Instead of symlinks and build-time configuration the ipaplatform module
is now able to auto-detect platforms on import time. The meta importer
uses the platform 'ID' from /etc/os-releases. It falls back to 'ID_LIKE'
on platforms like CentOS, which has ID=centos and ID_LIKE="rhel fedora".
The meta importer is able to handle namespace packages and the
ipaplatform package has been turned into a namespace package in order to
support external platform specifications.
https://fedorahosted.org/freeipa/ticket/6474
Signed-off-by: Christian Heimes <cheimes@redhat.com>
Reviewed-By: Rob Crittenden <rcritten@redhat.com>
Use only python3 dependencies when building server-trust-ad for python3.
Fixes: https://pagure.io/freeipa/issue/7208
Signed-off-by: Tomas Krizek <tkrizek@redhat.com>
Reviewed-By: Rob Crittenden <rcritten@redhat.com>
When building the package with for python3, use only python3
dependencies. Changed:
python -> python2 / python3
python-gssapi -> python2-gssapi / python3-gssapi
python-ldap -> python-ldap / python3-pyldap
systemd-python -> python2-systemd / python3-systemd
Fixes: https://pagure.io/freeipa/issue/7208
Signed-off-by: Tomas Krizek <tkrizek@redhat.com>
Reviewed-By: Rob Crittenden <rcritten@redhat.com>
krb5-1.16 includes DAL version 7, which changes the signature of
audit_as_req to include local and remote address parameters.
This patch just enables building against the new DAL version and bumps
the minimum in freeipa.spec.in, but doesn't use the new information
for anything.
Reviewed-By: Tomas Krizek <tkrizek@redhat.com>
Reviewed-By: Alexander Bokovoy <abokovoy@redhat.com>
To avoid insidious bug during server installation on Fedora 27,
the dependency of 389-ds-base is bumped.
https://bugzilla.redhat.com/show_bug.cgi?id=1488295
Signed-off-by: Tomas Krizek <tkrizek@redhat.com>
Reviewed-By: Thierry Bordaz <tbordaz@redhat.com>
Reviewed-By: Stanislav Laznicka <slaznick@redhat.com>
Previously IPA would set the LimitNOFILE value to 8192 to increase
the number of concurrent clients. 389-ds-base does this by default
as of 1.3.7.0.
Remove the IPA-specific tuning and rely on the out-of-the-box
389-ds-base tuning.
Bump the required version of 389-ds-base to 1.3.7.0.
Any other tuning added by 389-ds-base will result in a
dirsrv.systemd.rpmsave file which admins will need to merge
in manually, like typical .rpmsave config changes.
https://pagure.io/freeipa/issue/6994
Reviewed-By: Alexander Bokovoy <abokovoy@redhat.com>
Reviewed-By: Florence Blanc-Renaud <frenaud@redhat.com>
Update certmonger.resubmit_request() and .modify() to support
specifying the Microsoft V2 certificate template extension.
This feature was introduced in certmonger-0.79.5 so bump the minimum
version in the spec file.
Part of: https://pagure.io/freeipa/issue/6858
Reviewed-By: Florence Blanc-Renaud <frenaud@redhat.com>
Firefox extension which served for configuring Kerberos auth in Firefox
until version which banned self-signed extensions was removed in commit
6c53765ac1.
Given that configure.jar, even older Firefox config tool, was removed
sometime before that, there is no use for signtool tool. It is good
because it is removed from Fedora 27 anyway. So removing last unused
function which calls it.
The removal of FF extension was not exactly clean so removing also
browserconfig.html which only purpose was to use the extension. Therefore
also related JS files are removed. This removal requires unauthorized.html
to be updated so that it doesn't point to non-existing page. And given that
it now points only to single config page, we can change link in UI login page
to this page (ssbrowser.html). While at it, improving buttons in ssbrowser.html.
