Get merged tree into an installalble state.

I have only tested the all, rpms and *clean targets directly.
install may work but the rpm moves a lot of things around for us.

The Apache configuration file isn't in its final state but it works
with the new mod_python configuration.

Makefile

@@ -1,6 +1,6 @@
 include VERSION
 
-SUBDIRS=ipa-server ipa-admintools ipa-python ipa-client ipa-radius-server ipa-radius-admintools
+SUBDIRS=daemons install ipa-python ipa-client ipa-radius-server ipa-radius-admintools
 
 PRJ_PREFIX=ipa
 
@@ -29,47 +29,31 @@ endif # rc
 endif # pre
 endif # ipa_version
 
-SERV_TARBALL_PREFIX=$(PRJ_PREFIX)-server-$(IPA_VERSION)
+TARBALL_PREFIX=freeipa-$(IPA_VERSION)
-SERV_TARBALL=$(SERV_TARBALL_PREFIX).tgz
+TARBALL=$(TARBALL_PREFIX).tar.gz
-
-ADMIN_TARBALL_PREFIX=$(PRJ_PREFIX)-admintools-$(IPA_VERSION)
-ADMIN_TARBALL=$(ADMIN_TARBALL_PREFIX).tgz
-
-PYTHON_TARBALL_PREFIX=$(PRJ_PREFIX)-python-$(IPA_VERSION)
-PYTHON_TARBALL=$(PYTHON_TARBALL_PREFIX).tgz
-
-CLI_TARBALL_PREFIX=$(PRJ_PREFIX)-client-$(IPA_VERSION)
-CLI_TARBALL=$(CLI_TARBALL_PREFIX).tgz
-
-RADIUS_SERVER_TARBALL_PREFIX=$(PRJ_PREFIX)-radius-server-$(IPA_VERSION)
-RADIUS_SERVER_TARBALL=$(RADIUS_SERVER_TARBALL_PREFIX).tgz
-
-RADIUS_ADMINTOOLS_TARBALL_PREFIX=$(PRJ_PREFIX)-radius-admintools-$(IPA_VERSION)
-RADIUS_ADMINTOOLS_TARBALL=$(RADIUS_ADMINTOOLS_TARBALL_PREFIX).tgz
-
-SERV_SELINUX_TARBALL_PREFIX=$(PRJ_PREFIX)-server-selinux-$(IPA_VERSION)
-SERV_SELINUX_TARBALL=$(SERV_SELINUX_TARBALL_PREFIX).tgz
 
 IPA_RPM_RELEASE=$(shell cat RELEASE)
 
 LIBDIR ?= /usr/lib
 
-all: bootstrap-autogen
+all: bootstrap-autogen server
 	@for subdir in $(SUBDIRS); do \
 		(cd $$subdir && $(MAKE) $@) || exit 1; \
 	done
 
 bootstrap-autogen: version-update
 	@echo "Building IPA $(IPA_VERSION)"
-	cd ipa-server; if [ ! -e Makefile ]; then ./autogen.sh --prefix=/usr --sysconfdir=/etc --localstatedir=/var --libdir=$(LIBDIR); fi
+	cd daemons; if [ ! -e Makefile ]; then ./autogen.sh --prefix=/usr --sysconfdir=/etc --localstatedir=/var --libdir=$(LIBDIR); fi
+	cd install; if [ ! -e Makefile ]; then ./autogen.sh --prefix=/usr --sysconfdir=/etc --localstatedir=/var --libdir=$(LIBDIR); fi
 	cd ipa-client; if [ ! -e Makefile ]; then ./autogen.sh --prefix=/usr --sysconfdir=/etc --localstatedir=/var --libdir=$(LIBDIR); fi
 
 autogen: version-update
 	@echo "Building IPA $(IPA_VERSION)"
-	cd ipa-server; ./autogen.sh --prefix=/usr --sysconfdir=/etc --localstatedir=/var --libdir=$(LIBDIR)
+	cd daemons; ./autogen.sh --prefix=/usr --sysconfdir=/etc --localstatedir=/var --libdir=$(LIBDIR); fi
+	cd install; ./autogen.sh --prefix=/usr --sysconfdir=/etc --localstatedir=/var --libdir=$(LIBDIR); fi
 	cd ipa-client; ./autogen.sh --prefix=/usr --sysconfdir=/etc --localstatedir=/var --libdir=$(LIBDIR)
 
-install: all
+install: all server-install
 	@for subdir in $(SUBDIRS); do \
 		(cd $$subdir && $(MAKE) $@) || exit 1; \
 	done
@@ -84,32 +68,9 @@ release-update:
 
 version-update: release-update
 	sed -e s/__VERSION__/$(IPA_VERSION)/ -e s/__RELEASE__/$(IPA_RPM_RELEASE)/ \
-		ipa-server/ipa-server.spec.in > ipa-server/ipa-server.spec
+		ipa.spec.in > ipa.spec
-	sed -e s/__VERSION__/$(IPA_VERSION)/ ipa-server/version.m4.in \
+	sed -e s/__VERSION__/$(IPA_VERSION)/ version.m4.in \
-		> ipa-server/version.m4
+		> version.m4
-
-	sed -e s/__VERSION__/$(IPA_VERSION)/ -e s/__RELEASE__/$(IPA_RPM_RELEASE)/ \
-		ipa-admintools/ipa-admintools.spec.in > ipa-admintools/ipa-admintools.spec
-
-	sed -e s/__VERSION__/$(IPA_VERSION)/ -e s/__RELEASE__/$(IPA_RPM_RELEASE)/ \
-		ipa-python/ipa-python.spec.in > ipa-python/ipa-python.spec
-
-	sed -e s/__VERSION__/$(IPA_VERSION)/ -e s/__RELEASE__/$(IPA_RPM_RELEASE)/ \
-		ipa-client/ipa-client.spec.in > ipa-client/ipa-client.spec
-	sed -e s/__VERSION__/$(IPA_VERSION)/ ipa-client/version.m4.in \
-		> ipa-client/version.m4
-
-	sed -e s/__VERSION__/$(IPA_VERSION)/ -e s/__RELEASE__/$(IPA_RPM_RELEASE)/ \
-		ipa-radius-server/ipa-radius-server.spec.in \
-		> ipa-radius-server/ipa-radius-server.spec
-
-	sed -e s/__VERSION__/$(IPA_VERSION)/ -e s/__RELEASE__/$(IPA_RPM_RELEASE)/ \
-		ipa-radius-admintools/ipa-radius-admintools.spec.in \
-		> ipa-radius-admintools/ipa-radius-admintools.spec
-
-	sed -e s/__VERSION__/$(IPA_VERSION)/ -e s/__RELEASE__/$(IPA_RPM_RELEASE)/ \
-		ipa-server/selinux/ipa-server-selinux.spec.in \
-		> ipa-server/selinux/ipa-server-selinux.spec
 
 	sed -e s/__VERSION__/$(IPA_VERSION)/ ipa-python/setup.py.in \
 		> ipa-python/setup.py
@@ -117,63 +78,40 @@ version-update: release-update
 		> ipa-python/version.py
 	perl -pi -e "s:__NUM_VERSION__:$(IPA_VERSION_MAJOR)$(IPA_VERSION_MINOR)$(IPA_VERSION_RELEASE):" ipa-python/version.py
 
+	sed -e s/__VERSION__/$(IPA_VERSION)/ -e s/__RELEASE__/$(IPA_RPM_RELEASE)/ \
+		ipa-client/ipa-client.spec.in > ipa-client/ipa-client.spec
+	sed -e s/__VERSION__/$(IPA_VERSION)/ ipa-client/version.m4.in \
+		> ipa-client/version.m4
+
+server:
+	python setup.py build
+
+server-install: server
+	 if [ "$(DESTDIR)" = "" ]; then \
+		python setup.py install; \
+	else \
+		python setup.py install --root $(DESTDIR); \
+	fi
+
 archive:
 	-mkdir -p dist
 	git archive --format=tar --prefix=ipa/ $(TARGET) | (cd dist && tar xf -)
 
 local-archive:
-	-mkdir -p dist/ipa
+	-mkdir -p dist/$(TARBALL_PREFIX)
-	@for subdir in $(SUBDIRS); do \
+	rsync -a --exclude=dist --exclude=.git --exclude=build --exclude=rpmbuild . dist/$(TARBALL_PREFIX)
-		cp -pr $$subdir dist/ipa/.; \
-	done
 
 archive-cleanup:
-	rm -fr dist/ipa
+	rm -fr dist/freeipa
 
-tarballs:
+tarballs: local-archive
 	-mkdir -p dist/sources
-
+	# tar up clean sources
-        # ipa-server
+	cd dist/$(TARBALL_PREFIX)/ipa-client; ./autogen.sh --prefix=/usr --sysconfdir=/etc --localstatedir=/var --libdir=$(LIBDIR); make distclean
-	mv dist/ipa/ipa-server dist/$(SERV_TARBALL_PREFIX)
+	cd dist/$(TARBALL_PREFIX)/daemons; ./autogen.sh --prefix=/usr --sysconfdir=/etc --localstatedir=/var --libdir=$(LIBDIR); make distclean
-	rm -f dist/sources/$(SERV_TARBALL)
+	cd dist/$(TARBALL_PREFIX)/install; ./autogen.sh --prefix=/usr --sysconfdir=/etc --localstatedir=/var --libdir=$(LIBDIR); make distclean
-	cd dist/$(SERV_TARBALL_PREFIX); ./autogen.sh --prefix=/usr --sysconfdir=/etc --localstatedir=/var --libdir=$(LIBDIR); make distclean
+	cd dist; tar cfz sources/$(TARBALL) $(TARBALL_PREFIX)
-	cd dist; tar cfz sources/$(SERV_TARBALL) $(SERV_TARBALL_PREFIX)
+	rm -rf dist/$(TARBALL_PREFIX)
-	rm -fr dist/$(SERV_TARBALL_PREFIX)
-
-        # ipa-admintools
-	mv dist/ipa/ipa-admintools dist/$(ADMIN_TARBALL_PREFIX)
-	rm -f dist/sources/$(ADMIN_TARBALL)
-	cd dist; tar cfz sources/$(ADMIN_TARBALL) $(ADMIN_TARBALL_PREFIX)
-	rm -fr dist/$(ADMIN_TARBALL_PREFIX)
-
-        # ipa-python
-	mv dist/ipa/ipa-python dist/$(PYTHON_TARBALL_PREFIX)
-	rm -f dist/sources/$(PYTHON_TARBALL)
-	cd dist; tar cfz sources/$(PYTHON_TARBALL) $(PYTHON_TARBALL_PREFIX)
-	rm -fr dist/$(PYTHON_TARBALL_PREFIX)
-
-        # ipa-client
-	mv dist/ipa/ipa-client dist/$(CLI_TARBALL_PREFIX)
-	rm -f dist/sources/$(CLI_TARBALL)
-	cd dist/$(CLI_TARBALL_PREFIX); ./autogen.sh --prefix=/usr --sysconfdir=/etc --localstatedir=/var --libdir=$(LIBDIR); make distclean
-	cd dist; tar cfz sources/$(CLI_TARBALL) $(CLI_TARBALL_PREFIX)
-	rm -fr dist/$(CLI_TARBALL_PREFIX)
-
-        # ipa-radius-server
-	mv dist/ipa/ipa-radius-server dist/$(RADIUS_SERVER_TARBALL_PREFIX)
-	rm -f dist/sources/$(RADIUS_SERVER_TARBALL)
-	cd dist; tar cfz sources/$(RADIUS_SERVER_TARBALL) $(RADIUS_SERVER_TARBALL_PREFIX)
-	rm -fr dist/$(RADIUS_SERVER_TARBALL_PREFIX)
-
-        # ipa-radius-admintools
-	mv dist/ipa/ipa-radius-admintools dist/$(RADIUS_ADMINTOOLS_TARBALL_PREFIX)
-	rm -f dist/sources/$(RADIUS_ADMINTOOLS_TARBALL)
-	cd dist; tar cfz sources/$(RADIUS_ADMINTOOLS_TARBALL) $(RADIUS_ADMINTOOLS_TARBALL_PREFIX)
-	rm -fr dist/$(RADIUS_ADMINTOOLS_TARBALL_PREFIX)
-
-	# ipa-server/selinux
-	cp dist/sources/$(SERV_TARBALL) dist/sources/$(SERV_SELINUX_TARBALL)
-
 
 rpmroot:
 	mkdir -p $(RPMBUILD)/BUILD
@@ -186,49 +124,11 @@ rpmdistdir:
 	mkdir -p dist/rpms
 	mkdir -p dist/srpms
 
