Merge branch 'master' into master-exp

debian/autoreconf

@@ -0,0 +1,3 @@
+ipa-client
+daemons
+install

debian/changelog

@@ -0,0 +1,56 @@
+freeipa (3.3.4-1) UNRELEASED; urgency=low
+
+  [ Michele Baldessari ]
+  * Initial release (Closes: #734703)
+  * New upstream
+  * Dropped 10_ipa_kpasswd patch, applied upstream
+
+  [ Timo Aaltonen ]
+  * New upstream release.
+  * Remove radius subpackages.
+  * Migrate to source format 3.0 (quilt).
+  * Migrate to dh.
+  * Fix dependencies.
+  * Add no-testcert.patch to not fail make-testcert.
+  * Bump compat and debhelper build-depends to 9.
+  * Add missing files to freeipa.install.
+  * Add --fail-missing for dh_install.
+  * copyright: Updated, with OpenSSL exception.
+  * control: Add python-libipa-hbac to build-depends.
+  * control: Add ${shlibs:Depends} to python-freeipa depends.
+  * rules: Strip the executable bit from translation files.
+  * Use dh_python2.
+  * Add DEP-3 compliant headers to the patches.
+  * control: client; Move libpam-krb5 to Suggests.
+  * control: Update the maintainer address and repo location.
+  * control: Fix package descriptions.
+  * control: Add python-krbv, python-dnspython, keyutils to client depends.
+  * Add no-test-lang.diff, test_lang is gone.
+  * correct-python-path.diff: Fallback on the correct path if rpm query
+    fails.
+  * dont-search-platform-path.diff: Don't use Python.h from the
+    platform specific path.
+  * fix-install-layout.diff: Pass an option to setup-client.py to
+    install the python bits to the correct path.
+  * fix-ntpdate-opts.diff: Drop -U from nptdate opts, we don't have
+    that.
+  * Add support for Debian platform.
+  * port-ipa-client-automount.diff: Patch i-c-a so it works on Debian.
+  * rules: Don't run tests on server either, would never work during package
+    build.
+
+  [ Nick Hatch ]
+  * Added three patches
+    - fix-symlink-exclusion.diff: Don't exclude symlinks when loading
+      plugins
+    - fix-ldap-conf-path.diff: Patch client installer to use correct LDAP
+      conf path.
+    - check-dbus-before-starting.diff: Check to see if dbus is running
+      before attempting to start it
+
+  [ Timo Aaltonen ]
+  * use-new-nssdb.diff: Use sqlite-based nssdb's instead of old.
+  * control: Add python-dnspython and python-ldap to python-freeipa
+    Depends.
+
+ -- Timo Aaltonen <tjaalton@ubuntu.com>  Tue, 01 Nov 2011 10:52:25 -0400

debian/compat

@@ -0,0 +1 @@
+9

debian/control

@@ -0,0 +1,187 @@
+Source: freeipa
+Section: net
+Priority: extra
+Maintainer: Debian FreeIPA Team <pkg-freeipa-devel@lists.alioth.debian.org>
+Uploaders: Timo Aaltonen <tjaalton@ubuntu.com>
+Build-Depends: quilt, debhelper (>= 9), dh-autoreconf,
+# client
+ gettext,
+ krb5-user,
+ libcurl4-nss-dev,
+ libkrb5-dev (>= 1.12),
+ libldap2-dev,
+ libnss3-dev,
+ libnspr4-dev,
+ libpopt-dev,
+ libsasl2-dev,
+ libssl-dev,
+ libtalloc-dev,
+ libxmlrpc-core-c3-dev,
+ python-all-dev,
+ python-dnspython,
+ python-kerberos,
+ python-krbv,
+ python-ldap,
+ python-libipa-hbac,
+ python-memcache,
+ python-netaddr,
+ python-nss,
+ python-openssl,
+ python-polib,
+ python-setuptools,
+ python-sss (>= 1.8.0),
+ python-support,
+# server
+ 389-ds-base-dev (>= 1.1.3),
+ libkrad-dev,
+ libsss-idmap-dev,
+ libsss-nss-idmap-dev,
+ libsvrcore-dev,
+ libtevent-dev,
+ libunistring-dev,
+ libverto-dev,
+ rhino,
+ samba-dev,
+ selinux-policy-dev,
+ uuid-dev,
+# tests
+ check,
+ libcmocka-dev,
+ python-lxml,
+ python-nose,
+Standards-Version: 3.9.3
+Vcs-Git: git://git.debian.org/git/pkg-freeipa/freeipa.git
+Vcs-Browser: http://anonscm.debian.org/gitweb/?p=pkg-freeipa/freeipa.git
+Homepage: http://www.freeipa.org
+
+Package: freeipa-server
+Architecture: any
+Depends: ${shlibs:Depends}, ${misc:Depends}, ${python:Depends},
+ freeipa-client (= ${binary:Version}),
+ freeipa-admintools (= ${binary:Version}),
+ python-freeipa (= ${binary:Version}),
+ 389-ds-base,
+ acl,
+ apache2,
+ dogtag-pki-common-theme,
+ dogtag-pki-ca-theme,
+ krb5-kdc,
+ krb5-kdc-ldap,
+ krb5-pkinit,
+ ldap-utils,
+ libnss3-tools,
+ libsasl2-modules-gssapi-mit,
+ libapache2-mod-wsgi,
+ libapache2-mod-auth-kerb,
+ libapache2-mod-nss,
+ ntp,
+ pki-ca,
+ pki-setup,
+ pki-silent,
+ python-ldap,
+ python-krbv,
+ python-pyasn1,
+Description: FreeIPA centralized identity framework -- server
+ FreeIPA is an integrated solution to provide centrally managed Identity
+ (machine, user, virtual machines, groups, authentication credentials), Policy
+ (configuration settings, access control information) and Audit (events,
+ logs, analysis thereof).
+ .
+ This is the server package.
+
+Package: freeipa-server-trust-ad
+Architecture: any
+Depends: ${misc:Depends}, ${python:Depends},
+ freeipa-server (= ${binary:Version}),
+ python-libsss-nss-idmap,
+ python-m2crypto,
+ python-samba,
+ samba,
+ winbind,
+Description: FreeIPA centralized identity framework -- AD trust installer
+ FreeIPA is an integrated solution to provide centrally managed Identity
+ (machine, user, virtual machines, groups, authentication credentials), Policy
+ (configuration settings, access control information) and Audit (events,
+ logs, analysis thereof).
+ .
+ Cross-realm trusts with Active Directory in IPA require working Samba 4
+ installation. This package is provided for convenience to install all required
+ dependencies at once.
+
+Package: freeipa-client
+Architecture: any
+Depends: ${shlibs:Depends}, ${misc:Depends}, ${python:Depends},
+ python-freeipa (= ${binary:Version}),
+ bind9utils,
+ certmonger,
+ krb5-user,
+ libcurl3 (>= 7.22.0),
+ libnss3-tools,
+ libsasl2-modules-gssapi-mit,
+ libxmlrpc-core-c3 (>= 1.16.33-3.1ubuntu5),
+ ntp,
+ python-dnspython,
+ python-ldap,
+ python-krbv,
+ sssd (>= 1.9.2),
+ wget,
+Suggests:
+ libpam-krb5,
+Description: FreeIPA centralized identity framework -- client
+ FreeIPA is an integrated solution to provide centrally managed Identity 
+ (machine, user, virtual machines, groups, authentication credentials), Policy
+ (configuration settings, access control information) and Audit (events,
+ logs, analysis thereof). 
+ .
+ This is the client package.
+
+Package: freeipa-admintools
+Architecture: any
+Depends: ${shlibs:Depends}, ${misc:Depends}, ${python:Depends},
+ freeipa-client (= ${binary:Version}),
+ python-freeipa (= ${binary:Version}),
+ python-krbv,
+ python-ldap,
+Description: FreeIPA centralized identity framework -- admintools
+ FreeIPA is an integrated solution to provide centrally managed Identity
+ (machine, user, virtual machines, groups, authentication credentials), Policy
+ (configuration settings, access control information) and Audit (events,
+ logs, analysis thereof).
+ .
+ This package contains some tools for administrators.
+
+Package: freeipa-tests
+Architecture: any
+Depends: ${misc:Depends}, ${python:Depends},
+ tar,
+ xz,
+Description: FreeIPA centralized identity framework -- tests
+ FreeIPA is an integrated solution to provide centrally managed Identity
+ (machine, user, virtual machines, groups, authentication credentials), Policy
+ (configuration settings, access control information) and Audit (events,
+ logs, analysis thereof).
+ .
+ This package contains tests that verify IPA functionality.
+
+Package: python-freeipa
+Architecture: any
+Section: python
+Depends: ${shlibs:Depends}, ${python:Depends}, ${misc:Depends},
+ gnupg,
+ iproute,
+ keyutils,
+ python-dnspython,
+ python-kerberos,
+ python-ldap,
+ python-libipa-hbac,
+ python-lxml,
+ python-netaddr,
+ python-nss,
+ python-openssl,
+Description: FreeIPA centralized identity framework -- python modules
+ FreeIPA is an integrated solution to provide centrally managed Identity 
+ (machine, user, virtual machines, groups, authentication credentials), Policy
+ (configuration settings, access control information) and Audit (events,
+ logs, analysis thereof). 
+ .
+ This Python module is used by other FreeIPA packages.

