Commit Graph

672 Commits

Author SHA1 Message Date
Florence Blanc-Renaud
a425448914 Fix expected file permissions for ghost files
File permissions from the rpm freeipa-server-common and
freeipa-client-common do not match the runtime permissions. This results
in mode failures on rpm -Va.
Fix the expected file permissions on rpm spec file for
/var/lib/ipa/pki-ca/publish
/var/named/dyndb-ldap/ipa
/etc/ipa/pwdfile.txt
/etc/pki/ca-trust/source/ipa.p11-kit
(new format SQLite)
/etc/ipa/nssdb/cert9.db
/etc/ipa/nssdb/key4.db
/etc/ipa/pkcs11.txt
(old format DBM)
/etc/ipa/cert8.db
/etc/ipa/key3.db
/etc/ipa/secmod.db

The commit also fixes the file permissions for
/etc/httpd/conf.d/ipa-pki-proxy.conf (644)
during server installation, and the group ownership.

Fixes: https://pagure.io/freeipa/issue/7934
Reviewed-By: Rob Crittenden <rcritten@redhat.com>
Reviewed-By: Christian Heimes <cheimes@redhat.com>
2019-05-16 14:28:00 +02:00
Alexander Bokovoy
b7533d9c5f Use nodejs 1.10 to avoid current issues with nodejs 1.11 in Fedora 30
Reviewed-By: Christian Heimes <cheimes@redhat.com>
Reviewed-By: Rob Crittenden <rcritten@redhat.com>
2019-05-14 14:52:29 -04:00
Christian Heimes
beffa7bcda Move Custodia secrets handler to scripts
Implement the import and export handlers for Custodia keys as external
scripts. It's a prerequisite to drop DAC override permission and proper
SELinux rules for ipa-custodia.

Except for DMLDAP,  handlers no longer run as root but as handler
specific users with reduced privileges. The Dogtag-related handlers run
as pkiuser, which also help with HSM support.

The export and import handles are designed to be executed by sudo, too.
In the future, ipa-custodia could be executed as an unprivileged process
that runs the minimal helper scripts with higher privileges.

Fixes: https://pagure.io/freeipa/issue/6888
Signed-off-by: Christian Heimes <cheimes@redhat.com>
Reviewed-By: Alexander Bokovoy <abokovoy@redhat.com>
2019-04-26 12:09:22 +02:00
Christian Heimes
3f9e23f125 Add ExecStartPost hook to wait for Dogtag PKI
Dogtag PKI typically takes around 10 seconds to start and respond to
requests. Dogtag uses a simple systemd service, which means systemd is
unable to detect when Dogtag is ready. Commands like ``systemctl start``
and ``systemctl restart`` don't block and wait until the CA is up. There
have been various workarounds in Dogtag and IPA.

Systemd has an ExecStartPost hook to run programs after the main service
is started. The post hook blocks systemctl start and restart until all
post hooks report ready, too. The new ipa-pki-wait-running script polls
on port 8080 and waits until the CA subsystem returns ``running``.

Related: https://pagure.io/freeipa/issue/7916
Signed-off-by: Christian Heimes <cheimes@redhat.com>
Reviewed-By: Alexander Bokovoy <abokovoy@redhat.com>
2019-04-24 09:09:28 +02:00
Christian Heimes
f847d7756f Use new pki_ipaca.ini to spawn instances
Note: Some configuration stanzas are deprecated and have been replaced
with new stanzas, e.g. pki_cert_chain_path instead of
pki_external_ca_cert_chain_path.

Fixes: https://pagure.io/freeipa/issue/5608
Signed-off-by: Christian Heimes <cheimes@redhat.com>
Reviewed-By: Fraser Tweedale <ftweedal@redhat.com>
Reviewed-By: Alexander Bokovoy <abokovoy@redhat.com>
2019-04-10 13:43:23 +02:00
Fraser Tweedale
98b7fbec5f Fix installation when CA subject DN has escapes
There were several bugs across several projects preventing
installation when the CA subject DN contains characters that need
escaping in the string representation, e.g.

