websms/freeipa
1
0
Fork 0
Code Issues Pull Requests Projects Releases Wiki Activity

Imported Debian patch 4.0.5-6~numeezy

Browse Source
This commit is contained in:
Alexandre Ellert
2016-02-17 15:07:45 +01:00
committed by Mario Fetka
parent c44de33144
commit 10dfc9587b
1203 changed files with 53869 additions and 241462 deletions
Download Patch File Download Diff File Expand all files Collapse all files

49
debian/patches/add-a-clear-openssl-exception.diff vendored Normal file
View File

@@ -0,0 +1,49 @@
commit d762f61d25508c1856c0fa7dc0ea1e032671542b
Author: Simo Sorce <simo@redhat.com>
Date: Fri Feb 20 08:46:40 2015 -0500
Add a clear OpenSSL exception.
We are linking with OpenSSL in 2 files, so make it clear we intentionally
add a GPLv3 exception to allow that linking by third parties.
Signed-off-by: Simo Sorce <simo@redhat.com>
Reviewed-By: Nathaniel McCallum <npmccallum@redhat.com>
diff --git a/COPYING.openssl b/COPYING.openssl
new file mode 100644
index 0000000..8a92460
--- /dev/null
+++ b/COPYING.openssl
@@ -0,0 +1,16 @@
+ADDITIONAL PERMISSIONS
+
+This file is a modification of the main license file (COPYING), which
+contains the license terms. It applies only to specific files in the
+tree that include an "OpenSSL license exception" disclaimer.
+
+In addition to the governing license (GPLv3), as a special exception,
+the copyright holders give permission to link the code of this program
+with the OpenSSL library, and distribute linked combinations including
+the two.
+You must obey the GNU General Public License in all respects for all of
+the code used other than OpenSSL. If you modify file(s) with this
+exception, you may extend this exception to your version of the file(s),
+but you are not obligated to do so. If you do not wish to do so, delete
+this exception statement from your version. If you delete the exception
+statement from all source files in the program, then also delete it here.
diff --git a/util/ipa_pwd_ntlm.c b/util/ipa_pwd_ntlm.c
index 8ffa666..c6abd4b 100644
--- a/util/ipa_pwd_ntlm.c
+++ b/util/ipa_pwd_ntlm.c
@@ -18,6 +18,10 @@
*
* You should have received a copy of the GNU General Public License
* along with this program. If not, see <http://www.gnu.org/licenses/>.
+ *
+ * This file includes an "OpenSSL license exception", see the
+ * COPYING.openssl file for details.
+ *
*/
#include <stdbool.h>

