Commit Graph

803 Commits

Author SHA1 Message Date
Mark Reynolds
cbe1873591 IPA-to-IPA migration tool (beta)
Tool for migrating one remote IPA server to a local IPA server.
This should still be considered the beta version as it has not gone
through any QE yet

Fixes: https://pagure.io/freeipa/issue/3656

signed-off: Mark Reynolds (mreynolds@redhat.com)
Reviewed-By: Rob Crittenden <rcritten@redhat.com>
Reviewed-By: Alexander Bokovoy <abokovoy@redhat.com>
2024-04-04 15:49:42 -04:00
Florence Blanc-Renaud
677d308066 ipa-backup: adapt for 389ds switch to LMDB
ipa-backup is relying on the presence of the directory
/var/lib/dirsrv/slapd-<INSTANCE>/db/ipaca/
to detect if the CA is installed on the server and backup
the ipaca backend.

With the switch to LMDB, this directory does not exist and the
backup is missing ipaca information.

Use lib389.cli_ctl.dblib.run_dbscan utility instead to
check if ipaca backend is present (this method has been
introduced in 389ds 2.1.0 and works with Berkeley DB and LMDB).

Fixes: https://pagure.io/freeipa/issue/9516
Signed-off-by: Florence Blanc-Renaud <flo@redhat.com>
Reviewed-By: Alexander Bokovoy <abokovoy@redhat.com>
Reviewed-By: Thierry Bordaz <tbordaz@redhat.com>
2024-01-30 18:25:10 +01:00
Miro Hrončok
d2ed490ff4 Use ssl.match_hostname from urllib3 as it was removed from Python 3.12
Based on upstream freeipa rawhide patch by Miro Hrončok

See https://github.com/python/cpython/pull/94224#issuecomment-1621097418

Fixes: https://pagure.io/freeipa/issue/9409

Signed-off-by: Rob Crittenden <rcritten@redhat.com>
Reviewed-By: Fraser Tweedale <ftweedal@redhat.com>
Reviewed-By: Miro Hroncok <miro@hroncok.cz>
Reviewed-By: Alexander Bokovoy <abokovoy@redhat.com>
2023-07-19 08:27:30 +02:00
Rob Crittenden
2a605c5d07 Revert "Use the OpenSSL certificate parser in cert-find"
This reverts commit 191880bc9f.

The problem isn't with python-cryptography, it is with the
IPACertificate class which does way more work on a certificate
than is necessary in cert-find.

Related: https://pagure.io/freeipa/issue/9331
Reviewed-By: Florence Blanc-Renaud <frenaud@redhat.com>
2023-06-16 11:15:48 -04:00
Florence Blanc-Renaud
665227e437 Spec file: bump SSSD version for passkey support
SSSD 2.9.0 provides support for passkey in rawhide.
Note that f37 and f38 ship 2.9.0 without the passkey feature
but this is not an issue as IPA has a "Recommends: sssd-passkey"
definition, not a "Requires:"

Signed-off-by: Florence Blanc-Renaud <flo@redhat.com>
Reviewed-By: Alexander Bokovoy <abokovoy@redhat.com>
2023-06-01 08:20:37 +02:00
Florence Blanc-Renaud
31b70ee324 Passkey: add a weak dependency on sssd-passkey
The package sssd-passkey provides the executable
/usr/libexec/sssd/passkey_child
which is not mandatory but recommended.

Add a weak dependency from ipa client package on sssd-passkey.

TBD: when a new version of sssd is released with passkey
support, bump the SSSD version.

Signed-off-by: Florence Blanc-Renaud <flo@redhat.com>
Reviewed-By: Alexander Bokovoy <abokovoy@redhat.com>
2023-06-01 08:20:37 +02:00
Jerry James
da65cc35bd Change fontawesome-fonts requires to match fontawesome 4.x
fontawesome 6.x is not entirely compatible with 4.x version but in
Fedora the change was made to make 4.x bits FreeIPA depends on to be
forward-ported to 6.x build. This also allows to have common dependency
for all versions.

This patch switches to the common dependency using 'fonts(fontawesome)'.
This works on all Fedora and RHEL versions.

