Commit Graph

790 Commits

Author SHA1 Message Date
Stanislav Levin
a5c99a6b04 spec: Drop no longer used build dependency on paste
With ff6e701b00 it was replaced
with `werkzeug`.

https://pypi.org/project/Paste/
> Paste is in maintenance mode and recently moved from bitbucket to
  github. Patches are accepted to keep it on life support, but for the
  most part, please consider using other options.

Fixes: https://pagure.io/freeipa/issue/9314
Signed-off-by: Stanislav Levin <slev@altlinux.org>
Reviewed-By: Rob Crittenden <rcritten@redhat.com>
2023-01-31 09:57:24 -05:00
Florence Blanc-Renaud
295b4e23b4 Spec file: use %autosetup instead of %setup
This change fixes rpminspect issues reported when building
for RHEL, like the following one:

Patch number 1001 (1001-Change-branding-to-IPA-and-Identity-Management.patch)
is missing a corresponding %patch1001 macro, usually in %prep.

Waiver Authorization: Anyone

Suggested Remedy:
The named patch is defined in the source RPM header (this means it has a
PatchN: definition in the spec file) but is not applied anywhere in the
spec file.  It is missing a corresponding %patch macro and the spec file
lacks the %autosetup or %autopatch macros.  You can fix this by adding
the appropriate %patch macro in the spec file (usually in the %prep
section).  The number specified with the %patch macro corresponds to the
number used to define the patch at the top of the spec file.  So Patch47
is applied with a %patch47 macro.

Signed-off-by: Florence Blanc-Renaud <flo@redhat.com>
Reviewed-By: Francisco Trivino <ftrivino@redhat.com>
2023-01-24 16:50:31 +01:00
Florence Blanc-Renaud
6ab93f8be3 Spec file: unify with RHEL9 spec
Signed-off-by: Florence Blanc-Renaud <flo@redhat.com>
Reviewed-By: Francisco Trivino <ftrivino@redhat.com>
2023-01-24 16:50:31 +01:00
Florence Blanc-Renaud
be21cabad4 Spec file: bump krb5_kdb_version on rawhide
fedora 38 now uses krb5 1.20.1 which provides
krb5_kdb_version 9.0 instead of 8.0

Signed-off-by: Florence Blanc-Renaud <flo@redhat.com>
Reviewed-By: Alexander Bokovoy <abokovoy@redhat.com>
2022-12-19 15:38:05 +01:00
Florence Blanc-Renaud
827dc9afc9 Spec file: ipa-client depends on krb5-pkinit-openssl
Now that ipa-client-installs supports pkinit, the package
depends on krb5-pkinit-openssl.
Update the spec file, move the dependency from ipa-server
to ipa-client subpackage.

Fixes: https://pagure.io/freeipa/issue/9290

Signed-off-by: Florence Blanc-Renaud <flo@redhat.com>
Reviewed-By: Alexander Bokovoy <abokovoy@redhat.com>
2022-12-02 11:32:51 +01:00
Florence Blanc-Renaud
5a23d8ec3f spec file: bump sssd version
Bump sssd version to 2.8.0 on fedora37+ and RHEL
to ensure the fix for SSSD #6631 is present.

No need to bump the version on fedora 36 as the issue
is not seen on versions < 37.

Fixes: https://pagure.io/freeipa/issue/9234
Signed-off-by: Florence Blanc-Renaud <flo@redhat.com>
Reviewed-By: Alexander Bokovoy <abokovoy@redhat.com>
2022-11-22 08:49:09 +01:00
Florence Blanc-Renaud
dface55b1f Spec file: bump bind version on f37+
On fedora37+, require at least bind 9.18.7-1 to avoid
dnssec regression (see BZ#2117342) related to bind and
OpenSSL 3.0 engine support.