549
debian/patches/add-debian-platform.diff vendored
View File

@@ -31,7 +31,7 @@ Date: Fri Mar 1 12:21:00 2013 +0200
+"""
--- /dev/null
+++ b/ipaplatform/debian/paths.py
@@ -0,0 +1,360 @@
@@ -0,0 +1,70 @@
+# Authors:
+# Timo Aaltonen <tjaalton@ubuntu.com>
+#
@@ -58,343 +58,53 @@ Date: Fri Mar 1 12:21:00 2013 +0200
+
+# Fallback to default path definitions
+from ipaplatform.base.paths import BasePathNamespace
+import sysconfig
+
+MULTIARCH = sysconfig.get_config_var('MULTIARCH')
+
+class DebianPathNamespace(BasePathNamespace):
+# BASH = "/bin/bash"
+# BIN_FALSE = "/bin/false"
+# BIN_HOSTNAME = "/bin/hostname"
+# LS = "/bin/ls"
+# SH = "/bin/sh"
+# SYSTEMCTL = "/bin/systemctl"
+# TAR = "/bin/tar"
+# BIN_TRUE = "/bin/true"
+# DEV_NULL = "/dev/null"
+# DEV_STDIN = "/dev/stdin"
+ AUTOFS_LDAP_AUTH_CONF = "/etc/autofs_ldap_auth.conf"
+# ETC_DIRSRV = "/etc/dirsrv"
+# DS_KEYTAB = "/etc/dirsrv/ds.keytab"
+# ETC_DIRSRV_SLAPD_INSTANCE_TEMPLATE = "/etc/dirsrv/slapd-%s"
+# ETC_FEDORA_RELEASE = "/etc/fedora-release"
+# GROUP = "/etc/group"
+# ETC_HOSTNAME = "/etc/hostname"
+# HOSTS = "/etc/hosts"
+ ETC_HTTPD_DIR = "/etc/apache2"
+ HTTPD_ALIAS_DIR = "/etc/apache2/nssdb"
+ ALIAS_CACERT_ASC = "/etc/apache2/nssdb/cacert.asc"
+ ALIAS_PWDFILE_TXT = "/etc/apache2/nssdb/pwdfile.txt"
+ HTTPD_CONF_D_DIR = "/etc/apache2/conf-enabled/"
+# HTTPD_IPA_KDCPROXY_CONF = "/etc/ipa/kdcproxy/ipa-kdc-proxy.conf"
+ HTTPD_IPA_KDCPROXY_CONF_SYMLINK = "/etc/apache2/conf-enabled/ipa-kdc-proxy.conf"
+ HTTPD_IPA_PKI_PROXY_CONF = "/etc/apache2/conf-enabled/ipa-pki-proxy.conf"
+ HTTPD_IPA_REWRITE_CONF = "/etc/apache2/conf-available/ipa-rewrite.conf"
+ HTTPD_IPA_CONF = "/etc/apache2/conf-enabled/ipa.conf"
+ HTTPD_NSS_CONF = "/etc/apache2/mods-available/nss.conf"
+# HTTPD_SSL_CONF = "/etc/httpd/conf.d/ssl.conf"
+ IPA_KEYTAB = "/etc/apache2/ipa.keytab"
+ HTTPD_PASSWORD_CONF = "/etc/apache2/password.conf"
+# IDMAPD_CONF = "/etc/idmapd.conf"
+# ETC_IPA = "/etc/ipa"
+# CONNCHECK_CCACHE = "/etc/ipa/.conncheck_ccache"
+# IPA_DNS_CCACHE = "/etc/ipa/.dns_ccache"
+# IPA_DNS_UPDATE_TXT = "/etc/ipa/.dns_update.txt"
+# IPA_CA_CRT = "/etc/ipa/ca.crt"
+# IPA_DEFAULT_CONF = "/etc/ipa/default.conf"
+# IPA_DNSKEYSYNCD_KEYTAB = "/etc/ipa/dnssec/ipa-dnskeysyncd.keytab"
+# IPA_ODS_EXPORTER_KEYTAB = "/etc/ipa/dnssec/ipa-ods-exporter.keytab"
+# DNSSEC_SOFTHSM2_CONF = "/etc/ipa/dnssec/softhsm2.conf"
+# DNSSEC_SOFTHSM_PIN_SO = "/etc/ipa/dnssec/softhsm_pin_so"
+# IPA_NSSDB_DIR = "/etc/ipa/nssdb"
+# IPA_NSSDB_PWDFILE_TXT = "/etc/ipa/nssdb/pwdfile.txt"
+# KRB5_CONF = "/etc/krb5.conf"
+# KRB5_KEYTAB = "/etc/krb5.keytab"
+# LDAP_CONF = "/etc/ldap.conf"
+# LIBNSS_LDAP_CONF = "/etc/libnss-ldap.conf"
+ NAMED_CONF = "/etc/bind/named.conf"
+ NAMED_VAR_DIR = "/var/cache/bind"
+ NAMED_KEYTAB = "/etc/bind/named.keytab"
+ NAMED_RFC1912_ZONES = "/etc/bind/named.conf.default-zones"
+ NAMED_ROOT_KEY = "/etc/bind/bind.keys"
+ NAMED_BINDKEYS_FILE = "/etc/bind/bind.keys"
+ NAMED_MANAGED_KEYS_DIR = "/var/cache/bind/dynamic"
+# NSLCD_CONF = "/etc/nslcd.conf"
+# NSS_LDAP_CONF = "/etc/nss_ldap.conf"
+# NSSWITCH_CONF = "/etc/nsswitch.conf"
+# NTP_CONF = "/etc/ntp.conf"
+# NTP_STEP_TICKERS = "/etc/ntp/step-tickers"
+# ETC_OPENDNSSEC_DIR = "/etc/opendnssec"
+# OPENDNSSEC_CONF_FILE = "/etc/opendnssec/conf.xml"
+# OPENDNSSEC_KASP_FILE = "/etc/opendnssec/kasp.xml"
+# OPENDNSSEC_ZONELIST_FILE = "/etc/opendnssec/zonelist.xml"
+ OPENLDAP_LDAP_CONF = "/etc/ldap/ldap.conf"
+ ETC_DEBIAN_VERSION = "/etc/debian_version"
+# PAM_LDAP_CONF = "/etc/pam_ldap.conf"
+# PASSWD = "/etc/passwd"
+# SYSTEMWIDE_IPA_CA_CRT = "/etc/pki/ca-trust/source/anchors/ipa-ca.crt"
+ IPA_P11_KIT = "/usr/local/share/ca-certificates/ipa-ca.crt"
+# NSS_DB_DIR = "/etc/pki/nssdb"
+# PKI_TOMCAT = "/etc/pki/pki-tomcat"
+# PKI_TOMCAT_ALIAS_DIR = "/etc/pki/pki-tomcat/alias"
+# PKI_TOMCAT_PASSWORD_CONF = "/etc/pki/pki-tomcat/password.conf"
+# ETC_REDHAT_RELEASE = "/etc/redhat-release"
+# RESOLV_CONF = "/etc/resolv.conf"
+# SAMBA_KEYTAB = "/etc/samba/samba.keytab"
+# SMB_CONF = "/etc/samba/smb.conf"
+# LIMITS_CONF = "/etc/security/limits.conf"
+# SSH_CONFIG = "/etc/ssh/ssh_config"
+# SSHD_CONFIG = "/etc/ssh/sshd_config"
+# SSSD_CONF = "/etc/sssd/sssd.conf"
+# SSSD_CONF_BKP = "/etc/sssd/sssd.conf.bkp"
+# SSSD_CONF_DELETED = "/etc/sssd/sssd.conf.deleted"
+ ETC_SYSCONFIG_DIR = "/etc/default"
+# ETC_SYSCONFIG_AUTHCONFIG = "/etc/sysconfig/authconfig"
+ SYSCONFIG_AUTOFS = "/etc/default/autofs"
+ SYSCONFIG_DIRSRV = "/etc/default/dirsrv"
+ SYSCONFIG_DIRSRV_INSTANCE = "/etc/default/dirsrv-%s"
+ SYSCONFIG_DIRSRV_SYSTEMD = "/etc/default/dirsrv.systemd"
+ SYSCONFIG_IPA_DNSKEYSYNCD = "/etc/default/ipa-dnskeysyncd"
+ SYSCONFIG_IPA_ODS_EXPORTER = "/etc/default/ipa-ods-exporter"
+# SYSCONFIG_HTTPD = "/etc/sysconfig/httpd"
+ SYSCONFIG_KRB5KDC_DIR = "/etc/default/krb5-kdc"
+ SYSCONFIG_NAMED = "/etc/default/bind9"
+# SYSCONFIG_NETWORK = "/etc/sysconfig/network"
+# SYSCONFIG_NETWORK_IPABKP = "/etc/sysconfig/network.ipabkp"
+ SYSCONFIG_NFS = "/etc/default/nfs-common"
+ SYSCONFIG_NTPD = "/etc/default/ntp"
+ SYSCONFIG_ODS = "/etc/default/opendnssec"
+ SYSCONFIG_PKI = "/etc/dogtag/"
+ SYSCONFIG_PKI_TOMCAT = "/etc/default/pki-tomcat"
+ SYSCONFIG_PKI_TOMCAT_PKI_TOMCAT_DIR = "/etc/dogtag/tomcat/pki-tomcat"
+# ETC_SYSTEMD_SYSTEM_DIR = "/etc/systemd/system/"
+ SYSTEMD_SYSTEM_HTTPD_D_DIR = "/etc/systemd/system/apache2.d/"
+ SYSTEMD_SYSTEM_HTTPD_IPA_CONF = "/etc/systemd/system/apache2.d/ipa.conf"
+# SYSTEMD_CERTMONGER_SERVICE = "/etc/systemd/system/multi-user.target.wants/certmonger.service"
+# SYSTEMD_IPA_SERVICE = "/etc/systemd/system/multi-user.target.wants/ipa.service"
+# SYSTEMD_SSSD_SERVICE = "/etc/systemd/system/multi-user.target.wants/sssd.service"
+# SYSTEMD_PKI_TOMCAT_SERVICE = "/etc/systemd/system/pki-tomcatd.target.wants/pki-tomcatd@pki-tomcat.service"
+ DNSSEC_TRUSTED_KEY = "/etc/bind/trusted-key.key"
+# HOME_DIR = "/home"
+# ROOT_IPA_CACHE = "/root/.ipa_cache"
+# ROOT_PKI = "/root/.pki"
+# DOGTAG_ADMIN_P12 = "/root/ca-agent.p12"
+ KRA_AGENT_PEM = "/etc/apache2/nssdb/kra-agent.pem"
+# CACERT_P12 = "/root/cacert.p12"
+# ROOT_IPA_CSR = "/root/ipa.csr"
+# NAMED_PID = "/run/named/named.pid"
+# IP = "/sbin/ip"
+# NOLOGIN = "/sbin/nologin"
+# SBIN_REBOOT = "/sbin/reboot"
+# SBIN_RESTORECON = "/sbin/restorecon"
+ SBIN_SERVICE = "/usr/sbin/service"
+# TMP = "/tmp"
+# TMP_CA_P12 = "/tmp/ca.p12"
+# TMP_KRB5CC = "/tmp/krb5cc_%d"
+# USR_DIR = "/usr"
+ CERTMONGER_COMMAND_TEMPLATE = "/usr/lib/ipa/certmonger/%s"
+# PKCS12EXPORT = "/usr/bin/PKCS12Export"
+# CERTUTIL = "/usr/bin/certutil"
+# CHROMIUM_BROWSER = "/usr/bin/chromium-browser"
+# DS_NEWINST_PL = "/usr/bin/ds_newinst.pl"
+# FIREFOX = "/usr/bin/firefox"
+# GETCERT = "/usr/bin/getcert"
+# GPG = "/usr/bin/gpg"
+# GPG_AGENT = "/usr/bin/gpg-agent"
+# IPA_GETCERT = "/usr/bin/ipa-getcert"
+# KDESTROY = "/usr/bin/kdestroy"
+# KINIT = "/usr/bin/kinit"
+# BIN_KVNO = "/usr/bin/kvno"