Signed-off-by: Jerry James <loganjerry@gmail.com>
Signed-off-by: Alexander Bokovoy <abokovoy@redhat.com>
Reviewed-By: Rob Crittenden <rcritten@redhat.com>
2023-05-23 09:26:58 -04:00
Florence Blanc-Renaud
2c41b49bfc spec file: force nodejs < 20 on fedora < 39
On fedora < 39, nodejs 20 is not the default version. As
a consequence, the installation of nodejs20 adds the command
/usr/bin/node-20 instead of /usr/bin/node.
FreeIPA build is using the node command and fails if the
command is missing.

Force nodejs < 20 on fedora < 39 to make sure the node
command is installed.

Fixes: https://pagure.io/freeipa/issue/9374

Signed-off-by: Florence Blanc-Renaud <flo@redhat.com>
Reviewed-By: Rob Crittenden <rcritten@redhat.com>
2023-05-04 13:37:58 +02:00
Timo Aaltonen
a83ae63578 Drop duplicate includedir from krb5.conf
SSSD already provides a config snippet which includes
SSSD_PUBCONF_KRB5_INCLUDE_D_DIR, and having both breaks Java.

Add also a dependency on sssd-krb5 for freeipa-client.

https://pagure.io/freeipa/issue/9267

Signed-off-by: Timo Aaltonen <tjaalton@debian.org>
Reviewed-By: Alexander Bokovoy <abokovoy@redhat.com>
Reviewed-By: Florence Blanc-Renaud <flo@redhat.com>
Reviewed-By: Rob Crittenden <rcritten@redhat.com>
2023-04-27 08:52:51 +02:00
Rob Crittenden
191880bc9f Use the OpenSSL certificate parser in cert-find
cert-find is a rather complex beast because it not only
looks for certificates in the optional CA but within the
IPA LDAP database as well. It has a process to deduplicate
the certificates since any PKI issued certificates will
also be associated with an IPA record.

In order to obtain the data to deduplicate the certificates
the cert from LDAP must be parser for issuer and serial number.
ipaldap has automation to determine the datatype of an
attribute and will use the python-cryptography engine to
decode a certificate automatically if you access
entry['usercertificate'].

The downside is that this is comparatively slow. Here is the
parse time in microseconds:

OpenSSL.crypto 175
pyasn1 1010
python-cryptography 3136

The python-cryptography time is fine if you're parsing one
certificate but if the LDAP search returns a lot of certificates,
say in the thousands, then those microseconds add up quickly.
In testing it took ~17 seconds to parse 5k certificates.

It's hard to overstate just how much better the cryptography
Python interface is. In the case of OpenSSL really the only
certificate fields easily available are serial number, subject
and issuer. And the subject/issuer are in the OpenSSL reverse
format which doesn't compare nicely to the cryptography format.
The DN module can correct this.

Fortunately for cert-find we only need serial number and issuer,
so the OpenSSL module fine. It takes ~2 seconds.

pyasn1 is also relatively faster but switch to it would require
subtantially more effort for less payback.

cert-find when there are a lot of certificates has been
historically slow. It isn't related to the CA which returns
large sets (well, 5k anyway) in a second or two. It was the
LDAP comparision adding tens of seconds to the runtime.

CLI times from before and after:

original:

-------------------------------
Number of entries returned 5011
-------------------------------
real    0m21.155s
user    0m0.835s
sys     0m0.159s

using OpenSSL:

real    0m5.747s
user    0m0.864s
sys     0m0.148s

OpenSSL is forcibly lazy-loaded so it doesn't conflict with
python-requests.  See ipaserver/wsgi.py for the gory details.

Fixes: https://pagure.io/freeipa/issue/9331

Signed-off-by: Rob Crittenden <rcritten@redhat.com>
Reviewed-By: Florence Blanc-Renaud <frenaud@redhat.com>
Reviewed-By: Antonio Torres <antorres@redhat.com>
2023-04-26 14:21:33 -04:00
Todd Zullinger
4f9e6b1bed spec: silence krb5 pkgconf errors in %krb5_base_version
Send stderr of pkgconf to /dev/null rather than printing the following
error text while parsing the spec file:

    Package krb5 was not found in the pkg-config search path.
    Perhaps you should add the directory containing `krb5.pc'
    to the PKG_CONFIG_PATH environment variable
    Package 'krb5', required by 'virtual:world', not found

`BuildRequires: pkgconfig(krb5)` ensures this won't happen when running
a real build.  It simply avoids 4 lines of needless error output when
running something like `fedpkg prep`.

