rpms/ipa
7
0
Fork 0
Code Issues Pull Requests Releases Activity

import ipa-4.9.2-1.module+el8.4.0+9974+f3f9be88

Browse Source
This commit is contained in:
CentOS Sources 2021-03-30 10:10:29 -04:00 committed by Stepan Oksanichenko
parent ea368e57a3
commit c1eb05875e
12 changed files with 482 additions and 6274 deletions
Show Stats Download Patch File Download Diff File Expand all files Collapse all files

2
.gitignore vendored
View File

@ -1 +1 @@
SOURCES/freeipa-4.8.7.tar.gz SOURCES/freeipa-4.9.2.tar.gz

2
.ipa.metadata
View File

@ -1 +1 @@
0099d799a77a757eeb4a95a69a38bdec24e45026 SOURCES/freeipa-4.8.7.tar.gz c7b37727ffbdebe311990f7d31ae3b8bf2d06792 SOURCES/freeipa-4.9.2.tar.gz

293
SOURCES/0001-WebUI-Fix-IPA-Error-3007-RequirmentError-while-addin_rhbz#1757045.patch
View File

@ -1,293 +0,0 @@
From c2ba333b9681d008d9c528a79dbdd76ce11a3ecd Mon Sep 17 00:00:00 2001
From: Serhii Tsymbaliuk <stsymbal@redhat.com>
Date: Thu, 28 May 2020 08:47:49 +0200
Subject: [PATCH 01/22] WebUI: Fix "IPA Error 3007: RequirmentError" while
adding idoverrideuser association
Add builder for association adder dialog which allows to override behavior of the component.
Replace default implementation with a custom one for idoverrideuser.
Replace text filter with 'ID view' select box in the idoverrideuser dialog.
Ticket: https://pagure.io/freeipa/issue/8335
Signed-off-by: Serhii Tsymbaliuk <stsymbal@redhat.com>
Reviewed-By: Alexander Bokovoy <abokovoy@redhat.com>
---
install/ui/src/freeipa/association.js | 13 ++++-
install/ui/src/freeipa/dialog.js | 73 ++++++++++++++++-----------
install/ui/src/freeipa/group.js | 14 +++++
install/ui/src/freeipa/idviews.js | 58 +++++++++++++++++++++
ipaserver/plugins/internal.py | 6 +++
5 files changed, 133 insertions(+), 31 deletions(-)
diff --git a/install/ui/src/freeipa/association.js b/install/ui/src/freeipa/association.js
index f10ccb2a5..b083a79f9 100644
--- a/install/ui/src/freeipa/association.js
+++ b/install/ui/src/freeipa/association.js
@@ -25,6 +25,7 @@
define([
'dojo/_base/lang',
'dojo/Deferred',
+ './builder',
'./metadata',
'./ipa',
'./jquery',
@@ -38,7 +39,7 @@ define([
'./facet',
'./search',
'./dialog'],
- function(lang, Deferred, metadata_provider, IPA, $, metadata,
+ function(lang, Deferred, builder, metadata_provider, IPA, $, metadata,
navigation, phases, reg, rpc, su, text) {
/**
@@ -1209,7 +1210,8 @@ exp.association_facet = IPA.association_facet = function (spec, no_init) {
var pkeys = that.data.result.result[that.get_attribute_name()];
- var dialog = IPA.association_adder_dialog({
+ var dialog = builder.build('association_adder_dialog', {
+ $type: that.other_entity.name,
title: title,
entity: that.entity,
pkey: pkey,
@@ -1675,6 +1677,13 @@ IPA.attr_read_only_evaluator = function(spec) {
return that;
};
+// Create a registry for adder dialogs where key is name of 'other entity'.
+// It allows to override dialogs for some specific cases of association
+// creation.
+var dialog_builder = builder.get('association_adder_dialog');
+dialog_builder.factory = IPA.association_adder_dialog;
+reg.set('association_adder_dialog', dialog_builder.registry);
+
phases.on('registration', function() {
var w = reg.widget;
var f = reg.field;
diff --git a/install/ui/src/freeipa/dialog.js b/install/ui/src/freeipa/dialog.js
index c153120df..d67d63b6d 100644
--- a/install/ui/src/freeipa/dialog.js
+++ b/install/ui/src/freeipa/dialog.js
@@ -919,35 +919,7 @@ IPA.adder_dialog = function(spec) {
'class': 'input-group col-md-12 adder-dialog-top'
}).appendTo(container);
- var filter_placeholder = text.get('@i18n:association.filter_placeholder');
- filter_placeholder = filter_placeholder.replace('${other_entity}',
- that.other_entity.metadata.label);
-
- that.filter_field = $('<input/>', {
- type: 'text',
- name: 'filter',
- 'class': 'form-control',
- 'placeholder': filter_placeholder,
- keyup: function(event) {
- if (event.keyCode === keys.ENTER) {
- that.search();
- return false;
- }
- }
- }).appendTo(input_group);
-
- var input_group_btn = $('<div/>', {
- 'class': 'input-group-btn'
- }).appendTo(input_group);
-
- that.find_button = IPA.button({
- name: 'find',
- label: '@i18n:buttons.filter',
- click: function() {
- that.search();
- return false;
- }
- }).appendTo(input_group_btn);
+ that.filter_field = that.get_filter_field(input_group);
var row = $('<div/>', { 'class': 'row adder-dialog-main'}).appendTo(container);
//
@@ -1132,6 +1104,49 @@ IPA.adder_dialog = function(spec) {
return that.filter_field.val();
};
+ /**
+ * Return field for filtering available items
+ *
+ * Default implementation returns text input + "Filter" button.
+ * It can be overridden.
+ *
+ * @param {HTMLElement} input_group - container for a filter field
+ * @return {HTMLElement}
+ */
+ that.get_filter_field = function(input_group) {
+ var filter_placeholder = text.get(
+ '@i18n:association.filter_placeholder'
+ ).replace('${other_entity}', that.other_entity.metadata.label);
+
+ var filter_field = $('<input/>', {
+ type: 'text',
+ name: 'filter',
+ 'class': 'form-control',
+ 'placeholder': filter_placeholder,
+ keyup: function(event) {
+ if (event.keyCode === keys.ENTER) {
+ that.search();
+ return false;
+ }
+ }
+ }).appendTo(input_group);
+
+ var input_group_btn = $('<div/>', {
+ 'class': 'input-group-btn'
+ }).appendTo(input_group);
+
+ that.find_button = IPA.button({
+ name: 'find',
+ label: '@i18n:buttons.filter',
+ click: function() {
+ that.search();
+ return false;
+ }
+ }).appendTo(input_group_btn);
+
+ return filter_field;
+ };
+
/**
* Clear rows in available table
*/
diff --git a/install/ui/src/freeipa/group.js b/install/ui/src/freeipa/group.js
index e46d8c7e3..2984bd4b2 100644
--- a/install/ui/src/freeipa/group.js
+++ b/install/ui/src/freeipa/group.js
@@ -205,6 +205,20 @@ return {
add_title: '@i18n:objects.group.add_into_sudo',
remove_method: 'remove_user',
remove_title: '@i18n:objects.group.remove_from_sudo'
+ },
+ {
+ $type: 'association',
+ name: 'member_idoverrideuser',
+ associator: IPA.serial_associator,
+ add_title: '@i18n:objects.group.add_idoverride_user',
+ remove_title: '@i18n:objects.group.remove_idoverride_users',
+ columns: [
+ {
+ name: 'ipaanchoruuid',
+ label: '@i18n:objects.idoverrideuser.anchor_label',
+ link: false
+ }
+ ]
}
],
standard_association_facets: true,
diff --git a/install/ui/src/freeipa/idviews.js b/install/ui/src/freeipa/idviews.js
index 35dc998c8..a4fca6205 100644
--- a/install/ui/src/freeipa/idviews.js
+++ b/install/ui/src/freeipa/idviews.js
@@ -966,6 +966,58 @@ idviews.unapply_action = function(spec) {
return that;
};
+idviews.idoverrideuser_adder_dialog = function(spec) {
+
+ spec = spec || {};
+
+ var that = IPA.association_adder_dialog(spec);
+
+ that.base_search = that.search;
+
+ that.search = function() {
+ // Search for users only in case a ID view is selected
+ if (that.get_filter()) {
+ that.base_search();
+ }
+ };
+
+ /**
+ * Replace default text filter with a select box for filtering by ID view
+ */
+ that.get_filter_field = function(input_group) {
+
+ var filter_field = $('<select/>', {
+ name: 'filter',
+ 'class': 'form-control',
+ change: function(event) {
+ that.search();
+ }
+ }).appendTo(input_group);
+
+ rpc.command({
+ entity: 'idview',
+ method: 'find',
+ on_success: function(data) {
+ var results = data.result;
+
+ for (var i=0; i<results.count; i++) {
+ var result = results.result[i];
+ $('<option/>', {
+ text: result.cn[0],
+ value: result.cn[0]
+ }).appendTo(filter_field);
+ }
+
+ that.search();
+ }
+ }).execute();
+
+ return filter_field;
+ };
+
+ return that;
+};
+
/**
* ID View entity specification object
* @member idviews
@@ -993,6 +1045,7 @@ idviews.register = function() {
var f = reg.facet;
var a = reg.action;
var w = reg.widget;
+ var ad = reg.association_adder_dialog;
e.register({type: 'idview', spec: idviews.spec});
e.register({
@@ -1012,6 +1065,11 @@ idviews.register = function() {
w.register('idviews_certs', idviews.idviews_certs_widget);
w.register('cert_textarea', idviews.cert_textarea_widget);
+
+ ad.register({
+ type: 'idoverrideuser',
+ factory: idviews.idoverrideuser_adder_dialog
+ });
};
phases.on('registration', idviews.register);
diff --git a/ipaserver/plugins/internal.py b/ipaserver/plugins/internal.py
index 5f2b1fdc2..7622e65dc 100644
--- a/ipaserver/plugins/internal.py
+++ b/ipaserver/plugins/internal.py
@@ -835,6 +835,9 @@ class i18n_messages(Command):
"Remove users from member managers for user group "
"'${primary_key}'"
),
+ "add_idoverride_user": _(
+ "Add user ID override into user group '${primary_key}'"
+ ),
"details": _("Group Settings"),
"external": _("External"),
"groups": _("Groups"),
@@ -868,6 +871,9 @@ class i18n_messages(Command):
"remove_users": _(
"Remove users from user group '${primary_key}'"
),
+ "remove_idoverride_users": _(
+ "Remove user ID overrides from user group '${primary_key}'"
+ ),
"type": _("Group Type"),
"user_groups": _("User Groups"),
},
--
2.26.2

