import ipa-4.8.7-4.module+el8.3.0+7222+7c0a6564

CentOS Sources 2020-07-28 04:27:17 -04:00 committed by Stepan Oksanichenko
parent b31f93b6d4
commit ea368e57a3
12 changed files with 2164 additions and 531 deletions

2
.gitignore vendored

@ -1 +1 @@
SOURCES/freeipa-4.8.4.tar.gz
SOURCES/freeipa-4.8.7.tar.gz


@ -1 +1 @@
72c91f01b2039795223417dc6761edf8ee0f36ee SOURCES/freeipa-4.8.4.tar.gz
0099d799a77a757eeb4a95a69a38bdec24e45026 SOURCES/freeipa-4.8.7.tar.gz


@ -1,47 +0,0 @@
From 2c2cef7063315766d893b275185b422be3f3c019 Mon Sep 17 00:00:00 2001
From: Thomas Woerner <twoerner@redhat.com>
Date: Dec 16 2019 20:37:17 +0000
Subject: DNS install check: Fix overlapping DNS zone from the master itself
The change to allow overlapping zone to be from the master itself has
introduced two issues: The check for the master itself should only executed
if options.force and options.allow_zone_overlap are both false and the
reverse zone check later on was still handling ValueError instead of
dnsutil.DNSZoneAlreadyExists.
Both issues have been fixed and the deployment with existing name servers
is properly working again.
Fixes: https://pagure.io/freeipa/issue/8150
Signed-off-by: Thomas Woerner <twoerner@redhat.com>
Reviewed-By: Florence Blanc-Renaud <frenaud@redhat.com>
---
diff --git a/ipaserver/install/dns.py b/ipaserver/install/dns.py
index 36ba6f8..9f08e86 100644
--- a/ipaserver/install/dns.py
+++ b/ipaserver/install/dns.py
@@ -135,15 +135,15 @@ def install_check(standalone, api, replica, options, hostname):
logger.warning("%s Please make sure that the domain is "
"properly delegated to this IPA server.",
e)
-
- hst = dnsutil.DNSName(hostname).make_absolute().to_text()
- if hst not in e.kwargs['ns']:
- raise ValueError(str(e))
+ else:
+ hst = dnsutil.DNSName(hostname).make_absolute().to_text()
+ if hst not in e.kwargs['ns']:
+ raise ValueError(str(e))
for reverse_zone in options.reverse_zones:
try:
dnsutil.check_zone_overlap(reverse_zone)
- except ValueError as e:
+ except dnsutil.DNSZoneAlreadyExists as e:
if options.force or options.allow_zone_overlap:
logger.warning('%s', str(e))
else:


@ -0,0 +1,293 @@
From c2ba333b9681d008d9c528a79dbdd76ce11a3ecd Mon Sep 17 00:00:00 2001
From: Serhii Tsymbaliuk <stsymbal@redhat.com>
Date: Thu, 28 May 2020 08:47:49 +0200
Subject: [PATCH 01/22] WebUI: Fix "IPA Error 3007: RequirmentError" while
adding idoverrideuser association
Add builder for association adder dialog which allows to override behavior of the component.
Replace default implementation with a custom one for idoverrideuser.
Replace text filter with 'ID view' select box in the idoverrideuser dialog.
Ticket: https://pagure.io/freeipa/issue/8335
Signed-off-by: Serhii Tsymbaliuk <stsymbal@redhat.com>
Reviewed-By: Alexander Bokovoy <abokovoy@redhat.com>
---
install/ui/src/freeipa/association.js | 13 ++++-
install/ui/src/freeipa/dialog.js | 73 ++++++++++++++++-----------
install/ui/src/freeipa/group.js | 14 +++++
install/ui/src/freeipa/idviews.js | 58 +++++++++++++++++++++
ipaserver/plugins/internal.py | 6 +++
5 files changed, 133 insertions(+), 31 deletions(-)
diff --git a/install/ui/src/freeipa/association.js b/install/ui/src/freeipa/association.js
index f10ccb2a5..b083a79f9 100644
--- a/install/ui/src/freeipa/association.js
+++ b/install/ui/src/freeipa/association.js
@@ -25,6 +25,7 @@
define([
'dojo/_base/lang',
'dojo/Deferred',
+ './builder',
'./metadata',
'./ipa',
'./jquery',
@@ -38,7 +39,7 @@ define([
'./facet',
'./search',
'./dialog'],
- function(lang, Deferred, metadata_provider, IPA, $, metadata,
+ function(lang, Deferred, builder, metadata_provider, IPA, $, metadata,
navigation, phases, reg, rpc, su, text) {
/**
@@ -1209,7 +1210,8 @@ exp.association_facet = IPA.association_facet = function (spec, no_init) {
var pkeys = that.data.result.result[that.get_attribute_name()];
- var dialog = IPA.association_adder_dialog({
+ var dialog = builder.build('association_adder_dialog', {
+ $type: that.other_entity.name,
title: title,
entity: that.entity,
pkey: pkey,
@@ -1675,6 +1677,13 @@ IPA.attr_read_only_evaluator = function(spec) {
return that;
};
+// Create a registry for adder dialogs where key is name of 'other entity'.
+// It allows to override dialogs for some specific cases of association
+// creation.
+var dialog_builder = builder.get('association_adder_dialog');
+dialog_builder.factory = IPA.association_adder_dialog;
+reg.set('association_adder_dialog', dialog_builder.registry);
+
phases.on('registration', function() {
var w = reg.widget;
var f = reg.field;
diff --git a/install/ui/src/freeipa/dialog.js b/install/ui/src/freeipa/dialog.js
index c153120df..d67d63b6d 100644
--- a/install/ui/src/freeipa/dialog.js
+++ b/install/ui/src/freeipa/dialog.js
@@ -919,35 +919,7 @@ IPA.adder_dialog = function(spec) {
'class': 'input-group col-md-12 adder-dialog-top'
}).appendTo(container);
- var filter_placeholder = text.get('@i18n:association.filter_placeholder');
- filter_placeholder = filter_placeholder.replace('${other_entity}',
- that.other_entity.metadata.label);
-
- that.filter_field = $('<input/>', {
- type: 'text',
- name: 'filter',
- 'class': 'form-control',
- 'placeholder': filter_placeholder,
- keyup: function(event) {
- if (event.keyCode === keys.ENTER) {
- that.search();
- return false;
- }
- }
- }).appendTo(input_group);
-
- var input_group_btn = $('<div/>', {
- 'class': 'input-group-btn'
- }).appendTo(input_group);
-
- that.find_button = IPA.button({
- name: 'find',
- label: '@i18n:buttons.filter',
- click: function() {
- that.search();
- return false;
- }
- }).appendTo(input_group_btn);
+ that.filter_field = that.get_filter_field(input_group);
var row = $('<div/>', { 'class': 'row adder-dialog-main'}).appendTo(container);
//
@@ -1132,6 +1104,49 @@ IPA.adder_dialog = function(spec) {
return that.filter_field.val();
};
+ /**
+ * Return field for filtering available items
+ *
+ * Default implementation returns text input + "Filter" button.
+ * It can be overridden.
+ *
+ * @param {HTMLElement} input_group - container for a filter field
+ * @return {HTMLElement}
+ */
+ that.get_filter_field = function(input_group) {
+ var filter_placeholder = text.get(
+ '@i18n:association.filter_placeholder'
+ ).replace('${other_entity}', that.other_entity.metadata.label);
+
+ var filter_field = $('<input/>', {
+ type: 'text',
+ name: 'filter',
+ 'class': 'form-control',
+ 'placeholder': filter_placeholder,
+ keyup: function(event) {
+ if (event.keyCode === keys.ENTER) {
+ that.search();
+ return false;
+ }
+ }
+ }).appendTo(input_group);
+
+ var input_group_btn = $('<div/>', {
+ 'class': 'input-group-btn'
+ }).appendTo(input_group);
+
+ that.find_button = IPA.button({
+ name: 'find',
+ label: '@i18n:buttons.filter',
+ click: function() {
+ that.search();
+ return false;
+ }
+ }).appendTo(input_group_btn);
+
+ return filter_field;
+ };
+
/**
* Clear rows in available table
*/
diff --git a/install/ui/src/freeipa/group.js b/install/ui/src/freeipa/group.js
index e46d8c7e3..2984bd4b2 100644
--- a/install/ui/src/freeipa/group.js
+++ b/install/ui/src/freeipa/group.js
@@ -205,6 +205,20 @@ return {
add_title: '@i18n:objects.group.add_into_sudo',
remove_method: 'remove_user',
remove_title: '@i18n:objects.group.remove_from_sudo'
+ },
+ {
+ $type: 'association',
+ name: 'member_idoverrideuser',
+ associator: IPA.serial_associator,
+ add_title: '@i18n:objects.group.add_idoverride_user',
+ remove_title: '@i18n:objects.group.remove_idoverride_users',
+ columns: [
+ {
+ name: 'ipaanchoruuid',
+ label: '@i18n:objects.idoverrideuser.anchor_label',
+ link: false
+ }
+ ]
}
],
standard_association_facets: true,
diff --git a/install/ui/src/freeipa/idviews.js b/install/ui/src/freeipa/idviews.js
index 35dc998c8..a4fca6205 100644
--- a/install/ui/src/freeipa/idviews.js
+++ b/install/ui/src/freeipa/idviews.js
@@ -966,6 +966,58 @@ idviews.unapply_action = function(spec) {
return that;
};
+idviews.idoverrideuser_adder_dialog = function(spec) {
+
+ spec = spec || {};
+
+ var that = IPA.association_adder_dialog(spec);
+
+ that.base_search = that.search;
+
+ that.search = function() {
+ // Search for users only in case a ID view is selected
+ if (that.get_filter()) {
+ that.base_search();
+ }
+ };
+
+ /**
+ * Replace default text filter with a select box for filtering by ID view
+ */
+ that.get_filter_field = function(input_group) {
+
+ var filter_field = $('<select/>', {
+ name: 'filter',
+ 'class': 'form-control',
+ change: function(event) {
+ that.search();
+ }
+ }).appendTo(input_group);
+
+ rpc.command({
+ entity: 'idview',
+ method: 'find',
+ on_success: function(data) {
+ var results = data.result;
+
+ for (var i=0; i<results.count; i++) {
+ var result = results.result[i];
+ $('<option/>', {
+ text: result.cn[0],
+ value: result.cn[0]
+ }).appendTo(filter_field);
+ }
+
+ that.search();
+ }
+ }).execute();
+
+ return filter_field;
+ };
+
+ return that;
+};
+
/**
* ID View entity specification object
* @member idviews
@@ -993,6 +1045,7 @@ idviews.register = function() {
var f = reg.facet;
var a = reg.action;
var w = reg.widget;
+ var ad = reg.association_adder_dialog;
e.register({type: 'idview', spec: idviews.spec});
e.register({
@@ -1012,6 +1065,11 @@ idviews.register = function() {
w.register('idviews_certs', idviews.idviews_certs_widget);
w.register('cert_textarea', idviews.cert_textarea_widget);
+
+ ad.register({
+ type: 'idoverrideuser',
+ factory: idviews.idoverrideuser_adder_dialog
+ });
};
phases.on('registration', idviews.register);
diff --git a/ipaserver/plugins/internal.py b/ipaserver/plugins/internal.py
index 5f2b1fdc2..7622e65dc 100644
--- a/ipaserver/plugins/internal.py
+++ b/ipaserver/plugins/internal.py
@@ -835,6 +835,9 @@ class i18n_messages(Command):
"Remove users from member managers for user group "
"'${primary_key}'"
),
+ "add_idoverride_user": _(
+ "Add user ID override into user group '${primary_key}'"
+ ),
"details": _("Group Settings"),
"external": _("External"),
"groups": _("Groups"),
@@ -868,6 +871,9 @@ class i18n_messages(Command):
"remove_users": _(
"Remove users from user group '${primary_key}'"
),
+ "remove_idoverride_users": _(
+ "Remove user ID overrides from user group '${primary_key}'"
+ ),
"type": _("Group Type"),
"user_groups": _("User Groups"),
},
--
2.26.2
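Review bot: In the added `idviews.idoverrideuser_adder_dialog` (install/ui/src/freeipa/idviews.js), the `on_success` loop is bounded by the server-reported `results.count` rather than by the array it indexes, so any mismatch between the two makes `result.cn[0]` throw on `undefined` and leaves the select box partly filled; `for (var i=0; i<results.result.length; i++) {` removes that dependency. The `idview` `find` call passes no options, so the list is presumably capped by the default search size limit, and a truncated result would hide ID views without notice; checking `data.result.truncated`, if the API returns it here, would cover that. Building each `<option>` through jQuery's `text:` property keeps ID view names from being parsed as markup, and any rework should preserve that. The override never assigns `that.find_button`, which the default `get_filter_field` in dialog.js does, so code outside this patch that touches `find_button` would see `undefined` for this dialog.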


@ -0,0 +1,601 @@
From 77fae8c48bbe0f4499f4d8ed91b268568c64cd7c Mon Sep 17 00:00:00 2001
From: Christian Heimes <cheimes@redhat.com>
Date: Thu, 11 Jun 2020 11:17:25 +0200
Subject: [PATCH] Move ipa-epn systemd files and run RPM hooks
The init/systemd directory is for server only and not part of
CLIENT_ONLY builds.
It's necesary to run pre/post installation hooks to make systemd aware
of new files.
Fixes: https://pagure.io/freeipa/issue/8367
Signed-off-by: Christian Heimes <cheimes@redhat.com>
Reviewed-By: Rob Crittenden <rcritten@redhat.com>
Reviewed-By: Francois Cami <fcami@redhat.com>
---
.gitignore | 4 +--
client/Makefile.am | 1 +
client/share/Makefile.am | 5 ++++
{install => client}/share/expire_msg.template | 0
client/systemd/Makefile.am | 27 +++++++++++++++++++
{init => client}/systemd/ipa-epn.service.in | 0
{init => client}/systemd/ipa-epn.timer.in | 0
configure.ac | 24 +++++++++++++++--
freeipa.spec.in | 15 +++++++++++
init/systemd/Makefile.am | 8 +++---
install/share/Makefile.am | 5 ----
server.m4 | 19 -------------
12 files changed, 76 insertions(+), 32 deletions(-)
rename {install => client}/share/expire_msg.template (100%)
create mode 100644 client/systemd/Makefile.am
rename {init => client}/systemd/ipa-epn.service.in (100%)
rename {init => client}/systemd/ipa-epn.timer.in (100%)
#diff --git a/.gitignore b/.gitignore
#index 6584c3b4f..4cedb1ff2 100644
#--- a/.gitignore
#+++ b/.gitignore
#@@ -94,8 +94,6 @@ freeipa2-dev-doc
# /init/ipa_memcached
# /init/systemd/ipa-custodia.service
# /init/systemd/ipa.service
#-/init/systemd/ipa-epn.service
#-/init/systemd/ipa-epn.timer
# /init/tmpfilesd/ipa.conf
#
# !/install/ui/doc/Makefile.in
#@@ -116,6 +114,8 @@ freeipa2-dev-doc
# /client/ipa-getkeytab
# /client/ipa-join
# /client/ipa-rmkeytab
#+/client/systemd/ipa-epn.service
#+/client/systemd/ipa-epn.timer
#
# /ipaplatform/override.py
# /ipapython/version.py
diff --git a/client/Makefile.am b/client/Makefile.am
index 858a9369e..87da87fcd 100644
--- a/client/Makefile.am
+++ b/client/Makefile.am
@@ -95,6 +95,7 @@ SUBDIRS = \
share \
man \
sysconfig \
+ systemd \
$(NULL)
# init
diff --git a/client/share/Makefile.am b/client/share/Makefile.am
index 6d4a62d5e..1402a3a9d 100644
--- a/client/share/Makefile.am
+++ b/client/share/Makefile.am
@@ -4,3 +4,8 @@ appdir = $(IPA_DATA_DIR)/client
dist_app_DATA = \
freeipa.template \
$(NULL)
+
+epnconfdir = $(IPA_SYSCONF_DIR)/epn
+dist_epnconf_DATA = \
+ expire_msg.template \
+ $(NULL)
diff --git a/install/share/expire_msg.template b/client/share/expire_msg.template
similarity index 100%
rename from install/share/expire_msg.template
rename to client/share/expire_msg.template
diff --git a/client/systemd/Makefile.am b/client/systemd/Makefile.am
new file mode 100644
index 000000000..1f591be83
--- /dev/null
+++ b/client/systemd/Makefile.am
@@ -0,0 +1,27 @@
+# This file will be processed with automake-1.7 to create Makefile.in
+#
+AUTOMAKE_OPTIONS = 1.7
+
+NULL =
+
+dist_noinst_DATA = \
+ ipa-epn.service.in \
+ ipa-epn.timer.in \
+ $(NULL)
+
+systemdsystemunit_DATA = \
+ ipa-epn.service \
+ ipa-epn.timer \
+ $(NULL)
+
+CLEANFILES = $(systemdsystemunit_DATA)
+
+%: %.in Makefile
+ sed \
+ -e 's|@bindir[@]|$(bindir)|g' \
+ -e 's|@IPA_SYSCONF_DIR[@]|$(IPA_SYSCONF_DIR)|g' \
+ -e 's|@localstatedir[@]|$(localstatedir)|g' \
+ -e 's|@sbindir[@]|$(sbindir)|g' \
+ -e 's|@libexecdir[@]|$(libexecdir)|g' \
+ -e 's|@sysconfenvdir[@]|$(sysconfenvdir)|g' \
+ '$(srcdir)/$@.in' >$@
diff --git a/init/systemd/ipa-epn.service.in b/client/systemd/ipa-epn.service.in
similarity index 100%
rename from init/systemd/ipa-epn.service.in
rename to client/systemd/ipa-epn.service.in
diff --git a/init/systemd/ipa-epn.timer.in b/client/systemd/ipa-epn.timer.in
similarity index 100%
rename from init/systemd/ipa-epn.timer.in
rename to client/systemd/ipa-epn.timer.in
diff --git a/configure.ac b/configure.ac
index 5ec529088..586b2532a 100644
--- a/configure.ac
+++ b/configure.ac
@@ -220,6 +220,25 @@ AC_ARG_WITH([runstatedir],
[runstatedir="/run"])
AC_SUBST([runstatedir])
+dnl ---------------------------------------------------------------------------
+dnl - Check for systemd directories
+dnl ---------------------------------------------------------------------------
+
+PKG_CHECK_EXISTS([systemd], [], [AC_MSG_ERROR([systemd not found])])
+AC_ARG_WITH([systemdsystemunitdir],
+ AS_HELP_STRING([--with-systemdsystemunitdir=DIR],
+ [Directory for systemd service files]),
+ [systemdsystemunitdir=$with_systemdsystemunitdir],
+ [systemdsystemunitdir=$($PKG_CONFIG --define-variable=prefix='${prefix}' --variable=systemdsystemunitdir systemd)])
+AC_SUBST([systemdsystemunitdir])
+
+AC_ARG_WITH([systemdtmpfilesdir],
+ AS_HELP_STRING([--with-systemdtmpfilesdir=DIR],
+ [Directory for systemd-tmpfiles configuration files]),
+ [systemdtmpfilesdir=$with_systemdtmpfilesdir],
+ [systemdtmpfilesdir=$($PKG_CONFIG --define-variable=prefix='${prefix}' --variable=tmpfilesdir systemd)])
+AC_SUBST([systemdtmpfilesdir])
+
dnl ---------------------------------------------------------------------------
dnl - Server-only configuration
dnl ---------------------------------------------------------------------------
@@ -544,6 +563,7 @@ AC_CONFIG_FILES([
client/share/Makefile
client/man/Makefile
client/sysconfig/Makefile
+ client/systemd/Makefile
contrib/completion/Makefile
contrib/Makefile
daemons/dnssec/Makefile
@@ -637,13 +657,13 @@ echo "
jslint: ${JSLINT}
LDAP libs: ${LDAP_LIBS}
OpenSSL crypto libs: ${CRYPTO_LIBS}
- KRB5 libs: ${KRB5_LIBS}"
+ KRB5 libs: ${KRB5_LIBS}
+ systemdsystemunitdir: ${systemdsystemunitdir}"
AM_COND_IF([ENABLE_SERVER], [
echo "\
KRAD libs: ${KRAD_LIBS}
krb5rundir: ${krb5rundir}
- systemdsystemunitdir: ${systemdsystemunitdir}
systemdtmpfilesdir: ${systemdtmpfilesdir}
build mode: server & client"
], [
diff --git a/freeipa.spec.in b/freeipa.spec.in
index cec57e64e..1d8f4e6aa 100755
--- a/freeipa.spec.in
+++ b/freeipa.spec.in
@@ -586,6 +586,10 @@ on the machine enrolled into a FreeIPA environment
%package client-epn
Summary: Tools to configure Expiring Password Notification in IPA
Group: System Environment/Base
+Requires: systemd-units
+Requires(post): systemd-units
+Requires(preun): systemd-units
+Requires(postun): systemd-units
Requires: %{name}-client = %{version}-%{release}
%description client-epn
@@ -1003,6 +1007,17 @@ fi
# ONLY_CLIENT
%endif
+%preun client-epn
+%systemd_preun ipa-epn.service
+%systemd_preun ipa-epn.timer
+
+%postun client-epn
+%systemd_postun ipa-epn.service
+%systemd_postun ipa-epn.timer
+
+%post client-epn
+%systemd_post ipa-epn.service
+%systemd_post ipa-epn.timer
%post client
if [ $1 -gt 1 ] ; then
diff --git a/init/systemd/Makefile.am b/init/systemd/Makefile.am
index 5053dbff6..175178787 100644
--- a/init/systemd/Makefile.am
+++ b/init/systemd/Makefile.am
@@ -2,17 +2,17 @@
#
AUTOMAKE_OPTIONS = 1.7
+NULL =
+
dist_noinst_DATA = \
ipa-custodia.service.in \
ipa.service.in \
- ipa-epn.service.in \
- ipa-epn.timer.in
+ $(NULL)
systemdsystemunit_DATA = \
ipa-custodia.service \
ipa.service \
- ipa-epn.service \
- ipa-epn.timer
+ $(NULL)
CLEANFILES = $(systemdsystemunit_DATA)
diff --git a/install/share/Makefile.am b/install/share/Makefile.am
index 496e81288..e95796dfb 100644
--- a/install/share/Makefile.am
+++ b/install/share/Makefile.am
@@ -106,8 +106,3 @@ dist_app_DATA = \
kdcproxyconfdir = $(IPA_SYSCONF_DIR)/kdcproxy
dist_kdcproxyconf_DATA = \
kdcproxy.conf
-
-epnconfdir = $(IPA_SYSCONF_DIR)/epn
-dist_epnconf_DATA = \
- expire_msg.template \
- $(NULL)
diff --git a/server.m4 b/server.m4
index d35823e80..842d599d2 100644
--- a/server.m4
+++ b/server.m4
@@ -153,22 +153,3 @@ dnl Check for libverto
dnl ---------------------------------------------------------------------------
PKG_CHECK_MODULES([LIBVERTO], [libverto])
-
-dnl ---------------------------------------------------------------------------
-dnl - Check for systemd directories
-dnl ---------------------------------------------------------------------------
-
-PKG_CHECK_EXISTS([systemd], [], [AC_MSG_ERROR([systemd not found])])
-AC_ARG_WITH([systemdsystemunitdir],
- AS_HELP_STRING([--with-systemdsystemunitdir=DIR],
- [Directory for systemd service files]),
- [systemdsystemunitdir=$with_systemdsystemunitdir],
- [systemdsystemunitdir=$($PKG_CONFIG --define-variable=prefix='${prefix}' --variable=systemdsystemunitdir systemd)])
-AC_SUBST([systemdsystemunitdir])
-
-AC_ARG_WITH([systemdtmpfilesdir],
- AS_HELP_STRING([--with-systemdtmpfilesdir=DIR],
- [Directory for systemd-tmpfiles configuration files]),
- [systemdtmpfilesdir=$with_systemdtmpfilesdir],
- [systemdtmpfilesdir=$($PKG_CONFIG --define-variable=prefix='${prefix}' --variable=tmpfilesdir systemd)])
-AC_SUBST([systemdtmpfilesdir])
--
2.26.2
From 23e2935e5c5cb402dd4f6f44eaa4b013e6a8188a Mon Sep 17 00:00:00 2001
From: =?UTF-8?q?Fran=C3=A7ois=20Cami?= <fcami@redhat.com>
Date: Mon, 22 Jun 2020 16:39:02 +0200
Subject: [PATCH] EPN: ship the configuration file.
MIME-Version: 1.0
Content-Type: text/plain; charset=UTF-8
Content-Transfer-Encoding: 8bit
Ship and install /etc/ipa/epn.conf.
Minor fixes to the associated man page.
Fixes: https://pagure.io/freeipa/issue/8374
Signed-off-by: François Cami <fcami@redhat.com>
Reviewed-By: Alexander Bokovoy <abbra@users.noreply.github.com>
Reviewed-By: Rob Crittenden <rcritten@redhat.com>
Reviewed-By: Alexander Bokovoy <abokovoy@redhat.com>
Reviewed-By: Rob Crittenden <rcritten@redhat.com>
---
client/man/epn.conf.5 | 5 ++--
client/share/Makefile.am | 7 +++++-
client/share/epn.conf | 54 ++++++++++++++++++++++++++++++++++++++++
freeipa.spec.in | 4 ++-
4 files changed, 65 insertions(+), 5 deletions(-)
create mode 100644 client/share/epn.conf
diff --git a/client/man/epn.conf.5 b/client/man/epn.conf.5
index 38e99e25d..14f5dbb75 100644
--- a/client/man/epn.conf.5
+++ b/client/man/epn.conf.5
@@ -71,11 +71,10 @@ Specifies the From e-mail address value in the e-mails sent. The default is
root@localhost. Bounces will be sent here.
.TP
.B smtp_delay <milliseconds>
-Time to wait, in milliseconds, between each e-mail sent to try to avoid overloading the mail queue.
+Time to wait, in milliseconds, between each e-mail sent to try to avoid overloading the mail queue. The default is 0.
.TP
.B mail_from <address>
-Specifies the From: e-mal address value in the e-mails sent. The default is
-noreply@ipadefaultemaildomain. This value can be found by running
+Specifies the From: e-mail address value in the e-mails sent. The default is noreply@ipadefaultemaildomain. This value can be found by running
.I ipa config-show
.TP
.B notify_ttls <list of days>
diff --git a/client/share/Makefile.am b/client/share/Makefile.am
index 1402a3a9d..472242e62 100644
--- a/client/share/Makefile.am
+++ b/client/share/Makefile.am
@@ -5,7 +5,12 @@ dist_app_DATA = \
freeipa.template \
$(NULL)
-epnconfdir = $(IPA_SYSCONF_DIR)/epn
+epnconfdir = $(IPA_SYSCONF_DIR)
dist_epnconf_DATA = \
+ epn.conf \
+ $(NULL)
+
+epntemplatedir = $(IPA_SYSCONF_DIR)/epn
+dist_epntemplate_DATA = \
expire_msg.template \
$(NULL)
diff --git a/client/share/epn.conf b/client/share/epn.conf
new file mode 100644
index 000000000..0e590dfc3
--- /dev/null
+++ b/client/share/epn.conf
@@ -0,0 +1,54 @@
+# Global IPA-EPN [0] configuration file.
+# For a complete explanation of each parameter, see the epn.conf(5)
+# manual page.
+# For best results, change no more than a single parameter at a time,
+# and test if ipa-epn(1) still works as intended, using --dry-run when
+# it makes sense.
+#
+# [0] https://github.com/freeipa/freeipa/blob/master/doc/designs/expiring-password-notification.md
+
+[global]
+
+# Specifies the SMTP server to use.
+smtp_server = localhost
+
+# Specifies the SMTP port.
+smtp_port = 25
+
+# Specifies the id of the user to authenticate with the SMTP server.
+# Default None (empty value).
+# smtp_user =
+
+# Specifies the password for the authorized user.
+# Default None (empty value).
+# smtp_password =
+
+# pecifies the number of seconds to wait for SMTP to respond.
+smtp_timeout = 60
+
+# Specifies the type of secure connection to make. Options are: none,
+# starttls and ssl.
+smtp_security = none
+
+# Specifies the From e-mail address value in the e-mails sent. Bounces will
+# be sent here.
+smtp_admin = root@localhost
+
+# Time to wait, in milliseconds, between each e-mail sent to try to avoid
+# overloading the mail queue.
+smtp_delay = 0
+
+# Specifies the From: e-mail address value in the e-mails sent.
+# The default when unset is noreply@ipadefaultemaildomain.
+# This value can be found by running ipa config-show.
+# mail_from =
+
+# The list of days before a password expiration when ipa-epn should notify
+# a user that their password will soon require a reset.
+notify_ttls = 28, 14, 7, 3, 1
+
+# Set the character set of the message.
+msg_charset = utf8
+
+# Set the message's MIME sub-content type.
+msg_subtype = plain
diff --git a/freeipa.spec.in b/freeipa.spec.in
index 5bce6f118..8cca99697 100755
--- a/freeipa.spec.in
+++ b/freeipa.spec.in
@@ -1387,13 +1387,15 @@ fi
%files client-epn
%doc README.md Contributors.txt
+%dir %{_sysconfdir}/ipa/epn
%license COPYING
%{_sbindir}/ipa-epn
%{_mandir}/man1/ipa-epn.1*
%{_mandir}/man5/epn.conf.5*
%attr(644,root,root) %{_unitdir}/ipa-epn.service
%attr(644,root,root) %{_unitdir}/ipa-epn.timer
-%attr(644,root,root) %{_sysconfdir}/ipa/epn/expire_msg.template
+%attr(600,root,root) %config(noreplace) %{_sysconfdir}/ipa/epn.conf
+%attr(644,root,root) %config(noreplace) %{_sysconfdir}/ipa/epn/expire_msg.template
%files -n python3-ipaclient
%doc README.md Contributors.txt
--
2.26.2
From 3b43950d35f78b28d4edde4fda475b5aa84f4587 Mon Sep 17 00:00:00 2001
From: =?UTF-8?q?Fran=C3=A7ois=20Cami?= <fcami@redhat.com>
Date: Tue, 23 Jun 2020 09:39:02 +0200
Subject: [PATCH] man pages: fix epn.conf.5 and ipa-epn.1 formatting
MIME-Version: 1.0
Content-Type: text/plain; charset=UTF-8
Content-Transfer-Encoding: 8bit
Fix formatting issues found with mandoc.
Signed-off-by: François Cami <fcami@redhat.com>
Reviewed-By: Alexander Bokovoy <abbra@users.noreply.github.com>
Reviewed-By: Rob Crittenden <rcritten@redhat.com>
Reviewed-By: Alexander Bokovoy <abokovoy@redhat.com>
Reviewed-By: Rob Crittenden <rcritten@redhat.com>
---
client/man/epn.conf.5 | 2 +-
client/man/ipa-epn.1 | 8 ++++----
2 files changed, 5 insertions(+), 5 deletions(-)
diff --git a/client/man/epn.conf.5 b/client/man/epn.conf.5
index 14f5dbb75..df1f0156c 100644
--- a/client/man/epn.conf.5
+++ b/client/man/epn.conf.5
@@ -16,7 +16,7 @@
.\"
.\" Author: Rob Crittenden <rcritten@@redhat.com>
.\"
-.TH "epn.conf" "5" "Apr 28 2020" "FreeIPA" "FreeIPA Manual Pages"
+.TH "EPN.CONF" "5" "April 28, 2020" "FreeIPA" "FreeIPA Manual Pages"
.SH "NAME"
epn.conf \- Expiring Password Notification configuration file
.SH "SYNOPSIS"
diff --git a/client/man/ipa-epn.1 b/client/man/ipa-epn.1
index 9999ea8ca..124fd4536 100644
--- a/client/man/ipa-epn.1
+++ b/client/man/ipa-epn.1
@@ -15,14 +15,14 @@
.\" along with this program. If not, see <http://www.gnu.org/licenses/>.
.\"
.\"
-.TH "ipa-epn" "1" "Apr 24 2020" "FreeIPA" "FreeIPA Manual Pages"
+.TH "IPA-EPN" "1" "April 24, 2020" "FreeIPA" "FreeIPA Manual Pages"
.SH "NAME"
ipa\-epn \- Send expiring password nofications
.SH "SYNOPSIS"
-ipa\-epn \[options\]
+ipa\-epn \fR[options\fR]
.SH "DESCRIPTION"
-ipa\-epn provides a method to warn users via email that their IPA account password is about to expire.
+ipa\-epn provides a method to warn users via email that their IPA account password is about to expire.
It can be used in dry\-run mode which is recommmended during setup. The output is always JSON in this case.
@@ -38,7 +38,7 @@ The \-\-to\-nbdays CLI option can be used to determine the number of notificatio
If \fB\-\-from\-nbdays\fR is not specified, ipa\-epn will look within a 24\-hour long time range in <number of days> days.
-if \fB\-\-from\-nbdays\fR is specified, the date range starts at \fB\-\-from\-nbdays\fR days in the future and ends at \fB\-\-to\-nbdays\fR in the future.
+if \fB\-\-from\-nbdays\fR is specified, the date range starts at \fB\-\-from\-nbdays\fR days in the future and ends at \fB\-\-to\-nbdays\fR in the future.
Together, these two CLI options can be used to determine how many emails would be sent in a specific time in the future.
--
2.26.2
From 2648c218467792e907435eaa5267a0f3457f634f Mon Sep 17 00:00:00 2001
From: =?UTF-8?q?Fran=C3=A7ois=20Cami?= <fcami@redhat.com>
Date: Tue, 23 Jun 2020 13:50:02 +0200
Subject: [PATCH] ipatests: check that EPN's configuration file is installed.
MIME-Version: 1.0
Content-Type: text/plain; charset=UTF-8
Content-Transfer-Encoding: 8bit
Fixes: https://pagure.io/freeipa/issue/8374
Signed-off-by: François Cami <fcami@redhat.com>
Reviewed-By: Alexander Bokovoy <abbra@users.noreply.github.com>
Reviewed-By: Rob Crittenden <rcritten@redhat.com>
Reviewed-By: Alexander Bokovoy <abokovoy@redhat.com>
Reviewed-By: Rob Crittenden <rcritten@redhat.com>
---
ipatests/test_integration/test_epn.py | 14 ++++++++++++++
1 file changed, 14 insertions(+)
diff --git a/ipatests/test_integration/test_epn.py b/ipatests/test_integration/test_epn.py
index 7f56d4bc0..409d588d5 100644
--- a/ipatests/test_integration/test_epn.py
+++ b/ipatests/test_integration/test_epn.py
@@ -209,6 +209,20 @@ class TestEPN(IntegrationTest):
cls.master.run_command(r'rm -f /etc/pki/tls/private/postfix.key')
cls.master.run_command(r'rm -f /etc/pki/tls/certs/postfix.pem')
+ @pytest.mark.xfail(reason='pr-ci issue 378', strict=True)
+ def test_EPN_config_file(self):
+ """Check that the EPN configuration file is installed.
+ https://pagure.io/freeipa/issue/8374
+ """
+ epn_conf = "/etc/ipa/epn.conf"
+ epn_template = "/etc/ipa/epn/expire_msg.template"
+ cmd1 = self.master.run_command(["rpm", "-qc", "freeipa-client-epn"])
+ assert epn_conf in cmd1.stdout_text
+ assert epn_template in cmd1.stdout_text
+ cmd2 = self.master.run_command(["sha256sum", epn_conf])
+ ck = "4c207b5c9c760c36db0d3b2b93da50ea49edcc4002d6d1e7383601f0ec30b957"
+ assert cmd2.stdout_text.find(ck) == 0
+
def test_EPN_smoketest_1(self):
"""No users except admin. Check --dry-run output.
With the default configuration, the result should be an empty list.
--
2.26.2
From 06accac8906f66ebbb31849d6528b39ae006b124 Mon Sep 17 00:00:00 2001
From: =?UTF-8?q?Fran=C3=A7ois=20Cami?= <fcami@redhat.com>
Date: Wed, 24 Jun 2020 23:24:36 +0200
Subject: [PATCH] ipatests: ipa_epn: uninstall/reinstall ipa-client-epn
MIME-Version: 1.0
Content-Type: text/plain; charset=UTF-8
Content-Transfer-Encoding: 8bit
Due to https://github.com/freeipa/freeipa-pr-ci/issues/378
the installed version of freeipa-client-epn is not the built
one. Temporarily force uninstall/reinstall of this package
before running the test.
Fixes: https://pagure.io/freeipa/issue/8374
Signed-off-by: François Cami <fcami@redhat.com>
Reviewed-By: Alexander Bokovoy <abbra@users.noreply.github.com>
Reviewed-By: Rob Crittenden <rcritten@redhat.com>
Reviewed-By: Alexander Bokovoy <abokovoy@redhat.com>
Reviewed-By: Rob Crittenden <rcritten@redhat.com>
---
ipatests/test_integration/test_epn.py | 20 +++++++++++++++++++-
1 file changed, 19 insertions(+), 1 deletion(-)
diff --git a/ipatests/test_integration/test_epn.py b/ipatests/test_integration/test_epn.py
index 409d588d5..9a9fb17b9 100644
--- a/ipatests/test_integration/test_epn.py
+++ b/ipatests/test_integration/test_epn.py
@@ -209,11 +209,29 @@ class TestEPN(IntegrationTest):
cls.master.run_command(r'rm -f /etc/pki/tls/private/postfix.key')
cls.master.run_command(r'rm -f /etc/pki/tls/certs/postfix.pem')
- @pytest.mark.xfail(reason='pr-ci issue 378', strict=True)
+ @pytest.mark.skip_if_platform(
+ "debian", reason="Cannot check installed packages using RPM"
+ )
def test_EPN_config_file(self):
"""Check that the EPN configuration file is installed.
https://pagure.io/freeipa/issue/8374
"""
+ # workaround for https://github.com/freeipa/freeipa-pr-ci/issues/378
+ rpm_q_cmds = [
+ ["rpm", "-qi", "freeipa-client"],
+ ["rpm", "-qi", "freeipa-client-epn"],
+ ["rpm", "-qc", "freeipa-client-epn"],
+ ["rpm", "-V", "freeipa-client-epn"],
+ ["rpm", "-qvc", "freeipa-client-epn"],
+ ["ls", "-l", "/etc/ipa", "/etc/ipa/epn"],
+ ]
+ for cmd in rpm_q_cmds:
+ self.master.run_command(cmd, raiseonerr=False)
+ tasks.uninstall_packages(self.master, ["*ipa-client-epn"])
+ tasks.install_packages(self.master, ["*ipa-client-epn"])
+ for cmd in rpm_q_cmds:
+ self.master.run_command(cmd, raiseonerr=False)
+ # end workaround
epn_conf = "/etc/ipa/epn.conf"
epn_template = "/etc/ipa/epn/expire_msg.template"
cmd1 = self.master.run_command(["rpm", "-qc", "freeipa-client-epn"])
--
2.26.2
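Review bot: The new `client/share/epn.conf` ships `smtp_security = none` next to the commented `smtp_user`/`smtp_password` settings, and no comment says that credentials configured under that default would presumably reach the SMTP server without transport encryption. A comment above `smtp_security` such as `# Use starttls or ssl whenever smtp_user and smtp_password are set.` would make that explicit. The `%attr(600,root,root)` on `%{_sysconfdir}/ipa/epn.conf` in freeipa.spec.in fits a file that can hold `smtp_password` and should stay. The comment `# pecifies the number of seconds to wait for SMTP to respond.` has lost its first letter; correcting it changes the file's digest, so the sha256 pinned in `test_EPN_config_file` has to be updated in the same change.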


@ -0,0 +1,147 @@
From be48983558a560dadad410a70a4a1684565ed481 Mon Sep 17 00:00:00 2001
From: Alexander Scheel <ascheel@redhat.com>
Date: Mon, 15 Jun 2020 18:38:35 -0400
Subject: [PATCH] Clarify AJP connector creation process
We do two things:
1. Fix the xpath for AJP connector verification. An AJP connector is
one which has protocol="AJP/1.3", NOT one that has port="8009". An
AJP connector can exist on any port and port 8009 can have any
protocol. Secrets only make sense on AJP connectors, so make the
xpath match the existing comment.
2. Add some background in-line documentation about AJP secret
provisioning. This should help future developers understand why this
was added to IPA and what limitations there are in what PKI or IPA
can do. Most notably, explain why Dogtag can't upgrade the AJP
connector to have a secret in the general case.
Signed-off-by: Alexander Scheel <ascheel@redhat.com>
Reviewed-By: Alexander Bokovoy <abokovoy@redhat.com>
---
ipaserver/install/dogtaginstance.py | 20 +++++++++++++++++---
1 file changed, 17 insertions(+), 3 deletions(-)
diff --git a/ipaserver/install/dogtaginstance.py b/ipaserver/install/dogtaginstance.py
index 42c9db3fb..aa3baeb7c 100644
--- a/ipaserver/install/dogtaginstance.py
+++ b/ipaserver/install/dogtaginstance.py
@@ -308,11 +308,12 @@ class DogtagInstance(service.Service):
doc = server_xml.getroot()
# no AJP connector means no need to update anything
- connectors = doc.xpath('//Connector[@port="8009"]')
+ connectors = doc.xpath('//Connector[@protocol="AJP/1.3"]')
if len(connectors) == 0:
return
- # AJP connector is set on port 8009. Use non-greedy search to find it
+ # AJP protocol is at version 1.3. Assume there is only one as
+ # Dogtag only provisions one.
connector = connectors[0]
# Detect tomcat version and choose the right option name
@@ -331,11 +332,24 @@ class DogtagInstance(service.Service):
rewrite = False
else:
if oldattr in connector.attrib:
+ # Sufficiently new Dogtag versions (10.9.0-a2) handle the
+ # upgrade for us; we need only to ensure that we're not both
+ # attempting to upgrade server.xml at the same time.
+ # Hopefully this is guaranteed for us.
self.ajp_secret = connector.attrib[oldattr]
connector.attrib[secretattr] = self.ajp_secret
del connector.attrib[oldattr]
else:
- # Generate password, don't use special chars to not break XML
+ # Generate password, don't use special chars to not break XML.
+ #
+ # If we hit this case, pkispawn was run on an older Dogtag
+ # version and we're stuck migrating, choosing a password
+ # ourselves. Dogtag can't generate one randomly because a
+ # Dogtag administrator might've configured AJP and might
+ # not be using IPA.
+ #
+ # Newer Dogtag versions will generate a random password
+ # during pkispawn.
self.ajp_secret = ipautil.ipa_generate_password(special=None)
connector.attrib[secretattr] = self.ajp_secret
--
2.26.2
From 1e804bf19da4ee274e735fd49452d4df5d73a002 Mon Sep 17 00:00:00 2001
From: Alexander Scheel <ascheel@redhat.com>
Date: Wed, 17 Jun 2020 16:00:25 -0400
Subject: [PATCH] Configure PKI AJP Secret with 256-bit secret
By default, PKI's AJP secret is generated as a 75-bit password. By
generating it in IPA, we can guarantee the strength of the AJP secret.
It makes sense to use a stronger AJP secret because it typically
isn't rotated; access to AJP allows an attacker to impersonate an admin
while talking to PKI.
Fixes: https://pagure.io/freeipa/issue/8372
Fixes: https://bugzilla.redhat.com/show_bug.cgi?id=1849146
Related: https://bugzilla.redhat.com/show_bug.cgi?id=1845447
Related: https://github.com/dogtagpki/pki/pull/437
Signed-off-by: Alexander Scheel <ascheel@redhat.com>
Reviewed-By: Alexander Bokovoy <abokovoy@redhat.com>
---
install/share/ipaca_customize.ini | 1 +
install/share/ipaca_default.ini | 2 ++
ipaserver/install/dogtaginstance.py | 4 +++-
3 files changed, 6 insertions(+), 1 deletion(-)
diff --git a/install/share/ipaca_customize.ini b/install/share/ipaca_customize.ini
index 6d58579af..948734241 100644
--- a/install/share/ipaca_customize.ini
+++ b/install/share/ipaca_customize.ini
@@ -12,6 +12,7 @@
#
# Predefined variables
# - ipa_ca_subject
+# - ipa_ajp_secret
# - ipa_fqdn
# - ipa_subject_base
# - pki_admin_password
diff --git a/install/share/ipaca_default.ini b/install/share/ipaca_default.ini
index 2b9900286..a51256116 100644
--- a/install/share/ipaca_default.ini
+++ b/install/share/ipaca_default.ini
@@ -12,6 +12,7 @@ ipa_ca_pem_file=/etc/ipa/ca.crt
## dynamic values
# ipa_ca_subject=
+# ipa_ajp_secret=
# ipa_subject_base=
# ipa_fqdn=
# ipa_ocsp_uri=
@@ -66,6 +67,7 @@ pki_issuing_ca=%(pki_issuing_ca_uri)s
pki_replication_password=
pki_enable_proxy=True
+pki_ajp_secret=%(ipa_ajp_secret)s
pki_restart_configured_instance=False
pki_security_domain_hostname=%(ipa_fqdn)s
pki_security_domain_https_port=443
diff --git a/ipaserver/install/dogtaginstance.py b/ipaserver/install/dogtaginstance.py
index aa3baeb7c..361d80a8c 100644
--- a/ipaserver/install/dogtaginstance.py
+++ b/ipaserver/install/dogtaginstance.py
@@ -840,7 +840,9 @@ class PKIIniLoader:
pki_subsystem_type=subsystem.lower(),
home_dir=os.path.expanduser("~"),
# for softhsm2 testing
- softhsm2_so=paths.LIBSOFTHSM2_SO
+ softhsm2_so=paths.LIBSOFTHSM2_SO,
+ # Configure a more secure AJP password by default
+ ipa_ajp_secret=ipautil.ipa_generate_password(special=None)
)
@classmethod
--
2.26.2
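Review bot: The rewrite in the `@@ -308,11 +308,12 @@` hunk still touches only `connectors[0]`, so a server.xml holding more than one `protocol="AJP/1.3"` Connector would leave the others with the old attribute or with no secret; the new comment states the single-connector assumption but nothing enforces it. Because the xpath no longer pins port 8009, it can now match connectors it previously ignored, which makes that case more reachable than before. I would apply the same secret to every match, `for connector in connectors:`, or at least fail loudly when `len(connectors) > 1`. The enclosing method starts and ends outside the hunk, so the exact loop body has to be checked against the rewrite logic that follows.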


@ -0,0 +1,167 @@
From a090b429fda35c5a9c3cfb672ab42a5985d00ff9 Mon Sep 17 00:00:00 2001
From: Petr Vobornik <pvoborni@redhat.com>
Date: Mon, 8 Jun 2020 19:27:30 +0200
Subject: [PATCH] baseuser: fix ipanthomedirectorydrive option name
It should be ipanthomedirectorydrive and not ipanthomedirectoryrive.
This fixes showing the field in Web UI and also should fix CLI as it
probably never worked.
Signed-off-by: Petr Vobornik <pvoborni@redhat.com>
Reviewed-By: Alexander Bokovoy <abokovoy@redhat.com>
---
API.txt | 8 ++++----
ipaserver/plugins/baseuser.py | 2 +-
2 files changed, 5 insertions(+), 5 deletions(-)
diff --git a/API.txt b/API.txt
index 5354a33a0..300b3d9b1 100644
--- a/API.txt
+++ b/API.txt
@@ -5085,7 +5085,7 @@ option: Str('in_role*', cli_name='in_roles')
option: Str('in_sudorule*', cli_name='in_sudorules')
option: Str('initials?', autofill=False)
option: Str('ipanthomedirectory?', autofill=False, cli_name='smb_home_dir')
-option: StrEnum('ipanthomedirectoryrive?', autofill=False, cli_name='smb_home_drive', values=[u'A:', u'B:', u'C:', u'D:', u'E:', u'F:', u'G:', u'H:', u'I:', u'J:', u'K:', u'L:', u'M:', u'N:', u'O:', u'P:', u'Q:', u'R:', u'S:', u'T:', u'U:', u'V:', u'W:', u'X:', u'Y:', u'Z:'])
+option: StrEnum('ipanthomedirectorydrive?', autofill=False, cli_name='smb_home_drive', values=[u'A:', u'B:', u'C:', u'D:', u'E:', u'F:', u'G:', u'H:', u'I:', u'J:', u'K:', u'L:', u'M:', u'N:', u'O:', u'P:', u'Q:', u'R:', u'S:', u'T:', u'U:', u'V:', u'W:', u'X:', u'Y:', u'Z:'])
option: Str('ipantlogonscript?', autofill=False, cli_name='smb_logon_script')
option: Str('ipantprofilepath?', autofill=False, cli_name='smb_profile_path')
option: Str('ipatokenradiusconfiglink?', autofill=False, cli_name='radius')
@@ -5147,7 +5147,7 @@ option: Str('givenname?', autofill=False, cli_name='first')
option: Str('homedirectory?', autofill=False, cli_name='homedir')
option: Str('initials?', autofill=False)
option: Str('ipanthomedirectory?', autofill=False, cli_name='smb_home_dir')
-option: StrEnum('ipanthomedirectoryrive?', autofill=False, cli_name='smb_home_drive', values=[u'A:', u'B:', u'C:', u'D:', u'E:', u'F:', u'G:', u'H:', u'I:', u'J:', u'K:', u'L:', u'M:', u'N:', u'O:', u'P:', u'Q:', u'R:', u'S:', u'T:', u'U:', u'V:', u'W:', u'X:', u'Y:', u'Z:'])
+option: StrEnum('ipanthomedirectorydrive?', autofill=False, cli_name='smb_home_drive', values=[u'A:', u'B:', u'C:', u'D:', u'E:', u'F:', u'G:', u'H:', u'I:', u'J:', u'K:', u'L:', u'M:', u'N:', u'O:', u'P:', u'Q:', u'R:', u'S:', u'T:', u'U:', u'V:', u'W:', u'X:', u'Y:', u'Z:'])
option: Str('ipantlogonscript?', autofill=False, cli_name='smb_logon_script')
option: Str('ipantprofilepath?', autofill=False, cli_name='smb_profile_path')
option: Str('ipasshpubkey*', autofill=False, cli_name='sshpubkey')
@@ -6185,7 +6185,7 @@ option: Str('in_role*', cli_name='in_roles')
option: Str('in_sudorule*', cli_name='in_sudorules')
option: Str('initials?', autofill=False)
option: Str('ipanthomedirectory?', autofill=False, cli_name='smb_home_dir')
-option: StrEnum('ipanthomedirectoryrive?', autofill=False, cli_name='smb_home_drive', values=[u'A:', u'B:', u'C:', u'D:', u'E:', u'F:', u'G:', u'H:', u'I:', u'J:', u'K:', u'L:', u'M:', u'N:', u'O:', u'P:', u'Q:', u'R:', u'S:', u'T:', u'U:', u'V:', u'W:', u'X:', u'Y:', u'Z:'])
+option: StrEnum('ipanthomedirectorydrive?', autofill=False, cli_name='smb_home_drive', values=[u'A:', u'B:', u'C:', u'D:', u'E:', u'F:', u'G:', u'H:', u'I:', u'J:', u'K:', u'L:', u'M:', u'N:', u'O:', u'P:', u'Q:', u'R:', u'S:', u'T:', u'U:', u'V:', u'W:', u'X:', u'Y:', u'Z:'])
option: Str('ipantlogonscript?', autofill=False, cli_name='smb_logon_script')
option: Str('ipantprofilepath?', autofill=False, cli_name='smb_profile_path')
option: Str('ipatokenradiusconfiglink?', autofill=False, cli_name='radius')
@@ -6250,7 +6250,7 @@ option: Str('givenname?', autofill=False, cli_name='first')
option: Str('homedirectory?', autofill=False, cli_name='homedir')
option: Str('initials?', autofill=False)
option: Str('ipanthomedirectory?', autofill=False, cli_name='smb_home_dir')
-option: StrEnum('ipanthomedirectoryrive?', autofill=False, cli_name='smb_home_drive', values=[u'A:', u'B:', u'C:', u'D:', u'E:', u'F:', u'G:', u'H:', u'I:', u'J:', u'K:', u'L:', u'M:', u'N:', u'O:', u'P:', u'Q:', u'R:', u'S:', u'T:', u'U:', u'V:', u'W:', u'X:', u'Y:', u'Z:'])
+option: StrEnum('ipanthomedirectorydrive?', autofill=False, cli_name='smb_home_drive', values=[u'A:', u'B:', u'C:', u'D:', u'E:', u'F:', u'G:', u'H:', u'I:', u'J:', u'K:', u'L:', u'M:', u'N:', u'O:', u'P:', u'Q:', u'R:', u'S:', u'T:', u'U:', u'V:', u'W:', u'X:', u'Y:', u'Z:'])
option: Str('ipantlogonscript?', autofill=False, cli_name='smb_logon_script')
option: Str('ipantprofilepath?', autofill=False, cli_name='smb_profile_path')
option: Str('ipasshpubkey*', autofill=False, cli_name='sshpubkey')
diff --git a/ipaserver/plugins/baseuser.py b/ipaserver/plugins/baseuser.py
index a0ed65874..e1b7763f0 100644
--- a/ipaserver/plugins/baseuser.py
+++ b/ipaserver/plugins/baseuser.py
@@ -420,7 +420,7 @@ class baseuser(LDAPObject):
label=_('SMB Home Directory'),
flags=['no_create'],
),
- StrEnum('ipanthomedirectoryrive?',
+ StrEnum('ipanthomedirectorydrive?',
cli_name='smb_home_drive',
label=_('SMB Home Directory Drive'),
flags=['no_create'],
--
2.26.2
From 691b3cddb275821630f443f22706fa75e7c7a5c8 Mon Sep 17 00:00:00 2001
From: Petr Vobornik <pvoborni@redhat.com>
Date: Mon, 8 Jun 2020 19:11:33 +0200
Subject: [PATCH] webui: hide user attributes for SMB services section if empty
This section should be hidded if user object hasn't ipantuserattrs
object class. I.e. when trusts are not enabled.
Web UI framework already supports hidding of sections if the
section contains no visible field. So to achieve it we simply needs
to hide the fields. Given that attributelevelrights
contains rights only for attributes of current object classes, all
of these are regarded as not writable.
We can leverage feature of input_widget that it gets hidden
when the attribute is not writable and has no value and widget's
"hidden_if_empty" is set to true. Thus doing it here.
For this to work, it is also required to fix an issue with
"ipanthomedirectorydrive" which is optional (in API) but Web UI
doesn't offer "empty" ("") value. Adding it here.
fixes: https://pagure.io/freeipa/issue/8336
Signed-off-by: Petr Vobornik <pvoborni@redhat.com>
Reviewed-By: Serhii Tsymbaliuk <stsymbal@redhat.com>
Reviewed-By: Alexander Bokovoy <abokovoy@redhat.com>
---
install/ui/src/freeipa/user.js | 20 +++++++++++---------
1 file changed, 11 insertions(+), 9 deletions(-)
diff --git a/install/ui/src/freeipa/user.js b/install/ui/src/freeipa/user.js
index fb626f2a1..8f1f5cd85 100644
--- a/install/ui/src/freeipa/user.js
+++ b/install/ui/src/freeipa/user.js
@@ -367,36 +367,39 @@ return {
{
name: 'smb_attributes',
label: '@i18n:objects.smb_attributes.title',
- show_cond: ['oc_ipantuserattrs'],
fields: [{
name: 'ipantlogonscript',
tooltip: {
title: '@i18n:objects.smb_attributes.ipantlogonscript_tooltip'
- }
+ },
+ hidden_if_empty: true
},
{
name: 'ipantprofilepath',
tooltip: {
title: '@i18n:objects.smb_attributes.ipantprofilepath_tooltip'
- }
+ },
+ hidden_if_empty: true
},
{
name: 'ipanthomedirectory',
tooltip: {
title: '@i18n:objects.smb_attributes.ipanthomedirectory_tooltip'
- }
+ },
+ hidden_if_empty: true
},
{
name: 'ipanthomedirectorydrive',
$type: 'select',
options: IPA.create_options([
- 'A:', 'B:', 'C:', 'D:', 'E:', 'F:', 'G:', 'H:', 'I:',
- 'J:', 'K:', 'L:', 'M:', 'N:', 'O:', 'P:', 'Q:', 'R:',
- 'S:', 'T:', 'U:', 'V:', 'W:', 'X:', 'Y:', 'Z:'
+ '', 'A:', 'B:', 'C:', 'D:', 'E:', 'F:', 'G:', 'H:',
+ 'I:', 'J:', 'K:', 'L:', 'M:', 'N:', 'O:', 'P:', 'Q:',
+ 'R:', 'S:', 'T:', 'U:', 'V:', 'W:', 'X:', 'Y:', 'Z:'
]),
tooltip: {
title: '@i18n:objects.smb_attributes.ipanthomedirectorydrive_tooltip'
- }
+ },
+ hidden_if_empty: true
}
]
}
@@ -482,7 +485,6 @@ return {
IPA.user.self_service_other_user_evaluator,
IPA.user.preserved_user_evaluator,
IPA.user.is_locked_evaluator,
- IPA.object_class_evaluator,
IPA.cert.certificate_evaluator
],
summary_conditions: [
--
2.26.2
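Review bot: Section visibility for `smb_attributes` now depends on every field carrying `hidden_if_empty: true`, and nothing in user.js says so; a field added later without the flag would make the section show again for users without the ipantuserattrs object class. A one-line comment above `fields: [{` would record it, for example `// all fields need hidden_if_empty: the section is hidden only when no field is visible`. The spec object continues outside the hunk, so I have not checked whether other sections still reference an `oc_*` condition after `IPA.object_class_evaluator` was dropped from the evaluator list.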

File diff suppressed because one or more lines are too long


@ -0,0 +1,134 @@
From 2f8e87ce9ccaab51b32a395c6cf6c764434ed0e2 Mon Sep 17 00:00:00 2001
From: Thomas Woerner <twoerner@redhat.com>
Date: Thu, 11 Jun 2020 10:40:57 +0200
Subject: [PATCH] Revert "WebUI: use python3-rjsmin to minify JavaScript files"
This reverts commit d986e844bbd37ccc7a532175631a55acd315cda3.
---
.lgtm.yml | 4 ++--
freeipa.spec.in | 2 +-
install/ui/build/freeipa/Makefile.am | 2 +-
install/ui/src/webui.profile.js | 4 ++--
install/ui/util/build/README | 4 ++--
install/ui/util/compile.sh | 8 ++++----
6 files changed, 12 insertions(+), 12 deletions(-)
#diff --git a/.lgtm.yml b/.lgtm.yml
#index b3898116e..e63615918 100644
#--- a/.lgtm.yml
#+++ b/.lgtm.yml
#@@ -39,7 +39,7 @@ extraction:
# - python3-setuptools
# - python3-wheel
# - nodejs
#- - python3-rjsmin
#+ - uglifyjs
# - systemd
# - 389-ds-base-dev
# - libssl-dev
#@@ -79,7 +79,7 @@ extraction:
# - python3-setuptools
# - python3-wheel
# - nodejs
#- - python3-rjsmin
#+ - uglifyjs
# - systemd
# - 389-ds-base-dev
# - libssl-dev
diff --git a/freeipa.spec.in b/freeipa.spec.in
index b6eb79593..a4682497a 100755
--- a/freeipa.spec.in
+++ b/freeipa.spec.in
@@ -191,7 +191,7 @@ BuildRequires: libsss_idmap-devel
BuildRequires: libsss_certmap-devel
BuildRequires: libsss_nss_idmap-devel >= %{sssd_version}
BuildRequires: nodejs(abi)
-BuildRequires: python3-rjsmin
+BuildRequires: uglify-js
BuildRequires: libverto-devel
BuildRequires: libunistring-devel
# 0.13.0: https://bugzilla.redhat.com/show_bug.cgi?id=1584773
diff --git a/install/ui/build/freeipa/Makefile.am b/install/ui/build/freeipa/Makefile.am
index f4d97819e..05e82f4da 100644
--- a/install/ui/build/freeipa/Makefile.am
+++ b/install/ui/build/freeipa/Makefile.am
@@ -18,6 +18,6 @@ widgets := $(wildcard ../../src/freeipa/widgets/*.js)
nav := $(wildcard ../../src/freeipa/navigation/*.js)
app.js: $(core) $(base) $(widgets) $(nav)
- PYTHON=$(PYTHON) $(srcdir)/../../util/make-ui.sh
+ $(srcdir)/../../util/make-ui.sh
core.js: app.js
diff --git a/install/ui/src/webui.profile.js b/install/ui/src/webui.profile.js
index 2d4d691dc..1d7a6cc84 100644
--- a/install/ui/src/webui.profile.js
+++ b/install/ui/src/webui.profile.js
@@ -9,7 +9,7 @@ var profile = (function(){
releaseName: "lib",
action: "release",
- // optimization done separately by python3-rjsmin
+ // optimization done separately by uglify.js
layerOptimize: false,
optimize: false,
cssOptimize: false,
@@ -123,4 +123,4 @@ var profile = (function(){
}
}
};
-})();
+})();
\ No newline at end of file
diff --git a/install/ui/util/build/README b/install/ui/util/build/README
index 2c4e0ecac..0772532d4 100644
--- a/install/ui/util/build/README
+++ b/install/ui/util/build/README
@@ -1,5 +1,5 @@
build.js is builded dojo builder, with applied patches from 'patches' folder, by
-itself and compiled using python3-rjsmin
+itself and compiled using uglify.js
_base/configRhino.js is unmodifed file from dojo/dojo. Required for a build to work.
@@ -9,4 +9,4 @@ Available via Academic Free License >= 2.1 OR the modified BSD license.
see: http://dojotoolkit.org/license for details
= License =
-Full Dojo license is in LICENSE file.
+Full Dojo license is in LICENSE file.
\ No newline at end of file
diff --git a/install/ui/util/compile.sh b/install/ui/util/compile.sh
index 1516b815f..d14f90ab0 100755
--- a/install/ui/util/compile.sh
+++ b/install/ui/util/compile.sh
@@ -26,14 +26,14 @@ RDIR=$DIR/../release
usage() {
cat <<-__EOF__;
NAME
- compile.sh - Compiles layer file of Dojo build using Python rjsmin.
+ compile.sh - Compiles layer file of Dojo build using uglify.js.
Deletes all other files.
SYNOPSIS
path/to/compile.sh [--help] --release RELEASE --layer NAME/NAME
DESCRIPTION
- Compiles layer file of Dojo build output using Python rjsmin.
+ Compiles layer file of Dojo build output using uglify.js.
Deletes all other files.
OPTIONS
@@ -105,7 +105,7 @@ if [[ ! $OUTPUT_FILE ]] ; then
OUTPUT_FILE=$RDIR/$RELEASE/$LAYER.js
fi
-# compile using python rjsmin
+# compile using uglifyjs
echo "Minimizing: $RDIR/$RELEASE/$LAYER.js"
echo "Target file: $OUTPUT_FILE"
-${PYTHON:-python3} -m rjsmin < $RDIR/$RELEASE/$LAYER.js > $OUTPUT_FILE
+uglifyjs $RDIR/$RELEASE/$LAYER.js > $OUTPUT_FILE
--
2.26.2
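Review bot: The new minify line in compile.sh expands `$RDIR`, `$RELEASE`, `$LAYER` and `$OUTPUT_FILE` unquoted, and RELEASE and LAYER appear to come from the `--release` and `--layer` options, so a value with whitespace or glob characters is split or expanded before uglifyjs sees it. Quote the expansions: `uglifyjs "$RDIR/$RELEASE/$LAYER.js" > "$OUTPUT_FILE"`. The hunk also shows no check of the uglifyjs exit status, so a failed run could leave a truncated output file; the rest of the script is outside the hunk, so `set -e` may already cover that.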


@ -1,16 +0,0 @@
-----BEGIN PGP SIGNATURE-----
iQIzBAABCgAdFiEEhAodHH8+xLL+UwQ1RxniuKu/YhoFAl302dsACgkQRxniuKu/
Yhrd0RAAvUv30O5rSlww30kxqV3oQb5CIJYSGb/jpWMAhj1Nr+1Ye1P3rCyJLP4R
+fVu23bgIywv8qkWPZdQxohkYCuiTZa8ogl3gXWJDRCp5f5oKWALzwU+Zlu8HlVj
z8UAOFXEO1fYwvwpOPdr+gGiTS5pLq39EIBZSVjvuviXR0adwVcVvw0R2YXYmiLE
x5uaM289YQ4hKY/V0rgqNn0nYiogFcFvSlhkM9oi4+JiKypocPqKTjM4n8EcdXv4
rSJ6Zv6FgnyoREBITCZjKaTn8OTkhqhhzMOgMzWr8QSmNl44UKA9aq5ZIEJgEnMR
N3vW6Br1f4TDJ3JyWeMoizQcNeTFyuoxN9HhGpvDotx+6g+j2yNfAK7ZZAtjULhm
m13zb1svCbGtvRxB8QfIQe62l3drooimWRf5o9fgPVU0MIxgL7x7AulxrZekik6J
NdwXiz75SKfbFZZWVdf9FjJkaBZ3CpJMJnDQiQyCs+xBWOpXYGYkz9a1NRoFgCdC
y8bY9ErfzhLdcgjbZ3EE24FkWMBeUdW+BC4AYSChZlqUZ9CMTQIdyqPVSG/u5sc9
2Rn1YasAfu0P3DJgRCI0BUcxkxFet5M8hfB0iuLE4OJTKnyhmmOUKmO2wUSw0QIr
ogzzN9DF84wwXD1P4X6WFEzOOthCdLPUHyDo3u5fVIy4QWZZDlQ=
=TTzs
-----END PGP SIGNATURE-----


@ -0,0 +1,16 @@
-----BEGIN PGP SIGNATURE-----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=B33Z
-----END PGP SIGNATURE-----


@ -52,24 +52,33 @@
%global linter_options --disable-pylint --without-jslint
%endif
# Include SELinux subpackage
%if 0%{?fedora} >= 30 || 0%{?rhel} > 8
%global with_selinux 1
%global selinuxtype targeted
%global modulename ipa
%endif
%if 0%{?rhel}
%global package_name ipa
%global alt_name freeipa
%global krb5_version 1.17-12
%global krb5_kdb_version 7.0
%global krb5_version 1.18.2-2
%global krb5_kdb_version 8.0
# 0.7.16: https://github.com/drkjam/netaddr/issues/71
%global python_netaddr_version 0.7.19
# Require 4.7.0 which brings Python 3 bindings
%global samba_version 4.10.4-9
%global samba_version 4.12.3-0
%global slapi_nis_version 0.56.4
# Require 3.14.3-24 - Allow ipa_ods_exporter_t domain to read krb5_keytab files
%global selinux_policy_version 3.14.3-24
# SELinux context for /etc/named directory, RHBZ#1759495
%global selinux_policy_version 3.14.3-43
%global slapi_nis_version 0.56.1-4
%global python_ldap_version 3.1.0-1
# python3-lib389
# Fix for "Installation fails: Replica Busy"
# https://pagure.io/389-ds-base/issue/49818
# currently set to 1.4.1.3 until 389-ds rebases to 1.4.2
%global ds_version 1.4.1.3
%global ds_version 1.4.2.4-6
%global httpd_version 2.4.6-31
%else
# Fedora
@ -81,10 +90,14 @@
# 0.7.16: https://github.com/drkjam/netaddr/issues/71
%global python_netaddr_version 0.7.16
# Require 4.7.0 which brings Python 3 bindings
# Require 4.12 which has DsRGetForestTrustInformation access rights fixes
#global samba_version 2:4.12
%global samba_version 2:4.9.0
# DNSSEC AVC violation, RHBZ#1537971
%global selinux_policy_version 3.13.1-283.24
%global slapi_nis_version 0.56.1
# SELinux context for /etc/named directory, RHBZ#1759495
#global selinux_policy_version 3.14.3-52
%global selinux_policy_version 3.14.3-41
#global slapi_nis_version 0.56.4
%global slapi_nis_version 0.56.3
# fix for segfault in python3-ldap, https://pagure.io/freeipa/issue/7324
%global python_ldap_version 3.1.0-1
@ -96,8 +109,8 @@
# Some packages don't provide new dist aliases.
# https://docs.fedoraproject.org/en-US/packaging-guidelines/Python/
%{?python_disable_dependency_generator}
%endif # Fedora
# Fedora
%endif
# Require Dogtag PKI 10.6.8-3 (10.6.7 was never pushed to stable)
# 10.6.7 fixes UpdateNumberRange clone installation issue
@ -113,11 +126,12 @@
%if 0%{?fedora} == 28
%global nss_version 3.41.0-3
%else
%global nss_version 3.41.0-1
%global nss_version 3.44.0-4
%endif
%global sssd_version 2.2.0-19
%global sssd_version 2.2.3-11
%define krb5_base_version %(LC_ALL=C rpm -q --qf '%%{VERSION}' krb5-devel | grep -Eo '^[^.]+\.[^.]+')
%global kdcproxy_version 0.4-3
%global plugin_dir %{_libdir}/dirsrv/plugins
@ -128,7 +142,7 @@
# Work-around fact that RPM SPEC parser does not accept
# "Version: @VERSION@" in freeipa.spec.in used for Autoconf string replacement
%define IPA_VERSION 4.8.4
%define IPA_VERSION 4.8.7
%define AT_SIGN @
# redefine IPA_VERSION only if its value matches the Autoconf placeholder
%if "%{IPA_VERSION}" == "%{AT_SIGN}VERSION%{AT_SIGN}"
@ -137,7 +151,7 @@
Name: %{package_name}
Version: %{IPA_VERSION}
Release: 2%{?dist}
Release: 4%{?dist}
Summary: The Identity, Policy and Audit system
License: GPLv3+
@ -152,9 +166,13 @@ Source1: https://releases.pagure.org/freeipa/freeipa-%{version}.tar.gz.as
# RHEL spec file only: END: Change branding to IPA and Identity Management
# RHEL spec file only: START
Patch0001: 0001-DNS-install-check-Fix-overlapping-DNS-zone-from-the-master-itself_2c2cef7_rhbz#1784003.patch
Patch0001: 0001-WebUI-Fix-IPA-Error-3007-RequirmentError-while-addin_rhbz#1757045.patch
Patch0002: 0002-EPN-does-not-ship-its-default-configuration_rhbz#1847999.patch
Patch0003: 0003-Use-256-bit-AJP-secret_rhbz#1849914.patch
Patch0004: 0004-baseuser-fix-ipanthomedirectorydrive-option-name_rhbz#1851411.patch
Patch1001: 1001-Change-branding-to-IPA-and-Identity-Management.patch
Patch1002: 1002-4.8.0-Remove-csrgen.patch
Patch1003: 1003-Revert-WebUI-use-python3-rjsmin-to-minify-JavaScript.patch
# RHEL spec file only: END
# For the timestamp trick in patch application
@ -165,7 +183,7 @@ BuildRequires: openldap-devel
# will cause the build to fail due to unsatisfied dependencies.
# DAL version change may cause code crash or memory leaks, it is better to fail early.
BuildRequires: krb5-kdb-version = %{krb5_kdb_version}
BuildRequires: krb5-devel >= %{krb5_version}
BuildRequires: krb5-kdb-devel-version = %{krb5_kdb_version}
# 1.27.4: xmlrpc_curl_xportparms.gssapi_delegation
BuildRequires: xmlrpc-c-devel >= 1.27.4
BuildRequires: popt-devel
@ -183,7 +201,6 @@ BuildRequires: systemd
# systemd-tmpfiles which is executed from make install requires apache user
BuildRequires: httpd
BuildRequires: nspr-devel
BuildRequires: nss-devel >= %{nss_version}
BuildRequires: openssl-devel
BuildRequires: libini_config-devel
BuildRequires: cyrus-sasl-devel
@ -204,7 +221,8 @@ BuildRequires: libunistring-devel
# 0.13.0: https://bugzilla.redhat.com/show_bug.cgi?id=1584773
# 0.13.0-2: fix for missing dependency on python-six
BuildRequires: python3-lesscpy >= 0.13.0-2
%endif # ONLY_CLIENT
# ONLY_CLIENT
%endif
#
# Build dependencies for makeapi/makeaci
@ -231,7 +249,8 @@ BuildRequires: python3-twine
BuildRequires: twine
%endif
BuildRequires: python3-wheel
%endif # with_wheels
# with_wheels
%endif
#
# Build dependencies for lint and fastcheck
@ -281,7 +300,8 @@ BuildRequires: python3-sss-murmur
BuildRequires: python3-sssdconfig >= %{sssd_version}
BuildRequires: python3-systemd
BuildRequires: python3-yubico
%endif # with_lint
# with_lint
%endif
#
# Build dependencies for unit tests
@ -289,8 +309,14 @@ BuildRequires: python3-yubico
%if ! %{ONLY_CLIENT}
BuildRequires: libcmocka-devel
# Required by ipa_kdb_tests
BuildRequires: %{_libdir}/krb5/plugins/kdb/db2.so
%endif # ONLY_CLIENT
BuildRequires: krb5-server >= %{krb5_version}
# ONLY_CLIENT
%endif
# Build dependencies for SELinux policy
%if 0%{?with_selinux}
BuildRequires: selinux-policy-devel >= %{selinux_policy_version}
%endif
%description
IPA is an integrated solution to provide centrally managed Identity (users,
@ -311,22 +337,21 @@ Requires: python3-ipaserver = %{version}-%{release}
Requires: python3-ldap >= %{python_ldap_version}
Requires: 389-ds-base >= %{ds_version}
Requires: openldap-clients > 2.4.35-4
Requires: nss >= %{nss_version}
Requires: nss-tools >= %{nss_version}
Requires(post): krb5-server >= %{krb5_version}
Requires(post): krb5-kdb-version = %{krb5_kdb_version}
Requires: krb5-pkinit-openssl >= %{krb5_version}
Requires: cyrus-sasl-gssapi%{?_isa}
Requires: chrony
Requires: httpd >= 2.4.6-31
Requires: httpd >= %{httpd_version}
Requires(preun): python3
Requires(postun): python3
Requires: python3-gssapi >= 1.2.0-5
Requires: python3-systemd
Requires: python3-mod_wsgi
Requires: mod_auth_gssapi >= 1.5.0
Requires: mod_ssl
Requires: mod_session
Requires: mod_ssl >= %{httpd_version}
Requires: mod_session >= %{httpd_version}
# 0.9.9: https://github.com/adelton/mod_lookup_identity/pull/3
Requires: mod_lookup_identity >= 0.9.9
Requires: acl
@ -420,7 +445,7 @@ If you are installing an IPA server, you need to install this package.
Summary: Common files used by IPA server
BuildArch: noarch
Requires: %{name}-client-common = %{version}-%{release}
Requires: httpd >= 2.4.6-31
Requires: httpd >= %{httpd_version}
Requires: systemd-units >= 38
Requires: custodia >= 0.3.1
%if 0%{?rhel} > 7
@ -472,6 +497,7 @@ Requires: %{name}-common = %{version}-%{release}
Requires: samba >= %{samba_version}
Requires: samba-winbind
Requires: libsss_idmap
Obsoletes: ipa-idoverride-memberof-plugin
Requires(post): python3
Requires: python3-samba
@ -495,7 +521,8 @@ Cross-realm trusts with Active Directory in IPA require working Samba 4
installation. This package is provided for convenience to install all required
dependencies at once.
%endif # ONLY_CLIENT
# ONLY_CLIENT
%endif
%package client
@ -565,6 +592,17 @@ Requires: cifs-utils
This package provides command-line tools to deploy Samba domain member
on the machine enrolled into a FreeIPA environment
%if ! %{ONLY_CLIENT}
%package client-epn
Summary: Tools to configure Expiring Password Notification in IPA
Group: System Environment/Base
Requires: %{name}-client = %{version}-%{release}
%description client-epn
This package provides a service to collect and send expiring password
notifications via email (SMTP).
%endif
%package -n python3-ipaclient
Summary: Python libraries used by IPA client
BuildArch: noarch
@ -689,6 +727,13 @@ Obsoletes: %{alt_name}-common < %{version}
Conflicts: %{alt_name}-python < %{version}
%if 0%{?with_selinux}
# This ensures that the *-selinux package and all its dependencies are not
# pulled into containers and other systems that do not use SELinux. The
# policy defines types and file contexts for client and server.
Requires: (%{name}-selinux if selinux-policy-%{selinuxtype})
%endif
%description common
IPA is an integrated solution to provide centrally managed Identity (users,
hosts, services), Authentication (SSO, 2FA), and Authorization
@ -711,12 +756,14 @@ Requires: ldns-utils
Requires: python3-coverage
Requires: python3-cryptography >= 1.6
Requires: python3-polib
Requires: python3-pytest >= 2.6
Requires: python3-pytest >= 3.9.1
Requires: python3-pytest-multihost >= 0.5
Requires: python3-pytest-sourceorder
Requires: python3-sssdconfig >= %{sssd_version}
Requires: tar
Requires: xz
Requires: openssh-clients
Requires: sshpass
%description -n python3-ipatests
IPA is an integrated solution to provide centrally managed Identity (users,
@ -726,7 +773,23 @@ features for further integration with Linux based clients (SUDO, automount)
and integration with Active Directory based infrastructures (Trusts).
This package contains tests that verify IPA functionality under Python 3.
%endif # with_ipatests
# with_ipatests
%endif
%if 0%{?with_selinux}
# SELinux subpackage
%package selinux
Summary: FreeIPA SELinux policy
BuildArch: noarch
Requires: selinux-policy-%{selinuxtype}
Requires(post): selinux-policy-%{selinuxtype}
%{?selinux_requires}
%description selinux
Custom SELinux policy module for FreeIPA
# with_selinux
%endif
%prep
@ -863,15 +926,28 @@ mkdir -p %{buildroot}%{_sysconfdir}/httpd/conf.d/
mkdir -p %{buildroot}%{_libdir}/krb5/plugins/libkrb5
touch %{buildroot}%{_libdir}/krb5/plugins/libkrb5/winbind_krb5_locator.so
%endif # ONLY_CLIENT
# ONLY_CLIENT
%endif
/bin/touch %{buildroot}%{_sysconfdir}/ipa/default.conf
/bin/touch %{buildroot}%{_sysconfdir}/ipa/ca.crt
%if ! %{ONLY_CLIENT}
mkdir -p %{buildroot}%{_sysconfdir}/cron.d
%endif # ONLY_CLIENT
# ONLY_CLIENT
%endif
%if %{ONLY_CLIENT}
# Remove ipa-epn parts as we don't have ipa-epn systemd integration generated
# for client-only build
rm %{buildroot}/%{_sbindir}/ipa-epn
rm %{buildroot}/%{_sysconfdir}/ipa/epn.conf
rm -rf %{buildroot}/%{_sysconfdir}/ipa/epn
rm %{buildroot}/%{_mandir}/man1/ipa-epn.1*
rm %{buildroot}/%{_mandir}/man5/epn.conf.5*
rm %{buildroot}/%{_unitdir}/ipa-epn.service
rm %{buildroot}/%{_unitdir}/ipa-epn.timer
%endif
%if ! %{ONLY_CLIENT}
@ -983,7 +1059,8 @@ if [ $1 -eq 0 ]; then
/bin/systemctl reload-or-try-restart oddjobd
fi
%endif # ONLY_CLIENT
# ONLY_CLIENT
%endif
%post client
@ -1021,6 +1098,28 @@ if [ $1 -gt 1 ] ; then
fi
%if 0%{?with_selinux}
# SELinux contexts are saved so that only affected files can be
# relabeled after the policy module installation
%pre selinux
%selinux_relabel_pre -s %{selinuxtype}
%post selinux
semodule -d ipa_custodia &> /dev/null || true;
%selinux_modules_install -s %{selinuxtype} %{_datadir}/selinux/packages/%{selinuxtype}/%{modulename}.pp.bz2
%postun selinux
if [ $1 -eq 0 ]; then
%selinux_modules_uninstall -s %{selinuxtype} %{modulename}
semodule -e ipa_custodia &> /dev/null || true;
fi
%posttrans selinux
%selinux_relabel_post -s %{selinuxtype}
# with_selinux
%endif
%triggerin client -- openssh-server
# Has the client been configured?
restore=0
@ -1087,11 +1186,12 @@ fi
%{_sbindir}/ipa-cert-fix
%{_libexecdir}/certmonger/dogtag-ipa-ca-renew-agent-submit
%{_libexecdir}/certmonger/ipa-server-guard
%{_libexecdir}/ipa/custodia/ipa-custodia-dmldap
%{_libexecdir}/ipa/custodia/ipa-custodia-pki-tomcat
%{_libexecdir}/ipa/custodia/ipa-custodia-pki-tomcat-wrapped
%{_libexecdir}/ipa/custodia/ipa-custodia-ra-agent
%dir %{_libexecdir}/ipa
%dir %{_libexecdir}/ipa/custodia
%attr(755,root,root) %{_libexecdir}/ipa/custodia/ipa-custodia-dmldap
%attr(755,root,root) %{_libexecdir}/ipa/custodia/ipa-custodia-pki-tomcat
%attr(755,root,root) %{_libexecdir}/ipa/custodia/ipa-custodia-pki-tomcat-wrapped
%attr(755,root,root) %{_libexecdir}/ipa/custodia/ipa-custodia-ra-agent
%{_libexecdir}/ipa/ipa-custodia
%{_libexecdir}/ipa/ipa-custodia-check
%{_libexecdir}/ipa/ipa-httpd-kdcproxy
@ -1099,8 +1199,10 @@ fi
%{_libexecdir}/ipa/ipa-pki-retrieve-key
%{_libexecdir}/ipa/ipa-pki-wait-running
%{_libexecdir}/ipa/ipa-otpd
%{_libexecdir}/ipa/ipa-print-pac
%dir %{_libexecdir}/ipa/oddjob
%attr(0755,root,root) %{_libexecdir}/ipa/oddjob/org.freeipa.server.conncheck
%attr(0755,root,root) %{_libexecdir}/ipa/oddjob/org.freeipa.server.trust-enable-agent
%config(noreplace) %{_sysconfdir}/dbus-1/system.d/org.freeipa.server.conf
%config(noreplace) %{_sysconfdir}/oddjobd.conf.d/ipa-server.conf
%dir %{_libexecdir}/ipa/certmonger
@ -1176,7 +1278,6 @@ fi
%{_usr}/share/ipa/*.ldif
%{_usr}/share/ipa/*.uldif
%{_usr}/share/ipa/*.template
%{_usr}/share/ipa/bind.ipa-ext.conf
%dir %{_usr}/share/ipa/advise
%dir %{_usr}/share/ipa/advise/legacy
%{_usr}/share/ipa/advise/legacy/*.template
@ -1217,16 +1318,17 @@ fi
%dir %{_sysconfdir}/ipa/html
%config(noreplace) %{_sysconfdir}/ipa/html/ssbrowser.html
%config(noreplace) %{_sysconfdir}/ipa/html/unauthorized.html
%ghost %attr(0644,root,apache) %config(noreplace) %{_sysconfdir}/httpd/conf.d/ipa-rewrite.conf
%ghost %attr(0644,root,apache) %config(noreplace) %{_sysconfdir}/httpd/conf.d/ipa.conf
%ghost %attr(0644,root,apache) %config(noreplace) %{_sysconfdir}/httpd/conf.d/ipa-kdc-proxy.conf
%ghost %attr(0644,root,apache) %config(noreplace) %{_sysconfdir}/httpd/conf.d/ipa-pki-proxy.conf
%ghost %attr(0644,root,apache) %config(noreplace) %{_sysconfdir}/ipa/kdcproxy/ipa-kdc-proxy.conf
%ghost %attr(0644,root,apache) %config(noreplace) %{_usr}/share/ipa/html/ca.crt
%ghost %attr(0644,root,root) %config(noreplace) %{_sysconfdir}/httpd/conf.d/ipa-rewrite.conf
%ghost %attr(0644,root,root) %config(noreplace) %{_sysconfdir}/httpd/conf.d/ipa.conf
%ghost %attr(0644,root,root) %config(noreplace) %{_sysconfdir}/httpd/conf.d/ipa-kdc-proxy.conf
%ghost %attr(0640,root,root) %config(noreplace) %{_sysconfdir}/httpd/conf.d/ipa-pki-proxy.conf
%ghost %attr(0644,root,root) %config(noreplace) %{_sysconfdir}/ipa/kdcproxy/ipa-kdc-proxy.conf
%ghost %attr(0644,root,root) %config(noreplace) %{_usr}/share/ipa/html/ca.crt
%ghost %attr(0640,root,named) %config(noreplace) %{_sysconfdir}/named/ipa-ext.conf
%ghost %attr(0644,root,apache) %{_usr}/share/ipa/html/krb.con
%ghost %attr(0644,root,apache) %{_usr}/share/ipa/html/krb5.ini
%ghost %attr(0644,root,apache) %{_usr}/share/ipa/html/krbrealm.con
%ghost %attr(0640,root,named) %config(noreplace) %{_sysconfdir}/named/ipa-options-ext.conf
%ghost %attr(0644,root,root) %{_usr}/share/ipa/html/krb.con
%ghost %attr(0644,root,root) %{_usr}/share/ipa/html/krb5.ini
%ghost %attr(0644,root,root) %{_usr}/share/ipa/html/krbrealm.con
%dir %{_usr}/share/ipa/updates/
%{_usr}/share/ipa/updates/*
%dir %{_localstatedir}/lib/ipa
@ -1238,8 +1340,8 @@ fi
%attr(755,root,root) %dir %{_localstatedir}/lib/ipa/certs
%attr(700,root,root) %dir %{_localstatedir}/lib/ipa/private
%attr(700,root,root) %dir %{_localstatedir}/lib/ipa/passwds
%ghost %{_localstatedir}/lib/ipa/pki-ca/publish
%ghost %{_localstatedir}/named/dyndb-ldap/ipa
%ghost %attr(775,root,pkiuser) %{_localstatedir}/lib/ipa/pki-ca/publish
%ghost %attr(770,named,named) %{_localstatedir}/named/dyndb-ldap/ipa
%dir %attr(0700,root,root) %{_sysconfdir}/ipa/custodia
%dir %{_usr}/share/ipa/schema.d
%attr(0644,root,root) %{_usr}/share/ipa/schema.d/README
@ -1271,9 +1373,10 @@ fi
%ghost %{_libdir}/krb5/plugins/libkrb5/winbind_krb5_locator.so
%{_sysconfdir}/dbus-1/system.d/oddjob-ipa-trust.conf
%{_sysconfdir}/oddjobd.conf.d/oddjobd-ipa-trust.conf
%%attr(755,root,root) %{_libexecdir}/ipa/oddjob/com.redhat.idm.trust-fetch-domains
%attr(755,root,root) %{_libexecdir}/ipa/oddjob/com.redhat.idm.trust-fetch-domains
%endif # ONLY_CLIENT
# ONLY_CLIENT
%endif
%files client
@ -1302,6 +1405,20 @@ fi
%{_sbindir}/ipa-client-samba
%{_mandir}/man1/ipa-client-samba.1*
%if ! %{ONLY_CLIENT}
%files client-epn
%doc README.md Contributors.txt
%dir %{_sysconfdir}/ipa/epn
%license COPYING
%{_sbindir}/ipa-epn
%{_mandir}/man1/ipa-epn.1*
%{_mandir}/man5/epn.conf.5*
%attr(644,root,root) %{_unitdir}/ipa-epn.service
%attr(644,root,root) %{_unitdir}/ipa-epn.timer
%attr(600,root,root) %config(noreplace) %{_sysconfdir}/ipa/epn.conf
%attr(644,root,root) %config(noreplace) %{_sysconfdir}/ipa/epn/expire_msg.template
%endif
%files -n python3-ipaclient
%doc README.md Contributors.txt
%license COPYING
@ -1328,19 +1445,19 @@ fi
%doc README.md Contributors.txt
%license COPYING
%dir %attr(0755,root,root) %{_sysconfdir}/ipa/
%ghost %attr(0644,root,apache) %config(noreplace) %{_sysconfdir}/ipa/default.conf
%ghost %attr(0644,root,apache) %config(noreplace) %{_sysconfdir}/ipa/ca.crt
%ghost %attr(0644,root,root) %config(noreplace) %{_sysconfdir}/ipa/default.conf
%ghost %attr(0644,root,root) %config(noreplace) %{_sysconfdir}/ipa/ca.crt
%dir %attr(0755,root,root) %{_sysconfdir}/ipa/nssdb
# old dbm format
%ghost %config(noreplace) %{_sysconfdir}/ipa/nssdb/cert8.db
%ghost %config(noreplace) %{_sysconfdir}/ipa/nssdb/key3.db
%ghost %config(noreplace) %{_sysconfdir}/ipa/nssdb/secmod.db
%ghost %attr(644,root,root) %config(noreplace) %{_sysconfdir}/ipa/nssdb/cert8.db
%ghost %attr(644,root,root) %config(noreplace) %{_sysconfdir}/ipa/nssdb/key3.db
%ghost %attr(644,root,root) %config(noreplace) %{_sysconfdir}/ipa/nssdb/secmod.db
# new sql format
%ghost %config(noreplace) %{_sysconfdir}/ipa/nssdb/cert9.db
%ghost %config(noreplace) %{_sysconfdir}/ipa/nssdb/key4.db
%ghost %config(noreplace) %{_sysconfdir}/ipa/nssdb/pkcs11.txt
%ghost %config(noreplace) %{_sysconfdir}/ipa/nssdb/pwdfile.txt
%ghost %config(noreplace) %{_sysconfdir}/pki/ca-trust/source/ipa.p11-kit
%ghost %attr(644,root,root) %config(noreplace) %{_sysconfdir}/ipa/nssdb/cert9.db
%ghost %attr(644,root,root) %config(noreplace) %{_sysconfdir}/ipa/nssdb/key4.db
%ghost %attr(644,root,root) %config(noreplace) %{_sysconfdir}/ipa/nssdb/pkcs11.txt
%ghost %attr(600,root,root) %config(noreplace) %{_sysconfdir}/ipa/nssdb/pwdfile.txt
%ghost %attr(644,root,root) %config(noreplace) %{_sysconfdir}/pki/ca-trust/source/ipa.p11-kit
%dir %{_localstatedir}/lib/ipa-client
%dir %{_localstatedir}/lib/ipa-client/pki
%dir %{_localstatedir}/lib/ipa-client/sysrestore
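Review bot: The explicit modes added for `/etc/ipa/nssdb` list `key3.db` and `key4.db` as 644 while `pwdfile.txt` is 600, so the key databases are recorded as world-readable and only the password file is restricted. Whether this database ever holds private key material is not visible from the hunk; if it can, the key files should be listed as 600 as well, e.g. `%ghost %attr(600,root,root) %config(noreplace) %{_sysconfdir}/ipa/nssdb/key4.db`. If it is meant to hold only public CA certificates, a comment saying so above the `# old dbm format` line would stop the next reader from asking, e.g. `# nssdb holds public CA certificates only; pwdfile.txt is the sole secret`. Which of the duplicated lines is the new side is inferred from order, since the +/- column is lost on this page.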
@ -1370,7 +1487,6 @@ fi
%{python3_sitelib}/ipapython-*.egg-info
%{python3_sitelib}/ipalib-*.egg-info
%{python3_sitelib}/ipaplatform-*.egg-info
%{python3_sitelib}/ipaplatform-*-nspkg.pth
%if 0%{?with_ipatests}
@ -1388,11 +1504,86 @@ fi
%{_mandir}/man1/ipa-test-config.1*
%{_mandir}/man1/ipa-test-task.1*
%endif # with_ipatests
# with_ipatests
%endif
%if 0%{?with_selinux}
%files selinux
%{_datadir}/selinux/packages/%{selinuxtype}/%{modulename}.pp.*
%ghost %{_sharedstatedir}/selinux/%{selinuxtype}/active/modules/200/%{modulename}
# with_selinux
%endif
%changelog
* Mon Dec 14 2019 Thomas Woerner <twoerner@redhat.com> - 4.8.4-2
* Mon Jun 29 2020 Thomas Woerner <twoerner@redhat.com> - 4.8.7-4
- Remove client-epn left over files for ONLY_CLIENT
Related: RHBZ#1847999
* Mon Jun 29 2020 Thomas Woerner <twoerner@redhat.com> - 4.8.7-3
- [WebUI] IPA Error 3007: RequirmentError" while adding members in
"User ID overrides" tab
Resolves: RHBZ#1757045
- EPN does not ship its default configuration ( /etc/ipa/epn.conf ) in
freeipa-client-epn
Resolves: RHBZ#1847999
- FreeIPA - Utilize 256-bit AJP connector passwords
Resolves: RHBZ#1849914
- ipa: typo issue in ipanthomedirectoryrive deffinition
Resolves: RHBZ#1851411
* Thu Jun 11 2020 Thomas Woerner <twoerner@redhat.com> - 4.8.7-2
- Remove ipa-idoverride-memberof as superceded by ipa-server 4.8.7
Resolves: RHBZ#1846434
* Thu Jun 11 2020 Thomas Woerner <twoerner@redhat.com> - 4.8.7-1
- Upstream release FreeIPA 4.8.7
- Require new samba build 4.12.3-0
Related: RHBZ#1818765
- New client-epn sub package
Resolves: RHBZ#913799
* Tue Jun 02 2020 Thomas Woerner <twoerner@redhat.com> - 4.8.6-2
- Support krb5 1.18
Resolves: RHBZ#1817579
* Tue Apr 28 2020 Thomas Woerner <twoerner@redhat.com> - 4.8.6-1
- Upstream release FreeIPA 4.8.6
- New SELinux sub package to provide own module
- Depend on selinux-policy-devel 3.14.3-43 for build due to a makefile issue in
SELinux external policy support
Related: RHBZ#1818765
* Mon Feb 17 2020 Thomas Woerner <twoerner@redhat.com> - 4.8.4-6
- Allow an empty cookie in dogtag-ipa-ca-renew-agent-submit
Resolves: RHBZ#1790663
* Mon Feb 17 2020 Thomas Woerner <twoerner@redhat.com> - 4.8.4-5
- Fixed weekday in 4.8.4-2 changelog date
Related: RHBZ#1784003
- adtrust: print DNS records for external DNS case after role is enabled
Resolves: RHBZ#1665051
- AD user without override receive InternalServerError with API
Resolves: RHBZ#1782572
- ipa-client-automount fails after repeated installation/uninstallation
Resolves: RHBZ#1790886
- install/updates: move external members past schema compat update
Resolves: RHBZ#1803165
- kdb: make sure audit_as_req callback signature change is preserved
Resolves: RHBZ#1803786
* Wed Jan 29 2020 Thomas Woerner <twoerner@redhat.com> - 4.8.4-4
- Update dependencies for samba, 389-ds and sssd
Resolves: RHBZ#1792848
* Fri Jan 17 2020 Alexander Bokovoy <abokovoy@redhat.com> - 4.8.4-3
- Depend on krb5-kdb-version-devel for BuildRequires
- Update nss dependency to 3.44.0-4
- Reset per-indicator Kebreros policy
Resolves: RHBZ#1784761
* Sat Dec 14 2019 Thomas Woerner <twoerner@redhat.com> - 4.8.4-2
- DNS install check: Fix overlapping DNS zone from the master itself
Resolves: RHBZ#1784003