  CN=Certificate Authority,O=Acme\, Inc.,ST=Massachusetts,C=US

The package versions containing relevant fixes are:

- 389-ds-base 1.4.0.20 (we already require >= 1.4.0.21)
- pki-core 10.5.5 (we already require >= 10.6.8)
- certmonger 0.79.7 (this commit bumps the dependency)

With this change, installation will now work.  Integration tests are
left for a subsequent commit.

Fixes: https://pagure.io/freeipa/issue/7347
Reviewed-By: Christian Heimes <cheimes@redhat.com>
2019-03-29 10:23:32 +01:00
Florence Blanc-Renaud
0d23fa9278 CRL generation master: new utility to enable|disable
Implement a new command ipa-clrgen-manage to enable, disable, or check
the status of CRL generation on the localhost.
The command automates the manual steps described in the wiki
https://www.freeipa.org/page/Howto/Promote_CA_to_Renewal_and_CRL_Master

Fixes: https://pagure.io/freeipa/issue/5803
Reviewed-By: Rob Crittenden <rcritten@redhat.com>
Reviewed-By: Francois Cami <fcami@redhat.com>
2019-03-14 09:39:55 +01:00
Christian Heimes
d4d0b8a046 Update build requirements on twine
On Fedora >= 29 the command 'twine' is provied by the twine package. On
F28 it's in python3-twine. F30 no longer has python3-twine.

Signed-off-by: Christian Heimes <cheimes@redhat.com>
Reviewed-By: Alexander Bokovoy <abokovoy@redhat.com>
2019-02-07 13:21:18 +01:00
Christian Heimes
0b17ae905a Require 389-ds 1.4.0.21
1.4.0.21 fixes a problem with create_suffix_entry and uses
os.path.expanduser() instead of getenv('HOME').

See: https://pagure.io/389-ds-base/pull-request/50121
See: https://pagure.io/389-ds-base/issue/49984
See: https://pagure.io/389-ds-base/issue/50152
Signed-off-by: Christian Heimes <cheimes@redhat.com>
Reviewed-By: Rob Crittenden <rcritten@redhat.com>
2019-02-04 14:24:15 -05:00
Christian Heimes
c26cb5afde Require krb5 with fix for CVE-2018-20217
A Reachable Assertion issue was discovered in the KDC in MIT Kerberos 5
(aka krb5) before 1.17. If an attacker can obtain a krbtgt ticket using
an older encryption type (single-DES, triple-DES, or RC4), the attacker
can crash the KDC by making an S4U2Self request.

1.16.1-24 comes without Fix-bugs-with-concurrent-use-of-MEMORY-ccaches,
which caused a regression with IPA.

See: https://nvd.nist.gov/vuln/detail/CVE-2018-20217
Signed-off-by: Christian Heimes <cheimes@redhat.com>
Reviewed-By: Alexander Bokovoy <abokovoy@redhat.com>
2019-01-11 12:00:31 +01:00
Christian Heimes
8276caf865 Don't use Python dependency generator yet
Fedora 30 started to have python_enable_dependency_generator by default.
Some packages like python3-dbus don't have the new dist names yet. This
fix enables testing on rawhide.

https://docs.fedoraproject.org/en-US/packaging-guidelines/Python/

Signed-off-by: Christian Heimes <cheimes@redhat.com>
Reviewed-By: Alexander Bokovoy <abokovoy@redhat.com>
2019-01-10 12:57:14 +01:00
Christian Heimes
670bcc0113 Require 389-DS = 1.4.0.16
CI is failing with 389-DS 1.4.0.20-1. Pin dependency to 1.4.0.16 for
now.

Note: RPM/DNF don't like a pin with dash. Therefore I had to change
ds_version from 1.4.0.16-1 to 1.4.0.16.

Fixes: https://github.com/freeipa/freeipa/pull/2731
See: https://pagure.io/389-ds-base/pull-request/50121
Signed-off-by: Christian Heimes <cheimes@redhat.com>
Reviewed-By: Thomas Woerner <twoerner@redhat.com>
2019-01-08 17:25:56 +01:00
Christian Heimes
d710734247 Require 3.41.0-3 on Fedora 28
nss-3.41.0-3.fc28 fixes an issue with p11-kit crypto policy that caused
OpenLDAP to fail when SoftHSM2 is installed. The build is available in
Fedora updates-testing and @freeipa/freeipa-master COPR.

nss-3.41.0-1.fc29 is available in F29 stable.