Fixes: https://pagure.io/freeipa/issue/9216

Signed-off-by: Florence Blanc-Renaud <flo@redhat.com>
Reviewed-By: Alexander Bokovoy <abokovoy@redhat.com>
2022-11-21 14:24:17 +01:00
Florence Blanc-Renaud
fbda6ea4d3 Spec file: bump the selinux-policy version
selinux-policy introduced a regression in fedora 36, rhel 8
and rhel 9. After a call to ipa trust-add, the credential cache
contains cifs/master.ipa.test@IPA.TEST instead of admin principal.

The fix is available in
- fedora 36: selinux-policy-36.16-1
- rhel 8: 3.14.3-107

Bump the selinux-policy version to install the fix.

Fixes: https://pagure.io/freeipa/issue/9198
Signed-off-by: Florence Blanc-Renaud <flo@redhat.com>
Reviewed-By: Rob Crittenden <rcritten@redhat.com>
2022-10-20 15:42:05 -04:00
Nikola Knazekova
7b855c602e Exclude installed policy module file from RPM verification
selinux: Update based on latest packaging guide
https://fedoraproject.org/wiki/SELinux/IndependentPolicy

Fixes: https://pagure.io/freeipa/issue/9254

Signed-off-by: Nikola Knazekova <nknazeko@redhat.com>
Reviewed-By: Rob Crittenden <rcritten@redhat.com>
Reviewed-By: Florence Blanc-Renaud <flo@redhat.com>
2022-10-17 15:57:10 +02:00
Rob Crittenden
f347c3f230 Implement LDAP bind grace period 389-ds plugin
Add support for bind grace limiting per
https://datatracker.ietf.org/doc/html/draft-behera-ldap-password-policy-06

389-ds provides for alternative naming than the draft, using those
instead: passwordGraceUserTime for pwdGraceUserTime and
passwordGraceLimit for pwdGraceLoginLimit.

passwordGraceLimit is a policy variable that an administrator
sets to determine the maximum number of LDAP binds allowed when
a password is marked as expired. This is suported for both the
global and per-group password policies.

passwordGraceUserTime is a count per-user of the number of binds.

When the passwordGraceUserTime exceeds the passwordGraceLimit then
all subsequent binds will be denied and an administrator will need
to reset the user password.

If passwordGraceLimit is less than 0 then grace limiting is disabled
and unlimited binds are allowed.

Grace login limitations only apply to entries with the objectclass
posixAccount or simplesecurityobject in order to limit this to
IPA users and system accounts.

Some basic support for the LDAP ppolicy control is enabled such that
if the ppolicy control is in the bind request then the number of
remaining grace binds will be returned with the request.

The passwordGraceUserTime attribute is reset to 0 upon a password
reset.

user-status has been extended to display the number of grace binds
which is stored centrally and not per-server.

Note that passwordGraceUserTime is an operational attribute.

https://pagure.io/freeipa/issue/1539

Signed-off-by: Rob Crittenden <rcritten@redhat.com>
Reviewed-By: Alexander Bokovoy <abokovoy@redhat.com>
2022-05-30 17:24:22 +03:00
Florence Blanc-Renaud
571b6b81c3 Installer: add --subid option to select the sssd profile with-subid
Add the --subid option to client, server and replica installers.
This option allows to configure authselect with the sssd
profile + with-subid feature, in order to have SSSD setup as
a datasource for subid in /etc/nsswitch.conf.

The default behavior remains unchanged: without the option,
/etc/nsswitch.conf keeps the line subid: files

Fixes: https://pagure.io/freeipa/issue/9159
Reviewed-By: Alexander Bokovoy <abokovoy@redhat.com>
2022-05-25 08:11:39 +03:00
Alexander Bokovoy
c2e79fa0b6 freeipa.spec.in: Depend on sssd-idp directly to help RHEL BaseOS/AppStream repository split
In RHEL there is a split of packages between Base OS and AppStream
repositories. While both repositories are accessible and enabled by
default, there are different requirements towards binary packages in
both. Namely, Base OS packages cannot have runtime dependencies to
AppStream packages and they should have a stricter lifecycle promises in
terms of API and ABI stability.