601
SOURCES/0002-EPN-does-not-ship-its-default-configuration_rhbz#1847999.patch
View File

@ -1,601 +0,0 @@
From 77fae8c48bbe0f4499f4d8ed91b268568c64cd7c Mon Sep 17 00:00:00 2001
From: Christian Heimes <cheimes@redhat.com>
Date: Thu, 11 Jun 2020 11:17:25 +0200
Subject: [PATCH] Move ipa-epn systemd files and run RPM hooks
The init/systemd directory is for server only and not part of
CLIENT_ONLY builds.
It's necesary to run pre/post installation hooks to make systemd aware
of new files.
Fixes: https://pagure.io/freeipa/issue/8367
Signed-off-by: Christian Heimes <cheimes@redhat.com>
Reviewed-By: Rob Crittenden <rcritten@redhat.com>
Reviewed-By: Francois Cami <fcami@redhat.com>
---
.gitignore | 4 +--
client/Makefile.am | 1 +
client/share/Makefile.am | 5 ++++
{install => client}/share/expire_msg.template | 0
client/systemd/Makefile.am | 27 +++++++++++++++++++
{init => client}/systemd/ipa-epn.service.in | 0
{init => client}/systemd/ipa-epn.timer.in | 0
configure.ac | 24 +++++++++++++++--
freeipa.spec.in | 15 +++++++++++
init/systemd/Makefile.am | 8 +++---
install/share/Makefile.am | 5 ----
server.m4 | 19 -------------
12 files changed, 76 insertions(+), 32 deletions(-)
rename {install => client}/share/expire_msg.template (100%)
create mode 100644 client/systemd/Makefile.am
rename {init => client}/systemd/ipa-epn.service.in (100%)
rename {init => client}/systemd/ipa-epn.timer.in (100%)
#diff --git a/.gitignore b/.gitignore
#index 6584c3b4f..4cedb1ff2 100644
#--- a/.gitignore
#+++ b/.gitignore
#@@ -94,8 +94,6 @@ freeipa2-dev-doc
# /init/ipa_memcached
# /init/systemd/ipa-custodia.service
# /init/systemd/ipa.service
#-/init/systemd/ipa-epn.service
#-/init/systemd/ipa-epn.timer
# /init/tmpfilesd/ipa.conf
#
# !/install/ui/doc/Makefile.in
#@@ -116,6 +114,8 @@ freeipa2-dev-doc
# /client/ipa-getkeytab
# /client/ipa-join
# /client/ipa-rmkeytab
#+/client/systemd/ipa-epn.service
#+/client/systemd/ipa-epn.timer
#
# /ipaplatform/override.py
# /ipapython/version.py
diff --git a/client/Makefile.am b/client/Makefile.am
index 858a9369e..87da87fcd 100644
--- a/client/Makefile.am
+++ b/client/Makefile.am
@@ -95,6 +95,7 @@ SUBDIRS = \
share \
man \
sysconfig \
+ systemd \
$(NULL)
# init
diff --git a/client/share/Makefile.am b/client/share/Makefile.am
index 6d4a62d5e..1402a3a9d 100644
--- a/client/share/Makefile.am
+++ b/client/share/Makefile.am
@@ -4,3 +4,8 @@ appdir = $(IPA_DATA_DIR)/client
dist_app_DATA = \
freeipa.template \
$(NULL)
+
+epnconfdir = $(IPA_SYSCONF_DIR)/epn
+dist_epnconf_DATA = \
+ expire_msg.template \
+ $(NULL)
diff --git a/install/share/expire_msg.template b/client/share/expire_msg.template
similarity index 100%
rename from install/share/expire_msg.template
rename to client/share/expire_msg.template
diff --git a/client/systemd/Makefile.am b/client/systemd/Makefile.am
new file mode 100644
index 000000000..1f591be83
--- /dev/null
+++ b/client/systemd/Makefile.am
@@ -0,0 +1,27 @@
+# This file will be processed with automake-1.7 to create Makefile.in
+#
+AUTOMAKE_OPTIONS = 1.7
+
+NULL =
+
+dist_noinst_DATA = \
+ ipa-epn.service.in \
+ ipa-epn.timer.in \
+ $(NULL)
+
+systemdsystemunit_DATA = \
+ ipa-epn.service \
+ ipa-epn.timer \
+ $(NULL)
+
+CLEANFILES = $(systemdsystemunit_DATA)
+
+%: %.in Makefile
+ sed \
+ -e 's|@bindir[@]|$(bindir)|g' \
+ -e 's|@IPA_SYSCONF_DIR[@]|$(IPA_SYSCONF_DIR)|g' \
+ -e 's|@localstatedir[@]|$(localstatedir)|g' \
+ -e 's|@sbindir[@]|$(sbindir)|g' \
+ -e 's|@libexecdir[@]|$(libexecdir)|g' \
+ -e 's|@sysconfenvdir[@]|$(sysconfenvdir)|g' \
+ '$(srcdir)/$@.in' >$@
diff --git a/init/systemd/ipa-epn.service.in b/client/systemd/ipa-epn.service.in
similarity index 100%
rename from init/systemd/ipa-epn.service.in
rename to client/systemd/ipa-epn.service.in
diff --git a/init/systemd/ipa-epn.timer.in b/client/systemd/ipa-epn.timer.in
similarity index 100%
rename from init/systemd/ipa-epn.timer.in
rename to client/systemd/ipa-epn.timer.in
diff --git a/configure.ac b/configure.ac
index 5ec529088..586b2532a 100644
--- a/configure.ac
+++ b/configure.ac
@@ -220,6 +220,25 @@ AC_ARG_WITH([runstatedir],
[runstatedir="/run"])
AC_SUBST([runstatedir])
+dnl ---------------------------------------------------------------------------
+dnl - Check for systemd directories
+dnl ---------------------------------------------------------------------------
+
+PKG_CHECK_EXISTS([systemd], [], [AC_MSG_ERROR([systemd not found])])
+AC_ARG_WITH([systemdsystemunitdir],
+ AS_HELP_STRING([--with-systemdsystemunitdir=DIR],
+ [Directory for systemd service files]),
+ [systemdsystemunitdir=$with_systemdsystemunitdir],
+ [systemdsystemunitdir=$($PKG_CONFIG --define-variable=prefix='${prefix}' --variable=systemdsystemunitdir systemd)])
+AC_SUBST([systemdsystemunitdir])
+
+AC_ARG_WITH([systemdtmpfilesdir],
+ AS_HELP_STRING([--with-systemdtmpfilesdir=DIR],
+ [Directory for systemd-tmpfiles configuration files]),
+ [systemdtmpfilesdir=$with_systemdtmpfilesdir],
+ [systemdtmpfilesdir=$($PKG_CONFIG --define-variable=prefix='${prefix}' --variable=tmpfilesdir systemd)])
+AC_SUBST([systemdtmpfilesdir])
+
dnl ---------------------------------------------------------------------------
dnl - Server-only configuration
dnl ---------------------------------------------------------------------------
@@ -544,6 +563,7 @@ AC_CONFIG_FILES([
client/share/Makefile
client/man/Makefile
client/sysconfig/Makefile
+ client/systemd/Makefile
contrib/completion/Makefile
contrib/Makefile
daemons/dnssec/Makefile
@@ -637,13 +657,13 @@ echo "
jslint: ${JSLINT}
LDAP libs: ${LDAP_LIBS}
OpenSSL crypto libs: ${CRYPTO_LIBS}
- KRB5 libs: ${KRB5_LIBS}"
+ KRB5 libs: ${KRB5_LIBS}
+ systemdsystemunitdir: ${systemdsystemunitdir}"
AM_COND_IF([ENABLE_SERVER], [
echo "\
KRAD libs: ${KRAD_LIBS}
krb5rundir: ${krb5rundir}
- systemdsystemunitdir: ${systemdsystemunitdir}
systemdtmpfilesdir: ${systemdtmpfilesdir}
build mode: server & client"
], [
diff --git a/freeipa.spec.in b/freeipa.spec.in
index cec57e64e..1d8f4e6aa 100755
--- a/freeipa.spec.in
+++ b/freeipa.spec.in
@@ -586,6 +586,10 @@ on the machine enrolled into a FreeIPA environment
%package client-epn
Summary: Tools to configure Expiring Password Notification in IPA
Group: System Environment/Base
+Requires: systemd-units
+Requires(post): systemd-units
+Requires(preun): systemd-units
+Requires(postun): systemd-units
Requires: %{name}-client = %{version}-%{release}
%description client-epn
@@ -1003,6 +1007,17 @@ fi
# ONLY_CLIENT
%endif
+%preun client-epn
+%systemd_preun ipa-epn.service
+%systemd_preun ipa-epn.timer
+
+%postun client-epn
+%systemd_postun ipa-epn.service
+%systemd_postun ipa-epn.timer
+
+%post client-epn
+%systemd_post ipa-epn.service
+%systemd_post ipa-epn.timer
%post client
if [ $1 -gt 1 ] ; then
diff --git a/init/systemd/Makefile.am b/init/systemd/Makefile.am
index 5053dbff6..175178787 100644
--- a/init/systemd/Makefile.am
+++ b/init/systemd/Makefile.am
@@ -2,17 +2,17 @@
