Commit Graph

95 Commits

Author SHA1 Message Date
Peter Keresztes Schmidt
f6940772dd ipa-join: select {JSON,XML}-RPC at build time
Related: https://pagure.io/freeipa/issue/7966
Reviewed-By: Christian Heimes <cheimes@redhat.com>
Reviewed-By: Rob Crittenden <rcritten@redhat.com>
Reviewed-By: Alexander Bokovoy <abokovoy@redhat.com>
2020-07-09 14:17:47 +03:00
Peter Keresztes Schmidt
25205f44a1 ipa-join: switch to jansson for json handling
Additionally JSON-RPC should bail out if host is already joined.
Check HTTP status of JSON-RPC request and report 401 Unauthorized error explicitly.

Related: https://pagure.io/freeipa/issue/7966
Reviewed-By: Christian Heimes <cheimes@redhat.com>
Reviewed-By: Rob Crittenden <rcritten@redhat.com>
Reviewed-By: Alexander Bokovoy <abokovoy@redhat.com>
2020-07-09 14:17:47 +03:00
Alexandre Mulatinho
6e414d2291 ipa-join: allowing call with jsonrpc into freeipa API
Adding JSON-C and LibCURL library into configure.ac and Makefile.am

Creating a API call with option '-j' or '--jsonrpc' to make host join
on FreeIPA with JSONRPC and libCURL.

Related: https://pagure.io/freeipa/issue/7966
Signed-off-by: Alexandre Mulatinho <alex@mulatinho.net>
Reviewed-By: Christian Heimes <cheimes@redhat.com>
Reviewed-By: Rob Crittenden <rcritten@redhat.com>
Reviewed-By: Alexander Bokovoy <abokovoy@redhat.com>
2020-07-09 14:17:47 +03:00
Christian Heimes
a18d406b56 Move ipa-epn systemd files and run RPM hooks
The init/systemd directory is for server only and not part of
CLIENT_ONLY builds.

It's necesary to run pre/post installation hooks to make systemd aware
of new files.

Fixes: https://pagure.io/freeipa/issue/8367
Signed-off-by: Christian Heimes <cheimes@redhat.com>
Reviewed-By: Rob Crittenden <rcritten@redhat.com>
Reviewed-By: Francois Cami <fcami@redhat.com>
2020-06-11 17:27:31 +02:00
Christian Heimes
be47ec9799 libotp: Replace NSS with OpenSSL HMAC
Use OpenSSL's HMAC API instead of NSS.

Fixes: Fixes: https://pagure.io/freeipa/issue/6857
Signed-off-by: Christian Heimes <cheimes@redhat.com>
Reviewed-By: Alexander Bokovoy <abokovoy@redhat.com>
2020-06-08 20:04:18 +03:00
Alexander Bokovoy
23a49538f1 ipa-print-pac: acquire and print PAC record for a user
Helper utility to investigate PAC content of users in trusted
environments. Supports direct ticket acquisition and S4U2Self protocol
transition.

1. Direct ticket acquisition

In direct ticket acquisition mode the utility first does one of the
following actions:
 - obtain a TGT ticket for a user principal using supplied password
 - import existing TGT from a default credentials cache

Once a user TGT is available, the utility will attempt to acquire a service
ticket to a service which key is specified in a keytab (default or
passed with --keytab option) and simulate establishing context to the
service application.

If establishing context succeeds, MS-PAC content of the service ticket
will be printed out.

2. S4U2Self protocol transition

In protocol transition case a service application obtains own TGT using
a key from the keytab and then requests a service ticket to itself in
the name of the user principal, performing S4U2Self request.

If accepting this service ticket succeeds, MS-PAC content of the service
ticket will be printed out.

If KDC does not support or rejects issuing MS-PAC record for a user, an
error message 'KDC has no support for padata type' will be printed.

Related: https://pagure.io/freeipa/issue/8319

Signed-off-by: Alexander Bokovoy <abokovoy@redhat.com>
Signed-off-by: Isaac Boukris <iboukris@redhat.com>
Reviewed-By: Isaac Boukris <iboukris@redhat.com>
Reviewed-By: Florence Blanc-Renaud <flo@redhat.com>
2020-05-27 17:57:39 +03:00
Christian Heimes
e00dc40fea Create ipasphinx package for Sphinx plugins
Sphinx is extensible with plugins that can add new syntax, roles,
directives, domains, and more.

