Import rpm: a249616514dc5d61acb879b22759acf8a0fb5963

This commit is contained in:
James Antill 2023-02-23 12:41:36 -05:00
parent fe3a12eb3a
commit a3a1bed87f
8 changed files with 435 additions and 29 deletions

2
.gitignore vendored
View File

@ -1 +1 @@
SOURCES/freeipa-4.9.8.tar.gz SOURCES/freeipa-4.9.11.tar.gz

View File

@ -0,0 +1,41 @@
From 651e28c1fb6b86ad1fbd4ea98644e00b7042499c Mon Sep 17 00:00:00 2001
From: Alexander Bokovoy <abokovoy@redhat.com>
Date: Dec 02 2022 12:21:22 +0000
Subject: updates: fix memberManager ACI to allow managers from a specified group
The original implementation of the member manager added support for both
user and group managers but left out upgrade scenario. This means when
upgrading existing installation a manager whose rights defined by the
group membership would not be able to add group members until the ACI is
fixed.
Remove old ACI and add a full one during upgrade step.
Fixes: https://pagure.io/freeipa/issue/9286
Signed-off-by: Alexander Bokovoy <abokovoy@redhat.com>
Reviewed-By: Florence Blanc-Renaud <flo@redhat.com>
---
diff --git a/install/updates/20-aci.update b/install/updates/20-aci.update
index a168bb9..4a7ba13 100644
--- a/install/updates/20-aci.update
+++ b/install/updates/20-aci.update
@@ -141,11 +141,13 @@ add:aci:(targetattr = "usercertificate")(version 3.0;acl "selfservice:Users can
# Allow member managers to modify members of user groups
dn: cn=groups,cn=accounts,$SUFFIX
-add:aci: (targetattr = "member")(targetfilter = "(objectclass=ipaUserGroup)")(version 3.0; acl "Allow member managers to modify members of user groups"; allow (write) userattr = "memberManager#USERDN";)
+remove:aci: (targetattr = "member")(targetfilter = "(objectclass=ipaUserGroup)")(version 3.0; acl "Allow member managers to modify members of user groups"; allow (write) userattr = "memberManager#USERDN";)
+add:aci: (targetattr = "member")(targetfilter = "(objectclass=ipaUserGroup)")(version 3.0; acl "Allow member managers to modify members of user groups"; allow (write) userattr = "memberManager#USERDN" or userattr = "memberManager#GROUPDN";)
# Allow member managers to modify members of host groups
dn: cn=hostgroups,cn=accounts,$SUFFIX
-add:aci: (targetattr = "member")(targetfilter = "(objectclass=ipaHostGroup)")(version 3.0; acl "Allow member managers to modify members of host groups"; allow (write) userattr = "memberManager#USERDN";)
+remove:aci: (targetattr = "member")(targetfilter = "(objectclass=ipaHostGroup)")(version 3.0; acl "Allow member managers to modify members of host groups"; allow (write) userattr = "memberManager#USERDN";)
+add:aci: (targetattr = "member")(targetfilter = "(objectclass=ipaHostGroup)")(version 3.0; acl "Allow member managers to modify members of host groups"; allow (write) userattr = "memberManager#USERDN" or userattr = "memberManager#GROUPDN";)
# Hosts can add and delete their own services
dn: cn=services,cn=accounts,$SUFFIX