#
AUTOMAKE_OPTIONS = 1.7
+NULL =
+
dist_noinst_DATA = \
ipa-custodia.service.in \
ipa.service.in \
- ipa-epn.service.in \
- ipa-epn.timer.in
+ $(NULL)
systemdsystemunit_DATA = \
ipa-custodia.service \
ipa.service \
- ipa-epn.service \
- ipa-epn.timer
+ $(NULL)
CLEANFILES = $(systemdsystemunit_DATA)
diff --git a/install/share/Makefile.am b/install/share/Makefile.am
index 496e81288..e95796dfb 100644
--- a/install/share/Makefile.am
+++ b/install/share/Makefile.am
@@ -106,8 +106,3 @@ dist_app_DATA = \
kdcproxyconfdir = $(IPA_SYSCONF_DIR)/kdcproxy
dist_kdcproxyconf_DATA = \
kdcproxy.conf
-
-epnconfdir = $(IPA_SYSCONF_DIR)/epn
-dist_epnconf_DATA = \
- expire_msg.template \
- $(NULL)
diff --git a/server.m4 b/server.m4
index d35823e80..842d599d2 100644
--- a/server.m4
+++ b/server.m4
@@ -153,22 +153,3 @@ dnl Check for libverto
dnl ---------------------------------------------------------------------------
PKG_CHECK_MODULES([LIBVERTO], [libverto])
-
-dnl ---------------------------------------------------------------------------
-dnl - Check for systemd directories
-dnl ---------------------------------------------------------------------------
-
-PKG_CHECK_EXISTS([systemd], [], [AC_MSG_ERROR([systemd not found])])
-AC_ARG_WITH([systemdsystemunitdir],
- AS_HELP_STRING([--with-systemdsystemunitdir=DIR],
- [Directory for systemd service files]),
- [systemdsystemunitdir=$with_systemdsystemunitdir],
- [systemdsystemunitdir=$($PKG_CONFIG --define-variable=prefix='${prefix}' --variable=systemdsystemunitdir systemd)])
-AC_SUBST([systemdsystemunitdir])
-
-AC_ARG_WITH([systemdtmpfilesdir],
- AS_HELP_STRING([--with-systemdtmpfilesdir=DIR],
- [Directory for systemd-tmpfiles configuration files]),
- [systemdtmpfilesdir=$with_systemdtmpfilesdir],
- [systemdtmpfilesdir=$($PKG_CONFIG --define-variable=prefix='${prefix}' --variable=tmpfilesdir systemd)])
-AC_SUBST([systemdtmpfilesdir])
--
2.26.2
From 23e2935e5c5cb402dd4f6f44eaa4b013e6a8188a Mon Sep 17 00:00:00 2001
From: =?UTF-8?q?Fran=C3=A7ois=20Cami?= <fcami@redhat.com>
Date: Mon, 22 Jun 2020 16:39:02 +0200
Subject: [PATCH] EPN: ship the configuration file.
MIME-Version: 1.0
Content-Type: text/plain; charset=UTF-8
Content-Transfer-Encoding: 8bit
Ship and install /etc/ipa/epn.conf.
Minor fixes to the associated man page.
Fixes: https://pagure.io/freeipa/issue/8374
Signed-off-by: François Cami <fcami@redhat.com>
Reviewed-By: Alexander Bokovoy <abbra@users.noreply.github.com>
Reviewed-By: Rob Crittenden <rcritten@redhat.com>
Reviewed-By: Alexander Bokovoy <abokovoy@redhat.com>
Reviewed-By: Rob Crittenden <rcritten@redhat.com>
---
client/man/epn.conf.5 | 5 ++--
client/share/Makefile.am | 7 +++++-
client/share/epn.conf | 54 ++++++++++++++++++++++++++++++++++++++++
freeipa.spec.in | 4 ++-
4 files changed, 65 insertions(+), 5 deletions(-)
create mode 100644 client/share/epn.conf
diff --git a/client/man/epn.conf.5 b/client/man/epn.conf.5
index 38e99e25d..14f5dbb75 100644
--- a/client/man/epn.conf.5
+++ b/client/man/epn.conf.5
@@ -71,11 +71,10 @@ Specifies the From e-mail address value in the e-mails sent. The default is
root@localhost. Bounces will be sent here.
.TP
.B smtp_delay <milliseconds>
-Time to wait, in milliseconds, between each e-mail sent to try to avoid overloading the mail queue.
+Time to wait, in milliseconds, between each e-mail sent to try to avoid overloading the mail queue. The default is 0.
.TP
.B mail_from <address>
-Specifies the From: e-mal address value in the e-mails sent. The default is
-noreply@ipadefaultemaildomain. This value can be found by running
+Specifies the From: e-mail address value in the e-mails sent. The default is noreply@ipadefaultemaildomain. This value can be found by running
.I ipa config-show
.TP
.B notify_ttls <list of days>
diff --git a/client/share/Makefile.am b/client/share/Makefile.am
index 1402a3a9d..472242e62 100644
--- a/client/share/Makefile.am
+++ b/client/share/Makefile.am
@@ -5,7 +5,12 @@ dist_app_DATA = \
freeipa.template \
$(NULL)
-epnconfdir = $(IPA_SYSCONF_DIR)/epn
+epnconfdir = $(IPA_SYSCONF_DIR)
dist_epnconf_DATA = \
+ epn.conf \
+ $(NULL)
+
+epntemplatedir = $(IPA_SYSCONF_DIR)/epn
+dist_epntemplate_DATA = \
expire_msg.template \
$(NULL)
diff --git a/client/share/epn.conf b/client/share/epn.conf
new file mode 100644
index 000000000..0e590dfc3
--- /dev/null
+++ b/client/share/epn.conf
@@ -0,0 +1,54 @@
+# Global IPA-EPN [0] configuration file.
+# For a complete explanation of each parameter, see the epn.conf(5)
+# manual page.
+# For best results, change no more than a single parameter at a time,
+# and test if ipa-epn(1) still works as intended, using --dry-run when
+# it makes sense.
+#
+# [0] https://github.com/freeipa/freeipa/blob/master/doc/designs/expiring-password-notification.md
+
+[global]
+
+# Specifies the SMTP server to use.
+smtp_server = localhost
+
+# Specifies the SMTP port.
+smtp_port = 25
+
+# Specifies the id of the user to authenticate with the SMTP server.
+# Default None (empty value).
+# smtp_user =
+
+# Specifies the password for the authorized user.
+# Default None (empty value).
+# smtp_password =
+
+# pecifies the number of seconds to wait for SMTP to respond.
+smtp_timeout = 60
+
+# Specifies the type of secure connection to make. Options are: none,
+# starttls and ssl.
+smtp_security = none
+
+# Specifies the From e-mail address value in the e-mails sent. Bounces will
+# be sent here.
+smtp_admin = root@localhost
+
+# Time to wait, in milliseconds, between each e-mail sent to try to avoid
+# overloading the mail queue.
+smtp_delay = 0
+
+# Specifies the From: e-mail address value in the e-mails sent.
+# The default when unset is noreply@ipadefaultemaildomain.
+# This value can be found by running ipa config-show.
+# mail_from =
+
+# The list of days before a password expiration when ipa-epn should notify
+# a user that their password will soon require a reset.
+notify_ttls = 28, 14, 7, 3, 1
+
+# Set the character set of the message.
+msg_charset = utf8
+
+# Set the message's MIME sub-content type.
+msg_subtype = plain
diff --git a/freeipa.spec.in b/freeipa.spec.in
index 5bce6f118..8cca99697 100755
--- a/freeipa.spec.in
+++ b/freeipa.spec.in
@@ -1387,13 +1387,15 @@ fi
%files client-epn
%doc README.md Contributors.txt
+%dir %{_sysconfdir}/ipa/epn
%license COPYING
%{_sbindir}/ipa-epn
%{_mandir}/man1/ipa-epn.1*
%{_mandir}/man5/epn.conf.5*
%attr(644,root,root) %{_unitdir}/ipa-epn.service
%attr(644,root,root) %{_unitdir}/ipa-epn.timer
-%attr(644,root,root) %{_sysconfdir}/ipa/epn/expire_msg.template
+%attr(600,root,root) %config(noreplace) %{_sysconfdir}/ipa/epn.conf
+%attr(644,root,root) %config(noreplace) %{_sysconfdir}/ipa/epn/expire_msg.template
%files -n python3-ipaclient
%doc README.md Contributors.txt
--
2.26.2
From 3b43950d35f78b28d4edde4fda475b5aa84f4587 Mon Sep 17 00:00:00 2001
From: =?UTF-8?q?Fran=C3=A7ois=20Cami?= <fcami@redhat.com>