Reviewed-By: Alexander Bokovoy <abokovoy@redhat.com>
2023-04-18 08:32:54 +02:00
Todd Zullinger
0d72a6cf5c spec: verify upstream source signature
Per the Fedora packaging guidelines¹.

The GPG key was generated using details found on the wiki².  The
following commands can be used to fetch the signing key via fingerprint
and extract it:

    fpr=0E63D716D76AC080A4A33513F40800B6298EB963
    gpg --keyserver keys.openpgp.org --receive-keys $fpr
    gpg --armor --export-options export-minimal --export $fpr >gpgkey-$fpr.asc

¹ https://docs.fedoraproject.org/en-US/packaging-guidelines/#_verifying_signatures
² https://www.freeipa.org/page/Verify_Release_Signature

Reviewed-By: Alexander Bokovoy <abokovoy@redhat.com>
2023-04-18 08:32:54 +02:00
Rafael Guterres Jeffman
02b0e46b7f Migrated to SPDX license.
According to [1] all Fedora packages need to be updated to use a SPDX
expression. This patch updates the freeipa spec template to comply with
this change.

[1] https://fedoraproject.org/wiki/Changes/SPDX_Licenses_Phase_1

Fixes: https://pagure.io/freeipa/issue/9342

Signed-off-by: Rafael Guterres Jeffman <rjeffman@redhat.com>
Reviewed-By: Florence Blanc-Renaud <flo@redhat.com>
Reviewed-By: Alexander Bokovoy <abokovoy@redhat.com>
2023-03-02 05:03:41 +01:00
Stanislav Levin
a5c99a6b04 spec: Drop no longer used build dependency on paste
With ff6e701b00 it was replaced
with `werkzeug`.

https://pypi.org/project/Paste/
> Paste is in maintenance mode and recently moved from bitbucket to
  github. Patches are accepted to keep it on life support, but for the
  most part, please consider using other options.

Fixes: https://pagure.io/freeipa/issue/9314
Signed-off-by: Stanislav Levin <slev@altlinux.org>
Reviewed-By: Rob Crittenden <rcritten@redhat.com>
2023-01-31 09:57:24 -05:00
Florence Blanc-Renaud
295b4e23b4 Spec file: use %autosetup instead of %setup
This change fixes rpminspect issues reported when building
for RHEL, like the following one:

Patch number 1001 (1001-Change-branding-to-IPA-and-Identity-Management.patch)
is missing a corresponding %patch1001 macro, usually in %prep.

Waiver Authorization: Anyone

Suggested Remedy:
The named patch is defined in the source RPM header (this means it has a
PatchN: definition in the spec file) but is not applied anywhere in the
spec file.  It is missing a corresponding %patch macro and the spec file
lacks the %autosetup or %autopatch macros.  You can fix this by adding
the appropriate %patch macro in the spec file (usually in the %prep
section).  The number specified with the %patch macro corresponds to the
number used to define the patch at the top of the spec file.  So Patch47
is applied with a %patch47 macro.

Signed-off-by: Florence Blanc-Renaud <flo@redhat.com>
Reviewed-By: Francisco Trivino <ftrivino@redhat.com>
2023-01-24 16:50:31 +01:00
Florence Blanc-Renaud
6ab93f8be3 Spec file: unify with RHEL9 spec
Signed-off-by: Florence Blanc-Renaud <flo@redhat.com>
Reviewed-By: Francisco Trivino <ftrivino@redhat.com>
2023-01-24 16:50:31 +01:00
Florence Blanc-Renaud
be21cabad4 Spec file: bump krb5_kdb_version on rawhide
fedora 38 now uses krb5 1.20.1 which provides
krb5_kdb_version 9.0 instead of 8.0

Signed-off-by: Florence Blanc-Renaud <flo@redhat.com>
Reviewed-By: Alexander Bokovoy <abokovoy@redhat.com>
2022-12-19 15:38:05 +01:00
Florence Blanc-Renaud
827dc9afc9 Spec file: ipa-client depends on krb5-pkinit-openssl
Now that ipa-client-installs supports pkinit, the package
depends on krb5-pkinit-openssl.
Update the spec file, move the dependency from ipa-server
to ipa-client subpackage.