debian/copyright

@@ -0,0 +1,51 @@
+Format: http://www.debian.org/doc/packaging-manuals/copyright-format/1.0/
+Upstream-name: freeipa
+Source: http://freeipa.org/downloads/src/
+
+Files: *
+Copyright: 1999-2011 Red Hat, Inc.
+License: GPL-3+
+
+Files: daemons/ipa-slapi-plugins/*/*.c
+       daemons/ipa-slapi-plugins/*/*.h
+Copyright: 2005-2010 Red Hat, Inc.
+License: GPL-3+ with OpenSSL exception
+ This program is free software; you can redistribute it and/or modify
+ it under the terms of the GNU General Public License as published by
+ the Free Software Foundation, either version 3 of the License, or
+ (at your option) any later version.
+ .
+ This program is distributed in the hope that it will be useful,
+ but WITHOUT ANY WARRANTY; without even the implied warranty of
+ MERCHANTABILITY or FITNESS FOR A PARTICULAR PURPOSE.  See the
+ GNU General Public License for more details.
+ .
+ You should have received a copy of the GNU General Public License
+ along with this program.  If not, see <http://www.gnu.org/licenses/>.
+ .
+ Additional permission under GPLv3 section 7:
+ .
+ In the following paragraph, "GPL" means the GNU General Public
+ License, version 3 or any later version, and "Non-GPL Code" means
+ code that is governed neither by the GPL nor a license
+ compatible with the GPL.
+ .
+ You may link the code of this Program with Non-GPL Code and convey
+ linked combinations including the two, provided that such Non-GPL
+ Code only links to the code of this Program through those well
+ defined interfaces identified in the file named EXCEPTION found in
+ the source code files (the "Approved Interfaces"). The files of
+ Non-GPL Code may instantiate templates or use macros or inline
+ functions from the Approved Interfaces without causing the resulting
+ work to be covered by the GPL. Only the copyright holders of this
+ Program may make changes or additions to the list of Approved
+ Interfaces.
+
+Files: debian/*
+Copyright: Michele Baldessari michele@pupazzo.org>
+           Timo Aaltonen <tjaalton@ubuntu.com>
+License: GPL-3+
+
+License: GPL-3+
+ On Debian machines the full text of the GNU General Public License 
+ can be found in the file /usr/share/common-licenses/GPL-3.

debian/freeipa-admintools.install

@@ -0,0 +1,3 @@
+etc/bash_completion.d/ipa
+usr/bin/ipa
+usr/share/man/man1/ipa.1

debian/freeipa-client.dirs

@@ -0,0 +1,2 @@
+etc/ipa
+var/lib/ipa-client/sysrestore

debian/freeipa-client.install

@@ -0,0 +1,14 @@
+usr/sbin/ipa-client-automount
+usr/sbin/ipa-client-install
+usr/sbin/ipa-getkeytab
+usr/sbin/ipa-rmkeytab
+usr/sbin/ipa-join
+usr/share/ipa/ipaclient/ipa.cfg
+usr/share/ipa/ipaclient/ipa.js
+usr/lib/python*/dist-packages/ipaclient/*.py
+usr/share/man/man1/ipa-client-automount.1.gz
+usr/share/man/man1/ipa-client-install.1.gz
+usr/share/man/man1/ipa-getkeytab.1.gz
+usr/share/man/man1/ipa-rmkeytab.1.gz
+usr/share/man/man1/ipa-join.1.gz
+usr/share/man/man5/default.conf.5.gz

