[freeipa] 3.3.4-3 - Move ipa-otpd socket directory to /var/run/krb5kdc - Require krb5-server 1.11.5-3 supporti
Martin Kosek
mkosek at fedoraproject.org
Tue Feb 11 17:06:51 UTC 2014
commit 9ea7eb2ddf6b50df0bd48d87223f63e806a12fda
Author: Martin Kosek <mkosek at redhat.com>
Date: Tue Feb 11 18:05:03 2014 +0100
3.3.4-3
- Move ipa-otpd socket directory to /var/run/krb5kdc
- Require krb5-server 1.11.5-3 supporting the new directory
- ipa_lockout plugin did not work with users without krbPwdPolicyReference
...ck-to-global-policy-in-ipa-lockout-plugin.patch | 108 ++++++++++++++++++++
...-do-not-fail-when-default-realm-cannot-be.patch | 66 ++++++++++++
0012-Move-ipa-otpd-socket-directory.patch | 84 +++++++++++++++
freeipa.spec | 12 ++-
4 files changed, 268 insertions(+), 2 deletions(-)
---
diff --git a/0010-Fallback-to-global-policy-in-ipa-lockout-plugin.patch b/0010-Fallback-to-global-policy-in-ipa-lockout-plugin.patch
new file mode 100644
index 0000000..a1b60b0
--- /dev/null
+++ b/0010-Fallback-to-global-policy-in-ipa-lockout-plugin.patch
@@ -0,0 +1,108 @@
+From 11ebbe3f27fdf18e2578b533eb2560e9f88eeede Mon Sep 17 00:00:00 2001
+From: Martin Kosek <mkosek at redhat.com>
+Date: Thu, 30 Jan 2014 16:58:25 +0100
+Subject: [PATCH 10/11] Fallback to global policy in ipa-lockout plugin
+
+krbPwdPolicyReference is no longer filled default users. Instead, plugins
+fallback to hardcoded global policy reference.
+
+Fix ipa-lockout plugin to fallback to it instead of failing to apply
+the policy.
+
+https://fedorahosted.org/freeipa/ticket/4085
+---
+ .../ipa-slapi-plugins/ipa-lockout/ipa_lockout.c | 34 ++++++++++++++++++++++
+ 1 file changed, 34 insertions(+)
+
+diff --git a/daemons/ipa-slapi-plugins/ipa-lockout/ipa_lockout.c b/daemons/ipa-slapi-plugins/ipa-lockout/ipa_lockout.c
+index fd6602fdee9b2fd95c154fd512fcba4f37e56bad..5a24359d319aaea28773daa01d268d2d46583270 100644
+--- a/daemons/ipa-slapi-plugins/ipa-lockout/ipa_lockout.c
++++ b/daemons/ipa-slapi-plugins/ipa-lockout/ipa_lockout.c
+@@ -49,6 +49,7 @@
+ #include <time.h>
+ #include "slapi-plugin.h"
+ #include "nspr.h"
++#include <krb5.h>
+
+ #include "util.h"
+
+@@ -81,6 +82,8 @@ static int g_plugin_started = 0;
+
+ static struct ipa_context *global_ipactx = NULL;
+
++static char *ipa_global_policy = NULL;
++
+ #define GENERALIZED_TIME_LENGTH 15
+
+ /**
+@@ -142,8 +145,11 @@ ipalockout_get_global_config(struct ipa_context *ipactx)
+ Slapi_Attr *attr = NULL;
+ char *dn = NULL;
+ char *basedn = NULL;
++ char *realm = NULL;
+ Slapi_DN *sdn;
+ Slapi_Entry *config_entry;
++ krb5_context krbctx = NULL;
++ krb5_error_code krberr;
+ int ret;
+
+ /* Get cn=config so we can get the default naming context */
+@@ -167,6 +173,28 @@ ipalockout_get_global_config(struct ipa_context *ipactx)
+ goto done;
+ }
+
++ krberr = krb5_init_context(&krbctx);
++ if (krberr) {
++ LOG_FATAL("krb5_init_context failed (%d)\n", krberr);
++ ret = LDAP_OPERATIONS_ERROR;
++ goto done;
++ }
++
++ krberr = krb5_get_default_realm(krbctx, &realm);
++ if (krberr) {
++ LOG_FATAL("Failed to get default realm (%d)\n", krberr);
++ ret = LDAP_OPERATIONS_ERROR;
++ goto done;
++ }
++
++ ipa_global_policy = slapi_ch_smprintf("cn=global_policy,cn=%s,cn=kerberos,%s",
++ realm, basedn);
++ if (!ipa_global_policy) {
++ LOG_OOM();
++ ret = LDAP_OPERATIONS_ERROR;
++ goto done;
++ }
++
+ ret = asprintf(&dn, "cn=ipaConfig,cn=etc,%s", basedn);
+ if (ret == -1) {
+ LOG_OOM();
+@@ -221,6 +249,8 @@ ipalockout_get_global_config(struct ipa_context *ipactx)
+ done:
+ if (config_entry)
+ slapi_entry_free(config_entry);
++ free(realm);
++ krb5_free_context(krbctx);
+ free(dn);
+ free(basedn);
+ return ret;
+@@ -248,6 +278,8 @@ int ipalockout_getpolicy(Slapi_Entry *target_entry, Slapi_Entry **policy_entry,
+ slapi_valueset_first_value(*values, &sv);
+ *policy_dn = slapi_value_get_string(sv);
+ }
++ } else {
++ *policy_dn = ipa_global_policy;
+ }
+
+ if (*policy_dn == NULL) {
+@@ -376,6 +408,8 @@ ipalockout_close(Slapi_PBlock * pb)
+ {
+ LOG_TRACE( "--in-->\n");
+
++ slapi_ch_free_string(&ipa_global_policy);
++
+ LOG_TRACE("<--out--\n");
+
+ return EOK;
+--
+1.8.5.3
+
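Review bot: In the new cleanup of `ipalockout_get_global_config`, the realm obtained from `krb5_get_default_realm` is released with `free(realm)`, whereas the krb5 API pairs that call with `krb5_free_default_realm(krbctx, realm)`, the only release that is guaranteed to match the library's allocator; the lines under review are the added patch file's own hunks, and the function is only partly visible in them. `ipa_global_policy` is assigned without releasing any earlier value, so if `ipalockout_get_global_config` can run more than once per plugin lifetime the previous string leaks — either a `slapi_ch_free_string(&ipa_global_policy);` before the `slapi_ch_smprintf` call or a comment stating it runs exactly once. In `ipalockout_getpolicy`, `*policy_dn = ipa_global_policy;` hands out a borrowed pointer to file-scope storage; a comment such as `/* borrowed: owned by the plugin, freed in ipalockout_close; callers must not free */` would keep a future caller from freeing it.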
diff --git a/0011-ipa-lockout-do-not-fail-when-default-realm-cannot-be.patch b/0011-ipa-lockout-do-not-fail-when-default-realm-cannot-be.patch
new file mode 100644
index 0000000..91b29e6
--- /dev/null
+++ b/0011-ipa-lockout-do-not-fail-when-default-realm-cannot-be.patch
@@ -0,0 +1,66 @@
+From 43070359eb267c3eb3b290f5f601e9509a63389f Mon Sep 17 00:00:00 2001
+From: Martin Kosek <mkosek at redhat.com>
+Date: Tue, 4 Feb 2014 11:02:34 +0100
+Subject: [PATCH 11/11] ipa-lockout: do not fail when default realm cannot be
+ read
+
+When ipa-lockout plugin is started during FreeIPA server installation,
+the default realm may not be available and plugin should then not end
+with failure.
+
+Similarly to other plugins, start in degraded mode in this situation.
+Operation is fully restored during the final services restart.
+
+https://fedorahosted.org/freeipa/ticket/4085
+---
+ .../ipa-slapi-plugins/ipa-lockout/ipa_lockout.c | 34 +++++++++++-----------
+ 1 file changed, 17 insertions(+), 17 deletions(-)
+
+diff --git a/daemons/ipa-slapi-plugins/ipa-lockout/ipa_lockout.c b/daemons/ipa-slapi-plugins/ipa-lockout/ipa_lockout.c
+index 5a24359d319aaea28773daa01d268d2d46583270..265c2701c36fe78486a2bdd4a66366b0b05472a0 100644
+--- a/daemons/ipa-slapi-plugins/ipa-lockout/ipa_lockout.c
++++ b/daemons/ipa-slapi-plugins/ipa-lockout/ipa_lockout.c
+@@ -176,23 +176,23 @@ ipalockout_get_global_config(struct ipa_context *ipactx)
+ krberr = krb5_init_context(&krbctx);
+ if (krberr) {
+ LOG_FATAL("krb5_init_context failed (%d)\n", krberr);
+- ret = LDAP_OPERATIONS_ERROR;
+- goto done;
+- }
+-
+- krberr = krb5_get_default_realm(krbctx, &realm);
+- if (krberr) {
+- LOG_FATAL("Failed to get default realm (%d)\n", krberr);
+- ret = LDAP_OPERATIONS_ERROR;
+- goto done;
+- }
+-
+- ipa_global_policy = slapi_ch_smprintf("cn=global_policy,cn=%s,cn=kerberos,%s",
+- realm, basedn);
+- if (!ipa_global_policy) {
+- LOG_OOM();
+- ret = LDAP_OPERATIONS_ERROR;
+- goto done;
++ /* Yes, we failed, but it is because /etc/krb5.conf doesn't exist
++ * or is misconfigured. Start up in a degraded mode.
++ */
++ } else {
++ krberr = krb5_get_default_realm(krbctx, &realm);
++ if (krberr) {
++ LOG_FATAL("Failed to get default realm (%d)\n", krberr);
++ } else {
++ ipa_global_policy =
++ slapi_ch_smprintf("cn=global_policy,cn=%s,cn=kerberos,%s",
++ realm, basedn);
++ if (!ipa_global_policy) {
++ LOG_OOM();
++ ret = LDAP_OPERATIONS_ERROR;
++ goto done;
++ }
++ }
+ }
+
+ ret = asprintf(&dn, "cn=ipaConfig,cn=etc,%s", basedn);
+--
+1.8.5.3
+
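Review bot: After this change a `krb5_init_context` or `krb5_get_default_realm` failure leaves `ipa_global_policy` NULL, and per the previous patch `ipalockout_getpolicy` then takes its `*policy_dn == NULL` path (whose body is outside the hunk) for every user without `krbPwdPolicyReference` until the plugin is restarted, yet the log lines still say FATAL without stating that consequence. I would make the message name the degraded state explicitly, e.g. `LOG_FATAL("krb5_init_context failed (%d); starting in degraded mode, global lockout policy unavailable until restart\n", krberr);` and the same for the realm failure, so an operator reading the log knows enforcement for those users depends on the restart. On the first failure the `done:` label added by the previous patch runs `krb5_free_context(krbctx)` with krbctx still NULL; if that relies on the library tolerating a NULL context, a one-line comment there saying so would save the next reader a lookup. The enclosing function continues outside this hunk.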
diff --git a/0012-Move-ipa-otpd-socket-directory.patch b/0012-Move-ipa-otpd-socket-directory.patch
new file mode 100644
index 0000000..cec590c
--- /dev/null
+++ b/0012-Move-ipa-otpd-socket-directory.patch
@@ -0,0 +1,84 @@
+From 6c500ccf05103566ca888bc8d67187ab81621328 Mon Sep 17 00:00:00 2001
+From: Nathaniel McCallum <npmccallum at redhat.com>
+Date: Fri, 7 Feb 2014 11:56:33 -0500
+Subject: [PATCH] Move ipa-otpd socket directory
+
+https://fedorahosted.org/freeipa/ticket/4167
+Reviewed-By: Martin Kosek <mkosek at redhat.com>
+---
+ daemons/configure.ac | 6 +++---
+ daemons/ipa-otpd/Makefile.am | 2 +-
+ daemons/ipa-otpd/ipa-otpd.socket.in | 4 ++--
+ freeipa.spec.in | 2 +-
+ 4 files changed, 7 insertions(+), 7 deletions(-)
+
+diff --git a/daemons/configure.ac b/daemons/configure.ac
+index e57dad27614f268d3e5bbafc99b739a5cfa2589b..5646c3873beee996999e4f1d87aea653f4b5dd1b 100644
+--- a/daemons/configure.ac
++++ b/daemons/configure.ac
+@@ -60,10 +60,10 @@ AC_CHECK_LIB(k5crypto, main, [krb5crypto=k5crypto], [krb5crypto=crypto])
+ AC_CHECK_LIB(krad, main, [], [AC_MSG_ERROR([libkrad not found])])
+ KRB5_LIBS="-lkrb5 -l$krb5crypto -lcom_err"
+ KRAD_LIBS="-lkrad"
+-krb5kdcdir="${localstatedir}/kerberos/krb5kdc"
++krb5rundir="${localstatedir}/run/krb5kdc"
+ AC_SUBST(KRB5_LIBS)
+ AC_SUBST(KRAD_LIBS)
+-AC_SUBST(krb5kdcdir)
++AC_SUBST(krb5rundir)
+
+ dnl ---------------------------------------------------------------------------
+ dnl - Check for Mozilla LDAP and OpenLDAP SDK
+@@ -337,7 +337,7 @@ echo "
+ sysconfdir: ${sysconfdir}
+ localstatedir: ${localstatedir}
+ datadir: ${datadir}
+- krb5kdcdir: ${krb5kdcdir}
++ krb5rundir: ${krb5rundir}
+ systemdsystemunitdir: ${systemdsystemunitdir}
+ source code location: ${srcdir}
+ compiler: ${CC}
+diff --git a/daemons/ipa-otpd/Makefile.am b/daemons/ipa-otpd/Makefile.am
+index af82a5fe08856573d2d245608ba1dbaad171c7fe..83921748426d801e1edeec23f956689be5fe98b5 100644
+--- a/daemons/ipa-otpd/Makefile.am
++++ b/daemons/ipa-otpd/Makefile.am
+@@ -9,7 +9,7 @@ systemdsystemunit_DATA = ipa-otpd.socket ipa-otpd at .service
+ ipa_otpd_SOURCES = bind.c forward.c main.c parse.c query.c queue.c stdio.c
+
+ %.socket: %.socket.in
+- @sed -e 's|@krb5kdcdir[@]|$(krb5kdcdir)|g' \
++ @sed -e 's|@krb5rundir[@]|$(krb5rundir)|g' \
+ -e 's|@UNLINK[@]|@UNLINK@|g' \
+ $< > $@
+
+diff --git a/daemons/ipa-otpd/ipa-otpd.socket.in b/daemons/ipa-otpd/ipa-otpd.socket.in
+index b968beaa7b9e68c43b2c5386b62c096fa8b97764..ce3596d9f01b26e3e8bd63f447f85a486c8e0dff 100644
+--- a/daemons/ipa-otpd/ipa-otpd.socket.in
++++ b/daemons/ipa-otpd/ipa-otpd.socket.in
+@@ -2,8 +2,8 @@
+ Description=ipa-otpd socket
+
+ [Socket]
+-ListenStream=@krb5kdcdir@/DEFAULT.socket
+-ExecStopPre=@UNLINK@ @krb5kdcdir@/DEFAULT.socket
++ListenStream=@krb5rundir@/DEFAULT.socket
++ExecStopPre=@UNLINK@ @krb5rundir@/DEFAULT.socket
+ SocketMode=0600
+ Accept=true
+
+diff --git a/freeipa.spec.in b/freeipa.spec.in
+index c28928c1c5c2d20e2dfe6112750c70bfb0b55894..a908adfc2b2f1bef90c051c86dcd1fdecb61daa4 100644
+--- a/freeipa.spec.in
++++ b/freeipa.spec.in
+@@ -107,7 +107,7 @@ Requires: nss >= 3.14.3-12.0
+ Requires: nss-tools >= 3.14.3-12.0
+ %endif
+ %if 0%{?krb5_dal_version} >= 4
+-Requires: krb5-server >= 1.11.2-1
++Requires: krb5-server >= 1.11.5-3
+ %else
+ %if 0%{krb5_dal_version} == 3
+ # krb5 1.11 bumped DAL interface major version, a rebuild is needed
+--
+1.8.5.3
+
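Review bot: The unit now listens on `@krb5rundir@/DEFAULT.socket` under `${localstatedir}/run/krb5kdc`, but nothing in this patch creates that directory or records who owns and recreates it when `/var/run` is volatile; the only hint is the `krb5-server >= 1.11.5-3` bump in `freeipa.spec.in`, and `SocketMode=0600` protects only the socket node, so the directory's own mode decides who can reach it. A comment in `ipa-otpd.socket.in` next to `ListenStream=`, e.g. `# @krb5rundir@ is created and owned by krb5-server (>= 1.11.5-3); ipa-otpd does not create it`, would make that dependency visible to whoever next touches the unit or the packaging. The `Requires` bump sits only in the `%if 0%{?krb5_dal_version} >= 4` branch; the `%else` branch is outside the hunk, so it is worth confirming it does not need the same floor.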
diff --git a/freeipa.spec b/freeipa.spec
index 01090d8..86b94e8 100644
--- a/freeipa.spec
+++ b/freeipa.spec
@@ -12,7 +12,7 @@
Name: freeipa
Version: 3.3.4
-Release: 2%{?dist}
+Release: 3%{?dist}
Summary: The Identity, Policy and Audit system
Group: System Environment/Base
@@ -30,6 +30,9 @@ Patch0006: 0006-Enable-Retro-Changelog-and-Content-Synchronization-D.patch
Patch0007: 0007-Limit-memberOf-and-refInt-DS-plugins-to-main-IPA-suf.patch
Patch0008: 0008-Remove-working-directory-for-bind-dyndb-ldap-plugin.patch
Patch0009: 0009-Remove-mod_ssl-port-workaround.patch
+Patch0010: 0010-Fallback-to-global-policy-in-ipa-lockout-plugin.patch
+Patch0011: 0011-ipa-lockout-do-not-fail-when-default-realm-cannot-be.patch
+Patch0012: 0012-Move-ipa-otpd-socket-directory.patch
%if ! %{ONLY_CLIENT}
BuildRequires: 389-ds-base-devel >= 1.3.1.3
@@ -116,7 +119,7 @@ Requires: nss >= 3.14.3-12.0
Requires: nss-tools >= 3.14.3-12.0
%endif
%if 0%{?krb5_dal_version} >= 4
-Requires: krb5-server >= 1.11.2-1
+Requires: krb5-server >= 1.11.5-3
%else
%if 0%{krb5_dal_version} == 3
# krb5 1.11 bumped DAL interface major version, a rebuild is needed
@@ -925,6 +928,11 @@ fi
%endif # ONLY_CLIENT
%changelog
+* Tue Feb 11 2014 Martin Kosek <mkosek at redhat.com> - 3.3.4-3
+- Move ipa-otpd socket directory to /var/run/krb5kdc
+- Require krb5-server 1.11.5-3 supporting the new directory
+- ipa_lockout plugin did not work with users's without krbPwdPolicyReference
+
* Wed Jan 29 2014 Martin Kosek <mkosek at redhat.com> - 3.3.4-2
- Fix hardened build