-rpm-ipa-server:
+rpms: rpmroot rpmdistdir version-update tarballs
-	cp dist/sources/$(SERV_TARBALL) $(RPMBUILD)/SOURCES/.
+	cp dist/sources/$(TARBALL) $(RPMBUILD)/SOURCES/.
-	rpmbuild --define "_topdir $(RPMBUILD)" -ba ipa-server/ipa-server.spec
+	rpmbuild --define "_topdir $(RPMBUILD)" -ba ipa.spec
-	cp rpmbuild/RPMS/*/$(PRJ_PREFIX)-server-$(IPA_VERSION)-*.rpm dist/rpms/
+	cp rpmbuild/RPMS/*/$(PRJ_PREFIX)-*-$(IPA_VERSION)-*.rpm dist/rpms/
-	cp rpmbuild/SRPMS/$(PRJ_PREFIX)-server-$(IPA_VERSION)-*.src.rpm dist/srpms/
+	cp rpmbuild/SRPMS/$(PRJ_PREFIX)-$(IPA_VERSION)-*.src.rpm dist/srpms/
-
-rpm-ipa-admin:
-	cp dist/sources/$(ADMIN_TARBALL) $(RPMBUILD)/SOURCES/.
-	rpmbuild --define "_topdir $(RPMBUILD)" -ba ipa-admintools/ipa-admintools.spec
-	cp rpmbuild/RPMS/noarch/$(PRJ_PREFIX)-admintools-$(IPA_VERSION)-*.rpm dist/rpms/
-	cp rpmbuild/SRPMS/$(PRJ_PREFIX)-admintools-$(IPA_VERSION)-*.src.rpm dist/srpms/
-
-rpm-ipa-python:
-	cp dist/sources/$(PYTHON_TARBALL) $(RPMBUILD)/SOURCES/.
-	rpmbuild --define "_topdir $(RPMBUILD)" -ba ipa-python/ipa-python.spec
-	cp rpmbuild/RPMS/noarch/$(PRJ_PREFIX)-python-$(IPA_VERSION)-*.rpm dist/rpms/
-	cp rpmbuild/SRPMS/$(PRJ_PREFIX)-python-$(IPA_VERSION)-*.src.rpm dist/srpms/
-
-rpm-ipa-client:
-	cp dist/sources/$(CLI_TARBALL) $(RPMBUILD)/SOURCES/.
-	rpmbuild --define "_topdir $(RPMBUILD)" -ba ipa-client/ipa-client.spec
-	cp rpmbuild/RPMS/*/$(PRJ_PREFIX)-client-$(IPA_VERSION)-*.rpm dist/rpms/
-	cp rpmbuild/SRPMS/$(PRJ_PREFIX)-client-$(IPA_VERSION)-*.src.rpm dist/srpms/
-
-rpm-ipa-radius-server:
-	cp dist/sources/$(RADIUS_SERVER_TARBALL) $(RPMBUILD)/SOURCES/.
-	rpmbuild --define "_topdir $(RPMBUILD)" -ba ipa-radius-server/ipa-radius-server.spec
-	cp rpmbuild/RPMS/noarch/$(PRJ_PREFIX)-radius-server-$(IPA_VERSION)-*.rpm dist/rpms/
-	cp rpmbuild/SRPMS/$(PRJ_PREFIX)-radius-server-$(IPA_VERSION)-*.src.rpm dist/srpms/
-
-rpm-ipa-radius-admintools:
-	cp dist/sources/$(RADIUS_ADMINTOOLS_TARBALL) $(RPMBUILD)/SOURCES/.
-	rpmbuild --define "_topdir $(RPMBUILD)" -ba ipa-radius-admintools/ipa-radius-admintools.spec
-	cp rpmbuild/RPMS/noarch/$(PRJ_PREFIX)-radius-admintools-$(IPA_VERSION)-*.rpm dist/rpms/
-	cp rpmbuild/SRPMS/$(PRJ_PREFIX)-radius-admintools-$(IPA_VERSION)-*.src.rpm dist/srpms/
-
-rpm-ipa-server-selinux:
-	cp dist/sources/$(SERV_SELINUX_TARBALL) $(RPMBUILD)/SOURCES/.
-	rpmbuild --define "_topdir $(RPMBUILD)" -ba ipa-server/selinux/ipa-server-selinux.spec
-	cp rpmbuild/RPMS/*/$(PRJ_PREFIX)-server-selinux-$(IPA_VERSION)-*.rpm dist/rpms/
-	cp rpmbuild/SRPMS/$(PRJ_PREFIX)-server-selinux-$(IPA_VERSION)-*.src.rpm dist/srpms/
-
-rpms: rpmroot rpmdistdir rpm-ipa-server rpm-ipa-admin rpm-ipa-python rpm-ipa-client rpm-ipa-radius-server rpm-ipa-radius-admintools rpm-ipa-server-selinux
 
 repodata:
 	-createrepo -p dist
@@ -248,14 +148,16 @@ distclean: version-update
 	@for subdir in $(SUBDIRS); do \
 		(cd $$subdir && $(MAKE) $@) || exit 1; \
 	done
-	rm -fr rpmbuild dist
+	rm -fr rpmbuild dist build
 
 maintainer-clean: clean
-	rm -fr rpmbuild dist
+	rm -fr rpmbuild dist build
-	cd ipa-server/selinux && $(MAKE) maintainer-clean
+	cd selinux && $(MAKE) maintainer-clean
-	cd ipa-server && $(MAKE) maintainer-clean
+	cd daemons && $(MAKE) maintainer-clean
+	cd install && $(MAKE) maintainer-clean
 	cd ipa-client && $(MAKE) maintainer-clean
 	cd ipa-python && $(MAKE) maintainer-clean
-	cd ipa-admintools && $(MAKE) maintainer-clean
 	cd ipa-radius-admintools && $(MAKE) maintainer-clean
 	cd ipa-radius-server && $(MAKE) maintainer-clean
+	rm -f version.m4
+	rm -f ipa.spec

daemons/Makefile.am

@@ -0,0 +1,35 @@
+# This file will be processed with automake-1.7 to create Makefile.in
+#
+AUTOMAKE_OPTIONS = 1.7
+
+NULL =
+
+SUBDIRS =			\
+	ipa-kpasswd		\
+	ipa-slapi-plugins	\
+	$(NULL)
+
+DISTCLEANFILES =		\
+	$(NULL)
+
+MAINTAINERCLEANFILES =		\
+	*~			\
+	intltool-*.in		\
+	compile			\
+	configure		\
+	COPYING			\
+	INSTALL			\
+	install-sh		\
+	missing			\
+	mkinstalldirs		\
+	config.guess		\
+	ltmain.sh		\
+	config.sub		\
+	depcomp			\
+	Makefile.in		\
+	config.h.*		\
+	aclocal.m4		\
+	version.m4		\
+	ipa-client.spec		\
+	py-compile		\
+	$(NULL)

daemons/autogen.sh

@@ -179,6 +179,9 @@ do_cmd() {
     $@
 }
 
+# I don't want autotools dictating what files I have
+touch NEWS README AUTHORS ChangeLog
+
 do_cmd $LIBTOOLIZE $LIBTOOLIZE_FLAGS
 
 do_cmd $ACLOCAL $ACLOCAL_FLAGS
@@ -189,6 +192,9 @@ do_cmd $AUTOMAKE $AUTOMAKE_FLAGS
 
 do_cmd $AUTOCONF
 
+# I don't want autotools dictating what files I have
+touch NEWS README AUTHORS ChangeLog
+
 cd $ORIGDIR || exit 1
 