debian/freeipa-server-trust-ad.install

@@ -0,0 +1,9 @@
+usr/sbin/ipa-adtrust-install
+usr/lib/*/dirsrv/plugins/libipa_extdom_extop.so
+usr/lib/*/dirsrv/plugins/libipa_sidgen.so
+usr/lib/*/dirsrv/plugins/libipa_sidgen_task.so
+usr/lib/*/samba/pdb/ipasam.so
+usr/lib/python*/dist-packages/ipaserver/dcerpc
+usr/lib/python*/dist-packages/ipaserver/install/adtrustinstance*
+usr/share/ipa/smb.conf.empty
+usr/share/man/man1/ipa-adtrust-install.1

debian/freeipa-server.docs

@@ -0,0 +1 @@
+README

debian/freeipa-server.install

@@ -0,0 +1,70 @@
+etc/ipa/html/*
+lib/systemd/system/ipa-otpd@.service
+lib/systemd/system/ipa-otpd.socket
+usr/lib/*/dirsrv/plugins/libipa_cldap.so
+usr/lib/*/dirsrv/plugins/libipa_dns.so
+usr/lib/*/dirsrv/plugins/libipa_enrollment_extop.so
+usr/lib/*/dirsrv/plugins/libipa_lockout.so
+usr/lib/*/dirsrv/plugins/libipa_modrdn.so
+usr/lib/*/dirsrv/plugins/libipa_pwd_extop.so
+usr/lib/*/dirsrv/plugins/libipa_range_check.so
+usr/lib/*/dirsrv/plugins/libipa_repl_version.so
+usr/lib/*/dirsrv/plugins/libipa_uuid.so
+usr/lib/*/dirsrv/plugins/libipa_winsync.so
+usr/lib/*/ipa/certmonger/*
+usr/lib/*/ipa-otpd
+usr/lib/*/krb5/plugins/kdb/*.so
+usr/lib/python*/dist-packages/ipaserver/*
+
+usr/sbin/ipa-advise
+usr/sbin/ipa-backup
+usr/sbin/ipa-ca-install
+usr/sbin/ipa-compat-manage
+usr/sbin/ipa-csreplica-manage
+usr/sbin/ipa-dns-install
+usr/sbin/ipa-ldap-updater
+usr/sbin/ipa-managed-entries
+usr/sbin/ipa-nis-manage
+usr/sbin/ipa-replica-conncheck
+usr/sbin/ipa-replica-install
+usr/sbin/ipa-replica-manage
+usr/sbin/ipa-replica-prepare
+usr/sbin/ipa-restore
+usr/sbin/ipa-server-certinstall
+usr/sbin/ipa-server-install
+usr/sbin/ipa-upgradeconfig
+usr/sbin/ipactl
+usr/share/ipa/advise/legacy/*.template
+usr/share/ipa/copy-schema-to-ca.py
+usr/share/ipa/ca_renewal
+usr/share/ipa/ffextension/*
+usr/share/ipa/ipa.conf
+usr/share/ipa/ipa-pki-proxy.conf
+usr/share/ipa/ipa-rewrite.conf
+usr/share/ipa/*.ldif
+usr/share/ipa/migration/*
+usr/share/ipa/*.template
+usr/share/ipa/ui/*
+usr/share/ipa/*.uldif
+usr/share/ipa/updates/*
+usr/share/ipa/wsgi.py
+usr/share/ipa/wsgi/*
+usr/share/man/man1/ipa-advise.1
+usr/share/man/man1/ipa-backup.1.gz
+usr/share/man/man1/ipa-ca-install.1.gz
+usr/share/man/man1/ipa-compat-manage.1.gz
+usr/share/man/man1/ipa-csreplica-manage.1.gz
+usr/share/man/man1/ipa-dns-install.1.gz
+usr/share/man/man1/ipa-ldap-updater.1.gz
+usr/share/man/man1/ipa-managed-entries.1.gz
+usr/share/man/man1/ipa-nis-manage.1.gz
+usr/share/man/man1/ipa-replica-conncheck.1.gz
+usr/share/man/man1/ipa-replica-install.1.gz
+usr/share/man/man1/ipa-replica-manage.1.gz
+usr/share/man/man1/ipa-replica-prepare.1.gz
+usr/share/man/man1/ipa-restore.1.gz
+usr/share/man/man1/ipa-server-certinstall.1.gz
+usr/share/man/man1/ipa-server-install.1.gz
+usr/share/man/man8/ipactl.8.gz
+usr/share/man/man8/ipa-upgradeconfig.8.gz
+var/lib/ipa/sysrestore

debian/freeipa-server.links

@@ -0,0 +1,3 @@
+/usr/share/javascript/prototype/prototype.js       	/usr/share/ipa/ipagui/static/javascript/prototype.js
+/usr/share/javascript/scriptaculous/scriptaculous.js	/usr/share/ipa/ipagui/static/javascript/scriptaculous.js
+/usr/share/javascript/scriptaculous/effects.js		/usr/share/ipa/ipagui/static/javascript/effects.js

debian/freeipa-tests.install

@@ -0,0 +1,7 @@
+usr/bin/ipa-run-tests
+usr/bin/ipa-test-config
+usr/bin/ipa-test-task
+usr/lib/python*/ipatests/*
+usr/share/man/man1/ipa-run-tests.1
+usr/share/man/man1/ipa-test-config.1
+usr/share/man/man1/ipa-test-task.1

