websms/freeipa
1
0
Fork 0
Code Issues Pull Requests Projects Releases Wiki Activity

Imported Debian patch 4.0.5-6~numeezy

Browse Source
This commit is contained in:
Alexandre Ellert
2016-02-17 15:07:45 +01:00
committed by Mario Fetka
parent c44de33144
commit 10dfc9587b
1203 changed files with 53869 additions and 241462 deletions
Download Patch File Download Diff File Expand all files Collapse all files

5
debian/TODO vendored
View File

@@ -1,5 +0,0 @@
4.1 needs
- softhsm 2.x
- dnssec patch in bind9

3
debian/autoreconf vendored
View File

@@ -1,4 +1,3 @@
asn1
client
ipa-client
daemons
install

128
debian/changelog vendored
View File

@@ -1,130 +1,8 @@
freeipa (4.3.1-0ubuntu1) xenial; urgency=medium
freeipa (4.0.5-6~numeezy) jessie; urgency=medium
* Sync from Debian.
* Non-maintainer upload.
-- Timo Aaltonen <tjaalton@debian.org> Tue, 19 Apr 2016 00:15:05 +0300
freeipa (4.3.1-1) unstable; urgency=medium
* New upstream release. (Closes: #781607, #786411) (LP: #1449304)
- drop no-test-lang.diff, obsolete
* fix-match-hostname.diff, control: Drop the patch and python-openssl
deps, not needed anymore
* rules, platform, server.dirs, server.install:
Add support for DNSSEC.
* control, rules: Add support for kdcproxy.
* control, server: Migrate to mod-auth-gssapi.
* control, rules, fix-ipa-conf.diff: Add support for custodia.
* control:
- Add python-cryptography to build-deps and python-freeipa deps.
- Add libp11-kit-dev to build-deps, p11-kit to server deps.
- Depend on python-gssapi instead of python-kerberos/-krbV.
- Add libini-config-dev and python-dbus to build-deps, replace wget
with curl.
- Bump libkrb5-dev build-dep.
- Add pki-base to build-deps and pki-kra to server deps, bump pki-ca
version.
- Drop python-m2crypto from deps, obsolete.
- Bump sssd deps to 1.13.1.
- Add python-six to build-deps and python-freeipa deps.
- Split python stuff from server, client, tests to python-
ipa{server,client,tests}, rename python-freeipa to match and move
translations to freeipa-common. Mark them Arch:all where possible,
and add Breaks/Replaces.
- Add oddjob to server and oddjob-mkhomedir to client deps.
- Add python-setuptools to python-ipalib deps.
- Bump 389-ds-base* deps.
- Bump server and python-ipaserver dependency on python-ldap to 2.4.22
to fix a bug on ipa-server-upgrade.
- Add pki-tools to python-ipaserver deps.
- Add zip to python-ipaserver depends.
- Add python-systemd to server depends.
- Add opendnssec to freeipa-server-dns depends.
- Add python-cffi to python-ipalib depends.
- Bump dep on bind9-dyndb-ldap.
- Bump certmonger dependency to version that has helpers in the correct
place.
* patches:
- prefix.patch: Fix ipalib install too.
- Drop bits of platform.diff and other patches that are now upstream.
- fix-kdcproxy-paths.diff: Fix paths in kdcproxy configs.
- fix-oddjobs.diff: Fix paths and uids in oddjob configs.
- fix-replicainstall.diff: Use ldap instead of ldaps for conncheck.
- fix-dnssec-services.diff: Debianize ipa-dnskeysyncd & ipa-ods-
exporter units.
- create-sysconfig-ods.diff: Create an empty file for opendnssec
daemons, until opendnssec itself is fixed.
- purge-firefox-extension.diff: Clean obsolete kerberosauth.xpi.
- enable-mod-nss-during-setup.diff: Split from platform.diff, call
a2enmod/a2dismod from httpinstance.py.
- fix-memcached.diff: Split from platform.diff, debianize memcached
conf & unit.
- hack-libarch.diff: Don't use fedora libpaths.
* add-debian-platform.diff:
- Update paths.py to include all variables, comment out ones we don't
modify.
- Use systemwide certificate store; put ipa-ca.crt in
/usr/local/share/ca-certificates, and run update-ca-certificates
- Map smb service to smbd (LP: #1543230)
- Don't ship /var/cache/bind/data, fix named.conf a bit.
- Use DebianNoService() for dbus. (LP: #1564981)
- Add more constants
* Split freeipa-server-dns from freeipa-server, add -dns to -server
Recommends.
* server.postinst: Use ipa-server-upgrade.
* admintools: Use the new location for bash completions.
* rules: Remove obsolete configure.jar, preferences.html.
* platform: Fix ipautil.run stdout handling, add support for systemd.
* server.postinst, tmpfile: Create state directories for
mod_auth_gssapi.
* rules, server.install: Install scripts under /usr/lib instead of
multiarch path to avoid hacking the code too much.
* fix-ipa-otpd-install.diff, rules, server.install: Put ipa-otpd in
/usr/lib/ipa instead of directly under multiarch lib path.
* control, server*.install: Move dirsrv plugins from server-trust-ad
to server, needed on upgrades even if trust-ad isn't set up.
* server: Enable mod_proxy_ajp and mod_proxy_http on postinst, disable
on postrm.
* rules: Add SKIP_API_VERSION_CHECK, and adjust directories to clean.
* rules: Don't enable systemd units on install.
* client: Don't create /etc/pki/nssdb on postinst, it's not used
anymore.
* platform.diff, rules, server.install: Drop generate-rndc-key.sh, bind
already generates the keyfile.
-- Timo Aaltonen <tjaalton@debian.org> Mon, 18 Apr 2016 17:40:32 +0300
freeipa (4.1.4-1) experimental; urgency=medium
* New upstream release. (LP: #1492226)
- Refresh patches
- platform-support.diff: Added NAMED_VAR_DIR.
- fix-bind-conf.diff: Dropped, obsolete with above.
- disable-dnssec-support.patch: Disable DNSSEC-support as we're
missing the dependencies for now.
* control: Add python-usb to build-depends and to python-freeipa
depends.
* control: Bump SSSD dependencies.
* control: Add libsofthsm2-dev to build-depends and softhsm2 to server
depends.
* freeipa-{server,client}.install: Add new files.
* control: Bump Depends on slapi-nis for CVE fixes.
* control: Bump 389-ds-base, pki-ca depends.
* control: Drop dogtag-pki-server-theme from server depends, it's not
needed.
* control: Server needs newer python-ldap, bump build-dep too.
* control: Bump certmonger depends.
* control: Bump python-nss depends.
* freeipa-client: Add /etc/ipa/nssdb, rework /etc/pki/nssdb handling.
* platform: Add DebianNamedService.
* platform, disable-dnssec-support.patch: Fix named.conf template.
* server.postinst: Run ipa-ldap-updater and ipa-upgradeconfig on
postinst.
* Revert DNSSEC changes to schema and ACI, makes upgrade tools fail.
* server.postrm: Clean logs on purge and disable apache modules on
remove/purge.
-- Timo Aaltonen <tjaalton@debian.org> Fri, 25 Sep 2015 14:07:40 +0300
-- Alexandre Ellert <aellert@numeezy.com> Wed, 17 Feb 2016 15:07:45 +0100
freeipa (4.0.5-6) unstable; urgency=medium

232
debian/control vendored
View File

@@ -4,7 +4,7 @@ Priority: extra
Maintainer: Debian FreeIPA Team <pkg-freeipa-devel@lists.alioth.debian.org>
Uploaders: Timo Aaltonen <tjaalton@debian.org>
Build-Depends:
389-ds-base-dev (>= 1.3.4.0),
389-ds-base-dev (>= 1.3.3.2),
check,
debhelper (>= 9),
dh-autoreconf,
@@ -14,9 +14,8 @@ Build-Depends:
krb5-user,
libcmocka-dev,
libcurl4-nss-dev,
libini-config-dev,
libkrad-dev,
libkrb5-dev (>= 1.13),
libkrb5-dev (>= 1.12),
libldap2-dev,
libnspr4-dev,
libnss3-dev,
@@ -25,65 +24,60 @@ Build-Depends:
libsasl2-dev,
libssl-dev,
libsss-idmap-dev,
libsss-nss-idmap-dev (>= 1.13.1),
libsss-nss-idmap-dev,
libsvrcore-dev,
libtalloc-dev,
libtevent-dev,
libunistring-dev,
libverto-dev,
libxmlrpc-core-c3-dev (>= 1.33.06),
pki-base (>= 10.2.6),
python-all-dev,
python-cryptography,
python-dbus,
python-dnspython (>= 1.11.1),
python-gssapi,
python-kdcproxy,
python-ldap (>= 2.4.15),
python-kerberos,
python-krbv,
python-ldap,
python-lesscpy,
python-libipa-hbac,
python-lxml,
python-memcache,
python-netaddr,
python-nose,
python-nss (>= 0.16.0),
python-nss,
python-openssl,
python-polib,
python-pyasn1,
python-qrcode (>= 5.0.0),
python-setuptools,
python-six,
python-sss (>= 1.13.1),
python-usb (>= 1.0.0~b2),
python-sss (>= 1.8.0),
python-yubico,
rhino,
samba-dev,
systemd,
uuid-dev
Standards-Version: 3.9.6
Vcs-Git: https://anonscm.debian.org/git/pkg-freeipa/freeipa.git
Vcs-Browser: https://anonscm.debian.org/cgit/pkg-freeipa/freeipa.git
Vcs-Git: git://anonscm.debian.org/pkg-freeipa/freeipa.git
Vcs-Browser: http://anonscm.debian.org/gitweb/?p=pkg-freeipa/freeipa.git
Homepage: http://www.freeipa.org
Package: freeipa-server
Architecture: any
Breaks: freeipa-server-trust-ad (<< 4.3.0-1)
Replaces: freeipa-server-trust-ad (<< 4.3.0-1)
Depends:
389-ds-base (>= 1.3.4.0),
389-ds-base (>= 1.3.3.5-2~),
acl,
apache2,
certmonger (>= 0.78.6-3),
custodia,
bind9,
bind9-dyndb-ldap (>= 6.0-4~),
certmonger (>= 0.75.14),
dogtag-pki-server-theme,
fonts-font-awesome,
freeipa-admintools (= ${source:Version}),
freeipa-admintools (= ${binary:Version}),
freeipa-client (= ${binary:Version}),
freeipa-common (= ${source:Version}),
krb5-admin-server,
krb5-kdc,
krb5-kdc-ldap,
krb5-pkinit,
ldap-utils,
libapache2-mod-auth-gssapi (>= 1.3.0),
libapache2-mod-auth-kerb (>= 5.4-2.2~),
libapache2-mod-nss (>= 1.0.10-2~),
libapache2-mod-wsgi,
libjs-dojo-core,
@@ -92,23 +86,17 @@ Depends:
libsasl2-modules-gssapi-mit,
memcached,
ntp,
oddjob (>= 0.34.3-2),
p11-kit,
pki-ca (>= 10.2.6),
pki-kra (>= 10.2.6),
pki-ca,
python-dateutil,
python-ipaserver (= ${source:Version}),
python-gssapi,
python-ldap (>= 2.4.22),
python-systemd,
slapi-nis (>= 0.54.2),
softhsm2,
python-freeipa (= ${binary:Version}),
python-krbv,
python-ldap,
python-pyasn1,
slapi-nis (>= 0.54),
systemd-sysv,
${misc:Depends},
${python:Depends},
${shlibs:Depends}
Recommends:
freeipa-server-dns,
Description: FreeIPA centralized identity framework -- server
FreeIPA is an integrated solution to provide centrally managed Identity
(machine, user, virtual machines, groups, authentication credentials), Policy
@@ -117,32 +105,12 @@ Description: FreeIPA centralized identity framework -- server
.
This is the server package.
Package: freeipa-server-dns
Architecture: all
Breaks: freeipa-server (<< 4.3.0-1)
Replaces: freeipa-server (<< 4.3.0-1)
Depends:
freeipa-server (>= ${source:Version}),
bind9 (>= 1:9.10.3.dfsg.P4-8),
bind9-dyndb-ldap (>= 8.0-4),
opendnssec (>= 1:1.4.9-2),
${misc:Depends},
${python:Depends},
${shlibs:Depends}
Description: FreeIPA centralized identity framework -- IPA DNS integration
FreeIPA is an integrated solution to provide centrally managed Identity
(machine, user, virtual machines, groups, authentication credentials), Policy
(configuration settings, access control information) and Audit (events,
logs, analysis thereof).
.
This package adds DNS integration with BIND 9.
Package: freeipa-server-trust-ad
Architecture: any
Depends:
freeipa-common (= ${source:Version}),
freeipa-server (= ${binary:Version}),
python-ipaserver (= ${source:Version}),
python-libsss-nss-idmap,
python-m2crypto,
python-samba,
samba,
winbind,
@@ -159,40 +127,24 @@ Description: FreeIPA centralized identity framework -- AD trust installer
installation. This package is provided for convenience to install all required
dependencies at once.
Package: freeipa-common
Architecture: all
Breaks: python-freeipa
Replaces: python-freeipa
Depends:
${misc:Depends},
Description: FreeIPA centralized identity framework -- common files
FreeIPA is an integrated solution to provide centrally managed Identity
(machine, user, virtual machines, groups, authentication credentials), Policy
(configuration settings, access control information) and Audit (events,
logs, analysis thereof).
.
This package includes common files.
Package: freeipa-client
Architecture: any
Depends:
bind9utils,
certmonger (>= 0.78.6-3),
curl,
certmonger,
dnsutils,
freeipa-common (= ${source:Version}),
krb5-user,
libcurl3 (>= 7.22.0),
libnss3-tools,
libsasl2-modules-gssapi-mit,
libxmlrpc-core-c3 (>= 1.16.33-3.1ubuntu5),
ntp,
oddjob-mkhomedir,
python-dnspython,
python-ipaclient (= ${source:Version}),
python-gssapi,
python-freeipa (= ${binary:Version}),
python-krbv,
python-ldap,
sssd (>= 1.13.1),
sssd (>= 1.11.1),
wget,
${misc:Depends},
${python:Depends},
${shlibs:Depends}
@@ -206,14 +158,15 @@ Description: FreeIPA centralized identity framework -- client
This is the client package.
Package: freeipa-admintools
Architecture: all
Architecture: any
Depends:
freeipa-client (>= ${source:Version}),
python-ipalib (>= ${source:Version}),
python-gssapi,
freeipa-client (= ${binary:Version}),
python-freeipa (= ${binary:Version}),
python-krbv,
python-ldap,
${misc:Depends},
${python:Depends},
${shlibs:Depends}
Description: FreeIPA centralized identity framework -- admintools
FreeIPA is an integrated solution to provide centrally managed Identity
(machine, user, virtual machines, groups, authentication credentials), Policy
@@ -223,15 +176,21 @@ Description: FreeIPA centralized identity framework -- admintools
This package contains some tools for administrators.
Package: freeipa-tests
Architecture: all
Architecture: any
Depends:
freeipa-client (>= ${source:Version}),
python-ipalib (>= ${source:Version}),
python-ipatests (>= ${source:Version}),
python-pytest,
freeipa-client (= ${binary:Version}),
libnss3-tools,
python-coverage,
python-freeipa (= ${binary:Version}),
python-nose,
python-paramiko,
python-paste,
python-polib,
xz-utils,
${misc:Depends},
${python:Depends}
Recommends: python-yaml
Recommends:
python-yaml,
Description: FreeIPA centralized identity framework -- tests
FreeIPA is an integrated solution to provide centrally managed Identity
(machine, user, virtual machines, groups, authentication credentials), Policy
@@ -240,116 +199,35 @@ Description: FreeIPA centralized identity framework -- tests
.
This package contains tests that verify IPA functionality.
Package: python-ipaclient
Architecture: all
Section: python
Breaks: freeipa-client (<< 4.3.0-1)
Replaces: freeipa-client (<< 4.3.0-1)
Depends:
freeipa-common (= ${binary:Version}),
python-dnspython,
python-ipalib (>= ${source:Version}),
${misc:Depends},
${python:Depends},
Description: FreeIPA centralized identity framework -- Python modules for ipaclient
FreeIPA is an integrated solution to provide centrally managed Identity
(machine, user, virtual machines, groups, authentication credentials), Policy
(configuration settings, access control information) and Audit (events,
logs, analysis thereof).
.
This Python module is used by FreeIPA client.
Package: python-ipalib
Package: python-freeipa
Architecture: any
Section: python
Breaks: python-freeipa
Replaces: python-freeipa
Depends:
freeipa-common (= ${source:Version}),
gnupg2,
gnupg-agent,
iproute,
keyutils,
python-cffi,
python-cryptography,
python-dbus,
python-dnspython,
python-gssapi,
python-jwcrypto,
python-kerberos,
python-krbv,
python-ldap,
python-libipa-hbac,
python-lxml,
python-memcache,
python-netaddr,
python-nss (>= 0.16.0),
python-nss,
python-openssl,
python-pyasn1,
python-qrcode (>= 5.0.0),
python-setuptools,
python-six,
python-usb (>= 1.0.0~b2),
python-yubico,
${misc:Depends},
${python:Depends},
${shlibs:Depends},
Description: FreeIPA centralized identity framework -- shared Python modules
${shlibs:Depends}
Description: FreeIPA centralized identity framework -- Python modules
FreeIPA is an integrated solution to provide centrally managed Identity
(machine, user, virtual machines, groups, authentication credentials), Policy
(configuration settings, access control information) and Audit (events,
logs, analysis thereof).
.
This Python module is used by other FreeIPA packages.
Package: python-ipaserver
Architecture: all
Section: python
Breaks: freeipa-server (<< 4.3.0-1)
Replaces: freeipa-server (<< 4.3.0-1)
Depends:
freeipa-common (= ${binary:Version}),
pki-tools (>= 10.2.6-3),
python-dbus,
python-dnspython,
python-gssapi,
python-ipaclient (= ${binary:Version}),
python-ipalib (>= ${source:Version}),
python-kdcproxy,
python-ldap (>= 2.4.22),
python-libsss-nss-idmap,
python-pyasn1,
zip,
${misc:Depends},
${python:Depends},
Description: FreeIPA centralized identity framework -- Python modules for server
FreeIPA is an integrated solution to provide centrally managed Identity
(machine, user, virtual machines, groups, authentication credentials), Policy
(configuration settings, access control information) and Audit (events,
logs, analysis thereof).
.
This Python module is used by FreeIPA server.
Package: python-ipatests
Architecture: all
Section: python
Breaks: freeipa-tests (<< 4.3.0-1)
Replaces: freeipa-tests (<< 4.3.0-1)
Depends:
libnss3-tools,
python-coverage,
python-ipalib (>= ${source:Version}),
python-nose,
python-paramiko,
python-paste,
python-polib,
python-pytest-multihost,
python-pytest-sourceorder,
xz-utils,
${misc:Depends},
${python:Depends}
Recommends: python-yaml
Description: FreeIPA centralized identity framework -- Python modules for tests
FreeIPA is an integrated solution to provide centrally managed Identity
(machine, user, virtual machines, groups, authentication credentials), Policy
(configuration settings, access control information) and Audit (events,
logs, analysis thereof).
.
This Python module is used by FreeIPA tests.