Fixes: https://pagure.io/freeipa/issue/9290

Signed-off-by: Florence Blanc-Renaud <flo@redhat.com>
Reviewed-By: Alexander Bokovoy <abokovoy@redhat.com>
2022-12-02 11:32:51 +01:00
Florence Blanc-Renaud
5a23d8ec3f spec file: bump sssd version
Bump sssd version to 2.8.0 on fedora37+ and RHEL
to ensure the fix for SSSD #6631 is present.

No need to bump the version on fedora 36 as the issue
is not seen on versions < 37.

Fixes: https://pagure.io/freeipa/issue/9234
Signed-off-by: Florence Blanc-Renaud <flo@redhat.com>
Reviewed-By: Alexander Bokovoy <abokovoy@redhat.com>
2022-11-22 08:49:09 +01:00
Florence Blanc-Renaud
dface55b1f Spec file: bump bind version on f37+
On fedora37+, require at least bind 9.18.7-1 to avoid
dnssec regression (see BZ#2117342) related to bind and
OpenSSL 3.0 engine support.

Fixes: https://pagure.io/freeipa/issue/9216

Signed-off-by: Florence Blanc-Renaud <flo@redhat.com>
Reviewed-By: Alexander Bokovoy <abokovoy@redhat.com>
2022-11-21 14:24:17 +01:00
Florence Blanc-Renaud
fbda6ea4d3 Spec file: bump the selinux-policy version
selinux-policy introduced a regression in fedora 36, rhel 8
and rhel 9. After a call to ipa trust-add, the credential cache
contains cifs/master.ipa.test@IPA.TEST instead of admin principal.

The fix is available in
- fedora 36: selinux-policy-36.16-1
- rhel 8: 3.14.3-107

Bump the selinux-policy version to install the fix.

Fixes: https://pagure.io/freeipa/issue/9198
Signed-off-by: Florence Blanc-Renaud <flo@redhat.com>
Reviewed-By: Rob Crittenden <rcritten@redhat.com>
2022-10-20 15:42:05 -04:00
Nikola Knazekova
7b855c602e Exclude installed policy module file from RPM verification
selinux: Update based on latest packaging guide
https://fedoraproject.org/wiki/SELinux/IndependentPolicy

Fixes: https://pagure.io/freeipa/issue/9254

Signed-off-by: Nikola Knazekova <nknazeko@redhat.com>
Reviewed-By: Rob Crittenden <rcritten@redhat.com>
Reviewed-By: Florence Blanc-Renaud <flo@redhat.com>
2022-10-17 15:57:10 +02:00
Rob Crittenden
f347c3f230 Implement LDAP bind grace period 389-ds plugin
Add support for bind grace limiting per
https://datatracker.ietf.org/doc/html/draft-behera-ldap-password-policy-06

389-ds provides for alternative naming than the draft, using those
instead: passwordGraceUserTime for pwdGraceUserTime and
passwordGraceLimit for pwdGraceLoginLimit.

passwordGraceLimit is a policy variable that an administrator
sets to determine the maximum number of LDAP binds allowed when
a password is marked as expired. This is suported for both the
global and per-group password policies.

passwordGraceUserTime is a count per-user of the number of binds.

When the passwordGraceUserTime exceeds the passwordGraceLimit then
all subsequent binds will be denied and an administrator will need
to reset the user password.

If passwordGraceLimit is less than 0 then grace limiting is disabled
and unlimited binds are allowed.

Grace login limitations only apply to entries with the objectclass
posixAccount or simplesecurityobject in order to limit this to
IPA users and system accounts.

Some basic support for the LDAP ppolicy control is enabled such that
if the ppolicy control is in the bind request then the number of
remaining grace binds will be returned with the request.

The passwordGraceUserTime attribute is reset to 0 upon a password
reset.

user-status has been extended to display the number of grace binds
which is stored centrally and not per-server.

Note that passwordGraceUserTime is an operational attribute.

https://pagure.io/freeipa/issue/1539

Signed-off-by: Rob Crittenden <rcritten@redhat.com>
Reviewed-By: Alexander Bokovoy <abokovoy@redhat.com>
2022-05-30 17:24:22 +03:00
Florence Blanc-Renaud
571b6b81c3 Installer: add --subid option to select the sssd profile with-subid
Add the --subid option to client, server and replica installers.
This option allows to configure authselect with the sssd
profile + with-subid feature, in order to have SSSD setup as
a datasource for subid in /etc/nsswitch.conf.

