diff --git a/debian/changelog b/debian/changelog
index a758cfd7a..13bab6bfb 100644
--- a/debian/changelog
+++ b/debian/changelog
@@ -1,15 +1,21 @@
 freeipa (4.5.2-1) UNRELEASED; urgency=medium
 * New upstream release.
- - Remove upstreamed patches: add-debian-platform.diff,
+ - Remove upstreamed patches:
+ add-debian-platform.diff,
 ipa-kdb-support-dal-version-5-and-6.diff,
- purge-firefox-extension.diff, fix-ipa-otpd-install.diff,
- fix-ipa-otpd-service.diff, purge-firefox-extension.diff,
- prefix.patch, fix-kdcproxy-path.diff, fix-is-running.diff
+ purge-firefox-extension.diff,
+ fix-ipa-otpd-install.diff,
+ fix-ipa-otpd-service.diff,
+ purge-firefox-extension.diff,
+ prefix.patch,
+ fix-kdcproxy-path.diff,
+ fix-is-running.diff,
+ fix-pkcs11-helper.diff,
+ fix-dnssec-services.diff
 - Remove obsolete patches: fix-memcached.diff, fix-oddjobs.diff
- - Refresh patches: fix-dnssec-services.diff,
- fix-ipa-conf.diff, fix-replicainstall.diff
+ - Refresh rest of the patches
 * control et al: Memcached is not used anymore.
 * control, server.install: Depend on gssproxy.
 * control: Build-depend on python-jinja2, add CSR files to python-
diff --git a/debian/patches/create-sysconfig-ods.diff b/debian/patches/create-sysconfig-ods.diff
index 652c0fc0a..c9eb96434 100644
--- a/debian/patches/create-sysconfig-ods.diff
+++ b/debian/patches/create-sysconfig-ods.diff
@@ -1,6 +1,6 @@
 --- a/ipaserver/install/opendnssecinstance.py
 +++ b/ipaserver/install/opendnssecinstance.py
-@@ -206,6 +206,9 @@ class OpenDNSSECInstance(service.Service
+@@ -195,6 +195,9 @@ class OpenDNSSECInstance(service.Service
 if not self.fstore.has_file(paths.SYSCONFIG_ODS):
 self.fstore.backup_file(paths.SYSCONFIG_ODS)
diff --git a/debian/patches/enable-mod-nss-during-setup.diff b/debian/patches/enable-mod-nss-during-setup.diff
index 0be9d4fc2..ac2a90864 100644
--- a/debian/patches/enable-mod-nss-during-setup.diff
+++ b/debian/patches/enable-mod-nss-during-setup.diff
@@ -1,14 +1,14 @@
 --- a/ipaserver/install/httpinstance.py
 +++ b/ipaserver/install/httpinstance.py
 @@ -183,6 +183,7 @@ class HTTPInstance(service.Service):
 - self.step("create KDC proxy user", create_kdcproxy_user)
 + if not self.is_kdcproxy_configured():
 self.step("create KDC proxy config", self.create_kdcproxy_conf)
 self.step("enable KDC proxy", self.enable_kdcproxy)
 + ipautil.run(["/usr/sbin/a2enmod", "nss"], capture_output=True)
 - self.step("restarting httpd", self.__start)
 + self.step("starting httpd", self.start)
 self.step("configuring httpd to start on boot", self.__enable)
 self.step("enabling oddjobd", self.enable_and_start_oddjobd)
-@@ -508,6 +509,8 @@ class HTTPInstance(service.Service):
+@@ -529,6 +530,8 @@ class HTTPInstance(service.Service):
 except Exception:
 pass
diff --git a/debian/patches/fix-dnssec-services.diff b/debian/patches/fix-dnssec-services.diff
deleted file mode 100644
index f226c4147..000000000
--- a/debian/patches/fix-dnssec-services.diff
+++ /dev/null
@@ -1,100 +0,0 @@
-From 40026185382efaed65b6ad604b21d8790f38aa33 Mon Sep 17 00:00:00 2001
-From: Timo Aaltonen
-Date: Wed, 15 Mar 2017 16:41:50 +0200
-Subject: [PATCH] configure: Use ODS_USER and NAMED_GROUP in
- daemons/dnssec/*.service.in
-
-These are platform specific, add values for Debian and default values
-for Fedora/RHEL.