 rm -f config.cache

daemons/configure.ac

@@ -0,0 +1,291 @@
+AC_PREREQ(2.59)
+m4_include(../version.m4)
+AC_INIT([ipa-server],
+        IPA_VERSION,
+        [https://hosted.fedoraproject.org/projects/freeipa/newticket])
+
+#AC_CONFIG_SRCDIR([ipaserver/ipaldap.py])
+AC_CONFIG_HEADERS([config.h])
+
+AM_INIT_AUTOMAKE
+
+AM_MAINTAINER_MODE
+AC_PROG_CC
+AC_STDC_HEADERS
+AC_DISABLE_STATIC
+AC_PROG_LIBTOOL
+
+AC_HEADER_STDC
+
+AC_SUBST(VERSION)
+
+dnl ---------------------------------------------------------------------------
+dnl - Check for NSPR
+dnl ---------------------------------------------------------------------------
+AC_CHECK_HEADER(nspr4/nspr.h)
+if test "x$ac_cv_header_nspr4_nspr_h" = "xno" ; then
+	AC_MSG_ERROR([Required NSPR header not available (nspr-devel)])
+fi
+
+dnl ---------------------------------------------------------------------------
+dnl - Check for NSS
+dnl ---------------------------------------------------------------------------
+SAVE_CPPFLAGS=$CPPFLAGS
+CPPFLAGS="-I/usr/include/nspr4"
+AC_CHECK_HEADER(nss3/nss.h)
+CPPFLAGS=$SAVE_CPPFLAGS
+if test "x$ac_cv_header_nss3_nss_h" = "xno" ; then
+	AC_MSG_ERROR([Required NSS header not available (nss-devel)])
+fi
+
+dnl ---------------------------------------------------------------------------
+dnl - Check for DS slapi plugin
+dnl ---------------------------------------------------------------------------
+
+# Need to hack CPPFLAGS to be able to correctly detetct slapi-plugin.h
+SAVE_CPPFLAGS=$CPPFLAGS
+CPPFLAGS="-I/usr/include/nspr4"
+AC_CHECK_HEADER(dirsrv/slapi-plugin.h)
+CPPFLAGS=$SAVE_CPPFLAGS
+
+if test "x$ac_cv_header_dirsrv_slapi_plugin_h" = "xno" ; then
+	AC_MSG_ERROR([Required DS slapi plugin header not available (fedora-ds-base-devel)])
+fi
+
+dnl ---------------------------------------------------------------------------
+dnl - Check for KRB5
+dnl ---------------------------------------------------------------------------
+
+KRB5_LIBS=
+AC_CHECK_HEADER(krb5.h)
+
+krb5_impl=mit
+
+if test "x$ac_cv_header_krb5_h" = "xyes" ; then
+  dnl lazy check for Heimdal Kerberos
+  AC_CHECK_HEADERS(heim_err.h)
+  if test $ac_cv_header_heim_err_h = yes ; then
+    krb5_impl=heimdal
+  else
+    krb5_impl=mit
+  fi
+
+  if test "x$krb5_impl" = "xmit"; then
+    AC_CHECK_LIB(k5crypto, main,
+      [krb5crypto=k5crypto],
+      [krb5crypto=crypto])
+
+    AC_CHECK_LIB(krb5, main,
+      [have_krb5=yes
+	KRB5_LIBS="-lkrb5 -l$krb5crypto -lcom_err"],
+      [have_krb5=no],
+      [-l$krb5crypto -lcom_err])
+
+  elif test "x$krb5_impl" = "xheimdal"; then
+    AC_CHECK_LIB(des, main,
+      [krb5crypto=des],
+      [krb5crypto=crypto])
+
+    AC_CHECK_LIB(krb5, main,
+      [have_krb5=yes
+	KRB5_LIBS="-lkrb5 -l$krb5crypto -lasn1 -lroken -lcom_err"],
+      [have_krb5=no],
+      [-l$krb5crypto -lasn1 -lroken -lcom_err])
+
+    AC_DEFINE(HAVE_HEIMDAL_KERBEROS, 1,
+      [define if you have HEIMDAL Kerberos])
+
+  else
+    have_krb5=no
+    AC_MSG_WARN([Unrecognized Kerberos5 Implementation])
+  fi
+
+  if test "x$have_krb5" = "xyes" ; then
+    ol_link_krb5=yes
+
+    AC_DEFINE(HAVE_KRB5, 1,
+      [define if you have Kerberos V])
+
+  else
+    AC_MSG_ERROR([Required Kerberos 5 support not available])
+  fi
+
+fi
+
+AC_SUBST(KRB5_LIBS)
+
+dnl ---------------------------------------------------------------------------
+dnl - Check for Mozilla LDAP or OpenLDAP SDK
+dnl ---------------------------------------------------------------------------
+
+AC_ARG_WITH(openldap, [  --with-openldap            Use OpenLDAP])
+
+dnl The mozldap libraries are always needed because ipa-slapi-plugins/dna/ 
+dnl will not build against OpenLDAP.
+SAVE_CPPFLAGS=$CPPFLAGS
+CPPFLAGS="-I/usr/include/nspr4 -I/usr/include/nss3"
+AC_CHECK_HEADER(svrcore.h)
+if test "x$ac_cv_header_svrcore_h" = "xno" ; then
+	AC_MSG_ERROR([Required svrcore header not available (svrcore-devel)])
+fi
+CPPFLAGS=$SAVE_CPPFLAGS
+AC_CHECK_HEADER(mozldap/ldap.h)
+if test "x$ac_cv_header_mozldap_ldap_h" = "xno" ; then
+	AC_MSG_ERROR([Required MOZLDAP header not available (mozldap-devel)])
+fi
+PKG_CHECK_MODULES(MOZLDAP, mozldap > 6)
+
+if test x$with_openldap = xyes; then
+	AC_CHECK_LIB(ldap, ldap_search, with_ldap=yes)
+	dnl Check for other libraries we need to link with to get the main routines.
+	test "$with_ldap" != "yes" && { AC_CHECK_LIB(ldap, ldap_open, [with_ldap=yes with_ldap_lber=yes], , -llber) }
+	test "$with_ldap" != "yes" && { AC_CHECK_LIB(ldap, ldap_open, [with_ldap=yes with_ldap_lber=yes with_ldap_krb=yes], , -llber -lkrb) }
+	test "$with_ldap" != "yes" && { AC_CHECK_LIB(ldap, ldap_open, [with_ldap=yes with_ldap_lber=yes with_ldap_krb=yes with_ldap_des=yes], , -llber -lkrb -ldes) }
+	dnl Recently, we need -lber even though the main routines are elsewhere,
+	dnl because otherwise be get link errors w.r.t. ber_pvt_opt_on.  So just
+	dnl check for that (it's a variable not a fun but that doesn't seem to
+	dnl matter in these checks)  and stick in -lber if so.  Can't hurt (even to
+	dnl stick it in always shouldn't hurt, I don't think) ... #### Someone who
+	dnl #### understands LDAP needs to fix this properly.
+	test "$with_ldap_lber" != "yes" && { AC_CHECK_LIB(lber, ber_pvt_opt_on, with_ldap_lber=yes) }
+	
+	if test "$with_ldap" = "yes"; then
+	  if test "$with_ldap_des" = "yes" ; then
+	    LDAP_LIBS="${LDAP_LIBS} -ldes"
+	  fi
+	  if test "$with_ldap_krb" = "yes" ; then
+	    LDAP_LIBS="${LDAP_LIBS} -lkrb"
+	  fi
+	  if test "$with_ldap_lber" = "yes" ; then
+	    LDAP_LIBS="${LDAP_LIBS} -llber"
+	  fi
+	  LDAP_LIBS="${LDAP_LIBS} -lldap"
+	else
+	  AC_MSG_ERROR([OpenLDAP not found])
+	fi
+	
+	AC_SUBST(LDAP_LIBS)
+
+	LDAP_CFLAGS="${LDAP_CFLAGS} -DWITH_OPENLDAP"
+	AC_SUBST(LDAP_CFLAGS)
+else
+	LDAP_LIBS="${MOZLDAP_LIBS}"
+	AC_SUBST(LDAP_LIBS)
+
+	LDAP_CFLAGS="${LDAP_CFLAGS} -DWITH_MOZLDAP"
+	AC_SUBST(LDAP_CFLAGS)
+fi
+
+dnl ---------------------------------------------------------------------------
+dnl - Check for OpenSSL Crypto library
+dnl ---------------------------------------------------------------------------
+dnl This is a very simple check, we should probably check also for MD4_Init and
+dnl probably also the version we are using is recent enough
+SSL_LIBS=
+AC_CHECK_LIB(crypto, DES_set_key_unchecked, [SSL_LIBS="-lcrypto"])
+AC_SUBST(SSL_LIBS)
+
+dnl ---------------------------------------------------------------------------
+dnl - Check for Python
+dnl ---------------------------------------------------------------------------
+
+AC_MSG_NOTICE([Checking for Python])
+have_python=no
+AM_PATH_PYTHON(2.3)
+
+if test "x$PYTHON" = "x" ; then
+  AC_MSG_ERROR([Python not found])
+fi
+
+dnl ---------------------------------------------------------------------------
+dnl - Set the data install directory since we don't use pkgdatadir
+dnl ---------------------------------------------------------------------------
+
+IPA_DATA_DIR="$datadir/ipa"
+AC_SUBST(IPA_DATA_DIR)
+
+dnl ---------------------------------------------------------------------------
+dnl Finish
+dnl ---------------------------------------------------------------------------
+
+# Turn on the additional warnings last, so -Werror doesn't affect other tests.
+
+AC_ARG_ENABLE(more-warnings,
+	[AC_HELP_STRING([--enable-more-warnings],
+	[Maximum compiler warnings])],
+	set_more_warnings="$enableval",[
+        	if test -d $srcdir/../.hg; then
+        		set_more_warnings=yes
+              	else
+                  	set_more_warnings=no
+              	fi
+        ])
+AC_MSG_CHECKING(for more warnings)
+if test "$GCC" = "yes" -a "$set_more_warnings" != "no"; then
+        AC_MSG_RESULT(yes)
+        CFLAGS="\
+        -Wall \
+        -Wchar-subscripts -Wmissing-declarations -Wmissing-prototypes \
+        -Wnested-externs -Wpointer-arith \
+        -Wcast-align -Wsign-compare \
+        $CFLAGS"
+
+        for option in -Wno-strict-aliasing -Wno-sign-compare; do
+                SAVE_CFLAGS="$CFLAGS"
+                CFLAGS="$CFLAGS $option"
+                AC_MSG_CHECKING([whether gcc understands $option])
+                AC_TRY_COMPILE([], [],
+                        has_option=yes,
+                        has_option=no,)
+                if test $has_option = no; then
+                        CFLAGS="$SAVE_CFLAGS"
+                fi
+                AC_MSG_RESULT($has_option)
+                unset has_option
+                unset SAVE_CFLAGS
+        done
+        unset option
+else
+        AC_MSG_RESULT(no)
+fi
+
+# Flags
+
+AC_SUBST(CFLAGS)
+AC_SUBST(CPPFLAGS)
+AC_SUBST(LDFLAGS)
+
+# Files
+
+AC_CONFIG_FILES([
+    Makefile
+    ipa-kpasswd/Makefile
+    ipa-slapi-plugins/Makefile
+    ipa-slapi-plugins/dna/Makefile
+    ipa-slapi-plugins/ipa-memberof/Makefile
+    ipa-slapi-plugins/ipa-pwd-extop/Makefile
+    ipa-slapi-plugins/ipa-winsync/Makefile
+])
+
+AC_OUTPUT
+
+echo "
+                    IPA Server $VERSION
+                    ========================
+
+	prefix:                   ${prefix}
+	exec_prefix:              ${exec_prefix}
+        libdir:                   ${libdir}
+        bindir:                   ${bindir}
+        sbindir:                  ${sbindir}
+        sysconfdir:               ${sysconfdir}
+        localstatedir:            ${localstatedir}
+        datadir:                  ${datadir}
+	source code location:	  ${srcdir}
+	compiler:		  ${CC}
+	cflags:		          ${CFLAGS}
+        LDAP libs:                ${LDAP_LIBS}
+        KRB5 libs:                ${KRB5_LIBS}
+        OpenSSL libs:             ${SSL_LIBS}
+        Maintainer mode:          ${USE_MAINTAINER_MODE}
+"

