Merged update from upstream sources

This is an automated DistroBaker update from upstream sources.
If you do not know what this is about or would like to opt out,
contact the OSCI team.

Source: https://src.fedoraproject.org/rpms/freeipa.git#3cbe72f9cbfe1e02e2a289c84517e1ff5649fac4
This commit is contained in:
DistroBaker 2021-03-04 12:30:45 +00:00
parent 6a6233ecfc
commit 62e000f7fb
10 changed files with 442 additions and 677 deletions

10
.gitignore vendored
View File

@ -96,3 +96,13 @@
/freeipa-4.8.10.tar.gz.asc
/freeipa-4.9.0rc1.tar.gz
/freeipa-4.9.0rc1.tar.gz.asc
/freeipa-4.9.0rc2.tar.gz
/freeipa-4.9.0rc2.tar.gz.asc
/freeipa-4.9.0rc3.tar.gz
/freeipa-4.9.0rc3.tar.gz.asc
/freeipa-4.9.0.tar.gz
/freeipa-4.9.0.tar.gz.asc
/freeipa-4.9.1.tar.gz
/freeipa-4.9.1.tar.gz.asc
/freeipa-4.9.2.tar.gz
/freeipa-4.9.2.tar.gz.asc

File diff suppressed because one or more lines are too long

View File

@ -1,56 +0,0 @@
From 2695789db45c2e7fe92e53a49521dc22fdffe317 Mon Sep 17 00:00:00 2001
From: Mark Reynolds <mreynolds@redhat.com>
Date: Wed, 28 Oct 2020 10:34:31 -0400
Subject: [PATCH] New validation efforts in 389-ds-base require that the
backend entry for a database be created before the mapping tree entry. This
enforces that the mapping tree entry (the suffix) actually belongs to an
existing backend.
For IPA we simply need to reverse the order of the backend vs mapping tree
creation in cainstance.py -> __create_ds_db()
Fixes: https://pagure.io/freeipa/issue/8558
---
ipaserver/install/cainstance.py | 22 +++++++++++-----------
1 file changed, 11 insertions(+), 11 deletions(-)
diff --git a/ipaserver/install/cainstance.py b/ipaserver/install/cainstance.py
index fca829de094..1c2fab1dffb 100644
--- a/ipaserver/install/cainstance.py
+++ b/ipaserver/install/cainstance.py
@@ -1162,17 +1162,6 @@ def __create_ds_db(self):
backend = 'ipaca'
suffix = DN(('o', 'ipaca'))
- # replication
- dn = DN(('cn', str(suffix)), ('cn', 'mapping tree'), ('cn', 'config'))
- entry = api.Backend.ldap2.make_entry(
- dn,
- objectclass=["top", "extensibleObject", "nsMappingTree"],
- cn=[suffix],
- )
- entry['nsslapd-state'] = ['Backend']
- entry['nsslapd-backend'] = [backend]
- api.Backend.ldap2.add_entry(entry)
-
# database
dn = DN(('cn', 'ipaca'), ('cn', 'ldbm database'), ('cn', 'plugins'),
('cn', 'config'))
@@ -1184,6 +1173,17 @@ def __create_ds_db(self):
entry['nsslapd-suffix'] = [suffix]
api.Backend.ldap2.add_entry(entry)
+ # replication
+ dn = DN(('cn', str(suffix)), ('cn', 'mapping tree'), ('cn', 'config'))
+ entry = api.Backend.ldap2.make_entry(
+ dn,
+ objectclass=["top", "extensibleObject", "nsMappingTree"],
+ cn=[suffix],
+ )
+ entry['nsslapd-state'] = ['Backend']
+ entry['nsslapd-backend'] = [backend]
+ api.Backend.ldap2.add_entry(entry)
+
def __setup_replication(self):
repl = replication.CAReplicationManager(self.realm, self.fqdn)
repl.setup_cs_replication(self.master_host)

View File

@ -1,107 +0,0 @@
From 87813eb6404ae0aa15b95b1af788db0d37e2efa5 Mon Sep 17 00:00:00 2001
From: Alexander Bokovoy <abokovoy@redhat.com>
Date: Wed, 18 Nov 2020 12:35:38 +0200
Subject: [PATCH] util: Fix client-only build
Commit 26b9a697844c3bb66bdf83dad3a9738b3cb65361 did not fully fix the
client-only build as util/ipa_pwd.c unconditionally includes
pwquality.h.
Make sure we define USE_PWQUALITY in the full server configuration and
if that one is defined, include libpwquality use.
Fixes: https://pagure.io/freeipa/issue/8587
Signed-off-by: Alexander Bokovoy <abokovoy@redhat.com>
---
configure.ac | 4 +++-
util/Makefile.am | 10 +++++++---
util/ipa_pwd.c | 9 ++++++++-
3 files changed, 18 insertions(+), 5 deletions(-)
diff --git a/configure.ac b/configure.ac
index ef1a1c6867e..5d04d446e0a 100644
--- a/configure.ac
+++ b/configure.ac
@@ -117,7 +117,9 @@ dnl ---------------------------------------------------------------------------
dnl - Check for pwquality library
dnl ---------------------------------------------------------------------------
AM_COND_IF([ENABLE_SERVER], [
- PKG_CHECK_MODULES([PWQUALITY], [pwquality])
+ PKG_CHECK_MODULES([PWQUALITY], [pwquality],
+ [AC_DEFINE(USE_PWQUALITY,1,[Use password quality checks])]
+ )
])
dnl ---------------------------------------------------------------------------
diff --git a/util/Makefile.am b/util/Makefile.am
index 5e21c098f14..b3803777809 100644
--- a/util/Makefile.am
+++ b/util/Makefile.am
@@ -21,7 +21,11 @@ libutil_la_SOURCES = \
libutil_la_LIBADD = $(CRYPTO_LIBS) $(KRB5_LIBS) $(LDAP_LIBS) $(PWQUALITY_LIBS)
-check_PROGRAMS = t_pwd t_policy
-TESTS = $(check_PROGRAMS)
+check_PROGRAMS = t_pwd
t_pwd_LDADD = libutil.la
-t_policy_LDADD = libutil.la
+if ENABLE_SERVER
+check_PROGRAMS += t_policy
+t_policy_LDADD = libutil.la
+endif
+
+TESTS = $(check_PROGRAMS)
diff --git a/util/ipa_pwd.c b/util/ipa_pwd.c
index dbff5ef1cba..8fa413c69cf 100644
--- a/util/ipa_pwd.c
+++ b/util/ipa_pwd.c
@@ -23,6 +23,7 @@
#ifndef _GNU_SOURCE
#define _GNU_SOURCE
#endif
+#include "config.h"
#include <stdio.h>
#include <string.h>
#include <time.h>
@@ -31,7 +32,9 @@
#include <syslog.h>
#include <unistd.h>
#include <errno.h>
+#if defined(USE_PWQUALITY)
#include <pwquality.h>
+#endif
#include <openssl/evp.h>
#include <openssl/rand.h>
#include <openssl/sha.h>
@@ -417,11 +420,13 @@ int ipapwd_check_policy(struct ipapwd_policy *policy,
{
int pwdlen, blen;
int ret;
+#if defined(USE_PWQUALITY)
pwquality_settings_t *pwq;
int check_pwquality = 0;
- int entropy;
+ int entropy = 0;
char buf[PWQ_MAX_ERROR_MESSAGE_LEN];
void *auxerror;
+#endif
if (!policy || !password) {
return IPAPWD_POLICY_ERROR;
@@ -534,6 +539,7 @@ int ipapwd_check_policy(struct ipapwd_policy *policy,
}
}
+#if defined(USE_PWQUALITY)
/* Only call into libpwquality if at least one setting is made
* because there are a number of checks that don't have knobs
* so preserve the previous behavior.
@@ -601,6 +607,7 @@ int ipapwd_check_policy(struct ipapwd_policy *policy,
#endif
}
}
+#endif /* USE_PWQUALITY */
if (pwd_history) {
char *hash;

