pvoborni pushed to freeipa (f22). "replace mod_auth-kerb with mod_auth_gssapi"
notifications at fedoraproject.org
notifications at fedoraproject.org
Mon Mar 30 15:12:36 UTC 2015
>From 55ca0a4c2491ff06bf1b6293ab54492385b5111b Mon Sep 17 00:00:00 2001
From: Petr Vobornik <pvoborni at redhat.com>
Date: Mon, 30 Mar 2015 15:50:37 +0200
Subject: replace mod_auth-kerb with mod_auth_gssapi
diff --git a/0002-Make-lint-work-on-Fedora-22.patch b/0002-Make-lint-work-on-Fedora-22.patch
new file mode 100644
index 0000000..c91ddbc
--- /dev/null
+++ b/0002-Make-lint-work-on-Fedora-22.patch
@@ -0,0 +1,78 @@
+From a0ffcd6f8ba610c20808a2f863d384b7631c64ac Mon Sep 17 00:00:00 2001
+From: David Kupka <dkupka at redhat.com>
+Date: Fri, 27 Mar 2015 07:14:27 -0400
+Subject: [PATCH] Make lint work on Fedora 22.
+
+pylint added 'confidence' parameter to 'add_message' method of PyLinter.
+To be compatible with both, pre- and post- 1.4 IPALinter must accept
+the parameter but not pass it over.
+Also python3 checker was added and enabled by default. FreeIPA is still
+not ready for python3.
+Additionally few false-positives was marked.
+---
+ ipalib/plugins/otptoken.py | 1 +
+ ipapython/dnssec/ldapkeydb.py | 1 +
+ ipaserver/install/ipa_otptoken_import.py | 1 +
+ make-lint | 3 ++-
+ 4 files changed, 5 insertions(+), 1 deletion(-)
+
+diff --git a/ipalib/plugins/otptoken.py b/ipalib/plugins/otptoken.py
+index b87145df80a3be9b16d596dd4072129c2290f40a..867659ec2a867b2dba79922a4e98b7b6254e81bf 100644
+--- a/ipalib/plugins/otptoken.py
++++ b/ipalib/plugins/otptoken.py
+@@ -547,6 +547,7 @@ class otptoken_sync(Local):
+ query = urllib.urlencode(query)
+
+ # Sync the token.
++ # pylint: disable=E1101
+ handler = HTTPSHandler(ca_certs=os.path.join(self.api.env.confdir, 'ca.crt'),
+ cert_reqs=ssl.CERT_REQUIRED,
+ ssl_version=ssl.PROTOCOL_TLSv1)
+diff --git a/ipapython/dnssec/ldapkeydb.py b/ipapython/dnssec/ldapkeydb.py
+index 71c0a95a39b1b460178d0b853ed26bf2cfe5bda1..520b510707d432d2e432c55ca25f2a872d832348 100644
+--- a/ipapython/dnssec/ldapkeydb.py
++++ b/ipapython/dnssec/ldapkeydb.py
+@@ -23,6 +23,7 @@ def uri_escape(val):
+ assert len(val) > 0, "zero-length URI component detected"
+ hexval = hexlify(val)
+ out = '%'
++ # pylint: disable=E1127
+ out += '%'.join(hexval[i:i+2] for i in range(0, len(hexval), 2))
+ return out
+
+diff --git a/ipaserver/install/ipa_otptoken_import.py b/ipaserver/install/ipa_otptoken_import.py
+index b78aba93a2edc987450d921c87ea4f61b014b419..c6a69c9975cc113c10d0dee669f9db619422a9d3 100644
+--- a/ipaserver/install/ipa_otptoken_import.py
++++ b/ipaserver/install/ipa_otptoken_import.py
+@@ -60,6 +60,7 @@ def convertDate(value):
+
+ dt = dateutil.parser.parse(value)
+
++ # pylint: disable=E1101
+ if dt.tzinfo is None:
+ dt = datetime.datetime(*dt.timetuple()[0:6],
+ tzinfo=dateutil.tz.tzlocal())
+diff --git a/make-lint b/make-lint
+index bd0eb4d75c50c794dbd40444ab035df5a5153d6c..8016d1c3554944d7799aefe0242f4f844e76e32c 100755
+--- a/make-lint
++++ b/make-lint
+@@ -143,7 +143,7 @@ class IPALinter(PyLinter):
+ return
+ super(IPALinter, self).register_checker(checker)
+
+- def add_message(self, msg_id, line=None, node=None, args=None):
++ def add_message(self, msg_id, line=None, node=None, args=None, confidence=None):
+ if line is None and node is not None:
+ line = node.fromlineno
+
+@@ -235,6 +235,7 @@ def main():
+ '{path}:{line}: [{msg_id}({symbol}), {obj}] {msg})')
+ linter.set_option('reports', False)
+ linter.set_option('persistent', False)
++ linter.set_option('disable', 'python3')
+
+ linter.check(files)
+
+--
+2.1.0
+
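Review bot: The three added `# pylint: disable=...` comments in the embedded patch sit on lines of their own, and pylint applies a standalone disable pragma from that line to the end of the enclosing block, not only to the next statement. In `otptoken_sync`, `uri_escape` and `convertDate` this silences E1101/E1127 for everything that follows in the function, so a later genuine no-member error would go unreported; that matters most in otptoken.py, where the suppressed statement builds the certificate-verifying HTTPS handler. I would put the pragma on the flagged line itself, e.g. `out += '%'.join(...)  # pylint: disable=E1127`, or close the region with `# pylint: enable=E1101` right after the statement. The enclosing functions continue outside the inner hunks, so how much code ends up unchecked cannot be seen here.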
diff --git a/0002-Timeout-when-performing-time-sync-during-client-inst.patch b/0002-Timeout-when-performing-time-sync-during-client-inst.patch
deleted file mode 100644
index 82fa470..0000000
--- a/0002-Timeout-when-performing-time-sync-during-client-inst.patch
+++ /dev/null
@@ -1,105 +0,0 @@
->From 8c6aaa8a9b2829f9cfff402dc65f2b5a9a93813b Mon Sep 17 00:00:00 2001
-From: Nathan Kinder <nkinder at redhat.com>
-Date: Wed, 25 Feb 2015 15:19:47 -0800
-Subject: [PATCH 2/2] Timeout when performing time sync during client install
-
-We use ntpd now to sync time before fetching a TGT during client
-install. Unfortuantely, ntpd will hang forever if it is unable to
-reach the NTP server.
-
-This patch adds the ability for commands run via ipautil.run() to
-have an optional timeout. This capability is used by the NTP sync
-code that is run during ipa-client-install.
-
-Ticket: https://fedorahosted.org/freeipa/ticket/4842
----
- ipa-client/ipaclient/ntpconf.py | 8 +++++++-
- ipaplatform/base/paths.py | 1 +
- ipapython/ipautil.py | 12 +++++++++++-
- 3 files changed, 19 insertions(+), 2 deletions(-)
-
-diff --git a/ipa-client/ipaclient/ntpconf.py b/ipa-client/ipaclient/ntpconf.py
-index e1ac55a..99e43a6 100644
---- a/ipa-client/ipaclient/ntpconf.py
-+++ b/ipa-client/ipaclient/ntpconf.py
-@@ -18,6 +18,7 @@
- #
-
- from ipapython import ipautil
-+from ipapython.ipa_log_manager import root_logger
- import shutil
- import os
- from ipaplatform.tasks import tasks
-@@ -149,7 +150,12 @@ def synconce_ntp(server_fqdn):
-
- tmp_ntp_conf = ipautil.write_tmp_file('server %s' % server_fqdn)
- try:
-- ipautil.run([ntpd, '-qgc', tmp_ntp_conf.name])
-+ # The ntpd command will never exit if it is unable to reach the
-+ # server, so timeout after 15 seconds.
-+ timeout = 15
-+ root_logger.info('Attempting to sync time using ntpd. '
-+ 'Will timeout after %s seconds' % timeout)
-+ ipautil.run([ntpd, '-qgc', tmp_ntp_conf.name], timeout=timeout)
- return True
- except ipautil.CalledProcessError:
- return False
-diff --git a/ipaplatform/base/paths.py b/ipaplatform/base/paths.py
-index 7922e3b..11c7e92 100644
---- a/ipaplatform/base/paths.py
-+++ b/ipaplatform/base/paths.py
-@@ -186,6 +186,7 @@ class BasePathNamespace(object):
- SSLGET = "/usr/bin/sslget"
- SSS_SSH_AUTHORIZEDKEYS = "/usr/bin/sss_ssh_authorizedkeys"
- SSS_SSH_KNOWNHOSTSPROXY = "/usr/bin/sss_ssh_knownhostsproxy"
-+ BIN_TIMEOUT = "/usr/bin/timeout"
- UPDATE_CA_TRUST = "/usr/bin/update-ca-trust"
- BIN_WGET = "/usr/bin/wget"
- ZIP = "/usr/bin/zip"
-diff --git a/ipapython/ipautil.py b/ipapython/ipautil.py
-index 4116d97..6a06a8e 100644
---- a/ipapython/ipautil.py
-+++ b/ipapython/ipautil.py
-@@ -249,7 +249,7 @@ def shell_quote(string):
-
- def run(args, stdin=None, raiseonerr=True,
- nolog=(), env=None, capture_output=True, skip_output=False, cwd=None,
-- runas=None):
-+ runas=None, timeout=None):
- """
- Execute a command and return stdin, stdout and the process return code.
-
-@@ -277,6 +277,8 @@ def run(args, stdin=None, raiseonerr=True,
- :param cwd: Current working directory
- :param runas: Name of a user that the command shold be run as. The spawned
- process will have both real and effective UID and GID set.
-+ :param timeout: Timeout if the command hasn't returned within the specified
-+ number of seconds.
- """
- p_in = None
- p_out = None
-@@ -302,6 +304,11 @@ def run(args, stdin=None, raiseonerr=True,
- p_out = subprocess.PIPE
- p_err = subprocess.PIPE
-
-+ if timeout:
-+ # If a timeout was provided, use the timeout command
-+ # to execute the requested command.
-+ args[0:0] = [paths.BIN_TIMEOUT, str(timeout)]
-+
- arg_string = nolog_replace(' '.join(shell_quote(a) for a in args), nolog)
- root_logger.debug('Starting external process')
- root_logger.debug('args=%s' % arg_string)
-@@ -332,6 +339,9 @@ def run(args, stdin=None, raiseonerr=True,
- if skip_output:
- p_out.close() # pylint: disable=E1103
-
-+ if timeout and p.returncode == 124:
-+ root_logger.debug('Process did not complete before timeout')
-+
- root_logger.debug('Process finished, return code=%s', p.returncode)
-
- # The command and its output may include passwords that we don't want
---
-1.9.3
-
diff --git a/0003-Remove-unused-part-of-ipa.conf.patch b/0003-Remove-unused-part-of-ipa.conf.patch
new file mode 100644
index 0000000..89d10f2
--- /dev/null
+++ b/0003-Remove-unused-part-of-ipa.conf.patch
@@ -0,0 +1,40 @@
+From 206de2b2b8f46f4c41f7df39c952e445329b9170 Mon Sep 17 00:00:00 2001
+From: David Kupka <dkupka at redhat.com>
+Date: Mon, 30 Mar 2015 04:11:19 -0400
+Subject: [PATCH 1/3] Remove unused part of ipa.conf.
+
+Separate configuration of '/var/www/cgi-bin' is no longer needed legacy from
+IPA 1.0.
+---
+ install/conf/ipa.conf | 15 ---------------
+ 1 file changed, 15 deletions(-)
+
+diff --git a/install/conf/ipa.conf b/install/conf/ipa.conf
+index 7eede73efc559967925d2bbfeee54e1e2efd3e21..62ee955ecfe0be78a3bd377e5aa35a335681621f 100644
+--- a/install/conf/ipa.conf
++++ b/install/conf/ipa.conf
+@@ -174,21 +174,6 @@ Alias /ipa/wsgi "/usr/share/ipa/wsgi"
+ AddHandler wsgi-script .py
+ </Directory>
+
+-# Protect our CGIs
+-<Directory /var/www/cgi-bin>
+- AuthType Kerberos
+- AuthName "Kerberos Login"
+- KrbMethodNegotiate on
+- KrbMethodK5Passwd off
+- KrbServiceName HTTP
+- KrbAuthRealms $REALM
+- Krb5KeyTab /etc/httpd/conf/ipa.keytab
+- KrbSaveCredentials on
+- Require valid-user
+- ErrorDocument 401 /ipa/errors/unauthorized.html
+-</Directory>
+-
+-
+ # migration related pages
+ Alias /ipa/migration "/usr/share/ipa/migration"
+ <Directory "/usr/share/ipa/migration">
+--
+2.3.4
+
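Review bot: Dropping the `<Directory /var/www/cgi-bin>` block also drops `Require valid-user` for that directory, and the patch description gives only "no longer needed" as the reason. If httpd's stock `ScriptAlias /cgi-bin/` is still active on an IPA server, any script present under that path would be served without Kerberos authentication after this change. I would state in the commit message that the package installs nothing there, or keep an explicit `Require all denied` for the directory. Whether such scripts exist cannot be determined from this hunk.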
diff --git a/0004-Use-mod_auth_gssapi-instead-of-mod_auth_kerb.patch b/0004-Use-mod_auth_gssapi-instead-of-mod_auth_kerb.patch
new file mode 100644
index 0000000..dc9e998
--- /dev/null
+++ b/0004-Use-mod_auth_gssapi-instead-of-mod_auth_kerb.patch
@@ -0,0 +1,184 @@
+From d7a856097039b37e77a59aad66d6cdedc3eb6aee Mon Sep 17 00:00:00 2001
+From: David Kupka <dkupka at redhat.com>
+Date: Mon, 30 Mar 2015 04:17:55 -0400
+Subject: [PATCH 2/3] Use mod_auth_gssapi instead of mod_auth_kerb.
+
+https://fedorahosted.org/freeipa/ticket/4190
+---
+ freeipa.spec.in | 4 +++-
+ init/systemd/ipa.conf.tmpfiles | 1 +
+ install/conf/ipa.conf | 16 +++++-----------
+ ipalib/session.py | 20 ++++++++++----------
+ ipaserver/rpcserver.py | 2 +-
+ 5 files changed, 20 insertions(+), 23 deletions(-)
+
+diff --git a/freeipa.spec.in b/freeipa.spec.in
+index 546f3473c5ac8885c6df128b2e3793d76795e85b..8d58f2568e1de418c25cb1bd34fc7d4736a15e54 100644
+--- a/freeipa.spec.in
++++ b/freeipa.spec.in
+@@ -118,7 +118,7 @@ Requires: cyrus-sasl-gssapi%{?_isa}
+ Requires: ntp
+ Requires: httpd >= 2.4.6-6
+ Requires: mod_wsgi
+-Requires: mod_auth_kerb >= 5.4-16
++Requires: mod_auth_gssapi >= 1.1.0-2
+ Requires: mod_nss >= 1.0.8-26
+ Requires: python-ldap >= 2.4.15
+ Requires: python-krbV
+@@ -463,6 +463,7 @@ install -m 0644 init/systemd/ipa.conf.tmpfiles %{buildroot}%{_tmpfilesdir}/%{nam
+ mkdir -p %{buildroot}%{_localstatedir}/run/
+ install -d -m 0700 %{buildroot}%{_localstatedir}/run/ipa_memcached/
+ install -d -m 0700 %{buildroot}%{_localstatedir}/run/ipa/
++install -d -m 0700 %{buildroot}%{_localstatedir}/run/httpd/clientcaches
+
+ mkdir -p %{buildroot}%{_libdir}/krb5/plugins/libkrb5
+ touch %{buildroot}%{_libdir}/krb5/plugins/libkrb5/winbind_krb5_locator.so
+@@ -680,6 +681,7 @@ fi
+ %config(noreplace) %{_sysconfdir}/sysconfig/ipa-ods-exporter
+ %dir %attr(0700,apache,apache) %{_localstatedir}/run/ipa_memcached/
+ %dir %attr(0700,root,root) %{_localstatedir}/run/ipa/
++%dir %attr(0700,apache,apache) %{_localstatedir}/run/httpd/clientcaches/
+ # NOTE: systemd specific section
+ %{_tmpfilesdir}/%{name}.conf
+ %attr(644,root,root) %{_unitdir}/ipa.service
+diff --git a/init/systemd/ipa.conf.tmpfiles b/init/systemd/ipa.conf.tmpfiles
+index 1e7a896ed8df00c97f2d092504e2a65960bb341d..b4503cc673f3407421cd194091f5373ba204a483 100644
+--- a/init/systemd/ipa.conf.tmpfiles
++++ b/init/systemd/ipa.conf.tmpfiles
+@@ -1,2 +1,3 @@
+ d /var/run/ipa_memcached 0700 apache apache
+ d /var/run/ipa 0700 root root
++d /var/run/httpd/clientcaches 0700 apache apache
+diff --git a/install/conf/ipa.conf b/install/conf/ipa.conf
+index 62ee955ecfe0be78a3bd377e5aa35a335681621f..871fab8248fcc1c3793ce71bdcb86720a7e31c61 100644
+--- a/install/conf/ipa.conf
++++ b/install/conf/ipa.conf
+@@ -3,7 +3,6 @@
+ #
+ # This file may be overwritten on upgrades.
+ #
+-# LoadModule auth_kerb_module modules/mod_auth_kerb.so
+
+ ProxyRequests Off
+
+@@ -61,19 +60,14 @@ WSGIScriptReloading Off
+ SetHandler None
+ </Location>
+
+-KrbConstrainedDelegationLock ipa
+-
+ # Protect /ipa and everything below it in webspace with Apache Kerberos auth
+ <Location "/ipa">
+- AuthType Kerberos
++ AuthType GSSAPI
+ AuthName "Kerberos Login"
+- KrbMethodNegotiate on
+- KrbMethodK5Passwd off
+- KrbServiceName HTTP
+- KrbAuthRealms $REALM
+- Krb5KeyTab /etc/httpd/conf/ipa.keytab
+- KrbSaveCredentials on
+- KrbConstrainedDelegation on
++ GssapiCredStore keytab:/etc/httpd/conf/ipa.keytab
++ GssapiCredStore client_keytab:/etc/httpd/conf/ipa.keytab
++ GssapiDelegCcacheDir /var/run/httpd/clientcaches
++ GssapiUseS4U2Proxy on
+ Require valid-user
+ ErrorDocument 401 /ipa/errors/unauthorized.html
+ </Location>
+diff --git a/ipalib/session.py b/ipalib/session.py
+index ae40fdfe189b3bfd5f0437c04efaab73ac31f88a..2f732b333375c837b931c6b16ccfc535e11d7e4c 100644
+--- a/ipalib/session.py
++++ b/ipalib/session.py
+@@ -484,7 +484,7 @@ improve authentication performance. First some definitions.
+ There are 4 major players:
+
+ 1. client
+- 2. mod_auth_kerb (in Apache process)
++ 2. mod_auth_gssapi (in Apache process)
+ 3. wsgi handler (in IPA wsgi python process)
+ 4. ds (directory server)
+
+@@ -506,12 +506,12 @@ This describes how things work in our current system for the web UI.
+
+ 2. Client sends post to /ipa/json.
+
+- 3. mod_auth_kerb is configured to protect /ipa/json, replies 401
++ 3. mod_auth_gssapi is configured to protect /ipa/json, replies 401
+ authenticate negotiate.
+
+ 4. Client resends with credentials
+
+- 5. mod_auth_kerb validates credentials
++ 5. mod_auth_gssapi validates credentials
+
+ a. if invalid replies 403 access denied (stops here)
+
+@@ -550,7 +550,7 @@ A few notes about the session implementation.
+ Changes to Apache's resource protection
+ ---------------------------------------
+
+- * /ipa/json is no longer protected by mod_auth_kerb. This is
++ * /ipa/json is no longer protected by mod_auth_gssapi. This is
+ necessary to avoid the negotiate expense in steps 3,4,5
+ above. Instead the /ipa/json resource will be protected in our wsgi
+ handler via the session cookie.
+@@ -583,15 +583,15 @@ The new sequence is:
+
+ 5. client sends request to /ipa/login to obtain session credentials
+
+- 6. mod_auth_kerb replies 401 negotiate on /ipa/login
++ 6. mod_auth_gssapi replies 401 negotiate on /ipa/login
+
+ 7. client sends credentials to /ipa/login
+
+- 8. mod_auth_kerb validates credentials
++ 8. mod_auth_gssapi validates credentials
+
+ a. if valid
+
+- - mod_auth_kerb permits access to /ipa/login. wsgi handler is
++ - mod_auth_gssapi permits access to /ipa/login. wsgi handler is
+ invoked and does the following:
+
+ * establishes session for client
+@@ -600,7 +600,7 @@ The new sequence is:
+
+ a. if invalid
+
+- - mod_auth_kerb sends 403 access denied (processing stops)
++ - mod_auth_gssapi sends 403 access denied (processing stops)
+
+ 9. client now posts the same data again to /ipa/json including
+ session cookie. Processing repeats starting at step 2 and since
+@@ -617,12 +617,12 @@ and xmlrpc API's are the same, they differ only on how their procedure
+ calls are marshalled and unmarshalled.
+
+ Under the new scheme /ipa/xml will continue to be Kerberos protected
+-at all times. Apache's mod_auth_kerb will continue to require the
++at all times. Apache's mod_auth_gssapi will continue to require the
+ client provides valid Kerberos credentials.
+
+ When the WSGI handler routes to /ipa/xml the Kerberos credentials will
+ be extracted from the KRB5CCNAME environment variable as provided by
+-mod_auth_kerb. Everything else remains the same.
++mod_auth_gssapi. Everything else remains the same.
+
+ '''
+
+diff --git a/ipaserver/rpcserver.py b/ipaserver/rpcserver.py
+index d6bc955b9d9910a24eec5df1def579310eb54786..4173ed918d2ce992aa79d18b2ac3338b35388918 100644
+--- a/ipaserver/rpcserver.py
++++ b/ipaserver/rpcserver.py
+@@ -858,7 +858,7 @@ class login_kerberos(Backend, KerberosSession, HTTP_Status):
+ def __call__(self, environ, start_response):
+ self.debug('WSGI login_kerberos.__call__:')
+
+- # Get the ccache created by mod_auth_kerb
++ # Get the ccache created by mod_auth_gssapi
+ user_ccache_name=environ.get('KRB5CCNAME')
+ if user_ccache_name is None:
+ return self.internal_error(environ, start_response,
+--
+2.3.4
+
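Review bot: The new `<Location "/ipa">` block has no counterpart for the removed `KrbAuthRealms $REALM`, so with `Require valid-user` any principal that mod_auth_gssapi can authenticate against the keytab is accepted at the Apache layer, whatever its realm. Presumably the WSGI handlers apply realm rules afterwards, but that is not visible in this patch; if so, a comment above the block such as `# Realm checks are done by the IPA WSGI handlers, not by httpd` would record the dependency. Separately, `GssapiUseS4U2Proxy on` together with `GssapiDelegCcacheDir /var/run/httpd/clientcaches` keeps delegated credentials on disk, and the added tmpfiles line `d /var/run/httpd/clientcaches 0700 apache apache` sets no age field. It is worth confirming that something removes stale ccaches from that directory.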
diff --git a/0005-Bump-ipa.conf-version-to-17.patch b/0005-Bump-ipa.conf-version-to-17.patch
new file mode 100644
index 0000000..7329417
--- /dev/null
+++ b/0005-Bump-ipa.conf-version-to-17.patch
@@ -0,0 +1,23 @@
+From 12f1eaf7feeb2ee3f50c2e90cffd0849a42a2c81 Mon Sep 17 00:00:00 2001
+From: David Kupka <dkupka at redhat.com>
+Date: Mon, 30 Mar 2015 04:18:11 -0400
+Subject: [PATCH 3/3] Bump ipa.conf version to 17.
+
+---
+ install/conf/ipa.conf | 2 +-
+ 1 file changed, 1 insertion(+), 1 deletion(-)
+
+diff --git a/install/conf/ipa.conf b/install/conf/ipa.conf
+index 871fab8248fcc1c3793ce71bdcb86720a7e31c61..92637c04d4f961a0b7f016fe125341c63f400285 100644
+--- a/install/conf/ipa.conf
++++ b/install/conf/ipa.conf
+@@ -1,5 +1,5 @@
+ #
+-# VERSION 16 - DO NOT REMOVE THIS LINE
++# VERSION 17 - DO NOT REMOVE THIS LINE
+ #
+ # This file may be overwritten on upgrades.
+ #
+--
+2.3.4
+
diff --git a/freeipa.spec b/freeipa.spec
index ac2e9ae..e1e21e9 100644
--- a/freeipa.spec
+++ b/freeipa.spec
@@ -25,7 +25,7 @@
Name: freeipa
Version: %{VERSION}
-Release: 1%{?dist}
+Release: 2%{?dist}
Summary: The Identity, Policy and Audit system
Group: System Environment/Base
@@ -35,6 +35,10 @@ Source0: http://www.freeipa.org/downloads/src/freeipa-%{VERSION}.tar.gz
BuildRoot: %{_tmppath}/%{name}-%{version}-%{release}-root-%(%{__id_u} -n)
Patch0001: 0001-Skip-time-sync-during-client-install-when-using-no-n.patch
+Patch0002: 0002-Make-lint-work-on-Fedora-22.patch
+Patch0003: 0003-Remove-unused-part-of-ipa.conf.patch
+Patch0004: 0004-Use-mod_auth_gssapi-instead-of-mod_auth_kerb.patch
+Patch0005: 0005-Bump-ipa.conf-version-to-17.patch
%if ! %{ONLY_CLIENT}
BuildRequires: 389-ds-base-devel >= 1.3.3.8
@@ -120,7 +124,7 @@ Requires: cyrus-sasl-gssapi%{?_isa}
Requires: ntp
Requires: httpd >= 2.4.6-6
Requires: mod_wsgi
-Requires: mod_auth_kerb >= 5.4-16
+Requires: mod_auth_gssapi >= 1.1.0-2
Requires: mod_nss >= 1.0.8-26
Requires: python-ldap >= 2.4.15
Requires: python-krbV
@@ -492,6 +496,7 @@ install -m 0644 init/systemd/ipa.conf.tmpfiles %{buildroot}%{_tmpfilesdir}/%{nam
mkdir -p %{buildroot}%{_localstatedir}/run/
install -d -m 0700 %{buildroot}%{_localstatedir}/run/ipa_memcached/
install -d -m 0700 %{buildroot}%{_localstatedir}/run/ipa/
+install -d -m 0700 %{buildroot}%{_localstatedir}/run/httpd/clientcaches
mkdir -p %{buildroot}%{_libdir}/krb5/plugins/libkrb5
touch %{buildroot}%{_libdir}/krb5/plugins/libkrb5/winbind_krb5_locator.so
@@ -708,6 +713,7 @@ fi
%config(noreplace) %{_sysconfdir}/sysconfig/ipa-ods-exporter
%dir %attr(0700,apache,apache) %{_localstatedir}/run/ipa_memcached/
%dir %attr(0700,root,root) %{_localstatedir}/run/ipa/
+%dir %attr(0700,apache,apache) %{_localstatedir}/run/httpd/clientcaches/
# NOTE: systemd specific section
%{_tmpfilesdir}/%{name}.conf
%attr(644,root,root) %{_unitdir}/ipa.service
@@ -941,6 +947,9 @@ fi
%endif # ONLY_CLIENT
%changelog
+* Mon Mar 30 2015 Petr Vobornik <pvoborni at redhat.com> - 4.1.4-2
+- Replace mod_auth_kerb usage with mod_auth_gssapi
+
* Thu Mar 26 2015 Alexander Bokovoy <abokovoy at redhat.com> - 4.1.4-1
- Update to upstream 4.1.4 - see http://www.freeipa.org/page/Releases/4.1.4
- fix CVE-2015-1827 (#1206047)
--
cgit v0.10.2
http://pkgs.fedoraproject.org/cgit/freeipa.git/commit/?h=f22&id=55ca0a4c2491ff06bf1b6293ab54492385b5111b