rpms/ipa
5
0
Fork 0
Code Issues Pull Requests Releases Activity

Update to upstream 4.0.0

Browse Source 
Remove Fedora patches, all are in the upstream release
Remove the freeipa-server-strict package
Update to upstream 4.0.0
This commit is contained in:
Petr Viktorin 2014-07-07 19:23:17 +02:00
parent da4983b208
commit 92ad420100
16 changed files with 60 additions and 1272 deletions
Show Stats Download Patch File Download Diff File Expand all files Collapse all files

1
.gitignore vendored
View File

@ -29,3 +29,4 @@
/freeipa-3.3.3.tar.gz
/freeipa-3.3.4.tar.gz
/freeipa-3.3.5.tar.gz
/freeipa-4.0.0.tar.gz

41
0001-Guard-import-of-adtrustinstance-for-case-without-tru.patch
View File

@ -1,41 +0,0 @@
From ba5baea9cfd07559ca2f4f7a194999b982af2a24 Mon Sep 17 00:00:00 2001
From: Alexander Bokovoy <abokovoy@redhat.com>
Date: Mon, 4 Nov 2013 17:15:23 +0200
Subject: [PATCH] Guard import of adtrustinstance for case without trusts
https://fedorahosted.org/freeipa/ticket/4011
---
install/tools/ipa-server-install | 10 ++++++++--
1 file changed, 8 insertions(+), 2 deletions(-)
diff --git a/install/tools/ipa-server-install b/install/tools/ipa-server-install
index b3dcf6d93a70e2910a3d7fa62139efbf640d1cbe..458ebba550d0fe7675bd874e23c7d730c53297e6 100755
--- a/install/tools/ipa-server-install
+++ b/install/tools/ipa-server-install
@@ -40,7 +40,12 @@ import pwd
import textwrap
from optparse import OptionGroup, OptionValueError
-from ipaserver.install import adtrustinstance
+try:
+ from ipaserver.install import adtrustinstance
+ _server_trust_ad_installed = True
+except ImportError:
+ _server_trust_ad_installed = False
+
from ipaserver.install import dsinstance
from ipaserver.install import krbinstance
from ipaserver.install import bindinstance
@@ -493,7 +498,8 @@ def uninstall():
httpinstance.HTTPInstance(fstore).uninstall()
krbinstance.KrbInstance(fstore).uninstall()
dsinstance.DsInstance(fstore=fstore).uninstall()
- adtrustinstance.ADTRUSTInstance(fstore).uninstall()
+ if _server_trust_ad_installed:
+ adtrustinstance.ADTRUSTInstance(fstore).uninstall()
memcacheinstance.MemcacheInstance().uninstall()
otpdinstance.OtpdInstance().uninstall()
ipaservices.restore_network_configuration(fstore, sstore)
--
1.8.3.1

88
0001-platform-Add-Fedora-19-platform-file.patch
View File

@ -1,88 +0,0 @@
From 2a98701ea1745394b717c3f4be4e0e376ab1d658 Mon Sep 17 00:00:00 2001
From: Tomas Babej <tomasbabej@gmail.com>
Date: Mon, 11 Nov 2013 13:02:40 +0100
Subject: [PATCH 1/9] platform: Add Fedora 19 platform file
Part of: https://fedorahosted.org/freeipa/ticket/3504
---
ipapython/platform/fedora19/__init__.py | 55 +++++++++++++++++++++++++++++++++
ipapython/setup.py.in | 1 +
3 files changed, 70 insertions(+), 1 deletion(-)
create mode 100644 ipapython/platform/fedora19/__init__.py
diff --git a/ipapython/platform/fedora19/__init__.py b/ipapython/platform/fedora19/__init__.py
new file mode 100644
index 0000000000000000000000000000000000000000..80356d65f4d07483000d57e16b193a857d0988ca
--- /dev/null
+++ b/ipapython/platform/fedora19/__init__.py
@@ -0,0 +1,55 @@
+# Author: Tomas Babej <tbabej@redhat.com>
+#
+# Copyright (C) 2013 Red Hat
+# see file 'COPYING' for use and warranty information
+#
+# This program is free software; you can redistribute it and/or modify
+# it under the terms of the GNU General Public License as published by
+# the Free Software Foundation, either version 3 of the License, or
+# (at your option) any later version.
+#
+# This program is distributed in the hope that it will be useful,
+# but WITHOUT ANY WARRANTY; without even the implied warranty of
+# MERCHANTABILITY or FITNESS FOR A PARTICULAR PURPOSE. See the
+# GNU General Public License for more details.
+#
+# You should have received a copy of the GNU General Public License
+# along with this program. If not, see <http://www.gnu.org/licenses/>.
+#
+
+from ipapython.platform import fedora18, base
+
+# All what we allow exporting directly from this module
+
+# Everything else is made available through these symbols when they are
+# directly imported into ipapython.services:
+
+# authconfig -- class reference for platform-specific implementation of
+# authconfig(8)
+# service -- class reference for platform-specific implementation of a
+# PlatformService class
+# knownservices -- factory instance to access named services IPA cares about,
+# names are ipapython.services.wellknownservices
+# backup_and_replace_hostname -- platform-specific way to set hostname and
+# make it persistent over reboots
+# restore_network_configuration -- platform-specific way of restoring network
+# configuration (e.g. static hostname)
+# restore_context -- platform-sepcific way to restore security context, if
+# applicable
+# check_selinux_status -- platform-specific way to see if SELinux is enabled
+# and restorecon is installed.
+
+__all__ = ['authconfig', 'service', 'knownservices',
+ 'backup_and_replace_hostname', 'restore_context', 'check_selinux_status',
+ 'restore_network_configuration', 'timedate_services']
+
+# Just copy a referential list of timedate services
+timedate_services = list(base.timedate_services)
+
+backup_and_replace_hostname = fedora18.backup_and_replace_hostname
+restore_network_configuration = fedora18.restore_network_configuration
+authconfig = fedora18.authconfig
+service = fedora18.service
+knownservices = fedora18.knownservices
+restore_context = fedora18.restore_context
+check_selinux_status = fedora18.check_selinux_status
diff --git a/ipapython/setup.py.in b/ipapython/setup.py.in
index d3bbcaf1e46528d50731ca18a96a3384f6b49548..108c95d0ccb74e1cec5167759243f428f4ecf21a 100644
--- a/ipapython/setup.py.in
+++ b/ipapython/setup.py.in
@@ -70,6 +70,7 @@ def setup_package():
"ipapython.platform.base",
"ipapython.platform.fedora16",
"ipapython.platform.fedora18",
+ "ipapython.platform.fedora19",
"ipapython.platform.redhat" ],
)
finally:
--
1.8.5.3

84
0002-Fix-Wformat-security-warnings.patch
View File

@ -1,84 +0,0 @@
From 8c03b1dbcdf75ba76b96ccfcc148afe0e134e2d3 Mon Sep 17 00:00:00 2001
From: Krzysztof Klimonda <kklimonda@syntaxhighlighted.com>
Date: Tue, 3 Sep 2013 00:12:26 +0300
Subject: [PATCH] Fix -Wformat-security warnings
---
daemons/ipa-slapi-plugins/ipa-enrollment/ipa_enrollment.c | 6 +++---
daemons/ipa-slapi-plugins/ipa-pwd-extop/ipa_pwd_extop.c | 8 ++++----
2 files changed, 7 insertions(+), 7 deletions(-)
diff --git a/daemons/ipa-slapi-plugins/ipa-enrollment/ipa_enrollment.c b/daemons/ipa-slapi-plugins/ipa-enrollment/ipa_enrollment.c
index 9f884bd39233adf90b0f4eff1868885d587d351a..22c40f2bcfc527127b745e1efde5977b148c78a8 100644
--- a/daemons/ipa-slapi-plugins/ipa-enrollment/ipa_enrollment.c
+++ b/daemons/ipa-slapi-plugins/ipa-enrollment/ipa_enrollment.c
@@ -317,7 +317,7 @@ free_and_return:
if (krbLastPwdChange) slapi_ch_free_string(&krbLastPwdChange);
- LOG(errMesg ? errMesg : "success\n");
+ LOG("%s", errMesg ? errMesg : "success\n");
slapi_send_ldap_result(pb, rc, NULL, errMesg, 0, NULL);
free(principal);
@@ -344,7 +344,7 @@ ipaenrollment_extop(Slapi_PBlock *pb)
if (slapi_pblock_get(pb, SLAPI_EXT_OP_REQ_OID, &oid ) != 0) {
errMesg = "Could not get OID and value from request.\n";
rc = LDAP_OPERATIONS_ERROR;
- LOG(errMesg);
+ LOG("%s", errMesg);
goto free_and_return;
}
@@ -357,7 +357,7 @@ ipaenrollment_extop(Slapi_PBlock *pb)
rc = LDAP_OPERATIONS_ERROR;
free_and_return:
- LOG(errMesg);
+ LOG("%s", errMesg);
slapi_send_ldap_result(pb, rc, NULL, errMesg, 0, NULL);
return SLAPI_PLUGIN_EXTENDED_SENT_RESULT;
diff --git a/daemons/ipa-slapi-plugins/ipa-pwd-extop/ipa_pwd_extop.c b/daemons/ipa-slapi-plugins/ipa-pwd-extop/ipa_pwd_extop.c
index 1058c313d1f2a193eb7fae621bc9c5d103fb6d5f..c3e0ebd9d90f393be031b26fadcedd00f6091a8d 100644
--- a/daemons/ipa-slapi-plugins/ipa-pwd-extop/ipa_pwd_extop.c
+++ b/daemons/ipa-slapi-plugins/ipa-pwd-extop/ipa_pwd_extop.c
@@ -573,7 +573,7 @@ free_and_return:
if (targetEntry) slapi_entry_free(targetEntry);
if (ber) ber_free(ber, 1);
- LOG(errMesg ? errMesg : "success");
+ LOG("%s", errMesg ? errMesg : "success");
slapi_send_ldap_result(pb, rc, NULL, errMesg, 0, NULL);
return SLAPI_PLUGIN_EXTENDED_SENT_RESULT;
@@ -1143,7 +1143,7 @@ free_and_return:
if (rc == LDAP_SUCCESS)
errMesg = NULL;
- LOG(errMesg ? errMesg : "success");
+ LOG("%s", errMesg ? errMesg : "success");
slapi_send_ldap_result(pb, rc, NULL, errMesg, 0, NULL);
return SLAPI_PLUGIN_EXTENDED_SENT_RESULT;
@@ -1170,7 +1170,7 @@ static int ipapwd_extop(Slapi_PBlock *pb)
if (slapi_pblock_get(pb, SLAPI_EXT_OP_REQ_OID, &oid) != 0) {
errMesg = "Could not get OID value from request.\n";
rc = LDAP_OPERATIONS_ERROR;
- LOG(errMesg);
+ LOG("%s", errMesg);
goto free_and_return;
} else {
LOG("Received extended operation request with OID %s\n", oid);
@@ -1193,7 +1193,7 @@ static int ipapwd_extop(Slapi_PBlock *pb)
free_and_return:
if (krbcfg) free_ipapwd_krbcfg(&krbcfg);
- LOG(errMesg);
+ LOG("%s", errMesg);
slapi_send_ldap_result(pb, rc, NULL, errMesg, 0, NULL);
return SLAPI_PLUGIN_EXTENDED_SENT_RESULT;
--
1.8.3.1