debian/patches/add-debian-platform.diff

@@ -0,0 +1,208 @@
+commit b076743f2cdd3a3cb9e8d0e8be7be8c90160fc21
+Author: Timo Aaltonen <tjaalton@ubuntu.com>
+Date:   Fri Mar 1 12:21:00 2013 +0200
+
+    add debian platform support
+
+--- /dev/null
++++ b/ipapython/platform/debian/__init__.py
+@@ -0,0 +1,43 @@
++import os
++
++from ipapython.platform import base, redhat, fedora18
++from ipapython.platform.debian.auth import DebianAuthConfig
++from ipapython.platform.debian.service import debian_service, DebianServices
++
++# All what we allow exporting directly from this module
++# Everything else is made available through these symbols when they are
++# directly imported into ipapython.services:
++#
++# authconfig -- class reference for platform-specific implementation of
++#               authconfig(8)
++# service    -- class reference for platform-specific implementation of a
++#               PlatformService class
++# knownservices -- factory instance to access named services IPA cares about,
++#                  names are ipapython.services.wellknownservices
++# backup_and_replace_hostname -- platform-specific way to set hostname and
++#                                make it persistent over reboots
++# restore_network_configuration -- platform-specific way of restoring network
++#                                  configuration (e.g. static hostname)
++# restore_context -- platform-sepcific way to restore security context, if
++#                    applicable
++# check_selinux_status -- platform-specific way to see if SELinux is enabled
++#                         and restorecon is installed.
++__all__ = ['authconfig', 'service', 'knownservices',
++    'backup_and_replace_hostname', 'restore_context', 'check_selinux_status',
++    'restore_network_configuration', 'timedate_services']
++
++# Just copy a referential list of timedate services
++timedate_services = list(base.timedate_services)
++
++def restore_network_configuration(fstore, statestore):
++    filepath = '/etc/hostname'
++    if fstore.has_file(filepath):
++        fstore.restore_file(filepath)
++        hostname_was_configured = True
++
++authconfig = DebianAuthConfig
++service = debian_service
++knownservices = DebianServices()
++backup_and_replace_hostname = fedora18.backup_and_replace_hostname
++restore_context = redhat.restore_context
++check_selinux_status = redhat.check_selinux_status
+--- /dev/null
++++ b/ipapython/platform/debian/auth.py
+@@ -0,0 +1,33 @@
++from ipapython import ipautil
++from ipapython.platform import base
++
++class DebianAuthConfig(base.AuthConfig):
++    """
++    Debian implementation of the AuthConfig class.
++
++    Debian doesn't provide a single application for changing both
++    nss and pam configuration. PAM can be configured using debconf but there
++    is currently no such solution for updating NSS database and every package
++    does it by itself.
++
++    We'll have to play a catch-up game with the rest of the FreeIPA project
++    filtering out .enable() and .disable() calls that are useless for us,
++    and making the best out of the rest of them.
++    """
++
++    def __build_args(self):
++        args = ['--force',  '--package']
++        for (option, value) in self.parameters.items():
++            if option == "sssdauth":
++                option = "sss"
++            if type(value) is bool and not value:
++               if not any("remove" in s for s in args):
++                    args.append("--remove")
++               args.append("%s" % (option))
++        return args
++
++    def execute(self):
++        env = {"DEBCONF_FRONTEND" : "noninteractive"}
++        args = self.__build_args()
++        ipautil.run(["/usr/sbin/pam-auth-update"] + args, env = env)
++
+--- /dev/null
++++ b/ipapython/platform/debian/service.py
+@@ -0,0 +1,107 @@
++import time
++
++from ipapython import ipautil
++from ipapython.ipa_log_manager import root_logger
++from ipapython.platform import base
++from ipalib import api
++
++class DebianService(base.PlatformService):
++    def __wait_for_open_ports(self, instance_name=""):
++        """
++        If this is a service we need to wait for do so.
++        """
++        ports = None
++        if instance_name in base.wellknownports:
++            ports = base.wellknownports[instance_name]
++        else:
++            if self.service_name in base.wellknownports:
++                ports = base.wellknownports[self.service_name]
++        if ports:
++            ipautil.wait_for_open_ports('localhost', ports, api.env.startup_timeout)
++    def stop(self, instance_name='', capture_output=True):
++        ipautil.run(["/usr/sbin/service", self.service_name, "stop",
++                     instance_name], capture_output=capture_output)
++        if 'context' in api.env and api.env.context in ['ipactl', 'installer']:
++            update_service_list = True
++        else:
++            update_service_list = False
++        super(DebianService, self).stop(instance_name)
++
++    def start(self, instance_name='', capture_output=True, wait=True):
++        ipautil.run(["/usr/sbin/service", self.service_name, "start",
++                     instance_name], capture_output=capture_output)
++        if 'context' in api.env and api.env.context in ['ipactl', 'installer']:
++            update_service_list = True
++        else:
++            update_service_list = False
++        if wait and self.is_running(instance_name):
++            self.__wait_for_open_ports(instance_name)
++        super(DebianService, self).start(instance_name)
++
++    def restart(self, instance_name='', capture_output=True, wait=True):
++        ipautil.run(["/usr/sbin/service", self.service_name, "restart",
++                     instance_name], capture_output=capture_output)
++        if wait and self.is_running(instance_name):
++            self.__wait_for_open_ports(instance_name)
++
++    def is_running(self, instance_name=""):
++        ret = True
++        try:
++            (sout, serr, rcode) = ipautil.run(["/usr/sbin/service",
++                                              self.service_name, "status",
++                                              instance_name])
++            if sout.find("NOT running") >= 0:
++                ret = False
++            if sout.find("stop") >= 0:
++                ret = False
++        except ipautil.CalledProcessError:
++                ret = False
++        return ret
++
++    def is_installed(self):
++        installed = True
++        try:
++            ipautil.run(["/usr/sbin/service", self.service_name, "status"])
++        except ipautil.CalledProcessError, e:
++            if e.returncode == 1:
++                # service is not installed or there is other serious issue
++                installed = False
++        return installed
++
++    def is_enabled(self, instance_name=""):
++        # Services are always assumed to be enabled when installed
++        return True
++
++    def enable(self):
++        return True
++
++    def disable(self):
++        return True
++
++    def install(self):
++        return True
++
++    def remove(self):
++        return True
++
++class DebianSSHService(DebianService):
++    def get_config_dir(self, instance_name=""):
++        return '/etc/ssh'
++
++def debian_service(name):
++    if name == 'sshd':
++        return DebianSSHService(name)
++    return DebianService(name)
++
++class DebianServices(base.KnownServices):
++    def __init__(self):
++        services = dict()
++        for s in base.wellknownservices:
++            if s == "messagebus":
++                services[s] = debian_service("dbus")
++            elif s == "ntpd":
++                services[s] = debian_service("ntp")
++            else:
++                services[s] = debian_service(s)
++        # Call base class constructor. This will lock services to read-only
++        super(DebianServices, self).__init__(services)
+--- a/ipapython/setup.py.in
++++ b/ipapython/setup.py.in
+@@ -68,6 +68,7 @@ def setup_package():
+             packages = [ "ipapython",
+                          "ipapython.platform",
+                          "ipapython.platform.base",
++                         "ipapython.platform.debian",
+                          "ipapython.platform.fedora16",
+                          "ipapython.platform.fedora18",
+                          "ipapython.platform.redhat" ],

