FreeIPA 4.9.9

Signed-off-by: Alexander Bokovoy <abokovoy@redhat.com>
This commit is contained in:
Alexander Bokovoy 2022-04-27 17:53:56 +03:00
parent 95b29321ec
commit f256fb899c
5 changed files with 24 additions and 217 deletions

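--- a/.gitignore
+++ b/.gitignore
@@ -116,3 +116,5 @@
 /freeipa-4.9.7.tar.gz.asc
 /freeipa-4.9.8.tar.gz
 /freeipa-4.9.8.tar.gz.asc
+/freeipa-4.9.9.tar.gz
+/freeipa-4.9.9.tar.gz.asc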


@ -1,44 +0,0 @@
From f0191040616e6fe58fef5b20b7d9c284de913be7 Mon Sep 17 00:00:00 2001
From: Alexander Bokovoy <abokovoy@redhat.com>
Date: Tue, 11 Jan 2022 16:10:24 +0200
Subject: [PATCH] Support building against OpenLDAP 2.6+
OpenLDAP 2.6 deprecated separate libldap/libldap_r, there is only one
(reentrant) variant for the library.
Attempt to use _r variant by default. In case it is missing, assume we
are using OpenLDAP 2.6 which has libraries without _r suffix. The
functions are still reentrant so there is not functional difference.
Fixes: https://pagure.io/freeipa/issue/9080
Signed-off-by: Alexander Bokovoy <abokovoy@redhat.com>
Reviewed-By: Rob Crittenden <rcritten@redhat.com>
---
configure.ac | 10 +++++++---
1 file changed, 7 insertions(+), 3 deletions(-)
diff --git a/configure.ac b/configure.ac
index 1ae4dc8dd..a64b434fe 100644
--- a/configure.ac
+++ b/configure.ac
@@ -101,9 +101,13 @@ dnl ---------------------------------------------------------------------------
SAVE_CPPFLAGS=$CPPFLAGS
CPPFLAGS="$NSPR_CFLAGS $NSS_CFLAGS"
-AC_CHECK_LIB([ldap_r], [ldap_search], [ ], AC_MSG_ERROR([libldap_r not found]))
-AC_CHECK_LIB([lber], [ber_peek_tag], [ ], AC_MSG_ERROR([liblber not found]))
-LDAP_LIBS="-lldap_r -llber"
+SAVE_LIBS="$LIBS"
+LIBS=
+AC_SEARCH_LIBS([ldap_search], [ldap_r ldap], [], [AC_MSG_ERROR([libldap or libldap_r not found])])
+AC_SEARCH_LIBS([ber_peek_tag], [lber], [], [AC_MSG_ERROR([liblber not found])])
+LDAP_LIBS="$LIBS"
+LDAP_CFLAGS=""
+LIBS="$SAVE_LIBS"
LDAP_CFLAGS=""
AC_SUBST(LDAP_LIBS)
AC_SUBST(LDAP_CFLAGS)
--
2.33.1


@ -1,164 +0,0 @@
From d9f92dabda1492a4c6a95603ab7cfd66a8cc84b4 Mon Sep 17 00:00:00 2001
From: Alexander Bokovoy <abokovoy@redhat.com>
Date: Mon, 7 Feb 2022 08:42:40 +0200
Subject: [PATCH 1/2] OpenLDAP 2.6+: use only -H option to specify LDAP url
OpenLDAP 2.6+ finally deprecated -h and -p options in all its command
line tools. They are not allowed anymore and cause ldap* tools to stop
hard with 'unknown option' error.
Fix this by always using -H url option instead. Deriving default value
for -H url from the configuration file still works, it is only -h and -p
that were deprecated.
See also: https://bugs.openldap.org/show_bug.cgi?id=8618
Fixes: https://pagure.io/freeipa/issue/9106
Signed-off-by: Alexander Bokovoy <abokovoy@redhat.com>
Reviewed-By: Florence Blanc-Renaud <flo@redhat.com>
---
ipaclient/remote_plugins/2_114/sudorule.py | 4 +++-
ipaclient/remote_plugins/2_156/sudorule.py | 4 +++-
ipaclient/remote_plugins/2_164/sudorule.py | 4 +++-
ipaclient/remote_plugins/2_49/sudorule.py | 4 +++-
ipaserver/install/dsinstance.py | 2 +-
ipaserver/plugins/sudorule.py | 2 +-
ipatests/pytest_ipa/integration/tasks.py | 3 +--
7 files changed, 15 insertions(+), 8 deletions(-)
diff --git a/ipaclient/remote_plugins/2_114/sudorule.py b/ipaclient/remote_plugins/2_114/sudorule.py
index 4b020738f..48a107ff9 100644
--- a/ipaclient/remote_plugins/2_114/sudorule.py
+++ b/ipaclient/remote_plugins/2_114/sudorule.py
@@ -41,7 +41,9 @@ IPA provides a designated binddn to use with Sudo located at:
uid=sudo,cn=sysaccounts,cn=etc,dc=example,dc=com
To enable the binddn run the following command to set the password:
-LDAPTLS_CACERT=/etc/ipa/ca.crt /usr/bin/ldappasswd -S -W -h ipa.example.com -ZZ -D "cn=Directory Manager" uid=sudo,cn=sysaccounts,cn=etc,dc=example,dc=com
+LDAPTLS_CACERT=/etc/ipa/ca.crt /usr/bin/ldappasswd -S -W \\
+ -H ldap://ipa.example.com -ZZ -D "cn=Directory Manager" \\
+ uid=sudo,cn=sysaccounts,cn=etc,dc=example,dc=com
EXAMPLES:
diff --git a/ipaclient/remote_plugins/2_156/sudorule.py b/ipaclient/remote_plugins/2_156/sudorule.py
index d475e68a6..04b3a3e10 100644
--- a/ipaclient/remote_plugins/2_156/sudorule.py
+++ b/ipaclient/remote_plugins/2_156/sudorule.py
@@ -41,7 +41,9 @@ IPA provides a designated binddn to use with Sudo located at:
uid=sudo,cn=sysaccounts,cn=etc,dc=example,dc=com
To enable the binddn run the following command to set the password:
-LDAPTLS_CACERT=/etc/ipa/ca.crt /usr/bin/ldappasswd -S -W -h ipa.example.com -ZZ -D "cn=Directory Manager" uid=sudo,cn=sysaccounts,cn=etc,dc=example,dc=com
+LDAPTLS_CACERT=/etc/ipa/ca.crt /usr/bin/ldappasswd -S -W \\
+ -H ldap://ipa.example.com -ZZ -D "cn=Directory Manager" \\
+ uid=sudo,cn=sysaccounts,cn=etc,dc=example,dc=com
EXAMPLES:
diff --git a/ipaclient/remote_plugins/2_164/sudorule.py b/ipaclient/remote_plugins/2_164/sudorule.py
index d475e68a6..04b3a3e10 100644
--- a/ipaclient/remote_plugins/2_164/sudorule.py
+++ b/ipaclient/remote_plugins/2_164/sudorule.py
@@ -41,7 +41,9 @@ IPA provides a designated binddn to use with Sudo located at:
uid=sudo,cn=sysaccounts,cn=etc,dc=example,dc=com
To enable the binddn run the following command to set the password:
-LDAPTLS_CACERT=/etc/ipa/ca.crt /usr/bin/ldappasswd -S -W -h ipa.example.com -ZZ -D "cn=Directory Manager" uid=sudo,cn=sysaccounts,cn=etc,dc=example,dc=com
+LDAPTLS_CACERT=/etc/ipa/ca.crt /usr/bin/ldappasswd -S -W \\
+ -H ldap://ipa.example.com -ZZ -D "cn=Directory Manager" \\
+ uid=sudo,cn=sysaccounts,cn=etc,dc=example,dc=com
EXAMPLES:
diff --git a/ipaclient/remote_plugins/2_49/sudorule.py b/ipaclient/remote_plugins/2_49/sudorule.py
index 912a0b1ef..44f8ae7fe 100644
--- a/ipaclient/remote_plugins/2_49/sudorule.py
+++ b/ipaclient/remote_plugins/2_49/sudorule.py
@@ -41,7 +41,9 @@ IPA provides a designated binddn to use with Sudo located at:
uid=sudo,cn=sysaccounts,cn=etc,dc=example,dc=com
To enable the binddn run the following command to set the password:
-LDAPTLS_CACERT=/etc/ipa/ca.crt /usr/bin/ldappasswd -S -W -h ipa.example.com -ZZ -D "cn=Directory Manager" uid=sudo,cn=sysaccounts,cn=etc,dc=example,dc=com
+LDAPTLS_CACERT=/etc/ipa/ca.crt /usr/bin/ldappasswd -S -W \\
+ -H ldap://ipa.example.com -ZZ -D "cn=Directory Manager" \\
+ uid=sudo,cn=sysaccounts,cn=etc,dc=example,dc=com
For more information, see the IPA Documentation to Sudo.
""")
diff --git a/ipaserver/install/dsinstance.py b/ipaserver/install/dsinstance.py
index ac9e131bb..04d26452d 100644
--- a/ipaserver/install/dsinstance.py
+++ b/ipaserver/install/dsinstance.py
@@ -1040,7 +1040,7 @@ class DsInstance(service.Service):
admpwdfile.write(password)
admpwdfile.flush()
- args = [paths.LDAPPASSWD, "-h", self.fqdn,
+ args = [paths.LDAPPASSWD, "-H", "ldap://{}".format(self.fqdn),
"-ZZ", "-x", "-D", str(DN(('cn', 'Directory Manager'))),
"-y", dmpwdfile.name, "-T", admpwdfile.name,
str(DN(('uid', 'admin'), ('cn', 'users'), ('cn', 'accounts'), self.suffix))]
diff --git a/ipaserver/plugins/sudorule.py b/ipaserver/plugins/sudorule.py
index 688065715..8528b6328 100644
--- a/ipaserver/plugins/sudorule.py
+++ b/ipaserver/plugins/sudorule.py
@@ -66,7 +66,7 @@ uid=sudo,cn=sysaccounts,cn=etc,dc=example,dc=com
""") + _("""
To enable the binddn run the following command to set the password:
LDAPTLS_CACERT=/etc/ipa/ca.crt /usr/bin/ldappasswd -S -W \
--h ipa.example.com -ZZ -D "cn=Directory Manager" \
+-H ldap://ipa.example.com -ZZ -D "cn=Directory Manager" \
uid=sudo,cn=sysaccounts,cn=etc,dc=example,dc=com
""") + _("""
EXAMPLES:
diff --git a/ipatests/pytest_ipa/integration/tasks.py b/ipatests/pytest_ipa/integration/tasks.py
index 836d140d4..7e1b7c24d 100755
--- a/ipatests/pytest_ipa/integration/tasks.py
+++ b/ipatests/pytest_ipa/integration/tasks.py
@@ -2086,8 +2086,7 @@ def ldapsearch_dm(host, base, ldap_args, scope='sub', **kwargs):
args = [
'ldapsearch',
'-x', '-ZZ',
- '-h', host.hostname,
- '-p', '389',
+ '-H', "ldap://{}".format(host.hostname),
'-D', str(host.config.dirman_dn),
'-w', host.config.dirman_password,
'-s', scope,
--
2.34.1
From fd5b2a3748c187df67c61b35f28d2e57c1298e32 Mon Sep 17 00:00:00 2001
From: Alexander Bokovoy <abokovoy@redhat.com>
Date: Mon, 7 Feb 2022 08:45:52 +0200
Subject: [PATCH 2/2] pylint: workaround incorrect pylint detection of a local
function
pylint 2.9 thinks that __add_principal is a class-level method that is
unused. It is a local function inside one of class methods and is used
directly inside that method.
Signed-off-by: Alexander Bokovoy <abokovoy@redhat.com>
Reviewed-By: Florence Blanc-Renaud <flo@redhat.com>
---
ipaserver/install/dsinstance.py | 1 +
1 file changed, 1 insertion(+)
diff --git a/ipaserver/install/dsinstance.py b/ipaserver/install/dsinstance.py
index 04d26452d..57fc4870f 100644
--- a/ipaserver/install/dsinstance.py
+++ b/ipaserver/install/dsinstance.py
@@ -993,6 +993,7 @@ class DsInstance(service.Service):
def __setup_s4u2proxy(self):
+ # pylint: disable=unused-private-member
def __add_principal(last_cn, principal, self):
dn = DN(('cn', last_cn), ('cn', 's4u2proxy'),
('cn', 'etc'), self.suffix)
--
2.34.1


@ -1,3 +1,5 @@
%define ipa_requires_gt() %(LC_ALL="C" echo '%*' | xargs -r rpm -q --qf 'Requires: %%{name} >= %%{epoch}:%%{version}-%%{release}\\n' | sed -e 's/ (none):/ /' -e 's/ 0:/ /' | grep -v "is not")
# ipatests enabled by default, can be disabled with --without ipatests # ipatests enabled by default, can be disabled with --without ipatests
%bcond_without ipatests %bcond_without ipatests
# default to not use XML-RPC in Rawhide, can be turned around with --with ipa_join_xml # default to not use XML-RPC in Rawhide, can be turned around with --with ipa_join_xml
@ -183,7 +185,7 @@
# Work-around fact that RPM SPEC parser does not accept # Work-around fact that RPM SPEC parser does not accept
# "Version: @VERSION@" in freeipa.spec.in used for Autoconf string replacement # "Version: @VERSION@" in freeipa.spec.in used for Autoconf string replacement
%define IPA_VERSION 4.9.8 %define IPA_VERSION 4.9.9
# Release candidate version -- uncomment with one percent for RC versions # Release candidate version -- uncomment with one percent for RC versions
#%%global rc_version %%nil #%%global rc_version %%nil
%define AT_SIGN @ %define AT_SIGN @
@ -196,7 +198,7 @@
Name: %{package_name} Name: %{package_name}
Version: %{IPA_VERSION} Version: %{IPA_VERSION}
Release: 3%{?rc_version:.%rc_version}%{?dist} Release: 1%{?rc_version:.%rc_version}%{?dist}
Summary: The Identity, Policy and Audit system Summary: The Identity, Policy and Audit system
License: GPLv3+ License: GPLv3+
@ -207,9 +209,6 @@ Source0: https://releases.pagure.org/freeipa/freeipa-%{version}%{?rc_vers
Source1: https://releases.pagure.org/freeipa/freeipa-%{version}%{?rc_version}.tar.gz.asc Source1: https://releases.pagure.org/freeipa/freeipa-%{version}%{?rc_version}.tar.gz.asc
%endif %endif
Patch0001: freeipa-openldap-2.6.patch
Patch0002: freeipa-openldap-updates.patch
# RHEL spec file only: START: Change branding to IPA and Identity Management # RHEL spec file only: START: Change branding to IPA and Identity Management
# Moved branding logos and background to redhat-logos-ipa-80.4: # Moved branding logos and background to redhat-logos-ipa-80.4:
# header-logo.png, login-screen-background.jpg, login-screen-logo.png, # header-logo.png, login-screen-background.jpg, login-screen-logo.png,
@ -471,6 +470,8 @@ Requires: gssproxy >= 0.7.0-2
Requires: sssd-dbus >= %{sssd_version} Requires: sssd-dbus >= %{sssd_version}
Requires: libpwquality Requires: libpwquality
Requires: cracklib-dicts Requires: cracklib-dicts
# NDR libraries are internal in Samba and change with version without changing SONAME
%ipa_requires_gt samba-client-libs
Provides: %{alt_name}-server = %{version} Provides: %{alt_name}-server = %{version}
Conflicts: %{alt_name}-server Conflicts: %{alt_name}-server
@ -570,9 +571,11 @@ Requires: %{name}-server = %{version}-%{release}
Requires: bind-dyndb-ldap >= 11.2-2 Requires: bind-dyndb-ldap >= 11.2-2
Requires: bind >= %{bind_version} Requires: bind >= %{bind_version}
Requires: bind-utils >= %{bind_version} Requires: bind-utils >= %{bind_version}
# bind-dnssec-utils is required by the OpenDNSSec integration
# https://pagure.io/freeipa/issue/9026
Requires: bind-dnssec-utils >= %{bind_version}
%if %{with bind_pkcs11} %if %{with bind_pkcs11}
Requires: bind-pkcs11 >= %{bind_version} Requires: bind-pkcs11 >= %{bind_version}
Requires: bind-pkcs11-utils >= %{bind_version}
%else %else
Requires: softhsm >= %{softhsm_version} Requires: softhsm >= %{softhsm_version}
Requires: openssl-pkcs11 >= %{openssl_pkcs11_version} Requires: openssl-pkcs11 >= %{openssl_pkcs11_version}
@ -687,6 +690,12 @@ Provides: %{name}-admintools = %{version}-%{release}
Conflicts: crypto-policies < 20200629-1 Conflicts: crypto-policies < 20200629-1
%endif %endif
%if 0%{?rhel} == 9
# Conflict with crypto-policies < 20220223-1 to get upgraded AD-SUPPORT and
# AD-SUPPORT-LEGACY policy modules
Conflicts: crypto-policies < 20220223-1
%endif
%description client %description client
IPA is an integrated solution to provide centrally managed Identity (users, IPA is an integrated solution to provide centrally managed Identity (users,
hosts, services), Authentication (SSO, 2FA), and Authorization hosts, services), Authentication (SSO, 2FA), and Authorization
@ -1228,6 +1237,7 @@ if [ $1 -gt 1 ] ; then
%{__python3} -c 'from ipaclient.install.client import configure_krb5_snippet; configure_krb5_snippet()' >>/var/log/ipaupgrade.log 2>&1 %{__python3} -c 'from ipaclient.install.client import configure_krb5_snippet; configure_krb5_snippet()' >>/var/log/ipaupgrade.log 2>&1
%{__python3} -c 'from ipaclient.install.client import update_ipa_nssdb; update_ipa_nssdb()' >>/var/log/ipaupgrade.log 2>&1 %{__python3} -c 'from ipaclient.install.client import update_ipa_nssdb; update_ipa_nssdb()' >>/var/log/ipaupgrade.log 2>&1
chmod 0600 /var/log/ipaupgrade.log
SSH_CLIENT_SYSTEM_CONF="/etc/ssh/ssh_config" SSH_CLIENT_SYSTEM_CONF="/etc/ssh/ssh_config"
if [ -f "$SSH_CLIENT_SYSTEM_CONF" ]; then if [ -f "$SSH_CLIENT_SYSTEM_CONF" ]; then
sed -E --in-place=.orig 's/^(HostKeyAlgorithms ssh-rsa,ssh-dss)$/# disabled by ipa-client update\n# \1/' "$SSH_CLIENT_SYSTEM_CONF" sed -E --in-place=.orig 's/^(HostKeyAlgorithms ssh-rsa,ssh-dss)$/# disabled by ipa-client update\n# \1/' "$SSH_CLIENT_SYSTEM_CONF"
@ -1375,8 +1385,8 @@ fi
%attr(755,root,root) %{_libexecdir}/ipa/custodia/ipa-custodia-ra-agent %attr(755,root,root) %{_libexecdir}/ipa/custodia/ipa-custodia-ra-agent
%dir %{_libexecdir}/ipa/oddjob %dir %{_libexecdir}/ipa/oddjob
%attr(0755,root,root) %{_libexecdir}/ipa/oddjob/org.freeipa.server.conncheck %attr(0755,root,root) %{_libexecdir}/ipa/oddjob/org.freeipa.server.conncheck
%attr(0755,root,root) %{_libexecdir}/ipa/oddjob/org.freeipa.server.config-enable-sid
%attr(0755,root,root) %{_libexecdir}/ipa/oddjob/org.freeipa.server.trust-enable-agent %attr(0755,root,root) %{_libexecdir}/ipa/oddjob/org.freeipa.server.trust-enable-agent
%attr(0755,root,root) %{_libexecdir}/ipa/oddjob/org.freeipa.server.config-enable-sid
%config(noreplace) %{_sysconfdir}/dbus-1/system.d/org.freeipa.server.conf %config(noreplace) %{_sysconfdir}/dbus-1/system.d/org.freeipa.server.conf
%config(noreplace) %{_sysconfdir}/oddjobd.conf.d/ipa-server.conf %config(noreplace) %{_sysconfdir}/oddjobd.conf.d/ipa-server.conf
%dir %{_libexecdir}/ipa/certmonger %dir %{_libexecdir}/ipa/certmonger
@ -1706,6 +1716,9 @@ fi
%endif %endif
%changelog %changelog
* Wed Apr 27 2022 Alexander Bokovoy <abokovoy@redhat.com> - 4.9.9-1
- Upstream release FreeIPA 4.9.9
* Mon Feb 07 2022 Alexander Bokovoy <abokovoy@redhat.com> - 4.9.8-3 * Mon Feb 07 2022 Alexander Bokovoy <abokovoy@redhat.com> - 4.9.8-3
- Use -H option for OpenLDAP client tools as -h and -p are deprecated now - Use -H option for OpenLDAP client tools as -h and -p are deprecated now
- Resolves: rhbz#2050921 - Resolves: rhbz#2050921
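Review bot: The added `chmod 0600 /var/log/ipaupgrade.log` in the client upgrade scriptlet runs only after the two `%{__python3} ... >>/var/log/ipaupgrade.log` redirects above it, so on a host where the log does not yet exist the redirect creates it with umask-default permissions and whatever those commands already logged is readable by other users until the chmod runs. Tightening the mode before the first write closes that window: put `touch /var/log/ipaupgrade.log && chmod 0600 /var/log/ipaupgrade.log` ahead of the first `%{__python3}` line and drop the trailing chmod. The scriptlet (`if [ $1 -gt 1 ] ; then` in the hunk header) starts before this hunk, so if earlier lines redirect into the same file the tightening should move ahead of those as well; I cannot see them from here.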


@ -1,2 +1,2 @@
SHA512 (freeipa-4.9.8.tar.gz) = 2fc27c5eb6f3fd0ed8cdba7668f72da3c5a84ec089159bd1dfde44b1d4abefb1280a18d559979b2167ba942facbf33e6d80fa32ee1af2b6881ecdf9162b6b32e SHA512 (freeipa-4.9.9.tar.gz) = 835184417a30e3b5563aef67df07deacdbbac5fa62f92bfc0dc6488ee10278e982900b3efc68496c65a684e522b475f1d423c7df0bef8207e35cc5d070bbbb77
SHA512 (freeipa-4.9.8.tar.gz.asc) = 40a72f993c599c78d21ba6c1352eef1b48f91d31805d351fef0f18b978c42624788f6ed72b1c4c0fc11e7525c8072e99e197987f3315761905c4c9dc52abbbc0 SHA512 (freeipa-4.9.9.tar.gz.asc) = eeb28faa86130a0e3309300cc52f14b4ad81c391ae0f32c720595e1985a750322db68b34849452a1fe7e7d1a70830e68560d3a0817287fdc78dff1bf1d205ff2