[freeipa/f19] Update to upstream 3.2.0 GA
rcritten
rcritten at fedoraproject.org
Fri May 10 16:34:40 UTC 2013
commit 4b4cee1bb31322b24e89cd231ddf2ce1dc0d837a
Author: Rob Crittenden <rcritten at redhat.com>
Date: Fri May 10 11:58:46 2013 -0400
Update to upstream 3.2.0 GA
- ipa-client-install fails if /etc/ipa does not exist (#961483)
- Certificate status is not visible in Service and Host page (#956718)
- ipa-client-install removes needed options from ldap.conf (#953991)
- Handle socket.gethostbyaddr() exceptions when verifying hostnames
(#953957)
- Add triggerin scriptlet to support OpenSSH 6.2 (#953617)
- Require nss 3.14.3-12.0 to address certutil certificate import
errors (#953485)
- Require pki-ca 10.0.2-3 to pull in fix for sslget and mixed IPv4/6
environments. (#953464)
- ipa-client-install removes 'sss' from /etc/nsswitch.conf (#953453)
- ipa-server-install --uninstall doesn't stop dirsrv instances
(#953432)
- Add requires for openldap-2.4.35-4 to pickup fixed SASL_NOCANON
behavior for socket based connections (#960222)
- Require libsss_nss_idmap-python
- Add Conflicts on nss-pam-ldapd < 0.8.4. The mapping from uniqueMember
to member is now done automatically and having it in the config file
raises an error.
- Add backup and restore tools, directory.
- require at least systemd 38 which provides the journal (we no longer
need to require syslog.target)
- Update Requires on policycoreutils to 2.1.14-37
- Update Requires on selinux-policy to 3.12.1-42
- Update Requires on 389-ds-base to 1.3.1.0
- Remove a Requires for java-atk-wrapper
.gitignore | 1 +
freeipa.spec | 106 ++++++++++++++++++++++++++++++++++++++++++++++++----------
sources | 2 +-
3 files changed, 90 insertions(+), 19 deletions(-)
---
diff --git a/.gitignore b/.gitignore
index 8a2a37e..dee4e78 100644
--- a/.gitignore
+++ b/.gitignore
@@ -23,3 +23,4 @@
/freeipa-3.1.2.tar.gz
/freeipa-3.2.0.pre1.tar.gz
/freeipa-3.2.0.beta1.tar.gz
+/freeipa-3.2.0.tar.gz
diff --git a/freeipa.spec b/freeipa.spec
index 9ab7034..b9def08 100644
--- a/freeipa.spec
+++ b/freeipa.spec
@@ -2,13 +2,13 @@
%{!?ONLY_CLIENT:%global ONLY_CLIENT 0}
%global plugin_dir %{_libdir}/dirsrv/plugins
-%global POLICYCOREUTILSVER 2.1.12-5
+%global POLICYCOREUTILSVER 2.1.14-37
%global gettext_domain ipa
-%global VERSION 3.2.0.beta1
+%global VERSION 3.2.0
Name: freeipa
Version: 3.2.0
-Release: 0.4.beta1%{?dist}
+Release: 1%{?dist}
Summary: The Identity, Policy and Audit system
Group: System Environment/Base
@@ -18,7 +18,7 @@ Source0: http://www.freeipa.org/downloads/src/freeipa-%{VERSION}.tar.gz
BuildRoot: %{_tmppath}/%{name}-%{version}-%{release}-root-%(%{__id_u} -n)
%if ! %{ONLY_CLIENT}
-BuildRequires: 389-ds-base-devel >= 1.3.0
+BuildRequires: 389-ds-base-devel >= 1.3.1.0
BuildRequires: svrcore-devel
BuildRequires: /usr/share/selinux/devel/Makefile
BuildRequires: policycoreutils >= %{POLICYCOREUTILSVER}
@@ -94,10 +94,10 @@ Requires: %{name}-python = %{version}-%{release}
Requires: %{name}-client = %{version}-%{release}
Requires: %{name}-admintools = %{version}-%{release}
Requires: %{name}-server-selinux = %{version}-%{release}
-Requires: 389-ds-base >= 1.3.0.5
-Requires: openldap-clients
-Requires: nss
-Requires: nss-tools
+Requires: 389-ds-base >= 1.3.1.0
+Requires: openldap-clients > 2.4.35-4
+Requires: nss >= 3.14.3-12.0
+Requires: nss-tools >= 3.14.3-12.0
%if 0%{?krb5_dal_version} >= 4
Requires: krb5-server >= 1.11.2-1
%else
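Review bot: The new `Requires: openldap-clients > 2.4.35-4` uses a strict `>`, so the 2.4.35-4 build that the commit message names as carrying the SASL_NOCANON fix does not satisfy the dependency. If that build has the fix, the line should read `Requires: openldap-clients >= 2.4.35-4`. If the fix only arrived in a later build, the changelog entry should name that build instead. The neighbouring 389-ds-base, nss and nss-tools lines all use `>=`, so the operator looks unintentional.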
@@ -129,10 +129,10 @@ Requires: python-memcached
Requires: systemd-units >= 38
Requires(pre): systemd-units
Requires(post): systemd-units
-Requires: selinux-policy >= 3.11.1-86
+Requires: selinux-policy >= 3.12.1-42
Requires(post): selinux-policy-base
Requires: slapi-nis >= 0.44
-Requires: pki-ca >= 10.0.0-0.54.b3
+Requires: pki-ca >= 10.0.2-5
Requires: dogtag-pki-server-theme
%if 0%{?rhel}
Requires: subscription-manager
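Review bot: `Requires: pki-ca >= 10.0.2-5` disagrees with the commit message and the new changelog entry, which both say pki-ca 10.0.2-3 is the release that pulls in the sslget fix. One of the two is stale. If -5 really is the minimum, the changelog line should say so, for example `- Require pki-ca 10.0.2-5 to pull in fix for sslget and mixed IPv4/6 environments. (#953464)`, so that anyone backporting the fix picks the right floor. The `%if 0%{?rhel}` block that follows continues outside this hunk.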
@@ -145,10 +145,7 @@ Requires: zip
Requires: policycoreutils >= %{POLICYCOREUTILSVER}
Requires: tar
Requires(pre): certmonger >= 0.65
-Requires(pre): 389-ds-base >= 1.3.0.5
-
-# Temporary requires until dogtag fixes its dependencies
-Requires: java-atk-wrapper
+Requires(pre): 389-ds-base >= 1.3.1.0
# We have a soft-requires on bind. It is an optional part of
# IPA but if it is configured we need a way to require versions
@@ -160,6 +157,10 @@ Conflicts: bind-dyndb-ldap < 1.1.0-0.12.rc1
%endif
Conflicts: bind < 9.8.2-0.4.rc2
+# Versions of nss-pam-ldapd < 0.8.4 require a mapping from uniqueMember to
+# member.
+Conflicts: nss-pam-ldapd < 0.8.4
+
# mod_proxy provides a single API to communicate over SSL. If mod_ssl
# is even loaded into Apache then it grabs this interface.
Conflicts: mod_ssl
@@ -206,6 +207,7 @@ Requires: samba4
Requires: samba4-winbind
%endif
Requires: libsss_idmap
+Requires: libsss_nss_idmap-python
# We use alternatives to divert winbind_krb5_locator.so plugin to libkrb5
# on the installes where server-trust-ad subpackage is installed because
# IPA AD trusts cannot be used at the same time with the locator plugin
@@ -227,9 +229,9 @@ Requires(post): %{name}-server = %{version}-%{release}
Requires(postun): %{name}-server = %{version}-%{release}
# Specific requires
-Requires(pre): 389-ds-base = 1.3.0.5
+Requires(pre): 389-ds-base = 1.3.1.0
Requires: krb5-server = 1.11.2
-Requires: pki-ca = 10.0.1
+Requires: pki-ca = 10.0.2
%description server-strict
IPA is an integrated solution to provide centrally managed Identity (machine,
@@ -451,6 +453,9 @@ mkdir -p %{buildroot}%{_initrddir}
mkdir %{buildroot}%{_sysconfdir}/sysconfig/
install -m 644 init/ipa_memcached.conf %{buildroot}%{_sysconfdir}/sysconfig/ipa_memcached
+# Web UI plugin dir
+mkdir -p %{buildroot}%{_usr}/share/ipa/ui/js/plugins
+
# NOTE: systemd specific section
mkdir -p %{buildroot}%{_sysconfdir}/tmpfiles.d/
install -m 0644 init/systemd/ipa.conf.tmpfiles %{buildroot}%{_sysconfdir}/tmpfiles.d/ipa.conf
@@ -625,6 +630,42 @@ if [ $1 -gt 1 ] ; then
fi
fi
+%triggerin -n freeipa-client -- openssh-server
+# Has the client been configured?
+restore=0
+test -f '/var/lib/ipa-client/sysrestore/sysrestore.index' && restore=$(wc -l '/var/lib/ipa-client/sysrestore/sysrestore.index' | awk '{print $1}')
+
+if [ -f '/etc/ssh/sshd_config' -a $restore -ge 2 ]; then
+ if egrep -q '^(AuthorizedKeysCommand /usr/bin/sss_ssh_authorizedkeys|PubKeyAgent /usr/bin/sss_ssh_authorizedkeys %u)$' /etc/ssh/sshd_config 2>/dev/null; then
+ sed -r '
+ /^(AuthorizedKeysCommand(User|RunAs)|PubKeyAgentRunAs)[ \t]/ d
+ ' /etc/ssh/sshd_config >/etc/ssh/sshd_config.ipanew
+
+ if /usr/sbin/sshd -t -f /dev/null -o 'AuthorizedKeysCommand=/usr/bin/sss_ssh_authorizedkeys' -o 'AuthorizedKeysCommandUser=nobody'; then
+ sed -ri '
+ s/^PubKeyAgent (.+) %u$/AuthorizedKeysCommand \1/
+ s/^AuthorizedKeysCommand .*$/\0\nAuthorizedKeysCommandUser nobody/
+ ' /etc/ssh/sshd_config.ipanew
+ elif /usr/sbin/sshd -t -f /dev/null -o 'AuthorizedKeysCommand=/usr/bin/sss_ssh_authorizedkeys' -o 'AuthorizedKeysCommandRunAs=nobody'; then
+ sed -ri '
+ s/^PubKeyAgent (.+) %u$/AuthorizedKeysCommand \1/
+ s/^AuthorizedKeysCommand .*$/\0\nAuthorizedKeysCommandRunAs nobody/
+ ' /etc/ssh/sshd_config.ipanew
+ elif /usr/sbin/sshd -t -f /dev/null -o 'PubKeyAgent=/usr/bin/sss_ssh_authorizedkeys %u' -o 'PubKeyAgentRunAs=nobody'; then
+ sed -ri '
+ s/^AuthorizedKeysCommand (.+)$/PubKeyAgent \1 %u/
+ s/^PubKeyAgent .*$/\0\nPubKeyAgentRunAs nobody/
+ ' /etc/ssh/sshd_config.ipanew
+ fi
+
+ mv /etc/ssh/sshd_config.ipanew /etc/ssh/sshd_config
+ /sbin/restorecon /etc/ssh/sshd_config
+ chmod 600 /etc/ssh/sshd_config
+
+ /bin/systemctl condrestart sshd.service 2>&1 || :
+ fi
+fi
+
%if ! %{ONLY_CLIENT}
%files server -f server-python.list
%defattr(-,root,root,-)
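Review bot: The `%triggerin` scriptlet moves `/etc/ssh/sshd_config.ipanew` over `/etc/ssh/sshd_config` unconditionally, because neither the exit status of the first `sed` nor the outcome of the three `sshd -t` probes gates the `mv`. If that `sed` fails part-way, the live configuration is replaced by a truncated or empty file, and sshd would presumably come back on its built-in defaults after the `condrestart`. If no probe matches, the User/RunAs line has been stripped and nothing is put back. The new file is also created under the scriptlet's umask and only tightened to 600 once it is already in place. I would fail closed as sketched below: set the mode on the temporary file, validate it with `sshd -t -f`, and replace the original only on success. Since `sshd -t` also checks host keys, this needs confirming on hosts where keys have not been generated yet.

```spec
    # … unchanged: egrep guard on the existing AuthorizedKeysCommand / PubKeyAgent line …
    sed -r '
        /^(AuthorizedKeysCommand(User|RunAs)|PubKeyAgentRunAs)[ \t]/ d
    ' /etc/ssh/sshd_config >/etc/ssh/sshd_config.ipanew || { rm -f /etc/ssh/sshd_config.ipanew; exit 0; }

    # … unchanged: the three sshd -t probes and their sed -ri rewrites …

    chmod 600 /etc/ssh/sshd_config.ipanew
    if /usr/sbin/sshd -t -f /etc/ssh/sshd_config.ipanew; then
        mv /etc/ssh/sshd_config.ipanew /etc/ssh/sshd_config
        /sbin/restorecon /etc/ssh/sshd_config
        /bin/systemctl condrestart sshd.service 2>&1 || :
    else
        # Keep the working configuration rather than install one sshd rejects.
        rm -f /etc/ssh/sshd_config.ipanew
    fi
```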
@@ -707,17 +748,18 @@ fi
%{_usr}/share/ipa/ui/*.svg
%{_usr}/share/ipa/ui/*.ttf
%{_usr}/share/ipa/ui/*.woff
-%dir %{_usr}/share/ipa/ui/ext
-%config(noreplace) %{_usr}/share/ipa/ui/ext/extension.js
%dir %{_usr}/share/ipa/ui/js/dojo
%{_usr}/share/ipa/ui/js/dojo/dojo.js
%dir %{_usr}/share/ipa/ui/js/libs
%{_usr}/share/ipa/ui/js/libs/*.js
%dir %{_usr}/share/ipa/ui/js/freeipa
%{_usr}/share/ipa/ui/js/freeipa/app.js
+%dir %{_usr}/share/ipa/ui/js/plugins
%dir %{_usr}/share/ipa/ui/images
%{_usr}/share/ipa/ui/images/*.png
%{_usr}/share/ipa/ui/images/*.gif
+%dir %{_usr}/share/ipa/wsgi
+%{_usr}/share/ipa/wsgi/plugins.py*
%dir %{_sysconfdir}/ipa
%dir %{_sysconfdir}/ipa/html
%config(noreplace) %{_sysconfdir}/ipa/html/ffconfig.js
@@ -859,10 +901,38 @@ fi
%{python_sitelib}/ipapython-*.egg-info
%{python_sitelib}/freeipa-*.egg-info
%{python_sitearch}/python_default_encoding-*.egg-info
+%dir %attr(0755,root,root) %{_sysconfdir}/ipa/
%ghost %attr(0644,root,apache) %config(noreplace) %{_sysconfdir}/ipa/default.conf
%ghost %attr(0644,root,apache) %config(noreplace) %{_sysconfdir}/ipa/ca.crt
%changelog
+* Fri May 10 2013 Rob Crittenden <rcritten at redhat.com> - 3.2.0-1
+- Update to upstream 3.2.0 GA
+- ipa-client-install fails if /etc/ipa does not exist (#961483)
+- Certificate status is not visible in Service and Host page (#956718)
+- ipa-client-install removes needed options from ldap.conf (#953991)
+- Handle socket.gethostbyaddr() exceptions when verifying hostnames (#953957)
+- Add triggerin scriptlet to support OpenSSH 6.2 (#953617)
+- Require nss 3.14.3-12.0 to address certutil certificate import
+ errors (#953485)
+- Require pki-ca 10.0.2-3 to pull in fix for sslget and mixed IPv4/6
+ environments. (#953464)
+- ipa-client-install removes 'sss' from /etc/nsswitch.conf (#953453)
+- ipa-server-install --uninstall doesn't stop dirsrv instances (#953432)
+- Add requires for openldap-2.4.35-4 to pickup fixed SASL_NOCANON behavior for
+ socket based connections (#960222)
+- Require libsss_nss_idmap-python
+- Add Conflicts on nss-pam-ldapd < 0.8.4. The mapping from uniqueMember to
+ member is now done automatically and having it in the config file raises
+ an error.
+- Add backup and restore tools, directory.
+- require at least systemd 38 which provides the journal (we no longer
+ need to require syslog.target)
+- Update Requires on policycoreutils to 2.1.14-37
+- Update Requires on selinux-policy to 3.12.1-42
+- Update Requires on 389-ds-base to 1.3.1.0
+- Remove a Requires for java-atk-wrapper
+
* Tue Apr 23 2013 Rob Crittenden <rcritten at redhat.com> - 3.2.0-0.4.beta1
- Remove release from krb5-server in strict sub-package to allow for rebuilds.
diff --git a/sources b/sources
index c0328ce..3eb0015 100644
--- a/sources
+++ b/sources
@@ -1 +1 @@
-fb2ec5e9c744f8177cb3cd40c4063bf5 freeipa-3.2.0.beta1.tar.gz
+e1ce2b1957e4248212de9ac3e95057f9 freeipa-3.2.0.tar.gz