3.3.4-1
- Update to upstream 3.3.4 - Install CA anchor into standard location (#928478) - ipa-client-install part of ipa-server-install fails on reinstall (#1044994) - Remove mod_ssl workaround (RHEL bug #1029046) - Enable syncrepl plugin to support bind-dyndb-ldap 4.0
This commit is contained in:
parent
3242eeabec
commit
9d21232151
1
.gitignore
vendored
1
.gitignore
vendored
@ -27,3 +27,4 @@
|
|||||||
/freeipa-3.3.0.tar.gz
|
/freeipa-3.3.0.tar.gz
|
||||||
/freeipa-3.3.1.tar.gz
|
/freeipa-3.3.1.tar.gz
|
||||||
/freeipa-3.3.3.tar.gz
|
/freeipa-3.3.3.tar.gz
|
||||||
|
/freeipa-3.3.4.tar.gz
|
||||||
|
156
0001-platform-Add-Fedora-19-platform-file.patch
Normal file
156
0001-platform-Add-Fedora-19-platform-file.patch
Normal file
@ -0,0 +1,156 @@
|
|||||||
|
From 2a98701ea1745394b717c3f4be4e0e376ab1d658 Mon Sep 17 00:00:00 2001
|
||||||
|
From: Tomas Babej <tomasbabej@gmail.com>
|
||||||
|
Date: Mon, 11 Nov 2013 13:02:40 +0100
|
||||||
|
Subject: [PATCH 1/9] platform: Add Fedora 19 platform file
|
||||||
|
|
||||||
|
Part of: https://fedorahosted.org/freeipa/ticket/3504
|
||||||
|
---
|
||||||
|
freeipa.spec.in | 15 ++++++++-
|
||||||
|
ipapython/platform/fedora19/__init__.py | 55 +++++++++++++++++++++++++++++++++
|
||||||
|
ipapython/setup.py.in | 1 +
|
||||||
|
3 files changed, 70 insertions(+), 1 deletion(-)
|
||||||
|
create mode 100644 ipapython/platform/fedora19/__init__.py
|
||||||
|
|
||||||
|
diff --git a/freeipa.spec.in b/freeipa.spec.in
|
||||||
|
index 138390ed729ac561504e41b44bb0e2c9041e7b94..8fd0a368ed02cfad120db6283e3899027d467bfc 100644
|
||||||
|
--- a/freeipa.spec.in
|
||||||
|
+++ b/freeipa.spec.in
|
||||||
|
@@ -326,6 +326,9 @@ export JAVA_STACK_SIZE="8m"
|
||||||
|
%endif
|
||||||
|
export CFLAGS="$CFLAGS %{optflags}"
|
||||||
|
export CPPFLAGS="$CPPFLAGS %{optflags}"
|
||||||
|
+%if 0%{?fedora} >= 19
|
||||||
|
+export SUPPORTED_PLATFORM=fedora19
|
||||||
|
+%else
|
||||||
|
%if 0%{?fedora} >= 18
|
||||||
|
# use fedora18 platform which is based on fedora16 platform with systemd
|
||||||
|
# support + fedora18 changes
|
||||||
|
@@ -333,6 +336,7 @@ export SUPPORTED_PLATFORM=fedora18
|
||||||
|
%else
|
||||||
|
export SUPPORTED_PLATFORM=fedora16
|
||||||
|
%endif
|
||||||
|
+%endif
|
||||||
|
# Force re-generate of platform support
|
||||||
|
rm -f ipapython/services.py
|
||||||
|
make version-update
|
||||||
|
@@ -350,6 +354,9 @@ make IPA_VERSION_IS_GIT_SNAPSHOT=no %{?_smp_mflags} client
|
||||||
|
|
||||||
|
%install
|
||||||
|
rm -rf %{buildroot}
|
||||||
|
+%if 0%{?fedora} >= 19
|
||||||
|
+export SUPPORTED_PLATFORM=fedora19
|
||||||
|
+%else
|
||||||
|
%if 0%{?fedora} >= 18
|
||||||
|
# use fedora18 platform which is based on fedora16 platform with systemd
|
||||||
|
# support + fedora18 changes
|
||||||
|
@@ -357,6 +364,7 @@ export SUPPORTED_PLATFORM=fedora18
|
||||||
|
%else
|
||||||
|
export SUPPORTED_PLATFORM=fedora16
|
||||||
|
%endif
|
||||||
|
+%endif
|
||||||
|
# Force re-generate of platform support
|
||||||
|
rm -f ipapython/services.py
|
||||||
|
%if ! %{ONLY_CLIENT}
|
||||||
|
@@ -810,12 +818,14 @@ fi
|
||||||
|
%dir %{python_sitelib}/ipapython/platform/base
|
||||||
|
%dir %{python_sitelib}/ipapython/platform/fedora16
|
||||||
|
%dir %{python_sitelib}/ipapython/platform/fedora18
|
||||||
|
+%dir %{python_sitelib}/ipapython/platform/fedora19
|
||||||
|
%dir %{python_sitelib}/ipapython/platform/redhat
|
||||||
|
%{python_sitelib}/ipapython/*.py*
|
||||||
|
%{python_sitelib}/ipapython/platform/*.py*
|
||||||
|
%{python_sitelib}/ipapython/platform/base/*.py*
|
||||||
|
%{python_sitelib}/ipapython/platform/fedora16/*.py*
|
||||||
|
%{python_sitelib}/ipapython/platform/fedora18/*.py*
|
||||||
|
+%{python_sitelib}/ipapython/platform/fedora19/*.py*
|
||||||
|
%{python_sitelib}/ipapython/platform/redhat/*.py*
|
||||||
|
%dir %{python_sitelib}/ipalib
|
||||||
|
%{python_sitelib}/ipalib/*
|
||||||
|
@@ -851,7 +861,10 @@ fi
|
||||||
|
%endif # ONLY_CLIENT
|
||||||
|
|
||||||
|
%changelog
|
||||||
|
-* Fri Oct 25 2013 Martin Kosek <mkosek@redhat.com> - 3.3.2-1
|
||||||
|
+* Tue Nov 12 2013 Tomas Babej<tbabej@redhat.com> - 3.3.90-5
|
||||||
|
+- Add Fedora 19 platform files
|
||||||
|
+
|
||||||
|
+* Fri Oct 25 2013 Martin Kosek <mkosek@redhat.com> - 3.3.90-4
|
||||||
|
- Remove mod_ssl conflict, it can now live with mod_nss installed
|
||||||
|
|
||||||
|
* Wed Sep 4 2013 Ana Krivokapic <akrivoka@redhat.com> - 3.3.0-3
|
||||||
|
diff --git a/ipapython/platform/fedora19/__init__.py b/ipapython/platform/fedora19/__init__.py
|
||||||
|
new file mode 100644
|
||||||
|
index 0000000000000000000000000000000000000000..80356d65f4d07483000d57e16b193a857d0988ca
|
||||||
|
--- /dev/null
|
||||||
|
+++ b/ipapython/platform/fedora19/__init__.py
|
||||||
|
@@ -0,0 +1,55 @@
|
||||||
|
+# Author: Tomas Babej <tbabej@redhat.com>
|
||||||
|
+#
|
||||||
|
+# Copyright (C) 2013 Red Hat
|
||||||
|
+# see file 'COPYING' for use and warranty information
|
||||||
|
+#
|
||||||
|
+# This program is free software; you can redistribute it and/or modify
|
||||||
|
+# it under the terms of the GNU General Public License as published by
|
||||||
|
+# the Free Software Foundation, either version 3 of the License, or
|
||||||
|
+# (at your option) any later version.
|
||||||
|
+#
|
||||||
|
+# This program is distributed in the hope that it will be useful,
|
||||||
|
+# but WITHOUT ANY WARRANTY; without even the implied warranty of
|
||||||
|
+# MERCHANTABILITY or FITNESS FOR A PARTICULAR PURPOSE. See the
|
||||||
|
+# GNU General Public License for more details.
|
||||||
|
+#
|
||||||
|
+# You should have received a copy of the GNU General Public License
|
||||||
|
+# along with this program. If not, see <http://www.gnu.org/licenses/>.
|
||||||
|
+#
|
||||||
|
+
|
||||||
|
+from ipapython.platform import fedora18, base
|
||||||
|
+
|
||||||
|
+# All what we allow exporting directly from this module
|
||||||
|
+
|
||||||
|
+# Everything else is made available through these symbols when they are
|
||||||
|
+# directly imported into ipapython.services:
|
||||||
|
+
|
||||||
|
+# authconfig -- class reference for platform-specific implementation of
|
||||||
|
+# authconfig(8)
|
||||||
|
+# service -- class reference for platform-specific implementation of a
|
||||||
|
+# PlatformService class
|
||||||
|
+# knownservices -- factory instance to access named services IPA cares about,
|
||||||
|
+# names are ipapython.services.wellknownservices
|
||||||
|
+# backup_and_replace_hostname -- platform-specific way to set hostname and
|
||||||
|
+# make it persistent over reboots
|
||||||
|
+# restore_network_configuration -- platform-specific way of restoring network
|
||||||
|
+# configuration (e.g. static hostname)
|
||||||
|
+# restore_context -- platform-sepcific way to restore security context, if
|
||||||
|
+# applicable
|
||||||
|
+# check_selinux_status -- platform-specific way to see if SELinux is enabled
|
||||||
|
+# and restorecon is installed.
