commit 7c8968e6e6cad844926acc5c0ce218739af36f9c Author: CentOS Sources Date: Thu Aug 1 18:08:17 2019 -0400 import ipa-4.7.90.pre1-3.module+el8.1.0+3389+a3c612fa
diff --git a/.gitignore b/.gitignore
new file mode 100644
index 0000000..2d87067
--- /dev/null
+++ b/.gitignore
@@ -0,0 +1 @@
+SOURCES/freeipa-4.7.90.pre1.tar.gz
diff --git a/.ipa.metadata b/.ipa.metadata
new file mode 100644
index 0000000..ff45819
--- /dev/null
+++ b/.ipa.metadata
@@ -0,0 +1 @@
+a61a3e7f174a021934368252c4773da6238de820 SOURCES/freeipa-4.7.90.pre1.tar.gz
diff --git a/SOURCES/0001-Correct-default-fontawesome-path-broken-by-da2cf1c5.patch b/SOURCES/0001-Correct-default-fontawesome-path-broken-by-da2cf1c5.patch
new file mode 100644
index 0000000..5d479d6
--- /dev/null
+++ b/SOURCES/0001-Correct-default-fontawesome-path-broken-by-da2cf1c5.patch
@@ -0,0 +1,30 @@
+From 486ba017ceab1fb240f2fc48fea6169bc8c97319 Mon Sep 17 00:00:00 2001
+From: Adam Williamson
+Date: Wed, 1 May 2019 16:19:53 -0700
+Subject: [PATCH] Correct default fontawesome path (broken by da2cf1c5)
+
+On Fedora/RHEL, it does not have a dash in it. The changes in
+da2cf1c5 inadvertently added a dash to the path in the 'base'
+paths definition (used on Fedora/RHEL), so the font wasn't found.
+
+Signed-off-by: Adam Williamson
+---
+ ipaplatform/base/paths.py | 2 +-
+ 1 file changed, 1 insertion(+), 1 deletion(-)
+
+diff --git a/ipaplatform/base/paths.py b/ipaplatform/base/paths.py
+index 1cd2591bc..e1d396690 100644
+--- a/ipaplatform/base/paths.py
++++ b/ipaplatform/base/paths.py
+@@ -249,7 +249,7 @@ class BasePathNamespace:
+ USERADD = "/usr/sbin/useradd"
+ FONTS_DIR = "/usr/share/fonts"
+ FONTS_OPENSANS_DIR = "/usr/share/fonts/open-sans"
+- FONTS_FONTAWESOME_DIR = "/usr/share/fonts/font-awesome"
++ FONTS_FONTAWESOME_DIR = "/usr/share/fonts/fontawesome"
+ USR_SHARE_IPA_DIR = "/usr/share/ipa/"
+ USR_SHARE_IPA_CLIENT_DIR = "/usr/share/ipa/client"
+ CA_TOPOLOGY_ULDIF = "/usr/share/ipa/ca-topology.uldif"
+--
+2.21.0
+
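Review bot: The tarball in `.ipa.metadata` is pinned only by a 40-hex (SHA-1) digest, which is the lookaside-cache convention this file has to follow, so there is nothing to change in the file itself; but SHA-1 is no longer collision-resistant and the digest alone does not tie `freeipa-4.7.90.pre1.tar.gz` to an upstream-signed release. The import should record, in the commit message or a spec comment, where the tarball came from and whether upstream's detached signature (if one is published for this pre-release) was verified before it was uploaded, e.g. `# freeipa-4.7.90.pre1.tar.gz: fetched from upstream release page, signature verified against the FreeIPA release key`. The `.pre1` in the name marks a pre-release, so that provenance note is more valuable than usual.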
diff --git a/SOURCES/0001-No-need-to-call-rhel-specific-domainname-service.patch b/SOURCES/0001-No-need-to-call-rhel-specific-domainname-service.patch
new file mode 100644
index 0000000..bcc4ceb
--- /dev/null
+++ b/SOURCES/0001-No-need-to-call-rhel-specific-domainname-service.patch
@@ -0,0 +1,32 @@
+From b3378c32603e83ea3d4651cee3af99e644a30457 Mon Sep 17 00:00:00 2001
+From: Rob Crittenden
+Date: Fri, 20 Jul 2018 11:06:55 -0400
+Subject: [PATCH] No need to call rhel-specific domainname service
+
+It was moved upstream into hostname package which named it
+nis-domainname. When it was in the initscripts package there were
+separate fedora-domainname and rhel-domainname services.
+
+From F29+ it will be nis-domainname. We can use that as well in
+RHEL 8.
+---
+ ipaplatform/rhel/services.py | 3 ---
+ 1 file changed, 3 deletions(-)
+
+diff --git a/ipaplatform/rhel/services.py b/ipaplatform/rhel/services.py
+index 1403d08..06fa633 100644
+--- a/ipaplatform/rhel/services.py
++++ b/ipaplatform/rhel/services.py
+@@ -30,9 +30,6 @@ from ipaplatform.redhat import services as redhat_services
+ # to their actual systemd service names
+ rhel_system_units = redhat_services.redhat_system_units
+
+-# Service that sets domainname on RHEL is called rhel-domainname.service
+-rhel_system_units['domainname'] = 'rhel-domainname.service'
+-
+
+ # Service classes that implement RHEL-specific behaviour
+
+--
+2.13.6
+
diff --git a/SOURCES/0001-revert-minssf-defaults.patch b/SOURCES/0001-revert-minssf-defaults.patch
new file mode 100644
index 0000000..777c13e
--- /dev/null
+++ b/SOURCES/0001-revert-minssf-defaults.patch
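Review bot: After this deletion the `'domainname'` entry of `rhel_system_units` is whatever `redhat_services.redhat_system_units` already carries, and that mapping is outside the hunk; the message says the unit is `nis-domainname.service` now, but nothing in the hunk shows the base mapping has such an entry, so a lookup of `'domainname'` would raise KeyError if it does not. Confirm the base mapping and leave a breadcrumb where the override used to be, e.g. `# 'domainname' is inherited from redhat_system_units (nis-domainname.service on F29+/RHEL 8)`. The module continues outside the hunk.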
@@ -0,0 +1,136 @@
+From 8177734d3b6c141c251c74ee29d223a7d414ab13 Mon Sep 17 00:00:00 2001
+From: Alexander Bokovoy
+Date: Wed, 1 May 2019 21:25:31 +0300
+Subject: [PATCH] Revert "Require a minimum SASL security factor of 56"
+
+This reverts commit 350954589774499d99bf87cb5631c664bb0707c4.
+---
+ install/share/Makefile.am | 1 -
+ install/share/min-ssf.ldif | 14 --------------
+ ipalib/constants.py | 3 ---
+ ipapython/ipaldap.py | 17 ++---------------
+ ipaserver/install/dsinstance.py | 5 -----
+ 5 files changed, 2 insertions(+), 38 deletions(-)
+ delete mode 100644 install/share/min-ssf.ldif
+
+diff --git a/install/share/Makefile.am b/install/share/Makefile.am
+index be83bdf75..8d039d95c 100644
+--- a/install/share/Makefile.am
++++ b/install/share/Makefile.am
+@@ -94,7 +94,6 @@ dist_app_DATA = \
+ ipa-kdc-proxy.conf.template \
+ ipa-pki-proxy.conf.template \
+ ipa-rewrite.conf.template \
+- min-ssf.ldif \
+ ipaca_default.ini \
+ ipaca_customize.ini \
+ ipaca_softhsm2.ini \
+diff --git a/install/share/min-ssf.ldif b/install/share/min-ssf.ldif
+deleted file mode 100644
+index 1c2566f84..000000000
+--- a/install/share/min-ssf.ldif
++++ /dev/null
+@@ -1,14 +0,0 @@
+-# config
+-# pretend SSF for LDAPI connections
+-# nsslapd-localssf must be equal to or greater than nsslapd-minssf
+-dn: cn=config
+-changetype: modify
+-replace: nsslapd-localssf
+-nsslapd-localssf: 256
+-
+-# minimum security strength factor for SASL and TLS
+-# 56 is considered weak, but some old clients announce wrong SSF.
+-dn: cn=config
+-changetype: modify
+-replace: nsslapd-minssf
+-nsslapd-minssf: 56
+diff --git a/ipalib/constants.py b/ipalib/constants.py
+index bcf6f3373..c22dd26ae 100644
+--- a/ipalib/constants.py
++++ b/ipalib/constants.py
+@@ -311,9 +311,6 @@ TLS_VERSIONS = [
+ ]
+ TLS_VERSION_MINIMAL = "tls1.0"
+
+-# minimum SASL secure strength factor for LDAP connections
+-# 56 provides backwards compatibility with old libraries.
+-LDAP_SSF_MIN_THRESHOLD = 56
+
+ # Use cache path
+ USER_CACHE_PATH = (
+diff --git a/ipapython/ipaldap.py b/ipapython/ipaldap.py
+index d9d67be1d..9ff443fe4 100644
+--- a/ipapython/ipaldap.py
++++ b/ipapython/ipaldap.py
+@@ -43,9 +43,7 @@ import six
+
+ # pylint: disable=ipa-forbidden-import
+ from ipalib import errors, x509, _
+-from ipalib.constants import (
+- LDAP_GENERALIZED_TIME_FORMAT, LDAP_SSF_MIN_THRESHOLD
+-)
++from ipalib.constants import LDAP_GENERALIZED_TIME_FORMAT
+ # pylint: enable=ipa-forbidden-import
+ from ipaplatform.paths import paths
+ from ipapython.ipautil import format_netloc, CIDict
+@@ -105,8 +103,7 @@ def realm_to_ldapi_uri(realm_name):
+ return 'ldapi://' + ldapurl.ldapUrlEscape(socketname)
+
+
+-def ldap_initialize(uri, cacertfile=None,
+- ssf_min_threshold=LDAP_SSF_MIN_THRESHOLD):
++def ldap_initialize(uri, cacertfile=None):
+ """Wrapper around ldap.initialize()
+
+ The function undoes global and local ldap.conf settings that may cause
+@@ -117,10 +114,6 @@ def ldap_initialize(uri, cacertfile=None,
+ locations, also known as system-wide trust store.
+ * Cert validation is enforced.
+ * SSLv2 and SSLv3 are disabled.
+- * Require a minimum SASL security factor of 56. That level ensures
+- data integrity and confidentiality. Although at least AES128 is
+- enforced pretty much everywhere, 56 is required for backwards
+- compatibility with systems that announce wrong SSF.
+ """
+ conn = ldap.initialize(uri)
+
+@@ -128,12 +121,6 @@ def ldap_initialize(uri, cacertfile=None,
+ conn.set_option(ldap.OPT_X_SASL_NOCANON, ldap.OPT_ON)
+
+ if not uri.startswith('ldapi://'):
+- # require a minimum SSF for TCP connections, but don't lower SSF_MIN
+- if the current value is already larger.
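Review bot: Removing `ssf_min_threshold` from `ldap_initialize` (the `+def ldap_initialize(uri, cacertfile=None):` line) drops the only client-side floor on SASL SSF for non-`ldapi://` connections, and because the same patch also deletes the server-side `nsslapd-minssf: 56` (min-ssf.ldif and the dsinstance step), a SASL bind over plain `ldap://` is now only as protected as whatever SSF the mechanism happens to negotiate; the revert message gives no rationale beyond the reverted hash, so the reason (presumably the old-client interoperability the deleted comments describe) should be recorded there. The surviving docstring still enumerates what the wrapper hardens, so it should now state what it no longer does: `* No minimum SASL SSF is enforced; on ldap:// rely on TLS (cacertfile) or the negotiated mechanism.` Any caller that passed `ssf_min_threshold` by keyword will now fail with TypeError, so the tree should be searched for that name before this is merged. The body of `ldap_initialize` continues outside this hunk.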
+- cur_min_ssf = conn.get_option(ldap.OPT_X_SASL_SSF_MIN)
+- if cur_min_ssf < ssf_min_threshold:
+- conn.set_option(ldap.OPT_X_SASL_SSF_MIN, ssf_min_threshold)
+-
+ if cacertfile:
+ if not os.path.isfile(cacertfile):
+ raise IOError(errno.ENOENT, cacertfile)
+diff --git a/ipaserver/install/dsinstance.py b/ipaserver/install/dsinstance.py
+index 8240e3043..9f05db1db 100644
+--- a/ipaserver/install/dsinstance.py
++++ b/ipaserver/install/dsinstance.py
+@@ -324,8 +324,6 @@ class DsInstance(service.Service):
+ else:
+ self.step("importing CA certificates from LDAP",
+ self.__import_ca_certs)
+- # set min SSF after DS is configured for TLS
+- self.step("require minimal SSF", self.__min_ssf)
+ self.step("restarting directory server", self.__restart_instance)
+
+ self.start_creation()
+@@ -1243,9 +1241,6 @@ class DsInstance(service.Service):
+ dm_password=self.dm_password
+ )
+
+- def __min_ssf(self):
+- self._ldap_mod("min-ssf.ldif")
+-
+ def __add_sudo_binduser(self):
+ self._ldap_mod("sudobind.ldif", self.sub_dict)
+
+--
+2.21.0
+
diff --git a/SOURCES/0002-upgrade-adtrust-when-no-trusts.patch b/SOURCES/0002-upgrade-adtrust-when-no-trusts.patch
new file mode 100644
index 0000000..b98c49f
--- /dev/null
+++ b/SOURCES/0002-upgrade-adtrust-when-no-trusts.patch
@@ -0,0 +1,44 @@
+From 528a21996734467be193673e4f987e7e3acc3ad9 Mon Sep 17 00:00:00 2001
+From: Alexander Bokovoy
+Date: Sat, 11 May 2019 11:54:40 +0300
+Subject: [PATCH] upgrade: adtrust - catch empty result when retrieving list of
+ trusts
+
+Upgrade failure when ipa-server-upgrade is being run on a system with no
+trust established but trust configured
+
+Fixes: https://pagure.io/freeipa/issue/7939
+---
+ ipaserver/install/plugins/adtrust.py | 16 +++++++++++-----
+ 1 file changed, 11 insertions(+), 5 deletions(-)
+
+diff --git a/ipaserver/install/plugins/adtrust.py b/ipaserver/install/plugins/adtrust.py
+index 6b4e2caa2..cdc3a8b04 100644
+--- a/ipaserver/install/plugins/adtrust.py
++++ b/ipaserver/install/plugins/adtrust.py
+@@ -609,11 +609,17 @@ class update_tdo_to_new_layout(Updater):
+
+ trusts_dn = self.api.env.container_adtrusts + self.api.env.basedn
+
+- trusts = ldap.get_entries(
+- base_dn=trusts_dn,
+- scope=ldap.SCOPE_ONELEVEL,
+- filter=self.trust_filter,
+- attrs_list=self.trust_attrs)
++ # We might be in a situation when no trusts exist yet
++ # In such case there is nothing to upgrade but we have to catch
++ # an exception or it will abort the whole upgrade process
++ try:
++ trusts = ldap.get_entries(
++ base_dn=trusts_dn,
++ scope=ldap.SCOPE_ONELEVEL,
++ filter=self.trust_filter,
++ attrs_list=self.trust_attrs)
++ except errors.EmptyResult:
++ trusts = []
+
+ # For every trust, retrieve its principals and convert
+ for t_entry in trusts:
+--
+2.21.0
+
diff --git a/SOURCES/1001-Change-branding-to-IPA-and-Identity-Management.patch b/SOURCES/1001-Change-branding-to-IPA-and-Identity-Management.patch
new file mode 100644
index 0000000..dd6dc07
--- /dev/null
+++ b/SOURCES/1001-Change-branding-to-IPA-and-Identity-Management.patch
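Review bot: `except errors.EmptyResult` covers only the no-match case; if `trusts_dn` itself does not exist (trust support configured but the container never created), `ldap.get_entries` would presumably surface a different error such as `errors.NotFound` and still abort the upgrade, so either confirm that state cannot occur or widen the handler to `except (errors.EmptyResult, errors.NotFound):`. `errors` must already be imported in adtrust.py, which the hunk does not show. The three-line comment reads better as one sentence, `# No trusts may exist yet; nothing to upgrade, but the exception must not abort the whole upgrade.` The enclosing method continues outside the hunk.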
@@ -0,0 +1,2748 @@ +From 63b3030e2e2f6411ad29448746b96bb9658467f8 Mon Sep 17 00:00:00 2001 +From: Alexander Bokovoy +Date: Sun, 7 Oct 2018 12:25:39 +0300 +Subject: [PATCH 02/72] client/man/default.conf.5: Change branding to IPA + and Identity Management + +--- + client/man/default.conf.5 | 2 +- + 1 file changed, 1 insertion(+), 1 deletion(-) + +diff --git a/client/man/default.conf.5 b/client/man/default.conf.5 +index f21d9d5b7..d6c1e42d1 100644 +--- a/client/man/default.conf.5 ++++ b/client/man/default.conf.5 +@@ -16,7 +16,7 @@ + .\" + .\" Author: Rob Crittenden + .\" +-.TH "default.conf" "5" "Feb 21 2011" "FreeIPA" "FreeIPA Manual Pages" ++.TH "default.conf" "5" "Feb 21 2011" "IPA" "IPA Manual Pages" + .SH "NAME" + default.conf \- IPA configuration file + .SH "SYNOPSIS" +-- +2.17.1 + + +From 3fe816976ea30d363ae5c6086b8daaaadaa5d7f7 Mon Sep 17 00:00:00 2001 +From: Alexander Bokovoy +Date: Sun, 7 Oct 2018 12:25:39 +0300 +Subject: [PATCH 03/72] client/man/ipa-certupdate.1: Change branding to IPA + and Identity Management + +--- + client/man/ipa-certupdate.1 | 2 +- + 1 file changed, 1 insertion(+), 1 deletion(-) + +diff --git a/client/man/ipa-certupdate.1 b/client/man/ipa-certupdate.1 +index d95790a36..431b395a9 100644 +--- a/client/man/ipa-certupdate.1 ++++ b/client/man/ipa-certupdate.1 +@@ -16,7 +16,7 @@ + .\" + .\" Author: Jan Cholasta + .\" +-.TH "ipa-certupdate" "1" "Jul 2 2014" "FreeIPA" "FreeIPA Manual Pages" ++.TH "ipa-certupdate" "1" "Jul 2 2014" "IPA" "IPA Manual Pages" + .SH "NAME" + ipa\-certupdate \- Update local IPA certificate databases with certificates from the server + .SH "SYNOPSIS" +-- +2.17.1 + + +From eca4cf0eabb4dee96ca01c02910153147e58ec4d Mon Sep 17 00:00:00 2001 +From: Alexander Bokovoy +Date: Sun, 7 Oct 2018 12:25:39 +0300 +Subject: [PATCH 04/72] client/man/ipa-client-automount.1: Change branding + to IPA and Identity Management + +--- + client/man/ipa-client-automount.1 | 2 +- + 1 file changed, 1 insertion(+), 1 deletion(-) + +diff --git 
a/client/man/ipa-client-automount.1 b/client/man/ipa-client-automount.1 +index 343f64160..3f7c7d506 100644 +--- a/client/man/ipa-client-automount.1 ++++ b/client/man/ipa-client-automount.1 +@@ -16,7 +16,7 @@ + .\" + .\" Author: Rob Crittenden + .\" +-.TH "ipa-client-automount" "1" "May 25 2012" "FreeIPA" "FreeIPA Manual Pages" ++.TH "ipa-client-automount" "1" "May 25 2012" "IPA" "IPA Manual Pages" + .SH "NAME" + ipa\-client\-automount \- Configure automount and NFS for IPA + .SH "SYNOPSIS" +-- +2.17.1 + + +From e4097608a167f41998e863dfed0e3d135c54b6a0 Mon Sep 17 00:00:00 2001 +From: Alexander Bokovoy +Date: Sun, 7 Oct 2018 12:25:39 +0300 +Subject: [PATCH 05/72] client/man/ipa-client-install.1: Change branding to + IPA and Identity Management + +--- + client/man/ipa-client-install.1 | 2 +- + 1 file changed, 1 insertion(+), 1 deletion(-) + +diff --git a/client/man/ipa-client-install.1 b/client/man/ipa-client-install.1 +index a20bec9a1..d7347ed37 100644 +--- a/client/man/ipa-client-install.1 ++++ b/client/man/ipa-client-install.1 +@@ -1,7 +1,7 @@ + .\" A man page for ipa-client-install + .\" Copyright (C) 2008-2016 FreeIPA Contributors see COPYING for license + .\" +-.TH "ipa-client-install" "1" "Dec 19 2016" "FreeIPA" "FreeIPA Manual Pages" ++.TH "ipa-client-install" "1" "Dec 19 2016" "IPA" "IPA Manual Pages" + .SH "NAME" + ipa\-client\-install \- Configure an IPA client + .SH "SYNOPSIS" +-- +2.17.1 + + +From 3bfd21f6778e288b5094262aa481a835b49cc0f4 Mon Sep 17 00:00:00 2001 +From: Alexander Bokovoy +Date: Sun, 7 Oct 2018 12:25:39 +0300 +Subject: [PATCH 06/72] client/man/ipa-getkeytab.1: Change branding to IPA + and Identity Management + +--- + client/man/ipa-getkeytab.1 | 4 ++-- + 1 file changed, 2 insertions(+), 2 deletions(-) + +diff --git a/client/man/ipa-getkeytab.1 b/client/man/ipa-getkeytab.1 +index 20ceee2e6..061798693 100644 +--- a/client/man/ipa-getkeytab.1 ++++ b/client/man/ipa-getkeytab.1 +@@ -17,7 +17,7 @@ + .\" Author: Karl MacMillan + .\" Author: Simo 
Sorce + .\" +-.TH "ipa-getkeytab" "1" "Oct 10 2007" "FreeIPA" "FreeIPA Manual Pages" ++.TH "ipa-getkeytab" "1" "Oct 10 2007" "IPA" "IPA Manual Pages" + .SH "NAME" + ipa\-getkeytab \- Get a keytab for a Kerberos principal + .SH "SYNOPSIS" +@@ -117,7 +117,7 @@ GSSAPI or EXTERNAL. + \fB\-r\fR + Retrieve mode. Retrieve an existing key from the server instead of generating a + new one. This is incompatible with the \-\-password option, and will work only +-against a FreeIPA server more recent than version 3.3. The user requesting the ++against a IPA server more recent than version 3.3. The user requesting the + keytab must have access to the keys for this operation to succeed. + .SH "EXAMPLES" + Add and retrieve a keytab for the NFS service principal on +-- +2.17.1 + + +From 812ccffd549367cac3e4d2896b231b7b278e0b92 Mon Sep 17 00:00:00 2001 +From: Alexander Bokovoy +Date: Sun, 7 Oct 2018 12:25:39 +0300 +Subject: [PATCH 07/72] client/man/ipa-join.1: Change branding to IPA and + Identity Management + +--- + client/man/ipa-join.1 | 2 +- + 1 file changed, 1 insertion(+), 1 deletion(-) + +diff --git a/client/man/ipa-join.1 b/client/man/ipa-join.1 +index d88160784..30b667558 100644 +--- a/client/man/ipa-join.1 ++++ b/client/man/ipa-join.1 +@@ -16,7 +16,7 @@ + .\" + .\" Author: Rob Crittenden + .\" +-.TH "ipa-join" "1" "Oct 8 2009" "FreeIPA" "FreeIPA Manual Pages" ++.TH "ipa-join" "1" "Oct 8 2009" "IPA" "IPA Manual Pages" + .SH "NAME" + ipa\-join \- Join a machine to an IPA realm and get a keytab for the host service principal + .SH "SYNOPSIS" +-- +2.17.1 + + +From 3cac7f131059c01306b1db34fc30345add3fcf11 Mon Sep 17 00:00:00 2001 +From: Alexander Bokovoy +Date: Sun, 7 Oct 2018 12:25:39 +0300 +Subject: [PATCH 08/72] client/man/ipa-rmkeytab.1: Change branding to IPA + and Identity Management + +--- + client/man/ipa-rmkeytab.1 | 2 +- + 1 file changed, 1 insertion(+), 1 deletion(-) + +diff --git a/client/man/ipa-rmkeytab.1 b/client/man/ipa-rmkeytab.1 +index 53f775439..2c8218c94 
100644 +--- a/client/man/ipa-rmkeytab.1 ++++ b/client/man/ipa-rmkeytab.1 +@@ -17,7 +17,7 @@ + .\" Author: Rob Crittenden + .\" + .\" +-.TH "ipa-rmkeytab" "1" "Oct 30 2009" "FreeIPA" "FreeIPA Manual Pages" ++.TH "ipa-rmkeytab" "1" "Oct 30 2009" "IPA" "IPA Manual Pages" + .SH "NAME" + ipa\-rmkeytab \- Remove a kerberos principal from a keytab + .SH "SYNOPSIS" +-- +2.17.1 + + +From 0373bb1499f50bf4c04becabf2e773dd5977060e Mon Sep 17 00:00:00 2001 +From: Alexander Bokovoy +Date: Sun, 7 Oct 2018 12:25:39 +0300 +Subject: [PATCH 09/72] client/man/ipa.1: Change branding to IPA and + Identity Management + +--- + client/man/ipa.1 | 2 +- + 1 file changed, 1 insertion(+), 1 deletion(-) + +diff --git a/client/man/ipa.1 b/client/man/ipa.1 +index f9fae7c0d..2fb21b52d 100644 +--- a/client/man/ipa.1 ++++ b/client/man/ipa.1 +@@ -16,7 +16,7 @@ + .\" + .\" Author: Pavel Zuna + .\" +-.TH "ipa" "1" "Apr 29 2016" "FreeIPA" "FreeIPA Manual Pages" ++.TH "ipa" "1" "Apr 29 2016" "IPA" "IPA Manual Pages" + .SH "NAME" + ipa \- IPA command\-line interface + .SH "SYNOPSIS" +-- +2.17.1 + + +From 36b7dce706ec2b0b650c51cea24be0655fd0c096 Mon Sep 17 00:00:00 2001 +From: Alexander Bokovoy +Date: Sun, 7 Oct 2018 12:25:39 +0300 +Subject: [PATCH 10/72] install/html/ssbrowser.html: Change branding to IPA + and Identity Management + +--- + install/html/ssbrowser.html | 4 ++-- + 1 file changed, 2 insertions(+), 2 deletions(-) + +diff --git a/install/html/ssbrowser.html b/install/html/ssbrowser.html +index faa7e657b..89ada7cb1 100644 +--- a/install/html/ssbrowser.html ++++ b/install/html/ssbrowser.html +@@ -2,7 +2,7 @@ + + + +- IPA: Identity Policy Audit ++ Identity Management + + +