Btw, commit 6c53765ac1 removed also generation of
krb.js. It had one perk - with that info ssbrowser.html could display real
Kerberos domain instead of only 'example.com'. I don't have time to revert this
change so removing traces of krb.js as well.
https://pagure.io/freeipa/issue/7135
Reviewed-By: Fraser Tweedale <ftweedal@redhat.com>
The new python-pyasn1 fixes an issue that occurred during ca-less
installation.
Fixes: https://pagure.io/freeipa/issue/7157
Signed-off-by: Tomas Krizek <tkrizek@redhat.com>
Reviewed-By: Rob Crittenden <rcritten@redhat.com>
installutils.is_ipa_configured() previously required root
privileges to see whether there were sysrestore or filestore
files. The directory was mode 0700 so this function always returned
False for non-root users.
Relaxing permissions is is needed to run the tests as the jenkins user.
Backed-up files retain their original FS permissions so this
shouldn't disclose any previously unreadable backed-up configuration.
https://pagure.io/freeipa/issue/7157
Reviewed-By: Tomas Krizek <tkrizek@redhat.com>
Reviewed-By: Stanislav Laznicka <slaznick@redhat.com>
unsupported-assignment-operation is useful at times, make it only
local, not global.
https://pagure.io/freeipa/issue/6874
Reviewed-By: Alexander Bokovoy <abokovoy@redhat.com>
Until DNSSEC is ready for Python3, we should run DNSSEC with Python 2.
Related: https://pagure.io/freeipa/issue/4985
Signed-off-by: Tomas Krizek <tkrizek@redhat.com>
Reviewed-By: Stanislav Laznicka <slaznick@redhat.com>
When building for Fedora, we have with_python3 set to 1 by
default. Therefore, when such build is performed, have the
scripts depend on python3 packages instead of python2 (the
previous state was the scripts depended on both Python versions).
https://pagure.io/freeipa/issue/4985
Reviewed-By: Tomas Krizek <tkrizek@redhat.com>
Since ipaapi user is now created during RPM install and not in runtime,
we may switch back to shipping tmpfiles.d configuration directly in RPMs
and not create it in runtime, which is a preferred way to handle drop-in
configuration anyway.
This also means that the drop-in config will be shipped in /usr/lib
instead of /etc according to Fedora packaging guidelines.
This partially reverts commit 38c66896de.
https://pagure.io/freeipa/issue/7053
Reviewed-By: Tibor Dudlak <tdudlak@redhat.com>
During recent refactoring, a workaround was added to make it
possible for OpenSSL backend of python-cryptography to read PEM
certificates returned by dogtag-ipa-renew-agent-submit. This was
fixed in latest certmonger version.
Reviewed-By: Fraser Tweedale <ftweedal@redhat.com>
Bumping the requirements for the python-yubikey package. This is
unfortunately most probably fixed only in Fedora because there was no
upstream release for about a year and a half now. That also means
bumping the version in ipasetup.py.in would be pointless.
https://pagure.io/freeipa/issue/7121
Reviewed-By: Tomas Krizek <tkrizek@redhat.com>
Set python3-mod_wsgi as a requirement for FreeIPA in the spec file
if with_python3 is specified so that httpd runs IPA server under
Python 3.
https://pagure.io/freeipa/issue/4985
Reviewed-By: Tomas Krizek <tkrizek@redhat.com>
Reviewed-By: Christian Heimes <cheimes@redhat.com>
This is a commit which expands current scripts being run under
python3 by default. We set the -bb option so that any Bytes/Str
error breaks execution.
This commit shall be reverted before reaching production.
https://pagure.io/freeipa/issue/4985
Reviewed-By: Tomas Krizek <tkrizek@redhat.com>
Reviewed-By: Christian Heimes <cheimes@redhat.com>
bytes/str fixes for LDAP data, JSON encoding and temp files.
Require jwcrpyto 0.4.2 with fix for RHBZ #1476150https://pagure.io/freeipa/issue/4985
Signed-off-by: Christian Heimes <cheimes@redhat.com>
Reviewed-By: Simo Sorce <ssorce@redhat.com>
Reviewed-By: Stanislav Laznicka <slaznick@redhat.com>
Fedora system upgrades don't necessary require the network to be up.