3
debian/freeipa-admintools.install vendored
View File

@@ -1,3 +0,0 @@
usr/bin/ipa
usr/share/bash-completion/completions/ipa
usr/share/man/man1/ipa.1

2
debian/freeipa-admintools.lintian-overrides vendored
View File

@@ -1,2 +0,0 @@
# lintian is lying
python-script-but-no-python-dep

1
debian/freeipa-client.dirs vendored
View File

@@ -1,4 +1,3 @@
etc/ipa
etc/ipa/nssdb
etc/pki/nssdb
var/lib/ipa-client/sysrestore

3
debian/freeipa-client.install vendored
View File

@@ -1,10 +1,9 @@
usr/sbin/ipa-certupdate
usr/lib/python*/dist-packages/ipaclient/*.py
usr/sbin/ipa-client-automount
usr/sbin/ipa-client-install
usr/sbin/ipa-getkeytab
usr/sbin/ipa-join
usr/sbin/ipa-rmkeytab
usr/share/man/man1/ipa-certupdate.1.gz
usr/share/man/man1/ipa-client-automount.1.gz
usr/share/man/man1/ipa-client-install.1.gz
usr/share/man/man1/ipa-getkeytab.1.gz

14
debian/freeipa-client.postinst vendored
View File

@@ -2,15 +2,13 @@
set -e
if [ "$1" = configure ]; then
if [ ! -f /etc/ipa/nssdb/cert8.db ]; then
python2 -c 'from ipapython.certdb import create_ipa_nssdb; create_ipa_nssdb()' >/dev/null 2>&1
if [ ! -e /etc/pki/nssdb ]; then
tmp=$(mktemp) || exit
if certutil -L -d /etc/pki/nssdb -n 'IPA CA' -a >"$tmp" 2>/var/log/ipaupgrade.log; then
certutil -A -d /etc/ipa/nssdb -n 'IPA CA' -t CT,C,C -a -i "$tmp" >/var/log/ipaupgrade.log 2>&1
elif certutil -L -d /etc/pki/nssdb -n 'External CA cert' -a >"$tmp" 2>/var/log/ipaupgrade.log; then
certutil -A -d /etc/ipa/nssdb -n 'External CA cert' -t C,, -a -i "$tmp" >/var/log/ipaupgrade.log 2>&1
fi
rm -f "$tmp"
printf "\n" > $tmp
mkdir -p /etc/pki/nssdb
certutil -N -d /etc/pki/nssdb -f $tmp
chmod 644 /etc/pki/nssdb/*
rm $tmp
fi
fi

8
debian/freeipa-client.postrm vendored
View File

@@ -7,14 +7,6 @@ if [ "$1" = purge ]; then
rm -f /etc/pki/nssdb/cert8.db \
/etc/pki/nssdb/key3.db \
/etc/pki/nssdb/secmod.db
rm -f /etc/ipa/nssdb/cert8.db \
/etc/ipa/nssdb/key3.db \
/etc/ipa/nssdb/pwdfile.txt \
/etc/ipa/nssdb/secmod.db \
/etc/ipa/nssdb/*.orig
rmdir /etc/pki/nssdb || true
rmdir /etc/ipa/nssdb || true
rmdir /etc/ipa || true
fi
#DEBHELPER#

1
debian/freeipa-common.install vendored
View File

@@ -1 +0,0 @@
usr/share/locale

3
debian/freeipa-server-dns.install vendored
View File

@@ -1,3 +0,0 @@
usr/sbin/ipa-dns-install
usr/share/man/man1/ipa-dns-install.1*

3
debian/freeipa-server-dns.lintian-overrides vendored
View File

@@ -1,3 +0,0 @@
# lintian is lying
python-script-but-no-python-dep

9
debian/freeipa-server-trust-ad.install vendored
View File

@@ -1,9 +0,0 @@
etc/dbus-1/system.d/oddjob-ipa-trust.conf
etc/oddjobd.conf.d/oddjobd-ipa-trust.conf
usr/lib/*/samba/pdb/ipasam.so
usr/lib/python*/dist-packages/ipaserver/dcerpc.py
usr/lib/python*/dist-packages/ipaserver/install/adtrustinstance*
usr/lib/ipa/oddjob/com.redhat.idm.trust-fetch-domains
usr/sbin/ipa-adtrust-install
usr/share/ipa/smb.conf.empty
usr/share/man/man1/ipa-adtrust-install.1*

2
debian/freeipa-server-trust-ad.lintian-overrides vendored
View File

@@ -1,2 +0,0 @@
# lintian is lying
python-script-but-no-python-dep

3
debian/freeipa-server.dirs vendored
View File

@@ -1,3 +0,0 @@
etc/ipa/custodia
etc/ipa/dnssec
var/lib/ipa/backup

1
debian/freeipa-server.docs vendored
View File

@@ -1 +0,0 @@
README

98
debian/freeipa-server.install vendored
View File

@@ -1,98 +0,0 @@
etc/default/ipa_memcached
etc/default/ipa-dnskeysyncd
etc/default/ipa-ods-exporter
etc/ipa/html/*
etc/ipa/kdcproxy
etc/dbus-1/system.d/org.freeipa.server.conf
etc/oddjobd.conf.d/ipa-server.conf
lib/systemd/system/*
usr/lib/*/dirsrv/plugins/libipa_cldap.so
usr/lib/*/dirsrv/plugins/libipa_dns.so
usr/lib/*/dirsrv/plugins/libipa_enrollment_extop.so
usr/lib/*/dirsrv/plugins/libipa_extdom_extop.so
usr/lib/*/dirsrv/plugins/libipa_lockout.so
usr/lib/*/dirsrv/plugins/libipa_modrdn.so
usr/lib/*/dirsrv/plugins/libipa_otp_counter.so
usr/lib/*/dirsrv/plugins/libipa_otp_lasttoken.so
usr/lib/*/dirsrv/plugins/libipa_pwd_extop.so
usr/lib/*/dirsrv/plugins/libipa_range_check.so
usr/lib/*/dirsrv/plugins/libipa_repl_version.so
usr/lib/*/dirsrv/plugins/libipa_sidgen.so
usr/lib/*/dirsrv/plugins/libipa_sidgen_task.so
usr/lib/*/dirsrv/plugins/libipa_uuid.so
usr/lib/*/dirsrv/plugins/libipa_winsync.so
usr/lib/*/dirsrv/plugins/libtopology.so
usr/lib/*/krb5/plugins/kdb/*.so
usr/lib/certmonger/dogtag-ipa-ca-renew-agent-submit
usr/lib/certmonger/ipa-server-guard
usr/lib/ipa/certmonger/*
usr/lib/ipa/ipa-dnskeysync-replica
usr/lib/ipa/ipa-dnskeysyncd
usr/lib/ipa/ipa-httpd-kdcproxy
usr/lib/ipa/ipa-ods-exporter
usr/lib/ipa/ipa-otpd
usr/lib/ipa/oddjob/org.freeipa.server.conncheck
usr/sbin/ipa-advise
usr/sbin/ipa-backup
usr/sbin/ipa-ca-install
usr/sbin/ipa-cacert-manage
usr/sbin/ipa-compat-manage
usr/sbin/ipa-csreplica-manage
usr/sbin/ipa-kra-install
usr/sbin/ipa-ldap-updater
usr/sbin/ipa-managed-entries
usr/sbin/ipa-nis-manage
usr/sbin/ipa-otptoken-import
usr/sbin/ipa-replica-conncheck
usr/sbin/ipa-replica-install
usr/sbin/ipa-replica-manage
usr/sbin/ipa-replica-prepare
usr/sbin/ipa-restore
usr/sbin/ipa-server-certinstall
usr/sbin/ipa-server-install
usr/sbin/ipa-server-upgrade
usr/sbin/ipa-upgradeconfig
usr/sbin/ipa-winsync-migrate
usr/sbin/ipactl
usr/share/ipa/*.ldif
usr/share/ipa/*.template
usr/share/ipa/*.uldif
usr/share/ipa/advise/legacy/*.template
usr/share/ipa/copy-schema-to-ca.py
usr/share/ipa/html/*
usr/share/ipa/ipa-pki-proxy.conf
usr/share/ipa/ipa-rewrite.conf
usr/share/ipa/ipa.conf
usr/share/ipa/ipa-httpd.conf
usr/share/ipa/kdcproxy.conf
usr/share/ipa/migration/*
usr/share/ipa/profiles/*.cfg
usr/share/ipa/ui/*
usr/share/ipa/updates/*
usr/share/ipa/wsgi.py
usr/share/ipa/wsgi/*
usr/share/man/man1/ipa-advise.1*
usr/share/man/man1/ipa-backup.1*
usr/share/man/man1/ipa-ca-install.1*
usr/share/man/man1/ipa-cacert-manage.1*
usr/share/man/man1/ipa-compat-manage.1*
usr/share/man/man1/ipa-csreplica-manage.1*
usr/share/man/man1/ipa-kra-install.1*
usr/share/man/man1/ipa-ldap-updater.1*
usr/share/man/man1/ipa-managed-entries.1*
usr/share/man/man1/ipa-nis-manage.1*
usr/share/man/man1/ipa-otptoken-import.1*
usr/share/man/man1/ipa-replica-conncheck.1*
usr/share/man/man1/ipa-replica-install.1*
usr/share/man/man1/ipa-replica-manage.1*
usr/share/man/man1/ipa-replica-prepare.1*
usr/share/man/man1/ipa-restore.1*
usr/share/man/man1/ipa-server-certinstall.1*
usr/share/man/man1/ipa-server-install.1*
usr/share/man/man1/ipa-server-upgrade.1*
usr/share/man/man1/ipa-winsync-migrate.1*
usr/share/man/man8/ipa-upgradeconfig.8*
usr/share/man/man8/ipactl.8*
var/lib/ipa/pki-ca
var/lib/ipa/sysrestore
var/lib/ipa/sysupgrade

8
debian/freeipa-server.links vendored
View File

@@ -1,8 +0,0 @@
/etc/ipa/html/browserconfig.html usr/share/ipa/html/browserconfig.html
/etc/ipa/html/ffconfig.js usr/share/ipa/html/ffconfig.js
/etc/ipa/html/ffconfig_page.js usr/share/ipa/html/ffconfig_page.js
/etc/ipa/html/ssbrowser.html usr/share/ipa/html/ssbrowser.html
/etc/ipa/html/unauthorized.html usr/share/ipa/html/unauthorized.html
/usr/share/javascript/prototype/prototype.js /usr/share/ipa/ipagui/static/javascript/prototype.js
/usr/share/javascript/scriptaculous/effects.js /usr/share/ipa/ipagui/static/javascript/effects.js
/usr/share/javascript/scriptaculous/scriptaculous.js /usr/share/ipa/ipagui/static/javascript/scriptaculous.js

9
debian/freeipa-server.lintian-overrides vendored
View File

@@ -1,9 +0,0 @@
# lintian is lying
python-script-but-no-python-dep
# we really need apache2
web-application-should-not-depend-unconditionally-on-apache2
# embedded versions used for better performance and function
embedded-javascript-library
# this is how we need them
non-standard-dir-perm var/cache/bind/data/ *
non-standard-dir-perm var/lib/ipa/backup/ *

63
debian/freeipa-server.postinst vendored
View File

@@ -1,63 +0,0 @@
#!/bin/sh
set -e
if [ "$1" = configure ]; then
if [ -e /usr/share/apache2/apache2-maintscript-helper ]; then
. /usr/share/apache2/apache2-maintscript-helper
if [ ! -e /etc/apache2/mods-enabled/auth_gssapi.load ]; then
apache2_invoke enmod auth_gssapi || exit $?
fi
if [ ! -e /etc/apache2/mods-enabled/authz_user.load ]; then
apache2_invoke enmod authz_user || exit $?
fi
if [ ! -e /etc/apache2/mods-enabled/deflate.load ]; then
apache2_invoke enmod deflate || exit $?
fi
if [ ! -e /etc/apache2/mods-enabled/expires.load ]; then
apache2_invoke enmod expires || exit $?
fi
if [ ! -e /etc/apache2/mods-enabled/headers.load ]; then
apache2_invoke enmod headers || exit $?
fi
if [ ! -e /etc/apache2/mods-enabled/proxy.load ]; then
apache2_invoke enmod proxy || exit $?
fi
if [ ! -e /etc/apache2/mods-enabled/proxy_ajp.load ]; then
apache2_invoke enmod proxy_ajp || exit $?
fi
if [ ! -e /etc/apache2/mods-enabled/proxy_http.load ]; then
apache2_invoke enmod proxy_http || exit $?
fi
if [ ! -e /etc/apache2/mods-enabled/rewrite.load ]; then
apache2_invoke enmod rewrite || exit $?
fi
fi
# check if IPA is set up
is_configured=`python2 -c 'from ipaserver.install import installutils; print "yes" if installutils.is_ipa_configured() else "no";'`
if [ $is_configured = yes ]; then
echo "Running ipa-server-upgrade..."
ipa-server-upgrade --quiet >/dev/null
fi
fi
if [ ! -e /run/ipa_memcached ]; then
mkdir -m 0700 /run/ipa_memcached
chown www-data:www-data /run/ipa_memcached
fi
if [ ! -e /run/apache2/ipa ]; then
mkdir -m 0700 /run/apache2/ipa
chown www-data:www-data /run/apache2/ipa
if [ ! -e /run/apache2/ipa/clientcaches ]; then
mkdir -m 0700 /run/apache2/ipa/clientcaches
chown www-data:www-data /run/apache2/ipa/clientcaches
fi
if [ ! -e /run/apache2/ipa/krbcache ]; then
mkdir -m 0700 /run/apache2/ipa/krbcache
chown www-data:www-data /run/apache2/ipa/krbcache
fi
fi
#DEBHELPER#

53
debian/freeipa-server.postrm vendored
View File

@@ -1,53 +0,0 @@
#!/bin/sh
set -e
case "$1" in
remove|purge)
if [ -e /usr/share/apache2/apache2-maintscript-helper ]; then
. /usr/share/apache2/apache2-maintscript-helper
if [ -e /etc/apache2/mods-enabled/auth_kerb.load ]; then
apache2_invoke dismod auth_kerb || exit $?
fi
if [ -e /etc/apache2/mods-enabled/auth_gssapi.load ]; then
apache2_invoke dismod auth_gssapi || exit $?
fi
if [ -e /etc/apache2/mods-enabled/authz_user.load ]; then
apache2_invoke dismod authz_user || exit $?
fi
if [ -e /etc/apache2/mods-enabled/deflate.load ]; then
apache2_invoke dismod deflate || exit $?
fi
if [ -e /etc/apache2/mods-enabled/expires.load ]; then
apache2_invoke dismod expires || exit $?
fi
if [ -e /etc/apache2/mods-enabled/headers.load ]; then
apache2_invoke dismod headers || exit $?
fi
if [ -e /etc/apache2/mods-enabled/proxy.load ]; then
apache2_invoke dismod proxy || exit $?
fi
if [ -e /etc/apache2/mods-enabled/proxy_ajp.load ]; then
apache2_invoke dismod proxy_ajp || exit $?
fi
if [ -e /etc/apache2/mods-enabled/proxy_http.load ]; then
apache2_invoke dismod proxy_http || exit $?
fi
if [ -e /etc/apache2/mods-enabled/rewrite.load ]; then
apache2_invoke dismod rewrite || exit $?
fi
fi
;;
esac
case "$1" in
purge)
rm -f \
/var/log/ipareplica-conncheck.log \
/var/log/ipareplica-install.log \
/var/log/ipaserver-install.log \
/var/log/ipaserver-uninstall.log \
/var/log/ipaupgrade.log
;;
esac
#DEBHELPER#

26
debian/freeipa-server.prerm vendored
View File

@@ -1,26 +0,0 @@
#!/bin/sh
set -e
if [ -e /usr/share/apache2/apache2-maintscript-helper ]; then
. /usr/share/apache2/apache2-maintscript-helper
if [ -e /etc/apache2/mods-enabled/auth_kerb ]; then
apache2_invoke dismod auth_kerb || exit $?
fi
if [ -e /etc/apache2/mods-enabled/auth_gssapi ]; then
apache2_invoke dismod auth_gssapi || exit $?
fi
if [ -e /etc/apache2/mods-enabled/expires ]; then
apache2_invoke dismod expires || exit $?
fi
if [ -e /etc/apache2/mods-enabled/headers ]; then
apache2_invoke dismod headers || exit $?
fi
if [ -e /etc/apache2/mods-enabled/proxy ]; then
apache2_invoke dismod proxy || exit $?
fi
if [ -e /etc/apache2/mods-enabled/rewrite ]; then
apache2_invoke dismod rewrite || exit $?
fi
fi
#DEBHELPER#

4
debian/freeipa-server.tmpfile vendored
View File

@@ -1,4 +0,0 @@
d /var/run/ipa_memcached 0700 www-data www-data
d /var/run/apache2/ipa 0700 www-data www-data
d /var/run/apache2/ipa/clientcaches 0700 www-data www-data
d /var/run/apache2/ipa/krbcache 0700 www-data www-data

6
debian/freeipa-tests.install vendored
View File

@@ -1,6 +0,0 @@
usr/bin/ipa-run-tests
usr/bin/ipa-test-config
usr/bin/ipa-test-task
usr/share/man/man1/ipa-run-tests.1*
usr/share/man/man1/ipa-test-config.1*
usr/share/man/man1/ipa-test-task.1*

2
debian/freeipa-tests.lintian-overrides vendored
View File

@@ -1,2 +0,0 @@
# lintian is just wrong
freeipa-tests: python-script-but-no-python-dep

19
debian/generate-rndc-key.sh vendored Executable file
View File

@@ -0,0 +1,19 @@
#!/bin/bash
. /lib/lsb/init-functions
# This script generates /etc/rndc.key if doesn't exist AND if there is no rndc.conf
if [ ! -s /etc/rndc.key -a ! -s /etc/rndc.conf ]; then
echo -n $"Generating /etc/bind/rndc.key:"
if /usr/sbin/rndc-confgen -a -r /dev/urandom > /dev/null 2>&1; then
chmod 640 /etc/bind/rndc.key
chown root.bind /etc/bind/rndc.key
[ -x /sbin/restorecon ] && /sbin/restorecon /etc/bind/rndc.key
log_success_msg "/etc/bind/rndc.key generation"
echo
else
log_failure_msg $"/etc/bind/rndc.key generation"
echo
fi
fi

49
debian/patches/add-a-clear-openssl-exception.diff vendored Normal file
View File

@@ -0,0 +1,49 @@
commit d762f61d25508c1856c0fa7dc0ea1e032671542b
Author: Simo Sorce <simo@redhat.com>
Date: Fri Feb 20 08:46:40 2015 -0500
Add a clear OpenSSL exception.
We are linking with OpenSSL in 2 files, so make it clear we intentionally
add a GPLv3 exception to allow that linking by third parties.
Signed-off-by: Simo Sorce <simo@redhat.com>
Reviewed-By: Nathaniel McCallum <npmccallum@redhat.com>
diff --git a/COPYING.openssl b/COPYING.openssl
new file mode 100644
index 0000000..8a92460
--- /dev/null
+++ b/COPYING.openssl
@@ -0,0 +1,16 @@
+ADDITIONAL PERMISSIONS
+
+This file is a modification of the main license file (COPYING), which
+contains the license terms. It applies only to specific files in the
+tree that include an "OpenSSL license exception" disclaimer.
+
+In addition to the governing license (GPLv3), as a special exception,
+the copyright holders give permission to link the code of this program
+with the OpenSSL library, and distribute linked combinations including
+the two.
+You must obey the GNU General Public License in all respects for all of
+the code used other than OpenSSL. If you modify file(s) with this
+exception, you may extend this exception to your version of the file(s),
+but you are not obligated to do so. If you do not wish to do so, delete
+this exception statement from your version. If you delete the exception
+statement from all source files in the program, then also delete it here.
diff --git a/util/ipa_pwd_ntlm.c b/util/ipa_pwd_ntlm.c
index 8ffa666..c6abd4b 100644
--- a/util/ipa_pwd_ntlm.c
+++ b/util/ipa_pwd_ntlm.c
@@ -18,6 +18,10 @@
*
* You should have received a copy of the GNU General Public License
* along with this program. If not, see <http://www.gnu.org/licenses/>.
+ *
+ * This file includes an "OpenSSL license exception", see the
+ * COPYING.openssl file for details.
+ *
*/
#include <stdbool.h>