|
||||||
|
+
|
||||||
|
+__all__ = ['authconfig', 'service', 'knownservices',
|
||||||
|
+ 'backup_and_replace_hostname', 'restore_context', 'check_selinux_status',
|
||||||
|
+ 'restore_network_configuration', 'timedate_services']
|
||||||
|
+
|
||||||
|
+# Just copy a referential list of timedate services
|
||||||
|
+timedate_services = list(base.timedate_services)
|
||||||
|
+
|
||||||
|
+backup_and_replace_hostname = fedora18.backup_and_replace_hostname
|
||||||
|
+restore_network_configuration = fedora18.restore_network_configuration
|
||||||
|
+authconfig = fedora18.authconfig
|
||||||
|
+service = fedora18.service
|
||||||
|
+knownservices = fedora18.knownservices
|
||||||
|
+restore_context = fedora18.restore_context
|
||||||
|
+check_selinux_status = fedora18.check_selinux_status
|
||||||
|
diff --git a/ipapython/setup.py.in b/ipapython/setup.py.in
|
||||||
|
index d3bbcaf1e46528d50731ca18a96a3384f6b49548..108c95d0ccb74e1cec5167759243f428f4ecf21a 100644
|
||||||
|
--- a/ipapython/setup.py.in
|
||||||
|
+++ b/ipapython/setup.py.in
|
||||||
|
@@ -70,6 +70,7 @@ def setup_package():
|
||||||
|
"ipapython.platform.base",
|
||||||
|
"ipapython.platform.fedora16",
|
||||||
|
"ipapython.platform.fedora18",
|
||||||
|
+ "ipapython.platform.fedora19",
|
||||||
|
"ipapython.platform.redhat" ],
|
||||||
|
)
|
||||||
|
finally:
|
||||||
|
--
|
||||||
|
1.8.5.3
|
||||||
|
|
178
0002-ipa-client-install-Publish-CA-certificate-to-systemw.patch
Normal file
178
0002-ipa-client-install-Publish-CA-certificate-to-systemw.patch
Normal file
@ -0,0 +1,178 @@
|
|||||||
|
From eb81f2cf7e0bde6879952d7256bbdfeb3b5c798b Mon Sep 17 00:00:00 2001
|
||||||
|
From: Tomas Babej <tbabej@redhat.com>
|
||||||
|
Date: Tue, 24 Sep 2013 10:54:57 +0200
|
||||||
|
Subject: [PATCH 2/9] ipa-client-install: Publish CA certificate to systemwide
|
||||||
|
store
|
||||||
|
|
||||||
|
During the installation, copy the CA certificate to the systemwide
|
||||||
|
store (/etc/pki/ca-trust/source/anchors/ipa-ca.crt) and update the
|
||||||
|
systemwide CA database.
|
||||||
|
|
||||||
|
This allows browsers to access IPA WebUI without warning out of the
|
||||||
|
box.
|
||||||
|
|
||||||
|
https://fedorahosted.org/freeipa/ticket/3504
|
||||||
|
---
|
||||||
|
ipa-client/ipa-install/ipa-client-install | 13 +++++-
|
||||||
|
ipapython/platform/fedora19/__init__.py | 67 ++++++++++++++++++++++++++++++-
|
||||||
|
ipapython/services.py.in | 11 ++++-
|
||||||
|
3 files changed, 88 insertions(+), 3 deletions(-)
|
||||||
|
|
||||||
|
diff --git a/ipa-client/ipa-install/ipa-client-install b/ipa-client/ipa-install/ipa-client-install
|
||||||
|
index afed54e5ddbf5ed985b637f20ac61d8ab1632364..23cd9a0babcb600134d87224f0c32ad9ca8845b5 100755
|
||||||
|
--- a/ipa-client/ipa-install/ipa-client-install
|
||||||
|
+++ b/ipa-client/ipa-install/ipa-client-install
|
||||||
|
@@ -651,6 +651,9 @@ def uninstall(options, env):
|
||||||
|
root_logger.warning('Please remove /etc/ipa/default.conf manually, '
|
||||||
|
'as it can cause subsequent installation to fail.')
|
||||||
|
|
||||||
|
+ # Remove the CA cert from the systemwide certificate store
|
||||||
|
+ ipaservices.remove_ca_cert_from_systemwide_ca_store(CACERT)
|
||||||
|
+
|
||||||
|
# Remove the CA cert
|
||||||
|
try:
|
||||||
|
os.remove(CACERT)
|
||||||
|
@@ -2293,12 +2296,20 @@ def install(options, env, fstore, statestore):
|
||||||
|
return CLIENT_INSTALL_ERROR
|
||||||
|
root_logger.info("Configured /etc/sssd/sssd.conf")
|
||||||
|
|
||||||
|
+ # Add the CA to the platform-dependant systemwide CA store
|
||||||
|
+ ipaservices.insert_ca_cert_into_systemwide_ca_store(CACERT)
|
||||||
|
+
|
||||||
|
# Add the CA to the default NSS database and trust it
|
||||||
|
try:
|
||||||
|
- run(["/usr/bin/certutil", "-A", "-d", "/etc/pki/nssdb", "-n", "IPA CA", "-t", "CT,C,C", "-a", "-i", CACERT])
|
||||||
|
+ root_logger.debug("Attempting to add CA directly to the "
|
||||||
|
+ "default NSS database.")
|
||||||
|
+ run(["/usr/bin/certutil", "-A", "-d", "/etc/pki/nssdb",
|
||||||
|
+ "-n", "IPA CA", "-t", "CT,C,C", "-a", "-i", CACERT])
|
||||||
|
except CalledProcessError, e:
|
||||||
|
root_logger.info("Failed to add CA to the default NSS database.")
|
||||||
|
return CLIENT_INSTALL_ERROR
|
||||||
|
+ else:
|
||||||
|
+ root_logger.info('Added the CA to the default NSS database.')
|
||||||
|
|
||||||
|
host_principal = 'host/%s@%s' % (hostname, cli_realm)
|
||||||
|
if options.on_master:
|
||||||
|
diff --git a/ipapython/platform/fedora19/__init__.py b/ipapython/platform/fedora19/__init__.py
|
||||||
|
index 80356d65f4d07483000d57e16b193a857d0988ca..9b931625bdcd4f1266ecfd0c7fea4c37ac7935aa 100644
|
||||||
|
--- a/ipapython/platform/fedora19/__init__.py
|
||||||
|
+++ b/ipapython/platform/fedora19/__init__.py
|
||||||
|
@@ -17,6 +17,14 @@
|
||||||
|
# along with this program. If not, see <http://www.gnu.org/licenses/>.
|
||||||
|
#
|
||||||
|
|
||||||
|
+import shutil
|
||||||
|
+import os
|
||||||
|
+
|
||||||
|
+from subprocess import CalledProcessError
|
||||||
|
+
|
||||||
|
+from ipapython.ipa_log_manager import root_logger
|
||||||
|
+from ipapython.ipautil import run
|
||||||
|
+
|
||||||
|
from ipapython.platform import fedora18, base
|
||||||
|
|
||||||
|
# All what we allow exporting directly from this module
|
||||||
|
@@ -38,10 +46,19 @@
|
||||||
|
# applicable
|
||||||
|
# check_selinux_status -- platform-specific way to see if SELinux is enabled
|
||||||
|
# and restorecon is installed.
|
||||||
|
+# insert_ca_cert_into_systemwide_ca_store - platform-specific way to insert our
|
||||||
|
+# CA certificate into the systemwide
|
||||||
|
+# CA store
|
||||||
|
+# remove_ca_cert_from_systemwide_ca_store - platform-specific way to remove our
|
||||||
|
+# CA certificate from the systemwide
|
||||||
|
+# CA store
|
||||||
|
+
|
||||||
|
|
||||||
|
__all__ = ['authconfig', 'service', 'knownservices',
|
||||||
|
'backup_and_replace_hostname', 'restore_context', 'check_selinux_status',
|
||||||
|
- 'restore_network_configuration', 'timedate_services']
|
||||||
|
+ 'restore_network_configuration', 'timedate_services',
|
||||||
|
+ 'insert_ca_cert_into_systemwide_ca_store',
|
||||||
|
+ 'remove_ca_cert_from_systemwide_ca_store']
|
||||||
|
|
||||||
|
# Just copy a referential list of timedate services
|
||||||
|
timedate_services = list(base.timedate_services)
|
||||||
|
@@ -53,3 +70,51 @@
|
||||||
|
knownservices = fedora18.knownservices
|
||||||
|
restore_context = fedora18.restore_context
|
||||||
|
check_selinux_status = fedora18.check_selinux_status
|
||||||
|
+
|
||||||
|
+systemwide_ca_store = '/etc/pki/ca-trust/source/anchors/'
|
||||||
|
+
|
||||||
|
+
|
||||||
|
+def insert_ca_cert_into_systemwide_ca_store(cacert_path):
|
||||||
|
+ # Add the 'ipa-' prefix to cert name to avoid name collisions
|
||||||
|
+ cacert_name = os.path.basename(cacert_path)
|
||||||
|
+ new_cacert_path = os.path.join(systemwide_ca_store, 'ipa-%s' % cacert_name)
|
||||||
|
+
|
||||||
|
+ # Add the CA to the systemwide CA trust database
|
||||||
|
+ try:
|
||||||
|
+ shutil.copy(cacert_path, new_cacert_path)
|
||||||
|
+ run(['/usr/bin/update-ca-trust'])
|
||||||
|
+ except OSError, e:
|
||||||
|
+ root_logger.info("Failed to copy %s to %s" % (cacert_path,
|
||||||
|
+ new_cacert_path))
|
||||||
|
+ except CalledProcessError, e:
|
||||||
|
+ root_logger.info("Failed to add CA to the systemwide "
|
||||||
|
+ "CA trust database: %s" % str(e))
|
||||||
|
+ else:
|
||||||
|
+ root_logger.info('Added the CA to the systemwide CA trust database.')