+# LDAPMODIFY = "/usr/bin/ldapmodify"
+# LDAPPASSWD = "/usr/bin/ldappasswd"
+# NET = "/usr/bin/net"
+# BIN_NISDOMAINNAME = "/usr/bin/nisdomainname"
+# NSUPDATE = "/usr/bin/nsupdate"
+# ODS_KSMUTIL = "/usr/bin/ods-ksmutil"
+# ODS_SIGNER = "/usr/sbin/ods-signer"
+# OPENSSL = "/usr/bin/openssl"
+# PK12UTIL = "/usr/bin/pk12util"
+# SETPASSWD = "/usr/bin/setpasswd"
+# SIGNTOOL = "/usr/bin/signtool"
+# SOFTHSM2_UTIL = "/usr/bin/softhsm2-util"
+# SSLGET = "/usr/bin/sslget"
+# SSS_SSH_AUTHORIZEDKEYS = "/usr/bin/sss_ssh_authorizedkeys"
+# SSS_SSH_KNOWNHOSTSPROXY = "/usr/bin/sss_ssh_knownhostsproxy"
+# BIN_TIMEOUT = "/usr/bin/timeout"
+ UPDATE_CA_TRUST = "/usr/sbin/update-ca-certificates"
+# BIN_CURL = "/usr/bin/curl"
+# ZIP = "/usr/bin/zip"
+ BIND_LDAP_SO = "/usr/share/doc/bind9-dyndb-ldap/copyright"
+ BIND_LDAP_DNS_IPA_WORKDIR = "/var/cache/bind/dyndb-ldap/ipa/"
+ BIND_LDAP_DNS_ZONE_WORKDIR = "/var/cache/bind/dyndb-ldap/ipa/master/"
+# USR_LIB_DIRSRV = "/usr/lib/dirsrv"
+# LIB_FIREFOX = "/usr/lib/firefox"
+ LIBSOFTHSM2_SO = "/usr/lib/%s/softhsm/libsofthsm2.so" % MULTIARCH
+ LIB_SYSTEMD_SYSTEMD_DIR = "/lib/systemd/system/"
+# BIND_LDAP_SO_64 = "/usr/lib64/bind/ldap.so"
+# USR_LIB_DIRSRV_64 = "/usr/lib64/dirsrv"
+# LIB64_FIREFOX = "/usr/lib64/firefox"
+# LIBSOFTHSM2_SO_64 = "/usr/lib64/pkcs11/libsofthsm2.so"
+ DOGTAG_IPA_CA_RENEW_AGENT_SUBMIT = "/usr/lib/certmonger/dogtag-ipa-ca-renew-agent-submit"
+ DOGTAG_IPA_RENEW_AGENT_SUBMIT = "/usr/lib/certmonger/dogtag-ipa-renew-agent-submit"
+ IPA_SERVER_GUARD = "/usr/lib/certmonger/ipa-server-guard"
+ GENERATE_RNDC_KEY = "/bin/true"
+ IPA_DNSKEYSYNCD_REPLICA = "/usr/lib/ipa/ipa-dnskeysync-replica"
+ IPA_DNSKEYSYNCD = "/usr/lib/ipa/ipa-dnskeysyncd"
+ IPA_ODS_EXPORTER = "/usr/lib/ipa/ipa-ods-exporter"
+# DNSSEC_KEYFROMLABEL = "/usr/sbin/dnssec-keyfromlabel-pkcs11"
+# GETSEBOOL = "/usr/sbin/getsebool"
+# GROUPADD = "/usr/sbin/groupadd"
+ HTTPD = "/usr/sbin/apache2ctl"
+# IPA_CLIENT_INSTALL = "/usr/sbin/ipa-client-install"
+# IPA_DNS_INSTALL = "/usr/sbin/ipa-dns-install"
+# SBIN_IPA_JOIN = "/usr/sbin/ipa-join"
+# IPA_REPLICA_CONNCHECK = "/usr/sbin/ipa-replica-conncheck"
+# IPA_RMKEYTAB = "/usr/sbin/ipa-rmkeytab"
+# IPACTL = "/usr/sbin/ipactl"
+# NAMED = "/usr/sbin/named"
+# NAMED_PKCS11 = "/usr/sbin/named-pkcs11"
+# NTPD = "/usr/sbin/ntpd"
+# PKIDESTROY = "/usr/sbin/pkidestroy"
+# PKISPAWN = "/usr/sbin/pkispawn"
+ REMOVE_DS_PL = "/usr/sbin/remove-ds"
+# RESTORECON = "/usr/sbin/restorecon"
+# SELINUXENABLED = "/usr/sbin/selinuxenabled"
+# SETSEBOOL = "/usr/sbin/setsebool"
+ SETUP_DS_PL = "/usr/sbin/setup-ds"
+# SMBD = "/usr/sbin/smbd"
+# USERADD = "/usr/sbin/useradd"
+# USR_SHARE_IPA_DIR = "/usr/share/ipa/"
+# CA_TOPOLOGY_ULDIF = "/usr/share/ipa/ca-topology.uldif"
+# FFEXTENSION = "/usr/share/ipa/ffextension"
+# IPA_HTML_DIR = "/usr/share/ipa/html"
+# CA_CRT = "/usr/share/ipa/html/ca.crt"
+# KERBEROSAUTH_XPI = "/usr/share/ipa/html/kerberosauth.xpi"
+# KRB_CON = "/usr/share/ipa/html/krb.con"
+# KRB_JS = "/usr/share/ipa/html/krb.js"
+# HTML_KRB5_INI = "/usr/share/ipa/html/krb5.ini"
+# HTML_KRBREALM_CON = "/usr/share/ipa/html/krbrealm.con"
+# NIS_ULDIF = "/usr/share/ipa/nis.uldif"
+# IPA_PLUGINS = "/usr/share/ipa/plugins"
+# SCHEMA_COMPAT_ULDIF = "/usr/share/ipa/schema_compat.uldif"
+# IPA_JS_PLUGINS_DIR = "/usr/share/ipa/ui/js/plugins"
+# UPDATES_DIR = "/usr/share/ipa/updates/"
+# DICT_WORDS = "/usr/share/dict/words"
+# CACHE_IPA_SESSIONS = "/var/cache/ipa/sessions"
+ VAR_KERBEROS_KRB5KDC_DIR = "/var/lib/krb5kdc/"
+ VAR_KRB5KDC_K5_REALM = "/var/lib/krb5kdc/.k5."
+ CACERT_PEM = "/var/lib/krb5kdc/cacert.pem"
+ KRB5KDC_KADM5_ACL = "/etc/krb5kdc/kadm5.acl"
+ KRB5KDC_KADM5_KEYTAB = "/etc/krb5kdc/kadm5.keytab"
+ KRB5KDC_KDC_CONF = "/etc/krb5kdc/kdc.conf"
+ KRB5KDC_KDC_CONF = "/var/lib/krb5kdc/kdc.conf"
+ KDC_PEM = "/var/lib/krb5kdc/kdc.pem"
+# VAR_LIB = "/var/lib"
+# AUTHCONFIG_LAST = "/var/lib/authconfig/last"
+# VAR_LIB_CERTMONGER_DIR = "/var/lib/certmonger"
+# CERTMONGER_CAS_DIR = "/var/lib/certmonger/cas/"
+# CERTMONGER_CAS_CA_RENEWAL = "/var/lib/certmonger/cas/ca_renewal"
+# CERTMONGER_REQUESTS_DIR = "/var/lib/certmonger/requests/"
+# VAR_LIB_DIRSRV = "/var/lib/dirsrv"
+# DIRSRV_BOOT_LDIF = "/var/lib/dirsrv/boot.ldif"
+# VAR_LIB_DIRSRV_INSTANCE_SCRIPTS_TEMPLATE = "/var/lib/dirsrv/scripts-%s"
+# VAR_LIB_SLAPD_INSTANCE_DIR_TEMPLATE = "/var/lib/dirsrv/slapd-%s"
+# SLAPD_INSTANCE_BACKUP_DIR_TEMPLATE = "/var/lib/dirsrv/slapd-%s/bak/%s"
+# SLAPD_INSTANCE_DB_DIR_TEMPLATE = "/var/lib/dirsrv/slapd-%s/db/%s"
+# SLAPD_INSTANCE_LDIF_DIR_TEMPLATE = "/var/lib/dirsrv/slapd-%s/ldif"
+# VAR_LIB_IPA = "/var/lib/ipa"
+# IPA_CLIENT_SYSRESTORE = "/var/lib/ipa-client/sysrestore"
+# SYSRESTORE_INDEX = "/var/lib/ipa-client/sysrestore/sysrestore.index"
+# IPA_BACKUP_DIR = "/var/lib/ipa/backup"
+# IPA_DNSSEC_DIR = "/var/lib/ipa/dnssec"
+# IPA_KASP_DB_BACKUP = "/var/lib/ipa/ipa-kasp.db.backup"
+# DNSSEC_TOKENS_DIR = "/var/lib/ipa/dnssec/tokens"
+# DNSSEC_SOFTHSM_PIN = "/var/lib/ipa/dnssec/softhsm_pin"
+# IPA_CA_CSR = "/var/lib/ipa/ca.csr"
+# PKI_CA_PUBLISH_DIR = "/var/lib/ipa/pki-ca/publish"
+# REPLICA_INFO_TEMPLATE = "/var/lib/ipa/replica-info-%s"
+# REPLICA_INFO_GPG_TEMPLATE = "/var/lib/ipa/replica-info-%s.gpg"
+# SYSRESTORE = "/var/lib/ipa/sysrestore"
+# STATEFILE_DIR = "/var/lib/ipa/sysupgrade"
+# VAR_LIB_KDCPROXY = "/var/lib/kdcproxy"
+# VAR_LIB_PKI_DIR = "/var/lib/pki"
+# VAR_LIB_PKI_CA_ALIAS_DIR = "/var/lib/pki-ca/alias"
+# VAR_LIB_PKI_TOMCAT_DIR = "/var/lib/pki/pki-tomcat"
+# CA_BACKUP_KEYS_P12 = "/var/lib/pki/pki-tomcat/alias/ca_backup_keys.p12"
+# KRA_BACKUP_KEYS_P12 = "/var/lib/pki/pki-tomcat/alias/kra_backup_keys.p12"
+# CA_CS_CFG_PATH = "/var/lib/pki/pki-tomcat/conf/ca/CS.cfg"
+# CAJARSIGNINGCERT_CFG = (
+# "/var/lib/pki/pki-tomcat/ca/profiles/ca/caJarSigningCert.cfg")
+# CASIGNEDLOGCERT_CFG = (
+# "/var/lib/pki/pki-tomcat/ca/profiles/ca/caSignedLogCert.cfg")
+# KRA_CS_CFG_PATH = "/var/lib/pki/pki-tomcat/conf/kra/CS.cfg"
+# KRACERT_P12 = "/root/kracert.p12"
+# SAMBA_DIR = "/var/lib/samba/"
+# SSSD_DB = "/var/lib/sss/db"
+# SSSD_MC_GROUP = "/var/lib/sss/mc/group"
+# SSSD_MC_PASSWD = "/var/lib/sss/mc/passwd"
+# SSSD_PUBCONF_KNOWN_HOSTS = "/var/lib/sss/pubconf/known_hosts"
+# SSSD_PUBCONF_KRB5_INCLUDE_D_DIR = "/var/lib/sss/pubconf/krb5.include.d/"
+# DIRSRV_LOCK_DIR = "/var/lock/dirsrv"
+# VAR_LOG_DIRSRV_INSTANCE_TEMPLATE = "/var/log/dirsrv/slapd-%s"
+# SLAPD_INSTANCE_ACCESS_LOG_TEMPLATE = "/var/log/dirsrv/slapd-%s/access"
+# SLAPD_INSTANCE_ERROR_LOG_TEMPLATE = "/var/log/dirsrv/slapd-%s/errors"
+ VAR_LOG_HTTPD_DIR = "/var/log/apache2"
+# IPABACKUP_LOG = "/var/log/ipabackup.log"
+# IPACLIENT_INSTALL_LOG = "/var/log/ipaclient-install.log"
+# IPACLIENT_UNINSTALL_LOG = "/var/log/ipaclient-uninstall.log"
+# IPAREPLICA_CA_INSTALL_LOG = "/var/log/ipareplica-ca-install.log"
+# IPAREPLICA_CONNCHECK_LOG = "/var/log/ipareplica-conncheck.log"
