Update to upstream 2.2.0 alpha 1 (2.1.90.pre1)

Remove unused patches, update tarball, sync spec to upstream spec

ipa_kpasswd has been dropped upstream
Rob Crittenden 2012-02-06 14:51:43 -05:00
parent fd3bdcaf1e
commit c3929a4ff3
10 changed files with 47 additions and 603 deletions

1
.gitignore vendored

@ -11,3 +11,4 @@
/freeipa-2.1.3.tar.gz
/freeipa-2.1.3-wait_for_socket.patch.gz
/freeipa-2.1.4.tar.gz
/freeipa-2.1.90.pre1.tar.gz


@ -1,95 +0,0 @@
From 859d28ce9d4b0f356122b576eab397ed7a066745 Mon Sep 17 00:00:00 2001
From: Martin Kosek <mkosek@redhat.com>
Date: Thu, 8 Dec 2011 14:52:49 +0100
Subject: [PATCH 4/6] Add connection failure recovery to IPAdmin
Recover from connection failures in IPAdmin LDAP bind functions and
rather try reconnect in scope of a given timeout instead of giving
up after the first failed connection.
The recovery fixes ipa-ldap-updater on F-16 which always failed
because of a missing dirsrv socket.
https://fedorahosted.org/freeipa/ticket/2175
---
ipaserver/ipaldap.py | 35 +++++++++++++++++++++++++++++------
1 files changed, 29 insertions(+), 6 deletions(-)
diff --git a/ipaserver/ipaldap.py b/ipaserver/ipaldap.py
index 74cfbfda911facbf6f3bddf5972b3f035a9cfde0..1820e690b10c820efcd3217801bde6b685bbf20b 100644
--- a/ipaserver/ipaldap.py
+++ b/ipaserver/ipaldap.py
@@ -30,14 +30,17 @@ import cStringIO
import time
import struct
import ldap.sasl
+import ldapurl
from ldap.controls import LDAPControl,DecodeControlTuples,EncodeControlTuples
from ldap.ldapobject import SimpleLDAPObject
from ipaserver import ipautil
+from ipaserver.install import installutils
from ipalib import errors
from ipapython.ipautil import format_netloc
# Global variable to define SASL auth
SASL_AUTH = ldap.sasl.sasl({},'GSSAPI')
+DEFAULT_TIMEOUT = 10
class Entry:
"""
@@ -330,6 +333,26 @@ class IPAdmin(SimpleLDAPObject):
except ldap.LDAPError, e:
raise errors.DatabaseError(desc=desc,info=info)
+ def __wait_for_connection(self, timeout):
+ lurl = ldapurl.LDAPUrl(self._uri)
+ if lurl.urlscheme == 'ldapi':
+ installutils.wait_for_open_socket(lurl.hostport, timeout)
+ else:
+ (host,port) = lurl.hostport.split(':')
+ installutils.wait_for_open_ports(host, int(port), timeout)
+
+ def __bind_with_wait(self, bind_func, timeout, *args, **kwargs):
+ try:
+ bind_func(*args, **kwargs)
+ except (ldap.CONNECT_ERROR, ldap.SERVER_DOWN), e:
+ if not timeout:
+ raise e
+ try:
+ self.__wait_for_connection(timeout)
+ except:
+ raise e
+ bind_func(*args, **kwargs)
+
def toLDAPURL(self):
return "ldap://%s/" % format_netloc(self.host, self.port)
@@ -346,19 +369,19 @@ class IPAdmin(SimpleLDAPObject):
except ldap.LDAPError, e:
self.__handle_errors(e, **{})
- def do_simple_bind(self, binddn="cn=directory manager", bindpw=""):
+ def do_simple_bind(self, binddn="cn=directory manager", bindpw="", timeout=DEFAULT_TIMEOUT):
self.binddn = binddn
self.bindpwd = bindpw
- self.simple_bind_s(binddn, bindpw)
+ self.__bind_with_wait(self.simple_bind_s, timeout, binddn, bindpw)
self.__lateinit()
- def do_sasl_gssapi_bind(self):
- self.sasl_interactive_bind_s('', SASL_AUTH)
+ def do_sasl_gssapi_bind(self, timeout=DEFAULT_TIMEOUT):
+ self.__bind_with_wait(self.sasl_interactive_bind_s, timeout, '', SASL_AUTH)
self.__lateinit()
- def do_external_bind(self, user_name=None):
+ def do_external_bind(self, user_name=None, timeout=DEFAULT_TIMEOUT):
auth_tokens = ldap.sasl.external(user_name)
- self.sasl_interactive_bind_s("", auth_tokens)
+ self.__bind_with_wait(self.sasl_interactive_bind_s, timeout, '', auth_tokens)
self.__lateinit()
def getEntry(self,*args):
--
1.7.7.4


@ -1,88 +0,0 @@
From d27b23d4315d24e62d83ddf0012b347ffad36e9c Mon Sep 17 00:00:00 2001
From: Rob Crittenden <rcritten@redhat.com>
Date: Thu, 8 Dec 2011 16:11:22 -0500
Subject: [PATCH 6/6] Fix some pylint issues found in F-16
* Using default_attributes rather than what would be defined in output
is the preferred mechanism for determining what attributes to
retrieve.
* Replace some add_s() calls with addEntry()
---
doc/examples/examples.py | 9 +++++++--
ipaserver/install/krbinstance.py | 4 ++--
ipaserver/install/service.py | 2 +-
3 files changed, 10 insertions(+), 5 deletions(-)
diff --git a/doc/examples/examples.py b/doc/examples/examples.py
index a969c898bcf8a6829b83898bd2d68400ae939ff3..7053e589a1a058d7742b51cbceaf683971555621 100644
--- a/doc/examples/examples.py
+++ b/doc/examples/examples.py
@@ -314,6 +314,11 @@ class exuser(Object):
),
)
+ # You may not want to return all attributes in the entry by default.
+ # Use default_attributes to limit the list of returned values. The
+ # caller can set all to True to return all attributes.
+ default_attributes = ['uid', 'givenname', 'sn']
+
# register the object, uncomment this line if you want to try it out
#api.register(exuser)
@@ -352,7 +357,7 @@ class exuser_show(Method):
if options.get('all', False):
attrs_list = ['*']
else:
- attrs_list = [p.name for p in self.output_params()]
+ attrs_list = self.obj.default_attributes
(dn, entry_attrs) = ldap.get_entry(dn, attrs_list)
entry_attrs['dn'] = dn
@@ -398,7 +403,7 @@ class exuser_find(Method):
if options.get('all', False):
attrs_list = ['*']
else:
- attrs_list = [p.name for p in self.output_params()]
+ attrs_list = self.obj.default_attributes
# perform the search
(entries, truncated) = ldap.find_entries(
diff --git a/ipaserver/install/krbinstance.py b/ipaserver/install/krbinstance.py
index ce70c231dfb7e7b6b59c0496721cced0d09f1604..df6fc5a6ea6fbc4d9c207122dbb3c1ce1f5b4f50 100644
--- a/ipaserver/install/krbinstance.py
+++ b/ipaserver/install/krbinstance.py
@@ -284,7 +284,7 @@ class KrbInstance(service.Service):
entry.setValues("nsSaslMapFilterTemplate", '(krbPrincipalName=\\1@\\2)')
try:
- self.admin_conn.add_s(entry)
+ self.admin_conn.addEntry(entry)
except ldap.ALREADY_EXISTS:
logging.critical("failed to add Full Principal Sasl mapping")
raise e
@@ -297,7 +297,7 @@ class KrbInstance(service.Service):
entry.setValues("nsSaslMapFilterTemplate", '(krbPrincipalName=&@%s)' % self.realm)
try:
- self.admin_conn.add_s(entry)
+ self.admin_conn.addEntry(entry)
except ldap.ALREADY_EXISTS:
logging.critical("failed to add Name Only Sasl mapping")
raise e
diff --git a/ipaserver/install/service.py b/ipaserver/install/service.py
index 2fd15d8f8010114914549871fc5d0a228561fe1c..9fcc095b64f1abc121f1960d7c7ec15dbe53821f 100644
--- a/ipaserver/install/service.py
+++ b/ipaserver/install/service.py
@@ -287,7 +287,7 @@ class Service(object):
"enabledService", "startOrder " + str(order))
try:
- conn.add_s(entry)
+ conn.addEntry(entry)
except ldap.ALREADY_EXISTS, e:
logging.critical("failed to add %s Service startup entry" % name)
raise e
--
1.7.7.4


@ -1,138 +0,0 @@
From 402867038f8664e88e2d9ca42f2c77a46a0be7ae Mon Sep 17 00:00:00 2001
From: Martin Kosek <mkosek@redhat.com>
Date: Mon, 2 Jan 2012 16:49:59 +0100
Subject: [PATCH 1/3] Make sure that install tools log
When any log message is emitted before IPA install tools logging is
configured, it may break and leave install tools log empty. This
happens for example when
ipa-server-install --ip-address=$IP_ADDRESS
is run.
This patch makes sure that logging is right in these cases.
https://fedorahosted.org/freeipa/ticket/2214
---
install/tools/ipa-ca-install | 1 +
install/tools/ipa-dns-install | 1 +
install/tools/ipa-replica-install | 1 +
install/tools/ipa-server-install | 2 +
ipaserver/install/installutils.py | 43 +++++++++++++++++++++++++++++++++++++
5 files changed, 48 insertions(+), 0 deletions(-)
diff --git a/install/tools/ipa-ca-install b/install/tools/ipa-ca-install
index 445b0621419b7aa5b4616e154d9f8193a5d517fb..c813659f34f4471132b83fd4159b69b76f5ce487 100755
--- a/install/tools/ipa-ca-install
+++ b/install/tools/ipa-ca-install
@@ -70,6 +70,7 @@ def get_dirman_password():
return installutils.read_password("Directory Manager (existing master)", confirm=False, validate=False)
def main():
+ installutils.bootstrap_logging()
safe_options, options, filename = parse_options()
installutils.standard_logging_setup("/var/log/ipareplica-ca-install.log", options.debug)
logging.debug('%s was invoked with argument "%s" and options: %s' % (sys.argv[0], filename, safe_options))
diff --git a/install/tools/ipa-dns-install b/install/tools/ipa-dns-install
index d81b6a2e804a815d5bece8426a286e3190f6dee3..25c1bb0cac251d098e3744afd7b7eeab32a3fe6b 100755
--- a/install/tools/ipa-dns-install
+++ b/install/tools/ipa-dns-install
@@ -82,6 +82,7 @@ def parse_options():
return safe_options, options
def main():
+ bootstrap_logging()
safe_options, options = parse_options()
if os.getegid() != 0:
diff --git a/install/tools/ipa-replica-install b/install/tools/ipa-replica-install
index dbc736764f38489df15900c4540a381764d0c261..7310d286292f571ef25b57b29d2a213f4bd855a1 100755
--- a/install/tools/ipa-replica-install
+++ b/install/tools/ipa-replica-install
@@ -286,6 +286,7 @@ def check_bind():
sys.exit(1)
def main():
+ installutils.bootstrap_logging()
safe_options, options, filename = parse_options()
installutils.standard_logging_setup("/var/log/ipareplica-install.log", options.debug)
logging.debug('%s was invoked with argument "%s" and options: %s' % (sys.argv[0], filename, safe_options))
diff --git a/install/tools/ipa-server-install b/install/tools/ipa-server-install
index 8f156e8dde7fbc4cfde00a0f6a2fc8e23403cc73..755f2772780010c62fdc642125107843bef61668 100755
--- a/install/tools/ipa-server-install
+++ b/install/tools/ipa-server-install
@@ -562,6 +562,8 @@ def main():
global installation_cleanup
ds = None
+ bootstrap_logging()
+
safe_options, options = parse_options()
if os.getegid() != 0:
diff --git a/ipaserver/install/installutils.py b/ipaserver/install/installutils.py
index 0a36c354e1d2f901bfdef51c151d035ba8ee64ca..d0f611c611847d02f3d264d669a2e90689f5a87b 100644
--- a/ipaserver/install/installutils.py
+++ b/ipaserver/install/installutils.py
@@ -314,7 +314,47 @@ def port_available(port):
return rv
+class BufferingHandler(logging.Handler):
+ log_queue = []
+
+ def __init__(self):
+ logging.Handler.__init__(self)
+ self.level = logging.DEBUG
+
+ def emit(self, record):
+ self.log_queue.append(record)
+
+ def flush(self):
+ pass
+
+def bootstrap_logging():
+ """
+ Bootstrap logging and create special handler which will buffer any log
+ emitted before standard_logging_setup is called. These will be later
+ processed when the logging is set up.
+ """
+ root_logger = logging.getLogger()
+ root_logger.setLevel(logging.DEBUG)
+ root_logger.addHandler(BufferingHandler())
+
def standard_logging_setup(log_filename, debug=False, filemode='w'):
+ """
+ Set up logging. bootstrap_logging() should be called earlier if there
+ is a chance that a log is emitted before this setup.
+ """
+ root_logger = logging.getLogger()
+ log_queue = []
+
+ if root_logger.handlers:
+ # Remove any handlers that may have been set and which may cause
+ # problems with logging in install utils
+ handler_list = list(logging.getLogger().handlers)
+
+ for handler in handler_list:
+ if isinstance(handler, BufferingHandler):
+ log_queue.extend(handler.log_queue)
+ root_logger.removeHandler(handler)
+
old_umask = os.umask(077)
# Always log everything (i.e., DEBUG) to the log
# file.
@@ -335,6 +375,9 @@ def standard_logging_setup(log_filename, debug=False, filemode='w'):
console.setFormatter(formatter)
logging.getLogger('').addHandler(console)
+ for log_record in log_queue:
+ root_logger.handle(log_record)
+
def get_password(prompt):
if os.isatty(sys.stdin.fileno()):
return getpass.getpass(prompt)
--
1.7.7.5


@ -1,72 +0,0 @@
From a018ba4013ad18eb75bdfd50887ef12ad2d77972 Mon Sep 17 00:00:00 2001
From: Martin Kosek <mkosek@redhat.com>
Date: Wed, 11 Jan 2012 10:07:03 +0100
Subject: [PATCH 3/3] Prevent service restart failures in ipa-replica-install
Call restart() methods of appropriate services instead of calling
the system service restart command directly as service() method
has a capability to wait until the service is fully up. Without
this patch ipa-replica-install crashed on F-16 because krb5kdc
service was started before dirsrv service was fully up.
https://fedorahosted.org/freeipa/ticket/2139
---
install/tools/ipa-replica-install | 21 ++++++++++++++++-----
1 files changed, 16 insertions(+), 5 deletions(-)
diff --git a/install/tools/ipa-replica-install b/install/tools/ipa-replica-install
index 7310d286292f571ef25b57b29d2a213f4bd855a1..9c637202917fc67da68cea61ebc1b41169bbf2db 100755
--- a/install/tools/ipa-replica-install
+++ b/install/tools/ipa-replica-install
@@ -155,6 +155,8 @@ def install_krb(config, setup_pkinit=False):
ldappwd_filename, kpasswd_filename,
setup_pkinit, pkcs12_info)
+ return krb
+
def install_ca_cert(config):
cafile = config.dir + "/ca.crt"
if not ipautil.file_exists(cafile):
@@ -188,6 +190,8 @@ def install_http(config, auto_redirect):
print "error copying files: " + str(e)
sys.exit(1)
+ return http
+
def install_bind(config, options):
api.Backend.ldap2.connect(bind_dn="cn=Directory Manager",
bind_pw=config.dirman_password)
@@ -442,8 +446,8 @@ def main():
cs.add_simple_service('dogtagldap/%s@%s' % (config.host_name, config.realm_name))
cs.add_cert_to_service()
- install_krb(config, setup_pkinit=options.setup_pkinit)
- install_http(config, auto_redirect=options.ui_redirect)
+ krb = install_krb(config, setup_pkinit=options.setup_pkinit)
+ http = install_http(config, auto_redirect=options.ui_redirect)
if CA:
CA.import_ra_cert(dir + "/ra.p12")
CA.fix_ra_perms()
@@ -457,9 +461,16 @@ def main():
service.print_msg("Applying LDAP updates")
ds.apply_updates()
- ipaservices.knownservices.dirsrv.restart()
- ipaservices.knownservices.krb5kdc.restart()
- ipaservices.knownservices.httpd.restart()
+ # Restart ds and krb after configurations have been changed
+ service.print_msg("Restarting the directory server")
+ ds.restart()
+
+ service.print_msg("Restarting the KDC")
+ krb.restart()
+
+ # Restart httpd to pick up the new IPA configuration
+ service.print_msg("Restarting the web server")
+ http.restart()
if options.setup_dns:
install_bind(config, options)
--
1.7.7.5


@ -1,93 +0,0 @@
From e14b13000890ff13cb9c062e6a32e1e127587bc7 Mon Sep 17 00:00:00 2001
From: Martin Kosek <mkosek@redhat.com>
Date: Wed, 11 Jan 2012 10:06:39 +0100
Subject: [PATCH 2/3] Fix LDAP add calls in replication module
Replace conn.add_s(entry) with conn.addEntry(entry) to avoid
function calls with an invalid number of parameters.
https://fedorahosted.org/freeipa/ticket/2139
---
ipaserver/install/replication.py | 22 +++++++++++-----------
1 files changed, 11 insertions(+), 11 deletions(-)
diff --git a/ipaserver/install/replication.py b/ipaserver/install/replication.py
index a6bd7af37bb7c6761841d68ff733276045a7ddab..8f0f226dbacc0ee3b84357c059c91936af034fed 100644
--- a/ipaserver/install/replication.py
+++ b/ipaserver/install/replication.py
@@ -225,8 +225,8 @@ class ReplicationManager(object):
ent.setValues("sn", "replication manager pseudo user")
try:
- conn.add_s(ent)
- except ldap.ALREADY_EXISTS:
+ conn.addEntry(ent)
+ except errors.DuplicateEntry:
conn.modify_s(dn, [(ldap.MOD_REPLACE, "userpassword", pw)])
pass
@@ -275,7 +275,7 @@ class ReplicationManager(object):
entry.setValues('nsds5replicabinddn', [replica_binddn])
entry.setValues('nsds5replicalegacyconsumer', "off")
- conn.add_s(entry)
+ conn.addEntry(entry)
def setup_changelog(self, conn):
dn = "cn=changelog5, cn=config"
@@ -285,8 +285,8 @@ class ReplicationManager(object):
entry.setValues('cn', "changelog5")
entry.setValues('nsslapd-changelogdir', dirpath)
try:
- conn.add_s(entry)
- except ldap.ALREADY_EXISTS:
+ conn.addEntry(entry)
+ except errors.DuplicateEntry:
return
def setup_chaining_backend(self, conn):
@@ -308,11 +308,11 @@ class ReplicationManager(object):
entry.setValues('nsmultiplexorbinddn', self.repl_man_dn)
entry.setValues('nsmultiplexorcredentials', self.repl_man_passwd)
- self.conn.add_s(entry)
+ self.conn.addEntry(entry)
done = True
- except ldap.ALREADY_EXISTS:
+ except errors.DuplicateEntry:
benum += 1
- except ldap.LDAPError, e:
+ except errors.ExecutionError, e:
print "Could not add backend entry " + dn, e
raise
@@ -376,7 +376,7 @@ class ReplicationManager(object):
entry.setValues("objectclass", ["account", "simplesecurityobject"])
entry.setValues("uid", "passsync")
entry.setValues("userPassword", password)
- conn.add_s(entry)
+ conn.addEntry(entry)
# Add it to the list of users allowed to bypass password policy
extop_dn = "cn=ipa_pwd_extop,cn=plugins,cn=config"
@@ -470,7 +470,7 @@ class ReplicationManager(object):
if iswinsync:
self.setup_winsync_agmt(entry, win_subtree)
- a_conn.add_s(entry)
+ a_conn.addEntry(entry)
entry = a_conn.waitForEntry(entry)
@@ -746,7 +746,7 @@ class ReplicationManager(object):
entry.setValues("ipaConfigString", "winsync:%s" % self.hostname)
try:
- self.conn.add_s(entry)
+ self.conn.addEntry(entry)
except Exception, e:
logging.info("Failed to create public entry for winsync replica")
--
1.7.7.5


@ -1,35 +0,0 @@
From d214ba7547fdda279fa3fd38129a600979d6213b Mon Sep 17 00:00:00 2001
From: Alexander Bokovoy <abokovoy@redhat.com>
Date: Wed, 21 Dec 2011 14:44:06 +0200
Subject: [PATCH] Re-enable web password migration on Fedora 16 after SE Linux
policy restrictions
Web password migration tool uses connection to the LDAPI socket.
Enable access to the ns-slapd socket.
---
selinux/ipa_httpd/ipa_httpd.te | 2 ++
1 files changed, 2 insertions(+), 0 deletions(-)
diff --git a/selinux/ipa_httpd/ipa_httpd.te b/selinux/ipa_httpd/ipa_httpd.te
index 65b161fe58cbe64c476fc6abb17b68d741d5d321..64525ba99ad2c455941a937d77ea5cc1af6c68d0 100644
--- a/selinux/ipa_httpd/ipa_httpd.te
+++ b/selinux/ipa_httpd/ipa_httpd.te
@@ -7,6 +7,7 @@ require {
type var_run_t;
type krb5kdc_t;
type cert_t;
+ type dirsrv_t;
class sock_file write;
class unix_stream_socket connectto;
class file write;
@@ -15,6 +16,7 @@ require {
# Let Apache, bind and the KDC talk to DS over ldapi
allow httpd_t var_run_t:sock_file write;
allow httpd_t initrc_t:unix_stream_socket connectto;
+allow httpd_t dirsrv_t:unix_stream_socket connectto;
allow krb5kdc_t var_run_t:sock_file write;
allow krb5kdc_t initrc_t:unix_stream_socket connectto;
allow named_t var_run_t:sock_file write;
--
1.7.8


@ -1,39 +0,0 @@
>From e744b07fe589d36257590f31adf7a5dae3a51f55 Mon Sep 17 00:00:00 2001
From: Simo Sorce <ssorce@redhat.com>
Date: Tue, 20 Dec 2011 12:39:34 -0500
Subject: [PATCH] slapi-plugins: use thread-safe ldap library
---
daemons/configure.ac | 2 +-
freeipa.spec.in | 2 +-
2 files changed, 2 insertions(+), 2 deletions(-)
diff --git a/daemons/configure.ac b/daemons/configure.ac
index d15a5c70c000a9d83f9ccb6d05851f1400ae4627..9ff858a6b360b011be95ff9aac729a0e837356c2 100644
--- a/daemons/configure.ac
+++ b/daemons/configure.ac
@@ -174,7 +174,7 @@ if test "$with_ldap" = "yes"; then
if test "$with_ldap_lber" = "yes" ; then
OPENLDAP_LIBS="${OPENLDAP_LIBS} -llber"
fi
- OPENLDAP_LIBS="${OPENLDAP_LIBS} -lldap"
+ OPENLDAP_LIBS="${OPENLDAP_LIBS} -lldap_r"
else
AC_MSG_ERROR([OpenLDAP not found])
fi
diff --git a/freeipa.spec.in b/freeipa.spec.in
index 3305fda55a30523d0b86a0fb79ee74f60a544b92..36b68795eec02d11176c2369b50ec6c732925ad1 100644
--- a/freeipa.spec.in
+++ b/freeipa.spec.in
@@ -24,7 +24,7 @@ Source0: freeipa-%{version}.tar.gz
BuildRoot: %{_tmppath}/%{name}-%{version}-%{release}-root-%(%{__id_u} -n)
%if ! %{ONLY_CLIENT}
-BuildRequires: 389-ds-base-devel >= 1.2.9
+BuildRequires: 389-ds-base-devel >= 1.2.10-0.6.a6
BuildRequires: svrcore-devel
BuildRequires: /usr/share/selinux/devel/Makefile
BuildRequires: policycoreutils >= %{POLICYCOREUTILSVER}
--
1.7.7.4


@ -11,27 +11,21 @@ distutils.sysconfig import get_python_lib; print(get_python_lib(1))")}
%endif
%global POLICYCOREUTILSVER 1.33.12-1
%global gettext_domain ipa
%global VERSION 2.1.90.pre1
Name: freeipa
Version: 2.1.4
Release: 5%{?dist}
Version: 2.1.90
Release: 0.1%{?dist}
Summary: The Identity, Policy and Audit system
Group: System Environment/Base
License: GPLv3+
URL: http://www.freeipa.org/
Source0: freeipa-%{version}.tar.gz
Patch0: freeipa-2.1.4-connection-failure-recovery.patch
Patch1: freeipa-2.1.4-fix-pylint-f16.patch
Patch2: freeipa-2.1.4-slapi-plugins-use-thread-safe-ldap-library.patch
Patch3: freeipa-2.1.4-selinux-web-migration-policy.patch
Patch4: freeipa-2.1.4-logging.patch
Patch5: freeipa-2.1.4-replication-addentry.patch
Patch6: freeipa-2.1.4-replica-install-services.patch
Source0: freeipa-%{VERSION}.tar.gz
Patch7: freeipa-2.1.4-inifiles-support.patch
Patch8: freeipa-2.1.4-python-ldap-2.4.6-support.patch
Patch9: freeipa-2.1.4-upgrade-systemd.patch
BuildRoot: %{_tmppath}/%{name}-%{version}-%{release}-root-%(%{__id_u} -n)
BuildRoot: %{_tmppath}/%{name}-%{VERSION}-%{release}-root-%(%{__id_u} -n)
%if ! %{ONLY_CLIENT}
BuildRequires: 389-ds-base-devel >= 1.2.10-0.6.a6
@ -86,7 +80,7 @@ Requires(pre): 389-ds-base >= 1.2.10-0.8.a7
Requires: openldap-clients
Requires: nss
Requires: nss-tools
Requires: krb5-server >= 1.9.1-15
Requires: krb5-server >= 1.10-2
Requires: krb5-server-ldap
Requires: krb5-pkinit-openssl
Requires: cyrus-sasl-gssapi%{?_isa}
@ -102,9 +96,9 @@ Requires: python-pyasn1 >= 0.0.9a
Requires: systemd-units >= 36-3
Requires(pre): systemd-units
Requires(post): systemd-units
Requires: selinux-policy >= 3.10.0-31
Requires: selinux-policy >= 3.10.0-82
Requires(post): selinux-policy-base
Requires: slapi-nis >= 0.21
Requires: slapi-nis >= 0.36
Requires: pki-ca >= 9.0.17
Requires: pki-silent >= 9.0.17
# Only tomcat6 greater than this version provides proper systemd support
@ -163,8 +157,8 @@ Requires: krb5-workstation
Requires: authconfig
Requires: pam_krb5
Requires: wget
Requires: libcurl >= 7.21.7-2
Requires: xmlrpc-c >= 1.27.4
Requires: libcurl >= 7.21.7-2
Requires: xmlrpc-c >= 1.27.4
Requires: sssd >= 1.6.2
Requires: certmonger >= 0.26
Requires: nss-tools
@ -223,14 +217,7 @@ package.
%prep
%setup -n freeipa-%{version} -q
%patch0 -p1
%patch1 -p1
%patch2 -p1
%patch3 -p1
%patch4 -p1
%patch5 -p1
%patch6 -p1
%setup -n freeipa-%{VERSION} -q
%patch7 -p1
%patch8 -p1
%patch9 -p1
@ -283,6 +270,7 @@ rm %{buildroot}/%{plugin_dir}/libipa_repl_version.la
rm %{buildroot}/%{plugin_dir}/libipa_uuid.la
rm %{buildroot}/%{plugin_dir}/libipa_modrdn.la
rm %{buildroot}/%{plugin_dir}/libipa_lockout.la
rm %{buildroot}/%{_libdir}/krb5/plugins/kdb/ipadb.la
# Some user-modifiable HTML files are provided. Move these to /etc
# and link back.
@ -295,8 +283,6 @@ ln -s ../../../..%{_sysconfdir}/ipa/html/unauthorized.html \
%{buildroot}%{_usr}/share/ipa/html/unauthorized.html
ln -s ../../../..%{_sysconfdir}/ipa/html/browserconfig.html \
%{buildroot}%{_usr}/share/ipa/html/browserconfig.html
ln -s ../../../..%{_sysconfdir}/ipa/html/hbac-deny-remove.html \
%{buildroot}%{_usr}/share/ipa/html/hbac-deny-remove.html
ln -s ../../../..%{_sysconfdir}/ipa/html/ipa_error.css \
%{buildroot}%{_usr}/share/ipa/html/ipa_error.css
@ -305,18 +291,24 @@ mkdir -p %{buildroot}%{_sysconfdir}/httpd/conf.d/
/bin/touch %{buildroot}%{_sysconfdir}/httpd/conf.d/ipa.conf
/bin/touch %{buildroot}%{_sysconfdir}/httpd/conf.d/ipa-pki-proxy.conf
/bin/touch %{buildroot}%{_sysconfdir}/httpd/conf.d/ipa-rewrite.conf
mkdir -p %{buildroot}%{_usr}/share/ipa/html/
/bin/touch %{buildroot}%{_usr}/share/ipa/html/ca.crt
/bin/touch %{buildroot}%{_usr}/share/ipa/html/configure.jar
/bin/touch %{buildroot}%{_usr}/share/ipa/html/krb.con
/bin/touch %{buildroot}%{_usr}/share/ipa/html/krb5.ini
/bin/touch %{buildroot}%{_usr}/share/ipa/html/krbrealm.con
/bin/touch %{buildroot}%{_usr}/share/ipa/html/preferences.html
mkdir -p %{buildroot}%{_initrddir}
# Default to systemd initscripts for F16 and above
mkdir -p %{buildroot}%{_unitdir}
for i in ipa.service ipa_kpasswd.service ; do
install -m 644 init/systemd/$i %{buildroot}%{_unitdir}/$i
done
install -m 644 init/systemd/ipa.service %{buildroot}%{_unitdir}/ipa.service
mkdir -p %{buildroot}%{_libexecdir}
install -m 755 init/systemd/freeipa-systemd-upgrade %{buildroot}%{_libexecdir}/freeipa-systemd-upgrade
rm -f %{buildroot}%{_initrddir}/ipa_kpasswd
%endif
mkdir -p %{buildroot}%{_sysconfdir}/ipa/
/bin/touch %{buildroot}%{_sysconfdir}/ipa/default.conf
/bin/touch %{buildroot}%{_sysconfdir}/ipa/ca.crt
mkdir -p %{buildroot}/%{_localstatedir}/lib/ipa-client/sysrestore
%if ! %{ONLY_CLIENT}
@ -341,9 +333,13 @@ if [ $1 -gt 1 ] ; then
# after it has been migrated to systemd setup
/usr/libexec/freeipa-systemd-upgrade || :
/usr/sbin/ipa-upgradeconfig || :
/usr/sbin/ipa-ldap-updater --upgrade >/dev/null 2>&1 || :
fi
%posttrans server
# This must be run in posttrans so that updates from previous
# execution that may no longer be shipped are not applied.
/usr/sbin/ipa-ldap-updater --upgrade >/dev/null 2>&1 || :
%preun server
if [ $1 = 0 ]; then
# Use systemd scheme
@ -368,7 +364,7 @@ if [ -s /etc/selinux/config ]; then
fi
%post server-selinux
semodule -s targeted -i /usr/share/selinux/targeted/ipa_kpasswd.pp /usr/share/selinux/targeted/ipa_httpd.pp /usr/share/selinux/targeted/ipa_dogtag.pp
semodule -s targeted -i /usr/share/selinux/targeted/ipa_httpd.pp /usr/share/selinux/targeted/ipa_dogtag.pp
. %{_sysconfdir}/selinux/config
FILE_CONTEXT=%{_sysconfdir}/selinux/targeted/contexts/files/file_contexts
selinuxenabled
@ -390,7 +386,7 @@ fi
%postun server-selinux
if [ $1 = 0 ]; then
semodule -s targeted -r ipa_kpasswd ipa_httpd ipa_dogtag
semodule -s targeted -r ipa_httpd ipa_dogtag
. %{_sysconfdir}/selinux/config
FILE_CONTEXT=%{_sysconfdir}/selinux/targeted/contexts/files/file_contexts
selinuxenabled
@ -419,14 +415,12 @@ fi
%{_sbindir}/ipa-compat-manage
%{_sbindir}/ipa-nis-manage
%{_sbindir}/ipa-managed-entries
%{_sbindir}/ipa_kpasswd
%{_sbindir}/ipactl
%{_sbindir}/ipa-upgradeconfig
%{_sbindir}/ipa-compliance
%{_sysconfdir}/cron.d/ipa-compliance
# Use systemd scheme
%attr(644,root,root) %{_unitdir}/ipa.service
%attr(644,root,root) %{_unitdir}/ipa_kpasswd.service
%{_libexecdir}/freeipa-systemd-upgrade
%dir %{python_sitelib}/ipaserver
%{python_sitelib}/ipaserver/*
@ -439,7 +433,6 @@ fi
%{_usr}/share/ipa/html/ssbrowser.html
%{_usr}/share/ipa/html/browserconfig.html
%{_usr}/share/ipa/html/unauthorized.html
%{_usr}/share/ipa/html/hbac-deny-remove.html
%{_usr}/share/ipa/html/ipa_error.css
%dir %{_usr}/share/ipa/migration
%{_usr}/share/ipa/migration/error.html
@ -449,8 +442,6 @@ fi
%{_usr}/share/ipa/migration/migration.py*
%dir %{_usr}/share/ipa/ui
%{_usr}/share/ipa/ui/index.html
%{_usr}/share/ipa/ui/*.png
%{_usr}/share/ipa/ui/*.gif
%{_usr}/share/ipa/ui/*.ico
%{_usr}/share/ipa/ui/*.css
%{_usr}/share/ipa/ui/*.js
@ -458,19 +449,28 @@ fi
%{_usr}/share/ipa/ui/*.svg
%{_usr}/share/ipa/ui/*.ttf
%{_usr}/share/ipa/ui/*.woff
%config(noreplace) %{_usr}/share/ipa/ui/extension.js
%dir %{_usr}/share/ipa/ui/images
%{_usr}/share/ipa/ui/images/*.png
%{_usr}/share/ipa/ui/images/*.gif
%dir %{_sysconfdir}/ipa
%dir %{_sysconfdir}/ipa/html
%config(noreplace) %{_sysconfdir}/ipa/html/ssbrowser.html
%config(noreplace) %{_sysconfdir}/ipa/html/ipa_error.css
%config(noreplace) %{_sysconfdir}/ipa/html/unauthorized.html
%config(noreplace) %{_sysconfdir}/ipa/html/browserconfig.html
%config(noreplace) %{_sysconfdir}/ipa/html/hbac-deny-remove.html
%ghost %attr(0644,root,apache) %config(noreplace) %{_sysconfdir}/httpd/conf.d/ipa-rewrite.conf
%ghost %attr(0644,root,apache) %config(noreplace) %{_sysconfdir}/httpd/conf.d/ipa.conf
%ghost %attr(0644,root,apache) %config(noreplace) %{_sysconfdir}/httpd/conf.d/ipa-pki-proxy.conf
%{_usr}/share/ipa/ipa.conf
%{_usr}/share/ipa/ipa-rewrite.conf
%{_usr}/share/ipa/ipa-pki-proxy.conf
%ghost %attr(0644,root,apache) %config(noreplace) %{_usr}/share/ipa/html/ca.crt
%ghost %attr(0644,root,apache) %{_usr}/share/ipa/html/configure.jar
%ghost %attr(0644,root,apache) %{_usr}/share/ipa/html/krb.con
%ghost %attr(0644,root,apache) %{_usr}/share/ipa/html/krb5.ini
%ghost %attr(0644,root,apache) %{_usr}/share/ipa/html/krbrealm.con
%ghost %attr(0644,root,apache) %{_usr}/share/ipa/html/preferences.html
%dir %{_usr}/share/ipa/updates/
%{_usr}/share/ipa/updates/*
%attr(755,root,root) %{plugin_dir}/libipa_pwd_extop.so
@ -484,7 +484,7 @@ fi
%attr(700,root,root) %dir %{_localstatedir}/lib/ipa/sysrestore
%dir %{_localstatedir}/cache/ipa
%attr(700,apache,apache) %dir %{_localstatedir}/cache/ipa/sessions
%attr(700,root,root) %dir %{_localstatedir}/cache/ipa/kpasswd
%attr(755,root,root) %{_libdir}/krb5/plugins/kdb/ipadb.so
%{_mandir}/man1/ipa-replica-conncheck.1.gz
%{_mandir}/man1/ipa-replica-install.1.gz
%{_mandir}/man1/ipa-replica-manage.1.gz
@ -498,14 +498,13 @@ fi
%{_mandir}/man1/ipa-nis-manage.1.gz
%{_mandir}/man1/ipa-managed-entries.1.gz
%{_mandir}/man1/ipa-ldap-updater.1.gz
%{_mandir}/man8/ipa_kpasswd.8.gz
%{_mandir}/man8/ipactl.8.gz
%{_mandir}/man8/ipa-upgradeconfig.8.gz
%{_mandir}/man1/ipa-compliance.1.gz
%files server-selinux
%defattr(-,root,root,-)
%doc COPYING README Contributors.txt
%{_usr}/share/selinux/targeted/ipa_kpasswd.pp
%{_usr}/share/selinux/targeted/ipa_httpd.pp
%{_usr}/share/selinux/targeted/ipa_dogtag.pp
%endif
@ -554,8 +553,12 @@ fi
%{python_sitelib}/freeipa-*.egg-info
%{python_sitearch}/python_default_encoding-*.egg-info
%ghost %attr(0644,root,apache) %config(noreplace) %{_sysconfdir}/ipa/default.conf
%ghost %attr(0644,root,apache) %config(noreplace) %{_sysconfdir}/ipa/ca.crt
%changelog
* Mon Feb 06 2012 Rob Crittenden <rcritten@redhat.com> - 2.1.90-0.1
- Update to upstream 2.2.0 alpha 1 (2.1.90.pre1)
* Wed Feb 01 2012 Alexander Bokovoy <abokovoy@redhat.com> - 2.1.4-5
- Force to use 389-ds 1.2.10-0.8.a7 or above
- Improve upgrade script to handle systemd 389-ds change
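Review bot: In the new `%posttrans server` scriptlet, `ipa-ldap-updater --upgrade` is no longer inside the `if [ $1 -gt 1 ]` upgrade guard that wrapped it in `%post server`, so it looks like it will also run on a first install, before any IPA instance has been configured. The call still ends in `>/dev/null 2>&1 || :`, which hides a failed LDAP update (these may include schema and access-control changes) from whoever runs the transaction, unless the updater keeps a log of its own that is not visible here. I would gate the call on the server already being configured and surface failures, e.g. `/usr/sbin/ipa-ldap-updater --upgrade >/dev/null 2>&1 || echo "ipa-ldap-updater --upgrade failed" >&2`. The +/- markers are lost on this page, so the old/new reading is inferred from the hunk counts (`-341,9 +333,13`).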


@ -1 +1 @@
213047f62f3dfa5d6088fe916356c298 freeipa-2.1.4.tar.gz
c0d9c3bbc2ba603d14f97098fe11057d freeipa-2.1.90.pre1.tar.gz