mirror of
https://salsa.debian.org/freeipa-team/freeipa.git
synced 2024-12-24 16:10:02 -06:00
24afb10c30
ipa-server-trust-ad subpackage need to pull in sssd-winbind-idmap Fixes: https://pagure.io/freeipa/issue/8923 Signed-off-by: Florence Blanc-Renaud <flo@redhat.com> Reviewed-By: Alexander Bokovoy <abokovoy@redhat.com>
1707 lines
59 KiB
RPMSpec
Executable File
1707 lines
59 KiB
RPMSpec
Executable File
# ipatests enabled by default, can be disabled with --without ipatests
|
||
%bcond_without ipatests
|
||
# default to not use XML-RPC in Rawhide, can be turned around with --with ipa_join_xml
|
||
# On RHEL 8 we should use --with ipa_join_xml
|
||
%bcond_with ipa_join_xml
|
||
|
||
# Linting is disabled by default, needed for upstream testing
|
||
%bcond_with lint
|
||
|
||
# Build documentation with sphinx
|
||
%bcond_with doc
|
||
|
||
# Build Python wheels
|
||
%bcond_with wheels
|
||
|
||
# 389-ds-base 1.4 no longer supports i686 platform, build only client
|
||
# packages, https://bugzilla.redhat.com/show_bug.cgi?id=1544386
|
||
%ifarch %{ix86}
|
||
%{!?ONLY_CLIENT:%global ONLY_CLIENT 1}
|
||
%endif
|
||
|
||
# Define ONLY_CLIENT to only make the ipa-client and ipa-python
|
||
# subpackages
|
||
%{!?ONLY_CLIENT:%global ONLY_CLIENT 0}
|
||
%if %{ONLY_CLIENT}
|
||
%global enable_server_option --disable-server
|
||
%else
|
||
%global enable_server_option --enable-server
|
||
%endif
|
||
|
||
%if %{ONLY_CLIENT}
|
||
%global with_ipatests 0
|
||
%endif
|
||
|
||
# Whether to build ipatests
|
||
%if %{with ipatests}
|
||
%global with_ipatests_option --with-ipatests
|
||
%else
|
||
%global with_ipatests_option --without-ipatests
|
||
%endif
|
||
|
||
# Whether to use XML-RPC with ipa-join
|
||
%if %{with ipa_join_xml}
|
||
%global with_ipa_join_xml_option --with-ipa-join-xml
|
||
%else
|
||
%global with_ipa_join_xml_option --without-ipa-join-xml
|
||
%endif
|
||
|
||
# lint is not executed during rpmbuild
|
||
# %%global with_lint 1
|
||
%if %{with lint}
|
||
%global linter_options --enable-pylint --without-jslint --enable-rpmlint
|
||
%else
|
||
%global linter_options --disable-pylint --without-jslint --disable-rpmlint
|
||
%endif
|
||
|
||
# Include SELinux subpackage
|
||
%if 0%{?fedora} >= 30 || 0%{?rhel} >= 8
|
||
%global with_selinux 1
|
||
%global selinuxtype targeted
|
||
%global modulename ipa
|
||
%endif
|
||
|
||
%if 0%{?rhel}
|
||
%global package_name ipa
|
||
%global alt_name freeipa
|
||
%global krb5_version 1.18.2-2
|
||
%global krb5_kdb_version 8.0
|
||
# 0.7.16: https://github.com/drkjam/netaddr/issues/71
|
||
%global python_netaddr_version 0.7.19
|
||
# Require 4.7.0 which brings Python 3 bindings
|
||
%global samba_version 4.12.3-12
|
||
%global selinux_policy_version 3.14.3-52
|
||
%global slapi_nis_version 0.56.4
|
||
%global python_ldap_version 3.1.0-1
|
||
%if 0%{?rhel} < 9
|
||
# Bug 1929067 - PKI instance creation failed with new 389-ds-base build
|
||
%global ds_version 1.4.3.16-12
|
||
%else
|
||
%global ds_version 2.0.3-3
|
||
%endif
|
||
|
||
# Fix for TLS 1.3 PHA, RHBZ#1775158
|
||
%global httpd_version 2.4.37-21
|
||
%global bind_version 9.11.20-6
|
||
|
||
%else
|
||
# Fedora
|
||
%global package_name freeipa
|
||
%global alt_name ipa
|
||
# Fix for CVE-2020-28196
|
||
%global krb5_version 1.18.2-29
|
||
# 0.7.16: https://github.com/drkjam/netaddr/issues/71
|
||
%global python_netaddr_version 0.7.16
|
||
# Require 4.7.0 which brings Python 3 bindings
|
||
# Require 4.12 which has DsRGetForestTrustInformation access rights fixes
|
||
%global samba_version 2:4.12.10
|
||
|
||
# 3.14.5-45 or later includes a number of interfaces fixes for IPA interface
|
||
%global selinux_policy_version 3.14.5-45
|
||
%global slapi_nis_version 0.56.5
|
||
|
||
%global krb5_kdb_version 8.0
|
||
|
||
# fix for segfault in python3-ldap, https://pagure.io/freeipa/issue/7324
|
||
%global python_ldap_version 3.1.0-1
|
||
|
||
# Make sure to use 389-ds-base versions that fix https://github.com/389ds/389-ds-base/issues/4700
|
||
# and has DNA interval enabled
|
||
%if 0%{?fedora} < 34
|
||
%global ds_version 1.4.4.16-1
|
||
%else
|
||
%global ds_version 2.0.5-1
|
||
%endif
|
||
|
||
# Fix for TLS 1.3 PHA, RHBZ#1775146
|
||
%global httpd_version 2.4.41-9
|
||
|
||
%global bind_version 9.11.24-1
|
||
# Don't use Fedora's Python dependency generator on Fedora 30/rawhide yet.
|
||
# Some packages don't provide new dist aliases.
|
||
# https://docs.fedoraproject.org/en-US/packaging-guidelines/Python/
|
||
%{?python_disable_dependency_generator}
|
||
# Fedora
|
||
%endif
|
||
|
||
# BIND employs 'pkcs11' OpenSSL engine instead of native PKCS11
|
||
# Fedora 31+ uses OpenSSL engine, as well as Fedora ELN (RHEL9)
|
||
%if 0%{?fedora} || 0%{?rhel} >= 9
|
||
%global openssl_pkcs11_version 0.4.10-6
|
||
%global softhsm_version 2.5.0-4
|
||
%else
|
||
%global with_bind_pkcs11 1
|
||
%endif
|
||
|
||
%if 0%{?rhel} == 8
|
||
# Make sure to use PKI versions that work with 389-ds fix for https://github.com/389ds/389-ds-base/issues/4609
|
||
%global pki_version 10.10.5
|
||
%else
|
||
# Make sure to use PKI versions that work with 389-ds fix for https://github.com/389ds/389-ds-base/issues/4609
|
||
%global pki_version 10.10.5
|
||
%endif
|
||
|
||
# RHEL 8.3+, F32+ has 0.79.13
|
||
%global certmonger_version 0.79.7-3
|
||
|
||
# RHEL 8.2+, F32+ has 3.58
|
||
%global nss_version 3.44.0-4
|
||
|
||
# RHEL 8.3+, F32+
|
||
%global sssd_version 2.4.0
|
||
|
||
%define krb5_base_version %(LC_ALL=C /usr/bin/pkgconf --modversion krb5 | grep -Eo '^[^.]+\.[^.]+' || echo %krb5_version)
|
||
%global kdcproxy_version 0.4-3
|
||
|
||
%if 0%{?fedora} >= 33 || 0%{?rhel} >= 9
|
||
# systemd with resolved enabled
|
||
# see https://pagure.io/freeipa/issue/8275
|
||
%global systemd_version 246.6-3
|
||
%else
|
||
%global systemd_version 239
|
||
%endif
|
||
|
||
# augeas support for new chrony options
|
||
# see https://pagure.io/freeipa/issue/8676
|
||
# https://bugzilla.redhat.com/show_bug.cgi?id=1931787
|
||
%if 0%{?fedora} >= 33
|
||
%global augeas_version 1.12.0-6
|
||
%else
|
||
%if 0%{?rhel} >= 9
|
||
%global augeas_version 1.12.1-0
|
||
%else
|
||
%global augeas_version 1.12.0-3
|
||
%endif
|
||
%endif
|
||
|
||
%global plugin_dir %{_libdir}/dirsrv/plugins
|
||
%global etc_systemd_dir %{_sysconfdir}/systemd/system
|
||
%global gettext_domain ipa
|
||
|
||
%define _hardened_build 1
|
||
|
||
# Work-around fact that RPM SPEC parser does not accept
|
||
# "Version: @VERSION@" in freeipa.spec.in used for Autoconf string replacement
|
||
%define IPA_VERSION @VERSION@
|
||
# Release candidate version -- uncomment with one percent for RC versions
|
||
#%%global rc_version rc1
|
||
%define AT_SIGN @
|
||
# redefine IPA_VERSION only if its value matches the Autoconf placeholder
|
||
%if "%{IPA_VERSION}" == "%{AT_SIGN}VERSION%{AT_SIGN}"
|
||
%define IPA_VERSION nonsense.to.please.RPM.SPEC.parser
|
||
%endif
|
||
|
||
%define NON_DEVELOPER_BUILD ("%{lua: print(rpm.expand('%{suffix:%IPA_VERSION}'):find('^dev'))}" == "nil")
|
||
|
||
Name: %{package_name}
|
||
Version: %{IPA_VERSION}
|
||
Release: 0%{?rc_version:.%rc_version}%{?dist}
|
||
Summary: The Identity, Policy and Audit system
|
||
|
||
License: GPLv3+
|
||
URL: http://www.freeipa.org/
|
||
Source0: https://releases.pagure.org/freeipa/freeipa-%{version}%{?rc_version}.tar.gz
|
||
# Only use detached signature for the distribution builds. If it is a developer build, skip it
|
||
%if %{NON_DEVELOPER_BUILD}
|
||
Source1: https://releases.pagure.org/freeipa/freeipa-%{version}%{?rc_version}.tar.gz.asc
