Update to upstream 3.2.2
- Drop freeipa-server-selinux subpackage
- Drop redundant directory /var/cache/ipa/sessions
- Do not create /var/lib/ipa/pki-ca/publish, retain reference as ghost
- Run ipa-upgradeconfig and server restart in posttrans to avoid inconsistency issues when there are still old parts of the software (like the entitlements plugin)
parent
12216fc83f
commit
9f9581104f
1
.gitignore
vendored
1
.gitignore
vendored
@ -23,3 +23,4 @@
|
||||
/freeipa-3.1.2.tar.gz
|
||||
/freeipa-3.2.0.pre1.tar.gz
|
||||
/freeipa-3.2.0.tar.gz
|
||||
/freeipa-3.2.2.tar.gz
|
||||
|
@ -1,49 +0,0 @@
|
||||
From f807909bc12041af67b0051d4085b0ee1bee56d7 Mon Sep 17 00:00:00 2001
|
||||
From: Nathaniel McCallum <npmccallum@redhat.com>
|
||||
Date: Thu, 11 Apr 2013 12:30:23 -0400
|
||||
Subject: [PATCH 1/6] Add ipaUserAuthType and ipaUserAuthTypeClass
|
||||
|
||||
This schema addition will be useful for future commits. It allows us to
|
||||
define permitted external authentication methods on both the user and
|
||||
global config. The implementation is generic, but the immediate usage
|
||||
is for otp support.
|
||||
|
||||
https://fedorahosted.org/freeipa/ticket/3365
|
||||
http://freeipa.org/page/V3/OTP
|
||||
---
|
||||
install/share/60basev3.ldif | 2 ++
|
||||
install/updates/10-60basev3.update | 4 ++++
|
||||
2 files changed, 6 insertions(+)
|
||||
|
||||
diff --git a/install/share/60basev3.ldif b/install/share/60basev3.ldif
|
||||
index 43da2e7..435948f 100644
|
||||
--- a/install/share/60basev3.ldif
|
||||
+++ b/install/share/60basev3.ldif
|
||||
@@ -36,6 +36,7 @@ attributeTypes: (2.16.840.1.113730.3.8.11.36 NAME 'ipaSecondaryBaseRID' DESC 'Fi
|
||||
# 2.16.840.1.113730.3.8.11.37 ipaKrbAuthzData
|
||||
attributeTypes: (2.16.840.1.113730.3.8.11.38 NAME 'ipaNTSIDBlacklistIncoming' DESC 'Extra SIDs filtered out from incoming MS-PAC' EQUALITY caseIgnoreIA5Match SUBSTR caseIgnoreIA5SubstringsMatch SYNTAX 1.3.6.1.4.1.1466.115.121.1.26 X-ORIGIN 'IPA v3')
|
||||
attributeTypes: (2.16.840.1.113730.3.8.11.39 NAME 'ipaNTSIDBlacklistOutgoing' DESC 'Extra SIDs filtered out from outgoing MS-PAC' EQUALITY caseIgnoreIA5Match SUBSTR caseIgnoreIA5SubstringsMatch SYNTAX 1.3.6.1.4.1.1466.115.121.1.26 X-ORIGIN 'IPA v3')
|
||||
+attributeTypes: (2.16.840.1.113730.3.8.11.40 NAME 'ipaUserAuthType' DESC 'Allowed authentication methods' EQUALITY caseIgnoreMatch SYNTAX 1.3.6.1.4.1.1466.115.121.1.15 X-ORIGIN 'IPA v3')
|
||||
objectClasses: (2.16.840.1.113730.3.8.12.1 NAME 'ipaExternalGroup' SUP top STRUCTURAL MUST ( cn ) MAY ( ipaExternalMember $ memberOf $ description $ owner) X-ORIGIN 'IPA v3' )
|
||||
objectClasses: (2.16.840.1.113730.3.8.12.2 NAME 'ipaNTUserAttrs' SUP top AUXILIARY MUST ( ipaNTSecurityIdentifier ) MAY ( ipaNTHash $ ipaNTLogonScript $ ipaNTProfilePath $ ipaNTHomeDirectory $ ipaNTHomeDirectoryDrive ) X-ORIGIN 'IPA v3' )
|
||||
objectClasses: (2.16.840.1.113730.3.8.12.3 NAME 'ipaNTGroupAttrs' SUP top AUXILIARY MUST ( ipaNTSecurityIdentifier ) X-ORIGIN 'IPA v3' )
|
||||
@@ -51,3 +52,4 @@ objectClasses: (2.16.840.1.113730.3.8.12.14 NAME 'ipaIDobject' SUP top AUXILIARY
|
||||
objectClasses: (2.16.840.1.113730.3.8.12.15 NAME 'ipaIDrange' ABSTRACT MUST ( cn $ ipaBaseID $ ipaIDRangeSize ) X-ORIGIN 'IPA v3' )
|
||||
objectClasses: (2.16.840.1.113730.3.8.12.16 NAME 'ipaDomainIDRange' SUP ipaIDrange STRUCTURAL MAY ( ipaBaseRID $ ipaSecondaryBaseRID ) X-ORIGIN 'IPA v3' )
|
||||
objectClasses: (2.16.840.1.113730.3.8.12.17 NAME 'ipaTrustedADDomainRange' SUP ipaIDrange STRUCTURAL MUST ( ipaBaseRID $ ipaNTTrustedDomainSID ) X-ORIGIN 'IPA v3' )
|
||||
+objectclasses: (2.16.840.1.113730.3.8.12.19 NAME 'ipaUserAuthTypeClass' SUP top AUXILIARY DESC 'Class for authentication methods definition' MAY ipaUserAuthType X-ORIGIN 'IPA v3')
|
||||
diff --git a/install/updates/10-60basev3.update b/install/updates/10-60basev3.update
|
||||
index 62dd472..476fa3b 100644
|
||||
--- a/install/updates/10-60basev3.update
|
||||
+++ b/install/updates/10-60basev3.update
|
||||
@@ -16,3 +16,7 @@ replace:objectClasses: (2.16.840.1.113730.3.8.4.1 NAME 'ipaHost' AUXILIARY MUST
|
||||
|
||||
# Fix dc syntax (RFC 2247)
|
||||
replace:attributeTypes:"( 0.9.2342.19200300.100.1.25 NAME ( 'dc' 'domaincomponent' ) DESC 'Standard LDAP attribute type' EQUALITY caseIgnoreIA5Match SUBSTR caseIgnoreIA5SubstringsMatch SYNTAX 1.3.6.1.4.1.1466.115.121.1.15 SINGLE-VALUE X-ORIGIN 'RFC 2247' )::( 0.9.2342.19200300.100.1.25 NAME ( 'dc' 'domaincomponent' ) DESC 'Standard LDAP attribute type' EQUALITY caseIgnoreIA5Match SUBSTR caseIgnoreIA5SubstringsMatch SYNTAX 1.3.6.1.4.1.1466.115.121.1.26 SINGLE-VALUE X-ORIGIN 'RFC 2247' )"
|
||||
+
|
||||
+# Add ipaUserAuthType and ipaUserAuthTypeClass
|
||||
+add:attributeTypes: (2.16.840.1.113730.3.8.11.40 NAME 'ipaUserAuthType' DESC 'Allowed authentication methods' EQUALITY caseIgnoreMatch SYNTAX 1.3.6.1.4.1.1466.115.121.1.15 X-ORIGIN 'IPA v3')
|
||||
+add:objectclasses: (2.16.840.1.113730.3.8.12.19 NAME 'ipaUserAuthTypeClass' SUP top AUXILIARY DESC 'Class for authentication methods definition' MAY ipaUserAuthType X-ORIGIN 'IPA v3')
|
||||
--
|
||||
1.8.2.1
|
||||
|
@ -1,26 +0,0 @@
|
||||
From 98fde54c170eb7974afe80403d54747563c8e3be Mon Sep 17 00:00:00 2001
|
||||
From: Rob Crittenden <rcritten@redhat.com>
|
||||
Date: Fri, 12 Oct 2012 14:35:43 -0400
|
||||
Subject: [PATCH] Use TLS for CA replication
|
||||
|
||||
https://fedorahosted.org/freeipa/ticket/3162
|
||||
---
|
||||
ipaserver/install/cainstance.py | 2 +-
|
||||
1 file changed, 1 insertion(+), 1 deletion(-)
|
||||
|
||||
diff --git a/ipaserver/install/cainstance.py b/ipaserver/install/cainstance.py
|
||||
index aabbba3..f2ac840 100644
|
||||
--- a/ipaserver/install/cainstance.py
|
||||
+++ b/ipaserver/install/cainstance.py
|
||||
@@ -640,7 +640,7 @@ class CAInstance(service.Service):
|
||||
"pki_security_domain_hostname": self.master_host,
|
||||
"pki_security_domain_https_port": "443",
|
||||
"pki_security_domain_password": self.admin_password,
|
||||
- "pki_clone_replication_security": "SSL",
|
||||
+ "pki_clone_replication_security": "TLS",
|
||||
"pki_clone_uri": \
|
||||
"https://%s" % ipautil.format_netloc(self.master_host, 443)
|
||||
}
|
||||
--
|
||||
1.7.11.4
|
||||
|
@ -1,288 +0,0 @@
|
||||
From edca6946f81e01ddc5f3d5a8389560a704f11d7b Mon Sep 17 00:00:00 2001
|
||||
From: Nathaniel McCallum <npmccallum@redhat.com>
|
||||
Date: Thu, 11 Apr 2013 13:24:46 -0400
|
||||
Subject: [PATCH 2/6] Add IPA OTP schema and ACLs
|
||||
|
||||
This commit adds schema support for two factor authentication via
|
||||
OTP devices, including RADIUS or TOTP. This schema will be used
|
||||
by future patches which will enable two factor authentication
|
||||
directly.
|
||||
|
||||
https://fedorahosted.org/freeipa/ticket/3365
|
||||
http://freeipa.org/page/V3/OTP
|
||||
---
|
||||
install/share/70ipaotp.ldif | 28 +++++++++++++++++++++++
|
||||
install/share/Makefile.am | 1 +
|
||||
install/share/copy-schema-to-ca.py | 1 +
|
||||
install/share/default-aci.ldif | 10 +++++++-
|
||||
install/updates/10-70ipaotp.update | 25 ++++++++++++++++++++
|
||||
install/updates/40-otp.update | 9 ++++++++
|
||||
install/updates/Makefile.am | 4 +++-
|
||||
ipalib/constants.py | 1 +
|
||||
ipaserver/install/dsinstance.py | 3 ++-
|
||||
ipaserver/install/plugins/update_anonymous_aci.py | 25 ++++++++++++++------
|
||||
10 files changed, 97 insertions(+), 10 deletions(-)
|
||||
create mode 100644 install/share/70ipaotp.ldif
|
||||
create mode 100644 install/updates/10-70ipaotp.update
|
||||
create mode 100644 install/updates/40-otp.update
|
||||
|
||||
diff --git a/install/share/70ipaotp.ldif b/install/share/70ipaotp.ldif
|
||||
new file mode 100644
|
||||
index 0000000..3cfe872
|
||||
--- /dev/null
|
||||
+++ b/install/share/70ipaotp.ldif
|
||||
@@ -0,0 +1,28 @@
|
||||
+# IPA OTP schema
|
||||
+# BaseOID: 2.16.840.1.113730.3.8.16
|
||||
+# See RFC 4517 for Syntax OID definitions
|
||||
+dn: cn=schema
|
||||
+attributeTypes: (2.16.840.1.113730.3.8.16.1.1 NAME 'ipatokenUniqueID' DESC 'Token Unique Identifier' EQUALITY caseIgnoreMatch SYNTAX 1.3.6.1.4.1.1466.115.121.1.15 SINGLE-VALUE X-ORIGIN 'IPA OTP')
|
||||
+attributeTypes: (2.16.840.1.113730.3.8.16.1.2 NAME 'ipatokenDisabled' DESC 'Optionally marks token as Disabled' EQUALITY booleanMatch SYNTAX 1.3.6.1.4.1.1466.115.121.1.7 SINGLE-VALUE X-ORIGIN 'IPA OTP')
|
||||
+attributeTypes: (2.16.840.1.113730.3.8.16.1.3 NAME 'ipatokenNotBefore' DESC 'Token validity date' EQUALITY generalizedTimeMatch SYNTAX 1.3.6.1.4.1.1466.115.121.1.24 SINGLE-VALUE X-ORIGIN 'IPA OTP')
|
||||
+attributeTypes: (2.16.840.1.113730.3.8.16.1.4 NAME 'ipatokenNotAfter' DESC 'Token expiration date' EQUALITY generalizedTimeMatch SYNTAX 1.3.6.1.4.1.1466.115.121.1.24 SINGLE-VALUE X-ORIGIN 'IPA OTP')
|
||||
+attributeTypes: (2.16.840.1.113730.3.8.16.1.5 NAME 'ipatokenVendor' DESC 'Optional Vendor identifier' EQUALITY caseIgnoreMatch SUBSTR caseIgnoreSubstringsMatch SYNTAX 1.3.6.1.4.1.1466.115.121.1.15 SINGLE-VALUE X-ORIGIN 'IPA OTP')
|
||||
+attributeTypes: (2.16.840.1.113730.3.8.16.1.6 NAME 'ipatokenModel' DESC 'Optional Model identifier' EQUALITY caseIgnoreMatch SUBSTR caseIgnoreSubstringsMatch SYNTAX 1.3.6.1.4.1.1466.115.121.1.15 SINGLE-VALUE X-ORIGIN 'IPA OTP')
|
||||
+attributeTypes: (2.16.840.1.113730.3.8.16.1.7 NAME 'ipatokenSerial' DESC 'OTP Token Serial number' EQUALITY caseIgnoreMatch SYNTAX 1.3.6.1.4.1.1466.115.121.1.15 SINGLE-VALUE X-ORIGIN 'IPA OTP')
|
||||
+attributeTypes: (2.16.840.1.113730.3.8.16.1.8 NAME 'ipatokenOTPkey' DESC 'OTP Token Key' EQUALITY octetStringMatch SYNTAX 1.3.6.1.4.1.1466.115.121.1.40 SINGLE-VALUE X-ORIGIN 'IPA OTP')
|
||||
+attributeTypes: (2.16.840.1.113730.3.8.16.1.9 NAME 'ipatokenOTPalgorithm' DESC 'OTP Token Algorithm' EQUALITY caseIgnoreMatch SYNTAX 1.3.6.1.4.1.1466.115.121.1.15 SINGLE-VALUE X-ORIGIN 'IPA OTP')
|
||||
+attributeTypes: (2.16.840.1.113730.3.8.16.1.10 NAME 'ipatokenOTPdigits' DESC 'OTP Token Number of digits' EQUALITY integerMatch SYNTAX 1.3.6.1.4.1.1466.115.121.1.27 SINGLE-VALUE X-ORIGIN 'IPA OTP')
|
||||
+attributeTypes: (2.16.840.1.113730.3.8.16.1.11 NAME 'ipatokenTOTPclockOffset' DESC 'TOTP clock offset' EQUALITY integerMatch SYNTAX 1.3.6.1.4.1.1466.115.121.1.27 SINGLE-VALUE X-ORIGIN 'IPA OTP')
|
||||
+attributeTypes: (2.16.840.1.113730.3.8.16.1.12 NAME 'ipatokenTOTPtimeStep' DESC 'TOTP time-step' EQUALITY integerMatch SYNTAX 1.3.6.1.4.1.1466.115.121.1.27 SINGLE-VALUE X-ORIGIN 'IPA OTP')
|
||||
+attributeTypes: (2.16.840.1.113730.3.8.16.1.13 NAME 'ipatokenOwner' DESC 'User entry that owns this token' SUP distinguishedName SINGLE-VALUE X-ORIGIN 'IPA OTP')
|
||||
+attributeTypes: (2.16.840.1.113730.3.8.16.1.14 NAME 'ipatokenRadiusUserName' DESC 'Corresponding Radius username' EQUALITY caseIgnoreMatch SYNTAX 1.3.6.1.4.1.1466.115.121.1.15 SINGLE-VALUE X-ORIGIN 'IPA OTP')
|
||||
+attributeTypes: (2.16.840.1.113730.3.8.16.1.15 NAME 'ipatokenRadiusConfigLink' DESC 'Corresponding Radius Configuration link' SUP distinguishedName SINGLE-VALUE X-ORIGIN 'IPA OTP')
|
||||
+attributeTypes: (2.16.840.1.113730.3.8.16.1.16 NAME 'ipatokenRadiusServer' DESC 'Server String Configuration' EQUALITY caseIgnoreIA5Match SYNTAX 1.3.6.1.4.1.1466.115.121.1.26 X-ORIGIN 'IPA OTP')
|
||||
+attributeTypes: (2.16.840.1.113730.3.8.16.1.17 NAME 'ipatokenRadiusSecret' DESC 'Server's Secret' EQUALITY octetStringMatch SYNTAX 1.3.6.1.4.1.1466.115.121.1.40 SINGLE-VALUE X-ORIGIN 'IPA OTP')
|
||||
+attributeTypes: (2.16.840.1.113730.3.8.16.1.18 NAME 'ipatokenRadiusTimeout' DESC 'Server Timeout' EQUALITY integerMatch SYNTAX 1.3.6.1.4.1.1466.115.121.1.27 SINGLE-VALUE X-ORIGIN 'IPA OTP')
|
||||
+attributeTypes: (2.16.840.1.113730.3.8.16.1.19 NAME 'ipatokenRadiusRetries' DESC 'Number of allowed Retries' EQUALITY integerMatch SYNTAX 1.3.6.1.4.1.1466.115.121.1.27 SINGLE-VALUE X-ORIGIN 'IPA OTP')
|
||||
+attributeTypes: (2.16.840.1.113730.3.8.16.1.20 NAME 'ipatokenUserMapAttribute' DESC 'Attribute to map from the user entry for RADIUS server authentication' EQUALITY caseIgnoreMatch SYNTAX 1.3.6.1.4.1.1466.115.121.1.15 SINGLE-VALUE X-ORIGIN 'IPA OTP')
|
||||
+objectClasses: (2.16.840.1.113730.3.8.16.2.1 NAME 'ipaToken' SUP top ABSTRACT DESC 'Abstract token class for tokens' MUST (ipatokenUniqueID) MAY (description $ ipatokenOwner $ ipatokenDisabled $ ipatokenNotBefore $ ipatokenNotAfter $ ipatokenVendor $ ipatokenModel $ ipatokenSerial) X-ORIGIN 'IPA OTP')
|
||||
+objectClasses: (2.16.840.1.113730.3.8.16.2.2 NAME 'ipatokenTOTP' SUP ipaToken STRUCTURAL DESC 'TOTP Token Type' MAY (ipatokenOTPkey $ ipatokenOTPalgorithm $ ipatokenOTPdigits $ ipatokenTOTPclockOffset $ ipatokenTOTPtimeStep) X-ORIGIN 'IPA OTP')
|
||||
+objectClasses: (2.16.840.1.113730.3.8.16.2.3 NAME 'ipatokenRadiusProxyUser' SUP top AUXILIARY DESC 'Radius Proxy User' MUST (ipatokenRadiusConfigLink) MAY (ipatokenRadiusUserName) X-ORIGIN 'IPA OTP')
|
||||
+objectClasses: (2.16.840.1.113730.3.8.16.2.4 NAME 'ipatokenRadiusConfiguration' SUP top STRUCTURAL DESC 'Proxy Radius Configuration' MUST (cn $ ipatokenRadiusServer $ ipatokenRadiusSecret) MAY (description $ ipatokenRadiusTimeout $ ipatokenRadiusRetries $ ipatokenUserMapAttribute) X-ORIGIN 'IPA OTP')
|
||||
diff --git a/install/share/Makefile.am b/install/share/Makefile.am
|
||||
index f8f9b74..8823723 100644
|
||||
--- a/install/share/Makefile.am
|
||||
+++ b/install/share/Makefile.am
|
||||
@@ -11,6 +11,7 @@ app_DATA = \
|
||||
60ipadns.ldif \
|
||||
61kerberos-ipav3.ldif \
|
||||
65ipasudo.ldif \
|
||||
+ 70ipaotp.ldif \
|
||||
anonymous-vlv.ldif \
|
||||
bootstrap-template.ldif \
|
||||
caJarSigningCert.cfg.template \
|
||||
diff --git a/install/share/copy-schema-to-ca.py b/install/share/copy-schema-to-ca.py
|
||||
index 4e2054e..1888f12 100755
|
||||
--- a/install/share/copy-schema-to-ca.py
|
||||
+++ b/install/share/copy-schema-to-ca.py
|
||||
@@ -31,6 +31,7 @@ SCHEMA_FILENAMES = (
|
||||
"60ipadns.ldif",
|
||||
"61kerberos-ipav3.ldif",
|
||||
"65ipasudo.ldif",
|
||||
+ "70ipaotp.ldif",
|
||||
"05rfc2247.ldif",
|
||||
)
|
||||
|
||||
diff --git a/install/share/default-aci.ldif b/install/share/default-aci.ldif
|
||||
index f173f79..18881ec 100644
|
||||
--- a/install/share/default-aci.ldif
|
||||
+++ b/install/share/default-aci.ldif
|
||||
@@ -3,7 +3,7 @@
|
||||
dn: $SUFFIX
|
||||
changetype: modify
|
||||
add: aci
|
||||
-aci: (target != "ldap:///idnsname=*,cn=dns,$SUFFIX")(targetattr != "userPassword || krbPrincipalKey || sambaLMPassword || sambaNTPassword || passwordHistory || krbMKey || userPKCS12 || ipaNTHash || ipaNTTrustAuthOutgoing || ipaNTTrustAuthIncoming")(version 3.0; acl "Enable Anonymous access"; allow (read, search, compare) userdn = "ldap:///anyone";)
|
||||
+aci: (targetfilter = "(&(!(objectClass=ipaToken))(!(objectClass=ipatokenTOTP))(!(objectClass=ipatokenRadiusProxyUser))(!(objectClass=ipatokenRadiusConfiguration)))")(target != "ldap:///idnsname=*,cn=dns,$SUFFIX")(targetattr != "userPassword || krbPrincipalKey || sambaLMPassword || sambaNTPassword || passwordHistory || krbMKey || userPKCS12 || ipaNTHash || ipaNTTrustAuthOutgoing || ipaNTTrustAuthIncoming")(version 3.0; acl "Enable Anonymous access"; allow (read, search, compare) userdn = "ldap:///anyone";)
|
||||
aci: (targetattr = "memberOf || memberHost || memberUser")(version 3.0; acl "No anonymous access to member information"; deny (read,search,compare) userdn != "ldap:///all";)
|
||||
aci: (targetattr != "userPassword || krbPrincipalKey || sambaLMPassword || sambaNTPassword || passwordHistory || krbMKey || krbPrincipalName || krbCanonicalName || krbUPEnabled || krbTicketPolicyReference || krbPrincipalExpiration || krbPasswordExpiration || krbPwdPolicyReference || krbPrincipalType || krbPwdHistory || krbLastPwdChange || krbPrincipalAliases || krbExtraData || krbLastSuccessfulAuth || krbLastFailedAuth || krbLoginFailedCount || ipaUniqueId || memberOf || serverHostName || enrolledBy || ipaNTHash")(version 3.0; acl "Admin can manage any entry"; allow (all) groupdn = "ldap:///cn=admins,cn=groups,cn=accounts,$SUFFIX";)
|
||||
aci: (targetattr = "userpassword || krbprincipalkey || sambalmpassword || sambantpassword")(version 3.0; acl "selfservice:Self can write own password"; allow (write) userdn="ldap:///self";)
|
||||
@@ -96,3 +96,11 @@ dn: cn=ipa,cn=etc,$SUFFIX
|
||||
changetype: modify
|
||||
add: aci
|
||||
aci: (target="ldap:///cn=*,cn=ca_renewal,cn=ipa,cn=etc,$SUFFIX")(targetattr="userCertificate")(version 3.0; acl "Modify CA Certificates for renewals"; allow(write) userdn = "ldap:///fqdn=$FQDN,cn=computers,cn=accounts,$SUFFIX";)
|
||||
+
|
||||
+# Let users manage their own tokens
|
||||
+dn: $SUFFIX
|
||||
+changetype: modify
|
||||
+add: aci
|
||||
+aci: (targetfilter = "(objectClass=ipaToken)")(targetattrs = "objectclass || ipatokenUniqueID || description || ipatokenOwner || ipatokenNotBefore || ipatokenNotAfter || ipatokenVendor || ipatokenModel || ipatokenSerial")(version 3.0; acl "Users can read basic token info"; allow (read, search, compare) userattr = "ipatokenOwner#USERDN";)
|
||||
+aci: (targetfilter = "(objectClass=ipaToken)")(targetattrs = "ipatokenUniqueID || description || ipatokenOwner || ipatokenNotBefore || ipatokenNotAfter || ipatokenVendor || ipatokenModel || ipatokenSerial")(version 3.0; acl "Users can write basic token info"; allow (write) userattr = "ipatokenOwner#USERDN";)
|
||||
+aci: (targetfilter = "(objectClass=ipatokenTOTP)")(targetattrs = "ipatokenOTPkey || ipatokenOTPalgorithm || ipatokenOTPdigits || ipatokenTOTPclockOffset || ipatokenTOTPtimeStep")(version 3.0; acl "Users can add TOTP token secrets"; allow (write, search) userattr = "ipatokenOwner#USERDN";)
|
||||
diff --git a/install/updates/10-70ipaotp.update b/install/updates/10-70ipaotp.update
|
||||
new file mode 100644
|
||||
index 0000000..600ef9c
|
||||
--- /dev/null
|
||||
+++ b/install/updates/10-70ipaotp.update
|
||||
@@ -0,0 +1,25 @@
|
||||
+dn: cn=schema
|
||||
+add:attributeTypes: (2.16.840.1.113730.3.8.16.1.1 NAME 'ipatokenUniqueID' DESC 'Token Unique Identifier' EQUALITY caseIgnoreMatch SYNTAX 1.3.6.1.4.1.1466.115.121.1.15 SINGLE-VALUE X-ORIGIN 'IPA OTP')
|
||||
+add:attributeTypes: (2.16.840.1.113730.3.8.16.1.2 NAME 'ipatokenDisabled' DESC 'Optionally marks token as Disabled' EQUALITY booleanMatch SYNTAX 1.3.6.1.4.1.1466.115.121.1.7 SINGLE-VALUE X-ORIGIN 'IPA OTP')
|
||||
+add:attributeTypes: (2.16.840.1.113730.3.8.16.1.3 NAME 'ipatokenNotBefore' DESC 'Token validity date' EQUALITY generalizedTimeMatch SYNTAX 1.3.6.1.4.1.1466.115.121.1.24 SINGLE-VALUE X-ORIGIN 'IPA OTP')
|
||||
+add:attributeTypes: (2.16.840.1.113730.3.8.16.1.4 NAME 'ipatokenNotAfter' DESC 'Token expiration date' EQUALITY generalizedTimeMatch SYNTAX 1.3.6.1.4.1.1466.115.121.1.24 SINGLE-VALUE X-ORIGIN 'IPA OTP')
|
||||
+add:attributeTypes: (2.16.840.1.113730.3.8.16.1.5 NAME 'ipatokenVendor' DESC 'Optional Vendor identifier' EQUALITY caseIgnoreMatch SUBSTR caseIgnoreSubstringsMatch SYNTAX 1.3.6.1.4.1.1466.115.121.1.15 SINGLE-VALUE X-ORIGIN 'IPA OTP')
|
||||
+add:attributeTypes: (2.16.840.1.113730.3.8.16.1.6 NAME 'ipatokenModel' DESC 'Optional Model identifier' EQUALITY caseIgnoreMatch SUBSTR caseIgnoreSubstringsMatch SYNTAX 1.3.6.1.4.1.1466.115.121.1.15 SINGLE-VALUE X-ORIGIN 'IPA OTP')
|
||||
+add:attributeTypes: (2.16.840.1.113730.3.8.16.1.7 NAME 'ipatokenSerial' DESC 'OTP Token Serial number' EQUALITY caseIgnoreMatch SYNTAX 1.3.6.1.4.1.1466.115.121.1.15 SINGLE-VALUE X-ORIGIN 'IPA OTP')
|
||||
+add:attributeTypes: (2.16.840.1.113730.3.8.16.1.8 NAME 'ipatokenOTPkey' DESC 'OTP Token Key' EQUALITY octetStringMatch SYNTAX 1.3.6.1.4.1.1466.115.121.1.40 SINGLE-VALUE X-ORIGIN 'IPA OTP')
|
||||
+add:attributeTypes: (2.16.840.1.113730.3.8.16.1.9 NAME 'ipatokenOTPalgorithm' DESC 'OTP Token Algorithm' EQUALITY caseIgnoreMatch SYNTAX 1.3.6.1.4.1.1466.115.121.1.15 SINGLE-VALUE X-ORIGIN 'IPA OTP')
|
||||
+add:attributeTypes: (2.16.840.1.113730.3.8.16.1.10 NAME 'ipatokenOTPdigits' DESC 'OTP Token Number of digits' EQUALITY integerMatch SYNTAX 1.3.6.1.4.1.1466.115.121.1.27 SINGLE-VALUE X-ORIGIN 'IPA OTP')
|
||||
+add:attributeTypes: (2.16.840.1.113730.3.8.16.1.11 NAME 'ipatokenTOTPclockOffset' DESC 'TOTP clock offset' EQUALITY integerMatch SYNTAX 1.3.6.1.4.1.1466.115.121.1.27 SINGLE-VALUE X-ORIGIN 'IPA OTP')
|
||||
+add:attributeTypes: (2.16.840.1.113730.3.8.16.1.12 NAME 'ipatokenTOTPtimeStep' DESC 'TOTP time-step' EQUALITY integerMatch SYNTAX 1.3.6.1.4.1.1466.115.121.1.27 SINGLE-VALUE X-ORIGIN 'IPA OTP')
|
||||
+add:attributeTypes: (2.16.840.1.113730.3.8.16.1.13 NAME 'ipatokenOwner' DESC 'User entry that owns this token' SUP distinguishedName SINGLE-VALUE X-ORIGIN 'IPA OTP')
|
||||
+add:attributeTypes: (2.16.840.1.113730.3.8.16.1.14 NAME 'ipatokenRadiusUserName' DESC 'Corresponding Radius username' EQUALITY caseIgnoreMatch SYNTAX 1.3.6.1.4.1.1466.115.121.1.15 SINGLE-VALUE X-ORIGIN 'IPA OTP')
|
||||
+add:attributeTypes: (2.16.840.1.113730.3.8.16.1.15 NAME 'ipatokenRadiusConfigLink' DESC 'Corresponding Radius Configuration link' SUP distinguishedName SINGLE-VALUE X-ORIGIN 'IPA OTP')
|
||||
+add:attributeTypes: (2.16.840.1.113730.3.8.16.1.16 NAME 'ipatokenRadiusServer' DESC 'Server String Configuration' EQUALITY caseIgnoreIA5Match SYNTAX 1.3.6.1.4.1.1466.115.121.1.26 X-ORIGIN 'IPA OTP')
|
||||
+add:attributeTypes: (2.16.840.1.113730.3.8.16.1.17 NAME 'ipatokenRadiusSecret' DESC 'Server's Secret' EQUALITY octetStringMatch SYNTAX 1.3.6.1.4.1.1466.115.121.1.40 SINGLE-VALUE X-ORIGIN 'IPA OTP')
|
||||
+add:attributeTypes: (2.16.840.1.113730.3.8.16.1.18 NAME 'ipatokenRadiusTimeout' DESC 'Server Timeout' EQUALITY integerMatch SYNTAX 1.3.6.1.4.1.1466.115.121.1.27 SINGLE-VALUE X-ORIGIN 'IPA OTP')
|
||||
+add:attributeTypes: (2.16.840.1.113730.3.8.16.1.19 NAME 'ipatokenRadiusRetries' DESC 'Number of allowed Retries' EQUALITY integerMatch SYNTAX 1.3.6.1.4.1.1466.115.121.1.27 SINGLE-VALUE X-ORIGIN 'IPA OTP')
|
||||
+add:attributeTypes: (2.16.840.1.113730.3.8.16.1.20 NAME 'ipatokenUserMapAttribute' DESC 'Attribute to map from the user entry for RADIUS server authentication' EQUALITY caseIgnoreMatch SYNTAX 1.3.6.1.4.1.1466.115.121.1.15 SINGLE-VALUE X-ORIGIN 'IPA OTP')
|
||||
+add:objectClasses: (2.16.840.1.113730.3.8.16.2.1 NAME 'ipaToken' SUP top ABSTRACT DESC 'Abstract token class for tokens' MUST (ipatokenUniqueID) MAY (description $$ ipatokenOwner $$ ipatokenDisabled $$ ipatokenNotBefore $$ ipatokenNotAfter $$ ipatokenVendor $$ ipatokenModel $$ ipatokenSerial) X-ORIGIN 'IPA OTP')
|
||||
+add:objectClasses: (2.16.840.1.113730.3.8.16.2.2 NAME 'ipatokenTOTP' SUP ipaToken STRUCTURAL DESC 'TOTP Token Type' MAY (ipatokenOTPkey $$ ipatokenOTPalgorithm $$ ipatokenOTPdigits $$ ipatokenTOTPclockOffset $$ ipatokenTOTPtimeStep) X-ORIGIN 'IPA OTP')
|
||||
+add:objectClasses: (2.16.840.1.113730.3.8.16.2.3 NAME 'ipatokenRadiusProxyUser' SUP top AUXILIARY DESC 'Radius Proxy User' MUST (ipatokenRadiusConfigLink) MAY (ipatokenRadiusUserName) X-ORIGIN 'IPA OTP')
|
||||
+add:objectClasses: (2.16.840.1.113730.3.8.16.2.4 NAME 'ipatokenRadiusConfiguration' SUP top STRUCTURAL DESC 'Proxy Radius Configuration' MUST (cn $$ ipatokenRadiusServer $$ ipatokenRadiusSecret) MAY (description $$ ipatokenRadiusTimeout $$ ipatokenRadiusRetries $$ ipatokenUserMapAttribute) X-ORIGIN 'IPA OTP')
|
||||
diff --git a/install/updates/40-otp.update b/install/updates/40-otp.update
|
||||
new file mode 100644
|
||||
index 0000000..ff36c87
|
||||
--- /dev/null
|
||||
+++ b/install/updates/40-otp.update
|
||||
@@ -0,0 +1,9 @@
|
||||
+dn: cn=otp,$SUFFIX
|
||||
+default: objectClass: nsContainer
|
||||
+default: objectClass: top
|
||||
+default: cn: otp
|
||||
+
|
||||
+dn: $SUFFIX
|
||||
+add: aci:'(targetfilter = "(objectClass=ipaToken)")(targetattrs = "objectclass || ipatokenUniqueID || description || ipatokenOwner || ipatokenNotBefore || ipatokenNotAfter || ipatokenVendor || ipatokenModel || ipatokenSerial")(version 3.0; acl "Users can read basic token info"; allow (read, search, compare) userattr = "ipatokenOwner#USERDN";)'
|
||||
+add: aci:'(targetfilter = "(objectClass=ipaToken)")(targetattrs = "ipatokenUniqueID || description || ipatokenOwner || ipatokenNotBefore || ipatokenNotAfter || ipatokenVendor || ipatokenModel || ipatokenSerial")(version 3.0; acl "Users can write basic token info"; allow (write) userattr = "ipatokenOwner#USERDN";)'
|
||||
+add: aci:'(targetfilter = "(objectClass=ipatokenTOTP)")(targetattrs = "ipatokenOTPkey || ipatokenOTPalgorithm || ipatokenOTPdigits || ipatokenTOTPclockOffset || ipatokenTOTPtimeStep")(version 3.0; acl "Users can add TOTP token secrets"; allow (write, search) userattr = "ipatokenOwner#USERDN";)'
|
||||
diff --git a/install/updates/Makefile.am b/install/updates/Makefile.am
|
||||
index ab3f411..787a51c 100644
|
||||
--- a/install/updates/Makefile.am
|
||||
+++ b/install/updates/Makefile.am
|
||||
@@ -4,6 +4,7 @@ appdir = $(IPA_DATA_DIR)/updates
|
||||
app_DATA = \
|
||||
10-60basev2.update \
|
||||
10-60basev3.update \
|
||||
+ 10-70ipaotp.update \
|
||||
10-RFC2307bis.update \
|
||||
10-RFC4876.update \
|
||||
10-config.update \
|
||||
@@ -13,6 +14,7 @@ app_DATA = \
|
||||
10-ssh.update \
|
||||
10-bind-schema.update \
|
||||
10-uniqueness.update \
|
||||
+ 10-schema_compat.update \
|
||||
19-managed-entries.update \
|
||||
20-aci.update \
|
||||
20-dna.update \
|
||||
@@ -20,7 +22,6 @@ app_DATA = \
|
||||
20-indices.update \
|
||||
20-nss_ldap.update \
|
||||
20-replication.update \
|
||||
- 10-schema_compat.update \
|
||||
20-user_private_groups.update \
|
||||
20-winsync_index.update \
|
||||
21-replicas_container.update \
|
||||
@@ -32,6 +33,7 @@ app_DATA = \
|
||||
40-replication.update \
|
||||
40-dns.update \
|
||||
40-automember.update \
|
||||
+ 40-otp.update \
|
||||
45-roles.update \
|
||||
50-lockout-policy.update \
|
||||
50-groupuuid.update \
|
||||
diff --git a/ipalib/constants.py b/ipalib/constants.py
|
||||
index ecb9255..de08457 100644
|
||||
--- a/ipalib/constants.py
|
||||
+++ b/ipalib/constants.py
|
||||
@@ -109,6 +109,7 @@ DEFAULT_CONFIG = (
|
||||
('container_dna', DN(('cn', 'dna'), ('cn', 'ipa'), ('cn', 'etc'))),
|
||||
('container_dna_posix_ids', DN(('cn', 'posix-ids'), ('cn', 'dna'), ('cn', 'ipa'), ('cn', 'etc'))),
|
||||
('container_realm_domains', DN(('cn', 'Realm Domains'), ('cn', 'ipa'), ('cn', 'etc'))),
|
||||
+ ('container_otp', DN(('cn', 'otp'))),
|
||||
|
||||
# Ports, hosts, and URIs:
|
||||
# FIXME: let's renamed xmlrpc_uri to rpc_xml_uri
|
||||
diff --git a/ipaserver/install/dsinstance.py b/ipaserver/install/dsinstance.py
|
||||
index e6bb054..7c809ec 100644
|
||||
--- a/ipaserver/install/dsinstance.py
|
||||
+++ b/ipaserver/install/dsinstance.py
|
||||
@@ -409,7 +409,8 @@ class DsInstance(service.Service):
|
||||
"60basev3.ldif",
|
||||
"60ipadns.ldif",
|
||||
"61kerberos-ipav3.ldif",
|
||||
- "65ipasudo.ldif"):
|
||||
+ "65ipasudo.ldif",
|
||||
+ "70ipaotp.ldif"):
|
||||
target_fname = schema_dirname(self.serverid) + schema_fname
|
||||
shutil.copyfile(ipautil.SHARE_DIR + schema_fname, target_fname)
|
||||
os.chmod(target_fname, 0440) # read access for dirsrv user/group
|
||||
diff --git a/ipaserver/install/plugins/update_anonymous_aci.py b/ipaserver/install/plugins/update_anonymous_aci.py
|
||||
index 2b7446a..1e75113 100644
|
||||
--- a/ipaserver/install/plugins/update_anonymous_aci.py
|
||||
+++ b/ipaserver/install/plugins/update_anonymous_aci.py
|
||||
@@ -20,8 +20,6 @@
|
||||
from copy import deepcopy
|
||||
from ipaserver.install.plugins import FIRST, LAST
|
||||
from ipaserver.install.plugins.baseupdate import PostUpdate
|
||||
-#from ipalib.frontend import Updater
|
||||
-#from ipaserver.install.plugins import baseupdate
|
||||
from ipalib import api
|
||||
from ipalib.aci import ACI
|
||||
from ipalib.plugins import aci
|
||||
@@ -37,6 +35,8 @@ class update_anonymous_aci(PostUpdate):
|
||||
aciname = u'Enable Anonymous access'
|
||||
aciprefix = u'none'
|
||||
ldap = self.obj.backend
|
||||
+ targetfilter = '(&(!(objectClass=ipaToken))(!(objectClass=ipatokenTOTP))(!(objectClass=ipatokenRadiusProxyUser))(!(objectClass=ipatokenRadiusConfiguration)))'
|
||||
+ filter = None
|
||||
|
||||
(dn, entry_attrs) = ldap.get_entry(api.env.basedn, ['aci'])
|
||||
|
||||
@@ -45,6 +45,9 @@ class update_anonymous_aci(PostUpdate):
|
||||
rawaci = aci._find_aci_by_name(acilist, aciprefix, aciname)
|
||||
|
||||
attrs = rawaci.target['targetattr']['expression']
|
||||
+ rawfilter = rawaci.target.get('targetfilter', None)
|
||||
+ if rawfilter is not None:
|
||||
+ filter = rawfilter['expression']
|
||||
|
||||
update_attrs = deepcopy(attrs)
|
||||
|
||||
@@ -54,12 +57,10 @@ class update_anonymous_aci(PostUpdate):
|
||||
needed_attrs.append(attr)
|
||||
|
||||
update_attrs.extend(needed_attrs)
|
||||
- if len(attrs) == len(update_attrs):
|
||||
+ if (len(attrs) == len(update_attrs) and
|
||||
+ filter == targetfilter):
|
||||
root_logger.debug("Anonymous ACI already update-to-date")
|
||||
return (False, False, [])
|
||||
- else:
|
||||
- root_logger.debug("New Anonymous ACI attributes needed: %s",
|
||||
- needed_attrs)
|
||||
|
||||
for tmpaci in acistrs:
|
||||
candidate = ACI(tmpaci)
|
||||
@@ -67,7 +68,17 @@ class update_anonymous_aci(PostUpdate):
|
||||
acistrs.remove(tmpaci)
|
||||
break
|
||||
|
||||
- rawaci.target['targetattr']['expression'] = update_attrs
|
||||
+ if len(attrs) != len(update_attrs):
|
||||
+ root_logger.debug("New Anonymous ACI attributes needed: %s",
|
||||
+ needed_attrs)
|
||||
+
|
||||
+ rawaci.target['targetattr']['expression'] = update_attrs
|
||||
+
|
||||
+ if filter != targetfilter:
|
||||
+ root_logger.debug("New Anonymous ACI targetfilter needed.")
|
||||
+
|
||||
+ rawaci.set_target_filter(targetfilter)
|
||||
+
|
||||
acistrs.append(unicode(rawaci))
|
||||
entry_attrs['aci'] = acistrs
|
||||
|
||||
--
|
||||
1.8.2.1
|
||||
|
@ -1,187 +0,0 @@
|
||||
From 5b15278283d3be6d615c98963807facf34da31eb Mon Sep 17 00:00:00 2001
|
||||
From: Nathaniel McCallum <npmccallum@redhat.com>
|
||||
Date: Thu, 11 Apr 2013 13:50:42 -0400
|
||||
Subject: [PATCH 3/6] ipa-kdb: Add OTP support
|
||||
|
||||
If OTP is enabled for a user, then:
|
||||
1. Long-term keys are not provided to KDB
|
||||
2. The user string 'otp' is defined to KDB
|
||||
|
||||
Since it is not secure to send radius configuration information
|
||||
over krb5 user strings, we simply set the string to a known default
|
||||
('[]') which enables the default configuration in the KDC.
|
||||
|
||||
https://fedorahosted.org/freeipa/ticket/3561
|
||||
http://freeipa.org/page/V3/OTP
|
||||
---
|
||||
daemons/ipa-kdb/ipa_kdb.c | 38 +++++++++++++++++++++++++++++++++++-
|
||||
daemons/ipa-kdb/ipa_kdb.h | 13 ++++++++++++
|
||||
daemons/ipa-kdb/ipa_kdb_principals.c | 28 ++++++++++++++++++++++++++
|
||||
3 files changed, 78 insertions(+), 1 deletion(-)
|
||||
|
||||
diff --git a/daemons/ipa-kdb/ipa_kdb.c b/daemons/ipa-kdb/ipa_kdb.c
|
||||
index e5c718e..8464264 100644
|
||||
--- a/daemons/ipa-kdb/ipa_kdb.c
|
||||
+++ b/daemons/ipa-kdb/ipa_kdb.c
|
||||
@@ -173,9 +173,42 @@ done:
|
||||
return base;
|
||||
}
|
||||
|
||||
+static const struct {
|
||||
+ const char *name;
|
||||
+ enum ipadb_user_auth flag;
|
||||
+} userauth_table[] = {
|
||||
+ { "disabled", IPADB_USER_AUTH_DISABLED },
|
||||
+ { "password", IPADB_USER_AUTH_PASSWORD },
|
||||
+ { "radius", IPADB_USER_AUTH_RADIUS },
|
||||
+ { "otp", IPADB_USER_AUTH_OTP },
|
||||
+ { }
|
||||
+};
|
||||
+
|
||||
+void ipadb_get_user_auth(LDAP *lcontext, LDAPMessage *le,
|
||||
+ enum ipadb_user_auth *userauth)
|
||||
+{
|
||||
+ struct berval **vals;
|
||||
+ int i, j;
|
||||
+
|
||||
+ *userauth = IPADB_USER_AUTH_EMPTY;
|
||||
+ vals = ldap_get_values_len(lcontext, le, IPA_USER_AUTH_TYPE);
|
||||
+ if (!vals)
|
||||
+ return;
|
||||
+
|
||||
+ for (i = 0; vals[i]; i++) {
|
||||
+ for (j = 0; userauth_table[j].name; j++) {
|
||||
+ if (strcasecmp(vals[i]->bv_val, userauth_table[j].name) == 0) {
|
||||
+ *userauth |= userauth_table[j].flag;
|
||||
+ break;
|
||||
+ }
|
||||
+ }
|
||||
+ }
|
||||
+}
|
||||
+
|
||||
int ipadb_get_global_configs(struct ipadb_context *ipactx)
|
||||
{
|
||||
- char *attrs[] = { "ipaConfigString", IPA_KRB_AUTHZ_DATA_ATTR, NULL };
|
||||
+ char *attrs[] = { "ipaConfigString", IPA_KRB_AUTHZ_DATA_ATTR,
|
||||
+ IPA_USER_AUTH_TYPE, NULL };
|
||||
struct berval **vals = NULL;
|
||||
LDAPMessage *res = NULL;
|
||||
LDAPMessage *first;
|
||||
@@ -203,6 +236,9 @@ int ipadb_get_global_configs(struct ipadb_context *ipactx)
|
||||
goto done;
|
||||
}
|
||||
|
||||
+ /* Check for permitted authentication types. */
|
||||
+ ipadb_get_user_auth(ipactx->lcontext, res, &ipactx->user_auth);
|
||||
+
|
||||
vals = ldap_get_values_len(ipactx->lcontext, first,
|
||||
"ipaConfigString");
|
||||
if (!vals || !vals[0]) {
|
||||
diff --git a/daemons/ipa-kdb/ipa_kdb.h b/daemons/ipa-kdb/ipa_kdb.h
|
||||
index 9daaab8..54869d8 100644
|
||||
--- a/daemons/ipa-kdb/ipa_kdb.h
|
||||
+++ b/daemons/ipa-kdb/ipa_kdb.h
|
||||
@@ -75,9 +75,18 @@
|
||||
#define IPA_SETUP "ipa-setup-override-restrictions"
|
||||
|
||||
#define IPA_KRB_AUTHZ_DATA_ATTR "ipaKrbAuthzData"
|
||||
+#define IPA_USER_AUTH_TYPE "ipaUserAuthType"
|
||||
|
||||
struct ipadb_mspac;
|
||||
|
||||
+enum ipadb_user_auth {
|
||||
+ IPADB_USER_AUTH_EMPTY = 0,
|
||||
+ IPADB_USER_AUTH_DISABLED = 1 << 0,
|
||||
+ IPADB_USER_AUTH_PASSWORD = 1 << 1,
|
||||
+ IPADB_USER_AUTH_RADIUS = 1 << 2,
|
||||
+ IPADB_USER_AUTH_OTP = 1 << 3,
|
||||
+};
|
||||
+
|
||||
struct ipadb_context {
|
||||
char *uri;
|
||||
char *base;
|
||||
@@ -92,6 +101,7 @@ struct ipadb_context {
|
||||
bool disable_last_success;
|
||||
bool disable_lockout;
|
||||
char **authz_data;
|
||||
+ enum ipadb_user_auth user_auth;
|
||||
};
|
||||
|
||||
#define IPA_E_DATA_MAGIC 0x0eda7a
|
||||
@@ -259,3 +269,6 @@ void ipadb_audit_as_req(krb5_context kcontext,
|
||||
krb5_timestamp authtime,
|
||||
krb5_error_code error_code);
|
||||
|
||||
+/* AUTH METHODS */
|
||||
+void ipadb_get_user_auth(LDAP *lcontext, LDAPMessage *le,
|
||||
+ enum ipadb_user_auth *user_auth);
|
||||
diff --git a/daemons/ipa-kdb/ipa_kdb_principals.c b/daemons/ipa-kdb/ipa_kdb_principals.c
|
||||
index 11c155e..3566e1e 100644
|
||||
--- a/daemons/ipa-kdb/ipa_kdb_principals.c
|
||||
+++ b/daemons/ipa-kdb/ipa_kdb_principals.c
|
||||
@@ -64,6 +64,7 @@ static char *std_principal_attrs[] = {
|
||||
"nsaccountlock",
|
||||
"passwordHistory",
|
||||
IPA_KRB_AUTHZ_DATA_ATTR,
|
||||
+ IPA_USER_AUTH_TYPE,
|
||||
|
||||
"objectClass",
|
||||
NULL
|
||||
@@ -228,6 +229,9 @@ static krb5_error_code ipadb_parse_ldap_entry(krb5_context kcontext,
|
||||
krb5_db_entry **kentry,
|
||||
uint32_t *polmask)
|
||||
{
|
||||
+ krb5_octet otp_string[] = {'o', 't', 'p', 0, '[', ']', 0 };
|
||||
+ enum ipadb_user_auth user_ua = IPADB_USER_AUTH_EMPTY;
|
||||
+ enum ipadb_user_auth *active_ua = &user_ua;
|
||||
struct ipadb_context *ipactx;
|
||||
LDAP *lcontext;
|
||||
krb5_db_entry *entry;
|
||||
@@ -262,6 +266,17 @@ static krb5_error_code ipadb_parse_ldap_entry(krb5_context kcontext,
|
||||
entry->magic = KRB5_KDB_MAGIC_NUMBER;
|
||||
entry->len = KRB5_KDB_V1_BASE_LENGTH;
|
||||
|
||||
+ /* Get the user's user_auth settings. */
|
||||
+ ipadb_get_user_auth(ipactx->lcontext, lentry, &user_ua);
|
||||
+
|
||||
+ /* TODO: Should we confirm the existence of ipatokenRadiusConfigLink in
|
||||
+ * the case of RADIUS? Existence of a token for OTP? */
|
||||
+
|
||||
+ /* Determine which user_auth policy is active: user or global. */
|
||||
+ if ((ipactx->user_auth & IPADB_USER_AUTH_DISABLED)
|
||||
+ || user_ua == IPADB_USER_AUTH_EMPTY)
|
||||
+ active_ua = &ipactx->user_auth;
|
||||
+
|
||||
/* ignore mask for now */
|
||||
|
||||
ret = ipadb_ldap_attr_to_int(lcontext, lentry,
|
||||
@@ -393,6 +408,13 @@ static krb5_error_code ipadb_parse_ldap_entry(krb5_context kcontext,
|
||||
&res_key_data, &result, &mkvno);
|
||||
switch (ret) {
|
||||
case 0:
|
||||
+ /* Only set a principal's key if password auth should be used. */
|
||||
+ if ((*active_ua & ~IPADB_USER_AUTH_DISABLED) != IPADB_USER_AUTH_EMPTY
|
||||
+ && !(*active_ua & IPADB_USER_AUTH_PASSWORD)) {
|
||||
+ /* This is the same behavior as ENOENT below. */
|
||||
+ break;
|
||||
+ }
|
||||
+
|
||||
entry->key_data = res_key_data;
|
||||
entry->n_key_data = result;
|
||||
if (mkvno) {
|
||||
@@ -515,6 +537,12 @@ static krb5_error_code ipadb_parse_ldap_entry(krb5_context kcontext,
|
||||
ied->authz_data = authz_data_list;
|
||||
}
|
||||
|
||||
+ /* If enabled, set the otp user string, enabling otp. */
|
||||
+ if ((*active_ua & (IPADB_USER_AUTH_RADIUS | IPADB_USER_AUTH_OTP)) &&
|
||||
+ !(*active_ua & IPADB_USER_AUTH_DISABLED)) {
|
||||
+ ret = ipadb_set_tl_data(entry, KRB5_TL_STRING_ATTRS,
|
||||
+ sizeof(otp_string), otp_string);
|
||||
+ }
|
||||
|
||||
kerr = 0;
|
||||
|
||||
--
|
||||
1.8.2.1
|
||||
|
@ -1,76 +0,0 @@
|
||||
From 1be93108c4c1506ea50879d645c47ab6843a6ee1 Mon Sep 17 00:00:00 2001
|
||||
From: Martin Kosek <mkosek@redhat.com>
|
||||
Date: Tue, 14 May 2013 18:36:50 +0200
|
||||
Subject: [PATCH] Set KRB5CCNAME so that dirsrv can work with newer krb5-server
|
||||
|
||||
The DIR ccache format is now the default in krb5-server 1.11.2-4
|
||||
but /run/user/<uid> isn't created for Apache by anything so it
|
||||
has no ccache (and it doesn't have SELinux permissions to write here
|
||||
either).
|
||||
|
||||
Use KRB5CCNAME to set a file path instead in /etc/sysconfig/dirsrv.
|
||||
|
||||
https://fedorahosted.org/freeipa/ticket/3628
|
||||
---
|
||||
install/tools/ipa-upgradeconfig | 1 +
|
||||
ipaserver/install/dsinstance.py | 18 ++++++++++++++++++
|
||||
2 files changed, 19 insertions(+)
|
||||
|
||||
diff --git a/install/tools/ipa-upgradeconfig b/install/tools/ipa-upgradeconfig
|
||||
index 8fa9b189a2dc207e2d90ab32131e65fac0f1f9e0..8e9357f20fe7c9a88908def6a2e3b2104f07d73a 100644
|
||||
--- a/install/tools/ipa-upgradeconfig
|
||||
+++ b/install/tools/ipa-upgradeconfig
|
||||
@@ -919,6 +919,7 @@ def main():
|
||||
http.configure_httpd_ccache()
|
||||
|
||||
ds = dsinstance.DsInstance()
|
||||
+ ds.configure_dirsrv_ccache()
|
||||
|
||||
fix_schema_file_syntax(ds)
|
||||
|
||||
diff --git a/ipaserver/install/dsinstance.py b/ipaserver/install/dsinstance.py
|
||||
index e6bb054ddad4a0d91d76d4c79eb477913e8776aa..3b841417e717587675d3ac748ec02182b3e14672 100644
|
||||
--- a/ipaserver/install/dsinstance.py
|
||||
+++ b/ipaserver/install/dsinstance.py
|
||||
@@ -26,6 +26,7 @@
|
||||
import time
|
||||
import tempfile
|
||||
import base64
|
||||
+import stat
|
||||
|
||||
from ipapython.ipa_log_manager import *
|
||||
from ipapython import ipautil, sysrestore, dogtag, ipaldap
|
||||
@@ -213,6 +214,7 @@ def __common_setup(self, enable_ssl=False):
|
||||
self.step("configuring certmap.conf", self.__certmap_conf)
|
||||
self.step("configure autobind for root", self.__root_autobind)
|
||||
self.step("configure new location for managed entries", self.__repoint_managed_entries)
|
||||
+ self.step("configure dirsrv ccache", self.configure_dirsrv_ccache)
|
||||
self.step("restarting directory server", self.__restart_instance)
|
||||
|
||||
def __common_post_setup(self):
|
||||
@@ -515,6 +517,22 @@ def __config_lockout_module(self):
|
||||
def __repoint_managed_entries(self):
|
||||
self._ldap_mod("repoint-managed-entries.ldif", self.sub_dict)
|
||||
|
||||
+ def configure_dirsrv_ccache(self):
|
||||
+ pent = pwd.getpwnam("dirsrv")
|
||||
+ ccache = '/tmp/krb5cc_%d' % pent.pw_uid
|
||||
+ filepath = '/etc/sysconfig/dirsrv'
|
||||
+ if not os.path.exists(filepath):
|
||||
+ # file doesn't exist; create it with correct ownership & mode
|
||||
+ open(filepath, 'a').close()
|
||||
+ os.chmod(filepath,
|
||||
+ stat.S_IRUSR | stat.S_IWUSR | stat.S_IRGRP | stat.S_IROTH)
|
||||
+ os.chown(filepath, 0, 0)
|
||||
+
|
||||
+ replacevars = {'KRB5CCNAME': ccache}
|
||||
+ old_values = ipautil.backup_config_and_replace_variables(
|
||||
+ self.fstore, filepath, replacevars=replacevars)
|
||||
+ ipaservices.restore_context(filepath)
|
||||
+
|
||||
def __managed_entries(self):
|
||||
self._ldap_mod("managed-entries.ldif", self.sub_dict)
|
||||
|
||||
--
|
||||
1.8.1.4
|
||||
|
200
freeipa.spec
200
freeipa.spec
@ -4,11 +4,11 @@
|
||||
%global plugin_dir %{_libdir}/dirsrv/plugins
|
||||
%global POLICYCOREUTILSVER 2.1.14-37
|
||||
%global gettext_domain ipa
|
||||
%global VERSION 3.2.0
|
||||
%global VERSION 3.2.2
|
||||
|
||||
Name: freeipa
|
||||
Version: 3.2.0
|
||||
Release: 2%{?dist}
|
||||
Version: 3.2.2
|
||||
Release: 1%{?dist}
|
||||
Summary: The Identity, Policy and Audit system
|
||||
|
||||
Group: System Environment/Base
|
||||
@ -17,18 +17,9 @@ URL: http://www.freeipa.org/
|
||||
Source0: http://www.freeipa.org/downloads/src/freeipa-%{VERSION}.tar.gz
|
||||
BuildRoot: %{_tmppath}/%{name}-%{version}-%{release}-root-%(%{__id_u} -n)
|
||||
|
||||
Patch1: 0001-Add-ipaUserAuthType-and-ipaUserAuthTypeClass.patch
|
||||
Patch2: 0002-Add-IPA-OTP-schema-and-ACLs.patch
|
||||
Patch3: 0003-ipa-kdb-Add-OTP-support.patch
|
||||
Patch4: 0004-Add-the-krb5-FreeIPA-RADIUS-companion-daemon.patch
|
||||
Patch5: 0005-Remove-unnecessary-prefixes-from-ipa-pwd-extop-files.patch
|
||||
Patch6: 0006-Add-OTP-support-to-ipa-pwd-extop.patch
|
||||
Patch7: freeipa-mkosek-407-set-krb5ccname-so-that-dirsrv-can-work-with-newer-kr.patch
|
||||
|
||||
%if ! %{ONLY_CLIENT}
|
||||
BuildRequires: 389-ds-base-devel >= 1.3.1.0
|
||||
BuildRequires: 389-ds-base-devel >= 1.3.1.3
|
||||
BuildRequires: svrcore-devel
|
||||
BuildRequires: /usr/share/selinux/devel/Makefile
|
||||
BuildRequires: policycoreutils >= %{POLICYCOREUTILSVER}
|
||||
BuildRequires: systemd-units
|
||||
%if 0%{?fedora} >= 18
|
||||
@ -103,8 +94,7 @@ Group: System Environment/Base
|
||||
Requires: %{name}-python = %{version}-%{release}
|
||||
Requires: %{name}-client = %{version}-%{release}
|
||||
Requires: %{name}-admintools = %{version}-%{release}
|
||||
Requires: %{name}-server-selinux = %{version}-%{release}
|
||||
Requires: 389-ds-base >= 1.3.1.0
|
||||
Requires: 389-ds-base >= 1.3.1.3
|
||||
Requires: openldap-clients > 2.4.35-4
|
||||
Requires: nss >= 3.14.3-12.0
|
||||
Requires: nss-tools >= 3.14.3-12.0
|
||||
@ -139,7 +129,7 @@ Requires: python-memcached
|
||||
Requires: systemd-units >= 38
|
||||
Requires(pre): systemd-units
|
||||
Requires(post): systemd-units
|
||||
Requires: selinux-policy >= 3.12.1-42
|
||||
Requires: selinux-policy >= 3.12.1-65
|
||||
Requires(post): selinux-policy-base
|
||||
Requires: slapi-nis >= 0.44
|
||||
Requires: pki-ca >= 10.0.2-5
|
||||
@ -155,7 +145,11 @@ Requires: zip
|
||||
Requires: policycoreutils >= %{POLICYCOREUTILSVER}
|
||||
Requires: tar
|
||||
Requires(pre): certmonger >= 0.65
|
||||
Requires(pre): 389-ds-base >= 1.3.1.0
|
||||
Requires(pre): 389-ds-base >= 1.3.1.3
|
||||
|
||||
# With FreeIPA 3.2.2, package freeipa-server-selinux was obsoleted as the
|
||||
# entire SELinux policy is stored in the system policy
|
||||
Obsoletes: freeipa-server-selinux < 3.2.2
|
||||
|
||||
# We have a soft-requires on bind. It is an optional part of
|
||||
# IPA but if it is configured we need a way to require versions
|
||||
@ -186,22 +180,6 @@ to install this package (in other words, most people should NOT install
|
||||
this package).
|
||||
|
||||
|
||||
%package server-selinux
|
||||
Summary: SELinux rules for freeipa-server daemons
|
||||
Group: System Environment/Base
|
||||
Requires(post): %{name}-server = %{version}-%{release}
|
||||
Requires(postun): %{name}-server = %{version}-%{release}
|
||||
Requires(pre): policycoreutils >= %{POLICYCOREUTILSVER}
|
||||
|
||||
Obsoletes: ipa-server-selinux >= 1.0
|
||||
|
||||
%description server-selinux
|
||||
IPA is an integrated solution to provide centrally managed Identity (machine,
|
||||
user, virtual machines, groups, authentication credentials), Policy
|
||||
(configuration settings, access control information) and Audit (events,
|
||||
logs, analysis thereof). This package provides SELinux rules for the
|
||||
daemons included in freeipa-server
|
||||
|
||||
%package server-trust-ad
|
||||
Summary: Virtual package to install packages required for Active Directory trusts
|
||||
Group: System Environment/Base
|
||||
@ -231,26 +209,28 @@ Requires(preun): %{_sbindir}/update-alternatives
|
||||
Cross-realm trusts with Active Directory in IPA require working Samba 4 installation.
|
||||
This package is provided for convenience to install all required dependencies at once.
|
||||
|
||||
# Fedora spec file only: START. Uncomment when Fedora 20 branches
|
||||
# %package server-strict
|
||||
# Summary: Strict package dependencies
|
||||
# Group: System Environment/Base
|
||||
# Requires(post): %{name}-server = %{version}-%{release}
|
||||
# Requires(postun): %{name}-server = %{version}-%{release}
|
||||
#
|
||||
# # Specific requires
|
||||
# Requires(pre): 389-ds-base = 1.3.0.5
|
||||
# Requires: krb5-server = 1.11.1
|
||||
# Requires: pki-ca = 10.0.1
|
||||
#
|
||||
# %description server-strict
|
||||
# IPA is an integrated solution to provide centrally managed Identity (machine,
|
||||
# user, virtual machines, groups, authentication credentials), Policy
|
||||
# (configuration settings, access control information) and Audit (events,
|
||||
# logs, analysis thereof). This meta package adds strict version dependencies
|
||||
# to known working versions. To upgrade to a non-approved version uninstall
|
||||
# this package.
|
||||
%if 0%{?fedora} == 19
|
||||
# Fedora spec file only: START
|
||||
%package server-strict
|
||||
Summary: Strict package dependencies
|
||||
Group: System Environment/Base
|
||||
Requires(post): %{name}-server = %{version}-%{release}
|
||||
Requires(postun): %{name}-server = %{version}-%{release}
|
||||
|
||||
# Specific requires
|
||||
Requires(pre): 389-ds-base = 1.3.1.3
|
||||
Requires: krb5-server = 1.11.3
|
||||
Requires: pki-ca = 10.0.3
|
||||
|
||||
%description server-strict
|
||||
IPA is an integrated solution to provide centrally managed Identity (machine,
|
||||
user, virtual machines, groups, authentication credentials), Policy
|
||||
(configuration settings, access control information) and Audit (events,
|
||||
logs, analysis thereof). This meta package adds strict version dependencies
|
||||
to known working versions. To upgrade to a non-approved version uninstall
|
||||
this package.
|
||||
# Fedora spec file only: END
|
||||
%endif
|
||||
|
||||
%endif # ! %{ONLY_CLIENT}
|
||||
|
||||
@ -377,9 +357,6 @@ cd install; ../autogen.sh --prefix=%{_usr} --sysconfdir=%{_sysconfdir} --localst
|
||||
|
||||
%if ! %{ONLY_CLIENT}
|
||||
make IPA_VERSION_IS_GIT_SNAPSHOT=no %{?_smp_mflags} all
|
||||
cd selinux
|
||||
# This isn't multi-process make capable yet
|
||||
make all
|
||||
%else
|
||||
make IPA_VERSION_IS_GIT_SNAPSHOT=no %{?_smp_mflags} client
|
||||
%endif # ! %{ONLY_CLIENT}
|
||||
@ -397,9 +374,6 @@ export SUPPORTED_PLATFORM=fedora16
|
||||
rm -f ipapython/services.py
|
||||
%if ! %{ONLY_CLIENT}
|
||||
make install DESTDIR=%{buildroot}
|
||||
cd selinux
|
||||
make install DESTDIR=%{buildroot}
|
||||
cd ..
|
||||
%else
|
||||
make client-install DESTDIR=%{buildroot}
|
||||
%endif # ! %{ONLY_CLIENT}
|
||||
@ -430,7 +404,6 @@ rm %{buildroot}/%{_libdir}/samba/pdb/ipasam.la
|
||||
mkdir -p %{buildroot}/%{_sysconfdir}/ipa/html
|
||||
mkdir -p %{buildroot}/%{_localstatedir}/cache/ipa/sysrestore
|
||||
mkdir -p %{buildroot}/%{_localstatedir}/cache/ipa/sysupgrade
|
||||
mkdir -p %{buildroot}/%{_localstatedir}/cache/ipa/pki-ca/publish
|
||||
mkdir %{buildroot}%{_usr}/share/ipa/html/
|
||||
ln -s ../../../..%{_sysconfdir}/ipa/html/ffconfig.js \
|
||||
%{buildroot}%{_usr}/share/ipa/html/ffconfig.js
|
||||
@ -500,7 +473,6 @@ mkdir -p %{buildroot}/%{_localstatedir}/lib/ipa-client/sysrestore
|
||||
mkdir -p %{buildroot}%{_sysconfdir}/bash_completion.d
|
||||
install -pm 644 contrib/completion/ipa.bash_completion %{buildroot}%{_sysconfdir}/bash_completion.d/ipa
|
||||
mkdir -p %{buildroot}%{_sysconfdir}/cron.d
|
||||
install -pm 644 ipa-compliance.cron %{buildroot}%{_sysconfdir}/cron.d/ipa-compliance
|
||||
|
||||
(cd %{buildroot}/%{python_sitelib}/ipaserver && find . -type f | \
|
||||
grep -v dcerpc | grep -v adtrustinstance | \
|
||||
@ -526,13 +498,22 @@ if [ $1 -gt 1 ] ; then
|
||||
/usr/libexec/freeipa-systemd-upgrade || :
|
||||
# Fedora spec file only: END
|
||||
/bin/systemctl condrestart certmonger.service 2>&1 || :
|
||||
/usr/sbin/ipa-upgradeconfig --quiet >/dev/null || :
|
||||
fi
|
||||
|
||||
%posttrans server
|
||||
# This must be run in posttrans so that updates from previous
|
||||
# execution that may no longer be shipped are not applied.
|
||||
/usr/sbin/ipa-ldap-updater --upgrade --quiet >/dev/null || :
|
||||
/usr/sbin/ipa-upgradeconfig --quiet >/dev/null || :
|
||||
|
||||
# Restart IPA processes. This must be also run in postrans so that plugins
|
||||
# and software is in consistent state
|
||||
python -c "import sys; from ipaserver.install import installutils; sys.exit(0 if installutils.is_ipa_configured() else 1);" > /dev/null 2>&1
|
||||
# NOTE: systemd specific section
|
||||
if [ $? -eq 0 ]; then
|
||||
/bin/systemctl try-restart ipa.service >/dev/null 2>&1 || :
|
||||
fi
|
||||
# END
|
||||
|
||||
%preun server
|
||||
if [ $1 = 0 ]; then
|
||||
@ -542,14 +523,6 @@ if [ $1 = 0 ]; then
|
||||
# END
|
||||
fi
|
||||
|
||||
%postun server
|
||||
if [ "$1" -ge "1" ]; then
|
||||
# NOTE: systemd specific section
|
||||
/bin/systemctl --quiet is-active ipa.service >/dev/null && \
|
||||
/bin/systemctl try-restart ipa.service >/dev/null 2>&1 || :
|
||||
# END
|
||||
fi
|
||||
|
||||
%pre server
|
||||
# Stop ipa_kpasswd if it exists before upgrading so we don't have a
|
||||
# zombie process when we're done.
|
||||
@ -559,48 +532,6 @@ if [ -e /usr/sbin/ipa_kpasswd ]; then
|
||||
# END
|
||||
fi
|
||||
|
||||
%pre server-selinux
|
||||
if [ -s /etc/selinux/config ]; then
|
||||
. %{_sysconfdir}/selinux/config
|
||||
FILE_CONTEXT=%{_sysconfdir}/selinux/targeted/contexts/files/file_contexts
|
||||
if [ "${SELINUXTYPE}" == targeted -a -f ${FILE_CONTEXT} ]; then \
|
||||
cp -f ${FILE_CONTEXT} ${FILE_CONTEXT}.%{name}
|
||||
fi
|
||||
fi
|
||||
|
||||
%post server-selinux
|
||||
semodule -s targeted -i /usr/share/selinux/targeted/ipa_httpd.pp /usr/share/selinux/targeted/ipa_dogtag.pp
|
||||
. %{_sysconfdir}/selinux/config
|
||||
FILE_CONTEXT=%{_sysconfdir}/selinux/targeted/contexts/files/file_contexts
|
||||
selinuxenabled
|
||||
if [ $? == 0 -a "${SELINUXTYPE}" == targeted -a -f ${FILE_CONTEXT}.%{name} ]; then
|
||||
fixfiles -C ${FILE_CONTEXT}.%{name} restore
|
||||
rm -f ${FILE_CONTEXT}.%name
|
||||
fi
|
||||
|
||||
%preun server-selinux
|
||||
if [ $1 = 0 ]; then
|
||||
if [ -s /etc/selinux/config ]; then
|
||||
. %{_sysconfdir}/selinux/config
|
||||
FILE_CONTEXT=%{_sysconfdir}/selinux/targeted/contexts/files/file_contexts
|
||||
if [ "${SELINUXTYPE}" == targeted -a -f ${FILE_CONTEXT} ]; then \
|
||||
cp -f ${FILE_CONTEXT} ${FILE_CONTEXT}.%{name}
|
||||
fi
|
||||
fi
|
||||
fi
|
||||
|
||||
%postun server-selinux
|
||||
if [ $1 = 0 ]; then
|
||||
semodule -s targeted -r ipa_httpd ipa_dogtag
|
||||
. %{_sysconfdir}/selinux/config
|
||||
FILE_CONTEXT=%{_sysconfdir}/selinux/targeted/contexts/files/file_contexts
|
||||
selinuxenabled
|
||||
if [ $? == 0 -a "${SELINUXTYPE}" == targeted -a -f ${FILE_CONTEXT}.%{name} ]; then
|
||||
fixfiles -C ${FILE_CONTEXT}.%{name} restore
|
||||
rm -f ${FILE_CONTEXT}.%name
|
||||
fi
|
||||
fi
|
||||
|
||||
%postun server-trust-ad
|
||||
if [ "$1" -ge "1" ]; then
|
||||
if [ "`readlink %{_sysconfdir}/alternatives/winbind_krb5_locator.so`" == "/dev/null" ]; then
|
||||
@ -611,6 +542,8 @@ fi
|
||||
%post server-trust-ad
|
||||
%{_sbindir}/update-alternatives --install %{_libdir}/krb5/plugins/libkrb5/winbind_krb5_locator.so \
|
||||
winbind_krb5_locator.so /dev/null 90
|
||||
|
||||
%posttrans server-trust-ad
|
||||
python -c "import sys; from ipaserver.install import installutils; sys.exit(0 if installutils.is_ipa_configured() else 1);" > /dev/null 2>&1
|
||||
if [ $? -eq 0 ]; then
|
||||
# NOTE: systemd specific section
|
||||
@ -697,10 +630,8 @@ fi
|
||||
%{_sbindir}/ipa-managed-entries
|
||||
%{_sbindir}/ipactl
|
||||
%{_sbindir}/ipa-upgradeconfig
|
||||
%{_sbindir}/ipa-compliance
|
||||
%{_libexecdir}/certmonger/dogtag-ipa-retrieve-agent-submit
|
||||
%{_libexecdir}/ipa-otpd
|
||||
%{_sysconfdir}/cron.d/ipa-compliance
|
||||
%config(noreplace) %{_sysconfdir}/sysconfig/ipa_memcached
|
||||
%dir %attr(0700,apache,apache) %{_localstatedir}/run/ipa_memcached/
|
||||
%dir %attr(0700,root,root) %{_localstatedir}/run/ipa/
|
||||
@ -813,9 +744,7 @@ fi
|
||||
%attr(700,root,root) %dir %{_localstatedir}/lib/ipa/sysrestore
|
||||
%attr(700,root,root) %dir %{_localstatedir}/lib/ipa/sysupgrade
|
||||
%attr(755,root,root) %dir %{_localstatedir}/lib/ipa/pki-ca
|
||||
%attr(755,root,root) %dir %{_localstatedir}/lib/ipa/pki-ca/publish
|
||||
%dir %{_localstatedir}/cache/ipa
|
||||
%attr(700,apache,apache) %dir %{_localstatedir}/cache/ipa/sessions
|
||||
%ghost %{_localstatedir}/lib/ipa/pki-ca/publish
|
||||
%attr(755,root,root) %{_libdir}/krb5/plugins/kdb/ipadb.so
|
||||
%{_mandir}/man1/ipa-replica-conncheck.1.gz
|
||||
%{_mandir}/man1/ipa-replica-install.1.gz
|
||||
@ -832,16 +761,9 @@ fi
|
||||
%{_mandir}/man1/ipa-ldap-updater.1.gz
|
||||
%{_mandir}/man8/ipactl.8.gz
|
||||
%{_mandir}/man8/ipa-upgradeconfig.8.gz
|
||||
%{_mandir}/man1/ipa-compliance.1.gz
|
||||
%{_mandir}/man1/ipa-backup.1.gz
|
||||
%{_mandir}/man1/ipa-restore.1.gz
|
||||
|
||||
%files server-selinux
|
||||
%defattr(-,root,root,-)
|
||||
%doc COPYING README Contributors.txt
|
||||
%{_usr}/share/selinux/targeted/ipa_httpd.pp
|
||||
%{_usr}/share/selinux/targeted/ipa_dogtag.pp
|
||||
|
||||
%files server-trust-ad
|
||||
%{_sbindir}/ipa-adtrust-install
|
||||
%attr(755,root,root) %{plugin_dir}/libipa_extdom_extop.so
|
||||
@ -854,11 +776,13 @@ fi
|
||||
%{python_sitelib}/ipaserver/install/adtrustinstance*
|
||||
%ghost %{_libdir}/krb5/plugins/libkrb5/winbind_krb5_locator.so
|
||||
|
||||
# Fedora spec file only: START. Uncomment when Fedora 20 branches
|
||||
# %files server-strict
|
||||
# %defattr(-,root,root,-)
|
||||
# %doc COPYING README Contributors.txt
|
||||
%if 0%{?fedora} == 19
|
||||
# Fedora spec file only: START
|
||||
%files server-strict
|
||||
%defattr(-,root,root,-)
|
||||
%doc COPYING README Contributors.txt
|
||||
# Fedora spec file only: END
|
||||
%endif
|
||||
%endif # ! %{ONLY_CLIENT}
|
||||
|
||||
%files client
|
||||
@ -919,6 +843,17 @@ fi
|
||||
%ghost %attr(0644,root,apache) %config(noreplace) %{_sysconfdir}/ipa/ca.crt
|
||||
|
||||
%changelog
|
||||
* Wed Jul 17 2013 Martin Kosek <mkosek@redhat.com> - 3.2.2-1
|
||||
- Update to upstream 3.2.2
|
||||
- Drop freeipa-server-selinux subpackage
|
||||
- Drop redundant directory /var/cache/ipa/sessions
|
||||
- Do not create /var/lib/ipa/pki-ca/publish, retain reference as ghost
|
||||
- Run ipa-upgradeconfig and server restart in posttrans to avoid inconsistency
|
||||
issues when there are still old parts of software (like entitlements plugin)
|
||||
|
||||
* Fri Jun 7 2013 Martin Kosek <mkosek@redhat.com> - 3.2.1-1
|
||||
- Update to upstream 3.2.1
|
||||
|
||||
* Tue May 14 2013 Rob Crittenden <rcritten@redhat.com> - 3.2.0-2
|
||||
- Add OTP patches
|
||||
- Add patch to set KRB5CCNAME for 389-ds-base
|
||||
@ -948,6 +883,17 @@ fi
|
||||
- Update Requires on policycoreutils to 2.1.14-37
|
||||
- Update Requires on selinux-policy to 3.12.1-42
|
||||
- Update Requires on 389-ds-base to 1.3.1.0
|
||||
- Remove a Requires for java-atk-wrapper
|
||||
|
||||
* Tue Apr 23 2013 Rob Crittenden <rcritten@redhat.com> - 3.2.0-0.4.beta1
|
||||
- Remove release from krb5-server in strict sub-package to allow for rebuilds.
|
||||
|
||||
* Mon Apr 22 2013 Rob Crittenden <rcritten@redhat.com> - 3.2.0-0.3.beta1
|
||||
- Add a Requires for java-atk-wrapper until we can determine which package
|
||||
should be pulling it in, dogtag or tomcat.
|
||||
|
||||
* Tue Apr 16 2013 Rob Crittenden <rcritten@redhat.com> - 3.2.0-0.2.beta1
|
||||
- Update to upstream 3.2.0 Beta 1
|
||||
|
||||
* Tue Apr 2 2013 Martin Kosek <mkosek@redhat.com> - 3.2.0-0.1.pre1
|
||||
- Update to upstream 3.2.0 Prerelease 1
|
||||
|
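Review bot: The 3.2.2-1 changelog entry does not record that Patch1–Patch6 (the OTP series: ipaUserAuthType schema, OTP schema and ACLs, ipa-kdb OTP support, ipa-otpd, pwd-extop OTP) are dropped together with `%{_libexecdir}/ipa-otpd` in `%files server`, while every other removal in this commit (server-selinux subpackage, the sessions directory, the publish directory) is listed. Whether the series was merged into upstream 3.2.2 or the feature is being withdrawn cannot be told from the spec, and it matters for deployments: the removed ipa-kdb patch is what made the KDC withhold a principal's long-term keys and set the `otp` user string when `ipaUserAuthType` selects otp or radius, so if that code is simply gone, any 3.2.0-2 install that enabled OTP on users presumably reverts to password-only Kerberos authentication after this update without any notice. Add a bullet such as `- Drop OTP patches (Patch1-6) and ipa-otpd: <merged upstream in 3.2.2 | feature withdrawn>` with the applicable reason filled in, and if the feature is withdrawn, say so where administrators will see it.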