Date: Tue, 23 Jun 2020 09:39:02 +0200
Subject: [PATCH] man pages: fix epn.conf.5 and ipa-epn.1 formatting
MIME-Version: 1.0
Content-Type: text/plain; charset=UTF-8
Content-Transfer-Encoding: 8bit
Fix formatting issues found with mandoc.
Signed-off-by: François Cami <fcami@redhat.com>
Reviewed-By: Alexander Bokovoy <abbra@users.noreply.github.com>
Reviewed-By: Rob Crittenden <rcritten@redhat.com>
Reviewed-By: Alexander Bokovoy <abokovoy@redhat.com>
Reviewed-By: Rob Crittenden <rcritten@redhat.com>
---
client/man/epn.conf.5 | 2 +-
client/man/ipa-epn.1 | 8 ++++----
2 files changed, 5 insertions(+), 5 deletions(-)
diff --git a/client/man/epn.conf.5 b/client/man/epn.conf.5
index 14f5dbb75..df1f0156c 100644
--- a/client/man/epn.conf.5
+++ b/client/man/epn.conf.5
@@ -16,7 +16,7 @@
.\"
.\" Author: Rob Crittenden <rcritten@@redhat.com>
.\"
-.TH "epn.conf" "5" "Apr 28 2020" "FreeIPA" "FreeIPA Manual Pages"
+.TH "EPN.CONF" "5" "April 28, 2020" "FreeIPA" "FreeIPA Manual Pages"
.SH "NAME"
epn.conf \- Expiring Password Notification configuration file
.SH "SYNOPSIS"
diff --git a/client/man/ipa-epn.1 b/client/man/ipa-epn.1
index 9999ea8ca..124fd4536 100644
--- a/client/man/ipa-epn.1
+++ b/client/man/ipa-epn.1
@@ -15,14 +15,14 @@
.\" along with this program. If not, see <http://www.gnu.org/licenses/>.
.\"
.\"
-.TH "ipa-epn" "1" "Apr 24 2020" "FreeIPA" "FreeIPA Manual Pages"
+.TH "IPA-EPN" "1" "April 24, 2020" "FreeIPA" "FreeIPA Manual Pages"
.SH "NAME"
ipa\-epn \- Send expiring password nofications
.SH "SYNOPSIS"
-ipa\-epn \[options\]
+ipa\-epn \fR[options\fR]
.SH "DESCRIPTION"
-ipa\-epn provides a method to warn users via email that their IPA account password is about to expire.
+ipa\-epn provides a method to warn users via email that their IPA account password is about to expire.
It can be used in dry\-run mode which is recommmended during setup. The output is always JSON in this case.
@@ -38,7 +38,7 @@ The \-\-to\-nbdays CLI option can be used to determine the number of notificatio
If \fB\-\-from\-nbdays\fR is not specified, ipa\-epn will look within a 24\-hour long time range in <number of days> days.
-if \fB\-\-from\-nbdays\fR is specified, the date range starts at \fB\-\-from\-nbdays\fR days in the future and ends at \fB\-\-to\-nbdays\fR in the future.
+if \fB\-\-from\-nbdays\fR is specified, the date range starts at \fB\-\-from\-nbdays\fR days in the future and ends at \fB\-\-to\-nbdays\fR in the future.
Together, these two CLI options can be used to determine how many emails would be sent in a specific time in the future.
--
2.26.2
From 2648c218467792e907435eaa5267a0f3457f634f Mon Sep 17 00:00:00 2001
From: =?UTF-8?q?Fran=C3=A7ois=20Cami?= <fcami@redhat.com>
Date: Tue, 23 Jun 2020 13:50:02 +0200
Subject: [PATCH] ipatests: check that EPN's configuration file is installed.
MIME-Version: 1.0
Content-Type: text/plain; charset=UTF-8
Content-Transfer-Encoding: 8bit
Fixes: https://pagure.io/freeipa/issue/8374
Signed-off-by: François Cami <fcami@redhat.com>
Reviewed-By: Alexander Bokovoy <abbra@users.noreply.github.com>
Reviewed-By: Rob Crittenden <rcritten@redhat.com>
Reviewed-By: Alexander Bokovoy <abokovoy@redhat.com>
Reviewed-By: Rob Crittenden <rcritten@redhat.com>
---
ipatests/test_integration/test_epn.py | 14 ++++++++++++++
1 file changed, 14 insertions(+)
diff --git a/ipatests/test_integration/test_epn.py b/ipatests/test_integration/test_epn.py
index 7f56d4bc0..409d588d5 100644
--- a/ipatests/test_integration/test_epn.py
+++ b/ipatests/test_integration/test_epn.py
@@ -209,6 +209,20 @@ class TestEPN(IntegrationTest):
cls.master.run_command(r'rm -f /etc/pki/tls/private/postfix.key')
cls.master.run_command(r'rm -f /etc/pki/tls/certs/postfix.pem')
+ @pytest.mark.xfail(reason='pr-ci issue 378', strict=True)
+ def test_EPN_config_file(self):
+ """Check that the EPN configuration file is installed.
+ https://pagure.io/freeipa/issue/8374
+ """
+ epn_conf = "/etc/ipa/epn.conf"
+ epn_template = "/etc/ipa/epn/expire_msg.template"
+ cmd1 = self.master.run_command(["rpm", "-qc", "freeipa-client-epn"])
+ assert epn_conf in cmd1.stdout_text
+ assert epn_template in cmd1.stdout_text
+ cmd2 = self.master.run_command(["sha256sum", epn_conf])
+ ck = "4c207b5c9c760c36db0d3b2b93da50ea49edcc4002d6d1e7383601f0ec30b957"
+ assert cmd2.stdout_text.find(ck) == 0
+
def test_EPN_smoketest_1(self):
"""No users except admin. Check --dry-run output.
With the default configuration, the result should be an empty list.
--
2.26.2
From 06accac8906f66ebbb31849d6528b39ae006b124 Mon Sep 17 00:00:00 2001
From: =?UTF-8?q?Fran=C3=A7ois=20Cami?= <fcami@redhat.com>
Date: Wed, 24 Jun 2020 23:24:36 +0200
Subject: [PATCH] ipatests: ipa_epn: uninstall/reinstall ipa-client-epn
MIME-Version: 1.0
Content-Type: text/plain; charset=UTF-8
Content-Transfer-Encoding: 8bit
Due to https://github.com/freeipa/freeipa-pr-ci/issues/378
the installed version of freeipa-client-epn is not the built
one. Temporarily force uninstall/reinstall of this package
before running the test.
Fixes: https://pagure.io/freeipa/issue/8374
Signed-off-by: François Cami <fcami@redhat.com>
Reviewed-By: Alexander Bokovoy <abbra@users.noreply.github.com>
Reviewed-By: Rob Crittenden <rcritten@redhat.com>
Reviewed-By: Alexander Bokovoy <abokovoy@redhat.com>
Reviewed-By: Rob Crittenden <rcritten@redhat.com>
---
ipatests/test_integration/test_epn.py | 20 +++++++++++++++++++-
1 file changed, 19 insertions(+), 1 deletion(-)
diff --git a/ipatests/test_integration/test_epn.py b/ipatests/test_integration/test_epn.py
index 409d588d5..9a9fb17b9 100644
--- a/ipatests/test_integration/test_epn.py
+++ b/ipatests/test_integration/test_epn.py
@@ -209,11 +209,29 @@ class TestEPN(IntegrationTest):
cls.master.run_command(r'rm -f /etc/pki/tls/private/postfix.key')
cls.master.run_command(r'rm -f /etc/pki/tls/certs/postfix.pem')
- @pytest.mark.xfail(reason='pr-ci issue 378', strict=True)
+ @pytest.mark.skip_if_platform(
+ "debian", reason="Cannot check installed packages using RPM"
+ )
def test_EPN_config_file(self):
"""Check that the EPN configuration file is installed.
https://pagure.io/freeipa/issue/8374
"""
+ # workaround for https://github.com/freeipa/freeipa-pr-ci/issues/378
+ rpm_q_cmds = [
+ ["rpm", "-qi", "freeipa-client"],
+ ["rpm", "-qi", "freeipa-client-epn"],
+ ["rpm", "-qc", "freeipa-client-epn"],
+ ["rpm", "-V", "freeipa-client-epn"],
+ ["rpm", "-qvc", "freeipa-client-epn"],
+ ["ls", "-l", "/etc/ipa", "/etc/ipa/epn"],
+ ]
+ for cmd in rpm_q_cmds:
+ self.master.run_command(cmd, raiseonerr=False)
+ tasks.uninstall_packages(self.master, ["*ipa-client-epn"])
+ tasks.install_packages(self.master, ["*ipa-client-epn"])
+ for cmd in rpm_q_cmds:
+ self.master.run_command(cmd, raiseonerr=False)
+ # end workaround
epn_conf = "/etc/ipa/epn.conf"
epn_template = "/etc/ipa/epn/expire_msg.template"
cmd1 = self.master.run_command(["rpm", "-qc", "freeipa-client-epn"])
--
2.26.2