|
||
%endif
|
||
|
||
# RHEL spec file only: START: Change branding to IPA and Identity Management
|
||
# Moved branding logos and background to redhat-logos-ipa-80.4:
|
||
# header-logo.png, login-screen-background.jpg, login-screen-logo.png,
|
||
# product-name.png
|
||
# RHEL spec file only: END: Change branding to IPA and Identity Management
|
||
|
||
# RHEL spec file only: START
|
||
%if %{NON_DEVELOPER_BUILD}
|
||
%if 0%{?rhel} == 8
|
||
Patch0001: 0001_util_Fix_client-only_build-upstream_5273.patch
|
||
Patch1001: 1001-Change-branding-to-IPA-and-Identity-Management.patch
|
||
Patch1002: 1002-4.8.0-Remove-csrgen.patch
|
||
Patch1003: 1003-Revert-WebUI-use-python3-rjsmin-to-minify-JavaScript.patch
|
||
%endif
|
||
%if 0%{?rhel} == 9
|
||
Patch1001: 1001-Change-branding-to-IPA-and-Identity-Management.patch
|
||
%endif
|
||
%endif
|
||
# RHEL spec file only: END
|
||
|
||
# For the timestamp trick in patch application
|
||
BuildRequires: diffstat
|
||
|
||
BuildRequires: openldap-devel
|
||
# For KDB DAL version, make explicit dependency so that increase of version
|
||
# will cause the build to fail due to unsatisfied dependencies.
|
||
# DAL version change may cause code crash or memory leaks, it is better to fail early.
|
||
BuildRequires: krb5-kdb-version = %{krb5_kdb_version}
|
||
BuildRequires: krb5-kdb-devel-version = %{krb5_kdb_version}
|
||
BuildRequires: krb5-devel >= %{krb5_version}
|
||
BuildRequires: pkgconfig(krb5)
|
||
%if %{with ipa_join_xml}
|
||
# 1.27.4: xmlrpc_curl_xportparms.gssapi_delegation
|
||
BuildRequires: xmlrpc-c-devel >= 1.27.4
|
||
%else
|
||
BuildRequires: libcurl-devel
|
||
BuildRequires: jansson-devel
|
||
%endif
|
||
BuildRequires: popt-devel
|
||
BuildRequires: gcc
|
||
BuildRequires: make
|
||
BuildRequires: pkgconfig
|
||
BuildRequires: pkgconf
|
||
BuildRequires: autoconf
|
||
BuildRequires: automake
|
||
BuildRequires: make
|
||
BuildRequires: libtool
|
||
BuildRequires: gettext
|
||
BuildRequires: gettext-devel
|
||
BuildRequires: python3-devel
|
||
BuildRequires: python3-setuptools
|
||
BuildRequires: systemd >= %{systemd_version}
|
||
# systemd-tmpfiles which is executed from make install requires apache user
|
||
BuildRequires: httpd
|
||
BuildRequires: nspr-devel
|
||
BuildRequires: openssl-devel
|
||
BuildRequires: libini_config-devel
|
||
BuildRequires: cyrus-sasl-devel
|
||
%if ! %{ONLY_CLIENT}
|
||
BuildRequires: 389-ds-base-devel >= %{ds_version}
|
||
BuildRequires: samba-devel >= %{samba_version}
|
||
BuildRequires: libtalloc-devel
|
||
BuildRequires: libtevent-devel
|
||
BuildRequires: libuuid-devel
|
||
BuildRequires: libpwquality-devel
|
||
BuildRequires: libsss_idmap-devel
|
||
BuildRequires: libsss_certmap-devel
|
||
BuildRequires: libsss_nss_idmap-devel >= %{sssd_version}
|
||
BuildRequires: nodejs(abi)
|
||
# use old dependency on RHEL 8 for now
|
||
%if 0%{?fedora} >= 31 || 0%{?rhel} >= 9
|
||
BuildRequires: python3-rjsmin
|
||
%else
|
||
BuildRequires: uglify-js
|
||
%endif
|
||
BuildRequires: libverto-devel
|
||
BuildRequires: libunistring-devel
|
||
# 0.13.0: https://bugzilla.redhat.com/show_bug.cgi?id=1584773
|
||
# 0.13.0-2: fix for missing dependency on python-six
|
||
BuildRequires: python3-lesscpy >= 0.13.0-2
|
||
BuildRequires: cracklib-dicts
|
||
# ONLY_CLIENT
|
||
%endif
|
||
|
||
#
|
||
# Build dependencies for makeapi/makeaci
|
||
#
|
||
BuildRequires: python3-cffi
|
||
BuildRequires: python3-dns
|
||
BuildRequires: python3-ldap >= %{python_ldap_version}
|
||
BuildRequires: python3-libsss_nss_idmap
|
||
BuildRequires: python3-netaddr >= %{python_netaddr_version}
|
||
BuildRequires: python3-pyasn1
|
||
BuildRequires: python3-pyasn1-modules
|
||
BuildRequires: python3-six
|
||
BuildRequires: python3-psutil
|
||
|
||
#
|
||
# Build dependencies for wheel packaging and PyPI upload
|
||
#
|
||
%if %{with wheels}
|
||
BuildRequires: dbus-glib-devel
|
||
BuildRequires: libffi-devel
|
||
BuildRequires: python3-tox
|
||
%if 0%{?fedora} <= 28
|
||
BuildRequires: python3-twine
|
||
%else
|
||
BuildRequires: twine
|
||
%endif
|
||
BuildRequires: python3-wheel
|
||
# with_wheels
|
||
%endif
|
||
|
||
%if %{with doc}
|
||
BuildRequires: python3-sphinx
|
||
BuildRequires: python3-m2r
|
||
%endif
|
||
|
||
#
|
||
# Build dependencies for lint and fastcheck
|
||
#
|
||
%if %{with lint}
|
||
BuildRequires: git
|
||
%if 0%{?fedora} < 34
|
||
# jsl is orphaned in Fedora 34+
|
||
BuildRequires: jsl
|
||
%endif
|
||
BuildRequires: nss-tools
|
||
BuildRequires: rpmlint
|
||
BuildRequires: softhsm
|
||
|
||
BuildRequires: keyutils
|
||
BuildRequires: python3-augeas
|
||
BuildRequires: python3-cffi
|
||
BuildRequires: python3-cryptography >= 1.6
|
||
BuildRequires: python3-dateutil
|
||
BuildRequires: python3-dbus
|
||
BuildRequires: python3-dns >= 1.15
|
||
BuildRequires: python3-docker
|
||
BuildRequires: python3-gssapi >= 1.2.0
|
||
BuildRequires: python3-jinja2
|
||
BuildRequires: python3-jwcrypto >= 0.4.2
|
||
BuildRequires: python3-ldap >= %{python_ldap_version}
|
||
BuildRequires: python3-ldap >= %{python_ldap_version}
|
||
BuildRequires: python3-lib389 >= %{ds_version}
|
||
BuildRequires: python3-libipa_hbac
|
||
BuildRequires: python3-libsss_nss_idmap
|
||
BuildRequires: python3-lxml
|
||
BuildRequires: python3-netaddr >= %{python_netaddr_version}
|
||
BuildRequires: python3-netifaces
|
||
BuildRequires: python3-paste
|
||
BuildRequires: python3-pexpect
|
||
BuildRequires: python3-pki >= %{pki_version}
|
||
BuildRequires: python3-polib
|
||
BuildRequires: python3-pyasn1
|
||
BuildRequires: python3-pyasn1-modules
|
||
BuildRequires: python3-pycodestyle
|
||
# .wheelconstraints.in limits pylint version in Azure and tox tests
|
||
BuildRequires: python3-pylint
|
||
BuildRequires: python3-pytest-multihost
|
||
BuildRequires: python3-pytest-sourceorder
|
||
BuildRequires: python3-qrcode-core >= 5.0.0
|
||
BuildRequires: python3-samba
|
||
BuildRequires: python3-six
|
||
BuildRequires: python3-sss
|
||
BuildRequires: python3-sss-murmur
|
||
BuildRequires: python3-sssdconfig >= %{sssd_version}
|
||
BuildRequires: python3-systemd
|
||
BuildRequires: python3-yaml
|
||
BuildRequires: python3-yubico
|
||
# with_lint
|
||
%endif
|
||
|
||
#
|
||
# Build dependencies for unit tests
|
||
#
|
||
%if ! %{ONLY_CLIENT}
|
||
BuildRequires: libcmocka-devel
|
||
# Required by ipa_kdb_tests
|
||
BuildRequires: krb5-server >= %{krb5_version}
|
||
# ONLY_CLIENT
|
||
%endif
|
||
|
||
# Build dependencies for SELinux policy
|
||
%if %{with selinux}
|
||
BuildRequires: selinux-policy-devel >= %{selinux_policy_version}
|
||
%endif
|
||
|
||
%description
|
||
IPA is an integrated solution to provide centrally managed Identity (users,
|
||
hosts, services), Authentication (SSO, 2FA), and Authorization
|
||
(host access control, SELinux user roles, services). The solution provides
|
||
features for further integration with Linux based clients (SUDO, automount)
|
||
and integration with Active Directory based infrastructures (Trusts).
|
||
|
||
|
||
%if ! %{ONLY_CLIENT}
|
||
|
||
%package server
|
||
Summary: The IPA authentication server
|
||
Requires: %{name}-server-common = %{version}-%{release}
|
||
Requires: %{name}-client = %{version}-%{release}
|
||
Requires: %{name}-common = %{version}-%{release}
|
||
Requires: python3-ipaserver = %{version}-%{release}
|
||
Requires: python3-ldap >= %{python_ldap_version}
|
||
Requires: 389-ds-base >= %{ds_version}
|
||
Requires: openldap-clients > 2.4.35-4
|
||
Requires: nss-tools >= %{nss_version}
|
||
Requires(post): krb5-server >= %{krb5_version}
|
||
Requires(post): krb5-server >= %{krb5_base_version}
|
||
Requires: krb5-kdb-version = %{krb5_kdb_version}
|
||
Requires: krb5-pkinit-openssl >= %{krb5_version}
|
||
Requires: cyrus-sasl-gssapi%{?_isa}
|
||
Requires: chrony
|
||
Requires: httpd >= %{httpd_version}
|
||
Requires(preun): python3
|
||
Requires(postun): python3
|
||
Requires: python3-gssapi >= 1.2.0-5
|
||
Requires: python3-systemd
|
||
Requires: python3-mod_wsgi
|
||
Requires: mod_auth_gssapi >= 1.5.0
|
||
Requires: mod_ssl >= %{httpd_version}
|
||
Requires: mod_session >= %{httpd_version}
|
||
# 0.9.9: https://github.com/adelton/mod_lookup_identity/pull/3
|
||
Requires: mod_lookup_identity >= 0.9.9
|
||
Requires: acl
|
||
Requires: systemd-units >= %{systemd_version}
|
||
Requires(pre): systemd-units >= %{systemd_version}
|
||
Requires(post): systemd-units >= %{systemd_version}
|
||
Requires(preun): systemd-units >= %{systemd_version}
|
||
Requires(postun): systemd-units >= %{systemd_version}
|
||
Requires(pre): shadow-utils
|
||
Requires: selinux-policy >= %{selinux_policy_version}
|
||
Requires(post): selinux-policy-base >= %{selinux_policy_version}
|
||
Requires: slapi-nis >= %{slapi_nis_version}
|
||
Requires: pki-ca >= %{pki_version}
|
||
Requires: pki-kra >= %{pki_version}
|
||
# pki-acme package was split out in pki-10.10.0
|
||
Requires: (pki-acme >= %{pki_version} if pki-ca >= 10.10.0)
|
||
Requires: policycoreutils >= 2.1.12-5
|
||
Requires: tar
|
||
Requires(pre): certmonger >= %{certmonger_version}
|
||
Requires(pre): 389-ds-base >= %{ds_version}
|
||
Requires: fontawesome-fonts
|
||
Requires: open-sans-fonts
|
||
%if 0%{?fedora} >= 32 || 0%{?rhel} >= 9
|
||
# https://pagure.io/freeipa/issue/8632
|
||
Requires: openssl > 1.1.1i
|
||
%else
|
||
Requires: openssl
|
||
%endif
|
||
Requires: softhsm >= 2.0.0rc1-1
|
||
Requires: p11-kit
|
||
Requires: %{etc_systemd_dir}
|
||
Requires: gzip
|
||
Requires: oddjob
|
||
# 0.7.0-2: https://pagure.io/gssproxy/pull-request/172
|
||
Requires: gssproxy >= 0.7.0-2
|
||
Requires: sssd-dbus >= %{sssd_version}
|
||
Requires: libpwquality
|
||
Requires: cracklib-dicts
|
||
|
||
Provides: %{alt_name}-server = %{version}
|
||
Conflicts: %{alt_name}-server
|
||
Obsoletes: %{alt_name}-server < %{version}
|
||
|
||
# With FreeIPA 3.3, package freeipa-server-selinux was obsoleted as the
|
||
# entire SELinux policy is stored in the system policy
|
||
Obsoletes: freeipa-server-selinux < 3.3.0
|
||
|
||
# upgrade path from monolithic -server to -server + -server-dns
|
||
Obsoletes: %{name}-server <= 4.2.0
|
||
|
||
# Versions of nss-pam-ldapd < 0.8.4 require a mapping from uniqueMember to
|
||
# member.
|
||
Conflicts: nss-pam-ldapd < 0.8.4
|
||
|
||
# RHEL spec file only: START: Do not build tests
|
||
%if 0%{?rhel} == 8
|
||
# ipa-tests subpackage was moved to separate srpm
|
||
Conflicts: ipa-tests < 3.3.3-9
|
||
%endif
|
||
# RHEL spec file only: END: Do not build tests
|
||
|
||
%description server
|
||
IPA is an integrated solution to provide centrally managed Identity (users,
|
||
hosts, services), Authentication (SSO, 2FA), and Authorization
|
||
(host access control, SELinux user roles, services). The solution provides
|
||
features for further integration with Linux based clients (SUDO, automount)
|
||
and integration with Active Directory based infrastructures (Trusts).