-
-Also, use prettier output when checking the extra python install options.
----
- configure.ac | 20 +++++++++++++++++++-
- daemons/dnssec/Makefile.am | 2 ++
- daemons/dnssec/ipa-dnskeysyncd.service.in | 6 +++---
- daemons/dnssec/ipa-ods-exporter.service.in | 2 +-
- 4 files changed, 25 insertions(+), 5 deletions(-)
-
-diff --git a/configure.ac b/configure.ac
-index 81f74f1..a590e3e 100644
---- a/configure.ac
-+++ b/configure.ac
-@@ -291,13 +291,31 @@ AC_SUBST([IPAPLATFORM])
- AC_MSG_RESULT([${IPAPLATFORM}])
- 
- if test "x${IPAPLATFORM}" == "xdebian"; then
-+ NAMED_GROUP="bind"
-+ ODS_USER="opendnssec"
- # see https://www.debian.org/doc/packaging-manuals/python-policy/ap-packaging_tools.html
- PYTHON_INSTALL_EXTRA_OPTIONS="--install-layout=deb"
- else
-+ NAMED_GROUP="named"
-+ ODS_USER="ods"
- PYTHON_INSTALL_EXTRA_OPTIONS=""
- fi
-+
-+AC_MSG_CHECKING([NAMED_GROUP])
-+AC_SUBST([NAMED_GROUP])
-+AC_MSG_RESULT([${NAMED_GROUP}])
-+
-+AC_MSG_CHECKING([ODS_USER])
-+AC_SUBST([ODS_USER])
-+AC_MSG_RESULT([${ODS_USER}])
-+
-+AC_MSG_CHECKING([python setup.py install extra options])
- AC_SUBST([PYTHON_INSTALL_EXTRA_OPTIONS])
--AC_MSG_RESULT([python setup.py install extra options ${PYTHON_INSTALL_EXTRA_OPTIONS}])
-+if test "x${PYTHON_INSTALL_EXTRA_OPTIONS}" == "x"; then
-+ AC_MSG_RESULT([none])
-+else
-+ AC_MSG_RESULT([${PYTHON_INSTALL_EXTRA_OPTIONS}])
-+fi
- 
- dnl ---------------------------------------------------------------------------
- dnl Version information from VERSION.m4 and command line
-diff --git a/daemons/dnssec/Makefile.am b/daemons/dnssec/Makefile.am
-index 37a0dcf..b0db4e1 100644
---- a/daemons/dnssec/Makefile.am
-+++ 
b/daemons/dnssec/Makefile.am
-@@ -25,6 +25,8 @@ CLEANFILES = $(systemdsystemunit_DATA)
- -e 's|@libexecdir[@]|$(libexecdir)|g' \
- -e 's|@localstatedir[@]|$(localstatedir)|g' \
- -e 's|@sysconfenvdir[@]|$(sysconfenvdir)|g' \
-+ -e 's|@ODS_USER[@]|$(ODS_USER)|g' \
-+ -e 's|@NAMED_GROUP[@]|$(NAMED_GROUP)|g' \
- '$(srcdir)/$@.in' >$@
- 
- dnssecconfdir = $(IPA_SYSCONF_DIR)/dnssec
-diff --git a/daemons/dnssec/ipa-dnskeysyncd.service.in b/daemons/dnssec/ipa-dnskeysyncd.service.in
-index f39c3ce..38c6f92 100644
---- a/daemons/dnssec/ipa-dnskeysyncd.service.in
-+++ b/daemons/dnssec/ipa-dnskeysyncd.service.in
-@@ -4,9 +4,9 @@ Description=IPA key daemon
- [Service]
- EnvironmentFile=@sysconfenvdir@/ipa-dnskeysyncd
- ExecStart=@libexecdir@/ipa/ipa-dnskeysyncd
--User=ods
--Group=named
--SupplementaryGroups=ods
-+User=@ODS_USER@
-+Group=@NAMED_GROUP@
-+SupplementaryGroups=@ODS_USER@
- PrivateTmp=yes
- Restart=on-failure
- RestartSec=60s
-diff --git a/daemons/dnssec/ipa-ods-exporter.service.in b/daemons/dnssec/ipa-ods-exporter.service.in
-index 5ec7317..ef74287 100644
---- a/daemons/dnssec/ipa-ods-exporter.service.in
-+++ b/daemons/dnssec/ipa-ods-exporter.service.in
-@@ -6,7 +6,7 @@ After=ipa-ods-exporter.socket
- [Service]
- EnvironmentFile=@sysconfenvdir@/ipa-ods-exporter