SSSD 2.7.0 adds sssd-idp package which provides actual implementation of
OAuth 2.0 integration. Since SSSD is provided as part of Base OS, if
sssd-idp is placed there, then all its dependencies would have to be in
Base OS. Unfortunately, libjose is already part of AppStream.

SSSD team currently pulls sssd-idp as a dependency of sssd-ipa so
FreeIPA didn't need to change anything. However, Base OS requirements
will force SSSD team to drop sssd-idp dependency from sssd-ipa. This
means FreeIPA will have to explicitly depend on sssd-idp.

Fixes:https://pagure.io/freeipa/issue/9155

Signed-off-by: Alexander Bokovoy <abokovoy@redhat.com>
Reviewed-By: Francisco Trivino <ftrivino@redhat.com>
2022-05-11 13:17:17 +03:00
Alexander Bokovoy
543040a71d freeipa.spec.in: use SSSD 2.7.0 to add IdP pre-auth mechanism
SSSD 2.7.0 provides oidc_child and 'idp' Kerberos pre-auth mechanism as
a part of sssd-idp package which is required by sssd-ipa.

Fixes: https://pagure.io/freeipa/issue/8805

Signed-off-by: Alexander Bokovoy <abokovoy@redhat.com>
Reviewed-By: Francisco Trivino <ftrivino@redhat.com>
Reviewed-By: Sumit Bose <sbose@redhat.com>
2022-05-10 15:52:41 +03:00
Alexander Bokovoy
4a7cc3467c docs: add plantuml and use virtual environment to generate docs
Documentation generator can be run inside Python virtual environment.
This allows to isolate from the system-wide changes and add Sphinx
extensions that aren't packaged in a distribution.

The only exception right now is plantuml package. We rely on plantuml to
generate diagrams and since it is written in Java, it cannot be
installed directly into the Python venv through 'pip' tool.

Fixes: https://pagure.io/freeipa/issue/9148

Signed-off-by: Alexander Bokovoy <abokovoy@redhat.com>
Reviewed-By: Francisco Trivino <ftrivino@redhat.com>
2022-05-04 09:36:40 +03:00
Alexander Bokovoy
7d25eead99 freeipa.spec: bump crypto-policies dependency for CentOS 9 Stream
Fixes: https://pagure.io/freeipa/issue/9119

Signed-off-by: Alexander Bokovoy <abokovoy@redhat.com>
Reviewed-By: Julien Rische <jrische@redhat.com>
Reviewed-By: Francisco Trivino <ftrivino@redhat.com>
2022-03-08 12:54:47 +01:00
Rob Crittenden
56708d6070 Set the mode on ipaupgrade.log during RPM %post snipppet
The IPA tools will create /var/log/ipaupgrade.log with mode
0600. If for some reason this file doesn't exist during
upgrade then it will be created by the RPM transaction with
mode 0644 (because of umask).

So always set the mode once the snippets are done. This
will ensure that a newly created log will have the expected
mode and also fix any previous incorrectly set mode.

Fixes: https://pagure.io/freeipa/issue/8899

Signed-off-by: Rob Crittenden <rcritten@redhat.com>
Reviewed-By: Stanislav Levin <slev@altlinux.org>
2022-02-22 14:49:31 +01:00
François Cami
20f68d817d freeipa.spec: depend on bind-dnssec-utils
The OpenDNSSec integration code requires:
/usr/sbin/dnssec-keyfromlabel-pkcs11
which is provided by bind-pkcs11-utils, but that package is
only available on RHEL<9.

With this change, freeipa-server-dns depends on bind-dnssec-utils
on all Fedora releases and RHEL==9+, and uses:
/usr/sbin/dnssec-keyfromlabel -E pkcs11
instead of dnssec-keyfromlabel-pkcs11.