549
debian/patches/add-debian-platform.diff vendored
View File

@@ -31,7 +31,7 @@ Date: Fri Mar 1 12:21:00 2013 +0200
+"""
--- /dev/null
+++ b/ipaplatform/debian/paths.py
@@ -0,0 +1,360 @@
@@ -0,0 +1,70 @@
+# Authors:
+# Timo Aaltonen <tjaalton@ubuntu.com>
+#
@@ -58,343 +58,53 @@ Date: Fri Mar 1 12:21:00 2013 +0200
+
+# Fallback to default path definitions
+from ipaplatform.base.paths import BasePathNamespace
+import sysconfig
+
+MULTIARCH = sysconfig.get_config_var('MULTIARCH')
+
+class DebianPathNamespace(BasePathNamespace):
+# BASH = "/bin/bash"
+# BIN_FALSE = "/bin/false"
+# BIN_HOSTNAME = "/bin/hostname"
+# LS = "/bin/ls"
+# SH = "/bin/sh"
+# SYSTEMCTL = "/bin/systemctl"
+# TAR = "/bin/tar"
+# BIN_TRUE = "/bin/true"
+# DEV_NULL = "/dev/null"
+# DEV_STDIN = "/dev/stdin"
+ AUTOFS_LDAP_AUTH_CONF = "/etc/autofs_ldap_auth.conf"
+# ETC_DIRSRV = "/etc/dirsrv"
+# DS_KEYTAB = "/etc/dirsrv/ds.keytab"
+# ETC_DIRSRV_SLAPD_INSTANCE_TEMPLATE = "/etc/dirsrv/slapd-%s"
+# ETC_FEDORA_RELEASE = "/etc/fedora-release"
+# GROUP = "/etc/group"
+# ETC_HOSTNAME = "/etc/hostname"
+# HOSTS = "/etc/hosts"
+ ETC_HTTPD_DIR = "/etc/apache2"
+ HTTPD_ALIAS_DIR = "/etc/apache2/nssdb"
+ ALIAS_CACERT_ASC = "/etc/apache2/nssdb/cacert.asc"
+ ALIAS_PWDFILE_TXT = "/etc/apache2/nssdb/pwdfile.txt"
+ HTTPD_CONF_D_DIR = "/etc/apache2/conf-enabled/"
+# HTTPD_IPA_KDCPROXY_CONF = "/etc/ipa/kdcproxy/ipa-kdc-proxy.conf"
+ HTTPD_IPA_KDCPROXY_CONF_SYMLINK = "/etc/apache2/conf-enabled/ipa-kdc-proxy.conf"
+ HTTPD_IPA_PKI_PROXY_CONF = "/etc/apache2/conf-enabled/ipa-pki-proxy.conf"
+ HTTPD_IPA_REWRITE_CONF = "/etc/apache2/conf-available/ipa-rewrite.conf"
+ HTTPD_IPA_CONF = "/etc/apache2/conf-enabled/ipa.conf"
+ HTTPD_NSS_CONF = "/etc/apache2/mods-available/nss.conf"
+# HTTPD_SSL_CONF = "/etc/httpd/conf.d/ssl.conf"
+ IPA_KEYTAB = "/etc/apache2/ipa.keytab"
+ HTTPD_PASSWORD_CONF = "/etc/apache2/password.conf"
+# IDMAPD_CONF = "/etc/idmapd.conf"
+# ETC_IPA = "/etc/ipa"
+# CONNCHECK_CCACHE = "/etc/ipa/.conncheck_ccache"
+# IPA_DNS_CCACHE = "/etc/ipa/.dns_ccache"
+# IPA_DNS_UPDATE_TXT = "/etc/ipa/.dns_update.txt"
+# IPA_CA_CRT = "/etc/ipa/ca.crt"
+# IPA_DEFAULT_CONF = "/etc/ipa/default.conf"
+# IPA_DNSKEYSYNCD_KEYTAB = "/etc/ipa/dnssec/ipa-dnskeysyncd.keytab"
+# IPA_ODS_EXPORTER_KEYTAB = "/etc/ipa/dnssec/ipa-ods-exporter.keytab"
+# DNSSEC_SOFTHSM2_CONF = "/etc/ipa/dnssec/softhsm2.conf"
+# DNSSEC_SOFTHSM_PIN_SO = "/etc/ipa/dnssec/softhsm_pin_so"
+# IPA_NSSDB_DIR = "/etc/ipa/nssdb"
+# IPA_NSSDB_PWDFILE_TXT = "/etc/ipa/nssdb/pwdfile.txt"
+# KRB5_CONF = "/etc/krb5.conf"
+# KRB5_KEYTAB = "/etc/krb5.keytab"
+# LDAP_CONF = "/etc/ldap.conf"
+# LIBNSS_LDAP_CONF = "/etc/libnss-ldap.conf"
+ NAMED_CONF = "/etc/bind/named.conf"
+ NAMED_VAR_DIR = "/var/cache/bind"
+ NAMED_KEYTAB = "/etc/bind/named.keytab"
+ NAMED_RFC1912_ZONES = "/etc/bind/named.conf.default-zones"
+ NAMED_ROOT_KEY = "/etc/bind/bind.keys"
+ NAMED_BINDKEYS_FILE = "/etc/bind/bind.keys"
+ NAMED_MANAGED_KEYS_DIR = "/var/cache/bind/dynamic"
+# NSLCD_CONF = "/etc/nslcd.conf"
+# NSS_LDAP_CONF = "/etc/nss_ldap.conf"
+# NSSWITCH_CONF = "/etc/nsswitch.conf"
+# NTP_CONF = "/etc/ntp.conf"
+# NTP_STEP_TICKERS = "/etc/ntp/step-tickers"
+# ETC_OPENDNSSEC_DIR = "/etc/opendnssec"
+# OPENDNSSEC_CONF_FILE = "/etc/opendnssec/conf.xml"
+# OPENDNSSEC_KASP_FILE = "/etc/opendnssec/kasp.xml"
+# OPENDNSSEC_ZONELIST_FILE = "/etc/opendnssec/zonelist.xml"
+ OPENLDAP_LDAP_CONF = "/etc/ldap/ldap.conf"
+ ETC_DEBIAN_VERSION = "/etc/debian_version"
+# PAM_LDAP_CONF = "/etc/pam_ldap.conf"
+# PASSWD = "/etc/passwd"
+# SYSTEMWIDE_IPA_CA_CRT = "/etc/pki/ca-trust/source/anchors/ipa-ca.crt"
+ IPA_P11_KIT = "/usr/local/share/ca-certificates/ipa-ca.crt"
+# NSS_DB_DIR = "/etc/pki/nssdb"
+# PKI_TOMCAT = "/etc/pki/pki-tomcat"
+# PKI_TOMCAT_ALIAS_DIR = "/etc/pki/pki-tomcat/alias"
+# PKI_TOMCAT_PASSWORD_CONF = "/etc/pki/pki-tomcat/password.conf"
+# ETC_REDHAT_RELEASE = "/etc/redhat-release"
+# RESOLV_CONF = "/etc/resolv.conf"
+# SAMBA_KEYTAB = "/etc/samba/samba.keytab"
+# SMB_CONF = "/etc/samba/smb.conf"
+# LIMITS_CONF = "/etc/security/limits.conf"
+# SSH_CONFIG = "/etc/ssh/ssh_config"
+# SSHD_CONFIG = "/etc/ssh/sshd_config"
+# SSSD_CONF = "/etc/sssd/sssd.conf"
+# SSSD_CONF_BKP = "/etc/sssd/sssd.conf.bkp"
+# SSSD_CONF_DELETED = "/etc/sssd/sssd.conf.deleted"
+ ETC_SYSCONFIG_DIR = "/etc/default"
+# ETC_SYSCONFIG_AUTHCONFIG = "/etc/sysconfig/authconfig"
+ SYSCONFIG_AUTOFS = "/etc/default/autofs"
+ SYSCONFIG_DIRSRV = "/etc/default/dirsrv"
+ SYSCONFIG_DIRSRV_INSTANCE = "/etc/default/dirsrv-%s"
+ SYSCONFIG_DIRSRV_SYSTEMD = "/etc/default/dirsrv.systemd"
+ SYSCONFIG_IPA_DNSKEYSYNCD = "/etc/default/ipa-dnskeysyncd"
+ SYSCONFIG_IPA_ODS_EXPORTER = "/etc/default/ipa-ods-exporter"
+# SYSCONFIG_HTTPD = "/etc/sysconfig/httpd"
+ SYSCONFIG_KRB5KDC_DIR = "/etc/default/krb5-kdc"
+ SYSCONFIG_NAMED = "/etc/default/bind9"
+# SYSCONFIG_NETWORK = "/etc/sysconfig/network"
+# SYSCONFIG_NETWORK_IPABKP = "/etc/sysconfig/network.ipabkp"
+ SYSCONFIG_NFS = "/etc/default/nfs-common"
+ SYSCONFIG_NTPD = "/etc/default/ntp"
+ SYSCONFIG_ODS = "/etc/default/opendnssec"
+ SYSCONFIG_PKI = "/etc/dogtag/"
+ SYSCONFIG_PKI_TOMCAT = "/etc/default/pki-tomcat"
+ SYSCONFIG_PKI_TOMCAT_PKI_TOMCAT_DIR = "/etc/dogtag/tomcat/pki-tomcat"
+# ETC_SYSTEMD_SYSTEM_DIR = "/etc/systemd/system/"
+ SYSTEMD_SYSTEM_HTTPD_D_DIR = "/etc/systemd/system/apache2.d/"
+ SYSTEMD_SYSTEM_HTTPD_IPA_CONF = "/etc/systemd/system/apache2.d/ipa.conf"
+# SYSTEMD_CERTMONGER_SERVICE = "/etc/systemd/system/multi-user.target.wants/certmonger.service"
+# SYSTEMD_IPA_SERVICE = "/etc/systemd/system/multi-user.target.wants/ipa.service"
+# SYSTEMD_SSSD_SERVICE = "/etc/systemd/system/multi-user.target.wants/sssd.service"
+# SYSTEMD_PKI_TOMCAT_SERVICE = "/etc/systemd/system/pki-tomcatd.target.wants/pki-tomcatd@pki-tomcat.service"
+ DNSSEC_TRUSTED_KEY = "/etc/bind/trusted-key.key"
+# HOME_DIR = "/home"
+# ROOT_IPA_CACHE = "/root/.ipa_cache"
+# ROOT_PKI = "/root/.pki"
+# DOGTAG_ADMIN_P12 = "/root/ca-agent.p12"
+ KRA_AGENT_PEM = "/etc/apache2/nssdb/kra-agent.pem"
+# CACERT_P12 = "/root/cacert.p12"
+# ROOT_IPA_CSR = "/root/ipa.csr"
+# NAMED_PID = "/run/named/named.pid"
+# IP = "/sbin/ip"
+# NOLOGIN = "/sbin/nologin"
+# SBIN_REBOOT = "/sbin/reboot"
+# SBIN_RESTORECON = "/sbin/restorecon"
+ SBIN_SERVICE = "/usr/sbin/service"
+# TMP = "/tmp"
+# TMP_CA_P12 = "/tmp/ca.p12"
+# TMP_KRB5CC = "/tmp/krb5cc_%d"
+# USR_DIR = "/usr"
+ CERTMONGER_COMMAND_TEMPLATE = "/usr/lib/ipa/certmonger/%s"
+# PKCS12EXPORT = "/usr/bin/PKCS12Export"
+# CERTUTIL = "/usr/bin/certutil"
+# CHROMIUM_BROWSER = "/usr/bin/chromium-browser"
+# DS_NEWINST_PL = "/usr/bin/ds_newinst.pl"
+# FIREFOX = "/usr/bin/firefox"
+# GETCERT = "/usr/bin/getcert"
+# GPG = "/usr/bin/gpg"
+# GPG_AGENT = "/usr/bin/gpg-agent"
+# IPA_GETCERT = "/usr/bin/ipa-getcert"
+# KDESTROY = "/usr/bin/kdestroy"
+# KINIT = "/usr/bin/kinit"
+# BIN_KVNO = "/usr/bin/kvno"
+# LDAPMODIFY = "/usr/bin/ldapmodify"
+# LDAPPASSWD = "/usr/bin/ldappasswd"
+# NET = "/usr/bin/net"
+# BIN_NISDOMAINNAME = "/usr/bin/nisdomainname"
+# NSUPDATE = "/usr/bin/nsupdate"
+# ODS_KSMUTIL = "/usr/bin/ods-ksmutil"
+# ODS_SIGNER = "/usr/sbin/ods-signer"
+# OPENSSL = "/usr/bin/openssl"
+# PK12UTIL = "/usr/bin/pk12util"
+# SETPASSWD = "/usr/bin/setpasswd"
+# SIGNTOOL = "/usr/bin/signtool"
+# SOFTHSM2_UTIL = "/usr/bin/softhsm2-util"
+# SSLGET = "/usr/bin/sslget"
+# SSS_SSH_AUTHORIZEDKEYS = "/usr/bin/sss_ssh_authorizedkeys"
+# SSS_SSH_KNOWNHOSTSPROXY = "/usr/bin/sss_ssh_knownhostsproxy"
+# BIN_TIMEOUT = "/usr/bin/timeout"
+ UPDATE_CA_TRUST = "/usr/sbin/update-ca-certificates"
+# BIN_CURL = "/usr/bin/curl"
+# ZIP = "/usr/bin/zip"
+ BIND_LDAP_SO = "/usr/share/doc/bind9-dyndb-ldap/copyright"
+ BIND_LDAP_DNS_IPA_WORKDIR = "/var/cache/bind/dyndb-ldap/ipa/"
+ BIND_LDAP_DNS_ZONE_WORKDIR = "/var/cache/bind/dyndb-ldap/ipa/master/"
+# USR_LIB_DIRSRV = "/usr/lib/dirsrv"
+# LIB_FIREFOX = "/usr/lib/firefox"
+ LIBSOFTHSM2_SO = "/usr/lib/%s/softhsm/libsofthsm2.so" % MULTIARCH
+ LIB_SYSTEMD_SYSTEMD_DIR = "/lib/systemd/system/"
+# BIND_LDAP_SO_64 = "/usr/lib64/bind/ldap.so"
+# USR_LIB_DIRSRV_64 = "/usr/lib64/dirsrv"
+# LIB64_FIREFOX = "/usr/lib64/firefox"
+# LIBSOFTHSM2_SO_64 = "/usr/lib64/pkcs11/libsofthsm2.so"
+ DOGTAG_IPA_CA_RENEW_AGENT_SUBMIT = "/usr/lib/certmonger/dogtag-ipa-ca-renew-agent-submit"
+ DOGTAG_IPA_RENEW_AGENT_SUBMIT = "/usr/lib/certmonger/dogtag-ipa-renew-agent-submit"
+ IPA_SERVER_GUARD = "/usr/lib/certmonger/ipa-server-guard"
+ GENERATE_RNDC_KEY = "/bin/true"
+ IPA_DNSKEYSYNCD_REPLICA = "/usr/lib/ipa/ipa-dnskeysync-replica"
+ IPA_DNSKEYSYNCD = "/usr/lib/ipa/ipa-dnskeysyncd"
+ IPA_ODS_EXPORTER = "/usr/lib/ipa/ipa-ods-exporter"
+# DNSSEC_KEYFROMLABEL = "/usr/sbin/dnssec-keyfromlabel-pkcs11"
+# GETSEBOOL = "/usr/sbin/getsebool"
+# GROUPADD = "/usr/sbin/groupadd"
+ HTTPD = "/usr/sbin/apache2ctl"
+# IPA_CLIENT_INSTALL = "/usr/sbin/ipa-client-install"
+# IPA_DNS_INSTALL = "/usr/sbin/ipa-dns-install"
+# SBIN_IPA_JOIN = "/usr/sbin/ipa-join"
+# IPA_REPLICA_CONNCHECK = "/usr/sbin/ipa-replica-conncheck"
+# IPA_RMKEYTAB = "/usr/sbin/ipa-rmkeytab"
+# IPACTL = "/usr/sbin/ipactl"
+# NAMED = "/usr/sbin/named"
+# NAMED_PKCS11 = "/usr/sbin/named-pkcs11"
+# NTPD = "/usr/sbin/ntpd"
+# PKIDESTROY = "/usr/sbin/pkidestroy"
+# PKISPAWN = "/usr/sbin/pkispawn"
+ REMOVE_DS_PL = "/usr/sbin/remove-ds"
+# RESTORECON = "/usr/sbin/restorecon"
+# SELINUXENABLED = "/usr/sbin/selinuxenabled"
+# SETSEBOOL = "/usr/sbin/setsebool"
+ SETUP_DS_PL = "/usr/sbin/setup-ds"
+# SMBD = "/usr/sbin/smbd"
+# USERADD = "/usr/sbin/useradd"
+# USR_SHARE_IPA_DIR = "/usr/share/ipa/"
+# CA_TOPOLOGY_ULDIF = "/usr/share/ipa/ca-topology.uldif"
+# FFEXTENSION = "/usr/share/ipa/ffextension"
+# IPA_HTML_DIR = "/usr/share/ipa/html"
+# CA_CRT = "/usr/share/ipa/html/ca.crt"
+# KERBEROSAUTH_XPI = "/usr/share/ipa/html/kerberosauth.xpi"
+# KRB_CON = "/usr/share/ipa/html/krb.con"
+# KRB_JS = "/usr/share/ipa/html/krb.js"
+# HTML_KRB5_INI = "/usr/share/ipa/html/krb5.ini"
+# HTML_KRBREALM_CON = "/usr/share/ipa/html/krbrealm.con"
+# NIS_ULDIF = "/usr/share/ipa/nis.uldif"
+# IPA_PLUGINS = "/usr/share/ipa/plugins"
+# SCHEMA_COMPAT_ULDIF = "/usr/share/ipa/schema_compat.uldif"
+# IPA_JS_PLUGINS_DIR = "/usr/share/ipa/ui/js/plugins"
+# UPDATES_DIR = "/usr/share/ipa/updates/"
+# DICT_WORDS = "/usr/share/dict/words"
+# CACHE_IPA_SESSIONS = "/var/cache/ipa/sessions"
+ VAR_KERBEROS_KRB5KDC_DIR = "/var/lib/krb5kdc/"
+ VAR_KRB5KDC_K5_REALM = "/var/lib/krb5kdc/.k5."
+ CACERT_PEM = "/var/lib/krb5kdc/cacert.pem"
+ KRB5KDC_KADM5_ACL = "/etc/krb5kdc/kadm5.acl"
+ KRB5KDC_KADM5_KEYTAB = "/etc/krb5kdc/kadm5.keytab"
+ KRB5KDC_KDC_CONF = "/etc/krb5kdc/kdc.conf"
+ KRB5KDC_KDC_CONF = "/var/lib/krb5kdc/kdc.conf"
+ KDC_PEM = "/var/lib/krb5kdc/kdc.pem"
+# VAR_LIB = "/var/lib"
+# AUTHCONFIG_LAST = "/var/lib/authconfig/last"
+# VAR_LIB_CERTMONGER_DIR = "/var/lib/certmonger"
+# CERTMONGER_CAS_DIR = "/var/lib/certmonger/cas/"
+# CERTMONGER_CAS_CA_RENEWAL = "/var/lib/certmonger/cas/ca_renewal"
+# CERTMONGER_REQUESTS_DIR = "/var/lib/certmonger/requests/"
+# VAR_LIB_DIRSRV = "/var/lib/dirsrv"
+# DIRSRV_BOOT_LDIF = "/var/lib/dirsrv/boot.ldif"
+# VAR_LIB_DIRSRV_INSTANCE_SCRIPTS_TEMPLATE = "/var/lib/dirsrv/scripts-%s"
+# VAR_LIB_SLAPD_INSTANCE_DIR_TEMPLATE = "/var/lib/dirsrv/slapd-%s"
+# SLAPD_INSTANCE_BACKUP_DIR_TEMPLATE = "/var/lib/dirsrv/slapd-%s/bak/%s"
+# SLAPD_INSTANCE_DB_DIR_TEMPLATE = "/var/lib/dirsrv/slapd-%s/db/%s"
+# SLAPD_INSTANCE_LDIF_DIR_TEMPLATE = "/var/lib/dirsrv/slapd-%s/ldif"
+# VAR_LIB_IPA = "/var/lib/ipa"
+# IPA_CLIENT_SYSRESTORE = "/var/lib/ipa-client/sysrestore"
+# SYSRESTORE_INDEX = "/var/lib/ipa-client/sysrestore/sysrestore.index"
+# IPA_BACKUP_DIR = "/var/lib/ipa/backup"
+# IPA_DNSSEC_DIR = "/var/lib/ipa/dnssec"
+# IPA_KASP_DB_BACKUP = "/var/lib/ipa/ipa-kasp.db.backup"
+# DNSSEC_TOKENS_DIR = "/var/lib/ipa/dnssec/tokens"
+# DNSSEC_SOFTHSM_PIN = "/var/lib/ipa/dnssec/softhsm_pin"
+# IPA_CA_CSR = "/var/lib/ipa/ca.csr"
+# PKI_CA_PUBLISH_DIR = "/var/lib/ipa/pki-ca/publish"
+# REPLICA_INFO_TEMPLATE = "/var/lib/ipa/replica-info-%s"
+# REPLICA_INFO_GPG_TEMPLATE = "/var/lib/ipa/replica-info-%s.gpg"
+# SYSRESTORE = "/var/lib/ipa/sysrestore"
+# STATEFILE_DIR = "/var/lib/ipa/sysupgrade"
+# VAR_LIB_KDCPROXY = "/var/lib/kdcproxy"
+# VAR_LIB_PKI_DIR = "/var/lib/pki"
+# VAR_LIB_PKI_CA_ALIAS_DIR = "/var/lib/pki-ca/alias"
+# VAR_LIB_PKI_TOMCAT_DIR = "/var/lib/pki/pki-tomcat"
+# CA_BACKUP_KEYS_P12 = "/var/lib/pki/pki-tomcat/alias/ca_backup_keys.p12"
+# KRA_BACKUP_KEYS_P12 = "/var/lib/pki/pki-tomcat/alias/kra_backup_keys.p12"
+# CA_CS_CFG_PATH = "/var/lib/pki/pki-tomcat/conf/ca/CS.cfg"
+# CAJARSIGNINGCERT_CFG = (
+# "/var/lib/pki/pki-tomcat/ca/profiles/ca/caJarSigningCert.cfg")
+# CASIGNEDLOGCERT_CFG = (
+# "/var/lib/pki/pki-tomcat/ca/profiles/ca/caSignedLogCert.cfg")
+# KRA_CS_CFG_PATH = "/var/lib/pki/pki-tomcat/conf/kra/CS.cfg"
+# KRACERT_P12 = "/root/kracert.p12"
+# SAMBA_DIR = "/var/lib/samba/"
+# SSSD_DB = "/var/lib/sss/db"
+# SSSD_MC_GROUP = "/var/lib/sss/mc/group"
+# SSSD_MC_PASSWD = "/var/lib/sss/mc/passwd"
+# SSSD_PUBCONF_KNOWN_HOSTS = "/var/lib/sss/pubconf/known_hosts"
+# SSSD_PUBCONF_KRB5_INCLUDE_D_DIR = "/var/lib/sss/pubconf/krb5.include.d/"
+# DIRSRV_LOCK_DIR = "/var/lock/dirsrv"
+# VAR_LOG_DIRSRV_INSTANCE_TEMPLATE = "/var/log/dirsrv/slapd-%s"
+# SLAPD_INSTANCE_ACCESS_LOG_TEMPLATE = "/var/log/dirsrv/slapd-%s/access"
+# SLAPD_INSTANCE_ERROR_LOG_TEMPLATE = "/var/log/dirsrv/slapd-%s/errors"
+ VAR_LOG_HTTPD_DIR = "/var/log/apache2"
+# IPABACKUP_LOG = "/var/log/ipabackup.log"
+# IPACLIENT_INSTALL_LOG = "/var/log/ipaclient-install.log"
+# IPACLIENT_UNINSTALL_LOG = "/var/log/ipaclient-uninstall.log"
+# IPAREPLICA_CA_INSTALL_LOG = "/var/log/ipareplica-ca-install.log"
+# IPAREPLICA_CONNCHECK_LOG = "/var/log/ipareplica-conncheck.log"