|
||
If you are installing an IPA server, you need to install this package.
|
||
|
||
|
||
%package -n python3-ipaserver
|
||
Summary: Python libraries used by IPA server
|
||
BuildArch: noarch
|
||
%{?python_provide:%python_provide python3-ipaserver}
|
||
Requires: %{name}-server-common = %{version}-%{release}
|
||
Requires: %{name}-common = %{version}-%{release}
|
||
# we need pre-requires since earlier versions may break upgrade
|
||
Requires(pre): python3-ldap >= %{python_ldap_version}
|
||
Requires: python3-augeas
|
||
Requires: augeas-libs >= %{augeas_version}
|
||
Requires: python3-dbus
|
||
Requires: python3-dns >= 1.15
|
||
Requires: python3-gssapi >= 1.2.0
|
||
Requires: python3-ipaclient = %{version}-%{release}
|
||
Requires: python3-kdcproxy >= %{kdcproxy_version}
|
||
Requires: python3-lxml
|
||
Requires: python3-pki >= %{pki_version}
|
||
Requires: python3-pyasn1 >= 0.3.2-2
|
||
Requires: python3-sssdconfig >= %{sssd_version}
|
||
Requires: python3-psutil
|
||
Requires: rpm-libs
|
||
# Indirect dependency: use newer urllib3 with TLS 1.3 PHA support
|
||
%if 0%{?rhel}
|
||
Requires: python3-urllib3 >= 1.24.2-3
|
||
%else
|
||
Requires: python3-urllib3 >= 1.25.7
|
||
%endif
|
||
|
||
%description -n python3-ipaserver
|
||
IPA is an integrated solution to provide centrally managed Identity (users,
|
||
hosts, services), Authentication (SSO, 2FA), and Authorization
|
||
(host access control, SELinux user roles, services). The solution provides
|
||
features for further integration with Linux based clients (SUDO, automount)
|
||
and integration with Active Directory based infrastructures (Trusts).
|
||
If you are installing an IPA server, you need to install this package.
|
||
|
||
|
||
%package server-common
|
||
Summary: Common files used by IPA server
|
||
BuildArch: noarch
|
||
Requires: %{name}-client-common = %{version}-%{release}
|
||
Requires: httpd >= %{httpd_version}
|
||
Requires: systemd-units >= %{systemd_version}
|
||
%if 0%{?rhel} >= 8 && ! 0%{?eln}
|
||
Requires: system-logos-ipa >= 80.4
|
||
%endif
|
||
|
||
Provides: %{alt_name}-server-common = %{version}
|
||
Conflicts: %{alt_name}-server-common
|
||
Obsoletes: %{alt_name}-server-common < %{version}
|
||
|
||
%description server-common
|
||
IPA is an integrated solution to provide centrally managed Identity (users,
|
||
hosts, services), Authentication (SSO, 2FA), and Authorization
|
||
(host access control, SELinux user roles, services). The solution provides
|
||
features for further integration with Linux based clients (SUDO, automount)
|
||
and integration with Active Directory based infrastructures (Trusts).
|
||
If you are installing an IPA server, you need to install this package.
|
||
|
||
|
||
%package server-dns
|
||
Summary: IPA integrated DNS server with support for automatic DNSSEC signing
|
||
BuildArch: noarch
|
||
Requires: %{name}-server = %{version}-%{release}
|
||
Requires: bind-dyndb-ldap >= 11.2-2
|
||
Requires: bind >= %{bind_version}
|
||
Requires: bind-utils >= %{bind_version}
|
||
%if %{with bind_pkcs11}
|
||
Requires: bind-pkcs11 >= %{bind_version}
|
||
Requires: bind-pkcs11-utils >= %{bind_version}
|
||
%else
|
||
Requires: softhsm >= %{softhsm_version}
|
||
Requires: openssl-pkcs11 >= %{openssl_pkcs11_version}
|
||
%endif
|
||
# See https://bugzilla.redhat.com/show_bug.cgi?id=1825812
|
||
# RHEL 8.3+ and Fedora 32+ have 2.1
|
||
Requires: opendnssec >= 2.1.6-5
|
||
%{?systemd_requires}
|
||
|
||
Provides: %{alt_name}-server-dns = %{version}
|
||
Conflicts: %{alt_name}-server-dns
|
||
Obsoletes: %{alt_name}-server-dns < %{version}
|
||
|
||
# upgrade path from monolithic -server to -server + -server-dns
|
||
Obsoletes: %{name}-server <= 4.2.0
|
||
|
||
%description server-dns
|
||
IPA integrated DNS server with support for automatic DNSSEC signing.
|
||
Integrated DNS server is BIND 9. OpenDNSSEC provides key management.
|
||
|
||
|
||
%package server-trust-ad
|
||
Summary: Virtual package to install packages required for Active Directory trusts
|
||
Requires: %{name}-server = %{version}-%{release}
|
||
Requires: %{name}-common = %{version}-%{release}
|
||
|
||
Requires: samba >= %{samba_version}
|
||
Requires: samba-winbind
|
||
Requires: sssd-winbind-idmap
|
||
Requires: libsss_idmap
|
||
%if 0%{?rhel}
|
||
Obsoletes: ipa-idoverride-memberof-plugin <= 0.1
|
||
%endif
|
||
Requires(post): python3
|
||
Requires: python3-samba
|
||
Requires: python3-libsss_nss_idmap
|
||
Requires: python3-sss
|
||
|
||
# We use alternatives to divert winbind_krb5_locator.so plugin to libkrb5
|
||
# on the installes where server-trust-ad subpackage is installed because
|
||
# IPA AD trusts cannot be used at the same time with the locator plugin
|
||
# since Winbindd will be configured in a different mode
|
||
Requires(post): %{_sbindir}/update-alternatives
|
||
Requires(postun): %{_sbindir}/update-alternatives
|
||
Requires(preun): %{_sbindir}/update-alternatives
|
||
|
||
Provides: %{alt_name}-server-trust-ad = %{version}
|
||
Conflicts: %{alt_name}-server-trust-ad
|
||
Obsoletes: %{alt_name}-server-trust-ad < %{version}
|
||
|
||
%description server-trust-ad
|
||
Cross-realm trusts with Active Directory in IPA require working Samba 4
|
||
installation. This package is provided for convenience to install all required
|
||
dependencies at once.
|
||
|
||
# ONLY_CLIENT
|
||
%endif
|
||
|
||
|
||
%package client
|
||
Summary: IPA authentication for use on clients
|
||
Requires: %{name}-client-common = %{version}-%{release}
|
||
Requires: %{name}-common = %{version}-%{release}
|
||
Requires: python3-gssapi >= 1.2.0-5
|
||
Requires: python3-ipaclient = %{version}-%{release}
|
||
Requires: python3-ldap >= %{python_ldap_version}
|
||
Requires: python3-sssdconfig >= %{sssd_version}
|
||
Requires: cyrus-sasl-gssapi%{?_isa}
|
||
Requires: chrony
|
||
Requires: krb5-workstation >= %{krb5_version}
|
||
Requires: authselect >= 0.4-2
|
||
Requires: curl
|
||
# NIS domain name config: /usr/lib/systemd/system/*-domainname.service
|
||
# All Fedora 28+ and RHEL8+ contain the service in hostname package
|
||
Requires: hostname
|
||
Requires: libcurl >= 7.21.7-2
|
||
%if %{with ipa_join_xml}
|
||
Requires: xmlrpc-c >= 1.27.4
|
||
%else
|
||
Requires: jansson
|
||
%endif
|
||
Requires: sssd-ipa >= %{sssd_version}
|
||
Requires: certmonger >= %{certmonger_version}
|
||
Requires: nss-tools >= %{nss_version}
|
||
Requires: bind-utils
|
||
Requires: oddjob-mkhomedir
|
||
Requires: libsss_autofs
|
||
Requires: autofs
|
||
Requires: libnfsidmap
|
||
Requires: nfs-utils
|
||
Requires: sssd-tools >= %{sssd_version}
|
||
Requires(post): policycoreutils
|
||
|
||
# https://pagure.io/freeipa/issue/8530
|
||
Recommends: libsss_sudo
|
||
Recommends: sudo
|
||
Requires: (libsss_sudo if sudo)
|
||
|
||
Provides: %{alt_name}-client = %{version}
|
||
Conflicts: %{alt_name}-client
|
||
Obsoletes: %{alt_name}-client < %{version}
|
||
|
||
Provides: %{alt_name}-admintools = %{version}
|
||
Conflicts: %{alt_name}-admintools
|
||
Obsoletes: %{alt_name}-admintools < 4.4.1
|
||
|
||
Obsoletes: %{name}-admintools < 4.4.1
|
||
Provides: %{name}-admintools = %{version}-%{release}
|
||
|
||
%if 0%{?rhel} == 8
|
||
# Conflict with crypto-policies < 20200629-1 to get AD-SUPPORT policy module
|
||
Conflicts: crypto-policies < 20200629-1
|
||
%endif
|
||
|
||
%description client
|
||
IPA is an integrated solution to provide centrally managed Identity (users,
|
||
hosts, services), Authentication (SSO, 2FA), and Authorization
|
||
(host access control, SELinux user roles, services). The solution provides
|
||
features for further integration with Linux based clients (SUDO, automount)
|
||
and integration with Active Directory based infrastructures (Trusts).
|
||
If your network uses IPA for authentication, this package should be
|
||
installed on every client machine.
|
||
This package provides command-line tools for IPA administrators.
|
||
|
||
%package client-samba
|
||
Summary: Tools to configure Samba on IPA client
|
||
Group: System Environment/Base
|
||
Requires: %{name}-client = %{version}-%{release}
|
||
Requires: python3-samba
|
||
Requires: samba-client
|
||
Requires: samba-winbind
|
||
Requires: samba-common-tools
|
||
Requires: samba
|
||
Requires: sssd-winbind-idmap
|
||
Requires: tdb-tools
|
||
Requires: cifs-utils
|
||
|
||
%description client-samba
|
||
This package provides command-line tools to deploy Samba domain member
|
||
on the machine enrolled into a FreeIPA environment
|
||
|
||
%package client-epn
|
||
Summary: Tools to configure Expiring Password Notification in IPA
|
||
Group: System Environment/Base
|
||
Requires: %{name}-client = %{version}-%{release}
|
||
Requires: systemd-units >= %{systemd_version}
|
||
Requires(post): systemd-units >= %{systemd_version}
|
||
Requires(preun): systemd-units >= %{systemd_version}
|
||
Requires(postun): systemd-units >= %{systemd_version}
|
||
|
||
%description client-epn
|
||
This package provides a service to collect and send expiring password
|
||
notifications via email (SMTP).