Fixes: https://pagure.io/freeipa/issue/9026
Signed-off-by: François Cami <fcami@redhat.com>
Reviewed-By: Rob Crittenden <rcritten@redhat.com>
Reviewed-By: Florence Blanc-Renaud <flo@redhat.com>
Reviewed-By: Alexander Bokovoy <abokovoy@redhat.com>
Reviewed-By: Timo Aaltonen <tjaalton@debian.org>
Reviewed-By: Antonio Torres Moríñigo <atorresm@protonmail.com>
2021-11-25 16:49:00 +01:00
Alexander Bokovoy
aed5fd871a freeipa.spec.in: -server subpackage should require samba-client-libs
KDB driver extensively uses NDR parsing and marshalling code provided by
Samba libraries. Since these libraries are internal to Samba, they often
change structures without updating SONAME. Typical changes include
adding new structures, so we should require samba-client-libs we were
built against.

There used to be %requires_eq macros in RPM but it was removed from
Fedora some time ago. We need greater than or equal version of it, thus
%ipa_requires_gt is defined in the spec file.

Related: https://pagure.io/freeipa/issue/9031

Signed-off-by: Alexander Bokovoy <abokovoy@redhat.com>
Reviewed-By: Florence Blanc-Renaud <flo@redhat.com>
Reviewed-By: Francois Cami <fcami@redhat.com>
2021-11-18 18:07:42 +01:00
Florence Blanc-Renaud
ed001c97ee ipa config: add --enable-sid option
Add new options to ipa config-mod, allowing to enable
SID generation on upgraded servers:
ipa config-mod --enable-sid --add-sids --netbios-name NAME

The new option uses Dbus to launch an oddjob command,
org.freeipa.server.config-enable-sid
that runs the installation steps related to SID generation.

--add-sids is optional and triggers the sid generation task that
populates SID for existing users / groups.
--netbios-name is optional and allows to specify the NetBIOS Name.
When not provided, the NetBIOS name is generated based on the leading
component of the DNS domain name.

This command can be run multiple times.

Fixes: https://pagure.io/freeipa/issue/8995
Signed-off-by: Florence Blanc-Renaud <flo@redhat.com>
Reviewed-By: Christian Heimes <cheimes@redhat.com>
Reviewed-By: Rob Crittenden <rcritten@redhat.com>
Reviewed-By: Alexander Bokovoy <abokovoy@redhat.com>
2021-11-02 10:11:28 +01:00
François Cami
099a7a24d0 freeipa.spec.in: update 389-DS version
Signed-off-by: François Cami <fcami@redhat.com>
Reviewed-By: Antonio Torres <antorres@redhat.com>
2021-08-20 14:37:22 +02:00
François Cami
ad06c75b08 freeipa.spec.in: remove python3-pexpect from Requires
python3-pexpect will be removed in RHEL9.
Update BuildRequires/Requires accordingly.

Fixes: https://pagure.io/freeipa/issue/8938
Signed-off-by: François Cami <fcami@redhat.com>
Reviewed-By: Rob Crittenden <rcritten@redhat.com>
Reviewed-By: Antonio Torres <antorres@redhat.com>
2021-08-02 22:32:39 +02:00
Florence Blanc-Renaud
24afb10c30 spec file: Trust controller role should pull sssd-winbind-idmap package
ipa-server-trust-ad subpackage need to pull in sssd-winbind-idmap
Fixes: https://pagure.io/freeipa/issue/8923

Signed-off-by: Florence Blanc-Renaud <flo@redhat.com>
Reviewed-By: Alexander Bokovoy <abokovoy@redhat.com>
2021-07-15 16:28:30 +02:00
Christian Heimes
51035d9354 Use 389-DS' dnaInterval setting to assign intervals
Signed-off-by: Christian Heimes <cheimes@redhat.com>
Reviewed-By: Francois Cami <fcami@redhat.com>
Reviewed-By: Rob Crittenden <rcritten@redhat.com>
2021-07-09 09:47:30 -04:00
Christian Heimes
1c4ae37293 Add basic support for subordinate user/group ids
New LDAP object class "ipaUserSubordinate" with four new fields:
- ipasubuidnumber / ipasubuidcount
- ipasubgidnumber / ipasgbuidcount

New self-service permission to add subids.

