diff --git a/.gitignore b/.gitignore index 0146c04..501d9c6 100644 --- a/.gitignore +++ b/.gitignore @@ -49,3 +49,5 @@ /freeipa-4.4.3.tar.gz /freeipa-4.4.4.tar.gz /freeipa-4.4.4.tar.gz.asc +/freeipa-4.5.1.tar.gz +/freeipa-4.5.1.tar.gz.asc diff --git a/0001-Workarounds-for-SELinux-execmem-violations-in-crypto.patch b/0001-Workarounds-for-SELinux-execmem-violations-in-crypto.patch index 632e68f..a85cf63 100644 --- a/0001-Workarounds-for-SELinux-execmem-violations-in-crypto.patch +++ b/0001-Workarounds-for-SELinux-execmem-violations-in-crypto.patch @@ -43,9 +43,9 @@ index ee9311e..bb201fa 100644 + +sys.modules['requests.packages.urllib3.contrib.pyopenssl'] = None + + from ipaplatform.paths import paths from ipalib import api from ipalib.config import Env - from ipalib.constants import DEFAULT_CONFIG -- 2.7.4 diff --git a/0002-bind-dyndb-ldap-DNS-fixes.patch b/0002-bind-dyndb-ldap-DNS-fixes.patch deleted file mode 100644 index c3d1782..0000000 --- a/0002-bind-dyndb-ldap-DNS-fixes.patch +++ /dev/null @@ -1,359 +0,0 @@ -From 8ccf7266c6c37cc1e402f9a3fa4c0f15462a2e15 Mon Sep 17 00:00:00 2001 -From: Tomas Krizek -Date: Mon, 16 Jan 2017 13:48:54 +0100 -Subject: [PATCH 1/6] Remove obsolete serial_autoincrement from named.conf - parsing - -Option serial_autoincrement is no longer supported. Remove it from -the named.conf parser and add it to deprecated options to be removed. - -https://fedorahosted.org/freeipa/ticket/6565 - -Reviewed-By: Martin Basti ---- - ipaserver/install/server/upgrade.py | 56 +++---------------------------------- - 1 file changed, 4 insertions(+), 52 deletions(-) - -diff --git a/ipaserver/install/server/upgrade.py b/ipaserver/install/server/upgrade.py -index eb4950d394a6297c13159c9d2de91d17f97a8943..b4c15ba7600bcdadd7a6cc50c9aac2805548dbd5 100644 ---- a/ipaserver/install/server/upgrade.py -+++ b/ipaserver/install/server/upgrade.py -@@ -420,8 +420,8 @@ def named_remove_deprecated_options(): - From IPA 3.3, persistent search is a default mechanism for new DNS zone - detection. - -- Remove psearch, zone_refresh and cache_ttl options, as they have been -- deprecated in bind-dyndb-ldap configuration file. -+ Remove psearch, zone_refresh cache_ttl and serial_autoincrement options, -+ as they have been deprecated in bind-dyndb-ldap configuration file. - - When some change in named.conf is done, this functions returns True. - """ -@@ -433,7 +433,8 @@ def named_remove_deprecated_options(): - root_logger.info('DNS is not configured') - return False - -- deprecated_options = ['zone_refresh', 'psearch', 'cache_ttl'] -+ deprecated_options = ['zone_refresh', 'psearch', 'cache_ttl', -+ 'serial_autoincrement'] - removed_options = [] - - try: -@@ -510,54 +511,6 @@ def named_set_minimum_connections(): - return changed - - --def named_enable_serial_autoincrement(): -- """ -- Serial autoincrement is a requirement for zone transfers or DNSSEC. It -- should be enabled both for new installs and upgraded servers. -- -- When some change in named.conf is done, this functions returns True -- """ -- changed = False -- -- root_logger.info('[Enabling serial autoincrement in DNS]') -- -- if not bindinstance.named_conf_exists(): -- # DNS service may not be configured -- root_logger.info('DNS is not configured') -- return changed -- -- try: -- serial_autoincrement = bindinstance.named_conf_get_directive( -- 'serial_autoincrement') -- except IOError as e: -- root_logger.debug('Cannot retrieve psearch option from %s: %s', -- bindinstance.NAMED_CONF, e) -- return changed -- else: -- serial_autoincrement = None if serial_autoincrement is None \ -- else serial_autoincrement.lower() -- -- # enable SOA serial autoincrement -- if not sysupgrade.get_upgrade_state('named.conf', 'autoincrement_enabled'): -- if serial_autoincrement != 'yes': -- try: -- bindinstance.named_conf_set_directive('serial_autoincrement', -- 'yes') -- except IOError as e: -- root_logger.error('Cannot enable serial_autoincrement in %s: %s', -- bindinstance.NAMED_CONF, e) -- return changed -- else: -- root_logger.debug('Serial autoincrement enabled') -- changed = True -- else: -- root_logger.debug('Serial autoincrement is alredy enabled') -- sysupgrade.set_upgrade_state('named.conf', 'autoincrement_enabled', True) -- else: -- root_logger.debug('Skip serial autoincrement check') -- -- return changed -- - def named_update_gssapi_configuration(): - """ - Update GSSAPI configuration in named.conf to a recent API. -@@ -1755,7 +1708,6 @@ def upgrade_configuration(): - named_conf_changes = ( - named_remove_deprecated_options(), - named_set_minimum_connections(), -- named_enable_serial_autoincrement(), - named_update_gssapi_configuration(), - named_update_pid_file(), - named_enable_dnssec(), --- -2.9.3 - - -From 465c2a8df87a555162b91a9e34280b3d208ad8b3 Mon Sep 17 00:00:00 2001 -From: Tomas Krizek -Date: Mon, 19 Dec 2016 13:12:19 +0100 -Subject: [PATCH 2/6] named.conf template: update API for bind 9.11 - -Use the new API for bind 9.11. Removed deprecated "serial_autoincrement" -and updated the rest of configuration to conform to the new format. - -This only fixes new IPA installations. For existing installations, -named.conf will be transformed when the new version of bind-dyndb-ldap -is installed. - -https://fedorahosted.org/freeipa/ticket/6565 - -Reviewed-By: Martin Basti ---- - install/share/bind.named.conf.template | 16 +++++++--------- - ipaplatform/redhat/paths.py | 1 + - ipaserver/install/bindinstance.py | 1 + - 3 files changed, 9 insertions(+), 9 deletions(-) - -diff --git a/install/share/bind.named.conf.template b/install/share/bind.named.conf.template -index e8ea8fba022c4f539fb84a64875b0c5ca46c761b..b7c3a0b78e23f9b5ac2d221dad24a039af201035 100644 ---- a/install/share/bind.named.conf.template -+++ b/install/share/bind.named.conf.template -@@ -43,13 +43,11 @@ zone "." IN { - include "$RFC1912_ZONES"; - include "$ROOT_KEY"; - --dynamic-db "ipa" { -- library "ldap.so"; -- arg "uri ldapi://%2fvar%2frun%2fslapd-$SERVER_ID.socket"; -- arg "base cn=dns, $SUFFIX"; -- arg "server_id $FQDN"; -- arg "auth_method sasl"; -- arg "sasl_mech GSSAPI"; -- arg "sasl_user DNS/$FQDN"; -- arg "serial_autoincrement yes"; -+dyndb "ipa" "$BIND_LDAP_SO" { -+ uri "ldapi://%2fvar%2frun%2fslapd-$SERVER_ID.socket"; -+ base "cn=dns, $SUFFIX"; -+ server_id "$FQDN"; -+ auth_method "sasl"; -+ sasl_mech "GSSAPI"; -+ sasl_user "DNS/$FQDN"; - }; -diff --git a/ipaplatform/redhat/paths.py b/ipaplatform/redhat/paths.py -index b27b065ad52c49852231039a66c47c2b80df3a62..8212f40cf8afcbd9017018ed538befdaceeb2d9d 100644 ---- a/ipaplatform/redhat/paths.py -+++ b/ipaplatform/redhat/paths.py -@@ -33,6 +33,7 @@ class RedHatPathNamespace(BasePathNamespace): - if sys.maxsize > 2**32: - LIBSOFTHSM2_SO = BasePathNamespace.LIBSOFTHSM2_SO_64 - PAM_KRB5_SO = BasePathNamespace.PAM_KRB5_SO_64 -+ BIND_LDAP_SO = BasePathNamespace.BIND_LDAP_SO_64 - - - paths = RedHatPathNamespace() -diff --git a/ipaserver/install/bindinstance.py b/ipaserver/install/bindinstance.py -index 7aa9ed4f4baedc686b929e758d72bf992a68a967..478ec4a168667affe6bb00cdac965e39e1858ebb 100644 ---- a/ipaserver/install/bindinstance.py -+++ b/ipaserver/install/bindinstance.py -@@ -798,6 +798,7 @@ class BindInstance(service.Service): - RFC1912_ZONES=paths.NAMED_RFC1912_ZONES, - NAMED_PID=paths.NAMED_PID, - NAMED_VAR_DIR=paths.NAMED_VAR_DIR, -+ BIND_LDAP_SO=paths.BIND_LDAP_SO, - ) - - def __setup_dns_container(self): --- -2.9.3 - - -From 8cba2c137bd7de298f41f001ab8b27687691fc44 Mon Sep 17 00:00:00 2001 -From: Tomas Krizek -Date: Mon, 19 Dec 2016 16:52:08 +0100 -Subject: [PATCH 3/6] bump required version of BIND, bind-dyndb-ldap - -bynd-dyndb-ldap used a custom configuration file format. Since BIND 9.11, -an API was accepted upstream. This caused backward incompatible changes -to the named.conf configuration file used to configure the -bind-dyndb-ldap BIND plugin. Version 11.0 of bind-dyndb-ldap plugin and -BIND 9.11 are required to use with the new config file format. - -https://fedorahosted.org/freeipa/ticket/6565 - -Reviewed-By: Martin Basti ---- - freeipa.spec.in | 17 +++++------------ - 1 file changed, 5 insertions(+), 12 deletions(-) - -diff --git a/freeipa.spec.in b/freeipa.spec.in -index 8a8e3a592cc0e414dc71202dc8c1f7d9b0526d5c..8b9fa591947a9a5b2bc84eba9b54ef750a9d68e8 100644 ---- a/freeipa.spec.in -+++ b/freeipa.spec.in -@@ -257,18 +257,11 @@ Summary: IPA integrated DNS server with support for automatic DNSSEC signing - Group: System Environment/Base - BuildArch: noarch - Requires: %{name}-server = %{version}-%{release} --Requires: bind-dyndb-ldap >= 10.0 --%if 0%{?fedora} >= 21 --Requires: bind >= 9.9.6-3 --Requires: bind-utils >= 9.9.6-3 --Requires: bind-pkcs11 >= 9.9.6-3 --Requires: bind-pkcs11-utils >= 9.9.6-3 --%else --Requires: bind >= 9.9.4-21 --Requires: bind-utils >= 9.9.4-21 --Requires: bind-pkcs11 >= 9.9.4-21 --Requires: bind-pkcs11-utils >= 