Update to upstream 3.3.5

.gitignore

@@ -28,3 +28,4 @@
 /freeipa-3.3.1.tar.gz
 /freeipa-3.3.3.tar.gz
 /freeipa-3.3.4.tar.gz
+/freeipa-3.3.5.tar.gz

0001-platform-Add-Fedora-19-platform-file.patch

@@ -5,79 +5,11 @@ Subject: [PATCH 1/9] platform: Add Fedora 19 platform file
 
 Part of: https://fedorahosted.org/freeipa/ticket/3504
 ---
- freeipa.spec.in                         | 15 ++++++++-
  ipapython/platform/fedora19/__init__.py | 55 +++++++++++++++++++++++++++++++++
  ipapython/setup.py.in                   |  1 +
  3 files changed, 70 insertions(+), 1 deletion(-)
  create mode 100644 ipapython/platform/fedora19/__init__.py
 
-diff --git a/freeipa.spec.in b/freeipa.spec.in
-index 138390ed729ac561504e41b44bb0e2c9041e7b94..8fd0a368ed02cfad120db6283e3899027d467bfc 100644
---- a/freeipa.spec.in
-+++ b/freeipa.spec.in
-@@ -326,6 +326,9 @@ export JAVA_STACK_SIZE="8m"
- %endif
- export CFLAGS="$CFLAGS %{optflags}"
- export CPPFLAGS="$CPPFLAGS %{optflags}"
-+%if 0%{?fedora} >= 19
-+export SUPPORTED_PLATFORM=fedora19
-+%else
- %if 0%{?fedora} >= 18
- # use fedora18 platform which is based on fedora16 platform with systemd
- # support + fedora18 changes
-@@ -333,6 +336,7 @@ export SUPPORTED_PLATFORM=fedora18
- %else
- export SUPPORTED_PLATFORM=fedora16
- %endif
-+%endif
- # Force re-generate of platform support
- rm -f ipapython/services.py
- make version-update
-@@ -350,6 +354,9 @@ make IPA_VERSION_IS_GIT_SNAPSHOT=no %{?_smp_mflags} client
- 
- %install
- rm -rf %{buildroot}
-+%if 0%{?fedora} >= 19
-+export SUPPORTED_PLATFORM=fedora19
-+%else
- %if 0%{?fedora} >= 18
- # use fedora18 platform which is based on fedora16 platform with systemd
- # support + fedora18 changes
-@@ -357,6 +364,7 @@ export SUPPORTED_PLATFORM=fedora18
- %else
- export SUPPORTED_PLATFORM=fedora16
- %endif
-+%endif
- # Force re-generate of platform support
- rm -f ipapython/services.py
- %if ! %{ONLY_CLIENT}
-@@ -810,12 +818,14 @@ fi
- %dir %{python_sitelib}/ipapython/platform/base
- %dir %{python_sitelib}/ipapython/platform/fedora16
- %dir %{python_sitelib}/ipapython/platform/fedora18
-+%dir %{python_sitelib}/ipapython/platform/fedora19
- %dir %{python_sitelib}/ipapython/platform/redhat
- %{python_sitelib}/ipapython/*.py*
- %{python_sitelib}/ipapython/platform/*.py*
- %{python_sitelib}/ipapython/platform/base/*.py*
- %{python_sitelib}/ipapython/platform/fedora16/*.py*
- %{python_sitelib}/ipapython/platform/fedora18/*.py*
-+%{python_sitelib}/ipapython/platform/fedora19/*.py*
- %{python_sitelib}/ipapython/platform/redhat/*.py*
- %dir %{python_sitelib}/ipalib
- %{python_sitelib}/ipalib/*
-@@ -851,7 +861,10 @@ fi
- %endif # ONLY_CLIENT
- 
- %changelog
--* Fri Oct 25 2013 Martin Kosek <mkosek@redhat.com> - 3.3.2-1
-+* Tue Nov 12 2013 Tomas Babej<tbabej@redhat.com> - 3.3.90-5
-+- Add Fedora 19 platform files
-+
-+* Fri Oct 25 2013 Martin Kosek <mkosek@redhat.com> - 3.3.90-4
- - Remove mod_ssl conflict, it can now live with mod_nss installed
- 
- * Wed Sep 4 2013 Ana Krivokapic <akrivoka@redhat.com> - 3.3.0-3
 diff --git a/ipapython/platform/fedora19/__init__.py b/ipapython/platform/fedora19/__init__.py
 new file mode 100644
 index 0000000000000000000000000000000000000000..80356d65f4d07483000d57e16b193a857d0988ca

0009-Remove-mod_ssl-port-workaround.patch

@@ -5,43 +5,10 @@ Subject: [PATCH 9/9] Remove mod_ssl port workaround.
 