+# IPAREPLICA_INSTALL_LOG = "/var/log/ipareplica-install.log"
+# IPARESTORE_LOG = "/var/log/iparestore.log"
+# IPASERVER_CA_INSTALL_LOG = "/var/log/ipaserver-ca-install.log"
+# IPASERVER_INSTALL_LOG = "/var/log/ipaserver-install.log"
+# IPASERVER_KRA_INSTALL_LOG = "/var/log/ipaserver-kra-install.log"
+# IPASERVER_KRA_UNINSTALL_LOG = "/var/log/ipaserver-kra-uninstall.log"
+# IPASERVER_UNINSTALL_LOG = "/var/log/ipaserver-uninstall.log"
+# IPAUPGRADE_LOG = "/var/log/ipaupgrade.log"
+# KADMIND_LOG = "/var/log/kadmind.log"
+# MESSAGES = "/var/log/messages"
+# VAR_LOG_PKI_DIR = "/var/log/pki/"
+# TOMCAT_TOPLEVEL_DIR = "/var/log/pki/pki-tomcat"
+# TOMCAT_CA_DIR = "/var/log/pki/pki-tomcat/ca"
+# TOMCAT_CA_ARCHIVE_DIR = "/var/log/pki/pki-tomcat/ca/archive"
+# TOMCAT_SIGNEDAUDIT_DIR = "/var/log/pki/pki-tomcat/ca/signedAudit"
+# TOMCAT_KRA_DIR = "/var/log/pki/pki-tomcat/kra"
+# TOMCAT_KRA_ARCHIVE_DIR = "/var/log/pki/pki-tomcat/kra/archive"
+# TOMCAT_KRA_SIGNEDAUDIT_DIR = "/var/log/pki/pki-tomcat/kra/signedAudit"
+# LOG_SECURE = "/var/log/secure"
+ NAMED_RUN = "/var/cache/bind/named.run"
+ VAR_OPENDNSSEC_DIR = "/var/lib/opendnssec"
+ OPENDNSSEC_KASP_DB = "/var/lib/opendnssec/db/kasp.db"
+ IPA_ODS_EXPORTER_CCACHE = "/var/lib/opendnssec/tmp/ipa-ods-exporter.ccache"
+# VAR_RUN_DIRSRV_DIR = "/var/run/dirsrv"
+ KRB5CC_HTTPD = "/var/run/apache2/ipa/krbcache/krb5ccache"
+# IPA_RENEWAL_LOCK = "/var/run/ipa/renewal.lock"
+# SVC_LIST_FILE = "/var/run/ipa/services.list"
+# IPA_MEMCACHED_DIR = "/var/run/ipa_memcached"
+# VAR_RUN_IPA_MEMCACHED = "/var/run/ipa_memcached/ipa_memcached"
+# KRB5CC_SAMBA = "/var/run/samba/krb5cc_samba"
+# SLAPD_INSTANCE_SOCKET_TEMPLATE = "/var/run/slapd-%s.socket"
+# ALL_SLAPD_INSTANCE_SOCKETS = "/var/run/slapd-*.socket"
+# ADMIN_CERT_PATH = '/root/.dogtag/pki-tomcat/ca_admin.cert'
+# ENTROPY_AVAIL = '/proc/sys/kernel/random/entropy_avail'
+# LDIF2DB = '/usr/sbin/ldif2db'
+# DB2LDIF = '/usr/sbin/db2ldif'
+# BAK2DB = '/usr/sbin/bak2db'
+# DB2BAK = '/usr/sbin/db2bak'
+# KDCPROXY_CONFIG = '/etc/ipa/kdcproxy/kdcproxy.conf'
+# CERTMONGER = '/usr/sbin/certmonger'
+# NETWORK_MANAGER_CONFIG_DIR = '/etc/NetworkManager/conf.d'
+# IPA_CUSTODIA_CONF_DIR = '/etc/ipa/custodia'
+# IPA_CUSTODIA_CONF = '/etc/ipa/custodia/custodia.conf'
+ IPA_CUSTODIA_SOCKET = "/run/apache2/ipa-custodia.sock"
+ IPA_CUSTODIA_AUDIT_LOG = '/var/log/ipa-custodia.audit.log'
+ IPA_GETKEYTAB = '/usr/sbin/ipa-getkeytab'
+ GENERATE_RNDC_KEY = "/usr/share/ipa/generate-rndc-key.sh"
+
+paths = DebianPathNamespace()
--- /dev/null
+++ b/ipaplatform/debian/services.py
@@ -0,0 +1,200 @@
@@ -0,0 +1,184 @@
+# Authors:
+# Timo Aaltonen <tjaalton@ubuntu.com>
+#
@@ -432,15 +142,8 @@ Date: Fri Mar 1 12:21:00 2013 +0200
+# to their actual systemd service names
+debian_system_units = redhat_services.redhat_system_units
+
+debian_system_units['named-regular'] = 'bind9.service'
+debian_system_units['named-pkcs11'] = 'bind9-pkcs11.service'
+debian_system_units['named'] = debian_system_units['named-pkcs11']
+debian_system_units['pki-tomcatd'] = 'pki-tomcatd.service'
+debian_system_units['pki_tomcatd'] = debian_system_units['pki-tomcatd']
+debian_system_units['ods-enforcerd'] = 'opendnssec-enforcer.service'
+debian_system_units['ods_enforcerd'] = debian_system_units['ods-enforcerd']
+debian_system_units['ods-signerd'] = 'opendnssec-signer.service'
+debian_system_units['ods_signerd'] = debian_system_units['ods-signerd']
+
+# Service classes that implement Debian-specific behaviour
+
@@ -490,17 +193,13 @@ Date: Fri Mar 1 12:21:00 2013 +0200
+ def is_running(self, instance_name=""):
+ ret = True
+ try:
+ result = ipautil.run([paths.SBIN_SERVICE,
+ self.service_name, "status",
+ instance_name],
+ capture_output=True)
+ sout = result.output
+ (sout, serr, rcode) = ipautil.run([paths.SBIN_SERVICE,
+ self.service_name, "status",
+ instance_name])
+ if sout.find("NOT running") >= 0:
+ ret = False
+ if sout.find("stop") >= 0:
+ ret = False
+ if sout.find("inactive") >= 0:
+ ret = False
+ except ipautil.CalledProcessError:
+ ret = False
+ return ret
@@ -536,18 +235,13 @@ Date: Fri Mar 1 12:21:00 2013 +0200
+
+# For services which have no Debian counterpart
+class DebianNoService(base_services.PlatformService):
+ def start(self):
+ return True
+
+ def stop(self):
+ return True
+
+ def restart(self):
+ return True
+
+ def disable(self):
+ return True
+
+
+class DebianSSHService(DebianSysvService):
+ def get_config_dir(self, instance_name=""):
+ return '/etc/ssh'
@@ -569,11 +263,11 @@ Date: Fri Mar 1 12:21:00 2013 +0200
+ if name == 'krb5kdc':
+ return DebianSysvService("krb5-kdc")
+ if name == 'messagebus':
+ return DebianNoService(name)
+ return DebianSysvService("dbus")
+ if name == 'named':
+ return DebianSysvService("bind9")
+ if name == 'ntpd':
+ return DebianSysvService("ntp")
+ if name == 'smb':
+ return DebianSysvService("smbd")
+ if name == 'sshd':
+ return DebianSSHService(name)
+ return DebianService(name)
@@ -597,7 +291,7 @@ Date: Fri Mar 1 12:21:00 2013 +0200
+knownservices = DebianServices()
--- /dev/null
+++ b/ipaplatform/debian/tasks.py
@@ -0,0 +1,52 @@
@@ -0,0 +1,53 @@
+# Authors:
+# Timo Aaltonen <tjaalton@ubuntu.com>
+#
@@ -625,8 +319,6 @@ Date: Fri Mar 1 12:21:00 2013 +0200
+from ipaplatform.base.tasks import *
+from ipaplatform.redhat.tasks import RedHatTaskNamespace
+
+BaseTask = BaseTaskNamespace()
+
+class DebianTaskNamespace(RedHatTaskNamespace):
+
+ def restore_pre_ipa_client_configuration(self, fstore, statestore,
@@ -643,11 +335,14 @@ Date: Fri Mar 1 12:21:00 2013 +0200
+ def modify_pam_to_use_krb5(self, statestore):
+ return True
+
+ def restore_network_configuration(self, fstore, statestore):
+ def insert_ca_cert_into_systemwide_ca_store(self, ca_certs):
+ return True
+
+ def parse_ipa_version(self, version):
+ return BaseTask.parse_ipa_version(version)
+ def remove_ca_certs_from_systemwide_ca_store(self):
+ return True
+
+ def restore_network_configuration(self, fstore, statestore):
+ return True
+
+tasks = DebianTaskNamespace()
--- a/ipaplatform/setup.py.in
@@ -662,7 +357,7 @@ Date: Fri Mar 1 12:21:00 2013 +0200
"ipaplatform.rhel"],
--- a/ipaserver/install/ntpinstance.py
+++ b/ipaserver/install/ntpinstance.py
@@ -50,6 +50,8 @@ class NTPInstance(service.Service):
@@ -46,6 +46,8 @@ class NTPInstance(service.Service):
os = "fedora"
elif ipautil.file_exists(paths.ETC_REDHAT_RELEASE):
os = "rhel"
@@ -671,37 +366,177 @@ Date: Fri Mar 1 12:21:00 2013 +0200
srv_vals = []
srv_vals.append("0.%s.pool.ntp.org" % os)
--- /dev/null
+++ b/ipaplatform/debian/constants.py
@@ -0,0 +1,31 @@
+#
+# Copyright (C) 2015 FreeIPA Contributors see COPYING for license
+#
@@ -105,9 +107,9 @@ class NTPInstance(service.Service):
fd.close()
for line in lines:
sline = line.strip()
- if not sline.startswith('OPTIONS'):
+ if not sline.startswith('NTPD_OPTS'):
continue
- sline = sline.replace('"', '')
+ sline = sline.replace('\'', '')
for opt in needopts:
if sline.find(opt['val']) != -1:
opt['need'] = False
@@ -123,12 +125,12 @@ class NTPInstance(service.Service):
for line in lines:
if not done:
sline = line.strip()
- if not sline.startswith('OPTIONS'):
+ if not sline.startswith('NTPD_OPTS'):
fd.write(line)
continue
- sline = sline.replace('"', '')
+ sline = sline.replace('\'', '')
(variable, opts) = sline.split('=', 1)
- fd.write('OPTIONS="%s %s"\n' % (opts, ' '.join(newopts)))
+ fd.write('NTPD_OPTS="%s %s"\n' % (opts, ' '.join(newopts)))
done = True
else:
fd.write(line)
--- a/ipaserver/install/ldapupdate.py
+++ b/ipaserver/install/ldapupdate.py
@@ -247,9 +247,9 @@ class LDAPUpdate:
bits = platform.architecture()[0]
if bits == "64bit":
- return "64"
+ return "/x86_64-linux-gnu"
else:
- return ""
+ return "/i386-linux-gnu"
def _template_str(self, s):
try:
--- a/ipaserver/install/httpinstance.py
+++ b/ipaserver/install/httpinstance.py
@@ -118,6 +118,7 @@ class HTTPInstance(service.Service):
self.step("creating a keytab for httpd", self.__create_http_keytab)
self.step("clean up any existing httpd ccache", self.remove_httpd_ccache)
self.step("configuring SELinux for httpd", self.configure_selinux_for_httpd)
+ ipautil.run(["/usr/sbin/a2enmod", "nss"], capture_output=True)
self.step("restarting httpd", self.__start)
self.step("configuring httpd to start on boot", self.__enable)
@@ -204,14 +205,14 @@ class HTTPInstance(service.Service):
self.move_service(self.principal)
self.add_cert_to_service()
- pent = pwd.getpwnam("apache")
+ pent = pwd.getpwnam("www-data")
os.chown(paths.IPA_KEYTAB, pent.pw_uid, pent.pw_gid)
def remove_httpd_ccache(self):
# Clean up existing ccache
# Make sure that empty env is passed to avoid passing KRB5CCNAME from
# current env
- ipautil.run(['kdestroy', '-A'], runas='apache', raiseonerr=False, env={})
+ ipautil.run(['kdestroy', '-A'], runas='www-data', raiseonerr=False, env={})
def __configure_http(self):
target_fname = paths.HTTPD_IPA_CONF
@@ -260,11 +261,11 @@ class HTTPInstance(service.Service):
installutils.set_directive(paths.HTTPD_NSS_CONF, 'NSSRequireSafeNegotiation', 'on', False)
def __set_mod_nss_passwordfile(self):
- installutils.set_directive(paths.HTTPD_NSS_CONF, 'NSSPassPhraseDialog', 'file:/etc/httpd/conf/password.conf')
+ installutils.set_directive(paths.HTTPD_NSS_CONF, 'NSSPassPhraseDialog', 'file:' + paths.HTTPD_PASSWORD_CONF)
def __add_include(self):
"""This should run after __set_mod_nss_port so is already backed up"""
- if installutils.update_file(paths.HTTPD_NSS_CONF, '</VirtualHost>', 'Include conf.d/ipa-rewrite.conf\n</VirtualHost>') != 0:
+ if installutils.update_file(paths.HTTPD_NSS_CONF, '</VirtualHost>', 'Include conf-available/ipa-rewrite.conf\n</VirtualHost>') != 0:
print "Adding Include conf.d/ipa-rewrite to %s failed." % paths.HTTPD_NSS_CONF
def __setup_ssl(self):
@@ -305,7 +306,7 @@ class HTTPInstance(service.Service):
os.chmod(certs.NSS_DIR + "/secmod.db", 0660)
os.chmod(certs.NSS_DIR + "/pwdfile.txt", 0660)
- pent = pwd.getpwnam("apache")
+ pent = pwd.getpwnam("www-data")
os.chown(certs.NSS_DIR + "/cert8.db", 0, pent.pw_gid )
os.chown(certs.NSS_DIR + "/key3.db", 0, pent.pw_gid )
os.chown(certs.NSS_DIR + "/secmod.db", 0, pent.pw_gid )
@@ -400,6 +401,8 @@ class HTTPInstance(service.Service):
if not running is None:
self.stop()
+ ipautil.run(["/usr/sbin/a2dismod", "nss"], capture_output=True)
+
+'''
+This Debian family platform module exports platform dependant constants.
+'''
+
+# Fallback to default path definitions
+from ipaplatform.base.constants import BaseConstantsNamespace
+
+
+class DebianConstantsNamespace(BaseConstantsNamespace):
+# DS_USER = "dirsrv"
+# DS_GROUP = "dirsrv"
+ HTTPD_USER = "www-data"
+# IPA_DNS_PACKAGE_NAME = "freeipa-server-dns"
+# KDCPROXY_USER = "kdcproxy"
+ NAMED_USER = "bind"
+ NAMED_GROUP = "bind"
+ # ntpd init variable used for daemon options
+ NTPD_OPTS_VAR = "NTPD_OPTS"
+ # quote used for daemon options
+ NTPD_OPTS_QUOTE = "\'"
+ ODS_USER = "opendnssec"
+ ODS_GROUP = "opendnssec"
+# PKI_USER = "pkiuser"
+ SECURE_NFS_VAR = "NEED_GSSD"
+# SSSD_USER = "sssd"
+
+constants = DebianConstantsNamespace()
self.stop_tracking_certificates()
if not enabled is None and not enabled:
self.disable()
--- a/ipaserver/install/ipa_server_certinstall.py
+++ b/ipaserver/install/ipa_server_certinstall.py
@@ -148,7 +148,7 @@ class ServerCertInstall(admintool.AdminT
os.chmod(os.path.join(dirname, 'key3.db'), 0640)
os.chmod(os.path.join(dirname, 'secmod.db'), 0640)
- pent = pwd.getpwnam("apache")
+ pent = pwd.getpwnam("www-data")
os.chown(os.path.join(dirname, 'cert8.db'), 0, pent.pw_gid)
os.chown(os.path.join(dirname, 'key3.db'), 0, pent.pw_gid)
os.chown(os.path.join(dirname, 'secmod.db'), 0, pent.pw_gid)
--- a/ipaserver/install/cainstance.py
+++ b/ipaserver/install/cainstance.py
@@ -1130,7 +1130,7 @@ class CAInstance(service.Service):
os.chmod(self.ra_agent_db + "/key3.db", 0640)
os.chmod(self.ra_agent_db + "/secmod.db", 0640)
- pent = pwd.getpwnam("apache")
+ pent = pwd.getpwnam("www-data")
os.chown(self.ra_agent_db + "/cert8.db", 0, pent.pw_gid )
os.chown(self.ra_agent_db + "/key3.db", 0, pent.pw_gid )
os.chown(self.ra_agent_db + "/secmod.db", 0, pent.pw_gid )
--- a/ipaserver/install/certs.py
+++ b/ipaserver/install/certs.py
@@ -740,7 +740,7 @@ class CertDB(object):
f.close()
pwdfile.close()
# TODO: replace explicit uid by a platform-specific one
- self.set_perms(self.pwd_conf, uid="apache")
+ self.set_perms(self.pwd_conf, uid="www-data")
def find_root_cert(self, nickname):
"""
--- a/init/ipa_memcached.conf
+++ b/init/ipa_memcached.conf
@@ -1,5 +1,5 @@
SOCKET_PATH=/var/run/ipa_memcached/ipa_memcached
-USER=apache
+USER=www-data
MAXCONN=1024
CACHESIZE=64
OPTIONS=
--- a/ipaserver/install/bindinstance.py
+++ b/ipaserver/install/bindinstance.py
@@ -483,7 +483,7 @@ class BindInstance(service.Service):
suffix = ipautil.dn_attribute_property('_suffix')
def setup(self, fqdn, ip_address, realm_name, domain_name, forwarders, ntp,
- reverse_zone, named_user="named", zonemgr=None,
+ reverse_zone, named_user="bind", zonemgr=None,
ca_configured=None):
self.named_user = named_user
self.fqdn = fqdn
@@ -874,7 +874,7 @@ class BindInstance(service.Service):
def __generate_rndc_key(self):
installutils.check_entropy()
- ipautil.run(['/usr/libexec/generate-rndc-key.sh'])
+ ipautil.run(paths.GENERATE_RNDC_KEY)
def add_master_dns_records(self, fqdn, ip_address, realm_name, domain_name,
reverse_zone, ntp=False, ca_configured=None):
--- a/init/systemd/ipa_memcached.service
+++ b/init/systemd/ipa_memcached.service
@@ -4,7 +4,7 @@ After=network.target
[Service]
Type=forking
-EnvironmentFile=/etc/sysconfig/ipa_memcached
+EnvironmentFile=/etc/default/ipa_memcached
PIDFile=/var/run/ipa_memcached/ipa_memcached.pid
ExecStart=/usr/bin/memcached -d -s $SOCKET_PATH -u $USER -m $CACHESIZE -c $MAXCONN -P /var/run/ipa_memcached/ipa_memcached.pid $OPTIONS