178
0002-ipa-client-install-Publish-CA-certificate-to-systemw.patch
View File

@ -1,178 +0,0 @@
From eb81f2cf7e0bde6879952d7256bbdfeb3b5c798b Mon Sep 17 00:00:00 2001
From: Tomas Babej <tbabej@redhat.com>
Date: Tue, 24 Sep 2013 10:54:57 +0200
Subject: [PATCH 2/9] ipa-client-install: Publish CA certificate to systemwide
store
During the installation, copy the CA certificate to the systemwide
store (/etc/pki/ca-trust/source/anchors/ipa-ca.crt) and update the
systemwide CA database.
This allows browsers to access IPA WebUI without warning out of the
box.
https://fedorahosted.org/freeipa/ticket/3504
---
ipa-client/ipa-install/ipa-client-install | 13 +++++-
ipapython/platform/fedora19/__init__.py | 67 ++++++++++++++++++++++++++++++-
ipapython/services.py.in | 11 ++++-
3 files changed, 88 insertions(+), 3 deletions(-)
diff --git a/ipa-client/ipa-install/ipa-client-install b/ipa-client/ipa-install/ipa-client-install
index afed54e5ddbf5ed985b637f20ac61d8ab1632364..23cd9a0babcb600134d87224f0c32ad9ca8845b5 100755
--- a/ipa-client/ipa-install/ipa-client-install
+++ b/ipa-client/ipa-install/ipa-client-install
@@ -651,6 +651,9 @@ def uninstall(options, env):
root_logger.warning('Please remove /etc/ipa/default.conf manually, '
'as it can cause subsequent installation to fail.')
+ # Remove the CA cert from the systemwide certificate store
+ ipaservices.remove_ca_cert_from_systemwide_ca_store(CACERT)
+
# Remove the CA cert
try:
os.remove(CACERT)
@@ -2293,12 +2296,20 @@ def install(options, env, fstore, statestore):
return CLIENT_INSTALL_ERROR
root_logger.info("Configured /etc/sssd/sssd.conf")
+ # Add the CA to the platform-dependant systemwide CA store
+ ipaservices.insert_ca_cert_into_systemwide_ca_store(CACERT)
+
# Add the CA to the default NSS database and trust it
try:
- run(["/usr/bin/certutil", "-A", "-d", "/etc/pki/nssdb", "-n", "IPA CA", "-t", "CT,C,C", "-a", "-i", CACERT])
+ root_logger.debug("Attempting to add CA directly to the "
+ "default NSS database.")
+ run(["/usr/bin/certutil", "-A", "-d", "/etc/pki/nssdb",
+ "-n", "IPA CA", "-t", "CT,C,C", "-a", "-i", CACERT])
except CalledProcessError, e:
root_logger.info("Failed to add CA to the default NSS database.")
return CLIENT_INSTALL_ERROR
+ else:
+ root_logger.info('Added the CA to the default NSS database.')
host_principal = 'host/%s@%s' % (hostname, cli_realm)
if options.on_master:
diff --git a/ipapython/platform/fedora19/__init__.py b/ipapython/platform/fedora19/__init__.py
index 80356d65f4d07483000d57e16b193a857d0988ca..9b931625bdcd4f1266ecfd0c7fea4c37ac7935aa 100644
--- a/ipapython/platform/fedora19/__init__.py
+++ b/ipapython/platform/fedora19/__init__.py
@@ -17,6 +17,14 @@
# along with this program. If not, see <http://www.gnu.org/licenses/>.
#
+import shutil
+import os
+
+from subprocess import CalledProcessError
+
+from ipapython.ipa_log_manager import root_logger
+from ipapython.ipautil import run
+
from ipapython.platform import fedora18, base
# All what we allow exporting directly from this module
@@ -38,10 +46,19 @@
# applicable
# check_selinux_status -- platform-specific way to see if SELinux is enabled
# and restorecon is installed.
+# insert_ca_cert_into_systemwide_ca_store - platform-specific way to insert our
+# CA certificate into the systemwide
+# CA store
+# remove_ca_cert_from_systemwide_ca_store - platform-specific way to remove our
+# CA certificate from the systemwide
+# CA store
+
__all__ = ['authconfig', 'service', 'knownservices',
'backup_and_replace_hostname', 'restore_context', 'check_selinux_status',
- 'restore_network_configuration', 'timedate_services']
+ 'restore_network_configuration', 'timedate_services',
+ 'insert_ca_cert_into_systemwide_ca_store',
+ 'remove_ca_cert_from_systemwide_ca_store']
# Just copy a referential list of timedate services
timedate_services = list(base.timedate_services)
@@ -53,3 +70,51 @@
knownservices = fedora18.knownservices
restore_context = fedora18.restore_context
check_selinux_status = fedora18.check_selinux_status
+
+systemwide_ca_store = '/etc/pki/ca-trust/source/anchors/'
+
+
+def insert_ca_cert_into_systemwide_ca_store(cacert_path):
+ # Add the 'ipa-' prefix to cert name to avoid name collisions
+ cacert_name = os.path.basename(cacert_path)
+ new_cacert_path = os.path.join(systemwide_ca_store, 'ipa-%s' % cacert_name)
+
+ # Add the CA to the systemwide CA trust database
+ try:
+ shutil.copy(cacert_path, new_cacert_path)
+ run(['/usr/bin/update-ca-trust'])
+ except OSError, e:
+ root_logger.info("Failed to copy %s to %s" % (cacert_path,
+ new_cacert_path))
+ except CalledProcessError, e:
+ root_logger.info("Failed to add CA to the systemwide "
+ "CA trust database: %s" % str(e))
+ else:
+ root_logger.info('Added the CA to the systemwide CA trust database.')
+ return True
+
+ return False
+
+
+def remove_ca_cert_from_systemwide_ca_store(cacert_path):
+ # Derive the certificate name in the store
+ cacert_name = os.path.basename(cacert_path)
+ new_cacert_path = os.path.join(systemwide_ca_store, 'ipa-%s' % cacert_name)
+
+ # Remove CA cert from systemwide store
+ if os.path.exists(new_cacert_path):
+ try:
+ os.remove(new_cacert_path)
+ run(['/usr/bin/update-ca-trust'])
+ except OSError, e:
+ root_logger.error('Could not remove: %s, %s'
+ % (new_cacert_path, str(e)))
+ return False
+ except CalledProcessError, e:
+ root_logger.error('Could not update systemwide CA trust '
+ 'database: %s' % str(e))
+ return False
+ else:
+ root_logger.info('Systemwide CA database updated.')
+
+ return True
diff --git a/ipapython/services.py.in b/ipapython/services.py.in
index 16b62ca8508d4078e896cd1da6fd664f52a3930e..d648ad5bf77aa58f2de33f0a02440eae01d6396b 100644
--- a/ipapython/services.py.in
+++ b/ipapython/services.py.in
@@ -21,7 +21,7 @@
authconfig = None
# knownservices is an entry point to known platform services
-# (instance of ipapython.platform.base.KnownServices)
+# (instance of ipapython.platform.base.KnownServices)
knownservices = None
# service is a class to instantiate ipapython.platform.base.PlatformService
@@ -55,4 +55,13 @@ from ipapython.platform.base import SVC_LIST_FILE
def get_svc_list_file():
return SVC_LIST_FILE
+def insert_ca_cert_into_systemwide_ca_store_default(path):
+ return True
+
+def remove_ca_cert_from_systemwide_ca_store_default(path):
+ return True
+
+insert_ca_cert_into_systemwide_ca_store = insert_ca_cert_into_systemwide_ca_store_default
+remove_ca_cert_from_systemwide_ca_store = remove_ca_cert_from_systemwide_ca_store_default
+
from ipapython.platform.SUPPORTED_PLATFORM import *
--
1.8.5.3