+# IPAREPLICA_INSTALL_LOG = "/var/log/ipareplica-install.log"
+# IPARESTORE_LOG = "/var/log/iparestore.log"
+# IPASERVER_CA_INSTALL_LOG = "/var/log/ipaserver-ca-install.log"
+# IPASERVER_INSTALL_LOG = "/var/log/ipaserver-install.log"
+# IPASERVER_KRA_INSTALL_LOG = "/var/log/ipaserver-kra-install.log"
+# IPASERVER_KRA_UNINSTALL_LOG = "/var/log/ipaserver-kra-uninstall.log"
+# IPASERVER_UNINSTALL_LOG = "/var/log/ipaserver-uninstall.log"
+# IPAUPGRADE_LOG = "/var/log/ipaupgrade.log"
+# KADMIND_LOG = "/var/log/kadmind.log"
+# MESSAGES = "/var/log/messages"
+# VAR_LOG_PKI_DIR = "/var/log/pki/"
+# TOMCAT_TOPLEVEL_DIR = "/var/log/pki/pki-tomcat"
+# TOMCAT_CA_DIR = "/var/log/pki/pki-tomcat/ca"
+# TOMCAT_CA_ARCHIVE_DIR = "/var/log/pki/pki-tomcat/ca/archive"
+# TOMCAT_SIGNEDAUDIT_DIR = "/var/log/pki/pki-tomcat/ca/signedAudit"
+# TOMCAT_KRA_DIR = "/var/log/pki/pki-tomcat/kra"
+# TOMCAT_KRA_ARCHIVE_DIR = "/var/log/pki/pki-tomcat/kra/archive"
+# TOMCAT_KRA_SIGNEDAUDIT_DIR = "/var/log/pki/pki-tomcat/kra/signedAudit"
+# LOG_SECURE = "/var/log/secure"
+ NAMED_RUN = "/var/cache/bind/named.run"
+ VAR_OPENDNSSEC_DIR = "/var/lib/opendnssec"
+ OPENDNSSEC_KASP_DB = "/var/lib/opendnssec/db/kasp.db"
+ IPA_ODS_EXPORTER_CCACHE = "/var/lib/opendnssec/tmp/ipa-ods-exporter.ccache"
+# VAR_RUN_DIRSRV_DIR = "/var/run/dirsrv"
+ KRB5CC_HTTPD = "/var/run/apache2/ipa/krbcache/krb5ccache"
+# IPA_RENEWAL_LOCK = "/var/run/ipa/renewal.lock"
+# SVC_LIST_FILE = "/var/run/ipa/services.list"
+# IPA_MEMCACHED_DIR = "/var/run/ipa_memcached"
+# VAR_RUN_IPA_MEMCACHED = "/var/run/ipa_memcached/ipa_memcached"
+# KRB5CC_SAMBA = "/var/run/samba/krb5cc_samba"
+# SLAPD_INSTANCE_SOCKET_TEMPLATE = "/var/run/slapd-%s.socket"
+# ALL_SLAPD_INSTANCE_SOCKETS = "/var/run/slapd-*.socket"
+# ADMIN_CERT_PATH = '/root/.dogtag/pki-tomcat/ca_admin.cert'
+# ENTROPY_AVAIL = '/proc/sys/kernel/random/entropy_avail'
+# LDIF2DB = '/usr/sbin/ldif2db'
+# DB2LDIF = '/usr/sbin/db2ldif'
+# BAK2DB = '/usr/sbin/bak2db'
+# DB2BAK = '/usr/sbin/db2bak'
+# KDCPROXY_CONFIG = '/etc/ipa/kdcproxy/kdcproxy.conf'
+# CERTMONGER = '/usr/sbin/certmonger'
+# NETWORK_MANAGER_CONFIG_DIR = '/etc/NetworkManager/conf.d'
+# IPA_CUSTODIA_CONF_DIR = '/etc/ipa/custodia'
+# IPA_CUSTODIA_CONF = '/etc/ipa/custodia/custodia.conf'
+ IPA_CUSTODIA_SOCKET = "/run/apache2/ipa-custodia.sock"
+ IPA_CUSTODIA_AUDIT_LOG = '/var/log/ipa-custodia.audit.log'
+ IPA_GETKEYTAB = '/usr/sbin/ipa-getkeytab'
+ GENERATE_RNDC_KEY = "/usr/share/ipa/generate-rndc-key.sh"
+
+paths = DebianPathNamespace()
--- /dev/null
+++ b/ipaplatform/debian/services.py
@@ -0,0 +1,200 @@
@@ -0,0 +1,184 @@
+# Authors:
+# Timo Aaltonen <tjaalton@ubuntu.com>
+#
@@ -432,15 +142,8 @@ Date: Fri Mar 1 12:21:00 2013 +0200
+# to their actual systemd service names
+debian_system_units = redhat_services.redhat_system_units
+
+debian_system_units['named-regular'] = 'bind9.service'
+debian_system_units['named-pkcs11'] = 'bind9-pkcs11.service'
+debian_system_units['named'] = debian_system_units['named-pkcs11']
+debian_system_units['pki-tomcatd'] = 'pki-tomcatd.service'
+debian_system_units['pki_tomcatd'] = debian_system_units['pki-tomcatd']
+debian_system_units['ods-enforcerd'] = 'opendnssec-enforcer.service'
+debian_system_units['ods_enforcerd'] = debian_system_units['ods-enforcerd']
+debian_system_units['ods-signerd'] = 'opendnssec-signer.service'
+debian_system_units['ods_signerd'] = debian_system_units['ods-signerd']
+
+# Service classes that implement Debian-specific behaviour
+
@@ -490,17 +193,13 @@ Date: Fri Mar 1 12:21:00 2013 +0200
+ def is_running(self, instance_name=""):
+ ret = True
+ try:
+ result = ipautil.run([paths.SBIN_SERVICE,
+ self.service_name, "status",
+ instance_name],
+ capture_output=True)
+ sout = result.output
+ (sout, serr, rcode) = ipautil.run([paths.SBIN_SERVICE,
+ self.service_name, "status",
+ instance_name])
+ if sout.find("NOT running") >= 0:
+ ret = False
+ if sout.find("stop") >= 0:
+ ret = False
+ if sout.find("inactive") >= 0:
+ ret = False
+ except ipautil.CalledProcessError:
+ ret = False
+ return ret
@@ -536,18 +235,13 @@ Date: Fri Mar 1 12:21:00 2013 +0200
+
+# For services which have no Debian counterpart
+class DebianNoService(base_services.PlatformService):
+ def start(self):
+ return True
+
+ def stop(self):
+ return True
+
+ def restart(self):
+ return True
+
+ def disable(self):
+ return True
+
+
+class DebianSSHService(DebianSysvService):
+ def get_config_dir(self, instance_name=""):
+ return '/etc/ssh'
@@ -569,11 +263,11 @@ Date: Fri Mar 1 12:21:00 2013 +0200
+ if name == 'krb5kdc':
+ return DebianSysvService("krb5-kdc")
+ if name == 'messagebus':
+ return DebianNoService(name)
+ return DebianSysvService("dbus")
+ if name == 'named':
+ return DebianSysvService("bind9")
+ if name == 'ntpd':
+ return DebianSysvService("ntp")
+ if name == 'smb':
+ return DebianSysvService("smbd")
+ if name == 'sshd':
+ return DebianSSHService(name)
+ return DebianService(name)
@@ -597,7 +291,7 @@ Date: Fri Mar 1 12:21:00 2013 +0200
+knownservices = DebianServices()
--- /dev/null
+++ b/ipaplatform/debian/tasks.py
@@ -0,0 +1,52 @@
@@ -0,0 +1,53 @@
+# Authors:
+# Timo Aaltonen <tjaalton@ubuntu.com>
+#
@@ -625,8 +319,6 @@ Date: Fri Mar 1 12:21:00 2013 +0200
+from ipaplatform.base.tasks import *
+from ipaplatform.redhat.tasks import RedHatTaskNamespace
+
+BaseTask = BaseTaskNamespace()
+
+class DebianTaskNamespace(RedHatTaskNamespace):
+
+ def restore_pre_ipa_client_configuration(self, fstore, statestore,
@@ -643,11 +335,14 @@ Date: Fri Mar 1 12:21:00 2013 +0200
+ def modify_pam_to_use_krb5(self, statestore):
+ return True
+
+ def restore_network_configuration(self, fstore, statestore):
+ def insert_ca_cert_into_systemwide_ca_store(self, ca_certs):
+ return True
+
+ def parse_ipa_version(self, version):
+ return BaseTask.parse_ipa_version(version)
+ def remove_ca_certs_from_systemwide_ca_store(self):
+ return True
+
+ def restore_network_configuration(self, fstore, statestore):
+ return True
+
+tasks = DebianTaskNamespace()
--- a/ipaplatform/setup.py.in
@@ -662,7 +357,7 @@ Date: Fri Mar 1 12:21:00 2013 +0200
"ipaplatform.rhel"],
--- a/ipaserver/install/ntpinstance.py
+++ b/ipaserver/install/ntpinstance.py
@@ -50,6 +50,8 @@ class NTPInstance(service.Service):
@@ -46,6 +46,8 @@ class NTPInstance(service.Service):
os = "fedora"
elif ipautil.file_exists(paths.ETC_REDHAT_RELEASE):
os = "rhel"
@@ -671,37 +366,177 @@ Date: Fri Mar 1 12:21:00 2013 +0200
srv_vals = []
srv_vals.append("0.%s.pool.ntp.org" % os)
--- /dev/null
+++ b/ipaplatform/debian/constants.py
@@ -0,0 +1,31 @@
+#
+# Copyright (C) 2015 FreeIPA Contributors see COPYING for license
+#
@@ -105,9 +107,9 @@ class NTPInstance(service.Service):
fd.close()
for line in lines:
sline = line.strip()
- if not sline.startswith('OPTIONS'):
+ if not sline.startswith('NTPD_OPTS'):
continue
- sline = sline.replace('"', '')
+ sline = sline.replace('\'', '')