The default behavior remains unchanged: without the option,
/etc/nsswitch.conf keeps the line subid: files

Fixes: https://pagure.io/freeipa/issue/9159
Reviewed-By: Alexander Bokovoy <abokovoy@redhat.com>
2022-05-25 08:11:39 +03:00
Alexander Bokovoy
c2e79fa0b6 freeipa.spec.in: Depend on sssd-idp directly to help RHEL BaseOS/AppStream repository split
In RHEL there is a split of packages between Base OS and AppStream
repositories. While both repositories are accessible and enabled by
default, there are different requirements towards binary packages in
both. Namely, Base OS packages cannot have runtime dependencies to
AppStream packages and they should have a stricter lifecycle promises in
terms of API and ABI stability.

SSSD 2.7.0 adds sssd-idp package which provides actual implementation of
OAuth 2.0 integration. Since SSSD is provided as part of Base OS, if
sssd-idp is placed there, then all its dependencies would have to be in
Base OS. Unfortunately, libjose is already part of AppStream.

SSSD team currently pulls sssd-idp as a dependency of sssd-ipa so
FreeIPA didn't need to change anything. However, Base OS requirements
will force SSSD team to drop sssd-idp dependency from sssd-ipa. This
means FreeIPA will have to explicitly depend on sssd-idp.

Fixes:https://pagure.io/freeipa/issue/9155

Signed-off-by: Alexander Bokovoy <abokovoy@redhat.com>
Reviewed-By: Francisco Trivino <ftrivino@redhat.com>
2022-05-11 13:17:17 +03:00
Alexander Bokovoy
543040a71d freeipa.spec.in: use SSSD 2.7.0 to add IdP pre-auth mechanism
SSSD 2.7.0 provides oidc_child and 'idp' Kerberos pre-auth mechanism as
a part of sssd-idp package which is required by sssd-ipa.

Fixes: https://pagure.io/freeipa/issue/8805

Signed-off-by: Alexander Bokovoy <abokovoy@redhat.com>
Reviewed-By: Francisco Trivino <ftrivino@redhat.com>
Reviewed-By: Sumit Bose <sbose@redhat.com>
2022-05-10 15:52:41 +03:00
Alexander Bokovoy
4a7cc3467c docs: add plantuml and use virtual environment to generate docs
Documentation generator can be run inside Python virtual environment.
This allows to isolate from the system-wide changes and add Sphinx
extensions that aren't packaged in a distribution.

The only exception right now is plantuml package. We rely on plantuml to
generate diagrams and since it is written in Java, it cannot be
installed directly into the Python venv through 'pip' tool.

Fixes: https://pagure.io/freeipa/issue/9148

Signed-off-by: Alexander Bokovoy <abokovoy@redhat.com>
Reviewed-By: Francisco Trivino <ftrivino@redhat.com>
2022-05-04 09:36:40 +03:00
Alexander Bokovoy
7d25eead99 freeipa.spec: bump crypto-policies dependency for CentOS 9 Stream
Fixes: https://pagure.io/freeipa/issue/9119

Signed-off-by: Alexander Bokovoy <abokovoy@redhat.com>
Reviewed-By: Julien Rische <jrische@redhat.com>
Reviewed-By: Francisco Trivino <ftrivino@redhat.com>
2022-03-08 12:54:47 +01:00
Rob Crittenden
56708d6070 Set the mode on ipaupgrade.log during RPM %post snipppet
The IPA tools will create /var/log/ipaupgrade.log with mode
0600. If for some reason this file doesn't exist during
upgrade then it will be created by the RPM transaction with
mode 0644 (because of umask).

So always set the mode once the snippets are done. This
will ensure that a newly created log will have the expected
mode and also fix any previous incorrectly set mode.

Fixes: https://pagure.io/freeipa/issue/8899

Signed-off-by: Rob Crittenden <rcritten@redhat.com>
Reviewed-By: Stanislav Levin <slev@altlinux.org>
2022-02-22 14:49:31 +01:00
François Cami
20f68d817d freeipa.spec: depend on bind-dnssec-utils
The OpenDNSSec integration code requires:
/usr/sbin/dnssec-keyfromlabel-pkcs11
which is provided by bind-pkcs11-utils, but that package is
only available on RHEL<9.