View File

@ -0,0 +1,69 @@
From 0d44e959e5bbe822b51137a8e7cf48fa25533805 Mon Sep 17 00:00:00 2001
From: Rafael Guterres Jeffman <rjeffman@redhat.com>
Date: Fri, 10 Dec 2021 12:15:36 -0300
Subject: [PATCH] Revert "freeipa.spec: depend on bind-dnssec-utils"
This reverts commit f89d59b6e18b54967682f6a37ce92ae67ab3fcda.
---
freeipa.spec.in | 4 +---
ipaplatform/base/paths.py | 2 +-
ipaplatform/fedora/paths.py | 1 +
ipaserver/dnssec/bindmgr.py | 1 -
4 files changed, 3 insertions(+), 5 deletions(-)
diff --git a/freeipa.spec.in b/freeipa.spec.in
index 8f5c370e5..e20edb7bc 100755
--- a/freeipa.spec.in
+++ b/freeipa.spec.in
@@ -576,11 +576,9 @@ Requires: %{name}-server = %{version}-%{release}
Requires: bind-dyndb-ldap >= 11.2-2
Requires: bind >= %{bind_version}
Requires: bind-utils >= %{bind_version}
-# bind-dnssec-utils is required by the OpenDNSSec integration
-# https://pagure.io/freeipa/issue/9026
-Requires: bind-dnssec-utils >= %{bind_version}
%if %{with bind_pkcs11}
Requires: bind-pkcs11 >= %{bind_version}
+Requires: bind-pkcs11-utils >= %{bind_version}
%else
Requires: softhsm >= %{softhsm_version}
Requires: openssl-pkcs11 >= %{openssl_pkcs11_version}
diff --git a/ipaplatform/base/paths.py b/ipaplatform/base/paths.py
index 7d21367ec..42a47f1df 100644
--- a/ipaplatform/base/paths.py
+++ b/ipaplatform/base/paths.py
@@ -259,7 +259,6 @@ class BasePathNamespace:
IPA_PKI_RETRIEVE_KEY = "/usr/libexec/ipa/ipa-pki-retrieve-key"
IPA_HTTPD_PASSWD_READER = "/usr/libexec/ipa/ipa-httpd-pwdreader"
IPA_PKI_WAIT_RUNNING = "/usr/libexec/ipa/ipa-pki-wait-running"
- DNSSEC_KEYFROMLABEL = "/usr/sbin/dnssec-keyfromlabel"
+ DNSSEC_KEYFROMLABEL = "/usr/sbin/dnssec-keyfromlabel-pkcs11"
- DNSSEC_KEYFROMLABEL_9_17 = "/usr/bin/dnssec-keyfromlabel"
GETSEBOOL = "/usr/sbin/getsebool"
GROUPADD = "/usr/sbin/groupadd"
diff --git a/ipaplatform/fedora/paths.py b/ipaplatform/fedora/paths.py
index 4e993c063..92a948966 100644
--- a/ipaplatform/fedora/paths.py
+++ b/ipaplatform/fedora/paths.py
@@ -36,6 +36,7 @@ class FedoraPathNamespace(RedHatPathNamespace):
NAMED_CRYPTO_POLICY_FILE = "/etc/crypto-policies/back-ends/bind.config"
if HAS_NFS_CONF:
SYSCONFIG_NFS = '/etc/nfs.conf'
+ DNSSEC_KEYFROMLABEL = "/usr/sbin/dnssec-keyfromlabel"
paths = FedoraPathNamespace()
diff --git a/ipaserver/dnssec/bindmgr.py b/ipaserver/dnssec/bindmgr.py
index 0c79cc03d..a15c0e601 100644
--- a/ipaserver/dnssec/bindmgr.py
+++ b/ipaserver/dnssec/bindmgr.py
@@ -127,7 +127,6 @@ class BINDMgr:
)
cmd = [
paths.DNSSEC_KEYFROMLABEL,
- '-E', 'pkcs11',
'-K', workdir,
'-a', attrs['idnsSecAlgorithm'][0],
'-l', uri
--
2.31.1

View File

@ -0,0 +1,60 @@
From 7807bcc55b4927fc327830d2237200772d2e1106 Mon Sep 17 00:00:00 2001
From: Rafael Guterres Jeffman <rjeffman@redhat.com>
Date: Fri, 17 Jun 2022 15:40:04 -0300
Subject: [PATCH] webui IdP: Remove arrow notation due to uglify-js limitation.
uglify-js 2.x series do not support ECMAScript 6 arrow notation ('=>')
for callback definition.
This patch changes the arrow definition callbacks for regular anonymous
function definitions.
---
install/ui/src/freeipa/idp.js | 10 +++++-----
1 file changed, 5 insertions(+), 5 deletions(-)
diff --git a/install/ui/src/freeipa/idp.js b/install/ui/src/freeipa/idp.js
index ada09c075..be3c4f0e6 100644
--- a/install/ui/src/freeipa/idp.js
+++ b/install/ui/src/freeipa/idp.js
@@ -227,7 +227,7 @@ IPA.add_idp_policy = function() {
// For custom template we show custom fields
// and mark all of them required and passed to the RPC
// If show_custom is false, the opposite happens
- custom_fields.forEach(fname => {
+ custom_fields.forEach(function(fname) {
widget_f = that.container.fields.get_field(fname);
widget_f.set_required(show_custom);
widget_f.set_enabled(show_custom);
@@ -235,7 +235,7 @@ IPA.add_idp_policy = function() {
});
// For template fields we show them if custom aren't shown
- template_fields.forEach(fname => {
+ template_fields.forEach(function(fname) {
widget_f = that.container.fields.get_field(fname);
widget_f.set_enabled(!show_custom);
widget_f.widget.set_visible(!show_custom);
@@ -252,7 +252,7 @@ IPA.add_idp_policy = function() {
var value = prov_f.get_value()[0];
// First, clear template fields from the previous provider choice
- template_fields.forEach(fname => {
+ template_fields.forEach(function(fname) {
widget_f = that.container.fields.get_field(fname);
widget_f.widget.set_visible(false);
widget_f.set_required(false);
@@ -260,9 +260,9 @@ IPA.add_idp_policy = function() {
});
// Second, enable and get required template-specific fields
- idp.templates.forEach(idp_v => {
+ idp.templates.forEach(function(idp_v) {
if (idp_v['value'] == value) {
- idp_v['fields'].forEach(fname => {
+ idp_v['fields'].forEach(function(fname) {
widget_f = that.container.fields.get_field(fname);
widget_f.set_required(true);
widget_f.set_enabled(true);
--
2.36.1

