Update to upstream 4.1.0

see http://www.freeipa.org/page/Releases/4.1.0

.gitignore

@@ -33,3 +33,4 @@
 /freeipa-4.0.1.tar.gz
 /freeipa-4.0.2.tar.gz
 /freeipa-4.0.3.tar.gz
+/freeipa-4.1.0.tar.gz

freeipa.spec

@@ -1,10 +1,25 @@
-# Define ONLY_CLIENT to only make the ipa-client and ipa-python subpackages
+# Define ONLY_CLIENT to only make the ipa-admintools, ipa-client and ipa-python
+# subpackages
 %{!?ONLY_CLIENT:%global ONLY_CLIENT 0}
 
+%global alt_name ipa
+%if 0%{?rhel}
+%global samba_version 4.0.5-1
+%global selinux_policy_version 3.12.1-153
+%else
+%global samba_version 2:4.0.5-1
+%global selinux_policy_version 3.12.1-179
+%endif
+
 %global plugin_dir %{_libdir}/dirsrv/plugins
-%global POLICYCOREUTILSVER 2.1.14-37
 %global gettext_domain ipa
-%global VERSION 4.0.3
+%if 0%{?rhel}
+%global platform_module rhel
+%else
+%global platform_module fedora
+%endif
+
+%global VERSION 4.1.0
 
 %define _hardened_build 1
 
@@ -20,11 +35,11 @@ Source0:        http://www.freeipa.org/downloads/src/freeipa-%{VERSION}.tar.gz
 BuildRoot:      %{_tmppath}/%{name}-%{version}-%{release}-root-%(%{__id_u} -n)
 
 %if ! %{ONLY_CLIENT}
-BuildRequires:  389-ds-base-devel >= 1.3.3.2
+BuildRequires:  389-ds-base-devel >= 1.3.3.5
 BuildRequires:  svrcore-devel
-BuildRequires:  policycoreutils >= %{POLICYCOREUTILSVER}
+BuildRequires:  policycoreutils >= 2.1.12-5
 BuildRequires:  systemd-units
-BuildRequires:  samba-devel >= 2:4.0.5-1
+BuildRequires:  samba-devel >= %{samba_version}
 BuildRequires:  samba-python
 BuildRequires:  libwbclient-devel
 BuildRequires:  libtalloc-devel
@@ -62,11 +77,11 @@ BuildRequires:  sssd >= 1.9.2
 BuildRequires:  python-lxml
 BuildRequires:  python-pyasn1 >= 0.0.9a
 BuildRequires:  python-qrcode-core >= 5.0.0
-BuildRequires:  python-dns
+BuildRequires:  python-dns >= 1.11.1
 BuildRequires:  m2crypto
 BuildRequires:  check
 BuildRequires:  libsss_idmap-devel
-BuildRequires:  libsss_nss_idmap-devel
+BuildRequires:  libsss_nss_idmap-devel >= 1.12.2
 BuildRequires:  java-headless
 BuildRequires:  rhino
 BuildRequires:  libverto-devel
@@ -76,6 +91,9 @@ BuildRequires:  rhino
 BuildRequires:  python-lesscpy
 BuildRequires:  python-yubico
 BuildRequires:  python-backports-ssl_match_hostname
+BuildRequires:  softhsm-devel >= 2.0.0b1-3
+BuildRequires:  openssl-devel
+BuildRequires:  p11-kit-devel
 