New command user-auto-subid to auto-assign subid

The code hard-codes counts to 65536, sets subgid equal to subuid, and
does not allow removal of subids. There is also a hack that emulates a
DNA plugin with step interval 65536 for testing.

Work around problem with older SSSD clients that fail with unknown
idrange type "ipa-local-subid", see: https://github.com/SSSD/sssd/issues/5571

Related: https://pagure.io/freeipa/issue/8361
Signed-off-by: Christian Heimes <cheimes@redhat.com>
Reviewed-By: Francois Cami <fcami@redhat.com>
Reviewed-By: Rob Crittenden <rcritten@redhat.com>
2021-07-09 09:47:30 -04:00
Florence Blanc-Renaud
8d83ebde3a augeas: bump version for rhel9
augeas 1.12.1-0.1 adds support for the new chony configuration
settings.

Related: https://pagure.io/freeipa/issue/8676
Reviewed-By: Francois Cami <fcami@redhat.com>
Reviewed-By: Anuja More <amore@redhat.com>
2021-07-08 11:06:49 +02:00
Florence Blanc-Renaud
10676f644b Remove unneeded dependency on python-coverage
The spec file requires python3-coverage although it is not
used in the project.

Fixes: https://pagure.io/freeipa/issue/8905
Signed-off-by: Florence Blanc-Renaud <flo@redhat.com>
Reviewed-By: Francois Cami <fcami@redhat.com>
2021-07-05 11:09:01 +02:00
Christian Heimes
c27233e3a0 Remove more unused Custodia code
See: https://pagure.io/freeipa/issue/8882
Signed-off-by: Christian Heimes <cheimes@redhat.com>
Reviewed-By: Alexander Bokovoy <abokovoy@redhat.com>
Reviewed-By: Rob Crittenden <rcritten@redhat.com>
2021-06-16 10:28:17 -04:00
Florence Blanc-Renaud
25f42c3289 freeipa.spec: bump 389-ds version
IPA depends on the 389-ds version with the fix for
https://github.com/389ds/389-ds-base/issues/4700
Regression in winsync replication agreement

The same 389-ds version also fixes
https://github.com/389ds/389-ds-base/issues/4670
389ds coredump in IPA nightly test
test_caless.py::TestReplicaInstall::test_wildcard_http

Fixes: https://pagure.io/freeipa/issue/8691
Fixes: https://pagure.io/freeipa/issue/8756
Signed-off-by: Florence Blanc-Renaud <flo@redhat.com>
Reviewed-By: Rob Crittenden <rcritten@redhat.com>
2021-06-09 17:54:01 -04:00
Alexander Bokovoy
26fc0bcadd Depend on system-logos-ipa on RHEL/CentOS Stream
Fedora ELN represents itself as a RHEL but it does not have
redhat-logos-ipa package. CentOS Stream does not have redhat-logos-ipa
but has centos-logos-ipa package. Both RHEL and CentOS Stream provide
system-logos-ipa so we can depend on it instead.

This allows to make IPA packages installable on CentOS Stream and on
Fedora ELN.

Fixes: https://pagure.io/freeipa/issue/8874

Signed-off-by: Alexander Bokovoy <abokovoy@redhat.com>
2021-06-04 12:11:35 +03:00
Alexander Bokovoy
a8fd65be65 freeipa.spec: do not use jsl for linting on Fedora 34+
jsl package is orphaned in Fedora 34+ as it cannot be built.

