source1:        https://releases.pagure.org/freeipa/freeipa-%{version}.tar.gz.asc
 Patch0001:      0001-revert-minssf-defaults.patch
 # https://github.com/freeipa/freeipa/pull/3104
 # Fix an error in the path the webUI uses for fontawesome
 Patch0002:      0001-Correct-default-fontawesome-path-broken-by-da2cf1c5.patch
 Patch0003:      0002-upgrade-adtrust-when-no-trusts.patch
 # For the timestamp trick in patch application
 BuildRequires:  diffstat
@ -535,6 +530,23 @@ If your network uses IPA for authentication, this package should be
 installed on every client machine.
 This package provides command-line tools for IPA administrators.
 %package client-samba
 Summary: Tools to configure Samba on IPA client
 Group: System Environment/Base
 Requires: %{name}-client = %{version}-%{release}
 Requires: python3-samba
 Requires: samba-client
 Requires: samba-winbind
 Requires: samba-common-tools
 Requires: samba
 Requires: sssd-winbind-idmap
 Requires: tdb-tools
 Requires: cifs-utils
 %description client-samba
 This package provides command-line tools to deploy Samba domain member
 on the machine enrolled into a FreeIPA environment
 %package -n python3-ipaclient
 Summary: Python libraries used by IPA client
 BuildArch: noarch
@ -1014,6 +1026,7 @@ fi
 %{_sbindir}/ipa-winsync-migrate
 %{_sbindir}/ipa-pkinit-manage
 %{_sbindir}/ipa-crlgen-manage
 %{_sbindir}/ipa-cert-fix
 %{_libexecdir}/certmonger/dogtag-ipa-ca-renew-agent-submit
 %{_libexecdir}/certmonger/ipa-server-guard
 %{_libexecdir}/ipa/custodia/ipa-custodia-dmldap
@ -1078,6 +1091,7 @@ fi
 %{_mandir}/man1/ipa-winsync-migrate.1*
 %{_mandir}/man1/ipa-pkinit-manage.1*
 %{_mandir}/man1/ipa-crlgen-manage.1*
 %{_mandir}/man1/ipa-cert-fix.1*
 %files -n python3-ipaserver
@ -1211,6 +1225,7 @@ fi
 %{_sbindir}/ipa-join
 %{_bindir}/ipa
 %config %{_sysconfdir}/bash_completion.d
 %config %{_sysconfdir}/sysconfig/certmonger
 %{_mandir}/man1/ipa.1*
 %{_mandir}/man1/ipa-getkeytab.1*
 %{_mandir}/man1/ipa-rmkeytab.1*
@ -1219,6 +1234,12 @@ fi
 %{_mandir}/man1/ipa-certupdate.1*
 %{_mandir}/man1/ipa-join.1*
 %files client-samba
 %doc README.md Contributors.txt
 %license COPYING
 %{_sbindir}/ipa-client-samba
 %{_mandir}/man1/ipa-client-samba.1*
 %files -n python3-ipaclient
 %doc README.md Contributors.txt
 %license COPYING
@ -1312,6 +1333,10 @@ fi
 %changelog
 * Wed Jul 03 2019 Alexander Bokovoy <abokovoy@redhat.com> - 4.8.0-1
 - New upstream release 4.8.0
 - New subpackage: freeipa-client-samba
 * Sat May 11 2019 Alexander Bokovoy <abokovoy@redhat.com> - 4.7.90.pre1-6
 - Upgrade: handle situation when trusts were configured but not established yet
  Fixed: rhbz#1708808
--- a/6
+++ b/6
@ -1,4 +1,2 @@
-SHA512 (freeipa-4.7.2.tar.gz) = 11d805fe0c085b285bace571912c3b541fc5aa9207c87ec31e22ac5fcfd2fa410e9a7ce4aafc88821e57c0be99a38d98d0c824e46bc85d968b4937f8599d9d5f
+SHA512 (freeipa-4.8.0.tar.gz) = f1c0831d97adee4f951972b7a6096ba4458704514ac1ead4e6ed0072524ac320750d690315c0b8d3a51b2f51d66dea81cf224ce417bd5d2eeb65ffe0c45c9229
-SHA512 (freeipa-4.7.2.tar.gz.asc) = ab4215555eb6458ccefc0038976d39ed3f708eaa6bc7fe7eea3e72af285665501da6275c881897584d178f4a1ea290d23051a1591f1b14b30691fea1cc05b641
+SHA512 (freeipa-4.8.0.tar.gz.asc) = 8d8b3de2ea0eab4a2ce1a063b686927cb1e95b60d5da7c945633edc79252c113c2b44e98299be34efd32526c421335f4344b1a20b6483011c1319d4284af2934
 SHA512 (freeipa-4.7.90.pre1.tar.gz) = 97c61d24f37b72aca838e6b67756af106329d8a933e6c8f7eaff362aae7943463b0efa5a6f99874513e95621666fc0a9adf58b44d5fa0be9b10e64c8ce2d9235
 SHA512 (freeipa-4.7.90.pre1.tar.gz.asc) = 0109dfa2846fbac79c7ef8b7427ce96d3d1a1aac8998d66616194fe30501e342bf6c1f251d460ddd4fd9d3f7d8ab100358adbd26c7bfc69e393a1a1c3ef1c016