However, we do, so we have to make sure the network is online before
performing an upgrade.
https://pagure.io/freeipa/issue/7039
Reviewed-By: Tomas Krizek <tkrizek@redhat.com>
To prevent regressions in py3, all ported scripts should be run by py3
by default.
This is temporary and will be removed once porting to py3 is done
https://pagure.io/freeipa/issue/4985
Reviewed-By: Stanislav Laznicka <slaznick@redhat.com>
We are slowly migrating python scripts to py3 and setting py3 as default
for them. Thus we need to depend on both py2 and py3 packages until
everything is migrated.
https://pagure.io/freeipa/issue/4985
Reviewed-By: Stanislav Laznicka <slaznick@redhat.com>
Add `includedir /etc/krb5.conf.d` to /etc/krb5.conf only if
/etc/krb5.conf.d exists.
Do not rely on /etc/krb5.conf.d to enable the certauth plugin.
This fixes install on platforms which do not have /etc/krb5.conf.d.
https://pagure.io/freeipa/issue/6589
Reviewed-By: Martin Babinsky <mbabinsk@redhat.com>
Reviewed-By: Christian Heimes <cheimes@redhat.com>
Reviewed-By: Lukas Slebodnik <lslebodn@redhat.com>
The CommonNameToSANDefault component was added to Dogtag 10.4. When
a profile is configured to use it, this profile copies the CN in the
certificate to the Subject Alternative Name extension as a dNSName
(if and only if it does look like a DNS name).
It is desirable that the default service profile use this component.
Add it to the default profile, for new installations only. For
existing installations, until a proper profile update mechanism is
implemented, administrators who wish to use it must configure it via
the 'certprofile-mod' command.
Fixes: https://pagure.io/freeipa/issue/7007
Reviewed-By: Jan Cholasta <jcholast@redhat.com>
There have been several instances of people using the profile
configuration template files as actual profile configurations,
resulting in failures and support load. Add a README to the profile
template directory to explain that these files should not be used
and advise of the recommend procedure.
Fixes: https://pagure.io/freeipa/issue/7014
Reviewed-By: Martin Basti <mbasti@redhat.com>
In future default package names can start to pointing to py3 instead of
py2. We have to explicitly ask for python2-* and python3-* packages.
This commit changes only dependencies that are available in both F25 and
F26
https://pagure.io/freeipa/issue/4985
Reviewed-By: Stanislav Laznicka <slaznick@redhat.com>
Complete fixing of the bug requires fix on python-gssapi side.
That fix is included in version 1.2.0-5.
Fixes: https://pagure.io/freeipa/issue/6796
Reviewed-By: Stanislav Laznicka <slaznick@redhat.com>
Add the ipa-pkinit-manage tool to allow enabling / disabling PKINIT after
the initial server install.
https://pagure.io/freeipa/issue/7000
Reviewed-By: Martin Babinsky <mbabinsk@redhat.com>
F26 defaults to python3 with pylint package, we have to explicitly ask
for python2 version of pylint
https://pagure.io/freeipa/issue/6986
Reviewed-By: Stanislav Laznicka <slaznick@redhat.com>
Subdirectories of remote plugins were forgotten in previous fix
d22ac59828cc4339d509804ddb3e2e1da9cfaa20 .
https://pagure.io/freeipa/issue/6927
Reviewed-By: Pavel Vomacka <pvomacka@redhat.com>
python-custodia matches python3-custodia, but for py2 installations we
need python2-custodia explicitly
https://pagure.io/freeipa/issue/6962
Reviewed-By: Tomas Krizek <tkrizek@redhat.com>
Package name is python2-cryptography and even that it Provides
python-cryptography package, it causes problems during update of IPA
on RHEL - python2-cryptography is not updated. After changing required package
name to python2-cryptography upgrade on RHEL works well.