Signed-off-by: Christian Heimes <cheimes@redhat.com>
Reviewed-By: Alexander Bokovoy <abokovoy@redhat.com>
2020-04-28 20:03:21 +02:00
Christian Heimes
e881e35783 Fix various OpenDNSSEC 2.1 issues
Require OpenDNSSEC 2.1.6-5 with fix for RHBZ#1825812 (DAC override AVC)

Allow ipa-dnskeysyncd to connect to enforcer.sock (ipa_dnskey_t write
opendnssec_var_run_t and connectto opendnssec_t). The
opendnssec_stream_connect interface is available since 2016.

Change the owner of the ipa-ods-exporter socket to ODS_USER:ODS_GROUP.
The ipa-ods-exporter service already runs as ODS_USER.

Fixes: https://pagure.io/freeipa/issue/8283
Signed-off-by: Christian Heimes <cheimes@redhat.com>
Reviewed-By: Florence Blanc-Renaud <frenaud@redhat.com>
2020-04-21 21:37:06 +02:00
Christian Heimes
bdf1137169 Use /run and /run/lock instead of /var
Also add runstatedir autoconf var. IPA requires autoconf 2.59. The
variable will be available with autoconf 2.70.

Fixes: https://pagure.io/freeipa/issue/8272
Signed-off-by: Christian Heimes <cheimes@redhat.com>
Reviewed-By: Alexander Bokovoy <abokovoy@redhat.com>
2020-04-15 18:48:50 +02:00
Vit Mojzis
0c9949e898 selinux: move BUILD_SELINUX_POLICY definition
BUILD_SELINUX_POLICY needs to be defined outside of ENABLE_SERVER
conditional block.

Fixes:
\# ./configure --disable-server
...
configure: error: conditional "BUILD_SELINUX_POLICY" was never defined.
Usually this means the macro was only invoked conditionally.

Reviewed-By: Christian Heimes <cheimes@redhat.com>
2020-03-05 09:57:00 +01:00
Christian Heimes
9288901f9b Integrate SELinux policy into build system
Hook up the new policy to autoconf and automake.

Signed-off-by: Christian Heimes <cheimes@redhat.com>
Reviewed-By: Christian Heimes <cheimes@redhat.com>
2020-03-05 09:57:00 +01:00
Robbie Harwood
179c8f4009 Add a skeleton kdcpolicy plugin
Signed-off-by: Robbie Harwood <rharwood@redhat.com>
Reviewed-By: Alexander Bokovoy <abokovoy@redhat.com>
Reviewed-By: Simo Sorce <ssorce@redhat.com>
Reviewed-By: Robbie Harwood <rharwood@redhat.com>
2019-09-10 12:33:21 +03:00
Christian Hermann
9a440ae885 configure.ac: don't rely on bashisms
93fb037d84 introduced unportable shell
syntax, which led to erros like
./configure: 3179: ./configure: CFLAGS+= -D__STDC_WANT_LIB_EXT1__=1: not found
in case a posix shell is used.

Reviewed-By: Christian Heimes <cheimes@redhat.com>
Reviewed-By: Alexander Bokovoy <abokovoy@redhat.com>
2019-08-07 08:18:59 +02:00
Christian Heimes
ac86707de3 Increase default debug level of certmonger
By default certmonger does not log operations. With debug level 2,
certmonger logs errors and operations to journald. An increased debug
level makes it easier to investigate problems.

Fixes: https://pagure.io/freeipa/issue/7986
Signed-off-by: Christian Heimes <cheimes@redhat.com>
Reviewed-By: Alexander Bokovoy <abokovoy@redhat.com>
Reviewed-By: Rob Crittenden <rcritten@redhat.com>
2019-06-24 10:00:37 +02:00
Christian Heimes
beffa7bcda Move Custodia secrets handler to scripts
Implement the import and export handlers for Custodia keys as external
scripts. It's a prerequisite to drop DAC override permission and proper
SELinux rules for ipa-custodia.

Except for DMLDAP,  handlers no longer run as root but as handler
specific users with reduced privileges. The Dogtag-related handlers run
as pkiuser, which also help with HSM support.

The export and import handles are designed to be executed by sudo, too.
In the future, ipa-custodia could be executed as an unprivileged process
that runs the minimal helper scripts with higher privileges.