- ExecStart=@libexecdir@/ipa/ipa-ods-exporter
--User=ods
-+User=@ODS_USER@
- PrivateTmp=yes
- Restart=on-failure
- RestartSec=60s
--- 
-2.7.4
- 
diff --git a/debian/patches/fix-ipa-conf.diff b/debian/patches/fix-ipa-conf.diff
index 2f5d8b178..23eba3c36 100644
--- a/debian/patches/fix-ipa-conf.diff
+++ b/debian/patches/fix-ipa-conf.diff
@@ -1,7 +1,7 @@
 Description: Fix paths
 --- a/install/conf/ipa.conf
 +++ b/install/conf/ipa.conf
-@@ -37,7 +37,7 @@ FileETag None
+@@ -47,7 +47,7 @@ FileETag None
 # FIXME: WSGISocketPrefix is a server-scope directive. The mod_wsgi package
 # should really be fixed by adding this its /etc/httpd/conf.d/wsgi.conf:
@@ -10,16 +10,16 @@ Description: Fix paths
 # Configure mod_wsgi handler for /ipa
-@@ -68,7 +68,7 @@ WSGIScriptReloading Off
+@@ -129,7 +129,7 @@ Alias /ipa/session/cookie "/usr/share/ip
 SessionCookieName ipa_session path=/ipa;httponly;secure;
 SessionHeader IPASESSION
 SessionMaxAge 1800
 - GssapiSessionKey file:/etc/httpd/alias/ipasession.key
 + GssapiSessionKey file:/etc/apache2/ipasession.key
- GssapiDelegCcacheDir /var/run/ipa/ccaches
- GssapiDelegCcachePerms mode:0660 gid:ipaapi
-@@ -112,7 +112,7 @@ Alias /ipa/session/cookie "/usr/share/ip
+ Header unset Set-Cookie
+ 
+@@ -149,7 +149,7 @@ Alias /ipa/session/cookie "/usr/share/ip
 # Custodia stuff is redirected to the custodia daemon
 # after authentication
@@ -28,7 +28,7 @@ Description: Fix paths
 RequestHeader set GSS_NAME %{GSS_NAME}s
 RequestHeader set REMOTE_USER %{REMOTE_USER}s
-@@ -146,8 +146,8 @@ Alias /ipa/crl "$CRL_PUBLISH_PATH"
+@@ -183,8 +183,8 @@ Alias /ipa/crl "$CRL_PUBLISH_PATH"
 # List explicitly only the fonts we want to serve
diff --git a/debian/patches/fix-opendnssec-setup.diff b/debian/patches/fix-opendnssec-setup.diff
index b0d1f1cf4..916c7b060 100644
--- a/debian/patches/fix-opendnssec-setup.diff
+++ b/debian/patches/fix-opendnssec-setup.diff
@@ -11,7 +11,7 @@ Description: Fix ODS setup with 2.0.x
 --- a/ipaserver/install/opendnssecinstance.py
 +++ b/ipaserver/install/opendnssecinstance.py
-@@ -304,7 +304,7 @@ class OpenDNSSECInstance(service.Service
+@@ -293,7 +293,7 @@ class OpenDNSSECInstance(service.Service
 else:
 # initialize new kasp.db
 command = [
@@ -22,7 +22,7 @@ Description: Fix ODS setup with 2.0.x
 --- a/ipaplatform/base/paths.py
 +++ b/ipaplatform/base/paths.py
-@@ -171,7 +171,7 @@ class BasePathNamespace(object):
+@@ -168,7 +168,7 @@ class BasePathNamespace(object):
 NET = "/usr/bin/net"
 BIN_NISDOMAINNAME = "/usr/bin/nisdomainname"
 NSUPDATE = "/usr/bin/nsupdate"
@@ -31,9 +31,9 @@ Description: Fix ODS setup with 2.0.x
 ODS_SIGNER = "/usr/sbin/ods-signer"
 OPENSSL = "/usr/bin/openssl"
 PK12UTIL = "/usr/bin/pk12util"
---- a/ipapython/dnssec/odsmgr.py
-+++ b/ipapython/dnssec/odsmgr.py
-@@ -125,7 +125,7 @@ class ODSMgr(object):
+--- a/ipaserver/dnssec/odsmgr.py
++++ b/ipaserver/dnssec/odsmgr.py
+@@ -133,7 +133,7 @@ class ODSMgr(object):
 Raises CalledProcessError if returncode != 0.