|
||||||
|
+ return True
|
||||||
|
+
|
||||||
|
+ return False
|
||||||
|
+
|
||||||
|
+
|
||||||
|
+def remove_ca_cert_from_systemwide_ca_store(cacert_path):
|
||||||
|
+ # Derive the certificate name in the store
|
||||||
|
+ cacert_name = os.path.basename(cacert_path)
|
||||||
|
+ new_cacert_path = os.path.join(systemwide_ca_store, 'ipa-%s' % cacert_name)
|
||||||
|
+
|
||||||
|
+ # Remove CA cert from systemwide store
|
||||||
|
+ if os.path.exists(new_cacert_path):
|
||||||
|
+ try:
|
||||||
|
+ os.remove(new_cacert_path)
|
||||||
|
+ run(['/usr/bin/update-ca-trust'])
|
||||||
|
+ except OSError, e:
|
||||||
|
+ root_logger.error('Could not remove: %s, %s'
|
||||||
|
+ % (new_cacert_path, str(e)))
|
||||||
|
+ return False
|
||||||
|
+ except CalledProcessError, e:
|
||||||
|
+ root_logger.error('Could not update systemwide CA trust '
|
||||||
|
+ 'database: %s' % str(e))
|
||||||
|
+ return False
|
||||||
|
+ else:
|
||||||
|
+ root_logger.info('Systemwide CA database updated.')
|
||||||
|
+
|
||||||
|
+ return True
|
||||||
|
diff --git a/ipapython/services.py.in b/ipapython/services.py.in
|
||||||
|
index 16b62ca8508d4078e896cd1da6fd664f52a3930e..d648ad5bf77aa58f2de33f0a02440eae01d6396b 100644
|
||||||
|
--- a/ipapython/services.py.in
|
||||||
|
+++ b/ipapython/services.py.in
|
||||||
|
@@ -21,7 +21,7 @@
|
||||||
|
authconfig = None
|
||||||
|
|
||||||
|
# knownservices is an entry point to known platform services
|
||||||
|
-# (instance of ipapython.platform.base.KnownServices)
|
||||||
|
+# (instance of ipapython.platform.base.KnownServices)
|
||||||
|
knownservices = None
|
||||||
|
|
||||||
|
# service is a class to instantiate ipapython.platform.base.PlatformService
|
||||||
|
@@ -55,4 +55,13 @@ from ipapython.platform.base import SVC_LIST_FILE
|
||||||
|
def get_svc_list_file():
|
||||||
|
return SVC_LIST_FILE
|
||||||
|
|
||||||
|
+def insert_ca_cert_into_systemwide_ca_store_default(path):
|
||||||
|
+ return True
|
||||||
|
+
|
||||||
|
+def remove_ca_cert_from_systemwide_ca_store_default(path):
|
||||||
|
+ return True
|
||||||
|
+
|
||||||
|
+insert_ca_cert_into_systemwide_ca_store = insert_ca_cert_into_systemwide_ca_store_default
|
||||||
|
+remove_ca_cert_from_systemwide_ca_store = remove_ca_cert_from_systemwide_ca_store_default
|
||||||
|
+
|
||||||
|
from ipapython.platform.SUPPORTED_PLATFORM import *
|
||||||
|
--
|
||||||
|
1.8.5.3
|
||||||
|
|
106
0003-Add-runas-option-to-run-function.patch
Normal file
106
0003-Add-runas-option-to-run-function.patch
Normal file
@ -0,0 +1,106 @@
|
|||||||
|
From b4791862852770711be87ca63ed85b23e72baea3 Mon Sep 17 00:00:00 2001
|
||||||
|
From: Martin Kosek <mkosek@redhat.com>
|
||||||
|
Date: Thu, 16 Jan 2014 14:10:42 +0100
|
||||||
|
Subject: [PATCH 3/9] Add runas option to run function
|
||||||
|
|
||||||
|
Run function can now run the specified command as different user by
|
||||||
|
setting the both real and effective UID and GID for executed process.
|
||||||
|
|
||||||
|
Add both the missing run function attribute doc strings as well as
|
||||||
|
a doc string for the runas attribute.
|
||||||
|
---
|
||||||
|
ipapython/ipautil.py | 59 +++++++++++++++++++++++++++++++++-------------------
|
||||||
|
1 file changed, 38 insertions(+), 21 deletions(-)
|
||||||
|
|
||||||
|
diff --git a/ipapython/ipautil.py b/ipapython/ipautil.py
|
||||||
|
index 92569c3b487bdbbfc4f0033813fda56c8928f20c..f7a2443af940a695321da7989457a392d6451d44 100644
|
||||||
|
--- a/ipapython/ipautil.py
|
||||||
|
+++ b/ipapython/ipautil.py
|
||||||
|
@@ -42,6 +42,7 @@
|
||||||
|
import netaddr
|
||||||
|
import time
|
||||||
|
import krbV
|
||||||
|
+import pwd
|
||||||
|
from dns import resolver, rdatatype
|
||||||
|
from dns.exception import DNSException
|
||||||
|
|
||||||
|
@@ -246,29 +247,35 @@ def shell_quote(string):
|
||||||
|
return "'" + string.replace("'", "'\\''") + "'"
|
||||||
|
|
||||||
|
def run(args, stdin=None, raiseonerr=True,
|
||||||
|
- nolog=(), env=None, capture_output=True, skip_output=False, cwd=None):
|
||||||
|
+ nolog=(), env=None, capture_output=True, skip_output=False, cwd=None,
|
||||||
|
+ runas=None):
|
||||||
|
"""
|
||||||
|
Execute a command and return stdin, stdout and the process return code.
|
||||||
|
|
||||||
|
- args is a list of arguments for the command
|
||||||
|
-
|
||||||
|
- stdin is used if you want to pass input to the command
|
||||||
|
-
|
||||||
|
- raiseonerr raises an exception if the return code is not zero
|
||||||
|
-
|
||||||
|
- nolog is a tuple of strings that shouldn't be logged, like passwords.
|
||||||
|
- Each tuple consists of a string to be replaced by XXXXXXXX.
|
||||||
|
-
|
||||||
|
- For example, the command ['/usr/bin/setpasswd', '--password', 'Secret123', 'someuser']
|
||||||
|
-
|
||||||
|
- We don't want to log the password so nolog would be set to:
|
||||||
|
- ('Secret123',)
|
||||||
|
-
|
||||||
|
- The resulting log output would be:
|
||||||
|
-
|
||||||
|
- /usr/bin/setpasswd --password XXXXXXXX someuser
|
||||||
|
-
|
||||||
|
- If an value isn't found in the list it is silently ignored.
|
||||||
|
+ :param args: List of arguments for the command
|
||||||
|
+ :param stdin: Optional input to the command
|
||||||
|
+ :param raiseonerr: If True, raises an exception if the return code is
|
||||||
|
+ not zero
|
||||||
|
+ :param nolog: Tuple of strings that shouldn't be logged, like passwords.
|
||||||
|
+ Each tuple consists of a string to be replaced by XXXXXXXX.
|
||||||
|
+
|
||||||
|
+ Example:
|
||||||
|
+ We have a command
|
||||||
|
+ ['/usr/bin/setpasswd', '--password', 'Secret123', 'someuser']
|
||||||
|
+ and we don't want to log the password so nolog would be set to:
|
||||||
|
+ ('Secret123',)
|
||||||
|
+ The resulting log output would be:
|
||||||
|
+
|
||||||
|
+ /usr/bin/setpasswd --password XXXXXXXX someuser
|
||||||
|
+
|
||||||
|
+ If a value isn't found in the list it is silently ignored.
|
||||||
|
+ :param env: Dictionary of environment variables passed to the command.
|
||||||
|
+ When None, current environment is copied
|
||||||
|
+ :param capture_output: Capture stderr and stdout
|
||||||
|
+ :param skip_output: Redirect the output to /dev/null and do not capture it
|
||||||
|
+ :param cwd: Current working directory
|
||||||
|
+ :param runas: Name of a user that the command shold be run as. The spawned
|
||||||
|
+ process will have both real and effective UID and GID set.
|
||||||
|
"""
|
||||||
|
p_in = None
|
||||||
|
p_out = None
|
||||||
|
@@ -298,9 +305,19 @@ def run(args, stdin=None, raiseonerr=True,
|
||||||
|
root_logger.debug('Starting external process')
|
||||||
|
root_logger.debug('args=%s' % arg_string)
|
||||||
|
|
||||||
|
+ preexec_fn = None
|
||||||
|
+ if runas is not None:
|
||||||
|
+ pent = pwd.getpwnam(runas)
|
||||||
|
+ root_logger.debug('runas=%s (UID %d, GID %s)', runas,
|
||||||
|
+ pent.pw_uid, pent.pw_gid)
|
||||||
|
+
|
||||||
|
+ preexec_fn = lambda: (os.setregid(pent.pw_gid, pent.pw_gid),
|
||||||
|
+ os.setreuid(pent.pw_uid, pent.pw_uid))
|
||||||
|
+
|
||||||
|
try:
|
||||||
|
p = subprocess.Popen(args, stdin=p_in, stdout=p_out, stderr=p_err,
|
||||||
|
- close_fds=True, env=env, cwd=cwd)
|
||||||
|
+ close_fds=True, env=env, cwd=cwd,
|
||||||
|
+ preexec_fn=preexec_fn)
|
||||||
|
stdout,stderr = p.communicate(stdin)
|
||||||
|
stdout,stderr = str(stdout), str(stderr) # Make pylint happy
|
||||||
|
except KeyboardInterrupt:
|
||||||
|
--
|
||||||
|
1.8.5.3
|
||||||
|
|
84
0004-Switch-httpd-to-use-default-CCACHE.patch
Normal file
84
0004-Switch-httpd-to-use-default-CCACHE.patch
Normal file
@ -0,0 +1,84 @@
|
|||||||
|
From 97d3a2420f5b29d3777c1661c27a7cc6b157a2d5 Mon Sep 17 00:00:00 2001
|
||||||
|
From: Martin Kosek <mkosek@redhat.com>
|
||||||
|
Date: Thu, 16 Jan 2014 14:12:29 +0100
|
||||||
|
Subject: [PATCH 4/9] Switch httpd to use default CCACHE
|
||||||
|
|
||||||
|
Stock httpd no longer uses systemd EnvironmentFile option which is
|
||||||
|
making FreeIPA's KRB5CCNAME setting ineffective. This can lead in hard
|
||||||
|
to debug problems during subsequent ipa-server-install's where HTTP
|
||||||
|
may use a stale CCACHE in the default kernel keyring CCACHE.