debian/patches/check-dbus-before-starting.diff

@@ -0,0 +1,34 @@
+--- a/ipa-client/ipa-install/ipa-client-install
++++ b/ipa-client/ipa-install/ipa-client-install
+@@ -372,10 +372,11 @@ def uninstall(options, env):
+     # Always start certmonger. We can't untrack something if it isn't
+     # running
+     messagebus = ipaservices.knownservices.messagebus
+-    try:
+-        messagebus.start()
+-    except Exception, e:
+-        log_service_error(messagebus.service_name, 'start', e)
++    if not messagebus.is_running():
++        try:
++            messagebus.start()
++        except Exception, e:
++            log_service_error(messagebus.service_name, 'start', e)
+ 
+     cmonger = ipaservices.knownservices.certmonger
+     try:
+@@ -970,10 +971,11 @@ def configure_certmonger(fstore, subject
+     principal = 'host/%s@%s' % (hostname, cli_realm)
+ 
+     messagebus = ipaservices.knownservices.messagebus
+-    try:
+-        messagebus.start()
+-    except Exception, e:
+-        log_service_error(messagebus.service_name, 'start', e)
++    if not messagebus.is_running():
++        try:
++            messagebus.start()
++        except Exception, e:
++            log_service_error(messagebus.service_name, 'start', e)
+ 
+     # Ensure that certmonger has been started at least once to generate the
+     # cas files in /var/lib/certmonger/cas.

debian/patches/correct-python-path.diff

@@ -0,0 +1,11 @@
+--- a/Makefile
++++ b/Makefile
+@@ -50,7 +50,7 @@ ifneq ($(DEVELOPER_MODE),0)
+ LINT_OPTIONS=--no-fail
+ endif
+ 
+-PYTHON ?= $(shell rpm -E %__python)
++PYTHON ?= $(shell rpm -E %__python || echo /usr/bin/python)
+ 
+ # Uncomment to increase Java stack size for Web UI build in case it fails
+ # because of stack overflow exception. Default should be OK for most platforms.

debian/patches/dont-check-for-systemd-pc.diff

@@ -0,0 +1,15 @@
+avoid build-dependency on systemd, which doesn't exist on ubuntu
+
+diff --git a/daemons/configure.ac b/daemons/configure.ac
+index e57dad2..9ca5198 100644
+--- a/daemons/configure.ac
++++ b/daemons/configure.ac
+@@ -232,7 +232,7 @@ PKG_CHECK_MODULES([SSSNSSIDMAP], [sss_nss_idmap])
+ dnl ---------------------------------------------------------------------------
+ dnl - Check for systemd unit directory
+ dnl ---------------------------------------------------------------------------
+-PKG_CHECK_EXISTS([systemd], [], [AC_MSG_ERROR([systemd not found])])
++dnl PKG_CHECK_EXISTS([systemd], [], [AC_MSG_ERROR([systemd not found])])
+ AC_ARG_WITH([systemdsystemunitdir],
+             AS_HELP_STRING([--with-systemdsystemunitdir=DIR], [Directory for systemd service files]),
+             [], [with_systemdsystemunitdir=$($PKG_CONFIG --variable=systemdsystemunitdir systemd)])

debian/patches/dont-search-platform-path.diff

@@ -0,0 +1,11 @@
+--- a/ipapython/py_default_encoding/setup.py
++++ b/ipapython/py_default_encoding/setup.py
+@@ -22,7 +22,7 @@ from distutils.sysconfig import get_pyth
+ import sys
+ import os
+ 
+-python_header = os.path.join(get_python_inc(plat_specific=1), 'Python.h')
++python_header = os.path.join(get_python_inc(plat_specific=0), 'Python.h')
+ if not os.path.exists(python_header):
+     sys.exit("Cannot find Python development packages that provide Python.h")
+ 

debian/patches/fix-install-layout.diff

@@ -0,0 +1,14 @@
+--- a/Makefile
++++ b/Makefile
+@@ -82,9 +82,9 @@ client-install: client client-dirs
+ 	done
+ 	cd install/po && $(MAKE) install || exit 1;
+ 	if [ "$(DESTDIR)" = "" ]; then \
+-		$(PYTHON) setup-client.py install; \
++		$(PYTHON) setup-client.py install --install-layout=deb; \
+ 	else \
+-		$(PYTHON) setup-client.py install --root $(DESTDIR); \
++		$(PYTHON) setup-client.py install --install-layout=deb --root $(DESTDIR); \
+ 	fi
+ 
+ client-dirs:

debian/patches/fix-ldap-conf-path.diff

@@ -0,0 +1,11 @@
+--- a/ipa-client/ipa-install/ipa-client-install
++++ b/ipa-client/ipa-install/ipa-client-install
+@@ -854,7 +854,7 @@ def configure_openldap_conf(fstore, cli_
+             {'action':'addifnotset', 'name':'TLS_CACERT', 'type':'option',
+                 'value':CACERT},]
+ 
+-    target_fname = '/etc/openldap/ldap.conf'
++    target_fname = '/etc/ldap/ldap.conf'
+     fstore.backup_file(target_fname)
+ 
+     error_msg = "Configuring {path} failed with: {err}"

debian/patches/fix-ntpdate-opts.diff

@@ -0,0 +1,13 @@
+Our ntp isn't patched to drop privileges.
+
+--- a/ipa-client/ipaclient/ntpconf.py
++++ b/ipa-client/ipaclient/ntpconf.py
+@@ -147,7 +147,7 @@ def synconce_ntp(server_fqdn):
+     if os.path.exists(ntpdate):
+         # retry several times -- logic follows /etc/init.d/ntpdate
+         # implementation
+-        cmd = [ntpdate, "-U", "ntp", "-s", "-b", "-v", server_fqdn]
++        cmd = [ntpdate, "-s", "-b", "-v", server_fqdn]
+         for retry in range(0, 3):
+             try:
+                 ipautil.run(cmd)

