When ipa-server-install configures PKI, it provides a configuration file
with the parameter pki_ajp_host set to ::1. This parameter is used to configure
Tomcat redirection in /etc/pki/pki-tomcat/server.xml:
<Connector port="8009"
protocol="AJP/1.3"
redirectPort="8443"
address="::1" />
ie all requests to port 8009 are redirected to port 8443 on address ::1.
If the /etc/hosts config file does not define ::1 for localhost, then AJP
redirection fails and replica install is not able to request a certificate
for the replica.
Since PKI has been fixed (see PKI ticket 2570) to configure by default the AJP
redirection with "localhost", FreeIPA does not need any more to override
this setting.
The code now depends on pki 10.3.5-11 which provides the fix in the template
and the upgrade.
https://fedorahosted.org/freeipa/ticket/6575
Reviewed-By: Tomas Krizek <tkrizek@redhat.com>
DAL version 6.0 removed support for a callback to free principal.
This broke KDB drivers which had complex e_data structure within
the principal structure. As result, FreeIPA KDB driver was leaking
memory with DAL version 6.0 (krb5 1.15).
DAL version 6.1 added a special callback for freeing e_data structure.
See details at krb5/krb5#596
Restructure KDB driver code to provide this callback in case
we are built against DAL version that supports it. For DAL version
prior to 6.0 use this callback in the free_principal callback to
tidy the code.
Use explicit KDB version dependency in Fedora 26+ via BuildRequires.
With new DAL version, freeipa package will fail to build and
we'll have to add a support for new DAL version explicitly.
https://fedorahosted.org/freeipa/ticket/6619
Reviewed-By: Simo Sorce <ssorce@redhat.com>
Reviewed-By: Robbie Harwood <rharwood@redhat.com>
We do not want to generate runtime directories just because the packages
are installed, but only if the server is actually setup and run. Also this
will be needed later because we will create a user at install time and some
tmpfiles will need to be owned by this user.
As we are changing this code also rationalize the directory structure and
move it from the http rundir to the ipa specific rundir.
https://fedorahosted.org/freeipa/ticket/5959
Signed-off-by: Simo Sorce <simo@redhat.com>
Reviewed-By: Jan Cholasta <jcholast@redhat.com>
Stop using memcache, use mod_auth_gssapi filesystem based ccaches.
Remove custom session handling, use mod_auth_gssapi and mod_session to
establish and keep a session cookie.
Add loopback to mod_auth_gssapi to do form absed auth and pass back a
valid session cookie.
And now that we do not remove ccaches files to move them to the
memcache, we can avoid the risk of pollutting the filesystem by keeping
a common ccache file for all instances of the same user.
https://fedorahosted.org/freeipa/ticket/5959
Signed-off-by: Simo Sorce <simo@redhat.com>
Reviewed-By: Jan Cholasta <jcholast@redhat.com>
Since we started using 'Certificate.serial_number' instead of
'.serial' from python-cryptography, bump the required version
to the one where the above mentioned transition happened.
https://fedorahosted.org/freeipa/ticket/6631
Reviewed-By: Jan Cholasta <jcholast@redhat.com>
Fedora release bind-dyndb-ldap 11.0-2 transforms existing named.conf
old style API to the new style API. This package version is required
to enable upgrade of existing IPA installations to new version.
https://fedorahosted.org/freeipa/ticket/6565
Reviewed-By: Pavel Vomacka <pvomacka@redhat.com>
bynd-dyndb-ldap used a custom configuration file format. Since BIND 9.11,
an API was accepted upstream. This caused backward incompatible changes
to the named.conf configuration file used to configure the
bind-dyndb-ldap BIND plugin. Version 11.0 of bind-dyndb-ldap plugin and
BIND 9.11 are required to use with the new config file format.
https://fedorahosted.org/freeipa/ticket/6565
Reviewed-By: Martin Basti <mbasti@redhat.com>
pki-base provides pki-base-python2, but we should depend directly on
pki-base-python2 because in future pki-base may provide pki-base-python3
instead.
