From 9ad913ef1e069db40c613eb2c43bc59a92520797 Mon Sep 17 00:00:00 2001
From: CentOS Sources
Date: Mar 12 2019 16:37:37 +0000
Subject: import ipa-4.6.4-10.el7_6.3
---
diff --git a/SOURCES/0057-ipa-sidgen-make-internal-fetch_attr-helper-really-in.patch b/SOURCES/0057-ipa-sidgen-make-internal-fetch_attr-helper-really-in.patch
new file mode 100644
index 0000000..2bb8cdd
--- /dev/null
+++ b/SOURCES/0057-ipa-sidgen-make-internal-fetch_attr-helper-really-in.patch
@@ -0,0 +1,54 @@
+From b2cb212a12982cb6c9901ae0e71198c49e915258 Mon Sep 17 00:00:00 2001
+From: Alexander Bokovoy
+Date: Fri, 14 Dec 2018 14:02:26 +0200
+Subject: [PATCH] ipa-sidgen: make internal fetch_attr helper really internal
+
+With 389-ds landing a change for
+https://pagure.io/389-ds-base/issue/49950, fetch_attr() helper function
+is exposed in slapi-plugin.h. However, in order to be able to build
+FreeIPA plugins against older 389-ds versions, prefer using a local
+variant of it.
+
+Rename fetch_attr() to ipa_sidgen_fetch_attr() so that it doesn't
+conflict at all.
+
+Fixes: https://pagure.io/freeipa/issue/7811
+Reviewed-By: Christian Heimes
+---
+ daemons/ipa-slapi-plugins/ipa-sidgen/ipa_sidgen_task.c | 6 +++---
+ 1 file changed, 3 insertions(+), 3 deletions(-)
+
+diff --git a/daemons/ipa-slapi-plugins/ipa-sidgen/ipa_sidgen_task.c b/daemons/ipa-slapi-plugins/ipa-sidgen/ipa_sidgen_task.c
+index 9e474e83dd0e1bfc52b2e2da3fda12420d2ea281..007b1c945d0e37c4061f6a33cfdd667c45118c99 100644
+--- a/daemons/ipa-slapi-plugins/ipa-sidgen/ipa_sidgen_task.c
++++ b/daemons/ipa-slapi-plugins/ipa-sidgen/ipa_sidgen_task.c
+@@ -63,7 +63,7 @@ struct worker_ctx {
+ struct range_info **ranges;
+ };
+
+-static const char *fetch_attr(Slapi_Entry *e, const char *attrname,
++static const char *ipa_sidgen_fetch_attr(Slapi_Entry *e, const char *attrname,
+ const char *default_val)
+ {
+ Slapi_Attr *attr;
+@@ -242,7 +242,7 @@ int sidgen_task_add(Slapi_PBlock *pb, Slapi_Entry *e,
+
+ worker_ctx->plugin_id = global_sidgen_plugin_id;
+
+- str = fetch_attr(e, "delay", NULL);
++ str = ipa_sidgen_fetch_attr(e, "delay", NULL);
+ if (str != NULL) {
+ errno = 0;
+ worker_ctx->delay = strtol(str, &endptr, 10);
+@@ -255,7 +255,7 @@ int sidgen_task_add(Slapi_PBlock *pb, Slapi_Entry *e,
+ }
+ LOG("delay is [%li].\n", worker_ctx->delay);
+
+- str = fetch_attr(e, "nsslapd-basedn", NULL);
++ str = ipa_sidgen_fetch_attr(e, "nsslapd-basedn", NULL);
+ if (str == NULL) {
+ LOG_FATAL("Missing nsslapd-basedn!\n");
+ *returncode = LDAP_CONSTRAINT_VIOLATION;
+--
+2.20.1
+
diff --git a/SOURCES/0058-replica-installation-add-master-record-only-if-in-ma.patch b/SOURCES/0058-replica-installation-add-master-record-only-if-in-ma.patch
new file mode 100644
index 0000000..ff6ff8a
--- /dev/null
+++ b/SOURCES/0058-replica-installation-add-master-record-only-if-in-ma.patch
@@ -0,0 +1,61 @@
+From 0ed1632ac9f659734f9397c21d0b2de3c2c2d895 Mon Sep 17 00:00:00 2001
+From: Florence Blanc-Renaud
+Date: Tue, 15 Jan 2019 17:53:55 +0100
+Subject: [PATCH] replica installation: add master record only if in managed
+ zone
+
+Scenario: install a replica with DNS, whose IP address is part of a
+forward zone.
+Currently, the replica installation fails because the installer is
+trying to add a A/AAAA record for the replica in the zone
+when setting up the bind instance, and addition of records in a
+forward zone is forbidden.
+
+The bind installer should check if the IP address is in a master zone
+(i.e. a DNS zone managed by IdM, not a forward zone), and avoid
+creating the record if it's not the case.
+
+During uninstallation, perform the same check before removing the
+DNS record (if in a forward zone, no need to call dnsrecord-del).
+Fixes: https://pagure.io/freeipa/issue/7369
+Reviewed-By: Francois Cami
+Reviewed-By: Christian Heimes
+---
+ ipaserver/install/bindinstance.py | 13 ++++++++++---
+ 1 file changed, 10 insertions(+), 3 deletions(-)
+
+diff --git a/ipaserver/install/bindinstance.py b/ipaserver/install/bindinstance.py
+index 7c858aab4417ccf3a4999fcaaa1c7e0f93464e4d..3b03e536117677f0f073fc1f06a28ebab0cfe006 100644
+--- a/ipaserver/install/bindinstance.py
++++ b/ipaserver/install/bindinstance.py
+@@ -844,10 +844,13 @@ class BindInstance(service.Service):
+
+ # Add forward and reverse records to self
+ for addr in addrs:
+- try:
++ # Check first if the zone is a master zone
++ # (if it is a forward zone, dns_zone_exists will return False)
++ if dns_zone_exists(zone, api=self.api):
+ add_fwd_rr(zone, host, addr, self.api)
+- except errors.NotFound:
+- pass
++ else:
++ logger.debug("Skip adding record %s to a zone %s "
++ "not managed by IPA", addr, zone)
+
+ reverse_zone = find_reverse_zone(addr, self.api)
+ if reverse_zone:
+@@ -1063,6 +1066,10 @@ class BindInstance(service.Service):
+ self.fqdn = fqdn
+ self.domain = domain_name
+
++ if not dns_zone_exists(zone, api=self.api):
++ # Zone may be a forward zone, skip update
++ return
++
+ areclist = get_fwd_rr(zone, host, api=self.api)
+ for rdata in areclist:
+ del_fwd_rr(zone, host, rdata, api=self.api)
+--
+2.20.1
+
diff --git a/SOURCES/0059-ipatests-add-test-for-replica-in-forward-zone.patch b/SOURCES/0059-ipatests-add-test-for-replica-in-forward-zone.patch
new file mode 100644
index 0000000..1a49fcb
--- /dev/null
+++ b/SOURCES/0059-ipatests-add-test-for-replica-in-forward-zone.patch
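Review bot: The early `return` added to the record-removal path (`if not dns_zone_exists(zone, api=self.api): return`, second inner hunk) is silent and skips everything that follows it in the function, not only the `del_fwd_rr` loop visible here. The function continues outside the hunk, so if it also cleans up reverse (PTR) or system records, those would be left behind as stale DNS data when the host sits in a forward zone; please confirm and, if so, scope the guard to the forward-record deletion only. For parity with the install path, which logs the skip, I would add `logger.debug("Skip removing records for %s: zone %s is not managed by IPA", fqdn, zone)` before the `return`.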
@@ -0,0 +1,130 @@ +From 8e5149c36651eaded5d06a32fd94e78fc2e3dcb0 Mon Sep 17 00:00:00 2001 +From: Florence Blanc-Renaud +Date: Thu, 17 Jan 2019 11:10:52 +0100 +Subject: [PATCH] ipatests: add test for replica in forward zone + +Scenario: +install a replica with DNS, with the replica part of a forward zone. +The replica installation should proceed successfully and avoid +trying to add a DNS record for the replica in the forward zone, +as the forward zone is not managed by IPA DNS. + +Test added to nightly definitions. + +Related to https://pagure.io/freeipa/issue/7369 + +Reviewed-By: Francois Cami +Reviewed-By: Christian Heimes +--- + .../test_replica_promotion.py | 98 +++++++++++++++++++ + 1 file changed, 98 insertions(+) + +diff --git a/ipatests/test_integration/test_replica_promotion.py b/ipatests/test_integration/test_replica_promotion.py +index 7fdc12dc4a4269772c77ff543239be49c46d199a..c635d932bc92ed8c0a147379718933aabaae0f16 100644 +--- a/ipatests/test_integration/test_replica_promotion.py ++++ b/ipatests/test_integration/test_replica_promotion.py +@@ -644,3 +644,101 @@ class TestSubCAkeyReplication(IntegrationTest): + ssl_cmd = ['openssl', 'x509', '-text', '-in', TEST_CRT_FILE] + ssl = replica.run_command(ssl_cmd) + assert 'Issuer: CN = {}'.format(self.SUBCA) in ssl.stdout_text ++ ++ ++def update_etc_hosts(host, ip, old_hostname, new_hostname): ++ '''Adds or update /etc/hosts ++ ++ If /etc/hosts contains an entry for old_hostname, replace it with ++ new_hostname. ++ If /etc/hosts did not contain the entry, create one for new_hostname with ++ the provided ip. 
++ The function makes a backup in /etc/hosts.sav ++ ++ :param host the machine on which /etc/hosts needs to be update_dns_records ++ :param ip the ip address for the new record ++ :param old_hostname the hostname to replace ++ :param new_hostname the new hostname to put in /etc/hosts ++ ''' ++ # Make a backup ++ host.run_command(['/usr/bin/cp', ++ paths.HOSTS, ++ '%s.sav' % paths.HOSTS]) ++ contents = host.get_file_contents(paths.HOSTS, encoding='utf-8') ++ # If /etc/hosts already contains old_hostname, simply replace ++ pattern = r'^(.*\s){}(\s)'.format(old_hostname) ++ new_contents, mods = re.subn(pattern, r'\1{}\2'.format(new_hostname), ++ contents, flags=re.MULTILINE) ++ # If it didn't contain any entry for old_hostname, just add new_hostname ++ if mods == 0: ++ short = new_hostname.split(".", 1)[0] ++ new_contents = new_contents + "\n{}\t{} {}\n".format(ip, ++ new_hostname, ++ short) ++ host.put_file_contents(paths.HOSTS, new_contents) ++ ++ ++def restore_etc_hosts(host): ++ '''Restores /etc/hosts.sav into /etc/hosts ++ ''' ++ host.run_command(['/usr/bin/mv', ++ '%s.sav' % paths.HOSTS, ++ paths.HOSTS], ++ raiseonerr=False) ++ ++ ++class TestReplicaInForwardZone(IntegrationTest): ++ """ ++ Pagure Reference: https://pagure.io/freeipa/issue/7369 ++ ++ Scenario: install a replica whose name is in a forwarded zone ++ """ ++ ++ forwardzone = 'forward.test' ++ num_replicas = 1 ++ ++ @classmethod ++ def install(cls, mh): ++ tasks.install_master(cls.master, setup_dns=True) ++ ++ def test_replica_install_in_forward_zone(self): ++ master = self.master ++ replica = self.replicas[0] ++ ++ # Create a forward zone on the master ++ master.run_command(['ipa', 'dnsforwardzone-add', self.forwardzone, ++ '--skip-overlap-check', ++ '--forwarder', master.config.dns_forwarder]) ++ ++ # Configure the client with a name in the forwardzone ++ r_shortname = replica.hostname.split(".", 1)[0] ++ r_new_hostname = '{}.{}'.format(r_shortname, ++ self.forwardzone) ++ ++ # Update /etc/hosts on 
the master with an entry for the replica ++ # otherwise replica conncheck would fail ++ update_etc_hosts(master, replica.ip, replica.hostname, ++ r_new_hostname) ++ # Remove the replica previous hostname from /etc/hosts ++ # and add the replica new hostname ++ # otherwise replica install will complain because ++ # hostname does not match ++ update_etc_hosts(replica, replica.ip, replica.hostname, ++ r_new_hostname) ++ ++ try: ++ # install client with a hostname in the forward zone ++ tasks.install_client(self.master, replica, ++ extra_args=['--hostname', r_new_hostname]) ++ ++ replica.run_command(['ipa-replica-install', ++ '--principal', replica.config.admin_name, ++ '--admin-password', ++ replica.config.admin_password, ++ '--setup-dns', ++ '--forwarder', master.config.dns_forwarder, ++ '-U']) ++ finally: ++ # Restore /etc/hosts on master and replica ++ restore_etc_hosts(master) ++ restore_etc_hosts(replica) +-- +2.20.1 + diff --git a/SOURCES/0060-Add-workaround-for-slow-host-service-del.patch b/SOURCES/0060-Add-workaround-for-slow-host-service-del.patch new file mode 100644 index 0000000..af4a5cd --- /dev/null +++ b/SOURCES/0060-Add-workaround-for-slow-host-service-del.patch 
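Review bot: In `update_etc_hosts`, `old_hostname` is interpolated into the regular expression unescaped, so every `.` in the hostname matches any character and a similar-looking /etc/hosts entry can be rewritten by mistake; build the pattern with `pattern = r'^(.*\s){}(\s)'.format(re.escape(old_hostname))`. The docstring line `:param host the machine on which /etc/hosts needs to be update_dns_records` looks like a stray completion and should read `needs to be updated`. The test also passes `--admin-password` on the `ipa-replica-install` command line, where it is visible in the process list and in test logs; that is tolerable for a throwaway test realm, but a short comment saying so would keep the pattern from being copied into real tooling.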
@@ -0,0 +1,50 @@
+From c63b6cbe536987d3e1818542a2f8530e44948812 Mon Sep 17 00:00:00 2001
+From: Christian Heimes
+Date: Fri, 25 Jan 2019 16:12:11 +0100
+Subject: [PATCH] Add workaround for slow host/service del
+
+host-del and service-del are slow because cert revokation is implemented
+inefficiently. The internal cert_find() call retrieves all certificates
+from Dogtag.
+
+The workaround special cases service and host find without additional RA
+search options. A search for service and host certs limits the scope to
+certificate with matching subject common name.
+
+See: https://pagure.io/freeipa/issue/7835
+Signed-off-by: Christian Heimes
+Reviewed-By: Alexander Bokovoy
+---
+ ipaserver/plugins/cert.py | 16 ++++++++++++++++
+ 1 file changed, 16 insertions(+)
+
+diff --git a/ipaserver/plugins/cert.py b/ipaserver/plugins/cert.py
+index ed78388c8b8b4688873a5b047fb1b67e417a8a6d..b6a132ffdb27b4d7b1f761c4bee835f46c5d9721 100644
+--- a/ipaserver/plugins/cert.py
++++ b/ipaserver/plugins/cert.py
+@@ -1470,6 +1470,22 @@ class cert_find(Search, CertMethod):
+ result = collections.OrderedDict()
+ complete = bool(ra_options)
+
++ # workaround for RHBZ#1669012
++ # Improve performance for service and host case by also searching
++ # for subject. This limits the amount of certificate retrieved from
++ # Dogtag. The special case is only used, when no ra_options are set
++ # and exactly one service or host is supplied.
++ # The complete flag is left to False.
++ if not ra_options:
++ services = options.get('service', ())
++ hosts = options.get('host', ())
++ if len(services) == 1 and not hosts:
++ principal = kerberos.Principal(options['service'][0])
++ if principal.is_service:
++ ra_options['subject'] = principal.hostname
++ elif len(hosts) == 1 and not services:
++ ra_options['subject'] = options['host'][0]
++
+ try:
+ ca_enabled_check(self.api)
+ except errors.NotFound:
+--
+2.20.1
+
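Review bot: Narrowing the Dogtag search with `ra_options['subject'] = principal.hostname` (and `options['host'][0]`) assumes that every certificate issued for the host or service carries that hostname as its subject CN. The accompanying commit message says this lookup feeds revocation on host/service removal, so a certificate with a different subject (for example one tied to the host only through a subjectAltName) would no longer come back from the RA search and could stay unrevoked unless another search path in this method still finds it; the rest of the method is outside the hunk, so please confirm. It is also worth checking whether the RA `subject` filter matches exactly or by substring, since a substring match would return certificates of other hosts that must then be filtered out. I would record the assumption next to the workaround, e.g. `# NOTE: relies on subject CN == hostname; certs with another subject are not returned by the RA search`, and use the already fetched `services[0]` / `hosts[0]` instead of indexing `options` again. The call sites changed in 0061 (host.py, service.py) inherit the same assumption.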
diff --git a/SOURCES/0061-Optimize-cert-remove-case.patch b/SOURCES/0061-Optimize-cert-remove-case.patch
new file mode 100644
index 0000000..b642e25
--- /dev/null
+++ b/SOURCES/0061-Optimize-cert-remove-case.patch
@@ -0,0 +1,70 @@
+From 964a4d858e7f30e62691e6e0a1abdcd55cc68405 Mon Sep 17 00:00:00 2001
+From: Christian Heimes
+Date: Fri, 25 Jan 2019 16:18:59 +0100
+Subject: [PATCH] Optimize cert remove case
+
+The cert_remove and mod subcommands for service and host now pass in the
+name to cert_find() to benefit from special cases.
+
+See: https://pagure.io/freeipa/issue/7835
+Signed-off-by: Christian Heimes
+Reviewed-By: Alexander Bokovoy
+---
+ ipaserver/plugins/host.py | 8 ++++++--
+ ipaserver/plugins/service.py | 7 +++++--
+ 2 files changed, 11 insertions(+), 4 deletions(-)
+
+diff --git a/ipaserver/plugins/host.py b/ipaserver/plugins/host.py
+index 306105d67a58fd4343933349db70a1d786eaa4b2..c74a3e58f8af6b33e284ba54b5763a684d91bac3 100644
+--- a/ipaserver/plugins/host.py
++++ b/ipaserver/plugins/host.py
+@@ -899,7 +899,9 @@ class host_mod(LDAPUpdate):
+ old_certs = entry_attrs_old.get('usercertificate', [])
+ removed_certs = set(old_certs) - set(certs)
+ for cert in removed_certs:
+- rm_certs = api.Command.cert_find(certificate=cert)['result']
++ rm_certs = api.Command.cert_find(
++ certificate=cert,
++ host=keys)['result']
+ revoke_certs(rm_certs)
+
+ if certs:
+@@ -1335,7 +1337,9 @@ class host_remove_cert(LDAPRemoveAttributeViaOption):
+ assert isinstance(dn, DN)
+
+ for cert in options.get('usercertificate', []):
+- revoke_certs(api.Command.cert_find(certificate=cert)['result'])
++ revoke_certs(api.Command.cert_find(
++ certificate=cert,
++ host=keys)['result'])
+
+ return dn
+
+diff --git a/ipaserver/plugins/service.py b/ipaserver/plugins/service.py
+index be31f810275214eb28a3f6b7ed9e6dc8ec808ae0..d176adddff8d2590d64ba4059018606ff1eb8d48 100644
+--- a/ipaserver/plugins/service.py
++++ b/ipaserver/plugins/service.py
+@@ -703,7 +703,8 @@ class service_mod(LDAPUpdate):
+ removed_certs = set(old_certs) - set(certs)
+ for cert in removed_certs:
+ rm_certs = api.Command.cert_find(
+- certificate=cert.public_bytes(x509.Encoding.DER))['result']
++ certificate=cert.public_bytes(x509.Encoding.DER),
++ service=keys)['result']
+ revoke_certs(rm_certs)
+
+ if certs:
+@@ -983,7 +984,9 @@ class service_remove_cert(LDAPRemoveAttributeViaOption):
+ assert isinstance(dn, DN)
+
+ for cert in options.get('usercertificate', []):
+- revoke_certs(api.Command.cert_find(certificate=cert)['result'])
++ revoke_certs(api.Command.cert_find(
++ certificate=cert,
++ service=keys)['result'])
+
+ return dn
+
+--
+2.20.1
+
diff --git a/SOURCES/0062-Update-mod_nss-cipher-list-so-there-is-overlap-with-.patch b/SOURCES/0062-Update-mod_nss-cipher-list-so-there-is-overlap-with-.patch
new file mode 100644
index 0000000..adc804c
--- /dev/null
+++ b/SOURCES/0062-Update-mod_nss-cipher-list-so-there-is-overlap-with-.patch
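Review bot: The four call sites now pass `host=keys` / `service=keys` next to `certificate=cert` with nothing in the code saying why, so the extra argument reads as redundant and is easy to drop in a later cleanup. A one-line comment such as `# pass the owner so cert_find() can limit the Dogtag search by subject` at each site (or on a small shared helper, since the same three-line call is repeated in `host_mod`, `host_remove_cert`, `service_mod` and `service_remove_cert`) would record the intent. `keys` is presumably the primary-key tuple of the command, and the fast path only triggers when it holds exactly one entry; the surrounding methods are outside the hunk, so that is worth stating in the comment too.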
@@ -0,0 +1,125 @@
+From 964d13237029e0568f56342917ae386746c0b281 Mon Sep 17 00:00:00 2001
+From: Rob Crittenden
+Date: Fri, 1 Feb 2019 10:30:40 -0500
+Subject: [PATCH] Update mod_nss cipher list so there is overlap with a 4.x
+ master
+
+dogtag updated its cipher list, disabling a lot of ciphers, which
+causes an overlap problem with a RHEL 6.x IPA master.
+
+This update script adds the two available ciphers to the nss.conf
+so that creating a CA replica is possible.
+
+Signed-off-by: Rob Crittenden
+Reviewed-By: Florence Blanc-Renaud
+---
+ contrib/copy-schema-to-ca-RHEL6.py | 79 ++++++++++++++++++++++++++++++
+ 1 file changed, 79 insertions(+)
+
+diff --git a/contrib/copy-schema-to-ca-RHEL6.py b/contrib/copy-schema-to-ca-RHEL6.py
+index 3ed16555e9a63867162b58fe99531db46e867a8b..2b866a52ba99f59db913a127f271c6da63a65b95 100755
+--- a/contrib/copy-schema-to-ca-RHEL6.py
++++ b/contrib/copy-schema-to-ca-RHEL6.py
+@@ -31,6 +31,12 @@ from ipaserver.install.dsinstance import DS_USER
+ from ipaserver.install.cainstance import PKI_USER
+ from ipapython import services
+
++# for mod_nss
++from ipaserver.install.httpinstance import NSS_CONF
++from ipaserver.install.httpinstance import HTTPInstance
++from ipaserver.install import installutils
++from ipapython import sysrestore
++
+ SERVERID = "PKI-IPA"
+ SCHEMA_FILENAMES = (
+ "60kerberos.ldif",
+@@ -100,6 +106,77 @@ def restart_pki_ds():
+ services.service('dirsrv').restart(SERVERID)
+
+
++# The ipa-3-0 set_directive() has very loose comparision of directive
++# which would cause multiple NSSCipherSuite to be added so provide
++# a custom function for it.
++def set_directive(filename, directive, value, quotes=True, separator=' '):
++ """Set a name/value pair directive in a configuration file.
++
++ A value of None means to drop the directive.
++
++ This has only been tested with nss.conf
++ """
++ valueset = False
++ st = os.stat(filename)
++ fd = open(filename)
++ newfile = []
++ for line in fd:
++ if line.lstrip().startswith(directive):
++ valueset = True
++ if value is not None:
++ if quotes:
++ newfile.append('%s%s"%s"\n' %
++ (directive, separator, value))
++ else:
++ newfile.append('%s%s%s\n' % (directive, separator, value))
++ else:
++ newfile.append(line)
++ fd.close()
++ if not valueset:
++ if value is not None:
++ if quotes:
++ newfile.append('%s%s"%s"\n' % (directive, separator, value))
++ else:
++ newfile.append('%s%s%s\n' % (directive, separator, value))
++
++ fd = open(filename, "w")
++ fd.write("".join(newfile))
++ fd.close()
++ os.chown(filename, st.st_uid, st.st_gid) # reset perms
++
++
++def update_mod_nss_cipher_suite():
++ add_ciphers = ['ecdhe_rsa_aes_128_sha', 'ecdhe_rsa_aes_256_sha']
++ ciphers = installutils.get_directive(NSS_CONF, 'NSSCipherSuite')
++
++ # Run through once to see if any of the new ciphers are there but
++ # disabled. If they are then enable them.
++ lciphers = ciphers.split(',')
++ new_ciphers = []
++ for cipher in lciphers:
++ for add in add_ciphers:
++ if cipher.endswith(add):
++ if cipher.startswith('-'):
++ cipher = '+%s' % add
++ new_ciphers.append(cipher)
++
++ # Run through again and add remaining ciphers as enabled.
++ for add in add_ciphers:
++ if add not in ciphers:
++ new_ciphers.append('+%s' % add)
++
++ ciphers = ','.join(new_ciphers)
++ set_directive(NSS_CONF, 'NSSCipherSuite', ciphers, False)
++ root_logger.info('Updated Apache cipher list')
++
++
++def restart_http():
++ root_logger.info('Restarting HTTP')
++ fstore = sysrestore.FileStore('/var/lib/ipa/sysrestore')
++ http = HTTPInstance(fstore)
++ http.restart()
++
++
+ def main():
+ if os.getegid() != 0:
+ sys.exit("Must be root to run this script")
+@@ -110,6 +187,8 @@ def main():
+
+ add_ca_schema()
+ restart_pki_ds()
++ update_mod_nss_cipher_suite()
++ restart_http()
+
+ root_logger.info('Schema updated successfully')
+
+--
+2.20.1
+
diff --git a/SOURCES/ipa-centos-branding.patch b/SOURCES/ipa-centos-branding.patch
deleted file mode 100644
index 673cd2f..0000000
--- a/SOURCES/ipa-centos-branding.patch
+++ /dev/null
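Review bot: `update_mod_nss_cipher_suite()` calls `ciphers.split(',')` on the result of `installutils.get_directive()` without checking it; if `NSSCipherSuite` is absent from nss.conf and the helper returns None (to be confirmed for the ipa-3-0 version), the script dies with an AttributeError after `add_ca_schema()` and `restart_pki_ds()` have already run. A guard such as `if ciphers is None: sys.exit("NSSCipherSuite not found in %s" % NSS_CONF)` makes that failure explicit. `set_directive()` rewrites the Apache TLS configuration in place with `open(filename, "w")` and no backup, so an error between truncation and `fd.close()` leaves nss.conf incomplete; writing a temporary file in the same directory and renaming it, or saving a copy first, would be safer. `line.lstrip().startswith(directive)` also matches any longer directive sharing the prefix and every occurrence in the file, and the two suites being enabled are CBC/SHA-1 ones added for interoperability per the commit message, which deserves a comment above `add_ciphers` so they are not mistaken for a recommended baseline.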
@@ -1,38 +0,0 @@ -From 99efecaf87dc1fc9517efaff441a6a7ce46444eb Mon Sep 17 00:00:00 2001 -From: Jim Perrin -Date: Wed, 11 Mar 2015 10:37:03 -0500 -Subject: [PATCH] update for new ntp server method - ---- - ipaplatform/base/paths.py | 1 + - ipaserver/install/ntpinstance.py | 2 ++ - 2 files changed, 3 insertions(+) - -diff --git a/ipaplatform/base/paths.py b/ipaplatform/base/paths.py -index af50262..5090062 100644 ---- a/ipaplatform/base/paths.py -+++ b/ipaplatform/base/paths.py -@@ -99,6 +99,7 @@ class BasePathNamespace(object): - PKI_TOMCAT_ALIAS_DIR = "/etc/pki/pki-tomcat/alias/" - PKI_TOMCAT_PASSWORD_CONF = "/etc/pki/pki-tomcat/password.conf" - ETC_REDHAT_RELEASE = "/etc/redhat-release" -+ ETC_CENTOS_RELEASE = "/etc/centos-release" - RESOLV_CONF = "/etc/resolv.conf" - SAMBA_KEYTAB = "/etc/samba/samba.keytab" - SMB_CONF = "/etc/samba/smb.conf" -diff --git a/ipaserver/install/ntpinstance.py b/ipaserver/install/ntpinstance.py -index c653525..4b0578b 100644 ---- a/ipaserver/install/ntpinstance.py -+++ b/ipaserver/install/ntpinstance.py -@@ -44,6 +44,8 @@ class NTPInstance(service.Service): - os = "" - if ipautil.file_exists(paths.ETC_FEDORA_RELEASE): - os = "fedora" -+ elif ipautil.file_exists(paths.ETC_CENTOS_RELEASE): -+ os = "centos" - elif ipautil.file_exists(paths.ETC_REDHAT_RELEASE): - os = "rhel" - --- -1.8.3.1 - diff --git a/SPECS/ipa.spec b/SPECS/ipa.spec index b2044c4..449fa3e 100644 --- a/SPECS/ipa.spec +++ b/SPECS/ipa.spec @@ -93,7 +93,7 @@ Name: ipa Version: %{IPA_VERSION} -Release: 10%{?dist}.2 +Release: 10%{?dist}.3 Summary: The Identity, Policy and Audit system Group: System Environment/Base 
@@ -101,10 +101,10 @@ License: GPLv3+ URL: http://www.freeipa.org/ Source0: https://releases.pagure.org/freeipa/freeipa-%{version}.tar.gz # RHEL spec file only: START: Change branding to IPA and Identity Management -#Source1: header-logo.png -#Source2: login-screen-background.jpg -#Source3: login-screen-logo.png -#Source4: product-name.png +Source1: header-logo.png +Source2: login-screen-background.jpg +Source3: login-screen-logo.png +Source4: product-name.png # RHEL spec file only: END: Change branding to IPA and Identity Management BuildRoot: %{_tmppath}/%{name}-%{version}-%{release}-root-%(%{__id_u} -n) @@ -165,12 +165,17 @@ Patch0053: 0053-ipatests-fix-TestUpgrade-test_double_encoded_cacert.patch Patch0054: 0054-ipatest-add-test-for-ipa-pkinit-manage-enable-disabl.patch Patch0055: 0055-PKINIT-fix-ipa-pkinit-manage-enable-disable.patch Patch0056: 0056-replication-check-remote-ds-version-before-editing-a.patch +Patch0057: 0057-ipa-sidgen-make-internal-fetch_attr-helper-really-in.patch +Patch0058: 0058-replica-installation-add-master-record-only-if-in-ma.patch +Patch0059: 0059-ipatests-add-test-for-replica-in-forward-zone.patch +Patch0060: 0060-Add-workaround-for-slow-host-service-del.patch +Patch0061: 0061-Optimize-cert-remove-case.patch +Patch0062: 0062-Update-mod_nss-cipher-list-so-there-is-overlap-with-.patch Patch1001: 1001-Change-branding-to-IPA-and-Identity-Management.patch Patch1002: 1002-Package-copy-schema-to-ca.py.patch Patch1003: 1003-Revert-Increased-mod_wsgi-socket-timeout.patch Patch1004: 1004-Remove-csrgen.patch Patch1005: 1005-Removing-filesystem-encoding-check.patch -Patch1006: ipa-centos-branding.patch # RHEL spec file only: END BuildRequires: libtool, automake, autoconf 
@@ -976,10 +981,10 @@ cp -r %{_builddir}/freeipa-%{version} %{_builddir}/freeipa-%{version}-python3 %endif # with_python3 # RHEL spec file only: START: Change branding to IPA and Identity Management -#cp %SOURCE1 install/ui/images/header-logo.png -#cp %SOURCE2 install/ui/images/login-screen-background.jpg -#cp %SOURCE3 install/ui/images/login-screen-logo.png -#cp %SOURCE4 install/ui/images/product-name.png +cp %SOURCE1 install/ui/images/header-logo.png +cp %SOURCE2 install/ui/images/login-screen-background.jpg +cp %SOURCE3 install/ui/images/login-screen-logo.png +cp %SOURCE4 install/ui/images/product-name.png # RHEL spec file only: END: Change branding to IPA and Identity Management @@ -1740,8 +1745,17 @@ fi %changelog -* Tue Jan 29 2019 CentOS Sources - 4.6.4-10.el7.centos.2 -- Roll in CentOS Branding +* Mon Feb 4 2019 Florence Blanc-Renaud - 4.6.4-10.el7_6.3 +- Resolves: 1672343 pki spawn fails for IPA replica install from RHEL6 IPA master + - Update mod_nss cipher list so there is overlap with a 4.x master +- Resolves: 1672342 Fix compile issue with new 389-ds + - ipa-sidgen: make internal fetch_attr helper really internal +- Resolves: 1672176 host_del and host_disable fails, ra.find() search for every certificates instead of the host's certificate by subject + - Add workaround for slow host/service del + - Optimize cert remove case +- Resolves: 1672238 The ipa-replica-install command failed, exception: ValidationError: invalid 'dnszoneidnsname': only master zones can contain record + - replica installation: add master record only if in managed zone + - ipatests: add test for replica in forward zone * Tue Dec 18 2018 Florence Blanc-Renaud - 4.6.4-10.el7_6.2 - Resolves: 1659492 searching for ipa users by certificate fails