Related: https://pagure.io/freeipa/issue/8847
Signed-off-by: Alexander Bokovoy <abokovoy@redhat.com>
Reviewed-By: Alexander Bokovoy <abokovoy@redhat.com>
2021-05-25 10:45:49 +03:00
Florence Blanc-Renaud
d8f246d8e3 Spec file: bump augeas-libs version
Older augeas does not support new options provided by chrony:
 sourcedir /run/chrony-dhcp
 ntsdumpdir /var/lib/chrony
and is failing to update /etc/chrony.conf in ipa installer.

Bump augeas-libs version to require the fix:
1.12.0-6 on fedora 33+
1.12.0-3 otherwise

Fixes: https://pagure.io/freeipa/issue/8676
Signed-off-by: Florence Blanc-Renaud <flo@redhat.com>
Reviewed-By: Francois Cami <fcami@redhat.com>
2021-05-06 15:38:39 -04:00
Christian Heimes
6d0d1c7088 Constrain pylint to supported versions
Two, three times a year PR-CI starts failing because tox tests pull in a
newer version of pylint with new warnings. To reduce breakage this
change constraints pylint (and indirectly astroid) to latest tested
minor version. The constraint should be updated when FreeIPA starts to
support a new Fedora version with more recent pylint.

Related: https://pagure.io/freeipa/issue/8818
Signed-off-by: Christian Heimes <cheimes@redhat.com>
Reviewed-By: Stanislav Levin <slev@altlinux.org>
Reviewed-By: Rob Crittenden <rcritten@redhat.com>
2021-05-03 09:16:14 +02:00
Florence Blanc-Renaud
bd84796a70 Bumps openssl requires
openssl-1.1.1i introduced a regression preventing WebUI
login when the server is installed with --no-pkinit option.

On fedora 32/33/34/rawhide openssl-1.1.1k-1 is now available.
On RHEL8, openssl-1.1.1g is still shipped and doesn't have the
issue.

Fixes: https://pagure.io/freeipa/issue/8632
Reviewed-By: Rob Crittenden <rcritten@redhat.com>
2021-04-06 08:40:00 +02:00
Stanislav Levin
83e16a4e47 Azure: Run rpmlint on Fedora
Template the autoconf phase.

Fixes: https://pagure.io/freeipa/issue/8768
Signed-off-by: Stanislav Levin <slev@altlinux.org>
Reviewed-By: Rob Crittenden <rcritten@redhat.com>
Reviewed-By: Alexander Bokovoy <abokovoy@redhat.com>
2021-03-29 10:16:12 +03:00
Alexander Bokovoy
fed2e399d4 freeipa.spec: synchronize with Fedora for 389-ds and PKI versions
- 389-ds fixes an information disclosure during unsuccessful LDAP BIND
  operation, CVE-2020-35518, https://github.com/389ds/389-ds-base/issues/4609

- Dogtag PKI adopted to work with 389-ds with the fix,
  https://github.com/dogtagpki/pki/issues/3458

FreeIPA needs to require new Dogtag and 389-ds versions on all Fedora
and RHEL versions.

RHEL 8 version is set to 1.4.3.16-12 which is the official build after
pki-core was fixed to work with the CVE fixes.

In order to avoid excessive %if/%endif conditionals in the spec file, I
have added a short Lua table with 389-ds versions for F32-33. F34 and
Rawhide will fallback to the same newer 389-ds 2.0.3 version. We do not
support building on F31 or older Fedora anymore as they are EOLed
already.

Fixes: https://pagure.io/freeipa/issue/8705

Signed-off-by: Alexander Bokovoy <abokovoy@redhat.com>
Reviewed-By: Florence Blanc-Renaud <frenaud@redhat.com>
2021-03-10 09:28:18 +02:00
Florence Blanc-Renaud
f3cd85ea81 freeipa.spec: bump the required version of 389ds
In order to get the fix for sync_repl, the following versions
are required:
on fedora32: 1.4.3.19-1
on fedora33 and above: 1.4.4.12-1
on rhel 8.4: 1.4.3.16-11

Note: the fix is not available yet on fedora32 as the build has
been marked as obsolete due to a pkispawn regression
(https://github.com/dogtagpki/pki/issues/3458).
The version will need to be updated in a later commit.

