From 9d212321517c099446862dc86dc9c6063d059605 Mon Sep 17 00:00:00 2001
From: Martin Kosek
Date: Tue, 28 Jan 2014 13:37:46 +0100
Subject: [PATCH] 3.3.4-1 - Update to upstream 3.3.4 - Install CA anchor into standard location (#928478) - ipa-client-install part of ipa-server-install fails on reinstall (#1044994) - Remove mod_ssl workaround (RHEL bug #1029046) - Enable syncrepl plugin to support bind-dyndb-ldap 4.0
---
 .gitignore | 1 +
 ...platform-Add-Fedora-19-platform-file.patch | 156 +++++++++++++++
 ...ll-Publish-CA-certificate-to-systemw.patch | 178 ++++++++++++++++++
 0003-Add-runas-option-to-run-function.patch | 106 +++++++++++
 0004-Switch-httpd-to-use-default-CCACHE.patch | 84 +++++++++
 0005-httpd-should-destroy-all-CCACHEs.patch | 30 +++
 ...ngelog-and-Content-Synchronization-D.patch | 124 ++++++++++++
 ...nd-refInt-DS-plugins-to-main-IPA-suf.patch | 73 +++++++
 ...directory-for-bind-dyndb-ldap-plugin.patch | 93 +++++++++
 0009-Remove-mod_ssl-port-workaround.patch | 98 ++++++++++
 freeipa.spec | 54 +++++-
 sources | 2 +-
 12 files changed, 988 insertions(+), 11 deletions(-)
 create mode 100644 0001-platform-Add-Fedora-19-platform-file.patch
 create mode 100644 0002-ipa-client-install-Publish-CA-certificate-to-systemw.patch
 create mode 100644 0003-Add-runas-option-to-run-function.patch
 create mode 100644 0004-Switch-httpd-to-use-default-CCACHE.patch
 create mode 100644 0005-httpd-should-destroy-all-CCACHEs.patch
 create mode 100644 0006-Enable-Retro-Changelog-and-Content-Synchronization-D.patch
 create mode 100644 0007-Limit-memberOf-and-refInt-DS-plugins-to-main-IPA-suf.patch
 create mode 100644 0008-Remove-working-directory-for-bind-dyndb-ldap-plugin.patch
 create mode 100644 0009-Remove-mod_ssl-port-workaround.patch
diff --git a/.gitignore b/.gitignore
index b529335..8f58a9c 100644
--- a/.gitignore
+++ b/.gitignore
@@ -27,3 +27,4 @@
 /freeipa-3.3.0.tar.gz
 /freeipa-3.3.1.tar.gz
 /freeipa-3.3.3.tar.gz
+/freeipa-3.3.4.tar.gz
diff --git a/0001-platform-Add-Fedora-19-platform-file.patch b/0001-platform-Add-Fedora-19-platform-file.patch
new file mode 100644
index 0000000..c849b54
--- /dev/null
+++ b/0001-platform-Add-Fedora-19-platform-file.patch
@@ -0,0 +1,156 @@
+From 2a98701ea1745394b717c3f4be4e0e376ab1d658 Mon Sep 17 00:00:00 2001
+From: Tomas Babej
+Date: Mon, 11 Nov 2013 13:02:40 +0100
+Subject: [PATCH 1/9] platform: Add Fedora 19 platform file
+
+Part of: https://fedorahosted.org/freeipa/ticket/3504
+---
+ freeipa.spec.in | 15 ++++++++-
+ ipapython/platform/fedora19/__init__.py | 55 +++++++++++++++++++++++++++++++++
+ ipapython/setup.py.in | 1 +
+ 3 files changed, 70 insertions(+), 1 deletion(-)
+ create mode 100644 ipapython/platform/fedora19/__init__.py
+
+diff --git a/freeipa.spec.in b/freeipa.spec.in
+index 138390ed729ac561504e41b44bb0e2c9041e7b94..8fd0a368ed02cfad120db6283e3899027d467bfc 100644
+--- a/freeipa.spec.in
++++ b/freeipa.spec.in
+@@ -326,6 +326,9 @@ export JAVA_STACK_SIZE="8m"
+ %endif
+ export CFLAGS="$CFLAGS %{optflags}"
+ export CPPFLAGS="$CPPFLAGS %{optflags}"
++%if 0%{?fedora} >= 19
++export SUPPORTED_PLATFORM=fedora19
++%else
+ %if 0%{?fedora} >= 18
+ # use fedora18 platform which is based on fedora16 platform with systemd
+ # support + fedora18 changes
+@@ -333,6 +336,7 @@ export SUPPORTED_PLATFORM=fedora18
+ %else
+ export SUPPORTED_PLATFORM=fedora16
+ %endif
++%endif
+ # Force re-generate of platform support
+ rm -f ipapython/services.py
+ make version-update
+@@ -350,6 +354,9 @@ make IPA_VERSION_IS_GIT_SNAPSHOT=no %{?_smp_mflags} client
+
+ %install
+ rm -rf %{buildroot}
++%if 0%{?fedora} >= 19
++export SUPPORTED_PLATFORM=fedora19
++%else
+ %if 0%{?fedora} >= 18
+ # use fedora18 platform which is based on fedora16 platform with systemd
+ # support + fedora18 changes
+@@ -357,6 +364,7 @@ export SUPPORTED_PLATFORM=fedora18
+ %else
+ export SUPPORTED_PLATFORM=fedora16
+ %endif
++%endif
+ # Force re-generate of platform support
+ rm -f ipapython/services.py
+ %if ! %{ONLY_CLIENT}
+@@ -810,12 +818,14 @@ fi
+ %dir %{python_sitelib}/ipapython/platform/base
+ %dir %{python_sitelib}/ipapython/platform/fedora16
+ %dir %{python_sitelib}/ipapython/platform/fedora18
++%dir %{python_sitelib}/ipapython/platform/fedora19
+ %dir %{python_sitelib}/ipapython/platform/redhat
+ %{python_sitelib}/ipapython/*.py*
+ %{python_sitelib}/ipapython/platform/*.py*
+ %{python_sitelib}/ipapython/platform/base/*.py*
+ %{python_sitelib}/ipapython/platform/fedora16/*.py*
+ %{python_sitelib}/ipapython/platform/fedora18/*.py*
++%{python_sitelib}/ipapython/platform/fedora19/*.py*
+ %{python_sitelib}/ipapython/platform/redhat/*.py*
+ %dir %{python_sitelib}/ipalib
+ %{python_sitelib}/ipalib/*
+@@ -851,7 +861,10 @@ fi
+ %endif # ONLY_CLIENT
+
+ %changelog
+-* Fri Oct 25 2013 Martin Kosek - 3.3.2-1
++* Tue Nov 12 2013 Tomas Babej - 3.3.90-5
++- Add Fedora 19 platform files
++
++* Fri Oct 25 2013 Martin Kosek - 3.3.90-4
+ - Remove mod_ssl conflict, it can now live with mod_nss installed
+
+ * Wed Sep 4 2013 Ana Krivokapic - 3.3.0-3
+diff --git a/ipapython/platform/fedora19/__init__.py b/ipapython/platform/fedora19/__init__.py
+new file mode 100644
+index 0000000000000000000000000000000000000000..80356d65f4d07483000d57e16b193a857d0988ca
+--- /dev/null
++++ b/ipapython/platform/fedora19/__init__.py
+@@ -0,0 +1,55 @@
++# Author: Tomas Babej
++#
++# Copyright (C) 2013 Red Hat
++# see file 'COPYING' for use and warranty information
++#
++# This program is free software; you can redistribute it and/or modify
++# it under the terms of the GNU General Public License as published by
++# the Free Software Foundation, either version 3 of the License, or
++# (at your option) any later version.
++#
++# This program is distributed in the hope that it will be useful,
++# but WITHOUT ANY WARRANTY; without even the implied warranty of
++# MERCHANTABILITY or FITNESS FOR A PARTICULAR PURPOSE. See the
++# GNU General Public License for more details.
++#
++# You should have received a copy of the GNU General Public License
++# along with this program. If not, see .
++#
++
++from ipapython.platform import fedora18, base
++
++# All what we allow exporting directly from this module
++
++# Everything else is made available through these symbols when they are
++# directly imported into ipapython.services:
++
++# authconfig -- class reference for platform-specific implementation of
++# authconfig(8)
++# service -- class reference for platform-specific implementation of a
++# PlatformService class
++# knownservices -- factory instance to access named services IPA cares about,
++# names are ipapython.services.wellknownservices
++# backup_and_replace_hostname -- platform-specific way to set hostname and
++# make it persistent over reboots
++# restore_network_configuration -- platform-specific way of restoring network
++# configuration (e.g. static hostname)
++# restore_context -- platform-sepcific way to restore security context, if
++# applicable
++# check_selinux_status -- platform-specific way to see if SELinux is enabled
++# and restorecon is installed.
++
++__all__ = ['authconfig', 'service', 'knownservices',
++ 'backup_and_replace_hostname', 'restore_context', 'check_selinux_status',
++ 'restore_network_configuration', 'timedate_services']
++
++# Just copy a referential list of timedate services
++timedate_services = list(base.timedate_services)
++
++backup_and_replace_hostname = fedora18.backup_and_replace_hostname
++restore_network_configuration = fedora18.restore_network_configuration
++authconfig = fedora18.authconfig
++service = fedora18.service
++knownservices = fedora18.knownservices
++restore_context = fedora18.restore_context
++check_selinux_status = fedora18.check_selinux_status
+diff --git a/ipapython/setup.py.in b/ipapython/setup.py.in
+index d3bbcaf1e46528d50731ca18a96a3384f6b49548..108c95d0ccb74e1cec5167759243f428f4ecf21a 100644
+--- a/ipapython/setup.py.in
++++ b/ipapython/setup.py.in
+@@ -70,6 +70,7 @@ def setup_package():
+ "ipapython.platform.base",
+ "ipapython.platform.fedora16",
+ "ipapython.platform.fedora18",
++ "ipapython.platform.fedora19",
+ "ipapython.platform.redhat" ],
+ )
+ finally:
+--
+1.8.5.3
+
diff --git a/0002-ipa-client-install-Publish-CA-certificate-to-systemw.patch b/0002-ipa-client-install-Publish-CA-certificate-to-systemw.patch
new file mode 100644
index 0000000..2fdef0e
--- /dev/null
+++ b/0002-ipa-client-install-Publish-CA-certificate-to-systemw.patch
@@ -0,0 +1,178 @@
+From eb81f2cf7e0bde6879952d7256bbdfeb3b5c798b Mon Sep 17 00:00:00 2001
+From: Tomas Babej
+Date: Tue, 24 Sep 2013 10:54:57 +0200
+Subject: [PATCH 2/9] ipa-client-install: Publish CA certificate to systemwide
+ store
+
+During the installation, copy the CA certificate to the systemwide
+store (/etc/pki/ca-trust/source/anchors/ipa-ca.crt) and update the
+systemwide CA database.
+
+This allows browsers to access IPA WebUI without warning out of the
+box.
+
+https://fedorahosted.org/freeipa/ticket/3504
+---
+ ipa-client/ipa-install/ipa-client-install | 13 +++++-
+ ipapython/platform/fedora19/__init__.py | 67 ++++++++++++++++++++++++++++++-
+ ipapython/services.py.in | 11 ++++-
+ 3 files changed, 88 insertions(+), 3 deletions(-)
+
+diff --git a/ipa-client/ipa-install/ipa-client-install b/ipa-client/ipa-install/ipa-client-install
+index afed54e5ddbf5ed985b637f20ac61d8ab1632364..23cd9a0babcb600134d87224f0c32ad9ca8845b5 100755
+--- a/ipa-client/ipa-install/ipa-client-install
++++ b/ipa-client/ipa-install/ipa-client-install
+@@ -651,6 +651,9 @@ def uninstall(options, env):
+ root_logger.warning('Please remove /etc/ipa/default.conf manually, '
+ 'as it can cause subsequent installation to fail.')
+
++ # Remove the CA cert from the systemwide certificate store
++ ipaservices.remove_ca_cert_from_systemwide_ca_store(CACERT)
++
+ # Remove the CA cert
+ try:
+ os.remove(CACERT)
+@@ -2293,12 +2296,20 @@ def install(options, env, fstore, statestore):
+ return CLIENT_INSTALL_ERROR
+ root_logger.info("Configured /etc/sssd/sssd.conf")
+
++ # Add the CA to the platform-dependant systemwide CA store
++ ipaservices.insert_ca_cert_into_systemwide_ca_store(CACERT)
++
+ # Add the CA to the default NSS database and trust it
+ try:
+- run(["/usr/bin/certutil", "-A", "-d", "/etc/pki/nssdb", "-n", "IPA CA", "-t", "CT,C,C", "-a", "-i", CACERT])
++ root_logger.debug("Attempting to add CA directly to the "
++ "default NSS database.")
++ run(["/usr/bin/certutil", "-A", "-d", "/etc/pki/nssdb",
++ "-n", "IPA CA", "-t", "CT,C,C", "-a", "-i", CACERT])
+ except CalledProcessError, e:
+ root_logger.info("Failed to add CA to the default NSS database.")
+ return CLIENT_INSTALL_ERROR
++ else:
++ root_logger.info('Added the CA to the default NSS database.')
+
+ host_principal = 'host/%s@%s' % (hostname, cli_realm)
+ if options.on_master:
+diff --git a/ipapython/platform/fedora19/__init__.py b/ipapython/platform/fedora19/__init__.py
+index 80356d65f4d07483000d57e16b193a857d0988ca..9b931625bdcd4f1266ecfd0c7fea4c37ac7935aa 100644
+--- a/ipapython/platform/fedora19/__init__.py
++++ b/ipapython/platform/fedora19/__init__.py
+@@ -17,6 +17,14 @@
+ # along with this program. If not, see .
+ #
+
++import shutil
++import os
++
++from subprocess import CalledProcessError
++
++from ipapython.ipa_log_manager import root_logger
++from ipapython.ipautil import run
++
+ from ipapython.platform import fedora18, base
+
+ # All what we allow exporting directly from this module
+@@ -38,10 +46,19 @@
+ # applicable
+ # check_selinux_status -- platform-specific way to see if SELinux is enabled
+ # and restorecon is installed.
++# insert_ca_cert_into_systemwide_ca_store - platform-specific way to insert our
++# CA certificate into the systemwide
++# CA store
++# remove_ca_cert_from_systemwide_ca_store - platform-specific way to remove our
++# CA certificate from the systemwide
++# CA store
++
+
+ __all__ = ['authconfig', 'service', 'knownservices',
+ 'backup_and_replace_hostname', 'restore_context', 'check_selinux_status',
+- 'restore_network_configuration', 'timedate_services']
++ 'restore_network_configuration', 'timedate_services',
++ 'insert_ca_cert_into_systemwide_ca_store',
++ 'remove_ca_cert_from_systemwide_ca_store']
+
+ # Just copy a referential list of timedate services
+ timedate_services = list(base.timedate_services)
+@@ -53,3 +70,51 @@
+ knownservices = fedora18.knownservices
+ restore_context = fedora18.restore_context
+ check_selinux_status = fedora18.check_selinux_status
++
++systemwide_ca_store = '/etc/pki/ca-trust/source/anchors/'
++
++
++def insert_ca_cert_into_systemwide_ca_store(cacert_path):
++ # Add the 'ipa-' prefix to cert name to avoid name collisions
++ cacert_name = os.path.basename(cacert_path)
++ new_cacert_path = os.path.join(systemwide_ca_store, 'ipa-%s' % cacert_name)
++
++ # Add the CA to the systemwide CA trust database
++ try:
++ shutil.copy(cacert_path, new_cacert_path)
++ run(['/usr/bin/update-ca-trust'])
++ except OSError, e:
++ root_logger.info("Failed to copy %s to %s" % (cacert_path,
++ new_cacert_path))
++ except CalledProcessError, e:
++ root_logger.info("Failed to add CA to the systemwide "
++ "CA trust database: %s" % str(e))
++ else:
++ root_logger.info('Added the CA to the systemwide CA trust database.')
++ return True
++
++ return False
++
++
++def remove_ca_cert_from_systemwide_ca_store(cacert_path):
++ # Derive the certificate name in the store
++ cacert_name = os.path.basename(cacert_path)
++ new_cacert_path = os.path.join(systemwide_ca_store, 'ipa-%s' % cacert_name)
++
++ # Remove CA cert from systemwide store
++ if os.path.exists(new_cacert_path):
++ try:
++ os.remove(new_cacert_path)
++ run(['/usr/bin/update-ca-trust'])
++ except OSError, e:
++ root_logger.error('Could not remove: %s, %s'
++ % (new_cacert_path, str(e)))
++ return False
++ except CalledProcessError, e:
++ root_logger.error('Could not update systemwide CA trust '
++ 'database: %s' % str(e))
++ return False
++ else:
++ root_logger.info('Systemwide CA database updated.')
++
++ return True
+diff --git a/ipapython/services.py.in b/ipapython/services.py.in
+index 16b62ca8508d4078e896cd1da6fd664f52a3930e..d648ad5bf77aa58f2de33f0a02440eae01d6396b 100644
+--- a/ipapython/services.py.in
++++ b/ipapython/services.py.in
+@@ -21,7 +21,7 @@
+ authconfig = None
+
+ # knownservices is an entry point to known platform services
+-# (instance of ipapython.platform.base.KnownServices)
++# (instance of ipapython.platform.base.KnownServices)
+ knownservices = None
+
+ # service is a class to instantiate ipapython.platform.base.PlatformService
+@@ -55,4 +55,13 @@ from ipapython.platform.base import SVC_LIST_FILE
+ def get_svc_list_file():
+ return SVC_LIST_FILE
+
++def insert_ca_cert_into_systemwide_ca_store_default(path):
++ return True
++
++def remove_ca_cert_from_systemwide_ca_store_default(path):
++ return True
++
++insert_ca_cert_into_systemwide_ca_store = insert_ca_cert_into_systemwide_ca_store_default
++remove_ca_cert_from_systemwide_ca_store = remove_ca_cert_from_systemwide_ca_store_default
++
+ from ipapython.platform.SUPPORTED_PLATFORM import *
+--
+1.8.5.3
+
diff --git a/0003-Add-runas-option-to-run-function.patch b/0003-Add-runas-option-to-run-function.patch
new file mode 100644
index 0000000..a470d1a
--- /dev/null
+++ b/0003-Add-runas-option-to-run-function.patch
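Review bot: In `insert_ca_cert_into_systemwide_ca_store` (patch 2/9) the `except OSError` clause does not cover a failed `shutil.copy`: this is Python 2 code (`except X, e`), where a failed open or write raises `IOError`, a sibling of `OSError`, so a missing or unreadable CA file would propagate out of the client installer instead of being logged. Catching both with `except (IOError, OSError), e:` keeps the best-effort behaviour the function is written for. The call sites in `install()` and `uninstall()` discard the return value, and the two failure branches of the insert function log at info level only, so a host can finish enrolment without the trust anchor and nothing at warning level records it; `root_logger.warning(...)` in those branches would make that visible. Both new functions would also benefit from a one-line docstring stating the destination (`systemwide_ca_store` plus `'ipa-'` plus the basename) and the True/False return.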
@@ -0,0 +1,106 @@
+From b4791862852770711be87ca63ed85b23e72baea3 Mon Sep 17 00:00:00 2001
+From: Martin Kosek
+Date: Thu, 16 Jan 2014 14:10:42 +0100
+Subject: [PATCH 3/9] Add runas option to run function
+
+Run function can now run the specified command as different user by
+setting the both real and effective UID and GID for executed process.
+
+Add both the missing run function attribute doc strings as well as
+a doc string for the runas attribute.
+---
+ ipapython/ipautil.py | 59 +++++++++++++++++++++++++++++++++-------------------
+ 1 file changed, 38 insertions(+), 21 deletions(-)
+
+diff --git a/ipapython/ipautil.py b/ipapython/ipautil.py
+index 92569c3b487bdbbfc4f0033813fda56c8928f20c..f7a2443af940a695321da7989457a392d6451d44 100644
+--- a/ipapython/ipautil.py
++++ b/ipapython/ipautil.py
+@@ -42,6 +42,7 @@
+ import netaddr
+ import time
+ import krbV
++import pwd
+ from dns import resolver, rdatatype
+ from dns.exception import DNSException
+
+@@ -246,29 +247,35 @@ def shell_quote(string):
+ return "'" + string.replace("'", "'\\''") + "'"
+
+ def run(args, stdin=None, raiseonerr=True,
+- nolog=(), env=None, capture_output=True, skip_output=False, cwd=None):
++ nolog=(), env=None, capture_output=True, skip_output=False, cwd=None,
++ runas=None):
+ """
+ Execute a command and return stdin, stdout and the process return code.
+
+- args is a list of arguments for the command
+-
+- stdin is used if you want to pass input to the command
+-
+- raiseonerr raises an exception if the return code is not zero
+-
+- nolog is a tuple of strings that shouldn't be logged, like passwords.
+- Each tuple consists of a string to be replaced by XXXXXXXX.
+-
+- For example, the command ['/usr/bin/setpasswd', '--password', 'Secret123', 'someuser']
+-
+- We don't want to log the password so nolog would be set to:
+- ('Secret123',)
+-
+- The resulting log output would be:
+-
+- /usr/bin/setpasswd --password XXXXXXXX someuser
+-
+- If an value isn't found in the list it is silently ignored.
++ :param args: List of arguments for the command
++ :param stdin: Optional input to the command
++ :param raiseonerr: If True, raises an exception if the return code is
++ not zero
++ :param nolog: Tuple of strings that shouldn't be logged, like passwords.
++ Each tuple consists of a string to be replaced by XXXXXXXX.
++
++ Example:
++ We have a command
++ ['/usr/bin/setpasswd', '--password', 'Secret123', 'someuser']
++ and we don't want to log the password so nolog would be set to:
++ ('Secret123',)
++ The resulting log output would be:
++
++ /usr/bin/setpasswd --password XXXXXXXX someuser
++
++ If a value isn't found in the list it is silently ignored.
++ :param env: Dictionary of environment variables passed to the command.
++ When None, current environment is copied
++ :param capture_output: Capture stderr and stdout
++ :param skip_output: Redirect the output to /dev/null and do not capture it
++ :param cwd: Current working directory
++ :param runas: Name of a user that the command shold be run as. The spawned
++ process will have both real and effective UID and GID set.
+ """
+ p_in = None
+ p_out = None
+@@ -298,9 +305,19 @@ def run(args, stdin=None, raiseonerr=True,
+ root_logger.debug('Starting external process')
+ root_logger.debug('args=%s' % arg_string)
+
++ preexec_fn = None
++ if runas is not None:
++ pent = pwd.getpwnam(runas)
++ root_logger.debug('runas=%s (UID %d, GID %s)', runas,
++ pent.pw_uid, pent.pw_gid)
++
++ preexec_fn = lambda: (os.setregid(pent.pw_gid, pent.pw_gid),
++ os.setreuid(pent.pw_uid, pent.pw_uid))
++
+ try:
+ p = subprocess.Popen(args, stdin=p_in, stdout=p_out, stderr=p_err,
+- close_fds=True, env=env, cwd=cwd)
++ close_fds=True, env=env, cwd=cwd,
++ preexec_fn=preexec_fn)
+ stdout,stderr = p.communicate(stdin)
+ stdout,stderr = str(stdout), str(stderr) # Make pylint happy
+ except KeyboardInterrupt:
+--
+1.8.5.3
+
diff --git a/0004-Switch-httpd-to-use-default-CCACHE.patch b/0004-Switch-httpd-to-use-default-CCACHE.patch
new file mode 100644
index 0000000..dd8cf44
--- /dev/null
+++ b/0004-Switch-httpd-to-use-default-CCACHE.patch
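Review bot: The `preexec_fn` built for `runas` in `run()` (patch 3/9) sets the real and effective GID and UID but never resets the supplementary group list, so the child keeps the caller's groups (root's, when an installer calls it) and is not fully confined to the target account. Setting the groups first closes that gap: `preexec_fn = lambda: (os.initgroups(runas, pent.pw_gid), os.setregid(pent.pw_gid, pent.pw_gid), os.setreuid(pent.pw_uid, pent.pw_uid))`, or `os.setgroups([])` if no supplementary groups are wanted. `pwd.getpwnam(runas)` raises `KeyError` for an unknown account and nothing in the hunk handles it, so the `:param runas:` text should say so, and should also note that with `env=None` the child still receives a copy of the caller's environment. The body of `run()` starts and ends outside the hunk.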
@@ -0,0 +1,84 @@
+From 97d3a2420f5b29d3777c1661c27a7cc6b157a2d5 Mon Sep 17 00:00:00 2001
+From: Martin Kosek
+Date: Thu, 16 Jan 2014 14:12:29 +0100
+Subject: [PATCH 4/9] Switch httpd to use default CCACHE
+
+Stock httpd no longer uses systemd EnvironmentFile option which is
+making FreeIPA's KRB5CCNAME setting ineffective. This can lead in hard
+to debug problems during subsequent ipa-server-install's where HTTP
+may use a stale CCACHE in the default kernel keyring CCACHE.
+
+Avoid forcing custom CCACHE and switch to system one, just make sure
+that it is properly cleaned by kdestroy run as "apache" user during
+FreeIPA server installation process.
+
+https://fedorahosted.org/freeipa/ticket/4084
+---
+ install/tools/ipa-upgradeconfig | 7 ++++++-
+ ipaserver/install/httpinstance.py | 22 +++-------------------
+ 2 files changed, 9 insertions(+), 20 deletions(-)
+
+diff --git a/install/tools/ipa-upgradeconfig b/install/tools/ipa-upgradeconfig
+index 41c51263d5fc8b3a0e2f28bab89fc9d2d184fdca..cf9fe0e040e56bb75ca8d53e28586911caeffb2b 100644
+--- a/install/tools/ipa-upgradeconfig
++++ b/install/tools/ipa-upgradeconfig
+@@ -1043,10 +1043,15 @@ def main():
+ update_dbmodules(api.env.realm)
+ uninstall_ipa_kpasswd()
+
++ removed_sysconfig_file = '/etc/sysconfig/httpd'
++ if fstore.has_file(removed_sysconfig_file):
++ root_logger.info('Restoring %s as it is no longer required',
++ removed_sysconfig_file)
++ fstore.restore_file(removed_sysconfig_file)
++
+ http = httpinstance.HTTPInstance(fstore)
+ http.remove_httpd_ccache()
+ http.configure_selinux_for_httpd()
+- http.configure_httpd_ccache()
+ http.change_mod_nss_port_to_http()
+
+ ds = dsinstance.DsInstance()
+diff --git a/ipaserver/install/httpinstance.py b/ipaserver/install/httpinstance.py
+index 689e657e291b93d90038937a61f67915c0d582ec..9c9205883b38dfb854fb2885d3692a7053866b63 100644
+--- a/ipaserver/install/httpinstance.py
++++ b/ipaserver/install/httpinstance.py
+@@ -126,7 +126,6 @@ def create_instance(self, realm, fqdn, domain_name, dm_password=None,
+ self.step("creating a keytab for httpd", self.__create_http_keytab)
+ self.step("clean up any existing httpd ccache", self.remove_httpd_ccache)
+ self.step("configuring SELinux for httpd", self.configure_selinux_for_httpd)
+- self.step("configure httpd ccache", self.configure_httpd_ccache)
+ self.step("restarting httpd", self.__start)
+ self.step("configuring httpd to start on boot", self.__enable)
+
+@@ -217,24 +216,9 @@ def __create_http_keytab(self):
+
+ def remove_httpd_ccache(self):
+ # Clean up existing ccache
+- pent = pwd.getpwnam("apache")
+- installutils.remove_file('/tmp/krb5cc_%d' % pent.pw_uid)
+-
+- def configure_httpd_ccache(self):
+- pent = pwd.getpwnam("apache")
+- ccache = '/tmp/krb5cc_%d' % pent.pw_uid
+- filepath = '/etc/sysconfig/httpd'
+- if not os.path.exists(filepath):
+- # file doesn't exist; create it with correct ownership & mode
+- open(filepath, 'a').close()
+- os.chmod(filepath,
+- stat.S_IRUSR | stat.S_IWUSR | stat.S_IRGRP | stat.S_IROTH)
+- os.chown(filepath, 0, 0)
+-
+- replacevars = {'KRB5CCNAME': ccache}
+- old_values = ipautil.backup_config_and_replace_variables(
+- self.fstore, filepath, replacevars=replacevars)
+- ipaservices.restore_context(filepath)
++ # Make sure that empty env is passed to avoid passing KRB5CCNAME from
++ # current env
++ ipautil.run(['kdestroy'], runas='apache', raiseonerr=False, env={})
+
+ def __configure_http(self):
+ target_fname = '/etc/httpd/conf.d/ipa.conf'
+--
+1.8.5.3
+
diff --git a/0005-httpd-should-destroy-all-CCACHEs.patch b/0005-httpd-should-destroy-all-CCACHEs.patch
new file mode 100644
index 0000000..3c3e5f8
--- /dev/null
+++ b/0005-httpd-should-destroy-all-CCACHEs.patch
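Review bot: `remove_httpd_ccache` (patch 4/9) now invokes `kdestroy` by bare name with `env={}`, so the child has no PATH of its own and the lookup depends on Python's built-in default search path rather than a fixed location. The other external commands in this series (`/usr/bin/certutil`, `/usr/bin/update-ca-trust`) are called by absolute path and this one should be too, e.g. `ipautil.run(['/usr/bin/kdestroy'], runas='apache', raiseonerr=False, env={})`, with the path confirmed against the packaged binary. Because `raiseonerr=False` is combined with a discarded result, a failed cleanup leaves the stale credential cache the commit message describes without any log entry; checking the returned code and logging a warning would cover that. Patch 5/9 keeps the same bare-name call and only adds `-A`, so the point applies there as well.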
@@ -0,0 +1,30 @@
+From d134f591c9250f38d170a937ec221637d09b58bc Mon Sep 17 00:00:00 2001
+From: Martin Kosek
+Date: Wed, 22 Jan 2014 16:08:51 +0100
+Subject: [PATCH 5/9] httpd should destroy all CCACHEs
+
+Use "kdestroy -A" command to destroy all CCACHEs, both the primary
+and the non-primary ones to make sure that the non-primary ones are
+not used later.
+
+https://fedorahosted.org/freeipa/ticket/4084
+---
+ ipaserver/install/httpinstance.py | 2 +-
+ 1 file changed, 1 insertion(+), 1 deletion(-)
+
+diff --git a/ipaserver/install/httpinstance.py b/ipaserver/install/httpinstance.py
+index 9c9205883b38dfb854fb2885d3692a7053866b63..5d37926ddcaa17ce2eab839cd6aecdab0159a8ee 100644
+--- a/ipaserver/install/httpinstance.py
++++ b/ipaserver/install/httpinstance.py
+@@ -218,7 +218,7 @@ def remove_httpd_ccache(self):
+ # Clean up existing ccache
+ # Make sure that empty env is passed to avoid passing KRB5CCNAME from
+ # current env
+- ipautil.run(['kdestroy'], runas='apache', raiseonerr=False, env={})
++ ipautil.run(['kdestroy', '-A'], runas='apache', raiseonerr=False, env={})
+
+ def __configure_http(self):
+ target_fname = '/etc/httpd/conf.d/ipa.conf'
+--
+1.8.5.3
+
diff --git a/0006-Enable-Retro-Changelog-and-Content-Synchronization-D.patch b/0006-Enable-Retro-Changelog-and-Content-Synchronization-D.patch
new file mode 100644
index 0000000..34af3bd
--- /dev/null
+++ b/0006-Enable-Retro-Changelog-and-Content-Synchronization-D.patch
@@ -0,0 +1,124 @@
+From ada54e7e836d13ccede3fe74f1cd30300a242c6e Mon Sep 17 00:00:00 2001
+From: Ana Krivokapic
+Date: Fri, 25 Oct 2013 12:41:25 +0200
+Subject: [PATCH 6/9] Enable Retro Changelog and Content Synchronization DS
+ plugins
+
+Enable Retro Changelog and Content Synchronization DS plugins which are required
+for SyncRepl support.
+
+Create a working directory /var/named/ipa required by bind-dyndb-ldap v4+.
+
+https://fedorahosted.org/freeipa/ticket/3967
+---
+ freeipa.spec.in | 1 +
+ install/tools/ipa-upgradeconfig | 5 ++++-
+ install/updates/20-syncrepl.update | 9 +++++++++
+ install/updates/Makefile.am | 1 +
+ ipaserver/install/bindinstance.py | 13 +++++++++++++
+ 5 files changed, 28 insertions(+), 1 deletion(-)
+ create mode 100644 install/updates/20-syncrepl.update
+
+diff --git a/freeipa.spec.in b/freeipa.spec.in
+index 8fd0a368ed02cfad120db6283e3899027d467bfc..4f60be6ccd623de4574c7627e0ffc4ff0829e701 100644
+--- a/freeipa.spec.in
++++ b/freeipa.spec.in
+@@ -764,6 +764,7 @@ fi
+ %{_mandir}/man1/ipa-backup.1.gz
+ %{_mandir}/man1/ipa-restore.1.gz
+ %{_mandir}/man1/ipa-advise.1.gz
++%ghost %{_localstatedir}/named/ipa
+
+ %files server-trust-ad
+ %{_sbindir}/ipa-adtrust-install
+diff --git a/install/tools/ipa-upgradeconfig b/install/tools/ipa-upgradeconfig
+index cf9fe0e040e56bb75ca8d53e28586911caeffb2b..5bcef1ac827da296c6a35e8fc29a1c6f0a04f808 100644
+--- a/install/tools/ipa-upgradeconfig
++++ b/install/tools/ipa-upgradeconfig
+@@ -1084,6 +1084,10 @@ def main():
+ setup_firefox_extension(fstore)
+ add_ca_dns_records()
+
++ bind = bindinstance.BindInstance(fstore)
++ if bind.is_configured():
++ bind.create_dir('/var/named/ipa', 0700)
++
+ # Any of the following functions returns True iff the named.conf file
+ # has been altered
+ named_conf_changes = (
+@@ -1097,7 +1101,6 @@ def main():
+ if any(named_conf_changes):
+ # configuration has changed, restart the name server
+ root_logger.info('Changes to named.conf have been made, restart named')
+- bind = bindinstance.BindInstance(fstore)
+ try:
+ bind.restart()
+ except ipautil.CalledProcessError, e:
+diff --git a/install/updates/20-syncrepl.update b/install/updates/20-syncrepl.update
+new file mode 100644
+index 0000000000000000000000000000000000000000..c4158a1634410acd323f04f442bbbd2f69c24708
+--- /dev/null
++++ b/install/updates/20-syncrepl.update
+@@ -0,0 +1,9 @@
++# Enable Retro changelog
++dn: cn=Retro Changelog Plugin,cn=plugins,cn=config
++only:nsslapd-pluginEnabled: on
++add:nsslapd-attribute: nsuniqueid:targetUniqueId
++add:nsslapd-changelogmaxage: 2d
++
++# Enable SyncRepl
++dn: cn=Content Synchronization,cn=plugins,cn=config
++only:nsslapd-pluginEnabled: on
+diff --git a/install/updates/Makefile.am b/install/updates/Makefile.am
+index 40c3b3c8916faa267254a29d0f458ca53201950c..09965ff9885fce93f3d15dc73b11fa210f68b163 100644
+--- a/install/updates/Makefile.am
++++ b/install/updates/Makefile.am
+@@ -22,6 +22,7 @@ app_DATA = \
+ 20-indices.update \
+ 20-nss_ldap.update \
+ 20-replication.update \
++ 20-syncrepl.update \
+ 20-user_private_groups.update \
+ 20-winsync_index.update \
+ 21-replicas_container.update \
+diff --git a/ipaserver/install/bindinstance.py b/ipaserver/install/bindinstance.py
+index 6d5a1d44d30c89278c24fe7ab5278355cb65b0b4..4baeb4e077c64a7abebd1c071012f6c1e02dc1ae 100644
+--- a/ipaserver/install/bindinstance.py
++++ b/ipaserver/install/bindinstance.py
+@@ -22,6 +22,7 @@
+ import pwd
+ import netaddr
+ import re
++import errno
+
+ import ldap
+
+@@ -509,6 +510,16 @@ def create_sample_bind_zone(self):
+ os.close(bind_fd)
+ print "Sample zone file for bind has been created in "+bind_name
+
++ def create_dir(self, path, mode):
++ try:
++ os.makedirs(path, mode)
++ except OSError as e:
++ if e.errno != errno.EEXIST:
++ raise e
++
++ pent = pwd.getpwnam(self.named_user or 'named')
++ os.chown(path, pent.pw_uid, pent.pw_gid)
++
+ def create_instance(self):
+
+ try:
+@@ -519,6 +530,8 @@ def create_instance(self):
+ # get a connection to the DS
+ self.ldap_connect()
+
++ self.create_dir('/var/named/ipa', 0700)
++
+ if installutils.record_in_hosts(self.ip_address, self.fqdn) is None:
+ installutils.add_record_to_hosts(self.ip_address, self.fqdn)
+
+--
+1.8.5.3
+
diff --git a/0007-Limit-memberOf-and-refInt-DS-plugins-to-main-IPA-suf.patch b/0007-Limit-memberOf-and-refInt-DS-plugins-to-main-IPA-suf.patch
new file mode 100644
index 0000000..d1510f4
--- /dev/null
+++ b/0007-Limit-memberOf-and-refInt-DS-plugins-to-main-IPA-suf.patch
@@ -0,0 +1,73 @@
+From 031d08b13cec4c6c538a9c344576d349481ceeea Mon Sep 17 00:00:00 2001
+From: Petr Spacek
+Date: Thu, 23 Jan 2014 12:22:38 +0100
+Subject: [PATCH 7/9] Limit memberOf and refInt DS plugins to main IPA suffix.
+
+This drastically improves performance of retro changelog trimming.
+
+https://fedorahosted.org/freeipa/ticket/3967
+---
+ freeipa.spec.in | 6 +++---
+ install/updates/20-syncrepl.update | 13 ++++++++++++-
+ 2 files changed, 15 insertions(+), 4 deletions(-)
+
+diff --git a/freeipa.spec.in b/freeipa.spec.in
+index 4f60be6ccd623de4574c7627e0ffc4ff0829e701..ef96c7c271ebba33b15d9b35891092e4151c3aae 100644
+--- a/freeipa.spec.in
++++ b/freeipa.spec.in
+@@ -21,7 +21,7 @@ Source0: freeipa-%{version}.tar.gz
+ BuildRoot: %{_tmppath}/%{name}-%{version}-%{release}-root-%(%{__id_u} -n)
+
+ %if ! %{ONLY_CLIENT}
+-BuildRequires: 389-ds-base-devel >= 1.3.1.3
++BuildRequires: 389-ds-base-devel >= 1.3.2.10
+ BuildRequires: svrcore-devel
+ BuildRequires: policycoreutils >= %{POLICYCOREUTILSVER}
+ BuildRequires: systemd-units
+@@ -95,7 +95,7 @@ Group: System Environment/Base
+ Requires: %{name}-python = %{version}-%{release}
+ Requires: %{name}-client = %{version}-%{release}
+ Requires: %{name}-admintools = %{version}-%{release}
+-Requires: 389-ds-base >= 1.3.1.3
++Requires: 389-ds-base >= 1.3.2.10
+ Requires: openldap-clients > 2.4.35-4
+ %if 0%{?fedora} == 18
+ Requires: nss >= 3.14.3-2
+@@ -150,7 +150,7 @@ Requires: zip
+ Requires: policycoreutils >= %{POLICYCOREUTILSVER}
+ Requires: tar
+ Requires(pre): certmonger >= 0.65
+-Requires(pre): 389-ds-base >= 1.3.1.3
++Requires(pre): 389-ds-base >= 1.3.2.10
+
+ # With FreeIPA 3.3, package freeipa-server-selinux was obsoleted as the
+ # entire SELinux policy is stored in the system policy
+diff --git a/install/updates/20-syncrepl.update b/install/updates/20-syncrepl.update
+index c4158a1634410acd323f04f442bbbd2f69c24708..e1184bf48285fb216dfb0c82e5e97bb8cc35539c 100644
+--- a/install/updates/20-syncrepl.update
++++ b/install/updates/20-syncrepl.update
+@@ -1,9 +1,20 @@
+-# Enable Retro changelog
++# Enable Retro changelog - it is necessary for SyncRepl
+ dn: cn=Retro Changelog Plugin,cn=plugins,cn=config
+ only:nsslapd-pluginEnabled: on
++# Remember original nsuniqueid for objects referenced from cn=changelog
+ add:nsslapd-attribute: nsuniqueid:targetUniqueId
+ add:nsslapd-changelogmaxage: 2d
+
++# Keep memberOf and referential integrity plugins away from cn=changelog.
++# It is necessary for performance reasons because we don't have appropriate
++# indices for cn=changelog.
++dn: cn=MemberOf Plugin,cn=plugins,cn=config
++add:memberofentryscope: '$SUFFIX'
++
++dn: cn=referential integrity postoperation,cn=plugins,cn=config
++add:nsslapd-plugincontainerscope: '$SUFFIX'
++add:nsslapd-pluginentryscope: '$SUFFIX'
++
+ # Enable SyncRepl
+ dn: cn=Content Synchronization,cn=plugins,cn=config
+ only:nsslapd-pluginEnabled: on
+--
+1.8.5.3
+
diff --git a/0008-Remove-working-directory-for-bind-dyndb-ldap-plugin.patch b/0008-Remove-working-directory-for-bind-dyndb-ldap-plugin.patch
new file mode 100644
index 0000000..2a2113f
--- /dev/null
+++ b/0008-Remove-working-directory-for-bind-dyndb-ldap-plugin.patch
@@ -0,0 +1,93 @@
+From 916437b391739ea3ee48dfcd9f0d164536ca9ead Mon Sep 17 00:00:00 2001
+From: Petr Spacek
+Date: Mon, 27 Jan 2014 14:47:10 +0100
+Subject: [PATCH 8/9] Remove working directory for bind-dyndb-ldap plugin.
+
+The working directory will be provided directly
+by bind-dyndb-ldap package.
+
+This partially reverts commit 689382dc833e687d30349b10a8fd7dc740d54d08.
+
+https://fedorahosted.org/freeipa/ticket/3967
+---
+ freeipa.spec.in | 1 -
+ install/tools/ipa-upgradeconfig | 5 +----
+ ipaserver/install/bindinstance.py | 13 -------------
+ 3 files changed, 1 insertion(+), 18 deletions(-)
+
+diff --git a/freeipa.spec.in b/freeipa.spec.in
+index ef96c7c271ebba33b15d9b35891092e4151c3aae..eb9afbb4bfa1a11caf1282d5b76c2e138735386c 100644
+--- a/freeipa.spec.in
++++ b/freeipa.spec.in
+@@ -764,7 +764,6 @@ fi
+ %{_mandir}/man1/ipa-backup.1.gz
+ %{_mandir}/man1/ipa-restore.1.gz
+ %{_mandir}/man1/ipa-advise.1.gz
+-%ghost %{_localstatedir}/named/ipa
+
+ %files server-trust-ad
+ %{_sbindir}/ipa-adtrust-install
+diff --git a/install/tools/ipa-upgradeconfig b/install/tools/ipa-upgradeconfig
+index 5bcef1ac827da296c6a35e8fc29a1c6f0a04f808..cf9fe0e040e56bb75ca8d53e28586911caeffb2b 100644
+--- a/install/tools/ipa-upgradeconfig
++++ b/install/tools/ipa-upgradeconfig
+@@ -1084,10 +1084,6 @@ def main():
+ setup_firefox_extension(fstore)
+ add_ca_dns_records()
+
+- bind = bindinstance.BindInstance(fstore)
+- if bind.is_configured():
+- bind.create_dir('/var/named/ipa', 0700)
+-
+ # Any of the following functions returns True iff the named.conf file
+ # has been altered
+ named_conf_changes = (
+@@ -1101,6 +1097,7 @@ def main():
+ if any(named_conf_changes):
+ # configuration has changed, restart the name server
+ root_logger.info('Changes to named.conf have been made, restart named')
++ bind = bindinstance.BindInstance(fstore)
+ try:
+ bind.restart()
+ except ipautil.CalledProcessError, e:
+diff --git a/ipaserver/install/bindinstance.py b/ipaserver/install/bindinstance.py
+index 4baeb4e077c64a7abebd1c071012f6c1e02dc1ae..6d5a1d44d30c89278c24fe7ab5278355cb65b0b4 100644
+--- a/ipaserver/install/bindinstance.py
++++ b/ipaserver/install/bindinstance.py
+@@ -22,7 +22,6 @@
+ import pwd
+ import netaddr
+ import re
+-import errno
+
+ import ldap
+
+@@ -510,16 +509,6 @@ def create_sample_bind_zone(self):
+ os.close(bind_fd)
+ print "Sample zone file for bind has been created in "+bind_name
+
+- def create_dir(self, path, mode):
+- try:
+- os.makedirs(path, mode)
+- except OSError as e:
+- if e.errno != errno.EEXIST:
+- raise e
+-
+- pent = pwd.getpwnam(self.named_user or 'named')
+- os.chown(path, pent.pw_uid, pent.pw_gid)
+-
+ def create_instance(self):
+
+ try:
+@@ -530,8 +519,6 @@ def create_instance(self):
+ # get a connection to the DS
+ self.ldap_connect()
+
+- self.create_dir('/var/named/ipa', 0700)
+-
+ if installutils.record_in_hosts(self.ip_address, self.fqdn) is None:
+ installutils.add_record_to_hosts(self.ip_address, self.fqdn)
+
+--
+1.8.5.3
+
diff --git a/0009-Remove-mod_ssl-port-workaround.patch b/0009-Remove-mod_ssl-port-workaround.patch
new file mode 100644
index 0000000..3e28fd3
--- /dev/null
+++ b/0009-Remove-mod_ssl-port-workaround.patch
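Review bot: With `self.create_dir('/var/named/ipa', 0700)` removed from `create_instance()` and the matching call dropped from ipa-upgradeconfig, nothing in this patch ensures that the bind-dyndb-ldap working directory exists with the owner and mode the installer used to enforce. The commit message says the bind-dyndb-ldap package now provides it, yet no visible spec hunk raises the dependency on bind-dyndb-ldap to a release that ships the directory; that line lies outside the hunks shown, so this may already be covered. I would pin it in freeipa.spec.in, e.g. `Requires: bind-dyndb-ldap >= <FIRST_VERSION_SHIPPING_THE_DIR>`, and confirm that the packaged directory is still owned by the named user and no more permissive than 0700. The bodies of `main()` and `create_instance()` continue outside the hunks.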
@@ -0,0 +1,98 @@
+From a24f83b833eb515e60a6e5b8144834bae7a78f70 Mon Sep 17 00:00:00 2001
+From: Jan Cholasta
+Date: Tue, 26 Nov 2013 08:53:34 +0000
+Subject: [PATCH 9/9] Remove mod_ssl port workaround.
+
+https://fedorahosted.org/freeipa/ticket/4021
+---
+ freeipa.spec.in | 8 ++++++--
+ install/tools/ipa-upgradeconfig | 2 +-
+ ipaserver/install/httpinstance.py | 17 ++++++++---------
+ 3 files changed, 15 insertions(+), 12 deletions(-)
+
+diff --git a/freeipa.spec.in b/freeipa.spec.in
+index eb9afbb4bfa1a11caf1282d5b76c2e138735386c..1f2ca11cb04d3e2f3a02d7a77cad1763c85e63cb 100644
+--- a/freeipa.spec.in
++++ b/freeipa.spec.in
+@@ -118,14 +118,14 @@ Requires: krb5-server >= 1.10
+ Requires: krb5-pkinit-openssl
+ Requires: cyrus-sasl-gssapi%{?_isa}
+ Requires: ntp
+-Requires: httpd
++Requires: httpd >= 2.4.6-6
+ Requires: mod_wsgi
+ %if 0%{?fedora} >= 18
+ Requires: mod_auth_kerb >= 5.4-16
+ %else
+ Requires: mod_auth_kerb >= 5.4-8
+ %endif
+-Requires: mod_nss >= 1.0.8-24
++Requires: mod_nss >= 1.0.8-26
+ Requires: python-ldap
+ Requires: python-krbV
+ Requires: acl
+@@ -861,6 +861,10 @@ fi
+ %endif # ONLY_CLIENT
+
+ %changelog
++* Tue Nov 26 2013 Jan Cholasta - 3.3.90-6
++- Set minimum version of httpd to 2.4.6-6
++- Set minimum version of mod_nss to 1.0.8-26
++
+ * Tue Nov 12 2013 Tomas Babej - 3.3.90-5
+ - Add Fedora 19 platform files
+
+diff --git a/install/tools/ipa-upgradeconfig b/install/tools/ipa-upgradeconfig
+index cf9fe0e040e56bb75ca8d53e28586911caeffb2b..a31f7d092981c33694268f420892a781e9b02b3f 100644
+--- a/install/tools/ipa-upgradeconfig
++++ b/install/tools/ipa-upgradeconfig
+@@ -1052,7 +1052,7 @@ def main():
+ http = httpinstance.HTTPInstance(fstore)
+ http.remove_httpd_ccache()
+ http.configure_selinux_for_httpd()
+- http.change_mod_nss_port_to_http()
++ http.change_mod_nss_port_from_http()
+
+ ds = dsinstance.DsInstance()
+ ds.configure_dirsrv_ccache()
+diff --git a/ipaserver/install/httpinstance.py b/ipaserver/install/httpinstance.py
+index 5d37926ddcaa17ce2eab839cd6aecdab0159a8ee..34e58fbb845c91c42a37d94a172e167cfb6f1790 100644
+--- a/ipaserver/install/httpinstance.py
++++ b/ipaserver/install/httpinstance.py
+@@ -237,25 +237,24 @@ def __configure_http(self):
+ http_fd.close()
+ os.chmod(target_fname, 0644)
+
+- def change_mod_nss_port_to_http(self):
++ def change_mod_nss_port_from_http(self):
+ # mod_ssl enforces SSLEngine on for vhost on 443 even though
+ # the listener is mod_nss. This then crashes the httpd as mod_nss
+ # listened port obviously does not match mod_ssl requirements.
+ #
+- # Change port to http to workaround the mod_ssl check, the SSL is
+- # enforced in the vhost later, so it is benign.
++ # The workaround for this was to change port to http. It is no longer
++ # necessary, as mod_nss now ships with default configuration which
++ # sets SSLEngine off when mod_ssl is installed.
+ #
+- # Remove when https://bugzilla.redhat.com/show_bug.cgi?id=1023168
+- # is fixed.
+- if not sysupgrade.get_upgrade_state('nss.conf', 'listen_port_updated'):
+- installutils.set_directive(NSS_CONF, 'Listen', '443 http', quotes=False)
+- sysupgrade.set_upgrade_state('nss.conf', 'listen_port_updated', True)
++ # Remove the workaround.
++ if sysupgrade.get_upgrade_state('nss.conf', 'listen_port_updated'):
++ installutils.set_directive(NSS_CONF, 'Listen', '443', quotes=False)
++ sysupgrade.set_upgrade_state('nss.conf', 'listen_port_updated', False)
+
+ def __set_mod_nss_port(self):
+ self.fstore.backup_file(NSS_CONF)
+ if installutils.update_file(NSS_CONF, '8443', '443') != 0:
+ print "Updating port in %s failed." % NSS_CONF
+- self.change_mod_nss_port_to_http()
+
+ def __set_mod_nss_nickname(self, nickname):
+ installutils.set_directive(NSS_CONF, 'NSSNickname', nickname)
+--
+1.8.5.3
+
diff --git a/freeipa.spec b/freeipa.spec
index b682914..588ea5b 100644
--- a/freeipa.spec
+++ b/freeipa.spec
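Review bot: `change_mod_nss_port_from_http()` rewrites `Listen` to the literal `'443'` whenever the `listen_port_updated` flag is set, without looking at what nss.conf currently holds. A listener that an administrator changed after the workaround was applied would be silently reset on the next upgrade. Guarding on the workaround's own value avoids that, for example `if installutils.get_directive(NSS_CONF, 'Listen', separator=' ') == '443 http':` around the `set_directive` call, with the flag still cleared afterwards. This assumes `installutils.get_directive` is available in this tree and returns the directive's value in that form.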
@@ -4,11 +4,11 @@ %global plugin_dir %{_libdir}/dirsrv/plugins %global POLICYCOREUTILSVER 2.1.14-37 %global gettext_domain ipa -%global VERSION 3.3.3 +%global VERSION 3.3.4 Name: freeipa -Version: 3.3.3 -Release: 5%{?dist} +Version: 3.3.4 +Release: 1%{?dist} Summary: The Identity, Policy and Audit system Group: System Environment/Base @@ -17,9 +17,15 @@ URL: http://www.freeipa.org/ Source0: http://www.freeipa.org/downloads/src/freeipa-%{VERSION}.tar.gz BuildRoot: %{_tmppath}/%{name}-%{version}-%{release}-root-%(%{__id_u} -n) -Patch0001: 0001-Guard-import-of-adtrustinstance-for-case-without-tru.patch -Patch0002: 0002-Fix-Wformat-security-warnings.patch -Patch0003: 0003-Increase-stack-size-for-Web-UI-builder.patch +Patch0001: 0001-platform-Add-Fedora-19-platform-file.patch +Patch0002: 0002-ipa-client-install-Publish-CA-certificate-to-systemw.patch +Patch0003: 0003-Add-runas-option-to-run-function.patch +Patch0004: 0004-Switch-httpd-to-use-default-CCACHE.patch +Patch0005: 0005-httpd-should-destroy-all-CCACHEs.patch +Patch0006: 0006-Enable-Retro-Changelog-and-Content-Synchronization-D.patch +Patch0007: 0007-Limit-memberOf-and-refInt-DS-plugins-to-main-IPA-suf.patch +Patch0008: 0008-Remove-working-directory-for-bind-dyndb-ldap-plugin.patch +Patch0009: 0009-Remove-mod_ssl-port-workaround.patch %if ! %{ONLY_CLIENT} BuildRequires: 389-ds-base-devel >= 1.3.1.3 @@ -96,7 +102,7 @@ Group: System Environment/Base Requires: %{name}-python = %{version}-%{release} Requires: %{name}-client = %{version}-%{release} Requires: %{name}-admintools = %{version}-%{release} -Requires: 389-ds-base >= 1.3.1.3 +Requires: 389-ds-base >= 1.3.2.10 Requires: openldap-clients > 2.4.35-4 %if 0%{?fedora} == 18 Requires: nss >= 3.14.3-2 
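Review bot: `BuildRequires: 389-ds-base-devel >= 1.3.1.3` stays unchanged as context in the `@@ -17,9 +17,15 @@` hunk, while both runtime requirements on 389-ds-base are raised to 1.3.2.10 in this spec. Patch 0007, added in this same commit, raises the BuildRequires in freeipa.spec.in as well, but the package is built from freeipa.spec, so the build can still run against the older directory server headers. If that is not intended, the line should read `BuildRequires: 389-ds-base-devel >= 1.3.2.10`.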
@@ -119,14 +125,14 @@ Requires: krb5-server >= 1.10 Requires: krb5-pkinit-openssl Requires: cyrus-sasl-gssapi%{?_isa} Requires: ntp -Requires: httpd +Requires: httpd >= 2.4.6-6 Requires: mod_wsgi %if 0%{?fedora} >= 18 Requires: mod_auth_kerb >= 5.4-16 %else Requires: mod_auth_kerb >= 5.4-8 %endif -Requires: mod_nss >= 1.0.8-24 +Requires: mod_nss >= 1.0.8-26 Requires: python-ldap Requires: python-krbV Requires: acl @@ -151,7 +157,7 @@ Requires: zip Requires: policycoreutils >= %{POLICYCOREUTILSVER} Requires: tar Requires(pre): certmonger >= 0.65 -Requires(pre): 389-ds-base >= 1.3.1.3 +Requires(pre): 389-ds-base >= 1.3.2.10 # With FreeIPA 3.3, package freeipa-server-selinux was obsoleted as the # entire SELinux policy is stored in the system policy @@ -372,6 +378,9 @@ export JAVA_STACK_SIZE="8m" %endif export CFLAGS="$CFLAGS %{optflags}" export CPPFLAGS="$CPPFLAGS %{optflags}" +%if 0%{?fedora} >= 19 +export SUPPORTED_PLATFORM=fedora19 +%else %if 0%{?fedora} >= 18 # use fedora18 platform which is based on fedora16 platform with systemd # support + fedora18 changes @@ -379,6 +388,7 @@ export SUPPORTED_PLATFORM=fedora18 %else export SUPPORTED_PLATFORM=fedora16 %endif +%endif # Force re-generate of platform support rm -f ipapython/services.py make version-update @@ -396,6 +406,9 @@ make IPA_VERSION_IS_GIT_SNAPSHOT=no %{?_smp_mflags} client %install rm -rf %{buildroot} +%if 0%{?fedora} >= 19 +export SUPPORTED_PLATFORM=fedora19 +%else %if 0%{?fedora} >= 18 # use fedora18 platform which is based on fedora16 platform with systemd # support + fedora18 changes @@ -403,6 +416,7 @@ export SUPPORTED_PLATFORM=fedora18 %else export SUPPORTED_PLATFORM=fedora16 %endif +%endif # Force re-generate of platform support rm -f ipapython/services.py %if ! %{ONLY_CLIENT} 
@@ -595,6 +609,16 @@ if [ $1 -gt 1 ] ; then /sbin/restorecon /etc/krb5.conf fi fi + + if [ -f '/etc/sysconfig/ntpd' -a $restore -ge 2 ]; then + if grep -E -q 'OPTIONS=.*-u ntp:ntp' /etc/sysconfig/ntpd 2>/dev/null; then + sed -r '/OPTIONS=/ { s/\s+-u ntp:ntp\s+/ /; s/\s*-u ntp:ntp\s*// }' /etc/sysconfig/ntpd >/etc/sysconfig/ntpd.ipanew + mv /etc/sysconfig/ntpd.ipanew /etc/sysconfig/ntpd + /sbin/restorecon /etc/sysconfig/ntpd + + /bin/systemctl condrestart ntpd.service 2>&1 || : + fi + fi fi %triggerin -n freeipa-client -- openssh-server @@ -719,6 +743,7 @@ fi %{_usr}/share/ipa/ui/*.svg %{_usr}/share/ipa/ui/*.ttf %{_usr}/share/ipa/ui/*.woff +%dir %{_usr}/share/ipa/ui/js %dir %{_usr}/share/ipa/ui/js/dojo %{_usr}/share/ipa/ui/js/dojo/dojo.js %dir %{_usr}/share/ipa/ui/js/libs @@ -853,12 +878,14 @@ fi %dir %{python_sitelib}/ipapython/platform/base %dir %{python_sitelib}/ipapython/platform/fedora16 %dir %{python_sitelib}/ipapython/platform/fedora18 +%dir %{python_sitelib}/ipapython/platform/fedora19 %dir %{python_sitelib}/ipapython/platform/redhat %{python_sitelib}/ipapython/*.py* %{python_sitelib}/ipapython/platform/*.py* %{python_sitelib}/ipapython/platform/base/*.py* %{python_sitelib}/ipapython/platform/fedora16/*.py* %{python_sitelib}/ipapython/platform/fedora18/*.py* +%{python_sitelib}/ipapython/platform/fedora19/*.py* %{python_sitelib}/ipapython/platform/redhat/*.py* %dir %{python_sitelib}/ipalib %{python_sitelib}/ipalib/* @@ -894,6 +921,13 @@ fi %endif # ONLY_CLIENT %changelog +* Tue Jan 28 2014 Martin Kosek - 3.3.4-1 +- Update to upstream 3.3.4 +- Install CA anchor into standard location (#928478) +- ipa-client-install part of ipa-server-install fails on reinstall (#1044994) +- Remove mod_ssl workaround (RHEL bug #1029046) +- Enable syncrepl plugin to support bind-dyndb-ldap 4.0 + * Fri Jan 3 2014 Martin Kosek - 3.3.3-5 - Build crashed with rhino exception on s390 architectures (#1040576) diff --git a/sources b/sources index 39e8e00..b6a1d95 100644 --- a/sources 
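Review bot: In the ntpd block added by the `@@ -595,6 +609,16 @@` hunk, the sed output is moved over /etc/sysconfig/ntpd without checking that sed succeeded, so a failed or short write to ntpd.ipanew (a full filesystem, for instance) would replace the NTP configuration with a truncated file. Chaining the two steps keeps the original on failure: `sed -r '…' /etc/sysconfig/ntpd >/etc/sysconfig/ntpd.ipanew && mv /etc/sysconfig/ntpd.ipanew /etc/sysconfig/ntpd`. The replacement file is also created with the scriptlet's umask and ownership rather than those of the original, and `restorecon` only restores the SELinux label. The enclosing `if [ $1 -gt 1 ]` block and the assignment of `$restore` lie outside the hunk.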
+++ b/sources
@@ -1 +1 @@
-ba4546b837c5129524e2d1020986400f freeipa-3.3.3.tar.gz
+2ad49c60abada8a328ddd825481d9e9c freeipa-3.3.4.tar.gz