View File

@ -0,0 +1,114 @@
From 9a33838407f244e481523fe643bc0626874e8b1a Mon Sep 17 00:00:00 2001
From: Rafael Guterres Jeffman <rjeffman@redhat.com>
Date: Mon, 19 Dec 2022 14:57:03 -0300
Subject: [PATCH] Revert "DNSResolver: Fix use of nameservers with ports"
This reverts commit 5e2e4664aec641886923c2bec61ce25b96edb62a.
---
ipapython/dnsutil.py | 41 -------------------------
ipatests/test_ipapython/test_dnsutil.py | 40 ------------------------
2 files changed, 81 deletions(-)
diff --git a/ipapython/dnsutil.py b/ipapython/dnsutil.py
index 58de365ab..4baeaf8cc 100644
--- a/ipapython/dnsutil.py
+++ b/ipapython/dnsutil.py
@@ -144,47 +144,6 @@ class DNSResolver(dns.resolver.Resolver):
nameservers.remove(ipv4_loopback)
self.nameservers = nameservers
- @dns.resolver.Resolver.nameservers.setter
- def nameservers(self, nameservers):
- """
- *nameservers*, a ``list`` of nameservers with optional ports:
- "SERVER_IP port PORT_NUMBER".
-
- Overloads dns.resolver.Resolver.nameservers setter to split off ports
- into nameserver_ports after setting nameservers successfully with the
- setter in dns.resolver.Resolver.
- """
- # Get nameserver_ports if it is already set
- if hasattr(self, "nameserver_ports"):
- nameserver_ports = self.nameserver_ports
- else:
- nameserver_ports = {}
-
- # Check nameserver items in list and split out converted port number
- # into nameserver_ports: { nameserver: port }
- if isinstance(nameservers, list):
- _nameservers = []
- for nameserver in nameservers:
- splits = nameserver.split()
- if len(splits) == 3 and splits[1] == "port":
- nameserver = splits[0]
- try:
- port = int(splits[2])
- if port < 0 or port > 65535:
- raise ValueError()
- except ValueError:
- raise ValueError(
- "invalid nameserver: %s is not a valid port" %
- splits[2])
- nameserver_ports[nameserver] = port
- _nameservers.append(nameserver)
- nameservers = _nameservers
-
- # Call dns.resolver.Resolver.nameservers setter
- dns.resolver.Resolver.nameservers.__set__(self, nameservers)
- # Set nameserver_ports after successfull call to setter
- self.nameserver_ports = nameserver_ports
-
class DNSZoneAlreadyExists(dns.exception.DNSException):
supp_kwargs = {'zone', 'ns'}
diff --git a/ipatests/test_ipapython/test_dnsutil.py b/ipatests/test_ipapython/test_dnsutil.py
index 09463c69d..5e7a46197 100644
--- a/ipatests/test_ipapython/test_dnsutil.py
+++ b/ipatests/test_ipapython/test_dnsutil.py
@@ -101,43 +101,3 @@ class TestSortURI:
assert dnsutil.sort_prio_weight([h3, h2, h1]) == [h1, h2, h3]
assert dnsutil.sort_prio_weight([h3, h3, h3]) == [h3]
assert dnsutil.sort_prio_weight([h2, h2, h1, h1]) == [h1, h2]
-
-
-class TestDNSResolver:
- def test_nameservers(self):
- res = dnsutil.DNSResolver()
- res.nameservers = ["4.4.4.4", "8.8.8.8"]
- assert res.nameservers == ["4.4.4.4", "8.8.8.8"]
-
- def test_nameservers_with_ports(self):
- res = dnsutil.DNSResolver()
- res.nameservers = ["4.4.4.4 port 53", "8.8.8.8 port 8053"]
- assert res.nameservers == ["4.4.4.4", "8.8.8.8"]
- assert res.nameserver_ports == {"4.4.4.4": 53, "8.8.8.8": 8053}
-
- res.nameservers = ["4.4.4.4 port 53", "8.8.8.8 port 8053"]
- assert res.nameservers == ["4.4.4.4", "8.8.8.8"]
- assert res.nameserver_ports == {"4.4.4.4": 53, "8.8.8.8": 8053}
-
- def test_nameservers_with_bad_ports(self):
- res = dnsutil.DNSResolver()
- try:
- res.nameservers = ["4.4.4.4 port a"]
- except ValueError:
- pass
- else:
- pytest.fail("No fail on bad port a")
-
- try:
- res.nameservers = ["4.4.4.4 port -1"]
- except ValueError:
- pass
- else:
- pytest.fail("No fail on bad port -1")
-
- try:
- res.nameservers = ["4.4.4.4 port 65536"]
- except ValueError:
- pass
- else:
- pytest.fail("No fail on bad port 65536")
--
2.38.1