193
debian/patches/configure-apache-from-installer.diff vendored
View File

@@ -1,193 +0,0 @@
From 9cce757cbdb19e71d314339cd2b822792dde3210 Mon Sep 17 00:00:00 2001
From: Martin Basti <mbasti@redhat.com>
Date: Wed, 16 Mar 2016 09:04:42 +0100
Subject: [PATCH] Configure httpd service from installer instead of directly
from RPM
File httpd.service was created by RPM, what causes that httpd service may
fail due IPA specific configuration even if IPA wasn't installed or was
uninstalled (without erasing RPMs).
With this patch httpd service is configured by httpd.d/ipa.conf during
IPA installation and this config is removed by uninstaller, so no
residual http configuration related to IPA should stay there.
https://fedorahosted.org/freeipa/ticket/5681
---
freeipa.spec.in | 4 ++--
install/share/Makefile.am | 1 +
.../httpd.service => install/share/ipa-httpd.conf | 2 +-
ipaplatform/base/paths.py | 2 ++
ipaplatform/base/tasks.py | 8 ++++++++
ipaplatform/redhat/tasks.py | 19 +++++++++++++++++++
ipaserver/install/httpinstance.py | 6 ++++++
ipaserver/install/server/upgrade.py | 5 +++++
8 files changed, 44 insertions(+), 3 deletions(-)
rename init/systemd/httpd.service => install/share/ipa-httpd.conf (82%)
--- a/freeipa.spec.in
+++ b/freeipa.spec.in
@@ -832,7 +832,6 @@ mkdir -p %{buildroot}%{_unitdir}
mkdir -p %{buildroot}%{etc_systemd_dir}
install -m 644 init/systemd/ipa.service %{buildroot}%{_unitdir}/ipa.service
install -m 644 init/systemd/ipa_memcached.service %{buildroot}%{_unitdir}/ipa_memcached.service
-install -m 644 init/systemd/httpd.service %{buildroot}%{etc_systemd_dir}/httpd.service
install -m 644 init/systemd/ipa-custodia.service %{buildroot}%{_unitdir}/ipa-custodia.service
# END
mkdir -p %{buildroot}/%{_localstatedir}/lib/ipa/backup
@@ -1143,7 +1142,7 @@ fi
%{_tmpfilesdir}/%{name}.conf
%attr(644,root,root) %{_unitdir}/ipa_memcached.service
%attr(644,root,root) %{_unitdir}/ipa-custodia.service
-%attr(644,root,root) %{etc_systemd_dir}/httpd.service
+%ghost %attr(644,root,root) %{etc_systemd_dir}/httpd.d/ipa.conf
# END
%dir %{_usr}/share/ipa
%{_usr}/share/ipa/wsgi.py*
@@ -1218,6 +1217,7 @@ fi
%{_usr}/share/ipa/ipa-rewrite.conf
%{_usr}/share/ipa/ipa-pki-proxy.conf
%{_usr}/share/ipa/kdcproxy.conf
+%{_usr}/share/ipa/ipa-httpd.conf
%ghost %attr(0644,root,apache) %config(noreplace) %{_usr}/share/ipa/html/ca.crt
%ghost %attr(0644,root,apache) %{_usr}/share/ipa/html/kerberosauth.xpi
%ghost %attr(0644,root,apache) %{_usr}/share/ipa/html/krb.con
--- a/install/share/Makefile.am
+++ b/install/share/Makefile.am
@@ -88,6 +88,7 @@ app_DATA = \
kdcproxy.conf \
kdcproxy-enable.uldif \
kdcproxy-disable.uldif \
+ ipa-httpd.conf \
$(NULL)
EXTRA_DIST = \
--- a/init/systemd/httpd.service
+++ /dev/null
@@ -1,7 +0,0 @@
-.include /usr/lib/systemd/system/httpd.service
-
-[Service]
-Environment=KRB5CCNAME=/var/run/httpd/ipa/krbcache/krb5ccache
-Environment=KDCPROXY_CONFIG=/etc/ipa/kdcproxy/kdcproxy.conf
-ExecStartPre=/usr/libexec/ipa/ipa-httpd-kdcproxy
-ExecStopPost=-/usr/bin/kdestroy -A
--- /dev/null
+++ b/install/share/ipa-httpd.conf
@@ -0,0 +1,7 @@
+# Do not edit. Created by IPA installer.
+
+[Service]
+Environment=KRB5CCNAME=/run/apache2/ipa/krbcache/krb5ccache
+Environment=KDCPROXY_CONFIG=/etc/ipa/kdcproxy/kdcproxy.conf
+ExecStartPre=/usr/lib/ipa/ipa-httpd-kdcproxy
+ExecStopPost=-/usr/bin/kdestroy -A
--- a/ipaplatform/base/paths.py
+++ b/ipaplatform/base/paths.py
@@ -127,6 +127,8 @@ class BasePathNamespace(object):
SYSCONFIG_PKI_TOMCAT = "/etc/sysconfig/pki-tomcat"
SYSCONFIG_PKI_TOMCAT_PKI_TOMCAT_DIR = "/etc/sysconfig/pki/tomcat/pki-tomcat"
ETC_SYSTEMD_SYSTEM_DIR = "/etc/systemd/system/"
+ SYSTEMD_SYSTEM_HTTPD_D_DIR = "/etc/systemd/system/httpd.d/"
+ SYSTEMD_SYSTEM_HTTPD_IPA_CONF = "/etc/systemd/system/httpd.d/ipa.conf"
SYSTEMD_CERTMONGER_SERVICE = "/etc/systemd/system/multi-user.target.wants/certmonger.service"
SYSTEMD_IPA_SERVICE = "/etc/systemd/system/multi-user.target.wants/ipa.service"
SYSTEMD_SSSD_SERVICE = "/etc/systemd/system/multi-user.target.wants/sssd.service"
--- a/ipaplatform/base/tasks.py
+++ b/ipaplatform/base/tasks.py
@@ -236,3 +236,11 @@ class BaseTaskNamespace(object):
:return: object implementing proper __cmp__ method for version compare
"""
return parse_version(version)
+
+ def configure_httpd_service_ipa_conf(self):
+ """Configure httpd service to work with IPA"""
+ return
+
+ def remove_httpd_service_ipa_conf(self):
+ """Remove configuration of httpd service of IPA"""
+ return
--- a/ipaplatform/redhat/tasks.py
+++ b/ipaplatform/redhat/tasks.py
@@ -30,6 +30,7 @@ import stat
import socket
import sys
import base64
+import shutil
from cffi import FFI
from ctypes.util import find_library
from functools import total_ordering
@@ -460,5 +461,23 @@ class RedHatTaskNamespace(BaseTaskNamesp
"""
return IPAVersion(version)
+ def configure_httpd_service_ipa_conf(self):
+ """Create systemd config for httpd service to work with IPA
+ """
+ if not os.path.exists(paths.SYSTEMD_SYSTEM_HTTPD_D_DIR):
+ os.mkdir(paths.SYSTEMD_SYSTEM_HTTPD_D_DIR, 0o755)
+
+ shutil.copy(
+ os.path.join(ipautil.SHARE_DIR, 'ipa-httpd.conf'),
+ paths.SYSTEMD_SYSTEM_HTTPD_IPA_CONF)
+ os.chmod(paths.SYSTEMD_SYSTEM_HTTPD_IPA_CONF, 0o644)
+ self.restore_context(paths.SYSTEMD_SYSTEM_HTTPD_IPA_CONF)
+
+ def remove_httpd_service_ipa_conf(self):
+ """Remove systemd config for httpd service of IPA"""
+ try:
+ os.unlink(paths.SYSTEMD_SYSTEM_HTTPD_IPA_CONF)
+ except OSError:
+ pass
tasks = RedHatTaskNamespace()
--- a/ipaserver/install/httpinstance.py
+++ b/ipaserver/install/httpinstance.py
@@ -225,6 +225,8 @@ class HTTPInstance(service.Service):
[paths.KDESTROY, '-A'], runas=HTTPD_USER, raiseonerr=False, env={})
def __configure_http(self):
+ self.update_httpd_service_ipa_conf()
+
target_fname = paths.HTTPD_IPA_CONF
http_txt = ipautil.template_file(ipautil.SHARE_DIR + "ipa.conf", self.sub_dict)
self.fstore.backup_file(paths.HTTPD_IPA_CONF)
@@ -479,6 +481,9 @@ class HTTPInstance(service.Service):
except Exception as e:
root_logger.critical("Unable to start oddjobd: {0}".format(str(e)))
+ def update_httpd_service_ipa_conf(self):
+ tasks.configure_httpd_service_ipa_conf()
+
def uninstall(self):
if self.is_configured():
self.print_msg("Unconfiguring web server")
@@ -534,6 +539,7 @@ class HTTPInstance(service.Service):
installutils.remove_file(paths.HTTPD_IPA_PKI_PROXY_CONF)
installutils.remove_file(paths.HTTPD_IPA_KDCPROXY_CONF_SYMLINK)
installutils.remove_file(paths.HTTPD_IPA_KDCPROXY_CONF)
+ tasks.remove_httpd_service_ipa_conf()
# Restore SELinux boolean states
boolean_states = {name: self.restore_state(name)
--- a/ipaserver/install/server/upgrade.py
+++ b/ipaserver/install/server/upgrade.py
@@ -1376,6 +1376,10 @@ def update_mod_nss_cipher_suite(http):
'cipher_suite_updated',
httpinstance.NSS_CIPHER_REVISION)
+def update_ipa_httpd_service_conf(http):
+ root_logger.info('[Updating HTTPD service IPA configuration]')
+ http.update_httpd_service_ipa_conf()
+
def ds_enable_sidgen_extdom_plugins(ds):
"""For AD trust agents, make sure we enable sidgen and extdom plugins
@@ -1562,6 +1566,7 @@ def upgrade_configuration():
http.enable_kdcproxy()
http.stop()
+ update_ipa_httpd_service_conf(http)
update_mod_nss_protocol(http)
update_mod_nss_cipher_suite(http)
fix_trust_flags()

12
debian/patches/create-sysconfig-ods.diff vendored
View File

@@ -1,12 +0,0 @@
--- a/ipaserver/install/opendnssecinstance.py
+++ b/ipaserver/install/opendnssecinstance.py
@@ -212,6 +212,9 @@ class OpenDNSSECInstance(service.Service
if not self.fstore.has_file(paths.SYSCONFIG_ODS):
self.fstore.backup_file(paths.SYSCONFIG_ODS)
+ # create the configfile, opendnssec-enforcer doesn't ship it
+ open(paths.SYSCONFIG_ODS, 'a').close()
+
installutils.set_directive(paths.SYSCONFIG_ODS,
'SOFTHSM2_CONF',
paths.DNSSEC_SOFTHSM2_CONF,

20
debian/patches/enable-mod-nss-during-setup.diff vendored
View File

@@ -1,20 +0,0 @@
--- a/ipaserver/install/httpinstance.py
+++ b/ipaserver/install/httpinstance.py
@@ -183,6 +183,7 @@ class HTTPInstance(service.Service):
self.step("create KDC proxy user", create_kdcproxy_user)
self.step("create KDC proxy config", self.create_kdcproxy_conf)
self.step("enable KDC proxy", self.enable_kdcproxy)
+ ipautil.run(["/usr/sbin/a2enmod", "nss"], capture_output=True)
self.step("restarting httpd", self.__start)
self.step("configuring httpd to start on boot", self.__enable)
self.step("enabling oddjobd", self.enable_and_start_oddjobd)
@@ -507,6 +508,8 @@ class HTTPInstance(service.Service):
except Exception:
pass
+ ipautil.run(["/usr/sbin/a2dismod", "nss"], capture_output=True)
+
self.stop_tracking_certificates()
helper = self.restore_state('certmonger_ipa_helper')

39
debian/patches/fix-bind-conf.diff vendored Normal file
View File

@@ -0,0 +1,39 @@
--- a/install/share/bind.named.conf.template
+++ b/install/share/bind.named.conf.template
@@ -3,7 +3,7 @@ options {
listen-on-v6 {any;};
// Put files that named is allowed to write in the data/ directory:
- directory "/var/named"; // the default
+ directory "/var/cache/bind"; // the default
dump-file "data/cache_dump.db";
statistics-file "data/named_stats.txt";
memstatistics-file "data/named_mem_stats.txt";
@@ -14,7 +14,7 @@ options {
// Any host is permitted to issue recursive queries
allow-recursion { any; };
- tkey-gssapi-keytab "/etc/named.keytab";
+ tkey-gssapi-keytab "/etc/bind/named.keytab";
pid-file "/run/named/named.pid";
dnssec-enable yes;
@@ -32,12 +32,13 @@ logging {
};
};
-zone "." IN {
- type hint;
- file "named.ca";
-};
+// included below
+//zone "." IN {
+// type hint;
+// file "named.ca";
+//};
-include "/etc/named.rfc1912.zones";
+include "/etc/bind/named.conf.default-zones";
dynamic-db "ipa" {
library "ldap.so";

34
debian/patches/fix-dnssec-services.diff vendored
View File

@@ -1,34 +0,0 @@
--- a/daemons/dnssec/ipa-dnskeysyncd.service
+++ b/daemons/dnssec/ipa-dnskeysyncd.service
@@ -2,11 +2,11 @@
Description=IPA key daemon
[Service]
-EnvironmentFile=/etc/sysconfig/ipa-dnskeysyncd
-ExecStart=/usr/libexec/ipa/ipa-dnskeysyncd
-User=ods
-Group=named
-SupplementaryGroups=ods
+EnvironmentFile=/etc/default/ipa-dnskeysyncd
+ExecStart=/usr/lib/ipa/ipa-dnskeysyncd
+User=opendnssec
+Group=bind
+SupplementaryGroups=opendnssec
PrivateTmp=yes
Restart=on-failure
RestartSec=60s
--- a/daemons/dnssec/ipa-ods-exporter.service
+++ b/daemons/dnssec/ipa-ods-exporter.service
@@ -4,9 +4,9 @@ Wants=ipa-ods-exporter.socket
After=ipa-ods-exporter.socket
[Service]
-EnvironmentFile=/etc/sysconfig/ipa-ods-exporter
-ExecStart=/usr/libexec/ipa/ipa-ods-exporter
-User=ods
+EnvironmentFile=/etc/default/ipa-ods-exporter
+ExecStart=/usr/lib/ipa/ipa-ods-exporter
+User=opendnssec
PrivateTmp=yes
Restart=on-failure
RestartSec=60s

77
debian/patches/fix-hyphen-used-as-minus-sign.patch vendored Normal file
View File

@@ -0,0 +1,77 @@
Description: Fix hyphen-used-as-minus-sign warning (found by Lintian).
See https://lintian.debian.org/tags/hyphen-used-as-minus-sign.html for
an explanation.
Author: Benjamin Drung <benjamin.drung@profitbricks.com>
--- a/install/tools/man/ipa-adtrust-install.1
+++ b/install/tools/man/ipa-adtrust-install.1
@@ -107,7 +107,7 @@ The name of the user with administrative
\fB\-a\fR, \fB\-\-admin\-password\fR=\fIpassword\fR
The password of the user with administrative privileges for this IPA server. Will be asked interactively if \fB\-U\fR is not specified.
.TP
-The credentials of the admin user will be used to obtain Kerberos ticket before configuring cross-realm trusts support and afterwards, to ensure that the ticket contains MS-PAC information required to actually add a trust with Active Directory domain via 'ipa trust-add --type=ad' command.
+The credentials of the admin user will be used to obtain Kerberos ticket before configuring cross-realm trusts support and afterwards, to ensure that the ticket contains MS-PAC information required to actually add a trust with Active Directory domain via 'ipa trust\-add \-\-type=ad' command.
.TP
\fB\-\-enable\-compat\fR
Enables support for trusted domains users for old clients through Schema Compatibility plugin.
--- a/install/tools/man/ipa-replica-conncheck.1
+++ b/install/tools/man/ipa-replica-conncheck.1
@@ -70,13 +70,13 @@ Output only errors
.SH "EXAMPLES"
.TP
-\fBipa-replica-conncheck -m master.example.com\fR
+\fBipa\-replica\-conncheck \-m master.example.com\fR
Run a replica machine connection check against a remote master \fImaster.example.com\fR. If the connection to the remote master machine is successful the program will switch to listening mode and prompt for running the master machine part. The second part check the connection from master to replica.
.TP
-\fBipa-replica-conncheck -R replica.example.com\fR
+\fBipa\-replica\-conncheck \-R replica.example.com\fR
Run a master machine connection check part. This is either run automatically by replica part of the connection check program (when \fI-a\fR option is set) or manually by the user. A running ipa-replica-conncheck(1) in a listening mode must be already running on a replica machine.
.TP
-\fBipa-replica-conncheck -m master.example.com -a -r EXAMPLE.COM -w password\fR
+\fBipa\-replica\-conncheck \-m master.example.com \-a \-r EXAMPLE.COM \-w password\fR
Run a replica\-master connection check. In case of a success switch to listening mode, automatically log to \fImaster.example.com\fR in a realm \fIEXAMPLE.COM\fR with a password \fIpassword\fR and run the second part of the connection check.
.SH "EXIT STATUS"
--- a/install/tools/man/ipa-server-install.1
+++ b/install/tools/man/ipa-server-install.1
@@ -49,7 +49,7 @@ Create home directories for users on the
The fully\-qualified DNS name of this server. If the hostname does not match system hostname, the system hostname will be updated accordingly to prevent service failures.
.TP
\fB\-\-ip\-address\fR=\fIIP_ADDRESS\fR
-The IP address of this server. If this address does not match the address the host resolves to and --setup-dns is not selected the installation will fail. If the server hostname is not resolvable, a record for the hostname and IP_ADDRESS is added to /etc/hosts.
+The IP address of this server. If this address does not match the address the host resolves to and \-\-setup\-dns is not selected the installation will fail. If the server hostname is not resolvable, a record for the hostname and IP_ADDRESS is added to /etc/hosts.
.TP
\fB\-N\fR, \fB\-\-no\-ntp\fR
Do not configure NTP
--- a/ipatests/man/ipa-test-config.1
+++ b/ipatests/man/ipa-test-config.1
@@ -22,7 +22,7 @@ ipa\-test\-config \- Generate FreeIPA te
.SH "SYNOPSIS"
ipa\-test\-config [options]
.br
-ipa\-test\-config [options] --global
+ipa\-test\-config [options] \-\-global
.br
ipa\-test\-config [options] hostname
.SH "DESCRIPTION"
@@ -37,7 +37,7 @@ If run without arguments, it prints out
host.
Another host may be specified as an argument, or via the \-\-master,
\-\-replica, and \-\-client options.
-With the --global option, it prints only configuration that is not specific to
+With the \-\-global option, it prints only configuration that is not specific to
any host.
.SH "OPTIONS"
--- a/ipatests/man/ipa-test-task.1
+++ b/ipatests/man/ipa-test-task.1
@@ -20,7 +20,7 @@
.SH "NAME"
ipa\-test\-task \- Run a task for FreeIPA testing
.SH "SYNOPSIS"
-ipa\-test\-task -h
+ipa\-test\-task \-h
.br
ipa\-test\-task [global-options] TASK [task-options]
.SH "DESCRIPTION"

