The Identity, Policy and Audit system
CentOS Sources
2017-04-12 76b7d5fe670b99aad856addbf8c290bcca980584
import ipa-4.4.0-14.el7_3.7
2 files added
1 files deleted
2 files renamed
1 files modified
246 ■■■■ changed files
SOURCES/0157-Do-not-configure-PKI-ajp-redirection-to-use-1.patch 12 ●●●●● patch | view | raw | blame | history
SOURCES/0158-added-ssl-verification-using-IPA-trust-anchor.patch 27 ●●●●● patch | view | raw | blame | history
SOURCES/0159-ca-correctly-authorise-ca-del-ca-enable-and-ca-disab.patch 6 ●●●● patch | view | raw | blame | history
SOURCES/0160-compat-fix-Any-params-in-batch-and-dnsrecord.patch 129 ●●●●● patch | view | raw | blame | history
SOURCES/ipa-centos-branding.patch 38 ●●●●● patch | view | raw | blame | history
SPECS/ipa.spec 34 ●●●●● patch | view | raw | blame | history
SOURCES/0157-Do-not-configure-PKI-ajp-redirection-to-use-1.patch
File was renamed from SOURCES/1012-Do-not-configure-PKI-ajp-redirection-to-use-1.patch
@@ -1,15 +1,15 @@
From 1de12ed5ec503708454e76227d646e4bd63802f7 Mon Sep 17 00:00:00 2001
From 036d6fbf3d2af9f805f28f03679afc6ae1c25282 Mon Sep 17 00:00:00 2001
From: Florence Blanc-Renaud <flo@redhat.com>
Date: Thu, 12 Jan 2017 18:17:15 +0100
Date: Fri, 17 Feb 2017 15:59:57 +0100
Subject: [PATCH] Do not configure PKI ajp redirection to use "::1"
When ipa-server-install configures PKI, it provides a configuration file
with the parameter pki_ajp_host set to ::1. This parameter is used to configure
Tomcat redirection in /etc/pki/pki-tomcat/server.xml:
    <Connector port="8009"
            protocol="AJP/1.3"
            redirectPort="8443"
            address="::1" />
        protocol="AJP/1.3"
        redirectPort="8443"
        address="::1" />
ie all requests to port 8009 are redirected to port 8443 on address ::1.
If the /etc/hosts config file does not define ::1 for localhost, then AJP
@@ -19,6 +19,8 @@
Since PKI has been fixed (see PKI ticket 2570) to configure by default the AJP
redirection with "localhost", FreeIPA does not need any more to override
this setting.
The code now depends on pki 10.3.5-11 which provides the fix in the template
and the upgrade.
https://fedorahosted.org/freeipa/ticket/6575
SOURCES/0158-added-ssl-verification-using-IPA-trust-anchor.patch
New file
@@ -0,0 +1,27 @@
From c9e05427f20f79a8304a9874ae6793a0b5f54987 Mon Sep 17 00:00:00 2001
From: Thorsten Scherf <tscherf@redhat.com>
Date: Fri, 24 Feb 2017 11:53:46 +0100
Subject: [PATCH] added ssl verification using IPA trust anchor
https://fedorahosted.org/freeipa/ticket/6686
Reviewed-By: Christian Heimes <cheimes@redhat.com>
---
 ipapython/secrets/client.py | 1 +
 1 file changed, 1 insertion(+)
diff --git a/ipapython/secrets/client.py b/ipapython/secrets/client.py
index d9cc7d0f5b066dfd8efba480feb5f271ed1ebe83..f2f14af694df4468b3eedaac0fc762787b62e623 100644
--- a/ipapython/secrets/client.py
+++ b/ipapython/secrets/client.py
@@ -94,6 +94,7 @@ class CustodiaClient(object):
         # Perform request
         r = requests.get(url, headers=headers,
+                         verify=paths.IPA_CA_CRT,
                          params={'type': 'kem', 'value': request})
         r.raise_for_status()
         reply = r.json()
--
2.9.3
SOURCES/0159-ca-correctly-authorise-ca-del-ca-enable-and-ca-disab.patch
File was renamed from SOURCES/1011-ca-correctly-authorise-ca-del-ca-enable-and-ca-disab.patch
@@ -1,4 +1,4 @@
From e4cee2aa50396b18713092ba7f4a9b4f232a3ea0 Mon Sep 17 00:00:00 2001
From 61156c5157ec3f8982f4f6efdbf8dfa281cb5a11 Mon Sep 17 00:00:00 2001
From: Fraser Tweedale <ftweedal@redhat.com>
Date: Fri, 13 Jan 2017 20:33:45 +1000
Subject: [PATCH] ca: correctly authorise ca-del, ca-enable and ca-disable
@@ -16,6 +16,10 @@
Add the proper authorisation checks to the ca-del, ca-enable and
ca-disable commands.