|
||
|
||
%package -n python3-ipaclient
|
||
Summary: Python libraries used by IPA client
|
||
BuildArch: noarch
|
||
%{?python_provide:%python_provide python3-ipaclient}
|
||
Requires: %{name}-client-common = %{version}-%{release}
|
||
Requires: %{name}-common = %{version}-%{release}
|
||
Requires: python3-ipalib = %{version}-%{release}
|
||
Requires: python3-augeas
|
||
Requires: augeas-libs >= %{augeas_version}
|
||
Requires: python3-dns >= 1.15
|
||
Requires: python3-jinja2
|
||
|
||
%description -n python3-ipaclient
|
||
IPA is an integrated solution to provide centrally managed Identity (users,
|
||
hosts, services), Authentication (SSO, 2FA), and Authorization
|
||
(host access control, SELinux user roles, services). The solution provides
|
||
features for further integration with Linux based clients (SUDO, automount)
|
||
and integration with Active Directory based infrastructures (Trusts).
|
||
If your network uses IPA for authentication, this package should be
|
||
installed on every client machine.
|
||
|
||
%package client-common
|
||
Summary: Common files used by IPA client
|
||
BuildArch: noarch
|
||
|
||
Provides: %{alt_name}-client-common = %{version}
|
||
Conflicts: %{alt_name}-client-common
|
||
Obsoletes: %{alt_name}-client-common < %{version}
|
||
# python2-ipa* packages are no longer available in 4.8.
|
||
Obsoletes: python2-ipaclient < 4.8.0-1
|
||
Obsoletes: python2-ipalib < 4.8.0-1
|
||
Obsoletes: python2-ipaserver < 4.8.0-1
|
||
Obsoletes: python2-ipatests < 4.8.0-1
|
||
|
||
|
||
%description client-common
|
||
IPA is an integrated solution to provide centrally managed Identity (users,
|
||
hosts, services), Authentication (SSO, 2FA), and Authorization
|
||
(host access control, SELinux user roles, services). The solution provides
|
||
features for further integration with Linux based clients (SUDO, automount)
|
||
and integration with Active Directory based infrastructures (Trusts).
|
||
If your network uses IPA for authentication, this package should be
|
||
installed on every client machine.
|
||
|
||
|
||
%package python-compat
|
||
Summary: Compatiblity package for Python libraries used by IPA
|
||
BuildArch: noarch
|
||
Obsoletes: %{name}-python < 4.2.91
|
||
Provides: %{name}-python = %{version}-%{release}
|
||
Requires: %{name}-common = %{version}-%{release}
|
||
Requires: python3-ipalib = %{version}-%{release}
|
||
|
||
Provides: %{alt_name}-python-compat = %{version}
|
||
Conflicts: %{alt_name}-python-compat
|
||
Obsoletes: %{alt_name}-python-compat < %{version}
|
||
|
||
Obsoletes: %{alt_name}-python < 4.2.91
|
||
Provides: %{alt_name}-python = %{version}
|
||
|
||
%description python-compat
|
||
IPA is an integrated solution to provide centrally managed Identity (users,
|
||
hosts, services), Authentication (SSO, 2FA), and Authorization
|
||
(host access control, SELinux user roles, services). The solution provides
|
||
features for further integration with Linux based clients (SUDO, automount)
|
||
and integration with Active Directory based infrastructures (Trusts).
|
||
This is a compatibility package to accommodate %{name}-python split into
|
||
python3-ipalib and %{name}-common. Packages still depending on
|
||
%{name}-python should be fixed to depend on python2-ipaclient or
|
||
%{name}-common instead.
|
||
|
||
|
||
%package -n python3-ipalib
|
||
Summary: Python3 libraries used by IPA
|
||
BuildArch: noarch
|
||
%{?python_provide:%python_provide python3-ipalib}
|
||
Provides: python3-ipapython = %{version}-%{release}
|
||
%{?python_provide:%python_provide python3-ipapython}
|
||
Provides: python3-ipaplatform = %{version}-%{release}
|
||
%{?python_provide:%python_provide python3-ipaplatform}
|
||
Requires: %{name}-common = %{version}-%{release}
|
||
# we need pre-requires since earlier versions may break upgrade
|
||
Requires(pre): python3-ldap >= %{python_ldap_version}
|
||
Requires: gnupg2
|
||
Requires: keyutils
|
||
Requires: python3-cffi
|
||
Requires: python3-cryptography >= 1.6
|
||
Requires: python3-dateutil
|
||
Requires: python3-dbus
|
||
Requires: python3-dns >= 1.15
|
||
Requires: python3-gssapi >= 1.2.0
|
||
Requires: python3-jwcrypto >= 0.4.2
|
||
Requires: python3-libipa_hbac
|
||
Requires: python3-netaddr >= %{python_netaddr_version}
|
||
Requires: python3-netifaces >= 0.10.4
|
||
Requires: python3-pyasn1 >= 0.3.2-2
|
||
Requires: python3-pyasn1-modules >= 0.3.2-2
|
||
Requires: python3-pyusb
|
||
Requires: python3-qrcode-core >= 5.0.0
|
||
Requires: python3-requests
|
||
Requires: python3-six
|
||
Requires: python3-sss-murmur
|
||
Requires: python3-yubico >= 1.3.2-7
|
||
%if 0%{?rhel} && 0%{?rhel} == 8
|
||
Requires: platform-python-setuptools
|
||
%else
|
||
Requires: python3-setuptools
|
||
%endif
|
||
|
||
%description -n python3-ipalib
|
||
IPA is an integrated solution to provide centrally managed Identity (users,
|
||
hosts, services), Authentication (SSO, 2FA), and Authorization
|
||
(host access control, SELinux user roles, services). The solution provides
|
||
features for further integration with Linux based clients (SUDO, automount)
|
||
and integration with Active Directory based infrastructures (Trusts).
|
||
If you are using IPA with Python 3, you need to install this package.
|
||
|
||
|
||
%package common
|
||
Summary: Common files used by IPA
|
||
BuildArch: noarch
|
||
Conflicts: %{name}-python < 4.2.91
|
||
|
||
Provides: %{alt_name}-common = %{version}
|
||
Conflicts: %{alt_name}-common
|
||
Obsoletes: %{alt_name}-common < %{version}
|
||
|
||
Conflicts: %{alt_name}-python < %{version}
|
||
|
||
%if %{with selinux}
|
||
# This ensures that the *-selinux package and all it’s dependencies are not
|
||
# pulled into containers and other systems that do not use SELinux. The
|
||
# policy defines types and file contexts for client and server.
|
||
Requires: (%{name}-selinux if selinux-policy-%{selinuxtype})
|
||
%endif
|
||
|
||
%description common
|
||
IPA is an integrated solution to provide centrally managed Identity (users,
|
||
hosts, services), Authentication (SSO, 2FA), and Authorization
|
||
(host access control, SELinux user roles, services). The solution provides
|
||
features for further integration with Linux based clients (SUDO, automount)
|
||
and integration with Active Directory based infrastructures (Trusts).
|
||
If you are using IPA, you need to install this package.
|
||
|
||
|
||
%if %{with ipatests}
|
||
|
||
%package -n python3-ipatests
|
||
Summary: IPA tests and test tools
|
||
BuildArch: noarch
|
||
%{?python_provide:%python_provide python3-ipatests}
|
||
Requires: python3-ipaclient = %{version}-%{release}
|
||
Requires: python3-ipaserver = %{version}-%{release}
|
||
Requires: iptables
|
||
Requires: python3-cryptography >= 1.6
|
||
Requires: python3-pexpect
|
||
%if 0%{?fedora}
|
||
# These packages do not exist on RHEL and for ipatests use
|
||
# they are installed on the controller through other means
|
||
Requires: ldns-utils
|
||
# update-crypto-policies
|
||
Requires: crypto-policies-scripts
|
||
Requires: python3-polib
|
||
Requires: python3-pytest >= 3.9.1
|
||
Requires: python3-pytest-multihost >= 0.5
|
||
Requires: python3-pytest-sourceorder
|
||
Requires: sshpass
|
||
%endif
|
||
Requires: python3-sssdconfig >= %{sssd_version}
|
||
Requires: tar
|
||
Requires: xz
|
||
Requires: openssh-clients
|
||
%if 0%{?rhel}
|
||
AutoReqProv: no
|
||
%endif
|
||
|
||
%description -n python3-ipatests
|
||
IPA is an integrated solution to provide centrally managed Identity (users,
|
||
hosts, services), Authentication (SSO, 2FA), and Authorization
|
||
(host access control, SELinux user roles, services). The solution provides
|
||
features for further integration with Linux based clients (SUDO, automount)
|
||
and integration with Active Directory based infrastructures (Trusts).
|
||
This package contains tests that verify IPA functionality under Python 3.