106
0003-Add-runas-option-to-run-function.patch
View File

@ -1,106 +0,0 @@
From b4791862852770711be87ca63ed85b23e72baea3 Mon Sep 17 00:00:00 2001
From: Martin Kosek <mkosek@redhat.com>
Date: Thu, 16 Jan 2014 14:10:42 +0100
Subject: [PATCH 3/9] Add runas option to run function
Run function can now run the specified command as different user by
setting the both real and effective UID and GID for executed process.
Add both the missing run function attribute doc strings as well as
a doc string for the runas attribute.
---
ipapython/ipautil.py | 59 +++++++++++++++++++++++++++++++++-------------------
1 file changed, 38 insertions(+), 21 deletions(-)
diff --git a/ipapython/ipautil.py b/ipapython/ipautil.py
index 92569c3b487bdbbfc4f0033813fda56c8928f20c..f7a2443af940a695321da7989457a392d6451d44 100644
--- a/ipapython/ipautil.py
+++ b/ipapython/ipautil.py
@@ -42,6 +42,7 @@
import netaddr
import time
import krbV
+import pwd
from dns import resolver, rdatatype
from dns.exception import DNSException
@@ -246,29 +247,35 @@ def shell_quote(string):
return "'" + string.replace("'", "'\\''") + "'"
def run(args, stdin=None, raiseonerr=True,
- nolog=(), env=None, capture_output=True, skip_output=False, cwd=None):
+ nolog=(), env=None, capture_output=True, skip_output=False, cwd=None,
+ runas=None):
"""
Execute a command and return stdin, stdout and the process return code.
- args is a list of arguments for the command
-
- stdin is used if you want to pass input to the command
-
- raiseonerr raises an exception if the return code is not zero
-
- nolog is a tuple of strings that shouldn't be logged, like passwords.
- Each tuple consists of a string to be replaced by XXXXXXXX.
-
- For example, the command ['/usr/bin/setpasswd', '--password', 'Secret123', 'someuser']
-
- We don't want to log the password so nolog would be set to:
- ('Secret123',)
-
- The resulting log output would be:
-
- /usr/bin/setpasswd --password XXXXXXXX someuser
-
- If an value isn't found in the list it is silently ignored.
+ :param args: List of arguments for the command
+ :param stdin: Optional input to the command
+ :param raiseonerr: If True, raises an exception if the return code is
+ not zero
+ :param nolog: Tuple of strings that shouldn't be logged, like passwords.
+ Each tuple consists of a string to be replaced by XXXXXXXX.
+
+ Example:
+ We have a command
+ ['/usr/bin/setpasswd', '--password', 'Secret123', 'someuser']
+ and we don't want to log the password so nolog would be set to:
+ ('Secret123',)
+ The resulting log output would be:
+
+ /usr/bin/setpasswd --password XXXXXXXX someuser
+
+ If a value isn't found in the list it is silently ignored.
+ :param env: Dictionary of environment variables passed to the command.
+ When None, current environment is copied
+ :param capture_output: Capture stderr and stdout
+ :param skip_output: Redirect the output to /dev/null and do not capture it
+ :param cwd: Current working directory
+ :param runas: Name of a user that the command shold be run as. The spawned
+ process will have both real and effective UID and GID set.
"""
p_in = None
p_out = None
@@ -298,9 +305,19 @@ def run(args, stdin=None, raiseonerr=True,
root_logger.debug('Starting external process')
root_logger.debug('args=%s' % arg_string)
+ preexec_fn = None
+ if runas is not None:
+ pent = pwd.getpwnam(runas)
+ root_logger.debug('runas=%s (UID %d, GID %s)', runas,
+ pent.pw_uid, pent.pw_gid)
+
+ preexec_fn = lambda: (os.setregid(pent.pw_gid, pent.pw_gid),
+ os.setreuid(pent.pw_uid, pent.pw_uid))
+
try:
p = subprocess.Popen(args, stdin=p_in, stdout=p_out, stderr=p_err,
- close_fds=True, env=env, cwd=cwd)
+ close_fds=True, env=env, cwd=cwd,
+ preexec_fn=preexec_fn)
stdout,stderr = p.communicate(stdin)
stdout,stderr = str(stdout), str(stderr) # Make pylint happy
except KeyboardInterrupt:
--
1.8.5.3

69
0003-Increase-stack-size-for-Web-UI-builder.patch
View File

@ -1,69 +0,0 @@
From 375f363df04c51b4f20b68dd567070d9e912e037 Mon Sep 17 00:00:00 2001
From: Petr Vobornik <pvoborni@redhat.com>
Date: Wed, 31 Jul 2013 15:12:19 +0200
Subject: [PATCH] Increase stack size for Web UI builder
Web UI build fails on some architectures or configuration due to
StackOverflow. This patch increases the stack size to solve it.
512k is usually enough but we encountered fail on ppc64 even with 2m,
therefore the 8m. The build is single threaded so it shouldn't waste
much memory.
---
Makefile | 5 +++++
install/ui/util/build.sh | 5 +++--
install/ui/util/uglifyjs/uglify | 9 +++++----
3 files changed, 13 insertions(+), 6 deletions(-)
diff --git a/Makefile b/Makefile
index a7226341e6bd10106309997aae558fc07239482d..e54f8f0ba6484a12343f389b3cffbc20d7420a5f 100644
--- a/Makefile
+++ b/Makefile
@@ -55,6 +55,11 @@ PYTHON ?= $(shell rpm -E %__python || echo /usr/bin/python)
CFLAGS := -g -O2 -Werror -Wall -Wextra -Wformat-security -Wno-unused-parameter -Wno-sign-compare -Wno-missing-field-initializers $(CFLAGS)
export CFLAGS
+# Uncomment to increase Java stack size for Web UI build in case it fails
+# because of stack overflow exception. Default should be OK for most platforms.
+#JAVA_STACK_SIZE ?= 8m
+#export JAVA_STACK_SIZE
+
all: bootstrap-autogen server tests
@for subdir in $(SUBDIRS); do \
(cd $$subdir && $(MAKE) $@) || exit 1; \
diff --git a/install/ui/util/build.sh b/install/ui/util/build.sh
index 7cd623485a8a87872e29d32f529bd77a45d59810..03776c1fe54f750cf028981bce625702af32aa1d 100755
--- a/install/ui/util/build.sh
+++ b/install/ui/util/build.sh
@@ -31,5 +31,6 @@ if [[ ! $profile ]] ; then
exit 1
fi
-rhino $DIR/build/build.js baseUrl=$DIR/build load=build profile=$DIR/../src/$profile.profile.js
-exit $?
\ No newline at end of file
+RHINO="java -Xss${JAVA_STACK_SIZE:-512k} -classpath /usr/share/java/rhino.jar org.mozilla.javascript.tools.shell.Main"
+$RHINO $DIR/build/build.js baseUrl=$DIR/build load=build profile=$DIR/../src/$profile.profile.js
+exit $?
diff --git a/install/ui/util/uglifyjs/uglify b/install/ui/util/uglifyjs/uglify
index 7d25b38df19e465227f29b8b70ccf7ca140f725a..1227f589b4c50de49c465f6c696ecdc8af5e3c91 100755
--- a/install/ui/util/uglifyjs/uglify
+++ b/install/ui/util/uglifyjs/uglify
@@ -25,8 +25,9 @@ DIR="$( cd "$( dirname "${BASH_SOURCE[0]}" )" && pwd )"
# rhino-1.7R4 doesn't have -main option to enable CommonJS support. It was
# replaced by -require option.
-if [ `rhino --help | grep -e -require | wc -l` -gt 0 ] ; then
- rhino -require $DIR/uglify-js.js $@
+RHINO="java -Xss${JAVA_STACK_SIZE:-512k} -classpath /usr/share/java/rhino.jar org.mozilla.javascript.tools.shell.Main"
+if [ `$RHINO --help | grep -e -require | wc -l` -gt 0 ] ; then
+ $RHINO -require $DIR/uglify-js.js $@
else
- rhino -main $DIR/uglify-js.js $DIR/ug.js $@
-fi
\ No newline at end of file
+ $RHINO -main $DIR/uglify-js.js $DIR/ug.js $@
+fi
--
1.8.3.1