Fixes: https://pagure.io/freeipa/issue/6888
Signed-off-by: Christian Heimes <cheimes@redhat.com>
Reviewed-By: Alexander Bokovoy <abokovoy@redhat.com>
2019-04-26 12:09:22 +02:00
Christian Heimes
93fb037d84 Compile IPA modules with C11 extensions
- define __STDC_WANT_LIB_EXT1__ to get C11 extensions like memset_s() for
  Samba's ZERO_STRUCT() macro, see
  https://en.cppreference.com/w/c/string/byte/memset
- _DEFAULT_SOURCE enables features like htole16() from endian.h, see
  http://man7.org/linux/man-pages/man3/endian.3.html
- _POSIX_C_SOURCE >= 200809 enables features like strndup() from string.h,
  see http://man7.org/linux/man-pages/man3/strndup.3.html
- time_t is no longer implicitly defined, include time.h
- typeof() is only available as GNU extension. Use explicit types
  instead of generic __typeof__().

Fixes: https://pagure.io/freeipa/issue/7858
Signed-off-by: Christian Heimes <cheimes@redhat.com>
Reviewed-By: Alexander Bokovoy <abokovoy@redhat.com>
2019-02-07 12:33:45 +01:00
Christian Heimes
21f14e9893 Remove Python 2 support and packages
Remove Python 2 related code and configuration from spec file, autoconf
and CI infrastructure. From now on, FreeIPA 4.8 requires at least Python
3.6. Python 2 packages like python2-ipaserver or python2-ipaclient are
no longer available. PR-CI, lint, and tox aren't testing Python 2
compatibility either.

See: https://fedoraproject.org/wiki/Changes/FreeIPA_Python_2_Removal
Fixes: https://pagure.io/freeipa/issue/7568
Signed-off-by: Christian Heimes <cheimes@redhat.com>
Reviewed-By: Rob Crittenden <rcritten@redhat.com>
Reviewed-By: Tibor Dudlak <tdudlak@redhat.com>
2018-09-06 17:39:00 +02:00
Christian Heimes
e4a3942e89 Detect and prefer platform Python
A platform Python interpreter is a special variant of the interpreter,
that is only used for system software. It's located at
/usr/libexec/platform-python.

Fixes: https://pagure.io/freeipa/issue/7680
Signed-off-by: Christian Heimes <cheimes@redhat.com>
Reviewed-By: Alexander Bokovoy <abokovoy@redhat.com>
2018-08-23 14:49:06 +02:00
Christian Heimes
992a5f4823 Move client templates to separate directory
PR https://github.com/freeipa/freeipa/pull/1747 added the first template
for FreeIPA client package. The template file was added to server
templates, which broke client-only builds.

The template is now part of a new subdirectory for client package shared
data.

Signed-off-by: Christian Heimes <cheimes@redhat.com>
Reviewed-By: Rob Crittenden <rcritten@redhat.com>
2018-06-05 16:34:27 -04:00
Christian Heimes
fa94ef0412 autoconf prefers Python 3 over 2
The configure script now looks for Python 3.6 or newer, then falls back
to Python 2. All Makefile default to Python 3 if Python 3 is available.

See: pagure.io/freeipa/issue/7131
Signed-off-by: Christian Heimes <cheimes@redhat.com>
Reviewed-By: Alexander Bokovoy <abokovoy@redhat.com>
2018-03-15 12:57:00 +01:00
Timo Aaltonen
1adb3edea9 Move config templates from install/conf to install/share
Reviewed-By: Stanislav Laznicka <slaznick@redhat.com>
2018-02-09 09:14:22 +01:00
Christian Heimes
7fbbf6689e Add make targets for fast linting and testing
Fast linting only needs modified files with pylint and diff with
pycodestyle. It's good enough to detect most code errors very fast. It
typically takes less than 10 seconds. A complete full pylint run uses
all CPU cores for several minutes. PEP 8 violations are typically
reported after 30 minutes to several hours on Travis CI.

Fast lintings uses git diff and git merge-base to find all modified
files in a branch or working tree. There is no easy way to find the
branch source. On Travis the information is provided by Travis. For
local development it's a new variable IPA_GIT_BRANCH in VERSION.m4.

Fast testing execute all unit tests that do not depend on ipalib.api.