https://pagure.io/freeipa/issue/6713
Reviewed-By: Jan Cholasta <jcholast@redhat.com>
---
 ipaserver/plugins/ca.py | 6 ++++++
 1 file changed, 6 insertions(+)
SOURCES/0160-compat-fix-Any-params-in-batch-and-dnsrecord.patch
New file
@@ -0,0 +1,129 @@
From e5311fbfd5ad83671c61473d7acf4ddaf157e994 Mon Sep 17 00:00:00 2001
From: Jan Cholasta <jcholast@redhat.com>
Date: Thu, 23 Feb 2017 13:04:19 +0000
Subject: [PATCH] compat: fix `Any` params in `batch` and `dnsrecord`
The `methods` argument of `batch` and `dnsrecords` attribute of `dnsrecord`
were incorrectly defined as `Str` instead of `Any`.
https://fedorahosted.org/freeipa/ticket/6647
Reviewed-By: Martin Basti <mbasti@redhat.com>
---
 ipaclient/remote_plugins/2_114/batch.py | 2 +-
 ipaclient/remote_plugins/2_114/dns.py   | 2 +-
 ipaclient/remote_plugins/2_156/batch.py | 2 +-
 ipaclient/remote_plugins/2_156/dns.py   | 2 +-
 ipaclient/remote_plugins/2_164/batch.py | 2 +-
 ipaclient/remote_plugins/2_164/dns.py   | 2 +-
 ipaclient/remote_plugins/2_49/batch.py  | 2 +-
 ipaclient/remote_plugins/2_49/dns.py    | 2 +-
 8 files changed, 8 insertions(+), 8 deletions(-)
diff --git a/ipaclient/remote_plugins/2_114/batch.py b/ipaclient/remote_plugins/2_114/batch.py
index 4a613b677bedda447a07d3d0bdc10d38762ccc61..2709e5907f18f254f7e605beff9a7f3c9a2ae18d 100644
--- a/ipaclient/remote_plugins/2_114/batch.py
+++ b/ipaclient/remote_plugins/2_114/batch.py
@@ -50,7 +50,7 @@ class batch(Command):
     NO_CLI = True
     takes_args = (
-        parameters.Str(
+        parameters.Any(
             'methods',
             required=False,
             multivalue=True,
diff --git a/ipaclient/remote_plugins/2_114/dns.py b/ipaclient/remote_plugins/2_114/dns.py
index 5d91dbcb37fcb42cb67ab76a1871fd3df6217cf8..acb8a658204fb18b088766f947f82839f053cbf3 100644
--- a/ipaclient/remote_plugins/2_114/dns.py
+++ b/ipaclient/remote_plugins/2_114/dns.py
@@ -326,7 +326,7 @@ class dnsrecord(Object):
             'dnsclass',
             required=False,
         ),
-        parameters.Str(
+        parameters.Any(
             'dnsrecords',
             required=False,
             label=_(u'Records'),
diff --git a/ipaclient/remote_plugins/2_156/batch.py b/ipaclient/remote_plugins/2_156/batch.py
index 4a613b677bedda447a07d3d0bdc10d38762ccc61..2709e5907f18f254f7e605beff9a7f3c9a2ae18d 100644
--- a/ipaclient/remote_plugins/2_156/batch.py
+++ b/ipaclient/remote_plugins/2_156/batch.py
@@ -50,7 +50,7 @@ class batch(Command):
     NO_CLI = True
     takes_args = (
-        parameters.Str(
+        parameters.Any(
             'methods',
             required=False,
             multivalue=True,
diff --git a/ipaclient/remote_plugins/2_156/dns.py b/ipaclient/remote_plugins/2_156/dns.py
index 39a0b269533481bcb5b193ad8a463a48146e5275..bbfaa9fd0fb2b582430a5c85761af206d53884f9 100644