9.9.4-21 --%endif -+Requires: bind-dyndb-ldap >= 11.0 -+Requires: bind >= 9.11.0-6.P2 -+Requires: bind-utils >= 9.11.0-6.P2 -+Requires: bind-pkcs11 >= 9.11.0-6.P2 -+Requires: bind-pkcs11-utils >= 9.11.0-6.P2 - Requires: opendnssec >= 1.4.6-4 - - Provides: %{alt_name}-server-dns = %{version} --- -2.9.3 - - -From b6eb03369a7546077f28ff45db27c76c5bc44584 Mon Sep 17 00:00:00 2001 -From: Tomas Krizek -Date: Fri, 10 Feb 2017 11:30:40 +0100 -Subject: [PATCH 4/6] PEP8: fix line length for regexs in bindinstance - -Reviewed-By: Martin Basti ---- - ipaserver/install/bindinstance.py | 9 ++++++--- - 1 file changed, 6 insertions(+), 3 deletions(-) - -diff --git a/ipaserver/install/bindinstance.py b/ipaserver/install/bindinstance.py -index 478ec4a168667affe6bb00cdac965e39e1858ebb..9c10ac98175e0dd5ea98c54eeadcb3452aac04e5 100644 ---- a/ipaserver/install/bindinstance.py -+++ b/ipaserver/install/bindinstance.py -@@ -69,12 +69,15 @@ RESOLV_CONF = paths.RESOLV_CONF - named_conf_section_ipa_start_re = re.compile('\s*dynamic-db\s+"ipa"\s+{') - named_conf_section_options_start_re = re.compile('\s*options\s+{') - named_conf_section_end_re = re.compile('};') --named_conf_arg_ipa_re = re.compile(r'(?P\s*)arg\s+"(?P\S+)\s(?P[^"]+)";') --named_conf_arg_options_re = re.compile(r'(?P\s*)(?P\S+)\s+"(?P[^"]+)"\s*;') -+named_conf_arg_ipa_re = re.compile( -+ r'(?P\s*)arg\s+"(?P\S+)\s(?P[^"]+)";') -+named_conf_arg_options_re = re.compile( -+ r'(?P\s*)(?P\S+)\s+"(?P[^"]+)"\s*;') - named_conf_arg_ipa_template = "%(indent)sarg \"%(name)s %(value)s\";\n" - named_conf_arg_options_template = "%(indent)s%(name)s \"%(value)s\";\n" - # non string args for options section --named_conf_arg_options_re_nonstr = re.compile(r'(?P\s*)(?P\S+)\s+(?P[^"]+)\s*;') -+named_conf_arg_options_re_nonstr = re.compile( -+ r'(?P\s*)(?P\S+)\s+(?P[^"]+)\s*;') - named_conf_arg_options_template_nonstr = "%(indent)s%(name)s %(value)s;\n" - # include directive - named_conf_include_re = re.compile(r'\s*include\s+"(?P)"\s*;') --- -2.9.3 - - -From 06fd56b4f5f57a0cf9258ecede8af8ab40433364 Mon Sep 17 00:00:00 2001 -From: Tomas Krizek -Date: Fri, 10 Feb 2017 11:16:56 +0100 -Subject: [PATCH 5/6] bindinstance: fix named.conf parsing regexs - -Since named.conf API for bind-dyndb-ldap was updated, our parsing -regexes have to change. - -https://fedorahosted.org/freeipa/ticket/6565 - -Reviewed-By: Martin Basti ---- - ipaserver/install/bindinstance.py | 13 ++++++------- - 1 file changed, 6 insertions(+), 7 deletions(-) - -diff --git a/ipaserver/install/bindinstance.py b/ipaserver/install/bindinstance.py -index 9c10ac98175e0dd5ea98c54eeadcb3452aac04e5..30123b74065c7a209c95baedec35ed25d3e112fd 100644 ---- a/ipaserver/install/bindinstance.py -+++ b/ipaserver/install/bindinstance.py -@@ -66,14 +66,14 @@ if six.PY3: - NAMED_CONF = paths.NAMED_CONF - RESOLV_CONF = paths.RESOLV_CONF - --named_conf_section_ipa_start_re = re.compile('\s*dynamic-db\s+"ipa"\s+{') -+named_conf_section_ipa_start_re = re.compile('\s*dyndb\s+"ipa"\s+"[^"]+"\s+{') - named_conf_section_options_start_re = re.compile('\s*options\s+{') - named_conf_section_end_re = re.compile('};') - named_conf_arg_ipa_re = re.compile( -- r'(?P\s*)arg\s+"(?P\S+)\s(?P[^"]+)";') -+ r'(?P\s*)(?P\S+)\s"(?P[^"]+)";') - named_conf_arg_options_re = re.compile( - r'(?P\s*)(?P\S+)\s+"(?P[^"]+)"\s*;') --named_conf_arg_ipa_template = "%(indent)sarg \"%(name)s %(value)s\";\n" -+named_conf_arg_ipa_template = "%(indent)s%(name)s \"%(value)s\";\n" - named_conf_arg_options_template = "%(indent)s%(name)s \"%(value)s\";\n" - # non string args for options section - named_conf_arg_options_re_nonstr = re.compile( -@@ -92,13 +92,12 @@ def create_reverse(): - - def named_conf_exists(): - try: -- named_fd = open(NAMED_CONF, 'r') -+ with open(NAMED_CONF, 'r') as named_fd: -+ lines = named_fd.readlines() - except IOError: - return False -- lines = named_fd.readlines() -- named_fd.close() - for line in lines: -- if line.startswith('dynamic-db "ipa"'): -+ if named_conf_section_ipa_start_re.match(line): - return True - return False - --- -2.9.3 - - -From 7d425b90ebb66f9c3e2f18e78709215b59e4a985 Mon Sep 17 00:00:00 2001 -From: Tomas Krizek -Date: Mon, 13 Feb 2017 18:36:12 +0100 -Subject: [PATCH 6/6] Bump required version of bind-dyndb-ldap to 11.0-2 - -Fedora release bind-dyndb-ldap 11.0-2 transforms existing named.conf -old style API to the new style API. This package version is required -to enable upgrade of existing IPA installations to new version. - -https://fedorahosted.org/freeipa/ticket/6565 - -Reviewed-By: Pavel Vomacka ---- - freeipa.spec.in | 2 +- - 1 file changed, 1 insertion(+), 1 deletion(-) - -diff --git a/freeipa.spec.in b/freeipa.spec.in -index 8b9fa591947a9a5b2bc84eba9b54ef750a9d68e8..1dd8d0c60cacfc79554bb3c61fa8297e89b7b192 100644 ---- a/freeipa.spec.in -+++ b/freeipa.spec.in -@@ -257,7 +257,7 @@ Summary: IPA integrated DNS server with support for automatic DNSSEC signing - Group: System Environment/Base - BuildArch: noarch - Requires: %{name}-server = %{version}-%{release} --Requires: bind-dyndb-ldap >= 11.0 -+Requires: bind-dyndb-ldap >= 11.0-2 - Requires: bind >= 9.11.0-6.P2 - Requires: bind-utils >= 9.11.0-6.P2 - Requires: bind-pkcs11 >= 9.11.0-6.P2 --- -2.9.3 - diff --git a/0003-Run-ipa-custodia-under-Python-2.patch b/0003-Run-ipa-custodia-under-Python-2.patch deleted file mode 100644 index 804fa1e..0000000 --- a/0003-Run-ipa-custodia-under-Python-2.patch +++ /dev/null @@ -1,106 +0,0 @@ -From 307c4bd62609c9ac58633e3ccc61d85e2caacbcc Mon Sep 17 00:00:00 2001 -From: Christian Heimes -Date: Wed, 3 May 2017 16:38:21 +0200 -Subject: [PATCH] Run ipa-custodia under Python 2 - -Closes: https://pagure.io/freeipa/issue/6926 -Signed-off-by: Christian Heimes -Reviewed-By: Stanislav Laznicka ---- - freeipa.spec.in | 10 ++++++---- - init/systemd/ipa-custodia.service | 3 +-- - install/tools/Makefile.am | 1 + - install/tools/ipa-custodia | 6 ++++++ - 4 files changed, 14 insertions(+), 6 deletions(-) - create mode 100755 install/tools/ipa-custodia - -diff --git a/freeipa.spec.in b/freeipa.spec.in -index e0f1df2..21f2416 100644 ---- a/freeipa.spec.in -+++ b/freeipa.spec.in -@@ -112,7 +112,8 @@ BuildRequires: python-pytest-sourceorder - BuildRequires: python-kdcproxy >= 0.3 - BuildRequires: python-six - BuildRequires: python-jwcrypto --BuildRequires: custodia -+# install/tools/ipa-custodia needs custodia 0.2+ -+BuildRequires: custodia >= 0.2 - BuildRequires: libini_config-devel >= 1.2.0 - BuildRequires: dbus-python - BuildRequires: python-netifaces >= 0.10.4 -@@ -246,7 +247,7 @@ BuildArch: noarch - Requires: %{name}-client-common = %{version}-%{release} - Requires: httpd >= 2.4.6-31 - Requires: systemd-units >= 38 --Requires: custodia -+Requires: custodia >= 0.2 - - Provides: %{alt_name}-server-common = %{version} - Conflicts: %{alt_name}-server-common -@@ -498,7 +499,7 @@ Requires: python-jwcrypto - Requires: python-cffi - Requires: python-ldap >= 2.4.15 - Requires: python-requests --Requires: python-custodia -+Requires: python-custodia >= 0.2 - Requires: python-dns >= 1.13 - Requires: python-netifaces >= 0.10.4 - Requires: pyusb -@@ -546,7 +547,7 @@ Requires: python3-six - Requires: python3-jwcrypto - Requires: python3-cffi - Requires: python3-pyldap >= 2.4.15 --Requires: python3-custodia -+Requires: python3-custodia >= 0.2 - Requires: python3-requests - Requires: python3-dns >= 1.11.1 - Requires: python3-netifaces >= 0.10.4 -@@ -1069,6 +1070,7 @@ fi - %{_libexecdir}/certmonger/ipa-server-guard - %{_libexecdir}/ipa-otpd - %dir %{_libexecdir}/ipa -+%{_libexecdir}/ipa/ipa-custodia - %{_libexecdir}/ipa/ipa-dnskeysyncd - %{_libexecdir}/ipa/ipa-dnskeysync-replica - %{_libexecdir}/ipa/ipa-ods-exporter -diff --git a/init/systemd/ipa-custodia.service b/init/systemd/ipa-custodia.service -index ff930fb..63246c4 100644 ---- a/init/systemd/ipa-custodia.service -+++ b/init/systemd/ipa-custodia.service -@@ -3,8 +3,7 @@ Description=IPA Custodia Service - - [Service] - Type=simple -- --ExecStart=/usr/sbin/custodia /etc/ipa/custodia/custodia.conf -+ExecStart=/usr/libexec/ipa/ipa-custodia /etc/ipa/custodia/custodia.conf - PrivateTmp=yes - Restart=on-failure - RestartSec=60s -diff --git a/install/tools/Makefile.am b/install/tools/Makefile.am -index 2866a30..66ee9e3 100644 ---- a/install/tools/Makefile.am -+++ b/install/tools/Makefile.am -@@ -38,6 +38,7 @@ EXTRA_DIST = \ - - appdir = $(libexecdir)/ipa/ - app_SCRIPTS = \ -+ ipa-custodia \ - ipa-httpd-kdcproxy \ - ipa-pki-retrieve-key \ - $(NULL) -diff --git a/install/tools/ipa-custodia b/install/tools/ipa-custodia -new file mode 100755 -index 0000000..2086a9c ---- /dev/null -+++ b/install/tools/ipa-custodia -@@ -0,0 +1,6 @@ -+#!