Source: cheimes@redhat.comhttps://fedorahosted.org/freeipa/ticket/4985
Reviewed-By: Christian Heimes <cheimes@redhat.com>
Reviewed-By: Jan Cholasta <jcholast@redhat.com>
FreeIPA server modules requires pki module
https://fedorahosted.org/freeipa/ticket/4985
Reviewed-By: Christian Heimes <cheimes@redhat.com>
Reviewed-By: Jan Cholasta <jcholast@redhat.com>
Adds a library that uses jinja2 to format a script that, when run, will
build a CSR. Also adds a CLI command, 'cert-get-requestdata', that uses
this library and builds the script for a given principal. The rules are
read from json files in /usr/share/ipa/csr, but the rule provider is a
separate class so that it can be replaced easily.
https://fedorahosted.org/freeipa/ticket/4899
Reviewed-By: Jan Cholasta <jcholast@redhat.com>
Neither pylint nor jsl is installed by default because rpm macro with_lint
is not defined in spec file. However, configure script tried to
find pylint/jsl anyway.
checking for Pylint... /usr/bin/python2: No module named pylint
configure: error: cannot find pylint for /usr/bin/python2
RPM build errors:
error: Bad exit status from /var/tmp/rpm-tmp.2GAFh4 (%build)
Bad exit status from /var/tmp/rpm-tmp.2GAFh4 (%build)
Resolves:
https://fedorahosted.org/freeipa/ticket/6604
Reviewed-By: Christian Heimes <cheimes@redhat.com>
Reviewed-By: Tomas Krizek <tkrizek@redhat.com>
in Py2 to_text method returns Py2 non-unicode string, but in Py3 to_text method
returns Py3 default (unicode) string. So only in Py2 we have to decode
str to unicode.
https://fedorahosted.org/freeipa/ticket/5935
Reviewed-By: Christian Heimes <cheimes@redhat.com>
Reviewed-By: Jan Cholasta <jcholast@redhat.com>
Revert from the current Release tag value `upstream` to the previously used
`0%{?dist}`, because:
* `0` sorts before `1`, which is usually used as the initial release number
in downstream packages,
* the information provided by `%{?dist}` is useful, as packages built on
one OS are not always installable on another OS.
https://fedorahosted.org/freeipa/ticket/6418
Reviewed-By: Stanislav Laznicka <slaznick@redhat.com>
RPM expands macros even inside comments in spec files, so the with_lint
macro is unintentionally always defined.
Escape the percent sign in '%global' in the comment to prevent this.
https://fedorahosted.org/freeipa/ticket/6418
Reviewed-By: Martin Babinsky <mbabinsk@redhat.com>
python3-samba is intentionally ommited because it is not in Fedora repos.
Pylint somehow magically ignores this missing package.
Keep in mind that server will not work until this this solved.
https://fedorahosted.org/freeipa/ticket/157
Reviewed-By: Martin Basti <mbasti@redhat.com>
Reviewed-By: Christian Heimes <cheimes@redhat.com>
Petr Viktorin recommended me to copy the whole build directory and run
configure twice, with different values for PYTHON variable.
After thinking a bit about that, it seems as cleanest approach.
Building for two versions of Python at the same time should be
temporary state so I decided not to complicate Autotools build system
with conditional spagetti for two versions of Python.
For proper Python2/3 distiction in the two separate builds, I added
find/grep/sed combo which replaces shebangs with system-wide Python
interpreter as necessary. This is workaround for the fact that FreeIPA
does not use setuptools properly. Honza told me that proper use of
setuptools is not trivial so we decided to go with this for now.
https://fedorahosted.org/freeipa/ticket/157
Reviewed-By: Martin Basti <mbasti@redhat.com>
Reviewed-By: Christian Heimes <cheimes@redhat.com>
Python-pyasn1-modules is needed because of this import:
from pyasn1_modules import rfc2459
in ipalib/x509.py.
Python-pyasn1-modules is required only by python-ldap package, but it would be
good to not rely on another package and rather say explicitely that
this package is necessary.
https://fedorahosted.org/freeipa/ticket/6398
Reviewed-By: Christian Heimes <cheimes@redhat.com>
python-cryptography versions < 1.3 no longer compile with recent OpenSSL
1.0.2 versions. In order to build wheels, a more recent version of
cryptography is required. 1.3.1 is the oldest well tested version (RHEL
7.3) that is known to work with FreeIPA.
Bump up in freeipa.spec is not required for technical reasons. The
problem only affects PyPI packages. It's policy to keep
requirements in sync.
https://fedorahosted.org/freeipa/ticket/6468
Signed-off-by: Christian Heimes <cheimes@redhat.com>
Reviewed-By: Martin Babinsky <mbabinsk@redhat.com>
The PyPI package for python-gssapi 1.1.x has a packaging bug. It depends on
enum34 for Python 3 although it is only required for 2.7. 1.2.0 is the
oldest version that has been tested at length by QE. It's know to work.