84
0004-Switch-httpd-to-use-default-CCACHE.patch
View File

@ -1,84 +0,0 @@
From 97d3a2420f5b29d3777c1661c27a7cc6b157a2d5 Mon Sep 17 00:00:00 2001
From: Martin Kosek <mkosek@redhat.com>
Date: Thu, 16 Jan 2014 14:12:29 +0100
Subject: [PATCH 4/9] Switch httpd to use default CCACHE
Stock httpd no longer uses systemd EnvironmentFile option which is
making FreeIPA's KRB5CCNAME setting ineffective. This can lead in hard
to debug problems during subsequent ipa-server-install's where HTTP
may use a stale CCACHE in the default kernel keyring CCACHE.
Avoid forcing custom CCACHE and switch to system one, just make sure
that it is properly cleaned by kdestroy run as "apache" user during
FreeIPA server installation process.
https://fedorahosted.org/freeipa/ticket/4084
---
install/tools/ipa-upgradeconfig | 7 ++++++-
ipaserver/install/httpinstance.py | 22 +++-------------------
2 files changed, 9 insertions(+), 20 deletions(-)
diff --git a/install/tools/ipa-upgradeconfig b/install/tools/ipa-upgradeconfig
index 41c51263d5fc8b3a0e2f28bab89fc9d2d184fdca..cf9fe0e040e56bb75ca8d53e28586911caeffb2b 100644
--- a/install/tools/ipa-upgradeconfig
+++ b/install/tools/ipa-upgradeconfig
@@ -1043,10 +1043,15 @@ def main():
update_dbmodules(api.env.realm)
uninstall_ipa_kpasswd()
+ removed_sysconfig_file = '/etc/sysconfig/httpd'
+ if fstore.has_file(removed_sysconfig_file):
+ root_logger.info('Restoring %s as it is no longer required',
+ removed_sysconfig_file)
+ fstore.restore_file(removed_sysconfig_file)
+
http = httpinstance.HTTPInstance(fstore)
http.remove_httpd_ccache()
http.configure_selinux_for_httpd()
- http.configure_httpd_ccache()
http.change_mod_nss_port_to_http()
ds = dsinstance.DsInstance()
diff --git a/ipaserver/install/httpinstance.py b/ipaserver/install/httpinstance.py
index 689e657e291b93d90038937a61f67915c0d582ec..9c9205883b38dfb854fb2885d3692a7053866b63 100644
--- a/ipaserver/install/httpinstance.py
+++ b/ipaserver/install/httpinstance.py
@@ -126,7 +126,6 @@ def create_instance(self, realm, fqdn, domain_name, dm_password=None,
self.step("creating a keytab for httpd", self.__create_http_keytab)
self.step("clean up any existing httpd ccache", self.remove_httpd_ccache)
self.step("configuring SELinux for httpd", self.configure_selinux_for_httpd)
- self.step("configure httpd ccache", self.configure_httpd_ccache)
self.step("restarting httpd", self.__start)
self.step("configuring httpd to start on boot", self.__enable)
@@ -217,24 +216,9 @@ def __create_http_keytab(self):
def remove_httpd_ccache(self):
# Clean up existing ccache
- pent = pwd.getpwnam("apache")
- installutils.remove_file('/tmp/krb5cc_%d' % pent.pw_uid)
-
- def configure_httpd_ccache(self):
- pent = pwd.getpwnam("apache")
- ccache = '/tmp/krb5cc_%d' % pent.pw_uid
- filepath = '/etc/sysconfig/httpd'
- if not os.path.exists(filepath):
- # file doesn't exist; create it with correct ownership & mode
- open(filepath, 'a').close()
- os.chmod(filepath,
- stat.S_IRUSR | stat.S_IWUSR | stat.S_IRGRP | stat.S_IROTH)
- os.chown(filepath, 0, 0)
-
- replacevars = {'KRB5CCNAME': ccache}
- old_values = ipautil.backup_config_and_replace_variables(
- self.fstore, filepath, replacevars=replacevars)
- ipaservices.restore_context(filepath)
+ # Make sure that empty env is passed to avoid passing KRB5CCNAME from
+ # current env
+ ipautil.run(['kdestroy'], runas='apache', raiseonerr=False, env={})
def __configure_http(self):
target_fname = '/etc/httpd/conf.d/ipa.conf'
--
1.8.5.3

30
0005-httpd-should-destroy-all-CCACHEs.patch
View File

@ -1,30 +0,0 @@
From d134f591c9250f38d170a937ec221637d09b58bc Mon Sep 17 00:00:00 2001
From: Martin Kosek <mkosek@redhat.com>
Date: Wed, 22 Jan 2014 16:08:51 +0100
Subject: [PATCH 5/9] httpd should destroy all CCACHEs
Use "kdestroy -A" command to destroy all CCACHEs, both the primary
and the non-primary ones to make sure that the non-primary ones are
not used later.
https://fedorahosted.org/freeipa/ticket/4084
---
ipaserver/install/httpinstance.py | 2 +-
1 file changed, 1 insertion(+), 1 deletion(-)
diff --git a/ipaserver/install/httpinstance.py b/ipaserver/install/httpinstance.py
index 9c9205883b38dfb854fb2885d3692a7053866b63..5d37926ddcaa17ce2eab839cd6aecdab0159a8ee 100644
--- a/ipaserver/install/httpinstance.py
+++ b/ipaserver/install/httpinstance.py
@@ -218,7 +218,7 @@ def remove_httpd_ccache(self):
# Clean up existing ccache
# Make sure that empty env is passed to avoid passing KRB5CCNAME from
# current env
- ipautil.run(['kdestroy'], runas='apache', raiseonerr=False, env={})
+ ipautil.run(['kdestroy', '-A'], runas='apache', raiseonerr=False, env={})
def __configure_http(self):
target_fname = '/etc/httpd/conf.d/ipa.conf'
--
1.8.5.3

124
0006-Enable-Retro-Changelog-and-Content-Synchronization-D.patch
View File

@ -1,124 +0,0 @@
From ada54e7e836d13ccede3fe74f1cd30300a242c6e Mon Sep 17 00:00:00 2001
From: Ana Krivokapic <akrivoka@redhat.com>
Date: Fri, 25 Oct 2013 12:41:25 +0200
Subject: [PATCH 6/9] Enable Retro Changelog and Content Synchronization DS
plugins
Enable Retro Changelog and Content Synchronization DS plugins which are required
for SyncRepl support.
Create a working directory /var/named/ipa required by bind-dyndb-ldap v4+.
https://fedorahosted.org/freeipa/ticket/3967
---
freeipa.spec.in | 1 +
install/tools/ipa-upgradeconfig | 5 ++++-
install/updates/20-syncrepl.update | 9 +++++++++
install/updates/Makefile.am | 1 +
ipaserver/install/bindinstance.py | 13 +++++++++++++
5 files changed, 28 insertions(+), 1 deletion(-)
create mode 100644 install/updates/20-syncrepl.update
diff --git a/freeipa.spec.in b/freeipa.spec.in
index 8fd0a368ed02cfad120db6283e3899027d467bfc..4f60be6ccd623de4574c7627e0ffc4ff0829e701 100644
--- a/freeipa.spec.in
+++ b/freeipa.spec.in
@@ -764,6 +764,7 @@ fi
%{_mandir}/man1/ipa-backup.1.gz
%{_mandir}/man1/ipa-restore.1.gz
%{_mandir}/man1/ipa-advise.1.gz
+%ghost %{_localstatedir}/named/ipa
%files server-trust-ad
%{_sbindir}/ipa-adtrust-install
diff --git a/install/tools/ipa-upgradeconfig b/install/tools/ipa-upgradeconfig
index cf9fe0e040e56bb75ca8d53e28586911caeffb2b..5bcef1ac827da296c6a35e8fc29a1c6f0a04f808 100644
--- a/install/tools/ipa-upgradeconfig
+++ b/install/tools/ipa-upgradeconfig
@@ -1084,6 +1084,10 @@ def main():
setup_firefox_extension(fstore)
add_ca_dns_records()
+ bind = bindinstance.BindInstance(fstore)
+ if bind.is_configured():
+ bind.create_dir('/var/named/ipa', 0700)
+
# Any of the following functions returns True iff the named.conf file
# has been altered
named_conf_changes = (
@@ -1097,7 +1101,6 @@ def main():
if any(named_conf_changes):
# configuration has changed, restart the name server
root_logger.info('Changes to named.conf have been made, restart named')
- bind = bindinstance.BindInstance(fstore)
try:
bind.restart()
except ipautil.CalledProcessError, e:
diff --git a/install/updates/20-syncrepl.update b/install/updates/20-syncrepl.update
new file mode 100644
index 0000000000000000000000000000000000000000..c4158a1634410acd323f04f442bbbd2f69c24708
--- /dev/null
+++ b/install/updates/20-syncrepl.update
@@ -0,0 +1,9 @@
+# Enable Retro changelog
+dn: cn=Retro Changelog Plugin,cn=plugins,cn=config
+only:nsslapd-pluginEnabled: on
+add:nsslapd-attribute: nsuniqueid:targetUniqueId
+add:nsslapd-changelogmaxage: 2d
+
+# Enable SyncRepl
+dn: cn=Content Synchronization,cn=plugins,cn=config
+only:nsslapd-pluginEnabled: on
diff --git a/install/updates/Makefile.am b/install/updates/Makefile.am
index 40c3b3c8916faa267254a29d0f458ca53201950c..09965ff9885fce93f3d15dc73b11fa210f68b163 100644
--- a/install/updates/Makefile.am
+++ b/install/updates/Makefile.am
@@ -22,6 +22,7 @@ app_DATA = \
20-indices.update \
20-nss_ldap.update \
20-replication.update \
+ 20-syncrepl.update \
20-user_private_groups.update \
20-winsync_index.update \
21-replicas_container.update \
diff --git a/ipaserver/install/bindinstance.py b/ipaserver/install/bindinstance.py
index 6d5a1d44d30c89278c24fe7ab5278355cb65b0b4..4baeb4e077c64a7abebd1c071012f6c1e02dc1ae 100644
--- a/ipaserver/install/bindinstance.py
+++ b/ipaserver/install/bindinstance.py
@@ -22,6 +22,7 @@
import pwd
import netaddr
import re
+import errno
import ldap
@@ -509,6 +510,16 @@ def create_sample_bind_zone(self):
os.close(bind_fd)
print "Sample zone file for bind has been created in "+bind_name
+ def create_dir(self, path, mode):
+ try:
+ os.makedirs(path, mode)
+ except OSError as e:
+ if e.errno != errno.EEXIST:
+ raise e
+
+ pent = pwd.getpwnam(self.named_user or 'named')
+ os.chown(path, pent.pw_uid, pent.pw_gid)
+
def create_instance(self):
try:
@@ -519,6 +530,8 @@ def create_instance(self):
# get a connection to the DS
self.ldap_connect()
+ self.create_dir('/var/named/ipa', 0700)
+
if installutils.record_in_hosts(self.ip_address, self.fqdn) is None:
installutils.add_record_to_hosts(self.ip_address, self.fqdn)
--
1.8.5.3