 %description
 IPA is an integrated solution to provide centrally managed Identity (machine,
@@ -90,7 +108,7 @@ Group: System Environment/Base
 Requires: %{name}-python = %{version}-%{release}
 Requires: %{name}-client = %{version}-%{release}
 Requires: %{name}-admintools = %{version}-%{release}
-Requires: 389-ds-base >= 1.3.3.2
+Requires: 389-ds-base >= 1.3.3.5
 Requires: openldap-clients > 2.4.35-4
 Requires: nss >= 3.14.3-12.0
 Requires: nss-tools >= 3.14.3-12.0
@@ -102,7 +120,7 @@ Requires: httpd >= 2.4.6-6
 Requires: mod_wsgi
 Requires: mod_auth_kerb >= 5.4-16
 Requires: mod_nss >= 1.0.8-26
-Requires: python-ldap
+Requires: python-ldap >= 2.4.15
 Requires: python-krbV
 Requires: acl
 Requires: python-pyasn1
@@ -112,24 +130,30 @@ Requires: dbus-python
 Requires: systemd-units >= 38
 Requires(pre): systemd-units
 Requires(post): systemd-units
-Requires: selinux-policy >= 3.12.1-176
+Requires: selinux-policy >= %{selinux_policy_version}
 Requires(post): selinux-policy-base
-Requires: slapi-nis >= 0.47.7
-Requires: pki-ca >= 10.1.1
-Requires: dogtag-pki-server-theme
+Requires: slapi-nis >= 0.54-1
+Requires: pki-ca >= 10.2.0-3
 %if 0%{?rhel}
 Requires: subscription-manager
 %endif
 Requires(preun): python systemd-units
 Requires(postun): python systemd-units
-Requires: python-dns
+Requires: python-dns >= 1.11.1
 Requires: zip
-Requires: policycoreutils >= %{POLICYCOREUTILSVER}
+Requires: policycoreutils >= 2.1.12-5
 Requires: tar
 Requires(pre): certmonger >= 0.75.13
-Requires(pre): 389-ds-base >= 1.3.3.2
+Requires(pre): 389-ds-base >= 1.3.3.5
 Requires: fontawesome-fonts
 Requires: open-sans-fonts
+Requires: openssl
+Requires: softhsm >= 2.0.0b1-3
+Requires: p11-kit
+Requires: systemd-python
+
+Conflicts: %{alt_name}-server
+Obsoletes: %{alt_name}-server < %{version}
 
 # With FreeIPA 3.3, package freeipa-server-selinux was obsoleted as the
 # entire SELinux policy is stored in the system policy
@@ -138,15 +162,15 @@ Obsoletes: freeipa-server-selinux < 3.3.0
 # We have a soft-requires on bind. It is an optional part of
 # IPA but if it is configured we need a way to require versions
 # that work for us.
-Conflicts: bind-dyndb-ldap < 5.0
-Conflicts: bind < 9.8.2-0.4.rc2
+Conflicts: bind-dyndb-ldap < 6.0-4
+Conflicts: bind < 9.9.6-2
+# DNSSEC
+Conflicts: opendnssec < 1.4.6-4
 
 # Versions of nss-pam-ldapd < 0.8.4 require a mapping from uniqueMember to
 # member.
 Conflicts: nss-pam-ldapd < 0.8.4
 
-Obsoletes: ipa-server >= 1.0
-
 %description server
 IPA is an integrated solution to provide centrally managed Identity (machine,
 user, virtual machines, groups, authentication credentials), Policy
@@ -162,7 +186,7 @@ Group: System Environment/Base
 Requires: %{name}-server = %version-%release
 Requires: m2crypto
 Requires: samba-python
-Requires: samba >= 2:4.0.5-1
+Requires: samba >= %{samba_version}
 Requires: samba-winbind
 Requires: libsss_idmap
 Requires: libsss_nss_idmap-python
@@ -175,6 +199,9 @@ Requires(post): python
 Requires(postun): %{_sbindir}/update-alternatives
 Requires(preun): %{_sbindir}/update-alternatives
 
+Conflicts: %{alt_name}-server-trust-ad
+Obsoletes: %{alt_name}-server-trust-ad < %{version}
+
 %description server-trust-ad
 Cross-realm trusts with Active Directory in IPA require working Samba 4
 installation. This package is provided for convenience to install all required
@@ -196,13 +223,13 @@ Requires: pam_krb5
 Requires: wget
 Requires: libcurl >= 7.21.7-2
 Requires: xmlrpc-c >= 1.27.4
-Requires: sssd >= 1.11.1
-Requires: certmonger >= 0.65
+Requires: sssd >= 1.12.2
+Requires: certmonger >= 0.75.6
 Requires: nss-tools
 Requires: bind-utils
 Requires: oddjob-mkhomedir
 Requires: python-krbV
-Requires: python-dns
+Requires: python-dns >= 1.11.1
 Requires: libsss_autofs
 Requires: autofs
 Requires: libnfsidmap
@@ -210,7 +237,8 @@ Requires: nfs-utils
 Requires: python-backports-ssl_match_hostname
 Requires(post): policycoreutils
 