for opt in needopts:
if sline.find(opt['val']) != -1:
opt['need'] = False
@@ -123,12 +125,12 @@ class NTPInstance(service.Service):
for line in lines:
if not done:
sline = line.strip()
- if not sline.startswith('OPTIONS'):
+ if not sline.startswith('NTPD_OPTS'):
fd.write(line)
continue
- sline = sline.replace('"', '')
+ sline = sline.replace('\'', '')
(variable, opts) = sline.split('=', 1)
- fd.write('OPTIONS="%s %s"\n' % (opts, ' '.join(newopts)))
+ fd.write('NTPD_OPTS="%s %s"\n' % (opts, ' '.join(newopts)))
done = True
else:
fd.write(line)
--- a/ipaserver/install/ldapupdate.py
+++ b/ipaserver/install/ldapupdate.py
@@ -247,9 +247,9 @@ class LDAPUpdate:
bits = platform.architecture()[0]
if bits == "64bit":
- return "64"
+ return "/x86_64-linux-gnu"
else:
- return ""
+ return "/i386-linux-gnu"
def _template_str(self, s):
try:
--- a/ipaserver/install/httpinstance.py
+++ b/ipaserver/install/httpinstance.py
@@ -118,6 +118,7 @@ class HTTPInstance(service.Service):
self.step("creating a keytab for httpd", self.__create_http_keytab)
self.step("clean up any existing httpd ccache", self.remove_httpd_ccache)
self.step("configuring SELinux for httpd", self.configure_selinux_for_httpd)
+ ipautil.run(["/usr/sbin/a2enmod", "nss"], capture_output=True)
self.step("restarting httpd", self.__start)
self.step("configuring httpd to start on boot", self.__enable)
@@ -204,14 +205,14 @@ class HTTPInstance(service.Service):
self.move_service(self.principal)
self.add_cert_to_service()
- pent = pwd.getpwnam("apache")
+ pent = pwd.getpwnam("www-data")
os.chown(paths.IPA_KEYTAB, pent.pw_uid, pent.pw_gid)
def remove_httpd_ccache(self):
# Clean up existing ccache
# Make sure that empty env is passed to avoid passing KRB5CCNAME from
# current env
- ipautil.run(['kdestroy', '-A'], runas='apache', raiseonerr=False, env={})
+ ipautil.run(['kdestroy', '-A'], runas='www-data', raiseonerr=False, env={})
def __configure_http(self):
target_fname = paths.HTTPD_IPA_CONF
@@ -260,11 +261,11 @@ class HTTPInstance(service.Service):
installutils.set_directive(paths.HTTPD_NSS_CONF, 'NSSRequireSafeNegotiation', 'on', False)
def __set_mod_nss_passwordfile(self):
- installutils.set_directive(paths.HTTPD_NSS_CONF, 'NSSPassPhraseDialog', 'file:/etc/httpd/conf/password.conf')
+ installutils.set_directive(paths.HTTPD_NSS_CONF, 'NSSPassPhraseDialog', 'file:' + paths.HTTPD_PASSWORD_CONF)
def __add_include(self):
"""This should run after __set_mod_nss_port so is already backed up"""
- if installutils.update_file(paths.HTTPD_NSS_CONF, '</VirtualHost>', 'Include conf.d/ipa-rewrite.conf\n</VirtualHost>') != 0:
+ if installutils.update_file(paths.HTTPD_NSS_CONF, '</VirtualHost>', 'Include conf-available/ipa-rewrite.conf\n</VirtualHost>') != 0:
print "Adding Include conf.d/ipa-rewrite to %s failed." % paths.HTTPD_NSS_CONF
def __setup_ssl(self):
@@ -305,7 +306,7 @@ class HTTPInstance(service.Service):
os.chmod(certs.NSS_DIR + "/secmod.db", 0660)
os.chmod(certs.NSS_DIR + "/pwdfile.txt", 0660)
- pent = pwd.getpwnam("apache")
+ pent = pwd.getpwnam("www-data")
os.chown(certs.NSS_DIR + "/cert8.db", 0, pent.pw_gid )
os.chown(certs.NSS_DIR + "/key3.db", 0, pent.pw_gid )
os.chown(certs.NSS_DIR + "/secmod.db", 0, pent.pw_gid )
@@ -400,6 +401,8 @@ class HTTPInstance(service.Service):
if not running is None:
self.stop()
+ ipautil.run(["/usr/sbin/a2dismod", "nss"], capture_output=True)
+
+'''
+This Debian family platform module exports platform dependant constants.
+'''
+
+# Fallback to default path definitions
+from ipaplatform.base.constants import BaseConstantsNamespace
+
+
+class DebianConstantsNamespace(BaseConstantsNamespace):
+# DS_USER = "dirsrv"
+# DS_GROUP = "dirsrv"
+ HTTPD_USER = "www-data"
+# IPA_DNS_PACKAGE_NAME = "freeipa-server-dns"
+# KDCPROXY_USER = "kdcproxy"
+ NAMED_USER = "bind"
+ NAMED_GROUP = "bind"
+ # ntpd init variable used for daemon options
+ NTPD_OPTS_VAR = "NTPD_OPTS"
+ # quote used for daemon options
+ NTPD_OPTS_QUOTE = "\'"
+ ODS_USER = "opendnssec"
+ ODS_GROUP = "opendnssec"
+# PKI_USER = "pkiuser"
+ SECURE_NFS_VAR = "NEED_GSSD"
+# SSSD_USER = "sssd"
+
+constants = DebianConstantsNamespace()
self.stop_tracking_certificates()
if not enabled is None and not enabled:
self.disable()
--- a/ipaserver/install/ipa_server_certinstall.py
+++ b/ipaserver/install/ipa_server_certinstall.py
@@ -148,7 +148,7 @@ class ServerCertInstall(admintool.AdminT
os.chmod(os.path.join(dirname, 'key3.db'), 0640)
os.chmod(os.path.join(dirname, 'secmod.db'), 0640)
- pent = pwd.getpwnam("apache")
+ pent = pwd.getpwnam("www-data")
os.chown(os.path.join(dirname, 'cert8.db'), 0, pent.pw_gid)
os.chown(os.path.join(dirname, 'key3.db'), 0, pent.pw_gid)
os.chown(os.path.join(dirname, 'secmod.db'), 0, pent.pw_gid)
--- a/ipaserver/install/cainstance.py
+++ b/ipaserver/install/cainstance.py
@@ -1130,7 +1130,7 @@ class CAInstance(service.Service):
os.chmod(self.ra_agent_db + "/key3.db", 0640)
os.chmod(self.ra_agent_db + "/secmod.db", 0640)
- pent = pwd.getpwnam("apache")
+ pent = pwd.getpwnam("www-data")
os.chown(self.ra_agent_db + "/cert8.db", 0, pent.pw_gid )
os.chown(self.ra_agent_db + "/key3.db", 0, pent.pw_gid )
os.chown(self.ra_agent_db + "/secmod.db", 0, pent.pw_gid )
--- a/ipaserver/install/certs.py
+++ b/ipaserver/install/certs.py
@@ -740,7 +740,7 @@ class CertDB(object):
f.close()
pwdfile.close()
# TODO: replace explicit uid by a platform-specific one
- self.set_perms(self.pwd_conf, uid="apache")
+ self.set_perms(self.pwd_conf, uid="www-data")
def find_root_cert(self, nickname):
"""
--- a/init/ipa_memcached.conf
+++ b/init/ipa_memcached.conf
@@ -1,5 +1,5 @@
SOCKET_PATH=/var/run/ipa_memcached/ipa_memcached
-USER=apache
+USER=www-data
MAXCONN=1024
CACHESIZE=64
OPTIONS=
--- a/ipaserver/install/bindinstance.py
+++ b/ipaserver/install/bindinstance.py
@@ -483,7 +483,7 @@ class BindInstance(service.Service):
suffix = ipautil.dn_attribute_property('_suffix')
def setup(self, fqdn, ip_address, realm_name, domain_name, forwarders, ntp,
- reverse_zone, named_user="named", zonemgr=None,
+ reverse_zone, named_user="bind", zonemgr=None,
ca_configured=None):
self.named_user = named_user
self.fqdn = fqdn
@@ -874,7 +874,7 @@ class BindInstance(service.Service):
def __generate_rndc_key(self):
installutils.check_entropy()
- ipautil.run(['/usr/libexec/generate-rndc-key.sh'])
+ ipautil.run(paths.GENERATE_RNDC_KEY)
def add_master_dns_records(self, fqdn, ip_address, realm_name, domain_name,
reverse_zone, ntp=False, ca_configured=None):
--- a/init/systemd/ipa_memcached.service
+++ b/init/systemd/ipa_memcached.service
@@ -4,7 +4,7 @@ After=network.target
[Service]
Type=forking
-EnvironmentFile=/etc/sysconfig/ipa_memcached
+EnvironmentFile=/etc/default/ipa_memcached
PIDFile=/var/run/ipa_memcached/ipa_memcached.pid
ExecStart=/usr/bin/memcached -d -s $SOCKET_PATH -u $USER -m $CACHESIZE -c $MAXCONN -P /var/run/ipa_memcached/ipa_memcached.pid $OPTIONS