73
0007-Limit-memberOf-and-refInt-DS-plugins-to-main-IPA-suf.patch
View File

@ -1,73 +0,0 @@
From 031d08b13cec4c6c538a9c344576d349481ceeea Mon Sep 17 00:00:00 2001
From: Petr Spacek <pspacek@redhat.com>
Date: Thu, 23 Jan 2014 12:22:38 +0100
Subject: [PATCH 7/9] Limit memberOf and refInt DS plugins to main IPA suffix.
This drastically improves performance of retro changelog trimming.
https://fedorahosted.org/freeipa/ticket/3967
---
freeipa.spec.in | 6 +++---
install/updates/20-syncrepl.update | 13 ++++++++++++-
2 files changed, 15 insertions(+), 4 deletions(-)
diff --git a/freeipa.spec.in b/freeipa.spec.in
index 4f60be6ccd623de4574c7627e0ffc4ff0829e701..ef96c7c271ebba33b15d9b35891092e4151c3aae 100644
--- a/freeipa.spec.in
+++ b/freeipa.spec.in
@@ -21,7 +21,7 @@ Source0: freeipa-%{version}.tar.gz
BuildRoot: %{_tmppath}/%{name}-%{version}-%{release}-root-%(%{__id_u} -n)
%if ! %{ONLY_CLIENT}
-BuildRequires: 389-ds-base-devel >= 1.3.1.3
+BuildRequires: 389-ds-base-devel >= 1.3.2.10
BuildRequires: svrcore-devel
BuildRequires: policycoreutils >= %{POLICYCOREUTILSVER}
BuildRequires: systemd-units
@@ -95,7 +95,7 @@ Group: System Environment/Base
Requires: %{name}-python = %{version}-%{release}
Requires: %{name}-client = %{version}-%{release}
Requires: %{name}-admintools = %{version}-%{release}
-Requires: 389-ds-base >= 1.3.1.3
+Requires: 389-ds-base >= 1.3.2.10
Requires: openldap-clients > 2.4.35-4
%if 0%{?fedora} == 18
Requires: nss >= 3.14.3-2
@@ -150,7 +150,7 @@ Requires: zip
Requires: policycoreutils >= %{POLICYCOREUTILSVER}
Requires: tar
Requires(pre): certmonger >= 0.65
-Requires(pre): 389-ds-base >= 1.3.1.3
+Requires(pre): 389-ds-base >= 1.3.2.10
# With FreeIPA 3.3, package freeipa-server-selinux was obsoleted as the
# entire SELinux policy is stored in the system policy
diff --git a/install/updates/20-syncrepl.update b/install/updates/20-syncrepl.update
index c4158a1634410acd323f04f442bbbd2f69c24708..e1184bf48285fb216dfb0c82e5e97bb8cc35539c 100644
--- a/install/updates/20-syncrepl.update
+++ b/install/updates/20-syncrepl.update
@@ -1,9 +1,20 @@
-# Enable Retro changelog
+# Enable Retro changelog - it is necessary for SyncRepl
dn: cn=Retro Changelog Plugin,cn=plugins,cn=config
only:nsslapd-pluginEnabled: on
+# Remember original nsuniqueid for objects referenced from cn=changelog
add:nsslapd-attribute: nsuniqueid:targetUniqueId
add:nsslapd-changelogmaxage: 2d
+# Keep memberOf and referential integrity plugins away from cn=changelog.
+# It is necessary for performance reasons because we don't have appropriate
+# indices for cn=changelog.
+dn: cn=MemberOf Plugin,cn=plugins,cn=config
+add:memberofentryscope: '$SUFFIX'
+
+dn: cn=referential integrity postoperation,cn=plugins,cn=config
+add:nsslapd-plugincontainerscope: '$SUFFIX'
+add:nsslapd-pluginentryscope: '$SUFFIX'
+
# Enable SyncRepl
dn: cn=Content Synchronization,cn=plugins,cn=config
only:nsslapd-pluginEnabled: on
--
1.8.5.3

93
0008-Remove-working-directory-for-bind-dyndb-ldap-plugin.patch
View File

@ -1,93 +0,0 @@
From 916437b391739ea3ee48dfcd9f0d164536ca9ead Mon Sep 17 00:00:00 2001
From: Petr Spacek <pspacek@redhat.com>
Date: Mon, 27 Jan 2014 14:47:10 +0100
Subject: [PATCH 8/9] Remove working directory for bind-dyndb-ldap plugin.
The working directory will be provided directly
by bind-dyndb-ldap package.
This partially reverts commit 689382dc833e687d30349b10a8fd7dc740d54d08.
https://fedorahosted.org/freeipa/ticket/3967
---
freeipa.spec.in | 1 -
install/tools/ipa-upgradeconfig | 5 +----
ipaserver/install/bindinstance.py | 13 -------------
3 files changed, 1 insertion(+), 18 deletions(-)
diff --git a/freeipa.spec.in b/freeipa.spec.in
index ef96c7c271ebba33b15d9b35891092e4151c3aae..eb9afbb4bfa1a11caf1282d5b76c2e138735386c 100644
--- a/freeipa.spec.in
+++ b/freeipa.spec.in
@@ -764,7 +764,6 @@ fi
%{_mandir}/man1/ipa-backup.1.gz
%{_mandir}/man1/ipa-restore.1.gz
%{_mandir}/man1/ipa-advise.1.gz
-%ghost %{_localstatedir}/named/ipa
%files server-trust-ad
%{_sbindir}/ipa-adtrust-install
diff --git a/install/tools/ipa-upgradeconfig b/install/tools/ipa-upgradeconfig
index 5bcef1ac827da296c6a35e8fc29a1c6f0a04f808..cf9fe0e040e56bb75ca8d53e28586911caeffb2b 100644
--- a/install/tools/ipa-upgradeconfig
+++ b/install/tools/ipa-upgradeconfig
@@ -1084,10 +1084,6 @@ def main():
setup_firefox_extension(fstore)
add_ca_dns_records()
- bind = bindinstance.BindInstance(fstore)
- if bind.is_configured():
- bind.create_dir('/var/named/ipa', 0700)
-
# Any of the following functions returns True iff the named.conf file
# has been altered
named_conf_changes = (
@@ -1101,6 +1097,7 @@ def main():
if any(named_conf_changes):
# configuration has changed, restart the name server
root_logger.info('Changes to named.conf have been made, restart named')
+ bind = bindinstance.BindInstance(fstore)
try:
bind.restart()
except ipautil.CalledProcessError, e:
diff --git a/ipaserver/install/bindinstance.py b/ipaserver/install/bindinstance.py
index 4baeb4e077c64a7abebd1c071012f6c1e02dc1ae..6d5a1d44d30c89278c24fe7ab5278355cb65b0b4 100644
--- a/ipaserver/install/bindinstance.py
+++ b/ipaserver/install/bindinstance.py
@@ -22,7 +22,6 @@
import pwd
import netaddr
import re
-import errno
import ldap
@@ -510,16 +509,6 @@ def create_sample_bind_zone(self):
os.close(bind_fd)
print "Sample zone file for bind has been created in "+bind_name
- def create_dir(self, path, mode):
- try:
- os.makedirs(path, mode)
- except OSError as e:
- if e.errno != errno.EEXIST:
- raise e
-
- pent = pwd.getpwnam(self.named_user or 'named')
- os.chown(path, pent.pw_uid, pent.pw_gid)
-
def create_instance(self):
try:
@@ -530,8 +519,6 @@ def create_instance(self):
# get a connection to the DS
self.ldap_connect()
- self.create_dir('/var/named/ipa', 0700)
-
if installutils.record_in_hosts(self.ip_address, self.fqdn) is None:
installutils.add_record_to_hosts(self.ip_address, self.fqdn)
--
1.8.5.3

65
0009-Remove-mod_ssl-port-workaround.patch
View File

@ -1,65 +0,0 @@
From a24f83b833eb515e60a6e5b8144834bae7a78f70 Mon Sep 17 00:00:00 2001
From: Jan Cholasta <jcholast@redhat.com>
Date: Tue, 26 Nov 2013 08:53:34 +0000
Subject: [PATCH 9/9] Remove mod_ssl port workaround.
https://fedorahosted.org/freeipa/ticket/4021
---
install/tools/ipa-upgradeconfig | 2 +-
ipaserver/install/httpinstance.py | 17 ++++++++---------
3 files changed, 15 insertions(+), 12 deletions(-)
diff --git a/install/tools/ipa-upgradeconfig b/install/tools/ipa-upgradeconfig
index cf9fe0e040e56bb75ca8d53e28586911caeffb2b..a31f7d092981c33694268f420892a781e9b02b3f 100644
--- a/install/tools/ipa-upgradeconfig
+++ b/install/tools/ipa-upgradeconfig
@@ -1052,7 +1052,7 @@ def main():
http = httpinstance.HTTPInstance(fstore)
http.remove_httpd_ccache()
http.configure_selinux_for_httpd()
- http.change_mod_nss_port_to_http()
+ http.change_mod_nss_port_from_http()
ds = dsinstance.DsInstance()
ds.configure_dirsrv_ccache()
diff --git a/ipaserver/install/httpinstance.py b/ipaserver/install/httpinstance.py
index 5d37926ddcaa17ce2eab839cd6aecdab0159a8ee..34e58fbb845c91c42a37d94a172e167cfb6f1790 100644
--- a/ipaserver/install/httpinstance.py
+++ b/ipaserver/install/httpinstance.py
@@ -237,25 +237,24 @@ def __configure_http(self):
http_fd.close()
os.chmod(target_fname, 0644)
- def change_mod_nss_port_to_http(self):
+ def change_mod_nss_port_from_http(self):
# mod_ssl enforces SSLEngine on for vhost on 443 even though
# the listener is mod_nss. This then crashes the httpd as mod_nss
# listened port obviously does not match mod_ssl requirements.
#
- # Change port to http to workaround the mod_ssl check, the SSL is
- # enforced in the vhost later, so it is benign.
+ # The workaround for this was to change port to http. It is no longer
+ # necessary, as mod_nss now ships with default configuration which
+ # sets SSLEngine off when mod_ssl is installed.
#
- # Remove when https://bugzilla.redhat.com/show_bug.cgi?id=1023168
- # is fixed.
- if not sysupgrade.get_upgrade_state('nss.conf', 'listen_port_updated'):
- installutils.set_directive(NSS_CONF, 'Listen', '443 http', quotes=False)
- sysupgrade.set_upgrade_state('nss.conf', 'listen_port_updated', True)
+ # Remove the workaround.
+ if sysupgrade.get_upgrade_state('nss.conf', 'listen_port_updated'):
+ installutils.set_directive(NSS_CONF, 'Listen', '443', quotes=False)
+ sysupgrade.set_upgrade_state('nss.conf', 'listen_port_updated', False)
def __set_mod_nss_port(self):
self.fstore.backup_file(NSS_CONF)
if installutils.update_file(NSS_CONF, '8443', '443') != 0:
print "Updating port in %s failed." % NSS_CONF
- self.change_mod_nss_port_to_http()
def __set_mod_nss_nickname(self, nickname):
installutils.set_directive(NSS_CONF, 'NSSNickname', nickname)
--
1.8.5.3