147
SOURCES/0003-Use-256-bit-AJP-secret_rhbz#1849914.patch
View File

@ -1,147 +0,0 @@
From be48983558a560dadad410a70a4a1684565ed481 Mon Sep 17 00:00:00 2001
From: Alexander Scheel <ascheel@redhat.com>
Date: Mon, 15 Jun 2020 18:38:35 -0400
Subject: [PATCH] Clarify AJP connector creation process
We do two things:
1. Fix the xpath for AJP connector verification. An AJP connector is
one which has protocol="AJP/1.3", NOT one that has port="8009". An
AJP connector can exist on any port and port 8009 can have any
protocol. Secrets only make sense on AJP connectors, so make the
xpath match the existing comment.
2. Add some background in-line documentation about AJP secret
provisioning. This should help future developers understand why this
was added to IPA and what limitations there are in what PKI or IPA
can do. Most notably, explain why Dogtag can't upgrade the AJP
connector to have a secret in the general case.
Signed-off-by: Alexander Scheel <ascheel@redhat.com>
Reviewed-By: Alexander Bokovoy <abokovoy@redhat.com>
---
ipaserver/install/dogtaginstance.py | 20 +++++++++++++++++---
1 file changed, 17 insertions(+), 3 deletions(-)
diff --git a/ipaserver/install/dogtaginstance.py b/ipaserver/install/dogtaginstance.py
index 42c9db3fb..aa3baeb7c 100644
--- a/ipaserver/install/dogtaginstance.py
+++ b/ipaserver/install/dogtaginstance.py
@@ -308,11 +308,12 @@ class DogtagInstance(service.Service):
doc = server_xml.getroot()
# no AJP connector means no need to update anything
- connectors = doc.xpath('//Connector[@port="8009"]')
+ connectors = doc.xpath('//Connector[@protocol="AJP/1.3"]')
if len(connectors) == 0:
return
- # AJP connector is set on port 8009. Use non-greedy search to find it
+ # AJP protocol is at version 1.3. Assume there is only one as
+ # Dogtag only provisions one.
connector = connectors[0]
# Detect tomcat version and choose the right option name
@@ -331,11 +332,24 @@ class DogtagInstance(service.Service):
rewrite = False
else:
if oldattr in connector.attrib:
+ # Sufficiently new Dogtag versions (10.9.0-a2) handle the
+ # upgrade for us; we need only to ensure that we're not both
+ # attempting to upgrade server.xml at the same time.
+ # Hopefully this is guaranteed for us.
self.ajp_secret = connector.attrib[oldattr]
connector.attrib[secretattr] = self.ajp_secret
del connector.attrib[oldattr]
else:
- # Generate password, don't use special chars to not break XML
+ # Generate password, don't use special chars to not break XML.
+ #
+ # If we hit this case, pkispawn was run on an older Dogtag
+ # version and we're stuck migrating, choosing a password
+ # ourselves. Dogtag can't generate one randomly because a
+ # Dogtag administrator might've configured AJP and might
+ # not be using IPA.
+ #
+ # Newer Dogtag versions will generate a random password
+ # during pkispawn.
self.ajp_secret = ipautil.ipa_generate_password(special=None)
connector.attrib[secretattr] = self.ajp_secret
--
2.26.2
From 1e804bf19da4ee274e735fd49452d4df5d73a002 Mon Sep 17 00:00:00 2001
From: Alexander Scheel <ascheel@redhat.com>
Date: Wed, 17 Jun 2020 16:00:25 -0400
Subject: [PATCH] Configure PKI AJP Secret with 256-bit secret
By default, PKI's AJP secret is generated as a 75-bit password. By
generating it in IPA, we can guarantee the strength of the AJP secret.
It makes sense to use a stronger AJP secret because it typically
isn't rotated; access to AJP allows an attacker to impersonate an admin
while talking to PKI.
Fixes: https://pagure.io/freeipa/issue/8372
Fixes: https://bugzilla.redhat.com/show_bug.cgi?id=1849146
Related: https://bugzilla.redhat.com/show_bug.cgi?id=1845447
Related: https://github.com/dogtagpki/pki/pull/437
Signed-off-by: Alexander Scheel <ascheel@redhat.com>
Reviewed-By: Alexander Bokovoy <abokovoy@redhat.com>
---
install/share/ipaca_customize.ini | 1 +
install/share/ipaca_default.ini | 2 ++
ipaserver/install/dogtaginstance.py | 4 +++-
3 files changed, 6 insertions(+), 1 deletion(-)
diff --git a/install/share/ipaca_customize.ini b/install/share/ipaca_customize.ini
index 6d58579af..948734241 100644
--- a/install/share/ipaca_customize.ini
+++ b/install/share/ipaca_customize.ini
@@ -12,6 +12,7 @@
#
# Predefined variables
# - ipa_ca_subject
+# - ipa_ajp_secret
# - ipa_fqdn
# - ipa_subject_base
# - pki_admin_password
diff --git a/install/share/ipaca_default.ini b/install/share/ipaca_default.ini
index 2b9900286..a51256116 100644
--- a/install/share/ipaca_default.ini
+++ b/install/share/ipaca_default.ini
@@ -12,6 +12,7 @@ ipa_ca_pem_file=/etc/ipa/ca.crt
## dynamic values
# ipa_ca_subject=
+# ipa_ajp_secret=
# ipa_subject_base=
# ipa_fqdn=
# ipa_ocsp_uri=
@@ -66,6 +67,7 @@ pki_issuing_ca=%(pki_issuing_ca_uri)s
pki_replication_password=
pki_enable_proxy=True
+pki_ajp_secret=%(ipa_ajp_secret)s
pki_restart_configured_instance=False
pki_security_domain_hostname=%(ipa_fqdn)s
pki_security_domain_https_port=443
diff --git a/ipaserver/install/dogtaginstance.py b/ipaserver/install/dogtaginstance.py
index aa3baeb7c..361d80a8c 100644
--- a/ipaserver/install/dogtaginstance.py
+++ b/ipaserver/install/dogtaginstance.py
@@ -840,7 +840,9 @@ class PKIIniLoader:
pki_subsystem_type=subsystem.lower(),
home_dir=os.path.expanduser("~"),
# for softhsm2 testing
- softhsm2_so=paths.LIBSOFTHSM2_SO
+ softhsm2_so=paths.LIBSOFTHSM2_SO,
+ # Configure a more secure AJP password by default
+ ipa_ajp_secret=ipautil.ipa_generate_password(special=None)
)
@classmethod
--
2.26.2