See: https://pagure.io/freeipa/issue/7810
Signed-off-by: Christian Heimes <cheimes@redhat.com>
Reviewed-By: Florence Blanc-Renaud <frenaud@redhat.com>
2018-12-17 13:35:13 +01:00
Christian Heimes
07e6d5148e Require Dogtag PKI 10.6.8-3
pki-core 10.6.7 was unpushed and never landed in Fedora stable. The
latest release is 10.6.8-3 with additional fixes. The new versions are
in testing and FreeIPA's master COPR.

Also remove dependency on JSS. The dependency was originally added as a
workaround. The pki-core package already requires a newer version of JSS.

Fixes: https://pagure.io/freeipa/issue/7654
Signed-off-by: Christian Heimes <cheimes@redhat.com>
Reviewed-By: Alexander Bokovoy <abokovoy@redhat.com>
2018-12-05 11:35:45 +01:00
Florence Blanc-Renaud
1ec404fafe freeipa.spec.in: add BuildRequires for python3-lib389
freeipa.spec.in is missing BuildRequires for python3-lib389. The
consequence is that make fasttest is failing.

Fixes https://pagure.io/freeipa/issue/7767

Reviewed-By: Christian Heimes <cheimes@redhat.com>
2018-11-16 09:22:48 +01:00
Christian Heimes
3abfaa5754 Require pylint 2.1.1-2
pylint 2.1.1-2 contains a backport of pylint's fix for RHBZ#1648299:

  is_subclass_of fails with AttributeError: 'NoneType' object has no
  attribute 'name'

pylint 2.1.1-2 is in @freeipa/freeipa-master COPR.

See: https://github.com/PyCQA/pylint/pull/2429
See: https://bugzilla.redhat.com/show_bug.cgi?id=1648299
Signed-off-by: Christian Heimes <cheimes@redhat.com>
Reviewed-By: Alexander Bokovoy <abokovoy@redhat.com>
2018-11-13 13:37:58 +01:00
Christian Heimes
a606b44f3a Drop dependency on 389-ds-base-legacy-tools
Signed-off-by: Christian Heimes <cheimes@redhat.com>
Reviewed-By: Alexander Bokovoy <abokovoy@redhat.com>
2018-11-13 12:07:27 +01:00
Stanislav Laznicka
ed955d14d3 Move lib389 imports to module scope
Reviewed-By: Alexander Bokovoy <abokovoy@redhat.com>
2018-11-13 12:07:27 +01:00
Christian Heimes
ec208e9719 Require Dogtag 10.6.7-3
10.6.7-3 fixes a problem with ipa-ca-install and ipa-kra-install on
replicas.

See: https://pagure.io/dogtagpki/issue/3073
Reviewed-By: Christian Heimes <cheimes@redhat.com>
Reviewed-By: Rob Crittenden <rcritten@redhat.com>
2018-10-26 21:37:39 +02:00
Fraser Tweedale
4b920df483 Restore KRA clone installation integration test
This Dogtag issue that caused KRA clone installation failure in some
scenarios has been fixed (https://pagure.io/dogtagpki/issue/3055).
This reverts commit 2488813260 and
bumps the pki-core dependency.

Fixes: https://pagure.io/freeipa/issue/7654
Reviewed-By: Christian Heimes <cheimes@redhat.com>
Reviewed-By: Rob Crittenden <rcritten@redhat.com>
2018-10-26 21:37:39 +02:00
Florence Blanc-Renaud
3eac88a433 Bump requires 389-ds-base
ipa-replica-install sometimes fails with
--
[28/41]: setting up initial replication
Starting replication, please wait until this has completed.
[ldap://master.ipa.test:389] reports: Replica Busy! Status: [Error (1) Replication error acquiring replica: replica busy]
 [error] RuntimeError: Failed to start replication
--
which is caused by a 389-ds issue
(https://pagure.io/389-ds-base/issue/49818)
Bump requires to include the fix.