In total it takes about 30-40 seconds (!) to execute linting, PEP 8 checks
and unittests for both Python 2 and 3.

Signed-off-by: Christian Heimes <cheimes@redhat.com>
Reviewed-By: Alexander Bokovoy <abokovoy@redhat.com>
2017-12-11 20:40:06 +01:00
Alexander Bokovoy
78ad1cfe4f ipa-extdom-extop: refactor nsswitch operations
Refactor nsswitch operations in ipa-extdom-extop plugin to allow use
of timeout-enabled nsswitch calls provided by libsss_nss_idmap.

Standard POSIX nsswitch API has no way to cancel requests which may
cause ipa-extdom-extop requests to hang far too long and potentially
exhaust LDAP server workers. In addition, glibc nsswitch API iterates
through all nsswitch modules one by one and with multiple parallel
requests a lock up may happen in an unrelated nsswitch module like
nss_files.so.2.

A solution to the latter issue is to directly load nss_sss.so.2 plugin
and utilize it. This, however, does not solve a problem with lack of
cancellable API.

With SSSD 1.16.1, libsss_nss_idmap provides a timeout-enabled variant of
nsswitch API that is directly integrated with SSSD client side machinery
used by nss_sss.so.2. As result, this API can be used instead of loading
nss_sss.so.2 directly.

To support older SSSD version, both direct loading of nss_sss.so.2 and
new timeout-enabled API are supported by this changeset. An API to
abstract both is designed to be a mix between internal glibc nsswitch
API and external nsswitch API that libsss_nss_idmap mimics. API does not
expose per-call timeout. Instead, it allows to set a timeout per
nsswitch operation context to reduce requirements on information
a caller has to maintain.

A choice which API to use is made at configure time.

In order to test the API, a cmocka test is updated to explicitly load
nss_files.so.2 as a backend. Since use of nss_sss.so.2 would always
depend on availablility of SSSD, predictable testing would not be
possible without it otherwise. Also, cmocka test does not use
nss_wrapper anymore because nss_wrapper overrides higher level glibc
nsswitch API while we are loading an individual nsswitch module
directly.

As result, cmocka test overrides fopen() call used by nss_files.so.2 to
load /etc/passwd and /etc/group. An overridden version changes paths to
/etc/passwd and /etc/group to a local test_data/passwd and
test_data/group. This way we can continue testing a backend API for
ipa-extdom-extop with the same data as with nss_wrapper.

Fixes https://pagure.io/freeipa/issue/5464

Reviewed-By: Christian Heimes <cheimes@redhat.com>
Reviewed-By: Simo Sorce <ssorce@redhat.com>
Reviewed-By: Robbie Harwood <rharwood@redhat.com>
2017-11-30 11:38:03 +02:00
Christian Heimes
a48f6511f6 Use namespace-aware meta importer for ipaplatform
Instead of symlinks and build-time configuration the ipaplatform module
is now able to auto-detect platforms on import time. The meta importer
uses the platform 'ID' from /etc/os-releases. It falls back to 'ID_LIKE'
on platforms like CentOS, which has ID=centos and ID_LIKE="rhel fedora".

The meta importer is able to handle namespace packages and the
ipaplatform package has been turned into a namespace package in order to
support external platform specifications.

https://fedorahosted.org/freeipa/ticket/6474

Signed-off-by: Christian Heimes <cheimes@redhat.com>
Reviewed-By: Rob Crittenden <rcritten@redhat.com>
2017-11-15 14:17:24 +01:00
Martin Babinsky
a2de6a17c5 Move tmpfiles.d configuration handling back to spec file
Since ipaapi user is now created during RPM install and not in runtime,
we may switch back to shipping tmpfiles.d configuration directly in RPMs
and not create it in runtime, which is a preferred way to handle drop-in
configuration anyway.

This also means that the drop-in config will be shipped in /usr/lib
instead of /etc according to Fedora packaging guidelines.

This partially reverts commit 38c66896de.

https://pagure.io/freeipa/issue/7053

Reviewed-By: Tibor Dudlak <tdudlak@redhat.com>
2017-08-30 13:05:23 +02:00
Jan Cholasta
4322b57e31 configure: fix AC_CHECK_LIB usage
Replace empty string with a single space in the third argument of
`AC_CHECK_LIB` (`action-if-found`) where applicable.