/usr/bin/python2 -+# Copyright (C) 2017 IPA Project Contributors, see COPYING for license -+from custodia.server import main -+ -+if __name__ == '__main__': -+ main() --- -2.9.3 - diff --git a/0004-Remove-surplus-the-in-output-of-ipa-adtrust-install.patch b/0004-Remove-surplus-the-in-output-of-ipa-adtrust-install.patch deleted file mode 100644 index 2dc207c..0000000 --- a/0004-Remove-surplus-the-in-output-of-ipa-adtrust-install.patch +++ /dev/null @@ -1,30 +0,0 @@ -From 9d5a719a2436d5afca74ce78ae1b14ccdcfbbf0e Mon Sep 17 00:00:00 2001 -From: Tomas Krizek -Date: Wed, 17 May 2017 09:33:42 +0200 -Subject: [PATCH] Remove surplus 'the' in output of ipa-adtrust-install - -Fixing the typo - -https://pagure.io/freeipa/issue/6864 - -Reviewed-By: Stanislav Laznicka ---- - install/tools/ipa-adtrust-install | 2 +- - 1 file changed, 1 insertion(+), 1 deletion(-) - -diff --git a/install/tools/ipa-adtrust-install b/install/tools/ipa-adtrust-install -index d738cc6..0f61075 100755 ---- a/install/tools/ipa-adtrust-install -+++ b/install/tools/ipa-adtrust-install -@@ -370,7 +370,7 @@ def main(): - print("WARNING: %d existing users or groups do not have a SID identifier assigned." \ - % len(entries)) - print("Installer can run a task to have ipa-sidgen Directory Server plugin generate") -- print("the SID identifier for all these users. Please note, the in case of a high") -+ print("the SID identifier for all these users. Please note, in case of a high") - print("number of users and groups, the operation might lead to high replication") - print("traffic and performance degradation. Refer to ipa-adtrust-install(1) man page") - print("for details.") --- -2.9.3 - diff --git a/0005-Add-fix-for-ipa-plugins-command.patch b/0005-Add-fix-for-ipa-plugins-command.patch deleted file mode 100644 index 3f2b904..0000000 --- a/0005-Add-fix-for-ipa-plugins-command.patch +++ /dev/null @@ -1,49 +0,0 @@ -From 5536b06c0f289f1408d5ca5525a53494a08337a5 Mon Sep 17 00:00:00 2001 -From: Abhijeet Kasurde -Date: Thu, 12 Jan 2017 18:38:37 +0530 -Subject: [PATCH] Add fix for ipa plugins command - -Fix adds count of plugins loaded to return dict - -Fixes https://fedorahosted.org/freeipa/ticket/6513 - -Signed-off-by: Abhijeet Kasurde -Reviewed-By: Martin Basti -Reviewed-By: Martin Babinsky ---- - ipaserver/plugins/misc.py | 3 ++- - ipatests/test_cmdline/test_cli.py | 3 +++ - 2 files changed, 5 insertions(+), 1 deletion(-) - -diff --git a/ipaserver/plugins/misc.py b/ipaserver/plugins/misc.py -index 7618e23..fa8224f 100644 ---- a/ipaserver/plugins/misc.py -+++ b/ipaserver/plugins/misc.py -@@ -138,8 +138,9 @@ class plugins(LocalOrRemote): - for plugin in self.api[namespace](): - cls = type(plugin) - key = '{}.{}'.format(cls.__module__, cls.__name__) -- result.setdefault(key, []).append(namespace) -+ result.setdefault(key, []).append(namespace.decode('utf-8')) - - return dict( - result=result, -+ count=len(result), - ) -diff --git a/ipatests/test_cmdline/test_cli.py b/ipatests/test_cmdline/test_cli.py -index 07bab23..4585126 100644 ---- a/ipatests/test_cmdline/test_cli.py -+++ b/ipatests/test_cmdline/test_cli.py -@@ -51,6 +51,9 @@ class TestCLIParsing(object): - def test_ping(self): - self.check_command('ping', 'ping') - -+ def test_plugins(self): -+ self.check_command('plugins', 'plugins') -+ - def test_user_show(self): - self.check_command('user-show admin', 'user_show', uid=u'admin') - --- -2.9.3 - diff --git a/freeipa.spec b/freeipa.spec index 1502641..8e5f5f5 100644 --- a/freeipa.spec +++ b/freeipa.spec @@ -1,6 +1,21 @@ # Define ONLY_CLIENT to only make the ipa-client and ipa-python # subpackages %{!?ONLY_CLIENT:%global ONLY_CLIENT 0} +%if %{ONLY_CLIENT} + %global enable_server_option --disable-server +%else + %global enable_server_option --enable-server +%endif + +# Build with ipatests +%if ! %{ONLY_CLIENT} + %global with_ipatests 1 +%endif +%if 0%{?with_ipatests} + %global with_ipatests_option --with-ipatests +%else + %global with_ipatests_option --without-ipatests +%endif %if 0%{?rhel} %global with_python3 0 @@ -8,14 +23,35 @@ %global with_python3 1 %endif +# lint is not executed during rpmbuild +# %%global with_lint 1 +%if 0%{?with_lint} + %global linter_options --enable-pylint --with-jslint +%else + %global linter_options --disable-pylint --without-jslint +%endif + +# Python wheel support and PyPI packages +%global with_wheels 0 + %global alt_name ipa %if 0%{?rhel} -%global samba_version 4.0.5-1 +# 1.15.1-7: certauth (http://krbdev.mit.edu/rt/Ticket/Display.html?id=8561) +%global krb5_version 1.15.1-4 +# 0.7.16: https://github.com/drkjam/netaddr/issues/71 +%global python_netaddr_version 0.7.5-8 +# Require 4.6.0-4 which brings RC4 for FIPS + trust fixes to priv. separation +%global samba_version 4.6.0-4 %global samba_build_version %{samba_version} %global selinux_policy_version 3.12.1-153 %global slapi_nis_version 0.56.0-4 %else -%global samba_version 2:4.3.1-1 +# 1.15.1-7: certauth (http://krbdev.mit.edu/rt/Ticket/Display.html?id=8561) +%global krb5_version 1.15.1-7 +# 0.7.16: https://github.com/drkjam/netaddr/issues/71 +%global python_netaddr_version 0.7.16 +# Require 4.6.0-4 which brings RC4 for FIPS + trust fixes to priv. separation +%global samba_version 2:4.6.0-4 %global samba_build_version 2:4.2.1 %global selinux_policy_version 3.13.1-158.4 %global slapi_nis_version 0.56.1 @@ -26,19 +62,14 @@ %global plugin_dir %{_libdir}/dirsrv/plugins %global etc_systemd_dir %{_sysconfdir}/systemd/system %global gettext_domain ipa -%if 0%{?rhel} -%global platform_module rhel -%else -%global platform_module fedora -%endif -%global VERSION 4.4.4 +%global VERSION 4.5.1 %define _hardened_build 1 Name: freeipa Version: %{VERSION} -Release: 2%{?dist} +Release: 1%{?dist} Summary: The Identity, Policy and Audit system Group: System Environment/Base @@ -49,98 +80,171 @@ Source1: https://releases.pagure.org/freeipa/freeipa-%{VERSION}.tar.gz.as BuildRoot: %{_tmppath}/%{name}-%{version}-%{release}-root-%(%{__id_u} -n) Patch0001: 0001-Workarounds-for-SELinux-execmem-violations-in-crypto.patch -Patch0002: 0002-bind-dyndb-ldap-DNS-fixes.patch -Patch0003: 0003-Run-ipa-custodia-under-Python-2.patch -Patch0004: 0004-Remove-surplus-the-in-output-of-ipa-adtrust-install.patch -Patch0005: 0005-Add-fix-for-ipa-plugins-command.patch -%if ! %{ONLY_CLIENT} -BuildRequires: 389-ds-base-devel >= 1.3.5.6 -BuildRequires: svrcore-devel -BuildRequires: policycoreutils >= 2.1.12-5 -BuildRequires: systemd-units -BuildRequires: samba-devel >= %{samba_build_version} -BuildRequires: samba-python -BuildRequires: libtalloc-devel -BuildRequires: libtevent-devel -%endif # ONLY_CLIENT -BuildRequires: nspr-devel -BuildRequires: nss-devel -BuildRequires: openssl-devel BuildRequires: openldap-devel # For KDB DAL version, make explicit dependency so that increase of version # will cause the build to fail due to unsatisfied dependencies. # DAL version change may cause code crash or memory leaks, it is better to fail early. %if 0%{?fedora} > 25 -BuildRequires: krb5-devel >= 1.15-5 BuildRequires: krb5-kdb-version = 6.1 -%else -# 1.12+: libkrad (http://krbdev.mit.edu/rt/Ticket/Display.html?id=7678) -BuildRequires: krb5-devel >= 1.13 %endif -BuildRequires: krb5-workstation -BuildRequires: libuuid-devel -BuildRequires: libcurl-devel >= 7.21.7-2 +BuildRequires: krb5-devel >= %{krb5_version} +# 1.27.4: xmlrpc_curl_xportparms.gssapi_delegation BuildRequires: xmlrpc-c-devel >= 1.27.4 BuildRequires: popt-devel BuildRequires: autoconf BuildRequires: automake -BuildRequires: m4 BuildRequires: libtool BuildRequires: gettext +BuildRequires: gettext-devel BuildRequires: python-devel -BuildRequires: python-ldap BuildRequires: python-setuptools +%if 0%{?with_python3} +BuildRequires: python3-devel +BuildRequires: python3-setuptools +%endif # with_python3 +# %{_unitdir}, %{_tmpfilesdir} +BuildRequires: systemd +# systemd-tmpfiles which is executed from make install requires apache user +BuildRequires: httpd +BuildRequires: nspr-devel +BuildRequires: nss-devel +BuildRequires: openssl-devel +BuildRequires: libini_config-devel +BuildRequires: cyrus-sasl-devel +%if ! %{ONLY_CLIENT} +# 1.3.3.9: DS_Sleep (https://fedorahosted.org/389/ticket/48005) +BuildRequires: 389-ds-base-devel >= 1.3.3.9 +BuildRequires: svrcore-devel +BuildRequires: samba-devel >= %{samba_build_version} +BuildRequires: libtalloc-devel +BuildRequires: libtevent-devel +BuildRequires: libuuid-devel +BuildRequires: libsss_idmap-devel +BuildRequires: libsss_certmap-devel +# 1.15.3: sss_nss_getlistbycert (https://pagure.io/SSSD/sssd/issue/3050) +BuildRequires: libsss_nss_idmap-devel >= 1.15.3 +BuildRequires: rhino +BuildRequires: libverto-devel +BuildRequires: libunistring-devel +BuildRequires: python-lesscpy +%endif # ONLY_CLIENT + +# +# Build dependencies for makeapi/makeaci +# makeapi/makeaci is using Python 2 only for now +# +BuildRequires: python-ldap BuildRequires: python-nss -BuildRequires: python-cryptography >= 0.9 BuildRequires: m2crypto BuildRequires: python-netaddr -BuildRequires: python-gssapi >= 1.1.2 -BuildRequires: python-rhsm -BuildRequires: pyOpenSSL -BuildRequires: pylint >= 1.0 +BuildRequires: python-pyasn1 +BuildRequires: python-pyasn1-modules +BuildRequires: python-dns +BuildRequires: python-six +BuildRequires: python-libsss_nss_idmap +BuildRequires: python-cffi + +# +# Build dependencies for wheel packaging and PyPI upload +# +%if 0%{with_wheels} +BuildRequires: python2-twine +BuildRequires: python2-wheel +%if 0%{?with_python3} +BuildRequires: python3-twine +BuildRequires: python3-wheel +%endif +%endif # with_wheels + +# +# Build dependencies for lint +# +%if 0%{?with_lint} +BuildRequires: samba-python +# 1.4: the version where Certificate.serial changed to .serial_number +BuildRequires: python-cryptography >= 1.4 +BuildRequires: python-gssapi >= 1.2.0 +BuildRequires: pylint >= 1.6 # workaround for https://bugzilla.redhat.com/show_bug.cgi?id=1096506 BuildRequires: python2-polib BuildRequires: python-libipa_hbac -BuildRequires: python-memcached BuildRequires: python-lxml -BuildRequires: python-pyasn1 >= 0.0.9a +# 5.0.0: QRCode.print_ascii BuildRequires: python-qrcode-core >= 5.0.0 -BuildRequires: python-dns >= 1.13 -BuildRequires: libsss_idmap-devel -BuildRequires: libsss_nss_idmap-devel >= 1.14.0 -BuildRequires: java-headless +# 1.15: python-dns changed return type in to_text() method in PY3 +BuildRequires: python-dns >= 1.15 BuildRequires: jsl -BuildRequires: rhino -BuildRequires: libverto-devel -BuildRequires: systemd -BuildRequires: libunistring-devel -BuildRequires: python-lesscpy -BuildRequires: python-yubico >= 1.2.3 -BuildRequires: openssl-devel -BuildRequires: pki-base >= 10.3.3-3 -BuildRequires: python-pytest-multihost >= 0.5 +BuildRequires: python-yubico +# pki Python package +BuildRequires: pki-base-python2 +BuildRequires: python-pytest-multihost BuildRequires: python-pytest-sourceorder -BuildRequires: python-kdcproxy >= 0.3 -BuildRequires: python-six BuildRequires: python-jwcrypto # 0.3: sd_notify (https://pagure.io/freeipa/issue/5825) -BuildRequires: custodia >= 0.3.1 -BuildRequires: libini_config-devel >= 1.2.0 +BuildRequires: python-custodia >= 0.3.1 BuildRequires: dbus-python -BuildRequires: python-netifaces >= 0.10.4 -BuildRequires: python-libsss_nss_idmap +BuildRequires: python-dateutil +BuildRequires: python-enum34 +BuildRequires: python-netifaces BuildRequires: python-sss +BuildRequires: python-sss-murmur +BuildRequires: python-sssdconfig +BuildRequires: python-nose +BuildRequires: python-paste +BuildRequires: systemd-python +BuildRequires: python2-jinja2 +BuildRequires: python-augeas +%if 0%{?with_python3} +# FIXME: this depedency is missing - server will not work +#BuildRequires: python3-samba +# 1.4: the version where Certificate.serial changed to .serial_number +BuildRequires: python3-cryptography >= 1.4 +BuildRequires: python3-gssapi >= 1.2.0 +BuildRequires: python3-pylint >= 1.6 +# workaround for https://bugzilla.redhat.com/show_bug.cgi?id=1096506 +BuildRequires: python3-polib +BuildRequires: python3-libipa_hbac +BuildRequires: python3-memcached +BuildRequires: python3-lxml +# 5.0.0: QRCode.print_ascii +BuildRequires: python3-qrcode-core >= 5.0.0 +# 1.15: python-dns changed return type in to_text() method in PY3 +BuildRequires: python3-dns >= 1.15 +BuildRequires: python3-yubico +# pki Python package +BuildRequires: pki-base-python3 +BuildRequires: python3-pytest-multihost +BuildRequires: python3-pytest-sourceorder +BuildRequires: python3-jwcrypto +# 0.3: sd_notify (https://pagure.io/freeipa/issue/5825) +BuildRequires: python3-custodia >= 0.3.1 +BuildRequires: python3-dbus +BuildRequires: python3-dateutil +BuildRequires: python3-enum34 +BuildRequires: python3-netifaces +BuildRequires: python3-sss +BuildRequires: python3-sss-murmur +BuildRequires: python3-sssdconfig +BuildRequires: python3-libsss_nss_idmap +BuildRequires: python3-nose +BuildRequires: python3-paste +BuildRequires: python3-systemd +BuildRequires: python3-jinja2 +BuildRequires: python3-augeas +%endif # with_python3 +%endif # with_lint + +# # Build dependencies for unit tests +# +%if ! %{ONLY_CLIENT} BuildRequires: libcmocka-devel BuildRequires: nss_wrapper # Required by ipa_kdb_tests BuildRequires: %{_libdir}/krb5/plugins/kdb/db2.so - -%if 0%{?with_python3} -BuildRequires: python3-devel -%endif # with_python3 +%endif # ONLY_CLIENT %description IPA is an integrated solution to provide centrally managed Identity (users, @@ -163,19 +267,22 @@ Requires: 389-ds-base >= 1.3.5.14 Requires: openldap-clients > 2.4.35-4 Requires: nss >= 3.14.3-12.0 Requires: nss-tools >= 3.14.3-12.0 +Requires(post): krb5-server >= %{krb5_version} Requires(post): krb5-server >= %{krb5_base_version}, krb5-server < %{krb5_base_version}.100 -Requires: krb5-pkinit-openssl +Requires: krb5-pkinit-openssl >= %{krb5_version} Requires: cyrus-sasl-gssapi%{?_isa} Requires: ntp Requires: httpd >= 2.4.6-31 Requires: mod_wsgi -Requires: mod_auth_gssapi >= 1.4.0 -Requires: mod_nss >= 1.0.8-26 +Requires: mod_auth_gssapi >= 1.5.0 +# 1.0.14-3: https://bugzilla.redhat.com/show_bug.cgi?id=1431206 +Requires: mod_nss >= 1.0.14-3 +Requires: mod_session +# 0.9.9: https://github.com/adelton/mod_lookup_identity/pull/3 +Requires: mod_lookup_identity >= 0.9.9 Requires: python-ldap >= 2.4.15 -Requires: python-gssapi >= 1.1.2 +Requires: python-gssapi >= 1.2.0 Requires: acl -Requires: memcached -Requires: python-memcached Requires: systemd-units >= 38 Requires(pre): shadow-utils Requires(pre): systemd-units @@ -187,7 +294,6 @@ Requires: pki-ca >= 10.3.5-11 Requires: pki-kra >= 10.3.5-11 Requires(preun): python systemd-units Requires(postun): python systemd-units -Requires: zip Requires: policycoreutils >= 2.1.12-5 Requires: tar Requires(pre): certmonger >= 0.78 @@ -201,6 +307,10 @@ Requires: systemd-python Requires: %{etc_systemd_dir} Requires: gzip Requires: oddjob +# 0.7.0-2: https://pagure.io/gssproxy/pull-request/172 +Requires: gssproxy >= 0.7.0-2 +# 1.15.2: FindByNameAndCertificate (https://pagure.io/SSSD/sssd/issue/3050) +Requires: sssd-dbus >= 1.15.2 Provides: %{alt_name}-server = %{version} Conflicts: %{alt_name}-server @@ -231,17 +341,22 @@ Summary: Python libraries used by IPA server Group: System Environment/Libraries BuildArch: noarch %{?python_provide:%python_provide python2-ipaserver} +%{!?python_provide:Provides: python-ipaserver = %{version}-%{release}} Requires: %{name}-server-common = %{version}-%{release} Requires: %{name}-common = %{version}-%{release} Requires: python2-ipaclient = %{version}-%{release} +Requires: python-custodia >= 0.3.1 Requires: python-ldap >= 2.4.15 -Requires: python-gssapi >= 1.1.2 +Requires: python-lxml +Requires: python-gssapi >= 1.2.0 Requires: python-sssdconfig Requires: python-pyasn1 Requires: dbus-python -Requires: python-dns >= 1.13 +Requires: python-dns >= 1.15 Requires: python-kdcproxy >= 0.3 Requires: rpm-libs +Requires: pki-base-python2 +Requires: python-augeas %description -n python2-ipaserver IPA is an integrated solution to provide centrally managed Identity (users, @@ -252,6 +367,40 @@ and integration with Active Directory based infrastructures (Trusts). If you are installing an IPA server, you need to install this package. +%if 0%{?with_python3} + +%package -n python3-ipaserver +Summary: Python libraries used by IPA server +Group: System Environment/Libraries +BuildArch: noarch +%{?python_provide:%python_provide python3-ipaserver} +Requires: %{name}-server-common = %{version}-%{release} +Requires: %{name}-common = %{version}-%{release} +Requires: python3-ipaclient = %{version}-%{release} +Requires: python3-custodia >= 0.3.1 +Requires: python3-pyldap >= 2.4.15 +Requires: python3-lxml +Requires: python3-gssapi >= 1.2.0 +Requires: python3-sssdconfig +Requires: python3-pyasn1 +Requires: python3-dbus +Requires: python3-dns >= 1.15 +Requires: python3-kdcproxy >= 0.3 +Requires: python3-augeas +Requires: rpm-libs +Requires: pki-base-python3 + +%description -n python3-ipaserver +IPA is an integrated solution to provide centrally managed Identity (users, +hosts, services), Authentication (SSO, 2FA), and Authorization +(host access control, SELinux user roles, services). The solution provides +features for further integration with Linux based clients (SUDO, automount) +and integration with Active Directory based infrastructures (Trusts). +If you are installing an IPA server, you need to install this package. + +%endif # with_python3 + + %package server-common Summary: Common files used by IPA server Group: System Environment/Base @@ -339,7 +488,7 @@ Requires: python2-ipaclient = %{version}-%{release} Requires: python-ldap Requires: cyrus-sasl-gssapi%{?