import ipa-4.7.90.pre1-3.module+el8.1.0+3396+9683e56e
This commit is contained in:
commit
f4088435db
1
.gitignore
vendored
Normal file
1
.gitignore
vendored
Normal file
@ -0,0 +1 @@
|
|||||||
|
SOURCES/freeipa-4.7.90.pre1.tar.gz
|
1
.ipa.metadata
Normal file
1
.ipa.metadata
Normal file
@ -0,0 +1 @@
|
|||||||
|
a61a3e7f174a021934368252c4773da6238de820 SOURCES/freeipa-4.7.90.pre1.tar.gz
|
@ -0,0 +1,30 @@
|
|||||||
|
From 486ba017ceab1fb240f2fc48fea6169bc8c97319 Mon Sep 17 00:00:00 2001
|
||||||
|
From: Adam Williamson <awilliam@redhat.com>
|
||||||
|
Date: Wed, 1 May 2019 16:19:53 -0700
|
||||||
|
Subject: [PATCH] Correct default fontawesome path (broken by da2cf1c5)
|
||||||
|
|
||||||
|
On Fedora/RHEL, it does not have a dash in it. The changes in
|
||||||
|
da2cf1c5 inadvertently added a dash to the path in the 'base'
|
||||||
|
paths definition (used on Fedora/RHEL), so the font wasn't found.
|
||||||
|
|
||||||
|
Signed-off-by: Adam Williamson <awilliam@redhat.com>
|
||||||
|
---
|
||||||
|
ipaplatform/base/paths.py | 2 +-
|
||||||
|
1 file changed, 1 insertion(+), 1 deletion(-)
|
||||||
|
|
||||||
|
diff --git a/ipaplatform/base/paths.py b/ipaplatform/base/paths.py
|
||||||
|
index 1cd2591bc..e1d396690 100644
|
||||||
|
--- a/ipaplatform/base/paths.py
|
||||||
|
+++ b/ipaplatform/base/paths.py
|
||||||
|
@@ -249,7 +249,7 @@ class BasePathNamespace:
|
||||||
|
USERADD = "/usr/sbin/useradd"
|
||||||
|
FONTS_DIR = "/usr/share/fonts"
|
||||||
|
FONTS_OPENSANS_DIR = "/usr/share/fonts/open-sans"
|
||||||
|
- FONTS_FONTAWESOME_DIR = "/usr/share/fonts/font-awesome"
|
||||||
|
+ FONTS_FONTAWESOME_DIR = "/usr/share/fonts/fontawesome"
|
||||||
|
USR_SHARE_IPA_DIR = "/usr/share/ipa/"
|
||||||
|
USR_SHARE_IPA_CLIENT_DIR = "/usr/share/ipa/client"
|
||||||
|
CA_TOPOLOGY_ULDIF = "/usr/share/ipa/ca-topology.uldif"
|
||||||
|
--
|
||||||
|
2.21.0
|
||||||
|
|
@ -0,0 +1,32 @@
|
|||||||
|
From b3378c32603e83ea3d4651cee3af99e644a30457 Mon Sep 17 00:00:00 2001
|
||||||
|
From: Rob Crittenden <rcritten@redhat.com>
|
||||||
|
Date: Fri, 20 Jul 2018 11:06:55 -0400
|
||||||
|
Subject: [PATCH] No need to call rhel-specific domainname service
|
||||||
|
|
||||||
|
It was moved upstream into hostname package which named it
|
||||||
|
nis-domainname. When it was in the initscripts package there were
|
||||||
|
separate fedora-domainname and rhel-domainname services.
|
||||||
|
|
||||||
|
From F29+ it will be nis-domainname. We can use that as well in
|
||||||
|
RHEL 8.