167
SOURCES/0004-baseuser-fix-ipanthomedirectorydrive-option-name_rhbz#1851411.patch
View File

@ -1,167 +0,0 @@
From a090b429fda35c5a9c3cfb672ab42a5985d00ff9 Mon Sep 17 00:00:00 2001
From: Petr Vobornik <pvoborni@redhat.com>
Date: Mon, 8 Jun 2020 19:27:30 +0200
Subject: [PATCH] baseuser: fix ipanthomedirectorydrive option name
It should be ipanthomedirectorydrive and not ipanthomedirectoryrive.
This fixes showing the field in Web UI and also should fix CLI as it
probably never worked.
Signed-off-by: Petr Vobornik <pvoborni@redhat.com>
Reviewed-By: Alexander Bokovoy <abokovoy@redhat.com>
---
API.txt | 8 ++++----
ipaserver/plugins/baseuser.py | 2 +-
2 files changed, 5 insertions(+), 5 deletions(-)
diff --git a/API.txt b/API.txt
index 5354a33a0..300b3d9b1 100644
--- a/API.txt
+++ b/API.txt
@@ -5085,7 +5085,7 @@ option: Str('in_role*', cli_name='in_roles')
option: Str('in_sudorule*', cli_name='in_sudorules')
option: Str('initials?', autofill=False)
option: Str('ipanthomedirectory?', autofill=False, cli_name='smb_home_dir')
-option: StrEnum('ipanthomedirectoryrive?', autofill=False, cli_name='smb_home_drive', values=[u'A:', u'B:', u'C:', u'D:', u'E:', u'F:', u'G:', u'H:', u'I:', u'J:', u'K:', u'L:', u'M:', u'N:', u'O:', u'P:', u'Q:', u'R:', u'S:', u'T:', u'U:', u'V:', u'W:', u'X:', u'Y:', u'Z:'])
+option: StrEnum('ipanthomedirectorydrive?', autofill=False, cli_name='smb_home_drive', values=[u'A:', u'B:', u'C:', u'D:', u'E:', u'F:', u'G:', u'H:', u'I:', u'J:', u'K:', u'L:', u'M:', u'N:', u'O:', u'P:', u'Q:', u'R:', u'S:', u'T:', u'U:', u'V:', u'W:', u'X:', u'Y:', u'Z:'])
option: Str('ipantlogonscript?', autofill=False, cli_name='smb_logon_script')
option: Str('ipantprofilepath?', autofill=False, cli_name='smb_profile_path')
option: Str('ipatokenradiusconfiglink?', autofill=False, cli_name='radius')
@@ -5147,7 +5147,7 @@ option: Str('givenname?', autofill=False, cli_name='first')
option: Str('homedirectory?', autofill=False, cli_name='homedir')
option: Str('initials?', autofill=False)
option: Str('ipanthomedirectory?', autofill=False, cli_name='smb_home_dir')
-option: StrEnum('ipanthomedirectoryrive?', autofill=False, cli_name='smb_home_drive', values=[u'A:', u'B:', u'C:', u'D:', u'E:', u'F:', u'G:', u'H:', u'I:', u'J:', u'K:', u'L:', u'M:', u'N:', u'O:', u'P:', u'Q:', u'R:', u'S:', u'T:', u'U:', u'V:', u'W:', u'X:', u'Y:', u'Z:'])
+option: StrEnum('ipanthomedirectorydrive?', autofill=False, cli_name='smb_home_drive', values=[u'A:', u'B:', u'C:', u'D:', u'E:', u'F:', u'G:', u'H:', u'I:', u'J:', u'K:', u'L:', u'M:', u'N:', u'O:', u'P:', u'Q:', u'R:', u'S:', u'T:', u'U:', u'V:', u'W:', u'X:', u'Y:', u'Z:'])
option: Str('ipantlogonscript?', autofill=False, cli_name='smb_logon_script')
option: Str('ipantprofilepath?', autofill=False, cli_name='smb_profile_path')
option: Str('ipasshpubkey*', autofill=False, cli_name='sshpubkey')
@@ -6185,7 +6185,7 @@ option: Str('in_role*', cli_name='in_roles')
option: Str('in_sudorule*', cli_name='in_sudorules')
option: Str('initials?', autofill=False)
option: Str('ipanthomedirectory?', autofill=False, cli_name='smb_home_dir')
-option: StrEnum('ipanthomedirectoryrive?', autofill=False, cli_name='smb_home_drive', values=[u'A:', u'B:', u'C:', u'D:', u'E:', u'F:', u'G:', u'H:', u'I:', u'J:', u'K:', u'L:', u'M:', u'N:', u'O:', u'P:', u'Q:', u'R:', u'S:', u'T:', u'U:', u'V:', u'W:', u'X:', u'Y:', u'Z:'])
+option: StrEnum('ipanthomedirectorydrive?', autofill=False, cli_name='smb_home_drive', values=[u'A:', u'B:', u'C:', u'D:', u'E:', u'F:', u'G:', u'H:', u'I:', u'J:', u'K:', u'L:', u'M:', u'N:', u'O:', u'P:', u'Q:', u'R:', u'S:', u'T:', u'U:', u'V:', u'W:', u'X:', u'Y:', u'Z:'])
option: Str('ipantlogonscript?', autofill=False, cli_name='smb_logon_script')
option: Str('ipantprofilepath?', autofill=False, cli_name='smb_profile_path')
option: Str('ipatokenradiusconfiglink?', autofill=False, cli_name='radius')
@@ -6250,7 +6250,7 @@ option: Str('givenname?', autofill=False, cli_name='first')
option: Str('homedirectory?', autofill=False, cli_name='homedir')
option: Str('initials?', autofill=False)