Bump up in freeipa.spec is not required for technical reasons. The
packaging bug only affects PyPI packages. It's policy to keep
requirements in sync.
https://fedorahosted.org/freeipa/ticket/6468
Signed-off-by: Christian Heimes <cheimes@redhat.com>
Reviewed-By: Martin Babinsky <mbabinsk@redhat.com>
The create_ipa_nssdb() and update_ipa_nssdb() depend on ipaplatform.
Move them to ipaclient.install.client as they are used only from the client
installer and ipa-restore.
https://fedorahosted.org/freeipa/ticket/6474
Reviewed-By: Stanislav Laznicka <slaznick@redhat.com>
The dnssec and secrets subpackages and the p11helper module depend on
ipaplatform.
Move them to ipaserver as they are used only on the server.
https://fedorahosted.org/freeipa/ticket/6474
Reviewed-By: Stanislav Laznicka <slaznick@redhat.com>
We now use standard framework generatedby "gettextize" utility.
It has two limitations which I do not consider sufficiently important
to invest into hand-made solution:
1. It can automatically gather strings only from files which have some
file extension like .c or .py. Right now we do not have any
translatable strings in Python files without extensions. Given that these
files will be removed from source tree and replaced with entry points
from setuptools I do not see a reason to invest into supporting this.
2. It does not automatically strip untranslated strings from po files.
This is a manual step in mainteiner's in workflow anyway so I will
add separate Makefile target for it later on.
This commit contains gettextize instrastructure + filled-in files
Makevars and POTFILES.in.
https://fedorahosted.org/freeipa/ticket/6418
Reviewed-By: Martin Basti <mbasti@redhat.com>
Reviewed-By: Christian Heimes <cheimes@redhat.com>
Reviewed-By: Lukas Slebodnik <lslebodn@redhat.com>
The module ipapython.dnssec.odsmgr is the only module in ipalib,
ipaclient, ipapython and ipaplatform that uses lxml.etree.
https://fedorahosted.org/freeipa/ticket/6469
Signed-off-by: Christian Heimes <cheimes@redhat.com>
Reviewed-By: Martin Basti <mbasti@redhat.com>
Add class hierarchy which allows inherting knob definitions between the
various client and server install scripts.
https://fedorahosted.org/freeipa/ticket/6392
Reviewed-By: Martin Basti <mbasti@redhat.com>
Use type(None) rather than bool to define knobs which are represented as
command line flags. This allows declaring both "--option" and
"--option={0,1}"-style command line options.
Use enum.Enum subclasses instead of set literals to declare enumerations.
Use typing.List[T] instead of (list, T) to declare lists. (Note that a
minimal reimplementation of typing.List is used instead of the Python 2
backport of the typing module due to non-technical reasons.)
Use CheckedIPAddress instead of 'ip' and 'ip-local' to declare IP
addresses.
https://fedorahosted.org/freeipa/ticket/6392
Reviewed-By: Martin Basti <mbasti@redhat.com>
This commit only moves the code from ipa-client-install to module
ipaclient/install/client.py and fixes PEP8.
https://fedorahosted.org/freeipa/ticket/6392
Reviewed-By: Stanislav Laznicka <slaznick@redhat.com>
The only useful file is /etc/ipa/kdcproxy/kdcproxy.conf so I've removed
the other copy of the file in /usr.
https://fedorahosted.org/freeipa/ticket/6418
Reviewed-By: Martin Basti <mbasti@redhat.com>
Reviewed-By: Christian Heimes <cheimes@redhat.com>
These directories were not used at all.
https://fedorahosted.org/freeipa/ticket/6418
Reviewed-By: Martin Basti <mbasti@redhat.com>
Reviewed-By: Christian Heimes <cheimes@redhat.com>
At the time of this writting
https://fedoraproject.org/wiki/Packaging:Guidelines#Manpages
says this:
When installing man pages, note that they should be installed uncompressed
as the build system will compress them as needed. The compression method
may change, so it is important to reference the pages in the %files section
with a pattern that takes this into account:
%{_mandir}/man1/foo.1*
Removing the compression also allows to remove several install-data-hook
targets from Makefile.am files.
https://fedorahosted.org/freeipa/ticket/6418
Reviewed-By: Martin Basti <mbasti@redhat.com>
Reviewed-By: Christian Heimes <cheimes@redhat.com>
Directory creating was moved from SPEC file to install-data-hook.