|
||||||
|
|
||||||
|
Avoid forcing custom CCACHE and switch to system one, just make sure
|
||||||
|
that it is properly cleaned by kdestroy run as "apache" user during
|
||||||
|
FreeIPA server installation process.
|
||||||
|
|
||||||
|
https://fedorahosted.org/freeipa/ticket/4084
|
||||||
|
---
|
||||||
|
install/tools/ipa-upgradeconfig | 7 ++++++-
|
||||||
|
ipaserver/install/httpinstance.py | 22 +++-------------------
|
||||||
|
2 files changed, 9 insertions(+), 20 deletions(-)
|
||||||
|
|
||||||
|
diff --git a/install/tools/ipa-upgradeconfig b/install/tools/ipa-upgradeconfig
|
||||||
|
index 41c51263d5fc8b3a0e2f28bab89fc9d2d184fdca..cf9fe0e040e56bb75ca8d53e28586911caeffb2b 100644
|
||||||
|
--- a/install/tools/ipa-upgradeconfig
|
||||||
|
+++ b/install/tools/ipa-upgradeconfig
|
||||||
|
@@ -1043,10 +1043,15 @@ def main():
|
||||||
|
update_dbmodules(api.env.realm)
|
||||||
|
uninstall_ipa_kpasswd()
|
||||||
|
|
||||||
|
+ removed_sysconfig_file = '/etc/sysconfig/httpd'
|
||||||
|
+ if fstore.has_file(removed_sysconfig_file):
|
||||||
|
+ root_logger.info('Restoring %s as it is no longer required',
|
||||||
|
+ removed_sysconfig_file)
|
||||||
|
+ fstore.restore_file(removed_sysconfig_file)
|
||||||
|
+
|
||||||
|
http = httpinstance.HTTPInstance(fstore)
|
||||||
|
http.remove_httpd_ccache()
|
||||||
|
http.configure_selinux_for_httpd()
|
||||||
|
- http.configure_httpd_ccache()
|
||||||
|
http.change_mod_nss_port_to_http()
|
||||||
|
|
||||||
|
ds = dsinstance.DsInstance()
|
||||||
|
diff --git a/ipaserver/install/httpinstance.py b/ipaserver/install/httpinstance.py
|
||||||
|
index 689e657e291b93d90038937a61f67915c0d582ec..9c9205883b38dfb854fb2885d3692a7053866b63 100644
|
||||||
|
--- a/ipaserver/install/httpinstance.py
|
||||||
|
+++ b/ipaserver/install/httpinstance.py
|
||||||
|
@@ -126,7 +126,6 @@ def create_instance(self, realm, fqdn, domain_name, dm_password=None,
|
||||||
|
self.step("creating a keytab for httpd", self.__create_http_keytab)
|
||||||
|
self.step("clean up any existing httpd ccache", self.remove_httpd_ccache)
|
||||||
|
self.step("configuring SELinux for httpd", self.configure_selinux_for_httpd)
|
||||||
|
- self.step("configure httpd ccache", self.configure_httpd_ccache)
|
||||||
|
self.step("restarting httpd", self.__start)
|
||||||
|
self.step("configuring httpd to start on boot", self.__enable)
|
||||||
|
|
||||||
|
@@ -217,24 +216,9 @@ def __create_http_keytab(self):
|
||||||
|
|
||||||
|
def remove_httpd_ccache(self):
|
||||||
|
# Clean up existing ccache
|
||||||
|
- pent = pwd.getpwnam("apache")
|
||||||
|
- installutils.remove_file('/tmp/krb5cc_%d' % pent.pw_uid)
|
||||||
|
-
|
||||||
|
- def configure_httpd_ccache(self):
|
||||||
|
- pent = pwd.getpwnam("apache")
|
||||||
|
- ccache = '/tmp/krb5cc_%d' % pent.pw_uid
|
||||||
|
- filepath = '/etc/sysconfig/httpd'
|
||||||
|
- if not os.path.exists(filepath):
|
||||||
|
- # file doesn't exist; create it with correct ownership & mode
|
||||||
|
- open(filepath, 'a').close()
|
||||||
|
- os.chmod(filepath,
|
||||||
|
- stat.S_IRUSR | stat.S_IWUSR | stat.S_IRGRP | stat.S_IROTH)
|
||||||
|
- os.chown(filepath, 0, 0)
|
||||||
|
-
|
||||||
|
- replacevars = {'KRB5CCNAME': ccache}
|
||||||
|
- old_values = ipautil.backup_config_and_replace_variables(
|
||||||
|
- self.fstore, filepath, replacevars=replacevars)
|
||||||
|
- ipaservices.restore_context(filepath)
|
||||||
|
+ # Make sure that empty env is passed to avoid passing KRB5CCNAME from
|
||||||
|
+ # current env
|
||||||
|
+ ipautil.run(['kdestroy'], runas='apache', raiseonerr=False, env={})
|
||||||
|
|
||||||
|
def __configure_http(self):
|
||||||
|
target_fname = '/etc/httpd/conf.d/ipa.conf'
|
||||||
|
--
|
||||||
|
1.8.5.3
|
||||||
|
|
30
0005-httpd-should-destroy-all-CCACHEs.patch
Normal file
30
0005-httpd-should-destroy-all-CCACHEs.patch
Normal file
@ -0,0 +1,30 @@
|
|||||||
|
From d134f591c9250f38d170a937ec221637d09b58bc Mon Sep 17 00:00:00 2001
|
||||||
|
From: Martin Kosek <mkosek@redhat.com>
|
||||||
|
Date: Wed, 22 Jan 2014 16:08:51 +0100
|
||||||
|
Subject: [PATCH 5/9] httpd should destroy all CCACHEs
|
||||||
|
|
||||||
|
Use "kdestroy -A" command to destroy all CCACHEs, both the primary
|
||||||
|
and the non-primary ones to make sure that the non-primary ones are
|
||||||
|
not used later.
|
||||||
|
|
||||||
|
https://fedorahosted.org/freeipa/ticket/4084
|
||||||
|
---
|
||||||
|
ipaserver/install/httpinstance.py | 2 +-
|
||||||
|
1 file changed, 1 insertion(+), 1 deletion(-)
|
||||||
|
|
||||||
|
diff --git a/ipaserver/install/httpinstance.py b/ipaserver/install/httpinstance.py
|
||||||
|
index 9c9205883b38dfb854fb2885d3692a7053866b63..5d37926ddcaa17ce2eab839cd6aecdab0159a8ee 100644
|
||||||
|
--- a/ipaserver/install/httpinstance.py
|
||||||
|
+++ b/ipaserver/install/httpinstance.py
|
||||||
|
@@ -218,7 +218,7 @@ def remove_httpd_ccache(self):
|
||||||
|
# Clean up existing ccache
|
||||||
|
# Make sure that empty env is passed to avoid passing KRB5CCNAME from
|
||||||
|
# current env
|
||||||
|
- ipautil.run(['kdestroy'], runas='apache', raiseonerr=False, env={})
|
||||||
|
+ ipautil.run(['kdestroy', '-A'], runas='apache', raiseonerr=False, env={})
|
||||||
|
|
||||||
|
def __configure_http(self):
|
||||||
|
target_fname = '/etc/httpd/conf.d/ipa.conf'
|
||||||
|
--
|
||||||
|
1.8.5.3
|
||||||
|
|
124
0006-Enable-Retro-Changelog-and-Content-Synchronization-D.patch
Normal file
124
0006-Enable-Retro-Changelog-and-Content-Synchronization-D.patch
Normal file
@ -0,0 +1,124 @@
|
|||||||
|
From ada54e7e836d13ccede3fe74f1cd30300a242c6e Mon Sep 17 00:00:00 2001
|
||||||
|
From: Ana Krivokapic <akrivoka@redhat.com>
|
||||||
|
Date: Fri, 25 Oct 2013 12:41:25 +0200
|
||||||
|
Subject: [PATCH 6/9] Enable Retro Changelog and Content Synchronization DS
|
||||||
|
plugins
|
||||||
|
|
||||||
|
Enable Retro Changelog and Content Synchronization DS plugins which are required
|
||||||
|
for SyncRepl support.
|
||||||
|
|
||||||
|
Create a working directory /var/named/ipa required by bind-dyndb-ldap v4+.