option: Str('ipanthomedirectory?', autofill=False, cli_name='smb_home_dir')
-option: StrEnum('ipanthomedirectoryrive?', autofill=False, cli_name='smb_home_drive', values=[u'A:', u'B:', u'C:', u'D:', u'E:', u'F:', u'G:', u'H:', u'I:', u'J:', u'K:', u'L:', u'M:', u'N:', u'O:', u'P:', u'Q:', u'R:', u'S:', u'T:', u'U:', u'V:', u'W:', u'X:', u'Y:', u'Z:'])
+option: StrEnum('ipanthomedirectorydrive?', autofill=False, cli_name='smb_home_drive', values=[u'A:', u'B:', u'C:', u'D:', u'E:', u'F:', u'G:', u'H:', u'I:', u'J:', u'K:', u'L:', u'M:', u'N:', u'O:', u'P:', u'Q:', u'R:', u'S:', u'T:', u'U:', u'V:', u'W:', u'X:', u'Y:', u'Z:'])
option: Str('ipantlogonscript?', autofill=False, cli_name='smb_logon_script')
option: Str('ipantprofilepath?', autofill=False, cli_name='smb_profile_path')
option: Str('ipasshpubkey*', autofill=False, cli_name='sshpubkey')
diff --git a/ipaserver/plugins/baseuser.py b/ipaserver/plugins/baseuser.py
index a0ed65874..e1b7763f0 100644
--- a/ipaserver/plugins/baseuser.py
+++ b/ipaserver/plugins/baseuser.py
@@ -420,7 +420,7 @@ class baseuser(LDAPObject):
label=_('SMB Home Directory'),
flags=['no_create'],
),
- StrEnum('ipanthomedirectoryrive?',
+ StrEnum('ipanthomedirectorydrive?',
cli_name='smb_home_drive',
label=_('SMB Home Directory Drive'),
flags=['no_create'],
--
2.26.2
From 691b3cddb275821630f443f22706fa75e7c7a5c8 Mon Sep 17 00:00:00 2001
From: Petr Vobornik <pvoborni@redhat.com>
Date: Mon, 8 Jun 2020 19:11:33 +0200
Subject: [PATCH] webui: hide user attributes for SMB services section if empty
This section should be hidded if user object hasn't ipantuserattrs
object class. I.e. when trusts are not enabled.
Web UI framework already supports hidding of sections if the
section contains no visible field. So to achieve it we simply needs
to hide the fields. Given that attributelevelrights
contains rights only for attributes of current object classes, all
of these are regarded as not writable.
We can leverage feature of input_widget that it gets hidden
when the attribute is not writable and has no value and widget's
"hidden_if_empty" is set to true. Thus doing it here.
For this to work, it is also required to fix an issue with
"ipanthomedirectorydrive" which is optional (in API) but Web UI
doesn't offer "empty" ("") value. Adding it here.
fixes: https://pagure.io/freeipa/issue/8336
Signed-off-by: Petr Vobornik <pvoborni@redhat.com>
Reviewed-By: Serhii Tsymbaliuk <stsymbal@redhat.com>
Reviewed-By: Alexander Bokovoy <abokovoy@redhat.com>
---
install/ui/src/freeipa/user.js | 20 +++++++++++---------
1 file changed, 11 insertions(+), 9 deletions(-)
diff --git a/install/ui/src/freeipa/user.js b/install/ui/src/freeipa/user.js
index fb626f2a1..8f1f5cd85 100644
--- a/install/ui/src/freeipa/user.js
+++ b/install/ui/src/freeipa/user.js
@@ -367,36 +367,39 @@ return {
{
name: 'smb_attributes',
label: '@i18n:objects.smb_attributes.title',
- show_cond: ['oc_ipantuserattrs'],
fields: [{
name: 'ipantlogonscript',
tooltip: {
title: '@i18n:objects.smb_attributes.ipantlogonscript_tooltip'
- }
+ },
+ hidden_if_empty: true
},
{
name: 'ipantprofilepath',
tooltip: {
title: '@i18n:objects.smb_attributes.ipantprofilepath_tooltip'
- }
+ },
+ hidden_if_empty: true
},
{
name: 'ipanthomedirectory',
tooltip: {
title: '@i18n:objects.smb_attributes.ipanthomedirectory_tooltip'
- }
+ },
+ hidden_if_empty: true
},
{
name: 'ipanthomedirectorydrive',
$type: 'select',
options: IPA.create_options([
- 'A:', 'B:', 'C:', 'D:', 'E:', 'F:', 'G:', 'H:', 'I:',
- 'J:', 'K:', 'L:', 'M:', 'N:', 'O:', 'P:', 'Q:', 'R:',
- 'S:', 'T:', 'U:', 'V:', 'W:', 'X:', 'Y:', 'Z:'
+ '', 'A:', 'B:', 'C:', 'D:', 'E:', 'F:', 'G:', 'H:',
+ 'I:', 'J:', 'K:', 'L:', 'M:', 'N:', 'O:', 'P:', 'Q:',
+ 'R:', 'S:', 'T:', 'U:', 'V:', 'W:', 'X:', 'Y:', 'Z:'
]),
tooltip: {
title: '@i18n:objects.smb_attributes.ipanthomedirectorydrive_tooltip'
- }
+ },
+ hidden_if_empty: true
}
]
}
@@ -482,7 +485,6 @@ return {
IPA.user.self_service_other_user_evaluator,
IPA.user.preserved_user_evaluator,
IPA.user.is_locked_evaluator,
- IPA.object_class_evaluator,
IPA.cert.certificate_evaluator
],
summary_conditions: [
--
2.26.2