With this change, freeipa-server-dns depends on bind-dnssec-utils
on all Fedora releases and RHEL==9+, and uses:
/usr/sbin/dnssec-keyfromlabel -E pkcs11
instead of dnssec-keyfromlabel-pkcs11.

Fixes: https://pagure.io/freeipa/issue/9026
Signed-off-by: François Cami <fcami@redhat.com>
Reviewed-By: Rob Crittenden <rcritten@redhat.com>
Reviewed-By: Florence Blanc-Renaud <flo@redhat.com>
Reviewed-By: Alexander Bokovoy <abokovoy@redhat.com>
Reviewed-By: Timo Aaltonen <tjaalton@debian.org>
Reviewed-By: Antonio Torres Moríñigo <atorresm@protonmail.com>
2021-11-25 16:49:00 +01:00
Alexander Bokovoy
aed5fd871a freeipa.spec.in: -server subpackage should require samba-client-libs
KDB driver extensively uses NDR parsing and marshalling code provided by
Samba libraries. Since these libraries are internal to Samba, they often
change structures without updating SONAME. Typical changes include
adding new structures, so we should require samba-client-libs we were
built against.

There used to be %requires_eq macros in RPM but it was removed from
Fedora some time ago. We need greater than or equal version of it, thus
%ipa_requires_gt is defined in the spec file.

Related: https://pagure.io/freeipa/issue/9031

Signed-off-by: Alexander Bokovoy <abokovoy@redhat.com>
Reviewed-By: Florence Blanc-Renaud <flo@redhat.com>
Reviewed-By: Francois Cami <fcami@redhat.com>
2021-11-18 18:07:42 +01:00
Florence Blanc-Renaud
ed001c97ee ipa config: add --enable-sid option
Add new options to ipa config-mod, allowing to enable
SID generation on upgraded servers:
ipa config-mod --enable-sid --add-sids --netbios-name NAME

The new option uses Dbus to launch an oddjob command,
org.freeipa.server.config-enable-sid
that runs the installation steps related to SID generation.

--add-sids is optional and triggers the sid generation task that
populates SID for existing users / groups.
--netbios-name is optional and allows to specify the NetBIOS Name.
When not provided, the NetBIOS name is generated based on the leading
component of the DNS domain name.

This command can be run multiple times.

Fixes: https://pagure.io/freeipa/issue/8995
Signed-off-by: Florence Blanc-Renaud <flo@redhat.com>
Reviewed-By: Christian Heimes <cheimes@redhat.com>
Reviewed-By: Rob Crittenden <rcritten@redhat.com>
Reviewed-By: Alexander Bokovoy <abokovoy@redhat.com>
2021-11-02 10:11:28 +01:00
François Cami
099a7a24d0 freeipa.spec.in: update 389-DS version
Signed-off-by: François Cami <fcami@redhat.com>
Reviewed-By: Antonio Torres <antorres@redhat.com>
2021-08-20 14:37:22 +02:00
François Cami
ad06c75b08 freeipa.spec.in: remove python3-pexpect from Requires
python3-pexpect will be removed in RHEL9.
Update BuildRequires/Requires accordingly.

Fixes: https://pagure.io/freeipa/issue/8938
Signed-off-by: François Cami <fcami@redhat.com>
Reviewed-By: Rob Crittenden <rcritten@redhat.com>
Reviewed-By: Antonio Torres <antorres@redhat.com>
2021-08-02 22:32:39 +02:00
Florence Blanc-Renaud
24afb10c30 spec file: Trust controller role should pull sssd-winbind-idmap package
ipa-server-trust-ad subpackage need to pull in sssd-winbind-idmap
Fixes: https://pagure.io/freeipa/issue/8923

Signed-off-by: Florence Blanc-Renaud <flo@redhat.com>
Reviewed-By: Alexander Bokovoy <abokovoy@redhat.com>
2021-07-15 16:28:30 +02:00
Christian Heimes
51035d9354 Use 389-DS' dnaInterval setting to assign intervals
Signed-off-by: Christian Heimes <cheimes@redhat.com>
Reviewed-By: Francois Cami <fcami@redhat.com>
Reviewed-By: Rob Crittenden <rcritten@redhat.com>
2021-07-09 09:47:30 -04:00
Christian Heimes
1c4ae37293 Add basic support for subordinate user/group ids
New LDAP object class "ipaUserSubordinate" with four new fields:
- ipasubuidnumber / ipasubuidcount
- ipasubgidnumber / ipasgbuidcount

New self-service permission to add subids.

