diff --git a/.ipa.metadata b/.ipa.metadata
new file mode 100644
index 0000000..91392e4
--- /dev/null
+++ b/.ipa.metadata
@@ -0,0 +1,2 @@
+7460c1ae34b05ea659275fe169c19f94a28db2f7 SOURCES/rh-ipabanner.png
+32702b534b3f82c141107820283833d54d8287f2 SOURCES/freeipa-3.3.3.tar.gz
diff --git a/README.md b/README.md
deleted file mode 100644
index 0e7897f..0000000
--- a/README.md
+++ /dev/null
@@ -1,5 +0,0 @@
-The master branch has no content
-
-Look at the c7 branch if you are working with CentOS-7, or the c4/c5/c6 branch for CentOS-4, 5 or 6
-
-If you find this file in a distro specific branch, it means that no content has been checked in yet
diff --git a/SOURCES/0001-Guard-import-of-adtrustinstance-for-case-without-tru.patch b/SOURCES/0001-Guard-import-of-adtrustinstance-for-case-without-tru.patch
new file mode 100644
index 0000000..4202105
--- /dev/null
+++ b/SOURCES/0001-Guard-import-of-adtrustinstance-for-case-without-tru.patch
@@ -0,0 +1,41 @@
+From 90ac36c780d6e5d0bcb26f8c7f153d35af1db70f Mon Sep 17 00:00:00 2001
+From: Alexander Bokovoy
+Date: Mon, 4 Nov 2013 17:15:23 +0200
+Subject: [PATCH] Guard import of adtrustinstance for case without trusts
+
+https://fedorahosted.org/freeipa/ticket/4011
+---
+ install/tools/ipa-server-install | 10 ++++++++--
+ 1 file changed, 8 insertions(+), 2 deletions(-)
+
+diff --git a/install/tools/ipa-server-install b/install/tools/ipa-server-install
+index b3dcf6d93a70e2910a3d7fa62139efbf640d1cbe..458ebba550d0fe7675bd874e23c7d730c53297e6 100755
+--- a/install/tools/ipa-server-install
++++ b/install/tools/ipa-server-install
+@@ -40,7 +40,12 @@ import pwd
+ import textwrap
+ from optparse import OptionGroup, OptionValueError
+
+-from ipaserver.install import adtrustinstance
++try:
++ from ipaserver.install import adtrustinstance
++ _server_trust_ad_installed = True
++except ImportError:
++ _server_trust_ad_installed = False
++
+ from ipaserver.install import dsinstance
+ from ipaserver.install import krbinstance
+ from ipaserver.install import bindinstance
+@@ -493,7 +498,8 @@ def uninstall():
+ httpinstance.HTTPInstance(fstore).uninstall()
+ krbinstance.KrbInstance(fstore).uninstall()
+ dsinstance.DsInstance(fstore=fstore).uninstall()
+- adtrustinstance.ADTRUSTInstance(fstore).uninstall()
++ if _server_trust_ad_installed:
++ adtrustinstance.ADTRUSTInstance(fstore).uninstall()
+ memcacheinstance.MemcacheInstance().uninstall()
+ otpdinstance.OtpdInstance().uninstall()
+ ipaservices.restore_network_configuration(fstore, sstore)
+--
+1.8.3.1
+
diff --git a/SOURCES/0002-Server-does-not-detect-different-server-and-IPA-doma.patch b/SOURCES/0002-Server-does-not-detect-different-server-and-IPA-doma.patch
new file mode 100644
index 0000000..9b81558
--- /dev/null
+++ b/SOURCES/0002-Server-does-not-detect-different-server-and-IPA-doma.patch
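Review bot: The `except ImportError:` guard around `from ipaserver.install import adtrustinstance` in install/tools/ipa-server-install treats every import failure as "trust support not installed", so an adtrustinstance that is present but fails to import one of its own dependencies would make `uninstall()` skip `adtrustinstance.ADTRUSTInstance(fstore).uninstall()` with no trace, leaving that component's configuration on the host. Nothing is logged on the skipped path; I would add an `else:` branch under `if _server_trust_ad_installed:` that records the skip with the script's existing logger. A comment above the `try:` such as `# adtrustinstance is optional; it is missing when the AD trust package is not installed` would explain the flag (the packaging split is my reading of the flag name, please confirm). Both hunks show only part of the import preamble and of `uninstall()`.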
@@ -0,0 +1,61 @@
+From 8955e9f236ea9ca3ccfd32cb17c6b4baf9d492a2 Mon Sep 17 00:00:00 2001
+From: Martin Kosek
+Date: Wed, 6 Nov 2013 10:14:40 +0100
+Subject: [PATCH] Server does not detect different server and IPA domain
+
+Server installer does not properly recognize a situation when server
+fqdn is not in a subdomain of the IPA domain, but shares the same
+suffix.
+
+For example, if server FQDN is ipa-idm.example.com and domain
+is idm.example.com, server's FQDN is not in the main domain, but
+installer does not recognize that. proper Kerberos realm-domain
+mapping is not created in this case and server does not work
+(httpd reports gssapi errors).
+
+https://fedorahosted.org/freeipa/ticket/4012
+---
+ ipaserver/install/krbinstance.py | 18 +++++++++++-------
+ 1 file changed, 11 insertions(+), 7 deletions(-)
+
+diff --git a/ipaserver/install/krbinstance.py b/ipaserver/install/krbinstance.py
+index a16e4d5f0cb3b70c6c69aac3251785ef3e8fa7f2..98687a4002cd7b19faea03acc552759e962d8832 100644
+--- a/ipaserver/install/krbinstance.py
++++ b/ipaserver/install/krbinstance.py
+@@ -24,6 +24,7 @@
+ import os
+ import pwd
+ import socket
++import dns.name
+
+ import service
+ import installutils
+@@ -237,15 +238,18 @@ def __setup_sub_dict(self):
+
+ # IPA server/KDC is not a subdomain of default domain
+ # Proper domain-realm mapping needs to be specified
+- dr_map = ''
+- if not self.fqdn.endswith(self.domain):
+- root_logger.debug("IPA FQDN '%s' is not located in default domain '%s'" \
+- % (self.fqdn, self.domain))
+- server_host, dot, server_domain = self.fqdn.partition('.')
+- root_logger.debug("Domain '%s' needs additional mapping in krb5.conf" \
+- % server_domain)
++ domain = dns.name.from_text(self.domain)
++ fqdn = dns.name.from_text(self.fqdn)
++ if not fqdn.is_subdomain(domain):
++ root_logger.debug("IPA FQDN '%s' is not located in default domain '%s'",
++ fqdn, domain)
++ server_domain = fqdn.parent().to_unicode(omit_final_dot=True)
++ root_logger.debug("Domain '%s' needs additional mapping in krb5.conf",
++ server_domain)
+ dr_map = " .%(domain)s = %(realm)s\n %(domain)s = %(realm)s\n" \
+ % dict(domain=server_domain, realm=self.realm)
++ else:
++ dr_map = ""
+ self.sub_dict['OTHER_DOMAIN_REALM_MAPS'] = dr_map
+
+ def __configure_sasl_mappings(self):
+--
+1.8.3.1
+
diff --git a/SOURCES/0003-Allow-kernel-keyring-CCACHE-when-supported.patch b/SOURCES/0003-Allow-kernel-keyring-CCACHE-when-supported.patch
new file mode 100644
index 0000000..ee5a7db
--- /dev/null
+++ b/SOURCES/0003-Allow-kernel-keyring-CCACHE-when-supported.patch
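Review bot: `server_domain = fqdn.parent().to_unicode(omit_final_dot=True)` in `__setup_sub_dict` (ipaserver/install/krbinstance.py) builds the `OTHER_DOMAIN_REALM_MAPS` text for krb5.conf from the Unicode presentation of the name, so an internationalized domain would be written as U-labels while host-to-realm matching is done on the ASCII form of the hostname. `fqdn.parent().to_text(omit_final_dot=True)` keeps the A-label form; if IDN domains are rejected earlier in the installer this is only a consistency point. The two `root_logger.debug(...)` calls now log the `dns.name.Name` objects, which print with a trailing dot, unlike the `self.fqdn`/`self.domain` strings logged before. The method's body starts before and continues after the hunk.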
@@ -0,0 +1,112 @@
+From a66fc51f69b0d19ecb63a5a78d2a052e810913c9 Mon Sep 17 00:00:00 2001
+From: Martin Kosek
+Date: Wed, 6 Nov 2013 12:48:26 +0100
+Subject: [PATCH] Allow kernel keyring CCACHE when supported
+
+Allow ipa-server-install and ipa-client-install to allow kernel keyring
+ccache when supported.
+
+https://fedorahosted.org/freeipa/ticket/4013
+---
+ install/share/krb5.conf.template | 2 +-
+ ipa-client/ipa-install/ipa-client-install | 11 +++++++++++
+ ipapython/kernel_keyring.py | 6 ++++++
+ ipaserver/install/krbinstance.py | 16 ++++++++++++++++
+ 4 files changed, 34 insertions(+), 1 deletion(-)
+
+diff --git a/install/share/krb5.conf.template b/install/share/krb5.conf.template
+index 01e66881b0a38e342886727ec205ea9b7c057ad2..7c82083e3331cfacccc1995cd9dfa6ddd88edd1f 100644
+--- a/install/share/krb5.conf.template
++++ b/install/share/krb5.conf.template
+@@ -12,7 +12,7 @@ includedir /var/lib/sss/pubconf/krb5.include.d/
+ rdns = false
+ ticket_lifetime = 24h
+ forwardable = yes
+-
++$OTHER_LIBDEFAULTS
+ [realms]
+ $REALM = {
+ kdc = $FQDN:88
+diff --git a/ipa-client/ipa-install/ipa-client-install b/ipa-client/ipa-install/ipa-client-install
+index 8e4695b42e9178725353dee2a4797a8da9b635b3..9b99953551fcffa64b16605d701831a49ba0e087 100755
+--- a/ipa-client/ipa-install/ipa-client-install
++++ b/ipa-client/ipa-install/ipa-client-install
+@@ -43,6 +43,7 @@ try:
+ run, user_input, CalledProcessError, file_exists, realm_to_suffix)
+ import ipapython.services as ipaservices
+ from ipapython import ipautil, sysrestore, version, certmonger, ipaldap
++ from ipapython import kernel_keyring
+ from ipapython.config import IPAOptionParser
+ from ipalib import api, errors
+ from ipalib import x509
+@@ -926,6 +927,16 @@ def configure_krb5_conf(cli_realm, cli_domain, cli_server, cli_kdc, dnsok,
+ libopts.append({'name':'ticket_lifetime', 'type':'option', 'value':'24h'})
+ libopts.append({'name':'forwardable', 'type':'option', 'value':'yes'})
+
++ # Configure KEYRING CCACHE if supported
++ uid = os.geteuid()
++ try:
++ kernel_keyring.get_persistent_key(str(uid))
++ except ValueError:
++ pass
++ else:
++ libopts.append({'name':'default_ccache_name', 'type':'option',
++ 'value':'KEYRING:persistent:%{uid}'})
++
+ opts.append({'name':'libdefaults', 'type':'section', 'value':libopts})
+ opts.append({'name':'empty', 'type':'empty'})
+
+diff --git a/ipapython/kernel_keyring.py b/ipapython/kernel_keyring.py
+index 547dd3de6b45295910b66982e99886135c06335b..c6670c4ade48e9dc9b503f937cbcaead143f19fc 100644
+--- a/ipapython/kernel_keyring.py
++++ b/ipapython/kernel_keyring.py
+@@ -47,6 +47,12 @@ def get_real_key(key):
+ raise ValueError('key %s not found' % key)
+ return stdout.rstrip()
+
++def get_persistent_key(key):
++ (stdout, stderr, rc) = run(['keyctl', 'get_persistent', KEYRING, key], raiseonerr=False)
++ if rc:
++ raise ValueError('persistent key %s not found' % key)
++ return stdout.rstrip()
++
+ def has_key(key):
+ """
+ Returns True/False whether the key exists in the keyring.
+diff --git a/ipaserver/install/krbinstance.py b/ipaserver/install/krbinstance.py
+index 98687a4002cd7b19faea03acc552759e962d8832..48407edb9b0e237cf86e8d4e9059208e52b9c165 100644
+--- a/ipaserver/install/krbinstance.py
++++ b/ipaserver/install/krbinstance.py
+@@ -31,6 +31,7 @@
+ from ipapython import sysrestore
+ from ipapython import ipautil
+ from ipapython import services as ipaservices
++from ipapython import kernel_keyring
+ from ipalib import errors
+ from ipapython.ipa_log_manager import *
+ from ipapython.dn import DN
+@@ -252,6 +253,21 @@ def __setup_sub_dict(self):
+ dr_map = ""
+ self.sub_dict['OTHER_DOMAIN_REALM_MAPS'] = dr_map
+
++ # Configure KEYRING CCACHE if supported
++ uid = os.geteuid()
++ try:
++ kernel_keyring.get_persistent_key(str(uid))
++ except ValueError:
++ keyring_ccache_supported = False
++ else:
++ keyring_ccache_supported = True
++
++ if keyring_ccache_supported:
++ self.sub_dict['OTHER_LIBDEFAULTS'] = \
++ " default_ccache_name = KEYRING:persistent:%{uid}\n"
++ else:
++ self.sub_dict['OTHER_LIBDEFAULTS'] = ''
++
+ def __configure_sasl_mappings(self):
+ # we need to remove any existing SASL mappings in the directory as otherwise they
+ # they may conflict.
+--
+1.8.3.1
+
diff --git a/SOURCES/0004-Fix-regression-which-prevents-creating-a-winsync-agr.patch b/SOURCES/0004-Fix-regression-which-prevents-creating-a-winsync-agr.patch
new file mode 100644
index 0000000..5839449
--- /dev/null
+++ b/SOURCES/0004-Fix-regression-which-prevents-creating-a-winsync-agr.patch
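Review bot: `get_persistent_key()` in ipapython/kernel_keyring.py is used by both installers as a capability probe, but it is added without a docstring (unlike `has_key` just below it) and its callers catch only `ValueError`; any other failure of the `keyctl` invocation, for example whatever `run()` raises when the binary cannot be executed (not visible here), would abort the install instead of falling back to the default ccache. A docstring such as `"""Return the id of the persistent keyring for uid *key*; raise ValueError when keyctl reports failure."""` would pin the contract. The probe-and-fallback block is duplicated in `configure_krb5_conf` (ipa-client-install) and `__setup_sub_dict` (krbinstance.py); a single helper returning a bool would keep the two from drifting. The probe also runs only for the installer's `os.geteuid()`, so the `default_ccache_name` written for every user rests on what that one uid observed, which deserves a comment.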
@@ -0,0 +1,31 @@
+From 2f3c2538595664796d673517eb1c91edf5712d80 Mon Sep 17 00:00:00 2001
+From: Ana Krivokapic
+Date: Tue, 12 Nov 2013 14:50:57 +0100
+Subject: [PATCH] Fix regression which prevents creating a winsync agreement
+
+A regression, which prevented creation of a winsync agreement,
+was introduced in the original fix for ticket #3989.
+
+https://fedorahosted.org/freeipa/ticket/3989
+---
+ ipaserver/install/replication.py | 3 ++-
+ 1 file changed, 2 insertions(+), 1 deletion(-)
+
+diff --git a/ipaserver/install/replication.py b/ipaserver/install/replication.py
+index 4d8a4687e162155d7855e11ba5048bed2ff13fa5..c4e62fc91b4fb33c37b9f18ce167149ccd3bd54f 100644
+--- a/ipaserver/install/replication.py
++++ b/ipaserver/install/replication.py
+@@ -626,8 +626,9 @@ def setup_agreement(self, a_conn, b_hostname, port=389,
+
+ if iswinsync:
+ self.setup_winsync_agmt(entry, win_subtree)
++ else:
++ entry['nsds5ReplicaStripAttrs'] = [" ".join(STRIP_ATTRS)]
+
+- entry['nsds5ReplicaStripAttrs'] = [" ".join(STRIP_ATTRS)]
+ a_conn.add_entry(entry)
+
+ try:
+--
+1.8.3.1
+
diff --git a/SOURCES/0005-trusts-Do-not-pass-base-id-to-the-subdomain-ranges.patch b/SOURCES/0005-trusts-Do-not-pass-base-id-to-the-subdomain-ranges.patch
new file mode 100644
index 0000000..29e4c01
--- /dev/null
+++ b/SOURCES/0005-trusts-Do-not-pass-base-id-to-the-subdomain-ranges.patch
@@ -0,0 +1,40 @@
+From bcf89f59d86f4031f3b2ea39dc1dff9484d81e67 Mon Sep 17 00:00:00 2001
+From: Tomas Babej
+Date: Thu, 21 Nov 2013 14:44:42 +0100
+Subject: [PATCH 5/6] trusts: Do not pass base-id to the subdomain ranges
+
+For trusted domains base id is calculated using a murmur3 hash of the
+domain Security Identifier (SID). During trust-add we create ranges for
+forest root domain and other forest domains. Since --base-id explicitly
+overrides generated base id for forest root domain, its value should not
+be passed to other forest domains' ranges -- their base ids must be
+calculated based on their SIDs.
+
+In case base id change for non-root forest domains is required, it can
+be done manually through idrange-mod command after the trust is
+established.
+
+https://fedorahosted.org/freeipa/ticket/4041
+---
+ ipalib/plugins/trust.py | 5 +++++
+ 1 file changed, 5 insertions(+)
+
+diff --git a/ipalib/plugins/trust.py b/ipalib/plugins/trust.py
+index 32a93834394273c9f896ff5fd17bfcc753fe7b8e..5ba0905030c700c7f63003eef25891c52330934b 100644
+--- a/ipalib/plugins/trust.py
++++ b/ipalib/plugins/trust.py
+@@ -375,6 +375,11 @@ def execute(self, *keys, **options):
+ passed_options = options
+ passed_options.update(range_type=created_range_type)
+
++ # Do not pass the base id to the subdomains since it would
++ # clash with the root level domain
++ if 'base_id' in passed_options:
++ del passed_options['base_id']
++
+ # Try to add the range for each subdomain
+ try:
+ self.add_range(range_name, dom_sid, *keys,
+--
+1.8.3.1
+
diff --git a/SOURCES/0006-Map-NT_STATUS_INVALID_PARAMETER-to-most-likely-error.patch b/SOURCES/0006-Map-NT_STATUS_INVALID_PARAMETER-to-most-likely-error.patch
new file mode 100644
index 0000000..52c1290
--- /dev/null
+++ b/SOURCES/0006-Map-NT_STATUS_INVALID_PARAMETER-to-most-likely-error.patch
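Review bot: In ipalib/plugins/trust.py the added `del passed_options['base_id']` also removes the key from `options`, because the context line `passed_options = options` binds the same dict rather than copying it. Anything later in `execute()` that reads `options['base_id']` would no longer see the value the administrator supplied; the rest of the method is outside the hunk, so I cannot tell whether such a read exists. Copying first keeps the override local to the subdomain ranges: `passed_options = dict(options)` followed by `passed_options.pop('base_id', None)`.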
@@ -0,0 +1,32 @@
+From f3292de4abee43c35c25d7ecd8b3638173fb24b8 Mon Sep 17 00:00:00 2001
+From: Alexander Bokovoy
+Date: Tue, 12 Nov 2013 11:36:22 +0200
+Subject: [PATCH 6/6] Map NT_STATUS_INVALID_PARAMETER to most likely error
+ cause: clock skew
+
+When we get NT_STATUS_INVALID_PARAMETER in response to establish
+DCE RPC pipe with Kerberos, the most likely reason is clock skew.
+Suggest that it is so in the error message.
+
+https://fedorahosted.org/freeipa/ticket/4024
+---
+ ipaserver/dcerpc.py | 3 +++
+ 1 file changed, 3 insertions(+)
+
+diff --git a/ipaserver/dcerpc.py b/ipaserver/dcerpc.py
+index 86bb42884067ec91477d8efb37a5e7729ad50315..0dde3473b12b857ff269a936ad9a07d098405c45 100644
+--- a/ipaserver/dcerpc.py
++++ b/ipaserver/dcerpc.py
+@@ -82,6 +82,9 @@ def is_sid_valid(sid):
+ -1073741614: access_denied_error,
+ -1073741603:
+ errors.ValidationError(name=_('AD domain controller'), error=_('unsupported functional level')),
++ -1073741811: # NT_STATUS_INVALID_PARAMETER
++ errors.RemoteRetrieveError(
++ reason=_('AD domain controller complains about communication sequence. It may mean unsynchronized time on both sides, for example')),
+ }
+
+ dcerpc_error_messages = {
+--
+1.8.3.1
+
diff --git a/SOURCES/1001-Hide-pkinit-functionality-from-production-version.patch b/SOURCES/1001-Hide-pkinit-functionality-from-production-version.patch
new file mode 100644
index 0000000..53301a0
--- /dev/null
+++ b/SOURCES/1001-Hide-pkinit-functionality-from-production-version.patch
@@ -0,0 +1,117 @@
+From 7b9f8b3ba5c2768879906227e4f526b2675337ea Mon Sep 17 00:00:00 2001
+From: Martin Kosek
+Date: Wed, 22 May 2013 09:38:50 +0200
+Subject: [PATCH 1001/1006] Hide pkinit functionality from production version
+
+Rebased from original patch from Jan Zeleny and Rob Crittenden.
+
+https://fedorahosted.org/freeipa/ticket/616
+---
+ install/tools/ipa-replica-install | 5 +++--
+ install/tools/ipa-server-install | 10 ++++------
+ ipaserver/install/ipa_replica_prepare.py | 11 +++--------
+ 3 files changed, 10 insertions(+), 16 deletions(-)
+
+diff --git a/install/tools/ipa-replica-install b/install/tools/ipa-replica-install
+index 79f8a7ab48f75ac2d9cd5149df6eda4784b3854a..36bf492946d5e4873827d7d3149be659447065aa 100755
+--- a/install/tools/ipa-replica-install
++++ b/install/tools/ipa-replica-install
+@@ -96,8 +96,6 @@ def parse_options():
+ parser.add_option_group(basic_group)
+
+ cert_group = OptionGroup(parser, "certificate system options")
+- cert_group.add_option("--no-pkinit", dest="setup_pkinit", action="store_false",
+- default=True, help="disables pkinit setup steps")
+ cert_group.add_option("--skip-schema-check", dest="skip_schema_check", action="store_true",
+ default=False, help="skip check for updated CA DS schema on the remote master")
+ parser.add_option_group(cert_group)
+@@ -122,6 +120,9 @@ def parse_options():
+ options, args = parser.parse_args()
+ safe_options = parser.get_safe_opts(options)
+
++ # pkinit is disabled in production version
++ options.setup_pkinit = False
++
+ if len(args) != 1:
+ parser.error("you must provide a file generated by ipa-replica-prepare")
+
+diff --git a/install/tools/ipa-server-install b/install/tools/ipa-server-install
+index fafa14ea18195546b160c175d7fd656a066327b5..00aed1953f58c7f7c6a3c9bae8dcab8b8a669b62 100755
+--- a/install/tools/ipa-server-install
++++ b/install/tools/ipa-server-install
+@@ -173,20 +173,14 @@ def parse_options():
+ help="PEM file containing a certificate signed by the external CA")
+ cert_group.add_option("", "--external_ca_file", dest="external_ca_file",
+ help="PEM file containing the external CA chain")
+- cert_group.add_option("--no-pkinit", dest="setup_pkinit", action="store_false",
+- default=True, help="disables pkinit setup steps")
+ cert_group.add_option("--dirsrv_pkcs12", dest="dirsrv_pkcs12",
+ help="PKCS#12 file containing the Directory Server SSL certificate")
+ cert_group.add_option("--http_pkcs12", dest="http_pkcs12",
+ help="PKCS#12 file containing the Apache Server SSL certificate")
+- cert_group.add_option("--pkinit_pkcs12", dest="pkinit_pkcs12",
+- help="PKCS#12 file containing the Kerberos KDC SSL certificate")
+ cert_group.add_option("--dirsrv_pin", dest="dirsrv_pin", sensitive=True,
+ help="The password of the Directory Server PKCS#12 file")
+ cert_group.add_option("--http_pin", dest="http_pin", sensitive=True,
+ help="The password of the Apache Server PKCS#12 file")
+- cert_group.add_option("--pkinit_pin", dest="pkinit_pin",
+- help="The password of the Kerberos KDC PKCS#12 file")
+ cert_group.add_option("--root-ca-file", dest="root_ca_file",
+ help="PEM file with root CA certificate(s) to trust")
+ cert_group.add_option("--subject", action="callback", callback=subject_callback,
+@@ -236,6 +230,10 @@ def parse_options():
+ options, args = parser.parse_args()
+ safe_options = parser.get_safe_opts(options)
+
++ # pkinit is disabled in production version
++ options.pkinit_pin = False
++ options.pkinit_pkcs12 = False
++
+ if options.dm_password is not None:
+ try:
+ validate_dm_password(options.dm_password)
+diff --git a/ipaserver/install/ipa_replica_prepare.py b/ipaserver/install/ipa_replica_prepare.py
+index 83bf2b28c370c77c5e901dfd0627ea7140b4cf0a..606c3e607682d3dca8d31ed25cce006b17683f51 100644
+--- a/ipaserver/install/ipa_replica_prepare.py
++++ b/ipaserver/install/ipa_replica_prepare.py
+@@ -57,9 +57,6 @@ def add_options(cls, parser):
+ parser.add_option("--no-reverse", dest="no_reverse",
+ action="store_true", default=False,
+ help="do not create reverse DNS zone")
+- parser.add_option("--no-pkinit", dest="setup_pkinit",
+- action="store_false", default=True,
+- help="disables pkinit setup steps")
+ parser.add_option("--ca", dest="ca_file", default="/root/cacert.p12",
+ metavar="FILE",
+ help="location of CA PKCS#12 file, default /root/cacert.p12")
+@@ -72,15 +69,10 @@ def add_options(cls, parser):
+ group.add_option("--http_pkcs12", dest="http_pkcs12",
+ metavar="FILE",
+ help="install certificate for the http server")
+- group.add_option("--pkinit_pkcs12", dest="pkinit_pkcs12",
+- metavar="FILE",
+- help="install certificate for the KDC")
+ group.add_option("--dirsrv_pin", dest="dirsrv_pin", metavar="PIN",
+ help="PIN for the Directory Server PKCS#12 file")
+ group.add_option("--http_pin", dest="http_pin", metavar="PIN",
+ help="PIN for the Apache Server PKCS#12 file")
+- group.add_option("--pkinit_pin", dest="pkinit_pin", metavar="PIN",
+- help="PIN for the KDC pkinit PKCS#12 file")
+ parser.add_option_group(group)
+
+ def validate_options(self):
+@@ -100,7 +92,10 @@ def validate_options(self):
+ "option together with --no-reverse")
+
+ #Automatically disable pkinit w/ dogtag until that is supported
++ # pkinit is disabled in production version
+ options.setup_pkinit = False
++ options.pkinit_pin = False
++ options.pkinit_pkcs12 = False
+
+ # If any of the PKCS#12 options are selected, all are required.
+ pkcs12_req = (options.dirsrv_pkcs12, options.http_pkcs12)
+--
+1.8.3.1
+
diff --git a/SOURCES/1002-Remove-pkinit-plugin.patch b/SOURCES/1002-Remove-pkinit-plugin.patch
new file mode 100644
index 0000000..6c53550
--- /dev/null
+++ b/SOURCES/1002-Remove-pkinit-plugin.patch
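Review bot: The overrides `options.pkinit_pin = False` and `options.pkinit_pkcs12 = False` (ipa-server-install `parse_options`, ipa_replica_prepare `validate_options`) stand in for options whose removed `add_option` calls declared no default, i.e. values optparse would have left as `None`. The same script tests options with `is not None` (see the context line `if options.dm_password is not None:`), so any consumer of the pkinit values written that way would treat `False` as a supplied PIN or file; `options.pkinit_pin = None` and `options.pkinit_pkcs12 = None` keep the old "not given" meaning. In ipa-server-install the `--no-pkinit` option (dest `setup_pkinit`) is removed but, unlike in the other two files, no `options.setup_pkinit = False` appears in the visible hunks; if the script still reads that attribute it would raise AttributeError, so please check. All three functions continue outside the hunks.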
@@ -0,0 +1,144 @@
+From 62b7d72f65ab8ac90a62486bb170133755764bc7 Mon Sep 17 00:00:00 2001
+From: Martin Kosek
+Date: Wed, 22 May 2013 09:40:39 +0200
+Subject: [PATCH 1002/1006] Remove pkinit plugin
+
+This patch completely removes any signs of pkinit in the IPA package. It
+should be used only as addition to the first patch attached to the
+ticket.
+
+Rebased patch by Jan Zeleny and Rob Crittenden.
+
+https://fedorahosted.org/freeipa/ticket/616
+---
+ API.txt | 5 ---
+ ipalib/plugins/pkinit.py | 101 -----------------------------------------------
+ 2 files changed, 106 deletions(-)
+ delete mode 100644 ipalib/plugins/pkinit.py
+
+diff --git a/API.txt b/API.txt
+index 5418f31dc8d936ee629155aff08c05577cf9c4ee..ec5b3c9f6459e048c516a64dbab2396306fa6a72 100644
+--- a/API.txt
++++ b/API.txt
+@@ -2336,11 +2336,6 @@ command: ping
+ args: 0,1,1
+ option: Str('version?', exclude='webui')
+ output: Output('summary', (, ), None)
+-command: pkinit_anonymous
+-args: 1,1,1
+-arg: Str('action')
+-option: Str('version?', exclude='webui')
+-output: Output('result', None, None)
+ command: plugins
+ args: 0,3,3
+ option: Flag('all', autofill=True, cli_name='all', default=True, exclude='webui')
+diff --git a/ipalib/plugins/pkinit.py b/ipalib/plugins/pkinit.py
+deleted file mode 100644
+index 981e411df520e175fa88f1de02a4eae36d687ede..0000000000000000000000000000000000000000
+--- a/ipalib/plugins/pkinit.py
++++ /dev/null
+@@ -1,101 +0,0 @@
+-# Authors:
+-# Simo Sorce
+-#
+-# Copyright (C) 2010 Red Hat
+-# see file 'COPYING' for use and warranty information
+-#
+-# This program is free software; you can redistribute it and/or modify
+-# it under the terms of the GNU General Public License as published by
+-# the Free Software Foundation, either version 3 of the License, or
+-# (at your option) any later version.
+-#
+-# This program is distributed in the hope that it will be useful,
+-# but WITHOUT ANY WARRANTY; without even the implied warranty of
+-# MERCHANTABILITY or FITNESS FOR A PARTICULAR PURPOSE. See the
+-# GNU General Public License for more details.
+-#
+-# You should have received a copy of the GNU General Public License
+-# along with this program. If not, see .
+-
+-from ipalib import api, errors
+-from ipalib import Int, Str
+-from ipalib import Object, Command
+-from ipalib import _
+-from ipapython.dn import DN
+-
+-__doc__ = _("""
+-Kerberos pkinit options
+-
+-Enable or disable anonymous pkinit using the principal
+-WELLKNOWN/ANONYMOUS@REALM. The server must have been installed with
+-pkinit support.
+-
+-EXAMPLES:
+-
+- Enable anonymous pkinit:
+- ipa pkinit-anonymous enable
+-
+- Disable anonymous pkinit:
+- ipa pkinit-anonymous disable
+-
+-For more information on anonymous pkinit see:
+-
+-http://k5wiki.kerberos.org/wiki/Projects/Anonymous_pkinit
+-""")
+-
+-class pkinit(Object):
+- """
+- PKINIT Options
+- """
+- object_name = _('pkinit')
+-
+- label=_('PKINIT')
+-
+-api.register(pkinit)
+-
+-def valid_arg(ugettext, action):
+- """
+- Accepts only Enable/Disable.
+- """
+- a = action.lower()
+- if a != 'enable' and a != 'disable':
+- raise errors.ValidationError(
+- name='action',
+- error=_('Unknown command %s') % action
+- )
+-
+-class pkinit_anonymous(Command):
+- __doc__ = _('Enable or Disable Anonymous PKINIT.')
+-
+- princ_name = 'WELLKNOWN/ANONYMOUS@%s' % api.env.realm
+- default_dn = DN(('krbprincipalname', princ_name), ('cn', api.env.realm), ('cn', 'kerberos'), api.env.basedn)
+-
+- takes_args = (
+- Str('action', valid_arg),
+- )
+-
+- def execute(self, action, **options):
+- ldap = self.api.Backend.ldap2
+- set_lock = False
+- lock = None
+-
+- (dn, entry_attrs) = ldap.get_entry(self.default_dn, ['nsaccountlock'])
+-
+- if 'nsaccountlock' in entry_attrs:
+- lock = entry_attrs['nsaccountlock'][0].lower()
+-
+- if action.lower() == 'enable':
+- if lock == 'true':
+- set_lock = True
+- lock = None
+- elif action.lower() == 'disable':
+- if lock != 'true':
+- set_lock = True
+- lock = 'TRUE'
+-
+- if set_lock:
+- ldap.update_entry(dn, {'nsaccountlock':lock})
+-
+- return dict(result=True)
+-
+-api.register(pkinit_anonymous)
+--
+1.8.3.1
+
diff --git a/SOURCES/1003-Remove-pkinit-references-from-tool-man-pages.patch b/SOURCES/1003-Remove-pkinit-references-from-tool-man-pages.patch
new file mode 100644
index 0000000..d4a0099
--- /dev/null
+++ b/SOURCES/1003-Remove-pkinit-references-from-tool-man-pages.patch
@@ -0,0 +1,93 @@
+From e7dcef627095e38ce29a5f446c08a55ee88fc893 Mon Sep 17 00:00:00 2001
+From: Martin Kosek
+Date: Wed, 22 May 2013 09:59:12 +0200
+Subject: [PATCH 1003/1006] Remove pkinit references from tool man pages
+
+---
+ install/tools/man/ipa-replica-install.1 | 3 ---
+ install/tools/man/ipa-replica-prepare.1 | 9 ---------
+ install/tools/man/ipa-server-install.1 | 9 ---------
+ 3 files changed, 21 deletions(-)
+
+diff --git a/install/tools/man/ipa-replica-install.1 b/install/tools/man/ipa-replica-install.1
+index b7a55cb748dfd5536d86e1b2634df34fd43f319b..993606d83c8117b47b73bb13ac1e7431ba03f369 100644
+--- a/install/tools/man/ipa-replica-install.1
++++ b/install/tools/man/ipa-replica-install.1
+@@ -76,9 +76,6 @@ An unattended installation that will never prompt for user input
+
+ .SS "CERTIFICATE SYSTEM OPTIONS"
+ .TP
+-\fB\-\-no\-pkinit\fR
+-Disables pkinit setup steps
+-.TP
+ \fB\-\-skip\-schema\-check\fR
+ Skip check for updated CA DS schema on the remote master
+
+diff --git a/install/tools/man/ipa-replica-prepare.1 b/install/tools/man/ipa-replica-prepare.1
+index 8e1e60a25628432bf380e7af1d2d2dac9abf8c8a..88c30757b38cfdfec36dce85e995d419dd05c17b 100644
+--- a/install/tools/man/ipa-replica-prepare.1
++++ b/install/tools/man/ipa-replica-prepare.1
+@@ -41,18 +41,12 @@ PKCS#12 file containing the Directory Server SSL Certificate and Private Key
+ \fB\-\-http_pkcs12\fR=\fIFILE\fR
+ PKCS#12 file containing the Apache Server SSL Certificate and Private Key
+ .TP
+-\fB\-\-pkinit_pkcs12\fR=\fIFILE\fR
+-PKCS#12 file containing the Kerberos KDC Certificate and Private Key
+-.TP
+ \fB\-\-dirsrv_pin\fR=\fIDIRSRV_PIN\fR
+ The password of the Directory Server PKCS#12 file
+ .TP
+ \fB\-\-http_pin\fR=\fIHTTP_PIN\fR
+ The password of the Apache Server PKCS#12 file
+ .TP
+-\fB\-\-pkinit_pin\fR=\fIPKINIT_PIN\fR
+-The password of the Kerberos KDC PKCS#12 file
+-.TP
+ \fB\-p\fR \fIDM_PASSWORD\fR, \fB\-\-password\fR=\fIDM_PASSWORD\fR
+ Directory Manager (existing master) password
+ .TP
+@@ -68,9 +62,6 @@ Do not create reverse DNS zone
+ \fB\-\-ca\fR=\fICA_FILE\fR
+ Location of CA PKCS#12 file, default /root/cacert.p12
+ .TP
+-\fB\-\-no\-pkinit\fR
+-Disables pkinit setup steps
+-.TP
+ \fB\-\-debug\fR
+ Prints info log messages to the output
+ .SH "EXIT STATUS"
+diff --git a/install/tools/man/ipa-server-install.1 b/install/tools/man/ipa-server-install.1
+index 59219c14727c5a3062d06d5ef02eb0eebdc9c4f2..409dcf24beb6c53a9908437738fbbe3c90078367 100644
+--- a/install/tools/man/ipa-server-install.1
++++ b/install/tools/man/ipa-server-install.1
+@@ -93,27 +93,18 @@ PEM file containing a certificate signed by the external CA. Must be given with
+ \fB\-\-external_ca_file\fR=\fIFILE\fR
+ PEM file containing the external CA chain
+ .TP
+-\fB\-\-no\-pkinit\fR
+-Disables pkinit setup steps
+-.TP
+ \fB\-\-dirsrv_pkcs12\fR=\fIFILE\fR
+ PKCS#12 file containing the Directory Server SSL Certificate
+ .TP
+ \fB\-\-http_pkcs12\fR=\fIFILE\fR
+ PKCS#12 file containing the Apache Server SSL Certificate
+ .TP
+-\fB\-\-pkinit_pkcs12\fR=\fIFILE\fR
+-PKCS#12 file containing the Kerberos KDC SSL certificate
+-.TP
+ \fB\-\-dirsrv_pin\fR=\fIDIRSRV_PIN\fR
+ The password of the Directory Server PKCS#12 file
+ .TP
+ \fB\-\-http_pin\fR=\fIHTTP_PIN\fR
+ The password of the Apache Server PKCS#12 file
+ .TP
+-\fB\-\-pkinit_pin\fR=\fIPKINIT_PIN\fR
+-The password of the Kerberos KDC PKCS#12 file
+-.TP
+ \fB\-\-subject\fR=\fISUBJECT\fR
+ The certificate subject base (default O=REALM.NAME)
+
+--
+1.8.3.1
+
diff --git a/SOURCES/1004-Change-branding-to-IPA-and-Identity-Management.patch b/SOURCES/1004-Change-branding-to-IPA-and-Identity-Management.patch
new file mode 100644
index 0000000..3f300c0
--- /dev/null
+++ b/SOURCES/1004-Change-branding-to-IPA-and-Identity-Management.patch
@@ -0,0 +1,564 @@ +From 8f1aaebb76015f92601d012a4ce1d8da27a1c90c Mon Sep 17 00:00:00 2001 +From: Martin Kosek +Date: Thu, 18 Jul 2013 08:48:29 +0200 +Subject: [PATCH 1004/1006] Change branding to IPA and Identity Management + +--- + install/html/browserconfig.html | 2 +- + install/html/ssbrowser.html | 2 +- + install/html/unauthorized.html | 2 +- + install/migration/error.html | 2 +- + install/migration/index.html | 2 +- + install/migration/invalid.html | 2 +- + install/tools/ipa-adtrust-install | 6 +++--- + install/tools/ipa-dns-install | 2 +- + install/tools/ipa-replica-conncheck | 2 +- + install/tools/ipa-server-install | 2 +- + install/tools/man/ipa-adtrust-install.1 | 2 +- + install/tools/man/ipa-advise.1 | 4 ++-- + install/tools/man/ipa-backup.1 | 2 +- + install/tools/man/ipa-ca-install.1 | 2 +- + install/tools/man/ipa-compat-manage.1 | 2 +- + install/tools/man/ipa-csreplica-manage.1 | 2 +- + install/tools/man/ipa-dns-install.1 | 2 +- + install/tools/man/ipa-ldap-updater.1 | 2 +- + install/tools/man/ipa-managed-entries.1 | 2 +- + install/tools/man/ipa-nis-manage.1 | 2 +- + install/tools/man/ipa-replica-conncheck.1 | 2 +- + install/tools/man/ipa-replica-install.1 | 2 +- + install/tools/man/ipa-replica-manage.1 | 2 +- + install/tools/man/ipa-replica-prepare.1 | 2 +- + install/tools/man/ipa-restore.1 | 2 +- + install/tools/man/ipa-server-certinstall.1 | 2 +- + install/tools/man/ipa-server-install.1 | 2 +- + install/tools/man/ipactl.8 | 2 +- + install/ui/index.html | 2 +- + install/ui/login.html | 2 +- + install/ui/logout.html | 2 +- + install/ui/reset_password.html | 2 +- + ipa-client/man/default.conf.5 | 2 +- + ipa-client/man/ipa-client-automount.1 | 2 +- + ipa-client/man/ipa-client-install.1 | 2 +- + ipa-client/man/ipa-getkeytab.1 | 2 +- + ipa-client/man/ipa-join.1 | 2 +- + ipa-client/man/ipa-rmkeytab.1 | 2 +- + 38 files changed, 41 insertions(+), 41 deletions(-) + +diff --git a/install/html/browserconfig.html b/install/html/browserconfig.html +index 
a7784f75b8dabb19a5658b06a008bc3f4660823d..31508e95521b9c196c102cfda0be94bb25e43cf3 100644 +--- a/install/html/browserconfig.html ++++ b/install/html/browserconfig.html +@@ -2,7 +2,7 @@ + + + +- IPA: Identity Policy Audit ++ Identity Management + + + +diff --git a/install/html/ssbrowser.html b/install/html/ssbrowser.html +index 72fd573cf907e7ce3a27a17a2857633480cff9de..9a52a9f4d6920a949c071d58312c3d8177d4a1d6 100644 +--- a/install/html/ssbrowser.html ++++ b/install/html/ssbrowser.html +@@ -2,7 +2,7 @@ + + + +- IPA: Identity Policy Audit ++ Identity Management + + + +diff --git a/install/html/unauthorized.html b/install/html/unauthorized.html +index 0fac88b98bc6eebeaa776af8341dfb5fdad4773d..19c7eb19a04530273893156b3a61141a65f29076 100644 +--- a/install/html/unauthorized.html ++++ b/install/html/unauthorized.html +@@ -2,7 +2,7 @@ + + + +- IPA: Identity Policy Audit ++ Identity Management + + + +diff --git a/install/migration/error.html b/install/migration/error.html +index 9e1e3bd0b27f264534d013e8e526c3cded448c77..333ee1e5030596917a15a5b864719cc2abb374b4 100644 +--- a/install/migration/error.html ++++ b/install/migration/error.html +@@ -2,7 +2,7 @@ + + + +- IPA: Identity Policy Audit ++ Identity Management + + + +diff --git a/install/migration/index.html b/install/migration/index.html +index eb816b35d9f420f8f64ee8a63c443818793e5e59..78c5165f076f77de59f5554bedfe59f4a580a133 100644 +--- a/install/migration/index.html ++++ b/install/migration/index.html +@@ -2,7 +2,7 @@ + + + +- IPA: Identity Policy Audit ++ Identity Management + + + +diff --git a/install/migration/invalid.html b/install/migration/invalid.html +index 4f46934066602b5bc52c62ad7006fe4b85ae2a6d..4f4e87a7d9490cab4ac97ed623d1f364d87be909 100644 +--- a/install/migration/invalid.html ++++ b/install/migration/invalid.html +@@ -2,7 +2,7 @@ + + + +- IPA: Identity Policy Audit ++ Identity Management + + + +diff --git a/install/tools/ipa-adtrust-install b/install/tools/ipa-adtrust-install +index 
838f7226bca66f4980c1144d7907bc42fcd31a22..bcf90a621ff052715951ed494d29c4d89742a458 100755 +--- a/install/tools/ipa-adtrust-install ++++ b/install/tools/ipa-adtrust-install +@@ -225,11 +225,11 @@ def main(): + + print "==============================================================================" + print "This program will setup components needed to establish trust to AD domains for" +- print "the FreeIPA Server." ++ print "the IPA Server." + print "" + print "This includes:" + print " * Configure Samba" +- print " * Add trust related objects to FreeIPA LDAP server" ++ print " * Add trust related objects to IPA LDAP server" + #TODO: + #print " * Add a SID to all users and Posix groups" + print "" +@@ -398,7 +398,7 @@ You must make sure these network ports are open: + \t * 389: (C)LDAP + \t * 445: microsoft-ds + +-Additionally you have to make sure the FreeIPA LDAP server is not reachable ++Additionally you have to make sure the IPA LDAP server is not reachable + by any domain controller in the Active Directory domain by closing down + the following ports for these servers: + \tTCP Ports: +diff --git a/install/tools/ipa-dns-install b/install/tools/ipa-dns-install +index 275e699ebc824e0eb454ac80089105c5e9ac2146..505f3d5b651c75df4f592f880bf29657c2f6b650 100755 +--- a/install/tools/ipa-dns-install ++++ b/install/tools/ipa-dns-install +@@ -112,7 +112,7 @@ def main(): + fstore = sysrestore.FileStore('/var/lib/ipa/sysrestore') + + print "==============================================================================" +- print "This program will setup DNS for the FreeIPA Server." ++ print "This program will setup DNS for the IPA Server." 
+ print "" + print "This includes:" + print " * Configure DNS (bind)" +diff --git a/install/tools/ipa-replica-conncheck b/install/tools/ipa-replica-conncheck +index 583b5d5e75090483ddd9549862de04ea30fe820f..b2d4bc253e334ccce742489b376e29af649bd2e0 100755 +--- a/install/tools/ipa-replica-conncheck ++++ b/install/tools/ipa-replica-conncheck +@@ -223,7 +223,7 @@ class PortResponder(threading.Thread): + ipautil.bind_port_responder(self.port, + self.port_type, + socket_timeout=self.socket_timeout, +- responder_data="FreeIPA") ++ responder_data="IPA") + except socket.timeout: + pass + except socket.error, e: +diff --git a/install/tools/ipa-server-install b/install/tools/ipa-server-install +index 00aed1953f58c7f7c6a3c9bae8dcab8b8a669b62..fa9e4c47fe961c2296c5491ca19c61cc7869af0b 100755 +--- a/install/tools/ipa-server-install ++++ b/install/tools/ipa-server-install +@@ -730,7 +730,7 @@ def main(): + external = 0 + + print "==============================================================================" +- print "This program will set up the FreeIPA Server." ++ print "This program will set up the IPA Server." 
+ print "" + print "This includes:" + if setup_ca: +diff --git a/install/tools/man/ipa-adtrust-install.1 b/install/tools/man/ipa-adtrust-install.1 +index 7f0566e135ce1eec049987ff99e922f76c53177b..3b591a033ee4639b951e15b937249c7890fbf3b6 100644 +--- a/install/tools/man/ipa-adtrust-install.1 ++++ b/install/tools/man/ipa-adtrust-install.1 +@@ -16,7 +16,7 @@ + .\" + .\" Author: Sumit Bose + .\" +-.TH "ipa-adtrust-install" "1" "Aug 23 2011" "FreeIPA" "FreeIPA Manual Pages" ++.TH "ipa-adtrust-install" "1" "Aug 23 2011" "IPA" "IPA Manual Pages" + .SH "NAME" + ipa\-adtrust\-install \- Prepare an IPA server to be able to establish trust relationships with AD domains + .SH "SYNOPSIS" +diff --git a/install/tools/man/ipa-advise.1 b/install/tools/man/ipa-advise.1 +index 4c494aab90fe307bf0a2bf82677efda4b5e67e3e..515bbddbe4de8a38a2797d6aa5e95c1ae76fb718 100644 +--- a/install/tools/man/ipa-advise.1 ++++ b/install/tools/man/ipa-advise.1 +@@ -16,7 +16,7 @@ + .\" + .\" Author: Tomas Babej + .\" +-.TH "ipa-advise" "1" "Jun 10 2013" "FreeIPA" "FreeIPA Manual Pages" ++.TH "ipa-advise" "1" "Jun 10 2013" "IPA" "IPA Manual Pages" + .SH "NAME" + ipa\-advise \- Provide configurations advice for various use cases. 
+ .SH "SYNOPSIS" +@@ -41,4 +41,4 @@ Log to the given file + .SH "EXIT STATUS" + 0 if the command was successful + +-1 if an error occurred +\ No newline at end of file ++1 if an error occurred +diff --git a/install/tools/man/ipa-backup.1 b/install/tools/man/ipa-backup.1 +index ff9759ec77d54f32532c4ececfa5081daab9ec15..476f9b534d514b03200369212807fc6d001c70b8 100644 +--- a/install/tools/man/ipa-backup.1 ++++ b/install/tools/man/ipa-backup.1 +@@ -16,7 +16,7 @@ + .\" + .\" Author: Rob Crittenden + .\" +-.TH "ipa-backup" "1" "Mar 22 2013" "FreeIPA" "FreeIPA Manual Pages" ++.TH "ipa-backup" "1" "Mar 22 2013" "IPA" "IPA Manual Pages" + .SH "NAME" + ipa\-backup \- Back up an IPA master + .SH "SYNOPSIS" +diff --git a/install/tools/man/ipa-ca-install.1 b/install/tools/man/ipa-ca-install.1 +index 13ef43a80aa16afad8b7432ef2bce361e45d1fb8..0a6977dbf9780182f0d86564575433002ab50b71 100644 +--- a/install/tools/man/ipa-ca-install.1 ++++ b/install/tools/man/ipa-ca-install.1 +@@ -16,7 +16,7 @@ + .\" + .\" Author: Rob Crittenden + .\" +-.TH "ipa-ca-install" "1" "Jun 17 2011" "FreeIPA" "FreeIPA Manual Pages" ++.TH "ipa-ca-install" "1" "Jun 17 2011" "IPA" "IPA Manual Pages" + .SH "NAME" + ipa\-ca\-install \- Install a CA on a replica + .SH "SYNOPSIS" +diff --git a/install/tools/man/ipa-compat-manage.1 b/install/tools/man/ipa-compat-manage.1 +index f22b1743e31c3b07132acfcfdd8600544f9ace6c..26470331a127af9445c4473525434c237e23dbcf 100644 +--- a/install/tools/man/ipa-compat-manage.1 ++++ b/install/tools/man/ipa-compat-manage.1 +@@ -16,7 +16,7 @@ + .\" + .\" Author: Simo Sorce + .\" +-.TH "ipa-compat-manage" "1" "Dec 2 2008" "FreeIPA" "FreeIPA Manual Pages" ++.TH "ipa-compat-manage" "1" "Dec 2 2008" "IPA" "IPA Manual Pages" + .SH "NAME" + ipa\-compat\-manage \- Enables or disables the schema compatibility plugin + .SH "SYNOPSIS" +diff --git a/install/tools/man/ipa-csreplica-manage.1 b/install/tools/man/ipa-csreplica-manage.1 +index 
ddb28da414ee12f4a8d09032b8b7346b2d3a06ea..ee1a030ace8dce345e66f42b37d2621d954083d9 100644 +--- a/install/tools/man/ipa-csreplica-manage.1 ++++ b/install/tools/man/ipa-csreplica-manage.1 +@@ -16,7 +16,7 @@ + .\" + .\" Author: Rob Crittenden + .\" +-.TH "ipa-csreplica-manage" "1" "Jul 14 2011" "FreeIPA" "FreeIPA Manual Pages" ++.TH "ipa-csreplica-manage" "1" "Jul 14 2011" "IPA" "IPA Manual Pages" + .SH "NAME" + ipa\-csreplica\-manage \- Manage an IPA CS replica + .SH "SYNOPSIS" +diff --git a/install/tools/man/ipa-dns-install.1 b/install/tools/man/ipa-dns-install.1 +index b0bdca94f4aea4a17fecc3362a92a9885bbafed0..68789506c11857190273d2ea67ce299517e3d338 100644 +--- a/install/tools/man/ipa-dns-install.1 ++++ b/install/tools/man/ipa-dns-install.1 +@@ -16,7 +16,7 @@ + .\" + .\" Author: Rob Crittenden + .\" +-.TH "ipa-dns-install" "1" "Jun 28, 2012" "FreeIPA" "FreeIPA Manual Pages" ++.TH "ipa-dns-install" "1" "Jun 28, 2012" "IPA" "IPA Manual Pages" + .SH "NAME" + ipa\-dns\-install \- Add DNS as a service to an IPA server + .SH "SYNOPSIS" +diff --git a/install/tools/man/ipa-ldap-updater.1 b/install/tools/man/ipa-ldap-updater.1 +index 37e200f520218150af4e1be63fc442131f908e27..23b8dc8177c85e351eae30a27e6001780ad267bb 100644 +--- a/install/tools/man/ipa-ldap-updater.1 ++++ b/install/tools/man/ipa-ldap-updater.1 +@@ -16,7 +16,7 @@ + .\" + .\" Author: Rob Crittenden + .\" +-.TH "ipa-ldap-updater" "1" "Sep 12 2008" "FreeIPA" "FreeIPA Manual Pages" ++.TH "ipa-ldap-updater" "1" "Sep 12 2008" "IPA" "IPA Manual Pages" + .SH "NAME" + ipa\-ldap\-updater \- Update the IPA LDAP configuration + .SH "SYNOPSIS" +diff --git a/install/tools/man/ipa-managed-entries.1 b/install/tools/man/ipa-managed-entries.1 +index 3d5ca22b87846d2b46122c7171016019aa07028e..edaa0a90d1a6b123d32cbbdceb30b68c736fe8cb 100644 +--- a/install/tools/man/ipa-managed-entries.1 ++++ b/install/tools/man/ipa-managed-entries.1 +@@ -16,7 +16,7 @@ + .\" + .\" Author: Jr Aquino + .\" +-.TH "ipa-managed-entries" "1" "Feb 06 
2012" "FreeIPA" "FreeIPA Manual Pages" ++.TH "ipa-managed-entries" "1" "Feb 06 2012" "IPA" "IPA Manual Pages" + .SH "NAME" + ipa\-managed\-entries \- Enables or disables the schema Managed Entry plugins + .SH "SYNOPSIS" +diff --git a/install/tools/man/ipa-nis-manage.1 b/install/tools/man/ipa-nis-manage.1 +index fa02cfc76fa6bd076ebddde702036fa0b36f1413..e25f53eddca6cf1da1b631c1bf4ae275efb5a2b1 100644 +--- a/install/tools/man/ipa-nis-manage.1 ++++ b/install/tools/man/ipa-nis-manage.1 +@@ -16,7 +16,7 @@ + .\" + .\" Author: Rob Crittenden + .\" +-.TH "ipa-nis-manage" "1" "May 6 2009" "FreeIPA" "FreeIPA Manual Pages" ++.TH "ipa-nis-manage" "1" "May 6 2009" "IPA" "IPA Manual Pages" + .SH "NAME" + ipa\-nis\-manage \- Enables or disables the NIS listener plugin + .SH "SYNOPSIS" +diff --git a/install/tools/man/ipa-replica-conncheck.1 b/install/tools/man/ipa-replica-conncheck.1 +index 566322cf035bbb51d1ba8b14166a1b61375015da..7f220de96cc03a1f883f585740a82bff062f0ce9 100644 +--- a/install/tools/man/ipa-replica-conncheck.1 ++++ b/install/tools/man/ipa-replica-conncheck.1 +@@ -16,7 +16,7 @@ + .\" + .\" Author: Martin Kosek + .\" +-.TH "ipa-replica-conncheck" "1" "Jun 2 2011" "FreeIPA" "FreeIPA Manual Pages" ++.TH "ipa-replica-conncheck" "1" "Jun 2 2011" "IPA" "IPA Manual Pages" + .SH "NAME" + ipa\-replica\-conncheck \- Check a replica\-master network connection before installation + .SH "SYNOPSIS" +diff --git a/install/tools/man/ipa-replica-install.1 b/install/tools/man/ipa-replica-install.1 +index 993606d83c8117b47b73bb13ac1e7431ba03f369..4452c807d963a4a501eeb802f1d96e5761e0c0f3 100644 +--- a/install/tools/man/ipa-replica-install.1 ++++ b/install/tools/man/ipa-replica-install.1 +@@ -16,7 +16,7 @@ + .\" + .\" Author: Rob Crittenden + .\" +-.TH "ipa-replica-install" "1" "May 16 2012" "FreeIPA" "FreeIPA Manual Pages" ++.TH "ipa-replica-install" "1" "May 16 2012" "IPA" "IPA Manual Pages" + .SH "NAME" + ipa\-replica\-install \- Create an IPA replica + .SH "SYNOPSIS" +diff --git 
a/install/tools/man/ipa-replica-manage.1 b/install/tools/man/ipa-replica-manage.1 +index a981c72f59e23024110e0d9e8331cd50cbb22130..8703caa2baaf83211a5e64e4cd724c42a78a835f 100644 +--- a/install/tools/man/ipa-replica-manage.1 ++++ b/install/tools/man/ipa-replica-manage.1 +@@ -16,7 +16,7 @@ + .\" + .\" Author: Rob Crittenden + .\" +-.TH "ipa-replica-manage" "1" "Mar 1 2013" "FreeIPA" "FreeIPA Manual Pages" ++.TH "ipa-replica-manage" "1" "Mar 1 2013" "IPA" "IPA Manual Pages" + .SH "NAME" + ipa\-replica\-manage \- Manage an IPA replica + .SH "SYNOPSIS" +diff --git a/install/tools/man/ipa-replica-prepare.1 b/install/tools/man/ipa-replica-prepare.1 +index 88c30757b38cfdfec36dce85e995d419dd05c17b..24b6464d1683f23c1a95c952a27b8a92adfbf385 100644 +--- a/install/tools/man/ipa-replica-prepare.1 ++++ b/install/tools/man/ipa-replica-prepare.1 +@@ -16,7 +16,7 @@ + .\" + .\" Author: Rob Crittenden + .\" +-.TH "ipa-replica-prepare" "1" "Mar 14 2008" "FreeIPA" "FreeIPA Manual Pages" ++.TH "ipa-replica-prepare" "1" "Mar 14 2008" "IPA" "IPA Manual Pages" + .SH "NAME" + ipa\-replica\-prepare \- Create an IPA replica file + .SH "SYNOPSIS" +diff --git a/install/tools/man/ipa-restore.1 b/install/tools/man/ipa-restore.1 +index 31734b259524e4b07312a4009184e725aafc3728..689dc133fc4f526bffac0458b0c5c25ff5a8f674 100644 +--- a/install/tools/man/ipa-restore.1 ++++ b/install/tools/man/ipa-restore.1 +@@ -16,7 +16,7 @@ + .\" + .\" Author: Rob Crittenden + .\" +-.TH "ipa-restore" "1" "Mar 22 2013" "FreeIPA" "FreeIPA Manual Pages" ++.TH "ipa-restore" "1" "Mar 22 2013" "IPA" "IPA Manual Pages" + .SH "NAME" + ipa\-restore \- Restore an IPA master + .SH "SYNOPSIS" +diff --git a/install/tools/man/ipa-server-certinstall.1 b/install/tools/man/ipa-server-certinstall.1 +index ab293cf0fdcb2fb231c39f2a32eaa62842a94a94..023971db661d4c0bee495d14bd226534b50559c2 100644 +--- a/install/tools/man/ipa-server-certinstall.1 ++++ b/install/tools/man/ipa-server-certinstall.1 +@@ -16,7 +16,7 @@ + .\" + .\" Author: Rob 
Crittenden + .\" +-.TH "ipa-server-certinstall" "1" "Mar 14 2008" "FreeIPA" "FreeIPA Manual Pages" ++.TH "ipa-server-certinstall" "1" "Mar 14 2008" "IPA" "IPA Manual Pages" + .SH "NAME" + ipa\-server\-certinstall \- Install new SSL server certificates + .SH "SYNOPSIS" +diff --git a/install/tools/man/ipa-server-install.1 b/install/tools/man/ipa-server-install.1 +index 409dcf24beb6c53a9908437738fbbe3c90078367..807e1b38201c504b601a21751798a332d257e819 100644 +--- a/install/tools/man/ipa-server-install.1 ++++ b/install/tools/man/ipa-server-install.1 +@@ -16,7 +16,7 @@ + .\" + .\" Author: Rob Crittenden + .\" +-.TH "ipa-server-install" "1" "Jun 28 2012" "FreeIPA" "FreeIPA Manual Pages" ++.TH "ipa-server-install" "1" "Jun 28 2012" "IPA" "IPA Manual Pages" + .SH "NAME" + ipa\-server\-install \- Configure an IPA server + .SH "SYNOPSIS" +diff --git a/install/tools/man/ipactl.8 b/install/tools/man/ipactl.8 +index 05be8e0e29f792ad2a2159ca3f8f38624a42ffa4..b9e4700858c7490298bac58c092fe97d2c6d3a19 100644 +--- a/install/tools/man/ipactl.8 ++++ b/install/tools/man/ipactl.8 +@@ -16,7 +16,7 @@ + .\" + .\" Author: Rob Crittenden + .\" +-.TH "ipactl" "8" "Mar 14 2008" "FreeIPA" "FreeIPA Manual Pages" ++.TH "ipactl" "8" "Mar 14 2008" "IPA" "IPA Manual Pages" + .SH "NAME" + ipactl \- IPA Server Control Interface + .SH "SYNOPSIS" +diff --git a/install/ui/index.html b/install/ui/index.html +index 75ff829970a42c6efa0f62a61bf922d07fb779a5..7a71f815496a6651850d7076015f30c6df281fed 100644 +--- a/install/ui/index.html ++++ b/install/ui/index.html +@@ -2,7 +2,7 @@ + + + +- IPA: Identity Policy Audit ++ Identity Management + + + +diff --git a/install/ui/login.html b/install/ui/login.html +index 5545e8834a38fd24a6f0debf263a56402be42dbc..7b4d13962790e6b9457727424c37b41879a3404a 100644 +--- a/install/ui/login.html ++++ b/install/ui/login.html +@@ -2,7 +2,7 @@ + + + +- IPA: Identity Policy Audit ++ Identity Management + + + +diff --git a/install/ui/logout.html b/install/ui/logout.html +index 
e356d2a5f9b59f0b516825fb039eaa4210dc5d98..80740069c9c3b3fa1b5ccbcf64487b4f1ab4a2cd 100644 +--- a/install/ui/logout.html ++++ b/install/ui/logout.html +@@ -2,7 +2,7 @@ + + + +- IPA: Identity Policy Audit ++ Identity Management + + + +diff --git a/install/ui/reset_password.html b/install/ui/reset_password.html +index 4dbbb7aacd52fe4ab787a8db73ca780225a98307..2d9c7aa7e704fa76ad5e1a93672626ad71b78568 100644 +--- a/install/ui/reset_password.html ++++ b/install/ui/reset_password.html +@@ -2,7 +2,7 @@ + + + +- IPA: Identity Policy Audit ++ Identity Management + + + +diff --git a/ipa-client/man/default.conf.5 b/ipa-client/man/default.conf.5 +index 9e87bb7c8b0b2767b590e0b920a752f83a2fde51..315f15d75ecb10a30690adb41fa12837ca32a6c6 100644 +--- a/ipa-client/man/default.conf.5 ++++ b/ipa-client/man/default.conf.5 +@@ -16,7 +16,7 @@ + .\" + .\" Author: Rob Crittenden + .\" +-.TH "default.conf" "5" "Feb 21 2011" "FreeIPA" "FreeIPA Manual Pages" ++.TH "default.conf" "5" "Feb 21 2011" "IPA" "IPA Manual Pages" + .SH "NAME" + default.conf \- IPA configuration file + .SH "SYNOPSIS" +diff --git a/ipa-client/man/ipa-client-automount.1 b/ipa-client/man/ipa-client-automount.1 +index 5b60503f1304d0a0b03a8862708ba126c50c7eff..2e6f78aa659e90f879f66431c4e52e303a4c9b15 100644 +--- a/ipa-client/man/ipa-client-automount.1 ++++ b/ipa-client/man/ipa-client-automount.1 +@@ -16,7 +16,7 @@ + .\" + .\" Author: Rob Crittenden + .\" +-.TH "ipa-client-automount" "1" "May 25 2012" "FreeIPA" "FreeIPA Manual Pages" ++.TH "ipa-client-automount" "1" "May 25 2012" "IPA" "IPA Manual Pages" + .SH "NAME" + ipa\-client\-automount \- Configure automount and NFS for IPA + .SH "SYNOPSIS" +diff --git a/ipa-client/man/ipa-client-install.1 b/ipa-client/man/ipa-client-install.1 +index bb19041b13622e3384fb800fca60b7b6f695e8f0..17b0666232d95e84692a7ecba7cd7b7e6117b2e7 100644 +--- a/ipa-client/man/ipa-client-install.1 ++++ b/ipa-client/man/ipa-client-install.1 +@@ -16,7 +16,7 @@ + .\" + .\" Author: Rob Crittenden + .\" 
+-.TH "ipa-client-install" "1" "Jan 31 2013" "FreeIPA" "FreeIPA Manual Pages" ++.TH "ipa-client-install" "1" "Jan 31 2013" "IPA" "IPA Manual Pages" + .SH "NAME" + ipa\-client\-install \- Configure an IPA client + .SH "SYNOPSIS" +diff --git a/ipa-client/man/ipa-getkeytab.1 b/ipa-client/man/ipa-getkeytab.1 +index ce62d9d09df07401a4d067e9247035ca6f957b83..07f0f05b604a6bf50f6149e1d3699d4643013b82 100644 +--- a/ipa-client/man/ipa-getkeytab.1 ++++ b/ipa-client/man/ipa-getkeytab.1 +@@ -17,7 +17,7 @@ + .\" Author: Karl MacMillan + .\" Author: Simo Sorce + .\" +-.TH "ipa-getkeytab" "1" "Oct 10 2007" "FreeIPA" "FreeIPA Manual Pages" ++.TH "ipa-getkeytab" "1" "Oct 10 2007" "IPA" "IPA Manual Pages" + .SH "NAME" + ipa\-getkeytab \- Get a keytab for a Kerberos principal + .SH "SYNOPSIS" +diff --git a/ipa-client/man/ipa-join.1 b/ipa-client/man/ipa-join.1 +index 5dd4004b36c096bbccf1cd966e3f189fa2e356ca..86272b6409b8966348969e998848fac5039193db 100644 +--- a/ipa-client/man/ipa-join.1 ++++ b/ipa-client/man/ipa-join.1 +@@ -16,7 +16,7 @@ + .\" + .\" Author: Rob Crittenden + .\" +-.TH "ipa-join" "1" "Oct 8 2009" "FreeIPA" "FreeIPA Manual Pages" ++.TH "ipa-join" "1" "Oct 8 2009" "IPA" "IPA Manual Pages" + .SH "NAME" + ipa\-join \- Join a machine to an IPA realm and get a keytab for the host service principal + .SH "SYNOPSIS" +diff --git a/ipa-client/man/ipa-rmkeytab.1 b/ipa-client/man/ipa-rmkeytab.1 +index 4f4fcee2665c105c5cdab5f964e3295bea4b7997..84d8abd548b873213d165fe5fb012ec018a8424a 100644 +--- a/ipa-client/man/ipa-rmkeytab.1 ++++ b/ipa-client/man/ipa-rmkeytab.1 +@@ -17,7 +17,7 @@ + .\" Author: Rob Crittenden + .\" + .\" +-.TH "ipa-rmkeytab" "1" "Oct 30 2009" "FreeIPA" "FreeIPA Manual Pages" ++.TH "ipa-rmkeytab" "1" "Oct 30 2009" "IPA" "IPA Manual Pages" + .SH "NAME" + ipa\-rmkeytab \- Remove a kerberos principal from a keytab + .SH "SYNOPSIS" +-- +1.8.3.1 + 
diff --git a/SOURCES/1005-Remove-pylint-from-build-process.patch b/SOURCES/1005-Remove-pylint-from-build-process.patch
new file mode 100644
index 0000000..d74e340
--- /dev/null
+++ b/SOURCES/1005-Remove-pylint-from-build-process.patch
@@ -0,0 +1,35 @@
+From d48ef24f108af76f950fc67cd728d5eeee1221c4 Mon Sep 17 00:00:00 2001
+From: Martin Kosek
+Date: Wed, 22 May 2013 10:52:32 +0200
+Subject: [PATCH 1005/1006] Remove pylint from build process
+
+pylint is not present in RHEL-7.0.
+---
+ Makefile | 4 ----
+ 1 file changed, 4 deletions(-)
+
+diff --git a/Makefile b/Makefile
+index 484144fd6f2dfb905abfc96621fc03b306d2f230..0718367cd78e070e160d50f28006ded580be78cf 100644
+--- a/Makefile
++++ b/Makefile
+@@ -46,9 +46,6 @@ IPA_RPM_RELEASE=$(shell cat RELEASE)
+ LIBDIR ?= /usr/lib
+
+ DEVELOPER_MODE ?= 0
+-ifneq ($(DEVELOPER_MODE),0)
+-LINT_OPTIONS=--no-fail
+-endif
+
+ PYTHON ?= $(shell rpm -E %__python)
+
+@@ -97,7 +94,6 @@ client-dirs:
+ fi
+
+ lint: bootstrap-autogen
+- ./make-lint $(LINT_OPTIONS)
+ $(MAKE) -C install/po validate-src-strings
+
+
+--
+1.8.3.1
+
diff --git a/SOURCES/1006-Remove-i18test-from-build-process.patch b/SOURCES/1006-Remove-i18test-from-build-process.patch
new file mode 100644
index 0000000..aee4946
--- /dev/null
+++ b/SOURCES/1006-Remove-i18test-from-build-process.patch
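Review bot: The second Makefile hunk in this patch (`@@ -97,7 +94,6 @@`) deletes the `./make-lint $(LINT_OPTIONS)` recipe line outright, so the downstream build no longer runs any static check over the Python it ships, including the install tools that patch 1004 edits. The stated reason is only that pylint is absent from RHEL-7.0, so a guarded call would keep the check wherever the tool exists, for example `@if $(PYTHON) -c 'import pylint' 2>/dev/null; then ./make-lint $(LINT_OPTIONS); else echo "pylint not available, lint skipped" >&2; fi` (assuming make-lint needs nothing beyond the pylint module). That form would also keep the `LINT_OPTIONS` block removed by the first hunk. Both Makefile hunks show only part of the rules they sit in.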
@@ -0,0 +1,26 @@
+From 87a676e2d02194a37343e32660a2228b92f56ea9 Mon Sep 17 00:00:00 2001
+From: Martin Kosek
+Date: Wed, 22 May 2013 11:55:06 +0200
+Subject: [PATCH 1006/1006] Remove i18test from build process
+
+Required package python-polib is not present in RHEL-7.0.
+---
+ Makefile | 2 +-
+ 1 file changed, 1 insertion(+), 1 deletion(-)
+
+diff --git a/Makefile b/Makefile
+index 0718367cd78e070e160d50f28006ded580be78cf..f53fcd8ff79289e867e17c71dcb3fc7b38e40c63 100644
+--- a/Makefile
++++ b/Makefile
+@@ -94,7 +94,7 @@ client-dirs:
+ fi
+
+ lint: bootstrap-autogen
+- $(MAKE) -C install/po validate-src-strings
++ @echo "lint target skipped in RHEL-7.0 due to missing dependencies"
+
+
+ test:
+--
+1.8.3.1
+
diff --git a/SPECS/ipa.spec b/SPECS/ipa.spec
new file mode 100644
index 0000000..806ab5b
--- /dev/null
+++ b/SPECS/ipa.spec
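Review bot: The replacement recipe `@echo "lint target skipped in RHEL-7.0 due to missing dependencies"` makes `make lint` exit 0 on every run, so any caller that treats the target as a gate reads a skipped check as a passed one. The message goes to stdout and does not say what is missing, although this commit message names python-polib and patch 1005 names pylint. I would write `@echo "lint skipped: pylint and python-polib are not available in RHEL-7.0" >&2` and add a comment above the rule noting that both make-lint and validate-src-strings are disabled downstream only. The rest of the Makefile around the `lint:` rule is outside the hunk.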
@@ -0,0 +1,1543 @@ +# Define ONLY_CLIENT to only make the ipa-client and ipa-python subpackages +%{!?ONLY_CLIENT:%global ONLY_CLIENT 0} + +%ifarch x86_64 %{ix86} +# Nothing, we want to force just building client on non-Intel +%else +%global ONLY_CLIENT 1 +%endif + +%global plugin_dir %{_libdir}/dirsrv/plugins +%global POLICYCOREUTILSVER 2.1.14-37 +%global gettext_domain ipa +%global VERSION 3.3.3 + +Name: ipa +Version: 3.3.3 +Release: 5%{?dist} +Summary: The Identity, Policy and Audit system + +Group: System Environment/Base +License: GPLv3+ +URL: http://www.freeipa.org/ +Source0: http://www.freeipa.org/downloads/src/freeipa-%{VERSION}.tar.gz +Source1: rh-ipabanner.png +BuildRoot: %{_tmppath}/%{name}-%{version}-%{release}-root-%(%{__id_u} -n) + +Patch0001: 0001-Guard-import-of-adtrustinstance-for-case-without-tru.patch +Patch0002: 0002-Server-does-not-detect-different-server-and-IPA-doma.patch +Patch0003: 0003-Allow-kernel-keyring-CCACHE-when-supported.patch +Patch0004: 0004-Fix-regression-which-prevents-creating-a-winsync-agr.patch +Patch0005: 0005-trusts-Do-not-pass-base-id-to-the-subdomain-ranges.patch +Patch0006: 0006-Map-NT_STATUS_INVALID_PARAMETER-to-most-likely-error.patch + +Patch1001: 1001-Hide-pkinit-functionality-from-production-version.patch +Patch1002: 1002-Remove-pkinit-plugin.patch +Patch1003: 1003-Remove-pkinit-references-from-tool-man-pages.patch +Patch1004: 1004-Change-branding-to-IPA-and-Identity-Management.patch +Patch1005: 1005-Remove-pylint-from-build-process.patch +Patch1006: 1006-Remove-i18test-from-build-process.patch + +%if ! 
%{ONLY_CLIENT} +BuildRequires: 389-ds-base-devel >= 1.3.1 +BuildRequires: svrcore-devel +BuildRequires: policycoreutils >= %{POLICYCOREUTILSVER} +BuildRequires: systemd-units +BuildRequires: samba-devel >= 4.0.5-1 +BuildRequires: samba-python +BuildRequires: libwbclient-devel +BuildRequires: libtalloc-devel +BuildRequires: libtevent-devel +%endif # ONLY_CLIENT +BuildRequires: nspr-devel +BuildRequires: nss-devel +BuildRequires: openssl-devel +BuildRequires: openldap-devel +BuildRequires: krb5-devel >= 1.11 +BuildRequires: krb5-workstation +BuildRequires: libuuid-devel +BuildRequires: libcurl-devel >= 7.21.7-2 +BuildRequires: xmlrpc-c-devel >= 1.27.4 +BuildRequires: popt-devel +BuildRequires: autoconf +BuildRequires: automake +BuildRequires: m4 +BuildRequires: libtool +BuildRequires: gettext +BuildRequires: python-devel +BuildRequires: python-ldap +BuildRequires: python-setuptools +BuildRequires: python-krbV +BuildRequires: python-nss +BuildRequires: python-netaddr +BuildRequires: python-kerberos +BuildRequires: python-rhsm +BuildRequires: pyOpenSSL +BuildRequires: libipa_hbac-python +BuildRequires: python-memcached +BuildRequires: sssd >= 1.9.2 +BuildRequires: python-lxml +BuildRequires: python-pyasn1 >= 0.0.9a +BuildRequires: python-dns +BuildRequires: m2crypto +BuildRequires: check +BuildRequires: libsss_idmap-devel +BuildRequires: libsss_nss_idmap-devel +BuildRequires: java-1.7.0-openjdk +BuildRequires: libverto-devel +BuildRequires: systemd +BuildRequires: libunistring-devel +BuildRequires: diffstat + +# Find out Kerberos middle version to infer ABI changes in DAL driver +# We cannot load DAL driver into KDC with wrong ABI. 
+# This is also needed to support ipa-devel repository where krb5 1.11 is available for F18 +%global krb5_dal_version %{expand:%(echo "#include "|cpp -dM|grep KRB5_KDB_DAL_MAJOR_VERSION|cut -d' ' -f3)} + +%description +IPA is an integrated solution to provide centrally managed Identity (machine, +user, virtual machines, groups, authentication credentials), Policy +(configuration settings, access control information) and Audit (events, +logs, analysis thereof). + +%if ! %{ONLY_CLIENT} +%package server +Summary: The IPA authentication server +Group: System Environment/Base +Requires: %{name}-python = %{version}-%{release} +Requires: %{name}-client = %{version}-%{release} +Requires: %{name}-admintools = %{version}-%{release} +Requires: 389-ds-base >= 1.3.1.3 +Requires: openldap-clients > 2.4.35-4 +Requires: nss >= 3.14.3-12.0 +Requires: nss-tools >= 3.14.3-12.0 +%if 0%{?krb5_dal_version} >= 4 +Requires: krb5-server >= 1.11.2-1 +%else +%if 0%{krb5_dal_version} == 3 +# krb5 1.11 bumped DAL interface major version, a rebuild is needed +Requires: krb5-server < 1.11 +Requires: krb5-server >= 1.10 +%else +Requires: krb5-server >= 1.10 +%endif +%endif +Requires: krb5-pkinit-openssl +Requires: cyrus-sasl-gssapi%{?_isa} +Requires: ntp +Requires: httpd +Requires: mod_wsgi +Requires: mod_auth_kerb >= 5.4-16 +Requires: mod_nss >= 1.0.8-24 +Requires: python-ldap +Requires: python-krbV +Requires: acl +Requires: python-pyasn1 +Requires: memcached +Requires: python-memcached +Requires: systemd-units >= 38 +Requires(pre): systemd-units +Requires(post): systemd-units +Requires: selinux-policy >= 3.12.1-65 +Requires(post): selinux-policy-base +Requires: slapi-nis >= 0.47.7 +Requires: pki-ca >= 10.0.4 +%if 0%{?rhel} +Requires: subscription-manager +%endif +Requires(preun): python systemd-units +Requires(postun): python systemd-units +Requires: python-dns +Requires: zip +Requires: policycoreutils >= %{POLICYCOREUTILSVER} +Requires: tar +Requires(pre): certmonger >= 0.65 +Requires(pre): 
389-ds-base >= 1.3.1.3 + +# We have a soft-requires on bind. It is an optional part of +# IPA but if it is configured we need a way to require versions +# that work for us. +Conflicts: bind-dyndb-ldap < 3.5 +Conflicts: bind < 9.8.2-0.4.rc2 + +# Versions of nss-pam-ldapd < 0.8.4 require a mapping from uniqueMember to +# member. +Conflicts: nss-pam-ldapd < 0.8.4 + +%description server +IPA is an integrated solution to provide centrally managed Identity (machine, +user, virtual machines, groups, authentication credentials), Policy +(configuration settings, access control information) and Audit (events, +logs, analysis thereof). If you are installing an IPA server you need +to install this package (in other words, most people should NOT install +this package). + + +%package server-trust-ad +Summary: Virtual package to install packages required for Active Directory trusts +Group: System Environment/Base +Requires: %{name}-server = %version-%release +Requires: m2crypto +Requires: samba-python +Requires: samba >= 4.0.5-1 +Requires: samba-winbind +Requires: libsss_idmap +Requires: libsss_nss_idmap-python +# We use alternatives to divert winbind_krb5_locator.so plugin to libkrb5 +# on the installes where server-trust-ad subpackage is installed because +# IPA AD trusts cannot be used at the same time with the locator plugin +# since Winbindd will be configured in a different mode +Requires(post): %{_sbindir}/update-alternatives +Requires(post): python +Requires(postun): %{_sbindir}/update-alternatives +Requires(preun): %{_sbindir}/update-alternatives + +%description server-trust-ad +Cross-realm trusts with Active Directory in IPA require working Samba 4 +installation. This package is provided for convenience to install all required +dependencies at once. 
+ +%endif # ONLY_CLIENT + + +%package client +Summary: IPA authentication for use on clients +Group: System Environment/Base +Requires: %{name}-python = %{version}-%{release} +Requires: python-ldap +Requires: cyrus-sasl-gssapi%{?_isa} +Requires: ntp +Requires: krb5-workstation +Requires: authconfig +Requires: pam_krb5 +Requires: wget +Requires: libcurl >= 7.21.7-2 +Requires: xmlrpc-c >= 1.27.4 +Requires: sssd >= 1.11.1 +Requires: certmonger >= 0.65 +Requires: nss-tools +Requires: bind-utils +Requires: oddjob-mkhomedir +Requires: python-krbV +Requires: python-dns +Requires: libsss_autofs +Requires: autofs +Requires: libnfsidmap +Requires: nfs-utils +Requires(post): policycoreutils + +%description client +IPA is an integrated solution to provide centrally managed Identity (machine, +user, virtual machines, groups, authentication credentials), Policy +(configuration settings, access control information) and Audit (events, +logs, analysis thereof). If your network uses IPA for authentication, +this package should be installed on every client machine. + + +%if ! %{ONLY_CLIENT} +%package admintools +Summary: IPA administrative tools +Group: System Environment/Base +Requires: %{name}-python = %{version}-%{release} +Requires: %{name}-client = %{version}-%{release} +Requires: python-krbV +Requires: python-ldap + +%description admintools +IPA is an integrated solution to provide centrally managed Identity (machine, +user, virtual machines, groups, authentication credentials), Policy +(configuration settings, access control information) and Audit (events, +logs, analysis thereof). This package provides command-line tools for +IPA administrators. 
+%endif # ONLY_CLIENT
+
+%package python
+Summary: Python libraries used by IPA
+Group: System Environment/Libraries
+Requires: python-kerberos
+Requires: gnupg
+Requires: iproute
+Requires: keyutils
+Requires: pyOpenSSL
+Requires: python-nss
+Requires: python-lxml
+Requires: python-netaddr
+Requires: libipa_hbac-python
+
+%description python
+IPA is an integrated solution to provide centrally managed Identity (machine,
+user, virtual machines, groups, authentication credentials), Policy
+(configuration settings, access control information) and Audit (events,
+logs, analysis thereof). If you are using IPA you need to install this
+package.
+
+%if ! %{ONLY_CLIENT}
+%package tests
+Summary: IPA tests and test tools
+Requires: %{name}-client = %{version}-%{release}
+Requires: %{name}-python = %{version}-%{release}
+Requires: tar
+Requires: xz
+Requires: python-nose
+Requires: python-paste
+Requires: python-coverage
+Requires: openssh-clients
+
+%description tests
+IPA is an integrated solution to provide centrally managed Identity (machine,
+user, virtual machines, groups, authentication credentials), Policy
+(configuration settings, access control information) and Audit (events,
+logs, analysis thereof).
+This package contains tests that verify IPA functionality.
+
+%endif # ONLY_CLIENT
+
+
+%prep
+# RHEL spec file only: START
+# Update timestamps on the files touched by a patch, to avoid non-equal
+# .pyc/.pyo files across the multilib peers within a build, where "Level"
+# is the patch prefix option (e.g.
-p1) +# Taken from specfile for sssd and python-simplejson +UpdateTimestamps() { + Level=$1 + PatchFile=$2 + + # Locate the affected files: + for f in $(diffstat $Level -l $PatchFile); do + # Set the files to have the same timestamp as that of the patch: + touch -r $PatchFile $f + done +} + +%setup -n freeipa-%{VERSION} -q + +for p in %patches ; do + %__patch -p1 -i $p + UpdateTimestamps -p1 $p +done +# RHEL spec file only: END + +%build +export CFLAGS="$CFLAGS %{optflags}" +export CPPFLAGS="$CPPFLAGS %{optflags}" +# use fedora18 platform which is based on fedora16 platform with systemd +# support + fedora18 changes +export SUPPORTED_PLATFORM=fedora18 +# Force re-generate of platform support +rm -f ipapython/services.py +make version-update +cd ipa-client; ../autogen.sh --prefix=%{_usr} --sysconfdir=%{_sysconfdir} --localstatedir=%{_localstatedir} --libdir=%{_libdir} --mandir=%{_mandir}; cd .. +%if ! %{ONLY_CLIENT} +cd daemons; ../autogen.sh --prefix=%{_usr} --sysconfdir=%{_sysconfdir} --localstatedir=%{_localstatedir} --libdir=%{_libdir} --mandir=%{_mandir} --with-openldap; cd .. +cd install; ../autogen.sh --prefix=%{_usr} --sysconfdir=%{_sysconfdir} --localstatedir=%{_localstatedir} --libdir=%{_libdir} --mandir=%{_mandir}; cd .. +%endif # ONLY_CLIENT + +%if ! %{ONLY_CLIENT} +make IPA_VERSION_IS_GIT_SNAPSHOT=no %{?_smp_mflags} all +%else +make IPA_VERSION_IS_GIT_SNAPSHOT=no %{?_smp_mflags} client +%endif # ONLY_CLIENT + +%install +rm -rf %{buildroot} +# use fedora18 platform which is based on fedora16 platform with systemd +# support + fedora18 changes +export SUPPORTED_PLATFORM=fedora18 +# Force re-generate of platform support +rm -f ipapython/services.py +%if ! %{ONLY_CLIENT} +make install DESTDIR=%{buildroot} +# Start RHEL-7.0: Red Hat's Identity Management branding +cp %SOURCE1 %{buildroot}%{_usr}/share/ipa/ui/images/ipa-banner.png +# End RHEL-7.0 +%else +make client-install DESTDIR=%{buildroot} +%endif # ONLY_CLIENT +%find_lang %{gettext_domain} + + +%if ! 
%{ONLY_CLIENT}
+# Remove .la files from libtool - we don't want to package
+# these files
+rm %{buildroot}/%{plugin_dir}/libipa_pwd_extop.la
+rm %{buildroot}/%{plugin_dir}/libipa_enrollment_extop.la
+rm %{buildroot}/%{plugin_dir}/libipa_winsync.la
+rm %{buildroot}/%{plugin_dir}/libipa_repl_version.la
+rm %{buildroot}/%{plugin_dir}/libipa_uuid.la
+rm %{buildroot}/%{plugin_dir}/libipa_modrdn.la
+rm %{buildroot}/%{plugin_dir}/libipa_lockout.la
+rm %{buildroot}/%{plugin_dir}/libipa_cldap.la
+rm %{buildroot}/%{plugin_dir}/libipa_dns.la
+rm %{buildroot}/%{plugin_dir}/libipa_sidgen.la
+rm %{buildroot}/%{plugin_dir}/libipa_sidgen_task.la
+rm %{buildroot}/%{plugin_dir}/libipa_extdom_extop.la
+rm %{buildroot}/%{plugin_dir}/libipa_range_check.la
+rm %{buildroot}/%{_libdir}/krb5/plugins/kdb/ipadb.la
+rm %{buildroot}/%{_libdir}/samba/pdb/ipasam.la
+
+# Some user-modifiable HTML files are provided. Move these to /etc
+# and link back.
+mkdir -p %{buildroot}/%{_sysconfdir}/ipa/html
+mkdir -p %{buildroot}/%{_localstatedir}/cache/ipa/sysrestore
+mkdir -p %{buildroot}/%{_localstatedir}/cache/ipa/sysupgrade
+mkdir %{buildroot}%{_usr}/share/ipa/html/
+ln -s ../../../..%{_sysconfdir}/ipa/html/ffconfig.js \
+ %{buildroot}%{_usr}/share/ipa/html/ffconfig.js
+ln -s ../../../..%{_sysconfdir}/ipa/html/ffconfig_page.js \
+ %{buildroot}%{_usr}/share/ipa/html/ffconfig_page.js
+ln -s ../../../..%{_sysconfdir}/ipa/html/ssbrowser.html \
+ %{buildroot}%{_usr}/share/ipa/html/ssbrowser.html
+ln -s ../../../..%{_sysconfdir}/ipa/html/unauthorized.html \
+ %{buildroot}%{_usr}/share/ipa/html/unauthorized.html
+ln -s ../../../..%{_sysconfdir}/ipa/html/browserconfig.html \
+ %{buildroot}%{_usr}/share/ipa/html/browserconfig.html
+ln -s ../../../..%{_sysconfdir}/ipa/html/ipa_error.css \
+ %{buildroot}%{_usr}/share/ipa/html/ipa_error.css
+
+# So we can own our Apache configuration
+mkdir -p %{buildroot}%{_sysconfdir}/httpd/conf.d/
+/bin/touch %{buildroot}%{_sysconfdir}/httpd/conf.d/ipa.conf
+/bin/touch
%{buildroot}%{_sysconfdir}/httpd/conf.d/ipa-pki-proxy.conf
+/bin/touch %{buildroot}%{_sysconfdir}/httpd/conf.d/ipa-rewrite.conf
+mkdir -p %{buildroot}%{_usr}/share/ipa/html/
+/bin/touch %{buildroot}%{_usr}/share/ipa/html/ca.crt
+/bin/touch %{buildroot}%{_usr}/share/ipa/html/configure.jar
+/bin/touch %{buildroot}%{_usr}/share/ipa/html/kerberosauth.xpi
+/bin/touch %{buildroot}%{_usr}/share/ipa/html/krb.con
+/bin/touch %{buildroot}%{_usr}/share/ipa/html/krb.js
+/bin/touch %{buildroot}%{_usr}/share/ipa/html/krb5.ini
+/bin/touch %{buildroot}%{_usr}/share/ipa/html/krbrealm.con
+/bin/touch %{buildroot}%{_usr}/share/ipa/html/preferences.html
+mkdir -p %{buildroot}%{_initrddir}
+mkdir %{buildroot}%{_sysconfdir}/sysconfig/
+install -m 644 init/ipa_memcached.conf %{buildroot}%{_sysconfdir}/sysconfig/ipa_memcached
+
+# Web UI plugin dir
+mkdir -p %{buildroot}%{_usr}/share/ipa/ui/js/plugins
+
+# NOTE: systemd specific section
+mkdir -p %{buildroot}%{_prefix}/lib/tmpfiles.d
+install -m 0644 init/systemd/ipa.conf.tmpfiles %{buildroot}%{_prefix}/lib/tmpfiles.d/%{name}.conf
+# END
+
+mkdir -p %{buildroot}%{_localstatedir}/run/
+install -d -m 0700 %{buildroot}%{_localstatedir}/run/ipa_memcached/
+install -d -m 0700 %{buildroot}%{_localstatedir}/run/ipa/
+
+mkdir -p %{buildroot}%{_libdir}/krb5/plugins/libkrb5
+touch %{buildroot}%{_libdir}/krb5/plugins/libkrb5/winbind_krb5_locator.so
+
+# NOTE: systemd specific section
+mkdir -p %{buildroot}%{_unitdir}
+install -m 644 init/systemd/ipa.service %{buildroot}%{_unitdir}/ipa.service
+install -m 644 init/systemd/ipa_memcached.service %{buildroot}%{_unitdir}/ipa_memcached.service
+# END
+
+mkdir -p %{buildroot}/%{_localstatedir}/lib/ipa/backup
+%endif # ONLY_CLIENT
+
+mkdir -p %{buildroot}%{_sysconfdir}/ipa/
+/bin/touch %{buildroot}%{_sysconfdir}/ipa/default.conf
+/bin/touch %{buildroot}%{_sysconfdir}/ipa/ca.crt
+mkdir -p %{buildroot}/%{_localstatedir}/lib/ipa-client/sysrestore
+
+%if !
%{ONLY_CLIENT}
+mkdir -p %{buildroot}%{_sysconfdir}/bash_completion.d
+install -pm 644 contrib/completion/ipa.bash_completion %{buildroot}%{_sysconfdir}/bash_completion.d/ipa
+mkdir -p %{buildroot}%{_sysconfdir}/cron.d
+
+(cd %{buildroot}/%{python_sitelib}/ipaserver && find . -type f | \
+ grep -v dcerpc | grep -v adtrustinstance | \
+ sed -e 's,\.py.*$,.*,g' | sort -u | \
+ sed -e 's,\./,%%{python_sitelib}/ipaserver/,g' ) >server-python.list
+
+(cd %{buildroot}/%{python_sitelib}/ipatests && find . -type f | \
+ sed -e 's,\.py.*$,.*,g' | sort -u | \
+ sed -e 's,\./,%%{python_sitelib}/ipatests/,g' ) >tests-python.list
+%endif # ONLY_CLIENT
+
+%clean
+rm -rf %{buildroot}
+
+%if ! %{ONLY_CLIENT}
+%post server
+# NOTE: systemd specific section
+ /bin/systemctl --system daemon-reload 2>&1 || :
+# END
+if [ $1 -gt 1 ] ; then
+ /bin/systemctl condrestart certmonger.service 2>&1 || :
+fi
+
+%posttrans server
+# This must be run in posttrans so that updates from previous
+# execution that may no longer be shipped are not applied.
+/usr/sbin/ipa-ldap-updater --upgrade --quiet >/dev/null || :
+/usr/sbin/ipa-upgradeconfig --quiet >/dev/null || :
+
+# Restart IPA processes. This must be also run in postrans so that plugins
+# and software is in consistent state
+python -c "import sys; from ipaserver.install import installutils; sys.exit(0 if installutils.is_ipa_configured() else 1);" > /dev/null 2>&1
+# NOTE: systemd specific section
+if [ $? -eq 0 ]; then
+ /bin/systemctl try-restart ipa.service >/dev/null 2>&1 || :
+fi
+# END
+
+%preun server
+if [ $1 = 0 ]; then
+# NOTE: systemd specific section
+ /bin/systemctl --quiet stop ipa.service || :
+ /bin/systemctl --quiet disable ipa.service || :
+# END
+fi
+
+%pre server
+# Stop ipa_kpasswd if it exists before upgrading so we don't have a
+# zombie process when we're done.
+if [ -e /usr/sbin/ipa_kpasswd ]; then
+# NOTE: systemd specific section
+ /bin/systemctl stop ipa_kpasswd.service >/dev/null 2>&1 || :
+# END
+fi
+
+%postun server-trust-ad
+if [ "$1" -ge "1" ]; then
+ if [ "`readlink %{_sysconfdir}/alternatives/winbind_krb5_locator.so`" == "/dev/null" ]; then
+ %{_sbindir}/alternatives --set winbind_krb5_locator.so /dev/null
+ fi
+fi
+
+%post server-trust-ad
+%{_sbindir}/update-alternatives --install %{_libdir}/krb5/plugins/libkrb5/winbind_krb5_locator.so \
+ winbind_krb5_locator.so /dev/null 90
+
+%posttrans server-trust-ad
+python -c "import sys; from ipaserver.install import installutils; sys.exit(0 if installutils.is_ipa_configured() else 1);" > /dev/null 2>&1
+if [ $? -eq 0 ]; then
+# NOTE: systemd specific section
+ /bin/systemctl try-restart httpd.service >/dev/null 2>&1 || :
+# END
+fi
+
+%preun server-trust-ad
+if [ $1 -eq 0 ]; then
+ %{_sbindir}/update-alternatives --remove winbind_krb5_locator.so /dev/null
+fi
+%endif # ONLY_CLIENT
+
+%post client
+if [ $1 -gt 1 ] ; then
+ # Has the client been configured?
+ restore=0
+ test -f '/var/lib/ipa-client/sysrestore/sysrestore.index' && restore=$(wc -l '/var/lib/ipa-client/sysrestore/sysrestore.index' | awk '{print $1}')
+
+ if [ -f '/etc/sssd/sssd.conf' -a $restore -ge 2 ]; then
+ if ! grep -E -q '/var/lib/sss/pubconf/krb5.include.d/' /etc/krb5.conf 2>/dev/null ; then
+ echo "includedir /var/lib/sss/pubconf/krb5.include.d/" > /etc/krb5.conf.ipanew
+ cat /etc/krb5.conf >> /etc/krb5.conf.ipanew
+ mv /etc/krb5.conf.ipanew /etc/krb5.conf
+ /sbin/restorecon /etc/krb5.conf
+ fi
+ fi
+fi
+
+%triggerin -n ipa-client -- openssh-server
+# Has the client been configured?
+restore=0
+test -f '/var/lib/ipa-client/sysrestore/sysrestore.index' && restore=$(wc -l '/var/lib/ipa-client/sysrestore/sysrestore.index' | awk '{print $1}')
+
+if [ -f '/etc/ssh/sshd_config' -a $restore -ge 2 ]; then
+ if grep -E -q '^(AuthorizedKeysCommand /usr/bin/sss_ssh_authorizedkeys|PubKeyAgent /usr/bin/sss_ssh_authorizedkeys %u)$' /etc/ssh/sshd_config 2>/dev/null; then
+ sed -r '
+ /^(AuthorizedKeysCommand(User|RunAs)|PubKeyAgentRunAs)[ \t]/ d
+ ' /etc/ssh/sshd_config >/etc/ssh/sshd_config.ipanew
+
+ if /usr/sbin/sshd -t -f /dev/null -o 'AuthorizedKeysCommand=/usr/bin/sss_ssh_authorizedkeys' -o 'AuthorizedKeysCommandUser=nobody'; then
+ sed -ri '
+ s/^PubKeyAgent (.+) %u$/AuthorizedKeysCommand \1/
+ s/^AuthorizedKeysCommand .*$/\0\nAuthorizedKeysCommandUser nobody/
+ ' /etc/ssh/sshd_config.ipanew
+ elif /usr/sbin/sshd -t -f /dev/null -o 'AuthorizedKeysCommand=/usr/bin/sss_ssh_authorizedkeys' -o 'AuthorizedKeysCommandRunAs=nobody'; then
+ sed -ri '
+ s/^PubKeyAgent (.+) %u$/AuthorizedKeysCommand \1/
+ s/^AuthorizedKeysCommand .*$/\0\nAuthorizedKeysCommandRunAs nobody/
+ ' /etc/ssh/sshd_config.ipanew
+ elif /usr/sbin/sshd -t -f /dev/null -o 'PubKeyAgent=/usr/bin/sss_ssh_authorizedkeys %u' -o 'PubKeyAgentRunAs=nobody'; then
+ sed -ri '
+ s/^AuthorizedKeysCommand (.+)$/PubKeyAgent \1 %u/
+ s/^PubKeyAgent .*$/\0\nPubKeyAgentRunAs nobody/
+ ' /etc/ssh/sshd_config.ipanew
+ fi
+
+ mv /etc/ssh/sshd_config.ipanew /etc/ssh/sshd_config
+ /sbin/restorecon /etc/ssh/sshd_config
+ chmod 600 /etc/ssh/sshd_config
+
+ /bin/systemctl condrestart sshd.service 2>&1 || :
+ fi
+fi
+
+%if !
%{ONLY_CLIENT}
+%files server -f server-python.list
+%defattr(-,root,root,-)
+%doc COPYING README Contributors.txt
+%{_sbindir}/ipa-backup
+%{_sbindir}/ipa-restore
+%{_sbindir}/ipa-ca-install
+%{_sbindir}/ipa-dns-install
+%{_sbindir}/ipa-server-install
+%{_sbindir}/ipa-replica-conncheck
+%{_sbindir}/ipa-replica-install
+%{_sbindir}/ipa-replica-prepare
+%{_sbindir}/ipa-replica-manage
+%{_sbindir}/ipa-csreplica-manage
+%{_sbindir}/ipa-server-certinstall
+%{_sbindir}/ipa-ldap-updater
+%{_sbindir}/ipa-compat-manage
+%{_sbindir}/ipa-nis-manage
+%{_sbindir}/ipa-managed-entries
+%{_sbindir}/ipactl
+%{_sbindir}/ipa-upgradeconfig
+%{_sbindir}/ipa-advise
+%{_libexecdir}/certmonger/dogtag-ipa-retrieve-agent-submit
+%{_libexecdir}/ipa-otpd
+%config(noreplace) %{_sysconfdir}/sysconfig/ipa_memcached
+%dir %attr(0700,apache,apache) %{_localstatedir}/run/ipa_memcached/
+%dir %attr(0700,root,root) %{_localstatedir}/run/ipa/
+# NOTE: systemd specific section
+%{_prefix}/lib/tmpfiles.d/%{name}.conf
+%attr(644,root,root) %{_unitdir}/ipa.service
+%attr(644,root,root) %{_unitdir}/ipa_memcached.service
+# END
+%attr(644,root,root) %{_unitdir}/ipa-otpd.socket
+%attr(644,root,root) %{_unitdir}/ipa-otpd@.service
+%dir %{python_sitelib}/ipaserver
+%dir %{python_sitelib}/ipaserver/install
+%dir %{python_sitelib}/ipaserver/install/plugins
+%dir %{python_sitelib}/ipaserver/advise
+%dir %{python_sitelib}/ipaserver/advise/plugins
+%dir %{python_sitelib}/ipaserver/plugins
+%dir %{_libdir}/ipa/certmonger
+%attr(755,root,root) %{_libdir}/ipa/certmonger/*
+%dir %{_usr}/share/ipa
+%{_usr}/share/ipa/wsgi.py*
+%{_usr}/share/ipa/copy-schema-to-ca.py*
+%{_usr}/share/ipa/*.ldif
+%{_usr}/share/ipa/*.uldif
+%{_usr}/share/ipa/*.template
+%dir %{_usr}/share/ipa/advise
+%dir %{_usr}/share/ipa/advise/legacy
+%{_usr}/share/ipa/advise/legacy/*.template
+%dir %{_usr}/share/ipa/ffextension
+%{_usr}/share/ipa/ffextension/bootstrap.js
+%{_usr}/share/ipa/ffextension/install.rdf
+%{_usr}/share/ipa/ffextension/chrome.manifest
+%dir %{_usr}/share/ipa/ffextension/chrome
+%dir %{_usr}/share/ipa/ffextension/chrome/content
+%{_usr}/share/ipa/ffextension/chrome/content/kerberosauth.js
+%{_usr}/share/ipa/ffextension/chrome/content/kerberosauth_overlay.xul
+%dir %{_usr}/share/ipa/ffextension/locale
+%dir %{_usr}/share/ipa/ffextension/locale/en-US
+%{_usr}/share/ipa/ffextension/locale/en-US/kerberosauth.properties
+%dir %{_usr}/share/ipa/html
+%{_usr}/share/ipa/html/ffconfig.js
+%{_usr}/share/ipa/html/ffconfig_page.js
+%{_usr}/share/ipa/html/ssbrowser.html
+%{_usr}/share/ipa/html/browserconfig.html
+%{_usr}/share/ipa/html/unauthorized.html
+%{_usr}/share/ipa/html/ipa_error.css
+%dir %{_usr}/share/ipa/migration
+%{_usr}/share/ipa/migration/error.html
+%{_usr}/share/ipa/migration/index.html
+%{_usr}/share/ipa/migration/invalid.html
+%{_usr}/share/ipa/migration/migration.py*
+%dir %{_usr}/share/ipa/ui
+%{_usr}/share/ipa/ui/index.html
+%{_usr}/share/ipa/ui/login.html
+%{_usr}/share/ipa/ui/logout.html
+%{_usr}/share/ipa/ui/reset_password.html
+%{_usr}/share/ipa/ui/*.ico
+%{_usr}/share/ipa/ui/*.css
+%{_usr}/share/ipa/ui/*.js
+%{_usr}/share/ipa/ui/*.eot
+%{_usr}/share/ipa/ui/*.svg
+%{_usr}/share/ipa/ui/*.ttf
+%{_usr}/share/ipa/ui/*.woff
+%dir %{_usr}/share/ipa/ui/js/dojo
+%{_usr}/share/ipa/ui/js/dojo/dojo.js
+%dir %{_usr}/share/ipa/ui/js/libs
+%{_usr}/share/ipa/ui/js/libs/*.js
+%dir %{_usr}/share/ipa/ui/js/freeipa
+%{_usr}/share/ipa/ui/js/freeipa/app.js
+%dir %{_usr}/share/ipa/ui/js/plugins
+%dir %{_usr}/share/ipa/ui/images
+%{_usr}/share/ipa/ui/images/*.png
+%{_usr}/share/ipa/ui/images/*.gif
+%dir %{_usr}/share/ipa/wsgi
+%{_usr}/share/ipa/wsgi/plugins.py*
+%dir %{_sysconfdir}/ipa
+%dir %{_sysconfdir}/ipa/html
+%config(noreplace) %{_sysconfdir}/ipa/html/ffconfig.js
+%config(noreplace) %{_sysconfdir}/ipa/html/ffconfig_page.js
+%config(noreplace) %{_sysconfdir}/ipa/html/ssbrowser.html
+%config(noreplace) %{_sysconfdir}/ipa/html/ipa_error.css
+%config(noreplace) %{_sysconfdir}/ipa/html/unauthorized.html
+%config(noreplace) %{_sysconfdir}/ipa/html/browserconfig.html
+%ghost %attr(0644,root,apache) %config(noreplace) %{_sysconfdir}/httpd/conf.d/ipa-rewrite.conf
+%ghost %attr(0644,root,apache) %config(noreplace) %{_sysconfdir}/httpd/conf.d/ipa.conf
+%ghost %attr(0644,root,apache) %config(noreplace) %{_sysconfdir}/httpd/conf.d/ipa-pki-proxy.conf
+%{_usr}/share/ipa/ca_renewal
+%{_usr}/share/ipa/ipa.conf
+%{_usr}/share/ipa/ipa-rewrite.conf
+%{_usr}/share/ipa/ipa-pki-proxy.conf
+%ghost %attr(0644,root,apache) %config(noreplace) %{_usr}/share/ipa/html/ca.crt
+%ghost %attr(0644,root,apache) %{_usr}/share/ipa/html/configure.jar
+%ghost %attr(0644,root,apache) %{_usr}/share/ipa/html/kerberosauth.xpi
+%ghost %attr(0644,root,apache) %{_usr}/share/ipa/html/krb.con
+%ghost %attr(0644,root,apache) %{_usr}/share/ipa/html/krb.js
+%ghost %attr(0644,root,apache) %{_usr}/share/ipa/html/krb5.ini
+%ghost %attr(0644,root,apache) %{_usr}/share/ipa/html/krbrealm.con
+%ghost %attr(0644,root,apache) %{_usr}/share/ipa/html/preferences.html
+%dir %{_usr}/share/ipa/updates/
+%{_usr}/share/ipa/updates/*
+%attr(755,root,root) %{plugin_dir}/libipa_pwd_extop.so
+%attr(755,root,root) %{plugin_dir}/libipa_enrollment_extop.so
+%attr(755,root,root) %{plugin_dir}/libipa_winsync.so
+%attr(755,root,root) %{plugin_dir}/libipa_repl_version.so
+%attr(755,root,root) %{plugin_dir}/libipa_uuid.so
+%attr(755,root,root) %{plugin_dir}/libipa_modrdn.so
+%attr(755,root,root) %{plugin_dir}/libipa_lockout.so
+%attr(755,root,root) %{plugin_dir}/libipa_cldap.so
+%attr(755,root,root) %{plugin_dir}/libipa_dns.so
+%attr(755,root,root) %{plugin_dir}/libipa_range_check.so
+%dir %{_localstatedir}/lib/ipa
+%attr(700,root,root) %dir %{_localstatedir}/lib/ipa/backup
+%attr(700,root,root) %dir %{_localstatedir}/lib/ipa/sysrestore
+%attr(700,root,root) %dir %{_localstatedir}/lib/ipa/sysupgrade
+%attr(755,root,root) %dir %{_localstatedir}/lib/ipa/pki-ca
+%ghost
%{_localstatedir}/lib/ipa/pki-ca/publish
+%attr(755,root,root) %{_libdir}/krb5/plugins/kdb/ipadb.so
+%{_mandir}/man1/ipa-replica-conncheck.1.gz
+%{_mandir}/man1/ipa-replica-install.1.gz
+%{_mandir}/man1/ipa-replica-manage.1.gz
+%{_mandir}/man1/ipa-csreplica-manage.1.gz
+%{_mandir}/man1/ipa-replica-prepare.1.gz
+%{_mandir}/man1/ipa-server-certinstall.1.gz
+%{_mandir}/man1/ipa-server-install.1.gz
+%{_mandir}/man1/ipa-dns-install.1.gz
+%{_mandir}/man1/ipa-ca-install.1.gz
+%{_mandir}/man1/ipa-compat-manage.1.gz
+%{_mandir}/man1/ipa-nis-manage.1.gz
+%{_mandir}/man1/ipa-managed-entries.1.gz
+%{_mandir}/man1/ipa-ldap-updater.1.gz
+%{_mandir}/man8/ipactl.8.gz
+%{_mandir}/man8/ipa-upgradeconfig.8.gz
+%{_mandir}/man1/ipa-backup.1.gz
+%{_mandir}/man1/ipa-restore.1.gz
+%{_mandir}/man1/ipa-advise.1.gz
+
+%files server-trust-ad
+%{_sbindir}/ipa-adtrust-install
+%attr(755,root,root) %{plugin_dir}/libipa_extdom_extop.so
+%{_usr}/share/ipa/smb.conf.empty
+%attr(755,root,root) %{_libdir}/samba/pdb/ipasam.so
+%attr(755,root,root) %{plugin_dir}/libipa_sidgen.so
+%attr(755,root,root) %{plugin_dir}/libipa_sidgen_task.so
+%{_mandir}/man1/ipa-adtrust-install.1.gz
+%{python_sitelib}/ipaserver/dcerpc*
+%{python_sitelib}/ipaserver/install/adtrustinstance*
+%ghost %{_libdir}/krb5/plugins/libkrb5/winbind_krb5_locator.so
+
+%endif # ONLY_CLIENT
+
+%files client
+%defattr(-,root,root,-)
+%doc COPYING README Contributors.txt
+%{_sbindir}/ipa-client-install
+%{_sbindir}/ipa-client-automount
+%{_sbindir}/ipa-getkeytab
+%{_sbindir}/ipa-rmkeytab
+%{_sbindir}/ipa-join
+%dir %{_usr}/share/ipa
+%dir %{_usr}/share/ipa/ipaclient
+%dir %{_localstatedir}/lib/ipa-client
+%dir %{_localstatedir}/lib/ipa-client/sysrestore
+%{_usr}/share/ipa/ipaclient/ipa.cfg
+%{_usr}/share/ipa/ipaclient/ipa.js
+%dir %{python_sitelib}/ipaclient
+%{python_sitelib}/ipaclient/*.py*
+%{_mandir}/man1/ipa-getkeytab.1.gz
+%{_mandir}/man1/ipa-rmkeytab.1.gz
+%{_mandir}/man1/ipa-client-install.1.gz
+%{_mandir}/man1/ipa-client-automount.1.gz
+%{_mandir}/man1/ipa-join.1.gz
+%{_mandir}/man5/default.conf.5.gz
+
+%if ! %{ONLY_CLIENT}
+%files admintools
+%defattr(-,root,root,-)
+%doc COPYING README Contributors.txt
+%{_bindir}/ipa
+%config %{_sysconfdir}/bash_completion.d
+%{_mandir}/man1/ipa.1.gz
+%endif # ONLY_CLIENT
+
+%files python -f %{gettext_domain}.lang
+%defattr(-,root,root,-)
+%doc COPYING README Contributors.txt
+%dir %{python_sitelib}/ipapython
+%dir %{python_sitelib}/ipapython/platform
+%dir %{python_sitelib}/ipapython/platform/base
+%dir %{python_sitelib}/ipapython/platform/fedora16
+%dir %{python_sitelib}/ipapython/platform/fedora18
+%dir %{python_sitelib}/ipapython/platform/redhat
+%{python_sitelib}/ipapython/*.py*
+%{python_sitelib}/ipapython/platform/*.py*
+%{python_sitelib}/ipapython/platform/base/*.py*
+%{python_sitelib}/ipapython/platform/fedora16/*.py*
+%{python_sitelib}/ipapython/platform/fedora18/*.py*
+%{python_sitelib}/ipapython/platform/redhat/*.py*
+%dir %{python_sitelib}/ipalib
+%{python_sitelib}/ipalib/*
+%attr(0644,root,root) %{python_sitearch}/default_encoding_utf8.so
+%{python_sitelib}/ipapython-*.egg-info
+%{python_sitelib}/freeipa-*.egg-info
+%{python_sitearch}/python_default_encoding-*.egg-info
+%dir %attr(0755,root,root) %{_sysconfdir}/ipa/
+%ghost %attr(0644,root,apache) %config(noreplace) %{_sysconfdir}/ipa/default.conf
+%ghost %attr(0644,root,apache) %config(noreplace) %{_sysconfdir}/ipa/ca.crt
+
+%if !
%{ONLY_CLIENT}
+%files tests -f tests-python.list
+%defattr(-,root,root,-)
+%doc COPYING README Contributors.txt
+%dir %{python_sitelib}/ipatests
+%dir %{python_sitelib}/ipatests/test_cmdline
+%dir %{python_sitelib}/ipatests/test_install
+%dir %{python_sitelib}/ipatests/test_ipalib
+%dir %{python_sitelib}/ipatests/test_ipapython
+%dir %{python_sitelib}/ipatests/test_ipaserver
+%dir %{python_sitelib}/ipatests/test_ipaserver/install
+%dir %{python_sitelib}/ipatests/test_pkcs10
+%dir %{python_sitelib}/ipatests/test_webui
+%dir %{python_sitelib}/ipatests/test_xmlrpc
+%{_bindir}/ipa-run-tests
+%{_bindir}/ipa-test-config
+%{_bindir}/ipa-test-task
+%{python_sitelib}/ipatests-*.egg-info
+%{_mandir}/man1/ipa-run-tests.1.gz
+%{_mandir}/man1/ipa-test-config.1.gz
+%{_mandir}/man1/ipa-test-task.1.gz
+%endif # ONLY_CLIENT
+
+%changelog
+* Fri Nov 22 2013 Martin Kosek - 3.3.3-5
+- Trust add tries to add same value of --base-id for sub domain,
+ causing an error (#1033068)
+- Improved error reporting for adding trust case (#1029856)
+
+* Wed Nov 13 2013 Martin Kosek - 3.3.3-4
+- Winsync agreement cannot be created (#1023085)
+
+* Wed Nov 6 2013 Martin Kosek - 3.3.3-3
+- Installer did not detect different server and IPA domain (#1026845)
+- Allow kernel keyring CCACHE when supported (#1026861)
+
+* Tue Nov 5 2013 Martin Kosek - 3.3.3-2
+- ipa-server-install crashes when AD subpackage is not installed (#1026434)
+
+* Fri Nov 1 2013 Martin Kosek - 3.3.3-1
+- Update to upstream 3.3.3 (#991064)
+
+* Tue Oct 29 2013 Martin Kosek - 3.3.2-5
+- Temporarily move ipa-backup and ipa-restore functionality
+ back to make them available in public Beta (#1003933)
+
+* Tue Oct 29 2013 Martin Kosek - 3.3.2-4
+- Server install failure during client enrollment shouldn't
+ roll back (#1023086)
+- nsds5ReplicaStripAttrs are not set on agreements (#1023085)
+- ipa-server conflicts with mod_ssl (#1018172)
+
+* Wed Oct 16 2013 Martin Kosek - 3.3.2-3
+- Reinstalling ipa server hangs when configuring
certificate
+ server (#1018804)
+
+* Fri Oct 11 2013 Martin Kosek - 3.3.2-2
+- Deprecate --serial-autoincrement option (#1016645)
+- CA installation always failed on replica (#1005446)
+- Re-initializing a winsync connection exited with error (#994980)
+
+* Fri Oct 4 2013 Martin Kosek - 3.3.2-1
+- Update to upstream 3.3.2 (#991064)
+- Add delegation info to MS-PAC (#915799)
+- Warn about incompatibility with AD when IPA realm and domain
+ differs (#1009044)
+- Allow PKCS#12 files with empty password in install tools (#1002639)
+- Privilege "SELinux User Map Administrators" did not list
+ permissions (#997085)
+- SSH key upload broken when client joins an older server (#1009024)
+
+* Mon Sep 23 2013 Martin Kosek - 3.3.1-5
+- Remove dependency on python-paramiko (#1002884)
+- Broken redirection when deleting last entry of DNS resource
+ record (#1006360)
+
+* Tue Sep 10 2013 Martin Kosek - 3.3.1-4
+- Remove ipa-backup and ipa-restore functionality from RHEL (#1003933)
+
+* Mon Sep 9 2013 Martin Kosek - 3.3.1-3
+- Replica installation fails for RHEL 6.4 master (#1004680)
+- Server uninstallation crashes if DS is not available (#998069)
+
+* Thu Sep 5 2013 Martin Kosek - 3.3.1-2
+- Unable to remove replica by ipa-replica-manage (#1001662)
+- Before uninstalling a server, warn about active replicas (#998069)
+
+* Thu Aug 29 2013 Rob Crittenden - 3.3.1-1
+- Update to upstream 3.3.1 (#991064)
+- Update minimum version of bind-dyndb-ldap to 3.5
+
+* Tue Aug 20 2013 Rob Crittenden - 3.3.0-7
+- Fix replica installation failing on certificate subject (#983075)
+
+* Tue Aug 13 2013 Martin Kosek - 3.3.0-6
+- Allow ipa-tests to work with older version (1.7.7) of python-paramiko
+
+* Tue Aug 13 2013 Martin Kosek - 3.3.0-5
+- Prevent multilib failures in *.pyo and *.pyc files
+
+* Mon Aug 12 2013 Martin Kosek - 3.3.0-4
+- ipa-server-install fails if --subject parameter is other than default
+ realm (#983075)
+- do not allow configuring bind-dyndb-ldap without persistent search
(#967876)
+
+* Mon Aug 12 2013 Martin Kosek - 3.3.0-3
+- diffstat was missing as a build dependency causing multilib problems
+
+* Thu Aug 8 2013 Martin Kosek - 3.3.0-2
+- Remove ipa-server-selinux obsoletes as upgrades from version prior to
+ 3.3.0 are not allowed
+- Wrap server-trust-ad subpackage description better
+- Add (noreplace) flag for \%{_sysconfdir}/tmpfiles.d/ipa.conf
+- Change permissions on default_encoding_utf8.so to fix ipa-python Provides
+
+* Thu Aug 8 2013 Martin Kosek - 3.3.0-1
+- Update to upstream 3.3.0 (#991064)
+
+* Thu Aug 8 2013 Martin Kosek - 3.3.0-0.2.beta2
+- Require slapi-nis 0.47.7 delivering a core feature of 3.3.0 release
+
+* Wed Aug 7 2013 Martin Kosek - 3.3.0-0.1.beta2
+- Update to upstream 3.3.0 Beta 2 (#991064)
+
+* Thu Jul 18 2013 Martin Kosek - 3.2.2-1
+- Update to upstream 3.2.2
+- Drop ipa-server-selinux subpackage
+- Drop redundant directory /var/cache/ipa/sessions
+- Do not create /var/lib/ipa/pki-ca/publish, retain reference as ghost
+- Run ipa-upgradeconfig and server restart in posttrans to avoid inconsistency
+ issues when there are still old parts of software (like entitlements plugin)
+
+* Fri Jun 14 2013 Martin Kosek - 3.2.1-1
+- Update to upstream 3.2.1
+- Drop dogtag-pki-server-theme requires, it won't be build for RHEL-7.0
+
+* Tue May 14 2013 Rob Crittenden - 3.2.0-2
+- Add OTP patches
+- Add patch to set KRB5CCNAME for 389-ds-base
+
+* Fri May 10 2013 Rob Crittenden - 3.2.0-1
+- Update to upstream 3.2.0 GA
+- ipa-client-install fails if /etc/ipa does not exist (#961483)
+- Certificate status is not visible in Service and Host page (#956718)
+- ipa-client-install removes needed options from ldap.conf (#953991)
+- Handle socket.gethostbyaddr() exceptions when verifying hostnames (#953957)
+- Add triggerin scriptlet to support OpenSSH 6.2 (#953617)
+- Require nss 3.14.3-12.0 to address certutil certificate import
+ errors (#953485)
+- Require pki-ca 10.0.2-3 to pull in fix for sslget and mixed IPv4/6
+
environments. (#953464)
+- ipa-client-install removes 'sss' from /etc/nsswitch.conf (#953453)
+- ipa-server-install --uninstall doesn't stop dirsrv instances (#953432)
+- Add requires for openldap-2.4.35-4 to pickup fixed SASL_NOCANON behavior for
+ socket based connections (#960222)
+- Require libsss_nss_idmap-python
+- Add Conflicts on nss-pam-ldapd < 0.8.4. The mapping from uniqueMember to
+ member is now done automatically and having it in the config file raises
+ an error.
+- Add backup and restore tools, directory.
+- require at least systemd 38 which provides the journal (we no longer
+ need to require syslog.target)
+- Update Requires on policycoreutils to 2.1.14-37
+- Update Requires on selinux-policy to 3.12.1-42
+- Update Requires on 389-ds-base to 1.3.1.0
+- Remove a Requires for java-atk-wrapper
+
+* Tue Apr 23 2013 Rob Crittenden - 3.2.0-0.4.beta1
+- Remove release from krb5-server in strict sub-package to allow for rebuilds.
+
+* Mon Apr 22 2013 Rob Crittenden - 3.2.0-0.3.beta1
+- Add a Requires for java-atk-wrapper until we can determine which package
+ should be pulling it in, dogtag or tomcat.
+
+* Tue Apr 16 2013 Rob Crittenden - 3.2.0-0.2.beta1
+- Update to upstream 3.2.0 Beta 1
+
+* Tue Apr 2 2013 Martin Kosek - 3.2.0-0.1.pre1
+- Update to upstream 3.2.0 Prerelease 1
+- Use upstream reference spec file as a base for Fedora spec file
+
+* Sat Mar 30 2013 Kevin Fenzi 3.1.2-4
+- Rebuild for broken deps
+- Fix 389-ds-base strict dep to be 1.3.0.5 and krb5-server 1.11.1
+
+* Sat Feb 23 2013 Kevin Fenzi - 3.1.2-3
+- Rebuild for broken deps in rawhide
+- Fix 389-ds-base strict dep to be 1.3.0.3
+
+* Wed Feb 13 2013 Fedora Release Engineering - 3.1.2-2
+- Rebuilt for https://fedoraproject.org/wiki/Fedora_19_Mass_Rebuild
+
+* Wed Jan 23 2013 Rob Crittenden - 3.1.2-1
+- Update to upstream 3.1.2
+- CVE-2012-4546: Incorrect CRLs publishing
+- CVE-2012-5484: MITM Attack during Join process
+- CVE-2013-0199: Cross-Realm Trust key leak
+- Updated strict dependencies to 389-ds-base = 1.3.0.2 and
+ pki-ca = 10.0.1
+
+* Thu Dec 20 2012 Martin Kosek - 3.1.0-2
+- Remove redundat Requires versions that are already in Fedora 17
+- Replace python-crypto Requires with m2crypto
+- Add missing Requires(post) for client and server-trust-ad subpackages
+- Restart httpd service when server-trust-ad subpackage is installed
+- Bump selinux-policy Requires to pick up PKI/LDAP port labeling fixes
+
+* Mon Dec 10 2012 Rob Crittenden - 3.1.0-1
+- Updated to upstream 3.1.0 GA
+- Set minimum for sssd to 1.9.2
+- Set minimum for pki-ca to 10.0.0-1
+- Set minimum for 389-ds-base to 1.3.0
+- Set minimum for selinux-policy to 3.11.1-60
+- Remove unneeded dogtag package requires
+
+* Tue Oct 23 2012 Martin Kosek - 3.0.0-3
+- Update Requires on krb5-server to 1.11
+
+* Fri Oct 12 2012 Rob Crittenden - 3.0.0-2
+- Configure CA replication to use TLS instead of SSL
+
+* Fri Oct 12 2012 Rob Crittenden - 3.0.0-1
+- Updated to upstream 3.0.0 GA
+- Set minimum for samba to 4.0.0-153.
+- Make sure server-trust-ad subpackage alternates winbind_krb5_locator.so
+ plugin to /dev/null since they cannot be used when trusts are configured
+- Restrict krb5-server to 1.10.
+- Update BR for 389-ds-base to 1.3.0
+- Add directory /var/lib/ipa/pki-ca/publish for CRL published by pki-ca
+- Add Requires on zip for generating FF browser extension
+
+* Fri Oct 5 2012 Rob Crittenden - 3.0.0-0.10
+- Updated to upstream 3.0.0 rc 2
+- Include new FF configuration extension
+- Set minimum Requires of selinux-policy to 3.11.1-33
+- Set minimum Requires dogtag to 10.0.0-0.43.b1
+- Add new optional strict sub-package to allow users to limit other
+ package upgrades.
+
+* Tue Oct 2 2012 Martin Kosek - 3.0.0-0.9
+- Require samba packages instead of obsoleted samba4 packages
+
+* Fri Sep 21 2012 Rob Crittenden - 3.0.0-0.8
+- Updated to upstream 3.0.0 rc 1
+- Update BR for 389-ds-base to 1.2.11.14
+- Update BR for krb5 to 1.10
+- Update BR for samba4-devel to 4.0.0-139 (rc1)
+- Add BR for python-polib
+- Update BR and Requires on sssd to 1.9.0
+- Update Requires on policycoreutils to 2.1.12-5
+- Update Requires on 389-ds-base to 1.2.11.14
+- Update Requires on selinux-policy to 3.11.1-21
+- Update Requires on dogtag to 10.0.0-0.33.a1
+- Update Requires on certmonger to 0.60
+- Update Requires on tomcat to 7.0.29
+- Update minimum version of bind to 9.9.1-10.P3
+- Update minimum version of bind-dyndb-ldap to 1.1.0-0.16.rc1
+- Remove Requires on authconfig from python sub-package
+
+* Wed Sep 5 2012 Rob Crittenden - 3.0.0-0.7
+- Rebuild against samba4 beta8
+
+* Fri Aug 31 2012 Rob Crittenden - 3.0.0-0.6
+- Rebuild against samba4 beta7
+
+* Wed Aug 22 2012 Alexander Bokovoy - 3.0.0-0.5
+- Adopt to samba4 beta6 (libsecurity -> libsamba-security)
+- Add dependency to samba4-winbind
+
+* Fri Aug 17 2012 Rob Crittenden - 3.0.0-0.4
+- Updated to upstream 3.0.0 beta 2
+
+* Mon Aug 6 2012 Martin Kosek - 3.0.0-0.3
+- Updated to current upstream state of 3.0.0 beta 2 development
+
+*
Mon Jul 23 2012 Alexander Bokovoy - 3.0.0-0.2 +- Rebuild against samba4 beta4 + +* Mon Jul 2 2012 Rob Crittenden - 3.0.0-0.1 +- Updated to upstream 3.0.0 beta 1 + +* Thu May 3 2012 Rob Crittenden - 2.2.0-1 +- Updated to upstream 2.2.0 GA +- Update minimum n-v-r of certmonger to 0.53 +- Update minimum n-v-r of slapi-nis to 0.40 +- Add Requires in client to oddjob-mkhomedir and python-krbV +- Update minimum selinux-policy to 3.10.0-110 + +* Mon Mar 19 2012 Rob Crittenden - 2.1.90-0.2 +- Update to upstream 2.2.0 beta 1 (2.1.90.rc1) +- Set minimum n-v-r for pki-ca and pki-silent to 9.0.18. +- Add Conflicts on mod_ssl +- Update minimum n-v-r of 389-ds-base to 1.2.10.4 +- Update minimum n-v-r of sssd to 1.8.0 +- Update minimum n-v-r of slapi-nis to 0.38 +- Update minimum n-v-r of pki-* to 9.0.18 +- Update conflicts on bind-dyndb-ldap to < 1.1.0-0.9.b1 +- Update conflicts on bind to < 9.9.0-1 +- Drop requires on krb5-server-ldap +- Add patch to remove escaping arguments to pkisilent + +* Mon Feb 06 2012 Rob Crittenden - 2.1.90-0.1 +- Update to upstream 2.2.0 alpha 1 (2.1.90.pre1) + +* Wed Feb 01 2012 Alexander Bokovoy - 2.1.4-5 +- Force to use 389-ds 1.2.10-0.8.a7 or above +- Improve upgrade script to handle systemd 389-ds change +- Fix freeipa to work with python-ldap 2.4.6 + +* Wed Jan 11 2012 Martin Kosek - 2.1.4-4 +- Fix ipa-replica-install crashes +- Fix ipa-server-install and ipa-dns-install logging +- Set minimum version of pki-ca to 9.0.17 to fix sslget problem + caused by FEDORA-2011-17400 update (#771357) + +* Wed Dec 21 2011 Alexander Bokovoy - 2.1.4-3 +- Allow Web-based migration to work with tightened SE Linux policy (#769440) +- Rebuild slapi plugins against re-enterant version of libldap + +* Sun Dec 11 2011 Alexander Bokovoy - 2.1.4-2 +- Allow longer dirsrv startup with systemd: + - IPAdmin class will wait until dirsrv instance is available up to 10 seconds + - Helps with restarts during upgrade for ipa-ldap-updater +- Fix pylint warnings from F16 and 
Rawhide + +* Tue Dec 6 2011 Rob Crittenden - 2.1.4-1 +- Update to upstream 2.1.4 (CVE-2011-3636) + +* Mon Dec 5 2011 Rob Crittenden - 2.1.3-8 +- Update SELinux policy to allow ipa_kpasswd to connect ldap and + read /dev/urandom. (#759679) + +* Wed Nov 30 2011 Alexander Bokovoy - 2.1.3-7 +- Fix wrong path in packaging freeipa-systemd-upgrade + +* Wed Nov 30 2011 Alexander Bokovoy - 2.1.3-6 +- Introduce upgrade script to recover existing configuration after systemd migration + as user has no means to recover FreeIPA from systemd migration +- Upgrade script: + - recovers symlinks in Dogtag instance install + - recovers systemd configuration for FreeIPA's directory server instances + - recovers freeipa.service + - migrates directory server and KDC configs to use proper keytabs for systemd services + +* Wed Oct 26 2011 Fedora Release Engineering - 2.1.3-5 +- Rebuilt for glibc bug#747377 + +* Wed Oct 19 2011 Alexander Bokovoy - 2.1.3-4 +- clean up spec +- Depend on sssd >= 1.6.2 for better user experience + +* Tue Oct 18 2011 Alexander Bokovoy - 2.1.3-3 +- Fix Fedora package changelog after merging systemd changes + +* Tue Oct 18 2011 Alexander Bokovoy - 2.1.3-2 +- Fix postin scriplet for F-15/F-16 + +* Tue Oct 18 2011 Alexander Bokovoy - 2.1.3-1 +- 2.1.3 + +* Mon Oct 17 2011 Alexander Bokovoy - 2.1.2-1 +- Default to systemd for Fedora 16 and onwards + +* Tue Aug 16 2011 Rob Crittenden - 2.1.0-1 +- Update to upstream 2.1.0 + +* Fri May 6 2011 Simo Sorce - 2.0.1-2 +- Fix bug #702633 + +* Mon May 2 2011 Rob Crittenden - 2.0.1-1 +- Update minimum selinux-policy to 3.9.16-18 +- Update minimum pki-ca and pki-selinux to 9.0.7 +- Update minimum 389-ds-base to 1.2.8.0-1 +- Update to upstream 2.0.1 + +* Thu Mar 24 2011 Rob Crittenden - 2.0.0-1 +- Update to upstream GA release +- Automatically apply updates when the package is upgraded + +* Fri Feb 25 2011 Rob Crittenden - 2.0.0-0.4.rc2 +- Update to upstream freeipa-2.0.0.rc2 +- Set minimum version of python-nss to 0.11 to make 
sure IPv6 support is in +- Set minimum version of sssd to 1.5.1 +- Patch to include SuiteSpotGroup when setting up 389-ds instances +- Move a lot of BuildRequires so this will build with ONLY_CLIENT enabled + +* Tue Feb 15 2011 Rob Crittenden - 2.0.0-0.3.rc1 +- Set the N-V-R so rc1 is an update to beta2. + +* Mon Feb 14 2011 Rob Crittenden - 2.0.0-0.1.rc1 +- Set minimum version of sssd to 1.5.1 +- Update to upstream freeipa-2.0.0.rc1 +- Move server-only binaries from admintools subpackage to server + +* Tue Feb 08 2011 Fedora Release Engineering - 2.0.0-0.2.beta2 +- Rebuilt for https://fedoraproject.org/wiki/Fedora_15_Mass_Rebuild + +* Thu Feb 3 2011 Rob Crittenden - 2.0.0-0.1.beta2 +- Set min version of 389-ds-base to 1.2.8 +- Set min version of mod_nss 1.0.8-10 +- Set min version of selinux-policy to 3.9.7-27 +- Add dogtag themes to Requires +- Update to upstream freeipa-2.0.0.pre2 + +* Thu Jan 27 2011 Rob Crittenden - 2.0.0-0.2.beta.git80e87e7 +- Remove unnecessary moving of v1 CA serial number file in post script +- Add Obsoletes for server-selinxu subpackage +- Using git snapshot 442d6ad30ce1156914e6245aa7502499e50ec0da + +* Wed Jan 26 2011 Rob Crittenden - 2.0.0-0.1.beta.git80e87e7 +- Prepare spec file for release +- Using git snapshot 80e87e75bd6ab56e3e20c49ece55bd4d52f1a503 + +* Tue Jan 25 2011 Rob Crittenden - 1.99-41 +- Re-arrange doc and defattr to clean up rpmlint warnings +- Remove conditionals on older releases +- Move some man pages into admintools subpackage +- Remove some explicit Requires in client that aren't needed +- Consistent use of buildroot vs RPM_BUILD_ROOT + +* Wed Jan 19 2011 Adam Young - 1.99-40 +- Moved directory install/static to install/ui + +* Thu Jan 13 2011 Simo Sorce - 1.99-39 +- Remove dependency on nss_ldap/nss-pam-ldapd +- The official client is sssd and that's what we use by default. 
+ +* Thu Jan 13 2011 Simo Sorce - 1.99-38 +- Remove radius subpackages + +* Thu Jan 13 2011 Rob Crittenden - 1.99-37 +- Set minimum pki-ca and pki-silent versions to 9.0.0 + +* Wed Jan 12 2011 Rob Crittenden - 1.99-36 +- Drop BuildRequires on mozldap-devel + +* Mon Dec 13 2010 Rob Crittenden - 1.99-35 +- Add Requires on krb5-pkinit-openssl + +* Fri Dec 10 2010 Jr Aquino - 1.99-34 +- Add ipa-host-net-manage script + +* Tue Dec 7 2010 Simo Sorce - 1.99-33 +- Add ipa init script + +* Fri Nov 19 2010 Rob Crittenden - 1.99-32 +- Set minimum level of 389-ds-base to 1.2.7 for enhanced memberof plugin + +* Wed Nov 3 2010 Rob Crittenden - 1.99-31 +- remove ipa-fix-CVE-2008-3274 + +* Wed Oct 6 2010 Rob Crittenden - 1.99-30 +- Remove duplicate %%files entries on share/ipa/static +- Add python default encoding shared library + +* Mon Sep 20 2010 Rob Crittenden - 1.99-29 +- Drop requires on python-configobj (not used any more) +- Drop ipa-ldap-updater message, upgrades are done differently now + +* Wed Sep 8 2010 Rob Crittenden - 1.99-28 +- Drop conflicts on mod_nss +- Require nss-pam-ldapd on F-14 or higher instead of nss_ldap (#606847) +- Drop a slew of conditionals on older Fedora releases (< 12) +- Add a few conditionals against RHEL 6 +- Add Requires of nss-tools on ipa-client + +* Fri Aug 13 2010 Rob Crittenden - 1.99-27 +- Set minimum version of certmonger to 0.26 (to pck up #621670) +- Set minimum version of pki-silent to 1.3.4 (adds -key_algorithm) +- Set minimum version of pki-ca to 1.3.6 +- Set minimum version of sssd to 1.2.1 + +* Tue Aug 10 2010 Rob Crittenden - 1.99-26 +- Add BuildRequires for authconfig + +* Mon Jul 19 2010 Rob Crittenden - 1.99-25 +- Bump up minimum version of python-nss to pick up nss_is_initialize() API + +* Thu Jun 24 2010 Adam Young - 1.99-24 +- Removed python-asset based webui + +* Thu Jun 24 2010 Rob Crittenden - 1.99-23 +- Change Requires from fedora-ds-base to 389-ds-base +- Set minimum level of 389-ds-base to 1.2.6 for the replication + 
version plugin. + +* Tue Jun 1 2010 Rob Crittenden - 1.99-22 +- Drop Requires of python-krbV on ipa-client + +* Mon May 17 2010 Rob Crittenden - 1.99-21 +- Load ipa_dogtag.pp in post install + +* Mon Apr 26 2010 Rob Crittenden - 1.99-20 +- Set minimum level of sssd to 1.1.1 to pull in required hbac fixes. + +* Thu Mar 4 2010 Rob Crittenden - 1.99-19 +- No need to create /var/log/ipa_error.log since we aren't using + TurboGears any more. + +* Mon Mar 1 2010 Jason Gerard DeRose - 1.99-18 +- Fixed share/ipa/wsgi.py so .pyc, .pyo files are included + +* Wed Feb 24 2010 Jason Gerard DeRose - 1.99-17 +- Added Require mod_wsgi, added share/ipa/wsgi.py + +* Thu Feb 11 2010 Jason Gerard DeRose - 1.99-16 +- Require python-wehjit >= 0.2.2 + +* Wed Feb 3 2010 Rob Crittenden - 1.99-15 +- Add sssd and certmonger as a Requires on ipa-client + +* Wed Jan 27 2010 Jason Gerard DeRose - 1.99-14 +- Require python-wehjit >= 0.2.0 + +* Fri Dec 4 2009 Rob Crittenden - 1.99-13 +- Add ipa-rmkeytab tool + +* Tue Dec 1 2009 Rob Crittenden - 1.99-12 +- Set minimum of python-pyasn1 to 0.0.9a so we have support for the ASN.1 + Any type + +* Wed Nov 25 2009 Rob Crittenden - 1.99-11 +- Remove v1-style /etc/ipa/ipa.conf, replacing with /etc/ipa/default.conf + +* Fri Nov 13 2009 Rob Crittenden - 1.99-10 +- Add bash completion script and own /etc/bash_completion.d in case it + doesn't already exist + +* Tue Nov 3 2009 Rob Crittenden - 1.99-9 +- Remove ipa_webgui, its functions rolled into ipa_httpd + +* Mon Oct 12 2009 Jason Gerard DeRose - 1.99-8 +- Removed python-cherrypy from BuildRequires and Requires +- Added Requires python-assets, python-wehjit + +* Mon Aug 24 2009 Rob Crittenden - 1.99-7 +- Added httpd SELinux policy so CRLs can be read + +* Thu May 21 2009 Rob Crittenden - 1.99-6 +- Move ipalib to ipa-python subpackage +- Bump minimum version of slapi-nis to 0.15 + +* Wed May 6 2009 Rob Crittenden - 1.99-5 +- Set 0.14 as minimum version for slapi-nis + +* Wed Apr 22 2009 Rob Crittenden - 
1.99-4 +- Add Requires: python-nss to ipa-python sub-package + +* Thu Mar 5 2009 Rob Crittenden - 1.99-3 +- Remove the IPA DNA plugin, use the DS one + +* Wed Mar 4 2009 Rob Crittenden - 1.99-2 +- Build radius separately +- Fix a few minor issues + +* Tue Feb 3 2009 Rob Crittenden - 1.99-1 +- Replace TurboGears requirement with python-cherrypy + +* Sat Jan 17 2009 Tomas Mraz - 1.2.1-3 +- rebuild with new openssl + +* Fri Dec 19 2008 Dan Walsh - 1.2.1-2 +- Fix SELinux code + +* Mon Dec 15 2008 Simo Sorce - 1.2.1-1 +- Fix breakage caused by python-kerberos update to 1.1 + +* Fri Dec 5 2008 Simo Sorce - 1.2.1-0 +- New upstream release 1.2.1 + +* Sat Nov 29 2008 Ignacio Vazquez-Abrams - 1.2.0-4 +- Rebuild for Python 2.6 + +* Fri Nov 14 2008 Simo Sorce - 1.2.0-3 +- Respin after the tarball has been re-released upstream + New hash is 506c9c92dcaf9f227cba5030e999f177 + +* Thu Nov 13 2008 Simo Sorce - 1.2.0-2 +- Conditionally restart also dirsrv and httpd when upgrading + +* Wed Oct 29 2008 Rob Crittenden - 1.2.0-1 +- Update to upstream version 1.2.0 +- Set fedora-ds-base minimum version to 1.1.3 for winsync header +- Set the minimum version for SELinux policy +- Remove references to Fedora 7 + +* Wed Jul 23 2008 Simo Sorce - 1.1.0-3 +- Fix for CVE-2008-3274 +- Fix segfault in ipa-kpasswd in case getifaddrs returns a NULL interface +- Add fix for bug #453185 +- Rebuild against openldap libraries, mozldap ones do not work properly +- TurboGears is currently broken in rawhide. Added patch to not build + the UI locales and removed them from the ipa-server files section. 
+ +* Wed Jun 18 2008 Rob Crittenden - 1.1.0-2 +- Add call to /usr/sbin/upgradeconfig to post install + +* Wed Jun 11 2008 Rob Crittenden - 1.1.0-1 +- Update to upstream version 1.1.0 +- Patch for indexing memberof attribute +- Patch for indexing uidnumber and gidnumber +- Patch to change DNA default values for replicas +- Patch to fix uninitialized variable in ipa-getkeytab + +* Fri May 16 2008 Rob Crittenden - 1.0.0-5 +- Set fedora-ds-base minimum version to 1.1.0.1-4 and mod_nss minimum + version to 1.0.7-4 so we pick up the NSS fixes. +- Add selinux-policy-base(post) to Requires (446496) + +* Tue Apr 29 2008 Rob Crittenden - 1.0.0-4 +- Add missing entry for /var/cache/ipa/kpasswd (444624) +- Added patch to fix permissions problems with the Apache NSS database. +- Added patch to fix problem with DNS querying where the query could be + returned as the answer. +- Fix spec error where patch1 was in the wrong section + +* Fri Apr 25 2008 Rob Crittenden - 1.0.0-3 +- Added patch to fix problem reported by ldapmodify + +* Fri Apr 25 2008 Rob Crittenden - 1.0.0-2 +- Fix Requires for krb5-server that was missing for Fedora versions > 9 +- Remove quotes around test for fedora version to package egg-info + +* Fri Apr 18 2008 Rob Crittenden - 1.0.0-1 +- Update to upstream version 1.0.0 + +* Tue Mar 18 2008 Rob Crittenden 0.99-12 +- Pull upstream changelog 722 +- Add Conflicts mod_ssl (435360) + +* Fri Feb 29 2008 Rob Crittenden 0.99-11 +- Pull upstream changelog 698 +- Fix ownership of /var/log/ipa_error.log during install (435119) +- Add pwpolicy command and man page + +* Thu Feb 21 2008 Rob Crittenden 0.99-10 +- Pull upstream changelog 678 +- Add new subpackage, ipa-server-selinux +- Add Requires: authconfig to ipa-python (bz #433747) +- Package i18n files + +* Mon Feb 18 2008 Rob Crittenden 0.99-9 +- Pull upstream changelog 641 +- Require minimum version of krb5-server on F-7 and F-8 +- Package some new files + +* Thu Jan 31 2008 Rob Crittenden 0.99-8 +- Marked with wrong 
license. IPA is GPLv2. + +* Tue Jan 29 2008 Rob Crittenden 0.99-7 +- Ensure that /etc/ipa exists before moving user-modifiable html files there +- Put html files into /etc/ipa/html instead of /etc/ipa + +* Tue Jan 29 2008 Rob Crittenden 0.99-6 +- Pull upstream changelog 608 which renamed several files + +* Thu Jan 24 2008 Rob Crittenden 0.99-5 +- package the sessions dir /var/cache/ipa/sessions +- Pull upstream changelog 597 + +* Thu Jan 24 2008 Rob Crittenden 0.99-4 +- Updated upstream pull (596) to fix bug in ipa_webgui that was causing the + UI to not start. + +* Thu Jan 24 2008 Rob Crittenden 0.99-3 +- Included LICENSE and README in all packages for documentation +- Move user-modifiable content to /etc/ipa and linked back to + /usr/share/ipa/html +- Changed some references to /usr to the {_usr} macro and /etc + to {_sysconfdir} +- Added popt-devel to BuildRequires for Fedora 8 and higher and + popt for Fedora 7 +- Package the egg-info for Fedora 9 and higher for ipa-python + +* Tue Jan 22 2008 Rob Crittenden 0.99-2 +- Added auto* BuildRequires + +* Mon Jan 21 2008 Rob Crittenden 0.99-1 +- Unified spec file + +* Thu Jan 17 2008 Rob Crittenden - 0.6.0-2 +- Fixed License in specfile +- Include files from /usr/lib/python*/site-packages/ipaserver + +* Fri Dec 21 2007 Karl MacMillan - 0.6.0-1 +- Version bump for release + +* Wed Nov 21 2007 Karl MacMillan - 0.5.0-1 +- Preverse mode on ipa-keytab-util +- Version bump for relase and rpm name change + +* Thu Nov 15 2007 Rob Crittenden - 0.4.1-2 +- Broke invididual Requires and BuildRequires onto separate lines and + reordered them +- Added python-tgexpandingformwidget as a dependency +- Require at least fedora-ds-base 1.1 + +* Thu Nov 1 2007 Karl MacMillan - 0.4.1-1 +- Version bump for release + +* Wed Oct 31 2007 Karl MacMillan - 0.4.0-6 +- Add dep for freeipa-admintools and acl + +* Wed Oct 24 2007 Rob Crittenden - 0.4.0-5 +- Add dependency for python-krbV + +* Fri Oct 19 2007 Rob Crittenden - 0.4.0-4 +- Require 
mod_nss-1.0.7-2 for mod_proxy fixes + +* Thu Oct 18 2007 Karl MacMillan - 0.4.0-3 +- Convert to autotools-based build + +* Tue Sep 25 2007 Karl MacMillan - 0.4.0-2 + +* Fri Sep 7 2007 Karl MacMillan - 0.3.0-1 +- Added support for libipa-dna-plugin + +* Fri Aug 10 2007 Karl MacMillan - 0.2.0-1 +- Added support for ipa_kpasswd and ipa_pwd_extop + +* Sun Aug 5 2007 Rob Crittenden - 0.1.0-3 +- Abstracted client class to work directly or over RPC + +* Wed Aug 1 2007 Rob Crittenden - 0.1.0-2 +- Add mod_auth_kerb and cyrus-sasl-gssapi to Requires +- Remove references to admin server in ipa-server-setupssl +- Generate a client certificate for the XML-RPC server to connect to LDAP with +- Create a keytab for Apache +- Create an ldif with a test user +- Provide a certmap.conf for doing SSL client authentication + +* Fri Jul 27 2007 Karl MacMillan - 0.1.0-1 +- Initial rpm version