84
0010-Move-ipa-otpd-socket-directory.patch
View File

@ -1,84 +0,0 @@
From 6c500ccf05103566ca888bc8d67187ab81621328 Mon Sep 17 00:00:00 2001
From: Nathaniel McCallum <npmccallum@redhat.com>
Date: Fri, 7 Feb 2014 11:56:33 -0500
Subject: [PATCH] Move ipa-otpd socket directory
https://fedorahosted.org/freeipa/ticket/4167
Reviewed-By: Martin Kosek <mkosek@redhat.com>
---
daemons/configure.ac | 6 +++---
daemons/ipa-otpd/Makefile.am | 2 +-
daemons/ipa-otpd/ipa-otpd.socket.in | 4 ++--
freeipa.spec.in | 2 +-
4 files changed, 7 insertions(+), 7 deletions(-)
diff --git a/daemons/configure.ac b/daemons/configure.ac
index e57dad27614f268d3e5bbafc99b739a5cfa2589b..5646c3873beee996999e4f1d87aea653f4b5dd1b 100644
--- a/daemons/configure.ac
+++ b/daemons/configure.ac
@@ -60,10 +60,10 @@ AC_CHECK_LIB(k5crypto, main, [krb5crypto=k5crypto], [krb5crypto=crypto])
AC_CHECK_LIB(krad, main, [], [AC_MSG_ERROR([libkrad not found])])
KRB5_LIBS="-lkrb5 -l$krb5crypto -lcom_err"
KRAD_LIBS="-lkrad"
-krb5kdcdir="${localstatedir}/kerberos/krb5kdc"
+krb5rundir="${localstatedir}/run/krb5kdc"
AC_SUBST(KRB5_LIBS)
AC_SUBST(KRAD_LIBS)
-AC_SUBST(krb5kdcdir)
+AC_SUBST(krb5rundir)
dnl ---------------------------------------------------------------------------
dnl - Check for Mozilla LDAP and OpenLDAP SDK
@@ -337,7 +337,7 @@ echo "
sysconfdir: ${sysconfdir}
localstatedir: ${localstatedir}
datadir: ${datadir}
- krb5kdcdir: ${krb5kdcdir}
+ krb5rundir: ${krb5rundir}
systemdsystemunitdir: ${systemdsystemunitdir}
source code location: ${srcdir}
compiler: ${CC}
diff --git a/daemons/ipa-otpd/Makefile.am b/daemons/ipa-otpd/Makefile.am
index af82a5fe08856573d2d245608ba1dbaad171c7fe..83921748426d801e1edeec23f956689be5fe98b5 100644
--- a/daemons/ipa-otpd/Makefile.am
+++ b/daemons/ipa-otpd/Makefile.am
@@ -9,7 +9,7 @@ systemdsystemunit_DATA = ipa-otpd.socket ipa-otpd@.service
ipa_otpd_SOURCES = bind.c forward.c main.c parse.c query.c queue.c stdio.c
%.socket: %.socket.in
- @sed -e 's|@krb5kdcdir[@]|$(krb5kdcdir)|g' \
+ @sed -e 's|@krb5rundir[@]|$(krb5rundir)|g' \
-e 's|@UNLINK[@]|@UNLINK@|g' \
$< > $@
diff --git a/daemons/ipa-otpd/ipa-otpd.socket.in b/daemons/ipa-otpd/ipa-otpd.socket.in
index b968beaa7b9e68c43b2c5386b62c096fa8b97764..ce3596d9f01b26e3e8bd63f447f85a486c8e0dff 100644
--- a/daemons/ipa-otpd/ipa-otpd.socket.in
+++ b/daemons/ipa-otpd/ipa-otpd.socket.in
@@ -2,8 +2,8 @@
Description=ipa-otpd socket
[Socket]
-ListenStream=@krb5kdcdir@/DEFAULT.socket
-ExecStopPre=@UNLINK@ @krb5kdcdir@/DEFAULT.socket
+ListenStream=@krb5rundir@/DEFAULT.socket
+ExecStopPre=@UNLINK@ @krb5rundir@/DEFAULT.socket
SocketMode=0600
Accept=true
diff --git a/freeipa.spec.in b/freeipa.spec.in
index c28928c1c5c2d20e2dfe6112750c70bfb0b55894..a908adfc2b2f1bef90c051c86dcd1fdecb61daa4 100644
--- a/freeipa.spec.in
+++ b/freeipa.spec.in
@@ -107,7 +107,7 @@ Requires: nss >= 3.14.3-12.0
Requires: nss-tools >= 3.14.3-12.0
%endif
%if 0%{?krb5_dal_version} >= 4
-Requires: krb5-server >= 1.11.2-1
+Requires: krb5-server >= 1.11.5-3
%else
%if 0%{krb5_dal_version} == 3
# krb5 1.11 bumped DAL interface major version, a rebuild is needed
--
1.8.5.3