2713
SOURCES/1001-Change-branding-to-IPA-and-Identity-Management.patch
View File

File diff suppressed because one or more lines are too long

2051
SOURCES/1002-4.8.0-Remove-csrgen.patch
View File

File diff suppressed because it is too large Load Diff

134
SOURCES/1003-Revert-WebUI-use-python3-rjsmin-to-minify-JavaScript.patch
View File

@ -1,134 +0,0 @@
From 2f8e87ce9ccaab51b32a395c6cf6c764434ed0e2 Mon Sep 17 00:00:00 2001
From: Thomas Woerner <twoerner@redhat.com>
Date: Thu, 11 Jun 2020 10:40:57 +0200
Subject: [PATCH] Revert "WebUI: use python3-rjsmin to minify JavaScript files"
This reverts commit d986e844bbd37ccc7a532175631a55acd315cda3.
---
.lgtm.yml | 4 ++--
freeipa.spec.in | 2 +-
install/ui/build/freeipa/Makefile.am | 2 +-
install/ui/src/webui.profile.js | 4 ++--
install/ui/util/build/README | 4 ++--
install/ui/util/compile.sh | 8 ++++----
6 files changed, 12 insertions(+), 12 deletions(-)
#diff --git a/.lgtm.yml b/.lgtm.yml
#index b3898116e..e63615918 100644
#--- a/.lgtm.yml
#+++ b/.lgtm.yml
#@@ -39,7 +39,7 @@ extraction:
# - python3-setuptools
# - python3-wheel
# - nodejs
#- - python3-rjsmin
#+ - uglifyjs
# - systemd
# - 389-ds-base-dev
# - libssl-dev
#@@ -79,7 +79,7 @@ extraction:
# - python3-setuptools
# - python3-wheel
# - nodejs
#- - python3-rjsmin
#+ - uglifyjs
# - systemd
# - 389-ds-base-dev
# - libssl-dev
diff --git a/freeipa.spec.in b/freeipa.spec.in
index b6eb79593..a4682497a 100755
--- a/freeipa.spec.in
+++ b/freeipa.spec.in
@@ -191,7 +191,7 @@ BuildRequires: libsss_idmap-devel
BuildRequires: libsss_certmap-devel
BuildRequires: libsss_nss_idmap-devel >= %{sssd_version}
BuildRequires: nodejs(abi)
-BuildRequires: python3-rjsmin
+BuildRequires: uglify-js
BuildRequires: libverto-devel
BuildRequires: libunistring-devel
# 0.13.0: https://bugzilla.redhat.com/show_bug.cgi?id=1584773
diff --git a/install/ui/build/freeipa/Makefile.am b/install/ui/build/freeipa/Makefile.am
index f4d97819e..05e82f4da 100644
--- a/install/ui/build/freeipa/Makefile.am
+++ b/install/ui/build/freeipa/Makefile.am
@@ -18,6 +18,6 @@ widgets := $(wildcard ../../src/freeipa/widgets/*.js)
nav := $(wildcard ../../src/freeipa/navigation/*.js)
app.js: $(core) $(base) $(widgets) $(nav)
- PYTHON=$(PYTHON) $(srcdir)/../../util/make-ui.sh
+ $(srcdir)/../../util/make-ui.sh
core.js: app.js
diff --git a/install/ui/src/webui.profile.js b/install/ui/src/webui.profile.js
index 2d4d691dc..1d7a6cc84 100644
--- a/install/ui/src/webui.profile.js
+++ b/install/ui/src/webui.profile.js
@@ -9,7 +9,7 @@ var profile = (function(){
releaseName: "lib",
action: "release",
- // optimization done separately by python3-rjsmin
+ // optimization done separately by uglify.js
layerOptimize: false,
optimize: false,
cssOptimize: false,
@@ -123,4 +123,4 @@ var profile = (function(){
}
}
};
-})();
+})();
\ No newline at end of file
diff --git a/install/ui/util/build/README b/install/ui/util/build/README
index 2c4e0ecac..0772532d4 100644
--- a/install/ui/util/build/README
+++ b/install/ui/util/build/README
@@ -1,5 +1,5 @@
build.js is builded dojo builder, with applied patches from 'patches' folder, by
-itself and compiled using python3-rjsmin
+itself and compiled using uglify.js
_base/configRhino.js is unmodifed file from dojo/dojo. Required for a build to work.
@@ -9,4 +9,4 @@ Available via Academic Free License >= 2.1 OR the modified BSD license.
see: http://dojotoolkit.org/license for details
= License =
-Full Dojo license is in LICENSE file.
+Full Dojo license is in LICENSE file.
\ No newline at end of file
diff --git a/install/ui/util/compile.sh b/install/ui/util/compile.sh
index 1516b815f..d14f90ab0 100755
--- a/install/ui/util/compile.sh
+++ b/install/ui/util/compile.sh
@@ -26,14 +26,14 @@ RDIR=$DIR/../release
usage() {
cat <<-__EOF__;
NAME
- compile.sh - Compiles layer file of Dojo build using Python rjsmin.
+ compile.sh - Compiles layer file of Dojo build using uglify.js.
Deletes all other files.
SYNOPSIS
path/to/compile.sh [--help] --release RELEASE --layer NAME/NAME
DESCRIPTION
- Compiles layer file of Dojo build output using Python rjsmin.
+ Compiles layer file of Dojo build output using uglify.js.
Deletes all other files.
OPTIONS
@@ -105,7 +105,7 @@ if [[ ! $OUTPUT_FILE ]] ; then
OUTPUT_FILE=$RDIR/$RELEASE/$LAYER.js
fi
-# compile using python rjsmin
+# compile using uglifyjs
echo "Minimizing: $RDIR/$RELEASE/$LAYER.js"
echo "Target file: $OUTPUT_FILE"
-${PYTHON:-python3} -m rjsmin < $RDIR/$RELEASE/$LAYER.js > $OUTPUT_FILE
+uglifyjs $RDIR/$RELEASE/$LAYER.js > $OUTPUT_FILE
--
2.26.2

16
SOURCES/freeipa-4.8.7.tar.gz.asc
View File

@ -1,16 +0,0 @@
-----BEGIN PGP SIGNATURE-----
iQIzBAABCgAdFiEEhAodHH8+xLL+UwQ1RxniuKu/YhoFAl7hNhYACgkQRxniuKu/
Yhq2rxAAnK8YHbQtivjssWz6BBRiU5TKootA3fSqfvbhACYG14629/Dpc5IIkYZ1
0AE4CUFA7Oi92emFbxrLJyeSuxuzTxSVmydJ5HW/OTkRRSnmjL5oeBg2D++B9OaO
qVAXRZbi5YNfW5y//9BIRzCGw0RHpbR/QjZ1ipDymky6nr5IS+EhfZ0iHeEyiNXd
OP3OJv538HSvRrv3mJvz52pKVfegw1OTd8yUnmuPEc9ClQfPQHjXqsOeFYCbR8fg
59y0twMMrOc2J4eL0OkNE/By+o+1vAMUwEs736sCdbJJPigerfuK0e7ZxP+x98BP
bmIBxv7eUf20Rn3An7+vTqQP60V4tS+FOnc2LD3OpHH4vy34ovWZfYZWVKbg0z1+
5E/0TWifhlibbRZctDaxkZfFVchQnixHnO0Awv8wNxRzh/XvvsTPz1zJXk5kHk3r
Ws2/GbeWTiJLe8sIXJz0MNTayWLnsDJG6BCRf+K0HwCdL80p4TG71dTwa9PW5HEy
UklxW/zfr+chS1AszNgb8wJa6WtDHfQnktJwSSj7CkD3JdUVx+L/cJiOfbCM+WUi
BRzhVhNUDX/FkpGUyvC4AYXX+wcwHph9BDChUDqcG886aIK28TAsie3Vwz/F7hKP
TYpF1+YIImcRfUQ737pnbHL12o5yzfhkBfD2GMsojEd0x71B3PY=
=B33Z
-----END PGP SIGNATURE-----

16
SOURCES/freeipa-4.9.2.tar.gz.asc Normal file
View File

@ -0,0 +1,16 @@
-----BEGIN PGP SIGNATURE-----
iQIzBAABCgAdFiEEhAodHH8+xLL+UwQ1RxniuKu/YhoFAmAqwW4ACgkQRxniuKu/
YhoqEw/+J2+fMEF4qYDnb6LPs0h/xbiMU+WG5SI0Ybcy6FUrCp2utFqO6N8r7K3J
k9WTcAXweqwEO5aP1fjvbQiIc55lQgN1rlJc+GtnBbPPKabrJB0xgx2VpP2MI8Jl
JRSAdSNvSghaR1v0MYL3ly7GPRLUrb1+Avln+eJIHRfAuUjf9j4MWh7VNDsSp7pQ
vMqz8OHEvSSRQYGKyJ5vQlcHRQNot2pZoWHVfEcRXMD6qn2N7yUU4o9wNOYvJMw8
YEyInE24D13UV33F9K5QrLEaJ7lpIwJ9lmhAFuZoDUC81s5aAmLtNzUWcdwlOSzk
tY4T+ucpq+0eH1gUiDm6bME7Uw87nc9KuNS3+Q+P2Y7RdUrrbLj8BIsz30VSk8n1
rH2DZo/1NOFwQ5qDN92QjTeGotqCjwK/j+uRB12HkRgOHkouoZjqwcYRfdxmBhKd
wk6BdDtvSP4voqqoeuZNCbeOKCYsqE2HlGZE9YiLbBAQs081Ir9Tajpn8sgMVURi
7kQN7Xq9/jEl7sQ14VkRMQP8A+rRkmLM1sW3vqhMFDSOyi+qQNnzAnR28qxDBXC3
4gG/yFGgqX7mSXsfvTVrjhcVEO6IsqkkPAcFR3Xivpy146LoONSlIGgtA8mGMIeO
Zd3awH4T8kAt3d9RBI+R34sZm//uKQgOKDrAx0VjekFkK0tj2qU=
=XC/f
-----END PGP SIGNATURE-----

614
SPECS/ipa.spec
View File

File diff suppressed because it is too large Load Diff