debian/patches/fix-portability-of-nss.diff

@@ -0,0 +1,74 @@
+From 2d9e290970e71d373b91cd0cd1db52b991636889 Mon Sep 17 00:00:00 2001
+From: Lukas Slebodnik <lslebodn@redhat.com>
+Date: Thu, 28 Nov 2013 15:32:07 +0100
+Subject: [PATCH] BUILD: Fix portability of NSS in file ipa_pwd.c
+
+---
+ daemons/ipa-kdb/Makefile.am                         | 4 +++-
+ daemons/ipa-slapi-plugins/ipa-pwd-extop/Makefile.am | 1 +
+ util/ipa_pwd.c                                      | 8 ++++----
+ 3 files changed, 8 insertions(+), 5 deletions(-)
+
+diff --git a/daemons/ipa-kdb/Makefile.am b/daemons/ipa-kdb/Makefile.am
+index dc543dd..b3d6a1b 100644
+--- a/daemons/ipa-kdb/Makefile.am
++++ b/daemons/ipa-kdb/Makefile.am
+@@ -21,6 +21,7 @@ AM_CPPFLAGS =						\
+ 	$(KRB5_CFLAGS)					\
+ 	$(WARN_CFLAGS)					\
+ 	$(NDRPAC_CFLAGS)				\
++	$(NSS_CFLAGS)					\
+ 	$(NULL)
+ 
+ plugindir = $(libdir)/krb5/plugins/kdb
+@@ -51,6 +52,7 @@ ipadb_la_LIBADD = 		\
+ 	$(LDAP_LIBS)		\
+ 	$(NDRPAC_LIBS)		\
+ 	$(UNISTRING_LIBS)	\
++	$(NSS_LIBS)             \
+ 	$(NULL)
+ 
+ if HAVE_CHECK
+@@ -77,7 +79,7 @@ ipa_kdb_tests_LDADD =          \
+        $(KRB5_LIBS)            \
+        $(LDAP_LIBS)            \
+        $(NDRPAC_LIBS)          \
+-       -lnss3                  \
++       $(NSS_LIBS)             \
+        -lkdb5                  \
+        -lsss_idmap             \
+        $(NULL)
+diff --git a/daemons/ipa-slapi-plugins/ipa-pwd-extop/Makefile.am b/daemons/ipa-slapi-plugins/ipa-pwd-extop/Makefile.am
+index b53b2e1..3323d72 100644
+--- a/daemons/ipa-slapi-plugins/ipa-pwd-extop/Makefile.am
++++ b/daemons/ipa-slapi-plugins/ipa-pwd-extop/Makefile.am
+@@ -22,6 +22,7 @@ AM_CPPFLAGS =							\
+ 	$(LDAP_CFLAGS)					\
+ 	$(KRB5_CFLAGS)						\
+ 	$(SSL_CFLAGS)						\
++	$(NSS_CFLAGS)						\
+ 	$(WARN_CFLAGS)						\
+ 	$(NULL)
+ 	
+diff --git a/util/ipa_pwd.c b/util/ipa_pwd.c
+index 761d1ef..f6564c8 100644
+--- a/util/ipa_pwd.c
++++ b/util/ipa_pwd.c
+@@ -27,10 +27,10 @@
+ #include <stdio.h>
+ #include <time.h>
+ #include <ctype.h>
+-#include <nss3/nss.h>
+-#include <nss3/nssb64.h>
+-#include <nss3/hasht.h>
+-#include <nss3/pk11pub.h>
++#include <nss.h>
++#include <nssb64.h>
++#include <hasht.h>
++#include <pk11pub.h>
+ #include <errno.h>
+ #include "ipa_pwd.h"
+ 
+-- 
+1.8.4.2
+

debian/patches/fix-pykerberos-api.diff

@@ -0,0 +1,11 @@
+--- a/ipalib/rpc.py
++++ b/ipalib/rpc.py
+@@ -380,7 +380,7 @@ class KerbTransport(SSLTransport):
+         service = "HTTP@" + host.split(':')[0]
+ 
+         try:
+-            (rc, vc) = kerberos.authGSSClientInit(service, self.flags)
++            (rc, vc) = kerberos.authGSSClientInit(service, gssflags=self.flags)
+         except kerberos.GSSError, e:
+             self._handle_exception(e)
+ 

debian/patches/fix-symlink-exclusion.diff

@@ -0,0 +1,22 @@
+Description: Don't exclude symlinks when loading plugins
+ FreeIPA uses custom helpers to enumerate and load plugins. These plugins,
+ provided by the ipalib module, are excluded due to being symlinked in from
+ /usr/lib/pyshared as part of the dh_python2 installation process.
+ .
+ This change can probably be submitted upstream, but I have no idea why the
+ original author would exclude symlinks in the first place, nor why a custom
+ loader is being used.
+Author: Nick Hatch <nicholas.hatch@gmail.com>
+Last-Update: 2013-03-20
+
+--- freeipa.orig/ipalib/util.py
++++ freeipa/ipalib/util.py
+@@ -81,7 +81,7 @@
+         if not name.endswith(suffix):
+             continue
+         pyfile = os.path.join(src_dir, name)
+-        if os.path.islink(pyfile) or not os.path.isfile(pyfile):
++        if not os.path.isfile(pyfile):
+             continue
+         module = name[:-len(suffix)]
+         if module == '__init__':

debian/patches/include-ldflags-otpd.diff

@@ -0,0 +1,21 @@
+commit 75dadc1d8ffc3ac84c4b1988c266ef60de1a6cfe
+Author: Jan Cholasta <jcholast@redhat.com>
+Date:   Wed Dec 4 18:39:44 2013 +0100
+
+    Include LDFLAGS provided by rpmbuild in global LDFLAGS in the spec file.
+    
+    Remove explicitly specified hardening flags from LDFLAGS in ipa-otpd.
+    
+    https://fedorahosted.org/freeipa/ticket/3896
+
+diff --git a/daemons/ipa-otpd/Makefile.am b/daemons/ipa-otpd/Makefile.am
+index f0b7528..ed99c3e 100644
+--- a/daemons/ipa-otpd/Makefile.am
++++ b/daemons/ipa-otpd/Makefile.am
+@@ -1,5 +1,5 @@
+ AM_CFLAGS := $(CFLAGS) @LDAP_CFLAGS@ @LIBVERTO_CFLAGS@
+-AM_LDFLAGS := $(LDFLAGS) @LDAP_LIBS@ @LIBVERTO_LIBS@ @KRAD_LIBS@ -pie -Wl,-z,relro -Wl,-z,now
++AM_LDFLAGS := $(LDFLAGS) @LDAP_LIBS@ @LIBVERTO_LIBS@ @KRAD_LIBS@
+ 
+ noinst_HEADERS = internal.h
+ libexec_PROGRAMS = ipa-otpd