Empty string in the argument causes `AC_CHECK_LIB` to use the default
action when a library is found which includes adding the library to `LIBS`,
which specifies libraries to be linked in every binary and library in the
project.

This fixes libkrad, liblber, libldap_r and libsss_nss_idmap being linked to
every binary and library in IPA, even where unused.

https://pagure.io/freeipa/issue/6846

Reviewed-By: Stanislav Laznicka <slaznick@redhat.com>
2017-04-19 13:56:23 +00:00
Christian Heimes
3a5b3be8b9 tox testing support for client wheel packages
Add tox infrastructure to test client wheel packages workflow:

* build client packages
* install client packages
* ipa-run-tests --ipaclient-unittests under Python 2 and 3
* pylint of client packages under Python 2 and 3
* placeholder packages work as expected

Signed-off-by: Christian Heimes <cheimes@redhat.com>
Reviewed-By: Martin Basti <mbasti@redhat.com>
2017-04-12 16:53:22 +02:00
Timo Aaltonen
076eb409a0
ipa-otpd.socket.in: Use a platform specific value for KDC service file
https://pagure.io/freeipa/issue/6845

Reviewed-By: Christian Heimes <cheimes@redhat.com>
Reviewed-By: Tomas Krizek <tkrizek@redhat.com>
2017-04-12 16:17:51 +02:00
Christian Heimes
ae1c2086db Add an option to build ipaserver wheels
To create a wheel bundle with ipaserver and its dependencies:

    make wheel_bundle IPA_SERVER_WHEELS=1

To include additional dependencies:

    make wheel_bundle IPA_EXTRA_WHEELS=ipatests[webui]

Signed-off-by: Christian Heimes <cheimes@redhat.com>
Reviewed-By: Martin Basti <mbasti@redhat.com>
Reviewed-By: Jan Cholasta <jcholast@redhat.com>
2017-04-03 13:08:52 +02:00
Christian Heimes
e357133fd7 Add make devcheck for developers
Ticket 6604 makes pylint and jsl optional dependencies. The change
is controversal, because some developers prefer that pylint and jsl
should be required unless explicitly disabled.

`make devcheck` is my answer to address the concerns. It's a superior
solution to `make lint` as pre-commit check. It combines several
additional checks under a single, easy rememberable and convenient make
target:

* build all
* acilint, apiclient, jslint, polint
* make check
* pylint under Python 2 and 3
* subset of unit test suite

https://fedorahosted.org/freeipa/ticket/6604

Signed-off-by: Christian Heimes <cheimes@redhat.com>
Reviewed-By: Stanislav Laznicka <slaznick@redhat.com>
2017-03-31 13:48:47 +02:00
Sumit Bose
0ba0c07813 ipa-kdb: do not depend on certauth_plugin.h
Related to https://pagure.io/freeipa/issue/4905

Reviewed-By: Christian Heimes <cheimes@redhat.com>
2017-03-27 17:57:28 +02:00
Sumit Bose
054f1bd78b configure: fix --disable-server with certauth plugin
Resolves https://pagure.io/freeipa/issue/6816

Reviewed-By: Christian Heimes <cheimes@redhat.com>
2017-03-27 17:57:28 +02:00
Timo Aaltonen
44a3e0fe1d configure: Use ODS_USER and NAMED_GROUP in daemons/dnssec/*.service.in
These are platform specific, add values for Debian and default values
for Fedora/RHEL.

Also, use prettier output when checking the extra python install options.

Reviewed-By: Martin Basti <mbasti@redhat.com>
2017-03-22 13:39:18 +01:00
Lukas Slebodnik
2a4f7f2cfa CONFIGURE: Improve detection of xmlrpc_c flags
The pkg-config files for xmlrpc_c libraries are shipped just
in fedora/rhel due to downstream patch. Debian does not have
pkg-config files for xmlrpc_c. Therefore we need to fallback to older
method of detection XMLRPC_*FLAGS which was reverted
by the commit 1e0143c159

https://fedorahosted.org/freeipa/ticket/6418

Reviewed-By: Alexander Bokovoy <abokovoy@redhat.com>
2017-03-15 16:13:00 +01:00
Christian Heimes
b280c7bb01 Add PYTHON_INSTALL_EXTRA_OPTIONS and --install-layout=deb
Debian packages should be installed under dist-packages, not
site-packages. Debian has patched distutils and setuptools to add a new
flag '--install-layout'. For --with-ipaplatform=debian,
PYTHON_INSTALL_EXTRA_OPTIONS is set to '--install-layout=deb'.