_isa} Requires: ntp -Requires: krb5-workstation +Requires: krb5-workstation >= %{krb5_version} Requires: authconfig Requires: curl # NIS domain name config: /usr/lib/systemd/system/*-domainname.service @@ -352,7 +501,7 @@ Requires: certmonger >= 0.78 Requires: nss-tools Requires: bind-utils Requires: oddjob-mkhomedir -Requires: python-gssapi >= 1.1.2 +Requires: python-gssapi >= 1.2.0 Requires: libsss_autofs Requires: autofs Requires: libnfsidmap @@ -386,10 +535,12 @@ Summary: Python libraries used by IPA client Group: System Environment/Libraries BuildArch: noarch %{?python_provide:%python_provide python2-ipaclient} +%{!?python_provide:Provides: python-ipaclient = %{version}-%{release}} Requires: %{name}-client-common = %{version}-%{release} Requires: %{name}-common = %{version}-%{release} Requires: python2-ipalib = %{version}-%{release} -Requires: python-dns >= 1.13 +Requires: python-dns >= 1.15 +Requires: python2-jinja2 %description -n python2-ipaclient IPA is an integrated solution to provide centrally managed Identity (users, @@ -411,7 +562,8 @@ BuildArch: noarch Requires: %{name}-client-common = %{version}-%{release} Requires: %{name}-common = %{version}-%{release} Requires: python3-ipalib = %{version}-%{release} -Requires: python3-dns >= 1.11.1 +Requires: python3-dns >= 1.15 +Requires: python3-jinja2 %description -n python3-ipaclient IPA is an integrated solution to provide centrally managed Identity (users, @@ -478,23 +630,27 @@ Group: System Environment/Libraries BuildArch: noarch Conflicts: %{name}-python < 4.2.91 %{?python_provide:%python_provide python2-ipalib} +%{!?python_provide:Provides: python-ipalib = %{version}-%{release}} Provides: python2-ipapython = %{version}-%{release} %{?python_provide:%python_provide python2-ipapython} +%{!?python_provide:Provides: python-ipapython = %{version}-%{release}} Provides: python2-ipaplatform = %{version}-%{release} %{?python_provide:%python_provide python2-ipaplatform} +%{!?python_provide:Provides: python-ipaplatform = %{version}-%{release}} Requires: %{name}-common = %{version}-%{release} -Requires: python-gssapi >= 1.1.2 +Requires: python-gssapi >= 1.2.0 Requires: gnupg Requires: keyutils Requires: pyOpenSSL +Requires: python >= 2.7.9 Requires: python-nss >= 0.16 -Requires: python-cryptography >= 0.9 Requires: m2crypto -Requires: python-lxml -Requires: python-netaddr +Requires: python-cryptography >= 1.4 +Requires: python-netaddr >= %{python_netaddr_version} Requires: python-libipa_hbac Requires: python-qrcode-core >= 5.0.0 Requires: python-pyasn1 +Requires: python-pyasn1-modules Requires: python-dateutil Requires: python-yubico >= 1.2.3 Requires: python-sss-murmur @@ -505,8 +661,8 @@ Requires: python-jwcrypto Requires: python-cffi Requires: python-ldap >= 2.4.15 Requires: python-requests -Requires: python-custodia >= 0.3.1 -Requires: python-dns >= 1.13 +Requires: python-dns >= 1.15 +Requires: python-enum34 Requires: python-netifaces >= 0.10.4 Requires: pyusb @@ -533,17 +689,17 @@ Provides: python3-ipapython = %{version}-%{release} Provides: python3-ipaplatform = %{version}-%{release} %{?python_provide:%python_provide python3-ipaplatform} Requires: %{name}-common = %{version}-%{release} -Requires: python3-gssapi >= 1.1.2 +Requires: python3-gssapi >= 1.2.0 Requires: gnupg Requires: keyutils Requires: python3-pyOpenSSL Requires: python3-nss >= 0.16 -Requires: python3-cryptography -Requires: python3-lxml -Requires: python3-netaddr +Requires: python3-cryptography >= 1.4 +Requires: python3-netaddr >= %{python_netaddr_version} Requires: python3-libipa_hbac Requires: python3-qrcode-core >= 5.0.0 Requires: python3-pyasn1 +Requires: python3-pyasn1-modules Requires: python3-dateutil Requires: python3-yubico >= 1.2.3 Requires: python3-sss-murmur @@ -553,9 +709,8 @@ Requires: python3-six Requires: python3-jwcrypto Requires: python3-cffi Requires: python3-pyldap >= 2.4.15 -Requires: python3-custodia >= 0.3.1 Requires: python3-requests -Requires: python3-dns >= 1.11.1 +Requires: python3-dns >= 1.15 Requires: python3-netifaces >= 0.10.4 Requires: python3-pyusb @@ -591,7 +746,7 @@ and integration with Active Directory based infrastructures (Trusts). If you are using IPA, you need to install this package. -%if ! %{ONLY_CLIENT} +%if 0%{?with_ipatests} %package -n python2-ipatests Summary: IPA tests and test tools @@ -599,6 +754,7 @@ BuildArch: noarch Obsoletes: %{name}-tests < 4.2.91 Provides: %{name}-tests = %{version}-%{release} %{?python_provide:%python_provide python2-ipatests} +%{!?python_provide:Provides: python-ipatests = %{version}-%{release}} Requires: python2-ipaclient = %{version}-%{release} Requires: python2-ipaserver = %{version}-%{release} Requires: tar @@ -613,7 +769,7 @@ Requires: python-pytest-multihost >= 0.5 Requires: python-pytest-sourceorder Requires: ldns-utils Requires: python-sssdconfig -Requires: python2-cryptography +Requires: python2-cryptography >= 1.4 Provides: %{alt_name}-tests = %{version} Conflicts: %{alt_name}-tests @@ -647,7 +803,7 @@ Requires: python3-pytest-multihost >= 0.5 Requires: python3-pytest-sourceorder Requires: ldns-utils Requires: python3-sssdconfig -Requires: python3-cryptography +Requires: python3-cryptography >= 1.4 %description -n python3-ipatests IPA is an integrated solution to provide centrally managed Identity (users, @@ -659,7 +815,7 @@ This package contains tests that verify IPA functionality under Python 3. %endif # with_python3 -%endif # ONLY_CLIENT +%endif # with_ipatests %prep @@ -687,102 +843,128 @@ for p in %patches ; do done # Fedora spec file only: END +%if 0%{?with_python3} +# Workaround: We want to build Python things twice. To be sure we do not mess +# up something, do two separate builds in separate directories. +cp -r %{_builddir}/freeipa-%{version} %{_builddir}/freeipa-%{version}-python3 +%endif # with_python3 + %build # UI compilation segfaulted on some arches when the stack was lower (#1040576) export JAVA_STACK_SIZE="8m" +# PATH is workaround for https://bugzilla.redhat.com/show_bug.cgi?id=1005235 +export PATH=/usr/bin:/usr/sbin:$PATH +export PYTHON=%{__python2} +# Workaround: make sure all shebangs are pointing to Python 2 +# This should be solved properly using setuptools +# and this hack should be removed. +find \ + ! -name '*.pyc' -a \ + ! -name '*.pyo' -a \ + -type f -exec grep -qsm1 '^#!.*\bpython' {} \; \ + -exec sed -i -e '1 s|^#!.*\bpython[^ ]*|#!%{__python2}|' {} \; +%configure --with-vendor-suffix=-%{release} \ + %{enable_server_option} \ + %{with_ipatests_option} \ + %{linter_options} -export CFLAGS="%{optflags} $CFLAGS" -export LDFLAGS="%{__global_ldflags} $LDFLAGS" -export SUPPORTED_PLATFORM=%{platform_module} +# -Onone is workaround for https://bugzilla.redhat.com/show_bug.cgi?id=1398405 +%make_build -Onone -# Force re-generate of platform support -export IPA_VENDOR_VERSION_SUFFIX=-%{release} -rm -f ipapython/version.py -rm -f ipaplatform/services.py -rm -f ipaplatform/tasks.py -rm -f ipaplatform/paths.py -rm -f ipaplatform/constants.py -make version-update -cd client; ../autogen.sh --prefix=%{_usr} --sysconfdir=%{_sysconfdir} --localstatedir=%{_localstatedir} --libdir=%{_libdir} --mandir=%{_mandir}; cd .. -%if ! %{ONLY_CLIENT} -cd daemons; ../autogen.sh --prefix=%{_usr} --sysconfdir=%{_sysconfdir} --localstatedir=%{_localstatedir} --libdir=%{_libdir} --mandir=%{_mandir} --with-openldap; cd .. -cd install; ../autogen.sh --prefix=%{_usr} --sysconfdir=%{_sysconfdir} --localstatedir=%{_localstatedir} --libdir=%{_libdir} --mandir=%{_mandir}; cd .. -%endif # ONLY_CLIENT - -%if ! %{ONLY_CLIENT} -make IPA_VERSION_IS_GIT_SNAPSHOT=no %{?_smp_mflags} all -%else -make IPA_VERSION_IS_GIT_SNAPSHOT=no %{?_smp_mflags} client -%endif # ONLY_CLIENT +%if 0%{?with_python3} +pushd %{_builddir}/freeipa-%{version}-python3 +export PYTHON=%{__python3} +# Workaround: make sure all shebangs are pointing to Python 3 +# This should be solved properly using setuptools +# and this hack should be removed. +find \ + ! -name '*.pyc' -a \ + ! -name '*.pyo' -a \ + -type f -exec grep -qsm1 '^#!.*\bpython' {} \; \ + -exec sed -i -e '1 s|^#!.*\bpython[^ ]*|#!%{__python3}|' {} \; +%configure --with-vendor-suffix=-%{release} \ + %{enable_server_option} \ + %{with_ipatests_option} \ + %{linter_options} +popd +%endif # with_python3 %check -%if ! %{ONLY_CLIENT} -make %{?_smp_mflags} check VERBOSE=yes -%else -make %{?_smp_mflags} client-check VERBOSE=yes -%endif # ONLY_CLIENT +make %{?