|
||||||
|
|
||||||
|
https://fedorahosted.org/freeipa/ticket/3967
|
||||||
|
---
|
||||||
|
freeipa.spec.in | 1 +
|
||||||
|
install/tools/ipa-upgradeconfig | 5 ++++-
|
||||||
|
install/updates/20-syncrepl.update | 9 +++++++++
|
||||||
|
install/updates/Makefile.am | 1 +
|
||||||
|
ipaserver/install/bindinstance.py | 13 +++++++++++++
|
||||||
|
5 files changed, 28 insertions(+), 1 deletion(-)
|
||||||
|
create mode 100644 install/updates/20-syncrepl.update
|
||||||
|
|
||||||
|
diff --git a/freeipa.spec.in b/freeipa.spec.in
|
||||||
|
index 8fd0a368ed02cfad120db6283e3899027d467bfc..4f60be6ccd623de4574c7627e0ffc4ff0829e701 100644
|
||||||
|
--- a/freeipa.spec.in
|
||||||
|
+++ b/freeipa.spec.in
|
||||||
|
@@ -764,6 +764,7 @@ fi
|
||||||
|
%{_mandir}/man1/ipa-backup.1.gz
|
||||||
|
%{_mandir}/man1/ipa-restore.1.gz
|
||||||
|
%{_mandir}/man1/ipa-advise.1.gz
|
||||||
|
+%ghost %{_localstatedir}/named/ipa
|
||||||
|
|
||||||
|
%files server-trust-ad
|
||||||
|
%{_sbindir}/ipa-adtrust-install
|
||||||
|
diff --git a/install/tools/ipa-upgradeconfig b/install/tools/ipa-upgradeconfig
|
||||||
|
index cf9fe0e040e56bb75ca8d53e28586911caeffb2b..5bcef1ac827da296c6a35e8fc29a1c6f0a04f808 100644
|
||||||
|
--- a/install/tools/ipa-upgradeconfig
|
||||||
|
+++ b/install/tools/ipa-upgradeconfig
|
||||||
|
@@ -1084,6 +1084,10 @@ def main():
|
||||||
|
setup_firefox_extension(fstore)
|
||||||
|
add_ca_dns_records()
|
||||||
|
|
||||||
|
+ bind = bindinstance.BindInstance(fstore)
|
||||||
|
+ if bind.is_configured():
|
||||||
|
+ bind.create_dir('/var/named/ipa', 0700)
|
||||||
|
+
|
||||||
|
# Any of the following functions returns True iff the named.conf file
|
||||||
|
# has been altered
|
||||||
|
named_conf_changes = (
|
||||||
|
@@ -1097,7 +1101,6 @@ def main():
|
||||||
|
if any(named_conf_changes):
|
||||||
|
# configuration has changed, restart the name server
|
||||||
|
root_logger.info('Changes to named.conf have been made, restart named')
|
||||||
|
- bind = bindinstance.BindInstance(fstore)
|
||||||
|
try:
|
||||||
|
bind.restart()
|
||||||
|
except ipautil.CalledProcessError, e:
|
||||||
|
diff --git a/install/updates/20-syncrepl.update b/install/updates/20-syncrepl.update
|
||||||
|
new file mode 100644
|
||||||
|
index 0000000000000000000000000000000000000000..c4158a1634410acd323f04f442bbbd2f69c24708
|
||||||
|
--- /dev/null
|
||||||
|
+++ b/install/updates/20-syncrepl.update
|
||||||
|
@@ -0,0 +1,9 @@
|
||||||
|
+# Enable Retro changelog
|
||||||
|
+dn: cn=Retro Changelog Plugin,cn=plugins,cn=config
|
||||||
|
+only:nsslapd-pluginEnabled: on
|
||||||
|
+add:nsslapd-attribute: nsuniqueid:targetUniqueId
|
||||||
|
+add:nsslapd-changelogmaxage: 2d
|
||||||
|
+
|
||||||
|
+# Enable SyncRepl
|
||||||
|
+dn: cn=Content Synchronization,cn=plugins,cn=config
|
||||||
|
+only:nsslapd-pluginEnabled: on
|
||||||
|
diff --git a/install/updates/Makefile.am b/install/updates/Makefile.am
|
||||||
|
index 40c3b3c8916faa267254a29d0f458ca53201950c..09965ff9885fce93f3d15dc73b11fa210f68b163 100644
|
||||||
|
--- a/install/updates/Makefile.am
|
||||||
|
+++ b/install/updates/Makefile.am
|
||||||
|
@@ -22,6 +22,7 @@ app_DATA = \
|
||||||
|
20-indices.update \
|
||||||
|
20-nss_ldap.update \
|
||||||
|
20-replication.update \
|
||||||
|
+ 20-syncrepl.update \
|
||||||
|
20-user_private_groups.update \
|
||||||
|
20-winsync_index.update \
|
||||||
|
21-replicas_container.update \
|
||||||
|
diff --git a/ipaserver/install/bindinstance.py b/ipaserver/install/bindinstance.py
|
||||||
|
index 6d5a1d44d30c89278c24fe7ab5278355cb65b0b4..4baeb4e077c64a7abebd1c071012f6c1e02dc1ae 100644
|
||||||
|
--- a/ipaserver/install/bindinstance.py
|
||||||
|
+++ b/ipaserver/install/bindinstance.py
|
||||||
|
@@ -22,6 +22,7 @@
|
||||||
|
import pwd
|
||||||
|
import netaddr
|
||||||
|
import re
|
||||||
|
+import errno
|
||||||
|
|
||||||
|
import ldap
|
||||||
|
|
||||||
|
@@ -509,6 +510,16 @@ def create_sample_bind_zone(self):
|
||||||
|
os.close(bind_fd)
|
||||||
|
print "Sample zone file for bind has been created in "+bind_name
|
||||||
|
|
||||||
|
+ def create_dir(self, path, mode):
|
||||||
|
+ try:
|
||||||
|
+ os.makedirs(path, mode)
|
||||||
|
+ except OSError as e:
|
||||||
|
+ if e.errno != errno.EEXIST:
|
||||||
|
+ raise e
|
||||||
|
+
|
||||||
|
+ pent = pwd.getpwnam(self.named_user or 'named')
|
||||||
|
+ os.chown(path, pent.pw_uid, pent.pw_gid)
|
||||||
|
+
|
||||||
|
def create_instance(self):
|
||||||
|
|
||||||
|
try:
|
||||||
|
@@ -519,6 +530,8 @@ def create_instance(self):
|
||||||
|
# get a connection to the DS
|
||||||
|
self.ldap_connect()
|
||||||
|
|
||||||
|
+ self.create_dir('/var/named/ipa', 0700)
|
||||||
|
+
|
||||||
|
if installutils.record_in_hosts(self.ip_address, self.fqdn) is None:
|
||||||
|
installutils.add_record_to_hosts(self.ip_address, self.fqdn)
|
||||||
|
|
||||||
|
--
|
||||||
|
1.8.5.3
|
||||||
|
|
@ -0,0 +1,73 @@
|
|||||||
|
From 031d08b13cec4c6c538a9c344576d349481ceeea Mon Sep 17 00:00:00 2001
|
||||||
|
From: Petr Spacek <pspacek@redhat.com>
|
||||||
|
Date: Thu, 23 Jan 2014 12:22:38 +0100
|
||||||
|
Subject: [PATCH 7/9] Limit memberOf and refInt DS plugins to main IPA suffix.
|
||||||
|
|
||||||
|
This drastically improves performance of retro changelog trimming.
|
||||||
|
|
||||||
|
https://fedorahosted.org/freeipa/ticket/3967
|
||||||
|
---
|
||||||
|
freeipa.spec.in | 6 +++---
|
||||||
|
install/updates/20-syncrepl.update | 13 ++++++++++++-
|
||||||
|
2 files changed, 15 insertions(+), 4 deletions(-)
|
||||||
|
|
||||||
|
diff --git a/freeipa.spec.in b/freeipa.spec.in
|
||||||
|
index 4f60be6ccd623de4574c7627e0ffc4ff0829e701..ef96c7c271ebba33b15d9b35891092e4151c3aae 100644
|
||||||
|
--- a/freeipa.spec.in
|
||||||
|
+++ b/freeipa.spec.in
|
||||||
|
@@ -21,7 +21,7 @@ Source0: freeipa-%{version}.tar.gz
|
||||||
|
BuildRoot: %{_tmppath}/%{name}-%{version}-%{release}-root-%(%{__id_u} -n)
|
||||||
|
|
||||||
|
%if ! %{ONLY_CLIENT}
|
||||||
|
-BuildRequires: 389-ds-base-devel >= 1.3.1.3
|
||||||
|
+BuildRequires: 389-ds-base-devel >= 1.3.2.10
|
||||||
|
BuildRequires: svrcore-devel
|
||||||
|
BuildRequires: policycoreutils >= %{POLICYCOREUTILSVER}
|
||||||
|
BuildRequires: systemd-units
|
||||||
|
@@ -95,7 +95,7 @@ Group: System Environment/Base
|
||||||
|
Requires: %{name}-python = %{version}-%{release}
|
||||||
|
Requires: %{name}-client = %{version}-%{release}
|
||||||
|
Requires: %{name}-admintools = %{version}-%{release}
|
||||||
|
-Requires: 389-ds-base >= 1.3.1.3
|
||||||
|
+Requires: 389-ds-base >= 1.3.2.10
|
||||||
|
Requires: openldap-clients > 2.4.35-4
|
||||||
|
%if 0%{?fedora} == 18
|
||||||
|
Requires: nss >= 3.14.3-2
|
||||||
|
@@ -150,7 +150,7 @@ Requires: zip
|
||||||
|
Requires: policycoreutils >= %{POLICYCOREUTILSVER}
|
||||||
|
Requires: tar
|
||||||
|
Requires(pre): certmonger >= 0.65
|
||||||
|
-Requires(pre): 389-ds-base >= 1.3.1.3
|
||||||
|
+Requires(pre): 389-ds-base >= 1.3.2.10
|
||||||
|
|
||||||
|
# With FreeIPA 3.3, package freeipa-server-selinux was obsoleted as the
|
||||||
|
# entire SELinux policy is stored in the system policy
|
||||||
|
diff --git a/install/updates/20-syncrepl.update b/install/updates/20-syncrepl.update
|
||||||
|
index c4158a1634410acd323f04f442bbbd2f69c24708..e1184bf48285fb216dfb0c82e5e97bb8cc35539c 100644
|
||||||
|
--- a/install/updates/20-syncrepl.update
|
||||||
|
+++ b/install/updates/20-syncrepl.update
|
||||||
|
@@ -1,9 +1,20 @@
|
||||||
|
-# Enable Retro changelog
|
||||||
|
+# Enable Retro changelog - it is necessary for SyncRepl
|
||||||
|
dn: cn=Retro Changelog Plugin,cn=plugins,cn=config
|
||||||
|
only:nsslapd-pluginEnabled: on
|
||||||
|
+# Remember original nsuniqueid for objects referenced from cn=changelog
|
||||||
|
add:nsslapd-attribute: nsuniqueid:targetUniqueId
|
||||||
|
add:nsslapd-changelogmaxage: 2d
|
||||||
|
|
||||||
|
+# Keep memberOf and referential integrity plugins away from cn=changelog.