 """
diff --git a/debian/patches/fix-pkcs11-helper.diff b/debian/patches/fix-pkcs11-helper.diff
deleted file mode 100644
index 54821bc4a..000000000
--- a/debian/patches/fix-pkcs11-helper.diff
+++ /dev/null
@@ -1,399 +0,0 @@
-commit 07df61b7814db08d81e1ff92f58b24e5d852fdf8
-Author: Martin Basti
-Date: Wed Mar 29 18:53:11 2017 +0200
-
- Fix PKCS11 helper
-
- Slots in HSM are not assigned statically, we have to chose proper
- slot from token label.
-
- Softhsm i2.2.0 changed this behavior and now slots can change over
- time (it is allowed by pkcs11 standard).
-
- Changelog:
- * created method get_slot() that returns slot number from
- used label
- * replaces usage of slot in __init__ method of P11_Helper
- with label
- * slot is dynamically detected from token label before
- session is opened
- * pkcs11-util --init-token now uses '--free' instead '--slot'
- which uses first free slot (we don't care about slot numbers
- anymore)
-
- https://pagure.io/freeipa/issue/6692
-
- Reviewed-By: Stanislav Laznicka
-
-diff --git a/daemons/dnssec/ipa-dnskeysync-replica b/daemons/dnssec/ipa-dnskeysync-replica
-index 69a3a68..3714163 100755
---- a/daemons/dnssec/ipa-dnskeysync-replica
-+++ b/daemons/dnssec/ipa-dnskeysync-replica
-@@ -15,6 +15,7 @@ import os
- import sys
- 
- import ipalib
-+from ipalib.constants import SOFTHSM_DNSSEC_TOKEN_LABEL
- from ipapython.dn import DN
- from ipapython.ipa_log_manager import root_logger, standard_logging_setup
- from ipapython import ipaldap
-@@ -154,8 +155,7 @@ ldapkeydb = LdapKeyDB(log, ldap,
- DN(('cn', 'keys'), ('cn', 'sec'), ipalib.api.env.container_dns,
- ipalib.api.env.basedn))
- 
--# TODO: slot number could be configurable
--localhsm = LocalHSM(paths.LIBSOFTHSM2_SO, 0,
-+localhsm = LocalHSM(paths.LIBSOFTHSM2_SO, SOFTHSM_DNSSEC_TOKEN_LABEL,
- open(paths.DNSSEC_SOFTHSM_PIN).read())
- 
- ldap2replica_master_keys_sync(log, ldapkeydb, localhsm)
-diff --git a/daemons/dnssec/ipa-ods-exporter b/daemons/dnssec/ipa-ods-exporter
-index 385764a..77f8c4d 100755
---- a/daemons/dnssec/ipa-ods-exporter
-+++ b/daemons/dnssec/ipa-ods-exporter
-@@ -32,6 +32,7 @@ import sqlite3
- import traceback
- 
- import ipalib
-+from ipalib.constants import 
SOFTHSM_DNSSEC_TOKEN_LABEL
- from ipapython.dn import DN
- from ipapython import ipaldap
- from ipapython import ipautil
-@@ -645,7 +646,7 @@ log.debug('Connected')
- ldapkeydb = LdapKeyDB(log, ldap, DN(('cn', 'keys'), ('cn', 'sec'),
- ipalib.api.env.container_dns,
- ipalib.api.env.basedn))
--localhsm = LocalHSM(paths.LIBSOFTHSM2_SO, 0,
-+localhsm = LocalHSM(paths.LIBSOFTHSM2_SO, SOFTHSM_DNSSEC_TOKEN_LABEL,
- open(paths.DNSSEC_SOFTHSM_PIN).read())
- 
- ldap2master_replica_keys_sync(log, ldapkeydb, localhsm)
-diff --git a/ipalib/constants.py b/ipalib/constants.py
-index c423117..43f1f3c 100644
---- a/ipalib/constants.py
-+++ b/ipalib/constants.py
-@@ -279,3 +279,5 @@ RENEWAL_CA_NAME = 'dogtag-ipa-ca-renew-agent'