|
||
|
||
# with ipatests
|
||
%endif
|
||
|
||
|
||
%if %{with selinux}
|
||
# SELinux subpackage
|
||
%package selinux
|
||
Summary: FreeIPA SELinux policy
|
||
BuildArch: noarch
|
||
Requires: selinux-policy-%{selinuxtype}
|
||
Requires(post): selinux-policy-%{selinuxtype}
|
||
%{?selinux_requires}
|
||
|
||
%description selinux
|
||
Custom SELinux policy module for FreeIPA
|
||
# with selinux
|
||
%endif
|
||
|
||
|
||
%prep
|
||
# Update timestamps on the files touched by a patch, to avoid non-equal
|
||
# .pyc/.pyo files across the multilib peers within a build, where "Level"
|
||
# is the patch prefix option (e.g. -p1)
|
||
# Taken from specfile for sssd and python-simplejson
|
||
UpdateTimestamps() {
|
||
Level=$1
|
||
PatchFile=$2
|
||
|
||
# Locate the affected files:
|
||
for f in $(diffstat $Level -l $PatchFile); do
|
||
# Set the files to have the same timestamp as that of the patch:
|
||
touch -c -r $PatchFile $f
|
||
done
|
||
}
|
||
|
||
%setup -n freeipa-%{version}%{?rc_version} -q
|
||
|
||
# To allow proper application patches to the stripped po files, strip originals
|
||
pushd po
|
||
for i in *.po ; do
|
||
msgattrib --translated --no-fuzzy --no-location -s $i > $i.tmp || exit 1
|
||
mv $i.tmp $i || exit 1
|
||
done
|
||
popd
|
||
|
||
for p in %patches ; do
|
||
%__patch -p1 -i $p
|
||
UpdateTimestamps -p1 $p
|
||
done
|
||
|
||
%build
|
||
# PATH is workaround for https://bugzilla.redhat.com/show_bug.cgi?id=1005235
|
||
export PATH=/usr/bin:/usr/sbin:$PATH
|
||
|
||
export PYTHON=%{__python3}
|
||
autoreconf -ivf
|
||
%configure --with-vendor-suffix=-%{release} \
|
||
%{enable_server_option} \
|
||
%{with_ipatests_option} \
|
||
%{with_ipa_join_xml_option} \
|
||
%{linter_options}
|
||
|
||
# run build in default dir
|
||
# -Onone is workaround for https://bugzilla.redhat.com/show_bug.cgi?id=1398405
|
||
%make_build -Onone
|
||
|
||
|
||
%check
|
||
make %{?_smp_mflags} check VERBOSE=yes LIBDIR=%{_libdir}
|
||
|
||
|
||
%install
|
||
# Please put as much logic as possible into make install. It allows:
|
||
# - easier porting to other distributions
|
||
# - rapid devel & install cycle using make install
|
||
# (instead of full RPM build and installation each time)
|
||
#
|
||
# All files and directories created by spec install should be marked as ghost.
|
||
# (These are typically configuration files created by IPA installer.)
|
||
# All other artifacts should be created by make install.
|
||
|
||
%make_install
|
||
|
||
# don't package ipasphinx for now
|
||
rm -rf %{buildroot}%{python3_sitelib}/ipasphinx*
|
||
|
||
%if %{with ipatests}
|
||
mv %{buildroot}%{_bindir}/ipa-run-tests %{buildroot}%{_bindir}/ipa-run-tests-%{python3_version}
|
||
mv %{buildroot}%{_bindir}/ipa-test-config %{buildroot}%{_bindir}/ipa-test-config-%{python3_version}
|
||
mv %{buildroot}%{_bindir}/ipa-test-task %{buildroot}%{_bindir}/ipa-test-task-%{python3_version}
|
||
ln -rs %{buildroot}%{_bindir}/ipa-run-tests-%{python3_version} %{buildroot}%{_bindir}/ipa-run-tests-3
|
||
ln -rs %{buildroot}%{_bindir}/ipa-test-config-%{python3_version} %{buildroot}%{_bindir}/ipa-test-config-3
|
||
ln -rs %{buildroot}%{_bindir}/ipa-test-task-%{python3_version} %{buildroot}%{_bindir}/ipa-test-task-3
|
||
ln -frs %{buildroot}%{_bindir}/ipa-run-tests-%{python3_version} %{buildroot}%{_bindir}/ipa-run-tests
|
||
ln -frs %{buildroot}%{_bindir}/ipa-test-config-%{python3_version} %{buildroot}%{_bindir}/ipa-test-config
|
||
ln -frs %{buildroot}%{_bindir}/ipa-test-task-%{python3_version} %{buildroot}%{_bindir}/ipa-test-task
|
||
# with_ipatests
|
||
%endif
|
||
|
||
# remove files which are useful only for make uninstall
|
||
find %{buildroot} -wholename '*/site-packages/*/install_files.txt' -exec rm {} \;
|
||
|
||
%if 0%{?rhel}
|
||
# RHEL spec file only: START
|
||
# Moved branding logos and background to redhat-logos-ipa-80.4:
|
||
# header-logo.png, login-screen-background.jpg, login-screen-logo.png,
|
||
# product-name.png
|
||
rm -f %{buildroot}%{_usr}/share/ipa/ui/images/header-logo.png
|
||
rm -f %{buildroot}%{_usr}/share/ipa/ui/images/login-screen-background.jpg
|
||
rm -f %{buildroot}%{_usr}/share/ipa/ui/images/login-screen-logo.png
|
||
rm -f %{buildroot}%{_usr}/share/ipa/ui/images/product-name.png
|
||
%endif
|
||
# RHEL spec file only: END
|
||
|
||
%find_lang %{gettext_domain}
|
||
|
||
%if ! %{ONLY_CLIENT}
|
||
# Remove .la files from libtool - we don't want to package
|
||
# these files
|
||
rm %{buildroot}/%{plugin_dir}/libipa_pwd_extop.la
|
||
rm %{buildroot}/%{plugin_dir}/libipa_enrollment_extop.la
|
||
rm %{buildroot}/%{plugin_dir}/libipa_winsync.la
|
||
rm %{buildroot}/%{plugin_dir}/libipa_repl_version.la
|
||
rm %{buildroot}/%{plugin_dir}/libipa_uuid.la
|
||
rm %{buildroot}/%{plugin_dir}/libipa_modrdn.la
|
||
rm %{buildroot}/%{plugin_dir}/libipa_lockout.la
|
||
rm %{buildroot}/%{plugin_dir}/libipa_cldap.la
|
||
rm %{buildroot}/%{plugin_dir}/libipa_dns.la
|
||
rm %{buildroot}/%{plugin_dir}/libipa_sidgen.la
|
||
rm %{buildroot}/%{plugin_dir}/libipa_sidgen_task.la
|
||
rm %{buildroot}/%{plugin_dir}/libipa_extdom_extop.la
|
||
rm %{buildroot}/%{plugin_dir}/libipa_range_check.la
|
||
rm %{buildroot}/%{plugin_dir}/libipa_otp_counter.la
|
||
rm %{buildroot}/%{plugin_dir}/libipa_otp_lasttoken.la
|
||
rm %{buildroot}/%{plugin_dir}/libtopology.la
|
||
rm %{buildroot}/%{_libdir}/krb5/plugins/kdb/ipadb.la
|
||
rm %{buildroot}/%{_libdir}/samba/pdb/ipasam.la
|
||
|
||
# So we can own our Apache configuration
|
||
mkdir -p %{buildroot}%{_sysconfdir}/httpd/conf.d/
|
||
/bin/touch %{buildroot}%{_sysconfdir}/httpd/conf.d/ipa.conf
|
||
/bin/touch %{buildroot}%{_sysconfdir}/httpd/conf.d/ipa-kdc-proxy.conf
|
||
/bin/touch %{buildroot}%{_sysconfdir}/httpd/conf.d/ipa-pki-proxy.conf
|
||
/bin/touch %{buildroot}%{_sysconfdir}/httpd/conf.d/ipa-rewrite.conf
|
||
/bin/touch %{buildroot}%{_usr}/share/ipa/html/ca.crt
|
||
/bin/touch %{buildroot}%{_usr}/share/ipa/html/krb.con
|
||
/bin/touch %{buildroot}%{_usr}/share/ipa/html/krb5.ini
|
||
/bin/touch %{buildroot}%{_usr}/share/ipa/html/krbrealm.con
|
||
|
||
mkdir -p %{buildroot}%{_libdir}/krb5/plugins/libkrb5
|
||
touch %{buildroot}%{_libdir}/krb5/plugins/libkrb5/winbind_krb5_locator.so
|
||
|
||
# ONLY_CLIENT
|
||
%endif
|
||
|
||
/bin/touch %{buildroot}%{_sysconfdir}/ipa/default.conf
|
||
/bin/touch %{buildroot}%{_sysconfdir}/ipa/ca.crt
|
||
|
||
%if ! %{ONLY_CLIENT}
|
||
mkdir -p %{buildroot}%{_sysconfdir}/cron.d
|
||
# ONLY_CLIENT
|
||
%endif
|
||
|
||
%if ! %{ONLY_CLIENT}
|
||
|
||
%post server
|
||
# NOTE: systemd specific section
|
||
/bin/systemctl --system daemon-reload 2>&1 || :
|
||
# END
|
||
if [ $1 -gt 1 ] ; then
|
||
/bin/systemctl condrestart certmonger.service 2>&1 || :
|
||
fi
|
||
/bin/systemctl reload-or-try-restart dbus
|
||
/bin/systemctl reload-or-try-restart oddjobd
|
||
|
||
%tmpfiles_create ipa.conf
|
||
|
||
%posttrans server
|
||
# don't execute upgrade and restart of IPA when server is not installed
|
||
%{__python3} -c "import sys; from ipalib import facts; sys.exit(0 if facts.is_ipa_configured() else 1);" > /dev/null 2>&1
|
||
|
||
if [ $? -eq 0 ]; then
|
||
# This is necessary for Fedora system upgrades which by default
|
||
# work with the network being offline
|
||
/bin/systemctl start network-online.target
|
||
|
||
# Restart IPA processes. This must be also run in postrans so that plugins
|
||
# and software is in consistent state. This will also perform the
|
||
# system upgrade.
|
||
# NOTE: systemd specific section
|
||
|
||
/bin/systemctl is-enabled ipa.service >/dev/null 2>&1
|
||
if [ $? -eq 0 ]; then
|
||
/bin/systemctl restart ipa.service >/dev/null
|
||
fi
|
||
|
||
/bin/systemctl is-enabled ipa-ccache-sweep.timer >/dev/null 2>&1
|
||
if [ $? -eq 1 ]; then
|
||
/bin/systemctl enable ipa-ccache-sweep.timer>/dev/null
|
||
fi
|
||
fi
|
||
# END
|
||
|
||
|
||
%preun server
|
||
if [ $1 = 0 ]; then
|
||
# NOTE: systemd specific section
|
||
/bin/systemctl --quiet stop ipa.service || :
|
||
/bin/systemctl --quiet disable ipa.service || :
|
||
/bin/systemctl reload-or-try-restart dbus
|
||
/bin/systemctl reload-or-try-restart oddjobd
|
||
# END
|
||
fi
|
||
|
||
|
||
%pre server
|
||
# Stop ipa_kpasswd if it exists before upgrading so we don't have a
|
||
# zombie process when we're done.
|
||
if [ -e /usr/sbin/ipa_kpasswd ]; then
|
||
# NOTE: systemd specific section
|
||
/bin/systemctl stop ipa_kpasswd.service >/dev/null 2>&1 || :
|
||
# END
|
||
fi
|
||
|
||
|
||
%pre server-common
|
||
# create users and groups
|
||
# create kdcproxy group and user
|
||
getent group kdcproxy >/dev/null || groupadd -f -r kdcproxy
|
||
getent passwd kdcproxy >/dev/null || useradd -r -g kdcproxy -s /sbin/nologin -d / -c "IPA KDC Proxy User" kdcproxy
|
||
# create ipaapi group and user
|
||
getent group ipaapi >/dev/null || groupadd -f -r ipaapi
|
||
getent passwd ipaapi >/dev/null || useradd -r -g ipaapi -s /sbin/nologin -d / -c "IPA Framework User" ipaapi
|
||
# add apache to ipaaapi group
|
||
id -Gn apache | grep '\bipaapi\b' >/dev/null || usermod apache -a -G ipaapi
|
||
|
||
|
||
%post server-dns
|
||
%systemd_post ipa-dnskeysyncd.service ipa-ods-exporter.socket ipa-ods-exporter.service
|
||
|
||
%preun server-dns
|
||
%systemd_preun ipa-dnskeysyncd.service ipa-ods-exporter.socket ipa-ods-exporter.service
|
||
|
||
%postun server-dns
|
||
%systemd_postun ipa-dnskeysyncd.service ipa-ods-exporter.socket ipa-ods-exporter.service
|
||
|
||
|
||
%postun server-trust-ad
|
||
if [ "$1" -ge "1" ]; then
|
||
if [ "`readlink %{_sysconfdir}/alternatives/winbind_krb5_locator.so`" == "/dev/null" ]; then
|
||
%{_sbindir}/alternatives --set winbind_krb5_locator.so /dev/null
|
||
fi
|
||
fi
|
||
|
||
|
||
%post server-trust-ad
|
||
%{_sbindir}/update-alternatives --install %{_libdir}/krb5/plugins/libkrb5/winbind_krb5_locator.so \
|
||
winbind_krb5_locator.so /dev/null 90
|
||
/bin/systemctl reload-or-try-restart dbus
|
||
/bin/systemctl reload-or-try-restart oddjobd
|
||
|
||
|
||
%posttrans server-trust-ad
|
||
%{__python3} -c "import sys; from ipalib import facts; sys.exit(0 if facts.is_ipa_configured() else 1);" > /dev/null 2>&1
|
||
if [ $? -eq 0 ]; then
|
||
# NOTE: systemd specific section
|
||
/bin/systemctl try-restart httpd.service >/dev/null 2>&1 || :