New command user-auto-subid to auto-assign subid

The code hard-codes counts to 65536, sets subgid equal to subuid, and
does not allow removal of subids. There is also a hack that emulates a
DNA plugin with step interval 65536 for testing.

Work around problem with older SSSD clients that fail with unknown
idrange type "ipa-local-subid", see: https://github.com/SSSD/sssd/issues/5571

Related: https://pagure.io/freeipa/issue/8361
Signed-off-by: Christian Heimes <cheimes@redhat.com>
Reviewed-By: Francois Cami <fcami@redhat.com>
Reviewed-By: Rob Crittenden <rcritten@redhat.com>
2021-07-09 09:47:30 -04:00
Florence Blanc-Renaud
8d83ebde3a augeas: bump version for rhel9
augeas 1.12.1-0.1 adds support for the new chony configuration
settings.

Related: https://pagure.io/freeipa/issue/8676
Reviewed-By: Francois Cami <fcami@redhat.com>
Reviewed-By: Anuja More <amore@redhat.com>
2021-07-08 11:06:49 +02:00
Florence Blanc-Renaud
10676f644b Remove unneeded dependency on python-coverage
The spec file requires python3-coverage although it is not
used in the project.

Fixes: https://pagure.io/freeipa/issue/8905
Signed-off-by: Florence Blanc-Renaud <flo@redhat.com>
Reviewed-By: Francois Cami <fcami@redhat.com>
2021-07-05 11:09:01 +02:00
Christian Heimes
c27233e3a0 Remove more unused Custodia code
See: https://pagure.io/freeipa/issue/8882
Signed-off-by: Christian Heimes <cheimes@redhat.com>
Reviewed-By: Alexander Bokovoy <abokovoy@redhat.com>
Reviewed-By: Rob Crittenden <rcritten@redhat.com>
2021-06-16 10:28:17 -04:00
Florence Blanc-Renaud
25f42c3289 freeipa.spec: bump 389-ds version
IPA depends on the 389-ds version with the fix for
https://github.com/389ds/389-ds-base/issues/4700
Regression in winsync replication agreement

The same 389-ds version also fixes
https://github.com/389ds/389-ds-base/issues/4670
389ds coredump in IPA nightly test
test_caless.py::TestReplicaInstall::test_wildcard_http

Fixes: https://pagure.io/freeipa/issue/8691
Fixes: https://pagure.io/freeipa/issue/8756
Signed-off-by: Florence Blanc-Renaud <flo@redhat.com>
Reviewed-By: Rob Crittenden <rcritten@redhat.com>
2021-06-09 17:54:01 -04:00
Alexander Bokovoy
26fc0bcadd Depend on system-logos-ipa on RHEL/CentOS Stream
Fedora ELN represents itself as a RHEL but it does not have
redhat-logos-ipa package. CentOS Stream does not have redhat-logos-ipa
but has centos-logos-ipa package. Both RHEL and CentOS Stream provide
system-logos-ipa so we can depend on it instead.

This allows to make IPA packages installable on CentOS Stream and on
Fedora ELN.

Fixes: https://pagure.io/freeipa/issue/8874

Signed-off-by: Alexander Bokovoy <abokovoy@redhat.com>
2021-06-04 12:11:35 +03:00
Alexander Bokovoy
a8fd65be65 freeipa.spec: do not use jsl for linting on Fedora 34+
jsl package is orphaned in Fedora 34+ as it cannot be built.

Related: https://pagure.io/freeipa/issue/8847
Signed-off-by: Alexander Bokovoy <abokovoy@redhat.com>
Reviewed-By: Alexander Bokovoy <abokovoy@redhat.com>
2021-05-25 10:45:49 +03:00
Florence Blanc-Renaud
d8f246d8e3 Spec file: bump augeas-libs version
Older augeas does not support new options provided by chrony:
 sourcedir /run/chrony-dhcp
 ntsdumpdir /var/lib/chrony
and is failing to update /etc/chrony.conf in ipa installer.