debian/patches/no-test-lang.diff

@@ -0,0 +1,11 @@
+--- a/Makefile
++++ b/Makefile
+@@ -98,7 +98,7 @@ client-dirs:
+ 
+ lint: bootstrap-autogen
+ 	./make-lint $(LINT_OPTIONS)
+-	$(MAKE) -C install/po validate-src-strings
++#	$(MAKE) -C install/po validate-src-strings
+ 
+ 
+ test:

debian/patches/no-testcert.patch

@@ -0,0 +1,18 @@
+Author: Timo Aaltonen <tjaalton@ubuntu.com>
+Date:   Tue Nov 1 11:48:27 2011 -0400
+
+    Add no-testcert.patch to not fail make-testcert.
+
+they need a working certificate server running
+
+--- a/Makefile
++++ b/Makefile
+@@ -102,7 +102,7 @@ lint: bootstrap-autogen
+ 
+ 
+ test:
+-	./make-testcert
++#	./make-testcert
+ 	./make-test
+ 
+ release-update:

debian/patches/port-ipa-client-automount.diff

@@ -0,0 +1,26 @@
+diff --git a/ipa-client/ipa-install/ipa-client-automount b/ipa-client/ipa-install/ipa-client-automount
+index 3952642..e7b843e 100755
+--- a/ipa-client/ipa-install/ipa-client-automount
++++ b/ipa-client/ipa-install/ipa-client-automount
+@@ -39,10 +39,10 @@ from ipapython.ipa_log_manager import *
+ from ipapython.dn import DN
+ from ipapython import services as ipaservices
+ 
+-AUTOFS_CONF = '/etc/sysconfig/autofs'
++AUTOFS_CONF = '/etc/default/autofs'
+ NSSWITCH_CONF = '/etc/nsswitch.conf'
+ AUTOFS_LDAP_AUTH = '/etc/autofs_ldap_auth.conf'
+-NFS_CONF = '/etc/sysconfig/nfs'
++NFS_CONF = '/etc/default/nfs-common'
+ IDMAPD_CONF = '/etc/idmapd.conf'
+ 
+ def parse_options():
+@@ -309,7 +309,7 @@ def configure_nfs(fstore, statestore):
+     Configure secure NFS
+     """
+     replacevars = {
+-        'SECURE_NFS': 'yes',
++        'NEED_GSSD': 'yes',
+     }
+     ipautil.backup_config_and_replace_variables(fstore,
+         NFS_CONF, replacevars=replacevars)

debian/patches/prefix.patch

@@ -0,0 +1,38 @@
+Author: Timo Aaltonen <tjaalton@ubuntu.com>
+Date:   Mon Jan 2 16:09:40 2012 +0200
+
+use the debian layout when installing python modules
+
+--- a/Makefile
++++ b/Makefile
+@@ -153,7 +153,7 @@ server-install: server
+ 	if [ "$(DESTDIR)" = "" ]; then \
+ 		$(PYTHON) setup.py install; \
+ 	else \
+-		$(PYTHON) setup.py install --root $(DESTDIR); \
++		$(PYTHON) setup.py install --root $(DESTDIR) --install-layout=deb; \
+ 	fi
+ 
+ tests: version-update tests-man-autogen
+--- a/ipapython/Makefile
++++ b/ipapython/Makefile
+@@ -14,7 +14,7 @@ install:
+ 	if [ "$(DESTDIR)" = "" ]; then \
+ 		python setup.py install; \
+ 	else \
+-		python setup.py install --root $(DESTDIR); \
++		python setup.py install --root $(DESTDIR) --install-layout=deb; \
+ 	fi
+ 	@for subdir in $(SUBDIRS); do \
+ 		(cd $$subdir && $(MAKE) $@) || exit 1; \
+--- a/ipapython/py_default_encoding/Makefile
++++ b/ipapython/py_default_encoding/Makefile
+@@ -9,7 +9,7 @@ install:
+ 	if [ "$(DESTDIR)" = "" ]; then \
+ 		python setup.py install; \
+ 	else \
+-		python setup.py install --root $(DESTDIR); \
++		python setup.py install --root $(DESTDIR) --install-layout=deb; \
+ 	fi
+ 
+ clean:

debian/patches/series

@@ -0,0 +1,21 @@
+# not upstreamable
+no-testcert.patch
+prefix.patch
+no-test-lang.diff
+fix-install-layout.diff
+fix-ntpdate-opts.diff
+fix-ldap-conf-path.diff
+port-ipa-client-automount.diff
+dont-check-for-systemd-pc.diff
+fix-portability-of-nss.diff
+
+# send upstream
+correct-python-path.diff
+dont-search-platform-path.diff
+fix-symlink-exclusion.diff
+check-dbus-before-starting.diff
+add-debian-platform.diff
+use-new-nssdb.diff
+
+include-ldflags-otpd.diff
+fix-pykerberos-api.diff