Fixes: https://pagure.io/freeipa/issue/7642
Reviewed-By: Christian Heimes <cheimes@redhat.com>
2018-10-15 10:20:25 +02:00
Christian Heimes
4b60bc3814 Lint yaml and RPM spec
Let's catch broken YAML files (Travis, PR-CI) and spec file early.

- Use rpmlint to detect syntax errors in spec file early
- Attempt to parse all YAML files with PyYAML

Signed-off-by: Christian Heimes <cheimes@redhat.com>
Reviewed-By: Florence Blanc-Renaud <frenaud@redhat.com>
2018-10-01 08:30:10 +02:00
Christian Heimes
78c722d4c3 Require sssd-ipa instead of sssd meta pkg
The sssd meta package pulls in additional dependencies that are not
required by IPA clients. Only depend on sssd-ipa.

Also update SSSD to 1.16.3-2 with fixes with support for One-Way Trust
authenticated by trust secret.

See: https://bugzilla.redhat.com/show_bug.cgi?id=1345975
See: https://pagure.io/freeipa/issue/7710
Signed-off-by: Christian Heimes <cheimes@redhat.com>
Reviewed-By: Alexander Bokovoy <abokovoy@redhat.com>
2018-09-27 15:35:35 +02:00
Stanislav Levin
30bcad4ce3 Clean up reset_password.js file from project
reset_password.js is no longer needed as it's functionality is moved
to "login" plugin.

Fixes: https://pagure.io/freeipa/issue/7619
Reviewed-By: Petr Vobornik <pvoborni@redhat.com>
Reviewed-By: Serhii Tsymbaliuk <stsymbal@redhat.com>
2018-09-12 12:41:19 +02:00
Rob Crittenden
7da50cf461 Update required version of dogtag to detect when FIPS is available
When it was checking for FIPS it assumed that /proc/sys/crypto
existed which it doesn't in some containers and on Ubuntu.

This was updated in dogtag, this change is just to pull in the
fix.

https://pagure.io/freeipa/issue/7608

Reviewed-By: Florence Blanc-Renaud <flo@redhat.com>
2018-09-12 10:37:57 +02:00
Christian Heimes
21f14e9893 Remove Python 2 support and packages
Remove Python 2 related code and configuration from spec file, autoconf
and CI infrastructure. From now on, FreeIPA 4.8 requires at least Python
3.6. Python 2 packages like python2-ipaserver or python2-ipaclient are
no longer available. PR-CI, lint, and tox aren't testing Python 2
compatibility either.

See: https://fedoraproject.org/wiki/Changes/FreeIPA_Python_2_Removal
Fixes: https://pagure.io/freeipa/issue/7568
Signed-off-by: Christian Heimes <cheimes@redhat.com>
Reviewed-By: Rob Crittenden <rcritten@redhat.com>
Reviewed-By: Tibor Dudlak <tdudlak@redhat.com>
2018-09-06 17:39:00 +02:00
Thomas Woerner
1d3c308bf1 Adapt freeipa.spec.in for latest Fedora, fix python2 ipatests packaging bug
New autoreconf -ivf call before configure

Reviewed-By: Christian Heimes <cheimes@redhat.com>
2018-09-05 11:46:31 +02:00
Michal Reznik
90203fb044
Add "389-ds-base-legacy-tools" to requires.
"389-ds-base-legacy-tools" needs to be added to requires until
the switch to python installer is completed.

Reviewed-By: Tibor Dudlak <tdudlak@redhat.com>
2018-08-31 12:30:46 +02:00
Stanislav Levin
9f6d5322dd Clean up migration "error" and "invalid" pages from project
Migration error/invalid html pages are no longer needed as their
functionality was moved to "migrate" plugin.

Fixes: https://pagure.io/freeipa/issue/7641
Reviewed-By: Alexander Bokovoy <abokovoy@redhat.com>
Reviewed-By: Petr Vobornik <pvoborni@redhat.com>
Reviewed-By: Serhii Tsymbaliuk <stsymbal@localhost.localdomain>
2018-08-27 17:10:32 +02:00
Thomas Woerner
f6fa2e94e4 Do not install ipa-replica-prepare
ipa-replica-prepare (script and man page) is only needed for DL0 support.
The script and man page are not installed anymore and also removed from
the spec file.