_smp_mflags} check VERBOSE=yes LIBDIR=%{_libdir} %install -rm -rf %{buildroot} -export SUPPORTED_PLATFORM=%{platform_module} -# Force re-generate of platform support -export IPA_VENDOR_VERSION_SUFFIX=-%{release} -rm -f ipapython/version.py -rm -f ipaplatform/services.py -rm -f ipaplatform/tasks.py -rm -f ipaplatform/paths.py -rm -f ipaplatform/constants.py -make version-update -%if ! %{ONLY_CLIENT} -make install DESTDIR=%{buildroot} - -mv %{buildroot}%{_bindir}/ipa-run-tests %{buildroot}%{_bindir}/ipa-run-tests-%{python2_version} -mv %{buildroot}%{_bindir}/ipa-test-config %{buildroot}%{_bindir}/ipa-test-config-%{python2_version} -mv %{buildroot}%{_bindir}/ipa-test-task %{buildroot}%{_bindir}/ipa-test-task-%{python2_version} +# Please put as much logic as possible into make install. It allows: +# - easier porting to other distributions +# - rapid devel & install cycle using make install +# (instead of full RPM build and installation each time) +# +# All files and directories created by spec install should be marked as ghost. +# (These are typically configuration files created by IPA installer.) +# All other artifacts should be created by make install. +# +# Exception to this rule are test programs which where want to install +# Python2/3 versions at the same time so we need to rename them. Yuck. %if 0%{?with_python3} -(cd ipatests && %{__python3} setup.py install --root %{buildroot}) +# Python 3 installation needs to be done first. Subsequent Python 2 install +# will overwrite /usr/bin/ipa and other scripts with variants using +# python2 shebang. +pushd %{_builddir}/freeipa-%{version}-python3 +(cd ipaclient && %make_install) +(cd ipalib && %make_install) +(cd ipaplatform && %make_install) +(cd ipapython && %make_install) +%if ! %{ONLY_CLIENT} +(cd ipaserver && %make_install) +%endif # ONLY_CLIENT +%if 0%{?with_ipatests} +(cd ipatests && %make_install) +%endif # with_ipatests +popd + +%if 0%{?with_ipatests} mv %{buildroot}%{_bindir}/ipa-run-tests %{buildroot}%{_bindir}/ipa-run-tests-%{python3_version} mv %{buildroot}%{_bindir}/ipa-test-config %{buildroot}%{_bindir}/ipa-test-config-%{python3_version} mv %{buildroot}%{_bindir}/ipa-test-task %{buildroot}%{_bindir}/ipa-test-task-%{python3_version} ln -s %{_bindir}/ipa-run-tests-%{python3_version} %{buildroot}%{_bindir}/ipa-run-tests-3 ln -s %{_bindir}/ipa-test-config-%{python3_version} %{buildroot}%{_bindir}/ipa-test-config-3 ln -s %{_bindir}/ipa-test-task-%{python3_version} %{buildroot}%{_bindir}/ipa-test-task-3 +%endif # with_ipatests + %endif # with_python3 +# Python 2 installation +%make_install + +%if 0%{?with_ipatests} +mv %{buildroot}%{_bindir}/ipa-run-tests %{buildroot}%{_bindir}/ipa-run-tests-%{python2_version} +mv %{buildroot}%{_bindir}/ipa-test-config %{buildroot}%{_bindir}/ipa-test-config-%{python2_version} +mv %{buildroot}%{_bindir}/ipa-test-task %{buildroot}%{_bindir}/ipa-test-task-%{python2_version} ln -s %{_bindir}/ipa-run-tests-%{python2_version} %{buildroot}%{_bindir}/ipa-run-tests-2 ln -s %{_bindir}/ipa-test-config-%{python2_version} %{buildroot}%{_bindir}/ipa-test-config-2 ln -s %{_bindir}/ipa-test-task-%{python2_version} %{buildroot}%{_bindir}/ipa-test-task-2 +# test framework defaults to Python 2 ln -s %{_bindir}/ipa-run-tests-%{python2_version} %{buildroot}%{_bindir}/ipa-run-tests ln -s %{_bindir}/ipa-test-config-%{python2_version} %{buildroot}%{_bindir}/ipa-test-config ln -s %{_bindir}/ipa-test-task-%{python2_version} %{buildroot}%{_bindir}/ipa-test-task - -%else -make client-install DESTDIR=%{buildroot} -%endif # ONLY_CLIENT +%endif # with_ipatests # Move /usr/bin/ipa out of the way # XXX: ipa cli is not stable enough for enabling py3 support, keep it in py2 # in any case mv %{buildroot}%{_bindir}/ipa %{buildroot}%{_bindir}/ipa-py2 -%if 0%{?with_python3} -(cd ipalib && make PYTHON=%{__python3} IPA_VERSION_IS_GIT_SNAPSHOT=no %{?_smp_mflags} DESTDIR=%{buildroot} install) -(cd ipapython && make PYTHON=%{__python3} IPA_VERSION_IS_GIT_SNAPSHOT=no %{?_smp_mflags} DESTDIR=%{buildroot} install) -(cd ipaplatform && %{__python3} setup.py install --root %{buildroot}) -(cd ipaclient && %{__python3} setup.py install --root %{buildroot}) -%endif # with_python3 - # Use Python 2 version of /usr/bin/ipa # XXX: see comment above mv %{buildroot}%{_bindir}/ipa-py2 %{buildroot}%{_bindir}/ipa -%find_lang %{gettext_domain} +# remove files which are useful only for make uninstall +find %{buildroot} -wholename '*/site-packages/*/install_files.txt' -exec rm {} \; -mkdir -p %{buildroot}%{_usr}/share/ipa +%find_lang %{gettext_domain} %if ! %{ONLY_CLIENT} # Remove .la files from libtool - we don't want to package @@ -806,109 +988,29 @@ rm %{buildroot}/%{plugin_dir}/libtopology.la rm %{buildroot}/%{_libdir}/krb5/plugins/kdb/ipadb.la rm %{buildroot}/%{_libdir}/samba/pdb/ipasam.la -# Some user-modifiable HTML files are provided. Move these to /etc -# and link back. -mkdir -p %{buildroot}/%{_sysconfdir}/ipa/html -mkdir -p %{buildroot}/%{_localstatedir}/cache/ipa/sysrestore -mkdir -p %{buildroot}/%{_localstatedir}/cache/ipa/sysupgrade -mkdir %{buildroot}%{_usr}/share/ipa/html/ -ln -s ../../../..%{_sysconfdir}/ipa/html/ffconfig.js \ - %{buildroot}%{_usr}/share/ipa/html/ffconfig.js -ln -s ../../../..%{_sysconfdir}/ipa/html/ffconfig_page.js \ - %{buildroot}%{_usr}/share/ipa/html/ffconfig_page.js -ln -s ../../../..%{_sysconfdir}/ipa/html/ssbrowser.html \ - %{buildroot}%{_usr}/share/ipa/html/ssbrowser.html -ln -s ../../../..%{_sysconfdir}/ipa/html/unauthorized.html \ - %{buildroot}%{_usr}/share/ipa/html/unauthorized.html -ln -s ../../../..%{_sysconfdir}/ipa/html/browserconfig.html \ - %{buildroot}%{_usr}/share/ipa/html/browserconfig.html - # So we can own our Apache configuration mkdir -p %{buildroot}%{_sysconfdir}/httpd/conf.d/ /bin/touch %{buildroot}%{_sysconfdir}/httpd/conf.d/ipa.conf /bin/touch %{buildroot}%{_sysconfdir}/httpd/conf.d/ipa-kdc-proxy.conf /bin/touch %{buildroot}%{_sysconfdir}/httpd/conf.d/ipa-pki-proxy.conf /bin/touch %{buildroot}%{_sysconfdir}/httpd/conf.d/ipa-rewrite.conf -mkdir -p %{buildroot}%{_usr}/share/ipa/html/ /bin/touch %{buildroot}%{_usr}/share/ipa/html/ca.crt /bin/touch %{buildroot}%{_usr}/share/ipa/html/kerberosauth.xpi /bin/touch %{buildroot}%{_usr}/share/ipa/html/krb.con /bin/touch %{buildroot}%{_usr}/share/ipa/html/krb.js /bin/touch %{buildroot}%{_usr}/share/ipa/html/krb5.ini /bin/touch %{buildroot}%{_usr}/share/ipa/html/krbrealm.con -mkdir -p %{buildroot}%{_initrddir} -mkdir %{buildroot}%{_sysconfdir}/sysconfig/ -install -m 644 init/ipa_memcached.conf %{buildroot}%{_sysconfdir}/sysconfig/ipa_memcached -install -m 644 init/ipa-dnskeysyncd.conf %{buildroot}%{_sysconfdir}/sysconfig/ipa-dnskeysyncd -install -m 644 init/ipa-ods-exporter.conf %{buildroot}%{_sysconfdir}/sysconfig/ipa-ods-exporter -install -m 644 daemons/dnssec/ipa-ods-exporter.socket %{buildroot}%{_unitdir}/ipa-ods-exporter.socket -install -m 644 daemons/dnssec/ipa-ods-exporter.service %{buildroot}%{_unitdir}/ipa-ods-exporter.service -install -m 644 daemons/dnssec/ipa-dnskeysyncd.service %{buildroot}%{_unitdir}/ipa-dnskeysyncd.service - -# dnssec daemons -mkdir -p %{buildroot}%{_libexecdir}/ipa/ -install daemons/dnssec/ipa-dnskeysyncd %{buildroot}%{_libexecdir}/ipa/ipa-dnskeysyncd -install daemons/dnssec/ipa-dnskeysync-replica %{buildroot}%{_libexecdir}/ipa/ipa-dnskeysync-replica -install daemons/dnssec/ipa-ods-exporter %{buildroot}%{_libexecdir}/ipa/ipa-ods-exporter - -# Web UI plugin dir -mkdir -p %{buildroot}%{_usr}/share/ipa/ui/js/plugins - -# DNSSEC config -mkdir -p %{buildroot}%{_sysconfdir}/ipa/dnssec - -# KDC proxy config (Apache config sets KDCPROXY_CONFIG to load this file) -mkdir -p %{buildroot}%{_sysconfdir}/ipa/kdcproxy/ -install -m 644 install/share/kdcproxy.conf %{buildroot}%{_sysconfdir}/ipa/kdcproxy/kdcproxy.conf - -# NOTE: systemd specific section -mkdir -p %{buildroot}%{_tmpfilesdir} -install -m 0644 init/systemd/ipa.conf.tmpfiles %{buildroot}%{_tmpfilesdir}/%{name}.conf -# END - -mkdir -p %{buildroot}%{_localstatedir}/run/ -install -d -m 0700 %{buildroot}%{_localstatedir}/run/ipa_memcached/ -install -d -m 0700 %{buildroot}%{_localstatedir}/run/ipa/ -install -d -m 0700 %{buildroot}%{_localstatedir}/run/httpd/ipa -install -d -m 0700 %{buildroot}%{_localstatedir}/run/httpd/ipa/clientcaches -install -d -m 0700 %{buildroot}%{_localstatedir}/run/httpd/ipa/krbcache mkdir -p %{buildroot}%{_libdir}/krb5/plugins/libkrb5 touch %{buildroot}%{_libdir}/krb5/plugins/libkrb5/winbind_krb5_locator.so -# NOTE: systemd specific section -mkdir -p %{buildroot}%{_unitdir} -mkdir -p %{buildroot}%{etc_systemd_dir} -install -m 644 init/systemd/ipa.service %{buildroot}%{_unitdir}/ipa.service -install -m 644 init/systemd/ipa_memcached.service %{buildroot}%{_unitdir}/ipa_memcached.service -install -m 644 init/systemd/ipa-custodia.service %{buildroot}%{_unitdir}/ipa-custodia.service -# END -mkdir -p %{buildroot}/%{_localstatedir}/lib/ipa/backup %endif # ONLY_CLIENT -mkdir -p %{buildroot}%{_sysconfdir}/ipa/ /bin/touch %{buildroot}%{_sysconfdir}/ipa/default.conf /bin/touch %{buildroot}%{_sysconfdir}/ipa/ca.crt -mkdir -p %{buildroot}%{_sysconfdir}/ipa/nssdb -mkdir -p %{buildroot}/%{_localstatedir}/lib/ipa-client/sysrestore -mkdir -p %{buildroot}%{_sysconfdir}/bash_completion.d -install -pm 644 contrib/completion/ipa.bash_completion %{buildroot}%{_sysconfdir}/bash_completion.d/ipa %if ! %{ONLY_CLIENT} mkdir -p %{buildroot}%{_sysconfdir}/cron.d - -(cd %{buildroot}/%{python_sitelib}/ipaserver && find . -type f | \ - sed -e 's,\.py.*$,.*,g' | sort -u | \ - sed -e 's,\./,%%{python_sitelib}/ipaserver/,g' ) >server-python.list - -(cd %{buildroot}/%{python_sitelib}/ipatests && find . -type f | \ - sed -e 's,\.py.