|
||||||
|
+# It is necessary for performance reasons because we don't have appropriate
|
||||||
|
+# indices for cn=changelog.
|
||||||
|
+dn: cn=MemberOf Plugin,cn=plugins,cn=config
|
||||||
|
+add:memberofentryscope: '$SUFFIX'
|
||||||
|
+
|
||||||
|
+dn: cn=referential integrity postoperation,cn=plugins,cn=config
|
||||||
|
+add:nsslapd-plugincontainerscope: '$SUFFIX'
|
||||||
|
+add:nsslapd-pluginentryscope: '$SUFFIX'
|
||||||
|
+
|
||||||
|
# Enable SyncRepl
|
||||||
|
dn: cn=Content Synchronization,cn=plugins,cn=config
|
||||||
|
only:nsslapd-pluginEnabled: on
|
||||||
|
--
|
||||||
|
1.8.5.3
|
||||||
|
|
@ -0,0 +1,93 @@
|
|||||||
|
From 916437b391739ea3ee48dfcd9f0d164536ca9ead Mon Sep 17 00:00:00 2001
|
||||||
|
From: Petr Spacek <pspacek@redhat.com>
|
||||||
|
Date: Mon, 27 Jan 2014 14:47:10 +0100
|
||||||
|
Subject: [PATCH 8/9] Remove working directory for bind-dyndb-ldap plugin.
|
||||||
|
|
||||||
|
The working directory will be provided directly
|
||||||
|
by bind-dyndb-ldap package.
|
||||||
|
|
||||||
|
This partially reverts commit 689382dc833e687d30349b10a8fd7dc740d54d08.
|
||||||
|
|
||||||
|
https://fedorahosted.org/freeipa/ticket/3967
|
||||||
|
---
|
||||||
|
freeipa.spec.in | 1 -
|
||||||
|
install/tools/ipa-upgradeconfig | 5 +----
|
||||||
|
ipaserver/install/bindinstance.py | 13 -------------
|
||||||
|
3 files changed, 1 insertion(+), 18 deletions(-)
|
||||||
|
|
||||||
|
diff --git a/freeipa.spec.in b/freeipa.spec.in
|
||||||
|
index ef96c7c271ebba33b15d9b35891092e4151c3aae..eb9afbb4bfa1a11caf1282d5b76c2e138735386c 100644
|
||||||
|
--- a/freeipa.spec.in
|
||||||
|
+++ b/freeipa.spec.in
|
||||||
|
@@ -764,7 +764,6 @@ fi
|
||||||
|
%{_mandir}/man1/ipa-backup.1.gz
|
||||||
|
%{_mandir}/man1/ipa-restore.1.gz
|
||||||
|
%{_mandir}/man1/ipa-advise.1.gz
|
||||||
|
-%ghost %{_localstatedir}/named/ipa
|
||||||
|
|
||||||
|
%files server-trust-ad
|
||||||
|
%{_sbindir}/ipa-adtrust-install
|
||||||
|
diff --git a/install/tools/ipa-upgradeconfig b/install/tools/ipa-upgradeconfig
|
||||||
|
index 5bcef1ac827da296c6a35e8fc29a1c6f0a04f808..cf9fe0e040e56bb75ca8d53e28586911caeffb2b 100644
|
||||||
|
--- a/install/tools/ipa-upgradeconfig
|
||||||
|
+++ b/install/tools/ipa-upgradeconfig
|
||||||
|
@@ -1084,10 +1084,6 @@ def main():
|
||||||
|
setup_firefox_extension(fstore)
|
||||||
|
add_ca_dns_records()
|
||||||
|
|
||||||
|
- bind = bindinstance.BindInstance(fstore)
|
||||||
|
- if bind.is_configured():
|
||||||
|
- bind.create_dir('/var/named/ipa', 0700)
|
||||||
|
-
|
||||||
|
# Any of the following functions returns True iff the named.conf file
|
||||||
|
# has been altered
|
||||||
|
named_conf_changes = (
|
||||||
|
@@ -1101,6 +1097,7 @@ def main():
|
||||||
|
if any(named_conf_changes):
|
||||||
|
# configuration has changed, restart the name server
|
||||||
|
root_logger.info('Changes to named.conf have been made, restart named')
|
||||||
|
+ bind = bindinstance.BindInstance(fstore)
|
||||||
|
try:
|
||||||
|
bind.restart()
|
||||||
|
except ipautil.CalledProcessError, e:
|
||||||
|
diff --git a/ipaserver/install/bindinstance.py b/ipaserver/install/bindinstance.py
|
||||||
|
index 4baeb4e077c64a7abebd1c071012f6c1e02dc1ae..6d5a1d44d30c89278c24fe7ab5278355cb65b0b4 100644
|
||||||
|
--- a/ipaserver/install/bindinstance.py
|
||||||
|
+++ b/ipaserver/install/bindinstance.py
|
||||||
|
@@ -22,7 +22,6 @@
|
||||||
|
import pwd
|
||||||
|
import netaddr
|
||||||
|
import re
|
||||||
|
-import errno
|
||||||
|
|
||||||
|
import ldap
|
||||||
|
|
||||||
|
@@ -510,16 +509,6 @@ def create_sample_bind_zone(self):
|
||||||
|
os.close(bind_fd)
|
||||||
|
print "Sample zone file for bind has been created in "+bind_name
|
||||||
|
|
||||||
|
- def create_dir(self, path, mode):
|
||||||
|
- try:
|
||||||
|
- os.makedirs(path, mode)
|
||||||
|
- except OSError as e:
|
||||||
|
- if e.errno != errno.EEXIST:
|
||||||
|
- raise e
|
||||||
|
-
|
||||||
|
- pent = pwd.getpwnam(self.named_user or 'named')
|
||||||
|
- os.chown(path, pent.pw_uid, pent.pw_gid)
|
||||||
|
-
|
||||||
|
def create_instance(self):
|
||||||
|
|
||||||
|
try:
|
||||||
|
@@ -530,8 +519,6 @@ def create_instance(self):
|
||||||
|
# get a connection to the DS
|
||||||
|
self.ldap_connect()
|
||||||
|
|
||||||
|
- self.create_dir('/var/named/ipa', 0700)
|
||||||
|
-
|
||||||
|
if installutils.record_in_hosts(self.ip_address, self.fqdn) is None:
|
||||||
|
installutils.add_record_to_hosts(self.ip_address, self.fqdn)
|
||||||
|
|
||||||
|
--
|
||||||
|
1.8.5.3
|
||||||
|
|
98
0009-Remove-mod_ssl-port-workaround.patch
Normal file
98
0009-Remove-mod_ssl-port-workaround.patch
Normal file
@ -0,0 +1,98 @@
|
|||||||
|
From a24f83b833eb515e60a6e5b8144834bae7a78f70 Mon Sep 17 00:00:00 2001
|
||||||
|
From: Jan Cholasta <jcholast@redhat.com>
|
||||||
|
Date: Tue, 26 Nov 2013 08:53:34 +0000
|
||||||
|
Subject: [PATCH 9/9] Remove mod_ssl port workaround.