See: https://pagure.io/freeipa/issue/7669
Signed-off-by: Thomas Woerner <twoerner@redhat.com>
Reviewed-By: Christian Heimes <cheimes@redhat.com>
2018-08-13 12:35:06 +02:00
Christian Heimes
34fe4b1dd4 Remove needless use of %defatt
Original patch by Jason Tibbitts <tibbs@math.uh.edu>
See: 9cdadfb7d0
Signed-off-by: Christian Heimes <cheimes@redhat.com>
Reviewed-By: Alexander Bokovoy <abokovoy@redhat.com>
2018-07-17 16:52:31 +02:00
Christian Heimes
653f327b6a Add more RHEL customizations to spec file
- Handle name / alt name for Fedora and RHEL. On Fedora, the packages
  are named "freeipa-*" with alternative names "ipa-*". On RHEL it is
  the other way around.
- Don't build ipatests on RHEL.
- Use latest versions of KRB5 on RHEL

Signed-off-by: Christian Heimes <cheimes@redhat.com>
Reviewed-By: Alexander Bokovoy <abokovoy@redhat.com>
2018-07-17 16:52:31 +02:00
Christian Heimes
7dadedc16b Use python2_sitelib in spec file
%{python_sitelib} has been deprecated in favor of %{python2_sitelib}.
F29 rawhide no longer defines %{python_sitelib}.

Signed-off-by: Christian Heimes <cheimes@redhat.com>
Reviewed-By: Alexander Bokovoy <abokovoy@redhat.com>
2018-07-17 16:52:31 +02:00
Christian Heimes
6a2e6864fa Fedora 29: No longer build python2-ipaserver
Some Python 2 dependencies such as python2-pki are no longer available
on Fedora 29. The pki package is a required dependency of
python2-ipaserver. It's not yet feasible to remove all Python 2
packages, since fleetcommander is not fully ported to Python 3 yet.

On Fedora 29, python2-ipaserver and python2-ipatests are no longer
built. The Python 3 packages replace the Python 2 packages.

Signed-off-by: Christian Heimes <cheimes@redhat.com>
Reviewed-By: Alexander Bokovoy <abokovoy@redhat.com>
2018-07-16 12:23:48 +02:00
Petr Vobornik
df95ba5983 WebUI build: use NodeJS instead of Rhino
Rhino is no longer mainstream, nor is Nashorn. In addition it is quite
slow (about 10x) in comparison to NodeJS. Over the years NodeJS became
common part of OSes, thus one of the original reasons why use Rhino
went away.

The change in 01-Make-dojo-builder-buildable-by-itself.patch fixes
an incorrect change of the patch (it was not processing input options
well).

Removing configRhino.js and adding configNode.js are prerequisites
for Dojo Builder. These files are copied from Dojo project. Without
them it doesn̈́'t run. In long run, it would be good to replace Dojo
builder with something else but that is outside of this commit/PR.

Last changes are preparation for update to latest stable version of
Dojo 1. The updated Dojo and Dojo builder are in subsequent commit.

Reviewed-By: Armando Neto <abiagion@redhat.com>
2018-07-12 15:38:01 +02:00
Petr Vobornik
ca7cece133 WebUI build: replace uglifyjs with system package
UgligyJS is packaged in Fedora and other OSes it is no longer required
to carry our own version. This will lower the maintanance burden - the
code doesn't need to be updated and it is less code to have in repo.

On some configuration usage of the budled UglifyJS 1 produces
"JavaScript throw: java.lang.StackOverflowError" exception. Usage of more
recent version should fix it.

Reviewed-By: Armando Neto <abiagion@redhat.com>
2018-07-12 15:38:01 +02:00
Christian Heimes
9c86d35a3f Cleanup shebang and executable bit
- Add missing executable bits to all scripts
- Remove executable bits from all files that are not scripts,
  e.g. js, html, and Python libraries.
- Remove Python shebang from all Python library files.

It's frown upon to have executable library files in site-packages.

