[freeipa] 3.3.4-1
Martin Kosek
mkosek at fedoraproject.org
Tue Jan 28 12:47:02 UTC 2014
commit 9d212321517c099446862dc86dc9c6063d059605
Author: Martin Kosek <mkosek at redhat.com>
Date: Tue Jan 28 13:37:46 2014 +0100
3.3.4-1
- Update to upstream 3.3.4
- Install CA anchor into standard location (#928478)
- ipa-client-install part of ipa-server-install fails on reinstall (#1044994)
- Remove mod_ssl workaround (RHEL bug #1029046)
- Enable syncrepl plugin to support bind-dyndb-ldap 4.0
.gitignore | 1 +
0001-platform-Add-Fedora-19-platform-file.patch | 156 +++++++++++++++++
...install-Publish-CA-certificate-to-systemw.patch | 178 ++++++++++++++++++++
0003-Add-runas-option-to-run-function.patch | 106 ++++++++++++
0004-Switch-httpd-to-use-default-CCACHE.patch | 84 +++++++++
0005-httpd-should-destroy-all-CCACHEs.patch | 30 ++++
...o-Changelog-and-Content-Synchronization-D.patch | 124 ++++++++++++++
...rOf-and-refInt-DS-plugins-to-main-IPA-suf.patch | 73 ++++++++
...king-directory-for-bind-dyndb-ldap-plugin.patch | 93 ++++++++++
0009-Remove-mod_ssl-port-workaround.patch | 98 +++++++++++
freeipa.spec | 54 +++++-
sources | 2 +-
12 files changed, 988 insertions(+), 11 deletions(-)
---
diff --git a/.gitignore b/.gitignore
index b529335..8f58a9c 100644
--- a/.gitignore
+++ b/.gitignore
@@ -27,3 +27,4 @@
/freeipa-3.3.0.tar.gz
/freeipa-3.3.1.tar.gz
/freeipa-3.3.3.tar.gz
+/freeipa-3.3.4.tar.gz
diff --git a/0001-platform-Add-Fedora-19-platform-file.patch b/0001-platform-Add-Fedora-19-platform-file.patch
new file mode 100644
index 0000000..c849b54
--- /dev/null
+++ b/0001-platform-Add-Fedora-19-platform-file.patch
@@ -0,0 +1,156 @@
+From 2a98701ea1745394b717c3f4be4e0e376ab1d658 Mon Sep 17 00:00:00 2001
+From: Tomas Babej <tomasbabej at gmail.com>
+Date: Mon, 11 Nov 2013 13:02:40 +0100
+Subject: [PATCH 1/9] platform: Add Fedora 19 platform file
+
+Part of: https://fedorahosted.org/freeipa/ticket/3504
+---
+ freeipa.spec.in | 15 ++++++++-
+ ipapython/platform/fedora19/__init__.py | 55 +++++++++++++++++++++++++++++++++
+ ipapython/setup.py.in | 1 +
+ 3 files changed, 70 insertions(+), 1 deletion(-)
+ create mode 100644 ipapython/platform/fedora19/__init__.py
+
+diff --git a/freeipa.spec.in b/freeipa.spec.in
+index 138390ed729ac561504e41b44bb0e2c9041e7b94..8fd0a368ed02cfad120db6283e3899027d467bfc 100644
+--- a/freeipa.spec.in
++++ b/freeipa.spec.in
+@@ -326,6 +326,9 @@ export JAVA_STACK_SIZE="8m"
+ %endif
+ export CFLAGS="$CFLAGS %{optflags}"
+ export CPPFLAGS="$CPPFLAGS %{optflags}"
++%if 0%{?fedora} >= 19
++export SUPPORTED_PLATFORM=fedora19
++%else
+ %if 0%{?fedora} >= 18
+ # use fedora18 platform which is based on fedora16 platform with systemd
+ # support + fedora18 changes
+@@ -333,6 +336,7 @@ export SUPPORTED_PLATFORM=fedora18
+ %else
+ export SUPPORTED_PLATFORM=fedora16
+ %endif
++%endif
+ # Force re-generate of platform support
+ rm -f ipapython/services.py
+ make version-update
+@@ -350,6 +354,9 @@ make IPA_VERSION_IS_GIT_SNAPSHOT=no %{?_smp_mflags} client
+
+ %install
+ rm -rf %{buildroot}
++%if 0%{?fedora} >= 19
++export SUPPORTED_PLATFORM=fedora19
++%else
+ %if 0%{?fedora} >= 18
+ # use fedora18 platform which is based on fedora16 platform with systemd
+ # support + fedora18 changes
+@@ -357,6 +364,7 @@ export SUPPORTED_PLATFORM=fedora18
+ %else
+ export SUPPORTED_PLATFORM=fedora16
+ %endif
++%endif
+ # Force re-generate of platform support
+ rm -f ipapython/services.py
+ %if ! %{ONLY_CLIENT}
+@@ -810,12 +818,14 @@ fi
+ %dir %{python_sitelib}/ipapython/platform/base
+ %dir %{python_sitelib}/ipapython/platform/fedora16
+ %dir %{python_sitelib}/ipapython/platform/fedora18
++%dir %{python_sitelib}/ipapython/platform/fedora19
+ %dir %{python_sitelib}/ipapython/platform/redhat
+ %{python_sitelib}/ipapython/*.py*
+ %{python_sitelib}/ipapython/platform/*.py*
+ %{python_sitelib}/ipapython/platform/base/*.py*
+ %{python_sitelib}/ipapython/platform/fedora16/*.py*
+ %{python_sitelib}/ipapython/platform/fedora18/*.py*
++%{python_sitelib}/ipapython/platform/fedora19/*.py*
+ %{python_sitelib}/ipapython/platform/redhat/*.py*
+ %dir %{python_sitelib}/ipalib
+ %{python_sitelib}/ipalib/*
+@@ -851,7 +861,10 @@ fi
+ %endif # ONLY_CLIENT
+
+ %changelog
+-* Fri Oct 25 2013 Martin Kosek <mkosek at redhat.com> - 3.3.2-1
++* Tue Nov 12 2013 Tomas Babej<tbabej at redhat.com> - 3.3.90-5
++- Add Fedora 19 platform files
++
++* Fri Oct 25 2013 Martin Kosek <mkosek at redhat.com> - 3.3.90-4
+ - Remove mod_ssl conflict, it can now live with mod_nss installed
+
+ * Wed Sep 4 2013 Ana Krivokapic <akrivoka at redhat.com> - 3.3.0-3
+diff --git a/ipapython/platform/fedora19/__init__.py b/ipapython/platform/fedora19/__init__.py
+new file mode 100644
+index 0000000000000000000000000000000000000000..80356d65f4d07483000d57e16b193a857d0988ca
+--- /dev/null
++++ b/ipapython/platform/fedora19/__init__.py
+@@ -0,0 +1,55 @@
++# Author: Tomas Babej <tbabej at redhat.com>
++#
++# Copyright (C) 2013 Red Hat
++# see file 'COPYING' for use and warranty information
++#
++# This program is free software; you can redistribute it and/or modify
++# it under the terms of the GNU General Public License as published by
++# the Free Software Foundation, either version 3 of the License, or
++# (at your option) any later version.
++#
++# This program is distributed in the hope that it will be useful,
++# but WITHOUT ANY WARRANTY; without even the implied warranty of
++# MERCHANTABILITY or FITNESS FOR A PARTICULAR PURPOSE. See the
++# GNU General Public License for more details.
++#
++# You should have received a copy of the GNU General Public License
++# along with this program. If not, see <http://www.gnu.org/licenses/>.
++#
++
++from ipapython.platform import fedora18, base
++
++# All what we allow exporting directly from this module
++
++# Everything else is made available through these symbols when they are
++# directly imported into ipapython.services:
++
++# authconfig -- class reference for platform-specific implementation of
++# authconfig(8)
++# service -- class reference for platform-specific implementation of a
++# PlatformService class
++# knownservices -- factory instance to access named services IPA cares about,
++# names are ipapython.services.wellknownservices
++# backup_and_replace_hostname -- platform-specific way to set hostname and
++# make it persistent over reboots
++# restore_network_configuration -- platform-specific way of restoring network
++# configuration (e.g. static hostname)
++# restore_context -- platform-sepcific way to restore security context, if
++# applicable
++# check_selinux_status -- platform-specific way to see if SELinux is enabled
++# and restorecon is installed.
++
++__all__ = ['authconfig', 'service', 'knownservices',
++ 'backup_and_replace_hostname', 'restore_context', 'check_selinux_status',
++ 'restore_network_configuration', 'timedate_services']
++
++# Just copy a referential list of timedate services
++timedate_services = list(base.timedate_services)
++
++backup_and_replace_hostname = fedora18.backup_and_replace_hostname
++restore_network_configuration = fedora18.restore_network_configuration
++authconfig = fedora18.authconfig
++service = fedora18.service
++knownservices = fedora18.knownservices
++restore_context = fedora18.restore_context
++check_selinux_status = fedora18.check_selinux_status
+diff --git a/ipapython/setup.py.in b/ipapython/setup.py.in
+index d3bbcaf1e46528d50731ca18a96a3384f6b49548..108c95d0ccb74e1cec5167759243f428f4ecf21a 100644
+--- a/ipapython/setup.py.in
++++ b/ipapython/setup.py.in
+@@ -70,6 +70,7 @@ def setup_package():
+ "ipapython.platform.base",
+ "ipapython.platform.fedora16",
+ "ipapython.platform.fedora18",
++ "ipapython.platform.fedora19",
+ "ipapython.platform.redhat" ],
+ )
+ finally:
+--
+1.8.5.3
+
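Review bot: `timedate_services` is exported through `__all__` in the new `ipapython/platform/fedora19/__init__.py`, but the comment block above it, which describes every other exported symbol, does not list it. I would add `# timedate_services -- copy of the referential list base.timedate_services` to that block and correct "platform-sepcific" to "platform-specific" in the `restore_context` entry. The module also has no docstring; one line saying that this platform reuses the fedora18 implementations would explain why every name is a plain alias.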
diff --git a/0002-ipa-client-install-Publish-CA-certificate-to-systemw.patch b/0002-ipa-client-install-Publish-CA-certificate-to-systemw.patch
new file mode 100644
index 0000000..2fdef0e
--- /dev/null
+++ b/0002-ipa-client-install-Publish-CA-certificate-to-systemw.patch
@@ -0,0 +1,178 @@
+From eb81f2cf7e0bde6879952d7256bbdfeb3b5c798b Mon Sep 17 00:00:00 2001
+From: Tomas Babej <tbabej at redhat.com>
+Date: Tue, 24 Sep 2013 10:54:57 +0200
+Subject: [PATCH 2/9] ipa-client-install: Publish CA certificate to systemwide
+ store
+
+During the installation, copy the CA certificate to the systemwide
+store (/etc/pki/ca-trust/source/anchors/ipa-ca.crt) and update the
+systemwide CA database.
+
+This allows browsers to access IPA WebUI without warning out of the
+box.
+
+https://fedorahosted.org/freeipa/ticket/3504
+---
+ ipa-client/ipa-install/ipa-client-install | 13 +++++-
+ ipapython/platform/fedora19/__init__.py | 67 ++++++++++++++++++++++++++++++-
+ ipapython/services.py.in | 11 ++++-
+ 3 files changed, 88 insertions(+), 3 deletions(-)
+
+diff --git a/ipa-client/ipa-install/ipa-client-install b/ipa-client/ipa-install/ipa-client-install
+index afed54e5ddbf5ed985b637f20ac61d8ab1632364..23cd9a0babcb600134d87224f0c32ad9ca8845b5 100755
+--- a/ipa-client/ipa-install/ipa-client-install
++++ b/ipa-client/ipa-install/ipa-client-install
+@@ -651,6 +651,9 @@ def uninstall(options, env):
+ root_logger.warning('Please remove /etc/ipa/default.conf manually, '
+ 'as it can cause subsequent installation to fail.')
+
++ # Remove the CA cert from the systemwide certificate store
++ ipaservices.remove_ca_cert_from_systemwide_ca_store(CACERT)
++
+ # Remove the CA cert
+ try:
+ os.remove(CACERT)
+@@ -2293,12 +2296,20 @@ def install(options, env, fstore, statestore):
+ return CLIENT_INSTALL_ERROR
+ root_logger.info("Configured /etc/sssd/sssd.conf")
+
++ # Add the CA to the platform-dependant systemwide CA store
++ ipaservices.insert_ca_cert_into_systemwide_ca_store(CACERT)
++
+ # Add the CA to the default NSS database and trust it
+ try:
+- run(["/usr/bin/certutil", "-A", "-d", "/etc/pki/nssdb", "-n", "IPA CA", "-t", "CT,C,C", "-a", "-i", CACERT])
++ root_logger.debug("Attempting to add CA directly to the "
++ "default NSS database.")
++ run(["/usr/bin/certutil", "-A", "-d", "/etc/pki/nssdb",
++ "-n", "IPA CA", "-t", "CT,C,C", "-a", "-i", CACERT])
+ except CalledProcessError, e:
+ root_logger.info("Failed to add CA to the default NSS database.")
+ return CLIENT_INSTALL_ERROR
++ else:
++ root_logger.info('Added the CA to the default NSS database.')
+
+ host_principal = 'host/%s@%s' % (hostname, cli_realm)
+ if options.on_master:
+diff --git a/ipapython/platform/fedora19/__init__.py b/ipapython/platform/fedora19/__init__.py
+index 80356d65f4d07483000d57e16b193a857d0988ca..9b931625bdcd4f1266ecfd0c7fea4c37ac7935aa 100644
+--- a/ipapython/platform/fedora19/__init__.py
++++ b/ipapython/platform/fedora19/__init__.py
+@@ -17,6 +17,14 @@
+ # along with this program. If not, see <http://www.gnu.org/licenses/>.
+ #
+
++import shutil
++import os
++
++from subprocess import CalledProcessError
++
++from ipapython.ipa_log_manager import root_logger
++from ipapython.ipautil import run
++
+ from ipapython.platform import fedora18, base
+
+ # All what we allow exporting directly from this module
+@@ -38,10 +46,19 @@
+ # applicable
+ # check_selinux_status -- platform-specific way to see if SELinux is enabled
+ # and restorecon is installed.
++# insert_ca_cert_into_systemwide_ca_store - platform-specific way to insert our
++# CA certificate into the systemwide
++# CA store
++# remove_ca_cert_from_systemwide_ca_store - platform-specific way to remove our
++# CA certificate from the systemwide
++# CA store
++
+
+ __all__ = ['authconfig', 'service', 'knownservices',
+ 'backup_and_replace_hostname', 'restore_context', 'check_selinux_status',
+- 'restore_network_configuration', 'timedate_services']
++ 'restore_network_configuration', 'timedate_services',
++ 'insert_ca_cert_into_systemwide_ca_store',
++ 'remove_ca_cert_from_systemwide_ca_store']
+
+ # Just copy a referential list of timedate services
+ timedate_services = list(base.timedate_services)
+@@ -53,3 +70,51 @@
+ knownservices = fedora18.knownservices
+ restore_context = fedora18.restore_context
+ check_selinux_status = fedora18.check_selinux_status
++
++systemwide_ca_store = '/etc/pki/ca-trust/source/anchors/'
++
++
++def insert_ca_cert_into_systemwide_ca_store(cacert_path):
++ # Add the 'ipa-' prefix to cert name to avoid name collisions
++ cacert_name = os.path.basename(cacert_path)
++ new_cacert_path = os.path.join(systemwide_ca_store, 'ipa-%s' % cacert_name)
++
++ # Add the CA to the systemwide CA trust database
++ try:
++ shutil.copy(cacert_path, new_cacert_path)
++ run(['/usr/bin/update-ca-trust'])
++ except OSError, e:
++ root_logger.info("Failed to copy %s to %s" % (cacert_path,
++ new_cacert_path))
++ except CalledProcessError, e:
++ root_logger.info("Failed to add CA to the systemwide "
++ "CA trust database: %s" % str(e))
++ else:
++ root_logger.info('Added the CA to the systemwide CA trust database.')
++ return True
++
++ return False
++
++
++def remove_ca_cert_from_systemwide_ca_store(cacert_path):
++ # Derive the certificate name in the store
++ cacert_name = os.path.basename(cacert_path)
++ new_cacert_path = os.path.join(systemwide_ca_store, 'ipa-%s' % cacert_name)
++
++ # Remove CA cert from systemwide store
++ if os.path.exists(new_cacert_path):
++ try:
++ os.remove(new_cacert_path)
++ run(['/usr/bin/update-ca-trust'])
++ except OSError, e:
++ root_logger.error('Could not remove: %s, %s'
++ % (new_cacert_path, str(e)))
++ return False
++ except CalledProcessError, e:
++ root_logger.error('Could not update systemwide CA trust '
++ 'database: %s' % str(e))
++ return False
++ else:
++ root_logger.info('Systemwide CA database updated.')
++
++ return True
+diff --git a/ipapython/services.py.in b/ipapython/services.py.in
+index 16b62ca8508d4078e896cd1da6fd664f52a3930e..d648ad5bf77aa58f2de33f0a02440eae01d6396b 100644
+--- a/ipapython/services.py.in
++++ b/ipapython/services.py.in
+@@ -21,7 +21,7 @@
+ authconfig = None
+
+ # knownservices is an entry point to known platform services
+-# (instance of ipapython.platform.base.KnownServices)
++# (instance of ipapython.platform.base.KnownServices)
+ knownservices = None
+
+ # service is a class to instantiate ipapython.platform.base.PlatformService
+@@ -55,4 +55,13 @@ from ipapython.platform.base import SVC_LIST_FILE
+ def get_svc_list_file():
+ return SVC_LIST_FILE
+
++def insert_ca_cert_into_systemwide_ca_store_default(path):
++ return True
++
++def remove_ca_cert_from_systemwide_ca_store_default(path):
++ return True
++
++insert_ca_cert_into_systemwide_ca_store = insert_ca_cert_into_systemwide_ca_store_default
++remove_ca_cert_from_systemwide_ca_store = remove_ca_cert_from_systemwide_ca_store_default
++
+ from ipapython.platform.SUPPORTED_PLATFORM import *
+--
+1.8.5.3
+
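Review bot: In `insert_ca_cert_into_systemwide_ca_store` the `except OSError, e:` clause does not cover the `IOError` that Python 2's `shutil.copy` raises when the source or destination cannot be opened, so a failed copy would escape as an unhandled exception into `install()` instead of returning False. Catching both with `except (IOError, OSError), e:` and adding `str(e)` to the message would match what the removal function already logs. Both call sites in `ipa-client-install` discard the return value, and the insert path logs failures only at info level, so an install can complete without the anchor in place. On uninstall, a failing `update-ca-trust` after a successful `os.remove` presumably leaves the CA in the generated trust bundle until the next successful run, which deserves an error reported at the call site rather than a dropped return value. The bodies of `install()` and `uninstall()` continue outside the hunks shown.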
diff --git a/0003-Add-runas-option-to-run-function.patch b/0003-Add-runas-option-to-run-function.patch
new file mode 100644
index 0000000..a470d1a
--- /dev/null
+++ b/0003-Add-runas-option-to-run-function.patch
@@ -0,0 +1,106 @@
+From b4791862852770711be87ca63ed85b23e72baea3 Mon Sep 17 00:00:00 2001
+From: Martin Kosek <mkosek at redhat.com>
+Date: Thu, 16 Jan 2014 14:10:42 +0100
+Subject: [PATCH 3/9] Add runas option to run function
+
+Run function can now run the specified command as different user by
+setting the both real and effective UID and GID for executed process.
+
+Add both the missing run function attribute doc strings as well as
+a doc string for the runas attribute.
+---
+ ipapython/ipautil.py | 59 +++++++++++++++++++++++++++++++++-------------------
+ 1 file changed, 38 insertions(+), 21 deletions(-)
+
+diff --git a/ipapython/ipautil.py b/ipapython/ipautil.py
+index 92569c3b487bdbbfc4f0033813fda56c8928f20c..f7a2443af940a695321da7989457a392d6451d44 100644
+--- a/ipapython/ipautil.py
++++ b/ipapython/ipautil.py
+@@ -42,6 +42,7 @@
+ import netaddr
+ import time
+ import krbV
++import pwd
+ from dns import resolver, rdatatype
+ from dns.exception import DNSException
+
+@@ -246,29 +247,35 @@ def shell_quote(string):
+ return "'" + string.replace("'", "'\\''") + "'"
+
+ def run(args, stdin=None, raiseonerr=True,
+- nolog=(), env=None, capture_output=True, skip_output=False, cwd=None):
++ nolog=(), env=None, capture_output=True, skip_output=False, cwd=None,
++ runas=None):
+ """
+ Execute a command and return stdin, stdout and the process return code.
+
+- args is a list of arguments for the command
+-
+- stdin is used if you want to pass input to the command
+-
+- raiseonerr raises an exception if the return code is not zero
+-
+- nolog is a tuple of strings that shouldn't be logged, like passwords.
+- Each tuple consists of a string to be replaced by XXXXXXXX.
+-
+- For example, the command ['/usr/bin/setpasswd', '--password', 'Secret123', 'someuser']
+-
+- We don't want to log the password so nolog would be set to:
+- ('Secret123',)
+-
+- The resulting log output would be:
+-
+- /usr/bin/setpasswd --password XXXXXXXX someuser
+-
+- If an value isn't found in the list it is silently ignored.
++ :param args: List of arguments for the command
++ :param stdin: Optional input to the command
++ :param raiseonerr: If True, raises an exception if the return code is
++ not zero
++ :param nolog: Tuple of strings that shouldn't be logged, like passwords.
++ Each tuple consists of a string to be replaced by XXXXXXXX.
++
++ Example:
++ We have a command
++ ['/usr/bin/setpasswd', '--password', 'Secret123', 'someuser']
++ and we don't want to log the password so nolog would be set to:
++ ('Secret123',)
++ The resulting log output would be:
++
++ /usr/bin/setpasswd --password XXXXXXXX someuser
++
++ If a value isn't found in the list it is silently ignored.
++ :param env: Dictionary of environment variables passed to the command.
++ When None, current environment is copied
++ :param capture_output: Capture stderr and stdout
++ :param skip_output: Redirect the output to /dev/null and do not capture it
++ :param cwd: Current working directory
++ :param runas: Name of a user that the command shold be run as. The spawned
++ process will have both real and effective UID and GID set.
+ """
+ p_in = None
+ p_out = None
+@@ -298,9 +305,19 @@ def run(args, stdin=None, raiseonerr=True,
+ root_logger.debug('Starting external process')
+ root_logger.debug('args=%s' % arg_string)
+
++ preexec_fn = None
++ if runas is not None:
++ pent = pwd.getpwnam(runas)
++ root_logger.debug('runas=%s (UID %d, GID %s)', runas,
++ pent.pw_uid, pent.pw_gid)
++
++ preexec_fn = lambda: (os.setregid(pent.pw_gid, pent.pw_gid),
++ os.setreuid(pent.pw_uid, pent.pw_uid))
++
+ try:
+ p = subprocess.Popen(args, stdin=p_in, stdout=p_out, stderr=p_err,
+- close_fds=True, env=env, cwd=cwd)
++ close_fds=True, env=env, cwd=cwd,
++ preexec_fn=preexec_fn)
+ stdout,stderr = p.communicate(stdin)
+ stdout,stderr = str(stdout), str(stderr) # Make pylint happy
+ except KeyboardInterrupt:
+--
+1.8.5.3
+
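Review bot: The `preexec_fn` added to `run()` sets the real and effective UID and GID but leaves the supplementary group list untouched, so a command started with `runas` from a root process keeps the caller's supplementary groups. Setting the groups before the GID and UID change closes that gap: `preexec_fn = lambda: (os.initgroups(runas, pent.pw_gid), os.setregid(pent.pw_gid, pent.pw_gid), os.setreuid(pent.pw_uid, pent.pw_uid))`. `pwd.getpwnam(runas)` runs before the `try:`, so an unknown user name surfaces as a plain `KeyError`; the new docstring should say so, and "shold" in the `runas` description should read "should". The body of `run()` continues outside the hunk.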
diff --git a/0004-Switch-httpd-to-use-default-CCACHE.patch b/0004-Switch-httpd-to-use-default-CCACHE.patch
new file mode 100644
index 0000000..dd8cf44
--- /dev/null
+++ b/0004-Switch-httpd-to-use-default-CCACHE.patch
@@ -0,0 +1,84 @@
+From 97d3a2420f5b29d3777c1661c27a7cc6b157a2d5 Mon Sep 17 00:00:00 2001
+From: Martin Kosek <mkosek at redhat.com>
+Date: Thu, 16 Jan 2014 14:12:29 +0100
+Subject: [PATCH 4/9] Switch httpd to use default CCACHE
+
+Stock httpd no longer uses systemd EnvironmentFile option which is
+making FreeIPA's KRB5CCNAME setting ineffective. This can lead in hard
+to debug problems during subsequent ipa-server-install's where HTTP
+may use a stale CCACHE in the default kernel keyring CCACHE.
+
+Avoid forcing custom CCACHE and switch to system one, just make sure
+that it is properly cleaned by kdestroy run as "apache" user during
+FreeIPA server installation process.
+
+https://fedorahosted.org/freeipa/ticket/4084
+---
+ install/tools/ipa-upgradeconfig | 7 ++++++-
+ ipaserver/install/httpinstance.py | 22 +++-------------------
+ 2 files changed, 9 insertions(+), 20 deletions(-)
+
+diff --git a/install/tools/ipa-upgradeconfig b/install/tools/ipa-upgradeconfig
+index 41c51263d5fc8b3a0e2f28bab89fc9d2d184fdca..cf9fe0e040e56bb75ca8d53e28586911caeffb2b 100644
+--- a/install/tools/ipa-upgradeconfig
++++ b/install/tools/ipa-upgradeconfig
+@@ -1043,10 +1043,15 @@ def main():
+ update_dbmodules(api.env.realm)
+ uninstall_ipa_kpasswd()
+
++ removed_sysconfig_file = '/etc/sysconfig/httpd'
++ if fstore.has_file(removed_sysconfig_file):
++ root_logger.info('Restoring %s as it is no longer required',
++ removed_sysconfig_file)
++ fstore.restore_file(removed_sysconfig_file)
++
+ http = httpinstance.HTTPInstance(fstore)
+ http.remove_httpd_ccache()
+ http.configure_selinux_for_httpd()
+- http.configure_httpd_ccache()
+ http.change_mod_nss_port_to_http()
+
+ ds = dsinstance.DsInstance()
+diff --git a/ipaserver/install/httpinstance.py b/ipaserver/install/httpinstance.py
+index 689e657e291b93d90038937a61f67915c0d582ec..9c9205883b38dfb854fb2885d3692a7053866b63 100644
+--- a/ipaserver/install/httpinstance.py
++++ b/ipaserver/install/httpinstance.py
+@@ -126,7 +126,6 @@ def create_instance(self, realm, fqdn, domain_name, dm_password=None,
+ self.step("creating a keytab for httpd", self.__create_http_keytab)
+ self.step("clean up any existing httpd ccache", self.remove_httpd_ccache)
+ self.step("configuring SELinux for httpd", self.configure_selinux_for_httpd)
+- self.step("configure httpd ccache", self.configure_httpd_ccache)
+ self.step("restarting httpd", self.__start)
+ self.step("configuring httpd to start on boot", self.__enable)
+
+@@ -217,24 +216,9 @@ def __create_http_keytab(self):
+
+ def remove_httpd_ccache(self):
+ # Clean up existing ccache
+- pent = pwd.getpwnam("apache")
+- installutils.remove_file('/tmp/krb5cc_%d' % pent.pw_uid)
+-
+- def configure_httpd_ccache(self):
+- pent = pwd.getpwnam("apache")
+- ccache = '/tmp/krb5cc_%d' % pent.pw_uid
+- filepath = '/etc/sysconfig/httpd'
+- if not os.path.exists(filepath):
+- # file doesn't exist; create it with correct ownership & mode
+- open(filepath, 'a').close()
+- os.chmod(filepath,
+- stat.S_IRUSR | stat.S_IWUSR | stat.S_IRGRP | stat.S_IROTH)
+- os.chown(filepath, 0, 0)
+-
+- replacevars = {'KRB5CCNAME': ccache}
+- old_values = ipautil.backup_config_and_replace_variables(
+- self.fstore, filepath, replacevars=replacevars)
+- ipaservices.restore_context(filepath)
++ # Make sure that empty env is passed to avoid passing KRB5CCNAME from
++ # current env
++ ipautil.run(['kdestroy'], runas='apache', raiseonerr=False, env={})
+
+ def __configure_http(self):
+ target_fname = '/etc/httpd/conf.d/ipa.conf'
+--
+1.8.5.3
+
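Review bot: `remove_httpd_ccache` now runs a bare `kdestroy` with `env={}`, so the child has no `PATH` and the executable is resolved through the interpreter's built-in default search path rather than a fixed location. Other commands in this commit are called by absolute path (`/usr/bin/certutil`, `/usr/bin/update-ca-trust`), and doing the same here keeps a root-run installer independent of lookup order: `ipautil.run(['/usr/bin/kdestroy'], runas='apache', raiseonerr=False, env={})`. With `raiseonerr=False` the result is dropped, so a ccache that could not be destroyed goes unnoticed; logging a non-zero return code would help with the stale-ccache case the commit message describes. The same call, with `-A` added, appears in 0005-httpd-should-destroy-all-CCACHEs.patch.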
diff --git a/0005-httpd-should-destroy-all-CCACHEs.patch b/0005-httpd-should-destroy-all-CCACHEs.patch
new file mode 100644
index 0000000..3c3e5f8
--- /dev/null
+++ b/0005-httpd-should-destroy-all-CCACHEs.patch
@@ -0,0 +1,30 @@
+From d134f591c9250f38d170a937ec221637d09b58bc Mon Sep 17 00:00:00 2001
+From: Martin Kosek <mkosek at redhat.com>
+Date: Wed, 22 Jan 2014 16:08:51 +0100
+Subject: [PATCH 5/9] httpd should destroy all CCACHEs
+
+Use "kdestroy -A" command to destroy all CCACHEs, both the primary
+and the non-primary ones to make sure that the non-primary ones are
+not used later.
+
+https://fedorahosted.org/freeipa/ticket/4084
+---
+ ipaserver/install/httpinstance.py | 2 +-
+ 1 file changed, 1 insertion(+), 1 deletion(-)
+
+diff --git a/ipaserver/install/httpinstance.py b/ipaserver/install/httpinstance.py
+index 9c9205883b38dfb854fb2885d3692a7053866b63..5d37926ddcaa17ce2eab839cd6aecdab0159a8ee 100644
+--- a/ipaserver/install/httpinstance.py
++++ b/ipaserver/install/httpinstance.py
+@@ -218,7 +218,7 @@ def remove_httpd_ccache(self):
+ # Clean up existing ccache
+ # Make sure that empty env is passed to avoid passing KRB5CCNAME from
+ # current env
+- ipautil.run(['kdestroy'], runas='apache', raiseonerr=False, env={})
++ ipautil.run(['kdestroy', '-A'], runas='apache', raiseonerr=False, env={})
+
+ def __configure_http(self):
+ target_fname = '/etc/httpd/conf.d/ipa.conf'
+--
+1.8.5.3
+
diff --git a/0006-Enable-Retro-Changelog-and-Content-Synchronization-D.patch b/0006-Enable-Retro-Changelog-and-Content-Synchronization-D.patch
new file mode 100644
index 0000000..34af3bd
--- /dev/null
+++ b/0006-Enable-Retro-Changelog-and-Content-Synchronization-D.patch
@@ -0,0 +1,124 @@
+From ada54e7e836d13ccede3fe74f1cd30300a242c6e Mon Sep 17 00:00:00 2001
+From: Ana Krivokapic <akrivoka at redhat.com>
+Date: Fri, 25 Oct 2013 12:41:25 +0200
+Subject: [PATCH 6/9] Enable Retro Changelog and Content Synchronization DS
+ plugins
+
+Enable Retro Changelog and Content Synchronization DS plugins which are required
+for SyncRepl support.
+
+Create a working directory /var/named/ipa required by bind-dyndb-ldap v4+.
+
+https://fedorahosted.org/freeipa/ticket/3967
+---
+ freeipa.spec.in | 1 +
+ install/tools/ipa-upgradeconfig | 5 ++++-
+ install/updates/20-syncrepl.update | 9 +++++++++
+ install/updates/Makefile.am | 1 +
+ ipaserver/install/bindinstance.py | 13 +++++++++++++
+ 5 files changed, 28 insertions(+), 1 deletion(-)
+ create mode 100644 install/updates/20-syncrepl.update
+
+diff --git a/freeipa.spec.in b/freeipa.spec.in
+index 8fd0a368ed02cfad120db6283e3899027d467bfc..4f60be6ccd623de4574c7627e0ffc4ff0829e701 100644
+--- a/freeipa.spec.in
++++ b/freeipa.spec.in
+@@ -764,6 +764,7 @@ fi
+ %{_mandir}/man1/ipa-backup.1.gz
+ %{_mandir}/man1/ipa-restore.1.gz
+ %{_mandir}/man1/ipa-advise.1.gz
++%ghost %{_localstatedir}/named/ipa
+
+ %files server-trust-ad
+ %{_sbindir}/ipa-adtrust-install
+diff --git a/install/tools/ipa-upgradeconfig b/install/tools/ipa-upgradeconfig
+index cf9fe0e040e56bb75ca8d53e28586911caeffb2b..5bcef1ac827da296c6a35e8fc29a1c6f0a04f808 100644
+--- a/install/tools/ipa-upgradeconfig
++++ b/install/tools/ipa-upgradeconfig
+@@ -1084,6 +1084,10 @@ def main():
+ setup_firefox_extension(fstore)
+ add_ca_dns_records()
+
++ bind = bindinstance.BindInstance(fstore)
++ if bind.is_configured():
++ bind.create_dir('/var/named/ipa', 0700)
++
+ # Any of the following functions returns True iff the named.conf file
+ # has been altered
+ named_conf_changes = (
+@@ -1097,7 +1101,6 @@ def main():
+ if any(named_conf_changes):
+ # configuration has changed, restart the name server
+ root_logger.info('Changes to named.conf have been made, restart named')
+- bind = bindinstance.BindInstance(fstore)
+ try:
+ bind.restart()
+ except ipautil.CalledProcessError, e:
+diff --git a/install/updates/20-syncrepl.update b/install/updates/20-syncrepl.update
+new file mode 100644
+index 0000000000000000000000000000000000000000..c4158a1634410acd323f04f442bbbd2f69c24708
+--- /dev/null
++++ b/install/updates/20-syncrepl.update
+@@ -0,0 +1,9 @@
++# Enable Retro changelog
++dn: cn=Retro Changelog Plugin,cn=plugins,cn=config
++only:nsslapd-pluginEnabled: on
++add:nsslapd-attribute: nsuniqueid:targetUniqueId
++add:nsslapd-changelogmaxage: 2d
++
++# Enable SyncRepl
++dn: cn=Content Synchronization,cn=plugins,cn=config
++only:nsslapd-pluginEnabled: on
+diff --git a/install/updates/Makefile.am b/install/updates/Makefile.am
+index 40c3b3c8916faa267254a29d0f458ca53201950c..09965ff9885fce93f3d15dc73b11fa210f68b163 100644
+--- a/install/updates/Makefile.am
++++ b/install/updates/Makefile.am
+@@ -22,6 +22,7 @@ app_DATA = \
+ 20-indices.update \
+ 20-nss_ldap.update \
+ 20-replication.update \
++ 20-syncrepl.update \
+ 20-user_private_groups.update \
+ 20-winsync_index.update \
+ 21-replicas_container.update \
+diff --git a/ipaserver/install/bindinstance.py b/ipaserver/install/bindinstance.py
+index 6d5a1d44d30c89278c24fe7ab5278355cb65b0b4..4baeb4e077c64a7abebd1c071012f6c1e02dc1ae 100644
+--- a/ipaserver/install/bindinstance.py
++++ b/ipaserver/install/bindinstance.py
+@@ -22,6 +22,7 @@
+ import pwd
+ import netaddr
+ import re
++import errno
+
+ import ldap
+
+@@ -509,6 +510,16 @@ def create_sample_bind_zone(self):
+ os.close(bind_fd)
+ print "Sample zone file for bind has been created in "+bind_name
+
++ def create_dir(self, path, mode):
++ try:
++ os.makedirs(path, mode)
++ except OSError as e:
++ if e.errno != errno.EEXIST:
++ raise e
++
++ pent = pwd.getpwnam(self.named_user or 'named')
++ os.chown(path, pent.pw_uid, pent.pw_gid)
++
+ def create_instance(self):
+
+ try:
+@@ -519,6 +530,8 @@ def create_instance(self):
+ # get a connection to the DS
+ self.ldap_connect()
+
++ self.create_dir('/var/named/ipa', 0700)
++
+ if installutils.record_in_hosts(self.ip_address, self.fqdn) is None:
+ installutils.add_record_to_hosts(self.ip_address, self.fqdn)
+
+--
+1.8.5.3
+
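Review bot: `create_dir` in `bindinstance.py` treats an already existing path as success and then calls `os.chown` on it without checking that it is a real directory or resetting its mode. `os.chown` follows symbolic links, and `os.makedirs` applies `mode` only to directories it creates, subject to the umask. Because this runs as root on a path under `/var/named`, I would verify the path type and set the mode explicitly before changing ownership, as sketched below; a bare `raise` also keeps the original traceback that `raise e` discards in Python 2. 0008-Remove-working-directory-for-bind-dyndb-ldap-plugin.patch later in this commit removes the directory handling again, so this matters mainly when only part of the series is applied.

```python
    def create_dir(self, path, mode):
        try:
            os.makedirs(path, mode)
        except OSError as e:
            if e.errno != errno.EEXIST:
                raise
        # Do not change ownership of anything that is not a real directory
        if os.path.islink(path) or not os.path.isdir(path):
            raise RuntimeError("%s exists and is not a directory" % path)
        # makedirs() does not touch the mode of a pre-existing directory
        os.chmod(path, mode)
        # ... unchanged: pwd.getpwnam() lookup and os.chown() ...
```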
diff --git a/0007-Limit-memberOf-and-refInt-DS-plugins-to-main-IPA-suf.patch b/0007-Limit-memberOf-and-refInt-DS-plugins-to-main-IPA-suf.patch
new file mode 100644
index 0000000..d1510f4
--- /dev/null
+++ b/0007-Limit-memberOf-and-refInt-DS-plugins-to-main-IPA-suf.patch
@@ -0,0 +1,73 @@
+From 031d08b13cec4c6c538a9c344576d349481ceeea Mon Sep 17 00:00:00 2001
+From: Petr Spacek <pspacek at redhat.com>
+Date: Thu, 23 Jan 2014 12:22:38 +0100
+Subject: [PATCH 7/9] Limit memberOf and refInt DS plugins to main IPA suffix.
+
+This drastically improves performance of retro changelog trimming.
+
+https://fedorahosted.org/freeipa/ticket/3967
+---
+ freeipa.spec.in | 6 +++---
+ install/updates/20-syncrepl.update | 13 ++++++++++++-
+ 2 files changed, 15 insertions(+), 4 deletions(-)
+
+diff --git a/freeipa.spec.in b/freeipa.spec.in
+index 4f60be6ccd623de4574c7627e0ffc4ff0829e701..ef96c7c271ebba33b15d9b35891092e4151c3aae 100644
+--- a/freeipa.spec.in
++++ b/freeipa.spec.in
+@@ -21,7 +21,7 @@ Source0: freeipa-%{version}.tar.gz
+ BuildRoot: %{_tmppath}/%{name}-%{version}-%{release}-root-%(%{__id_u} -n)
+
+ %if ! %{ONLY_CLIENT}
+-BuildRequires: 389-ds-base-devel >= 1.3.1.3
++BuildRequires: 389-ds-base-devel >= 1.3.2.10
+ BuildRequires: svrcore-devel
+ BuildRequires: policycoreutils >= %{POLICYCOREUTILSVER}
+ BuildRequires: systemd-units
+@@ -95,7 +95,7 @@ Group: System Environment/Base
+ Requires: %{name}-python = %{version}-%{release}
+ Requires: %{name}-client = %{version}-%{release}
+ Requires: %{name}-admintools = %{version}-%{release}
+-Requires: 389-ds-base >= 1.3.1.3
++Requires: 389-ds-base >= 1.3.2.10
+ Requires: openldap-clients > 2.4.35-4
+ %if 0%{?fedora} == 18
+ Requires: nss >= 3.14.3-2
+@@ -150,7 +150,7 @@ Requires: zip
+ Requires: policycoreutils >= %{POLICYCOREUTILSVER}
+ Requires: tar
+ Requires(pre): certmonger >= 0.65
+-Requires(pre): 389-ds-base >= 1.3.1.3
++Requires(pre): 389-ds-base >= 1.3.2.10
+
+ # With FreeIPA 3.3, package freeipa-server-selinux was obsoleted as the
+ # entire SELinux policy is stored in the system policy
+diff --git a/install/updates/20-syncrepl.update b/install/updates/20-syncrepl.update
+index c4158a1634410acd323f04f442bbbd2f69c24708..e1184bf48285fb216dfb0c82e5e97bb8cc35539c 100644
+--- a/install/updates/20-syncrepl.update
++++ b/install/updates/20-syncrepl.update
+@@ -1,9 +1,20 @@
+-# Enable Retro changelog
++# Enable Retro changelog - it is necessary for SyncRepl
+ dn: cn=Retro Changelog Plugin,cn=plugins,cn=config
+ only:nsslapd-pluginEnabled: on
++# Remember original nsuniqueid for objects referenced from cn=changelog
+ add:nsslapd-attribute: nsuniqueid:targetUniqueId
+ add:nsslapd-changelogmaxage: 2d
+
++# Keep memberOf and referential integrity plugins away from cn=changelog.
++# It is necessary for performance reasons because we don't have appropriate
++# indices for cn=changelog.
++dn: cn=MemberOf Plugin,cn=plugins,cn=config
++add:memberofentryscope: '$SUFFIX'
++
++dn: cn=referential integrity postoperation,cn=plugins,cn=config
++add:nsslapd-plugincontainerscope: '$SUFFIX'
++add:nsslapd-pluginentryscope: '$SUFFIX'
++
+ # Enable SyncRepl
+ dn: cn=Content Synchronization,cn=plugins,cn=config
+ only:nsslapd-pluginEnabled: on
+--
+1.8.5.3
+
diff --git a/0008-Remove-working-directory-for-bind-dyndb-ldap-plugin.patch b/0008-Remove-working-directory-for-bind-dyndb-ldap-plugin.patch
new file mode 100644
index 0000000..2a2113f
--- /dev/null
+++ b/0008-Remove-working-directory-for-bind-dyndb-ldap-plugin.patch
@@ -0,0 +1,93 @@
+From 916437b391739ea3ee48dfcd9f0d164536ca9ead Mon Sep 17 00:00:00 2001
+From: Petr Spacek <pspacek at redhat.com>
+Date: Mon, 27 Jan 2014 14:47:10 +0100
+Subject: [PATCH 8/9] Remove working directory for bind-dyndb-ldap plugin.
+
+The working directory will be provided directly
+by bind-dyndb-ldap package.
+
+This partially reverts commit 689382dc833e687d30349b10a8fd7dc740d54d08.
+
+https://fedorahosted.org/freeipa/ticket/3967
+---
+ freeipa.spec.in | 1 -
+ install/tools/ipa-upgradeconfig | 5 +----
+ ipaserver/install/bindinstance.py | 13 -------------
+ 3 files changed, 1 insertion(+), 18 deletions(-)
+
+diff --git a/freeipa.spec.in b/freeipa.spec.in
+index ef96c7c271ebba33b15d9b35891092e4151c3aae..eb9afbb4bfa1a11caf1282d5b76c2e138735386c 100644
+--- a/freeipa.spec.in
++++ b/freeipa.spec.in
+@@ -764,7 +764,6 @@ fi
+ %{_mandir}/man1/ipa-backup.1.gz
+ %{_mandir}/man1/ipa-restore.1.gz
+ %{_mandir}/man1/ipa-advise.1.gz
+-%ghost %{_localstatedir}/named/ipa
+
+ %files server-trust-ad
+ %{_sbindir}/ipa-adtrust-install
+diff --git a/install/tools/ipa-upgradeconfig b/install/tools/ipa-upgradeconfig
+index 5bcef1ac827da296c6a35e8fc29a1c6f0a04f808..cf9fe0e040e56bb75ca8d53e28586911caeffb2b 100644
+--- a/install/tools/ipa-upgradeconfig
++++ b/install/tools/ipa-upgradeconfig
+@@ -1084,10 +1084,6 @@ def main():
+ setup_firefox_extension(fstore)
+ add_ca_dns_records()
+
+- bind = bindinstance.BindInstance(fstore)
+- if bind.is_configured():
+- bind.create_dir('/var/named/ipa', 0700)
+-
+ # Any of the following functions returns True iff the named.conf file
+ # has been altered
+ named_conf_changes = (
+@@ -1101,6 +1097,7 @@ def main():
+ if any(named_conf_changes):
+ # configuration has changed, restart the name server
+ root_logger.info('Changes to named.conf have been made, restart named')
++ bind = bindinstance.BindInstance(fstore)
+ try:
+ bind.restart()
+ except ipautil.CalledProcessError, e:
+diff --git a/ipaserver/install/bindinstance.py b/ipaserver/install/bindinstance.py
+index 4baeb4e077c64a7abebd1c071012f6c1e02dc1ae..6d5a1d44d30c89278c24fe7ab5278355cb65b0b4 100644
+--- a/ipaserver/install/bindinstance.py
++++ b/ipaserver/install/bindinstance.py
+@@ -22,7 +22,6 @@
+ import pwd
+ import netaddr
+ import re
+-import errno
+
+ import ldap
+
+@@ -510,16 +509,6 @@ def create_sample_bind_zone(self):
+ os.close(bind_fd)
+ print "Sample zone file for bind has been created in "+bind_name
+
+- def create_dir(self, path, mode):
+- try:
+- os.makedirs(path, mode)
+- except OSError as e:
+- if e.errno != errno.EEXIST:
+- raise e
+-
+- pent = pwd.getpwnam(self.named_user or 'named')
+- os.chown(path, pent.pw_uid, pent.pw_gid)
+-
+ def create_instance(self):
+
+ try:
+@@ -530,8 +519,6 @@ def create_instance(self):
+ # get a connection to the DS
+ self.ldap_connect()
+
+- self.create_dir('/var/named/ipa', 0700)
+-
+ if installutils.record_in_hosts(self.ip_address, self.fqdn) is None:
+ installutils.add_record_to_hosts(self.ip_address, self.fqdn)
+
+--
+1.8.5.3
+
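Review bot: Nothing visible in this patch ties the removal of `/var/named/ipa` handling to a bind-dyndb-ldap build that actually ships the directory. The `%ghost` entry in freeipa.spec.in and both `create_dir('/var/named/ipa', 0700)` calls are dropped, so the directory's existence, its 0700 mode and its named ownership now depend entirely on the other package. Unless the dependency is raised in a part of the spec outside these hunks, a versioned requirement such as `Requires: bind-dyndb-ldap >= <VERSION_THAT_SHIPS_WORKDIR>` (placeholder) would keep a fresh install from pairing with an older plugin build. `create_instance` and `main` continue outside the hunks shown, so other uses of the directory cannot be ruled out from here.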
diff --git a/0009-Remove-mod_ssl-port-workaround.patch b/0009-Remove-mod_ssl-port-workaround.patch
new file mode 100644
index 0000000..3e28fd3
--- /dev/null
+++ b/0009-Remove-mod_ssl-port-workaround.patch
@@ -0,0 +1,98 @@
+From a24f83b833eb515e60a6e5b8144834bae7a78f70 Mon Sep 17 00:00:00 2001
+From: Jan Cholasta <jcholast at redhat.com>
+Date: Tue, 26 Nov 2013 08:53:34 +0000
+Subject: [PATCH 9/9] Remove mod_ssl port workaround.
+
+https://fedorahosted.org/freeipa/ticket/4021
+---
+ freeipa.spec.in | 8 ++++++--
+ install/tools/ipa-upgradeconfig | 2 +-
+ ipaserver/install/httpinstance.py | 17 ++++++++---------
+ 3 files changed, 15 insertions(+), 12 deletions(-)
+
+diff --git a/freeipa.spec.in b/freeipa.spec.in
+index eb9afbb4bfa1a11caf1282d5b76c2e138735386c..1f2ca11cb04d3e2f3a02d7a77cad1763c85e63cb 100644
+--- a/freeipa.spec.in
++++ b/freeipa.spec.in
+@@ -118,14 +118,14 @@ Requires: krb5-server >= 1.10
+ Requires: krb5-pkinit-openssl
+ Requires: cyrus-sasl-gssapi%{?_isa}
+ Requires: ntp
+-Requires: httpd
++Requires: httpd >= 2.4.6-6
+ Requires: mod_wsgi
+ %if 0%{?fedora} >= 18
+ Requires: mod_auth_kerb >= 5.4-16
+ %else
+ Requires: mod_auth_kerb >= 5.4-8
+ %endif
+-Requires: mod_nss >= 1.0.8-24
++Requires: mod_nss >= 1.0.8-26
+ Requires: python-ldap
+ Requires: python-krbV
+ Requires: acl
+@@ -861,6 +861,10 @@ fi
+ %endif # ONLY_CLIENT
+
+ %changelog
++* Tue Nov 26 2013 Jan Cholasta <jcholast at redhat.com> - 3.3.90-6
++- Set minimum version of httpd to 2.4.6-6
++- Set minimum version of mod_nss to 1.0.8-26
++
+ * Tue Nov 12 2013 Tomas Babej<tbabej at redhat.com> - 3.3.90-5
+ - Add Fedora 19 platform files
+
+diff --git a/install/tools/ipa-upgradeconfig b/install/tools/ipa-upgradeconfig
+index cf9fe0e040e56bb75ca8d53e28586911caeffb2b..a31f7d092981c33694268f420892a781e9b02b3f 100644
+--- a/install/tools/ipa-upgradeconfig
++++ b/install/tools/ipa-upgradeconfig
+@@ -1052,7 +1052,7 @@ def main():
+ http = httpinstance.HTTPInstance(fstore)
+ http.remove_httpd_ccache()
+ http.configure_selinux_for_httpd()
+- http.change_mod_nss_port_to_http()
++ http.change_mod_nss_port_from_http()
+
+ ds = dsinstance.DsInstance()
+ ds.configure_dirsrv_ccache()
+diff --git a/ipaserver/install/httpinstance.py b/ipaserver/install/httpinstance.py
+index 5d37926ddcaa17ce2eab839cd6aecdab0159a8ee..34e58fbb845c91c42a37d94a172e167cfb6f1790 100644
+--- a/ipaserver/install/httpinstance.py
++++ b/ipaserver/install/httpinstance.py
+@@ -237,25 +237,24 @@ def __configure_http(self):
+ http_fd.close()
+ os.chmod(target_fname, 0644)
+
+- def change_mod_nss_port_to_http(self):
++ def change_mod_nss_port_from_http(self):
+ # mod_ssl enforces SSLEngine on for vhost on 443 even though
+ # the listener is mod_nss. This then crashes the httpd as mod_nss
+ # listened port obviously does not match mod_ssl requirements.
+ #
+- # Change port to http to workaround the mod_ssl check, the SSL is
+- # enforced in the vhost later, so it is benign.
++ # The workaround for this was to change port to http. It is no longer
++ # necessary, as mod_nss now ships with default configuration which
++ # sets SSLEngine off when mod_ssl is installed.
+ #
+- # Remove when https://bugzilla.redhat.com/show_bug.cgi?id=1023168
+- # is fixed.
+- if not sysupgrade.get_upgrade_state('nss.conf', 'listen_port_updated'):
+- installutils.set_directive(NSS_CONF, 'Listen', '443 http', quotes=False)
+- sysupgrade.set_upgrade_state('nss.conf', 'listen_port_updated', True)
++ # Remove the workaround.
++ if sysupgrade.get_upgrade_state('nss.conf', 'listen_port_updated'):
++ installutils.set_directive(NSS_CONF, 'Listen', '443', quotes=False)
++ sysupgrade.set_upgrade_state('nss.conf', 'listen_port_updated', False)
+
+ def __set_mod_nss_port(self):
+ self.fstore.backup_file(NSS_CONF)
+ if installutils.update_file(NSS_CONF, '8443', '443') != 0:
+ print "Updating port in %s failed." % NSS_CONF
+- self.change_mod_nss_port_to_http()
+
+ def __set_mod_nss_nickname(self, nickname):
+ installutils.set_directive(NSS_CONF, 'NSSNickname', nickname)
+--
+1.8.5.3
+
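Review bot: In `change_mod_nss_port_from_http` the revert writes a fixed `Listen 443` whenever the `listen_port_updated` state is set, without looking at what nss.conf currently holds. If an administrator has since narrowed the listener (for example to a specific address), the upgrade would appear to replace that line and widen it back to all interfaces. Rewriting only when the current value is exactly the workaround's `443 http`, and logging when it is not, would keep the upgrade from changing listener exposure silently. The retained comment still opens by describing the mod_ssl crash in the present tense; a docstring such as `"""Undo the 'Listen 443 http' mod_ssl workaround in nss.conf if an earlier run applied it."""` would state what the method does now.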
diff --git a/freeipa.spec b/freeipa.spec
index b682914..588ea5b 100644
--- a/freeipa.spec
+++ b/freeipa.spec
@@ -4,11 +4,11 @@
%global plugin_dir %{_libdir}/dirsrv/plugins
%global POLICYCOREUTILSVER 2.1.14-37
%global gettext_domain ipa
-%global VERSION 3.3.3
+%global VERSION 3.3.4
Name: freeipa
-Version: 3.3.3
-Release: 5%{?dist}
+Version: 3.3.4
+Release: 1%{?dist}
Summary: The Identity, Policy and Audit system
Group: System Environment/Base
@@ -17,9 +17,15 @@ URL: http://www.freeipa.org/
Source0: http://www.freeipa.org/downloads/src/freeipa-%{VERSION}.tar.gz
BuildRoot: %{_tmppath}/%{name}-%{version}-%{release}-root-%(%{__id_u} -n)
-Patch0001: 0001-Guard-import-of-adtrustinstance-for-case-without-tru.patch
-Patch0002: 0002-Fix-Wformat-security-warnings.patch
-Patch0003: 0003-Increase-stack-size-for-Web-UI-builder.patch
+Patch0001: 0001-platform-Add-Fedora-19-platform-file.patch
+Patch0002: 0002-ipa-client-install-Publish-CA-certificate-to-systemw.patch
+Patch0003: 0003-Add-runas-option-to-run-function.patch
+Patch0004: 0004-Switch-httpd-to-use-default-CCACHE.patch
+Patch0005: 0005-httpd-should-destroy-all-CCACHEs.patch
+Patch0006: 0006-Enable-Retro-Changelog-and-Content-Synchronization-D.patch
+Patch0007: 0007-Limit-memberOf-and-refInt-DS-plugins-to-main-IPA-suf.patch
+Patch0008: 0008-Remove-working-directory-for-bind-dyndb-ldap-plugin.patch
+Patch0009: 0009-Remove-mod_ssl-port-workaround.patch
%if ! %{ONLY_CLIENT}
BuildRequires: 389-ds-base-devel >= 1.3.1.3
@@ -96,7 +102,7 @@ Group: System Environment/Base
Requires: %{name}-python = %{version}-%{release}
Requires: %{name}-client = %{version}-%{release}
Requires: %{name}-admintools = %{version}-%{release}
-Requires: 389-ds-base >= 1.3.1.3
+Requires: 389-ds-base >= 1.3.2.10
Requires: openldap-clients > 2.4.35-4
%if 0%{?fedora} == 18
Requires: nss >= 3.14.3-2
@@ -119,14 +125,14 @@ Requires: krb5-server >= 1.10
Requires: krb5-pkinit-openssl
Requires: cyrus-sasl-gssapi%{?_isa}
Requires: ntp
-Requires: httpd
+Requires: httpd >= 2.4.6-6
Requires: mod_wsgi
%if 0%{?fedora} >= 18
Requires: mod_auth_kerb >= 5.4-16
%else
Requires: mod_auth_kerb >= 5.4-8
%endif
-Requires: mod_nss >= 1.0.8-24
+Requires: mod_nss >= 1.0.8-26
Requires: python-ldap
Requires: python-krbV
Requires: acl
@@ -151,7 +157,7 @@ Requires: zip
Requires: policycoreutils >= %{POLICYCOREUTILSVER}
Requires: tar
Requires(pre): certmonger >= 0.65
-Requires(pre): 389-ds-base >= 1.3.1.3
+Requires(pre): 389-ds-base >= 1.3.2.10
# With FreeIPA 3.3, package freeipa-server-selinux was obsoleted as the
# entire SELinux policy is stored in the system policy
@@ -372,6 +378,9 @@ export JAVA_STACK_SIZE="8m"
%endif
export CFLAGS="$CFLAGS %{optflags}"
export CPPFLAGS="$CPPFLAGS %{optflags}"
+%if 0%{?fedora} >= 19
+export SUPPORTED_PLATFORM=fedora19
+%else
%if 0%{?fedora} >= 18
# use fedora18 platform which is based on fedora16 platform with systemd
# support + fedora18 changes
@@ -379,6 +388,7 @@ export SUPPORTED_PLATFORM=fedora18
%else
export SUPPORTED_PLATFORM=fedora16
%endif
+%endif
# Force re-generate of platform support
rm -f ipapython/services.py
make version-update
@@ -396,6 +406,9 @@ make IPA_VERSION_IS_GIT_SNAPSHOT=no %{?_smp_mflags} client
%install
rm -rf %{buildroot}
+%if 0%{?fedora} >= 19
+export SUPPORTED_PLATFORM=fedora19
+%else
%if 0%{?fedora} >= 18
# use fedora18 platform which is based on fedora16 platform with systemd
# support + fedora18 changes
@@ -403,6 +416,7 @@ export SUPPORTED_PLATFORM=fedora18
%else
export SUPPORTED_PLATFORM=fedora16
%endif
+%endif
# Force re-generate of platform support
rm -f ipapython/services.py
%if ! %{ONLY_CLIENT}
@@ -595,6 +609,16 @@ if [ $1 -gt 1 ] ; then
/sbin/restorecon /etc/krb5.conf
fi
fi
+
+ if [ -f '/etc/sysconfig/ntpd' -a $restore -ge 2 ]; then
+ if grep -E -q 'OPTIONS=.*-u ntp:ntp' /etc/sysconfig/ntpd 2>/dev/null; then
+ sed -r '/OPTIONS=/ { s/\s+-u ntp:ntp\s+/ /; s/\s*-u ntp:ntp\s*// }' /etc/sysconfig/ntpd >/etc/sysconfig/ntpd.ipanew
+ mv /etc/sysconfig/ntpd.ipanew /etc/sysconfig/ntpd
+ /sbin/restorecon /etc/sysconfig/ntpd
+
+ /bin/systemctl condrestart ntpd.service 2>&1 || :
+ fi
+ fi
fi
%triggerin -n freeipa-client -- openssh-server
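Review bot: The added ntpd block replaces `/etc/sysconfig/ntpd` with the output of `sed` without checking that `sed` succeeded, so a failed or partial write (full disk, for instance) would leave an empty or truncated config in place. Chaining the two steps, `... >/etc/sysconfig/ntpd.ipanew && mv /etc/sysconfig/ntpd.ipanew /etc/sysconfig/ntpd`, avoids that. The new file is also created with the scriptlet's umask and ownership rather than the original's, and `restorecon` repairs only the SELinux label. Because the block strips `-u ntp:ntp`, the user and group ntpd is told to run as, a comment should say why it is removed and where that setting now comes from, e.g. `# -u ntp:ntp was added by older ipa-client-install; <reason it is no longer needed>`. `$restore` and the enclosing `if [ $1 -gt 1 ]` are defined outside this hunk.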
@@ -719,6 +743,7 @@ fi
%{_usr}/share/ipa/ui/*.svg
%{_usr}/share/ipa/ui/*.ttf
%{_usr}/share/ipa/ui/*.woff
+%dir %{_usr}/share/ipa/ui/js
%dir %{_usr}/share/ipa/ui/js/dojo
%{_usr}/share/ipa/ui/js/dojo/dojo.js
%dir %{_usr}/share/ipa/ui/js/libs
@@ -853,12 +878,14 @@ fi
%dir %{python_sitelib}/ipapython/platform/base
%dir %{python_sitelib}/ipapython/platform/fedora16
%dir %{python_sitelib}/ipapython/platform/fedora18
+%dir %{python_sitelib}/ipapython/platform/fedora19
%dir %{python_sitelib}/ipapython/platform/redhat
%{python_sitelib}/ipapython/*.py*
%{python_sitelib}/ipapython/platform/*.py*
%{python_sitelib}/ipapython/platform/base/*.py*
%{python_sitelib}/ipapython/platform/fedora16/*.py*
%{python_sitelib}/ipapython/platform/fedora18/*.py*
+%{python_sitelib}/ipapython/platform/fedora19/*.py*
%{python_sitelib}/ipapython/platform/redhat/*.py*
%dir %{python_sitelib}/ipalib
%{python_sitelib}/ipalib/*
@@ -894,6 +921,13 @@ fi
%endif # ONLY_CLIENT
%changelog
+* Tue Jan 28 2014 Martin Kosek <mkosek at redhat.com> - 3.3.4-1
+- Update to upstream 3.3.4
+- Install CA anchor into standard location (#928478)
+- ipa-client-install part of ipa-server-install fails on reinstall (#1044994)
+- Remove mod_ssl workaround (RHEL bug #1029046)
+- Enable syncrepl plugin to support bind-dyndb-ldap 4.0
+
* Fri Jan 3 2014 Martin Kosek <mkosek at redhat.com> - 3.3.3-5
- Build crashed with rhino exception on s390 architectures (#1040576)
diff --git a/sources b/sources
index 39e8e00..b6a1d95 100644
--- a/sources
+++ b/sources
@@ -1 +1 @@
-ba4546b837c5129524e2d1020986400f freeipa-3.3.3.tar.gz
+2ad49c60abada8a328ddd825481d9e9c freeipa-3.3.4.tar.gz