View File

@ -1,74 +0,0 @@
From 2e4f9ef1552d1ef784bb91918aa60de0f05e453a Mon Sep 17 00:00:00 2001
From: Christian Heimes <cheimes@redhat.com>
Date: Mon, 28 Sep 2020 12:00:01 +0200
Subject: [PATCH 1/2] Ensure that resolved.conf.d is accessible
systemd-resolved runs as user systemd-resolve. Ensure that
resolved.conf.d drop-in directory is accessible when installer runs with
restricted umask. Also ensure the file and directory has correct SELinux
context.
The parent directory /etc/systemd exists on all platforms.
Fixes: https://pagure.io/freeipa/issue/8275
Signed-off-by: Christian Heimes <cheimes@redhat.com>
---
ipaplatform/base/tasks.py | 10 +++++++++-
1 file changed, 9 insertions(+), 1 deletion(-)
diff --git a/ipaplatform/base/tasks.py b/ipaplatform/base/tasks.py
index a39857e869..adf320b700 100644
--- a/ipaplatform/base/tasks.py
+++ b/ipaplatform/base/tasks.py
@@ -336,7 +336,11 @@ def configure_dns_resolver(self, nameservers, searchdomains, *,
from ipaplatform.services import knownservices
confd = os.path.dirname(paths.SYSTEMD_RESOLVED_IPA_CONF)
- os.makedirs(confd, exist_ok=True)
+ if not os.path.isdir(confd):
+ os.mkdir(confd)
+ # owned by root, readable by systemd-resolve user
+ os.chmod(confd, 0o755)
+ tasks.restore_context(confd, force=True)
cfg = RESOLVE1_IPA_CONF.format(
searchdomains=" ".join(searchdomains)
@@ -345,6 +349,10 @@ def configure_dns_resolver(self, nameservers, searchdomains, *,
os.fchmod(f.fileno(), 0o644)
f.write(cfg)
+ tasks.restore_context(
+ paths.SYSTEMD_RESOLVED_IPA_CONF, force=True
+ )
+
knownservices["systemd-resolved"].reload_or_restart()
def unconfigure_dns_resolver(self, fstore=None):
From 8b193f09018c3be283e0a3ecdfd1a58d49af360a Mon Sep 17 00:00:00 2001
From: Christian Heimes <cheimes@redhat.com>
Date: Mon, 28 Sep 2020 12:29:00 +0200
Subject: [PATCH 2/2] Also backup DNS config drop-ins
/etc/NetworkManager/conf.d and /etc/systemd/resolved.conf.d drop-in
files were not backed up.
Related: https://pagure.io/freeipa/issue/8275
Signed-off-by: Christian Heimes <cheimes@redhat.com>
---
ipaserver/install/ipa_backup.py | 2 ++
1 file changed, 2 insertions(+)
diff --git a/ipaserver/install/ipa_backup.py b/ipaserver/install/ipa_backup.py
index 39347643d3..d472990afe 100644
--- a/ipaserver/install/ipa_backup.py
+++ b/ipaserver/install/ipa_backup.py
@@ -194,6 +194,8 @@ class Backup(admintool.AdminTool):
paths.GSSPROXY_CONF,
paths.HOSTS,
paths.SYSTEMD_PKI_TOMCAT_IPA_CONF,
+ paths.NETWORK_MANAGER_IPA_CONF,
+ paths.SYSTEMD_RESOLVED_IPA_CONF,
) + tuple(
os.path.join(paths.IPA_NSSDB_DIR, file)
for file in (certdb.NSS_DBM_FILES + certdb.NSS_SQL_FILES)

View File

@ -1,36 +0,0 @@
From 8b2002cc7e2e0400e1afa3a21963a22947c7a908 Mon Sep 17 00:00:00 2001
From: Christian Heimes <cheimes@redhat.com>
Date: Tue, 29 Sep 2020 10:39:01 +0200
Subject: [PATCH] configure_dns_resolver: call self.restore_context
Use the platform implementation of restore_context() instead of the base
implementation.
Fixes: https://pagure.io/freeipa/issue/8518
Signed-off-by: Christian Heimes <cheimes@redhat.com>
---
ipaplatform/base/tasks.py | 4 ++--
1 file changed, 2 insertions(+), 2 deletions(-)
diff --git a/ipaplatform/base/tasks.py b/ipaplatform/base/tasks.py
index adf320b700..4387e0e12f 100644
--- a/ipaplatform/base/tasks.py
+++ b/ipaplatform/base/tasks.py
@@ -340,7 +340,7 @@ def configure_dns_resolver(self, nameservers, searchdomains, *,
os.mkdir(confd)
# owned by root, readable by systemd-resolve user
os.chmod(confd, 0o755)
- tasks.restore_context(confd, force=True)
+ self.restore_context(confd, force=True)
cfg = RESOLVE1_IPA_CONF.format(
searchdomains=" ".join(searchdomains)
@@ -349,7 +349,7 @@ def configure_dns_resolver(self, nameservers, searchdomains, *,
os.fchmod(f.fileno(), 0o644)
f.write(cfg)
- tasks.restore_context(
+ self.restore_context(
paths.SYSTEMD_RESOLVED_IPA_CONF, force=True
)