Signed-off-by: Christian Heimes <cheimes@redhat.com>
Reviewed-By: Armando Neto <abiagion@redhat.com>
2018-07-05 19:46:42 +02:00
Christian Heimes
a7627a7d8a Require JSS 4.4.5 with replication fixes
JSS fixes two issues related to cert replication and trust flags. The
bugs causes the replicated NSS DB to miss public key entries.

See: https://github.com/dogtagpki/jss/pull/13
See: https://github.com/dogtagpki/jss/pull/15
Fixes: https://pagure.io/freeipa/issue/7590
Fixes: https://pagure.io/freeipa/issue/7589
Signed-off-by: Christian Heimes <cheimes@redhat.com>
Reviewed-By: Rob Crittenden <rcritten@redhat.com>
Reviewed-By: Stanislav Laznicka <slaznick@redhat.com>
2018-07-04 09:32:54 +02:00
Florence Blanc-Renaud
0b794cd43b fix dependency for *-domainname.service file
FreeIPA has a dependency on /usr/lib/systemd/system/*-domainname.service
file. In fedora <=28, this is provided by package 'initscripts'
but in fedora >= 29, this is provided by package 'hostname'.

Fixes:
https://pagure.io/freeipa/issue/7591

Reviewed-By: Tibor Dudlak <tdudlak@redhat.com>
2018-06-19 18:06:56 +02:00
Christian Heimes
7d12bbb99b Use python3-lesscpy 0.13.0
Require python-lesscpy 0.13. with Python 3 fix and use py3-lesscpy to
compile ipa.css.

python2-lesscpy was the last Python 2 dependency.

Fixes: https://pagure.io/freeipa/issue/7585
Signed-off-by: Christian Heimes <cheimes@redhat.com>
Reviewed-By: Rob Crittenden <rcritten@redhat.com>
2018-06-14 09:04:06 +02:00
Christian Heimes
390251d3dd
Always build Python 3 packages
Remove with_python3 checks and always build Python 3 packages.

Co-authored-by: Stanislav Laznicka <slaznick@redhat.com>
Signed-off-by: Christian Heimes <cheimes@redhat.com>
Reviewed-By: Stanislav Laznicka <slaznick@redhat.com>
Reviewed-By: Rob Crittenden <rcritten@redhat.com>
2018-06-11 08:44:18 +02:00
Christian Heimes
ed52baba0d
Make Python 2 build dependency optional
The specfile now uses three variables to determinate how to handle
Python support.

with_python2: build python2-ipa* packages
with_python3: build python3-ipa* packages
with_default_python: use Python 3 or 2 for commands and packages

"with_default_python=3" is the default build flavor. "with_python3=0"
implies "with_default_python=2". Python 2 packages are still built on
Fedora by default.

The patch also cleans up and fixes additional issues:

* makeapi/makeaci require Python 3
* remove checks for unsupported distros like F27
* sort dependencies and remove duplicates
* remove python3-memcached dependency
* remove svrcore-devel dependency
* don't assume that gcc, make, and pkgconfig are provided by default
* fix packaging bug with ipa-test-* commands. Unversioned ipa-run-test
  were packages with Python 2 RPMs although they had a Python 3 shebang.

Fixes: https://bugzilla.redhat.com/show_bug.cgi?id=1565263
Fixes: https://pagure.io/freeipa/issue/7500
Signed-off-by: Christian Heimes <cheimes@redhat.com>
Reviewed-By: Stanislav Laznicka <slaznick@redhat.com>
Reviewed-By: Rob Crittenden <rcritten@redhat.com>
2018-06-11 08:44:18 +02:00
Christian Heimes
992a5f4823 Move client templates to separate directory
PR https://github.com/freeipa/freeipa/pull/1747 added the first template
for FreeIPA client package. The template file was added to server
templates, which broke client-only builds.

The template is now part of a new subdirectory for client package shared
data.

Signed-off-by: Christian Heimes <cheimes@redhat.com>
Reviewed-By: Rob Crittenden <rcritten@redhat.com>
2018-06-05 16:34:27 -04:00
Christian Heimes
fb16bc933c Require JSS 4.4.4 with fix for sub CA replication
The SQL backend of NSS behaves differently than the DBM backend.
Specifically PK11_UnwrapPrivateKey generates a different CKA_ID. JSS 4.4.4
contains a workaround for broken sub CA replication.