install/Makefile.am

@@ -0,0 +1,50 @@
+# This file will be processed with automake-1.7 to create Makefile.in
+#
+AUTOMAKE_OPTIONS = 1.7
+
+NULL =
+
+SUBDIRS =			\
+        conf			\
+        html			\
+        share			\
+        tools			\
+        updates			\
+	$(NULL)
+
+install-exec-local:
+	mkdir -p $(DESTDIR)$(localstatedir)/lib/ipa/sysrestore
+	chmod 700 $(DESTDIR)$(localstatedir)/lib/ipa/sysrestore
+	mkdir -p $(DESTDIR)$(localstatedir)/cache/ipa/sessions
+	chmod 700 $(DESTDIR)$(localstatedir)/cache/ipa/sessions
+
+uninstall-local:
+	-rmdir $(DESTDIR)$(localstatedir)/lib/ipa/sysrestore
+	-rmdir $(DESTDIR)$(localstatedir)/lib/ipa
+	-rmdir $(DESTDIR)$(localstatedir)/cache/ipa/sessions
+	-rmdir $(DESTDIR)$(localstatedir)/cache/ipa
+
+DISTCLEANFILES =		\
+	$(NULL)
+
+MAINTAINERCLEANFILES =		\
+	*~			\
+	intltool-*.in		\
+	compile			\
+	configure		\
+	COPYING			\
+	INSTALL			\
+	install-sh		\
+	missing			\
+	mkinstalldirs		\
+	config.guess		\
+	ltmain.sh		\
+	config.sub		\
+	depcomp			\
+	Makefile.in		\
+	config.h.*		\
+	aclocal.m4		\
+	version.m4		\
+	ipa-client.spec		\
+	py-compile		\
+	$(NULL)

install/autogen.sh

@@ -0,0 +1,202 @@
+#!/bin/sh
+# Run this to generate all the initial makefiles, etc.
+set -e
+
+PACKAGE=freeipa-server
+
+LIBTOOLIZE=${LIBTOOLIZE-libtoolize}
+LIBTOOLIZE_FLAGS="--copy --force"
+AUTOHEADER=${AUTOHEADER-autoheader}
+AUTOMAKE_FLAGS="--add-missing --gnu"
+AUTOCONF=${AUTOCONF-autoconf}
+
+# automake 1.8 requires autoconf 2.58
+# automake 1.7 requires autoconf 2.54
+automake_min_vers=1.7
+aclocal_min_vers=$automake_min_vers
+autoconf_min_vers=2.54
+libtoolize_min_vers=1.4
+
+# The awk-based string->number conversion we use needs a C locale to work 
+# as expected. Setting LC_ALL overrides whether the user set LC_ALL,
+# LC_NUMERIC, or LANG.
+LC_ALL=C
+
+ARGV0=$0
+
+# Allow invocation from a separate build directory; in that case, we change
+# to the source directory to run the auto*, then change back before running configure
+srcdir=`dirname $ARGV0`
+test -z "$srcdir" && srcdir=.
+
+ORIGDIR=`pwd`
+
+cd $srcdir
+
+# Usage:
+#     compare_versions MIN_VERSION ACTUAL_VERSION
+# returns true if ACTUAL_VERSION >= MIN_VERSION
+compare_versions() {
+    ch_min_version=$1
+    ch_actual_version=$2
+    ch_status=0
+    IFS="${IFS=         }"; ch_save_IFS="$IFS"; IFS="."
+    set $ch_actual_version
+    for ch_min in $ch_min_version; do
+        ch_cur=`echo $1 | sed 's/[^0-9].*$//'`; shift # remove letter suffixes
+        if [ -z "$ch_min" ]; then break; fi
+        if [ -z "$ch_cur" ]; then ch_status=1; break; fi
+        if [ $ch_cur -gt $ch_min ]; then break; fi
+        if [ $ch_cur -lt $ch_min ]; then ch_status=1; break; fi
+    done
+    IFS="$ch_save_IFS"
+    return $ch_status
+}
+
+if ($AUTOCONF --version) < /dev/null > /dev/null 2>&1 ; then
+    if ($AUTOCONF --version | head -n 1 | awk 'NR==1 { if( $(NF) >= '$autoconf_min_vers') \
+			       exit 1; exit 0; }');
+    then
+       echo "$ARGV0: ERROR: \`$AUTOCONF' is too old."
+       $AUTOCONF --version
+       echo "           (version $autoconf_min_vers or newer is required)"
+       DIE="yes"
+    fi
+else
+    echo $AUTOCONF: command not found
+    echo
+    echo "$ARGV0: ERROR: You must have \`autoconf' installed to compile $PACKAGE."
+    echo "           (version $autoconf_min_vers or newer is required)"
+    DIE="yes"
+fi
+
+#
+# Hunt for an appropriate version of automake and aclocal; we can't
+# assume that 'automake' is necessarily the most recent installed version
+#
+# We check automake first to allow it to be a newer version than we know about.
+#
+if test x"$AUTOMAKE" = x || test x"$ACLOCAL" = x ; then
+  am_ver=""
+  for ver in "" "-1.9" "-1.8" "-1.7" ; do
+    am="automake$ver"
+    if ($am --version) < /dev/null > /dev/null 2>&1 ; then
+      if ($am --version | head -n 1 | awk 'NR==1 { if( $(NF) >= '$automake_min_vers') \
+	  		 exit 1; exit 0; }'); then : ; else
+         am_ver=$ver
+         break;
+      fi
+    fi
+  done
+
+  AUTOMAKE=${AUTOMAKE-automake$am_ver}
+  ACLOCAL=${ACLOCAL-aclocal$am_ver}
+fi
+
+#
+# Now repeat the tests with the copies we decided upon and error out if they
+# aren't sufficiently new.
+#
+if ($AUTOMAKE --version) < /dev/null > /dev/null 2>&1 ; then
+      automake_actual_version=`$AUTOMAKE --version | head -n 1 | \
+                               sed 's/^.*[ 	]\([0-9.]*[a-z]*\).*$/\1/'`
+      if ! compare_versions $automake_min_vers $automake_actual_version; then
+	  echo "$ARGV0: ERROR: \`$AUTOMAKE' is too old."
+	  $AUTOMAKE --version
+	  echo "           (version $automake_min_vers or newer is required)"
+	  DIE="yes"
+      fi
+  if ($ACLOCAL --version) < /dev/null > /dev/null 2>&1; then
+      aclocal_actual_version=`$ACLOCAL --version | head -n 1 | \
+                               sed 's/^.*[ 	]\([0-9.]*[a-z]*\).*$/\1/'`
+
+      if ! compare_versions $aclocal_min_vers $aclocal_actual_version; then
+	  echo "$ARGV0: ERROR: \`$ACLOCAL' is too old."
+	  $ACLOCAL --version
+	  echo "           (version $aclocal_min_vers or newer is required)"
+	  DIE="yes"
+      fi
+  else
+    echo $ACLOCAL: command not found
+    echo
+    echo "$ARGV0: ERROR: Missing \`$ACLOCAL'"
+    echo "           The version of $AUTOMAKE installed doesn't appear recent enough."
+    DIE="yes"
+  fi
+else
+    echo $AUTOMAKE: command not found
+    echo
+    echo "$ARGV0: ERROR: You must have \`automake' installed to compile $PACKAGE."
+    echo "           (version $automake_min_vers or newer is required)"
+    DIE="yes"
+fi
+
+if ($LIBTOOLIZE --version) < /dev/null > /dev/null 2>&1 ; then
+    if ($LIBTOOLIZE --version | awk 'NR==1 { if( $4 >= '$libtoolize_min_vers') \
+			       exit 1; exit 0; }');
+    then
+       echo "$ARGV0: ERROR: \`$LIBTOOLIZE' is too old."
+       echo "           (version $libtoolize_min_vers or newer is required)"
+       DIE="yes"
+    fi
+else
+    echo $LIBTOOLIZE: command not found
+    echo
+    echo "$ARGV0: ERROR: You must have \`libtoolize' installed to compile $PACKAGE."
+    echo "           (version $libtoolize_min_vers or newer is required)"
+    DIE="yes"
+fi
+
+if test -z "$ACLOCAL_FLAGS"; then
+    acdir=`$ACLOCAL --print-ac-dir`
+    if [ ! -f $acdir/pkg.m4 ]; then
+	echo "$ARGV0: Error: Could not find pkg-config macros."
+	echo "        (Looked in $acdir/pkg.m4)"
+	echo "        If pkg.m4 is available in /another/directory, please set"
+	echo "        ACLOCAL_FLAGS=\"-I /another/directory\""
+	echo "        Otherwise, please install pkg-config."
+	echo ""
+	echo "pkg-config is available from:"
+	echo "http://www.freedesktop.org/software/pkgconfig/"
+	DIE=yes
+    fi
+fi
+
+if test "X$DIE" != X; then
+  exit 1
+fi
+
+
+if test -z "$*"; then
+  echo "$ARGV0:	Note: \`./configure' will be run with no arguments."
+  echo "		If you wish to pass any to it, please specify them on the"
+  echo "		\`$0' command line."
+  echo
+fi
+
+do_cmd() {
+    echo "$ARGV0: running \`$@'"
+    $@
+}
+
+# I don't want autotools dictating what files I have
+touch NEWS README AUTHORS ChangeLog
+
+do_cmd $LIBTOOLIZE $LIBTOOLIZE_FLAGS
+
+do_cmd $ACLOCAL $ACLOCAL_FLAGS
+
+do_cmd $AUTOHEADER
+
+do_cmd $AUTOMAKE $AUTOMAKE_FLAGS
+
+do_cmd $AUTOCONF
+
+# I don't want autotools dictating what files I have
+touch NEWS README AUTHORS ChangeLog
+
+cd $ORIGDIR || exit 1
+
+rm -f config.cache
+
+do_cmd $srcdir/configure --cache-file=config.cache --disable-static --enable-maintainer-mode --enable-gtk-doc ${1+"$@"} && echo "Now type \`make' to compile" || exit 1

install/conf/Makefile.am

@@ -0,0 +1,15 @@
+NULL =
+
+appdir = $(IPA_DATA_DIR)
+app_DATA =                              \
+	ipa.conf			\
+	ipa-rewrite.conf		\
+	$(NULL)
+
+EXTRA_DIST =                            \
+        $(app_DATA)                     \
+        $(NULL)
+
+MAINTAINERCLEANFILES =                  \
+        *~                              \
+        Makefile.in

install/conf/ipa.conf

@@ -4,6 +4,7 @@
 # LoadModule auth_kerb_module modules/mod_auth_kerb.so
 
 ProxyRequests Off
+PythonImport ipaserver main_interpreter
 
 # ipa-rewrite.conf is loaded separately
 
@@ -34,16 +35,13 @@ AddType application/java-archive        jar
 ProxyPass /ipa/ui http://localhost:8080/ipa/ui
 ProxyPassReverse /ipa/ui http://localhost:8080/ipa/ui
 
-# Configure the XML-RPC service
-Alias /ipa/xml "/usr/share/ipa/ipaserver/XMLRPC"
-
 # This is where we redirect on failed auth
 Alias /ipa/errors "/usr/share/ipa/html"
 
 # For the MIT Windows config files
 Alias /ipa/config "/usr/share/ipa/html"
 
-<Directory "/usr/share/ipa/ipaserver">
+<Location "/ipa/xml">
   AuthType Kerberos
   AuthName "Kerberos Login"
   KrbMethodNegotiate on
@@ -55,16 +53,17 @@ Alias /ipa/config "/usr/share/ipa/html"
   Require valid-user
   ErrorDocument 401 /ipa/errors/unauthorized.html
 