|
||||||
|
---
|
||||||
|
ipaplatform/rhel/services.py | 3 ---
|
||||||
|
1 file changed, 3 deletions(-)
|
||||||
|
|
||||||
|
diff --git a/ipaplatform/rhel/services.py b/ipaplatform/rhel/services.py
|
||||||
|
index 1403d08..06fa633 100644
|
||||||
|
--- a/ipaplatform/rhel/services.py
|
||||||
|
+++ b/ipaplatform/rhel/services.py
|
||||||
|
@@ -30,9 +30,6 @@ from ipaplatform.redhat import services as redhat_services
|
||||||
|
# to their actual systemd service names
|
||||||
|
rhel_system_units = redhat_services.redhat_system_units
|
||||||
|
|
||||||
|
-# Service that sets domainname on RHEL is called rhel-domainname.service
|
||||||
|
-rhel_system_units['domainname'] = 'rhel-domainname.service'
|
||||||
|
-
|
||||||
|
|
||||||
|
# Service classes that implement RHEL-specific behaviour
|
||||||
|
|
||||||
|
--
|
||||||
|
2.13.6
|
||||||
|
|
136
SOURCES/0001-revert-minssf-defaults.patch
Normal file
136
SOURCES/0001-revert-minssf-defaults.patch
Normal file
@ -0,0 +1,136 @@
|
|||||||
|
From 8177734d3b6c141c251c74ee29d223a7d414ab13 Mon Sep 17 00:00:00 2001
|
||||||
|
From: Alexander Bokovoy <abokovoy@redhat.com>
|
||||||
|
Date: Wed, 1 May 2019 21:25:31 +0300
|
||||||
|
Subject: [PATCH] Revert "Require a minimum SASL security factor of 56"
|
||||||
|
|
||||||
|
This reverts commit 350954589774499d99bf87cb5631c664bb0707c4.
|
||||||
|
---
|
||||||
|
install/share/Makefile.am | 1 -
|
||||||
|
install/share/min-ssf.ldif | 14 --------------
|
||||||
|
ipalib/constants.py | 3 ---
|
||||||
|
ipapython/ipaldap.py | 17 ++---------------
|
||||||
|
ipaserver/install/dsinstance.py | 5 -----
|
||||||
|
5 files changed, 2 insertions(+), 38 deletions(-)
|
||||||
|
delete mode 100644 install/share/min-ssf.ldif
|
||||||
|
|
||||||
|
diff --git a/install/share/Makefile.am b/install/share/Makefile.am
|
||||||
|
index be83bdf75..8d039d95c 100644
|
||||||
|
--- a/install/share/Makefile.am
|
||||||
|
+++ b/install/share/Makefile.am
|
||||||
|
@@ -94,7 +94,6 @@ dist_app_DATA = \
|
||||||
|
ipa-kdc-proxy.conf.template \
|
||||||
|
ipa-pki-proxy.conf.template \
|
||||||
|
ipa-rewrite.conf.template \
|
||||||
|
- min-ssf.ldif \
|
||||||
|
ipaca_default.ini \
|
||||||
|
ipaca_customize.ini \
|
||||||
|
ipaca_softhsm2.ini \
|
||||||
|
diff --git a/install/share/min-ssf.ldif b/install/share/min-ssf.ldif
|
||||||
|
deleted file mode 100644
|
||||||
|
index 1c2566f84..000000000
|
||||||
|
--- a/install/share/min-ssf.ldif
|
||||||
|
+++ /dev/null
|
||||||
|
@@ -1,14 +0,0 @@
|
||||||
|
-# config
|
||||||
|
-# pretend SSF for LDAPI connections
|
||||||
|
-# nsslapd-localssf must be equal to or greater than nsslapd-minssf
|
||||||
|
-dn: cn=config
|
||||||
|
-changetype: modify
|
||||||
|
-replace: nsslapd-localssf
|
||||||
|
-nsslapd-localssf: 256
|
||||||
|
-
|
||||||
|
-# minimum security strength factor for SASL and TLS
|
||||||
|
-# 56 is considered weak, but some old clients announce wrong SSF.