16
freeipa-4.9.11.tar.gz.asc Normal file
View File

@ -0,0 +1,16 @@
-----BEGIN PGP SIGNATURE-----
iQIzBAABCAAdFiEE11Z2TU1+KXxtrRFyaYdvcqbi008FAmOA8kcACgkQaYdvcqbi
00887g/9GTvueJCypiuTqxKsbkTbWamOyH3W+AqtHw9Ff+wM/hnkSloGizhQ4EZZ
4Zs1e6bfM1pGXT7DXU9WbiYtcVtUhY5l9SnT9moCMaG1z4aB7z9UCxsqsSCuy3bG
KQq6AO2z4DaqHiz6ez3QXi+MUCNnPziWmS3bLdDCrTK0PNxqiMPIotlXMgVFgDL7
go/TAUvUL27zH4ELvG4parSGEKVEqe//RzXklOwGrInyj/4u42x7lUdO2ugOolCI
wNod8v+NWQWVgxNyhfTjP5VBZzO9wkGx4xruF2cAjVdjnIUGcG0FR3hI/bpi7Lyv
EmIozbQMK92MLel63E7Z/d5Jxfmuw/n1t5NrgSth+9hhWnBEpiaKkD2zAmUATqHf
+y4mbrtajmjzewEnfUnQfCvSLDPyTpnQKkRY8hUvk7u/J+/ZFWMQl9RdGNw3M0Zr
WrsqkKLK/n5IOHYHb/lBRaUidssKjQYFIvyNfHDP/lu6iiyLOpi5MIdk9BakO5wc
oDMk3w9xY7tPPmoesW40BThnAdOR9U4aad8zVvOxhMfzAYRwu95HGQoHnk7/rNut
IfzMZVjVTLQ8gyApcBlWzu/buiOoEXTKaMyzs0S9RMptknj5Xf0CGRz3bVrZRfJd
umyhD6/rNk3eZW/yEIv3IqFev0h1txTBPSTlczYUIz6uc7nx82E=
=8YVm
-----END PGP SIGNATURE-----