|
||
# END
|
||
fi
|
||
|
||
|
||
%preun server-trust-ad
|
||
if [ $1 -eq 0 ]; then
|
||
%{_sbindir}/update-alternatives --remove winbind_krb5_locator.so /dev/null
|
||
/bin/systemctl reload-or-try-restart dbus
|
||
/bin/systemctl reload-or-try-restart oddjobd
|
||
fi
|
||
|
||
# ONLY_CLIENT
|
||
%endif
|
||
|
||
%preun client-epn
|
||
%systemd_preun ipa-epn.service
|
||
%systemd_preun ipa-epn.timer
|
||
|
||
%postun client-epn
|
||
%systemd_postun ipa-epn.service
|
||
%systemd_postun ipa-epn.timer
|
||
|
||
%post client-epn
|
||
%systemd_post ipa-epn.service
|
||
%systemd_post ipa-epn.timer
|
||
|
||
%post client
|
||
if [ $1 -gt 1 ] ; then
|
||
# Has the client been configured?
|
||
restore=0
|
||
test -f '/var/lib/ipa-client/sysrestore/sysrestore.index' && restore=$(wc -l '/var/lib/ipa-client/sysrestore/sysrestore.index' | awk '{print $1}')
|
||
|
||
if [ -f '/etc/sssd/sssd.conf' -a $restore -ge 2 ]; then
|
||
if ! grep -E -q '/var/lib/sss/pubconf/krb5.include.d/' /etc/krb5.conf 2>/dev/null ; then
|
||
echo "includedir /var/lib/sss/pubconf/krb5.include.d/" > /etc/krb5.conf.ipanew
|
||
cat /etc/krb5.conf >> /etc/krb5.conf.ipanew
|
||
mv -Z /etc/krb5.conf.ipanew /etc/krb5.conf
|
||
fi
|
||
fi
|
||
|
||
if [ $restore -ge 2 ]; then
|
||
if grep -E -q '\s*pkinit_anchors = FILE:/etc/ipa/ca.crt$' /etc/krb5.conf 2>/dev/null; then
|
||
sed -E 's|(\s*)pkinit_anchors = FILE:/etc/ipa/ca.crt$|\1pkinit_anchors = FILE:/var/lib/ipa-client/pki/kdc-ca-bundle.pem\n\1pkinit_pool = FILE:/var/lib/ipa-client/pki/ca-bundle.pem|' /etc/krb5.conf >/etc/krb5.conf.ipanew
|
||
mv -Z /etc/krb5.conf.ipanew /etc/krb5.conf
|
||
cp /etc/ipa/ca.crt /var/lib/ipa-client/pki/kdc-ca-bundle.pem
|
||
cp /etc/ipa/ca.crt /var/lib/ipa-client/pki/ca-bundle.pem
|
||
fi
|
||
|
||
%{__python3} -c 'from ipaclient.install.client import configure_krb5_snippet; configure_krb5_snippet()' >>/var/log/ipaupgrade.log 2>&1
|
||
%{__python3} -c 'from ipaclient.install.client import update_ipa_nssdb; update_ipa_nssdb()' >>/var/log/ipaupgrade.log 2>&1
|
||
SSH_CLIENT_SYSTEM_CONF="/etc/ssh/ssh_config"
|
||
if [ -f "$SSH_CLIENT_SYSTEM_CONF" ]; then
|
||
sed -E --in-place=.orig 's/^(HostKeyAlgorithms ssh-rsa,ssh-dss)$/# disabled by ipa-client update\n# \1/' "$SSH_CLIENT_SYSTEM_CONF"
|
||
fi
|
||
fi
|
||
fi
|
||
|
||
|
||
%if %{with selinux}
|
||
# SELinux contexts are saved so that only affected files can be
|
||
# relabeled after the policy module installation
|
||
%pre selinux
|
||
%selinux_relabel_pre -s %{selinuxtype}
|
||
|
||
%post selinux
|
||
semodule -d ipa_custodia &> /dev/null || true;
|
||
%selinux_modules_install -s %{selinuxtype} %{_datadir}/selinux/packages/%{selinuxtype}/%{modulename}.pp.bz2
|
||
|
||
%postun selinux
|
||
if [ $1 -eq 0 ]; then
|
||
%selinux_modules_uninstall -s %{selinuxtype} %{modulename}
|
||
semodule -e ipa_custodia &> /dev/null || true;
|
||
fi
|
||
|
||
%posttrans selinux
|
||
%selinux_relabel_post -s %{selinuxtype}
|
||
# with_selinux
|
||
%endif
|
||
|
||
|
||
%triggerin client -- openssh-server < 8.2
|
||
# Has the client been configured?
|
||
restore=0
|
||
test -f '/var/lib/ipa-client/sysrestore/sysrestore.index' && restore=$(wc -l '/var/lib/ipa-client/sysrestore/sysrestore.index' | awk '{print $1}')
|
||
|
||
if [ -f '/etc/ssh/sshd_config' -a $restore -ge 2 ]; then
|
||
if grep -E -q '^(AuthorizedKeysCommand /usr/bin/sss_ssh_authorizedkeys|PubKeyAgent /usr/bin/sss_ssh_authorizedkeys %u)$' /etc/ssh/sshd_config 2>/dev/null; then
|
||
sed -r '
|
||
/^(AuthorizedKeysCommand(User|RunAs)|PubKeyAgentRunAs)[ \t]/ d
|
||
' /etc/ssh/sshd_config >/etc/ssh/sshd_config.ipanew
|
||
|
||
if /usr/sbin/sshd -t -f /dev/null -o 'AuthorizedKeysCommand=/usr/bin/sss_ssh_authorizedkeys' -o 'AuthorizedKeysCommandUser=nobody' 2>/dev/null; then
|
||
sed -ri '
|
||
s/^PubKeyAgent (.+) %u$/AuthorizedKeysCommand \1/
|
||
s/^AuthorizedKeysCommand .*$/\0\nAuthorizedKeysCommandUser nobody/
|
||
' /etc/ssh/sshd_config.ipanew
|
||
elif /usr/sbin/sshd -t -f /dev/null -o 'AuthorizedKeysCommand=/usr/bin/sss_ssh_authorizedkeys' -o 'AuthorizedKeysCommandRunAs=nobody' 2>/dev/null; then
|
||
sed -ri '
|
||
s/^PubKeyAgent (.+) %u$/AuthorizedKeysCommand \1/
|
||
s/^AuthorizedKeysCommand .*$/\0\nAuthorizedKeysCommandRunAs nobody/
|
||
' /etc/ssh/sshd_config.ipanew
|
||
elif /usr/sbin/sshd -t -f /dev/null -o 'PubKeyAgent=/usr/bin/sss_ssh_authorizedkeys %u' -o 'PubKeyAgentRunAs=nobody' 2>/dev/null; then
|
||
sed -ri '
|
||
s/^AuthorizedKeysCommand (.+)$/PubKeyAgent \1 %u/
|
||
s/^PubKeyAgent .*$/\0\nPubKeyAgentRunAs nobody/
|
||
' /etc/ssh/sshd_config.ipanew
|
||
fi
|
||
|
||
mv -Z /etc/ssh/sshd_config.ipanew /etc/ssh/sshd_config
|
||
chmod 600 /etc/ssh/sshd_config
|
||
|
||
/bin/systemctl condrestart sshd.service 2>&1 || :
|
||
fi
|
||
fi
|
||
|
||
|
||
%triggerin client -- openssh-server >= 8.2
|
||
# Has the client been configured?
|
||
restore=0
|
||
test -f '/var/lib/ipa-client/sysrestore/sysrestore.index' && restore=$(wc -l '/var/lib/ipa-client/sysrestore/sysrestore.index' | awk '{print $1}')
|
||
|
||
if [ -f '/etc/ssh/sshd_config' -a $restore -ge 2 ]; then
|
||
# If the snippet already exists, skip
|
||
if [ ! -f '/etc/ssh/sshd_config.d/04-ipa.conf' ]; then
|
||
# Take the values from /etc/ssh/sshd_config and put them in 04-ipa.conf
|
||
grep -E '^(PubkeyAuthentication|KerberosAuthentication|GSSAPIAuthentication|UsePAM|ChallengeResponseAuthentication|AuthorizedKeysCommand|AuthorizedKeysCommandUser)' /etc/ssh/sshd_config 2>/dev/null > /etc/ssh/sshd_config.d/04-ipa.conf
|
||
# Remove the values from sshd_conf
|
||
sed -ri '
|
||
/^(PubkeyAuthentication|KerberosAuthentication|GSSAPIAuthentication|UsePAM|ChallengeResponseAuthentication|AuthorizedKeysCommand|AuthorizedKeysCommandUser)[ \t]/ d
|
||
' /etc/ssh/sshd_config
|
||
|
||
/bin/systemctl condrestart sshd.service 2>&1 || :
|
||
fi
|
||
# If the snippet has been created, ensure that it is included
|
||
# either by /etc/ssh/sshd_config.d/*.conf or directly
|
||
if [ -f '/etc/ssh/sshd_config.d/04-ipa.conf' ]; then
|
||
if ! grep -E -q '^\s*Include\s*/etc/ssh/sshd_config.d/\*\.conf' /etc/ssh/sshd_config 2> /dev/null ; then
|
||
if ! grep -E -q '^\s*Include\s*/etc/ssh/sshd_config.d/04-ipa\.conf' /etc/ssh/sshd_config 2> /dev/null ; then
|
||
# Include the snippet
|
||
echo "Include /etc/ssh/sshd_config.d/04-ipa.conf" > /etc/ssh/sshd_config.ipanew
|
||
cat /etc/ssh/sshd_config >> /etc/ssh/sshd_config.ipanew
|
||
mv -fZ --backup=existing --suffix .ipaold /etc/ssh/sshd_config.ipanew /etc/ssh/sshd_config
|
||
fi
|
||
fi
|
||
fi
|
||
fi
|
||
|
||
|
||
%if ! %{ONLY_CLIENT}
|
||
|
||
%files server
|
||
%doc README.md Contributors.txt
|
||
%license COPYING
|
||
%{_sbindir}/ipa-backup
|
||
%{_sbindir}/ipa-restore
|
||
%{_sbindir}/ipa-ca-install
|
||
%{_sbindir}/ipa-kra-install
|
||
%{_sbindir}/ipa-server-install
|
||
%{_sbindir}/ipa-replica-conncheck
|
||
%{_sbindir}/ipa-replica-install
|
||
%{_sbindir}/ipa-replica-manage
|
||
%{_sbindir}/ipa-csreplica-manage
|
||
%{_sbindir}/ipa-server-certinstall
|
||
%{_sbindir}/ipa-server-upgrade
|
||
%{_sbindir}/ipa-ldap-updater
|
||
%{_sbindir}/ipa-otptoken-import
|
||
%{_sbindir}/ipa-compat-manage
|
||
%{_sbindir}/ipa-nis-manage
|
||
%{_sbindir}/ipa-managed-entries
|
||
%{_sbindir}/ipactl
|
||
%{_sbindir}/ipa-advise
|
||
%{_sbindir}/ipa-cacert-manage
|
||
%{_sbindir}/ipa-winsync-migrate
|
||
%{_sbindir}/ipa-pkinit-manage
|
||
%{_sbindir}/ipa-crlgen-manage
|
||
%{_sbindir}/ipa-cert-fix
|
||
%{_sbindir}/ipa-acme-manage
|
||
%{_libexecdir}/certmonger/dogtag-ipa-ca-renew-agent-submit
|
||