- 
- # regexp definitions
- PATTERN_GROUPUSER_NAME = '^[a-zA-Z0-9_.][a-zA-Z0-9_.-]*[a-zA-Z0-9_.$-]?$'
-+
-+SOFTHSM_DNSSEC_TOKEN_LABEL = u'ipaDNSSEC'
-diff --git a/ipapython/dnssec/localhsm.py b/ipapython/dnssec/localhsm.py
-index 8f18a45..73511e9 100755
---- a/ipapython/dnssec/localhsm.py
-+++ b/ipapython/dnssec/localhsm.py
-@@ -89,10 +89,11 @@ class Key(collections.MutableMapping):
- def __repr__(self):
- return self.__str__()
- 
-+
- class LocalHSM(AbstractHSM):
-- def __init__(self, library, slot, pin):
-+ def __init__(self, library, label, pin):
- self.cache_replica_pubkeys = None
-- self.p11 = _ipap11helper.P11_Helper(slot, pin, library)
-+ self.p11 = _ipap11helper.P11_Helper(label, pin, library)
- self.log = logging.getLogger()
- 
- def __del__(self):
-diff --git a/ipapython/p11helper.py b/ipapython/p11helper.py
-index 5ff9ccc..f193ea7 100644
---- a/ipapython/p11helper.py
-+++ b/ipapython/p11helper.py
-@@ -30,6 +30,7 @@ struct _CK_VERSION
- };
- 
- typedef unsigned long CK_SLOT_ID;
-+typedef CK_SLOT_ID *CK_SLOT_ID_PTR;
- 
- typedef unsigned long CK_SESSION_HANDLE;
- 
-@@ -43,6 +44,13 @@ typedef unsigned long CK_KEY_TYPE;
- 
- typedef unsigned long CK_ATTRIBUTE_TYPE;
- 
-+typedef unsigned long ck_flags_t;
-+
-+typedef unsigned char CK_BBOOL;
-+
-+typedef 
unsigned long int CK_ULONG;
-+typedef CK_ULONG *CK_ULONG_PTR;
-+
- struct _CK_ATTRIBUTE
- {
- CK_ATTRIBUTE_TYPE type;
-@@ -59,6 +67,31 @@ struct _CK_MECHANISM
- unsigned long ulParameterLen;
- };
- 
-+struct _CK_TOKEN_INFO
-+{
-+ unsigned char label[32];
-+ unsigned char manufacturer_id[32];
-+ unsigned char model[16];
-+ unsigned char serial_number[16];
-+ ck_flags_t flags;
-+ unsigned long max_session_count;
-+ unsigned long session_count;
-+ unsigned long max_rw_session_count;
-+ unsigned long rw_session_count;
-+ unsigned long max_pin_len;
-+ unsigned long min_pin_len;
-+ unsigned long total_public_memory;
-+ unsigned long free_public_memory;
-+ unsigned long total_private_memory;
-+ unsigned long free_private_memory;
-+ struct _CK_VERSION hardware_version;
-+ struct _CK_VERSION firmware_version;
-+ unsigned char utc_time[16];
-+};
-+
-+typedef struct _CK_TOKEN_INFO CK_TOKEN_INFO;
-+typedef CK_TOKEN_INFO *CK_TOKEN_INFO_PTR;
-+
- typedef unsigned long CK_RV;
- 
- typedef ... *CK_NOTIFY;
-@@ -70,9 +103,12 @@ typedef CK_RV (*CK_C_Finalize) (void *pReserved);
- typedef ... *CK_C_GetInfo;
- typedef ... *CK_C_GetFunctionList;
- CK_RV C_GetFunctionList (struct _CK_FUNCTION_LIST **function_list);
--typedef ... *CK_C_GetSlotList;
-+typedef CK_RV (*CK_C_GetSlotList) (CK_BBOOL tokenPresent,
-+ CK_SLOT_ID_PTR pSlotList,
-+ CK_ULONG_PTR pulCount);
- typedef ... *CK_C_GetSlotInfo;
--typedef ... *CK_C_GetTokenInfo;
-+typedef CK_RV (*CK_C_GetTokenInfo) (CK_SLOT_ID slotID,
-+ CK_TOKEN_INFO_PTR pInfo);
- typedef ... *CK_C_WaitForSlotEvent;
- typedef ... *CK_C_GetMechanismList;
- typedef ... 