160
ipa.spec
View File

@ -68,8 +68,7 @@
%global krb5_kdb_version 8.0 %global krb5_kdb_version 8.0
# 0.7.16: https://github.com/drkjam/netaddr/issues/71 # 0.7.16: https://github.com/drkjam/netaddr/issues/71
%global python_netaddr_version 0.7.19 %global python_netaddr_version 0.7.19
# Require 4.14.5-13 which brings CVE-2020-25717 fixes %global samba_version 4.17.2-1
%global samba_version 4.14.5-13
%global selinux_policy_version 3.14.3-52 %global selinux_policy_version 3.14.3-52
%global slapi_nis_version 0.56.4 %global slapi_nis_version 0.56.4
%global python_ldap_version 3.1.0-1 %global python_ldap_version 3.1.0-1
@ -93,8 +92,7 @@
# 0.7.16: https://github.com/drkjam/netaddr/issues/71 # 0.7.16: https://github.com/drkjam/netaddr/issues/71
%global python_netaddr_version 0.7.16 %global python_netaddr_version 0.7.16
# Require 4.14.6 which brings CVE-2020-25717 fixes %global samba_version 2:4.17.2
%global samba_version 2:4.14.6
# 3.14.5-45 or later includes a number of interfaces fixes for IPA interface # 3.14.5-45 or later includes a number of interfaces fixes for IPA interface
%global selinux_policy_version 3.14.5-45 %global selinux_policy_version 3.14.5-45
@ -146,8 +144,8 @@
# RHEL 8.2+, F32+ has 3.58 # RHEL 8.2+, F32+ has 3.58
%global nss_version 3.44.0-4 %global nss_version 3.44.0-4
# RHEL 8.3+, F32+ # RHEL 8.7+, F35+, adds IdP integration
%global sssd_version 2.4.0 %global sssd_version 2.7.0
%define krb5_base_version %(LC_ALL=C /usr/bin/pkgconf --modversion krb5 | grep -Eo '^[^.]+\.[^.]+' || echo %krb5_version) %define krb5_base_version %(LC_ALL=C /usr/bin/pkgconf --modversion krb5 | grep -Eo '^[^.]+\.[^.]+' || echo %krb5_version)
%global kdcproxy_version 0.4-3 %global kdcproxy_version 0.4-3
@ -178,7 +176,7 @@
# Work-around fact that RPM SPEC parser does not accept # Work-around fact that RPM SPEC parser does not accept
# "Version: @VERSION@" in freeipa.spec.in used for Autoconf string replacement # "Version: @VERSION@" in freeipa.spec.in used for Autoconf string replacement
%define IPA_VERSION 4.9.8 %define IPA_VERSION 4.9.11
# Release candidate version -- uncomment with one percent for RC versions # Release candidate version -- uncomment with one percent for RC versions
#%%global rc_version %%nil #%%global rc_version %%nil
%define AT_SIGN @ %define AT_SIGN @
@ -191,7 +189,7 @@
Name: %{package_name} Name: %{package_name}
Version: %{IPA_VERSION} Version: %{IPA_VERSION}
Release: 7%{?rc_version:.%rc_version}%{?dist} Release: 3%{?rc_version:.%rc_version}%{?dist}
Summary: The Identity, Policy and Audit system Summary: The Identity, Policy and Audit system
License: GPLv3+ License: GPLv3+
@ -211,24 +209,19 @@ Source1: https://releases.pagure.org/freeipa/freeipa-%{version}%{?rc_vers
# RHEL spec file only: START # RHEL spec file only: START
%if %{NON_DEVELOPER_BUILD} %if %{NON_DEVELOPER_BUILD}
%if 0%{?rhel} >= 8 %if 0%{?rhel} >= 8
Patch0001: 0001-Revert-freeipa.spec-depend-on-bind-dnssec-utils.patch Patch0001: 0001-updates-fix-memberManager-ACI-to-allow-managers-from-a-specified-group_rhbz#2056009.patch
Patch0002: 0002-Config-plugin-return-EmptyModlist-when-no-change-is-applied_rhbz#2031825.patch
Patch0003: 0003-Custodia-use-a-stronger-encryption-algo-when-exporting-keys_rhbz#2032806.patch
Patch0004: 0004-ipa-kdb-do-not-remove-keys-for-hardened-auth-enabled-users_rhbz#2033342.patch
Patch0005: 0005-ipa-pki-proxy.conf-provide-access-to-kra-admin-kra-getStatus_rhbz#2049167.patch
Patch0006: 0006-Backport-latest-test-fxes-in-python3-ipatests_rhbz#2048509.patch
Patch0007: 0007-Don-t-always-override-the-port-in-import_included_profiles_rhbz#2022483.patch
Patch0008: 0008-Remove-ipa-join-errors-from-behind-the-debug-option_rhbz#2048558.patch
Patch0009: 0009-Enable-the-ccache-sweep-timer-during-installation_rhbz#2051575.patch
Patch0010: 0010-ipatests-remove-additional-check-for-failed-units_rhbz#2053024.patch
Patch0011: 0011-ipa_cldap-fix-memory-leak_rhbz#2032738.patch
Patch0012: 0012-ipatests-fix-TestOTPToken-test_check_otpd_after_idle_timeout_rhbz#2053024.patch
Patch0013: 0013-Backport_test_fixes_in_python3_ipatests_rhbz#2057505.patch
Patch1001: 1001-Change-branding-to-IPA-and-Identity-Management.patch Patch1001: 1001-Change-branding-to-IPA-and-Identity-Management.patch
Patch1002: 1002-Revert-freeipa.spec-depend-on-bind-dnssec-utils.patch