50
debian/patches/fix-ipa-conf.diff vendored
View File

@@ -1,7 +1,7 @@
Description: Fix paths
--- a/install/conf/ipa.conf
+++ b/install/conf/ipa.conf
@@ -37,7 +37,7 @@ FileETag None
@@ -38,7 +38,7 @@ FileETag None
# FIXME: WSGISocketPrefix is a server-scope directive. The mod_wsgi package
# should really be fixed by adding this its /etc/httpd/conf.d/wsgi.conf:
@@ -10,29 +10,16 @@ Description: Fix paths
# Configure mod_wsgi handler for /ipa
@@ -62,9 +62,9 @@ WSGIScriptReloading Off
<Location "/ipa">
AuthType GSSAPI
AuthName "Kerberos Login"
- GssapiCredStore keytab:/etc/httpd/conf/ipa.keytab
- GssapiCredStore client_keytab:/etc/httpd/conf/ipa.keytab
- GssapiDelegCcacheDir /var/run/httpd/ipa/clientcaches
+ GssapiCredStore keytab:/etc/apache2/ipa.keytab
+ GssapiCredStore client_keytab:/etc/apache2/ipa.keytab
+ GssapiDelegCcacheDir /var/run/apache2/ipa/clientcaches
GssapiUseS4U2Proxy on
GssapiAllowedMech krb5
@@ -71,7 +71,7 @@ KrbConstrainedDelegationLock ipa
KrbMethodK5Passwd off
KrbServiceName HTTP
KrbAuthRealms $REALM
- Krb5KeyTab /etc/httpd/conf/ipa.keytab
+ Krb5KeyTab /etc/apache2/ipa.keytab
KrbSaveCredentials on
KrbConstrainedDelegation on
Require valid-user
@@ -107,7 +107,7 @@ WSGIScriptReloading Off
# Custodia stuff is redirected to the custodia daemon
# after authentication
<Location "/ipa/keys/">
- ProxyPass "unix:/run/httpd/ipa-custodia.sock|http://localhost/keys/"
+ ProxyPass "unix:/run/apache2/ipa-custodia.sock|http://localhost/keys/"
RequestHeader set GSS_NAME %{GSS_NAME}s
RequestHeader set REMOTE_USER %{REMOTE_USER}s
</Location>
@@ -141,8 +141,8 @@ Alias /ipa/crl "$CRL_PUBLISH_PATH"
@@ -138,8 +138,8 @@ Alias /ipa/crl "$CRL_PUBLISH_PATH"
# List explicitly only the fonts we want to serve
@@ -43,3 +30,20 @@ Description: Fix paths
<Directory "/usr/share/fonts">
SetHandler None
AllowOverride None
@@ -175,14 +175,14 @@ Alias /ipa/wsgi "/usr/share/ipa/wsgi"
</Directory>
# Protect our CGIs
-<Directory /var/www/cgi-bin>
+<Directory /usr/lib/cgi-bin>
AuthType Kerberos
AuthName "Kerberos Login"
KrbMethodNegotiate on
KrbMethodK5Passwd off
KrbServiceName HTTP
KrbAuthRealms $REALM
- Krb5KeyTab /etc/httpd/conf/ipa.keytab
+ Krb5KeyTab /etc/apache2/ipa.keytab
KrbSaveCredentials on
Require valid-user
ErrorDocument 401 /ipa/errors/unauthorized.html

12
debian/patches/fix-ipa-otpd-install.diff vendored
View File

@@ -1,12 +0,0 @@
--- a/daemons/ipa-otpd/Makefile.am
+++ b/daemons/ipa-otpd/Makefile.am
@@ -2,7 +2,8 @@ AM_CFLAGS := @LDAP_CFLAGS@ @LIBVERTO_CFL
AM_LDFLAGS := @LDAP_LIBS@ @LIBVERTO_LIBS@ @KRAD_LIBS@
noinst_HEADERS = internal.h
-libexec_PROGRAMS = ipa-otpd
+appdir = $(libexecdir)/ipa/
+app_PROGRAMS = ipa-otpd
dist_noinst_DATA = ipa-otpd.socket.in ipa-otpd@.service.in test.py
systemdsystemunit_DATA = ipa-otpd.socket ipa-otpd@.service

33
debian/patches/fix-kdcproxy-paths.diff vendored
View File

@@ -1,33 +0,0 @@
--- a/install/conf/ipa-kdc-proxy.conf.template
+++ b/install/conf/ipa-kdc-proxy.conf.template
@@ -1,24 +1,24 @@
# Kerberos over HTTP / MS-KKDCP support (Kerberos KDC Proxy)
#
-# The symlink from /etc/ipa/kdcproxy/ to /etc/httpd/conf.d/ is maintained
-# by the ExecStartPre script /usr/libexec/ipa/ipa-httpd-kdcproxy in
+# The symlink from /etc/ipa/kdcproxy/ to /etc/apache2/conf.enabled/ is maintained
+# by the ExecStartPre script /usr/lib/ipa/ipa-httpd-kdcproxy in
# httpd.service. The service also sets the environment variable
# KDCPROXY_CONFIG to $KDCPROXY_CONFIG.
#
# Disable KDC Proxy on the current host:
# # ipa-ldap-updater /usr/share/ipa/kdcproxy-disable.uldif
-# # systemctl restart httpd.service
+# # systemctl restart apache2.service
#
# Enable KDC Proxy on the current host:
# # ipa-ldap-updater /usr/share/ipa/kdcproxy-enable.uldif
-# # systemctl restart httpd.service
+# # systemctl restart apache2.service
#
WSGIDaemonProcess kdcproxy processes=2 threads=15 maximum-requests=5000 \
user=kdcproxy group=kdcproxy display-name=%{GROUP}
-WSGIImportScript /usr/lib/python2.7/site-packages/kdcproxy/__init__.py \
+WSGIImportScript /usr/lib/python2.7/dist-packages/kdcproxy/__init__.py \
process-group=kdcproxy application-group=kdcproxy
-WSGIScriptAlias /KdcProxy /usr/lib/python2.7/site-packages/kdcproxy/__init__.py
+WSGIScriptAlias /KdcProxy /usr/lib/python2.7/dist-packages/kdcproxy/__init__.py
WSGIScriptReloading Off
<Location "/KdcProxy">

93
debian/patches/fix-manpage-has-errors-from-man.patch vendored Normal file
View File

@@ -0,0 +1,93 @@
Description: Fix manpage-has-errors-from-man warning (found by Lintian).
See https://lintian.debian.org/tags/manpage-has-errors-from-man.html for
an explanation. Issues found were
ipa-client-install.1.gz 208: warning [p 5, 4.0i]: cannot adjust line
default.conf.5.gz 50: warning: macro `np' not defined
Author: Benjamin Drung <benjamin.drung@profitbricks.com>
--- freeipa-4.0.2.orig/ipa-client/man/default.conf.5
+++ freeipa-4.0.2/ipa-client/man/default.conf.5
@@ -47,14 +47,14 @@ Valid lines consist of an option name, a
Values should not be quoted, the quotes will not be stripped.
-.np
+.DS L
# Wrong \- don't include quotes
verbose = "True"
# Right \- Properly formatted options
verbose = True
verbose=True
-.fi
+.DE
Options must appear in the section named [global]. There are no other sections defined or used currently.
--- freeipa-4.0.2.orig/ipa-client/man/ipa-client-install.1
+++ freeipa-4.0.2/ipa-client/man/ipa-client-install.1
@@ -205,35 +205,47 @@ Unattended uninstallation. The user will
.TP
Files that will be replaced if SSSD is configured (default):
-/etc/sssd/sssd.conf\p
+/etc/sssd/sssd.conf
.TP
Files that will be replaced if they exist and SSSD is not configured (\-\-no\-sssd):
-/etc/ldap.conf\p
-/etc/nss_ldap.conf\p
-/etc/libnss\-ldap.conf\p
-/etc/pam_ldap.conf\p
-/etc/nslcd.conf\p
+/etc/ldap.conf
+.br
+/etc/nss_ldap.conf
+.br
+/etc/libnss\-ldap.conf
+.br
+/etc/pam_ldap.conf
+.br
+/etc/nslcd.conf
.TP
Files replaced if NTP is enabled:
-/etc/ntp.conf\p
-/etc/sysconfig/ntpd\p
-/etc/ntp/step\-tickers\p
+/etc/ntp.conf
+.br
+/etc/sysconfig/ntpd
+.br
+/etc/ntp/step\-tickers
.TP
Files always created (replacing existing content):
-/etc/krb5.conf\p
-/etc/ipa/ca.crt\p
-/etc/ipa/default.conf\p
-/etc/openldap/ldap.conf\p
+/etc/krb5.conf
+.br
+/etc/ipa/ca.crt
+.br
+/etc/ipa/default.conf
+.br
+/etc/openldap/ldap.conf
.TP
Files updated, existing content is maintained:
-/etc/nsswitch.conf\p
-/etc/pki/nssdb\p
-/etc/krb5.keytab\p
-/etc/sysconfig/network\p
+/etc/nsswitch.conf
+.br
+/etc/pki/nssdb
+.br
+/etc/krb5.keytab
+.br
+/etc/sysconfig/network
.SH "EXIT STATUS"
0 if the installation was successful

11
debian/patches/fix-match-hostname.diff vendored Normal file
View File

@@ -0,0 +1,11 @@
--- a/ipalib/plugins/otptoken.py
+++ b/ipalib/plugins/otptoken.py
@@ -25,7 +25,7 @@ from ipalib.errors import PasswordMismat
from ipalib.request import context
from ipalib.frontend import Local
-from backports.ssl_match_hostname import match_hostname
+from ssl import match_hostname
import base64
import uuid
import urllib

20
debian/patches/fix-memcached.diff vendored
View File

@@ -1,20 +0,0 @@
--- a/init/ipa_memcached.conf
+++ b/init/ipa_memcached.conf
@@ -1,5 +1,5 @@
SOCKET_PATH=/var/run/ipa_memcached/ipa_memcached
-USER=apache
+USER=www-data
MAXCONN=1024
CACHESIZE=64
OPTIONS=
--- a/init/systemd/ipa_memcached.service
+++ b/init/systemd/ipa_memcached.service
@@ -4,7 +4,7 @@ After=network.target
[Service]
Type=forking
-EnvironmentFile=/etc/sysconfig/ipa_memcached
+EnvironmentFile=/etc/default/ipa_memcached
PIDFile=/var/run/ipa_memcached/ipa_memcached.pid
ExecStart=/usr/bin/memcached -d -s $SOCKET_PATH -u $USER -m $CACHESIZE -c $MAXCONN -P /var/run/ipa_memcached/ipa_memcached.pid $OPTIONS

46
debian/patches/fix-named-conf-template.diff vendored
View File

@@ -1,46 +0,0 @@
Description: fix named.conf template
* extra logging disabled as it'd just duplicate everything
* zones are loaded via includes
--- a/install/share/bind.named.conf.template
+++ b/install/share/bind.named.conf.template
@@ -4,9 +4,9 @@ options {
// Put files that named is allowed to write in the data/ directory:
directory "$NAMED_VAR_DIR"; // the default
- dump-file "data/cache_dump.db";
- statistics-file "data/named_stats.txt";
- memstatistics-file "data/named_mem_stats.txt";
+ dump-file "cache_dump.db";
+ statistics-file "named_stats.txt";
+ memstatistics-file "named_mem_stats.txt";
forward first;
forwarders {$FORWARDERS};
@@ -30,18 +30,14 @@ options {
* By default, SELinux policy does not allow named to modify the /var/named directory,
* so put the default debug log file in data/ :
*/
-logging {
- channel default_debug {
- file "data/named.run";
- severity dynamic;
- print-time yes;
- };
-};
+//logging {
+// channel default_debug {
+// file "data/named.run";
+// severity dynamic;
+// print-time yes;
+// };
+//};
-zone "." IN {
- type hint;
- file "named.ca";
-};
include "$RFC1912_ZONES";
include "$ROOT_KEY";

58
debian/patches/fix-oddjobs.diff vendored
View File

@@ -1,58 +0,0 @@
--- a/install/oddjob/etc/dbus-1/system.d/oddjob-ipa-trust.conf
+++ b/install/oddjob/etc/dbus-1/system.d/oddjob-ipa-trust.conf
@@ -30,7 +30,7 @@
send_member="Get"/>
</policy>
- <policy user="apache">
+ <policy user="www-data">
<allow send_destination="com.redhat.idm.trust"
send_path="/"
send_interface="com.redhat.idm.trust"
--- a/install/oddjob/etc/dbus-1/system.d/org.freeipa.server.conf
+++ b/install/oddjob/etc/dbus-1/system.d/org.freeipa.server.conf
@@ -10,7 +10,7 @@
<allow send_destination="org.freeipa.server" send_interface="org.freeipa.server"/>
</policy>
- <policy user="apache">
+ <policy user="www-data">
<allow send_destination="org.freeipa.server" send_interface="org.freeipa.server"/>
</policy>
--- a/install/oddjob/etc/oddjobd.conf.d/ipa-server.conf
+++ b/install/oddjob/etc/oddjobd.conf.d/ipa-server.conf
@@ -2,11 +2,11 @@
<oddjobconfig>
<service name="org.freeipa.server">
<allow user="root"/>
- <allow user="apache"/>
+ <allow user="www-data"/>
<object name="/">
<interface name="org.freeipa.server">
<method name="conncheck">
- <helper exec="/usr/libexec/ipa/oddjob/org.freeipa.server.conncheck"
+ <helper exec="/usr/lib/ipa/oddjob/org.freeipa.server.conncheck"
arguments="1"
prepend_user_name="no"
argument_passing_method="cmdline"/>
--- a/install/oddjob/etc/oddjobd.conf.d/oddjobd-ipa-trust.conf
+++ b/install/oddjob/etc/oddjobd.conf.d/oddjobd-ipa-trust.conf
@@ -2,7 +2,7 @@
<oddjobconfig>
<service name="com.redhat.idm.trust">
<allow user="root"/>
- <allow user="apache"/>
+ <allow user="www-data"/>
<object name="/">
<interface name="org.freedesktop.DBus.Introspectable">
<allow min_uid="0" max_uid="0"/>
@@ -10,7 +10,7 @@
</interface>
<interface name="com.redhat.idm.trust">
<method name="fetch_domains">
- <helper exec="/usr/libexec/ipa/oddjob/com.redhat.idm.trust-fetch-domains"
+ <helper exec="/usr/lib/ipa/oddjob/com.redhat.idm.trust-fetch-domains"
arguments="1"
argument_passing_method="cmdline"
prepend_user_name="no"/>

13
debian/patches/fix-pykerberos-api.diff vendored Normal file
View File

@@ -0,0 +1,13 @@
Description: we have a newer pykerberos than Fedora
diff --git a/ipalib/rpc.py b/ipalib/rpc.py
index 81e7aa3..ce5f2a0 100644
--- a/ipalib/rpc.py
+++ b/ipalib/rpc.py
@@ -380,7 +380,7 @@ class KerbTransport(SSLTransport):
service = "HTTP@" + host.split(':')[0]
try:
- (rc, vc) = kerberos.authGSSClientInit(service, self.flags)
+ (rc, vc) = kerberos.authGSSClientInit(service, gssflags=self.flags)
except kerberos.GSSError, e:
self._handle_exception(e)

11
debian/patches/fix-replicainstall.diff vendored
View File

@@ -1,11 +0,0 @@
--- a/ipaserver/install/server/replicainstall.py
+++ b/ipaserver/install/server/replicainstall.py
@@ -1073,7 +1073,7 @@ def promote_check(installer):
raise RuntimeError("CA cert file is not available! Please reinstall"
"the client and try again.")
- ldapuri = 'ldaps://%s' % ipautil.format_netloc(config.master_host_name)
+ ldapuri = 'ldap://%s' % ipautil.format_netloc(config.master_host_name)
remote_api = create_api(mode=None)
remote_api.bootstrap(in_server=True, context='installer',
ldap_uri=ldapuri)

14
debian/patches/fix-typo.patch vendored Normal file
View File

@@ -0,0 +1,14 @@
Description: Fix typo
Author: Benjamin Drung <benjamin.drung@profitbricks.com>
--- a/ipa-client/man/default.conf.5
+++ b/ipa-client/man/default.conf.5
@@ -140,7 +140,7 @@
in the logger tree. The dot character is also a regular
expression metacharacter (matches any character) therefore you
will usually need to escape the dot in the logger names by
-preceeding it with a backslash.
+preceding it with a backslash.
.TP
.B mode <mode>
Specifies the mode the server is running in. The currently support values are \fBproduction\fR and \fBdevelopment\fR. When running in production mode some self\-tests are skipped to improve performance.

15
debian/patches/hack-libarch.diff vendored
View File

@@ -1,15 +0,0 @@
--- a/ipaserver/install/ldapupdate.py
+++ b/ipaserver/install/ldapupdate.py
@@ -335,9 +335,9 @@ class LDAPUpdate:
bits = platform.architecture()[0]
if bits == "64bit":
- return "64"
+ return "/x86_64-linux-gnu"
else:
- return ""
+ return "/i386-linux-gnu"
def _template_str(self, s):
try:

11
debian/patches/no-test-lang.diff vendored Normal file
View File

@@ -0,0 +1,11 @@
--- a/Makefile
+++ b/Makefile
@@ -114,7 +114,7 @@ client-dirs:
lint: bootstrap-autogen
./make-lint $(LINT_OPTIONS)
- $(MAKE) -C install/po validate-src-strings
+# $(MAKE) -C install/po validate-src-strings
test:

11
debian/patches/port-ipa-client-automount.diff vendored Normal file
View File

@@ -0,0 +1,11 @@
--- a/ipa-client/ipa-install/ipa-client-automount
+++ b/ipa-client/ipa-install/ipa-client-automount
@@ -311,7 +311,7 @@
Configure secure NFS
"""
replacevars = {
- 'SECURE_NFS': 'yes',
+ 'NEED_GSSD': 'yes',
}
ipautil.backup_config_and_replace_variables(fstore,
NFS_CONF, replacevars=replacevars)

48
debian/patches/prefix.patch vendored
View File

@@ -5,19 +5,23 @@ use the debian layout when installing python modules
--- a/Makefile
+++ b/Makefile
@@ -113,9 +113,9 @@ client-install: client client-dirs
cd install/po && $(MAKE) install || exit 1;
@for subdir in $(CLIENTPYDIRS); do \
if [ "$(DESTDIR)" = "" ]; then \
- (cd $$subdir && $(PYTHON) setup.py install); \
+ (cd $$subdir && $(PYTHON) setup.py install --install-layout=deb); \
else \
- (cd $$subdir && $(PYTHON) setup.py install --root $(DESTDIR)); \
+ (cd $$subdir && $(PYTHON) setup.py install --root $(DESTDIR) --install-layout=deb); \
fi \
@@ -96,11 +96,11 @@ client-install: client client-dirs
done
cd install/po && $(MAKE) install || exit 1;
if [ "$(DESTDIR)" = "" ]; then \
- $(PYTHON) setup-client.py install; \
- (cd ipaplatform && $(PYTHON) setup.py install); \
+ $(PYTHON) setup-client.py install --install-layout=deb; \
+ (cd ipaplatform && $(PYTHON) setup.py install --install-layout=deb); \
else \
- $(PYTHON) setup-client.py install --root $(DESTDIR); \
- (cd ipaplatform && $(PYTHON) setup.py install --root $(DESTDIR)); \
+ $(PYTHON) setup-client.py install --root $(DESTDIR) --install-layout=deb; \
+ (cd ipaplatform && $(PYTHON) setup.py install --root $(DESTDIR) --install-layout=deb); \
fi
@@ -198,11 +198,11 @@ server: version-update
client-dirs:
@@ -171,11 +171,11 @@ server: version-update
server-install: server
if [ "$(DESTDIR)" = "" ]; then \
@@ -33,7 +37,7 @@ use the debian layout when installing python modules
fi
tests: version-update tests-man-autogen
@@ -213,7 +213,7 @@ tests-install: tests
@@ -186,7 +186,7 @@ tests-install: tests
if [ "$(DESTDIR)" = "" ]; then \
cd ipatests; $(PYTHON) setup.py install; \
else \
@@ -44,23 +48,23 @@ use the debian layout when installing python modules
--- a/ipapython/Makefile
+++ b/ipapython/Makefile
@@ -13,7 +13,7 @@ install:
@@ -14,7 +14,7 @@ install:
if [ "$(DESTDIR)" = "" ]; then \
$(PYTHON) setup.py install; \
python2 setup.py install; \
else \
- $(PYTHON) setup.py install --root $(DESTDIR); \
+ $(PYTHON) setup.py install --root $(DESTDIR) --install-layout=deb; \
- python2 setup.py install --root $(DESTDIR); \
+ python2 setup.py install --root $(DESTDIR) --install-layout=deb; \
fi
@for subdir in $(SUBDIRS); do \
(cd $$subdir && $(MAKE) $@) || exit 1; \
--- a/ipalib/Makefile
+++ b/ipalib/Makefile
@@ -12,7 +12,7 @@ install:
--- a/ipapython/py_default_encoding/Makefile
+++ b/ipapython/py_default_encoding/Makefile
@@ -9,7 +9,7 @@ install:
if [ "$(DESTDIR)" = "" ]; then \
$(PYTHON) setup.py install; \
python2 setup.py install; \
else \
- $(PYTHON) setup.py install --root $(DESTDIR); \
+ $(PYTHON) setup.py install --root $(DESTDIR) --install-layout=deb; \
- python2 setup.py install --root $(DESTDIR); \
+ python2 setup.py install --root $(DESTDIR) --install-layout=deb; \
fi
clean:

682
debian/patches/purge-firefox-extension.diff vendored
View File

@@ -1,682 +0,0 @@
commit 5d6e79b8f03198056103a31acc20536f8323756d
Author: Timo Aaltonen <tjaalton@debian.org>
Date: Tue Mar 29 21:33:15 2016 +0300
Purge firefox extension
diff --git a/freeipa.spec.in b/freeipa.spec.in
index b0861d8..67152f6 100644
--- a/freeipa.spec.in
+++ b/freeipa.spec.in
@@ -158,7 +158,6 @@ Requires: pki-ca >= 10.2.6-13
Requires: pki-kra >= 10.2.6-13
Requires(preun): python systemd-units
Requires(postun): python systemd-units
-Requires: zip
Requires: policycoreutils >= 2.1.12-5
Requires: tar
Requires(pre): certmonger >= 0.78
diff --git a/install/Makefile.am b/install/Makefile.am
index ac52ad3..d13ecb7 100644
--- a/install/Makefile.am
+++ b/install/Makefile.am
@@ -7,7 +7,6 @@ NULL =
SUBDIRS = \
certmonger \
conf \
- ffextension \
html \
migration \
share \
diff --git a/install/ffextension/Makefile.am b/install/ffextension/Makefile.am
deleted file mode 100644
index 7a72205..0000000
--- a/install/ffextension/Makefile.am
+++ /dev/null
@@ -1,23 +0,0 @@
-AUTOMAKE_OPTIONS = 1.7
-
-NULL =
-
-SUBDIRS = \
- chrome \
- locale \
- $(NULL)
-
-appdir = $(IPA_DATA_DIR)/ffextension
-app_DATA = \
- bootstrap.js \
- chrome.manifest \
- install.rdf \
- $(NULL)
-
-EXTRA_DIST = \
- $(app_DATA) \
- $(NULL)
-
-MAINTAINERCLEANFILES = \
- *~ \
- Makefile.in
diff --git a/install/ffextension/bootstrap.js b/install/ffextension/bootstrap.js
deleted file mode 100644
index 7e2ae57..0000000
--- a/install/ffextension/bootstrap.js
+++ /dev/null
@@ -1,88 +0,0 @@
-// Heavily inspired by Dave Townsend's post:
-// Playing with windows in restartless (bootstrapped) extensions
-// http://www.oxymoronical.com/blog/2011/01/Playing-with-windows-in-restartless-bootstrapped-extensions
-
-const Cc = Components.classes;
-const Ci = Components.interfaces;
-const Cu = Components.utils;
-
-var WindowListener = {
-
- setupBrowserUI: function(domWindow) {
- var doc = domWindow.document;
- domWindow.kerberosauth_listener = kerberosauth_listener(domWindow);
- doc.addEventListener('kerberos-auth-config', domWindow.kerberosauth_listener, false, true);
- },
-
- tearDownBrowserUI: function(domWindow) {
-
- var doc = domWindow.document;
- doc.removeEventListener('kerberos-auth-config', domWindow.kerberosauth_listener);
- delete domWindow.kerberosauth_listener;
- },
-
- // nsIWindowMediatorListener functions
- onOpenWindow: function(xulWindow) {
- // A new window has opened
- var domWindow = xulWindow.QueryInterface(Ci.nsIInterfaceRequestor).
- getInterface(Ci.nsIDOMWindowInternal);
-
- // Wait for it to finish loading
- domWindow.addEventListener("load", function listener() {
- domWindow.removeEventListener("load", listener, false);
-
- // If this is a browser window then setup its UI
- if (domWindow.document.documentElement.getAttribute("windowtype") === "navigator:browser") {
- WindowListener.setupBrowserUI(domWindow);
- }
- }, false);
- },
-
- onCloseWindow: function(xulWindow) {
- },
-
- onWindowTitleChange: function(xulWindow, newTitle) {
- }
-};
-
-function startup(data, reason) {
- var wm = Cc["@mozilla.org/appshell/window-mediator;1"].getService(Ci.nsIWindowMediator);
-
- Cu['import']("chrome://kerberosauth/content/kerberosauth.js");
-
- // Get the list of browser windows already open
- var windows = wm.getEnumerator("navigator:browser");
- while (windows.hasMoreElements()) {
- var domWindow = windows.getNext().QueryInterface(Ci.nsIDOMWindow);
-
- WindowListener.setupBrowserUI(domWindow);
- }
-
- // Wait for any new browser windows to open
- wm.addListener(WindowListener);
-}
-
-function shutdown(data, reason) {
- // When the application is shutting down we normally don't have to clean
- // up any UI changes made
- if (reason == APP_SHUTDOWN)
- return;
-
- var wm = Cc["@mozilla.org/appshell/window-mediator;1"].
- getService(Ci.nsIWindowMediator);
-
- // Get the list of browser windows already open
- var windows = wm.getEnumerator("navigator:browser");
- while (windows.hasMoreElements()) {
- var domWindow = windows.getNext().QueryInterface(Ci.nsIDOMWindow);
- WindowListener.tearDownBrowserUI(domWindow);
- }
-
- // Stop listening for any new browser windows to open
- wm.removeListener(WindowListener);
-
- Cu.unload("chrome://kerberosauth/content/kerberosauth.js");
-}
-
-function install() {}
-function uninstall() {}
\ No newline at end of file
diff --git a/install/ffextension/chrome.manifest b/install/ffextension/chrome.manifest
deleted file mode 100644
index 775d3a3..0000000
--- a/install/ffextension/chrome.manifest
+++ /dev/null
@@ -1,4 +0,0 @@
-content kerberosauth chrome/content/
-resource kerberosauth chrome/content/
-overlay chrome://browser/content/browser.xul resource://kerberosauth/kerberosauth_overlay.xul
-locale kerberosauth en-US locale/en-US/
\ No newline at end of file
diff --git a/install/ffextension/chrome/Makefile.am b/install/ffextension/chrome/Makefile.am
deleted file mode 100644
index 10d23a7..0000000
--- a/install/ffextension/chrome/Makefile.am
+++ /dev/null
@@ -1,19 +0,0 @@
-AUTOMAKE_OPTIONS = 1.7
-
-NULL =
-
-SUBDIRS = \
- content \
- $(NULL)
-
-appdir = $(IPA_DATA_DIR)/ffextension/chrome
-app_DATA = \
- $(NULL)
-
-EXTRA_DIST = \
- $(app_DATA) \
- $(NULL)
-
-MAINTAINERCLEANFILES = \
- *~ \
- Makefile.in
diff --git a/install/ffextension/chrome/content/Makefile.am b/install/ffextension/chrome/content/Makefile.am
deleted file mode 100644
index 7ff81e5..0000000
--- a/install/ffextension/chrome/content/Makefile.am
+++ /dev/null
@@ -1,17 +0,0 @@
-AUTOMAKE_OPTIONS = 1.7
-
-NULL =
-
-appdir = $(IPA_DATA_DIR)/ffextension/chrome/content
-app_DATA = \
- kerberosauth_overlay.xul \
- kerberosauth.js \
- $(NULL)
-
-EXTRA_DIST = \
- $(app_DATA) \
- $(NULL)
-
-MAINTAINERCLEANFILES = \
- *~ \
- Makefile.in
diff --git a/install/ffextension/chrome/content/kerberosauth.js b/install/ffextension/chrome/content/kerberosauth.js
deleted file mode 100644
index c5afde9..0000000
--- a/install/ffextension/chrome/content/kerberosauth.js
+++ /dev/null
@@ -1,197 +0,0 @@
-/* Authors:
- * Petr Vobornik <pvoborni@redhat.com>
- *
- * Copyright (C) 2012 Red Hat
- * see file 'COPYING' for use and warranty information
- *
- * This program is free software; you can redistribute it and/or modify
- * it under the terms of the GNU General Public License as published by
- * the Free Software Foundation, either version 3 of the License, or
- * (at your option) any later version.
- *
- * This program is distributed in the hope that it will be useful,
- * but WITHOUT ANY WARRANTY; without even the implied warranty of
- * MERCHANTABILITY or FITNESS FOR A PARTICULAR PURPOSE. See the
- * GNU General Public License for more details.
- *
- * You should have received a copy of the GNU General Public License
- * along with this program. If not, see <http://www.gnu.org/licenses/>.
- */
-
-var EXPORTED_SYMBOLS = ["kerberosauth", "kerberosauth_listener"];
-
-var Cc = Components.classes;
-var Ci = Components.interfaces;
-
-var kerberosauth = {
-
- // Dictionary of configuration options this extension can configure.
- // An alias (key) is set for each options. Using a set of aliases limits
- // configuration pages from supplying potential malicious options.
- config_options: {
- referer: ['network.http.sendRefererHeader', 'int'],
- native_gss_lib: ['network.negotiate-auth.using-native-gsslib', 'bool'],
- trusted_uris: ['network.negotiate-auth.trusted-uris', 'str'],
- allow_proxies: ['network.negotiate-auth.allow-proxies', 'bool']
- },
-
- // Some preconfigurations to make things easier. Can be good if UI is added
- // (mostly for future usage).
- predefined_configurations: {
- ipa: {
- referer: '2',
- native_gss_lib: 'true',
- trusted_uris: '',
- allow_proxies: 'true',
- append: ['trusted_uris']
- }
- },
-
- page_listener: function(event, dom_window) {
-
- var self = this;
-
- var conf = {
- event: event,
- window: dom_window || window,
- element: event.target
- };
-
- if (!conf.element.hasAttribute('method')) return;
-
- var method = conf.element.getAttribute('method');
-
- if (method === 'configure') self.configure(conf);
- if (method === 'can_configure') self.send_response(conf.element, { answer: 'true' });
- },
-
- send_response: function(element, options) {
-
- options = options || {};
-
- var doc = element.ownerDocument;
-
- for (var opt in options) {
- element.setAttribute(opt, options[opt]);
- }
-
- var answer_event = doc.createEvent("HTMLEvents");
- answer_event.initEvent("kerberos-auth-answer", true, false);
- element.dispatchEvent(answer_event);
- },
-
- notify_installed: function(window) {
- var doc = window.document;
- var event = doc.createEvent("HTMLEvents");
- event.initEvent("kerberos-auth-installed", true, false);
- doc.dispatchEvent(event);
- },
-
- configure: function(conf) {
- var self = this;
-
- var options = {}; // options to be configured
- var opt;
-
- // use predefined configuration if supplied
- if (conf.element.hasAttribute('predefined')) {
- var predefined = conf.element.getAttribute('predefined');
-
- var pconfig = self.predefined_configurations[predefined];
- if (pconfig) {
- for (opt in pconfig) {
- options[opt] = pconfig[opt];
- }
- }
- }
-
- // overwrite predefined with supplied and only supported options
- for (var i=0; i < conf.element.attributes.length; i++) {
- var attr = conf.element.attributes[i].name;
- if (attr in self.config_options) {
- options[attr] = conf.element.getAttribute(attr);
- }
- }
-
- if (self.prompt(conf, options)) {
- self.configure_core(conf, options);
- self.send_response(conf.element, { answer: 'configured' });
- } else {
- self.send_response(conf.element, { answer: 'aborted' });
- }
- },
-
- configure_core: function(conf, options) {
-
- var self = this;
-
- var prefs = Cc["@mozilla.org/preferences-service;1"].getService(Ci.nsIPrefBranch);
- var append_opts = options.append || [];
-
- for (var opt in options) {
-
- if (!self.config_options[opt]) continue;
-
- var name = self.config_options[opt][0];
- var type = self.config_options[opt][1];
- var value = options[opt];
-
- if (type === 'str') {
- if (value && append_opts.indexOf(opt) > -1) {
- var current = prefs.getCharPref(name) || '';
- if (this.str_contains(current, value)) {
- continue;
- } else if (current) {
- value = current + ', ' + value;
- }
- }
- prefs.setCharPref(name, value);
- } else if (type ==='int') {
- prefs.setIntPref(name, Number(value));
- } else if (type === 'bool') {
- prefs.setBoolPref(name, value === 'true');
- }
- }
- },
-
- str_contains: function(str, value) {
-
- if (!str) return false;
- var vals = str.split(',');
- for (var i=0, l=vals.length; i<l; i++) {
- if (vals[i].trim() === value) return true;
- }
- return false;
- },
-
- prompt: function(conf, options) {
- var strs = Cc["@mozilla.org/intl/stringbundle;1"].
- getService(Ci.nsIStringBundleService).
- createBundle("chrome://kerberosauth/locale/kerberosauth.properties");
-
- var prompts = Cc["@mozilla.org/embedcomp/prompt-service;1"].
- getService(Ci.nsIPromptService);
-
- var title = strs.GetStringFromName('prompt_title');
- var text = strs.GetStringFromName('prompt_topic');
-
- if (options.trusted_uris) {
- text += strs.GetStringFromName('prompt_domain').replace('${domain}', options.trusted_uris);
- }
- text += strs.GetStringFromName('prompt_question');
-
- var flags = prompts.STD_YES_NO_BUTTONS;
-
- var confirmed = prompts.confirmEx(conf.window, title, text, flags, "","","",
- null,{value: false}) === 0;
- return confirmed;
- }
-};
-
-var kerberosauth_listener = function(window) {
-
- return function(event) {
-
- kerberosauth.page_listener(event, window);
- };
-};
\ No newline at end of file
diff --git a/install/ffextension/chrome/content/kerberosauth_overlay.xul b/install/ffextension/chrome/content/kerberosauth_overlay.xul
deleted file mode 100644
index acad079..0000000
--- a/install/ffextension/chrome/content/kerberosauth_overlay.xul
+++ /dev/null
@@ -1,9 +0,0 @@
-<?xml version="1.0"?>
-
-<overlay id="kerberosauthOverlay" xmlns="http://www.mozilla.org/keymaster/gatekeeper/there.is.only.xul">
-
- <script type="application/x-javascript">
- Components.utils['import']("resource://kerberosauth/kerberosauth.js");
- window.addEventListener('kerberos-auth-config', kerberosauth_listener(window), false, true);
- </script>
-</overlay>
\ No newline at end of file
diff --git a/install/ffextension/install.rdf b/install/ffextension/install.rdf
deleted file mode 100644
index d931f19..0000000
--- a/install/ffextension/install.rdf
+++ /dev/null
@@ -1,26 +0,0 @@
-<?xml version="1.0"?>
-<RDF xmlns="http://www.w3.org/1999/02/22-rdf-syntax-ns#"
- xmlns:em="http://www.mozilla.org/2004/em-rdf#">
-
- <Description about="urn:mozilla:install-manifest">
-
- <em:id>kerberosauth@redhat.com</em:id>
- <em:name>Kerberos Configuration</em:name>
- <em:version>0.1</em:version>
- <em:description>Configures browser to use negotiate authentication</em:description>
- <em:type>2</em:type>
- <em:creator>Red Hat, Inc.</em:creator>
- <em:developer>Petr Vobornik</em:developer>
- <em:homepageURL>http://www.redhat.com/</em:homepageURL>
- <em:bootstrap>true</em:bootstrap>
-
- <!-- Firefox -->
- <em:targetApplication>
- <Description>
- <em:id>{ec8030f7-c20a-464f-9b0e-13a3a9e97384}</em:id>
- <em:minVersion>10.0</em:minVersion>
- <em:maxVersion>15.0.*</em:maxVersion>
- </Description>
- </em:targetApplication>
- </Description>
-</RDF>
\ No newline at end of file
diff --git a/install/ffextension/locale/Makefile.am b/install/ffextension/locale/Makefile.am
deleted file mode 100644
index 7e64536..0000000
--- a/install/ffextension/locale/Makefile.am
+++ /dev/null
@@ -1,19 +0,0 @@
-AUTOMAKE_OPTIONS = 1.7
-
-NULL =
-
-SUBDIRS = \
- en-US \
- $(NULL)
-
-appdir = $(IPA_DATA_DIR)/ffextension/locale
-app_DATA = \
- $(NULL)
-
-EXTRA_DIST = \
- $(app_DATA) \
- $(NULL)
-
-MAINTAINERCLEANFILES = \
- *~ \
- Makefile.in
diff --git a/install/ffextension/locale/en-US/Makefile.am b/install/ffextension/locale/en-US/Makefile.am
deleted file mode 100644
index d19e8c7..0000000
--- a/install/ffextension/locale/en-US/Makefile.am
+++ /dev/null
@@ -1,16 +0,0 @@
-AUTOMAKE_OPTIONS = 1.7
-
-NULL =
-
-appdir = $(IPA_DATA_DIR)/ffextension/locale/en-US
-app_DATA = \
- kerberosauth.properties \
- $(NULL)
-
-EXTRA_DIST = \
- $(app_DATA) \
- $(NULL)
-
-MAINTAINERCLEANFILES = \
- *~ \
- Makefile.in
diff --git a/install/ffextension/locale/en-US/kerberosauth.properties b/install/ffextension/locale/en-US/kerberosauth.properties
deleted file mode 100644
index b822535..0000000
--- a/install/ffextension/locale/en-US/kerberosauth.properties
+++ /dev/null
@@ -1,4 +0,0 @@
-prompt_title=Kerberos configuration confirmation
-prompt_topic=The page you are visiting is trying to configure Firefox for Kerberos authentication.
-prompt_domain=\n\nDomain: ${domain}
-prompt_question=\n\nDo you want to configure the browser?
\ No newline at end of file
diff --git a/install/share/Makefile.am b/install/share/Makefile.am
index b4cb831..b666bb2 100644
--- a/install/share/Makefile.am
+++ b/install/share/Makefile.am
@@ -51,7 +51,6 @@ app_DATA = \
krb5.conf.template \
krb5.ini.template \
krb.con.template \
- krb.js.template \
krbrealm.con.template \
smb.conf.template \
smb.conf.empty \
diff --git a/install/share/krb.js.template b/install/share/krb.js.template
deleted file mode 100644
index e7ea055..0000000
--- a/install/share/krb.js.template
+++ /dev/null
@@ -1,2 +0,0 @@
-var IPA_REALM = "$REALM";
-var IPA_DOMAIN = "$DOMAIN";
\ No newline at end of file
diff --git a/ipaplatform/base/paths.py b/ipaplatform/base/paths.py
index 1b79015..19dffb0 100644
--- a/ipaplatform/base/paths.py
+++ b/ipaplatform/base/paths.py
@@ -180,7 +180,6 @@ class BasePathNamespace(object):
BIN_TIMEOUT = "/usr/bin/timeout"
UPDATE_CA_TRUST = "/usr/bin/update-ca-trust"
BIN_CURL = "/usr/bin/curl"
- ZIP = "/usr/bin/zip"
BIND_LDAP_SO = "/usr/lib/bind/ldap.so"
BIND_LDAP_DNS_IPA_WORKDIR = "/var/named/dyndb-ldap/ipa/"
BIND_LDAP_DNS_ZONE_WORKDIR = "/var/named/dyndb-ldap/ipa/master/"
@@ -223,12 +222,9 @@ class BasePathNamespace(object):
USERADD = "/usr/sbin/useradd"
USR_SHARE_IPA_DIR = "/usr/share/ipa/"
CA_TOPOLOGY_ULDIF = "/usr/share/ipa/ca-topology.uldif"
- FFEXTENSION = "/usr/share/ipa/ffextension"
IPA_HTML_DIR = "/usr/share/ipa/html"
CA_CRT = "/usr/share/ipa/html/ca.crt"
- KERBEROSAUTH_XPI = "/usr/share/ipa/html/kerberosauth.xpi"
KRB_CON = "/usr/share/ipa/html/krb.con"
- KRB_JS = "/usr/share/ipa/html/krb.js"
HTML_KRB5_INI = "/usr/share/ipa/html/krb5.ini"
HTML_KRBREALM_CON = "/usr/share/ipa/html/krbrealm.con"
NIS_ULDIF = "/usr/share/ipa/nis.uldif"
diff --git a/ipaserver/install/httpinstance.py b/ipaserver/install/httpinstance.py
index b0fbe69..8b2d2ea 100644
--- a/ipaserver/install/httpinstance.py
+++ b/ipaserver/install/httpinstance.py
@@ -130,7 +130,7 @@ class HTTPInstance(service.Service):
subject_base = ipautil.dn_attribute_property('_subject_base')
def create_instance(self, realm, fqdn, domain_name, dm_password=None,
- autoconfig=True, pkcs12_info=None,
+ pkcs12_info=None,
subject_base=None, auto_redirect=True, ca_file=None,
ca_is_configured=None, promote=False):
self.fqdn = fqdn
@@ -173,8 +173,6 @@ class HTTPInstance(service.Service):
self.step("setting up httpd keytab", self.__create_http_keytab)
self.step("setting up ssl", self.__setup_ssl)
self.step("importing CA certificates from LDAP", self.__import_ca_certs)
- if autoconfig:
- self.step("setting up browser autoconfig", self.__setup_autoconfig)
if not self.promote:
self.step("publish CA cert", self.__publish_ca_cert)
self.step("clean up any existing httpd ccache", self.remove_httpd_ccache)
@@ -371,42 +369,6 @@ class HTTPInstance(service.Service):
db = certs.CertDB(self.realm, subject_base=self.subject_base)
self.import_ca_certs(db, self.ca_is_configured)
- def __setup_autoconfig(self):
- self.setup_firefox_extension(self.realm, self.domain)
-
- def setup_firefox_extension(self, realm, domain):
- """Set up the signed browser configuration extension
- """
-
- target_fname = paths.KRB_JS
- sub_dict = dict(REALM=realm, DOMAIN=domain)
- db = certs.CertDB(realm)
- with open(db.passwd_fname) as pwdfile:
- pwd = pwdfile.read()
-
- ipautil.copy_template_file(ipautil.SHARE_DIR + "krb.js.template",
- target_fname, sub_dict)
- os.chmod(target_fname, 0o644)
-
- # Setup extension
- tmpdir = tempfile.mkdtemp(prefix="tmp-")
- extdir = tmpdir + "/ext"
- target_fname = paths.KERBEROSAUTH_XPI
- shutil.copytree(paths.FFEXTENSION, extdir)
- if db.has_nickname('Signing-Cert'):
- db.run_signtool(["-k", "Signing-Cert",
- "-p", pwd,
- "-X", "-Z", target_fname,
- extdir])
- else:
- root_logger.warning('Object-signing certificate was not found. '
- 'Creating unsigned Firefox configuration extension.')
- filenames = os.listdir(extdir)
- ipautil.run([paths.ZIP, '-r', target_fname] + filenames,
- cwd=extdir)
- shutil.rmtree(tmpdir)
- os.chmod(target_fname, 0o644)
-
def __publish_ca_cert(self):
ca_db = certs.CertDB(self.realm)
ca_db.publish_ca_cert(paths.CA_CRT)
diff --git a/ipaserver/install/server/replicainstall.py b/ipaserver/install/server/replicainstall.py
index e3052c1..6d7ccde 100644
--- a/ipaserver/install/server/replicainstall.py
+++ b/ipaserver/install/server/replicainstall.py
@@ -180,12 +180,10 @@ def install_http(config, auto_redirect, ca_is_configured, promote=False,
http = httpinstance.HTTPInstance()
http.create_instance(
config.realm_name, config.host_name, config.domain_name,
- config.dirman_password, False, pkcs12_info,
+ config.dirman_password, pkcs12_info,
auto_redirect=auto_redirect, ca_file=ca_file,
ca_is_configured=ca_is_configured, promote=promote)
- http.setup_firefox_extension(config.realm_name, config.domain_name)
-
return http
diff --git a/ipaserver/install/server/upgrade.py b/ipaserver/install/server/upgrade.py
index 3e60cfd..622f5f1 100644
--- a/ipaserver/install/server/upgrade.py
+++ b/ipaserver/install/server/upgrade.py
@@ -282,16 +282,6 @@ def cleanup_adtrust(fstore):
root_logger.debug('Removing %s from backup', backed_up_file)
-def setup_firefox_extension(fstore):
- """Set up the Firefox configuration extension, if it's not set up yet
- """
- root_logger.info('[Setting up Firefox extension]')
- http = httpinstance.HTTPInstance(fstore)
- realm = api.env.realm
- domain = api.env.domain
- http.setup_firefox_extension(realm, domain)
-
-
def ca_configure_profiles_acl(ca):
root_logger.info('[Authorizing RA Agent to modify profiles]')
@@ -1600,7 +1590,6 @@ def upgrade_configuration():
cleanup_kdc(fstore)
cleanup_adtrust(fstore)
- setup_firefox_extension(fstore)
add_ca_dns_records()
# Any of the following functions returns True iff the named.conf file