-Obsoletes: ipa-client >= 1.0
+Conflicts: %{alt_name}-client
+Obsoletes: %{alt_name}-client < %{version}
 
 %description client
 IPA is an integrated solution to provide centrally managed Identity (machine,
@@ -220,7 +248,6 @@ logs, analysis thereof). If your network uses IPA for authentication,
 this package should be installed on every client machine.
 
 
-%if ! %{ONLY_CLIENT}
 %package admintools
 Summary: IPA administrative tools
 Group: System Environment/Base
@@ -229,7 +256,8 @@ Requires: %{name}-client = %{version}-%{release}
 Requires: python-krbV
 Requires: python-ldap
 
-Obsoletes: ipa-admintools >= 1.0
+Conflicts: %{alt_name}-admintools
+Obsoletes: %{alt_name}-admintools < %{version}
 
 %description admintools
 IPA is an integrated solution to provide centrally managed Identity (machine,
@@ -237,7 +265,6 @@ user, virtual machines, groups, authentication credentials), Policy
 (configuration settings, access control information) and Audit (events,
 logs, analysis thereof). This package provides command-line tools for
 IPA administrators.
-%endif # ONLY_CLIENT
 
 %package python
 Summary: Python libraries used by IPA
@@ -256,7 +283,8 @@ Requires: python-pyasn1
 Requires: python-dateutil
 Requires: python-yubico
 
-Obsoletes: ipa-python >= 1.0
+Conflicts: %{alt_name}-python
+Obsoletes: %{alt_name}-python < %{version}
 
 %description python
 IPA is an integrated solution to provide centrally managed Identity (machine,
@@ -278,6 +306,9 @@ Requires: python-coverage
 Requires: python-polib
 Requires: python-paramiko >= 1.7.7
 
+Conflicts: %{alt_name}-tests
+Obsoletes: %{alt_name}-tests < %{version}
+
 %description tests
 IPA is an integrated solution to provide centrally managed Identity (machine,
 user, virtual machines, groups, authentication credentials), Policy
@@ -320,6 +351,8 @@ export JAVA_STACK_SIZE="8m"
 %endif
 export CFLAGS="%{optflags} $CFLAGS"
 export LDFLAGS="%{__global_ldflags} $LDFLAGS"
+export SUPPORTED_PLATFORM=%{platform_module}
+
 # Force re-generate of platform support
 export IPA_VENDOR_VERSION_SUFFIX=-%{release}
 rm -f ipapython/version.py
@@ -341,6 +374,7 @@ make IPA_VERSION_IS_GIT_SNAPSHOT=no %{?_smp_mflags} client
 
 %install
 rm -rf %{buildroot}
+export SUPPORTED_PLATFORM=%{platform_module}
 # Force re-generate of platform support
 export IPA_VENDOR_VERSION_SUFFIX=-%{release}
 rm -f ipapython/version.py
@@ -356,6 +390,8 @@ make client-install DESTDIR=%{buildroot}
 %find_lang %{gettext_domain}
 