Patch1003: 1003-webui-IdP-Remove-arrow-notation-due-to-uglify-js-lim.patch
# Due to behavior changes in python3-dns 2.2.0, IPA overrides the setting of the
# nameserver property inherited from dns.resolver.Resolver class to allow the
# setting of nameservers with custom ports. The method used is only needed, and
# only works, on version 2.2.0, or later, of python3-dns. For RHEL 8, which uses
# series 1.xx, the method override is not needed to provide the same behavior.
Patch1004: 1004-Revert-DNSResolver-Fix-use-of-nameservers-with-ports.patch
%endif %endif
%endif %endif
# RHEL spec file only: END # RHEL spec file only: END
Patch1101: 1101-Harden-FreeIPA-KDC-processing-of-PAC-buffers-20211130.patch
# For the timestamp trick in patch application # For the timestamp trick in patch application
BuildRequires: diffstat BuildRequires: diffstat
@ -298,6 +291,7 @@ BuildRequires: cracklib-dicts
# Build dependencies for makeapi/makeaci # Build dependencies for makeapi/makeaci
# #
BuildRequires: python3-cffi BuildRequires: python3-cffi
# RHEL 8 packages will not work with python3-dns 2.2.0 or newer.
BuildRequires: python3-dns BuildRequires: python3-dns
BuildRequires: python3-ldap >= %{python_ldap_version} BuildRequires: python3-ldap >= %{python_ldap_version}
BuildRequires: python3-libsss_nss_idmap BuildRequires: python3-libsss_nss_idmap
@ -325,7 +319,9 @@ BuildRequires: python3-wheel
%if %{with doc} %if %{with doc}
BuildRequires: python3-sphinx BuildRequires: python3-sphinx
BuildRequires: python3-m2r BuildRequires: plantum1
BuildRequires: fontconfig
BuildRequires: google-noto-sans-vf-fonts
%endif %endif
# #
@ -348,6 +344,7 @@ BuildRequires: python3-cryptography >= 1.6
BuildRequires: python3-custodia >= 0.3.1 BuildRequires: python3-custodia >= 0.3.1
BuildRequires: python3-dateutil BuildRequires: python3-dateutil
BuildRequires: python3-dbus BuildRequires: python3-dbus
# RHEL 8 packages will not work with python3-dns 2.2.0 or newer.
BuildRequires: python3-dns >= 1.15 BuildRequires: python3-dns >= 1.15
BuildRequires: python3-docker BuildRequires: python3-docker
BuildRequires: python3-gssapi >= 1.2.0 BuildRequires: python3-gssapi >= 1.2.0
@ -422,7 +419,6 @@ Requires: nss-tools >= %{nss_version}
Requires(post): krb5-server >= %{krb5_version} Requires(post): krb5-server >= %{krb5_version}
Requires(post): krb5-server >= %{krb5_base_version} Requires(post): krb5-server >= %{krb5_base_version}
Requires: krb5-kdb-version = %{krb5_kdb_version} Requires: krb5-kdb-version = %{krb5_kdb_version}
Requires: krb5-pkinit-openssl >= %{krb5_version}
Requires: cyrus-sasl-gssapi%{?_isa} Requires: cyrus-sasl-gssapi%{?_isa}
Requires: chrony Requires: chrony
Requires: httpd >= %{httpd_version} Requires: httpd >= %{httpd_version}
@ -474,6 +470,8 @@ Requires: libpwquality
Requires: cracklib-dicts Requires: cracklib-dicts
# NDR libraries are internal in Samba and change with version without changing SONAME # NDR libraries are internal in Samba and change with version without changing SONAME
Requires: samba-client-libs >= %{samba_version} Requires: samba-client-libs >= %{samba_version}
# Due to RHBZ#2100916, libvert-libev is required by ipa-otp.
Requires: libverto-libev >= 0.3.2-1
Provides: %{alt_name}-server = %{version} Provides: %{alt_name}-server = %{version}
Conflicts: %{alt_name}-server Conflicts: %{alt_name}-server
@ -518,6 +516,7 @@ Requires: python3-augeas
Requires: augeas-libs >= %{augeas_version} Requires: augeas-libs >= %{augeas_version}
Requires: python3-custodia >= 0.3.1 Requires: python3-custodia >= 0.3.1
Requires: python3-dbus Requires: python3-dbus
# RHEL 8 packages will not work with python3-dns 2.2.0 or newer.
Requires: python3-dns >= 1.15 Requires: python3-dns >= 1.15
Requires: python3-gssapi >= 1.2.0 Requires: python3-gssapi >= 1.2.0
Requires: python3-ipaclient = %{version}-%{release} Requires: python3-ipaclient = %{version}-%{release}
@ -648,7 +647,14 @@ Requires: python3-sssdconfig >= %{sssd_version}
Requires: cyrus-sasl-gssapi%{?_isa} Requires: cyrus-sasl-gssapi%{?_isa}
Requires: chrony Requires: chrony
Requires: krb5-workstation >= %{krb5_version} Requires: krb5-workstation >= %{krb5_version}
Requires: authselect >= 0.4-2 # Support pkinit with client install
Requires: krb5-pkinit-openssl >= %{krb5_version}
# authselect: sssd profile with-subid
%if 0%{?fedora} >= 36