Fixes: https://pagure.io/freeipa/issue/6749
Reviewed-By: Martin Basti <mbasti@redhat.com>
Introduce new IPAKrb5 lens to handle krb5.conf and kdc.conf changes using
Augeas. The stock Krb5 lens does not work on our krb5.conf and kdc.conf.
https://pagure.io/freeipa/issue/6831
Reviewed-By: Stanislav Laznicka <slaznick@redhat.com>
Reviewed-By: Martin Babinsky <mbabinsk@redhat.com>
Set `pkinit_anchors` in `krb5.conf` to a CA certificate bundle of CAs
trusted to issue KDC certificates rather than `/etc/ipa/ca.crt`.
Set `pkinit_pool` in `krb5.conf` to a CA certificate bundle of all CAs
known to IPA.
Make sure both bundles are exported in all installation code paths.
https://pagure.io/freeipa/issue/6831
Reviewed-By: Stanislav Laznicka <slaznick@redhat.com>
Reviewed-By: Martin Babinsky <mbabinsk@redhat.com>
FreeIPA package should own all subdirectories to work properly with
3rd party packages/plugins.
https://pagure.io/freeipa/issue/6927
Reviewed-By: Pavel Vomacka <pvomacka@redhat.com>
KDC proxy tests are using iptables, but this is optional package in at
least Fedora cloud image, thus we must have it in dependencies
Reviewed-By: Tomas Krizek <tkrizek@redhat.com>
Turn on NSSOCSP directive during install/replica install/upgrade.
That check whether the certificate which is used for login is
revoked or not using OSCP.
Marks the server cert in httpd NSS DB as trusted peer ('P,,')
to avoid chicken and egg problem when it is needed to contact
the OCSP responder when httpd is starting.
https://pagure.io/freeipa/issue/6370
Reviewed-By: Florence Blanc-Renaud <frenaud@redhat.com>
Reviewed-By: Rob Crittenden <rcritten@redhat.com>
Reviewed-By: Jan Cholasta <jcholast@redhat.com>
Reviewed-By: Martin Basti <mbasti@redhat.com>
Commit dfd560a190 started to use
ssl symbols like ssl.OP_NO_SSLv2 that were introduced in Python 2.7.9.
Related https://pagure.io/freeipa/issue/6920
Reviewed-By: Martin Basti <mbasti@redhat.com>
Reviewed-By: Martin Babinsky <mbabinsk@redhat.com>
Bump krb5-* Requires to the version which includes the final version of
certauth support.
https://pagure.io/freeipa/issue/4905
Reviewed-By: Martin Babinsky <mbabinsk@redhat.com>
Bump python-netaddr Requires to the version which has correct private and
reserved IPv4 address ranges.
This fixes DNS server install failure when 0.0.0.0 is entered as a
forwarder.
https://pagure.io/freeipa/issue/6894
Reviewed-By: Martin Basti <mbasti@redhat.com>
Add tox infrastructure to test client wheel packages workflow:
* build client packages
* install client packages
* ipa-run-tests --ipaclient-unittests under Python 2 and 3
* pylint of client packages under Python 2 and 3
* placeholder packages work as expected
Signed-off-by: Christian Heimes <cheimes@redhat.com>
Reviewed-By: Martin Basti <mbasti@redhat.com>
mod_wsgi has no way to import a WSGI module by dotted module name. A new
kdcproxy.wsgi script is used to import kdcproxy from whatever Python
version mod_wsgi is compiled against. This will simplify moving FreeIPA
to Python 3 and solves an import problem on Debian.
Resolves: https://pagure.io/freeipa/issue/6834
Signed-off-by: Christian Heimes <cheimes@redhat.com>
Reviewed-By: Martin Basti <mbasti@redhat.com>
Previously system users needed by FreeIPA server services was created during
ipa-server-install. This led to problem when DBus policy was configured during
package installation but the user specified in the policy didn't exist yet
(and potentionally similar ones). Now the users will be created in package %pre
section so all users freeipa-server package needs exist before any installation
or configuration begins.
Another possibility would be using systemd-sysusers(8) for this purpose but
given that systemd is not available during container build the traditional
approach is superior.