 
+mkdir -p %{buildroot}%{_usr}/share/ipa
+
 %if ! %{ONLY_CLIENT}
 # Remove .la files from libtool - we don't want to package
 # these files
@@ -372,6 +408,7 @@ rm %{buildroot}/%{plugin_dir}/libipa_sidgen.la
 rm %{buildroot}/%{plugin_dir}/libipa_sidgen_task.la
 rm %{buildroot}/%{plugin_dir}/libipa_extdom_extop.la
 rm %{buildroot}/%{plugin_dir}/libipa_range_check.la
+rm %{buildroot}/%{plugin_dir}/libipa_otp_counter.la
 rm %{buildroot}/%{plugin_dir}/libipa_otp_lasttoken.la
 rm %{buildroot}/%{_libdir}/krb5/plugins/kdb/ipadb.la
 rm %{buildroot}/%{_libdir}/samba/pdb/ipasam.la
@@ -410,13 +447,24 @@ mkdir -p %{buildroot}%{_usr}/share/ipa/html/
 mkdir -p %{buildroot}%{_initrddir}
 mkdir %{buildroot}%{_sysconfdir}/sysconfig/
 install -m 644 init/ipa_memcached.conf %{buildroot}%{_sysconfdir}/sysconfig/ipa_memcached
+install -m 644 init/ipa-dnskeysyncd.conf %{buildroot}%{_sysconfdir}/sysconfig/ipa-dnskeysyncd
+install -m 644 init/ipa-ods-exporter.conf %{buildroot}%{_sysconfdir}/sysconfig/ipa-ods-exporter
+install -m 644 daemons/dnssec/ipa-ods-exporter.socket %{buildroot}%{_unitdir}/ipa-ods-exporter.socket
+install -m 644 daemons/dnssec/ipa-ods-exporter.service %{buildroot}%{_unitdir}/ipa-ods-exporter.service
+install -m 644 daemons/dnssec/ipa-dnskeysyncd.service %{buildroot}%{_unitdir}/ipa-dnskeysyncd.service
+
+# dnssec daemons
+mkdir -p %{buildroot}%{_libexecdir}/ipa/
+install daemons/dnssec/ipa-dnskeysyncd %{buildroot}%{_libexecdir}/ipa/ipa-dnskeysyncd
+install daemons/dnssec/ipa-dnskeysync-replica %{buildroot}%{_libexecdir}/ipa/ipa-dnskeysync-replica
+install daemons/dnssec/ipa-ods-exporter %{buildroot}%{_libexecdir}/ipa/ipa-ods-exporter
 
 # Web UI plugin dir
 mkdir -p %{buildroot}%{_usr}/share/ipa/ui/js/plugins
 
 # NOTE: systemd specific section
-mkdir -p %{buildroot}%{_prefix}/lib/tmpfiles.d
-install -m 0644 init/systemd/ipa.conf.tmpfiles %{buildroot}%{_prefix}/lib/tmpfiles.d/%{name}.conf
+mkdir -p %{buildroot}%{_tmpfilesdir}
+install -m 0644 init/systemd/ipa.conf.tmpfiles %{buildroot}%{_tmpfilesdir}/%{name}.conf
 # END
 
 mkdir -p %{buildroot}%{_localstatedir}/run/
@@ -437,11 +485,13 @@ mkdir -p %{buildroot}/%{_localstatedir}/lib/ipa/backup
 mkdir -p %{buildroot}%{_sysconfdir}/ipa/
 /bin/touch %{buildroot}%{_sysconfdir}/ipa/default.conf
 /bin/touch %{buildroot}%{_sysconfdir}/ipa/ca.crt
+mkdir -p %{buildroot}%{_sysconfdir}/ipa/dnssec
+mkdir -p %{buildroot}%{_sysconfdir}/ipa/nssdb
 mkdir -p %{buildroot}/%{_localstatedir}/lib/ipa-client/sysrestore
-
-%if ! %{ONLY_CLIENT}
 mkdir -p %{buildroot}%{_sysconfdir}/bash_completion.d
 install -pm 644 contrib/completion/ipa.bash_completion %{buildroot}%{_sysconfdir}/bash_completion.d/ipa
+
+%if ! %{ONLY_CLIENT}
 mkdir -p %{buildroot}%{_sysconfdir}/cron.d
 