-  SetHandler mod_python
+  SetHandler python-program
-  PythonHandler ipaxmlrpc
+  PythonInterpreter main_interpreter
-  
+  PythonHandler ipaserver::xmlrpc
+
   PythonDebug Off
 
   PythonOption IPADebug Off
 
   # this is pointless to use since it would just reload ipaxmlrpc.py
   PythonAutoReload Off
-</Directory>
+</Location>
 
 # Do no authentication on the directory that contains error messages
 <Directory "/usr/share/ipa/html">

install/configure.ac

@@ -0,0 +1,43 @@
+AC_PREREQ(2.59)
+m4_include(../version.m4)
+AC_INIT([ipa-server],
+        IPA_VERSION,
+        [https://hosted.fedoraproject.org/projects/freeipa/newticket])
+
+#AC_CONFIG_SRCDIR([ipaserver/ipaldap.py])
+AC_CONFIG_HEADERS([config.h])
+
+AM_INIT_AUTOMAKE
+
+AM_MAINTAINER_MODE
+#AC_PROG_CC
+#AC_STDC_HEADERS
+#AC_DISABLE_STATIC
+#AC_PROG_LIBTOOL
+
+#AC_HEADER_STDC
+
+AC_SUBST(VERSION)
+
+dnl ---------------------------------------------------------------------------
+dnl - Set the data install directory since we don't use pkgdatadir
+dnl ---------------------------------------------------------------------------
+
+IPA_DATA_DIR="$datadir/ipa"
+IPA_SYSCONF_DIR="$sysconfdir/ipa"
+AC_SUBST(IPA_DATA_DIR)
+AC_SUBST(IPA_SYSCONF_DIR)
+
+# Files
+
+AC_CONFIG_FILES([
+    Makefile
+    conf/Makefile
+    html/Makefile
+    share/Makefile
+    tools/Makefile
+    tools/man/Makefile
+    updates/Makefile
+])
+
+AC_OUTPUT

install/html/Makefile.am

@@ -0,0 +1,15 @@
+NULL =
+
+appdir = $(IPA_SYSCONF_DIR)/html
+app_DATA =                              \
+	ssbrowser.html			\
+	unauthorized.html		\
+	$(NULL)
+
+EXTRA_DIST =                            \
+        $(app_DATA)                     \
+        $(NULL)
+
+MAINTAINERCLEANFILES =                  \
+        *~                              \
+        Makefile.in

install/tools/Makefile.am

@@ -1,9 +1,8 @@
 NULL =
 
-SUBDIRS =			\
+SUBDIRS = 			\
-	share			\
+        man			\
-	updates			\
+        $(NULL)
-	$(NULL)
 
 sbin_SCRIPTS =			\
 	ipa-server-install	\
@@ -12,6 +11,10 @@ sbin_SCRIPTS =			\
 	ipa-replica-manage	\
  	ipa-server-certinstall  \
 	ipactl			\
+	ipa-compat-manage	\
+	ipa-fix-CVE-2008-3274	\
+	ipa-ldap-updater	\
+	ipa-upgradeconfig	\
 	$(NULL)
 
 EXTRA_DIST =			\

install/tools/ipa-server-install

@@ -37,15 +37,15 @@ import glob
 import traceback
 from optparse import OptionParser
 
-import ipaserver.dsinstance
+from ipaserver.install import dsinstance
-import ipaserver.krbinstance
+from ipaserver.install import krbinstance
-import ipaserver.bindinstance
+from ipaserver.install import bindinstance
-import ipaserver.httpinstance
+from ipaserver.install import httpinstance
-import ipaserver.ntpinstance
+from ipaserver.install import ntpinstance
 
-from ipaserver import service
+from ipaserver.install import service
 from ipa import version
-from ipaserver.installutils import *
+from ipaserver.install.installutils import *
 
 from ipa import sysrestore
 from ipa.ipautil import *
@@ -119,7 +119,7 @@ def signal_handler(signum, frame):
         print "Removing configuration for %s instance" % ds.serverid
         ds.stop()
         if ds.serverid:
-            ipaserver.dsinstance.erase_ds_instance_data (ds.serverid)
+            dsinstance.erase_ds_instance_data (ds.serverid)
     sys.exit(1)
 
 def read_host_name(host_default,no_host_dns=False):
@@ -269,7 +269,7 @@ def read_admin_password():
     return admin_password
 
 def check_dirsrv(unattended):
-    serverids = ipaserver.dsinstance.check_existing_installation()
+    serverids = dsinstance.check_existing_installation()
     if serverids:
         print ""
         print "An existing Directory Server has been detected."
@@ -285,9 +285,9 @@ def check_dirsrv(unattended):
             pass
 
         for serverid in serverids:
-            ipaserver.dsinstance.erase_ds_instance_data(serverid)
+            dsinstance.erase_ds_instance_data(serverid)
 
-    (ds_unsecure, ds_secure) = ipaserver.dsinstance.check_ports()
+    (ds_unsecure, ds_secure) = dsinstance.check_ports()
     if not ds_unsecure or not ds_secure:
         print "IPA requires ports 389 and 636 for the Directory Server."
         print "These are currently in use:"
@@ -305,12 +305,11 @@ def uninstall():
         print "ipa-client-install returned: " + str(e)
         pass
 
-    ipaserver.ntpinstance.NTPInstance(fstore).uninstall()
+    ntpinstance.NTPInstance(fstore).uninstall()
-    ipaserver.bindinstance.BindInstance(fstore).uninstall()
+    bindinstance.BindInstance(fstore).uninstall()
-    ipaserver.httpinstance.WebGuiInstance().uninstall()
+    httpinstance.HTTPInstance(fstore).uninstall()
-    ipaserver.httpinstance.HTTPInstance(fstore).uninstall()
+    krbinstance.KrbInstance(fstore).uninstall()
-    ipaserver.krbinstance.KrbInstance(fstore).uninstall()
+    dsinstance.DsInstance().uninstall()
-    ipaserver.dsinstance.DsInstance().uninstall()
     fstore.restore_all_files()
     return 0
 
@@ -487,7 +486,7 @@ def main():
 
     # Configure ntpd
     if options.conf_ntp:
-        ntp = ipaserver.ntpinstance.NTPInstance(fstore)
+        ntp = ntpinstance.NTPInstance(fstore)
         ntp.create_instance()
 
     if options.dirsrv_pin:
@@ -496,7 +495,7 @@ def main():
         os.close(pw_fd)
 
     # Create a directory server instance
-    ds = ipaserver.dsinstance.DsInstance()
+    ds = dsinstance.DsInstance()
     if options.dirsrv_pkcs12:
         pkcs12_info = (options.dirsrv_pkcs12, pw_name)
         ds.create_instance(ds_user, realm_name, host_name, domain_name, dm_password, pkcs12_info)
@@ -505,7 +504,7 @@ def main():
         ds.create_instance(ds_user, realm_name, host_name, domain_name, dm_password)
 
     # Create a kerberos instance
-    krb = ipaserver.krbinstance.KrbInstance(fstore)
+    krb = krbinstance.KrbInstance(fstore)
     krb.create_instance(ds_user, realm_name, host_name, domain_name, dm_password, master_password)
 
     # Create a HTTP instance
@@ -515,7 +514,7 @@ def main():
         os.write(pw_fd, options.http_pin)
         os.close(pw_fd)
 
-    http = ipaserver.httpinstance.HTTPInstance(fstore)
+    http = httpinstance.HTTPInstance(fstore)
     if options.http_pkcs12:
         pkcs12_info = (options.http_pkcs12, pw_name)
         http.create_instance(realm_name, host_name, domain_name, autoconfig=False, pkcs12_info=pkcs12_info)
@@ -532,11 +531,7 @@ def main():
     fd.write("domain=" + domain_name + "\n")
     fd.close()
 
-    # Create a Web Gui instance
+    bind = bindinstance.BindInstance(fstore)
-    webgui = ipaserver.httpinstance.WebGuiInstance()
-    webgui.create_instance()
-
-    bind = ipaserver.bindinstance.BindInstance(fstore)
     bind.setup(host_name, ip_address, realm_name, domain_name)
     if options.setup_bind:
         bind.create_instance()
@@ -594,8 +589,8 @@ def main():
 
     print ""
     if not options.dirsrv_pkcs12:
-        print "Be sure to back up the CA certificate stored in " + ipaserver.dsinstance.config_dirname(ds.serverid) + "cacert.p12"
+        print "Be sure to back up the CA certificate stored in " + dsinstance.config_dirname(ds.serverid) + "cacert.p12"
-        print "The password for this file is in " + ipaserver.dsinstance.config_dirname(ds.serverid) + "pwdfile.txt"
+        print "The password for this file is in " + dsinstance.config_dirname(ds.serverid) + "pwdfile.txt"
     else:
         print "In order for Firefox autoconfiguration to work you will need to"
         print "use a SSL signing certificate. See the IPA documentation for more details."

install/tools/man/Makefile.am

@@ -16,7 +16,7 @@ man1_MANS = 				\
 man8_MANS =				\
 	ipactl.8			\
 	ipa_kpasswd.8			\
-	ipa_webgui.8
+        $(NULL)
 
 install-data-hook:
 	@for i in $(man1_MANS) ; do gzip -f $(DESTDIR)$(man1dir)/$$i ; done

install/tools/man/ipa_webgui.8

@@ -1,37 +0,0 @@
-.\" A man page for ipa_webgui
-.\" Copyright (C) 2008 Red Hat, Inc.
-.\" 
-.\" This is free software; you can redistribute it and/or modify it under
-.\" the terms of the GNU Library General Public License as published by
-.\" the Free Software Foundation; version 2 only
-.\" 
-.\" This program is distributed in the hope that it will be useful, but
-.\" WITHOUT ANY WARRANTY; without even the implied warranty of
-.\" MERCHANTABILITY or FITNESS FOR A PARTICULAR PURPOSE.  See the GNU
-.\" General Public License for more details.
-.\" 
-.\" You should have received a copy of the GNU Library General Public
-.\" License along with this program; if not, write to the Free Software
-.\" Foundation, Inc., 675 Mass Ave, Cambridge, MA 02139, USA.
-.\" 
-.\" Author: Rob Crittenden <rcritten@redhat.com>
-.\" 
-.TH "ipa_webgui" "8" "Mar 14 2008" "freeipa" ""
-.SH "NAME"
-ipa_webgui \- Start the IPA Web User Interface
-.SH "SYNOPSIS"
-ipa_webgui [\fIOPTION\fR]...
-
-.SH "DESCRIPTION"
-Used to start the TurboGears web user interface for IPA
-.SH "OPTIONS"
-.TP 
-\fB\-f\fR, \fB\-\-foreground\fR
-Remain in the foreground instead of becoming a daemon.
-.TP 
-\fB\-d\fR, \fB\-\-debug\fR
-.TP 
-Increase the amount of logging and print it to stdout instead of logging to /var/log/ipa_error.log
-
-.SH "EXIT STATUS"
-1 if an error occurred