Fixes: https://pagure.io/freeipa/issue/8496
Reviewed-By: Francois Cami <fcami@redhat.com>
2021-02-25 14:42:01 +01:00
Troy Dawson
d11acaf4d3 platform-python only on RHEL8
Reviewed-By: Alexander Bokovoy <abokovoy@redhat.com>
Reviewed-By: Rob Crittenden <rcritten@redhat.com>
2021-02-23 11:54:30 -05:00
Rob Crittenden
146db28e50 Set pki-core dependency to 10.3.3 for pki-server cert-fix bug
Related: https://github.com/dogtagpki/pki/issues/3387
Reviewed-By: Florence Blanc-Renaud <flo@redhat.com>
2021-02-18 16:41:03 +01:00
Stanislav Levin
778ef95916 rpm-spec: Require crypto-policies-scripts
`update-crypto-policies` tool from RPM package `crypto-policies-scripts`
is required for tests.

Signed-off-by: Stanislav Levin <slev@altlinux.org>
Reviewed-By: Alexander Bokovoy <abokovoy@redhat.com>
2021-02-15 09:54:51 +02:00
Rob Crittenden
bf06579895 Add RHEL 9 UI branding patch reference
The UI in RHEL has a different set of logos and different
background colors. Some direct adjustments were made that
are not buildable so apply them as a patch.

https://pagure.io/freeipa/issue/8669

Signed-off-by: Rob Crittenden <rcritten@redhat.com>
Reviewed-By: Alexander Bokovoy <abokovoy@redhat.com>
2021-02-09 09:49:22 -05:00
François Cami
fcfefe0a26 freeipa.spec: client: depend on libsss_sudo and sudo
On 10.10+ releases of Dogtag, the PKI installer will not depend
on sudo anymore. This opens the possibility of creating IPA servers
without a properly configured sudo.
In fact, even IPA clients should have sudo and libsss_sudo installed
in most cases, so add a weak dependency on both of them to the client
subpackage.
Also make sure libsss_sudo is installed if sudo is present.

Fixes: https://pagure.io/freeipa/issue/8530
Signed-off-by: François Cami <fcami@redhat.com>
Reviewed-By: Alexander Bokovoy <abokovoy@redhat.com>
Reviewed-By: Armando Neto <abiagion@redhat.com>
Reviewed-By: Michal Polovka <mpolovka@redhat.com>
2021-02-04 14:28:45 +01:00
Sergey Orlov
7363c4b203 ipatests: add a tests-oriented wrapper for pexpect module
The pexpect module can be used for controlling and testing interactive
command-line programs. The wrapper adds testing-oriented features like
logging and automatic process termination and default check for process
exit status.

Reviewed-By: Alexander Bokovoy <abokovoy@redhat.com>
2021-02-03 09:06:12 +02:00
Rob Crittenden
767232b478 Remove support for csrgen
This was never feature complete and currently has issues and
we lack the resources to maintain it.

Drop it for now. It can be revived from git history in the
future if we see the need.

https://pagure.io/freeipa/issue/8669

Signed-off-by: Rob Crittenden <rcritten@redhat.com>
Reviewed-By: Alexander Bokovoy <abokovoy@redhat.com>
2021-01-21 13:51:45 +01:00
Alexander Bokovoy
29f9041b1d Correct SELinux policy requirements
freeipa-selinux subpackage is used by both client and server but
requires freeipa-server subpackage unconditionally. This needs to be
removed.

Originally, upstream spec file did not have this bug. It was brought
in with unification of the specfiles.