193
debian/patches/configure-apache-from-installer.diff vendored
View File

@@ -1,193 +0,0 @@
From 9cce757cbdb19e71d314339cd2b822792dde3210 Mon Sep 17 00:00:00 2001
From: Martin Basti <mbasti@redhat.com>
Date: Wed, 16 Mar 2016 09:04:42 +0100
Subject: [PATCH] Configure httpd service from installer instead of directly
from RPM
File httpd.service was created by RPM, what causes that httpd service may
fail due IPA specific configuration even if IPA wasn't installed or was
uninstalled (without erasing RPMs).
With this patch httpd service is configured by httpd.d/ipa.conf during
IPA installation and this config is removed by uninstaller, so no
residual http configuration related to IPA should stay there.
https://fedorahosted.org/freeipa/ticket/5681
---
freeipa.spec.in | 4 ++--
install/share/Makefile.am | 1 +
.../httpd.service => install/share/ipa-httpd.conf | 2 +-
ipaplatform/base/paths.py | 2 ++
ipaplatform/base/tasks.py | 8 ++++++++
ipaplatform/redhat/tasks.py | 19 +++++++++++++++++++
ipaserver/install/httpinstance.py | 6 ++++++
ipaserver/install/server/upgrade.py | 5 +++++
8 files changed, 44 insertions(+), 3 deletions(-)
rename init/systemd/httpd.service => install/share/ipa-httpd.conf (82%)
--- a/freeipa.spec.in
+++ b/freeipa.spec.in
@@ -832,7 +832,6 @@ mkdir -p %{buildroot}%{_unitdir}
mkdir -p %{buildroot}%{etc_systemd_dir}
install -m 644 init/systemd/ipa.service %{buildroot}%{_unitdir}/ipa.service
install -m 644 init/systemd/ipa_memcached.service %{buildroot}%{_unitdir}/ipa_memcached.service
-install -m 644 init/systemd/httpd.service %{buildroot}%{etc_systemd_dir}/httpd.service
install -m 644 init/systemd/ipa-custodia.service %{buildroot}%{_unitdir}/ipa-custodia.service
# END
mkdir -p %{buildroot}/%{_localstatedir}/lib/ipa/backup
@@ -1143,7 +1142,7 @@ fi
%{_tmpfilesdir}/%{name}.conf
%attr(644,root,root) %{_unitdir}/ipa_memcached.service
%attr(644,root,root) %{_unitdir}/ipa-custodia.service
-%attr(644,root,root) %{etc_systemd_dir}/httpd.service
+%ghost %attr(644,root,root) %{etc_systemd_dir}/httpd.d/ipa.conf
# END
%dir %{_usr}/share/ipa
%{_usr}/share/ipa/wsgi.py*
@@ -1218,6 +1217,7 @@ fi
%{_usr}/share/ipa/ipa-rewrite.conf
%{_usr}/share/ipa/ipa-pki-proxy.conf
%{_usr}/share/ipa/kdcproxy.conf
+%{_usr}/share/ipa/ipa-httpd.conf
%ghost %attr(0644,root,apache) %config(noreplace) %{_usr}/share/ipa/html/ca.crt
%ghost %attr(0644,root,apache) %{_usr}/share/ipa/html/kerberosauth.xpi
%ghost %attr(0644,root,apache) %{_usr}/share/ipa/html/krb.con
--- a/install/share/Makefile.am
+++ b/install/share/Makefile.am
@@ -88,6 +88,7 @@ app_DATA = \
kdcproxy.conf \
kdcproxy-enable.uldif \
kdcproxy-disable.uldif \
+ ipa-httpd.conf \
$(NULL)
EXTRA_DIST = \
--- a/init/systemd/httpd.service
+++ /dev/null
@@ -1,7 +0,0 @@
-.include /usr/lib/systemd/system/httpd.service
-
-[Service]
-Environment=KRB5CCNAME=/var/run/httpd/ipa/krbcache/krb5ccache
-Environment=KDCPROXY_CONFIG=/etc/ipa/kdcproxy/kdcproxy.conf
-ExecStartPre=/usr/libexec/ipa/ipa-httpd-kdcproxy
-ExecStopPost=-/usr/bin/kdestroy -A
--- /dev/null
+++ b/install/share/ipa-httpd.conf
@@ -0,0 +1,7 @@
+# Do not edit. Created by IPA installer.
+
+[Service]
+Environment=KRB5CCNAME=/run/apache2/ipa/krbcache/krb5ccache
+Environment=KDCPROXY_CONFIG=/etc/ipa/kdcproxy/kdcproxy.conf
+ExecStartPre=/usr/lib/ipa/ipa-httpd-kdcproxy
+ExecStopPost=-/usr/bin/kdestroy -A
--- a/ipaplatform/base/paths.py
+++ b/ipaplatform/base/paths.py
@@ -127,6 +127,8 @@ class BasePathNamespace(object):
SYSCONFIG_PKI_TOMCAT = "/etc/sysconfig/pki-tomcat"
SYSCONFIG_PKI_TOMCAT_PKI_TOMCAT_DIR = "/etc/sysconfig/pki/tomcat/pki-tomcat"
ETC_SYSTEMD_SYSTEM_DIR = "/etc/systemd/system/"
+ SYSTEMD_SYSTEM_HTTPD_D_DIR = "/etc/systemd/system/httpd.d/"
+ SYSTEMD_SYSTEM_HTTPD_IPA_CONF = "/etc/systemd/system/httpd.d/ipa.conf"
SYSTEMD_CERTMONGER_SERVICE = "/etc/systemd/system/multi-user.target.wants/certmonger.service"
SYSTEMD_IPA_SERVICE = "/etc/systemd/system/multi-user.target.wants/ipa.service"
SYSTEMD_SSSD_SERVICE = "/etc/systemd/system/multi-user.target.wants/sssd.service"
--- a/ipaplatform/base/tasks.py
+++ b/ipaplatform/base/tasks.py
@@ -236,3 +236,11 @@ class BaseTaskNamespace(object):
:return: object implementing proper __cmp__ method for version compare
"""
return parse_version(version)
+
+ def configure_httpd_service_ipa_conf(self):
+ """Configure httpd service to work with IPA"""
+ return
+
+ def remove_httpd_service_ipa_conf(self):
+ """Remove configuration of httpd service of IPA"""
+ return
--- a/ipaplatform/redhat/tasks.py
+++ b/ipaplatform/redhat/tasks.py
@@ -30,6 +30,7 @@ import stat
import socket
import sys
import base64
+import shutil
from cffi import FFI
from ctypes.util import find_library
from functools import total_ordering
@@ -460,5 +461,23 @@ class RedHatTaskNamespace(BaseTaskNamesp
"""
return IPAVersion(version)
+ def configure_httpd_service_ipa_conf(self):
+ """Create systemd config for httpd service to work with IPA
+ """
+ if not os.path.exists(paths.SYSTEMD_SYSTEM_HTTPD_D_DIR):
+ os.mkdir(paths.SYSTEMD_SYSTEM_HTTPD_D_DIR, 0o755)
+
+ shutil.copy(
+ os.path.join(ipautil.SHARE_DIR, 'ipa-httpd.conf'),
+ paths.SYSTEMD_SYSTEM_HTTPD_IPA_CONF)
+ os.chmod(paths.SYSTEMD_SYSTEM_HTTPD_IPA_CONF, 0o644)
+ self.restore_context(paths.SYSTEMD_SYSTEM_HTTPD_IPA_CONF)
+
+ def remove_httpd_service_ipa_conf(self):
+ """Remove systemd config for httpd service of IPA"""
+ try:
+ os.unlink(paths.SYSTEMD_SYSTEM_HTTPD_IPA_CONF)
+ except OSError:
+ pass
tasks = RedHatTaskNamespace()
--- a/ipaserver/install/httpinstance.py
+++ b/ipaserver/install/httpinstance.py
@@ -225,6 +225,8 @@ class HTTPInstance(service.Service):
[paths.KDESTROY, '-A'], runas=HTTPD_USER, raiseonerr=False, env={})
def __configure_http(self):
+ self.update_httpd_service_ipa_conf()
+
target_fname = paths.HTTPD_IPA_CONF
http_txt = ipautil.template_file(ipautil.SHARE_DIR + "ipa.conf", self.sub_dict)
self.fstore.backup_file(paths.HTTPD_IPA_CONF)
@@ -479,6 +481,9 @@ class HTTPInstance(service.Service):
except Exception as e:
root_logger.critical("Unable to start oddjobd: {0}".format(str(e)))
+ def update_httpd_service_ipa_conf(self):
+ tasks.configure_httpd_service_ipa_conf()
+
def uninstall(self):
if self.is_configured():
self.print_msg("Unconfiguring web server")
@@ -534,6 +539,7 @@ class HTTPInstance(service.Service):
installutils.remove_file(paths.HTTPD_IPA_PKI_PROXY_CONF)
installutils.remove_file(paths.HTTPD_IPA_KDCPROXY_CONF_SYMLINK)
installutils.remove_file(paths.HTTPD_IPA_KDCPROXY_CONF)
+ tasks.remove_httpd_service_ipa_conf()
# Restore SELinux boolean states
boolean_states = {name: self.restore_state(name)
--- a/ipaserver/install/server/upgrade.py
+++ b/ipaserver/install/server/upgrade.py
@@ -1376,6 +1376,10 @@ def update_mod_nss_cipher_suite(http):
'cipher_suite_updated',
httpinstance.NSS_CIPHER_REVISION)
+def update_ipa_httpd_service_conf(http):
+ root_logger.info('[Updating HTTPD service IPA configuration]')
+ http.update_httpd_service_ipa_conf()
+
def ds_enable_sidgen_extdom_plugins(ds):
"""For AD trust agents, make sure we enable sidgen and extdom plugins
@@ -1562,6 +1566,7 @@ def upgrade_configuration():
http.enable_kdcproxy()
http.stop()
+ update_ipa_httpd_service_conf(http)
update_mod_nss_protocol(http)
update_mod_nss_cipher_suite(http)
fix_trust_flags()

12
debian/patches/create-sysconfig-ods.diff vendored
View File

@@ -1,12 +0,0 @@
--- a/ipaserver/install/opendnssecinstance.py
+++ b/ipaserver/install/opendnssecinstance.py
@@ -212,6 +212,9 @@ class OpenDNSSECInstance(service.Service
if not self.fstore.has_file(paths.SYSCONFIG_ODS):
self.fstore.backup_file(paths.SYSCONFIG_ODS)
+ # create the configfile, opendnssec-enforcer doesn't ship it
+ open(paths.SYSCONFIG_ODS, 'a').close()
+
installutils.set_directive(paths.SYSCONFIG_ODS,
'SOFTHSM2_CONF',
paths.DNSSEC_SOFTHSM2_CONF,

20
debian/patches/enable-mod-nss-during-setup.diff vendored
View File

@@ -1,20 +0,0 @@
--- a/ipaserver/install/httpinstance.py
+++ b/ipaserver/install/httpinstance.py
@@ -183,6 +183,7 @@ class HTTPInstance(service.Service):
self.step("create KDC proxy user", create_kdcproxy_user)
self.step("create KDC proxy config", self.create_kdcproxy_conf)
self.step("enable KDC proxy", self.enable_kdcproxy)
+ ipautil.run(["/usr/sbin/a2enmod", "nss"], capture_output=True)
self.step("restarting httpd", self.__start)
self.step("configuring httpd to start on boot", self.__enable)
self.step("enabling oddjobd", self.enable_and_start_oddjobd)
@@ -507,6 +508,8 @@ class HTTPInstance(service.Service):
except Exception:
pass
+ ipautil.run(["/usr/sbin/a2dismod", "nss"], capture_output=True)
+
self.stop_tracking_certificates()
helper = self.restore_state('certmonger_ipa_helper')

39
debian/patches/fix-bind-conf.diff vendored Normal file
View File

@@ -0,0 +1,39 @@
--- a/install/share/bind.named.conf.template
+++ b/install/share/bind.named.conf.template
@@ -3,7 +3,7 @@ options {
listen-on-v6 {any;};
// Put files that named is allowed to write in the data/ directory:
- directory "/var/named"; // the default
+ directory "/var/cache/bind"; // the default
dump-file "data/cache_dump.db";
statistics-file "data/named_stats.txt";
memstatistics-file "data/named_mem_stats.txt";
@@ -14,7 +14,7 @@ options {
// Any host is permitted to issue recursive queries
allow-recursion { any; };
- tkey-gssapi-keytab "/etc/named.keytab";
+ tkey-gssapi-keytab "/etc/bind/named.keytab";
pid-file "/run/named/named.pid";
dnssec-enable yes;
@@ -32,12 +32,13 @@ logging {
};
};
-zone "." IN {
- type hint;
- file "named.ca";
-};
+// included below
+//zone "." IN {
+// type hint;
+// file "named.ca";
+//};
-include "/etc/named.rfc1912.zones";
+include "/etc/bind/named.conf.default-zones";
dynamic-db "ipa" {
library "ldap.so";