210
freeipa.spec
View File

@ -4,15 +4,13 @@
%global plugin_dir %{_libdir}/dirsrv/plugins
%global POLICYCOREUTILSVER 2.1.14-37
%global gettext_domain ipa
%global VERSION 3.3.5
%global VERSION 4.0.0
%if (0%{?fedora} > 15 || 0%{?rhel} >= 7)
%define _hardened_build 1
%endif
Name: freeipa
Version: 3.3.5
Release: 4%{?dist}
Version: 4.0.0
Release: 1%{?dist}
Summary: The Identity, Policy and Audit system
Group: System Environment/Base
@ -21,30 +19,14 @@ URL: http://www.freeipa.org/
Source0: http://www.freeipa.org/downloads/src/freeipa-%{VERSION}.tar.gz
BuildRoot: %{_tmppath}/%{name}-%{version}-%{release}-root-%(%{__id_u} -n)
Patch0001: 0001-platform-Add-Fedora-19-platform-file.patch
Patch0002: 0002-ipa-client-install-Publish-CA-certificate-to-systemw.patch
Patch0003: 0003-Add-runas-option-to-run-function.patch
Patch0004: 0004-Switch-httpd-to-use-default-CCACHE.patch
Patch0005: 0005-httpd-should-destroy-all-CCACHEs.patch
Patch0006: 0006-Enable-Retro-Changelog-and-Content-Synchronization-D.patch
Patch0007: 0007-Limit-memberOf-and-refInt-DS-plugins-to-main-IPA-suf.patch
Patch0008: 0008-Remove-working-directory-for-bind-dyndb-ldap-plugin.patch
Patch0009: 0009-Remove-mod_ssl-port-workaround.patch
Patch0010: 0010-Move-ipa-otpd-socket-directory.patch
%if ! %{ONLY_CLIENT}
BuildRequires: 389-ds-base-devel >= 1.3.2.16
BuildRequires: svrcore-devel
BuildRequires: policycoreutils >= %{POLICYCOREUTILSVER}
BuildRequires: systemd-units
%if 0%{?fedora} >= 18
BuildRequires: samba-devel >= 2:4.0.5-1
BuildRequires: samba-python
BuildRequires: libwbclient-devel
%else
BuildRequires: samba4-devel >= 4.0.0-139
BuildRequires: samba4-python
%endif
BuildRequires: libtalloc-devel
BuildRequires: libtevent-devel
%endif # ONLY_CLIENT
@ -69,7 +51,7 @@ BuildRequires: python-setuptools
BuildRequires: python-krbV
BuildRequires: python-nss
BuildRequires: python-netaddr
BuildRequires: python-kerberos
BuildRequires: python-kerberos >= 1.1-14
BuildRequires: python-rhsm
BuildRequires: pyOpenSSL
BuildRequires: pylint
@ -79,21 +61,20 @@ BuildRequires: python-memcached
BuildRequires: sssd >= 1.9.2
BuildRequires: python-lxml
BuildRequires: python-pyasn1 >= 0.0.9a
BuildRequires: python-qrcode
BuildRequires: python-dns
BuildRequires: m2crypto
BuildRequires: check
BuildRequires: libsss_idmap-devel
BuildRequires: libsss_nss_idmap-devel
BuildRequires: java-1.7.0-openjdk
BuildRequires: rhino
BuildRequires: libverto-devel
BuildRequires: systemd
BuildRequires: libunistring-devel
BuildRequires: rhino
# Find out Kerberos middle version to infer ABI changes in DAL driver
# We cannot load DAL driver into KDC with wrong ABI.
# This is also needed to support ipa-devel repository where krb5 1.11 is available for F18
%global krb5_dal_version %{expand:%(echo "#include <kdb.h>"|cpp -dM|grep KRB5_KDB_DAL_MAJOR_VERSION|cut -d' ' -f3)}
BuildRequires: python-lesscpy
BuildRequires: python-yubico
%description
IPA is an integrated solution to provide centrally managed Identity (machine,
@ -108,36 +89,17 @@ Group: System Environment/Base
Requires: %{name}-python = %{version}-%{release}
Requires: %{name}-client = %{version}-%{release}
Requires: %{name}-admintools = %{version}-%{release}
Requires: 389-ds-base >= 1.3.2.16
Requires: 389-ds-base >= 1.3.2.19
Requires: openldap-clients > 2.4.35-4
%if 0%{?fedora} == 18
Requires: nss >= 3.14.3-2
Requires: nss-tools >= 3.14.3-2
%else
Requires: nss >= 3.14.3-12.0
Requires: nss-tools >= 3.14.3-12.0
%endif
%if 0%{?krb5_dal_version} >= 4
Requires: krb5-server >= 1.11.5-3
%else
%if 0%{krb5_dal_version} == 3
# krb5 1.11 bumped DAL interface major version, a rebuild is needed
Requires: krb5-server < 1.11
Requires: krb5-server >= 1.10
%else
Requires: krb5-server >= 1.10
%endif
%endif
Requires: krb5-pkinit-openssl
Requires: cyrus-sasl-gssapi%{?_isa}
Requires: ntp
Requires: httpd >= 2.4.6-6
Requires: mod_wsgi
%if 0%{?fedora} >= 18
Requires: mod_auth_kerb >= 5.4-16
%else
Requires: mod_auth_kerb >= 5.4-8
%endif
Requires: mod_nss >= 1.0.8-26
Requires: python-ldap
Requires: python-krbV
@ -145,10 +107,11 @@ Requires: acl
Requires: python-pyasn1
Requires: memcached
Requires: python-memcached
Requires: dbus-python
Requires: systemd-units >= 38
Requires(pre): systemd-units
Requires(post): systemd-units
Requires: selinux-policy >= 3.12.1-135
Requires: selinux-policy >= 3.12.1-176
Requires(post): selinux-policy-base
Requires: slapi-nis >= 0.47.7
Requires: pki-ca >= 10.1.1
@ -163,7 +126,9 @@ Requires: zip
Requires: policycoreutils >= %{POLICYCOREUTILSVER}
Requires: tar
Requires(pre): certmonger >= 0.65
Requires(pre): 389-ds-base >= 1.3.2.10
Requires(pre): 389-ds-base >= 1.3.2.19
Requires: fontawesome-fonts
Requires: open-sans-fonts
# With FreeIPA 3.3, package freeipa-server-selinux was obsoleted as the
# entire SELinux policy is stored in the system policy
@ -172,11 +137,7 @@ Obsoletes: freeipa-server-selinux < 3.3.0
# We have a soft-requires on bind. It is an optional part of
# IPA but if it is configured we need a way to require versions
# that work for us.
%if 0%{?fedora} >= 18
Conflicts: bind-dyndb-ldap < 3.5
%else
Conflicts: bind-dyndb-ldap < 1.1.0-0.12.rc1
%endif
Conflicts: bind-dyndb-ldap < 5.0
Conflicts: bind < 9.8.2-0.4.rc2
# Versions of nss-pam-ldapd < 0.8.4 require a mapping from uniqueMember to
@ -199,19 +160,11 @@ Summary: Virtual package to install packages required for Active Directory trust
Group: System Environment/Base
Requires: %{name}-server = %version-%release
Requires: m2crypto
%if 0%{?fedora} >= 18
Requires: samba-python
Requires: samba >= 2:4.0.5-1
Requires: samba-winbind
%else
Requires: samba4-python
Requires: samba4
Requires: samba4-winbind
%endif
Requires: libsss_idmap
%if 0%{?fedora} >= 19
Requires: libsss_nss_idmap-python
%endif
# We use alternatives to divert winbind_krb5_locator.so plugin to libkrb5
# on the installes where server-trust-ad subpackage is installed because
# IPA AD trusts cannot be used at the same time with the locator plugin
@ -226,29 +179,6 @@ Cross-realm trusts with Active Directory in IPA require working Samba 4
installation. This package is provided for convenience to install all required
dependencies at once.
%if 0%{?fedora} == 19
# Fedora spec file only: START
%package server-strict
Summary: Strict package dependencies
Group: System Environment/Base
Requires(post): %{name}-server = %{version}-%{release}
Requires(postun): %{name}-server = %{version}-%{release}
# Specific requires
Requires(pre): 389-ds-base = 1.3.1.11
Requires: krb5-server = 1.11.3
Requires: pki-ca = 10.1.1
%description server-strict
IPA is an integrated solution to provide centrally managed Identity (machine,
user, virtual machines, groups, authentication credentials), Policy
(configuration settings, access control information) and Audit (events,
logs, analysis thereof). This meta package adds strict version dependencies
to known working versions. To upgrade to a non-approved version uninstall
this package.
# Fedora spec file only: END
%endif
%endif # ONLY_CLIENT
@ -310,15 +240,19 @@ IPA administrators.
%package python
Summary: Python libraries used by IPA
Group: System Environment/Libraries
Requires: python-kerberos
Requires: python-kerberos >= 1.1-14
Requires: gnupg
Requires: iproute
Requires: keyutils
Requires: pyOpenSSL
Requires: python-nss
Requires: python-nss >= 0.15
Requires: python-lxml
Requires: python-netaddr
Requires: libipa_hbac-python
Requires: python-qrcode
Requires: python-pyasn1
Requires: python-dateutil
Requires: python-yubico
Obsoletes: ipa-python >= 1.0
@ -382,22 +316,14 @@ done
# UI compilation segfaulted on some arches when the stack was lower (#1040576)
export JAVA_STACK_SIZE="8m"
%endif
export CFLAGS="$CFLAGS %{optflags}"
export CPPFLAGS="$CPPFLAGS %{optflags}"
export CFLAGS="%{optflags} $CFLAGS"
export LDFLAGS="%{__global_ldflags} $LDFLAGS"
%if 0%{?fedora} >= 19
export SUPPORTED_PLATFORM=fedora19
%else
%if 0%{?fedora} >= 18
# use fedora18 platform which is based on fedora16 platform with systemd
# support + fedora18 changes
export SUPPORTED_PLATFORM=fedora18
%else
export SUPPORTED_PLATFORM=fedora16
%endif
%endif
# Force re-generate of platform support
rm -f ipapython/services.py
export IPA_VENDOR_VERSION_SUFFIX=-%{release}
rm -f ipapython/version.py
rm -f ipaplatform/services.py
rm -f ipaplatform/tasks.py
rm -f ipaplatform/paths.py
make version-update
cd ipa-client; ../autogen.sh --prefix=%{_usr} --sysconfdir=%{_sysconfdir} --localstatedir=%{_localstatedir} --libdir=%{_libdir} --mandir=%{_mandir}; cd ..
%if ! %{ONLY_CLIENT}
@ -413,19 +339,13 @@ make IPA_VERSION_IS_GIT_SNAPSHOT=no %{?_smp_mflags} client
%install
rm -rf %{buildroot}
%if 0%{?fedora} >= 19
export SUPPORTED_PLATFORM=fedora19
%else