%{_libexecdir}/certmonger/ipa-server-guard
|
||
%dir %{_libexecdir}/ipa
|
||
%{_libexecdir}/ipa/ipa-ccache-sweeper
|
||
%{_libexecdir}/ipa/ipa-custodia
|
||
%{_libexecdir}/ipa/ipa-custodia-check
|
||
%{_libexecdir}/ipa/ipa-httpd-kdcproxy
|
||
%{_libexecdir}/ipa/ipa-httpd-pwdreader
|
||
%{_libexecdir}/ipa/ipa-pki-retrieve-key
|
||
%{_libexecdir}/ipa/ipa-pki-wait-running
|
||
%{_libexecdir}/ipa/ipa-otpd
|
||
%{_libexecdir}/ipa/ipa-print-pac
|
||
%{_libexecdir}/ipa/ipa-subids
|
||
%dir %{_libexecdir}/ipa/custodia
|
||
%attr(755,root,root) %{_libexecdir}/ipa/custodia/ipa-custodia-dmldap
|
||
%attr(755,root,root) %{_libexecdir}/ipa/custodia/ipa-custodia-pki-tomcat
|
||
%attr(755,root,root) %{_libexecdir}/ipa/custodia/ipa-custodia-pki-tomcat-wrapped
|
||
%attr(755,root,root) %{_libexecdir}/ipa/custodia/ipa-custodia-ra-agent
|
||
%dir %{_libexecdir}/ipa/oddjob
|
||
%attr(0755,root,root) %{_libexecdir}/ipa/oddjob/org.freeipa.server.conncheck
|
||
%attr(0755,root,root) %{_libexecdir}/ipa/oddjob/org.freeipa.server.trust-enable-agent
|
||
%config(noreplace) %{_sysconfdir}/dbus-1/system.d/org.freeipa.server.conf
|
||
%config(noreplace) %{_sysconfdir}/oddjobd.conf.d/ipa-server.conf
|
||
%dir %{_libexecdir}/ipa/certmonger
|
||
%attr(755,root,root) %{_libexecdir}/ipa/certmonger/*
|
||
# NOTE: systemd specific section
|
||
%attr(644,root,root) %{_unitdir}/ipa.service
|
||
%attr(644,root,root) %{_unitdir}/ipa-otpd.socket
|
||
%attr(644,root,root) %{_unitdir}/ipa-otpd@.service
|
||
%attr(644,root,root) %{_unitdir}/ipa-ccache-sweep.service
|
||
%attr(644,root,root) %{_unitdir}/ipa-ccache-sweep.timer
|
||
# END
|
||
%attr(755,root,root) %{plugin_dir}/libipa_pwd_extop.so
|
||
%attr(755,root,root) %{plugin_dir}/libipa_enrollment_extop.so
|
||
%attr(755,root,root) %{plugin_dir}/libipa_winsync.so
|
||
%attr(755,root,root) %{plugin_dir}/libipa_repl_version.so
|
||
%attr(755,root,root) %{plugin_dir}/libipa_uuid.so
|
||
%attr(755,root,root) %{plugin_dir}/libipa_modrdn.so
|
||
%attr(755,root,root) %{plugin_dir}/libipa_lockout.so
|
||
%attr(755,root,root) %{plugin_dir}/libipa_dns.so
|
||
%attr(755,root,root) %{plugin_dir}/libipa_range_check.so
|
||
%attr(755,root,root) %{plugin_dir}/libipa_otp_counter.so
|
||
%attr(755,root,root) %{plugin_dir}/libipa_otp_lasttoken.so
|
||
%attr(755,root,root) %{plugin_dir}/libtopology.so
|
||
%attr(755,root,root) %{plugin_dir}/libipa_sidgen.so
|
||
%attr(755,root,root) %{plugin_dir}/libipa_sidgen_task.so
|
||
%attr(755,root,root) %{plugin_dir}/libipa_extdom_extop.so
|
||
%attr(755,root,root) %{_libdir}/krb5/plugins/kdb/ipadb.so
|
||
%{_mandir}/man1/ipa-replica-conncheck.1*
|
||
%{_mandir}/man1/ipa-replica-install.1*
|
||
%{_mandir}/man1/ipa-replica-manage.1*
|
||
%{_mandir}/man1/ipa-csreplica-manage.1*
|
||
%{_mandir}/man1/ipa-server-certinstall.1*
|
||
%{_mandir}/man1/ipa-server-install.1*
|
||
%{_mandir}/man1/ipa-server-upgrade.1*
|
||
%{_mandir}/man1/ipa-ca-install.1*
|
||
%{_mandir}/man1/ipa-kra-install.1*
|
||
%{_mandir}/man1/ipa-compat-manage.1*
|
||
%{_mandir}/man1/ipa-nis-manage.1*
|
||
%{_mandir}/man1/ipa-managed-entries.1*
|
||
%{_mandir}/man1/ipa-ldap-updater.1*
|
||
%{_mandir}/man8/ipactl.8*
|
||
%{_mandir}/man1/ipa-backup.1*
|
||
%{_mandir}/man1/ipa-restore.1*
|
||
%{_mandir}/man1/ipa-advise.1*
|
||
%{_mandir}/man1/ipa-otptoken-import.1*
|
||
%{_mandir}/man1/ipa-cacert-manage.1*
|
||
%{_mandir}/man1/ipa-winsync-migrate.1*
|
||
%{_mandir}/man1/ipa-pkinit-manage.1*
|
||
%{_mandir}/man1/ipa-crlgen-manage.1*
|
||
%{_mandir}/man1/ipa-cert-fix.1*
|
||
%{_mandir}/man1/ipa-acme-manage.1*
|
||
|
||
|
||
%files -n python3-ipaserver
|
||
%doc README.md Contributors.txt
|
||
%license COPYING
|
||
%{python3_sitelib}/ipaserver
|
||
%{python3_sitelib}/ipaserver-*.egg-info
|
||
|
||
|
||
%files server-common
|
||
%doc README.md Contributors.txt
|
||
%license COPYING
|
||
%ghost %verify(not owner group) %dir %{_sharedstatedir}/kdcproxy
|
||
%dir %attr(0755,root,root) %{_sysconfdir}/ipa/kdcproxy
|
||
%config(noreplace) %{_sysconfdir}/ipa/kdcproxy/kdcproxy.conf
|
||
# NOTE: systemd specific section
|
||
%{_tmpfilesdir}/ipa.conf
|
||
%attr(644,root,root) %{_unitdir}/ipa-custodia.service
|
||
%ghost %attr(644,root,root) %{etc_systemd_dir}/httpd.d/ipa.conf
|
||
# END
|
||
%{_usr}/share/ipa/wsgi.py*
|
||
%{_usr}/share/ipa/kdcproxy.wsgi
|
||
%{_usr}/share/ipa/ipaca*.ini
|
||
%{_usr}/share/ipa/*.ldif
|
||
%exclude %{_datadir}/ipa/ipa-cldap-conf.ldif
|
||
%{_usr}/share/ipa/*.uldif
|
||
%{_usr}/share/ipa/*.template
|
||
%dir %{_usr}/share/ipa/advise
|
||
%dir %{_usr}/share/ipa/advise/legacy
|
||
%{_usr}/share/ipa/advise/legacy/*.template
|
||
%dir %{_usr}/share/ipa/profiles
|
||
%{_usr}/share/ipa/profiles/README
|
||
%{_usr}/share/ipa/profiles/*.cfg
|
||
%dir %{_usr}/share/ipa/html
|
||
%{_usr}/share/ipa/html/ssbrowser.html
|
||
%{_usr}/share/ipa/html/unauthorized.html
|
||
%dir %{_usr}/share/ipa/migration
|
||
%{_usr}/share/ipa/migration/index.html
|
||
%{_usr}/share/ipa/migration/migration.py*
|
||
%dir %{_usr}/share/ipa/ui
|
||
%{_usr}/share/ipa/ui/index.html
|
||
%{_usr}/share/ipa/ui/reset_password.html
|
||
%{_usr}/share/ipa/ui/sync_otp.html
|
||
%{_usr}/share/ipa/ui/*.ico
|
||
%{_usr}/share/ipa/ui/*.css
|
||
%dir %{_usr}/share/ipa/ui/css
|
||
%{_usr}/share/ipa/ui/css/*.css
|
||
%dir %{_usr}/share/ipa/ui/js
|
||
%dir %{_usr}/share/ipa/ui/js/dojo
|
||
%{_usr}/share/ipa/ui/js/dojo/dojo.js
|
||
%dir %{_usr}/share/ipa/ui/js/libs
|
||
%{_usr}/share/ipa/ui/js/libs/*.js
|
||
%dir %{_usr}/share/ipa/ui/js/freeipa
|
||
%{_usr}/share/ipa/ui/js/freeipa/app.js
|
||
%{_usr}/share/ipa/ui/js/freeipa/core.js
|
||
%dir %{_usr}/share/ipa/ui/js/plugins
|
||
%dir %{_usr}/share/ipa/ui/images
|
||
%if 0%{?rhel}
|
||
%{_usr}/share/ipa/ui/images/facet-*.png
|
||
# Moved branding logos and background to redhat-logos-ipa-80.4:
|
||
# header-logo.png, login-screen-background.jpg, login-screen-logo.png,
|
||
# product-name.png
|
||
%else
|
||
%{_usr}/share/ipa/ui/images/*.jpg
|
||
%{_usr}/share/ipa/ui/images/*.png
|
||
%endif
|
||
%dir %{_usr}/share/ipa/wsgi
|
||
%{_usr}/share/ipa/wsgi/plugins.py*
|
||
%dir %{_sysconfdir}/ipa
|
||
%dir %{_sysconfdir}/ipa/html
|
||
%config(noreplace) %{_sysconfdir}/ipa/html/ssbrowser.html
|
||
%config(noreplace) %{_sysconfdir}/ipa/html/unauthorized.html
|
||
%ghost %attr(0644,root,root) %config(noreplace) %{_sysconfdir}/httpd/conf.d/ipa-rewrite.conf
|
||
%ghost %attr(0644,root,root) %config(noreplace) %{_sysconfdir}/httpd/conf.d/ipa.conf
|
||
%ghost %attr(0644,root,root) %config(noreplace) %{_sysconfdir}/httpd/conf.d/ipa-kdc-proxy.conf
|
||
%ghost %attr(0640,root,root) %config(noreplace) %{_sysconfdir}/httpd/conf.d/ipa-pki-proxy.conf
|
||
%ghost %attr(0644,root,root) %config(noreplace) %{_sysconfdir}/ipa/kdcproxy/ipa-kdc-proxy.conf
|
||
%ghost %attr(0644,root,root) %config(noreplace) %{_usr}/share/ipa/html/ca.crt
|
||
%ghost %attr(0640,root,named) %config(noreplace) %{_sysconfdir}/named/ipa-ext.conf
|
||
%ghost %attr(0640,root,named) %config(noreplace) %{_sysconfdir}/named/ipa-options-ext.conf
|
||
%ghost %attr(0644,root,root) %{_usr}/share/ipa/html/krb.con
|
||
%ghost %attr(0644,root,root) %{_usr}/share/ipa/html/krb5.ini
|
||
%ghost %attr(0644,root,root) %{_usr}/share/ipa/html/krbrealm.con
|
||
%dir %{_usr}/share/ipa/updates/
|
||
%{_usr}/share/ipa/updates/*
|
||
%dir %{_localstatedir}/lib/ipa
|
||
%attr(700,root,root) %dir %{_localstatedir}/lib/ipa/backup
|
||
%attr(700,root,root) %dir %{_localstatedir}/lib/ipa/gssproxy
|
||
%attr(711,root,root) %dir %{_localstatedir}/lib/ipa/sysrestore
|
||