View File

@ -1,37 +0,0 @@
From f9900ef2401070351353724ef92111ec541e67f0 Mon Sep 17 00:00:00 2001
From: Alexander Bokovoy <abokovoy@redhat.com>
Date: Sat, 26 Sep 2020 16:30:58 +0300
Subject: [PATCH] Pre-populate IP addresses for the name server upgrades
Setting up resolv.conf in BIND instance expects IP addresses of the
server to be provided. This is done wiht BindInstance.setup() method
call. However, when reusing resolver setup during upgrade BIND instance
has no IP addresses configured and fails with an assert in
tasks.configure_dns_resolver().
Pass through the server's IP addresses during upgrade.
Fixes: https://pagure.io/freeipa/issue/8518
Signed-off-by: Alexander Bokovoy <abokovoy@redhat.com>
---
ipaserver/install/server/upgrade.py | 3 +++
1 file changed, 3 insertions(+)
diff --git a/ipaserver/install/server/upgrade.py b/ipaserver/install/server/upgrade.py
index 332f8b251..144b340a4 100644
--- a/ipaserver/install/server/upgrade.py
+++ b/ipaserver/install/server/upgrade.py
@@ -1451,6 +1451,9 @@ def upgrade_bind(fstore):
# resolve1's stub resolver config file.
has_resolved_ipa_conf = os.path.isfile(paths.SYSTEMD_RESOLVED_IPA_CONF)
if not has_resolved_ipa_conf and detect_resolve1_resolv_conf():
+ ip_addresses = installutils.get_server_ip_address(
+ api.env.host, True, False, [])
+ bind.ip_addresses = ip_addresses
bind.setup_resolv_conf()
logger.info("Updated systemd-resolved configuration")
--
2.28.0