|
||||||
|
-dn: cn=config
|
||||||
|
-changetype: modify
|
||||||
|
-replace: nsslapd-minssf
|
||||||
|
-nsslapd-minssf: 56
|
||||||
|
diff --git a/ipalib/constants.py b/ipalib/constants.py
|
||||||
|
index bcf6f3373..c22dd26ae 100644
|
||||||
|
--- a/ipalib/constants.py
|
||||||
|
+++ b/ipalib/constants.py
|
||||||
|
@@ -311,9 +311,6 @@ TLS_VERSIONS = [
|
||||||
|
]
|
||||||
|
TLS_VERSION_MINIMAL = "tls1.0"
|
||||||
|
|
||||||
|
-# minimum SASL secure strength factor for LDAP connections
|
||||||
|
-# 56 provides backwards compatibility with old libraries.
|
||||||
|
-LDAP_SSF_MIN_THRESHOLD = 56
|
||||||
|
|
||||||
|
# Use cache path
|
||||||
|
USER_CACHE_PATH = (
|
||||||
|
diff --git a/ipapython/ipaldap.py b/ipapython/ipaldap.py
|
||||||
|
index d9d67be1d..9ff443fe4 100644
|
||||||
|
--- a/ipapython/ipaldap.py
|
||||||
|
+++ b/ipapython/ipaldap.py
|
||||||
|
@@ -43,9 +43,7 @@ import six
|
||||||
|
|
||||||
|
# pylint: disable=ipa-forbidden-import
|
||||||
|
from ipalib import errors, x509, _
|
||||||
|
-from ipalib.constants import (
|
||||||
|
- LDAP_GENERALIZED_TIME_FORMAT, LDAP_SSF_MIN_THRESHOLD
|
||||||
|
-)
|
||||||
|
+from ipalib.constants import LDAP_GENERALIZED_TIME_FORMAT
|
||||||
|
# pylint: enable=ipa-forbidden-import
|
||||||
|
from ipaplatform.paths import paths
|
||||||
|
from ipapython.ipautil import format_netloc, CIDict
|
||||||
|
@@ -105,8 +103,7 @@ def realm_to_ldapi_uri(realm_name):
|
||||||
|
return 'ldapi://' + ldapurl.ldapUrlEscape(socketname)
|
||||||
|
|
||||||
|
|
||||||
|
-def ldap_initialize(uri, cacertfile=None,
|
||||||
|
- ssf_min_threshold=LDAP_SSF_MIN_THRESHOLD):
|
||||||
|
+def ldap_initialize(uri, cacertfile=None):
|
||||||
|
"""Wrapper around ldap.initialize()
|
||||||
|
|
||||||
|
The function undoes global and local ldap.conf settings that may cause
|
||||||
|
@@ -117,10 +114,6 @@ def ldap_initialize(uri, cacertfile=None,
|
||||||
|
locations, also known as system-wide trust store.
|
||||||
|
* Cert validation is enforced.
|
||||||
|
* SSLv2 and SSLv3 are disabled.
|
||||||
|
- * Require a minimum SASL security factor of 56. That level ensures
|
||||||
|
- data integrity and confidentiality. Although at least AES128 is
|
||||||
|
- enforced pretty much everywhere, 56 is required for backwards
|
||||||
|
- compatibility with systems that announce wrong SSF.
|
||||||
|
"""
|
||||||
|
conn = ldap.initialize(uri)
|
||||||
|
|
||||||
|
@@ -128,12 +121,6 @@ def ldap_initialize(uri, cacertfile=None,
|
||||||
|
conn.set_option(ldap.OPT_X_SASL_NOCANON, ldap.OPT_ON)
|
||||||
|
|
||||||
|
if not uri.startswith('ldapi://'):
|
||||||
|
- # require a minimum SSF for TCP connections, but don't lower SSF_MIN
|
||||||
|
- # if the current value is already larger.