 (cd %{buildroot}/%{python_sitelib}/ipaserver && find . -type f  | \
@@ -551,9 +601,20 @@ if [ $1 -gt 1 ] ; then
             /bin/systemctl condrestart ntpd.service 2>&1 || :
         fi
     fi
+
+    if [ ! -f '/etc/ipa/nssdb/cert8.db' -a $restore -ge 2 ]; then
+        python2 -c 'from ipapython.certdb import create_ipa_nssdb; create_ipa_nssdb()' >/dev/null 2>&1
+        tempfile=$(mktemp)
+        if certutil -L -d /etc/pki/nssdb -n 'IPA CA' -a >"$tempfile" 2>/var/log/ipaupgrade.log; then
+            certutil -A -d /etc/ipa/nssdb -n 'IPA CA' -t CT,C,C -a -i "$tempfile" >/var/log/ipaupgrade.log 2>&1
+        elif certutil -L -d /etc/pki/nssdb -n 'External CA cert' -a >"$tempfile" 2>/var/log/ipaupgrade.log; then
+            certutil -A -d /etc/ipa/nssdb -n 'External CA cert' -t C,, -a -i "$tempfile" >/var/log/ipaupgrade.log 2>&1
+        fi
+        rm -f "$tempfile"
+    fi
 fi
 
-%triggerin -n freeipa-client -- openssh-server
+%triggerin -n %{name}-client -- openssh-server
 # Has the client been configured?
 restore=0
 test -f '/var/lib/ipa-client/sysrestore/sysrestore.index' && restore=$(wc -l '/var/lib/ipa-client/sysrestore/sysrestore.index' | awk '{print $1}')
@@ -612,17 +673,27 @@ fi
 %{_sbindir}/ipactl
 %{_sbindir}/ipa-upgradeconfig
 %{_sbindir}/ipa-advise
+%{_sbindir}/ipa-cacert-manage
 %{_libexecdir}/certmonger/dogtag-ipa-ca-renew-agent-submit
 %{_libexecdir}/ipa-otpd
+%dir %{_libexecdir}/ipa
+%{_libexecdir}/ipa/ipa-dnskeysyncd
+%{_libexecdir}/ipa/ipa-dnskeysync-replica
+%{_libexecdir}/ipa/ipa-ods-exporter
 %config(noreplace) %{_sysconfdir}/sysconfig/ipa_memcached
+%config(noreplace) %{_sysconfdir}/sysconfig/ipa-dnskeysyncd
+%config(noreplace) %{_sysconfdir}/sysconfig/ipa-ods-exporter
 %dir %attr(0700,apache,apache) %{_localstatedir}/run/ipa_memcached/
 %dir %attr(0700,root,root) %{_localstatedir}/run/ipa/
 # NOTE: systemd specific section
-%{_prefix}/lib/tmpfiles.d/%{name}.conf
+%{_tmpfilesdir}/%{name}.conf
 %attr(644,root,root) %{_unitdir}/ipa.service
 %attr(644,root,root) %{_unitdir}/ipa_memcached.service
 %attr(644,root,root) %{_unitdir}/ipa-otpd.socket
 %attr(644,root,root) %{_unitdir}/ipa-otpd@.service
+%attr(644,root,root) %{_unitdir}/ipa-dnskeysyncd.service
+%attr(644,root,root) %{_unitdir}/ipa-ods-exporter.socket
+%attr(644,root,root) %{_unitdir}/ipa-ods-exporter.service
 # END
 %dir %{python_sitelib}/ipaserver
 %dir %{python_sitelib}/ipaserver/install
@@ -719,6 +790,7 @@ fi
 %attr(755,root,root) %{plugin_dir}/libipa_cldap.so
 %attr(755,root,root) %{plugin_dir}/libipa_dns.so
 %attr(755,root,root) %{plugin_dir}/libipa_range_check.so
+%attr(755,root,root) %{plugin_dir}/libipa_otp_counter.so
 %attr(755,root,root) %{plugin_dir}/libipa_otp_lasttoken.so
 %dir %{_localstatedir}/lib/ipa
 %attr(700,root,root) %dir %{_localstatedir}/lib/ipa/backup
@@ -746,6 +818,7 @@ fi
 %{_mandir}/man1/ipa-restore.1.gz
 %{_mandir}/man1/ipa-advise.1.gz
 %{_mandir}/man1/ipa-otptoken-import.1.gz
+%{_mandir}/man1/ipa-cacert-manage.1.gz
 