https://pagure.io/freeipa/issue/6764

Signed-off-by: Christian Heimes <cheimes@redhat.com>
Reviewed-By: Timo Aaltonen <tjaalton@debian.org>
Reviewed-By: Martin Basti <mbasti@redhat.com>
2017-03-15 13:48:23 +01:00
Christian Heimes
f1f63506ca Make pylint and jsl optional
./configure no longer fails when pylint or jsl are not available. The
make targets for pylint and jsl are no longer defined without the tools.

Rational:
pylint and jsl are not required to build FreeIPA. Both are useful
developer tools. It's more user friendly to make both components
optionally with default config arguments. There is no reason to
fail building on a build system without development tools.

It's still possible to enforce dependency checks with --with-jslint and
--enable-pylint.

https://fedorahosted.org/freeipa/ticket/6604

Signed-off-by: Christian Heimes <cheimes@redhat.com>
Reviewed-By: Jan Cholasta <jcholast@redhat.com>
Reviewed-By: Tomas Krizek <tkrizek@redhat.com>
2017-03-15 12:42:36 +00:00
Lukas Slebodnik
4fe9166ac9 CONFIGURE: Properly detect libpopt on el7
libpopt added pkg-config file in 1.16 but there are still distributions
which has older version of library (el6, el7). And new features from
libpopt are not used anywhere. Configure should try to detect as much as
possible and users should not use workarounds with explicitely enabled
variables as parameters e.g.
   ./configure POPT_LIBS="-lpopt "

Reviewed-By: Pavel Vomacka <pvomacka@redhat.com>
2017-03-15 08:55:44 +00:00
Christian Heimes
80be181629 Move csrgen templates into ipaclient package
csrgen broke packaging of ipaclient for PyPI. All csrgen related
resources are now package data of ipaclient package. Package data is
accessed with Jinja's PackageLoader() or through pkg_resources.

https://pagure.io/freeipa/issue/6714

Signed-off-by: Christian Heimes <cheimes@redhat.com>
Reviewed-By: Ben Lipton <blipton@redhat.com>
Reviewed-By: Martin Basti <mbasti@redhat.com>
2017-03-08 15:59:26 +01:00
Christian Heimes
acdd1f5978 Add placeholders for ipaplatform, ipaserver and ipatests
I also renamed the base directory to pypi and added a new build target
pypi_packages.

Signed-off-by: Christian Heimes <cheimes@redhat.com>
Reviewed-By: Martin Basti <mbasti@redhat.com>
2017-03-02 14:43:37 +01:00
Christian Heimes
2e784336b0 Packaging: Add placeholder packages
The ipa and freeipa packages are placeholders to prevent PyPI squashing
attacks and reserve the names for future use. `pip install ipa` installs
ipaclient.

Signed-off-by: Christian Heimes <cheimes@redhat.com>
Reviewed-By: Martin Basti <mbasti@redhat.com>
2017-03-02 14:43:37 +01:00
Christian Heimes
2828a2b92b C compilation fixes and hardening
Fix "implicit declaration of function ‘strlen’" in ipa_pwd_ntlm.c,
credits to Lukas.

Add -Werror=implicit-function-declaration to CFLAGS to point developers
to missing includes. It causes compilation to fail when a developer
forgets to add a required include. The problem is no longer hidden in a
massive wall of text from make.

Silence a harmless error from 389-DS slapi.h until the bug is fixed in
downstream, https://pagure.io/389-ds-base/issue/48979

Signed-off-by: Christian Heimes <cheimes@redhat.com>
Reviewed-By: Stanislav Laznicka <slaznick@redhat.com>
2017-03-01 10:38:01 +01:00
Christian Heimes
2747f2ad78 Add --without-ipatests option
--without-ipatests skips building and installation of the ipatests
package. By default the ipatests package is always build and installed
by make install.