|
||||||
|
|
||||||
|
https://fedorahosted.org/freeipa/ticket/4021
|
||||||
|
---
|
||||||
|
freeipa.spec.in | 8 ++++++--
|
||||||
|
install/tools/ipa-upgradeconfig | 2 +-
|
||||||
|
ipaserver/install/httpinstance.py | 17 ++++++++---------
|
||||||
|
3 files changed, 15 insertions(+), 12 deletions(-)
|
||||||
|
|
||||||
|
diff --git a/freeipa.spec.in b/freeipa.spec.in
|
||||||
|
index eb9afbb4bfa1a11caf1282d5b76c2e138735386c..1f2ca11cb04d3e2f3a02d7a77cad1763c85e63cb 100644
|
||||||
|
--- a/freeipa.spec.in
|
||||||
|
+++ b/freeipa.spec.in
|
||||||
|
@@ -118,14 +118,14 @@ Requires: krb5-server >= 1.10
|
||||||
|
Requires: krb5-pkinit-openssl
|
||||||
|
Requires: cyrus-sasl-gssapi%{?_isa}
|
||||||
|
Requires: ntp
|
||||||
|
-Requires: httpd
|
||||||
|
+Requires: httpd >= 2.4.6-6
|
||||||
|
Requires: mod_wsgi
|
||||||
|
%if 0%{?fedora} >= 18
|
||||||
|
Requires: mod_auth_kerb >= 5.4-16
|
||||||
|
%else
|
||||||
|
Requires: mod_auth_kerb >= 5.4-8
|
||||||
|
%endif
|
||||||
|
-Requires: mod_nss >= 1.0.8-24
|
||||||
|
+Requires: mod_nss >= 1.0.8-26
|
||||||
|
Requires: python-ldap
|
||||||
|
Requires: python-krbV
|
||||||
|
Requires: acl
|
||||||
|
@@ -861,6 +861,10 @@ fi
|
||||||
|
%endif # ONLY_CLIENT
|
||||||
|
|
||||||
|
%changelog
|
||||||
|
+* Tue Nov 26 2013 Jan Cholasta <jcholast@redhat.com> - 3.3.90-6
|
||||||
|
+- Set minimum version of httpd to 2.4.6-6
|
||||||
|
+- Set minimum version of mod_nss to 1.0.8-26
|
||||||
|
+
|
||||||
|
* Tue Nov 12 2013 Tomas Babej<tbabej@redhat.com> - 3.3.90-5
|
||||||
|
- Add Fedora 19 platform files
|
||||||
|
|
||||||
|
diff --git a/install/tools/ipa-upgradeconfig b/install/tools/ipa-upgradeconfig
|
||||||
|
index cf9fe0e040e56bb75ca8d53e28586911caeffb2b..a31f7d092981c33694268f420892a781e9b02b3f 100644
|
||||||
|
--- a/install/tools/ipa-upgradeconfig
|
||||||
|
+++ b/install/tools/ipa-upgradeconfig
|
||||||
|
@@ -1052,7 +1052,7 @@ def main():
|
||||||
|
http = httpinstance.HTTPInstance(fstore)
|
||||||
|
http.remove_httpd_ccache()
|
||||||
|
http.configure_selinux_for_httpd()
|
||||||
|
- http.change_mod_nss_port_to_http()
|
||||||
|
+ http.change_mod_nss_port_from_http()
|
||||||
|
|
||||||
|
ds = dsinstance.DsInstance()
|
||||||
|
ds.configure_dirsrv_ccache()
|
||||||
|
diff --git a/ipaserver/install/httpinstance.py b/ipaserver/install/httpinstance.py
|
||||||
|
index 5d37926ddcaa17ce2eab839cd6aecdab0159a8ee..34e58fbb845c91c42a37d94a172e167cfb6f1790 100644
|
||||||
|
--- a/ipaserver/install/httpinstance.py
|
||||||
|
+++ b/ipaserver/install/httpinstance.py
|
||||||
|
@@ -237,25 +237,24 @@ def __configure_http(self):
|
||||||
|
http_fd.close()
|
||||||
|
os.chmod(target_fname, 0644)
|
||||||
|
|
||||||
|
- def change_mod_nss_port_to_http(self):
|
||||||
|
+ def change_mod_nss_port_from_http(self):
|
||||||
|
# mod_ssl enforces SSLEngine on for vhost on 443 even though
|
||||||
|
# the listener is mod_nss. This then crashes the httpd as mod_nss
|
||||||
|
# listened port obviously does not match mod_ssl requirements.
|
||||||
|
#
|
||||||
|
- # Change port to http to workaround the mod_ssl check, the SSL is
|
||||||
|
- # enforced in the vhost later, so it is benign.
|
||||||
|
+ # The workaround for this was to change port to http. It is no longer
|
||||||
|
+ # necessary, as mod_nss now ships with default configuration which
|
||||||
|
+ # sets SSLEngine off when mod_ssl is installed.
|
||||||
|
#
|
||||||
|
- # Remove when https://bugzilla.redhat.com/show_bug.cgi?id=1023168
|
||||||
|
- # is fixed.
|
||||||
|
- if not sysupgrade.get_upgrade_state('nss.conf', 'listen_port_updated'):
|
||||||
|
- installutils.set_directive(NSS_CONF, 'Listen', '443 http', quotes=False)
|
||||||
|
- sysupgrade.set_upgrade_state('nss.conf', 'listen_port_updated', True)
|
||||||
|
+ # Remove the workaround.
|
||||||
|
+ if sysupgrade.get_upgrade_state('nss.conf', 'listen_port_updated'):
|
||||||
|
+ installutils.set_directive(NSS_CONF, 'Listen', '443', quotes=False)
|
||||||
|
+ sysupgrade.set_upgrade_state('nss.conf', 'listen_port_updated', False)
|
||||||
|
|
||||||
|
def __set_mod_nss_port(self):
|
||||||
|
self.fstore.backup_file(NSS_CONF)
|
||||||
|
if installutils.update_file(NSS_CONF, '8443', '443') != 0:
|
||||||
|
print "Updating port in %s failed." % NSS_CONF
|
||||||
|
- self.change_mod_nss_port_to_http()
|
||||||
|
|
||||||
|
def __set_mod_nss_nickname(self, nickname):
|
||||||
|
installutils.set_directive(NSS_CONF, 'NSSNickname', nickname)
|
||||||
|
--
|
||||||
|
1.8.5.3
|
||||||
|
|
54
freeipa.spec
54
freeipa.spec
@ -4,11 +4,11 @@
|
|||||||
%global plugin_dir %{_libdir}/dirsrv/plugins
|
%global plugin_dir %{_libdir}/dirsrv/plugins
|
||||||
%global POLICYCOREUTILSVER 2.1.14-37
|
%global POLICYCOREUTILSVER 2.1.14-37
|
||||||
%global gettext_domain ipa
|
%global gettext_domain ipa
|
||||||
%global VERSION 3.3.3
|
%global VERSION 3.3.4
|
||||||
|
|
||||||
Name: freeipa
|
Name: freeipa
|
||||||
Version: 3.3.3
|
Version: 3.3.4
|
||||||
Release: 5%{?dist}
|
Release: 1%{?dist}
|
||||||
Summary: The Identity, Policy and Audit system
|
Summary: The Identity, Policy and Audit system
|
||||||
|
|
||||||
Group: System Environment/Base
|
Group: System Environment/Base
|
||||||
@ -17,9 +17,15 @@ URL: http://www.freeipa.org/
|
|||||||
Source0: http://www.freeipa.org/downloads/src/freeipa-%{VERSION}.tar.gz
|
Source0: http://www.freeipa.org/downloads/src/freeipa-%{VERSION}.tar.gz
|
||||||
BuildRoot: %{_tmppath}/%{name}-%{version}-%{release}-root-%(%{__id_u} -n)
|
BuildRoot: %{_tmppath}/%{name}-%{version}-%{release}-root-%(%{__id_u} -n)
|
||||||
|
|
||||||
Patch0001: 0001-Guard-import-of-adtrustinstance-for-case-without-tru.patch
|
Patch0001: 0001-platform-Add-Fedora-19-platform-file.patch
|
||||||
Patch0002: 0002-Fix-Wformat-security-warnings.patch
|
Patch0002: 0002-ipa-client-install-Publish-CA-certificate-to-systemw.patch
|
||||||
Patch0003: 0003-Increase-stack-size-for-Web-UI-builder.patch
|
Patch0003: 0003-Add-runas-option-to-run-function.patch
|
||||||
|
Patch0004: 0004-Switch-httpd-to-use-default-CCACHE.patch
|
||||||
|
Patch0005: 0005-httpd-should-destroy-all-CCACHEs.patch
|
||||||
|
Patch0006: 0006-Enable-Retro-Changelog-and-Content-Synchronization-D.patch
|
||||||
|
Patch0007: 0007-Limit-memberOf-and-refInt-DS-plugins-to-main-IPA-suf.patch
|
||||||
|
Patch0008: 0008-Remove-working-directory-for-bind-dyndb-ldap-plugin.patch
|
||||||
|
Patch0009: 0009-Remove-mod_ssl-port-workaround.patch
|
||||||
|
|
||||||
%if ! %{ONLY_CLIENT}
|
%if ! %{ONLY_CLIENT}
|
||||||
BuildRequires: 389-ds-base-devel >= 1.3.1.3
|
BuildRequires: 389-ds-base-devel >= 1.3.1.3
|
||||||
@ -96,7 +102,7 @@ Group: System Environment/Base
|
|||||||
Requires: %{name}-python = %{version}-%{release}
|
Requires: %{name}-python = %{version}-%{release}
|
||||||
Requires: %{name}-client = %{version}-%{release}
|
Requires: %{name}-client = %{version}-%{release}
|
||||||
Requires: %{name}-admintools = %{version}-%{release}
|
Requires: %{name}-admintools = %{version}-%{release}
|
||||||
Requires: 389-ds-base >= 1.3.1.3
|
Requires: 389-ds-base >= 1.3.2.10
|
||||||
Requires: openldap-clients > 2.4.35-4
|
Requires: openldap-clients > 2.4.35-4
|
||||||