 https://fedorahosted.org/freeipa/ticket/4021
 ---
- freeipa.spec.in                   |  8 ++++++--
  install/tools/ipa-upgradeconfig   |  2 +-
  ipaserver/install/httpinstance.py | 17 ++++++++---------
  3 files changed, 15 insertions(+), 12 deletions(-)
 
-diff --git a/freeipa.spec.in b/freeipa.spec.in
-index eb9afbb4bfa1a11caf1282d5b76c2e138735386c..1f2ca11cb04d3e2f3a02d7a77cad1763c85e63cb 100644
---- a/freeipa.spec.in
-+++ b/freeipa.spec.in
-@@ -118,14 +118,14 @@ Requires: krb5-server >= 1.10
- Requires: krb5-pkinit-openssl
- Requires: cyrus-sasl-gssapi%{?_isa}
- Requires: ntp
--Requires: httpd
-+Requires: httpd >= 2.4.6-6
- Requires: mod_wsgi
- %if 0%{?fedora} >= 18
- Requires: mod_auth_kerb >= 5.4-16
- %else
- Requires: mod_auth_kerb >= 5.4-8
- %endif
--Requires: mod_nss >= 1.0.8-24
-+Requires: mod_nss >= 1.0.8-26
- Requires: python-ldap
- Requires: python-krbV
- Requires: acl
-@@ -861,6 +861,10 @@ fi
- %endif # ONLY_CLIENT
- 
- %changelog
-+* Tue Nov 26 2013 Jan Cholasta <jcholast@redhat.com> - 3.3.90-6
-+- Set minimum version of httpd to 2.4.6-6
-+- Set minimum version of mod_nss to 1.0.8-26
-+
- * Tue Nov 12 2013 Tomas Babej<tbabej@redhat.com> - 3.3.90-5
- - Add Fedora 19 platform files
- 
 diff --git a/install/tools/ipa-upgradeconfig b/install/tools/ipa-upgradeconfig
 index cf9fe0e040e56bb75ca8d53e28586911caeffb2b..a31f7d092981c33694268f420892a781e9b02b3f 100644
 --- a/install/tools/ipa-upgradeconfig

0010-Fallback-to-global-policy-in-ipa-lockout-plugin.patch

@@ -1,108 +0,0 @@
-From 11ebbe3f27fdf18e2578b533eb2560e9f88eeede Mon Sep 17 00:00:00 2001
-From: Martin Kosek <mkosek@redhat.com>
-Date: Thu, 30 Jan 2014 16:58:25 +0100
-Subject: [PATCH 10/11] Fallback to global policy in ipa-lockout plugin
-
-krbPwdPolicyReference is no longer filled default users. Instead, plugins
-fallback to hardcoded global policy reference.
-
-Fix ipa-lockout plugin to fallback to it instead of failing to apply
-the policy.
-
-https://fedorahosted.org/freeipa/ticket/4085
----
- .../ipa-slapi-plugins/ipa-lockout/ipa_lockout.c    | 34 ++++++++++++++++++++++
- 1 file changed, 34 insertions(+)
-
-diff --git a/daemons/ipa-slapi-plugins/ipa-lockout/ipa_lockout.c b/daemons/ipa-slapi-plugins/ipa-lockout/ipa_lockout.c
-index fd6602fdee9b2fd95c154fd512fcba4f37e56bad..5a24359d319aaea28773daa01d268d2d46583270 100644
---- a/daemons/ipa-slapi-plugins/ipa-lockout/ipa_lockout.c
-+++ b/daemons/ipa-slapi-plugins/ipa-lockout/ipa_lockout.c
-@@ -49,6 +49,7 @@
- #include <time.h>
- #include "slapi-plugin.h"
- #include "nspr.h"
-+#include <krb5.h>
- 
- #include "util.h"
- 
-@@ -81,6 +82,8 @@ static int g_plugin_started = 0;
- 
- static struct ipa_context *global_ipactx = NULL;
- 
-+static char *ipa_global_policy = NULL;
-+
- #define GENERALIZED_TIME_LENGTH 15
- 
- /**
-@@ -142,8 +145,11 @@ ipalockout_get_global_config(struct ipa_context *ipactx)
-     Slapi_Attr *attr = NULL;
-     char *dn = NULL;
-     char *basedn = NULL;
-+    char *realm = NULL;
-     Slapi_DN *sdn;
-     Slapi_Entry *config_entry;
-+    krb5_context krbctx = NULL;
-+    krb5_error_code krberr;
-     int ret;
- 
-     /* Get cn=config so we can get the default naming context */
-@@ -167,6 +173,28 @@ ipalockout_get_global_config(struct ipa_context *ipactx)
-         goto done;
-     }
- 
-+    krberr = krb5_init_context(&krbctx);
-+    if (krberr) {
-+        LOG_FATAL("krb5_init_context failed (%d)\n", krberr);
-+        ret = LDAP_OPERATIONS_ERROR;
-+        goto done;
-+    }
-+
-+    krberr = krb5_get_default_realm(krbctx, &realm);
-+    if (krberr) {
-+        LOG_FATAL("Failed to get default realm (%d)\n", krberr);
-+        ret = LDAP_OPERATIONS_ERROR;
-+        goto done;
-+    }
-+
-+    ipa_global_policy = slapi_ch_smprintf("cn=global_policy,cn=%s,cn=kerberos,%s",
-+                                          realm, basedn);
-+    if (!ipa_global_policy) {
-+        LOG_OOM();
-+        ret = LDAP_OPERATIONS_ERROR;
-+        goto done;
-+    }
-+
-     ret = asprintf(&dn, "cn=ipaConfig,cn=etc,%s", basedn);
-     if (ret == -1) {
-         LOG_OOM();
-@@ -221,6 +249,8 @@ ipalockout_get_global_config(struct ipa_context *ipactx)
- done:
-     if (config_entry)
-         slapi_entry_free(config_entry);
-+    free(realm);
-+    krb5_free_context(krbctx);
-     free(dn);
-     free(basedn);
-     return ret;
-@@ -248,6 +278,8 @@ int ipalockout_getpolicy(Slapi_Entry *target_entry, Slapi_Entry **policy_entry,
-             slapi_valueset_first_value(*values, &sv);
-             *policy_dn = slapi_value_get_string(sv);
-         }
-+    } else {
-+        *policy_dn = ipa_global_policy;
-     }
- 
-     if (*policy_dn == NULL) {
-@@ -376,6 +408,8 @@ ipalockout_close(Slapi_PBlock * pb)
- {
-     LOG_TRACE( "--in-->\n");
- 
-+    slapi_ch_free_string(&ipa_global_policy);
-+
-     LOG_TRACE("<--out--\n");
- 
-     return EOK;
--- 
-1.8.5.3
-