View File

@ -1,282 +0,0 @@
From 071e283b19e925bea596a25b4758ab2cbc657914 Mon Sep 17 00:00:00 2001
From: Rob Crittenden <rcritten@redhat.com>
Date: Tue, 11 Aug 2020 10:47:05 -0400
Subject: [PATCH 1/3] Fall back to old server installation detection when
needed
If there is no installation section the the install pre-dated
this new method of detecting a successful installation, fall back
to that.
https://pagure.io/freeipa/issue/8458
Reviewed-By: Florence Blanc-Renaud <flo@redhat.com>
Reviewed-By: Stanislav Levin <slev@altlinux.org>
Reviewed-By: Alexander Bokovoy <abbra@users.noreply.github.com>
---
ipalib/facts.py | 31 ++++++++++++++++++++++++++++-
ipaserver/install/installutils.py | 4 ----
ipaserver/install/server/install.py | 3 ++-
ipaserver/install/server/upgrade.py | 7 +++++--
4 files changed, 37 insertions(+), 8 deletions(-)
diff --git a/ipalib/facts.py b/ipalib/facts.py
index 5106fc2ac5..d78c1a2275 100644
--- a/ipalib/facts.py
+++ b/ipalib/facts.py
@@ -6,17 +6,46 @@
Facts about the installation
"""
+import logging
import os
from . import sysrestore
from ipaplatform.paths import paths
+logger = logging.getLogger(__name__)
+
+# Used to determine install status
+IPA_MODULES = [
+ 'httpd', 'kadmin', 'dirsrv', 'pki-tomcatd', 'install', 'krb5kdc', 'named']
+
def is_ipa_configured():
"""
Use the state to determine if IPA has been configured.
"""
sstore = sysrestore.StateFile(paths.SYSRESTORE)
- return sstore.get_state('installation', 'complete')
+ if sstore.has_state('installation'):
+ return sstore.get_state('installation', 'complete')
+
+ # Fall back to older method in case this is an existing installation
+
+ installed = False
+
+ fstore = sysrestore.FileStore(paths.SYSRESTORE)
+
+ for module in IPA_MODULES:
+ if sstore.has_state(module):
+ logger.debug('%s is configured', module)
+ installed = True
+ else:
+ logger.debug('%s is not configured', module)
+
+ if fstore.has_files():
+ logger.debug('filestore has files')
+ installed = True
+ else:
+ logger.debug('filestore is tracking no files')
+
+ return installed
def is_ipa_client_configured(on_master=False):
diff --git a/ipaserver/install/installutils.py b/ipaserver/install/installutils.py
index 583b1aca0b..13baf494cd 100644
--- a/ipaserver/install/installutils.py
+++ b/ipaserver/install/installutils.py
@@ -63,10 +63,6 @@
logger = logging.getLogger(__name__)
-# Used to determine install status
-IPA_MODULES = [
- 'httpd', 'kadmin', 'dirsrv', 'pki-tomcatd', 'install', 'krb5kdc', 'named']
-
class BadHostError(Exception):
pass
diff --git a/ipaserver/install/server/install.py b/ipaserver/install/server/install.py
index b86c3fec15..4d8e3ad78f 100644
--- a/ipaserver/install/server/install.py
+++ b/ipaserver/install/server/install.py
@@ -37,13 +37,14 @@
validate_domain_name,
no_matching_interface_for_ip_address_warning,
)
+from ipalib.facts import IPA_MODULES
from ipaserver.install import (
adtrust, adtrustinstance, bindinstance, ca, dns, dsinstance,
httpinstance, installutils, kra, krbinstance,
otpdinstance, custodiainstance, replication, service,
sysupgrade)
from ipaserver.install.installutils import (
- IPA_MODULES, BadHostError, get_fqdn, get_server_ip_address,
+ BadHostError, get_fqdn, get_server_ip_address,
load_pkcs12, read_password, verify_fqdn, update_hosts_file,
validate_mask)
diff --git a/ipaserver/install/server/upgrade.py b/ipaserver/install/server/upgrade.py
index f0d9b746cd..109d1e100e 100644
--- a/ipaserver/install/server/upgrade.py
+++ b/ipaserver/install/server/upgrade.py
@@ -1455,8 +1455,11 @@ def upgrade_configuration():
fstore = sysrestore.FileStore(paths.SYSRESTORE)
sstore = sysrestore.StateFile(paths.SYSRESTORE)
- if is_ipa_configured() is None:
- sstore.backup_state('installation', 'complete', True)
+ if not sstore.has_state('installation'):
+ if is_ipa_configured():
+ sstore.backup_state('installation', 'complete', True)
+ else:
+ sstore.backup_state('installation', 'complete', False)
fqdn = api.env.host
From 7d84d919a8f5767ade1dcc380ce4eebadac6a8b5 Mon Sep 17 00:00:00 2001
From: Rob Crittenden <rcritten@redhat.com>
Date: Tue, 11 Aug 2020 11:12:55 -0400
Subject: [PATCH 2/3] Use is_ipa_configured from ipalib.facts
A couple of places still used the deprecated installutils version.
https://pagure.io/freeipa/issue/8458
Reviewed-By: Florence Blanc-Renaud <flo@redhat.com>
Reviewed-By: Stanislav Levin <slev@altlinux.org>
Reviewed-By: Alexander Bokovoy <abbra@users.noreply.github.com>
---
ipaserver/install/installutils.py | 2 +-
1 file changed, 1 insertion(+), 1 deletion(-)
diff --git a/ipaserver/install/installutils.py b/ipaserver/install/installutils.py
index 13baf494cd..a3274d5797 100644
--- a/ipaserver/install/installutils.py
+++ b/ipaserver/install/installutils.py
@@ -665,7 +665,7 @@ def check_server_configuration():
Most convenient use case for the function is in install tools that require
configured IPA for its function.
"""
- if not is_ipa_configured():
+ if not facts.is_ipa_configured():
raise ScriptError("IPA is not configured on this system.",
rval=SERVER_NOT_CONFIGURED)
From 36ecfdbfe4ceedcfe056816cbb22162842fae975 Mon Sep 17 00:00:00 2001
From: Rob Crittenden <rcritten@redhat.com>
Date: Tue, 11 Aug 2020 13:55:54 -0400
Subject: [PATCH 3/3] ipatests: Add test for is_ipa_configured
Validate that is_ipa_configured() returns True when using either
the original and the new configuration methods. This will allow
older installs to successfully upgrade.
https://pagure.io/freeipa/issue/8458
Reviewed-By: Florence Blanc-Renaud <flo@redhat.com>
Reviewed-By: Stanislav Levin <slev@altlinux.org>
Reviewed-By: Alexander Bokovoy <abbra@users.noreply.github.com>
---
.../test_integration/test_installation.py | 88 +++++++++++++++++++
1 file changed, 88 insertions(+)
diff --git a/ipatests/test_integration/test_installation.py b/ipatests/test_integration/test_installation.py
index fb19900838..98bdc98ab8 100644
--- a/ipatests/test_integration/test_installation.py
+++ b/ipatests/test_integration/test_installation.py
@@ -21,6 +21,7 @@
from ipalib import x509
from ipalib.constants import DOMAIN_LEVEL_0
+from ipalib.sysrestore import SYSRESTORE_STATEFILE, SYSRESTORE_INDEXFILE
from ipapython.dn import DN
from ipaplatform.constants import constants
from ipaplatform.osinfo import osinfo
@@ -357,6 +358,93 @@ def test_ipa_ca_crt_permissions(self):
assert owner == "root"
assert group == "root"
+ def test_is_ipa_configured(self):
+ """Verify that the old and new methods of is_ipa_installed works
+
+ If there is an installation section then it is the status.
+
+ If not then it will fall back to looking for configured
+ services and files and use that for determination.
+ """
+ def set_installation_state(host, state):
+ """
+ Update the complete value in the installation section
+ """
+ host.run_command(
+ ['python3', '-c',
+ 'from ipalib.install import sysrestore; '
+ 'from ipaplatform.paths import paths;'
+ 'sstore = sysrestore.StateFile(paths.SYSRESTORE); '
+ 'sstore.backup_state("installation", "complete", '
+ '{state})'.format(state=state)])
+
+ def get_installation_state(host):
+ """
+ Retrieve the installation state from new install method
+ """
+ result = host.run_command(
+ ['python3', '-c',
+ 'from ipalib.install import sysrestore; '
+ 'from ipaplatform.paths import paths;'
+ 'sstore = sysrestore.StateFile(paths.SYSRESTORE); '
+ 'print(sstore.get_state("installation", "complete"))'])
+ return result.stdout_text.strip() # a string
+
+ # This comes from freeipa.spec and is used to determine whether
+ # an upgrade is required.
+ cmd = ['python3', '-c',
+ 'import sys; from ipalib import facts; sys.exit(0 '
+ 'if facts.is_ipa_configured() else 1);']
+
+ # This will use the new method since this is a fresh install,
+ # verify that it is true.
+ self.master.run_command(cmd)
+ assert get_installation_state(self.master) == 'True'
+
+ # Set complete to False which should cause the command to fail
+ # This tests the state of a failed or in-process installation.
+ set_installation_state(self.master, False)
+ result = self.master.run_command(cmd, raiseonerr=False)
+ assert result.returncode == 1
+ set_installation_state(self.master, True)
+
+ # Tweak sysrestore.state to drop installation section
+ self.master.run_command(
+ ['sed','-i', r's/\[installation\]/\[badinstallation\]/',
+ os.path.join(paths.SYSRESTORE, SYSRESTORE_STATEFILE)])
+
+ # Re-run installation check and it should fall back to old method
+ # and be successful.
+ self.master.run_command(cmd)
+ assert get_installation_state(self.master) == 'None'
+
+ # Restore installation section.
+ self.master.run_command(
+ ['sed','-i', r's/\[badinstallation\]/\[installation\]/',
+ os.path.join(paths.SYSRESTORE, SYSRESTORE_STATEFILE)])
+
+ # Uninstall and confirm that the old method reports correctly
+ # on uninstalled servers. It will exercise the old method since
+ # there is no state.
+ tasks.uninstall_master(self.master)
+
+ # ensure there is no stale state
+ result = self.master.run_command(r'test -f {}'.format(
+ os.path.join(paths.SYSRESTORE, SYSRESTORE_STATEFILE)),
+ raiseonerr=False
+ )
+ assert result.returncode == 1
+ result = self.master.run_command(r'test -f {}'.format(
+ os.path.join(paths.SYSRESTORE, SYSRESTORE_INDEXFILE)),
+ raiseonerr=False
+ )
+ assert result.returncode == 1
+
+ # Now run is_ipa_configured() and it should be False
+ result = self.master.run_command(cmd, raiseonerr=False)
+ assert result.returncode == 1
+
+
class TestInstallWithCA_KRA1(InstallTestBase1):
@classmethod