At the same time, it is using systemd-tmpfiles to create the directories
so we do not risk any inconsistency between SPEC file and tmpfilesd
configuration.
systemd-tmpfiles call is non-critical on purpose: The build would fail
when run under unprivileged user because systemd-tmpfiles tries to
change ownership. Luckily it creates all the files and just do not
change ownership so it works even under unprivileged user.
Interestingly, systemd-tmpfiles continues if user does not have
sufficient permissions to change ownership but fails if target username
does not exist at all. For this reason there is BuildRequires on httpd.
https://fedorahosted.org/freeipa/ticket/6418
Reviewed-By: Martin Basti <mbasti@redhat.com>
Reviewed-By: Christian Heimes <cheimes@redhat.com>
At the same time, I've renamed tmpfilesd config file to static name
"ipa.conf" instead of using package-specific name. It had no purpose
and just complicated build and packaging.
Variable substitution into configuration has to be done in Makefile
and not in Autoconf as documented in:
Autoconf v2.69 manual chapter 4.8.2 Installation Directory Variables:
... Most of these variables have values that rely on prefix or
exec_prefix. ... Similarly, you should not rely on AC_CONFIG_FILES
to replace bindir and friends in your shell scripts and other files;
instead, let make manage their replacement.
https://fedorahosted.org/freeipa/ticket/6418
Reviewed-By: Martin Basti <mbasti@redhat.com>
Reviewed-By: Christian Heimes <cheimes@redhat.com>
BASH completion is now installed by make install.
https://fedorahosted.org/freeipa/ticket/6418
Reviewed-By: Martin Basti <mbasti@redhat.com>
Reviewed-By: Christian Heimes <cheimes@redhat.com>
The name from configure.ac is used when generating tarball.
https://fedorahosted.org/freeipa/ticket/6418
Reviewed-By: Martin Basti <mbasti@redhat.com>
Reviewed-By: Christian Heimes <cheimes@redhat.com>
This version builds only one version of Python packages. If you want to
build for Python 2 & 3 call configure twice using different --with-python
or specify PYTHON variable when calling make.
dist-hook is using SOURCES.txt file from egg-info.
According to Petr Viktorin this should be enough for our purposes
and avoids need to create plugins for setuptools.
Currently VPATH builds do not work for various reasons.
This should be fixed later on.
Most credit goes to these guys:
Christian Heimes <cheimes@redhat.com>
Petr Viktorin <pviktori@redhat.com>
Kevin Brown <kevin@kevin-brown.com>
https://fedorahosted.org/freeipa/ticket/6418
Reviewed-By: Martin Basti <mbasti@redhat.com>
Reviewed-By: Christian Heimes <cheimes@redhat.com>
The neither build nor dist targets work completely. This is temporary
breakage enabling further work.
https://fedorahosted.org/freeipa/ticket/6418
Reviewed-By: Martin Basti <mbasti@redhat.com>
Reviewed-By: Christian Heimes <cheimes@redhat.com>
Version information is now in VERSION.m4 instead of VERSION.
Makefile target version-update was minimized and configure can be run
before make. Makefile temporarily contains hardcoded version which has
to match the one specified in VERSION.m4.
This is preparatory step which will allow us to replace hand-made
Makefile with one generated by Automake.
https://fedorahosted.org/freeipa/ticket/6418
Reviewed-By: Martin Basti <mbasti@redhat.com>
Reviewed-By: Christian Heimes <cheimes@redhat.com>
On pwpolicy module import, "klist -V" is run to determine if the installed
krb5 version supports account lockout (>= 1.8).
Remove the check, as we require a krb5 version which does support account
lockout (1.12).
https://fedorahosted.org/freeipa/ticket/6418
Reviewed-By: Petr Spacek <pspacek@redhat.com>
Reviewed-By: Martin Basti <mbasti@redhat.com>
The configure script checks for libcurl, but it is never actually used
anywhere.
https://fedorahosted.org/freeipa/ticket/6418
Reviewed-By: Petr Spacek <pspacek@redhat.com>
Reviewed-By: Martin Basti <mbasti@redhat.com>