*CK_C_GetMechanismInfo;
-@@ -255,10 +291,7 @@ struct _CK_FUNCTION_LIST
- 
- typedef unsigned char CK_BYTE;
- typedef unsigned char CK_UTF8CHAR;
--typedef unsigned char CK_BBOOL;
--typedef unsigned long int CK_ULONG;
- typedef CK_BYTE *CK_BYTE_PTR;
--typedef CK_ULONG *CK_ULONG_PTR;
- 
- typedef CK_OBJECT_HANDLE *CK_OBJECT_HANDLE_PTR;
- 
-@@ -387,6 +420,7 @@ CKM_AES_KEY_GEN = 0x1080
- CKR_OK = 0
- CKR_ATTRIBUTE_TYPE_INVALID = 0x12
- CKR_USER_NOT_LOGGED_IN = 0x101
-+CKR_BUFFER_TOO_SMALL = 0x150
- 
- CK_BYTE = _ffi.typeof('CK_BYTE')
- CK_BBOOL = _ffi.typeof('CK_BBOOL')
-@@ -403,6 +437,10 @@ CK_MECHANISM = _ffi.typeof('CK_MECHANISM')
- 
- CK_FUNCTION_LIST_PTR = _ffi.typeof('CK_FUNCTION_LIST_PTR')
- 
-+CK_SLOT_ID = _ffi.typeof('CK_SLOT_ID')
-+
-+CK_TOKEN_INFO = _ffi.typeof('CK_TOKEN_INFO')
-+
- NULL_PTR = NULL
- 
- 
-@@ -796,11 +834,10 @@ class P11_Helper(object):
- # Object not found
- return False
- 
-- def __init__(self, slot, user_pin, library_path):
-+ def __init__(self, token_label, user_pin, library_path):
- self.p11_ptr = new_ptr(CK_FUNCTION_LIST_PTR)
- self.session_ptr = new_ptr(CK_SESSION_HANDLE)
- 
-- self.slot = 0
- self.session_ptr[0] = 0
- self.p11_ptr[0] = NULL
- self.module_handle = None
-@@ -808,7 +845,7 @@ class P11_Helper(object):
- # Parse method args
- if isinstance(user_pin, unicode):
- user_pin = user_pin.encode()
-- self.slot = slot
-+ self.token_label = token_label
- 
- try:
- pGetFunctionList, module_handle = loadLibrary(library_path)
-@@ -829,9 +866,16 @@ class P11_Helper(object):
- check_return_value(rv, "initialize")
- 
- #
-+ # Get Slot
-+ #
-+ slot = self.get_slot()
-+ if slot is None:
-+ raise Error("No slot for label {} found".format(self.token_label))
-+
-+ #
- # Start session
- #
-- rv = self.p11.C_OpenSession(self.slot,
-+ rv = self.p11.C_OpenSession(slot,
- CKF_SERIAL_SESSION | CKF_RW_SESSION, NULL,
- NULL, self.session_ptr)
- check_return_value(rv, "open session")
-@@ -842,6 +886,49 @@ class P11_Helper(object):
- rv = 
self.p11.C_Login(self.session, CKU_USER, user_pin, len(user_pin))
- check_return_value(rv, "log in")
- 
-+ def get_slot(self):
-+ """Get slot where then token is located
-+ :return: slot number or None when slot not found
-+ """
-+ object_count_ptr = new_ptr(CK_ULONG)
-+
-+ # get slots ID
-+ slots = None
-+ for _i in range(0, 10):
-+ # try max N times, then die to avoid infinite iteration
-+ rv = self.p11.C_GetSlotList(CK_TRUE, NULL, object_count_ptr)
-+ check_return_value(rv, "get slots IDs - prepare")
-+
-+ result_ids_ptr = new_array(CK_SLOT_ID, object_count_ptr[0])
-+
-+ rv = self.p11.C_GetSlotList(
-+ CK_TRUE, result_ids_ptr, object_count_ptr)
-+ if rv == CKR_BUFFER_TOO_SMALL:
-+ continue
-+ check_return_value(rv, "get slots IDs")
-+ slots = result_ids_ptr
-+ break # we have slots !!!