--- a/ipaclient/remote_plugins/2_156/dns.py
+++ b/ipaclient/remote_plugins/2_156/dns.py
@@ -326,7 +326,7 @@ class dnsrecord(Object):
             'dnsclass',
             required=False,
         ),
-        parameters.Str(
+        parameters.Any(
             'dnsrecords',
             required=False,
             label=_(u'Records'),
diff --git a/ipaclient/remote_plugins/2_164/batch.py b/ipaclient/remote_plugins/2_164/batch.py
index 4a613b677bedda447a07d3d0bdc10d38762ccc61..2709e5907f18f254f7e605beff9a7f3c9a2ae18d 100644
--- a/ipaclient/remote_plugins/2_164/batch.py
+++ b/ipaclient/remote_plugins/2_164/batch.py
@@ -50,7 +50,7 @@ class batch(Command):
     NO_CLI = True
     takes_args = (
-        parameters.Str(
+        parameters.Any(
             'methods',
             required=False,
             multivalue=True,
diff --git a/ipaclient/remote_plugins/2_164/dns.py b/ipaclient/remote_plugins/2_164/dns.py
index b07a94f1942e3913d6d169b61d84a3b3db268671..244be87f32db6664e5264038b97bc53b704ff166 100644
--- a/ipaclient/remote_plugins/2_164/dns.py
+++ b/ipaclient/remote_plugins/2_164/dns.py
@@ -326,7 +326,7 @@ class dnsrecord(Object):
             'dnsclass',
             required=False,
         ),
-        parameters.Str(
+        parameters.Any(
             'dnsrecords',
             required=False,
             label=_(u'Records'),
diff --git a/ipaclient/remote_plugins/2_49/batch.py b/ipaclient/remote_plugins/2_49/batch.py
index a1f351d332d56c959bf8632cb218de8540f45005..67e5978e634b71735c1940086a80943d967ff1f6 100644
--- a/ipaclient/remote_plugins/2_49/batch.py
+++ b/ipaclient/remote_plugins/2_49/batch.py
@@ -50,7 +50,7 @@ class batch(Command):
     NO_CLI = True
     takes_args = (
-        parameters.Str(
+        parameters.Any(
             'methods',
             required=False,
             multivalue=True,
diff --git a/ipaclient/remote_plugins/2_49/dns.py b/ipaclient/remote_plugins/2_49/dns.py
index 07cef75c2a97c07a77a9ffa3997ec6fa431e3151..4b543a2c2539f7b67467b0a38ab8013a1ebe0840 100644
--- a/ipaclient/remote_plugins/2_49/dns.py
+++ b/ipaclient/remote_plugins/2_49/dns.py
@@ -256,7 +256,7 @@ class dnsrecord(Object):
             label=_(u'Class'),
             doc=_(u'DNS class'),
         ),
-        parameters.Str(
+        parameters.Any(
             'dnsrecords',
             required=False,
             label=_(u'Records'),
--
2.9.3
SOURCES/ipa-centos-branding.patch
File was deleted
SPECS/ipa.spec
@@ -43,7 +43,7 @@
Name:           ipa
Version:        4.4.0
Release:        14%{?dist}.6
Release:        14%{?dist}.7
Summary:        The Identity, Policy and Audit system
Group:          System Environment/Base
@@ -51,10 +51,10 @@
URL:            http://www.freeipa.org/
Source0:        http://www.freeipa.org/downloads/src/freeipa-%{VERSION}.tar.gz