%if 0%{?fedora} == 18
|
%if 0%{?fedora} == 18
|
||||||
Requires: nss >= 3.14.3-2
|
Requires: nss >= 3.14.3-2
|
||||||
@ -119,14 +125,14 @@ Requires: krb5-server >= 1.10
|
|||||||
Requires: krb5-pkinit-openssl
|
Requires: krb5-pkinit-openssl
|
||||||
Requires: cyrus-sasl-gssapi%{?_isa}
|
Requires: cyrus-sasl-gssapi%{?_isa}
|
||||||
Requires: ntp
|
Requires: ntp
|
||||||
Requires: httpd
|
Requires: httpd >= 2.4.6-6
|
||||||
Requires: mod_wsgi
|
Requires: mod_wsgi
|
||||||
%if 0%{?fedora} >= 18
|
%if 0%{?fedora} >= 18
|
||||||
Requires: mod_auth_kerb >= 5.4-16
|
Requires: mod_auth_kerb >= 5.4-16
|
||||||
%else
|
%else
|
||||||
Requires: mod_auth_kerb >= 5.4-8
|
Requires: mod_auth_kerb >= 5.4-8
|
||||||
%endif
|
%endif
|
||||||
Requires: mod_nss >= 1.0.8-24
|
Requires: mod_nss >= 1.0.8-26
|
||||||
Requires: python-ldap
|
Requires: python-ldap
|
||||||
Requires: python-krbV
|
Requires: python-krbV
|
||||||
Requires: acl
|
Requires: acl
|
||||||
@ -151,7 +157,7 @@ Requires: zip
|
|||||||
Requires: policycoreutils >= %{POLICYCOREUTILSVER}
|
Requires: policycoreutils >= %{POLICYCOREUTILSVER}
|
||||||
Requires: tar
|
Requires: tar
|
||||||
Requires(pre): certmonger >= 0.65
|
Requires(pre): certmonger >= 0.65
|
||||||
Requires(pre): 389-ds-base >= 1.3.1.3
|
Requires(pre): 389-ds-base >= 1.3.2.10
|
||||||
|
|
||||||
# With FreeIPA 3.3, package freeipa-server-selinux was obsoleted as the
|
# With FreeIPA 3.3, package freeipa-server-selinux was obsoleted as the
|
||||||
# entire SELinux policy is stored in the system policy
|
# entire SELinux policy is stored in the system policy
|
||||||
@ -372,6 +378,9 @@ export JAVA_STACK_SIZE="8m"
|
|||||||
%endif
|
%endif
|
||||||
export CFLAGS="$CFLAGS %{optflags}"
|
export CFLAGS="$CFLAGS %{optflags}"
|
||||||
export CPPFLAGS="$CPPFLAGS %{optflags}"
|
export CPPFLAGS="$CPPFLAGS %{optflags}"
|
||||||
|
%if 0%{?fedora} >= 19
|
||||||
|
export SUPPORTED_PLATFORM=fedora19
|
||||||
|
%else
|
||||||
%if 0%{?fedora} >= 18
|
%if 0%{?fedora} >= 18
|
||||||
# use fedora18 platform which is based on fedora16 platform with systemd
|
# use fedora18 platform which is based on fedora16 platform with systemd
|
||||||
# support + fedora18 changes
|
# support + fedora18 changes
|
||||||
@ -379,6 +388,7 @@ export SUPPORTED_PLATFORM=fedora18
|
|||||||
%else
|
%else
|
||||||
export SUPPORTED_PLATFORM=fedora16
|
export SUPPORTED_PLATFORM=fedora16
|
||||||
%endif
|
%endif
|
||||||
|
%endif
|
||||||
# Force re-generate of platform support
|
# Force re-generate of platform support
|
||||||
rm -f ipapython/services.py
|
rm -f ipapython/services.py
|
||||||
make version-update
|
make version-update
|
||||||
@ -396,6 +406,9 @@ make IPA_VERSION_IS_GIT_SNAPSHOT=no %{?_smp_mflags} client
|
|||||||
|
|
||||||
%install
|
%install
|
||||||
rm -rf %{buildroot}
|
rm -rf %{buildroot}
|
||||||
|
%if 0%{?fedora} >= 19
|
||||||
|
export SUPPORTED_PLATFORM=fedora19
|
||||||
|
%else
|
||||||
%if 0%{?fedora} >= 18
|
%if 0%{?fedora} >= 18
|
||||||
# use fedora18 platform which is based on fedora16 platform with systemd
|
# use fedora18 platform which is based on fedora16 platform with systemd
|
||||||
# support + fedora18 changes
|
# support + fedora18 changes
|
||||||
@ -403,6 +416,7 @@ export SUPPORTED_PLATFORM=fedora18
|
|||||||
%else
|
%else
|
||||||
export SUPPORTED_PLATFORM=fedora16
|
export SUPPORTED_PLATFORM=fedora16
|
||||||
%endif
|
%endif
|
||||||
|
%endif
|
||||||
# Force re-generate of platform support
|
# Force re-generate of platform support
|
||||||
rm -f ipapython/services.py
|
rm -f ipapython/services.py
|
||||||
%if ! %{ONLY_CLIENT}
|
%if ! %{ONLY_CLIENT}
|
||||||
@ -595,6 +609,16 @@ if [ $1 -gt 1 ] ; then
|
|||||||
/sbin/restorecon /etc/krb5.conf
|
/sbin/restorecon /etc/krb5.conf
|
||||||
fi
|
fi
|
||||||
fi
|
fi
|
||||||
|
|
||||||
|
if [ -f '/etc/sysconfig/ntpd' -a $restore -ge 2 ]; then
|
||||||
|
if grep -E -q 'OPTIONS=.*-u ntp:ntp' /etc/sysconfig/ntpd 2>/dev/null; then
|
||||||
|
sed -r '/OPTIONS=/ { s/\s+-u ntp:ntp\s+/ /; s/\s*-u ntp:ntp\s*// }' /etc/sysconfig/ntpd >/etc/sysconfig/ntpd.ipanew
|
||||||
|
mv /etc/sysconfig/ntpd.ipanew /etc/sysconfig/ntpd
|
||||||
|
/sbin/restorecon /etc/sysconfig/ntpd
|
||||||
|
|
||||||
|
/bin/systemctl condrestart ntpd.service 2>&1 || :
|
||||||
|
fi
|
||||||
|
fi
|
||||||
fi
|
fi
|
||||||
|
|
||||||
%triggerin -n freeipa-client -- openssh-server
|
%triggerin -n freeipa-client -- openssh-server
|
||||||
@ -719,6 +743,7 @@ fi
|
|||||||
%{_usr}/share/ipa/ui/*.svg
|
%{_usr}/share/ipa/ui/*.svg
|
||||||
%{_usr}/share/ipa/ui/*.ttf
|
%{_usr}/share/ipa/ui/*.ttf
|
||||||
%{_usr}/share/ipa/ui/*.woff
|
%{_usr}/share/ipa/ui/*.woff
|
||||||
|
%dir %{_usr}/share/ipa/ui/js
|
||||||
%dir %{_usr}/share/ipa/ui/js/dojo
|
%dir %{_usr}/share/ipa/ui/js/dojo
|
||||||
%{_usr}/share/ipa/ui/js/dojo/dojo.js
|
%{_usr}/share/ipa/ui/js/dojo/dojo.js
|
||||||
%dir %{_usr}/share/ipa/ui/js/libs
|
%dir %{_usr}/share/ipa/ui/js/libs
|
||||||
@ -853,12 +878,14 @@ fi
|
|||||||
%dir %{python_sitelib}/ipapython/platform/base
|
%dir %{python_sitelib}/ipapython/platform/base
|
||||||
%dir %{python_sitelib}/ipapython/platform/fedora16
|
%dir %{python_sitelib}/ipapython/platform/fedora16
|
||||||
%dir %{python_sitelib}/ipapython/platform/fedora18
|
%dir %{python_sitelib}/ipapython/platform/fedora18
|
||||||
|
%dir %{python_sitelib}/ipapython/platform/fedora19
|
||||||
%dir %{python_sitelib}/ipapython/platform/redhat
|
%dir %{python_sitelib}/ipapython/platform/redhat
|
||||||
%{python_sitelib}/ipapython/*.py*
|
%{python_sitelib}/ipapython/*.py*
|
||||||
%{python_sitelib}/ipapython/platform/*.py*
|
%{python_sitelib}/ipapython/platform/*.py*
|
||||||
%{python_sitelib}/ipapython/platform/base/*.py*
|
%{python_sitelib}/ipapython/platform/base/*.py*
|
||||||
%{python_sitelib}/ipapython/platform/fedora16/*.py*
|
%{python_sitelib}/ipapython/platform/fedora16/*.py*
|
||||||
%{python_sitelib}/ipapython/platform/fedora18/*.py*
|
%{python_sitelib}/ipapython/platform/fedora18/*.py*
|
||||||
|
%{python_sitelib}/ipapython/platform/fedora19/*.py*
|
||||||
%{python_sitelib}/ipapython/platform/redhat/*.py*
|
%{python_sitelib}/ipapython/platform/redhat/*.py*
|
||||||
%dir %{python_sitelib}/ipalib
|
%dir %{python_sitelib}/ipalib
|
||||||
%{python_sitelib}/ipalib/*
|
%{python_sitelib}/ipalib/*
|
||||||
@ -894,6 +921,13 @@ fi
|
|||||||
%endif # ONLY_CLIENT
|
%endif # ONLY_CLIENT
|
||||||
|
|
||||||
%changelog
|
%changelog
|
||||||
|
* Tue Jan 28 2014 Martin Kosek <mkosek@redhat.com> - 3.3.4-1
|
||||||
|
- Update to upstream 3.3.4
|
||||||
|
- Install CA anchor into standard location (#928478)
|
||||||
|
- ipa-client-install part of ipa-server-install fails on reinstall (#1044994)
|
||||||
|
- Remove mod_ssl workaround (RHEL bug #1029046)
|
||||||
|
- Enable syncrepl plugin to support bind-dyndb-ldap 4.0
|
||||||
|
|
||||||
* Fri Jan 3 2014 Martin Kosek <mkosek@redhat.com> - 3.3.3-5
|
* Fri Jan 3 2014 Martin Kosek <mkosek@redhat.com> - 3.3.3-5
|
||||||
- Build crashed with rhino exception on s390 architectures (#1040576)
|
- Build crashed with rhino exception on s390 architectures (#1040576)
|
||||||
|
|
||||||
|
Loading…
Reference in New Issue
Block a user