Signed-off-by: Christian Heimes <cheimes@redhat.com>
Reviewed-By: Simo Sorce <ssorce@redhat.com>
Reviewed-By: Tomas Krizek <tkrizek@redhat.com>
2017-02-22 15:48:36 +01:00
Christian Heimes
70554938d4 Client-only builds with --disable-server
https://fedorahosted.org/freeipa/ticket/6517

Reviewed-By: Simo Sorce <ssorce@redhat.com>
Reviewed-By: Tomas Krizek <tkrizek@redhat.com>
2017-02-22 15:48:36 +01:00
Alexander Bokovoy
593ea7da9a ipa-kdb: support KDB DAL version 6.1
DAL version 6.0 removed support for a callback to free principal.
This broke KDB drivers which had complex e_data structure within
the principal structure. As result, FreeIPA KDB driver was leaking
memory with DAL version 6.0 (krb5 1.15).

DAL version 6.1 added a special callback for freeing e_data structure.
See details at krb5/krb5#596

Restructure KDB driver code to provide this callback in case
we are built against DAL version that supports it. For DAL version
prior to 6.0 use this callback in the free_principal callback to
tidy the code.

Use explicit KDB version dependency in Fedora 26+ via BuildRequires.

With new DAL version, freeipa package will fail to build and
we'll have to add a support for new DAL version explicitly.

https://fedorahosted.org/freeipa/ticket/6619

Reviewed-By: Simo Sorce <ssorce@redhat.com>
Reviewed-By: Robbie Harwood <rharwood@redhat.com>
2017-02-15 14:24:05 +01:00
Simo Sorce
38c66896de Generate tmpfiles config at install time
We do not want to generate runtime directories just because the packages
are installed, but only if the server is actually setup and run. Also this
will be needed later because we will create a user at install time and some
tmpfiles will need to be owned by this user.
As we are changing this code also rationalize the directory structure and
move it from the http rundir to the ipa specific rundir.

https://fedorahosted.org/freeipa/ticket/5959

Signed-off-by: Simo Sorce <simo@redhat.com>
Reviewed-By: Jan Cholasta <jcholast@redhat.com>
2017-02-15 07:13:37 +01:00
David Kupka
f4088b3a00 build: Add missing dependency on libxmlrpc{,_util}
Change in libxmlrpc packaging uncovered missing linking  dependency in our
build system.

https://fedorahosted.org/freeipa/ticket/6637

Reviewed-By: Christian Heimes <cheimes@redhat.com>
Reviewed-By: Pavel Vomacka <pvomacka@redhat.com>
2017-02-06 17:18:26 +01:00
Ben Lipton
10ef594786 csrgen: Add code to generate scripts that generate CSRs
Adds a library that uses jinja2 to format a script that, when run, will
build a CSR. Also adds a CLI command, 'cert-get-requestdata', that uses
this library and builds the script for a given principal. The rules are
read from json files in /usr/share/ipa/csr, but the rule provider is a
separate class so that it can be replaced easily.

https://fedorahosted.org/freeipa/ticket/4899

Reviewed-By: Jan Cholasta <jcholast@redhat.com>
2017-01-31 10:20:28 +01:00
Lukas Slebodnik
3f91469f32 CONFIGURE: Update help message for jslint
Resolves:
https://fedorahosted.org/freeipa/ticket/6604

Reviewed-By: Christian Heimes <cheimes@redhat.com>
Reviewed-By: Tomas Krizek <tkrizek@redhat.com>
2017-01-18 09:05:56 +01:00
Lukas Slebodnik
5c18feaa20 CONFIGURE: Fix detection of pylint
If configure script was executed with --enable-pylint then
it behaved the same as --disable-pylint. It does not make
any sense.

Resolves:
https://fedorahosted.org/freeipa/ticket/6604

Reviewed-By: Christian Heimes <cheimes@redhat.com>
Reviewed-By: Tomas Krizek <tkrizek@redhat.com>
2017-01-18 09:05:56 +01:00
Simo Sorce
2bc01ec5b4 Use the tar Posix option for tarballs
This is necessary to be able to successfully build archives in
environments controlled by an IPA domain which may have large uidNumbers
for user accounts.

tar-ustar allows UID/GID numbers only up to 2 million and by default a
new IPA installation can assigne UIDs in the billion range.

https://fedorahosted.org/freeipa/ticket/6418

Signed-off-by: Simo Sorce <simo@redhat.com>
Reviewed-By: Petr Spacek <pspacek@redhat.com>
2016-12-21 14:54:08 +01:00