Also dirsrv and pkiuser users are no longer created by FreeIPA instead it
depends on 389ds and dogtag to create those users.
https://pagure.io/freeipa/issue/6743
Reviewed-By: Jan Cholasta <jcholast@redhat.com>
Reviewed-By: Christian Heimes <cheimes@redhat.com>
Reviewed-By: Stanislav Laznicka <slaznick@redhat.com>
To create a wheel bundle with ipaserver and its dependencies:
make wheel_bundle IPA_SERVER_WHEELS=1
To include additional dependencies:
make wheel_bundle IPA_EXTRA_WHEELS=ipatests[webui]
Signed-off-by: Christian Heimes <cheimes@redhat.com>
Reviewed-By: Martin Basti <mbasti@redhat.com>
Reviewed-By: Jan Cholasta <jcholast@redhat.com>
Bump BuildRequires on libsss_nss_idmap-devel to the version which
introduces the sss_nss_getlistbycert function.
This fixes RPM build failure when an older version of
libsss_nss_idmap-devel was installed.
https://pagure.io/freeipa/issue/6828
Reviewed-By: Tomas Krizek <tkrizek@redhat.com>
Reviewed-By: Alexander Bokovoy <abokovoy@redhat.com>
Bump BuildRequires on krb5-devel to the version which introduces the
certauth pluggable interface.
This fixes RPM build failure when an older version of krb5-devel was
installed.
https://pagure.io/freeipa/issue/4905
Reviewed-By: David Kupka <dkupka@redhat.com>
* Use sd-notify in ipa-custodia.service
* Introduce libexec/ipa/ipa-custodia script. It comes with correct
default setting for IPA's config file. The new file also makes it
simpler to run IPA's custodia instance with its own SELinux context.
* ipapython no longer depends on custodia
The patch addresses three issues:
* https://bugzilla.redhat.com/show_bug.cgi?id=1430247
Forward compatibility with Custodia 0.3 in Fedora rawhide
* https://pagure.io/freeipa/issue/5825
Use sd-notify
* https://pagure.io/freeipa/issue/6788
Prepare for separate SELinux context
Signed-off-by: Christian Heimes <cheimes@redhat.com>
Reviewed-By: Martin Basti <mbasti@redhat.com>
Reviewed-By: Jan Cholasta <jcholast@redhat.com>
This patch add a certauth plugin which allows the IPA server to support
PKINIT for certificates which do not include a special SAN extension
which contains a Kerberos principal but allow other mappings with the
help of SSSD's certmap library.
Related to https://pagure.io/freeipa/issue/4905
Reviewed-By: Alexander Bokovoy <abokovoy@redhat.com>
Reviewed-By: David Kupka <dkupka@redhat.com>
Provide python-ipa* aliases for python2-ipa* subpackages when the
python_provide RPM macro is not available.
Reviewed-By: Pavel Vomacka <pvomacka@redhat.com>
nspr-devel, nss-devel and openssl-devel are required for client-only build,
move their respective BuildRequires from the server-specific BuildRequires
section to the main BuildRequires section.
Pass --enable-server or --disable-server to ./configure based on the value
of %{ONLY_CLIENT}.
Remove the `make client-check` call from %check, as the client-check target
does not exist anymore. Always call `make check` instead.
Do not package the /usr/share/ipa directory in freeipa-client-common, as it
is not created in client-only build.
https://pagure.io/freeipa/issue/6517
Reviewed-By: Pavel Vomacka <pvomacka@redhat.com>
Build ipatests only if %with_ipatests RPM macro is specified.
By default the macro is specified if ONLY_CLIENT is not specified.
https://pagure.io/freeipa/issue/6517
Reviewed-By: Pavel Vomacka <pvomacka@redhat.com>
./configure no longer fails when pylint or jsl are not available. The
make targets for pylint and jsl are no longer defined without the tools.
Rational:
pylint and jsl are not required to build FreeIPA. Both are useful
developer tools. It's more user friendly to make both components
optionally with default config arguments. There is no reason to
fail building on a build system without development tools.