|
||||||
|
- cur_min_ssf = conn.get_option(ldap.OPT_X_SASL_SSF_MIN)
|
||||||
|
- if cur_min_ssf < ssf_min_threshold:
|
||||||
|
- conn.set_option(ldap.OPT_X_SASL_SSF_MIN, ssf_min_threshold)
|
||||||
|
-
|
||||||
|
if cacertfile:
|
||||||
|
if not os.path.isfile(cacertfile):
|
||||||
|
raise IOError(errno.ENOENT, cacertfile)
|
||||||
|
diff --git a/ipaserver/install/dsinstance.py b/ipaserver/install/dsinstance.py
|
||||||
|
index 8240e3043..9f05db1db 100644
|
||||||
|
--- a/ipaserver/install/dsinstance.py
|
||||||
|
+++ b/ipaserver/install/dsinstance.py
|
||||||
|
@@ -324,8 +324,6 @@ class DsInstance(service.Service):
|
||||||
|
else:
|
||||||
|
self.step("importing CA certificates from LDAP",
|
||||||
|
self.__import_ca_certs)
|
||||||
|
- # set min SSF after DS is configured for TLS
|
||||||
|
- self.step("require minimal SSF", self.__min_ssf)
|
||||||
|
self.step("restarting directory server", self.__restart_instance)
|
||||||
|
|
||||||
|
self.start_creation()
|
||||||
|
@@ -1243,9 +1241,6 @@ class DsInstance(service.Service):
|
||||||
|
dm_password=self.dm_password
|
||||||
|
)
|
||||||
|
|
||||||
|
- def __min_ssf(self):
|
||||||
|
- self._ldap_mod("min-ssf.ldif")
|
||||||
|
-
|
||||||
|
def __add_sudo_binduser(self):
|
||||||
|
self._ldap_mod("sudobind.ldif", self.sub_dict)
|
||||||
|
|
||||||
|
--
|
||||||
|
2.21.0
|
||||||
|
|
44
SOURCES/0002-upgrade-adtrust-when-no-trusts.patch
Normal file
44
SOURCES/0002-upgrade-adtrust-when-no-trusts.patch
Normal file
@ -0,0 +1,44 @@
|
|||||||
|
From 528a21996734467be193673e4f987e7e3acc3ad9 Mon Sep 17 00:00:00 2001
|
||||||
|
From: Alexander Bokovoy <abokovoy@redhat.com>
|
||||||
|
Date: Sat, 11 May 2019 11:54:40 +0300
|
||||||
|
Subject: [PATCH] upgrade: adtrust - catch empty result when retrieving list of
|
||||||
|
trusts
|
||||||
|
|
||||||
|
Upgrade failure when ipa-server-upgrade is being run on a system with no
|
||||||
|
trust established but trust configured
|
||||||
|
|
||||||
|
Fixes: https://pagure.io/freeipa/issue/7939
|
||||||
|
---
|
||||||
|
ipaserver/install/plugins/adtrust.py | 16 +++++++++++-----
|
||||||
|
1 file changed, 11 insertions(+), 5 deletions(-)
|
||||||
|
|
||||||
|
diff --git a/ipaserver/install/plugins/adtrust.py b/ipaserver/install/plugins/adtrust.py
|
||||||
|
index 6b4e2caa2..cdc3a8b04 100644
|
||||||
|
--- a/ipaserver/install/plugins/adtrust.py
|
||||||
|
+++ b/ipaserver/install/plugins/adtrust.py
|
||||||
|
@@ -609,11 +609,17 @@ class update_tdo_to_new_layout(Updater):
|
||||||
|
|
||||||
|
trusts_dn = self.api.env.container_adtrusts + self.api.env.basedn