%if 0%{?fedora} >= 18
# use fedora18 platform which is based on fedora16 platform with systemd
# support + fedora18 changes
export SUPPORTED_PLATFORM=fedora18
%else
export SUPPORTED_PLATFORM=fedora16
%endif
%endif
# Force re-generate of platform support
rm -f ipapython/services.py
export IPA_VENDOR_VERSION_SUFFIX=-%{release}
rm -f ipapython/version.py
rm -f ipaplatform/services.py
rm -f ipaplatform/tasks.py
rm -f ipaplatform/paths.py
make version-update
%if ! %{ONLY_CLIENT}
make install DESTDIR=%{buildroot}
%else
@ -450,6 +370,7 @@ rm %{buildroot}/%{plugin_dir}/libipa_sidgen.la
rm %{buildroot}/%{plugin_dir}/libipa_sidgen_task.la
rm %{buildroot}/%{plugin_dir}/libipa_extdom_extop.la
rm %{buildroot}/%{plugin_dir}/libipa_range_check.la
rm %{buildroot}/%{plugin_dir}/libipa_otp_lasttoken.la
rm %{buildroot}/%{_libdir}/krb5/plugins/kdb/ipadb.la
rm %{buildroot}/%{_libdir}/samba/pdb/ipasam.la
@ -469,8 +390,6 @@ ln -s ../../../..%{_sysconfdir}/ipa/html/unauthorized.html \
%{buildroot}%{_usr}/share/ipa/html/unauthorized.html
ln -s ../../../..%{_sysconfdir}/ipa/html/browserconfig.html \
%{buildroot}%{_usr}/share/ipa/html/browserconfig.html
ln -s ../../../..%{_sysconfdir}/ipa/html/ipa_error.css \
%{buildroot}%{_usr}/share/ipa/html/ipa_error.css
# So we can own our Apache configuration
mkdir -p %{buildroot}%{_sysconfdir}/httpd/conf.d/
@ -553,10 +472,13 @@ fi
# Restart IPA processes. This must be also run in postrans so that plugins
# and software is in consistent state
python -c "import sys; from ipaserver.install import installutils; sys.exit(0 if installutils.is_ipa_configured() else 1);" > /dev/null 2>&1
python2 -c "import sys; from ipaserver.install import installutils; sys.exit(0 if installutils.is_ipa_configured() else 1);" > /dev/null 2>&1
# NOTE: systemd specific section
if [ $? -eq 0 ]; then
/bin/systemctl try-restart ipa.service >/dev/null 2>&1 || :
/bin/systemctl is-enabled ipa.service >/dev/null 2>&1
if [ $? -eq 0 ]; then
/bin/systemctl restart ipa.service >/dev/null 2>&1 || :
fi
fi
# END
@ -589,7 +511,7 @@ fi
winbind_krb5_locator.so /dev/null 90
%posttrans server-trust-ad
python -c "import sys; from ipaserver.install import installutils; sys.exit(0 if installutils.is_ipa_configured() else 1);" > /dev/null 2>&1
python2 -c "import sys; from ipaserver.install import installutils; sys.exit(0 if installutils.is_ipa_configured() else 1);" > /dev/null 2>&1
if [ $? -eq 0 ]; then
# NOTE: systemd specific section
/bin/systemctl try-restart httpd.service >/dev/null 2>&1 || :
@ -600,6 +522,7 @@ fi
if [ $1 -eq 0 ]; then
%{_sbindir}/update-alternatives --remove winbind_krb5_locator.so /dev/null
fi
%endif # ONLY_CLIENT
%post client
@ -680,13 +603,14 @@ fi
%{_sbindir}/ipa-csreplica-manage
%{_sbindir}/ipa-server-certinstall
%{_sbindir}/ipa-ldap-updater
%{_sbindir}/ipa-otptoken-import
%{_sbindir}/ipa-compat-manage
%{_sbindir}/ipa-nis-manage
%{_sbindir}/ipa-managed-entries
%{_sbindir}/ipactl
%{_sbindir}/ipa-upgradeconfig
%{_sbindir}/ipa-advise
%{_libexecdir}/certmonger/dogtag-ipa-retrieve-agent-submit
%{_libexecdir}/certmonger/dogtag-ipa-ca-renew-agent-submit
%{_libexecdir}/ipa-otpd
%config(noreplace) %{_sysconfdir}/sysconfig/ipa_memcached
%dir %attr(0700,apache,apache) %{_localstatedir}/run/ipa_memcached/
@ -732,7 +656,6 @@ fi
%{_usr}/share/ipa/html/ssbrowser.html
%{_usr}/share/ipa/html/browserconfig.html
%{_usr}/share/ipa/html/unauthorized.html
%{_usr}/share/ipa/html/ipa_error.css
%dir %{_usr}/share/ipa/migration
%{_usr}/share/ipa/migration/error.html
%{_usr}/share/ipa/migration/index.html
@ -740,16 +663,13 @@ fi
%{_usr}/share/ipa/migration/migration.py*
%dir %{_usr}/share/ipa/ui
%{_usr}/share/ipa/ui/index.html
%{_usr}/share/ipa/ui/login.html
%{_usr}/share/ipa/ui/logout.html
%{_usr}/share/ipa/ui/reset_password.html
%{_usr}/share/ipa/ui/sync_otp.html
%{_usr}/share/ipa/ui/*.ico
%{_usr}/share/ipa/ui/*.css
%{_usr}/share/ipa/ui/*.js
%{_usr}/share/ipa/ui/*.eot
%{_usr}/share/ipa/ui/*.svg
%{_usr}/share/ipa/ui/*.ttf
%{_usr}/share/ipa/ui/*.woff
%dir %{_usr}/share/ipa/ui/css
%{_usr}/share/ipa/ui/css/*.css
%dir %{_usr}/share/ipa/ui/js
%dir %{_usr}/share/ipa/ui/js/dojo
%{_usr}/share/ipa/ui/js/dojo/dojo.js
@ -757,10 +677,11 @@ fi
%{_usr}/share/ipa/ui/js/libs/*.js
%dir %{_usr}/share/ipa/ui/js/freeipa
%{_usr}/share/ipa/ui/js/freeipa/app.js
%{_usr}/share/ipa/ui/js/freeipa/core.js
%dir %{_usr}/share/ipa/ui/js/plugins
%dir %{_usr}/share/ipa/ui/images
%{_usr}/share/ipa/ui/images/*.jpg
%{_usr}/share/ipa/ui/images/*.png
%{_usr}/share/ipa/ui/images/*.gif
%dir %{_usr}/share/ipa/wsgi
%{_usr}/share/ipa/wsgi/plugins.py*
%dir %{_sysconfdir}/ipa
@ -768,13 +689,11 @@ fi
%config(noreplace) %{_sysconfdir}/ipa/html/ffconfig.js
%config(noreplace) %{_sysconfdir}/ipa/html/ffconfig_page.js
%config(noreplace) %{_sysconfdir}/ipa/html/ssbrowser.html
%config(noreplace) %{_sysconfdir}/ipa/html/ipa_error.css
%config(noreplace) %{_sysconfdir}/ipa/html/unauthorized.html
%config(noreplace) %{_sysconfdir}/ipa/html/browserconfig.html
%ghost %attr(0644,root,apache) %config(noreplace) %{_sysconfdir}/httpd/conf.d/ipa-rewrite.conf
%ghost %attr(0644,root,apache) %config(noreplace) %{_sysconfdir}/httpd/conf.d/ipa.conf
%ghost %attr(0644,root,apache) %config(noreplace) %{_sysconfdir}/httpd/conf.d/ipa-pki-proxy.conf
%{_usr}/share/ipa/ca_renewal
%{_usr}/share/ipa/ipa.conf
%{_usr}/share/ipa/ipa-rewrite.conf
%{_usr}/share/ipa/ipa-pki-proxy.conf
@ -798,6 +717,7 @@ fi
%attr(755,root,root) %{plugin_dir}/libipa_cldap.so
%attr(755,root,root) %{plugin_dir}/libipa_dns.so
%attr(755,root,root) %{plugin_dir}/libipa_range_check.so
%attr(755,root,root) %{plugin_dir}/libipa_otp_lasttoken.so
%dir %{_localstatedir}/lib/ipa
%attr(700,root,root) %dir %{_localstatedir}/lib/ipa/backup
%attr(700,root,root) %dir %{_localstatedir}/lib/ipa/sysrestore
@ -823,6 +743,7 @@ fi
%{_mandir}/man1/ipa-backup.1.gz
%{_mandir}/man1/ipa-restore.1.gz
%{_mandir}/man1/ipa-advise.1.gz
%{_mandir}/man1/ipa-otptoken-import.1.gz
%files server-trust-ad
%{_sbindir}/ipa-adtrust-install
@ -836,13 +757,6 @@ fi
%{python_sitelib}/ipaserver/install/adtrustinstance*
%ghost %{_libdir}/krb5/plugins/libkrb5/winbind_krb5_locator.so
%if 0%{?fedora} == 19
# Fedora spec file only: START
%files server-strict
%defattr(-,root,root,-)
%doc COPYING README Contributors.txt
# Fedora spec file only: END
%endif
%endif # ONLY_CLIENT
%files client
@ -854,11 +768,8 @@ fi
%{_sbindir}/ipa-rmkeytab
%{_sbindir}/ipa-join
%dir %{_usr}/share/ipa
%dir %{_usr}/share/ipa/ipaclient
%dir %{_localstatedir}/lib/ipa-client
%dir %{_localstatedir}/lib/ipa-client/sysrestore
%{_usr}/share/ipa/ipaclient/ipa.cfg
%{_usr}/share/ipa/ipaclient/ipa.js
%dir %{python_sitelib}/ipaclient
%{python_sitelib}/ipaclient/*.py*
%{_mandir}/man1/ipa-getkeytab.1.gz
@ -881,21 +792,11 @@ fi
%defattr(-,root,root,-)
%doc COPYING README Contributors.txt
%dir %{python_sitelib}/ipapython
%dir %{python_sitelib}/ipapython/platform
%dir %{python_sitelib}/ipapython/platform/base
%dir %{python_sitelib}/ipapython/platform/fedora16
%dir %{python_sitelib}/ipapython/platform/fedora18
%dir %{python_sitelib}/ipapython/platform/fedora19
%dir %{python_sitelib}/ipapython/platform/redhat
%{python_sitelib}/ipapython/*.py*
%{python_sitelib}/ipapython/platform/*.py*
%{python_sitelib}/ipapython/platform/base/*.py*
%{python_sitelib}/ipapython/platform/fedora16/*.py*
%{python_sitelib}/ipapython/platform/fedora18/*.py*
%{python_sitelib}/ipapython/platform/fedora19/*.py*
%{python_sitelib}/ipapython/platform/redhat/*.py*
%dir %{python_sitelib}/ipalib
%{python_sitelib}/ipalib/*
%dir %{python_sitelib}/ipaplatform
%{python_sitelib}/ipaplatform/*
%attr(0644,root,root) %{python_sitearch}/default_encoding_utf8.so
%{python_sitelib}/ipapython-*.egg-info
%{python_sitelib}/freeipa-*.egg-info
@ -914,7 +815,8 @@ fi
%dir %{python_sitelib}/ipatests/test_ipalib
%dir %{python_sitelib}/ipatests/test_ipapython
%dir %{python_sitelib}/ipatests/test_ipaserver
%dir %{python_sitelib}/ipatests/test_ipaserver/install
%dir %{python_sitelib}/ipatests/test_ipaserver/test_install
%dir %{python_sitelib}/ipatests/test_ipaserver/data
%dir %{python_sitelib}/ipatests/test_pkcs10
%dir %{python_sitelib}/ipatests/test_webui
%dir %{python_sitelib}/ipatests/test_xmlrpc
@ -928,6 +830,10 @@ fi
%endif # ONLY_CLIENT
%changelog
* Mon Jul 07 2014 Petr Viktorin <pviktori@redhat.com> 4.0.0-1
- Update to upstream 4.0.0
- Remove the server-strict package
* Sat Jun 07 2014 Fedora Release Engineering <rel-eng@lists.fedoraproject.org> - 3.3.5-4
- Rebuilt for https://fedoraproject.org/wiki/Fedora_21_Mass_Rebuild

2
sources
View File

@ -1 +1 @@
d255c8177714735bc3963c619a0737ba freeipa-3.3.5.tar.gz
84ee2352f153074e2ace1d04ba4c2efb freeipa-4.0.0.tar.gz