It's still possible to enforce dependency checks with --with-jslint and
--enable-pylint.
https://fedorahosted.org/freeipa/ticket/6604
Signed-off-by: Christian Heimes <cheimes@redhat.com>
Reviewed-By: Jan Cholasta <jcholast@redhat.com>
Reviewed-By: Tomas Krizek <tkrizek@redhat.com>
python-setuptools is required not only for lint, but to make the build
possible at all.
Move the python-setuptools BuildRequires from the lint section to the main
section.
Reviewed-By: Christian Heimes <cheimes@redhat.com>
This script is used only for IPA <3.1, so it must be compatible with
ipa-3-0 branch, so it should be placed there
https://pagure.io/freeipa/issue/6540
Reviewed-By: Stanislav Laznicka <slaznick@redhat.com>
Add necessary steps which set SSSD and set SELinux boolean during
installation or upgrade. Also create new endpoint in apache for
login using certificates.
https://pagure.io/freeipa/issue/6225
Reviewed-By: Florence Blanc-Renaud <frenaud@redhat.com>
Reviewed-By: Petr Vobornik <pvoborni@redhat.com>
Reviewed-By: David Kupka <dkupka@redhat.com>
csrgen broke packaging of ipaclient for PyPI. All csrgen related
resources are now package data of ipaclient package. Package data is
accessed with Jinja's PackageLoader() or through pkg_resources.
https://pagure.io/freeipa/issue/6714
Signed-off-by: Christian Heimes <cheimes@redhat.com>
Reviewed-By: Ben Lipton <blipton@redhat.com>
Reviewed-By: Martin Basti <mbasti@redhat.com>
Implement a new IPA command allowing to retrieve the list of users matching
the provided certificate.
The command is using SSSD Dbus interface, thus including users from IPA
domain and from trusted domains. This requires sssd-dbus package to be
installed on IPA server.
https://fedorahosted.org/freeipa/ticket/6646
Reviewed-By: David Kupka <dkupka@redhat.com>
Reviewed-By: Jan Cholasta <jcholast@redhat.com>
So that it will be nicely formatted on FreeIPA Pagure landing page.
https://pagure.io/freeipa
Some links were updated as other projects also moved to Pagure.io.
Reviewed-By: Stanislav Laznicka <slaznick@redhat.com>
When ipa-server-install configures PKI, it provides a configuration file
with the parameter pki_ajp_host set to ::1. This parameter is used to configure
Tomcat redirection in /etc/pki/pki-tomcat/server.xml:
<Connector port="8009"
protocol="AJP/1.3"
redirectPort="8443"
address="::1" />
ie all requests to port 8009 are redirected to port 8443 on address ::1.
If the /etc/hosts config file does not define ::1 for localhost, then AJP
redirection fails and replica install is not able to request a certificate
for the replica.
Since PKI has been fixed (see PKI ticket 2570) to configure by default the AJP
redirection with "localhost", FreeIPA does not need any more to override
this setting.
The code now depends on pki 10.3.5-11 which provides the fix in the template
and the upgrade.
https://fedorahosted.org/freeipa/ticket/6575
Reviewed-By: Tomas Krizek <tkrizek@redhat.com>
DAL version 6.0 removed support for a callback to free principal.
This broke KDB drivers which had complex e_data structure within
the principal structure. As result, FreeIPA KDB driver was leaking
memory with DAL version 6.0 (krb5 1.15).
DAL version 6.1 added a special callback for freeing e_data structure.
See details at krb5/krb5#596
Restructure KDB driver code to provide this callback in case
we are built against DAL version that supports it. For DAL version
prior to 6.0 use this callback in the free_principal callback to
tidy the code.
Use explicit KDB version dependency in Fedora 26+ via BuildRequires.
With new DAL version, freeipa package will fail to build and
we'll have to add a support for new DAL version explicitly.
https://fedorahosted.org/freeipa/ticket/6619
Reviewed-By: Simo Sorce <ssorce@redhat.com>
Reviewed-By: Robbie Harwood <rharwood@redhat.com>
We do not want to generate runtime directories just because the packages
are installed, but only if the server is actually setup and run. Also this
will be needed later because we will create a user at install time and some
tmpfiles will need to be owned by this user.