ipa.spec.in

@@ -0,0 +1,637 @@
+%define httpd_conf /etc/httpd/conf.d
+%define plugin_dir %{_libdir}/dirsrv/plugins
+%{!?python_sitelib: %define python_sitelib %(%{__python} -c "from distutils.sysconfig import get_python_lib; print get_python_lib()")}
+%{!?python_sitearch: %define python_sitearch %(%{__python} -c "from distutils.sysconfig import get_python_lib; print get_python_lib(1)")}
+%define POLICYCOREUTILSVER 1.33.12-1
+
+Name:           ipa
+Version:        __VERSION__
+Release:        __RELEASE__%{?dist}
+Summary:        The Identity, Policy and Audit system
+
+Group:          System Environment/Base
+License:        GPLv2
+URL:            http://www.freeipa.org/
+Source0:        freeipa-%{version}.tar.gz
+BuildRoot:      %{_tmppath}/%{name}-%{version}-%{release}-root-%(%{__id_u} -n)
+
+BuildRequires:  fedora-ds-base-devel >= 1.1.3
+BuildRequires:  mozldap-devel
+BuildRequires:  svrcore-devel
+BuildRequires:  nspr-devel
+BuildRequires:  openssl-devel
+BuildRequires:  openldap-devel
+BuildRequires:  e2fsprogs-devel
+BuildRequires:  krb5-devel
+BuildRequires:  nss-devel
+BuildRequires:  libcap-devel
+BuildRequires:  python-devel
+BuildRequires:  autoconf
+BuildRequires:  automake
+BuildRequires:  libtool
+BuildRequires:  popt-devel
+BuildRequires:  /usr/share/selinux/devel/Makefile
+BuildRequires:  m4
+BuildRequires:  policycoreutils >= %{POLICYCOREUTILSVER}
+BuildRequires:  TurboGears
+
+%description
+IPA is an integrated solution to provide centrally managed Identity (machine,
+user, virtual machines, groups, authentication credentials), Policy
+(configuration settings, access control information) and Audit (events,
+logs, analysis thereof).
+
+%package server
+Summary: The IPA authentication server
+Group: System Environment/Base
+Requires: %{name}-python = %{version}-%{release}
+Requires: %{name}-client = %{version}-%{release}
+Requires: %{name}-admintools = %{version}-%{release}
+Requires(post): %{name}-server-selinux = %{version}-%{release}
+Requires: fedora-ds-base >= 1.1.3
+Requires: openldap-clients
+Requires: nss
+Requires: nss-tools
+%{?fc8:Requires: krb5-server >= 1.6.2-11}
+%if 0%{?fedora} >= 9
+Requires: krb5-server
+%endif
+Requires: krb5-server-ldap
+Requires: cyrus-sasl-gssapi
+Requires: ntp
+Requires: httpd
+Requires: mod_python
+Requires: mod_auth_kerb
+%{?fc8:Requires: mod_nss >= 1.0.7-2}
+%{?fc9:Requires: mod_nss >= 1.0.7-5}
+%{?fc10:Requires: mod_nss >= 1.0.7-4}
+%if 0%{?fedora} >= 10
+Requires: mod_nss
+%endif
+Requires: python-ldap
+Requires: python-krbV
+Requires: TurboGears
+Requires: python-tgexpandingformwidget
+Requires: acl
+Requires: python-pyasn1
+Requires: libcap
+%{?fc8:Requires: selinux-policy >= 3.0.8-117}
+%{?fc9:Requires: selinux-policy >= 3.3.1-99}
+%{?fc10:Requires: selinux-policy >= 3.5.13-11}
+%if 0%{?fedora} >= 10
+Requires: selinux-policy
+%endif
+Requires(post): selinux-policy-base
+Requires: slapi-nis
+Conflicts: mod_ssl
+
+%description server
+IPA is an integrated solution to provide centrally managed Identity (machine,
+user, virtual machines, groups, authentication credentials), Policy
+(configuration settings, access control information) and Audit (events,
+logs, analysis thereof). If you are installing an IPA server you need
+to install this package (in other words, most people should NOT install
+this package).
+
+
+%package server-selinux
+Summary: SELinux rules for ipa-server daemons
+Group: System Environment/Base
+Requires: %{name}-server = %{version}-%{release}
+Requires(pre): policycoreutils >= %{POLICYCOREUTILSVER} libsemanage
+
+%description server-selinux
+IPA is an integrated solution to provide centrally managed Identity (machine,
+user, virtual machines, groups, authentication credentials), Policy
+(configuration settings, access control information) and Audit (events,
+logs, analysis thereof). This package provides SELinux rules for the
+daemons included in ipa-server
+
+
+%package client
+Summary: IPA authentication for use on clients
+Group: System Environment/Base
+Requires: %{name}-python = %{version}-%{release}
+Requires: python-ldap
+Requires: python-krbV
+Requires: cyrus-sasl-gssapi
+Requires: ntp
+Requires: krb5-workstation
+Requires: krb5-libs
+Requires: authconfig
+Requires: pam_krb5
+Requires: nss_ldap
+
+%description client
+IPA is an integrated solution to provide centrally managed Identity (machine,
+user, virtual machines, groups, authentication credentials), Policy
+(configuration settings, access control information) and Audit (events,
+logs, analysis thereof). If your network uses IPA for authentication,
+this package should be installed on every client machine.
+
+
+%package admintools
+Summary: IPA administrative tools
+Group: System Environment/Base
+Requires: %{name}-python = %{version}-%{release}
+Requires: python-krbV
+Requires: python-ldap
+Requires: python-configobj
+
+%description admintools
+IPA is an integrated solution to provide centrally managed Identity (machine,
+user, virtual machines, groups, authentication credentials), Policy
+(configuration settings, access control information) and Audit (events,
+logs, analysis thereof). This package provides command-line tools for
+IPA administrators.
+
+%package python
+Summary: Python libraries used by IPA
+Group: System Environment/Libraries
+%{?fc8:Requires: python-kerberos >= 1.0}
+%if 0%{?fedora} >= 9
+Requires: python-kerberos >= 1.1-3
+%endif
+Requires: authconfig
+Requires: gnupg
+
+%description python
+IPA is an integrated solution to provide centrally managed Identity (machine,
+user, virtual machines, groups, authentication credentials), Policy
+(configuration settings, access control information) and Audit (events,
+logs, analysis thereof). If you are using IPA you need to install this
+package.
+
+%package radius-server
+Summary: IPA authentication server - radius plugin
+Group: System Environment/Base
+Requires: freeradius
+Requires: freeradius-ldap
+Requires: %{name}-python = %{version}-%{release}
+
+%description radius-server
+IPA is an integrated solution to provide centrally managed Identity (machine,
+user, virtual machines, groups, authentication credentials), Policy
+(configuration settings, access control information) and Audit (events,
+logs, analysis thereof). This plugin enables radius support.
+
+%package radius-admintools
+Summary: IPA authentication server - radius administration tools
+Group: System Environment/Base
+Requires: %{name}-python = %{version}-%{release}
+Requires: %{name}-admintools = %{version}-%{release}
+Requires: python-krbV
+
+%description radius-admintools
+IPA is an integrated solution to provide centrally managed Identity (machine,
+user, virtual machines, groups, authentication credentials), Policy
+(configuration settings, access control information) and Audit (events,
+logs, analysis thereof). This package provides command-line tools for
+administering radius authentication settings in IPA.
+
+
+%prep
+%setup -n freeipa-%{version} -q
+
+%build
+export CFLAGS="$CFLAGS %{optflags}"
+export CPPFLAGS="$CPPFLAGS %{optflags}"
+make version-update
+cd ipa-client; ./autogen.sh --prefix=%{_usr} --sysconfdir=%{_sysconfdir} --localstatedir=%{_localstatedir} --libdir=%{_libdir} --mandir=%{_mandir}; cd ..
+cd daemons; ./autogen.sh --prefix=%{_usr} --sysconfdir=%{_sysconfdir} --localstatedir=%{_localstatedir} --libdir=%{_libdir} --mandir=%{_mandir}; cd ..
+cd install; ./autogen.sh --prefix=%{_usr} --sysconfdir=%{_sysconfdir} --localstatedir=%{_localstatedir} --libdir=%{_libdir} --mandir=%{_mandir}; cd ..
+
+make IPA_VERSION_IS_GIT_SNAPSHOT=no %{?_smp_mflags} version-update all
+cd selinux
+# This isn't multi-process make capable yet
+make all
+
+%install
+rm -rf %{buildroot}
+make install DESTDIR=%{buildroot}
+cd selinux
+make install DESTDIR=%{buildroot}
+
+# Remove .la files from libtool - we don't want to package
+# these files
+rm %{buildroot}/%{plugin_dir}/libipa_pwd_extop.la
+rm %{buildroot}/%{plugin_dir}/libipa-memberof-plugin.la
+rm %{buildroot}/%{plugin_dir}/libipa-dna-plugin.la
+rm %{buildroot}/%{plugin_dir}/libipa_winsync.la
+
+# Some user-modifiable HTML files are provided. Move these to /etc
+# and link back.
+mkdir -p %{buildroot}/%{_sysconfdir}/ipa/html
+mkdir -p %{buildroot}/%{_localstatedir}/cache/ipa/sysrestore
+mkdir -p %{buildroot}/%{_localstatedir}/lib/ipa-client/sysrestore
+#mv %{buildroot}/%{_usr}/share/ipa/html/ssbrowser.html %{buildroot}/%{_sysconfdir}/ipa/html
+#mv %{buildroot}/%{_usr}/share/ipa/html/unauthorized.html %{buildroot}/%{_sysconfdir}/ipa/html
+mkdir %{buildroot}%{_usr}/share/ipa/html/
+ln -s ../../../..%{_sysconfdir}/ipa/html/ssbrowser.html \
+    %{buildroot}%{_usr}/share/ipa/html/ssbrowser.html
+ln -s ../../../..%{_sysconfdir}/ipa/html/unauthorized.html \
+    %{buildroot}%{_usr}/share/ipa/html/unauthorized.html
+ln -s ../../../..%{python_sitelib}/ipaserver/mod_python_xmlrpc.py \
+    %{buildroot}%{_usr}/share/ipa/ipaserver/mod_python_xmlrpc.py
+
+%clean
+rm -rf %{buildroot}
+
+%post server
+if [ $1 = 1 ]; then
+    /sbin/chkconfig --add ipa_kpasswd
+fi
+if [ -e /usr/share/ipa/serial ]; then
+    mv /usr/share/ipa/serial /var/lib/ipa/ca_serialno
+fi
+/bin/touch /var/log/ipa_error.log
+/bin/chown apache /var/log/ipa_error.log
+/bin/chmod 600 /var/log/ipa_error.log
+restorecon /var/log/ipa_error.log
+/usr/sbin/ipa-upgradeconfig || :
+if [ -e /etc/httpd/conf.d/ipa.conf ]; then
+    echo ""
+    echo "Run /usr/sbin/ipa-ldap-updater to complete the upgrade process."
+    echo ""
+fi
+
+%preun server
+if [ $1 = 0 ]; then
+    /sbin/chkconfig --del ipa_kpasswd
+    /sbin/service ipa_kpasswd stop >/dev/null 2>&1 || :
+fi
+
+%postun server
+if [ "$1" -ge "1" ]; then
+    /sbin/service ipa_kpasswd condrestart >/dev/null 2>&1 || :
+    /sbin/service httpd condrestart >/dev/null 2>&1 || :
+    /sbin/service dirsrv condrestart >/dev/null 2>&1 || :
+fi
+
+%pre server-selinux
+if [ -s /etc/selinux/config ]; then
+       . %{_sysconfdir}/selinux/config
+       FILE_CONTEXT=%{_sysconfdir}/selinux/targeted/contexts/files/file_contexts
+       if [ "${SELINUXTYPE}" == targeted -a -f ${FILE_CONTEXT} ]; then \
+               cp -f ${FILE_CONTEXT} ${FILE_CONTEXT}.%{name}
+       fi
+fi
+
+%post server-selinux
+semodule -s targeted -i /usr/share/selinux/targeted/ipa_webgui.pp /usr/share/selinux/targeted/ipa_kpasswd.pp
+. %{_sysconfdir}/selinux/config
+FILE_CONTEXT=%{_sysconfdir}/selinux/targeted/contexts/files/file_contexts
+selinuxenabled
+if [ $? == 0  -a "${SELINUXTYPE}" == targeted -a -f ${FILE_CONTEXT}.%{name} ]; then
+       fixfiles -C ${FILE_CONTEXT}.%{name} restore
+       rm -f ${FILE_CONTEXT}.%name
+fi
+
+%preun server-selinux
+if [ $1 = 0 ]; then
+if [ -s /etc/selinux/config ]; then
+       . %{_sysconfdir}/selinux/config
+       FILE_CONTEXT=%{_sysconfdir}/selinux/targeted/contexts/files/file_contexts
+       if [ "${SELINUXTYPE}" == targeted -a -f ${FILE_CONTEXT} ]; then \
+               cp -f ${FILE_CONTEXT} ${FILE_CONTEXT}.%{name}
+       fi
+fi
+fi
+
+%postun server-selinux
+if [ $1 = 0 ]; then
+semodule -s targeted -r ipa_webgui ipa_kpasswd
+. %{_sysconfdir}/selinux/config
+FILE_CONTEXT=%{_sysconfdir}/selinux/targeted/contexts/files/file_contexts
+selinuxenabled
+if [ $? == 0  -a "${SELINUXTYPE}" == targeted -a -f ${FILE_CONTEXT}.%{name} ]; then
+       fixfiles -C ${FILE_CONTEXT}.%{name} restore
+       rm -f ${FILE_CONTEXT}.%name
+fi
+fi
+
+
+%files server
+%doc LICENSE README
+%defattr(-,root,root,-)
+%{_sbindir}/ipa-server-install
+%{_sbindir}/ipa-replica-install
+%{_sbindir}/ipa-replica-prepare
+%{_sbindir}/ipa-replica-manage
+%{_sbindir}/ipa-server-certinstall
+%{_sbindir}/ipa_kpasswd