Bump augeas-libs version to require the fix:
1.12.0-6 on fedora 33+
1.12.0-3 otherwise

Fixes: https://pagure.io/freeipa/issue/8676
Signed-off-by: Florence Blanc-Renaud <flo@redhat.com>
Reviewed-By: Francois Cami <fcami@redhat.com>
2021-05-06 15:38:39 -04:00
Christian Heimes
6d0d1c7088 Constrain pylint to supported versions
Two, three times a year PR-CI starts failing because tox tests pull in a
newer version of pylint with new warnings. To reduce breakage this
change constraints pylint (and indirectly astroid) to latest tested
minor version. The constraint should be updated when FreeIPA starts to
support a new Fedora version with more recent pylint.

Related: https://pagure.io/freeipa/issue/8818
Signed-off-by: Christian Heimes <cheimes@redhat.com>
Reviewed-By: Stanislav Levin <slev@altlinux.org>
Reviewed-By: Rob Crittenden <rcritten@redhat.com>
2021-05-03 09:16:14 +02:00
Florence Blanc-Renaud
bd84796a70 Bumps openssl requires
openssl-1.1.1i introduced a regression preventing WebUI
login when the server is installed with --no-pkinit option.

On fedora 32/33/34/rawhide openssl-1.1.1k-1 is now available.
On RHEL8, openssl-1.1.1g is still shipped and doesn't have the
issue.

Fixes: https://pagure.io/freeipa/issue/8632
Reviewed-By: Rob Crittenden <rcritten@redhat.com>
2021-04-06 08:40:00 +02:00
Stanislav Levin
83e16a4e47 Azure: Run rpmlint on Fedora
Template the autoconf phase.

Fixes: https://pagure.io/freeipa/issue/8768
Signed-off-by: Stanislav Levin <slev@altlinux.org>
Reviewed-By: Rob Crittenden <rcritten@redhat.com>
Reviewed-By: Alexander Bokovoy <abokovoy@redhat.com>
2021-03-29 10:16:12 +03:00
Alexander Bokovoy
fed2e399d4 freeipa.spec: synchronize with Fedora for 389-ds and PKI versions
- 389-ds fixes an information disclosure during unsuccessful LDAP BIND
  operation, CVE-2020-35518, https://github.com/389ds/389-ds-base/issues/4609

- Dogtag PKI adopted to work with 389-ds with the fix,
  https://github.com/dogtagpki/pki/issues/3458

FreeIPA needs to require new Dogtag and 389-ds versions on all Fedora
and RHEL versions.

RHEL 8 version is set to 1.4.3.16-12 which is the official build after
pki-core was fixed to work with the CVE fixes.

In order to avoid excessive %if/%endif conditionals in the spec file, I
have added a short Lua table with 389-ds versions for F32-33. F34 and
Rawhide will fallback to the same newer 389-ds 2.0.3 version. We do not
support building on F31 or older Fedora anymore as they are EOLed
already.

Fixes: https://pagure.io/freeipa/issue/8705

Signed-off-by: Alexander Bokovoy <abokovoy@redhat.com>
Reviewed-By: Florence Blanc-Renaud <frenaud@redhat.com>
2021-03-10 09:28:18 +02:00
Florence Blanc-Renaud
f3cd85ea81 freeipa.spec: bump the required version of 389ds
In order to get the fix for sync_repl, the following versions
are required:
on fedora32: 1.4.3.19-1
on fedora33 and above: 1.4.4.12-1
on rhel 8.4: 1.4.3.16-11

Note: the fix is not available yet on fedora32 as the build has
been marked as obsolete due to a pkispawn regression
(https://github.com/dogtagpki/pki/issues/3458).
The version will need to be updated in a later commit.

Fixes: https://pagure.io/freeipa/issue/8496
Reviewed-By: Francois Cami <fcami@redhat.com>
2021-02-25 14:42:01 +01:00
Troy Dawson
d11acaf4d3 platform-python only on RHEL8
Reviewed-By: Alexander Bokovoy <abokovoy@redhat.com>
Reviewed-By: Rob Crittenden <rcritten@redhat.com>
2021-02-23 11:54:30 -05:00