As we are changing this code also rationalize the directory structure and
move it from the http rundir to the ipa specific rundir.
https://fedorahosted.org/freeipa/ticket/5959
Signed-off-by: Simo Sorce <simo@redhat.com>
Reviewed-By: Jan Cholasta <jcholast@redhat.com>
Stop using memcache, use mod_auth_gssapi filesystem based ccaches.
Remove custom session handling, use mod_auth_gssapi and mod_session to
establish and keep a session cookie.
Add loopback to mod_auth_gssapi to do form absed auth and pass back a
valid session cookie.
And now that we do not remove ccaches files to move them to the
memcache, we can avoid the risk of pollutting the filesystem by keeping
a common ccache file for all instances of the same user.
https://fedorahosted.org/freeipa/ticket/5959
Signed-off-by: Simo Sorce <simo@redhat.com>
Reviewed-By: Jan Cholasta <jcholast@redhat.com>
Since we started using 'Certificate.serial_number' instead of
'.serial' from python-cryptography, bump the required version
to the one where the above mentioned transition happened.
https://fedorahosted.org/freeipa/ticket/6631
Reviewed-By: Jan Cholasta <jcholast@redhat.com>
Fedora release bind-dyndb-ldap 11.0-2 transforms existing named.conf
old style API to the new style API. This package version is required
to enable upgrade of existing IPA installations to new version.
https://fedorahosted.org/freeipa/ticket/6565
Reviewed-By: Pavel Vomacka <pvomacka@redhat.com>
bynd-dyndb-ldap used a custom configuration file format. Since BIND 9.11,
an API was accepted upstream. This caused backward incompatible changes
to the named.conf configuration file used to configure the
bind-dyndb-ldap BIND plugin. Version 11.0 of bind-dyndb-ldap plugin and
BIND 9.11 are required to use with the new config file format.
https://fedorahosted.org/freeipa/ticket/6565
Reviewed-By: Martin Basti <mbasti@redhat.com>
pki-base provides pki-base-python2, but we should depend directly on
pki-base-python2 because in future pki-base may provide pki-base-python3
instead.
Source: cheimes@redhat.comhttps://fedorahosted.org/freeipa/ticket/4985
Reviewed-By: Christian Heimes <cheimes@redhat.com>
Reviewed-By: Jan Cholasta <jcholast@redhat.com>
FreeIPA server modules requires pki module
https://fedorahosted.org/freeipa/ticket/4985
Reviewed-By: Christian Heimes <cheimes@redhat.com>
Reviewed-By: Jan Cholasta <jcholast@redhat.com>
Adds a library that uses jinja2 to format a script that, when run, will
build a CSR. Also adds a CLI command, 'cert-get-requestdata', that uses
this library and builds the script for a given principal. The rules are
read from json files in /usr/share/ipa/csr, but the rule provider is a
separate class so that it can be replaced easily.
https://fedorahosted.org/freeipa/ticket/4899
Reviewed-By: Jan Cholasta <jcholast@redhat.com>
Neither pylint nor jsl is installed by default because rpm macro with_lint
is not defined in spec file. However, configure script tried to
find pylint/jsl anyway.
checking for Pylint... /usr/bin/python2: No module named pylint
configure: error: cannot find pylint for /usr/bin/python2
RPM build errors:
error: Bad exit status from /var/tmp/rpm-tmp.2GAFh4 (%build)
Bad exit status from /var/tmp/rpm-tmp.2GAFh4 (%build)
Resolves:
https://fedorahosted.org/freeipa/ticket/6604
Reviewed-By: Christian Heimes <cheimes@redhat.com>
Reviewed-By: Tomas Krizek <tkrizek@redhat.com>
in Py2 to_text method returns Py2 non-unicode string, but in Py3 to_text method
returns Py3 default (unicode) string. So only in Py2 we have to decode
str to unicode.
https://fedorahosted.org/freeipa/ticket/5935
Reviewed-By: Christian Heimes <cheimes@redhat.com>
Reviewed-By: Jan Cholasta <jcholast@redhat.com>
Revert from the current Release tag value `upstream` to the previously used
`0%{?dist}`, because:
* `0` sorts before `1`, which is usually used as the initial release number
in downstream packages,
* the information provided by `%{?dist}` is useful, as packages built on
one OS are not always installable on another OS.
https://fedorahosted.org/freeipa/ticket/6418
Reviewed-By: Stanislav Laznicka <slaznick@redhat.com>
RPM expands macros even inside comments in spec files, so the with_lint
macro is unintentionally always defined.