Requires: authselect >= 1.4.0
%else
Requires: authselect >= 1.2.5
%endif
Requires: curl Requires: curl
# NIS domain name config: /usr/lib/systemd/system/*-domainname.service # NIS domain name config: /usr/lib/systemd/system/*-domainname.service
# All Fedora 28+ and RHEL8+ contain the service in hostname package # All Fedora 28+ and RHEL8+ contain the service in hostname package
@ -660,6 +666,7 @@ Requires: xmlrpc-c >= 1.27.4
Requires: jansson Requires: jansson
%endif %endif
Requires: sssd-ipa >= %{sssd_version} Requires: sssd-ipa >= %{sssd_version}
Requires: sssd-idp >= %{sssd_version}
Requires: certmonger >= %{certmonger_version} Requires: certmonger >= %{certmonger_version}
Requires: nss-tools >= %{nss_version} Requires: nss-tools >= %{nss_version}
Requires: bind-utils Requires: bind-utils
@ -741,6 +748,7 @@ Requires: %{name}-common = %{version}-%{release}
Requires: python3-ipalib = %{version}-%{release} Requires: python3-ipalib = %{version}-%{release}
Requires: python3-augeas Requires: python3-augeas
Requires: augeas-libs >= %{augeas_version} Requires: augeas-libs >= %{augeas_version}
# RHEL 8 packages will not work with python3-dns 2.2.0 or newer.
Requires: python3-dns >= 1.15 Requires: python3-dns >= 1.15
Requires: python3-jinja2 Requires: python3-jinja2
@ -821,6 +829,7 @@ Requires: python3-cffi
Requires: python3-cryptography >= 1.6 Requires: python3-cryptography >= 1.6
Requires: python3-dateutil Requires: python3-dateutil
Requires: python3-dbus Requires: python3-dbus
# RHEL 8 packages will not work with python3-dns 2.2.0 or newer.
Requires: python3-dns >= 1.15 Requires: python3-dns >= 1.15
Requires: python3-gssapi >= 1.2.0 Requires: python3-gssapi >= 1.2.0
Requires: python3-jwcrypto >= 0.4.2 Requires: python3-jwcrypto >= 0.4.2
@ -1051,6 +1060,7 @@ rm %{buildroot}/%{plugin_dir}/libipa_extdom_extop.la
rm %{buildroot}/%{plugin_dir}/libipa_range_check.la rm %{buildroot}/%{plugin_dir}/libipa_range_check.la
rm %{buildroot}/%{plugin_dir}/libipa_otp_counter.la rm %{buildroot}/%{plugin_dir}/libipa_otp_counter.la
rm %{buildroot}/%{plugin_dir}/libipa_otp_lasttoken.la rm %{buildroot}/%{plugin_dir}/libipa_otp_lasttoken.la
rm %{buildroot}/%{plugin_dir}/libipa_graceperiod.la
rm %{buildroot}/%{plugin_dir}/libtopology.la rm %{buildroot}/%{plugin_dir}/libtopology.la
rm %{buildroot}/%{_libdir}/krb5/plugins/kdb/ipadb.la rm %{buildroot}/%{_libdir}/krb5/plugins/kdb/ipadb.la
rm %{buildroot}/%{_libdir}/samba/pdb/ipasam.la rm %{buildroot}/%{_libdir}/samba/pdb/ipasam.la
@ -1234,6 +1244,7 @@ if [ $1 -gt 1 ] ; then
%{__python3} -c 'from ipaclient.install.client import configure_krb5_snippet; configure_krb5_snippet()' >>/var/log/ipaupgrade.log 2>&1 %{__python3} -c 'from ipaclient.install.client import configure_krb5_snippet; configure_krb5_snippet()' >>/var/log/ipaupgrade.log 2>&1
%{__python3} -c 'from ipaclient.install.client import update_ipa_nssdb; update_ipa_nssdb()' >>/var/log/ipaupgrade.log 2>&1 %{__python3} -c 'from ipaclient.install.client import update_ipa_nssdb; update_ipa_nssdb()' >>/var/log/ipaupgrade.log 2>&1
chmod 0600 /var/log/ipaupgrade.log
SSH_CLIENT_SYSTEM_CONF="/etc/ssh/ssh_config" SSH_CLIENT_SYSTEM_CONF="/etc/ssh/ssh_config"
if [ -f "$SSH_CLIENT_SYSTEM_CONF" ]; then if [ -f "$SSH_CLIENT_SYSTEM_CONF" ]; then
sed -E --in-place=.orig 's/^(HostKeyAlgorithms ssh-rsa,ssh-dss)$/# disabled by ipa-client update\n# \1/' "$SSH_CLIENT_SYSTEM_CONF" sed -E --in-place=.orig 's/^(HostKeyAlgorithms ssh-rsa,ssh-dss)$/# disabled by ipa-client update\n# \1/' "$SSH_CLIENT_SYSTEM_CONF"
@ -1409,6 +1420,7 @@ fi
%attr(755,root,root) %{plugin_dir}/libipa_sidgen.so %attr(755,root,root) %{plugin_dir}/libipa_sidgen.so
%attr(755,root,root) %{plugin_dir}/libipa_sidgen_task.so %attr(755,root,root) %{plugin_dir}/libipa_sidgen_task.so
%attr(755,root,root) %{plugin_dir}/libipa_extdom_extop.so %attr(755,root,root) %{plugin_dir}/libipa_extdom_extop.so
%attr(755,root,root) %{plugin_dir}/libipa_graceperiod.so
%attr(755,root,root) %{_libdir}/krb5/plugins/kdb/ipadb.so %attr(755,root,root) %{_libdir}/krb5/plugins/kdb/ipadb.so
%{_mandir}/man1/ipa-replica-conncheck.1* %{_mandir}/man1/ipa-replica-conncheck.1*
%{_mandir}/man1/ipa-replica-install.1* %{_mandir}/man1/ipa-replica-install.1*
@ -1708,12 +1720,106 @@ fi
%if %{with selinux} %if %{with selinux}
%files selinux %files selinux