-+
-+ if slots is None:
-+ raise Error("Failed to get slots")
-+
-+ for slot in slots:
-+ token_info_ptr = new_ptr(CK_TOKEN_INFO)
-+ rv = self.p11.C_GetTokenInfo(slot, token_info_ptr)
-+ check_return_value(rv, 'get token info')
-+
-+ # softhsm always returns label 32 bytes long with padding made of
-+ # white spaces (#32), so we have to rstrip() padding and compare
-+ # Label was created by softhsm-util so it is not our fault that
-+ # there are #32 as padding (cffi initializes structures with
-+ # zeroes)
-+ # In case that this is not valid anymore, keep in mind backward
-+ # compatibility
-+
-+ if self.token_label == char_array_to_unicode(
-+ token_info_ptr[0].label, 32).rstrip():
-+ return slot
-+
- def finalize(self):
- """
- Finalize operations with pkcs11 library
-@@ -868,7 +955,6 @@ class P11_Helper(object):
- 
- self.p11_ptr[0] = NULL
- self.session_ptr[0] = 0
-- self.slot = 0
- self.module_handle = None
- 
- #################################################################
-diff --git a/ipaserver/install/dnskeysyncinstance.py b/ipaserver/install/dnskeysyncinstance.py
-index fadaf21..d9dfda9 100644
---- a/ipaserver/install/dnskeysyncinstance.py
-+++ 
b/ipaserver/install/dnskeysyncinstance.py
-@@ -26,10 +26,9 @@ from ipaplatform.constants import constants
- from ipaplatform.paths import paths
- from ipalib import errors, api
- from ipalib.constants import CACERT
-+from ipalib.constants import SOFTHSM_DNSSEC_TOKEN_LABEL
- from ipaserver.install.bindinstance import dns_container_exists
- 
--softhsm_token_label = u'ipaDNSSEC'
--softhsm_slot = 0
- replica_keylabel_template = u"dnssec-replica:%s"
- 
- 
-@@ -289,8 +288,8 @@ class DNSKeySyncInstance(service.Service):
- command = [
- paths.SOFTHSM2_UTIL,
- '--init-token',
-- '--slot', str(softhsm_slot),
-- '--label', softhsm_token_label,
-+ '--free', # use random free slot
-+ '--label', SOFTHSM_DNSSEC_TOKEN_LABEL,
- '--pin', pin,
- '--so-pin', pin_so,
- ]
-@@ -309,7 +308,8 @@ class DNSKeySyncInstance(service.Service):
- pin = f.read()
- 
- os.environ["SOFTHSM2_CONF"] = paths.DNSSEC_SOFTHSM2_CONF
-- p11 = _ipap11helper.P11_Helper(softhsm_slot, pin, paths.LIBSOFTHSM2_SO)
-+ p11 = _ipap11helper.P11_Helper(
-+ SOFTHSM_DNSSEC_TOKEN_LABEL, pin, paths.LIBSOFTHSM2_SO)
- 
- try:
- # generate replica keypair
-diff --git a/ipaserver/install/opendnssecinstance.py b/ipaserver/install/opendnssecinstance.py
-index f0c512b..1aac24a 100644
---- a/ipaserver/install/opendnssecinstance.py
-+++ b/ipaserver/install/opendnssecinstance.py
-@@ -18,10 +18,9 @@ from ipaplatform import services
- from ipaplatform.constants import constants
- from ipaplatform.paths import paths
- from ipalib import errors, api
--from ipaserver.install import dnskeysyncinstance
-+from ipalib.constants import SOFTHSM_DNSSEC_TOKEN_LABEL
- 
- KEYMASTER = u'dnssecKeyMaster'
--softhsm_slot = 0
- 
- 
- def get_dnssec_key_masters(conn):
-@@ -72,7 +71,7 @@ class OpenDNSSECInstance(service.Service):
- self.ods_gid = None
- self.conf_file_dict = {
- 'SOFTHSM_LIB': paths.LIBSOFTHSM2_SO,
-- 'TOKEN_LABEL': dnskeysyncinstance.softhsm_token_label,