*$,.*,g' | sort -u | \ - sed -e 's,\./,%%{python_sitelib}/ipatests/,g' ) >tests-python.list - -mkdir -p %{buildroot}%{_sysconfdir}/ipa/custodia - -mkdir -p %{buildroot}%{_usr}/share/ipa/schema.d - %endif # ONLY_CLIENT @@ -970,6 +1072,15 @@ if [ -e /usr/sbin/ipa_kpasswd ]; then # END fi +# create users and groups +# create kdcproxy group and user +getent group kdcproxy >/dev/null || groupadd -f -r kdcproxy +getent passwd kdcproxy >/dev/null || useradd -r -g kdcproxy -s /sbin/nologin -d / -c "IPA KDC Proxy User" kdcproxy +# create ipaapi group and user +getent group ipaapi >/dev/null || groupadd -f -r ipaapi +getent passwd ipaapi >/dev/null || useradd -r -g ipaapi -s /sbin/nologin -d / -c "IPA Framework User" ipaapi +# add apache to ipaaapi group +id -Gn apache | grep '\bipaapi\b' >/dev/null || usermod apache -a -G ipaapi %postun server-trust-ad if [ "$1" -ge "1" ]; then @@ -1019,6 +1130,15 @@ if [ $1 -gt 1 ] ; then fi fi + if [ $restore -ge 2 ]; then + if grep -E -q '\s*pkinit_anchors = FILE:/etc/ipa/ca.crt$' /etc/krb5.conf 2>/dev/null; then + sed -E 's|(\s*)pkinit_anchors = FILE:/etc/ipa/ca.crt$|\1pkinit_anchors = FILE:/var/lib/ipa-client/pki/kdc-ca-bundle.pem\n\1pkinit_pool = FILE:/var/lib/ipa-client/pki/ca-bundle.pem|' /etc/krb5.conf >/etc/krb5.conf.ipanew + mv -Z /etc/krb5.conf.ipanew /etc/krb5.conf + cp /etc/ipa/ca.crt /var/lib/ipa-client/pki/kdc-ca-bundle.pem + cp /etc/ipa/ca.crt /var/lib/ipa-client/pki/ca-bundle.pem + fi + fi + if [ -f '/etc/sysconfig/ntpd' -a $restore -ge 2 ]; then if grep -E -q 'OPTIONS=.*-u ntp:ntp' /etc/sysconfig/ntpd 2>/dev/null; then sed -r '/OPTIONS=/ { s/\s+-u ntp:ntp\s+/ /; s/\s*-u ntp:ntp\s*// }' /etc/sysconfig/ntpd >/etc/sysconfig/ntpd.ipanew @@ -1029,7 +1149,7 @@ if [ $1 -gt 1 ] ; then fi if [ $restore -ge 2 ]; then - python2 -c 'from ipapython.certdb import update_ipa_nssdb; update_ipa_nssdb()' >/var/log/ipaupgrade.log 2>&1 + python2 -c 'from ipaclient.install.client import update_ipa_nssdb; update_ipa_nssdb()' >/var/log/ipaupgrade.log 2>&1 fi fi @@ -1074,7 +1194,7 @@ fi %files server %defattr(-,root,root,-) -%doc README Contributors.txt +%doc README.md Contributors.txt %license COPYING %{_sbindir}/ipa-backup %{_sbindir}/ipa-restore @@ -1094,13 +1214,11 @@ fi %{_sbindir}/ipa-nis-manage %{_sbindir}/ipa-managed-entries %{_sbindir}/ipactl -%{_sbindir}/ipa-upgradeconfig %{_sbindir}/ipa-advise %{_sbindir}/ipa-cacert-manage %{_sbindir}/ipa-winsync-migrate %{_libexecdir}/certmonger/dogtag-ipa-ca-renew-agent-submit %{_libexecdir}/certmonger/ipa-server-guard -%{_libexecdir}/ipa-otpd %dir %{_libexecdir}/ipa %{_libexecdir}/ipa/ipa-custodia %{_libexecdir}/ipa/ipa-dnskeysyncd @@ -1108,10 +1226,12 @@ fi %{_libexecdir}/ipa/ipa-ods-exporter %{_libexecdir}/ipa/ipa-httpd-kdcproxy %{_libexecdir}/ipa/ipa-pki-retrieve-key +%{_libexecdir}/ipa/ipa-otpd %dir %{_libexecdir}/ipa/oddjob %attr(0755,root,root) %{_libexecdir}/ipa/oddjob/org.freeipa.server.conncheck %config(noreplace) %{_sysconfdir}/dbus-1/system.d/org.freeipa.server.conf %config(noreplace) %{_sysconfdir}/oddjobd.conf.d/ipa-server.conf +%config(noreplace) %{_sysconfdir}/krb5.conf.d/ipa-certauth %dir %{_libexecdir}/ipa/certmonger %attr(755,root,root) %{_libexecdir}/ipa/certmonger/* # NOTE: systemd specific section @@ -1139,87 +1259,72 @@ fi %attr(755,root,root) %{plugin_dir}/libipa_sidgen_task.so %attr(755,root,root) %{plugin_dir}/libipa_extdom_extop.so %attr(755,root,root) %{_libdir}/krb5/plugins/kdb/ipadb.so -%{_mandir}/man1/ipa-replica-conncheck.1.gz -%{_mandir}/man1/ipa-replica-install.1.gz -%{_mandir}/man1/ipa-replica-manage.1.gz -%{_mandir}/man1/ipa-csreplica-manage.1.gz -%{_mandir}/man1/ipa-replica-prepare.1.gz -%{_mandir}/man1/ipa-server-certinstall.1.gz -%{_mandir}/man1/ipa-server-install.1.gz -%{_mandir}/man1/ipa-server-upgrade.1.gz -%{_mandir}/man1/ipa-ca-install.1.gz -%{_mandir}/man1/ipa-kra-install.1.gz -%{_mandir}/man1/ipa-compat-manage.1.gz -%{_mandir}/man1/ipa-nis-manage.1.gz -%{_mandir}/man1/ipa-managed-entries.1.gz -%{_mandir}/man1/ipa-ldap-updater.1.gz -%{_mandir}/man8/ipactl.8.gz -%{_mandir}/man8/ipa-upgradeconfig.8.gz -%{_mandir}/man1/ipa-backup.1.gz -%{_mandir}/man1/ipa-restore.1.gz -%{_mandir}/man1/ipa-advise.1.gz -%{_mandir}/man1/ipa-otptoken-import.1.gz -%{_mandir}/man1/ipa-cacert-manage.1.gz -%{_mandir}/man1/ipa-winsync-migrate.1.gz +%{_mandir}/man1/ipa-replica-conncheck.1* +%{_mandir}/man1/ipa-replica-install.1* +%{_mandir}/man1/ipa-replica-manage.1* +%{_mandir}/man1/ipa-csreplica-manage.1* +%{_mandir}/man1/ipa-replica-prepare.1* +%{_mandir}/man1/ipa-server-certinstall.1* +%{_mandir}/man1/ipa-server-install.1* +%{_mandir}/man1/ipa-server-upgrade.1* +%{_mandir}/man1/ipa-ca-install.1* +%{_mandir}/man1/ipa-kra-install.1* +%{_mandir}/man1/ipa-compat-manage.1* +%{_mandir}/man1/ipa-nis-manage.1* +%{_mandir}/man1/ipa-managed-entries.1* +%{_mandir}/man1/ipa-ldap-updater.1* +%{_mandir}/man8/ipactl.8* +%{_mandir}/man1/ipa-backup.1* +%{_mandir}/man1/ipa-restore.1* +%{_mandir}/man1/ipa-advise.1* +%{_mandir}/man1/ipa-otptoken-import.1* +%{_mandir}/man1/ipa-cacert-manage.1* +%{_mandir}/man1/ipa-winsync-migrate.1* -%files -n python2-ipaserver -f server-python.list +%files -n python2-ipaserver %defattr(-,root,root,-) -%doc README Contributors.txt +%doc README.md Contributors.txt %license COPYING -%{python_sitelib}/freeipa-*.egg-info -%dir %{python_sitelib}/ipaserver -%dir %{python_sitelib}/ipaserver/install -%dir %{python_sitelib}/ipaserver/install/plugins -%dir %{python_sitelib}/ipaserver/install/server -%dir %{python_sitelib}/ipaserver/advise -%dir %{python_sitelib}/ipaserver/advise/plugins -%dir %{python_sitelib}/ipaserver/plugins +%{python2_sitelib}/ipaserver +%{python2_sitelib}/ipaserver-*.egg-info + + +%if 0%{?with_python3} + +%files -n python3-ipaserver +%defattr(-,root,root,-) +%doc README.md Contributors.txt +%license COPYING +%{python3_sitelib}/ipaserver +%{python3_sitelib}/ipaserver-*.egg-info + +%endif # with_python3 %files server-common %defattr(-,root,root,-) -%doc README Contributors.txt +%doc README.md Contributors.txt %license COPYING %ghost %verify(not owner group) %dir %{_sharedstatedir}/kdcproxy %dir %attr(0755,root,root) %{_sysconfdir}/ipa/kdcproxy -%config(noreplace) %{_sysconfdir}/sysconfig/ipa_memcached %config(noreplace) %{_sysconfdir}/sysconfig/ipa-dnskeysyncd %config(noreplace) %{_sysconfdir}/sysconfig/ipa-ods-exporter %config(noreplace) %{_sysconfdir}/ipa/kdcproxy/kdcproxy.conf -%dir %attr(0700,apache,apache) %{_localstatedir}/run/ipa_memcached/ -%dir %attr(0700,root,root) %{_localstatedir}/run/ipa/ -%dir %attr(0700,apache,apache) %{_localstatedir}/run/httpd/ipa/ -%dir %attr(0700,apache,apache) %{_localstatedir}/run/httpd/ipa/clientcaches/ -%dir %attr(0700,apache,apache) %{_localstatedir}/run/httpd/ipa/krbcache/ -# NOTE: systemd specific section -%{_tmpfilesdir}/%{name}.conf -%attr(644,root,root) %{_unitdir}/ipa_memcached.service %attr(644,root,root) %{_unitdir}/ipa-custodia.service %ghost %attr(644,root,root) %{etc_systemd_dir}/httpd.d/ipa.conf # END %dir %{_usr}/share/ipa %{_usr}/share/ipa/wsgi.py* -%{_usr}/share/ipa/copy-schema-to-ca.py* %{_usr}/share/ipa/*.ldif %{_usr}/share/ipa/*.uldif %{_usr}/share/ipa/*.template +%{_usr}/share/ipa/ipa.conf.tmpfiles %dir %{_usr}/share/ipa/advise %dir %{_usr}/share/ipa/advise/legacy %{_usr}/share/ipa/advise/legacy/*.template %dir %{_usr}/share/ipa/profiles %{_usr}/share/ipa/profiles/*.cfg -%dir %{_usr}/share/ipa/ffextension -%{_usr}/share/ipa/ffextension/bootstrap.js -%{_usr}/share/ipa/ffextension/install.rdf -%{_usr}/share/ipa/ffextension/chrome.manifest -%dir %{_usr}/share/ipa/ffextension/chrome -%dir %{_usr}/share/ipa/ffextension/chrome/content -%{_usr}/share/ipa/ffextension/chrome/content/kerberosauth.js -%{_usr}/share/ipa/ffextension/chrome/content/kerberosauth_overlay.xul -%dir %{_usr}/share/ipa/ffextension/locale -%dir %{_usr}/share/ipa/ffextension/locale/en-US -%{_usr}/share/ipa/ffextension/locale/en-US/kerberosauth.properties %dir %{_usr}/share/ipa/html %{_usr}/share/ipa/html/ffconfig.js %{_usr}/share/ipa/html/ffconfig_page.js @@ -1270,7 +1375,6 @@ fi %{_usr}/share/ipa/ipa.conf %{_usr}/share/ipa/ipa-rewrite.conf %{_usr}/share/ipa/ipa-pki-proxy.conf -%{_usr}/share/ipa/kdcproxy.conf %ghost %attr(0644,root,apache) %config(noreplace) %{_usr}/share/ipa/html/ca.crt %ghost %attr(0644,root,apache) %{_usr}/share/ipa/html/kerberosauth.xpi %ghost %attr(0644,root,apache) %{_usr}/share/ipa/html/krb.con @@ -1281,6 +1385,7 @@ fi %{_usr}/share/ipa/updates/* %dir %{_localstatedir}/lib/ipa %attr(700,root,root) %dir %{_localstatedir}/lib/ipa/backup +%attr(700,root,root) %dir %{_localstatedir}/lib/ipa/gssproxy %attr(700,root,root) %dir %{_localstatedir}/lib/ipa/sysrestore %attr(700,root,root) %dir %{_localstatedir}/lib/ipa/sysupgrade %attr(755,root,root) %dir %{_localstatedir}/lib/ipa/pki-ca @@ -1289,23 +1394,25 @@ fi %dir %attr(0700,root,root) %{_sysconfdir}/ipa/custodia %dir %{_usr}/share/ipa/schema.d %attr(0644,root,root) %{_usr}/share/ipa/schema.d/README +%attr(0644,root,root) %{_usr}/share/ipa/gssapi.login +%{_usr}/share/ipa/ipakrb5.aug %files server-dns %defattr(-,root,root,-) -%doc README Contributors.txt +%doc README.md Contributors.txt %license COPYING %{_sbindir}/ipa-dns-install -%{_mandir}/man1/ipa-dns-install.1.gz +%{_mandir}/man1/ipa-dns-install.1* %files server-trust-ad %defattr(-,root,root,-) -%doc README Contributors.txt +%doc README.md Contributors.txt %license COPYING %{_sbindir}/ipa-adtrust-install %{_usr}/share/ipa/smb.conf.empty %attr(755,root,root) %{_libdir}/samba/pdb/ipasam.so -%{_mandir}/man1/ipa-adtrust-install.1.gz +%{_mandir}/man1/ipa-adtrust-install.1* %ghost %{_libdir}/krb5/plugins/libkrb5/winbind_krb5_locator.so %{_sysconfdir}/dbus-1/system.d/oddjob-ipa-trust.conf %{_sysconfdir}/oddjobd.conf.d/oddjobd-ipa-trust.conf @@ -1316,7 +1423,7 @@ fi %files client %defattr(-,root,root,-) -%doc README Contributors.txt +%doc README.md Contributors.txt %license COPYING %{_sbindir}/ipa-client-install %{_sbindir}/ipa-client-automount @@ -1326,26 +1433,35 @@ fi %{_sbindir}/ipa-join %{_bindir}/ipa %config %{_sysconfdir}/bash_completion.d -%{_mandir}/man1/ipa.1.gz -%{_mandir}/man1/ipa-getkeytab.1.gz -%{_mandir}/man1/ipa-rmkeytab.1.gz -%{_mandir}/man1/ipa-client-install.1.gz -%{_mandir}/man1/ipa-client-automount.1.gz -%{_mandir}/man1/ipa-certupdate.1.gz -%{_mandir}/man1/ipa-join.1.gz +%{_mandir}/man1/ipa.1* +%{_mandir}/man1/ipa-getkeytab.1* +%{_mandir}/man1/ipa-rmkeytab.1* +%{_mandir}/man1/ipa-client-install.1* +%{_mandir}/man1/ipa-client-automount.1* +%{_mandir}/man1/ipa-certupdate.1* +%{_mandir}/man1/ipa-join.1* %files -n python2-ipaclient %defattr(-,root,root,-) -%doc README Contributors.txt +%doc README.md Contributors.txt %license COPYING %dir %{python_sitelib}/ipaclient %{python_sitelib}/ipaclient/*.py* +%dir %{python_sitelib}/ipaclient/install +%{python_sitelib}/ipaclient/install/*.py* %dir %{python_sitelib}/ipaclient/plugins %{python_sitelib}/ipaclient/plugins/*.py* %dir %{python_sitelib}/ipaclient/remote_plugins %{python_sitelib}/ipaclient/remote_plugins/*.py* %{python_sitelib}/ipaclient/remote_plugins/2_*/*.py* +%dir %{python_sitelib}/ipaclient/csrgen +%dir %{python_sitelib}/ipaclient/csrgen/profiles +%{python_sitelib}/ipaclient/csrgen/profiles/*.json +%dir %{python_sitelib}/ipaclient/csrgen/rules +%{python_sitelib}/ipaclient/csrgen/rules/*.json +%dir %{python_sitelib}/ipaclient/csrgen/templates +%{python_sitelib}/ipaclient/csrgen/templates/*.tmpl %{python_sitelib}/ipaclient-*.egg-info @@ -1353,11 +1469,14 @@ fi %files -n python3-ipaclient %defattr(-,root,root,-) -%doc README Contributors.txt +%doc README.md Contributors.txt %license COPYING %dir %{python3_sitelib}/ipaclient %{python3_sitelib}/ipaclient/*.py %{python3_sitelib}/ipaclient/__pycache__/*.py* +%dir %{python3_sitelib}/ipaclient/install +%{python3_sitelib}/ipaclient/install/*.py +%{python3_sitelib}/ipaclient/install/__pycache__/*.py* %dir %{python3_sitelib}/ipaclient/plugins %{python3_sitelib}/ipaclient/plugins/*.py %{python3_sitelib}/ipaclient/plugins/__pycache__/*.py* @@ -1366,6 +1485,13 @@ fi %{python3_sitelib}/ipaclient/remote_plugins/__pycache__/*.py* %{python3_sitelib}/ipaclient/remote_plugins/2_*/*.py %{python3_sitelib}/ipaclient/remote_plugins/2_*/__pycache__/*.py* +%dir %{python3_sitelib}/ipaclient/csrgen +%dir %{python3_sitelib}/ipaclient/csrgen/profiles +%{python3_sitelib}/ipaclient/csrgen/profiles/*.json +%dir %{python3_sitelib}/ipaclient/csrgen/rules +%{python3_sitelib}/ipaclient/csrgen/rules/*.json +%dir %{python3_sitelib}/ipaclient/csrgen/templates +%{python3_sitelib}/ipaclient/csrgen/templates/*.tmpl %{python3_sitelib}/ipaclient-*.egg-info %endif # with_python3 @@ -1373,7 +1499,7 @@ fi %files client-common %defattr(-,root,root,-) -%doc README Contributors.txt +%doc README.md Contributors.txt %license COPYING %dir %attr(0755,root,root) %{_sysconfdir}/ipa/ %ghost %attr(0644,root,apache) %config(noreplace) %{_sysconfdir}/ipa/default.conf @@ -1384,32 +1510,30 @@ fi %ghost %config(noreplace) %{_sysconfdir}/ipa/nssdb/secmod.db %ghost %config(noreplace) %{_sysconfdir}/ipa/nssdb/pwdfile.txt %ghost %config(noreplace) %{_sysconfdir}/pki/ca-trust/source/ipa.p11-kit -%dir %{_usr}/share/ipa %dir %{_localstatedir}/lib/ipa-client +%dir %{_localstatedir}/lib/ipa-client/pki %dir %{_localstatedir}/lib/ipa-client/sysrestore -%{_mandir}/man5/default.conf.5.gz +%{_mandir}/man5/default.conf.5* %files python-compat %defattr(-,root,root,-) -%doc README Contributors.txt +%doc README.md Contributors.txt %license COPYING %files -n python2-ipalib %defattr(-,root,root,-) -%doc README Contributors.txt +%doc README.md Contributors.txt %license COPYING %dir %{python_sitelib}/ipapython %{python_sitelib}/ipapython/*.py* -%dir %{python_sitelib}/ipapython/dnssec -%{python_sitelib}/ipapython/dnssec/*.py* %dir %{python_sitelib}/ipapython/install %{python_sitelib}/ipapython/install/*.py* -%dir %{python_sitelib}/ipapython/secrets -%{python_sitelib}/ipapython/secrets/*.py* %dir %{python_sitelib}/ipalib -%{python_sitelib}/ipalib/* +%{python_sitelib}/ipalib/*.py* +%dir %{python_sitelib}/ipalib/install +%{python_sitelib}/ipalib/install/*.py* %dir %{python_sitelib}/ipaplatform %{python_sitelib}/ipaplatform/* %{python_sitelib}/ipapython-*.egg-info @@ -1419,7 +1543,7 @@ fi %files common -f %{gettext_domain}.lang %defattr(-,root,root,-) -%doc README Contributors.txt +%doc README.md Contributors.txt %license COPYING @@ -1427,7 +1551,7 @@ fi %files -n python3-ipalib %defattr(-,root,root,-) -%doc README Contributors.txt +%doc README.md Contributors.txt %license COPYING %{python3_sitelib}/ipapython/ @@ -1440,23 +1564,14 @@ fi %endif # with_python3 -%if ! %{ONLY_CLIENT} +%if 0%{?with_ipatests} -%files -n python2-ipatests -f tests-python.list +%files -n python2-ipatests %defattr(-,root,root,-) -%doc README Contributors.txt +%doc README.md Contributors.txt %license COPYING -%dir %{python_sitelib}/ipatests -%dir %{python_sitelib}/ipatests/test_cmdline -%dir %{python_sitelib}/ipatests/test_install -%dir %{python_sitelib}/ipatests/test_ipalib -%dir %{python_sitelib}/ipatests/test_ipapython -%dir %{python_sitelib}/ipatests/test_ipaserver -%dir %{python_sitelib}/ipatests/test_ipaserver/test_install -%dir %{python_sitelib}/ipatests/test_ipaserver/data -%dir %{python_sitelib}/ipatests/test_pkcs10 -%dir %{python_sitelib}/ipatests/test_webui -%dir %{python_sitelib}/ipatests/test_xmlrpc +%{python_sitelib}/ipatests +%{python_sitelib}/ipatests-*.egg-info %{_bindir}/ipa-run-tests %{_bindir}/ipa-test-config %{_bindir}/ipa-test-task @@ -1466,32 +1581,35 @@ fi %{_bindir}/ipa-run-tests-%{python2_version} %{_bindir}/ipa-test-config-%{python2_version} %{_bindir}/ipa-test-task-%{python2_version} -%{python_sitelib}/ipatests-*.egg-info -%{_mandir}/man1/ipa-run-tests.1.gz -%{_mandir}/man1/ipa-test-config.1.gz -%{_mandir}/man1/ipa-test-task.1.gz +%{_mandir}/man1/ipa-run-tests.1* +%{_mandir}/man1/ipa-test-config.1* +%{_mandir}/man1/ipa-test-task.1* %if 0%{?with_python3} %files -n python3-ipatests %defattr(-,root,root,-) -%doc README Contributors.txt +%doc README.md Contributors.txt %license COPYING -%{python3_sitelib}/ipatests/ +%{python3_sitelib}/ipatests +%{python3_sitelib}/ipatests-*.egg-info %{_bindir}/ipa-run-tests-3 %{_bindir}/ipa-test-config-3 %{_bindir}/ipa-test-task-3 %{_bindir}/ipa-run-tests-%{python3_version} %{_bindir}/ipa-test-config-%{python3_version} %{_bindir}/ipa-test-task-%{python3_version} -%{python3_sitelib}/ipatests-*.egg-info %endif # with_python3 -%endif # ONLY_CLIENT +%endif # with_ipatests %changelog +* Thu May 25 2017 Tomas Krizek - 4.5.1-1 +- Update to upstream 4.5.1 - see https://www.freeipa.org/page/Releases/4.5.1 +- Fixes #1168266 UI drops "Enknown Error" when the ipa record in /etc/hosts changes + * Tue May 23 2017 Tomas Krizek - 4.4.4-2 - Fixes #1448049 Subpackage freeipa-server-common has unmet dependencies on Rawhide - Fixes #1430247 FreeIPA server deployment runs ipa-custodia on Python 3, should use Python 2 diff --git a/sources b/sources index 307b5a4..6f3e2b0 100644 --- a/sources +++ b/sources @@ -1,2 +1,2 @@ -SHA512 (freeipa-4.4.4.tar.gz) = f35d498529cbd487a93098cd70cd0c16de67e58a90ff576746f73e7a9f428ff465302ac50ca9481984fe838d5988fc36fec79b90dabcdef2029f8a2373e44b8c -SHA512 (freeipa-4.4.4.tar.gz.asc) = 174cba773266fe70dee695270da38f5a989f2e8328ef9b5761bcb50b4948a6836d6761e8aeca83db923bfc827ffae8b7760ef55968e5c3855cab158da2f60b1a +SHA512 (freeipa-4.5.1.tar.gz) = d9579a57724384bdbcc264d9749e66e31a49c243c514444819d61f3f687d65ce2e4552c8c1222283cbe16c6fd0e184887ab707752ca1c38e9ebe3a073e3c5a2b +SHA512 (freeipa-4.5.1.tar.gz.asc) = 9cde8cd9ee65e4cdbf9bbfd7acf7c712e07f547c34e1fc0576ba7aa3cc07a0bd1a35b774a6d8ebba715a5e366002c76ffa5eacbdab2982aca2af59464d79d670