0011-ipa-lockout-do-not-fail-when-default-realm-cannot-be.patch

@@ -1,66 +0,0 @@
-From 43070359eb267c3eb3b290f5f601e9509a63389f Mon Sep 17 00:00:00 2001
-From: Martin Kosek <mkosek@redhat.com>
-Date: Tue, 4 Feb 2014 11:02:34 +0100
-Subject: [PATCH 11/11] ipa-lockout: do not fail when default realm cannot be
- read
-
-When ipa-lockout plugin is started during FreeIPA server installation,
-the default realm may not be available and plugin should then not end
-with failure.
-
-Similarly to other plugins, start in degraded mode in this situation.
-Operation is fully restored during the final services restart.
-
-https://fedorahosted.org/freeipa/ticket/4085
----
- .../ipa-slapi-plugins/ipa-lockout/ipa_lockout.c    | 34 +++++++++++-----------
- 1 file changed, 17 insertions(+), 17 deletions(-)
-
-diff --git a/daemons/ipa-slapi-plugins/ipa-lockout/ipa_lockout.c b/daemons/ipa-slapi-plugins/ipa-lockout/ipa_lockout.c
-index 5a24359d319aaea28773daa01d268d2d46583270..265c2701c36fe78486a2bdd4a66366b0b05472a0 100644
---- a/daemons/ipa-slapi-plugins/ipa-lockout/ipa_lockout.c
-+++ b/daemons/ipa-slapi-plugins/ipa-lockout/ipa_lockout.c
-@@ -176,23 +176,23 @@ ipalockout_get_global_config(struct ipa_context *ipactx)
-     krberr = krb5_init_context(&krbctx);
-     if (krberr) {
-         LOG_FATAL("krb5_init_context failed (%d)\n", krberr);
--        ret = LDAP_OPERATIONS_ERROR;
--        goto done;
--    }
--
--    krberr = krb5_get_default_realm(krbctx, &realm);
--    if (krberr) {
--        LOG_FATAL("Failed to get default realm (%d)\n", krberr);
--        ret = LDAP_OPERATIONS_ERROR;
--        goto done;
--    }
--
--    ipa_global_policy = slapi_ch_smprintf("cn=global_policy,cn=%s,cn=kerberos,%s",
--                                          realm, basedn);
--    if (!ipa_global_policy) {
--        LOG_OOM();
--        ret = LDAP_OPERATIONS_ERROR;
--        goto done;
-+        /* Yes, we failed, but it is because /etc/krb5.conf doesn't exist
-+         * or is misconfigured. Start up in a degraded mode.
-+         */
-+    } else {
-+        krberr = krb5_get_default_realm(krbctx, &realm);
-+        if (krberr) {
-+            LOG_FATAL("Failed to get default realm (%d)\n", krberr);
-+        } else {
-+            ipa_global_policy =
-+                slapi_ch_smprintf("cn=global_policy,cn=%s,cn=kerberos,%s",
-+                                  realm, basedn);
-+            if (!ipa_global_policy) {
-+                LOG_OOM();
-+                ret = LDAP_OPERATIONS_ERROR;
-+                goto done;
-+            }
-+        }
-     }
- 
-     ret = asprintf(&dn, "cn=ipaConfig,cn=etc,%s", basedn);
--- 
-1.8.5.3
-

freeipa.spec

@@ -4,15 +4,15 @@
 %global plugin_dir %{_libdir}/dirsrv/plugins
 %global POLICYCOREUTILSVER 2.1.14-37
 %global gettext_domain ipa
-%global VERSION 3.3.4
+%global VERSION 3.3.5
 