-+ 'TOKEN_LABEL': SOFTHSM_DNSSEC_TOKEN_LABEL,
- 'KASP_DB': paths.OPENDNSSEC_KASP_DB,
- 
'ODS_USER': constants.ODS_USER,
- 'ODS_GROUP': constants.ODS_GROUP,
-@@ -247,7 +246,8 @@ class OpenDNSSECInstance(service.Service):
- pin = f.read()
- 
- os.environ["SOFTHSM2_CONF"] = paths.DNSSEC_SOFTHSM2_CONF
-- p11 = p11helper.P11_Helper(softhsm_slot, pin, paths.LIBSOFTHSM2_SO)
-+ p11 = p11helper.P11_Helper(
-+ SOFTHSM_DNSSEC_TOKEN_LABEL, pin, paths.LIBSOFTHSM2_SO)
- try:
- # generate master key
- root_logger.debug("Creating master key")
-diff --git a/ipatests/test_ipapython/test_ipap11helper.py b/ipatests/test_ipapython/test_ipap11helper.py
-index 2c8fd28..5659d60 100644
---- a/ipatests/test_ipapython/test_ipap11helper.py
-+++ b/ipatests/test_ipapython/test_ipap11helper.py
-@@ -55,12 +55,12 @@ def p11(request):
- with open('softhsm2.conf', 'w') as cfg:
- cfg.write(CONFIG_DATA % token_path)
- os.environ['SOFTHSM2_CONF'] = os.path.join(token_path, 'softhsm2.conf')
-- subprocess.check_call([SOFTHSM2_UTIL, '--init-token', '--slot', '0',
-+ subprocess.check_call([SOFTHSM2_UTIL, '--init-token', '--free',
- '--label', 'test', '--pin', '1234', '--so-pin',
- '1234'])
- 
- try:
-- p11 = _ipap11helper.P11_Helper(0, "1234", LIBSOFTHSM)
-+ p11 = _ipap11helper.P11_Helper('test', "1234", LIBSOFTHSM)
- except _ipap11helper.Error:
- pytest.fail('Failed to initialize the helper object.', pytrace=False)
- 
-@@ -70,6 +70,8 @@ def p11(request):
- except _ipap11helper.Error:
- pytest.fail('Failed to finalize the helper object.', pytrace=False)
- finally:
-+ subprocess.call(
-+ [SOFTHSM2_UTIL, '--delete-token', '--label', 'test'])
- del os.environ['SOFTHSM2_CONF']
- 
- request.addfinalizer(fin)
diff --git a/debian/patches/fix-replicainstall.diff b/debian/patches/fix-replicainstall.diff
index 50d410334..86c5ec402 100644
--- a/debian/patches/fix-replicainstall.diff
+++ b/debian/patches/fix-replicainstall.diff
@@ -1,6 +1,6 @@
 --- a/ipaserver/install/server/replicainstall.py
 +++ b/ipaserver/install/server/replicainstall.py
-@@ -768,7 +768,7 @@ def install_check(installer):
+@@ -760,7 +760,7 @@ def install_check(installer):
 finally:
 shutil.rmtree(tmp_db_dir)
diff --git a/debian/patches/hack-libarch.diff b/debian/patches/hack-libarch.diff
index 5e577c1ca..8c94cc264 100644
--- a/debian/patches/hack-libarch.diff
+++ b/debian/patches/hack-libarch.diff
@@ -1,6 +1,6 @@
 --- a/ipaserver/install/ldapupdate.py
 +++ b/ipaserver/install/ldapupdate.py
-@@ -334,9 +334,9 @@ class LDAPUpdate:
+@@ -329,9 +329,9 @@ class LDAPUpdate(object):
 bits = platform.architecture()[0]
 if bits == "64bit":
diff --git a/debian/patches/series b/debian/patches/series
index 84b249cdb..b22e97ed6 100644
--- a/debian/patches/series
+++ b/debian/patches/series
@@ -1,5 +1,4 @@
 # upstreamed
-fix-pkcs11-helper.diff
 # not upstreamable
 hack-libarch.diff
@@ -9,7 +8,6 @@ enable-mod-nss-during-setup.diff
 fix-ipa-conf.diff
 fix-kdcproxy-paths.diff
 fix-replicainstall.diff
-fix-dnssec-services.diff
 create-sysconfig-ods.diff
 fix-named-conf-template.diff
 fix-opendnssec-setup.diff