|
||||||
|
|
||||||
|
- trusts = ldap.get_entries(
|
||||||
|
- base_dn=trusts_dn,
|
||||||
|
- scope=ldap.SCOPE_ONELEVEL,
|
||||||
|
- filter=self.trust_filter,
|
||||||
|
- attrs_list=self.trust_attrs)
|
||||||
|
+ # We might be in a situation when no trusts exist yet
|
||||||
|
+ # In such case there is nothing to upgrade but we have to catch
|
||||||
|
+ # an exception or it will abort the whole upgrade process
|
||||||
|
+ try:
|
||||||
|
+ trusts = ldap.get_entries(
|
||||||
|
+ base_dn=trusts_dn,
|
||||||
|
+ scope=ldap.SCOPE_ONELEVEL,
|
||||||
|
+ filter=self.trust_filter,
|
||||||
|
+ attrs_list=self.trust_attrs)
|
||||||
|
+ except errors.EmptyResult:
|
||||||
|
+ trusts = []
|
||||||
|
|
||||||
|
# For every trust, retrieve its principals and convert
|
||||||
|
for t_entry in trusts:
|
||||||
|
--
|
||||||
|
2.21.0
|
||||||
|
|
2748
SOURCES/1001-Change-branding-to-IPA-and-Identity-Management.patch
Normal file
2748
SOURCES/1001-Change-branding-to-IPA-and-Identity-Management.patch
Normal file
File diff suppressed because one or more lines are too long
1986
SOURCES/1002-4.7.90pre1-Remove-csrgen.patch
Normal file
1986
SOURCES/1002-4.7.90pre1-Remove-csrgen.patch
Normal file
File diff suppressed because it is too large
Load Diff
16
SOURCES/freeipa-4.7.90.pre1.tar.gz.asc
Normal file
16
SOURCES/freeipa-4.7.90.pre1.tar.gz.asc
Normal file
@ -0,0 +1,16 @@
|
|||||||
|
-----BEGIN PGP SIGNATURE-----
|
||||||
|
|
||||||
|
iQIzBAABCgAdFiEEhAodHH8+xLL+UwQ1RxniuKu/YhoFAlzHE98ACgkQRxniuKu/
|
||||||
|
YhrICw/8DE6jyt3bnUmzGiXdsV7q1KZUGSIC7GLpvbmewwpUVcXnplHiVCTjrNGI
|
||||||
|
jw/jc6y9bIlvqfYNWjAmXNGXyB3AbXweaYRAEzntOHlAmFDlwMXv/D6JL0849/9/
|
||||||
|
uRWEefIpHlw/P++WOxm+us7T9h/d6xEe1xY7vaaXVVPjRBewJqddG6ISJgWZ0DSR
|
||||||
|
41b/kgOXEvBMOU+gsKCm1fCgKU6KcfwsFq39uSxmTfhKE/578eOUkSAracOwrP2Z
|
||||||
|
RePKA4JKqw/Tttl26bgKAkAD8hxJhv6J1MYOSPKp7zssSKw1s1qiPbR6DdJGF/E0
|
||||||
|
gqiJwLynZdkkMOsWqHvUK0NDT5LmDdluHBFDle+zupBy1CAE4y1fchsUh910wbRm
|
||||||
|
LnrdtkXKUHtE+WGZianMSc1gHCB6EjipHx9iLTrcsGbjz9ziWRb6P6BLgbw2doPG
|
||||||
|
mYQVMWBNLQi3gcAjN7IX1+dRWoam+ON/M0GMi5jSplqONBFUj5xwB8LFNV5VfIAu
|
||||||
|
zJa0F5V0Qu5XbO7YFoihDcD1OF8fUyKtK+lGa0O/QazR37tl8m5mgYVjDErBx3F+
|
||||||
|
ipiB40w+qA1MsJXqdOljoldTvJZCzN+kEJu8aMdQpKcIfkJjKQsrbrh0Ck3cmRHW
|
||||||
|
vE3sApyx1p9XvoVtb6lz69B1XJu+Q+Gljlm7JSRLQ3p7GZTT7/Q=
|
||||||
|
=5N4+
|
||||||
|
-----END PGP SIGNATURE-----
|
4334
SPECS/ipa.spec
Normal file
4334
SPECS/ipa.spec
Normal file
File diff suppressed because it is too large
Load Diff
Loading…
Reference in New Issue
Block a user