[freeipa/f19] Update to upstream 3.2.0 GA

rcritten rcritten at fedoraproject.org
Fri May 10 16:34:40 UTC 2013


commit 4b4cee1bb31322b24e89cd231ddf2ce1dc0d837a
Author: Rob Crittenden <rcritten at redhat.com>
Date:   Fri May 10 11:58:46 2013 -0400

    Update to upstream 3.2.0 GA
    
    - ipa-client-install fails if /etc/ipa does not exist (#961483)
    - Certificate status is not visible in Service and Host page (#956718)
    - ipa-client-install removes needed options from ldap.conf (#953991)
    - Handle socket.gethostbyaddr() exceptions when verifying hostnames
      (#953957)
    - Add triggerin scriptlet to support OpenSSH 6.2 (#953617)
    - Require nss 3.14.3-12.0 to address certutil certificate import
      errors (#953485)
    - Require pki-ca 10.0.2-3 to pull in fix for sslget and mixed IPv4/6
      environments. (#953464)
    - ipa-client-install removes 'sss' from /etc/nsswitch.conf (#953453)
    - ipa-server-install --uninstall doesn't stop dirsrv instances
      (#953432)
    - Add requires for openldap-2.4.35-4 to pick up the fixed SASL_NOCANON
      behavior for socket-based connections (#960222)
    - Require libsss_nss_idmap-python
    - Add Conflicts on nss-pam-ldapd < 0.8.4. The mapping from uniqueMember
      to member is now done automatically and having it in the config file
      raises an error.
    - Add backup and restore tools, directory.
    - require at least systemd 38 which provides the journal (we no longer
      need to require syslog.target)
    - Update Requires on policycoreutils to 2.1.14-37
    - Update Requires on selinux-policy to 3.12.1-42
    - Update Requires on 389-ds-base to 1.3.1.0
    - Remove a Requires for java-atk-wrapper

 .gitignore   |    1 +
 freeipa.spec |  106 ++++++++++++++++++++++++++++++++++++++++++++++++----------
 sources      |    2 +-
 3 files changed, 90 insertions(+), 19 deletions(-)
---
diff --git a/.gitignore b/.gitignore
index 8a2a37e..dee4e78 100644
--- a/.gitignore
+++ b/.gitignore
@@ -23,3 +23,4 @@
 /freeipa-3.1.2.tar.gz
 /freeipa-3.2.0.pre1.tar.gz
 /freeipa-3.2.0.beta1.tar.gz
+/freeipa-3.2.0.tar.gz
diff --git a/freeipa.spec b/freeipa.spec
index 9ab7034..b9def08 100644
--- a/freeipa.spec
+++ b/freeipa.spec
@@ -2,13 +2,13 @@
 %{!?ONLY_CLIENT:%global ONLY_CLIENT 0}
 
 %global plugin_dir %{_libdir}/dirsrv/plugins
-%global POLICYCOREUTILSVER 2.1.12-5
+%global POLICYCOREUTILSVER 2.1.14-37
 %global gettext_domain ipa
-%global VERSION 3.2.0.beta1
+%global VERSION 3.2.0
 
 Name:           freeipa
 Version:        3.2.0
-Release:        0.4.beta1%{?dist}
+Release:        1%{?dist}
 Summary:        The Identity, Policy and Audit system
 
 Group:          System Environment/Base
@@ -18,7 +18,7 @@ Source0:        http://www.freeipa.org/downloads/src/freeipa-%{VERSION}.tar.gz
 BuildRoot:      %{_tmppath}/%{name}-%{version}-%{release}-root-%(%{__id_u} -n)
 
 %if ! %{ONLY_CLIENT}
-BuildRequires:  389-ds-base-devel >= 1.3.0
+BuildRequires:  389-ds-base-devel >= 1.3.1.0
 BuildRequires:  svrcore-devel
 BuildRequires:  /usr/share/selinux/devel/Makefile
 BuildRequires:  policycoreutils >= %{POLICYCOREUTILSVER}
@@ -94,10 +94,10 @@ Requires: %{name}-python = %{version}-%{release}
 Requires: %{name}-client = %{version}-%{release}
 Requires: %{name}-admintools = %{version}-%{release}
 Requires: %{name}-server-selinux = %{version}-%{release}
-Requires: 389-ds-base >= 1.3.0.5
-Requires: openldap-clients
-Requires: nss
-Requires: nss-tools
+Requires: 389-ds-base >= 1.3.1.0
+Requires: openldap-clients > 2.4.35-4
+Requires: nss >= 3.14.3-12.0
+Requires: nss-tools >= 3.14.3-12.0
 %if 0%{?krb5_dal_version} >= 4
 Requires: krb5-server >= 1.11.2-1
 %else
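Review bot: `Requires: openldap-clients > 2.4.35-4` uses a strict greater-than, so the 2.4.35-4 build that the changelog names as carrying the SASL_NOCANON fix does not satisfy it. If that build is the one with the fix, the line should read `Requires: openldap-clients >= 2.4.35-4`. The same kind of mismatch appears in the later hunk that sets `Requires: pki-ca >= 10.0.2-5` while the changelog says 10.0.2-3. In both places the spec or the changelog should be corrected so the documented minimum is the one that is actually enforced.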
@@ -129,10 +129,10 @@ Requires: python-memcached
 Requires: systemd-units >= 38
 Requires(pre): systemd-units
 Requires(post): systemd-units
-Requires: selinux-policy >= 3.11.1-86
+Requires: selinux-policy >= 3.12.1-42
 Requires(post): selinux-policy-base
 Requires: slapi-nis >= 0.44
-Requires: pki-ca >= 10.0.0-0.54.b3
+Requires: pki-ca >= 10.0.2-5
 Requires: dogtag-pki-server-theme
 %if 0%{?rhel}
 Requires: subscription-manager
@@ -145,10 +145,7 @@ Requires: zip
 Requires: policycoreutils >= %{POLICYCOREUTILSVER}
 Requires: tar
 Requires(pre): certmonger >= 0.65
-Requires(pre): 389-ds-base >= 1.3.0.5
-
-# Temporary requires until dogtag fixes its dependencies
-Requires: java-atk-wrapper
+Requires(pre): 389-ds-base >= 1.3.1.0
 
 # We have a soft-requires on bind. It is an optional part of
 # IPA but if it is configured we need a way to require versions
@@ -160,6 +157,10 @@ Conflicts: bind-dyndb-ldap < 1.1.0-0.12.rc1
 %endif
 Conflicts: bind < 9.8.2-0.4.rc2
 
+# Versions of nss-pam-ldapd < 0.8.4 require a mapping from uniqueMember to
+# member.
+Conflicts: nss-pam-ldapd < 0.8.4
+
 # mod_proxy provides a single API to communicate over SSL. If mod_ssl
 # is even loaded into Apache then it grabs this interface.
 Conflicts: mod_ssl
@@ -206,6 +207,7 @@ Requires: samba4
 Requires: samba4-winbind
 %endif
 Requires: libsss_idmap
+Requires: libsss_nss_idmap-python
 # We use alternatives to divert winbind_krb5_locator.so plugin to libkrb5
 # on the installes where server-trust-ad subpackage is installed because
 # IPA AD trusts cannot be used at the same time with the locator plugin
@@ -227,9 +229,9 @@ Requires(post): %{name}-server = %{version}-%{release}
 Requires(postun): %{name}-server = %{version}-%{release}
 
 # Specific requires
-Requires(pre): 389-ds-base = 1.3.0.5
+Requires(pre): 389-ds-base = 1.3.1.0
 Requires: krb5-server = 1.11.2
-Requires: pki-ca = 10.0.1
+Requires: pki-ca = 10.0.2
 
 %description server-strict
 IPA is an integrated solution to provide centrally managed Identity (machine,
@@ -451,6 +453,9 @@ mkdir -p %{buildroot}%{_initrddir}
 mkdir %{buildroot}%{_sysconfdir}/sysconfig/
 install -m 644 init/ipa_memcached.conf %{buildroot}%{_sysconfdir}/sysconfig/ipa_memcached
 
+# Web UI plugin dir
+mkdir -p %{buildroot}%{_usr}/share/ipa/ui/js/plugins
+
 # NOTE: systemd specific section
 mkdir -p %{buildroot}%{_sysconfdir}/tmpfiles.d/
 install -m 0644 init/systemd/ipa.conf.tmpfiles %{buildroot}%{_sysconfdir}/tmpfiles.d/ipa.conf
@@ -625,6 +630,42 @@ if [ $1 -gt 1 ] ; then
     fi
 fi
 
+%triggerin -n freeipa-client -- openssh-server
+# Has the client been configured?
+restore=0
+test -f '/var/lib/ipa-client/sysrestore/sysrestore.index' && restore=$(wc -l '/var/lib/ipa-client/sysrestore/sysrestore.index' | awk '{print $1}')
+
+if [ -f '/etc/ssh/sshd_config' -a $restore -ge 2 ]; then
+    if egrep -q '^(AuthorizedKeysCommand /usr/bin/sss_ssh_authorizedkeys|PubKeyAgent /usr/bin/sss_ssh_authorizedkeys %u)$' /etc/ssh/sshd_config 2>/dev/null; then
+        sed -r '
+            /^(AuthorizedKeysCommand(User|RunAs)|PubKeyAgentRunAs)[ \t]/ d
+        ' /etc/ssh/sshd_config >/etc/ssh/sshd_config.ipanew
+
+        if /usr/sbin/sshd -t -f /dev/null -o 'AuthorizedKeysCommand=/usr/bin/sss_ssh_authorizedkeys' -o 'AuthorizedKeysCommandUser=nobody'; then
+            sed -ri '
+                s/^PubKeyAgent (.+) %u$/AuthorizedKeysCommand \1/
+                s/^AuthorizedKeysCommand .*$/\0\nAuthorizedKeysCommandUser nobody/
+            ' /etc/ssh/sshd_config.ipanew
+        elif /usr/sbin/sshd -t -f /dev/null -o 'AuthorizedKeysCommand=/usr/bin/sss_ssh_authorizedkeys' -o 'AuthorizedKeysCommandRunAs=nobody'; then
+            sed -ri '
+                s/^PubKeyAgent (.+) %u$/AuthorizedKeysCommand \1/
+                s/^AuthorizedKeysCommand .*$/\0\nAuthorizedKeysCommandRunAs nobody/
+            ' /etc/ssh/sshd_config.ipanew
+        elif /usr/sbin/sshd -t -f /dev/null -o 'PubKeyAgent=/usr/bin/sss_ssh_authorizedkeys %u' -o 'PubKeyAgentRunAs=nobody'; then
+            sed -ri '
+                s/^AuthorizedKeysCommand (.+)$/PubKeyAgent \1 %u/
+                s/^PubKeyAgent .*$/\0\nPubKeyAgentRunAs nobody/
+            ' /etc/ssh/sshd_config.ipanew
+        fi
+
+        mv /etc/ssh/sshd_config.ipanew /etc/ssh/sshd_config
+        /sbin/restorecon /etc/ssh/sshd_config
+        chmod 600 /etc/ssh/sshd_config
+
+        /bin/systemctl condrestart sshd.service 2>&1 || :
+    fi
+fi
+
 %if ! %{ONLY_CLIENT}
 %files server -f server-python.list
 %defattr(-,root,root,-)
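Review bot: The `%triggerin` scriptlet moves `/etc/ssh/sshd_config.ipanew` over the live `sshd_config` without checking that the first `sed` succeeded or that the result still parses, so a failed or partial write (a full filesystem, for example) would replace the administrator's sshd settings with a truncated file and then `condrestart` sshd on it. If none of the three `sshd -t` probes succeeds, the `AuthorizedKeysCommandUser`/`RunAs` line has already been deleted and nothing is put back, which is another case where the replacement should be skipped. I would guard the `mv` with `if [ -s /etc/ssh/sshd_config.ipanew ] && /usr/sbin/sshd -t -f /etc/ssh/sshd_config.ipanew; then` and `rm -f` the temporary file in the else branch. The new file is also created under the scriptlet's umask (presumably wider than 0600) and only tightened after the `mv`; running `chmod 600 /etc/ssh/sshd_config.ipanew` before the `mv` closes that window.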
@@ -707,17 +748,18 @@ fi
 %{_usr}/share/ipa/ui/*.svg
 %{_usr}/share/ipa/ui/*.ttf
 %{_usr}/share/ipa/ui/*.woff
-%dir %{_usr}/share/ipa/ui/ext
-%config(noreplace) %{_usr}/share/ipa/ui/ext/extension.js
 %dir %{_usr}/share/ipa/ui/js/dojo
 %{_usr}/share/ipa/ui/js/dojo/dojo.js
 %dir %{_usr}/share/ipa/ui/js/libs
 %{_usr}/share/ipa/ui/js/libs/*.js
 %dir %{_usr}/share/ipa/ui/js/freeipa
 %{_usr}/share/ipa/ui/js/freeipa/app.js
+%dir %{_usr}/share/ipa/ui/js/plugins
 %dir %{_usr}/share/ipa/ui/images
 %{_usr}/share/ipa/ui/images/*.png
 %{_usr}/share/ipa/ui/images/*.gif
+%dir %{_usr}/share/ipa/wsgi
+%{_usr}/share/ipa/wsgi/plugins.py*
 %dir %{_sysconfdir}/ipa
 %dir %{_sysconfdir}/ipa/html
 %config(noreplace) %{_sysconfdir}/ipa/html/ffconfig.js
@@ -859,10 +901,38 @@ fi
 %{python_sitelib}/ipapython-*.egg-info
 %{python_sitelib}/freeipa-*.egg-info
 %{python_sitearch}/python_default_encoding-*.egg-info
+%dir %attr(0755,root,root) %{_sysconfdir}/ipa/
 %ghost %attr(0644,root,apache) %config(noreplace) %{_sysconfdir}/ipa/default.conf
 %ghost %attr(0644,root,apache) %config(noreplace) %{_sysconfdir}/ipa/ca.crt
 
 %changelog
+* Fri May 10 2013 Rob Crittenden <rcritten at redhat.com> - 3.2.0-1
+- Update to upstream 3.2.0 GA
+- ipa-client-install fails if /etc/ipa does not exist (#961483)
+- Certificate status is not visible in Service and Host page (#956718)
+- ipa-client-install removes needed options from ldap.conf (#953991)
+- Handle socket.gethostbyaddr() exceptions when verifying hostnames (#953957)
+- Add triggerin scriptlet to support OpenSSH 6.2 (#953617)
+- Require nss 3.14.3-12.0 to address certutil certificate import
+  errors (#953485)
+- Require pki-ca 10.0.2-3 to pull in fix for sslget and mixed IPv4/6
+  environments. (#953464)
+- ipa-client-install removes 'sss' from /etc/nsswitch.conf (#953453)
+- ipa-server-install --uninstall doesn't stop dirsrv instances (#953432)
+- Add requires for openldap-2.4.35-4 to pickup fixed SASL_NOCANON behavior for
+  socket based connections (#960222)
+- Require libsss_nss_idmap-python
+- Add Conflicts on nss-pam-ldapd < 0.8.4. The mapping from uniqueMember to
+  member is now done automatically and having it in the config file raises
+  an error.
+- Add backup and restore tools, directory.
+- require at least systemd 38 which provides the journal (we no longer
+  need to require syslog.target)
+- Update Requires on policycoreutils to 2.1.14-37
+- Update Requires on selinux-policy to 3.12.1-42
+- Update Requires on 389-ds-base to 1.3.1.0
+- Remove a Requires for java-atk-wrapper
+
 * Tue Apr 23 2013 Rob Crittenden <rcritten at redhat.com> - 3.2.0-0.4.beta1
 - Remove release from krb5-server in strict sub-package to allow for rebuilds.
 
diff --git a/sources b/sources
index c0328ce..3eb0015 100644
--- a/sources
+++ b/sources
@@ -1 +1 @@
-fb2ec5e9c744f8177cb3cd40c4063bf5  freeipa-3.2.0.beta1.tar.gz
+e1ce2b1957e4248212de9ac3e95057f9  freeipa-3.2.0.tar.gz