34
debian/patches/fix-dnssec-services.diff vendored
View File

@@ -1,34 +0,0 @@
--- a/daemons/dnssec/ipa-dnskeysyncd.service
+++ b/daemons/dnssec/ipa-dnskeysyncd.service
@@ -2,11 +2,11 @@
Description=IPA key daemon
[Service]
-EnvironmentFile=/etc/sysconfig/ipa-dnskeysyncd
-ExecStart=/usr/libexec/ipa/ipa-dnskeysyncd
-User=ods
-Group=named
-SupplementaryGroups=ods
+EnvironmentFile=/etc/default/ipa-dnskeysyncd
+ExecStart=/usr/lib/ipa/ipa-dnskeysyncd
+User=opendnssec
+Group=bind
+SupplementaryGroups=opendnssec
PrivateTmp=yes
Restart=on-failure
RestartSec=60s
--- a/daemons/dnssec/ipa-ods-exporter.service
+++ b/daemons/dnssec/ipa-ods-exporter.service
@@ -4,9 +4,9 @@ Wants=ipa-ods-exporter.socket
After=ipa-ods-exporter.socket
[Service]
-EnvironmentFile=/etc/sysconfig/ipa-ods-exporter
-ExecStart=/usr/libexec/ipa/ipa-ods-exporter
-User=ods
+EnvironmentFile=/etc/default/ipa-ods-exporter
+ExecStart=/usr/lib/ipa/ipa-ods-exporter
+User=opendnssec
PrivateTmp=yes
Restart=on-failure
RestartSec=60s

77
debian/patches/fix-hyphen-used-as-minus-sign.patch vendored Normal file
View File

@@ -0,0 +1,77 @@
Description: Fix hyphen-used-as-minus-sign warning (found by Lintian).
See https://lintian.debian.org/tags/hyphen-used-as-minus-sign.html for
an explanation.
Author: Benjamin Drung <benjamin.drung@profitbricks.com>
--- a/install/tools/man/ipa-adtrust-install.1
+++ b/install/tools/man/ipa-adtrust-install.1
@@ -107,7 +107,7 @@ The name of the user with administrative
\fB\-a\fR, \fB\-\-admin\-password\fR=\fIpassword\fR
The password of the user with administrative privileges for this IPA server. Will be asked interactively if \fB\-U\fR is not specified.
.TP
-The credentials of the admin user will be used to obtain Kerberos ticket before configuring cross-realm trusts support and afterwards, to ensure that the ticket contains MS-PAC information required to actually add a trust with Active Directory domain via 'ipa trust-add --type=ad' command.
+The credentials of the admin user will be used to obtain Kerberos ticket before configuring cross-realm trusts support and afterwards, to ensure that the ticket contains MS-PAC information required to actually add a trust with Active Directory domain via 'ipa trust\-add \-\-type=ad' command.
.TP
\fB\-\-enable\-compat\fR
Enables support for trusted domains users for old clients through Schema Compatibility plugin.
--- a/install/tools/man/ipa-replica-conncheck.1
+++ b/install/tools/man/ipa-replica-conncheck.1
@@ -70,13 +70,13 @@ Output only errors
.SH "EXAMPLES"
.TP
-\fBipa-replica-conncheck -m master.example.com\fR
+\fBipa\-replica\-conncheck \-m master.example.com\fR
Run a replica machine connection check against a remote master \fImaster.example.com\fR. If the connection to the remote master machine is successful the program will switch to listening mode and prompt for running the master machine part. The second part check the connection from master to replica.
.TP
-\fBipa-replica-conncheck -R replica.example.com\fR
+\fBipa\-replica\-conncheck \-R replica.example.com\fR
Run a master machine connection check part. This is either run automatically by replica part of the connection check program (when \fI-a\fR option is set) or manually by the user. A running ipa-replica-conncheck(1) in a listening mode must be already running on a replica machine.
.TP
-\fBipa-replica-conncheck -m master.example.com -a -r EXAMPLE.COM -w password\fR
+\fBipa\-replica\-conncheck \-m master.example.com \-a \-r EXAMPLE.COM \-w password\fR
Run a replica\-master connection check. In case of a success switch to listening mode, automatically log to \fImaster.example.com\fR in a realm \fIEXAMPLE.COM\fR with a password \fIpassword\fR and run the second part of the connection check.
.SH "EXIT STATUS"
--- a/install/tools/man/ipa-server-install.1
+++ b/install/tools/man/ipa-server-install.1
@@ -49,7 +49,7 @@ Create home directories for users on the
The fully\-qualified DNS name of this server. If the hostname does not match system hostname, the system hostname will be updated accordingly to prevent service failures.
.TP
\fB\-\-ip\-address\fR=\fIIP_ADDRESS\fR
-The IP address of this server. If this address does not match the address the host resolves to and --setup-dns is not selected the installation will fail. If the server hostname is not resolvable, a record for the hostname and IP_ADDRESS is added to /etc/hosts.
+The IP address of this server. If this address does not match the address the host resolves to and \-\-setup\-dns is not selected the installation will fail. If the server hostname is not resolvable, a record for the hostname and IP_ADDRESS is added to /etc/hosts.
.TP
\fB\-N\fR, \fB\-\-no\-ntp\fR
Do not configure NTP
--- a/ipatests/man/ipa-test-config.1
+++ b/ipatests/man/ipa-test-config.1
@@ -22,7 +22,7 @@ ipa\-test\-config \- Generate FreeIPA te
.SH "SYNOPSIS"
ipa\-test\-config [options]
.br
-ipa\-test\-config [options] --global
+ipa\-test\-config [options] \-\-global
.br
ipa\-test\-config [options] hostname
.SH "DESCRIPTION"
@@ -37,7 +37,7 @@ If run without arguments, it prints out
host.
Another host may be specified as an argument, or via the \-\-master,
\-\-replica, and \-\-client options.
-With the --global option, it prints only configuration that is not specific to
+With the \-\-global option, it prints only configuration that is not specific to
any host.
.SH "OPTIONS"
--- a/ipatests/man/ipa-test-task.1
+++ b/ipatests/man/ipa-test-task.1
@@ -20,7 +20,7 @@
.SH "NAME"
ipa\-test\-task \- Run a task for FreeIPA testing
.SH "SYNOPSIS"
-ipa\-test\-task -h
+ipa\-test\-task \-h
.br
ipa\-test\-task [global-options] TASK [task-options]
.SH "DESCRIPTION"

50
debian/patches/fix-ipa-conf.diff vendored
View File

@@ -1,7 +1,7 @@
Description: Fix paths
--- a/install/conf/ipa.conf
+++ b/install/conf/ipa.conf
@@ -37,7 +37,7 @@ FileETag None
@@ -38,7 +38,7 @@ FileETag None
# FIXME: WSGISocketPrefix is a server-scope directive. The mod_wsgi package
# should really be fixed by adding this its /etc/httpd/conf.d/wsgi.conf:
@@ -10,29 +10,16 @@ Description: Fix paths
# Configure mod_wsgi handler for /ipa
@@ -62,9 +62,9 @@ WSGIScriptReloading Off
<Location "/ipa">
AuthType GSSAPI
AuthName "Kerberos Login"
- GssapiCredStore keytab:/etc/httpd/conf/ipa.keytab
- GssapiCredStore client_keytab:/etc/httpd/conf/ipa.keytab
- GssapiDelegCcacheDir /var/run/httpd/ipa/clientcaches
+ GssapiCredStore keytab:/etc/apache2/ipa.keytab
+ GssapiCredStore client_keytab:/etc/apache2/ipa.keytab
+ GssapiDelegCcacheDir /var/run/apache2/ipa/clientcaches
GssapiUseS4U2Proxy on
GssapiAllowedMech krb5
@@ -71,7 +71,7 @@ KrbConstrainedDelegationLock ipa
KrbMethodK5Passwd off
KrbServiceName HTTP
KrbAuthRealms $REALM
- Krb5KeyTab /etc/httpd/conf/ipa.keytab
+ Krb5KeyTab /etc/apache2/ipa.keytab
KrbSaveCredentials on
KrbConstrainedDelegation on
Require valid-user
@@ -107,7 +107,7 @@ WSGIScriptReloading Off
# Custodia stuff is redirected to the custodia daemon
# after authentication
<Location "/ipa/keys/">
- ProxyPass "unix:/run/httpd/ipa-custodia.sock|http://localhost/keys/"
+ ProxyPass "unix:/run/apache2/ipa-custodia.sock|http://localhost/keys/"
RequestHeader set GSS_NAME %{GSS_NAME}s
RequestHeader set REMOTE_USER %{REMOTE_USER}s
</Location>
@@ -141,8 +141,8 @@ Alias /ipa/crl "$CRL_PUBLISH_PATH"
@@ -138,8 +138,8 @@ Alias /ipa/crl "$CRL_PUBLISH_PATH"
# List explicitly only the fonts we want to serve
@@ -43,3 +30,20 @@ Description: Fix paths
<Directory "/usr/share/fonts">
SetHandler None
AllowOverride None
@@ -175,14 +175,14 @@ Alias /ipa/wsgi "/usr/share/ipa/wsgi"
</Directory>
# Protect our CGIs
-<Directory /var/www/cgi-bin>
+<Directory /usr/lib/cgi-bin>
AuthType Kerberos
AuthName "Kerberos Login"
KrbMethodNegotiate on
KrbMethodK5Passwd off
KrbServiceName HTTP
KrbAuthRealms $REALM
- Krb5KeyTab /etc/httpd/conf/ipa.keytab
+ Krb5KeyTab /etc/apache2/ipa.keytab
KrbSaveCredentials on
Require valid-user
ErrorDocument 401 /ipa/errors/unauthorized.html