# RHEL spec file only: START: Change branding to IPA and Identity-Management
#Source1:        header-logo.png
#Source2:        login-screen-background.jpg
#Source3:        login-screen-logo.png
#Source4:        product-name.png
Source1:        header-logo.png
Source2:        login-screen-background.jpg
Source3:        login-screen-logo.png
Source4:        product-name.png
# RHEL spec file only: END: Change branding to IPA and Identity-Management
BuildRoot:      %{_tmppath}/%{name}-%{version}-%{release}-root-%(%{__id_u} -n)
@@ -215,6 +215,10 @@
Patch0154:      0154-wait_for_entry-use-only-DN-as-parameter.patch
Patch0155:      0155-Wait-until-HTTPS-principal-entry-is-replicated-to-re.patch
Patch0156:      0156-Use-proper-logging-for-error-messages.patch
Patch0157:      0157-Do-not-configure-PKI-ajp-redirection-to-use-1.patch
Patch0158:      0158-added-ssl-verification-using-IPA-trust-anchor.patch
Patch0159:      0159-ca-correctly-authorise-ca-del-ca-enable-and-ca-disab.patch
Patch0160:      0160-compat-fix-Any-params-in-batch-and-dnsrecord.patch
Patch1001:      1001-Hide-pkinit-functionality-from-production-version.patch
Patch1002:      1002-Remove-pkinit-plugin.patch
@@ -226,9 +230,6 @@
Patch1008:      1008-RCUE.patch
Patch1009:      1009-Revert-Increased-mod_wsgi-socket-timeout.patch
Patch1010:      1010-WebUI-add-API-browser-is-tech-preview-warning.patch
Patch1011:      1011-ca-correctly-authorise-ca-del-ca-enable-and-ca-disab.patch
Patch1012:      1012-Do-not-configure-PKI-ajp-redirection-to-use-1.patch
Patch1013:      ipa-centos-branding.patch
# RHEL spec file only: END
%if ! %{ONLY_CLIENT}
@@ -808,10 +809,10 @@
done
# Red Hat's Identity Management branding
#cp %SOURCE1 install/ui/images/header-logo.png
#cp %SOURCE2 install/ui/images/login-screen-background.jpg
#cp %SOURCE3 install/ui/images/login-screen-logo.png
#cp %SOURCE4 install/ui/images/product-name.png
cp %SOURCE1 install/ui/images/header-logo.png
cp %SOURCE2 install/ui/images/login-screen-background.jpg
cp %SOURCE3 install/ui/images/login-screen-logo.png
cp %SOURCE4 install/ui/images/product-name.png
# RHEL spec file only: END
@@ -1547,8 +1548,13 @@
%changelog
* Thu Mar 02 2017 CentOS Sources <bugs@centos.org> - 4.4.0-14.el7.centos.6
- Roll in CentOS Branding
* Tue Mar 14 2017 Jan Cholasta <jcholast@redhat.com> - 4.4.0-14.7
- Resolves: #1429872 ipa-replica-install fails promotecustodia.create_replica
  with cert errors (untrusted)
  - added ssl verification using IPA trust anchor
- Resolves: #1430674 batch param compatibility is incorrect
  - compat: fix `Any` params in `batch` and `dnsrecord`
- Renamed patches 1011 and 1012 to 0159 and 0157, as they were merged upstream
* Tue Jan 31 2017 Jan Cholasta <jcholast@redhat.com> - 4.4.0-14.6
- Resolves: #1416488 replication race condition prevents IPA to install