%{_datadir}/selinux/packages/%{selinuxtype}/%{modulename}.pp.* %{_datadir}/selinux/packages/%{selinuxtype}/%{modulename}.pp.*
%ghost %{_sharedstatedir}/selinux/%{selinuxtype}/active/modules/200/%{modulename} %ghost %verify(not md5 size mode mtime) %{_sharedstatedir}/selinux/%{selinuxtype}/active/modules/200/%{modulename}
# with selinux # with selinux
%endif %endif
%changelog %changelog
* Mon Dec 19 2022 Rafael Jeffman <rjeffman@redhat.com> - 4.9.11-3
- Revert DNSResolver Fix use of nameservers with ports.
Related: RHBZ#2141316
* Fri Dec 16 2022 Rafael Jeffman <rjeffman@redhat.com> - 4.9.11-2
- webui IdP: Remove arrow notation due to uglify-js limitation
Related: RHBZ#2141316
* Wed Dec 14 2022 Rafael Jeffman <rjeffman@redhat.com> - 4.9.11-1
- Rebase ipa to 4.9.11
Resolves: RHBZ#2141316
- updates: fix memberManager ACI to allow managers from a specified group
Resolves: RHBZ#2056009
- Defer creating the final krb5.conf on clients
Resolves: RHBZ#2148259
- Exclude installed policy module file from RPM verification
Resolves: RHBZ#2149567
- Spec file: ipa-client depends on krb5-pkinit-openssl
Resolves: RHBZ#2149889
* Thu Nov 24 2022 Rafael Jeffman <rjeffman@redhat.com> - 4.9.10-8
- ipa man page format the EXAMPLES section
Resolves: RHBZ#2129895
- Fix canonicalization issue in Web UI
Resolves: RHBZ#2127035
- Remove idnssoaserial argument from dns zone API.
Resolves: RHBZ#2108630
- Warn for permissions with read/write/search/compare and no attrs
Resolves: RHBZ#2098187
- Add PKINIT support to ipa-client-install
Resolves: RHBZ#2075452
- Generate CNAMEs for TXT+URI location krb records
Resolves: RHBZ#2104185
- Vault: fix interoperability issues with older RHEL systems
Resolves: RHBZ#2144737
- Fix typo on ipaupgrade.log chmod during RPM %post snipppet
Resolves: RHBZ#2140994
* Tue Nov 1 2022 Rafael Jeffman <rjeffman@redhat.com> - 4.9.10-7
- Rebuild to samba 4.17.2.
Related: RHBZ#2132051
* Mon Aug 22 2022 Rafael Jeffman <rjeffman@redhat.com> - 4.9.10-6
- webui: Allow grace login limit
Resolves: RHBZ#2109243
- check_repl_update: in progress is a boolean
Resolves: RHBZ#2117303
- Disabling gracelimit does not prevent LDAP binds
Resolves: RHBZ#2109236
- Set passwordgracelimit to match global policy on group pw policies
Resolves: RHBZ#2115475
* Tue Jul 19 2022 Rafael Jeffman <rjeffman@redhat.com> - 4.9.10-5
- webui: Do not allow empty pagination size
Resolves: RHBZ#2094672
* Tue Jul 12 2022 Rafael Jeffman <rjeffman@redhat.com> - 4.9.10-4
- Add end to end integration tests for external IdP
Resolves: RHBZ#2106346
* Thu Jul 07 2022 Rafael Jeffman <rjeffman@redhat.com> - 4.9.10-3
- Add explicit dependency for libvert-libev
Resolves: RHBZ#2104929
* Fri Jul 01 2022 Rafael Jeffman <rjeffman@redhat.com> - 4.9.10-2
- Preserve user: fix the confusing summary
Resolves: RHBZ#2022028
- Only calculate LDAP password grace when the password is expired
Related: RHBZ#782917
* Wed Jun 15 2022 Rafael Jeffman <rjeffman@redhat.com> - 4.9.10-1
- Rebase to upstream release 4.9.10
Remove upstream patches 0002 to 0016 that are part of version 4.9.10
Remove patches 1101 that is part of version 4.9.10
Rename patch 0001 to 1002 as it will be used in future RHEL 8 releases
Add patches 0001 and 0002 to fix build on RHEL 8.7
Resolves: RHBZ#2079466
Resolves: RHBZ#2063155
Resolves: RHBZ#1958777
Resolves: RHBZ#2068088
Resolves: RHBZ#2004646
Resolves: RHBZ#782917
Resolves: RHBZ#2059396
Resolves: RHBZ#2092015
* Tue Apr 5 2022 Rafael Jeffman <rjeffman@redhat.com> - 4.9.8-8
- Backport latest test fixes in python3-ipatests
Resolves: RHBZ#2060841
- extdom: user getorigby{user|group}name if available
Resolves: RHBZ#2062379
- Set the mode on ipaupgrade.log during RPM post snipppet
Resolves: RHBZ#2061957
- test_krbtpolicy: skip SPAKE-related tests in FIPS mode
Resolves: RHBZ#1909630
* Thu Feb 24 2022 Rafael Jeffman <rjeffman@redhat.com> - 4.9.8-7 * Thu Feb 24 2022 Rafael Jeffman <rjeffman@redhat.com> - 4.9.8-7
- ipatests: Backport test fixes in python3-ipatests. - ipatests: Backport test fixes in python3-ipatests.
Resolves: RHBZ#2057505 Resolves: RHBZ#2057505

View File

@ -1 +1 @@
SHA512 (freeipa-4.9.8.tar.gz) = 2fc27c5eb6f3fd0ed8cdba7668f72da3c5a84ec089159bd1dfde44b1d4abefb1280a18d559979b2167ba942facbf33e6d80fa32ee1af2b6881ecdf9162b6b32e SHA1 (freeipa-4.9.11.tar.gz) = 4ef188d43f5f2a09e214dd2bae68595a5977bb61