debian/patches/use-new-nssdb.diff

@@ -0,0 +1,49 @@
+--- a/ipa-client/ipa-install/ipa-client-install
++++ b/ipa-client/ipa-install/ipa-client-install
+@@ -201,7 +201,7 @@ def log_service_error(name, action, erro
+     root_logger.error("%s failed to %s: %s", name, action, str(error))
+ 
+ def nickname_exists(nickname):
+-        (sout, serr, returncode) = run(["/usr/bin/certutil", "-L", "-d", "/etc/pki/nssdb", "-n", nickname], raiseonerr=False)
++        (sout, serr, returncode) = run(["/usr/bin/certutil", "-L", "-d", "sql:/etc/pki/nssdb", "-n", nickname], raiseonerr=False)
+ 
+         if returncode == 0:
+             return True
+@@ -365,7 +365,7 @@ def uninstall(options, env):
+     # Remove our host cert and CA cert
+     if nickname_exists("IPA CA"):
+         try:
+-            run(["/usr/bin/certutil", "-D", "-d", "/etc/pki/nssdb", "-n", "IPA CA"])
++            run(["/usr/bin/certutil", "-D", "-d", "sql:/etc/pki/nssdb", "-n", "IPA CA"])
+         except Exception, e:
+             root_logger.error(
+                 "Failed to remove IPA CA from /etc/pki/nssdb: %s", str(e))
+@@ -393,7 +393,7 @@ def uninstall(options, env):
+ 
+     if nickname_exists(client_nss_nickname):
+         try:
+-            run(["/usr/bin/certutil", "-D", "-d", "/etc/pki/nssdb", "-n", client_nss_nickname])
++            run(["/usr/bin/certutil", "-D", "-d", "sql:/etc/pki/nssdb", "-n", client_nss_nickname])
+         except Exception, e:
+             root_logger.error("Failed to remove %s from /etc/pki/nssdb: %s",
+                 client_nss_nickname, str(e))
+@@ -2297,7 +2297,7 @@ def install(options, env, fstore, states
+ 
+     # Add the CA to the default NSS database and trust it
+     try:
+-        run(["/usr/bin/certutil", "-A", "-d", "/etc/pki/nssdb", "-n", "IPA CA", "-t", "CT,C,C", "-a", "-i", CACERT])
++        run(["/usr/bin/certutil", "-A", "-d", "sql:/etc/pki/nssdb", "-n", "IPA CA", "-t", "CT,C,C", "-a", "-i", CACERT])
+     except CalledProcessError, e:
+         root_logger.info("Failed to add CA to the default NSS database.")
+         return CLIENT_INSTALL_ERROR
+--- a/ipalib/rpc.py
++++ b/ipalib/rpc.py
+@@ -322,7 +322,7 @@ class SSLTransport(LanguageAwareTranspor
+             if self._connection and host == self._connection[0]:
+                 return self._connection[1]
+ 
+-        dbdir = '/etc/pki/nssdb'
++        dbdir = 'sql:/etc/pki/nssdb'
+         no_init = self.__nss_initialized(dbdir)
+         if sys.version_info < (2, 7):
+             conn = NSSHTTPS(host, 443, dbdir=dbdir, no_init=no_init)

debian/python-freeipa.install

@@ -0,0 +1,9 @@
+usr/lib/python*/dist-packages/ipalib/*
+usr/lib/python*/dist-packages/ipapython/*.py
+usr/lib/python*/dist-packages/ipapython/platform/*.py
+usr/lib/python*/dist-packages/ipapython/platform/*/*.py
+usr/lib/python*/dist-packages/default_encoding_utf8.so
+usr/lib/python*/dist-packages/freeipa-*.egg-info
+usr/lib/python*/dist-packages/ipapython-*.egg-info
+usr/lib/python*/dist-packages/python_default_encoding-*.egg-info
+usr/share/locale

debian/rules

@@ -0,0 +1,73 @@
+#!/usr/bin/make -f 
+
+# Uncomment this to turn on verbose mode.
+#export DH_VERBOSE=1
+
+ONLY_CLIENT=0
+DESTDIR=$(CURDIR)/debian/tmp
+
+PLATFORM="SUPPORTED_PLATFORM=debian"
+
+override_dh_auto_clean:
+	for i in daemons install ipapython ipaserver ipa-client; do \
+		(cd $$i && [ ! -f Makefile ] || $(MAKE) distclean); \
+		(cd $$i && rm -f COPYING INSTALL depcomp install-sh missing py-compile config.guess config.sub aclocal.m4 config.h.in version.m4); \
+	done
+	find . -name "*.pyo" -o -name "*.pyc" -type f -exec rm -f "{}" \;
+	find . -name "ltmain.sh" -exec rm -f "{}" \;
+	find . -name "configure" -exec rm -f "{}" \;
+	rm -rf daemons/ipa-version.h freeipa.spec freeipa.egg-info ipa-client/ipa-client.spec version.m4
+	rm -rf ipapython/build RELEASE build
+	dh_clean 
+	rm -rf $(DESTDIR)
+
+override_dh_autoreconf:
+	make IPA_VERSION_IS_GIT_SNAPSHOT=no version-update
+	dh_autoreconf; cd ..
+
+override_dh_auto_configure:
+	dh_auto_configure -Dipa-client
+ifneq ($(ONLY_CLIENT), 1)
+	dh_auto_configure -Ddaemons -- \
+		--with-openldap \
+		--with-systemdsystemunitdir=/lib/systemd/system
+
+	dh_auto_configure -Dinstall
+endif
+
+override_dh_auto_build:
+ifneq ($(ONLY_CLIENT), 1)
+	make $(PLATFORM) IPA_VERSION_IS_GIT_SNAPSHOT=no all
+#	cd selinux ; make all
+else
+	make $(PLATFORM) IPA_VERSION_IS_GIT_SNAPSHOT=no client
+endif
+
+# tests would just fail, they need a proper environment with 389 running et al
+override_dh_auto_test:
+
+override_dh_auto_install:
+ifneq ($(ONLY_CLIENT), 1)
+	# Force re-generate of platform support
+	rm -f ipapython/services.py
+	make $(PLATFORM) IPA_VERSION_IS_GIT_SNAPSHOT=no install DESTDIR=$(DESTDIR)
+#	cd selinux
+#	make $(PLATFORM) IPA_VERSION_IS_GIT_SNAPSHOT=no install DESTDIR=$(DESTDIR)
+	cd ..
+
+	install -m 0644 contrib/completion/ipa.bash_completion $(DESTDIR)/etc/bash_completion.d/ipa
+else
+	make $(PLATFORM) IPA_VERSION_IS_GIT_SNAPSHOT=no client-install DESTDIR=$(DESTDIR)
+endif
+
+	# purge .la files
+	find $(CURDIR)/debian/tmp -name "*.la" -type f -exec rm -f "{}" \;
+	# purge precompiled .pyc/.pyo files
+	find $(CURDIR)/debian/tmp -name '*.py[c,o]' -exec rm '{}' ';'
+	# fix permissions
+	find $(CURDIR)/debian/tmp -name "*.mo" -type f -exec chmod -x "{}" \;
+
+	dh_install --list-missing
+
+%:
+	dh $@ --with quilt,autoreconf,python2

debian/source/format

@@ -0,0 +1,2 @@
+3.0 (quilt)
+

debian/watch

@@ -0,0 +1,2 @@
+version=3
+http://freeipa.org/page/Downloads http://freeipa.org/downloads/src/freeipa-(.+).tar.gz