+%{_sbindir}/ipactl
+%{_sbindir}/ipa-upgradeconfig
+%attr(755,root,root) %{_initrddir}/ipa_kpasswd
+%{_bindir}/ipa
+%{python_sitelib}/ipalib/*
+%{python_sitelib}/ipaserver/*
+%{python_sitelib}/ipawebui/*
+%{python_sitelib}/*.egg-info
+%dir %{_usr}/share/ipa
+%{_usr}/share/ipa/*.ldif
+%{_usr}/share/ipa/*.uldif
+%{_usr}/share/ipa/*.template
+%dir %{_usr}/share/ipa/html
+%{_usr}/share/ipa/html/ssbrowser.html
+%{_usr}/share/ipa/html/unauthorized.html
+%dir %{_sysconfdir}/ipa
+%dir %{_sysconfdir}/ipa/html
+%config(noreplace) %{_sysconfdir}/ipa/html/ssbrowser.html
+%config(noreplace) %{_sysconfdir}/ipa/html/unauthorized.html
+%{_usr}/share/ipa/ipa.conf
+%{_usr}/share/ipa/ipa-rewrite.conf
+%dir %{_usr}/share/ipa/ipaserver
+%{_usr}/share/ipa/ipaserver/*
+%dir %{_usr}/share/ipa/updates/
+%{_usr}/share/ipa/updates/*
+%attr(755,root,root) %{plugin_dir}/libipa_pwd_extop.so
+%attr(755,root,root) %{plugin_dir}/libipa-memberof-plugin.so
+%attr(755,root,root) %{plugin_dir}/libipa-dna-plugin.so
+%attr(755,root,root) %{plugin_dir}/libipa_winsync.so
+%dir %{_localstatedir}/lib/ipa
+%attr(700,root,root) %dir %{_localstatedir}/lib/ipa/sysrestore
+%dir %{_localstatedir}/cache/ipa
+%attr(700,apache,apache) %dir %{_localstatedir}/cache/ipa/sessions
+%attr(700,root,root) %dir %{_localstatedir}/cache/ipa/kpasswd
+%{_mandir}/man1/ipa-replica-install.1.gz
+%{_mandir}/man1/ipa-replica-manage.1.gz
+%{_mandir}/man1/ipa-replica-prepare.1.gz
+%{_mandir}/man1/ipa-server-certinstall.1.gz
+%{_mandir}/man1/ipa-server-install.1.gz
+%{_mandir}/man8/ipa_kpasswd.8.gz
+%{_mandir}/man8/ipactl.8.gz
+%{_mandir}/man1/ipa-compat-manage.1.gz
+%{_mandir}/man1/ipa-ldap-updater.1.gz
+
+%files server-selinux
+%{_usr}/share/selinux/targeted/ipa_webgui.pp
+%{_usr}/share/selinux/targeted/ipa_kpasswd.pp
+
+%files client
+%doc LICENSE README
+%{_sbindir}/ipa-client-install
+%{_sbindir}/ipa-getkeytab
+%dir %{_usr}/share/ipa
+%dir %{_usr}/share/ipa/ipaclient
+%dir %{_localstatedir}/lib/ipa-client
+%dir %{_localstatedir}/lib/ipa-client/sysrestore
+%{_usr}/share/ipa/ipaclient/ipa.cfg
+%{_usr}/share/ipa/ipaclient/ipa.js
+%dir %{python_sitelib}/ipaclient
+%{python_sitelib}/ipaclient/*.py*
+%{_mandir}/man1/ipa-getkeytab.1.gz
+%{_mandir}/man1/ipa-client-install.1.gz
+
+%files admintools
+%doc LICENSE README
+%defattr(-,root,root,-)
+#%{_sbindir}/ipa-adddelegation
+#%{_sbindir}/ipa-addgroup
+#%{_sbindir}/ipa-addservice
+#%{_sbindir}/ipa-adduser
+#%{_sbindir}/ipa-defaultoptions
+#%{_sbindir}/ipa-deldelegation
+#%{_sbindir}/ipa-delgroup
+#%{_sbindir}/ipa-delservice
+#%{_sbindir}/ipa-deluser
+#%{_sbindir}/ipa-findgroup
+#%{_sbindir}/ipa-findservice
+#%{_sbindir}/ipa-finduser
+#%{_sbindir}/ipa-listdelegation
+#%{_sbindir}/ipa-lockuser
+#%{_sbindir}/ipa-modgroup
+#%{_sbindir}/ipa-moddelegation
+#%{_sbindir}/ipa-passwd
+#%{_sbindir}/ipa-moduser
+#%{_sbindir}/ipa-pwpolicy
+#%{_sbindir}/ipa-change-master-key
+%{_sbindir}/ipa-fix-CVE-2008-3274
+%{_sbindir}/ipa-ldap-updater
+%{_sbindir}/ipa-compat-manage
+#%{_mandir}/man1/ipa-adddelegation.1.gz
+#%{_mandir}/man1/ipa-addgroup.1.gz
+#%{_mandir}/man1/ipa-addservice.1.gz
+#%{_mandir}/man1/ipa-adduser.1.gz
+#%{_mandir}/man1/ipa-defaultoptions.1.gz
+#%{_mandir}/man1/ipa-deldelegation.1.gz
+#%{_mandir}/man1/ipa-delgroup.1.gz
+#%{_mandir}/man1/ipa-delservice.1.gz
+#%{_mandir}/man1/ipa-deluser.1.gz
+#%{_mandir}/man1/ipa-findgroup.1.gz
+#%{_mandir}/man1/ipa-findservice.1.gz
+#%{_mandir}/man1/ipa-finduser.1.gz
+#%{_mandir}/man1/ipa-modgroup.1.gz
+#%{_mandir}/man1/ipa-listdelegation.1.gz
+#%{_mandir}/man1/ipa-lockuser.1.gz
+#%{_mandir}/man1/ipa-moddelegation.1.gz
+#%{_mandir}/man1/ipa-passwd.1.gz
+#%{_mandir}/man1/ipa-moduser.1.gz
+#%{_mandir}/man1/ipa-pwpolicy.1.gz
+#%{_mandir}/man1/ipa-ldap-updater.1.gz
+#%{_mandir}/man1/ipa-compat-manage.1.gz
+
+%files python
+%doc LICENSE README
+%defattr(-,root,root,-)
+%dir %{python_sitelib}/ipa
+%{python_sitelib}/ipa/*.py*
+%if 0%{?fedora} >= 9
+%{python_sitelib}/ipa-*.egg-info
+%endif
+%config(noreplace) %{_sysconfdir}/ipa/ipa.conf
+
+%files radius-server
+%doc LICENSE README
+%{_sbindir}/ipa-radius-install
+%{_usr}/share/ipa/ipaserver/plugins/*
+%dir %{_usr}/share/ipa/plugins
+%{_usr}/share/ipa/plugins/radius.radiusd.conf.template
+
+%files radius-admintools
+%doc LICENSE README
+%{_sbindir}/ipa-addradiusclient
+%{_sbindir}/ipa-addradiusprofile
+%{_sbindir}/ipa-delradiusclient
+%{_sbindir}/ipa-delradiusprofile
+%{_sbindir}/ipa-findradiusclient
+%{_sbindir}/ipa-findradiusprofile
+%{_sbindir}/ipa-modradiusclient
+%{_sbindir}/ipa-modradiusprofile
+
+%changelog
+* Sat Jan 17 2009 Tomas Mraz <tmraz@redhat.com> - 1.2.1-3
+- rebuild with new openssl
+
+* Fri Dec 19 2008 Dan Walsh <dwalsh@redhat.com> - 1.2.1-2
+- Fix SELinux code
+
+* Mon Dec 15 2008 Simo Sorce <ssorce@redhat.com> - 1.2.1-1
+- Fix breakage caused by python-kerberos update to 1.1
+
+* Fri Dec 5 2008 Simo Sorce <ssorce@redhat.com> - 1.2.1-0
+- New upstream release 1.2.1
+
+* Sat Nov 29 2008 Ignacio Vazquez-Abrams <ivazqueznet+rpm@gmail.com> - 1.2.0-4
+- Rebuild for Python 2.6
+
+* Fri Nov 14 2008 Simo Sorce <ssorce@redhat.com> - 1.2.0-3
+- Respin after the tarball has been re-released upstream
+  New hash is 506c9c92dcaf9f227cba5030e999f177
+
+* Thu Nov 13 2008 Simo Sorce <ssorce@redhat.com> - 1.2.0-2
+- Conditionally restart also dirsrv and httpd when upgrading
+
+* Wed Oct 29 2008 Rob Crittenden <rcritten@redhat.com> - 1.2.0-1
+- Update to upstream version 1.2.0
+- Set fedora-ds-base minimum version to 1.1.3 for winsync header
+- Set the minimum version for SELinux policy
+- Remove references to Fedora 7
+
+* Wed Jul 23 2008 Simo Sorce <ssorce@redhat.com> - 1.1.0-3
+- Fix for CVE-2008-3274
+- Fix segfault in ipa-kpasswd in case getifaddrs returns a NULL interface
+- Add fix for bug #453185
+- Rebuild against openldap libraries, mozldap ones do not work properly
+- TurboGears is currently broken in rawhide. Added patch to not build
+  the UI locales and removed them from the ipa-server files section.
+
+* Wed Jun 18 2008 Rob Crittenden <rcritten@redhat.com> - 1.1.0-2
+- Add call to /usr/sbin/upgradeconfig to post install
+
+* Wed Jun 11 2008 Rob Crittenden <rcritten@redhat.com> - 1.1.0-1
+- Update to upstream version 1.1.0
+- Patch for indexing memberof attribute
+- Patch for indexing uidnumber and gidnumber
+- Patch to change DNA default values for replicas
+- Patch to fix uninitialized variable in ipa-getkeytab
+
+* Fri May 16 2008 Rob Crittenden <rcritten@redhat.com> - 1.0.0-5
+- Set fedora-ds-base minimum version to 1.1.0.1-4 and mod_nss minimum
+  version to 1.0.7-4 so we pick up the NSS fixes.
+- Add selinux-policy-base(post) to Requires (446496)
+
+* Tue Apr 29 2008 Rob Crittenden <rcritten@redhat.com> - 1.0.0-4
+- Add missing entry for /var/cache/ipa/kpasswd (444624)
+- Added patch to fix permissions problems with the Apache NSS database.
+- Added patch to fix problem with DNS querying where the query could be
+  returned as the answer.
+- Fix spec error where patch1 was in the wrong section
+
+* Fri Apr 25 2008 Rob Crittenden <rcritten@redhat.com> - 1.0.0-3
+- Added patch to fix problem reported by ldapmodify
+
+* Fri Apr 25 2008 Rob Crittenden <rcritten@redhat.com> - 1.0.0-2
+- Fix Requires for krb5-server that was missing for Fedora versions > 9
+- Remove quotes around test for fedora version to package egg-info
+
+* Fri Apr 18 2008 Rob Crittenden <rcritten@redhat.com> - 1.0.0-1
+- Update to upstream version 1.0.0
+
+* Tue Mar 18 2008 Rob Crittenden <rcritten@redhat.com> 0.99-12
+- Pull upstream changelog 722
+- Add Conflicts mod_ssl (435360)
+
+* Thu Feb 29 2008 Rob Crittenden <rcritten@redhat.com> 0.99-11
+- Pull upstream changelog 698
+- Fix ownership of /var/log/ipa_error.log during install (435119)
+- Add pwpolicy command and man page
+
+* Thu Feb 21 2008 Rob Crittenden <rcritten@redhat.com> 0.99-10
+- Pull upstream changelog 678
+- Add new subpackage, ipa-server-selinux
+- Add Requires: authconfig to ipa-python (bz #433747)
+- Package i18n files
+
+* Mon Feb 18 2008 Rob Crittenden <rcritten@redhat.com> 0.99-9
+- Pull upstream changelog 641
+- Require minimum version of krb5-server on F-7 and F-8
+- Package some new files
+
+* Thu Jan 31 2008 Rob Crittenden <rcritten@redhat.com> 0.99-8
+- Marked with wrong license. IPA is GPLv2.
+
+* Tue Jan 29 2008 Rob Crittenden <rcritten@redhat.com> 0.99-7
+- Ensure that /etc/ipa exists before moving user-modifiable html files there
+- Put html files into /etc/ipa/html instead of /etc/ipa
+
+* Tue Jan 29 2008 Rob Crittenden <rcritten@redhat.com> 0.99-6
+- Pull upstream changelog 608 which renamed several files
+
+* Thu Jan 24 2008 Rob Crittenden <rcritten@redhat.com> 0.99-5
+- package the sessions dir /var/cache/ipa/sessions
+- Pull upstream changelog 597
+
+* Thu Jan 24 2008 Rob Crittenden <rcritten@redhat.com> 0.99-4
+- Updated upstream pull (596) to fix bug in ipa_webgui that was causing the
+  UI to not start.
+
+* Thu Jan 24 2008 Rob Crittenden <rcritten@redhat.com> 0.99-3
+- Included LICENSE and README in all packages for documentation
+- Move user-modifiable content to /etc/ipa and linked back to 
+  /usr/share/ipa/html
+- Changed some references to /usr to the {_usr} macro and /etc
+  to {_sysconfdir}
+- Added popt-devel to BuildRequires for Fedora 8 and higher and
+  popt for Fedora 7
+- Package the egg-info for Fedora 9 and higher for ipa-python
+
+* Tue Jan 22 2008 Rob Crittenden <rcritten@redhat.com> 0.99-2
+- Added auto* BuildRequires
+
+* Mon Jan 21 2008 Rob Crittenden <rcritten@redhat.com> 0.99-1
+- Unified spec file
+
+* Thu Jan 17 2008 Rob Crittenden <rcritten@redhat.com> - 0.6.0-2
+- Fixed License in specfile
+- Include files from /usr/lib/python*/site-packages/ipaserver
+
+* Fri Dec 21 2007 Karl MacMillan <kmacmill@redhat.com> - 0.6.0-1
+- Version bump for release
+
+* Wed Nov 21 2007 Karl MacMillan <kmacmill@mentalrootkit.com> - 0.5.0-1
+- Preverse mode on ipa-keytab-util
+- Version bump for relase and rpm name change
+
+* Thu Nov 15 2007 Rob Crittenden <rcritten@redhat.com> - 0.4.1-2
+- Broke invididual Requires and BuildRequires onto separate lines and
+  reordered them
+- Added python-tgexpandingformwidget as a dependency
+- Require at least fedora-ds-base 1.1
+
+* Thu Nov  1 2007 Karl MacMillan <kmacmill@redhat.com> - 0.4.1-1
+- Version bump for release
+
+* Wed Oct 31 2007 Karl MacMillan <kmacmill@redhat.com> - 0.4.0-6
+- Add dep for freeipa-admintools and acl
+
+* Wed Oct 24 2007 Rob Crittenden <rcritten@redhat.com> - 0.4.0-5
+- Add dependency for python-krbV
+
+* Fri Oct 19 2007 Rob Crittenden <rcritten@redhat.com> - 0.4.0-4
+- Require mod_nss-1.0.7-2 for mod_proxy fixes
+
+* Thu Oct 18 2007 Karl MacMillan <kmacmill@redhat.com> - 0.4.0-3
+- Convert to autotools-based build
+
+* Tue Sep 25 2007 Karl MacMillan <kmacmill@redhat.com> - 0.4.0-2
+  
+* Fri Sep 7 2007 Karl MacMillan <kmacmill@redhat.com> - 0.3.0-1
+- Added support for libipa-dna-plugin
+
+* Fri Aug 10 2007 Karl MacMillan <kmacmill@redhat.com> - 0.2.0-1
+- Added support for ipa_kpasswd and ipa_pwd_extop
+
+* Mon Aug  5 2007 Rob Crittenden <rcritten@redhat.com> - 0.1.0-3
+- Abstracted client class to work directly or over RPC
+
+* Wed Aug  1 2007 Rob Crittenden <rcritten@redhat.com> - 0.1.0-2
+- Add mod_auth_kerb and cyrus-sasl-gssapi to Requires
+- Remove references to admin server in ipa-server-setupssl
+- Generate a client certificate for the XML-RPC server to connect to LDAP with
+- Create a keytab for Apache
+- Create an ldif with a test user
+- Provide a certmap.conf for doing SSL client authentication
+
+* Fri Jul 27 2007 Karl MacMillan <kmacmill@redhat.com> - 0.1.0-1
+- Initial rpm version

