2009-10-12 15:00:00 -05:00
|
|
|
# Define ONLY_CLIENT to only make the ipa-client and ipa-python subpackages
|
2010-01-07 13:12:52 -06:00
|
|
|
%{!?ONLY_CLIENT:%global ONLY_CLIENT 0}
|
2009-10-12 15:00:00 -05:00
|
|
|
|
2014-09-17 03:02:01 -05:00
|
|
|
%global alt_name ipa
|
2010-01-07 13:12:52 -06:00
|
|
|
%global plugin_dir %{_libdir}/dirsrv/plugins
|
2013-03-12 09:25:40 -05:00
|
|
|
%global POLICYCOREUTILSVER 2.1.12-5
|
2010-02-09 12:14:25 -06:00
|
|
|
%global gettext_domain ipa
|
2013-11-27 07:13:16 -06:00
|
|
|
%define _hardened_build 1
|
|
|
|
|
2011-01-17 03:26:19 -06:00
|
|
|
Name: freeipa
|
2009-02-02 12:50:53 -06:00
|
|
|
Version: __VERSION__
|
|
|
|
Release: __RELEASE__%{?dist}
|
|
|
|
Summary: The Identity, Policy and Audit system
|
|
|
|
|
|
|
|
Group: System Environment/Base
|
2010-12-09 06:59:11 -06:00
|
|
|
License: GPLv3+
|
2009-02-02 12:50:53 -06:00
|
|
|
URL: http://www.freeipa.org/
|
|
|
|
Source0: freeipa-%{version}.tar.gz
|
|
|
|
BuildRoot: %{_tmppath}/%{name}-%{version}-%{release}-root-%(%{__id_u} -n)
|
|
|
|
|
2009-10-12 15:00:00 -05:00
|
|
|
%if ! %{ONLY_CLIENT}
|
2014-09-12 05:43:31 -05:00
|
|
|
BuildRequires: 389-ds-base-devel >= 1.3.3.2
|
2009-02-02 12:50:53 -06:00
|
|
|
BuildRequires: svrcore-devel
|
2011-02-21 12:04:38 -06:00
|
|
|
BuildRequires: policycoreutils >= %{POLICYCOREUTILSVER}
|
2011-10-21 08:44:36 -05:00
|
|
|
BuildRequires: systemd-units
|
2013-04-16 02:44:28 -05:00
|
|
|
BuildRequires: samba-devel >= 2:4.0.5-1
|
2012-10-01 08:32:36 -05:00
|
|
|
BuildRequires: samba-python
|
|
|
|
BuildRequires: libwbclient-devel
|
2012-07-25 10:23:11 -05:00
|
|
|
BuildRequires: libtalloc-devel
|
|
|
|
BuildRequires: libtevent-devel
|
2013-08-13 03:56:26 -05:00
|
|
|
%endif # ONLY_CLIENT
|
2009-02-02 12:50:53 -06:00
|
|
|
BuildRequires: nspr-devel
|
2011-02-21 12:04:38 -06:00
|
|
|
BuildRequires: nss-devel
|
2009-02-02 12:50:53 -06:00
|
|
|
BuildRequires: openssl-devel
|
|
|
|
BuildRequires: openldap-devel
|
2013-03-12 09:25:40 -05:00
|
|
|
BuildRequires: krb5-devel >= 1.11
|
2011-02-21 12:04:38 -06:00
|
|
|
BuildRequires: krb5-workstation
|
|
|
|
BuildRequires: libuuid-devel
|
2011-08-11 03:42:29 -05:00
|
|
|
BuildRequires: libcurl-devel >= 7.21.7-2
|
|
|
|
BuildRequires: xmlrpc-c-devel >= 1.27.4
|
2011-02-21 12:04:38 -06:00
|
|
|
BuildRequires: popt-devel
|
2009-02-02 12:50:53 -06:00
|
|
|
BuildRequires: autoconf
|
|
|
|
BuildRequires: automake
|
|
|
|
BuildRequires: m4
|
2011-02-21 12:04:38 -06:00
|
|
|
BuildRequires: libtool
|
|
|
|
BuildRequires: gettext
|
|
|
|
BuildRequires: python-devel
|
|
|
|
BuildRequires: python-ldap
|
2009-02-23 11:41:00 -06:00
|
|
|
BuildRequires: python-setuptools
|
|
|
|
BuildRequires: python-krbV
|
2011-01-13 13:29:16 -06:00
|
|
|
BuildRequires: python-nss
|
|
|
|
BuildRequires: python-netaddr
|
2013-12-03 10:14:00 -06:00
|
|
|
BuildRequires: python-kerberos >= 1.1-14
|
2011-05-05 08:06:54 -05:00
|
|
|
BuildRequires: python-rhsm
|
2011-02-11 08:34:57 -06:00
|
|
|
BuildRequires: pyOpenSSL
|
2011-05-05 08:06:54 -05:00
|
|
|
BuildRequires: pylint
|
Replace broken i18n shell test with Python test
We had been using shell scripts and sed to test our translations. But
trying to edit pot and po files with sed is nearly impossible because
the file format can vary significantly and the sed editing was failing
and gettext tools were complaining about our test strategy. We had
been using a Python script (test_i18n.py) to perform the actual test
after using shell, sed, and gettext tools to create the files. There
is a Python library (polib) which can read/write/edit pot/po/mo files
(used internally by Transifex, our translation portal). The strategy
now is to do everything in Python (in test_i18n.py). This is easier,
more robust and allows us to do more things.
* add python-polib to BuildRequires
* Remove the logic for creating the test lang from Makefile.in and
replace it with calls to test_i18n.py
* add argument parsing, usage, configuration parameters, etc. to
test_i18n.py to make it easier to use and configurable.
* add function to generate a test po and mo file. It also
writes the files and creates the test directory structure.
* Took the existing validate code and refactored it into a validation
function. It used to just pick one string and test it, now it
iterates over all strings and all plural forms.
* Validate anonymous Python format substitutions in pot file
* added support for plural forms.
* Add pot po file validation for variable substitution
* In install/po subdir you can now do:
$ make test
$ make validate-pot
$ make validate-po
* The options for running test_i18n.py are:
$ ./test_i18n.py --help
Usage:
test_i18n.py --test-gettext
test_i18n.py --create-test
test_i18n.py --validate-pot [pot_file1, ...]
test_i18n.py --validate-po po_file1 [po_file2, ...]
Options:
-h, --help show this help message and exit
-s, --show-strings show the offending string when an error is detected
--pedantic be aggressive when validating
-v, --verbose be informative
--traceback print the traceback when an exception occurs
Operational Mode:
You must select one these modes to run in
-g, --test-gettext create the test translation file(s) and exercise them
-c, --create-test create the test translation file(s)
-P, --validate-pot validate pot file(s)
-p, --validate-po validate po file(s)
Run Time Parameters:
These may be used to modify the run time defaults
--test-lang=TEST_LANG
test po file uses this as it's basename (default=test)
--lang=LANG lang used for locale, MUST be a valid lang
(default=xh_ZA)
--domain=DOMAIN translation domain used during test (default=ipa)
--locale=LOCALE locale used during test (default=test_locale)
--pot-file=POT_FILE
default pot file, used when validating pot file or
generating test po and mo files (default=ipa.pot)
https://fedorahosted.org/freeipa/ticket/2044
2012-03-23 00:44:04 -05:00
|
|
|
BuildRequires: python-polib
|
Add hbactest command. https://fedorahosted.org/freeipa/ticket/386
HBAC rules control who can access what services on what hosts and from where.
You can use HBAC to control which users or groups on a source host can
access a service, or group of services, on a target host.
Since applying HBAC rules implies use of a production environment,
this plugin aims to provide simulation of HBAC rules evaluation without
having access to the production environment.
Test user coming from source host to a service on a named host against
existing enabled rules.
ipa hbactest --user= --srchost= --host= --service=
[--rules=rules-list] [--nodetail] [--enabled] [--disabled]
--user, --srchost, --host, and --service are mandatory, others are optional.
If --rules is specified simulate enabling of the specified rules and test
the login of the user using only these rules.
If --enabled is specified, all enabled HBAC rules will be added to simulation
If --disabled is specified, all disabled HBAC rules will be added to simulation
If --nodetail is specified, do not return information about rules matched/not matched.
If both --rules and --enabled are specified, apply simulation to --rules _and_
all IPA enabled rules.
If no --rules specified, simulation is run against all IPA enabled rules.
EXAMPLES:
1. Use all enabled HBAC rules in IPA database to simulate:
$ ipa hbactest --user=a1a --srchost=foo --host=bar --service=ssh
--------------------
Access granted: True
--------------------
notmatched: my-second-rule
notmatched: my-third-rule
notmatched: myrule
matched: allow_all
2. Disable detailed summary of how rules were applied:
$ ipa hbactest --user=a1a --srchost=foo --host=bar --service=ssh --nodetail
--------------------
Access granted: True
--------------------
3. Test explicitly specified HBAC rules:
$ ipa hbactest --user=a1a --srchost=foo --host=bar --service=ssh --rules=my-second-rule,myrule
---------------------
Access granted: False
---------------------
notmatched: my-second-rule
notmatched: myrule
4. Use all enabled HBAC rules in IPA database + explicitly specified rules:
$ ipa hbactest --user=a1a --srchost=foo --host=bar --service=ssh --rules=my-second-rule,myrule --enabled
--------------------
Access granted: True
--------------------
notmatched: my-second-rule
notmatched: my-third-rule
notmatched: myrule
matched: allow_all
5. Test all disabled HBAC rules in IPA database:
$ ipa hbactest --user=a1a --srchost=foo --host=bar --service=ssh --disabled
---------------------
Access granted: False
---------------------
notmatched: new-rule
6. Test all disabled HBAC rules in IPA database + explicitly specified rules:
$ ipa hbactest --user=a1a --srchost=foo --host=bar --service=ssh --rules=my-second-rule,myrule --disabled
---------------------
Access granted: False
---------------------
notmatched: my-second-rule
notmatched: my-third-rule
notmatched: myrule
7. Test all (enabled and disabled) HBAC rules in IPA database:
$ ipa hbactest --user=a1a --srchost=foo --host=bar --service=ssh --enabled --disabled
--------------------
Access granted: True
--------------------
notmatched: my-second-rule
notmatched: my-third-rule
notmatched: myrule
notmatched: new-rule
matched: allow_all
Only rules existing in IPA database are tested. They may be in enabled or
disabled state.
Specifying them through --rules option explicitly enables them only in
simulation run.
Specifying non-existing rules will not grant access and report non-existing
rules in output.
2011-07-22 08:30:44 -05:00
|
|
|
BuildRequires: libipa_hbac-python
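An added example, not FreeIPA's own code: a small Python model of the rule selection that the hbactest commit message above describes (--rules, --enabled, --disabled), reproducing the outcomes of its examples 1, 3, 5 and 7 on a constructed rule set. The Rule and Request types, the members of each rule, and the matching model (a rule matches when user, source host, host and service all match; any match grants access) are assumptions for illustration.

```python
from dataclasses import dataclass
from typing import FrozenSet, Iterable, List, NamedTuple, Optional, Tuple


class Request(NamedTuple):
    user: str
    srchost: str
    host: str
    service: str


@dataclass(frozen=True)
class Rule:
    name: str
    enabled: bool = True
    # None models an "all" category (what allow_all uses); a set lists members.
    users: Optional[FrozenSet[str]] = None
    srchosts: Optional[FrozenSet[str]] = None
    hosts: Optional[FrozenSet[str]] = None
    services: Optional[FrozenSet[str]] = None

    def matches(self, req: Request) -> bool:
        pairs = ((self.users, req.user), (self.srchosts, req.srchost),
                 (self.hosts, req.host), (self.services, req.service))
        return all(allowed is None or value in allowed for allowed, value in pairs)


def select_rules(db: Iterable[Rule], rules: Iterable[str] = (),
                 enabled: bool = False, disabled: bool = False
                 ) -> Tuple[List[Rule], List[str]]:
    """Return (rules to simulate, requested names that do not exist)."""
    db = list(db)
    rules = list(rules)
    by_name = {r.name: r for r in db}
    missing = sorted(n for n in rules if n not in by_name)
    # Named rules are treated as enabled for this run only, whatever their state.
    chosen = {n for n in rules if n in by_name}
    # With no selector at all, fall back to every enabled rule.
    if enabled or not (rules or disabled):
        chosen |= {r.name for r in db if r.enabled}
    if disabled:
        chosen |= {r.name for r in db if not r.enabled}
    return [by_name[n] for n in sorted(chosen)], missing


def hbactest(db, req, rules=(), enabled=False, disabled=False) -> dict:
    selected, missing = select_rules(db, rules, enabled, disabled)
    matched = [r.name for r in selected if r.matches(req)]
    notmatched = [r.name for r in selected if not r.matches(req)]
    # Allow-only model: one matching rule grants access; missing rules never do.
    return {"granted": bool(matched), "matched": matched,
            "notmatched": notmatched, "nonexistent": missing}


# Constructed rule set using the rule names from the commit message; the
# members of each rule are made up for the example.
DB = [
    Rule("allow_all"),
    Rule("myrule", users=frozenset({"admin"}), services=frozenset({"sshd"})),
    Rule("my-second-rule", hosts=frozenset({"web1"})),
    Rule("my-third-rule", users=frozenset({"bob"})),
    Rule("new-rule", enabled=False, users=frozenset({"carol"})),
]
REQ = Request(user="a1a", srchost="foo", host="bar", service="ssh")

if __name__ == "__main__":
    for label, kwargs in [
        ("default", {}),
        ("--rules", {"rules": ["my-second-rule", "myrule"]}),
        ("--disabled", {"disabled": True}),
        ("--enabled --disabled", {"enabled": True, "disabled": True}),
        ("--rules=no-such-rule", {"rules": ["no-such-rule"]}),
    ]:
        print(label, hbactest(DB, REQ, **kwargs))
```

A grant obtained by naming a disabled rule in `rules` holds only inside the simulation; the rule still has to be enabled before it affects real logins.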
|
2012-02-15 09:26:42 -06:00
|
|
|
BuildRequires: python-memcached
|
2012-10-31 04:59:04 -05:00
|
|
|
BuildRequires: sssd >= 1.9.2
|
2012-03-23 11:21:08 -05:00
|
|
|
BuildRequires: python-lxml
|
|
|
|
BuildRequires: python-pyasn1 >= 0.0.9a
|
2014-09-10 16:35:37 -05:00
|
|
|
BuildRequires: python-qrcode-core >= 5.0.0
|
2012-05-11 07:38:09 -05:00
|
|
|
BuildRequires: python-dns
|
2012-11-21 10:33:49 -06:00
|
|
|
BuildRequires: m2crypto
|
2012-11-14 09:45:41 -06:00
|
|
|
BuildRequires: check
|
2011-11-30 06:29:10 -06:00
|
|
|
BuildRequires: libsss_idmap-devel
|
2013-07-11 06:33:31 -05:00
|
|
|
BuildRequires: libsss_nss_idmap-devel
|
2014-08-20 06:56:59 -05:00
|
|
|
BuildRequires: java-headless
|
2014-03-13 16:09:49 -05:00
|
|
|
BuildRequires: rhino
|
2013-04-11 13:03:25 -05:00
|
|
|
BuildRequires: libverto-devel
|
|
|
|
BuildRequires: systemd
|
2013-07-16 10:47:27 -05:00
|
|
|
BuildRequires: libunistring-devel
|
2013-10-10 06:41:31 -05:00
|
|
|
BuildRequires: python-lesscpy
|
2014-06-27 03:16:41 -05:00
|
|
|
BuildRequires: python-yubico
|
2014-09-02 09:43:10 -05:00
|
|
|
BuildRequires: python-backports-ssl_match_hostname
|
2009-02-02 12:50:53 -06:00
|
|
|
|
|
|
|
%description
|
|
|
|
IPA is an integrated solution to provide centrally managed Identity (machine,
|
|
|
|
user, virtual machines, groups, authentication credentials), Policy
|
|
|
|
(configuration settings, access control information) and Audit (events,
|
|
|
|
logs, analysis thereof).
|
|
|
|
|
2009-10-12 15:00:00 -05:00
|
|
|
%if ! %{ONLY_CLIENT}
|
2009-02-02 12:50:53 -06:00
|
|
|
%package server
|
|
|
|
Summary: The IPA authentication server
|
|
|
|
Group: System Environment/Base
|
|
|
|
Requires: %{name}-python = %{version}-%{release}
|
|
|
|
Requires: %{name}-client = %{version}-%{release}
|
|
|
|
Requires: %{name}-admintools = %{version}-%{release}
|
2014-09-12 05:43:31 -05:00
|
|
|
Requires: 389-ds-base >= 1.3.3.2
|
2013-05-10 06:50:21 -05:00
|
|
|
Requires: openldap-clients > 2.4.35-4
|
2013-04-26 11:36:05 -05:00
|
|
|
Requires: nss >= 3.14.3-12.0
|
|
|
|
Requires: nss-tools >= 3.14.3-12.0
|
2014-07-21 11:32:03 -05:00
|
|
|
Requires: krb5-server >= 1.11.5-5
|
2010-12-13 13:46:09 -06:00
|
|
|
Requires: krb5-pkinit-openssl
|
2011-07-22 08:06:13 -05:00
|
|
|
Requires: cyrus-sasl-gssapi%{?_isa}
|
2009-02-02 12:50:53 -06:00
|
|
|
Requires: ntp
|
2013-11-26 02:53:34 -06:00
|
|
|
Requires: httpd >= 2.4.6-6
|
2010-02-24 12:29:23 -06:00
|
|
|
Requires: mod_wsgi
|
2012-06-20 13:09:55 -05:00
|
|
|
Requires: mod_auth_kerb >= 5.4-16
|
2013-11-26 02:53:34 -06:00
|
|
|
Requires: mod_nss >= 1.0.8-26
|
2009-02-02 12:50:53 -06:00
|
|
|
Requires: python-ldap
|
|
|
|
Requires: python-krbV
|
|
|
|
Requires: acl
|
2012-11-14 09:45:41 -06:00
|
|
|
Requires: python-pyasn1
|
2012-02-06 12:15:06 -06:00
|
|
|
Requires: memcached
|
|
|
|
Requires: python-memcached
|
2013-10-15 13:49:07 -05:00
|
|
|
Requires: dbus-python
|
2013-03-27 08:58:16 -05:00
|
|
|
Requires: systemd-units >= 38
|
2011-10-21 08:44:36 -05:00
|
|
|
Requires(pre): systemd-units
|
|
|
|
Requires(post): systemd-units
|
2014-09-02 04:28:16 -05:00
|
|
|
Requires: selinux-policy >= 3.12.1-179
|
2009-02-02 12:50:53 -06:00
|
|
|
Requires(post): selinux-policy-base
|
2013-08-08 07:39:14 -05:00
|
|
|
Requires: slapi-nis >= 0.47.7
|
2014-09-12 06:19:40 -05:00
|
|
|
Requires: pki-ca >= 10.2.0
|
|
|
|
Requires: pki-kra >= 10.2.0
|
2011-08-23 07:15:27 -05:00
|
|
|
%if 0%{?rhel}
|
|
|
|
Requires: subscription-manager
|
|
|
|
%endif
|
2011-10-21 08:44:36 -05:00
|
|
|
Requires(preun): python systemd-units
|
|
|
|
Requires(postun): python systemd-units
|
2012-05-11 07:38:09 -05:00
|
|
|
Requires: python-dns
|
2012-10-08 06:54:47 -05:00
|
|
|
Requires: zip
|
2012-10-24 05:35:36 -05:00
|
|
|
Requires: policycoreutils >= %{POLICYCOREUTILSVER}
|
2012-11-14 09:45:41 -06:00
|
|
|
Requires: tar
|
2014-09-03 02:07:16 -05:00
|
|
|
Requires(pre): certmonger >= 0.75.13
|
2014-09-12 05:43:31 -05:00
|
|
|
Requires(pre): 389-ds-base >= 1.3.3.2
|
2013-12-04 09:15:20 -06:00
|
|
|
Requires: fontawesome-fonts
|
|
|
|
Requires: open-sans-fonts
|
2009-02-02 12:50:53 -06:00
|
|
|
|
2014-09-17 03:02:01 -05:00
|
|
|
Conflicts: %{alt_name}-server
|
|
|
|
Obsoletes: %{alt_name}-server < %{version}
|
|
|
|
|
2013-06-13 07:40:52 -05:00
|
|
|
# With FreeIPA 3.3, package freeipa-server-selinux was obsoleted as the
|
|
|
|
# entire SELinux policy is stored in the system policy
|
|
|
|
Obsoletes: freeipa-server-selinux < 3.3.0
|
|
|
|
|
2011-09-09 05:30:00 -05:00
|
|
|
# We have a soft-requires on bind. It is an optional part of
|
|
|
|
# IPA but if it is configured we need a way to require versions
|
|
|
|
# that work for us.
|
2014-07-04 09:35:17 -05:00
|
|
|
Conflicts: bind-dyndb-ldap < 5.0
|
2012-03-20 09:35:54 -05:00
|
|
|
Conflicts: bind < 9.8.2-0.4.rc2
|
2011-09-09 05:30:00 -05:00
|
|
|
|
2013-04-30 13:35:19 -05:00
|
|
|
# Versions of nss-pam-ldapd < 0.8.4 require a mapping from uniqueMember to
|
|
|
|
# member.
|
|
|
|
Conflicts: nss-pam-ldapd < 0.8.4
|
|
|
|
|
2009-02-02 12:50:53 -06:00
|
|
|
%description server
|
|
|
|
IPA is an integrated solution to provide centrally managed Identity (machine,
|
|
|
|
user, virtual machines, groups, authentication credentials), Policy
|
|
|
|
(configuration settings, access control information) and Audit (events,
|
|
|
|
logs, analysis thereof). If you are installing an IPA server you need
|
|
|
|
to install this package (in other words, most people should NOT install
|
|
|
|
this package).
|
|
|
|
|
|
|
|
|
2012-02-28 05:24:41 -06:00
|
|
|
%package server-trust-ad
|
|
|
|
Summary: Virtual package to install packages required for Active Directory trusts
|
|
|
|
Group: System Environment/Base
|
|
|
|
Requires: %{name}-server = %version-%release
|
2012-11-21 10:33:49 -06:00
|
|
|
Requires: m2crypto
|
2012-10-01 08:32:36 -05:00
|
|
|
Requires: samba-python
|
2013-04-16 02:44:28 -05:00
|
|
|
Requires: samba >= 2:4.0.5-1
|
2012-10-01 08:32:36 -05:00
|
|
|
Requires: samba-winbind
|
|
|
|
Requires: libsss_idmap
|
2013-05-06 10:10:56 -05:00
|
|
|
Requires: libsss_nss_idmap-python
|
2012-10-10 01:46:08 -05:00
|
|
|
# We use alternatives to divert winbind_krb5_locator.so plugin to libkrb5
|
|
|
|
# on the installs where the server-trust-ad subpackage is installed because
|
|
|
|
# IPA AD trusts cannot be used at the same time with the locator plugin
|
|
|
|
# since Winbindd will be configured in a different mode
|
|
|
|
Requires(post): %{_sbindir}/update-alternatives
|
2012-10-26 06:12:17 -05:00
|
|
|
Requires(post): python
|
2012-10-10 01:46:08 -05:00
|
|
|
Requires(postun): %{_sbindir}/update-alternatives
|
|
|
|
Requires(preun): %{_sbindir}/update-alternatives
|
2012-02-28 05:24:41 -06:00
|
|
|
|
2014-09-17 03:02:01 -05:00
|
|
|
Conflicts: %{alt_name}-server-trust-ad
|
|
|
|
Obsoletes: %{alt_name}-server-trust-ad < %{version}
|
|
|
|
|
2012-02-28 05:24:41 -06:00
|
|
|
%description server-trust-ad
|
2013-08-13 03:59:57 -05:00
|
|
|
Cross-realm trusts with Active Directory in IPA require a working Samba 4
|
|
|
|
installation. This package is provided for convenience to install all required
|
|
|
|
dependencies at once.
|
2012-02-28 05:24:41 -06:00
|
|
|
|
2013-08-13 03:56:26 -05:00
|
|
|
%endif # ONLY_CLIENT
|
2009-02-02 12:50:53 -06:00
|
|
|
|
|
|
|
|
|
|
|
%package client
|
|
|
|
Summary: IPA authentication for use on clients
|
|
|
|
Group: System Environment/Base
|
|
|
|
Requires: %{name}-python = %{version}-%{release}
|
|
|
|
Requires: python-ldap
|
2011-07-22 08:06:13 -05:00
|
|
|
Requires: cyrus-sasl-gssapi%{?_isa}
|
2009-02-02 12:50:53 -06:00
|
|
|
Requires: ntp
|
|
|
|
Requires: krb5-workstation
|
|
|
|
Requires: authconfig
|
|
|
|
Requires: pam_krb5
|
2009-02-19 16:20:37 -06:00
|
|
|
Requires: wget
|
2012-11-14 09:45:41 -06:00
|
|
|
Requires: libcurl >= 7.21.7-2
|
|
|
|
Requires: xmlrpc-c >= 1.27.4
|
2013-10-04 03:23:14 -05:00
|
|
|
Requires: sssd >= 1.11.1
|
2014-03-13 04:28:27 -05:00
|
|
|
Requires: certmonger >= 0.75.6
|
2010-09-09 17:10:14 -05:00
|
|
|
Requires: nss-tools
|
2011-02-17 07:30:36 -06:00
|
|
|
Requires: bind-utils
|
2012-02-27 03:59:25 -06:00
|
|
|
Requires: oddjob-mkhomedir
|
2012-03-28 01:51:02 -05:00
|
|
|
Requires: python-krbV
|
2012-05-11 07:38:09 -05:00
|
|
|
Requires: python-dns
|
2012-05-29 13:20:38 -05:00
|
|
|
Requires: libsss_autofs
|
|
|
|
Requires: autofs
|
|
|
|
Requires: libnfsidmap
|
|
|
|
Requires: nfs-utils
|
2014-09-01 06:01:41 -05:00
|
|
|
Requires: python-backports-ssl_match_hostname
|
2012-10-31 04:15:28 -05:00
|
|
|
Requires(post): policycoreutils
|
2009-02-02 12:50:53 -06:00
|
|
|
|
2014-09-17 03:02:01 -05:00
|
|
|
Conflicts: %{alt_name}-client
|
|
|
|
Obsoletes: %{alt_name}-client < %{version}
|
2011-01-17 03:26:19 -06:00
|
|
|
|
2009-02-02 12:50:53 -06:00
|
|
|
%description client
|
|
|
|
IPA is an integrated solution to provide centrally managed Identity (machine,
|
|
|
|
user, virtual machines, groups, authentication credentials), Policy
|
|
|
|
(configuration settings, access control information) and Audit (events,
|
|
|
|
logs, analysis thereof). If your network uses IPA for authentication,
|
|
|
|
this package should be installed on every client machine.
|
|
|
|
|
|
|
|
|
|
|
|
%package admintools
|
|
|
|
Summary: IPA administrative tools
|
|
|
|
Group: System Environment/Base
|
|
|
|
Requires: %{name}-python = %{version}-%{release}
|
2010-10-15 14:03:51 -05:00
|
|
|
Requires: %{name}-client = %{version}-%{release}
|
2009-02-02 12:50:53 -06:00
|
|
|
Requires: python-krbV
|
|
|
|
Requires: python-ldap
|
|
|
|
|
2014-09-17 03:02:01 -05:00
|
|
|
Conflicts: %{alt_name}-admintools
|
|
|
|
Obsoletes: %{alt_name}-admintools < %{version}
|
2011-01-17 03:26:19 -06:00
|
|
|
|
2009-02-02 12:50:53 -06:00
|
|
|
%description admintools
|
|
|
|
IPA is an integrated solution to provide centrally managed Identity (machine,
|
|
|
|
user, virtual machines, groups, authentication credentials), Policy
|
|
|
|
(configuration settings, access control information) and Audit (events,
|
|
|
|
logs, analysis thereof). This package provides command-line tools for
|
|
|
|
IPA administrators.
|
|
|
|
|
|
|
|
%package python
|
|
|
|
Summary: Python libraries used by IPA
|
|
|
|
Group: System Environment/Libraries
|
2014-06-09 08:41:45 -05:00
|
|
|
Requires: python-kerberos >= 1.1-14
|
2009-02-02 12:50:53 -06:00
|
|
|
Requires: gnupg
|
2011-05-27 13:17:22 -05:00
|
|
|
Requires: iproute
|
2013-07-23 10:21:47 -05:00
|
|
|
Requires: keyutils
|
2009-02-19 16:20:37 -06:00
|
|
|
Requires: pyOpenSSL
|
2014-06-18 02:02:03 -05:00
|
|
|
Requires: python-nss >= 0.15
|
2009-11-23 15:52:06 -06:00
|
|
|
Requires: python-lxml
|
2010-11-08 21:34:14 -06:00
|
|
|
Requires: python-netaddr
|
2011-07-22 08:30:44 -05:00
|
|
|
Requires: libipa_hbac-python
|
2014-09-10 16:35:37 -05:00
|
|
|
Requires: python-qrcode-core >= 5.0.0
|
2014-03-26 06:49:56 -05:00
|
|
|
Requires: python-pyasn1
|
2014-05-08 10:06:16 -05:00
|
|
|
Requires: python-dateutil
|
2014-06-19 11:28:32 -05:00
|
|
|
Requires: python-yubico
|
2009-02-02 12:50:53 -06:00
|
|
|
|
2014-09-17 03:02:01 -05:00
|
|
|
Conflicts: %{alt_name}-python
|
|
|
|
Obsoletes: %{alt_name}-python < %{version}
|
2011-01-17 03:26:19 -06:00
|
|
|
|
2009-02-02 12:50:53 -06:00
|
|
|
%description python
|
|
|
|
IPA is an integrated solution to provide centrally managed Identity (machine,
|
|
|
|
user, virtual machines, groups, authentication credentials), Policy
|
|
|
|
(configuration settings, access control information) and Audit (events,
|
|
|
|
logs, analysis thereof). If you are using IPA you need to install this
|
|
|
|
package.
|
|
|
|
|
2013-05-21 06:40:27 -05:00
|
|
|
%if ! %{ONLY_CLIENT}
|
|
|
|
%package tests
|
|
|
|
Summary: IPA tests and test tools
|
|
|
|
Requires: %{name}-client = %{version}-%{release}
|
|
|
|
Requires: %{name}-python = %{version}-%{release}
|
2013-07-24 07:43:43 -05:00
|
|
|
Requires: tar
|
|
|
|
Requires: xz
|
2013-05-21 06:40:27 -05:00
|
|
|
Requires: python-nose
|
|
|
|
Requires: python-paste
|
|
|
|
Requires: python-coverage
|
|
|
|
Requires: python-polib
|
2013-08-12 08:38:32 -05:00
|
|
|
Requires: python-paramiko >= 1.7.7
|
2013-05-21 06:40:27 -05:00
|
|
|
|
2014-09-17 03:02:01 -05:00
|
|
|
Conflicts: %{alt_name}-tests
|
|
|
|
Obsoletes: %{alt_name}-tests < %{version}
|
|
|
|
|
2013-05-21 06:40:27 -05:00
|
|
|
%description tests
|
|
|
|
IPA is an integrated solution to provide centrally managed Identity (machine,
|
|
|
|
user, virtual machines, groups, authentication credentials), Policy
|
|
|
|
(configuration settings, access control information) and Audit (events,
|
|
|
|
logs, analysis thereof).
|
|
|
|
This package contains tests that verify IPA functionality.
|
|
|
|
|
2013-08-13 03:56:26 -05:00
|
|
|
%endif # ONLY_CLIENT
|
2013-05-21 06:40:27 -05:00
|
|
|
|
|
|
|
|
2009-02-02 12:50:53 -06:00
|
|
|
%prep
|
|
|
|
%setup -n freeipa-%{version} -q
|
|
|
|
|
|
|
|
%build
|
2014-05-21 03:06:03 -05:00
|
|
|
%ifarch ppc %{power64} s390 s390x aarch64
|
2014-01-03 06:52:54 -06:00
|
|
|
# UI compilation segfaulted on some arches when the stack was lower (#1040576)
|
2013-12-13 08:20:40 -06:00
|
|
|
export JAVA_STACK_SIZE="8m"
|
|
|
|
%endif
|
2013-12-04 11:37:18 -06:00
|
|
|
export CFLAGS="%{optflags} $CFLAGS"
|
2013-12-04 11:39:44 -06:00
|
|
|
export LDFLAGS="%{__global_ldflags} $LDFLAGS"
|
2014-03-13 08:39:03 -05:00
|
|
|
|
2011-10-21 08:44:36 -05:00
|
|
|
# Force re-generate of platform support
|
2014-03-13 08:39:03 -05:00
|
|
|
export IPA_VENDOR_VERSION_SUFFIX=-%{release}
|
2014-06-02 00:50:12 -05:00
|
|
|
rm -f ipapython/version.py
|
|
|
|
rm -f ipaplatform/services.py
|
|
|
|
rm -f ipaplatform/tasks.py
|
|
|
|
rm -f ipaplatform/paths.py
|
2009-02-02 12:50:53 -06:00
|
|
|
make version-update
|
2010-06-02 13:54:58 -05:00
|
|
|
cd ipa-client; ../autogen.sh --prefix=%{_usr} --sysconfdir=%{_sysconfdir} --localstatedir=%{_localstatedir} --libdir=%{_libdir} --mandir=%{_mandir}; cd ..
|
2009-10-12 15:00:00 -05:00
|
|
|
%if ! %{ONLY_CLIENT}
|
2010-12-03 14:02:29 -06:00
|
|
|
cd daemons; ../autogen.sh --prefix=%{_usr} --sysconfdir=%{_sysconfdir} --localstatedir=%{_localstatedir} --libdir=%{_libdir} --mandir=%{_mandir} --with-openldap; cd ..
|
2009-02-03 15:56:41 -06:00
|
|
|
cd install; ../autogen.sh --prefix=%{_usr} --sysconfdir=%{_sysconfdir} --localstatedir=%{_localstatedir} --libdir=%{_libdir} --mandir=%{_mandir}; cd ..
|
2013-08-13 03:56:26 -05:00
|
|
|
%endif # ONLY_CLIENT
|
2009-02-02 12:50:53 -06:00
|
|
|
|
2009-10-12 15:00:00 -05:00
|
|
|
%if ! %{ONLY_CLIENT}
|
2011-06-17 03:58:01 -05:00
|
|
|
make IPA_VERSION_IS_GIT_SNAPSHOT=no %{?_smp_mflags} all
|
2009-10-12 15:00:00 -05:00
|
|
|
%else
|
2011-06-17 03:58:01 -05:00
|
|
|
make IPA_VERSION_IS_GIT_SNAPSHOT=no %{?_smp_mflags} client
|
2013-08-13 03:56:26 -05:00
|
|
|
%endif # ONLY_CLIENT
|
2009-02-02 12:50:53 -06:00
|
|
|
|
|
|
|
%install
|
|
|
|
rm -rf %{buildroot}
|
2011-10-21 08:44:36 -05:00
|
|
|
# Force re-generate of platform support
|
2014-03-13 08:39:03 -05:00
|
|
|
export IPA_VENDOR_VERSION_SUFFIX=-%{release}
|
2014-06-02 00:50:12 -05:00
|
|
|
rm -f ipapython/version.py
|
|
|
|
rm -f ipaplatform/services.py
|
|
|
|
rm -f ipaplatform/tasks.py
|
|
|
|
rm -f ipaplatform/paths.py
|
2014-03-13 08:39:03 -05:00
|
|
|
make version-update
|
2009-10-12 15:00:00 -05:00
|
|
|
%if ! %{ONLY_CLIENT}
|
2009-02-02 12:50:53 -06:00
|
|
|
make install DESTDIR=%{buildroot}
|
2009-10-12 15:00:00 -05:00
|
|
|
%else
|
|
|
|
make client-install DESTDIR=%{buildroot}
|
2013-08-13 03:56:26 -05:00
|
|
|
%endif # ONLY_CLIENT
|
2010-02-09 12:14:25 -06:00
|
|
|
%find_lang %{gettext_domain}
|
|
|
|
|
2009-02-02 12:50:53 -06:00
|
|
|
|
2014-09-17 04:49:51 -05:00
|
|
|
mkdir -p %{buildroot}%{_usr}/share/ipa
|
|
|
|
|
2009-10-12 15:00:00 -05:00
|
|
|
%if ! %{ONLY_CLIENT}
|
2009-02-02 12:50:53 -06:00
|
|
|
# Remove .la files from libtool - we don't want to package
|
|
|
|
# these files
|
|
|
|
rm %{buildroot}/%{plugin_dir}/libipa_pwd_extop.la
|
2009-09-14 16:04:08 -05:00
|
|
|
rm %{buildroot}/%{plugin_dir}/libipa_enrollment_extop.la
|
2009-02-02 12:50:53 -06:00
|
|
|
rm %{buildroot}/%{plugin_dir}/libipa_winsync.la
|
2010-06-24 09:31:52 -05:00
|
|
|
rm %{buildroot}/%{plugin_dir}/libipa_repl_version.la
|
2010-10-15 09:49:29 -05:00
|
|
|
rm %{buildroot}/%{plugin_dir}/libipa_uuid.la
|
2010-10-19 16:11:31 -05:00
|
|
|
rm %{buildroot}/%{plugin_dir}/libipa_modrdn.la
|
2011-01-18 13:58:58 -06:00
|
|
|
rm %{buildroot}/%{plugin_dir}/libipa_lockout.la
|
2011-11-09 18:03:48 -06:00
|
|
|
rm %{buildroot}/%{plugin_dir}/libipa_cldap.la
|
2013-03-08 11:54:58 -06:00
|
|
|
rm %{buildroot}/%{plugin_dir}/libipa_dns.la
|
2012-06-21 05:54:34 -05:00
|
|
|
rm %{buildroot}/%{plugin_dir}/libipa_sidgen.la
|
|
|
|
rm %{buildroot}/%{plugin_dir}/libipa_sidgen_task.la
|
2011-11-30 06:29:10 -06:00
|
|
|
rm %{buildroot}/%{plugin_dir}/libipa_extdom_extop.la
|
2012-06-18 14:25:31 -05:00
|
|
|
rm %{buildroot}/%{plugin_dir}/libipa_range_check.la
|
2013-12-16 15:19:08 -06:00
|
|
|
rm %{buildroot}/%{plugin_dir}/libipa_otp_lasttoken.la
|
2011-05-19 15:24:57 -05:00
|
|
|
rm %{buildroot}/%{_libdir}/krb5/plugins/kdb/ipadb.la
|
2011-10-25 03:33:30 -05:00
|
|
|
rm %{buildroot}/%{_libdir}/samba/pdb/ipasam.la
|
2009-02-02 12:50:53 -06:00
|
|
|
|
|
|
|
# Some user-modifiable HTML files are provided. Move these to /etc
|
|
|
|
# and link back.
|
|
|
|
mkdir -p %{buildroot}/%{_sysconfdir}/ipa/html
|
|
|
|
mkdir -p %{buildroot}/%{_localstatedir}/cache/ipa/sysrestore
|
2012-06-08 01:31:37 -05:00
|
|
|
mkdir -p %{buildroot}/%{_localstatedir}/cache/ipa/sysupgrade
|
2009-02-02 12:50:53 -06:00
|
|
|
mkdir %{buildroot}%{_usr}/share/ipa/html/
|
2012-10-01 10:36:42 -05:00
|
|
|
ln -s ../../../..%{_sysconfdir}/ipa/html/ffconfig.js \
|
|
|
|
%{buildroot}%{_usr}/share/ipa/html/ffconfig.js
|
|
|
|
ln -s ../../../..%{_sysconfdir}/ipa/html/ffconfig_page.js \
|
|
|
|
%{buildroot}%{_usr}/share/ipa/html/ffconfig_page.js
|
2009-02-02 12:50:53 -06:00
|
|
|
ln -s ../../../..%{_sysconfdir}/ipa/html/ssbrowser.html \
|
|
|
|
%{buildroot}%{_usr}/share/ipa/html/ssbrowser.html
|
|
|
|
ln -s ../../../..%{_sysconfdir}/ipa/html/unauthorized.html \
|
|
|
|
%{buildroot}%{_usr}/share/ipa/html/unauthorized.html
|
2011-01-25 13:44:42 -06:00
|
|
|
ln -s ../../../..%{_sysconfdir}/ipa/html/browserconfig.html \
|
|
|
|
%{buildroot}%{_usr}/share/ipa/html/browserconfig.html
|
2009-02-02 12:50:53 -06:00
|
|
|
|
2009-05-14 08:29:16 -05:00
|
|
|
# So we can own our Apache configuration
|
2011-01-25 10:03:40 -06:00
|
|
|
mkdir -p %{buildroot}%{_sysconfdir}/httpd/conf.d/
|
|
|
|
/bin/touch %{buildroot}%{_sysconfdir}/httpd/conf.d/ipa.conf
|
2011-08-17 14:36:18 -05:00
|
|
|
/bin/touch %{buildroot}%{_sysconfdir}/httpd/conf.d/ipa-pki-proxy.conf
|
2011-01-25 10:03:40 -06:00
|
|
|
/bin/touch %{buildroot}%{_sysconfdir}/httpd/conf.d/ipa-rewrite.conf
|
2012-01-31 11:32:47 -06:00
|
|
|
mkdir -p %{buildroot}%{_usr}/share/ipa/html/
|
|
|
|
/bin/touch %{buildroot}%{_usr}/share/ipa/html/ca.crt
|
|
|
|
/bin/touch %{buildroot}%{_usr}/share/ipa/html/configure.jar
|
2012-10-04 10:08:17 -05:00
|
|
|
/bin/touch %{buildroot}%{_usr}/share/ipa/html/kerberosauth.xpi
|
2012-01-31 11:32:47 -06:00
|
|
|
/bin/touch %{buildroot}%{_usr}/share/ipa/html/krb.con
|
2012-10-04 10:08:17 -05:00
|
|
|
/bin/touch %{buildroot}%{_usr}/share/ipa/html/krb.js
|
2012-01-31 11:32:47 -06:00
|
|
|
/bin/touch %{buildroot}%{_usr}/share/ipa/html/krb5.ini
|
|
|
|
/bin/touch %{buildroot}%{_usr}/share/ipa/html/krbrealm.con
|
|
|
|
/bin/touch %{buildroot}%{_usr}/share/ipa/html/preferences.html
|
2011-07-20 17:11:05 -05:00
|
|
|
mkdir -p %{buildroot}%{_initrddir}
|
2012-02-06 12:15:06 -06:00
|
|
|
mkdir %{buildroot}%{_sysconfdir}/sysconfig/
|
|
|
|
install -m 644 init/ipa_memcached.conf %{buildroot}%{_sysconfdir}/sysconfig/ipa_memcached
|
|
|
|
|
2013-03-20 11:28:17 -05:00
|
|
|
# Web UI plugin dir
|
|
|
|
mkdir -p %{buildroot}%{_usr}/share/ipa/ui/js/plugins
|
|
|
|
|
2012-11-14 09:45:41 -06:00
|
|
|
# NOTE: systemd specific section
|
2014-09-08 08:57:50 -05:00
|
|
|
mkdir -p %{buildroot}%{_tmpfilesdir}
|
|
|
|
install -m 0644 init/systemd/ipa.conf.tmpfiles %{buildroot}%{_tmpfilesdir}/%{name}.conf
|
2012-11-14 09:45:41 -06:00
|
|
|
# END
|
2012-02-06 12:15:06 -06:00
|
|
|
|
|
|
|
mkdir -p %{buildroot}%{_localstatedir}/run/
|
|
|
|
install -d -m 0700 %{buildroot}%{_localstatedir}/run/ipa_memcached/
|
2012-10-31 13:10:41 -05:00
|
|
|
install -d -m 0700 %{buildroot}%{_localstatedir}/run/ipa/
|
2012-02-06 12:15:06 -06:00
|
|
|
|
2012-10-10 01:46:08 -05:00
|
|
|
mkdir -p %{buildroot}%{_libdir}/krb5/plugins/libkrb5
|
|
|
|
touch %{buildroot}%{_libdir}/krb5/plugins/libkrb5/winbind_krb5_locator.so
|
|
|
|
|
2012-11-14 09:45:41 -06:00
|
|
|
# NOTE: systemd specific section
|
2011-10-21 08:44:36 -05:00
|
|
|
mkdir -p %{buildroot}%{_unitdir}
|
|
|
|
install -m 644 init/systemd/ipa.service %{buildroot}%{_unitdir}/ipa.service
|
2012-02-06 12:15:06 -06:00
|
|
|
install -m 644 init/systemd/ipa_memcached.service %{buildroot}%{_unitdir}/ipa_memcached.service
|
2012-11-14 09:45:41 -06:00
|
|
|
# END
|
2013-03-13 08:36:41 -05:00
|
|
|
mkdir -p %{buildroot}/%{_localstatedir}/lib/ipa/backup
|
2013-08-13 03:56:26 -05:00
|
|
|
%endif # ONLY_CLIENT
|
2010-12-04 14:42:14 -06:00
|
|
|
|
2011-01-25 10:03:40 -06:00
|
|
|
mkdir -p %{buildroot}%{_sysconfdir}/ipa/
|
|
|
|
/bin/touch %{buildroot}%{_sysconfdir}/ipa/default.conf
|
2012-01-31 11:32:47 -06:00
|
|
|
/bin/touch %{buildroot}%{_sysconfdir}/ipa/ca.crt
|
2009-10-12 15:00:00 -05:00
|
|
|
mkdir -p %{buildroot}/%{_localstatedir}/lib/ipa-client/sysrestore
|
2011-01-25 10:03:40 -06:00
|
|
|
mkdir -p %{buildroot}%{_sysconfdir}/bash_completion.d
|
|
|
|
install -pm 644 contrib/completion/ipa.bash_completion %{buildroot}%{_sysconfdir}/bash_completion.d/ipa
|
2014-09-17 04:52:37 -05:00
|
|
|
|
|
|
|
%if ! %{ONLY_CLIENT}
|
2011-02-01 13:24:46 -06:00
|
|
|
mkdir -p %{buildroot}%{_sysconfdir}/cron.d
|
2009-11-23 15:19:14 -06:00
|
|
|
|
2012-06-12 07:58:50 -05:00
|
|
|
(cd %{buildroot}/%{python_sitelib}/ipaserver && find . -type f | \
|
2013-08-13 03:56:26 -05:00
|
|
|
grep -v dcerpc | grep -v adtrustinstance | \
|
|
|
|
sed -e 's,\.py.*$,.*,g' | sort -u | \
|
|
|
|
sed -e 's,\./,%%{python_sitelib}/ipaserver/,g' ) >server-python.list
|
2013-05-21 06:40:27 -05:00
|
|
|
|
|
|
|
(cd %{buildroot}/%{python_sitelib}/ipatests && find . -type f | \
|
|
|
|
sed -e 's,\.py.*$,.*,g' | sort -u | \
|
|
|
|
sed -e 's,\./,%%{python_sitelib}/ipatests/,g' ) >tests-python.list
|
2013-08-13 03:56:26 -05:00
|
|
|
%endif # ONLY_CLIENT
|
2012-06-12 07:58:50 -05:00
|
|
|
|
2009-02-02 12:50:53 -06:00
|
|
|
%clean
|
|
|
|
rm -rf %{buildroot}
|
|
|
|
|
2009-10-12 15:00:00 -05:00
|
|
|
%if ! %{ONLY_CLIENT}
|
2009-02-02 12:50:53 -06:00
|
|
|
%post server
|
2012-11-14 09:45:41 -06:00
|
|
|
# NOTE: systemd specific section
|
2011-10-21 08:44:36 -05:00
|
|
|
/bin/systemctl --system daemon-reload 2>&1 || :
|
2012-11-14 09:45:41 -06:00
|
|
|
# END
|
2011-03-18 10:19:53 -05:00
|
|
|
if [ $1 -gt 1 ] ; then
|
2013-01-24 15:14:31 -06:00
|
|
|
/bin/systemctl condrestart certmonger.service 2>&1 || :
|
2011-03-18 10:19:53 -05:00
|
|
|
fi
|
2009-02-02 12:50:53 -06:00
|
|
|
|
2011-11-23 15:52:40 -06:00
|
|
|
%posttrans server
|
|
|
|
# This must be run in posttrans so that updates from previous
|
|
|
|
# execution that may no longer be shipped are not applied.
|
2013-03-12 09:25:40 -05:00
|
|
|
/usr/sbin/ipa-ldap-updater --upgrade --quiet >/dev/null || :
|
2013-07-11 09:35:26 -05:00
|
|
|
/usr/sbin/ipa-upgradeconfig --quiet >/dev/null || :
|
|
|
|
|
|
|
|
# Restart IPA processes. This must also be run in posttrans so that plugins
|
|
|
|
# and software are in a consistent state
|
2013-11-27 07:53:57 -06:00
|
|
|
python2 -c "import sys; from ipaserver.install import installutils; sys.exit(0 if installutils.is_ipa_configured() else 1);" > /dev/null 2>&1
|
2013-07-11 09:35:26 -05:00
|
|
|
# NOTE: systemd specific section
|
|
|
|
if [ $? -eq 0 ]; then
|
2014-06-17 09:12:47 -05:00
|
|
|
/bin/systemctl is-enabled ipa.service >/dev/null 2>&1
|
|
|
|
if [ $? -eq 0 ]; then
|
|
|
|
/bin/systemctl restart ipa.service >/dev/null 2>&1 || :
|
|
|
|
fi
|
2013-07-11 09:35:26 -05:00
|
|
|
fi
|
|
|
|
# END
|
2011-11-23 15:52:40 -06:00
|
|
|
|
2009-02-02 12:50:53 -06:00
|
|
|
%preun server
|
|
|
|
if [ $1 = 0 ]; then
|
2012-11-14 09:45:41 -06:00
|
|
|
# NOTE: systemd specific section
|
2011-10-21 08:44:36 -05:00
|
|
|
/bin/systemctl --quiet stop ipa.service || :
|
|
|
|
/bin/systemctl --quiet disable ipa.service || :
|
2012-11-14 09:45:41 -06:00
|
|
|
# END
|
2009-02-02 12:50:53 -06:00
|
|
|
fi
|
|
|
|
|
2012-02-13 08:16:26 -06:00
|
|
|
%pre server
|
|
|
|
# Stop ipa_kpasswd if it exists before upgrading so we don't have a
|
|
|
|
# zombie process when we're done.
|
|
|
|
if [ -e /usr/sbin/ipa_kpasswd ]; then
|
2012-11-14 09:45:41 -06:00
|
|
|
# NOTE: systemd specific section
|
2012-02-13 08:16:26 -06:00
|
|
|
/bin/systemctl stop ipa_kpasswd.service >/dev/null 2>&1 || :
|
2012-11-14 09:45:41 -06:00
|
|
|
# END
|
2012-02-13 08:16:26 -06:00
|
|
|
fi
|
|
|
|
|
2012-10-10 01:46:08 -05:00
|
|
|
%postun server-trust-ad
|
|
|
|
if [ "$1" -ge "1" ]; then
|
2013-08-13 03:56:26 -05:00
|
|
|
if [ "`readlink %{_sysconfdir}/alternatives/winbind_krb5_locator.so`" == "/dev/null" ]; then
|
|
|
|
%{_sbindir}/alternatives --set winbind_krb5_locator.so /dev/null
|
|
|
|
fi
|
2012-10-10 01:46:08 -05:00
|
|
|
fi
|
|
|
|
|
|
|
|
%post server-trust-ad
|
|
|
|
%{_sbindir}/update-alternatives --install %{_libdir}/krb5/plugins/libkrb5/winbind_krb5_locator.so \
|
2013-08-13 03:56:26 -05:00
|
|
|
winbind_krb5_locator.so /dev/null 90
|
2013-07-11 09:35:26 -05:00
|
|
|
|
|
|
|
%posttrans server-trust-ad
|
2013-11-27 07:53:57 -06:00
|
|
|
python2 -c "import sys; from ipaserver.install import installutils; sys.exit(0 if installutils.is_ipa_configured() else 1);" > /dev/null 2>&1
|
2012-10-26 06:12:17 -05:00
|
|
|
if [ $? -eq 0 ]; then
|
2012-11-14 09:45:41 -06:00
|
|
|
# NOTE: systemd specific section
|
2012-10-26 06:12:17 -05:00
|
|
|
/bin/systemctl try-restart httpd.service >/dev/null 2>&1 || :
|
2012-11-14 09:45:41 -06:00
|
|
|
# END
|
2012-10-26 06:12:17 -05:00
|
|
|
fi
|
2012-10-10 01:46:08 -05:00
|
|
|
|
|
|
|
%preun server-trust-ad
|
|
|
|
if [ $1 -eq 0 ]; then
|
2013-08-13 03:56:26 -05:00
|
|
|
%{_sbindir}/update-alternatives --remove winbind_krb5_locator.so /dev/null
|
2012-10-10 01:46:08 -05:00
|
|
|
fi
|
2013-12-03 10:14:00 -06:00
|
|
|
|
2013-08-13 03:56:26 -05:00
|
|
|
%endif # ONLY_CLIENT
|
2009-02-02 12:50:53 -06:00
|
|
|
|
2012-10-31 04:15:28 -05:00
|
|
|
%post client
|
|
|
|
if [ $1 -gt 1 ] ; then
|
|
|
|
# Has the client been configured?
|
|
|
|
restore=0
|
|
|
|
test -f '/var/lib/ipa-client/sysrestore/sysrestore.index' && restore=$(wc -l '/var/lib/ipa-client/sysrestore/sysrestore.index' | awk '{print $1}')
|
|
|
|
|
|
|
|
if [ -f '/etc/sssd/sssd.conf' -a $restore -ge 2 ]; then
|
2013-08-13 03:56:26 -05:00
|
|
|
if ! grep -E -q '/var/lib/sss/pubconf/krb5.include.d/' /etc/krb5.conf 2>/dev/null ; then
|
2012-10-31 04:15:28 -05:00
|
|
|
echo "includedir /var/lib/sss/pubconf/krb5.include.d/" > /etc/krb5.conf.ipanew
|
|
|
|
cat /etc/krb5.conf >> /etc/krb5.conf.ipanew
|
|
|
|
mv /etc/krb5.conf.ipanew /etc/krb5.conf
|
|
|
|
/sbin/restorecon /etc/krb5.conf
|
|
|
|
fi
|
|
|
|
fi
|
2014-01-24 03:16:48 -06:00
|
|
|
|
|
|
|
if [ -f '/etc/sysconfig/ntpd' -a $restore -ge 2 ]; then
|
|
|
|
if grep -E -q 'OPTIONS=.*-u ntp:ntp' /etc/sysconfig/ntpd 2>/dev/null; then
|
|
|
|
sed -r '/OPTIONS=/ { s/\s+-u ntp:ntp\s+/ /; s/\s*-u ntp:ntp\s*// }' /etc/sysconfig/ntpd >/etc/sysconfig/ntpd.ipanew
|
|
|
|
mv /etc/sysconfig/ntpd.ipanew /etc/sysconfig/ntpd
|
|
|
|
/sbin/restorecon /etc/sysconfig/ntpd
|
|
|
|
|
|
|
|
/bin/systemctl condrestart ntpd.service 2>&1 || :
|
|
|
|
fi
|
|
|
|
fi
|
2012-10-31 04:15:28 -05:00
|
|
|
fi
|
2009-02-02 12:50:53 -06:00
|
|
|
|
2013-04-18 11:06:54 -05:00
|
|
|
%triggerin -n freeipa-client -- openssh-server
|
|
|
|
# Has the client been configured?
|
|
|
|
restore=0
|
|
|
|
test -f '/var/lib/ipa-client/sysrestore/sysrestore.index' && restore=$(wc -l '/var/lib/ipa-client/sysrestore/sysrestore.index' | awk '{print $1}')
|
|
|
|
|
|
|
|
if [ -f '/etc/ssh/sshd_config' -a $restore -ge 2 ]; then
|
2013-08-13 03:56:26 -05:00
|
|
|
if grep -E -q '^(AuthorizedKeysCommand /usr/bin/sss_ssh_authorizedkeys|PubKeyAgent /usr/bin/sss_ssh_authorizedkeys %u)$' /etc/ssh/sshd_config 2>/dev/null; then
|
2013-04-18 11:06:54 -05:00
|
|
|
sed -r '
|
|
|
|
/^(AuthorizedKeysCommand(User|RunAs)|PubKeyAgentRunAs)[ \t]/ d
|
|
|
|
' /etc/ssh/sshd_config >/etc/ssh/sshd_config.ipanew
|
|
|
|
|
|
|
|
if /usr/sbin/sshd -t -f /dev/null -o 'AuthorizedKeysCommand=/usr/bin/sss_ssh_authorizedkeys' -o 'AuthorizedKeysCommandUser=nobody'; then
|
|
|
|
sed -ri '
|
|
|
|
s/^PubKeyAgent (.+) %u$/AuthorizedKeysCommand \1/
|
|
|
|
s/^AuthorizedKeysCommand .*$/\0\nAuthorizedKeysCommandUser nobody/
|
|
|
|
' /etc/ssh/sshd_config.ipanew
|
|
|
|
elif /usr/sbin/sshd -t -f /dev/null -o 'AuthorizedKeysCommand=/usr/bin/sss_ssh_authorizedkeys' -o 'AuthorizedKeysCommandRunAs=nobody'; then
|
|
|
|
sed -ri '
|
|
|
|
s/^PubKeyAgent (.+) %u$/AuthorizedKeysCommand \1/
|
|
|
|
s/^AuthorizedKeysCommand .*$/\0\nAuthorizedKeysCommandRunAs nobody/
|
|
|
|
' /etc/ssh/sshd_config.ipanew
|
|
|
|
elif /usr/sbin/sshd -t -f /dev/null -o 'PubKeyAgent=/usr/bin/sss_ssh_authorizedkeys %u' -o 'PubKeyAgentRunAs=nobody'; then
|
|
|
|
sed -ri '
|
|
|
|
s/^AuthorizedKeysCommand (.+)$/PubKeyAgent \1 %u/
|
|
|
|
s/^PubKeyAgent .*$/\0\nPubKeyAgentRunAs nobody/
|
|
|
|
' /etc/ssh/sshd_config.ipanew
|
|
|
|
fi
|
|
|
|
|
|
|
|
mv /etc/ssh/sshd_config.ipanew /etc/ssh/sshd_config
|
|
|
|
/sbin/restorecon /etc/ssh/sshd_config
|
|
|
|
chmod 600 /etc/ssh/sshd_config
|
|
|
|
|
|
|
|
/bin/systemctl condrestart sshd.service 2>&1 || :
|
|
|
|
fi
|
|
|
|
fi
|
|
|
|
|
2009-10-12 15:00:00 -05:00
|
|
|
%if ! %{ONLY_CLIENT}
|
2012-06-12 07:58:50 -05:00
|
|
|
%files server -f server-python.list
|
2009-02-02 12:50:53 -06:00
|
|
|
%defattr(-,root,root,-)
|
2011-01-25 10:03:40 -06:00
|
|
|
%doc COPYING README Contributors.txt
|
2013-03-13 08:36:41 -05:00
|
|
|
%{_sbindir}/ipa-backup
|
|
|
|
%{_sbindir}/ipa-restore
|
2011-06-17 15:47:39 -05:00
|
|
|
%{_sbindir}/ipa-ca-install
|
2009-11-23 02:26:50 -06:00
|
|
|
%{_sbindir}/ipa-dns-install
|
2014-03-18 10:23:30 -05:00
|
|
|
%{_sbindir}/ipa-kra-install
|
2009-02-02 12:50:53 -06:00
|
|
|
%{_sbindir}/ipa-server-install
|
2011-05-22 12:17:07 -05:00
|
|
|
%{_sbindir}/ipa-replica-conncheck
|
2009-02-02 12:50:53 -06:00
|
|
|
%{_sbindir}/ipa-replica-install
|
|
|
|
%{_sbindir}/ipa-replica-prepare
|
|
|
|
%{_sbindir}/ipa-replica-manage
|
2011-07-14 22:35:01 -05:00
|
|
|
%{_sbindir}/ipa-csreplica-manage
|
2009-02-02 12:50:53 -06:00
|
|
|
%{_sbindir}/ipa-server-certinstall
|
2011-02-11 13:05:20 -06:00
|
|
|
%{_sbindir}/ipa-ldap-updater
|
2014-05-08 10:06:16 -05:00
|
|
|
%{_sbindir}/ipa-otptoken-import
|
2011-02-11 13:05:20 -06:00
|
|
|
%{_sbindir}/ipa-compat-manage
|
|
|
|
%{_sbindir}/ipa-nis-manage
|
2011-09-20 11:13:42 -05:00
|
|
|
%{_sbindir}/ipa-managed-entries
|
2009-02-02 12:50:53 -06:00
|
|
|
%{_sbindir}/ipactl
|
|
|
|
%{_sbindir}/ipa-upgradeconfig
|
2013-06-10 07:43:24 -05:00
|
|
|
%{_sbindir}/ipa-advise
|
2014-03-13 04:28:27 -05:00
|
|
|
%{_sbindir}/ipa-cacert-manage
|
2013-10-16 02:26:39 -05:00
|
|
|
%{_libexecdir}/certmonger/dogtag-ipa-ca-renew-agent-submit
|
2013-04-11 13:03:25 -05:00
|
|
|
%{_libexecdir}/ipa-otpd
|
2012-02-06 12:15:06 -06:00
|
|
|
%config(noreplace) %{_sysconfdir}/sysconfig/ipa_memcached
|
|
|
|
%dir %attr(0700,apache,apache) %{_localstatedir}/run/ipa_memcached/
|
2012-10-31 13:10:41 -05:00
|
|
|
%dir %attr(0700,root,root) %{_localstatedir}/run/ipa/
|
2012-11-14 09:45:41 -06:00
|
|
|
# NOTE: systemd specific section
|
2014-09-08 08:57:50 -05:00
|
|
|
%{_tmpfilesdir}/%{name}.conf
|
2011-10-21 08:44:36 -05:00
|
|
|
%attr(644,root,root) %{_unitdir}/ipa.service
|
2012-02-06 12:15:06 -06:00
|
|
|
%attr(644,root,root) %{_unitdir}/ipa_memcached.service
|
2013-04-11 13:03:25 -05:00
|
|
|
%attr(644,root,root) %{_unitdir}/ipa-otpd.socket
|
|
|
|
%attr(644,root,root) %{_unitdir}/ipa-otpd@.service
|
2012-11-14 09:45:41 -06:00
|
|
|
# END
|
2011-01-05 14:51:56 -06:00
|
|
|
%dir %{python_sitelib}/ipaserver
|
2012-06-12 07:58:50 -05:00
|
|
|
%dir %{python_sitelib}/ipaserver/install
|
|
|
|
%dir %{python_sitelib}/ipaserver/install/plugins
|
2013-06-10 07:43:24 -05:00
|
|
|
%dir %{python_sitelib}/ipaserver/advise
|
|
|
|
%dir %{python_sitelib}/ipaserver/advise/plugins
|
2012-06-12 07:58:50 -05:00
|
|
|
%dir %{python_sitelib}/ipaserver/plugins
|
2012-04-10 14:21:08 -05:00
|
|
|
%dir %{_libdir}/ipa/certmonger
|
|
|
|
%attr(755,root,root) %{_libdir}/ipa/certmonger/*
|
2009-02-02 12:50:53 -06:00
|
|
|
%dir %{_usr}/share/ipa
|
2010-03-01 22:41:41 -06:00
|
|
|
%{_usr}/share/ipa/wsgi.py*
|
Fix schema replication from old masters
The new merged database will replicate with both the IPA and CA trees, so all
DS instances (IPA and CA on the existing master, and the merged one on the
replica) need to have the same schema.
Dogtag does all its schema modifications online. Those are replicated normally.
The basic IPA schema, however, is delivered in ldif files, which are not
replicated. The files are not present on old CA DS instances. Any schema
update that references objects in these files will fail.
The whole 99user.ldif (i.e. changes introduced dynamically over LDAP) is
replicated as a blob. If we updated the old master's CA schema dynamically
during replica install, it would conflict with updates done during the
installation: the one with the lower CSN would get lost.
Dogtag's spawn script recently grew a new flag, 'pki_clone_replicate_schema'.
Turning it off tells Dogtag to create its schema in the clone, where the IPA
modifications are taking place, so that it is not overwritten by the IPA schema
on replication.
The patch solves the problems by:
- In __spawn_instance, turning off the pki_clone_replicate_schema flag.
- Providing a script to copy the IPA schema files to the CA DS instance.
The script needs to be copied to old masters and run there.
- At replica CA install, checking if the schema is updated, and failing if not.
The --skip-schema-check option is added to ipa-{replica,ca}-install to
override the check.
All pre-3.1 CA servers in a domain will have to have the script run on them to
avoid schema replication errors.
https://fedorahosted.org/freeipa/ticket/3213
2012-10-24 03:37:16 -05:00
|
|
|
%{_usr}/share/ipa/copy-schema-to-ca.py*
|
2009-02-02 12:50:53 -06:00
|
|
|
%{_usr}/share/ipa/*.ldif
|
|
|
|
%{_usr}/share/ipa/*.uldif
|
|
|
|
%{_usr}/share/ipa/*.template
|
2013-08-01 07:12:39 -05:00
|
|
|
%dir %{_usr}/share/ipa/advise
|
|
|
|
%dir %{_usr}/share/ipa/advise/legacy
|
|
|
|
%{_usr}/share/ipa/advise/legacy/*.template
|
2012-10-02 09:47:28 -05:00
|
|
|
%dir %{_usr}/share/ipa/ffextension
|
|
|
|
%{_usr}/share/ipa/ffextension/bootstrap.js
|
|
|
|
%{_usr}/share/ipa/ffextension/install.rdf
|
|
|
|
%{_usr}/share/ipa/ffextension/chrome.manifest
|
|
|
|
%dir %{_usr}/share/ipa/ffextension/chrome
|
|
|
|
%dir %{_usr}/share/ipa/ffextension/chrome/content
|
|
|
|
%{_usr}/share/ipa/ffextension/chrome/content/kerberosauth.js
|
|
|
|
%{_usr}/share/ipa/ffextension/chrome/content/kerberosauth_overlay.xul
|
|
|
|
%dir %{_usr}/share/ipa/ffextension/locale
|
|
|
|
%dir %{_usr}/share/ipa/ffextension/locale/en-US
|
|
|
|
%{_usr}/share/ipa/ffextension/locale/en-US/kerberosauth.properties
|
2009-02-02 12:50:53 -06:00
|
|
|
%dir %{_usr}/share/ipa/html
|
2012-10-01 10:36:42 -05:00
|
|
|
%{_usr}/share/ipa/html/ffconfig.js
|
|
|
|
%{_usr}/share/ipa/html/ffconfig_page.js
|
2009-02-02 12:50:53 -06:00
|
|
|
%{_usr}/share/ipa/html/ssbrowser.html
|
2011-01-25 13:44:42 -06:00
|
|
|
%{_usr}/share/ipa/html/browserconfig.html
|
2009-02-02 12:50:53 -06:00
|
|
|
%{_usr}/share/ipa/html/unauthorized.html
|
2010-01-12 09:40:09 -06:00
|
|
|
%dir %{_usr}/share/ipa/migration
|
|
|
|
%{_usr}/share/ipa/migration/error.html
|
|
|
|
%{_usr}/share/ipa/migration/index.html
|
|
|
|
%{_usr}/share/ipa/migration/invalid.html
|
|
|
|
%{_usr}/share/ipa/migration/migration.py*
|
2011-01-19 11:26:14 -06:00
|
|
|
%dir %{_usr}/share/ipa/ui
|
|
|
|
%{_usr}/share/ipa/ui/index.html
|
2012-06-08 09:38:17 -05:00
|
|
|
%{_usr}/share/ipa/ui/reset_password.html
|
2014-06-05 11:50:03 -05:00
|
|
|
%{_usr}/share/ipa/ui/sync_otp.html
|
2011-08-02 12:42:42 -05:00
|
|
|
%{_usr}/share/ipa/ui/*.ico
|
2011-01-19 11:26:14 -06:00
|
|
|
%{_usr}/share/ipa/ui/*.css
|
|
|
|
%{_usr}/share/ipa/ui/*.js
|
2013-12-04 09:15:20 -06:00
|
|
|
%dir %{_usr}/share/ipa/ui/css
|
2013-10-10 06:41:31 -05:00
|
|
|
%{_usr}/share/ipa/ui/css/*.css
|
2013-11-27 07:20:22 -06:00
|
|
|
%dir %{_usr}/share/ipa/ui/js
|
2012-11-23 10:19:37 -06:00
|
|
|
%dir %{_usr}/share/ipa/ui/js/dojo
|
|
|
|
%{_usr}/share/ipa/ui/js/dojo/dojo.js
|
|
|
|
%dir %{_usr}/share/ipa/ui/js/libs
|
|
|
|
%{_usr}/share/ipa/ui/js/libs/*.js
|
|
|
|
%dir %{_usr}/share/ipa/ui/js/freeipa
|
|
|
|
%{_usr}/share/ipa/ui/js/freeipa/app.js
|
2014-06-05 10:12:41 -05:00
|
|
|
%{_usr}/share/ipa/ui/js/freeipa/core.js
|
2013-03-20 11:28:17 -05:00
|
|
|
%dir %{_usr}/share/ipa/ui/js/plugins
|
2011-10-26 16:06:17 -05:00
|
|
|
%dir %{_usr}/share/ipa/ui/images
|
2013-11-13 09:02:48 -06:00
|
|
|
%{_usr}/share/ipa/ui/images/*.jpg
|
2011-10-26 16:06:17 -05:00
|
|
|
%{_usr}/share/ipa/ui/images/*.png
|
2013-04-23 12:54:21 -05:00
|
|
|
%dir %{_usr}/share/ipa/wsgi
|
|
|
|
%{_usr}/share/ipa/wsgi/plugins.py*
|
|
|
|
%dir %{_sysconfdir}/ipa
|
2009-02-02 12:50:53 -06:00
|
|
|
%dir %{_sysconfdir}/ipa/html
|
2012-10-01 10:36:42 -05:00
|
|
|
%config(noreplace) %{_sysconfdir}/ipa/html/ffconfig.js
|
|
|
|
%config(noreplace) %{_sysconfdir}/ipa/html/ffconfig_page.js
|
2009-02-02 12:50:53 -06:00
|
|
|
%config(noreplace) %{_sysconfdir}/ipa/html/ssbrowser.html
|
|
|
|
%config(noreplace) %{_sysconfdir}/ipa/html/unauthorized.html
|
2011-01-25 13:44:42 -06:00
|
|
|
%config(noreplace) %{_sysconfdir}/ipa/html/browserconfig.html
|
2009-09-16 12:04:14 -05:00
|
|
|
%ghost %attr(0644,root,apache) %config(noreplace) %{_sysconfdir}/httpd/conf.d/ipa-rewrite.conf
|
|
|
|
%ghost %attr(0644,root,apache) %config(noreplace) %{_sysconfdir}/httpd/conf.d/ipa.conf
|
2011-08-17 14:36:18 -05:00
|
|
|
%ghost %attr(0644,root,apache) %config(noreplace) %{_sysconfdir}/httpd/conf.d/ipa-pki-proxy.conf
|
2009-02-02 12:50:53 -06:00
|
|
|
%{_usr}/share/ipa/ipa.conf
|
|
|
|
%{_usr}/share/ipa/ipa-rewrite.conf
|
2011-08-17 14:36:18 -05:00
|
|
|
%{_usr}/share/ipa/ipa-pki-proxy.conf
|
2012-01-31 11:32:47 -06:00
|
|
|
%ghost %attr(0644,root,apache) %config(noreplace) %{_usr}/share/ipa/html/ca.crt
|
|
|
|
%ghost %attr(0644,root,apache) %{_usr}/share/ipa/html/configure.jar
|
2012-10-04 10:08:17 -05:00
|
|
|
%ghost %attr(0644,root,apache) %{_usr}/share/ipa/html/kerberosauth.xpi
|
2012-01-31 11:32:47 -06:00
|
|
|
%ghost %attr(0644,root,apache) %{_usr}/share/ipa/html/krb.con
|
2012-10-04 10:08:17 -05:00
|
|
|
%ghost %attr(0644,root,apache) %{_usr}/share/ipa/html/krb.js
|
2012-01-31 11:32:47 -06:00
|
|
|
%ghost %attr(0644,root,apache) %{_usr}/share/ipa/html/krb5.ini
|
|
|
|
%ghost %attr(0644,root,apache) %{_usr}/share/ipa/html/krbrealm.con
|
|
|
|
%ghost %attr(0644,root,apache) %{_usr}/share/ipa/html/preferences.html
|
2009-02-02 12:50:53 -06:00
|
|
|
%dir %{_usr}/share/ipa/updates/
|
|
|
|
%{_usr}/share/ipa/updates/*
|
|
|
|
%attr(755,root,root) %{plugin_dir}/libipa_pwd_extop.so
|
2009-09-14 16:04:08 -05:00
|
|
|
%attr(755,root,root) %{plugin_dir}/libipa_enrollment_extop.so
|
2009-02-02 12:50:53 -06:00
|
|
|
%attr(755,root,root) %{plugin_dir}/libipa_winsync.so
|
2010-06-24 09:31:52 -05:00
|
|
|
%attr(755,root,root) %{plugin_dir}/libipa_repl_version.so
|
2010-10-15 09:49:29 -05:00
|
|
|
%attr(755,root,root) %{plugin_dir}/libipa_uuid.so
|
2010-10-19 16:11:31 -05:00
|
|
|
%attr(755,root,root) %{plugin_dir}/libipa_modrdn.so
|
2011-01-18 13:58:58 -06:00
|
|
|
%attr(755,root,root) %{plugin_dir}/libipa_lockout.so
|
2011-11-09 18:03:48 -06:00
|
|
|
%attr(755,root,root) %{plugin_dir}/libipa_cldap.so
|
2013-03-08 11:54:58 -06:00
|
|
|
%attr(755,root,root) %{plugin_dir}/libipa_dns.so
|
2012-06-18 14:25:31 -05:00
|
|
|
%attr(755,root,root) %{plugin_dir}/libipa_range_check.so
|
2013-12-16 15:19:08 -06:00
|
|
|
%attr(755,root,root) %{plugin_dir}/libipa_otp_lasttoken.so
|
2009-02-02 12:50:53 -06:00
|
|
|
%dir %{_localstatedir}/lib/ipa
|
2013-04-16 02:44:28 -05:00
|
|
|
%attr(700,root,root) %dir %{_localstatedir}/lib/ipa/backup
|
2009-02-02 12:50:53 -06:00
|
|
|
%attr(700,root,root) %dir %{_localstatedir}/lib/ipa/sysrestore
|
2012-06-08 01:31:37 -05:00
|
|
|
%attr(700,root,root) %dir %{_localstatedir}/lib/ipa/sysupgrade
|
2012-10-08 08:58:48 -05:00
|
|
|
%attr(755,root,root) %dir %{_localstatedir}/lib/ipa/pki-ca
|
2013-07-16 05:10:54 -05:00
|
|
|
%ghost %{_localstatedir}/lib/ipa/pki-ca/publish
|
2011-05-19 15:24:57 -05:00
|
|
|
%attr(755,root,root) %{_libdir}/krb5/plugins/kdb/ipadb.so
|
2011-05-22 12:17:07 -05:00
|
|
|
%{_mandir}/man1/ipa-replica-conncheck.1.gz
|
2009-02-02 12:50:53 -06:00
|
|
|
%{_mandir}/man1/ipa-replica-install.1.gz
|
|
|
|
%{_mandir}/man1/ipa-replica-manage.1.gz
|
2011-07-14 22:35:01 -05:00
|
|
|
%{_mandir}/man1/ipa-csreplica-manage.1.gz
|
2009-02-02 12:50:53 -06:00
|
|
|
%{_mandir}/man1/ipa-replica-prepare.1.gz
|
|
|
|
%{_mandir}/man1/ipa-server-certinstall.1.gz
|
|
|
|
%{_mandir}/man1/ipa-server-install.1.gz
|
2011-01-10 09:37:45 -06:00
|
|
|
%{_mandir}/man1/ipa-dns-install.1.gz
|
2011-06-17 15:47:39 -05:00
|
|
|
%{_mandir}/man1/ipa-ca-install.1.gz
|
2014-08-24 11:19:55 -05:00
|
|
|
%{_mandir}/man1/ipa-kra-install.1.gz
|
2011-02-11 13:05:20 -06:00
|
|
|
%{_mandir}/man1/ipa-compat-manage.1.gz
|
|
|
|
%{_mandir}/man1/ipa-nis-manage.1.gz
|
2011-09-20 11:13:42 -05:00
|
|
|
%{_mandir}/man1/ipa-managed-entries.1.gz
|
2011-02-11 13:05:20 -06:00
|
|
|
%{_mandir}/man1/ipa-ldap-updater.1.gz
|
2009-02-02 12:50:53 -06:00
|
|
|
%{_mandir}/man8/ipactl.8.gz
|
2012-01-20 12:30:25 -06:00
|
|
|
%{_mandir}/man8/ipa-upgradeconfig.8.gz
|
2013-03-13 08:36:41 -05:00
|
|
|
%{_mandir}/man1/ipa-backup.1.gz
|
|
|
|
%{_mandir}/man1/ipa-restore.1.gz
|
2013-06-10 07:43:24 -05:00
|
|
|
%{_mandir}/man1/ipa-advise.1.gz
|
2014-06-25 01:46:39 -05:00
|
|
|
%{_mandir}/man1/ipa-otptoken-import.1.gz
|
2014-03-13 04:28:27 -05:00
|
|
|
%{_mandir}/man1/ipa-cacert-manage.1.gz
|
2009-02-02 12:50:53 -06:00
|
|
|
|
2012-02-28 05:24:41 -06:00
|
|
|
%files server-trust-ad
|
2012-06-12 07:58:50 -05:00
|
|
|
%{_sbindir}/ipa-adtrust-install
|
2011-11-30 06:29:10 -06:00
|
|
|
%attr(755,root,root) %{plugin_dir}/libipa_extdom_extop.so
|
2012-02-28 05:24:41 -06:00
|
|
|
%{_usr}/share/ipa/smb.conf.empty
|
2012-06-12 07:58:50 -05:00
|
|
|
%attr(755,root,root) %{_libdir}/samba/pdb/ipasam.so
|
2012-06-21 05:54:34 -05:00
|
|
|
%attr(755,root,root) %{plugin_dir}/libipa_sidgen.so
|
|
|
|
%attr(755,root,root) %{plugin_dir}/libipa_sidgen_task.so
|
2012-06-12 07:58:50 -05:00
|
|
|
%{_mandir}/man1/ipa-adtrust-install.1.gz
|
|
|
|
%{python_sitelib}/ipaserver/dcerpc*
|
|
|
|
%{python_sitelib}/ipaserver/install/adtrustinstance*
|
2012-10-10 01:46:08 -05:00
|
|
|
%ghost %{_libdir}/krb5/plugins/libkrb5/winbind_krb5_locator.so
|
2013-12-03 10:14:00 -06:00
|
|
|
|
2013-08-13 03:56:26 -05:00
|
|
|
%endif # ONLY_CLIENT
|
2009-02-02 12:50:53 -06:00
|
|
|
|
|
|
|
%files client
|
2011-01-25 10:03:40 -06:00
|
|
|
%defattr(-,root,root,-)
|
2010-12-09 06:59:11 -06:00
|
|
|
%doc COPYING README Contributors.txt
|
2009-02-02 12:50:53 -06:00
|
|
|
%{_sbindir}/ipa-client-install
|
2012-05-29 13:20:38 -05:00
|
|
|
%{_sbindir}/ipa-client-automount
|
2014-06-27 05:31:50 -05:00
|
|
|
%{_sbindir}/ipa-certupdate
|
2009-02-02 12:50:53 -06:00
|
|
|
%{_sbindir}/ipa-getkeytab
|
2009-12-04 15:29:09 -06:00
|
|
|
%{_sbindir}/ipa-rmkeytab
|
2009-09-14 16:04:08 -05:00
|
|
|
%{_sbindir}/ipa-join
|
2009-02-02 12:50:53 -06:00
|
|
|
%dir %{_usr}/share/ipa
|
|
|
|
%dir %{_localstatedir}/lib/ipa-client
|
|
|
|
%dir %{_localstatedir}/lib/ipa-client/sysrestore
|
|
|
|
%dir %{python_sitelib}/ipaclient
|
|
|
|
%{python_sitelib}/ipaclient/*.py*
|
|
|
|
%{_mandir}/man1/ipa-getkeytab.1.gz
|
2009-12-04 15:29:09 -06:00
|
|
|
%{_mandir}/man1/ipa-rmkeytab.1.gz
|
2009-02-02 12:50:53 -06:00
|
|
|
%{_mandir}/man1/ipa-client-install.1.gz
|
2012-05-29 13:20:38 -05:00
|
|
|
%{_mandir}/man1/ipa-client-automount.1.gz
|
2014-06-27 05:31:50 -05:00
|
|
|
%{_mandir}/man1/ipa-certupdate.1.gz
|
2009-10-08 10:10:21 -05:00
|
|
|
%{_mandir}/man1/ipa-join.1.gz
|
2011-02-23 10:55:32 -06:00
|
|
|
%{_mandir}/man5/default.conf.5.gz
|
2009-02-02 12:50:53 -06:00
|
|
|
|
|
|
|
%files admintools
|
|
|
|
%defattr(-,root,root,-)
|
2011-01-25 10:03:40 -06:00
|
|
|
%doc COPYING README Contributors.txt
|
2009-02-04 09:50:52 -06:00
|
|
|
%{_bindir}/ipa
|
2011-01-27 16:02:24 -06:00
|
|
|
%config %{_sysconfdir}/bash_completion.d
|
2010-03-29 07:25:57 -05:00
|
|
|
%{_mandir}/man1/ipa.1.gz
|
2009-02-02 12:50:53 -06:00
|
|
|
|
2010-02-09 12:14:25 -06:00
|
|
|
%files python -f %{gettext_domain}.lang
|
2009-02-02 12:50:53 -06:00
|
|
|
%defattr(-,root,root,-)
|
2011-01-25 10:03:40 -06:00
|
|
|
%doc COPYING README Contributors.txt
|
2009-02-05 14:03:08 -06:00
|
|
|
%dir %{python_sitelib}/ipapython
|
|
|
|
%{python_sitelib}/ipapython/*.py*
|
2011-01-05 14:51:56 -06:00
|
|
|
%dir %{python_sitelib}/ipalib
|
2009-05-21 14:25:57 -05:00
|
|
|
%{python_sitelib}/ipalib/*
|
2014-06-02 00:50:12 -05:00
|
|
|
%dir %{python_sitelib}/ipaplatform
|
2014-06-19 08:09:37 -05:00
|
|
|
%{python_sitelib}/ipaplatform/*
|
2013-08-13 03:59:57 -05:00
|
|
|
%attr(0644,root,root) %{python_sitearch}/default_encoding_utf8.so
|
2009-02-05 14:03:08 -06:00
|
|
|
%{python_sitelib}/ipapython-*.egg-info
|
2009-10-12 15:00:00 -05:00
|
|
|
%{python_sitelib}/freeipa-*.egg-info
|
2014-09-17 04:49:51 -05:00
|
|
|
%{python_sitelib}/ipaplatform-*.egg-info
|
2010-10-06 12:41:26 -05:00
|
|
|
%{python_sitearch}/python_default_encoding-*.egg-info
|
2013-04-22 04:22:42 -05:00
|
|
|
%dir %attr(0755,root,root) %{_sysconfdir}/ipa/
|
2011-01-27 16:02:24 -06:00
|
|
|
%ghost %attr(0644,root,apache) %config(noreplace) %{_sysconfdir}/ipa/default.conf
|
2012-01-31 11:32:47 -06:00
|
|
|
%ghost %attr(0644,root,apache) %config(noreplace) %{_sysconfdir}/ipa/ca.crt
|
2009-02-02 12:50:53 -06:00
|
|
|
|
2013-05-21 06:40:27 -05:00
|
|
|
%if ! %{ONLY_CLIENT}
|
|
|
|
%files tests -f tests-python.list
|
|
|
|
%defattr(-,root,root,-)
|
|
|
|
%doc COPYING README Contributors.txt
|
|
|
|
%dir %{python_sitelib}/ipatests
|
|
|
|
%dir %{python_sitelib}/ipatests/test_cmdline
|
|
|
|
%dir %{python_sitelib}/ipatests/test_install
|
|
|
|
%dir %{python_sitelib}/ipatests/test_ipalib
|
|
|
|
%dir %{python_sitelib}/ipatests/test_ipapython
|
|
|
|
%dir %{python_sitelib}/ipatests/test_ipaserver
|
2012-04-20 06:03:16 -05:00
|
|
|
%dir %{python_sitelib}/ipatests/test_ipaserver/test_install
|
2014-07-02 09:35:27 -05:00
|
|
|
%dir %{python_sitelib}/ipatests/test_ipaserver/data
|
2013-05-21 06:40:27 -05:00
|
|
|
%dir %{python_sitelib}/ipatests/test_pkcs10
|
2013-05-24 06:48:53 -05:00
|
|
|
%dir %{python_sitelib}/ipatests/test_webui
|
2013-05-21 06:40:27 -05:00
|
|
|
%dir %{python_sitelib}/ipatests/test_xmlrpc
|
2013-05-22 04:08:10 -05:00
|
|
|
%{_bindir}/ipa-run-tests
|
2013-05-24 12:55:21 -05:00
|
|
|
%{_bindir}/ipa-test-config
|
2013-06-27 03:47:58 -05:00
|
|
|
%{_bindir}/ipa-test-task
|
2013-05-21 06:40:27 -05:00
|
|
|
%{python_sitelib}/ipatests-*.egg-info
|
2013-08-13 11:32:36 -05:00
|
|
|
%{_mandir}/man1/ipa-run-tests.1.gz
|
|
|
|
%{_mandir}/man1/ipa-test-config.1.gz
|
|
|
|
%{_mandir}/man1/ipa-test-task.1.gz
|
2013-08-13 03:56:26 -05:00
|
|
|
%endif # ONLY_CLIENT
|
2013-05-21 06:40:27 -05:00
|
|
|
|
2009-02-02 12:50:53 -06:00
|
|
|
%changelog
|
2013-11-26 06:06:07 -06:00
|
|
|
* Tue Nov 26 2013 Petr Viktorin <pviktori@redhat.com> - __VERSION__-__RELEASE__
|
|
|
|
- Remove changelog. The history is kept in Git, downstreams have own logs.
|
|
|
|
# note, this entry is here to placate tools that expect a non-empty changelog
|