View File

@ -15,10 +15,8 @@
# 389-ds-base 1.4 no longer supports i686 platform, build only client
# packages, https://bugzilla.redhat.com/show_bug.cgi?id=1544386
%if 0%{?fedora} >= 28 || 0%{?rhel} > 7
%ifarch %{ix86}
%ifarch %{ix86}
%{!?ONLY_CLIENT:%global ONLY_CLIENT 1}
%endif
%endif
# Define ONLY_CLIENT to only make the ipa-client and ipa-python
@ -35,10 +33,18 @@
%endif
# Whether to build ipatests
%global with_ipatests_option %{?_with_ipatests}
%if %{with ipatests}
%global with_ipatests_option --with-ipatests
%else
%global with_ipatests_option --without-ipatests
%endif
# Whether to use XML-RPC with ipa-join
%global with_ipa_join_xml_option %{?_with_ipa_join_xml}
%if %{with ipa_join_xml}
%global with_ipa_join_xml_option --with-ipa-join-xml
%else
%global with_ipa_join_xml_option --without-ipa-join-xml
%endif
# lint is not executed during rpmbuild
# %%global with_lint 1
@ -49,7 +55,7 @@
%endif
# Include SELinux subpackage
%if 0%{?fedora} >= 30 || 0%{?rhel}
%if 0%{?fedora} >= 30 || 0%{?rhel} >= 8
%global with_selinux 1
%global selinuxtype targeted
%global modulename ipa
@ -58,7 +64,7 @@
%if 0%{?rhel}
%global package_name ipa
%global alt_name freeipa
%global krb5_version 1.18.2
%global krb5_version 1.18.2-2
%global krb5_kdb_version 8.0
# 0.7.16: https://github.com/drkjam/netaddr/issues/71
%global python_netaddr_version 0.7.19
@ -67,86 +73,92 @@
%global selinux_policy_version 3.14.3-52
%global slapi_nis_version 0.56.4
%global python_ldap_version 3.1.0-1
%if 0%{?rhel} < 9
# python3-lib389
# Fix for "Installation fails: Replica Busy"
# https://pagure.io/389-ds-base/issue/49818
%global ds_version 1.4.2.4-6
%else
%global ds_version 2.0.3-3
%endif
# Fix for TLS 1.3 PHA, RHBZ#1775158
%global httpd_version 2.4.37-21
%global bind_version 9.11.20-6
%else
# Fedora
%global package_name freeipa
%global alt_name ipa
# Fix for CVE-2018-20217
%global krb5_version 1.18
# Fix for CVE-2020-28196
%global krb5_version 1.18.2-29
# 0.7.16: https://github.com/drkjam/netaddr/issues/71
%global python_netaddr_version 0.7.16
# Require 4.7.0 which brings Python 3 bindings
# Require 4.12 which has DsRGetForestTrustInformation access rights fixes
%global samba_version 2:4.12
%global samba_version 2:4.12.10
# SELinux context for dirsrv unit file, BZ 1820298
%if 0%{?fedora} >= 32
%global selinux_policy_version 3.14.5-39
%else
%global selinux_policy_version 3.14.4-52
%endif
# 3.14.5-45 or later includes a number of interfaces fixes for IPA interface
%global selinux_policy_version 3.14.5-45
%global slapi_nis_version 0.56.5
%global krb5_kdb_version 8.0
# fix for segfault in python3-ldap, https://pagure.io/freeipa/issue/7324
%global python_ldap_version 3.1.0-1
# 1.4.3 moved nsslapd-db-locks to cn=bdb sub-entry
# https://pagure.io/freeipa/issue/8515
%global ds_version 1.4.3
# Make sure to use 389-ds-base versions that fix https://github.com/389ds/389-ds-base/issues/4609
%if 0%{?fedora} < 34
%global ds_version %{lua: local v={}; v['32']='1.4.3.20-2'; v['33']='1.4.4.13-2'; print(v[rpm.expand('%{fedora}')])}
%else
%global ds_version 2.0.3-3
%endif
# Fix for TLS 1.3 PHA, RHBZ#1775146
%if 0%{?fedora} >= 31
%global httpd_version 2.4.41-9
%else
%global httpd_version 2.4.41-6.1
%global bind_version 9.11.24-1
# Don't use Fedora's Python dependency generator on Fedora 30/rawhide yet.
# Some packages don't provide new dist aliases.
# https://docs.fedoraproject.org/en-US/packaging-guidelines/Python/
%{?python_disable_dependency_generator}
# Fedora
%endif
# BIND employs 'pkcs11' OpenSSL engine instead of native PKCS11
# Fedora 31+ uses OpenSSL engine, as well as Fedora ELN (RHEL9)
%if 0%{?fedora} || 0%{?rhel} > 8
%if 0%{?fedora} || 0%{?rhel} >= 9
%global openssl_pkcs11_version 0.4.10-6
%global softhsm_version 2.5.0-4
%else
%global with_bind_pkcs11 1
%endif
# Don't use Fedora's Python dependency generator on Fedora 30/rawhide yet.
# Some packages don't provide new dist aliases.
# https://docs.fedoraproject.org/en-US/packaging-guidelines/Python/
%{?python_disable_dependency_generator}
# Fedora
%if 0%{?rhel} == 8
# Make sure to use PKI versions that work with 389-ds fix for https://github.com/389ds/389-ds-base/issues/4609
%global pki_version 10.10.5
%else
# Make sure to use PKI versions that work with 389-ds fix for https://github.com/389ds/389-ds-base/issues/4609
%global pki_version 10.10.5
%endif
# PKIConnection has been modified to always validate certs.
# https://pagure.io/freeipa/issue/8379
%global pki_version 10.9.0-0.4
# RHEL 8.3+, F32+ has 0.79.13
%global certmonger_version 0.79.7-3
# https://pagure.io/certmonger/issue/90
%global certmonger_version 0.79.7-1
# RHEL 8.2+, F32+ has 3.58
%global nss_version 3.44.0-4
%global nss_version 3.41.0-1
# RHEL 8.3+, F32+
%global sssd_version 2.4.0
# One-Way Trust authenticated by trust secret
# https://bugzilla.redhat.com/show_bug.cgi?id=1345975#c20
%global sssd_version 1.16.3-2
%define krb5_base_version %(LC_ALL=C /usr/bin/pkgconf --modversion krb5 | grep -Eo '^[^.]+\.[^.]+' || echo %krb5_version)
%global kdcproxy_version 0.4-3
%define krb5_base_version %(LC_ALL=C pkgconf --modversion krb5 | grep -Eo '^[^.]+\.[^.]+' || echo %krb5_version)
%if 0%{?fedora} >= 33
%if 0%{?fedora} >= 33 || 0%{?rhel} >= 9
# systemd with resolved enabled
# see https://pagure.io/freeipa/issue/8275
%global systemd_version 246.6-3
%else
%global systemd_version 245
%global systemd_version 239
%endif
%global plugin_dir %{_libdir}/dirsrv/plugins