 %files server-trust-ad
 %{_sbindir}/ipa-adtrust-install
@@ -766,6 +839,7 @@ fi
 %doc COPYING README Contributors.txt
 %{_sbindir}/ipa-client-install
 %{_sbindir}/ipa-client-automount
+%{_sbindir}/ipa-certupdate
 %{_sbindir}/ipa-getkeytab
 %{_sbindir}/ipa-rmkeytab
 %{_sbindir}/ipa-join
@@ -778,34 +852,45 @@ fi
 %{_mandir}/man1/ipa-rmkeytab.1.gz
 %{_mandir}/man1/ipa-client-install.1.gz
 %{_mandir}/man1/ipa-client-automount.1.gz
+%{_mandir}/man1/ipa-certupdate.1.gz
 %{_mandir}/man1/ipa-join.1.gz
 %{_mandir}/man5/default.conf.5.gz
 
-%if ! %{ONLY_CLIENT}
 %files admintools
 %defattr(-,root,root,-)
 %doc COPYING README Contributors.txt
 %{_bindir}/ipa
 %config %{_sysconfdir}/bash_completion.d
 %{_mandir}/man1/ipa.1.gz
-%endif # ONLY_CLIENT
 
 %files python -f %{gettext_domain}.lang
 %defattr(-,root,root,-)
 %doc COPYING README Contributors.txt
 %dir %{python_sitelib}/ipapython
 %{python_sitelib}/ipapython/*.py*
+%dir %{python_sitelib}/ipapython/dnssec
+%{python_sitelib}/ipapython/dnssec/*.py*
 %dir %{python_sitelib}/ipalib
 %{python_sitelib}/ipalib/*
 %dir %{python_sitelib}/ipaplatform
 %{python_sitelib}/ipaplatform/*
 %attr(0644,root,root) %{python_sitearch}/default_encoding_utf8.so
+%attr(0644,root,root) %{python_sitearch}/_ipap11helper.so
 %{python_sitelib}/ipapython-*.egg-info
 %{python_sitelib}/freeipa-*.egg-info
+%{python_sitelib}/ipaplatform-*.egg-info
 %{python_sitearch}/python_default_encoding-*.egg-info
+%{python_sitearch}/_ipap11helper-*.egg-info
 %dir %attr(0755,root,root) %{_sysconfdir}/ipa/
 %ghost %attr(0644,root,apache) %config(noreplace) %{_sysconfdir}/ipa/default.conf
 %ghost %attr(0644,root,apache) %config(noreplace) %{_sysconfdir}/ipa/ca.crt
+%dir %attr(0755,root,root) %{_sysconfdir}/ipa/nssdb
+%dir %attr(0755,root,root) %{_sysconfdir}/ipa/dnssec
+%ghost %config(noreplace) %{_sysconfdir}/ipa/nssdb/cert8.db
+%ghost %config(noreplace) %{_sysconfdir}/ipa/nssdb/key3.db
+%ghost %config(noreplace) %{_sysconfdir}/ipa/nssdb/secmod.db
+%ghost %config(noreplace) %{_sysconfdir}/ipa/nssdb/pwdfile.txt
+%ghost %config(noreplace) %{_sysconfdir}/pki/ca-trust/source/ipa.p11-kit
 
 %if ! %{ONLY_CLIENT}
 %files tests -f tests-python.list
@@ -832,6 +917,9 @@ fi
 %endif # ONLY_CLIENT
 
 %changelog
+* Tue Oct 21 2014 Petr Vobornik <pvoborni@redhat.com> - 4.1.0-1
+- Update to upstream 4.1.0 - see http://www.freeipa.org/page/Releases/4.1.0
+
 * Fri Sep 12 2014 Petr Viktorin <pviktori@redhat.com> - 4.0.3-1
 - Update to upstream 4.0.3 - see http://www.freeipa.org/page/Releases/4.0.3
 

sources

@@ -1 +1 @@
-ad166bfed1ba9fc9241206c17d04a334  freeipa-4.0.3.tar.gz
+15d4914499ff928a1f90b3c4d15998f8  freeipa-4.1.0.tar.gz