ipalib/plugins/b_xmlrpc.py

@@ -86,7 +86,10 @@ class KerbTransport(xmlrpclib.SafeTransport):
         service = "HTTP@" + hostinfo[0]
 
         try:
-            rc, vc = kerberos.authGSSClientInit(service);
+            rc, vc = kerberos.authGSSClientInit(service,
+                                                kerberos.GSS_C_DELEG_FLAG |
+                                                kerberos.GSS_C_MUTUAL_FLAG |
+                                                kerberos.GSS_C_SEQUENCE_FLAG)
         except kerberos.GSSError, e:
             raise kerberos.GSSError(e)
 

ipalib/rpc.py

@@ -187,7 +187,10 @@ class KerbTransport(SafeTransport):
         service = "HTTP@" + host.split(':')[0]
 
         try:
-            (rc, vc) = kerberos.authGSSClientInit(service)
+            (rc, vc) = kerberos.authGSSClientInit(service,
+                                                kerberos.GSS_C_DELEG_FLAG |
+                                                kerberos.GSS_C_MUTUAL_FLAG |
+                                                kerberos.GSS_C_SEQUENCE_FLAG)
         except kerberos.GSSError, e:
             raise e  # FIXME: raise a PublicError
 

ipaserver/install/dsinstance.py

@@ -35,7 +35,7 @@ import service
 import installutils
 import certs
 import ipaldap, ldap
-from ipaserver import ldapupdate
+from ipaserver.install import ldapupdate
 
 SERVER_ROOT_64 = "/usr/lib64/dirsrv"
 SERVER_ROOT_32 = "/usr/lib/dirsrv"

ipaserver/install/ldapupdate.py

@@ -25,7 +25,7 @@
 UPDATES_DIR="/usr/share/ipa/updates/"
 
 import sys
-from ipaserver import ipaldap, installutils
+from ipaserver.install import ipaldap, installutils
 from ipa import entity, ipaerror, ipautil
 import ldap
 import logging

ipaserver/mod_python_xmlrpc.py

@@ -46,7 +46,6 @@ try:
 except ImportError:
     pass
 
-
 # Global list of available functions
 gfunctions = {}
 

setup.py

@@ -36,6 +36,7 @@ setup(
         'ipalib.plugins',
         'ipaserver',
         'ipaserver.plugins',
+        'ipaserver.install',
         'ipawebui',
         'ipawebui.templates',
     ],