Escape the percent sign in '%global' in the comment to prevent this.
https://fedorahosted.org/freeipa/ticket/6418
Reviewed-By: Martin Babinsky <mbabinsk@redhat.com>
python3-samba is intentionally ommited because it is not in Fedora repos.
Pylint somehow magically ignores this missing package.
Keep in mind that server will not work until this this solved.
https://fedorahosted.org/freeipa/ticket/157
Reviewed-By: Martin Basti <mbasti@redhat.com>
Reviewed-By: Christian Heimes <cheimes@redhat.com>
Petr Viktorin recommended me to copy the whole build directory and run
configure twice, with different values for PYTHON variable.
After thinking a bit about that, it seems as cleanest approach.
Building for two versions of Python at the same time should be
temporary state so I decided not to complicate Autotools build system
with conditional spagetti for two versions of Python.
For proper Python2/3 distiction in the two separate builds, I added
find/grep/sed combo which replaces shebangs with system-wide Python
interpreter as necessary. This is workaround for the fact that FreeIPA
does not use setuptools properly. Honza told me that proper use of
setuptools is not trivial so we decided to go with this for now.
https://fedorahosted.org/freeipa/ticket/157
Reviewed-By: Martin Basti <mbasti@redhat.com>
Reviewed-By: Christian Heimes <cheimes@redhat.com>
Python-pyasn1-modules is needed because of this import:
from pyasn1_modules import rfc2459
in ipalib/x509.py.
Python-pyasn1-modules is required only by python-ldap package, but it would be
good to not rely on another package and rather say explicitely that
this package is necessary.
https://fedorahosted.org/freeipa/ticket/6398
Reviewed-By: Christian Heimes <cheimes@redhat.com>
python-cryptography versions < 1.3 no longer compile with recent OpenSSL
1.0.2 versions. In order to build wheels, a more recent version of
cryptography is required. 1.3.1 is the oldest well tested version (RHEL
7.3) that is known to work with FreeIPA.
Bump up in freeipa.spec is not required for technical reasons. The
problem only affects PyPI packages. It's policy to keep
requirements in sync.
https://fedorahosted.org/freeipa/ticket/6468
Signed-off-by: Christian Heimes <cheimes@redhat.com>
Reviewed-By: Martin Babinsky <mbabinsk@redhat.com>
The PyPI package for python-gssapi 1.1.x has a packaging bug. It depends on
enum34 for Python 3 although it is only required for 2.7. 1.2.0 is the
oldest version that has been tested at length by QE. It's know to work.
Bump up in freeipa.spec is not required for technical reasons. The
packaging bug only affects PyPI packages. It's policy to keep
requirements in sync.
https://fedorahosted.org/freeipa/ticket/6468
Signed-off-by: Christian Heimes <cheimes@redhat.com>
Reviewed-By: Martin Babinsky <mbabinsk@redhat.com>
The create_ipa_nssdb() and update_ipa_nssdb() depend on ipaplatform.
Move them to ipaclient.install.client as they are used only from the client
installer and ipa-restore.
https://fedorahosted.org/freeipa/ticket/6474
Reviewed-By: Stanislav Laznicka <slaznick@redhat.com>
The dnssec and secrets subpackages and the p11helper module depend on
ipaplatform.
Move them to ipaserver as they are used only on the server.
https://fedorahosted.org/freeipa/ticket/6474
Reviewed-By: Stanislav Laznicka <slaznick@redhat.com>