- Update to upstream 3.3.4
- Install CA anchor into standard location (#928478)
- ipa-client-install part of ipa-server-install fails on reinstall (#1044994)
- Remove mod_ssl workaround (RHEL bug #1029046)
- Enable syncrepl plugin to support bind-dyndb-ldap 4.0
Martin Kosek 2014-01-28 13:37:46 +01:00
parent 3242eeabec
commit 9d21232151
12 changed files with 988 additions and 11 deletions

1
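--- a/.gitignore
+++ b/.gitignore
@@ -27,3 +27,4 @@
 /freeipa-3.3.0.tar.gz
 /freeipa-3.3.1.tar.gz
 /freeipa-3.3.3.tar.gz
+/freeipa-3.3.4.tar.gz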


@ -0,0 +1,156 @@
From 2a98701ea1745394b717c3f4be4e0e376ab1d658 Mon Sep 17 00:00:00 2001
From: Tomas Babej <tomasbabej@gmail.com>
Date: Mon, 11 Nov 2013 13:02:40 +0100
Subject: [PATCH 1/9] platform: Add Fedora 19 platform file
Part of: https://fedorahosted.org/freeipa/ticket/3504
---
freeipa.spec.in | 15 ++++++++-
ipapython/platform/fedora19/__init__.py | 55 +++++++++++++++++++++++++++++++++
ipapython/setup.py.in | 1 +
3 files changed, 70 insertions(+), 1 deletion(-)
create mode 100644 ipapython/platform/fedora19/__init__.py
diff --git a/freeipa.spec.in b/freeipa.spec.in
index 138390ed729ac561504e41b44bb0e2c9041e7b94..8fd0a368ed02cfad120db6283e3899027d467bfc 100644
--- a/freeipa.spec.in
+++ b/freeipa.spec.in
@@ -326,6 +326,9 @@ export JAVA_STACK_SIZE="8m"
%endif
export CFLAGS="$CFLAGS %{optflags}"
export CPPFLAGS="$CPPFLAGS %{optflags}"
+%if 0%{?fedora} >= 19
+export SUPPORTED_PLATFORM=fedora19
+%else
%if 0%{?fedora} >= 18
# use fedora18 platform which is based on fedora16 platform with systemd
# support + fedora18 changes
@@ -333,6 +336,7 @@ export SUPPORTED_PLATFORM=fedora18
%else
export SUPPORTED_PLATFORM=fedora16
%endif
+%endif
# Force re-generate of platform support
rm -f ipapython/services.py
make version-update
@@ -350,6 +354,9 @@ make IPA_VERSION_IS_GIT_SNAPSHOT=no %{?_smp_mflags} client
%install
rm -rf %{buildroot}
+%if 0%{?fedora} >= 19
+export SUPPORTED_PLATFORM=fedora19
+%else
%if 0%{?fedora} >= 18
# use fedora18 platform which is based on fedora16 platform with systemd
# support + fedora18 changes
@@ -357,6 +364,7 @@ export SUPPORTED_PLATFORM=fedora18
%else
export SUPPORTED_PLATFORM=fedora16
%endif
+%endif
# Force re-generate of platform support
rm -f ipapython/services.py
%if ! %{ONLY_CLIENT}
@@ -810,12 +818,14 @@ fi
%dir %{python_sitelib}/ipapython/platform/base
%dir %{python_sitelib}/ipapython/platform/fedora16
%dir %{python_sitelib}/ipapython/platform/fedora18
+%dir %{python_sitelib}/ipapython/platform/fedora19
%dir %{python_sitelib}/ipapython/platform/redhat
%{python_sitelib}/ipapython/*.py*
%{python_sitelib}/ipapython/platform/*.py*
%{python_sitelib}/ipapython/platform/base/*.py*
%{python_sitelib}/ipapython/platform/fedora16/*.py*
%{python_sitelib}/ipapython/platform/fedora18/*.py*
+%{python_sitelib}/ipapython/platform/fedora19/*.py*
%{python_sitelib}/ipapython/platform/redhat/*.py*
%dir %{python_sitelib}/ipalib
%{python_sitelib}/ipalib/*
@@ -851,7 +861,10 @@ fi
%endif # ONLY_CLIENT
%changelog
-* Fri Oct 25 2013 Martin Kosek <mkosek@redhat.com> - 3.3.2-1
+* Tue Nov 12 2013 Tomas Babej<tbabej@redhat.com> - 3.3.90-5
+- Add Fedora 19 platform files
+
+* Fri Oct 25 2013 Martin Kosek <mkosek@redhat.com> - 3.3.90-4
- Remove mod_ssl conflict, it can now live with mod_nss installed
* Wed Sep 4 2013 Ana Krivokapic <akrivoka@redhat.com> - 3.3.0-3
diff --git a/ipapython/platform/fedora19/__init__.py b/ipapython/platform/fedora19/__init__.py
new file mode 100644
index 0000000000000000000000000000000000000000..80356d65f4d07483000d57e16b193a857d0988ca
--- /dev/null
+++ b/ipapython/platform/fedora19/__init__.py
@@ -0,0 +1,55 @@
+# Author: Tomas Babej <tbabej@redhat.com>
+#
+# Copyright (C) 2013 Red Hat
+# see file 'COPYING' for use and warranty information
+#
+# This program is free software; you can redistribute it and/or modify
+# it under the terms of the GNU General Public License as published by
+# the Free Software Foundation, either version 3 of the License, or
+# (at your option) any later version.
+#
+# This program is distributed in the hope that it will be useful,
+# but WITHOUT ANY WARRANTY; without even the implied warranty of
+# MERCHANTABILITY or FITNESS FOR A PARTICULAR PURPOSE. See the
+# GNU General Public License for more details.
+#
+# You should have received a copy of the GNU General Public License
+# along with this program. If not, see <http://www.gnu.org/licenses/>.
+#
+
+from ipapython.platform import fedora18, base
+
+# All what we allow exporting directly from this module
+
+# Everything else is made available through these symbols when they are
+# directly imported into ipapython.services:
+
+# authconfig -- class reference for platform-specific implementation of
+# authconfig(8)
+# service -- class reference for platform-specific implementation of a
+# PlatformService class
+# knownservices -- factory instance to access named services IPA cares about,
+# names are ipapython.services.wellknownservices
+# backup_and_replace_hostname -- platform-specific way to set hostname and
+# make it persistent over reboots
+# restore_network_configuration -- platform-specific way of restoring network
+# configuration (e.g. static hostname)
+# restore_context -- platform-sepcific way to restore security context, if
+# applicable
+# check_selinux_status -- platform-specific way to see if SELinux is enabled
+# and restorecon is installed.
+
+__all__ = ['authconfig', 'service', 'knownservices',
+ 'backup_and_replace_hostname', 'restore_context', 'check_selinux_status',
+ 'restore_network_configuration', 'timedate_services']
+
+# Just copy a referential list of timedate services
+timedate_services = list(base.timedate_services)
+
+backup_and_replace_hostname = fedora18.backup_and_replace_hostname
+restore_network_configuration = fedora18.restore_network_configuration
+authconfig = fedora18.authconfig
+service = fedora18.service
+knownservices = fedora18.knownservices
+restore_context = fedora18.restore_context
+check_selinux_status = fedora18.check_selinux_status
diff --git a/ipapython/setup.py.in b/ipapython/setup.py.in
index d3bbcaf1e46528d50731ca18a96a3384f6b49548..108c95d0ccb74e1cec5167759243f428f4ecf21a 100644
--- a/ipapython/setup.py.in
+++ b/ipapython/setup.py.in
@@ -70,6 +70,7 @@ def setup_package():
"ipapython.platform.base",
"ipapython.platform.fedora16",
"ipapython.platform.fedora18",
+ "ipapython.platform.fedora19",
"ipapython.platform.redhat" ],
)
finally:
--
1.8.5.3


@ -0,0 +1,178 @@
From eb81f2cf7e0bde6879952d7256bbdfeb3b5c798b Mon Sep 17 00:00:00 2001
From: Tomas Babej <tbabej@redhat.com>
Date: Tue, 24 Sep 2013 10:54:57 +0200
Subject: [PATCH 2/9] ipa-client-install: Publish CA certificate to systemwide
store
During the installation, copy the CA certificate to the systemwide
store (/etc/pki/ca-trust/source/anchors/ipa-ca.crt) and update the
systemwide CA database.
This allows browsers to access IPA WebUI without warning out of the
box.
https://fedorahosted.org/freeipa/ticket/3504
---
ipa-client/ipa-install/ipa-client-install | 13 +++++-
ipapython/platform/fedora19/__init__.py | 67 ++++++++++++++++++++++++++++++-
ipapython/services.py.in | 11 ++++-
3 files changed, 88 insertions(+), 3 deletions(-)
diff --git a/ipa-client/ipa-install/ipa-client-install b/ipa-client/ipa-install/ipa-client-install
index afed54e5ddbf5ed985b637f20ac61d8ab1632364..23cd9a0babcb600134d87224f0c32ad9ca8845b5 100755
--- a/ipa-client/ipa-install/ipa-client-install
+++ b/ipa-client/ipa-install/ipa-client-install
@@ -651,6 +651,9 @@ def uninstall(options, env):
root_logger.warning('Please remove /etc/ipa/default.conf manually, '
'as it can cause subsequent installation to fail.')
+ # Remove the CA cert from the systemwide certificate store
+ ipaservices.remove_ca_cert_from_systemwide_ca_store(CACERT)
+
# Remove the CA cert
try:
os.remove(CACERT)
@@ -2293,12 +2296,20 @@ def install(options, env, fstore, statestore):
return CLIENT_INSTALL_ERROR
root_logger.info("Configured /etc/sssd/sssd.conf")
+ # Add the CA to the platform-dependant systemwide CA store
+ ipaservices.insert_ca_cert_into_systemwide_ca_store(CACERT)
+
# Add the CA to the default NSS database and trust it
try:
- run(["/usr/bin/certutil", "-A", "-d", "/etc/pki/nssdb", "-n", "IPA CA", "-t", "CT,C,C", "-a", "-i", CACERT])
+ root_logger.debug("Attempting to add CA directly to the "
+ "default NSS database.")
+ run(["/usr/bin/certutil", "-A", "-d", "/etc/pki/nssdb",
+ "-n", "IPA CA", "-t", "CT,C,C", "-a", "-i", CACERT])
except CalledProcessError, e:
root_logger.info("Failed to add CA to the default NSS database.")
return CLIENT_INSTALL_ERROR
+ else:
+ root_logger.info('Added the CA to the default NSS database.')
host_principal = 'host/%s@%s' % (hostname, cli_realm)
if options.on_master:
diff --git a/ipapython/platform/fedora19/__init__.py b/ipapython/platform/fedora19/__init__.py
index 80356d65f4d07483000d57e16b193a857d0988ca..9b931625bdcd4f1266ecfd0c7fea4c37ac7935aa 100644
--- a/ipapython/platform/fedora19/__init__.py
+++ b/ipapython/platform/fedora19/__init__.py
@@ -17,6 +17,14 @@
# along with this program. If not, see <http://www.gnu.org/licenses/>.
#
+import shutil
+import os
+
+from subprocess import CalledProcessError
+
+from ipapython.ipa_log_manager import root_logger
+from ipapython.ipautil import run
+
from ipapython.platform import fedora18, base
# All what we allow exporting directly from this module
@@ -38,10 +46,19 @@
# applicable
# check_selinux_status -- platform-specific way to see if SELinux is enabled
# and restorecon is installed.
+# insert_ca_cert_into_systemwide_ca_store - platform-specific way to insert our
+# CA certificate into the systemwide
+# CA store
+# remove_ca_cert_from_systemwide_ca_store - platform-specific way to remove our
+# CA certificate from the systemwide
+# CA store
+
__all__ = ['authconfig', 'service', 'knownservices',
'backup_and_replace_hostname', 'restore_context', 'check_selinux_status',
- 'restore_network_configuration', 'timedate_services']
+ 'restore_network_configuration', 'timedate_services',
+ 'insert_ca_cert_into_systemwide_ca_store',
+ 'remove_ca_cert_from_systemwide_ca_store']
# Just copy a referential list of timedate services
timedate_services = list(base.timedate_services)
@@ -53,3 +70,51 @@
knownservices = fedora18.knownservices
restore_context = fedora18.restore_context
check_selinux_status = fedora18.check_selinux_status
+
+systemwide_ca_store = '/etc/pki/ca-trust/source/anchors/'
+
+
+def insert_ca_cert_into_systemwide_ca_store(cacert_path):
+ # Add the 'ipa-' prefix to cert name to avoid name collisions
+ cacert_name = os.path.basename(cacert_path)
+ new_cacert_path = os.path.join(systemwide_ca_store, 'ipa-%s' % cacert_name)
+
+ # Add the CA to the systemwide CA trust database
+ try:
+ shutil.copy(cacert_path, new_cacert_path)
+ run(['/usr/bin/update-ca-trust'])
+ except OSError, e:
+ root_logger.info("Failed to copy %s to %s" % (cacert_path,
+ new_cacert_path))
+ except CalledProcessError, e:
+ root_logger.info("Failed to add CA to the systemwide "
+ "CA trust database: %s" % str(e))
+ else:
+ root_logger.info('Added the CA to the systemwide CA trust database.')
+ return True
+
+ return False
+
+
+def remove_ca_cert_from_systemwide_ca_store(cacert_path):
+ # Derive the certificate name in the store
+ cacert_name = os.path.basename(cacert_path)
+ new_cacert_path = os.path.join(systemwide_ca_store, 'ipa-%s' % cacert_name)
+
+ # Remove CA cert from systemwide store
+ if os.path.exists(new_cacert_path):
+ try:
+ os.remove(new_cacert_path)
+ run(['/usr/bin/update-ca-trust'])
+ except OSError, e:
+ root_logger.error('Could not remove: %s, %s'
+ % (new_cacert_path, str(e)))
+ return False
+ except CalledProcessError, e:
+ root_logger.error('Could not update systemwide CA trust '
+ 'database: %s' % str(e))
+ return False
+ else:
+ root_logger.info('Systemwide CA database updated.')
+
+ return True
diff --git a/ipapython/services.py.in b/ipapython/services.py.in
index 16b62ca8508d4078e896cd1da6fd664f52a3930e..d648ad5bf77aa58f2de33f0a02440eae01d6396b 100644
--- a/ipapython/services.py.in
+++ b/ipapython/services.py.in
@@ -21,7 +21,7 @@
authconfig = None
# knownservices is an entry point to known platform services
-# (instance of ipapython.platform.base.KnownServices)
+# (instance of ipapython.platform.base.KnownServices)
knownservices = None
# service is a class to instantiate ipapython.platform.base.PlatformService
@@ -55,4 +55,13 @@ from ipapython.platform.base import SVC_LIST_FILE
def get_svc_list_file():
return SVC_LIST_FILE
+def insert_ca_cert_into_systemwide_ca_store_default(path):
+ return True
+
+def remove_ca_cert_from_systemwide_ca_store_default(path):
+ return True
+
+insert_ca_cert_into_systemwide_ca_store = insert_ca_cert_into_systemwide_ca_store_default
+remove_ca_cert_from_systemwide_ca_store = remove_ca_cert_from_systemwide_ca_store_default
+
from ipapython.platform.SUPPORTED_PLATFORM import *
--
1.8.5.3
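Review bot: In insert_ca_cert_into_systemwide_ca_store the `except OSError, e:` clause does not cover a failed `shutil.copy`: this is Python 2 code (note the `except X, e` syntax), where an unreadable source or unwritable destination raises IOError, which is not an OSError subclass there, so the exception escapes instead of being logged. Catching both, `except (IOError, OSError), e:`, keeps the best-effort behaviour the function aims for. If `update-ca-trust` fails after the copy succeeded, the anchor file is left in place and the function returns False, yet ipa-client-install ignores the return value in both install() and uninstall(); the result should at least be logged at warning level there, since a file in /etc/pki/ca-trust/source/anchors/ makes the CA trusted system-wide. install() and uninstall() continue outside the hunks.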


@ -0,0 +1,106 @@
From b4791862852770711be87ca63ed85b23e72baea3 Mon Sep 17 00:00:00 2001
From: Martin Kosek <mkosek@redhat.com>
Date: Thu, 16 Jan 2014 14:10:42 +0100
Subject: [PATCH 3/9] Add runas option to run function
Run function can now run the specified command as different user by
setting the both real and effective UID and GID for executed process.
Add both the missing run function attribute doc strings as well as
a doc string for the runas attribute.
---
ipapython/ipautil.py | 59 +++++++++++++++++++++++++++++++++-------------------
1 file changed, 38 insertions(+), 21 deletions(-)
diff --git a/ipapython/ipautil.py b/ipapython/ipautil.py
index 92569c3b487bdbbfc4f0033813fda56c8928f20c..f7a2443af940a695321da7989457a392d6451d44 100644
--- a/ipapython/ipautil.py
+++ b/ipapython/ipautil.py
@@ -42,6 +42,7 @@
import netaddr
import time
import krbV
+import pwd
from dns import resolver, rdatatype
from dns.exception import DNSException
@@ -246,29 +247,35 @@ def shell_quote(string):
return "'" + string.replace("'", "'\\''") + "'"
def run(args, stdin=None, raiseonerr=True,
- nolog=(), env=None, capture_output=True, skip_output=False, cwd=None):
+ nolog=(), env=None, capture_output=True, skip_output=False, cwd=None,
+ runas=None):
"""
Execute a command and return stdin, stdout and the process return code.
- args is a list of arguments for the command
-
- stdin is used if you want to pass input to the command
-
- raiseonerr raises an exception if the return code is not zero
-
- nolog is a tuple of strings that shouldn't be logged, like passwords.
- Each tuple consists of a string to be replaced by XXXXXXXX.
-
- For example, the command ['/usr/bin/setpasswd', '--password', 'Secret123', 'someuser']
-
- We don't want to log the password so nolog would be set to:
- ('Secret123',)
-
- The resulting log output would be:
-
- /usr/bin/setpasswd --password XXXXXXXX someuser
-
- If an value isn't found in the list it is silently ignored.
+ :param args: List of arguments for the command
+ :param stdin: Optional input to the command
+ :param raiseonerr: If True, raises an exception if the return code is
+ not zero
+ :param nolog: Tuple of strings that shouldn't be logged, like passwords.
+ Each tuple consists of a string to be replaced by XXXXXXXX.
+
+ Example:
+ We have a command
+ ['/usr/bin/setpasswd', '--password', 'Secret123', 'someuser']
+ and we don't want to log the password so nolog would be set to:
+ ('Secret123',)
+ The resulting log output would be:
+
+ /usr/bin/setpasswd --password XXXXXXXX someuser
+
+ If a value isn't found in the list it is silently ignored.
+ :param env: Dictionary of environment variables passed to the command.
+ When None, current environment is copied
+ :param capture_output: Capture stderr and stdout
+ :param skip_output: Redirect the output to /dev/null and do not capture it
+ :param cwd: Current working directory
+ :param runas: Name of a user that the command shold be run as. The spawned
+ process will have both real and effective UID and GID set.
"""
p_in = None
p_out = None
@@ -298,9 +305,19 @@ def run(args, stdin=None, raiseonerr=True,
root_logger.debug('Starting external process')
root_logger.debug('args=%s' % arg_string)
+ preexec_fn = None
+ if runas is not None:
+ pent = pwd.getpwnam(runas)
+ root_logger.debug('runas=%s (UID %d, GID %s)', runas,
+ pent.pw_uid, pent.pw_gid)
+
+ preexec_fn = lambda: (os.setregid(pent.pw_gid, pent.pw_gid),
+ os.setreuid(pent.pw_uid, pent.pw_uid))
+
try:
p = subprocess.Popen(args, stdin=p_in, stdout=p_out, stderr=p_err,
- close_fds=True, env=env, cwd=cwd)
+ close_fds=True, env=env, cwd=cwd,
+ preexec_fn=preexec_fn)
stdout,stderr = p.communicate(stdin)
stdout,stderr = str(stdout), str(stderr) # Make pylint happy
except KeyboardInterrupt:
--
1.8.5.3
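Review bot: The `preexec_fn` lambda in run() sets the real and effective GID and UID but leaves the supplementary group list untouched, so a command started with `runas` still carries the caller's supplementary groups (root's, when the installer runs as root). Drop them before the setregid call, e.g. make `os.initgroups(runas, pent.pw_gid)` the first element of the tuple (or `os.setgroups([])` if no group membership is wanted). The `:param runas:` docstring should then say that supplementary groups are reset as well, and 'shold' there is a typo for 'should'. The debug line also mixes `%d` and `%s` for UID and GID. The body of run() continues outside the hunk.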


@ -0,0 +1,84 @@
From 97d3a2420f5b29d3777c1661c27a7cc6b157a2d5 Mon Sep 17 00:00:00 2001
From: Martin Kosek <mkosek@redhat.com>
Date: Thu, 16 Jan 2014 14:12:29 +0100
Subject: [PATCH 4/9] Switch httpd to use default CCACHE
Stock httpd no longer uses systemd EnvironmentFile option which is
making FreeIPA's KRB5CCNAME setting ineffective. This can lead in hard
to debug problems during subsequent ipa-server-install's where HTTP
may use a stale CCACHE in the default kernel keyring CCACHE.
Avoid forcing custom CCACHE and switch to system one, just make sure
that it is properly cleaned by kdestroy run as "apache" user during
FreeIPA server installation process.
https://fedorahosted.org/freeipa/ticket/4084
---
install/tools/ipa-upgradeconfig | 7 ++++++-
ipaserver/install/httpinstance.py | 22 +++-------------------
2 files changed, 9 insertions(+), 20 deletions(-)
diff --git a/install/tools/ipa-upgradeconfig b/install/tools/ipa-upgradeconfig
index 41c51263d5fc8b3a0e2f28bab89fc9d2d184fdca..cf9fe0e040e56bb75ca8d53e28586911caeffb2b 100644
--- a/install/tools/ipa-upgradeconfig
+++ b/install/tools/ipa-upgradeconfig
@@ -1043,10 +1043,15 @@ def main():
update_dbmodules(api.env.realm)
uninstall_ipa_kpasswd()
+ removed_sysconfig_file = '/etc/sysconfig/httpd'
+ if fstore.has_file(removed_sysconfig_file):
+ root_logger.info('Restoring %s as it is no longer required',
+ removed_sysconfig_file)
+ fstore.restore_file(removed_sysconfig_file)
+
http = httpinstance.HTTPInstance(fstore)
http.remove_httpd_ccache()
http.configure_selinux_for_httpd()
- http.configure_httpd_ccache()
http.change_mod_nss_port_to_http()
ds = dsinstance.DsInstance()
diff --git a/ipaserver/install/httpinstance.py b/ipaserver/install/httpinstance.py
index 689e657e291b93d90038937a61f67915c0d582ec..9c9205883b38dfb854fb2885d3692a7053866b63 100644
--- a/ipaserver/install/httpinstance.py
+++ b/ipaserver/install/httpinstance.py
@@ -126,7 +126,6 @@ def create_instance(self, realm, fqdn, domain_name, dm_password=None,
self.step("creating a keytab for httpd", self.__create_http_keytab)
self.step("clean up any existing httpd ccache", self.remove_httpd_ccache)
self.step("configuring SELinux for httpd", self.configure_selinux_for_httpd)
- self.step("configure httpd ccache", self.configure_httpd_ccache)
self.step("restarting httpd", self.__start)
self.step("configuring httpd to start on boot", self.__enable)
@@ -217,24 +216,9 @@ def __create_http_keytab(self):
def remove_httpd_ccache(self):
# Clean up existing ccache
- pent = pwd.getpwnam("apache")
- installutils.remove_file('/tmp/krb5cc_%d' % pent.pw_uid)
-
- def configure_httpd_ccache(self):
- pent = pwd.getpwnam("apache")
- ccache = '/tmp/krb5cc_%d' % pent.pw_uid
- filepath = '/etc/sysconfig/httpd'
- if not os.path.exists(filepath):
- # file doesn't exist; create it with correct ownership & mode
- open(filepath, 'a').close()
- os.chmod(filepath,
- stat.S_IRUSR | stat.S_IWUSR | stat.S_IRGRP | stat.S_IROTH)
- os.chown(filepath, 0, 0)
-
- replacevars = {'KRB5CCNAME': ccache}
- old_values = ipautil.backup_config_and_replace_variables(
- self.fstore, filepath, replacevars=replacevars)
- ipaservices.restore_context(filepath)
+ # Make sure that empty env is passed to avoid passing KRB5CCNAME from
+ # current env
+ ipautil.run(['kdestroy'], runas='apache', raiseonerr=False, env={})
def __configure_http(self):
target_fname = '/etc/httpd/conf.d/ipa.conf'
--
1.8.5.3
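Review bot: remove_httpd_ccache() now calls a bare `kdestroy` with `env={}`, so the binary is located without any PATH from the caller, whereas the other run() calls on this page use absolute paths (`/usr/bin/certutil`, `/usr/bin/update-ca-trust`); an absolute path such as `['/usr/bin/kdestroy']` (path to be confirmed for the target platform) would make the lookup explicit. With `raiseonerr=False` and the result discarded, a failed cleanup is silent, which is the stale-CCACHE situation the commit message describes; logging a non-zero return code at debug or warning level would make that diagnosable. The same call is edited again in PATCH 5/9 (`kdestroy -A`), where both remarks apply unchanged.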


@ -0,0 +1,30 @@
From d134f591c9250f38d170a937ec221637d09b58bc Mon Sep 17 00:00:00 2001
From: Martin Kosek <mkosek@redhat.com>
Date: Wed, 22 Jan 2014 16:08:51 +0100
Subject: [PATCH 5/9] httpd should destroy all CCACHEs
Use "kdestroy -A" command to destroy all CCACHEs, both the primary
and the non-primary ones to make sure that the non-primary ones are
not used later.
https://fedorahosted.org/freeipa/ticket/4084
---
ipaserver/install/httpinstance.py | 2 +-
1 file changed, 1 insertion(+), 1 deletion(-)
diff --git a/ipaserver/install/httpinstance.py b/ipaserver/install/httpinstance.py
index 9c9205883b38dfb854fb2885d3692a7053866b63..5d37926ddcaa17ce2eab839cd6aecdab0159a8ee 100644
--- a/ipaserver/install/httpinstance.py
+++ b/ipaserver/install/httpinstance.py
@@ -218,7 +218,7 @@ def remove_httpd_ccache(self):
# Clean up existing ccache
# Make sure that empty env is passed to avoid passing KRB5CCNAME from
# current env
- ipautil.run(['kdestroy'], runas='apache', raiseonerr=False, env={})
+ ipautil.run(['kdestroy', '-A'], runas='apache', raiseonerr=False, env={})
def __configure_http(self):
target_fname = '/etc/httpd/conf.d/ipa.conf'
--
1.8.5.3


@ -0,0 +1,124 @@
From ada54e7e836d13ccede3fe74f1cd30300a242c6e Mon Sep 17 00:00:00 2001
From: Ana Krivokapic <akrivoka@redhat.com>
Date: Fri, 25 Oct 2013 12:41:25 +0200
Subject: [PATCH 6/9] Enable Retro Changelog and Content Synchronization DS
plugins
Enable Retro Changelog and Content Synchronization DS plugins which are required
for SyncRepl support.
Create a working directory /var/named/ipa required by bind-dyndb-ldap v4+.
https://fedorahosted.org/freeipa/ticket/3967
---
freeipa.spec.in | 1 +
install/tools/ipa-upgradeconfig | 5 ++++-
install/updates/20-syncrepl.update | 9 +++++++++
install/updates/Makefile.am | 1 +
ipaserver/install/bindinstance.py | 13 +++++++++++++
5 files changed, 28 insertions(+), 1 deletion(-)
create mode 100644 install/updates/20-syncrepl.update
diff --git a/freeipa.spec.in b/freeipa.spec.in
index 8fd0a368ed02cfad120db6283e3899027d467bfc..4f60be6ccd623de4574c7627e0ffc4ff0829e701 100644
--- a/freeipa.spec.in
+++ b/freeipa.spec.in
@@ -764,6 +764,7 @@ fi
%{_mandir}/man1/ipa-backup.1.gz
%{_mandir}/man1/ipa-restore.1.gz
%{_mandir}/man1/ipa-advise.1.gz
+%ghost %{_localstatedir}/named/ipa
%files server-trust-ad
%{_sbindir}/ipa-adtrust-install
diff --git a/install/tools/ipa-upgradeconfig b/install/tools/ipa-upgradeconfig
index cf9fe0e040e56bb75ca8d53e28586911caeffb2b..5bcef1ac827da296c6a35e8fc29a1c6f0a04f808 100644
--- a/install/tools/ipa-upgradeconfig
+++ b/install/tools/ipa-upgradeconfig
@@ -1084,6 +1084,10 @@ def main():
setup_firefox_extension(fstore)
add_ca_dns_records()
+ bind = bindinstance.BindInstance(fstore)
+ if bind.is_configured():
+ bind.create_dir('/var/named/ipa', 0700)
+
# Any of the following functions returns True iff the named.conf file
# has been altered
named_conf_changes = (
@@ -1097,7 +1101,6 @@ def main():
if any(named_conf_changes):
# configuration has changed, restart the name server
root_logger.info('Changes to named.conf have been made, restart named')
- bind = bindinstance.BindInstance(fstore)
try:
bind.restart()
except ipautil.CalledProcessError, e:
diff --git a/install/updates/20-syncrepl.update b/install/updates/20-syncrepl.update
new file mode 100644
index 0000000000000000000000000000000000000000..c4158a1634410acd323f04f442bbbd2f69c24708
--- /dev/null
+++ b/install/updates/20-syncrepl.update
@@ -0,0 +1,9 @@
+# Enable Retro changelog
+dn: cn=Retro Changelog Plugin,cn=plugins,cn=config
+only:nsslapd-pluginEnabled: on
+add:nsslapd-attribute: nsuniqueid:targetUniqueId
+add:nsslapd-changelogmaxage: 2d
+
+# Enable SyncRepl
+dn: cn=Content Synchronization,cn=plugins,cn=config
+only:nsslapd-pluginEnabled: on
diff --git a/install/updates/Makefile.am b/install/updates/Makefile.am
index 40c3b3c8916faa267254a29d0f458ca53201950c..09965ff9885fce93f3d15dc73b11fa210f68b163 100644
--- a/install/updates/Makefile.am
+++ b/install/updates/Makefile.am
@@ -22,6 +22,7 @@ app_DATA = \
20-indices.update \
20-nss_ldap.update \
20-replication.update \
+ 20-syncrepl.update \
20-user_private_groups.update \
20-winsync_index.update \
21-replicas_container.update \
diff --git a/ipaserver/install/bindinstance.py b/ipaserver/install/bindinstance.py
index 6d5a1d44d30c89278c24fe7ab5278355cb65b0b4..4baeb4e077c64a7abebd1c071012f6c1e02dc1ae 100644
--- a/ipaserver/install/bindinstance.py
+++ b/ipaserver/install/bindinstance.py
@@ -22,6 +22,7 @@
import pwd
import netaddr
import re
+import errno
import ldap
@@ -509,6 +510,16 @@ def create_sample_bind_zone(self):
os.close(bind_fd)
print "Sample zone file for bind has been created in "+bind_name
+ def create_dir(self, path, mode):
+ try:
+ os.makedirs(path, mode)
+ except OSError as e:
+ if e.errno != errno.EEXIST:
+ raise e
+
+ pent = pwd.getpwnam(self.named_user or 'named')
+ os.chown(path, pent.pw_uid, pent.pw_gid)
+
def create_instance(self):
try:
@@ -519,6 +530,8 @@ def create_instance(self):
# get a connection to the DS
self.ldap_connect()
+ self.create_dir('/var/named/ipa', 0700)
+
if installutils.record_in_hosts(self.ip_address, self.fqdn) is None:
installutils.add_record_to_hosts(self.ip_address, self.fqdn)
--
1.8.5.3
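Review bot: create_dir() in bindinstance.py only enforces ownership, not the mode, when the path already exists: `os.makedirs(path, mode)` is skipped on EEXIST (and is subject to the umask when it does run), and the following `os.chown` follows symlinks. For a directory handed to the named user, check that the existing path is a real directory (`os.lstat` plus `stat.S_ISDIR`) and apply `os.chmod(path, mode)` before the chown. `raise e` also drops the original traceback in Python 2; a bare `raise` keeps it. PATCH 8/9 on this page removes create_dir() again, so this applies where patch 6 is used on its own.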


@ -0,0 +1,73 @@
From 031d08b13cec4c6c538a9c344576d349481ceeea Mon Sep 17 00:00:00 2001
From: Petr Spacek <pspacek@redhat.com>
Date: Thu, 23 Jan 2014 12:22:38 +0100
Subject: [PATCH 7/9] Limit memberOf and refInt DS plugins to main IPA suffix.
This drastically improves performance of retro changelog trimming.
https://fedorahosted.org/freeipa/ticket/3967
---
freeipa.spec.in | 6 +++---
install/updates/20-syncrepl.update | 13 ++++++++++++-
2 files changed, 15 insertions(+), 4 deletions(-)
diff --git a/freeipa.spec.in b/freeipa.spec.in
index 4f60be6ccd623de4574c7627e0ffc4ff0829e701..ef96c7c271ebba33b15d9b35891092e4151c3aae 100644
--- a/freeipa.spec.in
+++ b/freeipa.spec.in
@@ -21,7 +21,7 @@ Source0: freeipa-%{version}.tar.gz
BuildRoot: %{_tmppath}/%{name}-%{version}-%{release}-root-%(%{__id_u} -n)
%if ! %{ONLY_CLIENT}
-BuildRequires: 389-ds-base-devel >= 1.3.1.3
+BuildRequires: 389-ds-base-devel >= 1.3.2.10
BuildRequires: svrcore-devel
BuildRequires: policycoreutils >= %{POLICYCOREUTILSVER}
BuildRequires: systemd-units
@@ -95,7 +95,7 @@ Group: System Environment/Base
Requires: %{name}-python = %{version}-%{release}
Requires: %{name}-client = %{version}-%{release}
Requires: %{name}-admintools = %{version}-%{release}
-Requires: 389-ds-base >= 1.3.1.3
+Requires: 389-ds-base >= 1.3.2.10
Requires: openldap-clients > 2.4.35-4
%if 0%{?fedora} == 18
Requires: nss >= 3.14.3-2
@@ -150,7 +150,7 @@ Requires: zip
Requires: policycoreutils >= %{POLICYCOREUTILSVER}
Requires: tar
Requires(pre): certmonger >= 0.65
-Requires(pre): 389-ds-base >= 1.3.1.3
+Requires(pre): 389-ds-base >= 1.3.2.10
# With FreeIPA 3.3, package freeipa-server-selinux was obsoleted as the
# entire SELinux policy is stored in the system policy
diff --git a/install/updates/20-syncrepl.update b/install/updates/20-syncrepl.update
index c4158a1634410acd323f04f442bbbd2f69c24708..e1184bf48285fb216dfb0c82e5e97bb8cc35539c 100644
--- a/install/updates/20-syncrepl.update
+++ b/install/updates/20-syncrepl.update
@@ -1,9 +1,20 @@
-# Enable Retro changelog
+# Enable Retro changelog - it is necessary for SyncRepl
dn: cn=Retro Changelog Plugin,cn=plugins,cn=config
only:nsslapd-pluginEnabled: on
+# Remember original nsuniqueid for objects referenced from cn=changelog
add:nsslapd-attribute: nsuniqueid:targetUniqueId
add:nsslapd-changelogmaxage: 2d
+# Keep memberOf and referential integrity plugins away from cn=changelog.
+# It is necessary for performance reasons because we don't have appropriate
+# indices for cn=changelog.
+dn: cn=MemberOf Plugin,cn=plugins,cn=config
+add:memberofentryscope: '$SUFFIX'
+
+dn: cn=referential integrity postoperation,cn=plugins,cn=config
+add:nsslapd-plugincontainerscope: '$SUFFIX'
+add:nsslapd-pluginentryscope: '$SUFFIX'
+
# Enable SyncRepl
dn: cn=Content Synchronization,cn=plugins,cn=config
only:nsslapd-pluginEnabled: on
--
1.8.5.3


@ -0,0 +1,93 @@
From 916437b391739ea3ee48dfcd9f0d164536ca9ead Mon Sep 17 00:00:00 2001
From: Petr Spacek <pspacek@redhat.com>
Date: Mon, 27 Jan 2014 14:47:10 +0100
Subject: [PATCH 8/9] Remove working directory for bind-dyndb-ldap plugin.
The working directory will be provided directly
by bind-dyndb-ldap package.
This partially reverts commit 689382dc833e687d30349b10a8fd7dc740d54d08.
https://fedorahosted.org/freeipa/ticket/3967
---
freeipa.spec.in | 1 -
install/tools/ipa-upgradeconfig | 5 +----
ipaserver/install/bindinstance.py | 13 -------------
3 files changed, 1 insertion(+), 18 deletions(-)
diff --git a/freeipa.spec.in b/freeipa.spec.in
index ef96c7c271ebba33b15d9b35891092e4151c3aae..eb9afbb4bfa1a11caf1282d5b76c2e138735386c 100644
--- a/freeipa.spec.in
+++ b/freeipa.spec.in
@@ -764,7 +764,6 @@ fi
%{_mandir}/man1/ipa-backup.1.gz
%{_mandir}/man1/ipa-restore.1.gz
%{_mandir}/man1/ipa-advise.1.gz
-%ghost %{_localstatedir}/named/ipa
%files server-trust-ad
%{_sbindir}/ipa-adtrust-install
diff --git a/install/tools/ipa-upgradeconfig b/install/tools/ipa-upgradeconfig
index 5bcef1ac827da296c6a35e8fc29a1c6f0a04f808..cf9fe0e040e56bb75ca8d53e28586911caeffb2b 100644
--- a/install/tools/ipa-upgradeconfig
+++ b/install/tools/ipa-upgradeconfig
@@ -1084,10 +1084,6 @@ def main():
setup_firefox_extension(fstore)
add_ca_dns_records()
- bind = bindinstance.BindInstance(fstore)
- if bind.is_configured():
- bind.create_dir('/var/named/ipa', 0700)
-
# Any of the following functions returns True iff the named.conf file
# has been altered
named_conf_changes = (
@@ -1101,6 +1097,7 @@ def main():
if any(named_conf_changes):
# configuration has changed, restart the name server
root_logger.info('Changes to named.conf have been made, restart named')
+ bind = bindinstance.BindInstance(fstore)
try:
bind.restart()
except ipautil.CalledProcessError, e:
diff --git a/ipaserver/install/bindinstance.py b/ipaserver/install/bindinstance.py
index 4baeb4e077c64a7abebd1c071012f6c1e02dc1ae..6d5a1d44d30c89278c24fe7ab5278355cb65b0b4 100644
--- a/ipaserver/install/bindinstance.py
+++ b/ipaserver/install/bindinstance.py
@@ -22,7 +22,6 @@
import pwd
import netaddr
import re
-import errno
import ldap
@@ -510,16 +509,6 @@ def create_sample_bind_zone(self):
os.close(bind_fd)
print "Sample zone file for bind has been created in "+bind_name
- def create_dir(self, path, mode):
- try:
- os.makedirs(path, mode)
- except OSError as e:
- if e.errno != errno.EEXIST:
- raise e
-
- pent = pwd.getpwnam(self.named_user or 'named')
- os.chown(path, pent.pw_uid, pent.pw_gid)
-
def create_instance(self):
try:
@@ -530,8 +519,6 @@ def create_instance(self):
# get a connection to the DS
self.ldap_connect()
- self.create_dir('/var/named/ipa', 0700)
-
if installutils.record_in_hosts(self.ip_address, self.fqdn) is None:
installutils.add_record_to_hosts(self.ip_address, self.fqdn)
--
1.8.5.3


@ -0,0 +1,98 @@
From a24f83b833eb515e60a6e5b8144834bae7a78f70 Mon Sep 17 00:00:00 2001
From: Jan Cholasta <jcholast@redhat.com>
Date: Tue, 26 Nov 2013 08:53:34 +0000
Subject: [PATCH 9/9] Remove mod_ssl port workaround.
https://fedorahosted.org/freeipa/ticket/4021
---
freeipa.spec.in | 8 ++++++--
install/tools/ipa-upgradeconfig | 2 +-
ipaserver/install/httpinstance.py | 17 ++++++++---------
3 files changed, 15 insertions(+), 12 deletions(-)
diff --git a/freeipa.spec.in b/freeipa.spec.in
index eb9afbb4bfa1a11caf1282d5b76c2e138735386c..1f2ca11cb04d3e2f3a02d7a77cad1763c85e63cb 100644
--- a/freeipa.spec.in
+++ b/freeipa.spec.in
@@ -118,14 +118,14 @@ Requires: krb5-server >= 1.10
Requires: krb5-pkinit-openssl
Requires: cyrus-sasl-gssapi%{?_isa}
Requires: ntp
-Requires: httpd
+Requires: httpd >= 2.4.6-6
Requires: mod_wsgi
%if 0%{?fedora} >= 18
Requires: mod_auth_kerb >= 5.4-16
%else
Requires: mod_auth_kerb >= 5.4-8
%endif
-Requires: mod_nss >= 1.0.8-24
+Requires: mod_nss >= 1.0.8-26
Requires: python-ldap
Requires: python-krbV
Requires: acl
@@ -861,6 +861,10 @@ fi
%endif # ONLY_CLIENT
%changelog
+* Tue Nov 26 2013 Jan Cholasta <jcholast@redhat.com> - 3.3.90-6
+- Set minimum version of httpd to 2.4.6-6
+- Set minimum version of mod_nss to 1.0.8-26
+
* Tue Nov 12 2013 Tomas Babej<tbabej@redhat.com> - 3.3.90-5
- Add Fedora 19 platform files
diff --git a/install/tools/ipa-upgradeconfig b/install/tools/ipa-upgradeconfig
index cf9fe0e040e56bb75ca8d53e28586911caeffb2b..a31f7d092981c33694268f420892a781e9b02b3f 100644
--- a/install/tools/ipa-upgradeconfig
+++ b/install/tools/ipa-upgradeconfig
@@ -1052,7 +1052,7 @@ def main():
http = httpinstance.HTTPInstance(fstore)
http.remove_httpd_ccache()
http.configure_selinux_for_httpd()
- http.change_mod_nss_port_to_http()
+ http.change_mod_nss_port_from_http()
ds = dsinstance.DsInstance()
ds.configure_dirsrv_ccache()
diff --git a/ipaserver/install/httpinstance.py b/ipaserver/install/httpinstance.py
index 5d37926ddcaa17ce2eab839cd6aecdab0159a8ee..34e58fbb845c91c42a37d94a172e167cfb6f1790 100644
--- a/ipaserver/install/httpinstance.py
+++ b/ipaserver/install/httpinstance.py
@@ -237,25 +237,24 @@ def __configure_http(self):
http_fd.close()
os.chmod(target_fname, 0644)
- def change_mod_nss_port_to_http(self):
+ def change_mod_nss_port_from_http(self):
# mod_ssl enforces SSLEngine on for vhost on 443 even though
# the listener is mod_nss. This then crashes the httpd as mod_nss
# listened port obviously does not match mod_ssl requirements.
#
- # Change port to http to workaround the mod_ssl check, the SSL is
- # enforced in the vhost later, so it is benign.
+ # The workaround for this was to change port to http. It is no longer
+ # necessary, as mod_nss now ships with default configuration which
+ # sets SSLEngine off when mod_ssl is installed.
#
- # Remove when https://bugzilla.redhat.com/show_bug.cgi?id=1023168
- # is fixed.
- if not sysupgrade.get_upgrade_state('nss.conf', 'listen_port_updated'):
- installutils.set_directive(NSS_CONF, 'Listen', '443 http', quotes=False)
- sysupgrade.set_upgrade_state('nss.conf', 'listen_port_updated', True)
+ # Remove the workaround.
+ if sysupgrade.get_upgrade_state('nss.conf', 'listen_port_updated'):
+ installutils.set_directive(NSS_CONF, 'Listen', '443', quotes=False)
+ sysupgrade.set_upgrade_state('nss.conf', 'listen_port_updated', False)
def __set_mod_nss_port(self):
self.fstore.backup_file(NSS_CONF)
if installutils.update_file(NSS_CONF, '8443', '443') != 0:
print "Updating port in %s failed." % NSS_CONF
- self.change_mod_nss_port_to_http()
def __set_mod_nss_nickname(self, nickname):
installutils.set_directive(NSS_CONF, 'NSSNickname', nickname)
--
1.8.5.3
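Review bot: `change_mod_nss_port_from_http` restores `Listen 443` whenever the `listen_port_updated` upgrade state is set, but nothing in it checks that the active nss.conf carries the `SSLEngine off` default the new comment relies on. That default ships with the mod_nss package, while IPA has already edited this file (`__set_mod_nss_port`, `set_directive`), so on an upgraded host the packaged configuration may not be the one in use; this is inferred, since the package's config handling is not visible here. If so, removing the workaround would bring back the httpd crash the comment describes and take the IPA web and API endpoint down after the upgrade. I would at least record the assumption next to the directive change, e.g. `# NOTE: assumes the active nss.conf includes the mod_nss >= 1.0.8-26 default that turns SSLEngine off; confirm on upgraded hosts`, and turn the leading comment block into a docstring.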


@ -4,11 +4,11 @@
%global plugin_dir %{_libdir}/dirsrv/plugins %global plugin_dir %{_libdir}/dirsrv/plugins
%global POLICYCOREUTILSVER 2.1.14-37 %global POLICYCOREUTILSVER 2.1.14-37
%global gettext_domain ipa %global gettext_domain ipa
%global VERSION 3.3.3 %global VERSION 3.3.4
Name: freeipa Name: freeipa
Version: 3.3.3 Version: 3.3.4
Release: 5%{?dist} Release: 1%{?dist}
Summary: The Identity, Policy and Audit system Summary: The Identity, Policy and Audit system
Group: System Environment/Base Group: System Environment/Base
@ -17,9 +17,15 @@ URL: http://www.freeipa.org/
Source0: http://www.freeipa.org/downloads/src/freeipa-%{VERSION}.tar.gz Source0: http://www.freeipa.org/downloads/src/freeipa-%{VERSION}.tar.gz
BuildRoot: %{_tmppath}/%{name}-%{version}-%{release}-root-%(%{__id_u} -n) BuildRoot: %{_tmppath}/%{name}-%{version}-%{release}-root-%(%{__id_u} -n)
Patch0001: 0001-Guard-import-of-adtrustinstance-for-case-without-tru.patch Patch0001: 0001-platform-Add-Fedora-19-platform-file.patch
Patch0002: 0002-Fix-Wformat-security-warnings.patch Patch0002: 0002-ipa-client-install-Publish-CA-certificate-to-systemw.patch
Patch0003: 0003-Increase-stack-size-for-Web-UI-builder.patch Patch0003: 0003-Add-runas-option-to-run-function.patch
Patch0004: 0004-Switch-httpd-to-use-default-CCACHE.patch
Patch0005: 0005-httpd-should-destroy-all-CCACHEs.patch
Patch0006: 0006-Enable-Retro-Changelog-and-Content-Synchronization-D.patch
Patch0007: 0007-Limit-memberOf-and-refInt-DS-plugins-to-main-IPA-suf.patch
Patch0008: 0008-Remove-working-directory-for-bind-dyndb-ldap-plugin.patch
Patch0009: 0009-Remove-mod_ssl-port-workaround.patch
%if ! %{ONLY_CLIENT} %if ! %{ONLY_CLIENT}
BuildRequires: 389-ds-base-devel >= 1.3.1.3 BuildRequires: 389-ds-base-devel >= 1.3.1.3
@ -96,7 +102,7 @@ Group: System Environment/Base
Requires: %{name}-python = %{version}-%{release} Requires: %{name}-python = %{version}-%{release}
Requires: %{name}-client = %{version}-%{release} Requires: %{name}-client = %{version}-%{release}
Requires: %{name}-admintools = %{version}-%{release} Requires: %{name}-admintools = %{version}-%{release}
Requires: 389-ds-base >= 1.3.1.3 Requires: 389-ds-base >= 1.3.2.10
Requires: openldap-clients > 2.4.35-4 Requires: openldap-clients > 2.4.35-4
%if 0%{?fedora} == 18 %if 0%{?fedora} == 18
Requires: nss >= 3.14.3-2 Requires: nss >= 3.14.3-2
@ -119,14 +125,14 @@ Requires: krb5-server >= 1.10
Requires: krb5-pkinit-openssl Requires: krb5-pkinit-openssl
Requires: cyrus-sasl-gssapi%{?_isa} Requires: cyrus-sasl-gssapi%{?_isa}
Requires: ntp Requires: ntp
Requires: httpd Requires: httpd >= 2.4.6-6
Requires: mod_wsgi Requires: mod_wsgi
%if 0%{?fedora} >= 18 %if 0%{?fedora} >= 18
Requires: mod_auth_kerb >= 5.4-16 Requires: mod_auth_kerb >= 5.4-16
%else %else
Requires: mod_auth_kerb >= 5.4-8 Requires: mod_auth_kerb >= 5.4-8
%endif %endif
Requires: mod_nss >= 1.0.8-24 Requires: mod_nss >= 1.0.8-26
Requires: python-ldap Requires: python-ldap
Requires: python-krbV Requires: python-krbV
Requires: acl Requires: acl
@ -151,7 +157,7 @@ Requires: zip
Requires: policycoreutils >= %{POLICYCOREUTILSVER} Requires: policycoreutils >= %{POLICYCOREUTILSVER}
Requires: tar Requires: tar
Requires(pre): certmonger >= 0.65 Requires(pre): certmonger >= 0.65
Requires(pre): 389-ds-base >= 1.3.1.3 Requires(pre): 389-ds-base >= 1.3.2.10
# With FreeIPA 3.3, package freeipa-server-selinux was obsoleted as the # With FreeIPA 3.3, package freeipa-server-selinux was obsoleted as the
# entire SELinux policy is stored in the system policy # entire SELinux policy is stored in the system policy
@ -372,6 +378,9 @@ export JAVA_STACK_SIZE="8m"
%endif %endif
export CFLAGS="$CFLAGS %{optflags}" export CFLAGS="$CFLAGS %{optflags}"
export CPPFLAGS="$CPPFLAGS %{optflags}" export CPPFLAGS="$CPPFLAGS %{optflags}"
%if 0%{?fedora} >= 19
export SUPPORTED_PLATFORM=fedora19
%else
%if 0%{?fedora} >= 18 %if 0%{?fedora} >= 18
# use fedora18 platform which is based on fedora16 platform with systemd # use fedora18 platform which is based on fedora16 platform with systemd
# support + fedora18 changes # support + fedora18 changes
@ -379,6 +388,7 @@ export SUPPORTED_PLATFORM=fedora18
%else %else
export SUPPORTED_PLATFORM=fedora16 export SUPPORTED_PLATFORM=fedora16
%endif %endif
%endif
# Force re-generate of platform support # Force re-generate of platform support
rm -f ipapython/services.py rm -f ipapython/services.py
make version-update make version-update
@ -396,6 +406,9 @@ make IPA_VERSION_IS_GIT_SNAPSHOT=no %{?_smp_mflags} client
%install %install
rm -rf %{buildroot} rm -rf %{buildroot}
%if 0%{?fedora} >= 19
export SUPPORTED_PLATFORM=fedora19
%else
%if 0%{?fedora} >= 18 %if 0%{?fedora} >= 18
# use fedora18 platform which is based on fedora16 platform with systemd # use fedora18 platform which is based on fedora16 platform with systemd
# support + fedora18 changes # support + fedora18 changes
@ -403,6 +416,7 @@ export SUPPORTED_PLATFORM=fedora18
%else %else
export SUPPORTED_PLATFORM=fedora16 export SUPPORTED_PLATFORM=fedora16
%endif %endif
%endif
# Force re-generate of platform support # Force re-generate of platform support
rm -f ipapython/services.py rm -f ipapython/services.py
%if ! %{ONLY_CLIENT} %if ! %{ONLY_CLIENT}
@ -595,6 +609,16 @@ if [ $1 -gt 1 ] ; then
/sbin/restorecon /etc/krb5.conf /sbin/restorecon /etc/krb5.conf
fi fi
fi fi
if [ -f '/etc/sysconfig/ntpd' -a $restore -ge 2 ]; then
if grep -E -q 'OPTIONS=.*-u ntp:ntp' /etc/sysconfig/ntpd 2>/dev/null; then
sed -r '/OPTIONS=/ { s/\s+-u ntp:ntp\s+/ /; s/\s*-u ntp:ntp\s*// }' /etc/sysconfig/ntpd >/etc/sysconfig/ntpd.ipanew
mv /etc/sysconfig/ntpd.ipanew /etc/sysconfig/ntpd
/sbin/restorecon /etc/sysconfig/ntpd
/bin/systemctl condrestart ntpd.service 2>&1 || :
fi
fi
fi fi
%triggerin -n freeipa-client -- openssh-server %triggerin -n freeipa-client -- openssh-server
@ -719,6 +743,7 @@ fi
%{_usr}/share/ipa/ui/*.svg %{_usr}/share/ipa/ui/*.svg
%{_usr}/share/ipa/ui/*.ttf %{_usr}/share/ipa/ui/*.ttf
%{_usr}/share/ipa/ui/*.woff %{_usr}/share/ipa/ui/*.woff
%dir %{_usr}/share/ipa/ui/js
%dir %{_usr}/share/ipa/ui/js/dojo %dir %{_usr}/share/ipa/ui/js/dojo
%{_usr}/share/ipa/ui/js/dojo/dojo.js %{_usr}/share/ipa/ui/js/dojo/dojo.js
%dir %{_usr}/share/ipa/ui/js/libs %dir %{_usr}/share/ipa/ui/js/libs
@ -853,12 +878,14 @@ fi
%dir %{python_sitelib}/ipapython/platform/base %dir %{python_sitelib}/ipapython/platform/base
%dir %{python_sitelib}/ipapython/platform/fedora16 %dir %{python_sitelib}/ipapython/platform/fedora16
%dir %{python_sitelib}/ipapython/platform/fedora18 %dir %{python_sitelib}/ipapython/platform/fedora18
%dir %{python_sitelib}/ipapython/platform/fedora19
%dir %{python_sitelib}/ipapython/platform/redhat %dir %{python_sitelib}/ipapython/platform/redhat
%{python_sitelib}/ipapython/*.py* %{python_sitelib}/ipapython/*.py*
%{python_sitelib}/ipapython/platform/*.py* %{python_sitelib}/ipapython/platform/*.py*
%{python_sitelib}/ipapython/platform/base/*.py* %{python_sitelib}/ipapython/platform/base/*.py*
%{python_sitelib}/ipapython/platform/fedora16/*.py* %{python_sitelib}/ipapython/platform/fedora16/*.py*
%{python_sitelib}/ipapython/platform/fedora18/*.py* %{python_sitelib}/ipapython/platform/fedora18/*.py*
%{python_sitelib}/ipapython/platform/fedora19/*.py*
%{python_sitelib}/ipapython/platform/redhat/*.py* %{python_sitelib}/ipapython/platform/redhat/*.py*
%dir %{python_sitelib}/ipalib %dir %{python_sitelib}/ipalib
%{python_sitelib}/ipalib/* %{python_sitelib}/ipalib/*
@ -894,6 +921,13 @@ fi
%endif # ONLY_CLIENT %endif # ONLY_CLIENT
%changelog %changelog
* Tue Jan 28 2014 Martin Kosek <mkosek@redhat.com> - 3.3.4-1
- Update to upstream 3.3.4
- Install CA anchor into standard location (#928478)
- ipa-client-install part of ipa-server-install fails on reinstall (#1044994)
- Remove mod_ssl workaround (RHEL bug #1029046)
- Enable syncrepl plugin to support bind-dyndb-ldap 4.0
* Fri Jan 3 2014 Martin Kosek <mkosek@redhat.com> - 3.3.3-5 * Fri Jan 3 2014 Martin Kosek <mkosek@redhat.com> - 3.3.3-5
- Build crashed with rhino exception on s390 architectures (#1040576) - Build crashed with rhino exception on s390 architectures (#1040576)
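Review bot: In the added ntpd scriptlet lines, `sed` writes `/etc/sysconfig/ntpd.ipanew` and `mv` then replaces `/etc/sysconfig/ntpd` whether or not `sed` succeeded, so a failed or interrupted `sed` leaves an empty or truncated ntpd configuration in place. Join the two commands with `&&`, i.e. end the `sed` line with `>/etc/sysconfig/ntpd.ipanew && mv /etc/sysconfig/ntpd.ipanew /etc/sysconfig/ntpd`, so the original survives a failure. The replacement file is also created fresh, so it takes the scriptlet's umask and ownership instead of the original file's mode; `restorecon` repairs only the SELinux label. `$restore` is set outside the visible lines, and the scriptlet itself begins and ends outside this hunk.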


@ -1 +1 @@
ba4546b837c5129524e2d1020986400f freeipa-3.3.3.tar.gz 2ad49c60abada8a328ddd825481d9e9c freeipa-3.3.4.tar.gz