%attr(700,root,root) %dir %{_localstatedir}/lib/ipa/sysupgrade
|
||
%attr(755,root,root) %dir %{_localstatedir}/lib/ipa/pki-ca
|
||
%attr(755,root,root) %dir %{_localstatedir}/lib/ipa/certs
|
||
%attr(700,root,root) %dir %{_localstatedir}/lib/ipa/private
|
||
%attr(700,root,root) %dir %{_localstatedir}/lib/ipa/passwds
|
||
%ghost %attr(775,root,pkiuser) %{_localstatedir}/lib/ipa/pki-ca/publish
|
||
%ghost %attr(770,named,named) %{_localstatedir}/named/dyndb-ldap/ipa
|
||
%dir %attr(0700,root,root) %{_sysconfdir}/ipa/custodia
|
||
%dir %{_usr}/share/ipa/schema.d
|
||
%attr(0644,root,root) %{_usr}/share/ipa/schema.d/README
|
||
%attr(0644,root,root) %{_usr}/share/ipa/gssapi.login
|
||
%{_usr}/share/ipa/ipakrb5.aug
|
||
|
||
%files server-dns
|
||
%doc README.md Contributors.txt
|
||
%license COPYING
|
||
%config(noreplace) %{_sysconfdir}/sysconfig/ipa-dnskeysyncd
|
||
%config(noreplace) %{_sysconfdir}/sysconfig/ipa-ods-exporter
|
||
%dir %attr(0755,root,root) %{_sysconfdir}/ipa/dnssec
|
||
%{_libexecdir}/ipa/ipa-dnskeysyncd
|
||
%{_libexecdir}/ipa/ipa-dnskeysync-replica
|
||
%{_libexecdir}/ipa/ipa-ods-exporter
|
||
%{_sbindir}/ipa-dns-install
|
||
%{_mandir}/man1/ipa-dns-install.1*
|
||
%attr(644,root,root) %{_unitdir}/ipa-dnskeysyncd.service
|
||
%attr(644,root,root) %{_unitdir}/ipa-ods-exporter.socket
|
||
%attr(644,root,root) %{_unitdir}/ipa-ods-exporter.service
|
||
|
||
%files server-trust-ad
|
||
%doc README.md Contributors.txt
|
||
%license COPYING
|
||
%{_sbindir}/ipa-adtrust-install
|
||
%{_usr}/share/ipa/smb.conf.empty
|
||
%attr(755,root,root) %{_libdir}/samba/pdb/ipasam.so
|
||
%attr(755,root,root) %{plugin_dir}/libipa_cldap.so
|
||
%{_datadir}/ipa/ipa-cldap-conf.ldif
|
||
%{_mandir}/man1/ipa-adtrust-install.1*
|
||
%ghost %{_libdir}/krb5/plugins/libkrb5/winbind_krb5_locator.so
|
||
%{_sysconfdir}/dbus-1/system.d/oddjob-ipa-trust.conf
|
||
%{_sysconfdir}/oddjobd.conf.d/oddjobd-ipa-trust.conf
|
||
%attr(755,root,root) %{_libexecdir}/ipa/oddjob/com.redhat.idm.trust-fetch-domains
|
||
|
||
# ONLY_CLIENT
|
||
%endif
|
||
|
||
|
||
%files client
|
||
%doc README.md Contributors.txt
|
||
%license COPYING
|
||
%{_sbindir}/ipa-client-install
|
||
%{_sbindir}/ipa-client-automount
|
||
%{_sbindir}/ipa-certupdate
|
||
%{_sbindir}/ipa-getkeytab
|
||
%{_sbindir}/ipa-rmkeytab
|
||
%{_sbindir}/ipa-join
|
||
%{_bindir}/ipa
|
||
%config %{_sysconfdir}/bash_completion.d
|
||
%config %{_sysconfdir}/sysconfig/certmonger
|
||
%{_mandir}/man1/ipa.1*
|
||
%{_mandir}/man1/ipa-getkeytab.1*
|
||
%{_mandir}/man1/ipa-rmkeytab.1*
|
||
%{_mandir}/man1/ipa-client-install.1*
|
||
%{_mandir}/man1/ipa-client-automount.1*
|
||
%{_mandir}/man1/ipa-certupdate.1*
|
||
%{_mandir}/man1/ipa-join.1*
|
||
%dir %{_libexecdir}/ipa/acme
|
||
%{_libexecdir}/ipa/acme/certbot-dns-ipa
|
||
|
||
%files client-samba
|
||
%doc README.md Contributors.txt
|
||
%license COPYING
|
||
%{_sbindir}/ipa-client-samba
|
||
%{_mandir}/man1/ipa-client-samba.1*
|
||
|
||
|
||
%files client-epn
|
||
%doc README.md Contributors.txt
|
||
%dir %{_sysconfdir}/ipa/epn
|
||
%license COPYING
|
||
%{_sbindir}/ipa-epn
|
||
%{_mandir}/man1/ipa-epn.1*
|
||
%{_mandir}/man5/epn.conf.5*
|
||
%attr(644,root,root) %{_unitdir}/ipa-epn.service
|
||
%attr(644,root,root) %{_unitdir}/ipa-epn.timer
|
||
%attr(600,root,root) %config(noreplace) %{_sysconfdir}/ipa/epn.conf
|
||
%attr(644,root,root) %config(noreplace) %{_sysconfdir}/ipa/epn/expire_msg.template
|
||
|
||
%files -n python3-ipaclient
|
||
%doc README.md Contributors.txt
|
||
%license COPYING
|
||
%dir %{python3_sitelib}/ipaclient
|
||
%{python3_sitelib}/ipaclient/*.py
|
||
%{python3_sitelib}/ipaclient/__pycache__/*.py*
|
||
%dir %{python3_sitelib}/ipaclient/install
|
||
%{python3_sitelib}/ipaclient/install/*.py
|
||
%{python3_sitelib}/ipaclient/install/__pycache__/*.py*
|
||
%dir %{python3_sitelib}/ipaclient/plugins
|
||
%{python3_sitelib}/ipaclient/plugins/*.py
|
||
%{python3_sitelib}/ipaclient/plugins/__pycache__/*.py*
|
||
%dir %{python3_sitelib}/ipaclient/remote_plugins
|
||
%{python3_sitelib}/ipaclient/remote_plugins/*.py
|
||
%{python3_sitelib}/ipaclient/remote_plugins/__pycache__/*.py*
|
||
%dir %{python3_sitelib}/ipaclient/remote_plugins/2_*
|
||
%{python3_sitelib}/ipaclient/remote_plugins/2_*/*.py
|
||
%{python3_sitelib}/ipaclient/remote_plugins/2_*/__pycache__/*.py*
|
||
%{python3_sitelib}/ipaclient-*.egg-info
|
||
|
||
|
||
%files client-common
|
||
%doc README.md Contributors.txt
|
||
%license COPYING
|
||
%dir %attr(0755,root,root) %{_sysconfdir}/ipa/
|
||
%ghost %attr(0644,root,root) %config(noreplace) %{_sysconfdir}/ipa/default.conf
|
||
%ghost %attr(0644,root,root) %config(noreplace) %{_sysconfdir}/ipa/ca.crt
|
||
%dir %attr(0755,root,root) %{_sysconfdir}/ipa/nssdb
|
||
# old dbm format
|
||
%ghost %attr(644,root,root) %config(noreplace) %{_sysconfdir}/ipa/nssdb/cert8.db
|
||
%ghost %attr(644,root,root) %config(noreplace) %{_sysconfdir}/ipa/nssdb/key3.db
|
||
%ghost %attr(644,root,root) %config(noreplace) %{_sysconfdir}/ipa/nssdb/secmod.db
|
||
# new sql format
|
||
%ghost %attr(644,root,root) %config(noreplace) %{_sysconfdir}/ipa/nssdb/cert9.db
|
||
%ghost %attr(644,root,root) %config(noreplace) %{_sysconfdir}/ipa/nssdb/key4.db
|
||
%ghost %attr(644,root,root) %config(noreplace) %{_sysconfdir}/ipa/nssdb/pkcs11.txt
|
||
%ghost %attr(600,root,root) %config(noreplace) %{_sysconfdir}/ipa/nssdb/pwdfile.txt
|
||
%ghost %attr(644,root,root) %config(noreplace) %{_sysconfdir}/pki/ca-trust/source/ipa.p11-kit
|
||
%dir %{_localstatedir}/lib/ipa-client
|
||
%dir %{_localstatedir}/lib/ipa-client/pki
|
||
%dir %{_localstatedir}/lib/ipa-client/sysrestore
|
||
%{_mandir}/man5/default.conf.5*
|
||
%dir %{_usr}/share/ipa/client
|
||
%{_usr}/share/ipa/client/*.template
|
||
|
||
|
||
%files python-compat
|
||
%doc README.md Contributors.txt
|
||
%license COPYING
|
||
|
||
|
||
%files common -f %{gettext_domain}.lang
|
||
%doc README.md Contributors.txt
|
||
%license COPYING
|
||
%dir %{_usr}/share/ipa
|
||
%dir %{_libexecdir}/ipa
|
||
|
||
%files -n python3-ipalib
|
||
%doc README.md Contributors.txt
|
||
%license COPYING
|
||
|
||
%{python3_sitelib}/ipapython/
|
||
%{python3_sitelib}/ipalib/
|
||
%{python3_sitelib}/ipaplatform/
|
||
%{python3_sitelib}/ipapython-*.egg-info
|
||
%{python3_sitelib}/ipalib-*.egg-info
|
||
%{python3_sitelib}/ipaplatform-*.egg-info
|
||
|
||
|
||
%if %{with ipatests}
|
||
|
||
|
||
%files -n python3-ipatests
|
||
%doc README.md Contributors.txt
|
||
%license COPYING
|
||
%{python3_sitelib}/ipatests
|
||
%{python3_sitelib}/ipatests-*.egg-info
|
||
%{_bindir}/ipa-run-tests-3
|
||
%{_bindir}/ipa-test-config-3
|
||
%{_bindir}/ipa-test-task-3
|
||
%{_bindir}/ipa-run-tests-%{python3_version}
|
||
%{_bindir}/ipa-test-config-%{python3_version}
|
||
%{_bindir}/ipa-test-task-%{python3_version}
|
||
%{_bindir}/ipa-run-tests
|
||
%{_bindir}/ipa-test-config
|
||
%{_bindir}/ipa-test-task
|
||
%{_mandir}/man1/ipa-run-tests.1*
|
||
%{_mandir}/man1/ipa-test-config.1*
|
||
%{_mandir}/man1/ipa-test-task.1*
|
||
|
||
# with ipatests
|
||
%endif
|
||
|
||
|
||
%if %{with selinux}
|
||
%files selinux
|
||
%{_datadir}/selinux/packages/%{selinuxtype}/%{modulename}.pp.*
|
||
%ghost %{_sharedstatedir}/selinux/%{selinuxtype}/active/modules/200/%{modulename}
|
||
# with selinux
|
||
%endif
|
||
|
||
%changelog
|
||
* Tue Nov 26 2013 Petr Viktorin <pviktori@redhat.com> - @VERSION@-@VENDOR_SUFFIX@
|
||
- Remove changelog. The history is kept in Git, downstreams have own logs.
|
||
# note, this entry is here to placate tools that expect a non-empty changelog
|