Note: FreeIPA doesn't depend on JSS directly. The version requirement
was added to update JSS to a working version

See: https://bugzilla.redhat.com/show_bug.cgi?id=1583140
Fixes: https://pagure.io/freeipa/issue/7536
Signed-off-by: Christian Heimes <cheimes@redhat.com>
Reviewed-By: Fraser Tweedale <ftweedal@redhat.com>
2018-05-30 08:18:40 +02:00
Christian Heimes
8e165480ac Use GnuPG 2 for backup/restore
ipa-backup and ipa-restore now use GnuPG 2 for asymmetric encryption, too.
The gpg2 command behaves a bit different and requires a gpg2 compatible
config directory. Therefore the --keyring option has been deprecated.

The backup and restore tools now use root's GPG keyring by default.
Custom configuration and keyring can be used by setting GNUPGHOME
environment variables.

Fixes: https://pagure.io/freeipa/issue/7560
Signed-off-by: Christian Heimes <cheimes@redhat.com>
Reviewed-By: Rob Crittenden <rcritten@redhat.com>
2018-05-27 16:05:50 +02:00
Christian Heimes
dbc3788405 Use GnuPG 2 for symmentric encryption
The /usr/bin/gpg command is old, legacy GnuPG 1.4 version. The
recommended version is GnuPG 2 provided by /usr/bin/gpg2. For simple
symmentric encryption, gpg2 is a drop-in replacement for gpg.

Fixes: https://pagure.io/freeipa/issue/7560
Signed-off-by: Christian Heimes <cheimes@redhat.com>
Reviewed-By: Rob Crittenden <rcritten@redhat.com>
2018-05-27 16:05:50 +02:00
Christian Heimes
59ea580046 Require python-ldap >= 3.1.0
python-ldap 3.1.0 fixes a segfault caused by a reference counting bug.

See: https://pagure.io/freeipa/issue/7324
Signed-off-by: Christian Heimes <cheimes@redhat.com>
Reviewed-By: Alexander Bokovoy <abokovoy@redhat.com>
Reviewed-By: Rob Crittenden <rcritten@redhat.com>
2018-05-25 20:44:01 +02:00
Christian Heimes
c17ba11cba Require Dogtag 10.6.1
Dogtag 10.6.1 contains fixes for external CA support.

See: http://pagure.io/dogtagpki/issue/3005
See: http://pagure.io/dogtagpki/issue/3007
See: http://pagure.io/dogtagpki/issue/3008
Fixes: https://bugzilla.redhat.com/show_bug.cgi?id=1573094
Fixes: https://pagure.io/freeipa/issue/7516
Signed-off-by: Christian Heimes <cheimes@redhat.com>
Reviewed-By: Rob Crittenden <rcritten@redhat.com>
2018-05-07 16:21:10 +02:00
Christian Heimes
880d9b4134 Require nss with fix for nickname bug
nss 3.36.1-1.1 addresses a bug in the shared SQL database layer. A nicknames
of certificates are no longer changed when a certificate is imported
multiple times under different name.

Partly revert commit ad2eb3d09b with fix
for https://pagure.io/freeipa/issue/7498. The root cause for the bug has
been addressed by the NSS release.

See: https://pagure.io/freeipa/issue/7516
See: https://pagure.io/freeipa/issue/7498
See: https://bugzilla.redhat.com/show_bug.cgi?id=1568271
Signed-off-by: Christian Heimes <cheimes@redhat.com>
Reviewed-By: Stanislav Laznicka <slaznick@redhat.com>
2018-05-04 12:03:43 +02:00
Christian Heimes
1c1089c44d ipa-client package needs sssd-tool
Commit ccec8c6c41 add a call to sssctl but
the providing package sssd-tools was not added to ipa-client package.
The tool is not need to build packages.

See: https://pagure.io/freeipa/issue/7376
Signed-off-by: Christian Heimes <cheimes@redhat.com>
Reviewed-By: Stanislav Laznicka <slaznick@redhat.com>
2018-05-03 14:25:36 +02:00