@ -157,25 +169,43 @@
# Work-around fact that RPM SPEC parser does not accept
# "Version: @VERSION@" in freeipa.spec.in used for Autoconf string replacement
%define IPA_VERSION 4.9.0
# Release candidate version -- set to %%nil (one percent sign) for a release
%global rc_version rc1
%define IPA_VERSION 4.9.2
# Release candidate version -- uncomment with one percent for RC versions
#%%global rc_version %%nil
%define AT_SIGN @
# redefine IPA_VERSION only if its value matches the Autoconf placeholder
%if "%{IPA_VERSION}" == "%{AT_SIGN}VERSION%{AT_SIGN}"
%define IPA_VERSION nonsense.to.please.RPM.SPEC.parser
%endif
%define NON_DEVELOPER_BUILD ("%{lua: print(rpm.expand('%{suffix:%IPA_VERSION}'):find('^dev'))}" == "nil")
Name: %{package_name}
Version: %{IPA_VERSION}
Release: 0.1%{?rc_version:.%rc_version}%{?dist}
Release: 4%{?rc_version:.%rc_version}%{?dist}
Summary: The Identity, Policy and Audit system
License: GPLv3+
URL: http://www.freeipa.org/
Source0: https://releases.pagure.org/freeipa/freeipa-%{version}%{?rc_version}.tar.gz
# Only use detached signature for the distribution builds. If it is a developer build, skip it
%if %{NON_DEVELOPER_BUILD}
Source1: https://releases.pagure.org/freeipa/freeipa-%{version}%{?rc_version}.tar.gz.asc
Patch1: https://github.com/freeipa/freeipa/pull/5273.patch
%endif
# RHEL spec file only: START: Change branding to IPA and Identity Management
# Moved branding logos and background to redhat-logos-ipa-80.4:
# header-logo.png, login-screen-background.jpg, login-screen-logo.png,
# product-name.png
# RHEL spec file only: END: Change branding to IPA and Identity Management
# RHEL spec file only: START
%if %{NON_DEVELOPER_BUILD}
%if 0%{?rhel} >= 8
Patch1001: 1001-Change-branding-to-IPA-and-Identity-Management.patch
%endif
%endif
# RHEL spec file only: END
# For the timestamp trick in patch application
BuildRequires: diffstat
@ -202,6 +232,7 @@ BuildRequires: pkgconfig
BuildRequires: pkgconf
BuildRequires: autoconf
BuildRequires: automake
BuildRequires: make
BuildRequires: libtool
BuildRequires: gettext
BuildRequires: gettext-devel
@ -226,7 +257,7 @@ BuildRequires: libsss_certmap-devel
BuildRequires: libsss_nss_idmap-devel >= %{sssd_version}
BuildRequires: nodejs(abi)
# use old dependency on RHEL 8 for now
%if 0%{?fedora} >= 31 || 0%{?rhel} > 8
%if 0%{?fedora} >= 31 || 0%{?rhel} >= 9
BuildRequires: python3-rjsmin
%else
BuildRequires: uglify-js
@ -283,6 +314,7 @@ BuildRequires: jsl
BuildRequires: nss-tools
BuildRequires: rpmlint
BuildRequires: softhsm
BuildRequires: keyutils
BuildRequires: python3-augeas
BuildRequires: python3-cffi
@ -304,12 +336,13 @@ BuildRequires: python3-lxml
BuildRequires: python3-netaddr >= %{python_netaddr_version}
BuildRequires: python3-netifaces
BuildRequires: python3-paste
BuildRequires: python3-pexpect
BuildRequires: python3-pki >= %{pki_version}
BuildRequires: python3-polib
BuildRequires: python3-pyasn1
BuildRequires: python3-pyasn1-modules
BuildRequires: python3-pycodestyle
%if 0%{?fedora} || %{?rhel} > 8
%if 0%{?fedora} || 0%{?rhel} > 8
# https://bugzilla.redhat.com/show_bug.cgi?id=1648299
BuildRequires: python3-pylint >= 2.1.1-2
%else
@ -339,10 +372,8 @@ BuildRequires: krb5-server >= %{krb5_version}
# ONLY_CLIENT
%endif
#
# Build dependencies for SELinux policy
# 3.14.6-9 includes fix for https://github.com/fedora-selinux/selinux-policy/pull/333
%if 0%{?with_selinux}
%if %{with selinux}
BuildRequires: selinux-policy-devel >= %{selinux_policy_version}
%endif
@ -369,7 +400,6 @@ Requires: nss-tools >= %{nss_version}
Requires(post): krb5-server >= %{krb5_version}
Requires(post): krb5-server >= %{krb5_base_version}
Requires: krb5-kdb-version = %{krb5_kdb_version}
Requires: krb5-pkinit-openssl >= %{krb5_version}
Requires: cyrus-sasl-gssapi%{?_isa}
Requires: chrony
@ -431,6 +461,13 @@ Obsoletes: %{name}-server <= 4.2.0
# member.
Conflicts: nss-pam-ldapd < 0.8.4
# RHEL spec file only: START: Do not build tests
%if 0%{?rhel} == 8
# ipa-tests subpackage was moved to separate srpm
Conflicts: ipa-tests < 3.3.3-9
%endif
# RHEL spec file only: END: Do not build tests
%description server
IPA is an integrated solution to provide centrally managed Identity (users,
hosts, services), Authentication (SSO, 2FA), and Authorization
@ -454,7 +491,7 @@ Requires: python3-dbus
Requires: python3-dns >= 1.15
Requires: python3-gssapi >= 1.2.0
Requires: python3-ipaclient = %{version}-%{release}
Requires: python3-kdcproxy >= 0.4.1
Requires: python3-kdcproxy >= %{kdcproxy_version}
Requires: python3-lxml
Requires: python3-pki >= %{pki_version}
Requires: python3-pyasn1 >= 0.3.2-2
@ -468,7 +505,6 @@ Requires: python3-urllib3 >= 1.24.2-3
Requires: python3-urllib3 >= 1.25.7
%endif
%description -n python3-ipaserver
IPA is an integrated solution to provide centrally managed Identity (users,
hosts, services), Authentication (SSO, 2FA), and Authorization
@ -484,6 +520,10 @@ BuildArch: noarch
Requires: %{name}-client-common = %{version}-%{release}
Requires: httpd >= %{httpd_version}
Requires: systemd-units >= %{systemd_version}
Requires: custodia >= 0.3.1
%if 0%{?rhel} >= 8
Requires: redhat-logos-ipa >= 80.4
%endif
Provides: %{alt_name}-server-common = %{version}
Conflicts: %{alt_name}-server-common
@ -502,22 +542,19 @@ If you are installing an IPA server, you need to install this package.
Summary: IPA integrated DNS server with support for automatic DNSSEC signing
BuildArch: noarch
