FreeIPA 4.9.9

Signed-off-by: Alexander Bokovoy <abokovoy@redhat.com>
Alexander Bokovoy 2022-04-27 17:53:56 +03:00
parent 95b29321ec
commit f256fb899c
5 changed files with 24 additions and 217 deletions

.gitignore vendored

@ -116,3 +116,5 @@
/freeipa-4.9.7.tar.gz.asc
/freeipa-4.9.8.tar.gz
/freeipa-4.9.8.tar.gz.asc
/freeipa-4.9.9.tar.gz
/freeipa-4.9.9.tar.gz.asc


@ -1,44 +0,0 @@
From f0191040616e6fe58fef5b20b7d9c284de913be7 Mon Sep 17 00:00:00 2001
From: Alexander Bokovoy <abokovoy@redhat.com>
Date: Tue, 11 Jan 2022 16:10:24 +0200
Subject: [PATCH] Support building against OpenLDAP 2.6+
OpenLDAP 2.6 deprecated separate libldap/libldap_r, there is only one
(reentrant) variant for the library.
Attempt to use _r variant by default. In case it is missing, assume we
are using OpenLDAP 2.6 which has libraries without _r suffix. The
functions are still reentrant so there is not functional difference.
Fixes: https://pagure.io/freeipa/issue/9080
Signed-off-by: Alexander Bokovoy <abokovoy@redhat.com>
Reviewed-By: Rob Crittenden <rcritten@redhat.com>
---
configure.ac | 10 +++++++---
1 file changed, 7 insertions(+), 3 deletions(-)
diff --git a/configure.ac b/configure.ac
index 1ae4dc8dd..a64b434fe 100644
--- a/configure.ac
+++ b/configure.ac
@@ -101,9 +101,13 @@ dnl ---------------------------------------------------------------------------
SAVE_CPPFLAGS=$CPPFLAGS
CPPFLAGS="$NSPR_CFLAGS $NSS_CFLAGS"
-AC_CHECK_LIB([ldap_r], [ldap_search], [ ], AC_MSG_ERROR([libldap_r not found]))
-AC_CHECK_LIB([lber], [ber_peek_tag], [ ], AC_MSG_ERROR([liblber not found]))
-LDAP_LIBS="-lldap_r -llber"
+SAVE_LIBS="$LIBS"
+LIBS=
+AC_SEARCH_LIBS([ldap_search], [ldap_r ldap], [], [AC_MSG_ERROR([libldap or libldap_r not found])])
+AC_SEARCH_LIBS([ber_peek_tag], [lber], [], [AC_MSG_ERROR([liblber not found])])
+LDAP_LIBS="$LIBS"
+LDAP_CFLAGS=""
+LIBS="$SAVE_LIBS"
LDAP_CFLAGS=""
AC_SUBST(LDAP_LIBS)
AC_SUBST(LDAP_CFLAGS)
--
2.33.1


@ -1,164 +0,0 @@
From d9f92dabda1492a4c6a95603ab7cfd66a8cc84b4 Mon Sep 17 00:00:00 2001
From: Alexander Bokovoy <abokovoy@redhat.com>
Date: Mon, 7 Feb 2022 08:42:40 +0200
Subject: [PATCH 1/2] OpenLDAP 2.6+: use only -H option to specify LDAP url
OpenLDAP 2.6+ finally deprecated -h and -p options in all its command
line tools. They are not allowed anymore and cause ldap* tools to stop
hard with 'unknown option' error.
Fix this by always using -H url option instead. Deriving default value
for -H url from the configuration file still works, it is only -h and -p
that were deprecated.
See also: https://bugs.openldap.org/show_bug.cgi?id=8618
Fixes: https://pagure.io/freeipa/issue/9106
Signed-off-by: Alexander Bokovoy <abokovoy@redhat.com>
Reviewed-By: Florence Blanc-Renaud <flo@redhat.com>
---
ipaclient/remote_plugins/2_114/sudorule.py | 4 +++-
ipaclient/remote_plugins/2_156/sudorule.py | 4 +++-
ipaclient/remote_plugins/2_164/sudorule.py | 4 +++-
ipaclient/remote_plugins/2_49/sudorule.py | 4 +++-
ipaserver/install/dsinstance.py | 2 +-
ipaserver/plugins/sudorule.py | 2 +-
ipatests/pytest_ipa/integration/tasks.py | 3 +--
7 files changed, 15 insertions(+), 8 deletions(-)
diff --git a/ipaclient/remote_plugins/2_114/sudorule.py b/ipaclient/remote_plugins/2_114/sudorule.py
index 4b020738f..48a107ff9 100644
--- a/ipaclient/remote_plugins/2_114/sudorule.py
+++ b/ipaclient/remote_plugins/2_114/sudorule.py
@@ -41,7 +41,9 @@ IPA provides a designated binddn to use with Sudo located at:
uid=sudo,cn=sysaccounts,cn=etc,dc=example,dc=com
To enable the binddn run the following command to set the password:
-LDAPTLS_CACERT=/etc/ipa/ca.crt /usr/bin/ldappasswd -S -W -h ipa.example.com -ZZ -D "cn=Directory Manager" uid=sudo,cn=sysaccounts,cn=etc,dc=example,dc=com
+LDAPTLS_CACERT=/etc/ipa/ca.crt /usr/bin/ldappasswd -S -W \\
+ -H ldap://ipa.example.com -ZZ -D "cn=Directory Manager" \\
+ uid=sudo,cn=sysaccounts,cn=etc,dc=example,dc=com
EXAMPLES:
diff --git a/ipaclient/remote_plugins/2_156/sudorule.py b/ipaclient/remote_plugins/2_156/sudorule.py
index d475e68a6..04b3a3e10 100644
--- a/ipaclient/remote_plugins/2_156/sudorule.py
+++ b/ipaclient/remote_plugins/2_156/sudorule.py
@@ -41,7 +41,9 @@ IPA provides a designated binddn to use with Sudo located at:
uid=sudo,cn=sysaccounts,cn=etc,dc=example,dc=com
To enable the binddn run the following command to set the password:
-LDAPTLS_CACERT=/etc/ipa/ca.crt /usr/bin/ldappasswd -S -W -h ipa.example.com -ZZ -D "cn=Directory Manager" uid=sudo,cn=sysaccounts,cn=etc,dc=example,dc=com
+LDAPTLS_CACERT=/etc/ipa/ca.crt /usr/bin/ldappasswd -S -W \\
+ -H ldap://ipa.example.com -ZZ -D "cn=Directory Manager" \\
+ uid=sudo,cn=sysaccounts,cn=etc,dc=example,dc=com
EXAMPLES:
diff --git a/ipaclient/remote_plugins/2_164/sudorule.py b/ipaclient/remote_plugins/2_164/sudorule.py
index d475e68a6..04b3a3e10 100644
--- a/ipaclient/remote_plugins/2_164/sudorule.py
+++ b/ipaclient/remote_plugins/2_164/sudorule.py
@@ -41,7 +41,9 @@ IPA provides a designated binddn to use with Sudo located at:
uid=sudo,cn=sysaccounts,cn=etc,dc=example,dc=com
To enable the binddn run the following command to set the password:
-LDAPTLS_CACERT=/etc/ipa/ca.crt /usr/bin/ldappasswd -S -W -h ipa.example.com -ZZ -D "cn=Directory Manager" uid=sudo,cn=sysaccounts,cn=etc,dc=example,dc=com
+LDAPTLS_CACERT=/etc/ipa/ca.crt /usr/bin/ldappasswd -S -W \\
+ -H ldap://ipa.example.com -ZZ -D "cn=Directory Manager" \\
+ uid=sudo,cn=sysaccounts,cn=etc,dc=example,dc=com
EXAMPLES:
diff --git a/ipaclient/remote_plugins/2_49/sudorule.py b/ipaclient/remote_plugins/2_49/sudorule.py
index 912a0b1ef..44f8ae7fe 100644
--- a/ipaclient/remote_plugins/2_49/sudorule.py
+++ b/ipaclient/remote_plugins/2_49/sudorule.py
@@ -41,7 +41,9 @@ IPA provides a designated binddn to use with Sudo located at:
uid=sudo,cn=sysaccounts,cn=etc,dc=example,dc=com
To enable the binddn run the following command to set the password:
-LDAPTLS_CACERT=/etc/ipa/ca.crt /usr/bin/ldappasswd -S -W -h ipa.example.com -ZZ -D "cn=Directory Manager" uid=sudo,cn=sysaccounts,cn=etc,dc=example,dc=com
+LDAPTLS_CACERT=/etc/ipa/ca.crt /usr/bin/ldappasswd -S -W \\
+ -H ldap://ipa.example.com -ZZ -D "cn=Directory Manager" \\
+ uid=sudo,cn=sysaccounts,cn=etc,dc=example,dc=com
For more information, see the IPA Documentation to Sudo.
""")
diff --git a/ipaserver/install/dsinstance.py b/ipaserver/install/dsinstance.py
index ac9e131bb..04d26452d 100644
--- a/ipaserver/install/dsinstance.py
+++ b/ipaserver/install/dsinstance.py
@@ -1040,7 +1040,7 @@ class DsInstance(service.Service):
admpwdfile.write(password)
admpwdfile.flush()
- args = [paths.LDAPPASSWD, "-h", self.fqdn,
+ args = [paths.LDAPPASSWD, "-H", "ldap://{}".format(self.fqdn),
"-ZZ", "-x", "-D", str(DN(('cn', 'Directory Manager'))),
"-y", dmpwdfile.name, "-T", admpwdfile.name,
str(DN(('uid', 'admin'), ('cn', 'users'), ('cn', 'accounts'), self.suffix))]
diff --git a/ipaserver/plugins/sudorule.py b/ipaserver/plugins/sudorule.py
index 688065715..8528b6328 100644
--- a/ipaserver/plugins/sudorule.py
+++ b/ipaserver/plugins/sudorule.py
@@ -66,7 +66,7 @@ uid=sudo,cn=sysaccounts,cn=etc,dc=example,dc=com
""") + _("""
To enable the binddn run the following command to set the password:
LDAPTLS_CACERT=/etc/ipa/ca.crt /usr/bin/ldappasswd -S -W \
--h ipa.example.com -ZZ -D "cn=Directory Manager" \
+-H ldap://ipa.example.com -ZZ -D "cn=Directory Manager" \
uid=sudo,cn=sysaccounts,cn=etc,dc=example,dc=com
""") + _("""
EXAMPLES:
diff --git a/ipatests/pytest_ipa/integration/tasks.py b/ipatests/pytest_ipa/integration/tasks.py
index 836d140d4..7e1b7c24d 100755
--- a/ipatests/pytest_ipa/integration/tasks.py
+++ b/ipatests/pytest_ipa/integration/tasks.py
@@ -2086,8 +2086,7 @@ def ldapsearch_dm(host, base, ldap_args, scope='sub', **kwargs):
args = [
'ldapsearch',
'-x', '-ZZ',
- '-h', host.hostname,
- '-p', '389',
+ '-H', "ldap://{}".format(host.hostname),
'-D', str(host.config.dirman_dn),
'-w', host.config.dirman_password,
'-s', scope,
--
2.34.1
From fd5b2a3748c187df67c61b35f28d2e57c1298e32 Mon Sep 17 00:00:00 2001
From: Alexander Bokovoy <abokovoy@redhat.com>
Date: Mon, 7 Feb 2022 08:45:52 +0200
Subject: [PATCH 2/2] pylint: workaround incorrect pylint detection of a local
function
pylint 2.9 thinks that __add_principal is a class-level method that is
unused. It is a local function inside one of class methods and is used
directly inside that method.
Signed-off-by: Alexander Bokovoy <abokovoy@redhat.com>
Reviewed-By: Florence Blanc-Renaud <flo@redhat.com>
---
ipaserver/install/dsinstance.py | 1 +
1 file changed, 1 insertion(+)
diff --git a/ipaserver/install/dsinstance.py b/ipaserver/install/dsinstance.py
index 04d26452d..57fc4870f 100644
--- a/ipaserver/install/dsinstance.py
+++ b/ipaserver/install/dsinstance.py
@@ -993,6 +993,7 @@ class DsInstance(service.Service):
def __setup_s4u2proxy(self):
+ # pylint: disable=unused-private-member
def __add_principal(last_cn, principal, self):
dn = DN(('cn', last_cn), ('cn', 's4u2proxy'),
('cn', 'etc'), self.suffix)
--
2.34.1


@ -1,3 +1,5 @@
%define ipa_requires_gt() %(LC_ALL="C" echo '%*' | xargs -r rpm -q --qf 'Requires: %%{name} >= %%{epoch}:%%{version}-%%{release}\\n' | sed -e 's/ (none):/ /' -e 's/ 0:/ /' | grep -v "is not")
# ipatests enabled by default, can be disabled with --without ipatests
%bcond_without ipatests
# default to not use XML-RPC in Rawhide, can be turned around with --with ipa_join_xml
@ -183,7 +185,7 @@
# Work-around fact that RPM SPEC parser does not accept
# "Version: @VERSION@" in freeipa.spec.in used for Autoconf string replacement
%define IPA_VERSION 4.9.8
%define IPA_VERSION 4.9.9
# Release candidate version -- uncomment with one percent for RC versions
#%%global rc_version %%nil
%define AT_SIGN @
@ -196,7 +198,7 @@
Name: %{package_name}
Version: %{IPA_VERSION}
Release: 3%{?rc_version:.%rc_version}%{?dist}
Release: 1%{?rc_version:.%rc_version}%{?dist}
Summary: The Identity, Policy and Audit system
License: GPLv3+
@ -207,9 +209,6 @@ Source0: https://releases.pagure.org/freeipa/freeipa-%{version}%{?rc_vers
Source1: https://releases.pagure.org/freeipa/freeipa-%{version}%{?rc_version}.tar.gz.asc
%endif
Patch0001: freeipa-openldap-2.6.patch
Patch0002: freeipa-openldap-updates.patch
# RHEL spec file only: START: Change branding to IPA and Identity Management
# Moved branding logos and background to redhat-logos-ipa-80.4:
# header-logo.png, login-screen-background.jpg, login-screen-logo.png,
@ -471,6 +470,8 @@ Requires: gssproxy >= 0.7.0-2
Requires: sssd-dbus >= %{sssd_version}
Requires: libpwquality
Requires: cracklib-dicts
# NDR libraries are internal in Samba and change with version without changing SONAME
%ipa_requires_gt samba-client-libs
Provides: %{alt_name}-server = %{version}
Conflicts: %{alt_name}-server
@ -570,9 +571,11 @@ Requires: %{name}-server = %{version}-%{release}
Requires: bind-dyndb-ldap >= 11.2-2
Requires: bind >= %{bind_version}
Requires: bind-utils >= %{bind_version}
# bind-dnssec-utils is required by the OpenDNSSec integration
# https://pagure.io/freeipa/issue/9026
Requires: bind-dnssec-utils >= %{bind_version}
%if %{with bind_pkcs11}
Requires: bind-pkcs11 >= %{bind_version}
Requires: bind-pkcs11-utils >= %{bind_version}
%else
Requires: softhsm >= %{softhsm_version}
Requires: openssl-pkcs11 >= %{openssl_pkcs11_version}
@ -687,6 +690,12 @@ Provides: %{name}-admintools = %{version}-%{release}
Conflicts: crypto-policies < 20200629-1
%endif
%if 0%{?rhel} == 9
# Conflict with crypto-policies < 20220223-1 to get upgraded AD-SUPPORT and
# AD-SUPPORT-LEGACY policy modules
Conflicts: crypto-policies < 20220223-1
%endif
%description client
IPA is an integrated solution to provide centrally managed Identity (users,
hosts, services), Authentication (SSO, 2FA), and Authorization
@ -1228,6 +1237,7 @@ if [ $1 -gt 1 ] ; then
%{__python3} -c 'from ipaclient.install.client import configure_krb5_snippet; configure_krb5_snippet()' >>/var/log/ipaupgrade.log 2>&1
%{__python3} -c 'from ipaclient.install.client import update_ipa_nssdb; update_ipa_nssdb()' >>/var/log/ipaupgrade.log 2>&1
chmod 0600 /var/log/ipaupgrade.log
SSH_CLIENT_SYSTEM_CONF="/etc/ssh/ssh_config"
if [ -f "$SSH_CLIENT_SYSTEM_CONF" ]; then
sed -E --in-place=.orig 's/^(HostKeyAlgorithms ssh-rsa,ssh-dss)$/# disabled by ipa-client update\n# \1/' "$SSH_CLIENT_SYSTEM_CONF"
@ -1375,8 +1385,8 @@ fi
%attr(755,root,root) %{_libexecdir}/ipa/custodia/ipa-custodia-ra-agent
%dir %{_libexecdir}/ipa/oddjob
%attr(0755,root,root) %{_libexecdir}/ipa/oddjob/org.freeipa.server.conncheck
%attr(0755,root,root) %{_libexecdir}/ipa/oddjob/org.freeipa.server.config-enable-sid
%attr(0755,root,root) %{_libexecdir}/ipa/oddjob/org.freeipa.server.trust-enable-agent
%attr(0755,root,root) %{_libexecdir}/ipa/oddjob/org.freeipa.server.config-enable-sid
%config(noreplace) %{_sysconfdir}/dbus-1/system.d/org.freeipa.server.conf
%config(noreplace) %{_sysconfdir}/oddjobd.conf.d/ipa-server.conf
%dir %{_libexecdir}/ipa/certmonger
@ -1706,6 +1716,9 @@ fi
%endif
%changelog
* Wed Apr 27 2022 Alexander Bokovoy <abokovoy@redhat.com> - 4.9.9-1
- Upstream release FreeIPA 4.9.9
* Mon Feb 07 2022 Alexander Bokovoy <abokovoy@redhat.com> - 4.9.8-3
- Use -H option for OpenLDAP client tools as -h and -p are deprecated now
- Resolves: rhbz#2050921
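Review bot: The `ipa_requires_gt` macro in the first hunk of the spec section (used as `%ipa_requires_gt samba-client-libs` in the hunk after `Requires: cracklib-dicts`) derives the version floor from whatever samba-client-libs happens to be installed in the build root, and `xargs -r` together with `grep -v "is not"` make it expand to nothing, without failing the build, when the package is absent or `rpm -q` errors out — so the built package can silently lack the NDR version pin the adjacent comment says is needed. The macro looks new in this commit, but that is inferred from the hunk's line counts rather than an explicit add marker. A comment above the definition would make that contract visible: `# Expands to "Requires: <pkg> >= <EVR installed in the build root>"; expands to nothing (no error) when <pkg> is not installed`. Checking the generated Requires of the built RPM (`rpm -qpR`) for the samba-client-libs pin is the practical safeguard, since nothing in the visible hunks guarantees the package is in the build root.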


@ -1,2 +1,2 @@
SHA512 (freeipa-4.9.8.tar.gz) = 2fc27c5eb6f3fd0ed8cdba7668f72da3c5a84ec089159bd1dfde44b1d4abefb1280a18d559979b2167ba942facbf33e6d80fa32ee1af2b6881ecdf9162b6b32e
SHA512 (freeipa-4.9.8.tar.gz.asc) = 40a72f993c599c78d21ba6c1352eef1b48f91d31805d351fef0f18b978c42624788f6ed72b1c4c0fc11e7525c8072e99e197987f3315761905c4c9dc52abbbc0
SHA512 (freeipa-4.9.9.tar.gz) = 835184417a30e3b5563aef67df07deacdbbac5fa62f92bfc0dc6488ee10278e982900b3efc68496c65a684e522b475f1d423c7df0bef8207e35cc5d070bbbb77
SHA512 (freeipa-4.9.9.tar.gz.asc) = eeb28faa86130a0e3309300cc52f14b4ad81c391ae0f32c720595e1985a750322db68b34849452a1fe7e7d1a70830e68560d3a0817287fdc78dff1bf1d205ff2