From c3929a4ff38e7796a03dbb5265f41133f3200382 Mon Sep 17 00:00:00 2001 From: Rob Crittenden Date: Mon, 6 Feb 2012 14:51:43 -0500 Subject: [PATCH] Update to upstream 2.2.0 alpha 1 (2.1.90.pre1) Remove unused patches, update tarball, sync spec to upstream spec ipa_kpasswd has been dropped upstream --- .gitignore | 1 + ...pa-2.1.4-connection-failure-recovery.patch | 95 ------------ freeipa-2.1.4-fix-pylint-f16.patch | 88 ----------- freeipa-2.1.4-logging.patch | 138 ------------------ freeipa-2.1.4-replica-install-services.patch | 72 --------- freeipa-2.1.4-replication-addentry.patch | 93 ------------ ...a-2.1.4-selinux-web-migration-policy.patch | 35 ----- ...plugins-use-thread-safe-ldap-library.patch | 39 ----- freeipa.spec | 87 +++++------ sources | 2 +- 10 files changed, 47 insertions(+), 603 deletions(-) delete mode 100644 freeipa-2.1.4-connection-failure-recovery.patch delete mode 100644 freeipa-2.1.4-fix-pylint-f16.patch delete mode 100644 freeipa-2.1.4-logging.patch delete mode 100644 freeipa-2.1.4-replica-install-services.patch delete mode 100644 freeipa-2.1.4-replication-addentry.patch delete mode 100644 freeipa-2.1.4-selinux-web-migration-policy.patch delete mode 100644 freeipa-2.1.4-slapi-plugins-use-thread-safe-ldap-library.patch diff --git a/.gitignore b/.gitignore index f7374d7..e26dc56 100644 --- a/.gitignore +++ b/.gitignore @@ -11,3 +11,4 @@ /freeipa-2.1.3.tar.gz /freeipa-2.1.3-wait_for_socket.patch.gz /freeipa-2.1.4.tar.gz +/freeipa-2.1.90.pre1.tar.gz diff --git a/freeipa-2.1.4-connection-failure-recovery.patch b/freeipa-2.1.4-connection-failure-recovery.patch deleted file mode 100644 index 98c7d95..0000000 --- a/freeipa-2.1.4-connection-failure-recovery.patch +++ /dev/null 
@@ -1,95 +0,0 @@ -From 859d28ce9d4b0f356122b576eab397ed7a066745 Mon Sep 17 00:00:00 2001 -From: Martin Kosek -Date: Thu, 8 Dec 2011 14:52:49 +0100 -Subject: [PATCH 4/6] Add connection failure recovery to IPAdmin - -Recover from connection failures in IPAdmin LDAP bind functions and -rather try reconnect in scope of a given timeout instead of giving -up after the first failed connection. - -The recovery fixes ipa-ldap-updater on F-16 which always failed -because of a missing dirsrv socket. - -https://fedorahosted.org/freeipa/ticket/2175 ---- - ipaserver/ipaldap.py | 35 +++++++++++++++++++++++++++++------ - 1 files changed, 29 insertions(+), 6 deletions(-) - -diff --git a/ipaserver/ipaldap.py b/ipaserver/ipaldap.py -index 74cfbfda911facbf6f3bddf5972b3f035a9cfde0..1820e690b10c820efcd3217801bde6b685bbf20b 100644 ---- a/ipaserver/ipaldap.py -+++ b/ipaserver/ipaldap.py -@@ -30,14 +30,17 @@ import cStringIO - import time - import struct - import ldap.sasl -+import ldapurl - from ldap.controls import LDAPControl,DecodeControlTuples,EncodeControlTuples - from ldap.ldapobject import SimpleLDAPObject - from ipaserver import ipautil -+from ipaserver.install import installutils - from ipalib import errors - from ipapython.ipautil import format_netloc - - # Global variable to define SASL auth - SASL_AUTH = ldap.sasl.sasl({},'GSSAPI') -+DEFAULT_TIMEOUT = 10 - - class Entry: - """ -@@ -330,6 +333,26 @@ class IPAdmin(SimpleLDAPObject): - except ldap.LDAPError, e: - raise errors.DatabaseError(desc=desc,info=info) - -+ def __wait_for_connection(self, timeout): -+ lurl = ldapurl.LDAPUrl(self._uri) -+ if lurl.urlscheme == 'ldapi': -+ installutils.wait_for_open_socket(lurl.hostport, timeout) -+ else: -+ (host,port) = lurl.hostport.split(':') -+ installutils.wait_for_open_ports(host, int(port), timeout) -+ -+ def __bind_with_wait(self, bind_func, timeout, *args, **kwargs): -+ try: -+ bind_func(*args, **kwargs) -+ except (ldap.CONNECT_ERROR, ldap.SERVER_DOWN), e: -+ if not timeout: -+ 
raise e -+ try: -+ self.__wait_for_connection(timeout) -+ except: -+ raise e -+ bind_func(*args, **kwargs) -+ - def toLDAPURL(self): - return "ldap://%s/" % format_netloc(self.host, self.port) - -@@ -346,19 +369,19 @@ class IPAdmin(SimpleLDAPObject): - except ldap.LDAPError, e: - self.__handle_errors(e, **{}) - -- def do_simple_bind(self, binddn="cn=directory manager", bindpw=""): -+ def do_simple_bind(self, binddn="cn=directory manager", bindpw="", timeout=DEFAULT_TIMEOUT): - self.binddn = binddn - self.bindpwd = bindpw -- self.simple_bind_s(binddn, bindpw) -+ self.__bind_with_wait(self.simple_bind_s, timeout, binddn, bindpw) - self.__lateinit() - -- def do_sasl_gssapi_bind(self): -- self.sasl_interactive_bind_s('', SASL_AUTH) -+ def do_sasl_gssapi_bind(self, timeout=DEFAULT_TIMEOUT): -+ self.__bind_with_wait(self.sasl_interactive_bind_s, timeout, '', SASL_AUTH) - self.__lateinit() - -- def do_external_bind(self, user_name=None): -+ def do_external_bind(self, user_name=None, timeout=DEFAULT_TIMEOUT): - auth_tokens = ldap.sasl.external(user_name) -- self.sasl_interactive_bind_s("", auth_tokens) -+ self.__bind_with_wait(self.sasl_interactive_bind_s, timeout, '', auth_tokens) - self.__lateinit() - - def getEntry(self,*args): --- -1.7.7.4 - diff --git a/freeipa-2.1.4-fix-pylint-f16.patch b/freeipa-2.1.4-fix-pylint-f16.patch deleted file mode 100644 index 06d24c6..0000000 --- a/freeipa-2.1.4-fix-pylint-f16.patch +++ /dev/null 
@@ -1,88 +0,0 @@ -From d27b23d4315d24e62d83ddf0012b347ffad36e9c Mon Sep 17 00:00:00 2001 -From: Rob Crittenden -Date: Thu, 8 Dec 2011 16:11:22 -0500 -Subject: [PATCH 6/6] Fix some pylint issues found in F-16 - -* Using default_attributes rather than what would be defined in output - is the preferred mechanism for determining what attributes to - retrieve. - -* Replace some add_s() calls with addEntry() ---- - doc/examples/examples.py | 9 +++++++-- - ipaserver/install/krbinstance.py | 4 ++-- - ipaserver/install/service.py | 2 +- - 3 files changed, 10 insertions(+), 5 deletions(-) - -diff --git a/doc/examples/examples.py b/doc/examples/examples.py -index a969c898bcf8a6829b83898bd2d68400ae939ff3..7053e589a1a058d7742b51cbceaf683971555621 100644 ---- a/doc/examples/examples.py -+++ b/doc/examples/examples.py -@@ -314,6 +314,11 @@ class exuser(Object): - ), - ) - -+ # You may not want to return all attributes in the entry by default. -+ # Use default_attributes to limit the list of returned values. The -+ # caller can set all to True to return all attributes. 
-+ default_attributes = ['uid', 'givenname', 'sn'] -+ - # register the object, uncomment this line if you want to try it out - #api.register(exuser) - -@@ -352,7 +357,7 @@ class exuser_show(Method): - if options.get('all', False): - attrs_list = ['*'] - else: -- attrs_list = [p.name for p in self.output_params()] -+ attrs_list = self.obj.default_attributes - - (dn, entry_attrs) = ldap.get_entry(dn, attrs_list) - entry_attrs['dn'] = dn -@@ -398,7 +403,7 @@ class exuser_find(Method): - if options.get('all', False): - attrs_list = ['*'] - else: -- attrs_list = [p.name for p in self.output_params()] -+ attrs_list = self.obj.default_attributes - - # perform the search - (entries, truncated) = ldap.find_entries( -diff --git a/ipaserver/install/krbinstance.py b/ipaserver/install/krbinstance.py -index ce70c231dfb7e7b6b59c0496721cced0d09f1604..df6fc5a6ea6fbc4d9c207122dbb3c1ce1f5b4f50 100644 ---- a/ipaserver/install/krbinstance.py -+++ b/ipaserver/install/krbinstance.py -@@ -284,7 +284,7 @@ class KrbInstance(service.Service): - entry.setValues("nsSaslMapFilterTemplate", '(krbPrincipalName=\\1@\\2)') - - try: -- self.admin_conn.add_s(entry) -+ self.admin_conn.addEntry(entry) - except ldap.ALREADY_EXISTS: - logging.critical("failed to add Full Principal Sasl mapping") - raise e -@@ -297,7 +297,7 @@ class KrbInstance(service.Service): - entry.setValues("nsSaslMapFilterTemplate", '(krbPrincipalName=&@%s)' % self.realm) - - try: -- self.admin_conn.add_s(entry) -+ self.admin_conn.addEntry(entry) - except ldap.ALREADY_EXISTS: - logging.critical("failed to add Name Only Sasl mapping") - raise e -diff --git a/ipaserver/install/service.py b/ipaserver/install/service.py -index 2fd15d8f8010114914549871fc5d0a228561fe1c..9fcc095b64f1abc121f1960d7c7ec15dbe53821f 100644 ---- a/ipaserver/install/service.py -+++ b/ipaserver/install/service.py -@@ -287,7 +287,7 @@ class Service(object): - "enabledService", "startOrder " + str(order)) - - try: -- conn.add_s(entry) -+ conn.addEntry(entry) - 
except ldap.ALREADY_EXISTS, e: - logging.critical("failed to add %s Service startup entry" % name) - raise e --- -1.7.7.4 - diff --git a/freeipa-2.1.4-logging.patch b/freeipa-2.1.4-logging.patch deleted file mode 100644 index f9f7fb3..0000000 --- a/freeipa-2.1.4-logging.patch +++ /dev/null 
@@ -1,138 +0,0 @@ -From 402867038f8664e88e2d9ca42f2c77a46a0be7ae Mon Sep 17 00:00:00 2001 -From: Martin Kosek -Date: Mon, 2 Jan 2012 16:49:59 +0100 -Subject: [PATCH 1/3] Make sure that install tools log - -When any log message is emitted before IPA install tools logging is -configured, it may break and leave install tools log empty. This -happens for example when - -ipa-server-install --ip-address=$IP_ADDRESS - -is run. - -This patch makes sure that logging is right in these cases. - -https://fedorahosted.org/freeipa/ticket/2214 ---- - install/tools/ipa-ca-install | 1 + - install/tools/ipa-dns-install | 1 + - install/tools/ipa-replica-install | 1 + - install/tools/ipa-server-install | 2 + - ipaserver/install/installutils.py | 43 +++++++++++++++++++++++++++++++++++++ - 5 files changed, 48 insertions(+), 0 deletions(-) - -diff --git a/install/tools/ipa-ca-install b/install/tools/ipa-ca-install -index 445b0621419b7aa5b4616e154d9f8193a5d517fb..c813659f34f4471132b83fd4159b69b76f5ce487 100755 ---- a/install/tools/ipa-ca-install -+++ b/install/tools/ipa-ca-install -@@ -70,6 +70,7 @@ def get_dirman_password(): - return installutils.read_password("Directory Manager (existing master)", confirm=False, validate=False) - - def main(): -+ installutils.bootstrap_logging() - safe_options, options, filename = parse_options() - installutils.standard_logging_setup("/var/log/ipareplica-ca-install.log", options.debug) - logging.debug('%s was invoked with argument "%s" and options: %s' % (sys.argv[0], filename, safe_options)) -diff --git a/install/tools/ipa-dns-install b/install/tools/ipa-dns-install -index d81b6a2e804a815d5bece8426a286e3190f6dee3..25c1bb0cac251d098e3744afd7b7eeab32a3fe6b 100755 ---- a/install/tools/ipa-dns-install -+++ b/install/tools/ipa-dns-install -@@ -82,6 +82,7 @@ def parse_options(): - return safe_options, options - - def main(): -+ bootstrap_logging() - safe_options, options = parse_options() - - if os.getegid() != 0: -diff --git 
a/install/tools/ipa-replica-install b/install/tools/ipa-replica-install -index dbc736764f38489df15900c4540a381764d0c261..7310d286292f571ef25b57b29d2a213f4bd855a1 100755 ---- a/install/tools/ipa-replica-install -+++ b/install/tools/ipa-replica-install -@@ -286,6 +286,7 @@ def check_bind(): - sys.exit(1) - - def main(): -+ installutils.bootstrap_logging() - safe_options, options, filename = parse_options() - installutils.standard_logging_setup("/var/log/ipareplica-install.log", options.debug) - logging.debug('%s was invoked with argument "%s" and options: %s' % (sys.argv[0], filename, safe_options)) -diff --git a/install/tools/ipa-server-install b/install/tools/ipa-server-install -index 8f156e8dde7fbc4cfde00a0f6a2fc8e23403cc73..755f2772780010c62fdc642125107843bef61668 100755 ---- a/install/tools/ipa-server-install -+++ b/install/tools/ipa-server-install -@@ -562,6 +562,8 @@ def main(): - global installation_cleanup - ds = None - -+ bootstrap_logging() -+ - safe_options, options = parse_options() - - if os.getegid() != 0: -diff --git a/ipaserver/install/installutils.py b/ipaserver/install/installutils.py -index 0a36c354e1d2f901bfdef51c151d035ba8ee64ca..d0f611c611847d02f3d264d669a2e90689f5a87b 100644 ---- a/ipaserver/install/installutils.py -+++ b/ipaserver/install/installutils.py -@@ -314,7 +314,47 @@ def port_available(port): - - return rv - -+class BufferingHandler(logging.Handler): -+ log_queue = [] -+ -+ def __init__(self): -+ logging.Handler.__init__(self) -+ self.level = logging.DEBUG -+ -+ def emit(self, record): -+ self.log_queue.append(record) -+ -+ def flush(self): -+ pass -+ -+def bootstrap_logging(): -+ """ -+ Bootstrap logging and create special handler which will buffer any log -+ emitted before standard_logging_setup is called. These will be later -+ processed when the logging is set up. 
-+ """ -+ root_logger = logging.getLogger() -+ root_logger.setLevel(logging.DEBUG) -+ root_logger.addHandler(BufferingHandler()) -+ - def standard_logging_setup(log_filename, debug=False, filemode='w'): -+ """ -+ Set up logging. bootstrap_logging() should be called earlier if there -+ is a chance that a log is emitted before this setup. -+ """ -+ root_logger = logging.getLogger() -+ log_queue = [] -+ -+ if root_logger.handlers: -+ # Remove any handlers that may have been set and which may cause -+ # problems with logging in install utils -+ handler_list = list(logging.getLogger().handlers) -+ -+ for handler in handler_list: -+ if isinstance(handler, BufferingHandler): -+ log_queue.extend(handler.log_queue) -+ root_logger.removeHandler(handler) -+ - old_umask = os.umask(077) - # Always log everything (i.e., DEBUG) to the log - # file. -@@ -335,6 +375,9 @@ def standard_logging_setup(log_filename, debug=False, filemode='w'): - console.setFormatter(formatter) - logging.getLogger('').addHandler(console) - -+ for log_record in log_queue: -+ root_logger.handle(log_record) -+ - def get_password(prompt): - if os.isatty(sys.stdin.fileno()): - return getpass.getpass(prompt) --- -1.7.7.5 - diff --git a/freeipa-2.1.4-replica-install-services.patch b/freeipa-2.1.4-replica-install-services.patch deleted file mode 100644 index a00895a..0000000 --- a/freeipa-2.1.4-replica-install-services.patch +++ /dev/null 
@@ -1,72 +0,0 @@ -From a018ba4013ad18eb75bdfd50887ef12ad2d77972 Mon Sep 17 00:00:00 2001 -From: Martin Kosek -Date: Wed, 11 Jan 2012 10:07:03 +0100 -Subject: [PATCH 3/3] Prevent service restart failures in ipa-replica-install - -Call restart() methods of appropriate services instead of calling -the system service restart command directly as service() method -has a capability to wait until the service is fully up. Without -this patch ipa-replica-install crashed on F-16 because krb5kdc -service was started before dirsrv service was fully up. - -https://fedorahosted.org/freeipa/ticket/2139 ---- - install/tools/ipa-replica-install | 21 ++++++++++++++++----- - 1 files changed, 16 insertions(+), 5 deletions(-) - -diff --git a/install/tools/ipa-replica-install b/install/tools/ipa-replica-install -index 7310d286292f571ef25b57b29d2a213f4bd855a1..9c637202917fc67da68cea61ebc1b41169bbf2db 100755 ---- a/install/tools/ipa-replica-install -+++ b/install/tools/ipa-replica-install -@@ -155,6 +155,8 @@ def install_krb(config, setup_pkinit=False): - ldappwd_filename, kpasswd_filename, - setup_pkinit, pkcs12_info) - -+ return krb -+ - def install_ca_cert(config): - cafile = config.dir + "/ca.crt" - if not ipautil.file_exists(cafile): -@@ -188,6 +190,8 @@ def install_http(config, auto_redirect): - print "error copying files: " + str(e) - sys.exit(1) - -+ return http -+ - def install_bind(config, options): - api.Backend.ldap2.connect(bind_dn="cn=Directory Manager", - bind_pw=config.dirman_password) -@@ -442,8 +446,8 @@ def main(): - cs.add_simple_service('dogtagldap/%s@%s' % (config.host_name, config.realm_name)) - cs.add_cert_to_service() - -- install_krb(config, setup_pkinit=options.setup_pkinit) -- install_http(config, auto_redirect=options.ui_redirect) -+ krb = install_krb(config, setup_pkinit=options.setup_pkinit) -+ http = install_http(config, auto_redirect=options.ui_redirect) - if CA: - CA.import_ra_cert(dir + "/ra.p12") - CA.fix_ra_perms() -@@ -457,9 +461,16 @@ def main(): - 
service.print_msg("Applying LDAP updates") - ds.apply_updates() - -- ipaservices.knownservices.dirsrv.restart() -- ipaservices.knownservices.krb5kdc.restart() -- ipaservices.knownservices.httpd.restart() -+ # Restart ds and krb after configurations have been changed -+ service.print_msg("Restarting the directory server") -+ ds.restart() -+ -+ service.print_msg("Restarting the KDC") -+ krb.restart() -+ -+ # Restart httpd to pick up the new IPA configuration -+ service.print_msg("Restarting the web server") -+ http.restart() - - if options.setup_dns: - install_bind(config, options) --- -1.7.7.5 - diff --git a/freeipa-2.1.4-replication-addentry.patch b/freeipa-2.1.4-replication-addentry.patch deleted file mode 100644 index 1b89234..0000000 --- a/freeipa-2.1.4-replication-addentry.patch +++ /dev/null 
@@ -1,93 +0,0 @@ -From e14b13000890ff13cb9c062e6a32e1e127587bc7 Mon Sep 17 00:00:00 2001 -From: Martin Kosek -Date: Wed, 11 Jan 2012 10:06:39 +0100 -Subject: [PATCH 2/3] Fix LDAP add calls in replication module - -Replace conn.add_s(entry) with conn.addEntry(entry) to avoid -function calls with an invalid number of parameters. - -https://fedorahosted.org/freeipa/ticket/2139 ---- - ipaserver/install/replication.py | 22 +++++++++++----------- - 1 files changed, 11 insertions(+), 11 deletions(-) - -diff --git a/ipaserver/install/replication.py b/ipaserver/install/replication.py -index a6bd7af37bb7c6761841d68ff733276045a7ddab..8f0f226dbacc0ee3b84357c059c91936af034fed 100644 ---- a/ipaserver/install/replication.py -+++ b/ipaserver/install/replication.py -@@ -225,8 +225,8 @@ class ReplicationManager(object): - ent.setValues("sn", "replication manager pseudo user") - - try: -- conn.add_s(ent) -- except ldap.ALREADY_EXISTS: -+ conn.addEntry(ent) -+ except errors.DuplicateEntry: - conn.modify_s(dn, [(ldap.MOD_REPLACE, "userpassword", pw)]) - pass - -@@ -275,7 +275,7 @@ class ReplicationManager(object): - entry.setValues('nsds5replicabinddn', [replica_binddn]) - entry.setValues('nsds5replicalegacyconsumer', "off") - -- conn.add_s(entry) -+ conn.addEntry(entry) - - def setup_changelog(self, conn): - dn = "cn=changelog5, cn=config" -@@ -285,8 +285,8 @@ class ReplicationManager(object): - entry.setValues('cn', "changelog5") - entry.setValues('nsslapd-changelogdir', dirpath) - try: -- conn.add_s(entry) -- except ldap.ALREADY_EXISTS: -+ conn.addEntry(entry) -+ except errors.DuplicateEntry: - return - - def setup_chaining_backend(self, conn): -@@ -308,11 +308,11 @@ class ReplicationManager(object): - entry.setValues('nsmultiplexorbinddn', self.repl_man_dn) - entry.setValues('nsmultiplexorcredentials', self.repl_man_passwd) - -- self.conn.add_s(entry) -+ self.conn.addEntry(entry) - done = True -- except ldap.ALREADY_EXISTS: -+ except errors.DuplicateEntry: - benum += 1 -- except 
ldap.LDAPError, e: -+ except errors.ExecutionError, e: - print "Could not add backend entry " + dn, e - raise - -@@ -376,7 +376,7 @@ class ReplicationManager(object): - entry.setValues("objectclass", ["account", "simplesecurityobject"]) - entry.setValues("uid", "passsync") - entry.setValues("userPassword", password) -- conn.add_s(entry) -+ conn.addEntry(entry) - - # Add it to the list of users allowed to bypass password policy - extop_dn = "cn=ipa_pwd_extop,cn=plugins,cn=config" -@@ -470,7 +470,7 @@ class ReplicationManager(object): - if iswinsync: - self.setup_winsync_agmt(entry, win_subtree) - -- a_conn.add_s(entry) -+ a_conn.addEntry(entry) - - entry = a_conn.waitForEntry(entry) - -@@ -746,7 +746,7 @@ class ReplicationManager(object): - entry.setValues("ipaConfigString", "winsync:%s" % self.hostname) - - try: -- self.conn.add_s(entry) -+ self.conn.addEntry(entry) - except Exception, e: - logging.info("Failed to create public entry for winsync replica") - --- -1.7.7.5 - diff --git a/freeipa-2.1.4-selinux-web-migration-policy.patch b/freeipa-2.1.4-selinux-web-migration-policy.patch deleted file mode 100644 index 4795631..0000000 --- a/freeipa-2.1.4-selinux-web-migration-policy.patch +++ /dev/null 
@@ -1,35 +0,0 @@ -From d214ba7547fdda279fa3fd38129a600979d6213b Mon Sep 17 00:00:00 2001 -From: Alexander Bokovoy -Date: Wed, 21 Dec 2011 14:44:06 +0200 -Subject: [PATCH] Re-enable web password migration on Fedora 16 after SE Linux - policy restrictions - -Web password migration tool uses connection to the LDAPI socket. -Enable access to the ns-slapd socket. ---- - selinux/ipa_httpd/ipa_httpd.te | 2 ++ - 1 files changed, 2 insertions(+), 0 deletions(-) - -diff --git a/selinux/ipa_httpd/ipa_httpd.te b/selinux/ipa_httpd/ipa_httpd.te -index 65b161fe58cbe64c476fc6abb17b68d741d5d321..64525ba99ad2c455941a937d77ea5cc1af6c68d0 100644 ---- a/selinux/ipa_httpd/ipa_httpd.te -+++ b/selinux/ipa_httpd/ipa_httpd.te -@@ -7,6 +7,7 @@ require { - type var_run_t; - type krb5kdc_t; - type cert_t; -+ type dirsrv_t; - class sock_file write; - class unix_stream_socket connectto; - class file write; -@@ -15,6 +16,7 @@ require { - # Let Apache, bind and the KDC talk to DS over ldapi - allow httpd_t var_run_t:sock_file write; - allow httpd_t initrc_t:unix_stream_socket connectto; -+allow httpd_t dirsrv_t:unix_stream_socket connectto; - allow krb5kdc_t var_run_t:sock_file write; - allow krb5kdc_t initrc_t:unix_stream_socket connectto; - allow named_t var_run_t:sock_file write; --- -1.7.8 - diff --git a/freeipa-2.1.4-slapi-plugins-use-thread-safe-ldap-library.patch b/freeipa-2.1.4-slapi-plugins-use-thread-safe-ldap-library.patch deleted file mode 100644 index 2e51e09..0000000 --- a/freeipa-2.1.4-slapi-plugins-use-thread-safe-ldap-library.patch +++ /dev/null 
@@ -1,39 +0,0 @@ ->From e744b07fe589d36257590f31adf7a5dae3a51f55 Mon Sep 17 00:00:00 2001 -From: Simo Sorce -Date: Tue, 20 Dec 2011 12:39:34 -0500 -Subject: [PATCH] slapi-plugins: use thread-safe ldap library - ---- - daemons/configure.ac | 2 +- - freeipa.spec.in | 2 +- - 2 files changed, 2 insertions(+), 2 deletions(-) - -diff --git a/daemons/configure.ac b/daemons/configure.ac -index d15a5c70c000a9d83f9ccb6d05851f1400ae4627..9ff858a6b360b011be95ff9aac729a0e837356c2 100644 ---- a/daemons/configure.ac -+++ b/daemons/configure.ac -@@ -174,7 +174,7 @@ if test "$with_ldap" = "yes"; then - if test "$with_ldap_lber" = "yes" ; then - OPENLDAP_LIBS="${OPENLDAP_LIBS} -llber" - fi -- OPENLDAP_LIBS="${OPENLDAP_LIBS} -lldap" -+ OPENLDAP_LIBS="${OPENLDAP_LIBS} -lldap_r" - else - AC_MSG_ERROR([OpenLDAP not found]) - fi -diff --git a/freeipa.spec.in b/freeipa.spec.in -index 3305fda55a30523d0b86a0fb79ee74f60a544b92..36b68795eec02d11176c2369b50ec6c732925ad1 100644 ---- a/freeipa.spec.in -+++ b/freeipa.spec.in -@@ -24,7 +24,7 @@ Source0: freeipa-%{version}.tar.gz - BuildRoot: %{_tmppath}/%{name}-%{version}-%{release}-root-%(%{__id_u} -n) - - %if ! %{ONLY_CLIENT} --BuildRequires: 389-ds-base-devel >= 1.2.9 -+BuildRequires: 389-ds-base-devel >= 1.2.10-0.6.a6 - BuildRequires: svrcore-devel - BuildRequires: /usr/share/selinux/devel/Makefile - BuildRequires: policycoreutils >= %{POLICYCOREUTILSVER} --- -1.7.7.4 - diff --git a/freeipa.spec b/freeipa.spec index 0fb8cbb..6d23c3b 100644 --- a/freeipa.spec +++ b/freeipa.spec 
@@ -11,27 +11,21 @@ distutils.sysconfig import get_python_lib; print(get_python_lib(1))")} %endif %global POLICYCOREUTILSVER 1.33.12-1 %global gettext_domain ipa +%global VERSION 2.1.90.pre1 Name: freeipa -Version: 2.1.4 -Release: 5%{?dist} +Version: 2.1.90 +Release: 0.1%{?dist} Summary: The Identity, Policy and Audit system Group: System Environment/Base License: GPLv3+ URL: http://www.freeipa.org/ -Source0: freeipa-%{version}.tar.gz -Patch0: freeipa-2.1.4-connection-failure-recovery.patch -Patch1: freeipa-2.1.4-fix-pylint-f16.patch -Patch2: freeipa-2.1.4-slapi-plugins-use-thread-safe-ldap-library.patch -Patch3: freeipa-2.1.4-selinux-web-migration-policy.patch -Patch4: freeipa-2.1.4-logging.patch -Patch5: freeipa-2.1.4-replication-addentry.patch -Patch6: freeipa-2.1.4-replica-install-services.patch +Source0: freeipa-%{VERSION}.tar.gz Patch7: freeipa-2.1.4-inifiles-support.patch Patch8: freeipa-2.1.4-python-ldap-2.4.6-support.patch Patch9: freeipa-2.1.4-upgrade-systemd.patch -BuildRoot: %{_tmppath}/%{name}-%{version}-%{release}-root-%(%{__id_u} -n) +BuildRoot: %{_tmppath}/%{name}-%{VERSION}-%{release}-root-%(%{__id_u} -n) %if ! %{ONLY_CLIENT} BuildRequires: 389-ds-base-devel >= 1.2.10-0.6.a6 @@ -86,7 +80,7 @@ Requires(pre): 389-ds-base >= 1.2.10-0.8.a7 Requires: openldap-clients Requires: nss Requires: nss-tools -Requires: krb5-server >= 1.9.1-15 +Requires: krb5-server >= 1.10-2 Requires: krb5-server-ldap Requires: krb5-pkinit-openssl Requires: cyrus-sasl-gssapi%{?_isa} @@ -102,9 +96,9 @@ Requires: python-pyasn1 >= 0.0.9a Requires: systemd-units >= 36-3 Requires(pre): systemd-units Requires(post): systemd-units -Requires: selinux-policy >= 3.10.0-31 +Requires: selinux-policy >= 3.10.0-82 Requires(post): selinux-policy-base -Requires: slapi-nis >= 0.21 +Requires: slapi-nis >= 0.36 Requires: pki-ca >= 9.0.17 Requires: pki-silent >= 9.0.17 # Only tomcat6 greater than this version provides proper systemd support 
@@ -163,8 +157,8 @@ Requires: krb5-workstation Requires: authconfig Requires: pam_krb5 Requires: wget -Requires: libcurl >= 7.21.7-2 -Requires: xmlrpc-c >= 1.27.4 +Requires: libcurl >= 7.21.7-2 +Requires: xmlrpc-c >= 1.27.4 Requires: sssd >= 1.6.2 Requires: certmonger >= 0.26 Requires: nss-tools @@ -223,14 +217,7 @@ package. %prep -%setup -n freeipa-%{version} -q -%patch0 -p1 -%patch1 -p1 -%patch2 -p1 -%patch3 -p1 -%patch4 -p1 -%patch5 -p1 -%patch6 -p1 +%setup -n freeipa-%{VERSION} -q %patch7 -p1 %patch8 -p1 %patch9 -p1 @@ -283,6 +270,7 @@ rm %{buildroot}/%{plugin_dir}/libipa_repl_version.la rm %{buildroot}/%{plugin_dir}/libipa_uuid.la rm %{buildroot}/%{plugin_dir}/libipa_modrdn.la rm %{buildroot}/%{plugin_dir}/libipa_lockout.la +rm %{buildroot}/%{_libdir}/krb5/plugins/kdb/ipadb.la # Some user-modifiable HTML files are provided. Move these to /etc # and link back. @@ -295,8 +283,6 @@ ln -s ../../../..%{_sysconfdir}/ipa/html/unauthorized.html \ %{buildroot}%{_usr}/share/ipa/html/unauthorized.html ln -s ../../../..%{_sysconfdir}/ipa/html/browserconfig.html \ %{buildroot}%{_usr}/share/ipa/html/browserconfig.html -ln -s ../../../..%{_sysconfdir}/ipa/html/hbac-deny-remove.html \ - %{buildroot}%{_usr}/share/ipa/html/hbac-deny-remove.html ln -s ../../../..%{_sysconfdir}/ipa/html/ipa_error.css \ %{buildroot}%{_usr}/share/ipa/html/ipa_error.css 
@@ -305,18 +291,24 @@ mkdir -p %{buildroot}%{_sysconfdir}/httpd/conf.d/ /bin/touch %{buildroot}%{_sysconfdir}/httpd/conf.d/ipa.conf /bin/touch %{buildroot}%{_sysconfdir}/httpd/conf.d/ipa-pki-proxy.conf /bin/touch %{buildroot}%{_sysconfdir}/httpd/conf.d/ipa-rewrite.conf +mkdir -p %{buildroot}%{_usr}/share/ipa/html/ +/bin/touch %{buildroot}%{_usr}/share/ipa/html/ca.crt +/bin/touch %{buildroot}%{_usr}/share/ipa/html/configure.jar +/bin/touch %{buildroot}%{_usr}/share/ipa/html/krb.con +/bin/touch %{buildroot}%{_usr}/share/ipa/html/krb5.ini +/bin/touch %{buildroot}%{_usr}/share/ipa/html/krbrealm.con +/bin/touch %{buildroot}%{_usr}/share/ipa/html/preferences.html +mkdir -p %{buildroot}%{_initrddir} # Default to systemd initscripts for F16 and above mkdir -p %{buildroot}%{_unitdir} -for i in ipa.service ipa_kpasswd.service ; do - install -m 644 init/systemd/$i %{buildroot}%{_unitdir}/$i -done +install -m 644 init/systemd/ipa.service %{buildroot}%{_unitdir}/ipa.service mkdir -p %{buildroot}%{_libexecdir} install -m 755 init/systemd/freeipa-systemd-upgrade %{buildroot}%{_libexecdir}/freeipa-systemd-upgrade -rm -f %{buildroot}%{_initrddir}/ipa_kpasswd %endif mkdir -p %{buildroot}%{_sysconfdir}/ipa/ /bin/touch %{buildroot}%{_sysconfdir}/ipa/default.conf +/bin/touch %{buildroot}%{_sysconfdir}/ipa/ca.crt mkdir -p %{buildroot}/%{_localstatedir}/lib/ipa-client/sysrestore %if ! %{ONLY_CLIENT} @@ -341,9 +333,13 @@ if [ $1 -gt 1 ] ; then # after it has been migrated to systemd setup /usr/libexec/freeipa-systemd-upgrade || : /usr/sbin/ipa-upgradeconfig || : - /usr/sbin/ipa-ldap-updater --upgrade >/dev/null 2>&1 || : fi +%posttrans server +# This must be run in posttrans so that updates from previous +# execution that may no longer be shipped are not applied. +/usr/sbin/ipa-ldap-updater --upgrade >/dev/null 2>&1 || : + %preun server if [ $1 = 0 ]; then # Use systemd scheme 
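Review bot: The `ipa-ldap-updater --upgrade` call in the new `%posttrans server` scriptlet has lost the `if [ $1 -gt 1 ]` guard it appears to have sat under in `%post server`, and it still discards all output and the exit status (`>/dev/null 2>&1 || :`). As written it looks like it will also run on a first install, before any instance is configured. On a real upgrade a failed update leaves no trace; if the update files carry schema or access-control changes (not visible here), the server would keep running new code against old directory data unnoticed. I would run it only when a server is already configured and keep the output, e.g. `/usr/sbin/ipa-ldap-updater --upgrade >>"<UPGRADE_LOG_PLACEHOLDER>" 2>&1 || :`. The `%post server` scriptlet starts outside this hunk.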
@@ -368,7 +364,7 @@ if [ -s /etc/selinux/config ]; then fi %post server-selinux -semodule -s targeted -i /usr/share/selinux/targeted/ipa_kpasswd.pp /usr/share/selinux/targeted/ipa_httpd.pp /usr/share/selinux/targeted/ipa_dogtag.pp +semodule -s targeted -i /usr/share/selinux/targeted/ipa_httpd.pp /usr/share/selinux/targeted/ipa_dogtag.pp . %{_sysconfdir}/selinux/config FILE_CONTEXT=%{_sysconfdir}/selinux/targeted/contexts/files/file_contexts selinuxenabled @@ -390,7 +386,7 @@ fi %postun server-selinux if [ $1 = 0 ]; then -semodule -s targeted -r ipa_kpasswd ipa_httpd ipa_dogtag +semodule -s targeted -r ipa_httpd ipa_dogtag . %{_sysconfdir}/selinux/config FILE_CONTEXT=%{_sysconfdir}/selinux/targeted/contexts/files/file_contexts selinuxenabled @@ -419,14 +415,12 @@ fi %{_sbindir}/ipa-compat-manage %{_sbindir}/ipa-nis-manage %{_sbindir}/ipa-managed-entries -%{_sbindir}/ipa_kpasswd %{_sbindir}/ipactl %{_sbindir}/ipa-upgradeconfig %{_sbindir}/ipa-compliance %{_sysconfdir}/cron.d/ipa-compliance # Use systemd scheme %attr(644,root,root) %{_unitdir}/ipa.service -%attr(644,root,root) %{_unitdir}/ipa_kpasswd.service %{_libexecdir}/freeipa-systemd-upgrade %dir %{python_sitelib}/ipaserver %{python_sitelib}/ipaserver/* @@ -439,7 +433,6 @@ fi %{_usr}/share/ipa/html/ssbrowser.html %{_usr}/share/ipa/html/browserconfig.html %{_usr}/share/ipa/html/unauthorized.html -%{_usr}/share/ipa/html/hbac-deny-remove.html %{_usr}/share/ipa/html/ipa_error.css %dir %{_usr}/share/ipa/migration %{_usr}/share/ipa/migration/error.html @@ -449,8 +442,6 @@ fi %{_usr}/share/ipa/migration/migration.py* %dir %{_usr}/share/ipa/ui %{_usr}/share/ipa/ui/index.html -%{_usr}/share/ipa/ui/*.png -%{_usr}/share/ipa/ui/*.gif %{_usr}/share/ipa/ui/*.ico %{_usr}/share/ipa/ui/*.css %{_usr}/share/ipa/ui/*.js 
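Review bot: No scriptlet now unloads the `ipa_kpasswd` SELinux module on a system upgraded from 2.1.4, because this hunk drops `ipa_kpasswd.pp` from the `semodule -i` line in `%post server-selinux` and the next hunk drops `ipa_kpasswd` from the `semodule -r` line in `%postun server-selinux`. The old policy module, with whatever allow rules it carries, would stay loaded in the targeted store after its `.pp` file and the daemon are gone. I would add a best-effort removal ahead of the install line, e.g. `semodule -s targeted -r ipa_kpasswd 2>/dev/null || :`. Both scriptlets continue outside their hunks.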
@@ -458,19 +449,28 @@ fi %{_usr}/share/ipa/ui/*.svg %{_usr}/share/ipa/ui/*.ttf %{_usr}/share/ipa/ui/*.woff +%config(noreplace) %{_usr}/share/ipa/ui/extension.js +%dir %{_usr}/share/ipa/ui/images +%{_usr}/share/ipa/ui/images/*.png +%{_usr}/share/ipa/ui/images/*.gif %dir %{_sysconfdir}/ipa %dir %{_sysconfdir}/ipa/html %config(noreplace) %{_sysconfdir}/ipa/html/ssbrowser.html %config(noreplace) %{_sysconfdir}/ipa/html/ipa_error.css %config(noreplace) %{_sysconfdir}/ipa/html/unauthorized.html %config(noreplace) %{_sysconfdir}/ipa/html/browserconfig.html -%config(noreplace) %{_sysconfdir}/ipa/html/hbac-deny-remove.html %ghost %attr(0644,root,apache) %config(noreplace) %{_sysconfdir}/httpd/conf.d/ipa-rewrite.conf %ghost %attr(0644,root,apache) %config(noreplace) %{_sysconfdir}/httpd/conf.d/ipa.conf %ghost %attr(0644,root,apache) %config(noreplace) %{_sysconfdir}/httpd/conf.d/ipa-pki-proxy.conf %{_usr}/share/ipa/ipa.conf %{_usr}/share/ipa/ipa-rewrite.conf %{_usr}/share/ipa/ipa-pki-proxy.conf +%ghost %attr(0644,root,apache) %config(noreplace) %{_usr}/share/ipa/html/ca.crt +%ghost %attr(0644,root,apache) %{_usr}/share/ipa/html/configure.jar +%ghost %attr(0644,root,apache) %{_usr}/share/ipa/html/krb.con +%ghost %attr(0644,root,apache) %{_usr}/share/ipa/html/krb5.ini +%ghost %attr(0644,root,apache) %{_usr}/share/ipa/html/krbrealm.con +%ghost %attr(0644,root,apache) %{_usr}/share/ipa/html/preferences.html %dir %{_usr}/share/ipa/updates/ %{_usr}/share/ipa/updates/* %attr(755,root,root) %{plugin_dir}/libipa_pwd_extop.so @@ -484,7 +484,7 @@ fi %attr(700,root,root) %dir %{_localstatedir}/lib/ipa/sysrestore %dir %{_localstatedir}/cache/ipa %attr(700,apache,apache) %dir %{_localstatedir}/cache/ipa/sessions -%attr(700,root,root) %dir %{_localstatedir}/cache/ipa/kpasswd +%attr(755,root,root) %{_libdir}/krb5/plugins/kdb/ipadb.so %{_mandir}/man1/ipa-replica-conncheck.1.gz %{_mandir}/man1/ipa-replica-install.1.gz %{_mandir}/man1/ipa-replica-manage.1.gz 
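Review bot: `%config(noreplace) %{_usr}/share/ipa/ui/extension.js` marks a script in the web UI directory as configuration, so a locally modified copy survives every upgrade. The file stays under `/usr/share`, whereas the other user-modifiable files in this spec are moved to `%{_sysconfdir}/ipa/html` and linked back. The `%{_usr}/share/ipa/ui/*.js` glob a few lines above already matches it, so the file is listed twice in `%files`. If keeping local edits is the intent, a comment above the line should say so, e.g. `# extension.js is meant to be edited locally; upgrades must not overwrite it`, and the file should be excluded from the glob. Since the script is presumably loaded by every web UI session, file-integrity monitoring should cover it. The `%files server` section begins and ends outside this hunk.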
@@ -498,14 +498,13 @@ fi %{_mandir}/man1/ipa-nis-manage.1.gz %{_mandir}/man1/ipa-managed-entries.1.gz %{_mandir}/man1/ipa-ldap-updater.1.gz -%{_mandir}/man8/ipa_kpasswd.8.gz %{_mandir}/man8/ipactl.8.gz +%{_mandir}/man8/ipa-upgradeconfig.8.gz %{_mandir}/man1/ipa-compliance.1.gz %files server-selinux %defattr(-,root,root,-) %doc COPYING README Contributors.txt -%{_usr}/share/selinux/targeted/ipa_kpasswd.pp %{_usr}/share/selinux/targeted/ipa_httpd.pp %{_usr}/share/selinux/targeted/ipa_dogtag.pp %endif @@ -554,8 +553,12 @@ fi %{python_sitelib}/freeipa-*.egg-info %{python_sitearch}/python_default_encoding-*.egg-info %ghost %attr(0644,root,apache) %config(noreplace) %{_sysconfdir}/ipa/default.conf +%ghost %attr(0644,root,apache) %config(noreplace) %{_sysconfdir}/ipa/ca.crt %changelog +* Mon Feb 06 2012 Rob Crittenden - 2.1.90-0.1 +- Update to upstream 2.2.0 alpha 1 (2.1.90.pre1) + * Wed Feb 01 2012 Alexander Bokovoy - 2.1.4-5 - Force to use 389-ds 1.2.10-0.8.a7 or above - Improve upgrade script to handle systemd 389-ds change diff --git a/sources b/sources index 983450e..664d51b 100644 --- a/sources +++ b/sources @@ -1 +1 @@ -213047f62f3dfa5d6088fe916356c298 freeipa-2.1.4.tar.gz +c0d9c3bbc2ba603d14f97098fe11057d freeipa-2.1.90.pre1.tar.gz