Requires: %{name}-server = %{version}-%{release}
Requires: bind-dyndb-ldap >= 11.0-2
Requires: bind >= 9.11.0-6.P2
Requires: bind-utils >= 9.11.0-6.P2
Requires: bind-dyndb-ldap >= 11.2-2
Requires: bind >= %{bind_version}
Requires: bind-utils >= %{bind_version}
%if %{with bind_pkcs11}
Requires: bind-pkcs11 >= 9.11.0-6.P2
Requires: bind-pkcs11-utils >= 9.11.0-6.P2
Requires: bind-pkcs11 >= %{bind_version}
Requires: bind-pkcs11-utils >= %{bind_version}
%else
Requires: softhsm >= %{softhsm_version}
Requires: openssl-pkcs11 >= %{openssl_pkcs11_version}
%endif
%if 0%{?fedora} >= 32 || 0%{?rhel} >= 9
# See https://bugzilla.redhat.com/show_bug.cgi?id=1825812
# RHEL 8.3+ and Fedora 32+ have 2.1
Requires: opendnssec >= 2.1.6-5
%else
Requires: opendnssec >= 1.4.6-4
%endif
%{?systemd_requires}
Provides: %{alt_name}-server-dns = %{version}
@ -540,7 +577,9 @@ Requires: %{name}-common = %{version}-%{release}
Requires: samba >= %{samba_version}
Requires: samba-winbind
Requires: libsss_idmap
%if 0%{?rhel}
Obsoletes: ipa-idoverride-memberof-plugin <= 0.1
%endif
Requires(post): python3
Requires: python3-samba
Requires: python3-libsss_nss_idmap
@ -612,6 +651,11 @@ Obsoletes: %{alt_name}-admintools < 4.4.1
Obsoletes: %{name}-admintools < 4.4.1
Provides: %{name}-admintools = %{version}-%{release}
%if 0%{?rhel} == 8
# Conflict with crypto-policies < 20200629-1 to get AD-SUPPORT policy module
Conflicts: crypto-policies < 20200629-1
%endif
%description client
IPA is an integrated solution to provide centrally managed Identity (users,
hosts, services), Authentication (SSO, 2FA), and Authorization
@ -642,12 +686,11 @@ on the machine enrolled into a FreeIPA environment
%package client-epn
Summary: Tools to configure Expiring Password Notification in IPA
Group: System Environment/Base
Requires: systemd-units
Requires: %{name}-client = %{version}-%{release}
Requires: systemd-units >= %{systemd_version}
Requires(post): systemd-units >= %{systemd_version}
Requires(preun): systemd-units >= %{systemd_version}
Requires(postun): systemd-units >= %{systemd_version}
Requires: %{name}-client = %{version}-%{release}
%description client-epn
This package provides a service to collect and send expiring password
@ -673,7 +716,6 @@ and integration with Active Directory based infrastructures (Trusts).
If your network uses IPA for authentication, this package should be
installed on every client machine.
%package client-common
Summary: Common files used by IPA client
BuildArch: noarch
@ -753,10 +795,14 @@ Requires: python3-pyasn1-modules >= 0.3.2-2
Requires: python3-pyusb
Requires: python3-qrcode-core >= 5.0.0
Requires: python3-requests
Requires: python3-setuptools
Requires: python3-six
Requires: python3-sss-murmur
Requires: python3-yubico >= 1.3.2-7
%if 0%{?rhel} && 0%{?rhel} == 8
Requires: platform-python-setuptools
%else
Requires: python3-setuptools
%endif
%description -n python3-ipalib
IPA is an integrated solution to provide centrally managed Identity (users,
@ -803,18 +849,28 @@ BuildArch: noarch
Requires: python3-ipaclient = %{version}-%{release}
Requires: python3-ipaserver = %{version}-%{release}
Requires: iptables
Requires: ldns-utils
Requires: python3-coverage
Requires: python3-cryptography >= 1.6
Requires: python3-pexpect
%if 0%{?fedora}
# These packages do not exist on RHEL and for ipatests use
# they are installed on the controller through other means
Requires: ldns-utils
# update-crypto-policies
Requires: crypto-policies-scripts
Requires: python3-polib
Requires: python3-pytest >= 3.9.1
Requires: python3-pytest-multihost >= 0.5
Requires: python3-pytest-sourceorder
Requires: sshpass
%endif
Requires: python3-sssdconfig >= %{sssd_version}
Requires: tar
Requires: xz
Requires: openssh-clients
Requires: sshpass
%if 0%{?rhel}
AutoReqProv: no
%endif
%description -n python3-ipatests
IPA is an integrated solution to provide centrally managed Identity (users,
@ -824,9 +880,10 @@ features for further integration with Linux based clients (SUDO, automount)
and integration with Active Directory based infrastructures (Trusts).
This package contains tests that verify IPA functionality under Python 3.
# with_ipatests
# with ipatests
%endif
%if %{with selinux}
# SELinux subpackage
%package selinux
@ -838,7 +895,7 @@ Requires(post): selinux-policy-%{selinuxtype}
%description selinux
Custom SELinux policy module for FreeIPA
# with_selinux
# with selinux
%endif
@ -925,6 +982,18 @@ ln -frs %{buildroot}%{_bindir}/ipa-test-task-%{python3_version} %{buildroot}%{_b
# remove files which are useful only for make uninstall
find %{buildroot} -wholename '*/site-packages/*/install_files.txt' -exec rm {} \;
%if 0%{?rhel}
# RHEL spec file only: START
# Moved branding logos and background to redhat-logos-ipa-80.4:
# header-logo.png, login-screen-background.jpg, login-screen-logo.png,
# product-name.png
rm -f %{buildroot}%{_usr}/share/ipa/ui/images/header-logo.png
rm -f %{buildroot}%{_usr}/share/ipa/ui/images/login-screen-background.jpg
rm -f %{buildroot}%{_usr}/share/ipa/ui/images/login-screen-logo.png
rm -f %{buildroot}%{_usr}/share/ipa/ui/images/product-name.png
%endif
# RHEL spec file only: END
%find_lang %{gettext_domain}
%if ! %{ONLY_CLIENT}
@ -1006,6 +1075,11 @@ if [ $? -eq 0 ]; then
if [ $? -eq 0 ]; then
/bin/systemctl restart ipa.service >/dev/null
fi
/bin/systemctl is-enabled ipa-ccache-sweep.timer >/dev/null 2>&1
if [ $? -eq 1 ]; then