Fixes: https://bugzilla.redhat.com/show_bug.cgi?id=1883005

Signed-off-by: Alexander Bokovoy <abokovoy@redhat.com>
2020-12-04 22:17:43 +02:00
Rob Crittenden
469274fafa Enable the ccache sweep systemd timer
The associated service doesn't need to be enabled. Enabling the
timer is suffient for it to execute. It requires the timers
service so will be ready automatically to run on the configured
period.

https://pagure.io/freeipa/issue/8589

Signed-off-by: Rob Crittenden <rcritten@redhat.com>
Reviewed-By: Alexander Bokovoy <abokovoy@redhat.com>
Reviewed-By: Francois Cami <fcami@redhat.com>
2020-12-03 16:57:01 -05:00
Rob Crittenden
c6644b8566 Generate a unique cache for each connection
Rather than having a shared ccache per user, configure
mod_auth_gssapi to create a unique one. This requires cleanup
to remove expired caches. A new script is added,
ipa-ccache-sweeper to do this. It will be invoked by a
new service, ipa-ccache-sweep, which will be executed every
12 hours by an equally-named timer.

https://pagure.io/freeipa/issue/8589

Signed-off-by: Rob Crittenden <rcritten@redhat.com>
Reviewed-By: Alexander Bokovoy <abokovoy@redhat.com>
Reviewed-By: Francois Cami <fcami@redhat.com>
2020-12-03 16:57:01 -05:00
Alexander Bokovoy
5ef2d717fc freeipa.spec.in: unify spec files across upstream RHEL, and Fedora
In order to reduce maintenance burden and to be able to use automatic
build tools, bring up the differences between RPM spec files in
upstream, RHEL, and Fedora to a minimum.

This gives us an opportunity to:

- start using proper conditional macros (%bcond_with/%bcond_without)
- remove old cruft where Fedora 31+ and RHEL8+ are already the same
- remove Group lines which already deprecated in Fedora packaging
  policy
- remove buildroot cleanup
- support release candidate designations: mostly affects downstreams but
  it is better to have macro support in the common spec file.

There is also a special handling of the %SOURCE1 (detached tarball
signature). In developer builds we wouldn't have the signature generated
but RPM needs all files mentioned as sources and patches to exist. The
solution is to filter out detached signature if the final component of
the IPA_VERSION starts with 'dev'. This should cover both in-source
builds (also used in Azure CI and COPR) and PR CI.

Signed-off-by: Alexander Bokovoy <abokovoy@redhat.com>
Reviewed-By: Thomas Woerner <twoerner@redhat.com>
Reviewed-By: Christian Heimes <cheimes@redhat.com>
Reviewed-By: Rob Crittenden <rcritten@redhat.com>
Reviewed-By: Armando Neto <abiagion@redhat.com>
2020-12-03 12:58:55 -05:00
Rob Crittenden
6816de0892 Require PKI 10.10+ for KRA profile and ACME support
https://pagure.io/freeipa/issue/8545
https://pagure.io/freeipa/issue/8524

Signed-off-by: Rob Crittenden <rcritten@redhat.com>
Reviewed-By: Florence Blanc-Renaud <flo@redhat.com>
2020-12-01 12:56:03 +01:00
Alexander Bokovoy
39d0dd332c spec: use pkgconf to find out krb5 version
In Fedora 33 RPM migrated to use SQLITE as its database format. When
COPR builders run on Fedora 33 and build a package for older Fedora
version that uses RPM with BDB backend, RPM inside the build environment
will not be able to open its own database (SQLITE).

Replace use of RPM to discover krb5 version by use of pkgconf which
provides the same output but doesn't need to look into RPM database.

Signed-off-by: Alexander Bokovoy <abokovoy@redhat.com>
Reviewed-By: Rob Crittenden <rcritten@redhat.com>
2020-11-17 18:48:24 +02:00
Robbie Harwood
2e382cdd02 Drop upper bound on krb5 version in freeipa.spec
This check is no longer needed now that krb5 exports the KDB version.

Signed-off-by: Robbie Harwood <rharwood@redhat.com>
Reviewed-By: Rob Crittenden <rcritten@redhat.com>
2020-11-17 18:48:24 +02:00