 %if (0%{?fedora} > 15 || 0%{?rhel} >= 7)
 %define _hardened_build 1
 %endif
 
 Name:           freeipa
-Version:        3.3.4
-Release:        3%{?dist}
+Version:        3.3.5
+Release:        1%{?dist}
 Summary:        The Identity, Policy and Audit system
 
 Group:          System Environment/Base
@@ -30,12 +30,10 @@ Patch0006:      0006-Enable-Retro-Changelog-and-Content-Synchronization-D.patch
 Patch0007:      0007-Limit-memberOf-and-refInt-DS-plugins-to-main-IPA-suf.patch
 Patch0008:      0008-Remove-working-directory-for-bind-dyndb-ldap-plugin.patch
 Patch0009:      0009-Remove-mod_ssl-port-workaround.patch
-Patch0010:      0010-Fallback-to-global-policy-in-ipa-lockout-plugin.patch
-Patch0011:      0011-ipa-lockout-do-not-fail-when-default-realm-cannot-be.patch
-Patch0012:      0012-Move-ipa-otpd-socket-directory.patch
+Patch0010:      0010-Move-ipa-otpd-socket-directory.patch
 
 %if ! %{ONLY_CLIENT}
-BuildRequires:  389-ds-base-devel >= 1.3.1.3
+BuildRequires:  389-ds-base-devel >= 1.3.2.16
 BuildRequires:  svrcore-devel
 BuildRequires:  policycoreutils >= %{POLICYCOREUTILSVER}
 BuildRequires:  systemd-units
@@ -109,7 +107,7 @@ Group: System Environment/Base
 Requires: %{name}-python = %{version}-%{release}
 Requires: %{name}-client = %{version}-%{release}
 Requires: %{name}-admintools = %{version}-%{release}
-Requires: 389-ds-base >= 1.3.2.10
+Requires: 389-ds-base >= 1.3.2.16
 Requires: openldap-clients > 2.4.35-4
 %if 0%{?fedora} == 18
 Requires: nss >= 3.14.3-2
@@ -149,10 +147,10 @@ Requires: python-memcached
 Requires: systemd-units >= 38
 Requires(pre): systemd-units
 Requires(post): systemd-units
-Requires: selinux-policy >= 3.12.1-65
+Requires: selinux-policy >= 3.12.1-135
 Requires(post): selinux-policy-base
 Requires: slapi-nis >= 0.47.7
-Requires: pki-ca >= 10.0.4
+Requires: pki-ca >= 10.1.1
 Requires: dogtag-pki-server-theme
 %if 0%{?rhel}
 Requires: subscription-manager
@@ -238,7 +236,7 @@ Requires(postun): %{name}-server = %{version}-%{release}
 # Specific requires
 Requires(pre): 389-ds-base = 1.3.1.11
 Requires: krb5-server = 1.11.3
-Requires: pki-ca = 10.0.5
+Requires: pki-ca = 10.1.1
 
 %description server-strict
 IPA is an integrated solution to provide centrally managed Identity (machine,
@@ -385,6 +383,7 @@ export JAVA_STACK_SIZE="8m"
 %endif
 export CFLAGS="$CFLAGS %{optflags}"
 export CPPFLAGS="$CPPFLAGS %{optflags}"
+export LDFLAGS="%{__global_ldflags} $LDFLAGS"
 %if 0%{?fedora} >= 19
 export SUPPORTED_PLATFORM=fedora19
 %else
@@ -928,6 +927,9 @@ fi
 %endif # ONLY_CLIENT
 
 %changelog
+* Fri Mar 28 2014 Martin Kosek <mkosek@redhat.com> - 3.3.5-1
+- Update to upstream 3.3.5
+
 * Tue Feb 11 2014 Martin Kosek <mkosek@redhat.com> - 3.3.4-3
 - Move ipa-otpd socket directory to /var/run/krb5kdc
 - Require krb5-server 1.11.5-3 supporting the new directory

sources

@@ -1 +1 @@
-2ad49c60abada8a328ddd825481d9e9c  freeipa-3.3.4.tar.gz
+d255c8177714735bc3963c619a0737ba  freeipa-3.3.5.tar.gz