/bin/systemctl enable ipa-ccache-sweep.timer>/dev/null
fi
fi
# END
@ -1188,6 +1262,7 @@ if [ -f '/etc/ssh/sshd_config' -a $restore -ge 2 ]; then
fi
fi
%triggerin client -- openssh-server >= 8.2
# Has the client been configured?
restore=0
@ -1252,6 +1327,7 @@ fi
%{_libexecdir}/certmonger/dogtag-ipa-ca-renew-agent-submit
%{_libexecdir}/certmonger/ipa-server-guard
%dir %{_libexecdir}/ipa
%{_libexecdir}/ipa/ipa-ccache-sweeper
%{_libexecdir}/ipa/ipa-custodia
%{_libexecdir}/ipa/ipa-custodia-check
%{_libexecdir}/ipa/ipa-httpd-kdcproxy
@ -1276,6 +1352,8 @@ fi
%attr(644,root,root) %{_unitdir}/ipa.service
%attr(644,root,root) %{_unitdir}/ipa-otpd.socket
%attr(644,root,root) %{_unitdir}/ipa-otpd@.service
%attr(644,root,root) %{_unitdir}/ipa-ccache-sweep.service
%attr(644,root,root) %{_unitdir}/ipa-ccache-sweep.timer
# END
%attr(755,root,root) %{plugin_dir}/libipa_pwd_extop.so
%attr(755,root,root) %{plugin_dir}/libipa_enrollment_extop.so
@ -1318,6 +1396,7 @@ fi
%{_mandir}/man1/ipa-cert-fix.1*
%{_mandir}/man1/ipa-acme-manage.1*
%files -n python3-ipaserver
%doc README.md Contributors.txt
%license COPYING
@ -1373,8 +1452,15 @@ fi
%{_usr}/share/ipa/ui/js/freeipa/core.js
%dir %{_usr}/share/ipa/ui/js/plugins
%dir %{_usr}/share/ipa/ui/images
%if 0%{?rhel}
%{_usr}/share/ipa/ui/images/facet-*.png
# Moved branding logos and background to redhat-logos-ipa-80.4:
# header-logo.png, login-screen-background.jpg, login-screen-logo.png,
# product-name.png
%else
%{_usr}/share/ipa/ui/images/*.jpg
%{_usr}/share/ipa/ui/images/*.png
%endif
%dir %{_usr}/share/ipa/wsgi
%{_usr}/share/ipa/wsgi/plugins.py*
%dir %{_sysconfdir}/ipa
@ -1472,6 +1558,7 @@ fi
%{_sbindir}/ipa-client-samba
%{_mandir}/man1/ipa-client-samba.1*
%files client-epn
%doc README.md Contributors.txt
%dir %{_sysconfdir}/ipa/epn
@ -1502,13 +1589,6 @@ fi
%dir %{python3_sitelib}/ipaclient/remote_plugins/2_*
%{python3_sitelib}/ipaclient/remote_plugins/2_*/*.py
%{python3_sitelib}/ipaclient/remote_plugins/2_*/__pycache__/*.py*
%dir %{python3_sitelib}/ipaclient/csrgen
%dir %{python3_sitelib}/ipaclient/csrgen/profiles
%{python3_sitelib}/ipaclient/csrgen/profiles/*.json
%dir %{python3_sitelib}/ipaclient/csrgen/rules
%{python3_sitelib}/ipaclient/csrgen/rules/*.json
%dir %{python3_sitelib}/ipaclient/csrgen/templates
%{python3_sitelib}/ipaclient/csrgen/templates/*.tmpl
%{python3_sitelib}/ipaclient-*.egg-info
@ -1562,6 +1642,7 @@ fi
%if %{with ipatests}
%files -n python3-ipatests
%doc README.md Contributors.txt
%license COPYING
@ -1580,17 +1661,60 @@ fi
%{_mandir}/man1/ipa-test-config.1*
%{_mandir}/man1/ipa-test-task.1*
# with_ipatests
# with ipatests
%endif
%if %{with selinux}
%files selinux
%{_datadir}/selinux/packages/%{selinuxtype}/%{modulename}.pp.*
%ghost %{_sharedstatedir}/selinux/%{selinuxtype}/active/modules/200/%{modulename}
# with_selinux
# with selinux
%endif
%changelog
* Fri Feb 26 2021 Alexander Bokovoy <abokovoy@redhat.com> - 4.9.2-4
- Rebuild against 389-ds and PKI to fix https://github.com/389ds/389-ds-base/issues/4609
* Tue Feb 23 2021 Alexander Bokovoy <abokovoy@redhat.com> - 4.9.2-3
- Only use python-platform on RHEL 8
* Mon Feb 15 2021 Alexander Bokovoy <abokovoy@redhat.com> - 4.9.2-2
- Fix ipatests dependency to python3-pexpect
* Mon Feb 15 2021 Alexander Bokovoy <abokovoy@redhat.com> - 4.9.2-1
- Upstream release FreeIPA 4.9.2
* Wed Jan 27 2021 Alexander Bokovoy <abokovoy@redhat.com> - 4.9.1-1
- Upstream release FreeIPA 4.9.1
* Tue Jan 26 2021 Fedora Release Engineering <releng@fedoraproject.org> - 4.9.0-2.1
- Rebuilt for https://fedoraproject.org/wiki/Fedora_34_Mass_Rebuild
* Wed Jan 20 2021 Rob Crittenden <rcritten@redhat.com> - 4.9.0-2
- Set client keytab location for 389ds (RHBZ#1918075)
* Wed Dec 23 17:05:00 EET 2020 Alexander Bokovoy <abokovoy@redhat.com> - 4.9.0-1
- FreeIPA 4.9.0 final release
* Wed Dec 16 07:52:00 EET 2020 Alexander Bokovoy <abokovoy@redhat.com> - 4.9.0-0.6.rc3
- Refactor DNSSEC paths creation code (upstream PR#5340)
* Thu Dec 10 20:06:03 EET 2020 Alexander Bokovoy <abokovoy@redhat.com> - 4.9.0-0.5.rc3
- FreeIPA 4.9.0 release candidate 3
- Enforce C.UTF-8 locale in systemd service units
- Fold up fixes from Rawhide and RHEL 8.4 testing
* Wed Dec 9 20:06:03 EET 2020 Alexander Bokovoy <abokovoy@redhat.com> - 4.9.0-0.4.rc2
- Fix upgrade script for CA rule rewrites
- Fix permissions for /run/ipa/ccaches
* Fri Dec 4 22:17:00 EET 2020 Alexander Bokovoy <abokovoy@redhat.com> - 4.9.0-0.3.rc2
- Correct SELinux policy requirements
* Fri Dec 4 13:41:28 EET 2020 Alexander Bokovoy <abokovoy@redhat.com> - 4.9.0-0.2.rc2
- FreeIPA 4.9.0 release candidate 2
* Thu Nov 19 2020 Alexander Bokovoy <abokovoy@redhat.com> - 4.9.0-0.1.rc1
- Use correct bind PKCS11 engine dependencies
- Fix SELinux build requirement

View File

@ -1,2 +1,2 @@
SHA512 (freeipa-4.9.0rc1.tar.gz) = 384ac0163f3977311ef523a6ed71ac8ceb33347d44f89763583e97e8e50eed2f9ec94e32f23dc8d9514c8e7e26d03ae859d045e9a1dd17b3f0cdd0fced82d464
SHA512 (freeipa-4.9.0rc1.tar.gz.asc) = 2be55c28456c07104bb45984d2c6d804730e90172e9288b21ae45dc5542fceddbb621b96c3e3e5e2b613ebfa55c792727adfb43b349d2069d150f42067c91bf2
SHA512 (freeipa-4.9.2.tar.gz) = 2e04821c701032ff2f5fc4f318a8473b2f2affa6a017fc0ed766408f344f3dc1fc4faed4b6dbaca8fb460cc6751633aac4034fb4cf18de447027e638f351211d
SHA512 (freeipa-4.9.2.tar.gz.asc) = 3527ca2546796611b9a390b0aa4fb91b1a2902a1c40aec6d449d7253e7847fbe955c6ea67c61ca0f7e95731d98ae97fd4d759778c92ad96e8477c4e863c2d6ba