24
debian/patches/revert-pykerberos-api-change.diff vendored Normal file
View File

@@ -0,0 +1,24 @@
Description: so we don't need to patch pykerberos
--- a/ipalib/util.py
+++ b/ipalib/util.py
@@ -59,15 +59,12 @@ def json_serialize(obj):
def get_current_principal():
try:
- import kerberos
- rc, vc = kerberos.authGSSClientInit("notempty")
- rc = kerberos.authGSSClientInquireCred(vc)
- username = kerberos.authGSSClientUserName(vc)
- kerberos.authGSSClientClean(vc)
- return unicode(username)
+ # krbV isn't necessarily available on client machines, fail gracefully
+ import krbV
+ return unicode(krbV.default_context().default_ccache().principal().name)
except ImportError:
- raise RuntimeError('python-kerberos is not available.')
- except kerberos.GSSError, e:
+ raise RuntimeError('python-krbV is not available.')
+ except krbV.Krb5Error:
#TODO: do a kinit?
raise errors.CCacheError()

24
debian/patches/series vendored
View File

@@ -1,21 +1,17 @@
# upstreamed
configure-apache-from-installer.diff
# not upstreamable
work-around-apache-fail.diff
prefix.patch
hack-libarch.diff
enable-mod-nss-during-setup.diff
no-test-lang.diff
port-ipa-client-automount.diff
# send upstream
fix-match-hostname.diff
add-debian-platform.diff
fix-hyphen-used-as-minus-sign.patch
fix-manpage-has-errors-from-man.patch
fix-typo.patch
fix-ipa-conf.diff
fix-kdcproxy-paths.diff
fix-ipa-otpd-install.diff
fix-replicainstall.diff
fix-dnssec-services.diff
create-sysconfig-ods.diff
fix-named-conf-template.diff
fix-memcached.diff
fix-oddjobs.diff
purge-firefox-extension.diff
fix-pykerberos-api.diff
revert-pykerberos-api-change.diff
fix-bind-conf.diff
add-a-clear-openssl-exception.diff

52
debian/patches/work-around-apache-fail.diff vendored
View File

@@ -1,7 +1,19 @@
Description: service apache2 restart fails on sid, so don't do that
--- a/install/tools/ipa-server-install
+++ b/install/tools/ipa-server-install
@@ -1212,7 +1212,8 @@ def main():
# Restart httpd to pick up the new IPA configuration
service.print_msg("Restarting the web server")
- http.restart()
+ http.stop()
+ http.start()
# Set the admin user kerberos password
ds.change_admin_password(admin_password)
--- a/ipaserver/install/httpinstance.py
+++ b/ipaserver/install/httpinstance.py
@@ -191,7 +191,8 @@ class HTTPInstance(service.Service):
@@ -124,7 +124,8 @@ class HTTPInstance(service.Service):
def __start(self):
self.backup_state("running", self.is_running())
@@ -10,40 +22,4 @@ Description: service apache2 restart fails on sid, so don't do that
+ self.start()
def __enable(self):
self.backup_state("enabled", self.is_enabled())
--- a/install/tools/ipa-dns-install
+++ b/install/tools/ipa-dns-install
@@ -142,7 +142,8 @@ def main():
fstore = sysrestore.FileStore(paths.SYSRESTORE)
http = httpinstance.HTTPInstance(fstore)
service.print_msg("Restarting the web server")
- http.restart()
+ http.stop()
+ http.start()
# execute ipactl to refresh services status
ipautil.run(['ipactl', 'start', '--ignore-service-failures'],
--- a/ipaserver/install/server/install.py
+++ b/ipaserver/install/server/install.py
@@ -999,7 +999,8 @@ def install(installer):
# Restart httpd to pick up the new IPA configuration
service.print_msg("Restarting the web server")
- http.restart()
+ http.stop()
+ http.start()
# update DNA shared config entry is done as far as possible
# from restart to avoid waiting for its creation
--- a/ipaserver/install/server/replicainstall.py
+++ b/ipaserver/install/server/replicainstall.py
@@ -856,7 +856,8 @@ def install(installer):
# Restart httpd to pick up the new IPA configuration
service.print_msg("Restarting the web server")
- http.restart()
+ http.stop()
+ http.start()
# Call client install script
service.print_msg("Configuring client side components")
self.backup_state("enabled", self.is_running())

6
debian/python-ipalib.install → debian/python-freeipa.install vendored
View File

@@ -1,7 +1,9 @@
usr/lib/python*/dist-packages/default_encoding_utf8.so
usr/lib/python*/dist-packages/freeipa-*.egg-info
usr/lib/python*/dist-packages/ipalib-*.egg-info
usr/lib/python*/dist-packages/ipalib/*
usr/lib/python*/dist-packages/ipaplatform-*.egg-info
usr/lib/python*/dist-packages/ipaplatform/*
usr/lib/python*/dist-packages/ipapython-*.egg-info
usr/lib/python*/dist-packages/ipapython/*
usr/lib/python*/dist-packages/ipapython/*.py
usr/lib/python*/dist-packages/python_default_encoding-*.egg-info
usr/share/locale

2
debian/python-ipaclient.install vendored
View File

@@ -1,2 +0,0 @@
usr/lib/python*/dist-packages/ipaclient-*.egg-info
usr/lib/python*/dist-packages/ipaclient/*.py

33
debian/python-ipaserver.install vendored
View File

@@ -1,33 +0,0 @@
usr/lib/python*/dist-packages/ipaserver/__init__*
usr/lib/python*/dist-packages/ipaserver/advise/*
usr/lib/python*/dist-packages/ipaserver/install/__init__.py
usr/lib/python*/dist-packages/ipaserver/install/bindinstance.py
usr/lib/python*/dist-packages/ipaserver/install/ca.py
usr/lib/python*/dist-packages/ipaserver/install/cainstance.py
usr/lib/python*/dist-packages/ipaserver/install/certs.py
usr/lib/python*/dist-packages/ipaserver/install/custodiainstance.py
usr/lib/python*/dist-packages/ipaserver/install/dns.py
usr/lib/python*/dist-packages/ipaserver/install/dnskeysyncinstance.py
usr/lib/python*/dist-packages/ipaserver/install/dogtaginstance.py
usr/lib/python*/dist-packages/ipaserver/install/dsinstance.py
usr/lib/python*/dist-packages/ipaserver/install/httpinstance.py
usr/lib/python*/dist-packages/ipaserver/install/installutils.py
usr/lib/python*/dist-packages/ipaserver/install/ipa_*.py
usr/lib/python*/dist-packages/ipaserver/install/kra.py
usr/lib/python*/dist-packages/ipaserver/install/krainstance.py
usr/lib/python*/dist-packages/ipaserver/install/krbinstance.py
usr/lib/python*/dist-packages/ipaserver/install/ldapupdate.py
usr/lib/python*/dist-packages/ipaserver/install/memcacheinstance.py
usr/lib/python*/dist-packages/ipaserver/install/ntpinstance.py
usr/lib/python*/dist-packages/ipaserver/install/odsexporterinstance.py
usr/lib/python*/dist-packages/ipaserver/install/opendnssecinstance.py
usr/lib/python*/dist-packages/ipaserver/install/otpdinstance.py
usr/lib/python*/dist-packages/ipaserver/install/plugins
usr/lib/python*/dist-packages/ipaserver/install/replication.py
usr/lib/python*/dist-packages/ipaserver/install/schemaupdate.py
usr/lib/python*/dist-packages/ipaserver/install/server/*
usr/lib/python*/dist-packages/ipaserver/install/service.py
usr/lib/python*/dist-packages/ipaserver/install/sysupgrade.py
usr/lib/python*/dist-packages/ipaserver/install/upgradeinstance.py
usr/lib/python*/dist-packages/ipaserver/plugins/*
usr/lib/python*/dist-packages/ipaserver/rpcserver*

2
debian/python-ipatests.install vendored
View File

@@ -1,2 +0,0 @@
usr/lib/python*/dist-packages/ipatests-*
usr/lib/python*/dist-packages/ipatests/*

2
debian/python-ipatests.lintian-overrides vendored
View File

@@ -1,2 +0,0 @@
# no need to be executable
python-ipatests: script-not-executable usr/lib/python*/dist-packages/ipatests/test_integration/scripts/caless-create-pki

55
debian/rules vendored
View File

@@ -3,13 +3,9 @@
# Uncomment this to turn on verbose mode.
#export DH_VERBOSE=1
DEB_HOST_MULTIARCH ?= $(shell dpkg-architecture -qDEB_HOST_MULTIARCH)
ONLY_CLIENT=0
ONLY_CLIENT=1
DESTDIR=$(CURDIR)/debian/tmp
export SKIP_API_VERSION_CHECK="yes"
export SUPPORTED_PLATFORM=debian
PLATFORM="SUPPORTED_PLATFORM=debian"
JAVA_STACK_SIZE ?= 8m
export JAVA_STACK_SIZE
@@ -18,17 +14,17 @@ export JAVA_STACK_SIZE
SOURCE = freeipa
gentarball: UV=$(shell dpkg-parsechangelog|awk '/^Version:/ {print $$2}'|sed 's/-.*$$//')
gentarball:
git archive --format=tar experimental --prefix=$(SOURCE)-$(UV)/ | xz --best > ../$(SOURCE)_$(UV).orig.tar.xz
git archive --format=tar upstream --prefix=$(SOURCE)-$(UV)/ | xz --best > ../$(SOURCE)_$(UV).orig.tar.xz
override_dh_auto_clean:
for i in asn1 daemons install ipalib ipapython; do \
for i in daemons install ipapython ipaserver ipa-client; do \
(cd $$i && [ ! -f Makefile ] || $(MAKE) distclean); \
(cd $$i && rm -f COPYING INSTALL depcomp install-sh missing py-compile config.guess config.sub aclocal.m4 config.h.in version.m4); \
done
find . -name "*.pyo" -o -name "*.pyc" -type f -exec rm -f "{}" \;
find . -name "ltmain.sh" -exec rm -f "{}" \;
find . -name "configure" -exec rm -f "{}" \;
rm -rf daemons/ipa-version.h freeipa.spec freeipa.egg-info version.m4
rm -rf daemons/ipa-version.h freeipa.spec freeipa.egg-info ipa-client/ipa-client.spec version.m4
rm -rf ipapython/build RELEASE build
override_dh_autoreconf:
@@ -36,15 +32,13 @@ override_dh_autoreconf:
dh_autoreconf; cd ..
override_dh_auto_configure:
dh_auto_configure -Dclient
dh_auto_configure -Dipa-client
ifneq ($(ONLY_CLIENT), 1)
dh_auto_configure -Ddaemons -- \
--libexecdir=/usr/lib \
--with-openldap \
--with-systemdsystemunitdir=/lib/systemd/system
dh_auto_configure -Dinstall -- \
--libexecdir=/usr/lib
dh_auto_configure -Dinstall
endif
override_dh_auto_build:
@@ -65,35 +59,26 @@ ifneq ($(ONLY_CLIENT), 1)
make $(PLATFORM) IPA_VERSION_IS_GIT_SNAPSHOT=no install DESTDIR=$(DESTDIR)
cd ..
chmod 755 $(DESTDIR)/usr/lib/ipa/certmonger/*
chmod 755 $(DESTDIR)/usr/lib/*/ipa/certmonger/*
mkdir -p $(DESTDIR)/usr/share/bash-completion/completions \
mkdir -p $(DESTDIR)/etc/bash_completion.d \
$(DESTDIR)/etc/default \
$(DESTDIR)/etc/ipa/kdcproxy \
$(DESTDIR)/usr/share/ipa/html
touch $(DESTDIR)/usr/share/ipa/html/ca.crt
touch $(DESTDIR)/usr/share/ipa/html/configure.jar
touch $(DESTDIR)/usr/share/ipa/html/kerberosauth.xpi
touch $(DESTDIR)/usr/share/ipa/html/krb.con
touch $(DESTDIR)/usr/share/ipa/html/krb.js
touch $(DESTDIR)/usr/share/ipa/html/krb5.ini
touch $(DESTDIR)/usr/share/ipa/html/krbrealm.con
touch $(DESTDIR)/usr/share/ipa/html/preferences.html
install -m 0644 contrib/completion/ipa.bash_completion $(DESTDIR)/etc/bash_completion.d/ipa
install -m 0644 init/ipa_memcached.conf $(DESTDIR)/etc/default/ipa_memcached
install -m 0644 init/ipa-dnskeysyncd.conf $(DESTDIR)/etc/default/ipa-dnskeysyncd
install -m 0644 init/ipa-ods-exporter.conf $(DESTDIR)/etc/default/ipa-ods-exporter
install -m 0644 install/share/kdcproxy.conf $(DESTDIR)/etc/ipa/kdcproxy/kdcproxy.conf
install -m 0755 daemons/dnssec/ipa-dnskeysync-replica $(DESTDIR)/usr/lib/ipa/
install -m 0755 daemons/dnssec/ipa-dnskeysyncd $(DESTDIR)/usr/lib/ipa/
install -m 0644 daemons/dnssec/ipa-dnskeysyncd.service $(DESTDIR)/lib/systemd/system
install -m 0755 daemons/dnssec/ipa-ods-exporter $(DESTDIR)/usr/lib/ipa/
install -m 0644 daemons/dnssec/ipa-ods-exporter.service $(DESTDIR)/lib/systemd/system
install -m 0644 daemons/dnssec/ipa-ods-exporter.socket $(DESTDIR)/lib/systemd/system
install -m 0644 init/systemd/ipa_memcached.service $(DESTDIR)/lib/systemd/system
install -m 0644 init/systemd/ipa.service $(DESTDIR)/lib/systemd/system
install -m 0644 init/systemd/ipa-custodia.service $(DESTDIR)/lib/systemd/system
install -m 0644 contrib/completion/ipa.bash_completion $(DESTDIR)/usr/share/bash-completion/completions/ipa
install -m 0755 debian/generate-rndc-key.sh $(DESTDIR)/usr/share/ipa
else
make $(PLATFORM) IPA_VERSION_IS_GIT_SNAPSHOT=no client-install DESTDIR=$(DESTDIR)
endif
@@ -106,19 +91,15 @@ endif
find $(CURDIR)/debian/tmp -name "*.mo" -type f -exec chmod -x "{}" \;
override_dh_install:
dh_install --fail-missing
dh_install --list-missing
override_dh_systemd_enable:
dh_systemd_enable -pfreeipa-server --no-enable ipa.service
dh_systemd_enable -pfreeipa-server --no-enable ipa_memcached.service
dh_systemd_enable -pfreeipa-server --no-enable ipa-dnskeysyncd.service
dh_systemd_enable -pfreeipa-server --no-enable ipa-custodia.service
dh_systemd_enable -pfreeipa-server --no-enable ipa-ods-exporter.service
ifneq ($(ONLY_CLIENT), 1)
mkdir -m 770 -p $(CURDIR)/debian/freeipa-server/var/cache/bind/data
mkdir -m 700 -p $(CURDIR)/debian/freeipa-server/var/lib/ipa/backup
endif
override_dh_fixperms:
dh_fixperms
chmod 0700 $(CURDIR)/debian/freeipa-server/etc/ipa/custodia
chmod 0700 $(CURDIR)/debian/freeipa-server/var/lib/ipa/backup
dh_fixperms -X var/cache/bind/data -X var/lib/ipa/backup
%:
dh $@ --with autoreconf,python2,systemd