12
debian/patches/fix-ipa-otpd-install.diff vendored
View File

@@ -1,12 +0,0 @@
--- a/daemons/ipa-otpd/Makefile.am
+++ b/daemons/ipa-otpd/Makefile.am
@@ -2,7 +2,8 @@ AM_CFLAGS := @LDAP_CFLAGS@ @LIBVERTO_CFL
AM_LDFLAGS := @LDAP_LIBS@ @LIBVERTO_LIBS@ @KRAD_LIBS@
noinst_HEADERS = internal.h
-libexec_PROGRAMS = ipa-otpd
+appdir = $(libexecdir)/ipa/
+app_PROGRAMS = ipa-otpd
dist_noinst_DATA = ipa-otpd.socket.in ipa-otpd@.service.in test.py
systemdsystemunit_DATA = ipa-otpd.socket ipa-otpd@.service

33
debian/patches/fix-kdcproxy-paths.diff vendored
View File

@@ -1,33 +0,0 @@
--- a/install/conf/ipa-kdc-proxy.conf.template
+++ b/install/conf/ipa-kdc-proxy.conf.template
@@ -1,24 +1,24 @@
# Kerberos over HTTP / MS-KKDCP support (Kerberos KDC Proxy)
#
-# The symlink from /etc/ipa/kdcproxy/ to /etc/httpd/conf.d/ is maintained
-# by the ExecStartPre script /usr/libexec/ipa/ipa-httpd-kdcproxy in
+# The symlink from /etc/ipa/kdcproxy/ to /etc/apache2/conf.enabled/ is maintained
+# by the ExecStartPre script /usr/lib/ipa/ipa-httpd-kdcproxy in
# httpd.service. The service also sets the environment variable
# KDCPROXY_CONFIG to $KDCPROXY_CONFIG.
#
# Disable KDC Proxy on the current host:
# # ipa-ldap-updater /usr/share/ipa/kdcproxy-disable.uldif
-# # systemctl restart httpd.service
+# # systemctl restart apache2.service
#
# Enable KDC Proxy on the current host:
# # ipa-ldap-updater /usr/share/ipa/kdcproxy-enable.uldif
-# # systemctl restart httpd.service
+# # systemctl restart apache2.service
#
WSGIDaemonProcess kdcproxy processes=2 threads=15 maximum-requests=5000 \
user=kdcproxy group=kdcproxy display-name=%{GROUP}
-WSGIImportScript /usr/lib/python2.7/site-packages/kdcproxy/__init__.py \
+WSGIImportScript /usr/lib/python2.7/dist-packages/kdcproxy/__init__.py \
process-group=kdcproxy application-group=kdcproxy
-WSGIScriptAlias /KdcProxy /usr/lib/python2.7/site-packages/kdcproxy/__init__.py
+WSGIScriptAlias /KdcProxy /usr/lib/python2.7/dist-packages/kdcproxy/__init__.py
WSGIScriptReloading Off
<Location "/KdcProxy">

93
debian/patches/fix-manpage-has-errors-from-man.patch vendored Normal file
View File

@@ -0,0 +1,93 @@
Description: Fix manpage-has-errors-from-man warning (found by Lintian).
See https://lintian.debian.org/tags/manpage-has-errors-from-man.html for
an explanation. Issues found were
ipa-client-install.1.gz 208: warning [p 5, 4.0i]: cannot adjust line
default.conf.5.gz 50: warning: macro `np' not defined
Author: Benjamin Drung <benjamin.drung@profitbricks.com>
--- freeipa-4.0.2.orig/ipa-client/man/default.conf.5
+++ freeipa-4.0.2/ipa-client/man/default.conf.5
@@ -47,14 +47,14 @@ Valid lines consist of an option name, a
Values should not be quoted, the quotes will not be stripped.
-.np
+.DS L
# Wrong \- don't include quotes
verbose = "True"
# Right \- Properly formatted options
verbose = True
verbose=True
-.fi
+.DE
Options must appear in the section named [global]. There are no other sections defined or used currently.
--- freeipa-4.0.2.orig/ipa-client/man/ipa-client-install.1
+++ freeipa-4.0.2/ipa-client/man/ipa-client-install.1
@@ -205,35 +205,47 @@ Unattended uninstallation. The user will
.TP
Files that will be replaced if SSSD is configured (default):
-/etc/sssd/sssd.conf\p
+/etc/sssd/sssd.conf
.TP
Files that will be replaced if they exist and SSSD is not configured (\-\-no\-sssd):
-/etc/ldap.conf\p
-/etc/nss_ldap.conf\p
-/etc/libnss\-ldap.conf\p
-/etc/pam_ldap.conf\p
-/etc/nslcd.conf\p
+/etc/ldap.conf
+.br
+/etc/nss_ldap.conf
+.br
+/etc/libnss\-ldap.conf
+.br
+/etc/pam_ldap.conf
+.br
+/etc/nslcd.conf
.TP
Files replaced if NTP is enabled:
-/etc/ntp.conf\p
-/etc/sysconfig/ntpd\p
-/etc/ntp/step\-tickers\p
+/etc/ntp.conf
+.br
+/etc/sysconfig/ntpd
+.br
+/etc/ntp/step\-tickers
.TP
Files always created (replacing existing content):
-/etc/krb5.conf\p
-/etc/ipa/ca.crt\p
-/etc/ipa/default.conf\p
-/etc/openldap/ldap.conf\p
+/etc/krb5.conf
+.br
+/etc/ipa/ca.crt
+.br
+/etc/ipa/default.conf
+.br
+/etc/openldap/ldap.conf
.TP
Files updated, existing content is maintained:
-/etc/nsswitch.conf\p
-/etc/pki/nssdb\p
-/etc/krb5.keytab\p
-/etc/sysconfig/network\p
+/etc/nsswitch.conf
+.br
+/etc/pki/nssdb
+.br
+/etc/krb5.keytab
+.br
+/etc/sysconfig/network
.SH "EXIT STATUS"
0 if the installation was successful

11
debian/patches/fix-match-hostname.diff vendored Normal file
View File

@@ -0,0 +1,11 @@
--- a/ipalib/plugins/otptoken.py
+++ b/ipalib/plugins/otptoken.py
@@ -25,7 +25,7 @@ from ipalib.errors import PasswordMismat
from ipalib.request import context
from ipalib.frontend import Local
-from backports.ssl_match_hostname import match_hostname
+from ssl import match_hostname
import base64
import uuid
import urllib

20
debian/patches/fix-memcached.diff vendored
View File

@@ -1,20 +0,0 @@
--- a/init/ipa_memcached.conf
+++ b/init/ipa_memcached.conf
@@ -1,5 +1,5 @@
SOCKET_PATH=/var/run/ipa_memcached/ipa_memcached
-USER=apache
+USER=www-data
MAXCONN=1024
CACHESIZE=64
OPTIONS=
--- a/init/systemd/ipa_memcached.service
+++ b/init/systemd/ipa_memcached.service
@@ -4,7 +4,7 @@ After=network.target
[Service]
Type=forking
-EnvironmentFile=/etc/sysconfig/ipa_memcached
+EnvironmentFile=/etc/default/ipa_memcached
PIDFile=/var/run/ipa_memcached/ipa_memcached.pid
ExecStart=/usr/bin/memcached -d -s $SOCKET_PATH -u $USER -m $CACHESIZE -c $MAXCONN -P /var/run/ipa_memcached/ipa_memcached.pid $OPTIONS

46
debian/patches/fix-named-conf-template.diff vendored
View File

@@ -1,46 +0,0 @@
Description: fix named.conf template
* extra logging disabled as it'd just duplicate everything
* zones are loaded via includes
--- a/install/share/bind.named.conf.template
+++ b/install/share/bind.named.conf.template
@@ -4,9 +4,9 @@ options {
// Put files that named is allowed to write in the data/ directory:
directory "$NAMED_VAR_DIR"; // the default
- dump-file "data/cache_dump.db";
- statistics-file "data/named_stats.txt";
- memstatistics-file "data/named_mem_stats.txt";
+ dump-file "cache_dump.db";
+ statistics-file "named_stats.txt";
+ memstatistics-file "named_mem_stats.txt";
forward first;
forwarders {$FORWARDERS};
@@ -30,18 +30,14 @@ options {
* By default, SELinux policy does not allow named to modify the /var/named directory,
* so put the default debug log file in data/ :
*/
-logging {
- channel default_debug {
- file "data/named.run";
- severity dynamic;
- print-time yes;
- };
-};
+//logging {
+// channel default_debug {
+// file "data/named.run";
+// severity dynamic;
+// print-time yes;
+// };
+//};
-zone "." IN {
- type hint;
- file "named.ca";
-};
include "$RFC1912_ZONES";
include "$ROOT_KEY";

58
debian/patches/fix-oddjobs.diff vendored
View File

@@ -1,58 +0,0 @@
--- a/install/oddjob/etc/dbus-1/system.d/oddjob-ipa-trust.conf
+++ b/install/oddjob/etc/dbus-1/system.d/oddjob-ipa-trust.conf
@@ -30,7 +30,7 @@
send_member="Get"/>
</policy>
- <policy user="apache">
+ <policy user="www-data">
<allow send_destination="com.redhat.idm.trust"
send_path="/"
send_interface="com.redhat.idm.trust"
--- a/install/oddjob/etc/dbus-1/system.d/org.freeipa.server.conf
+++ b/install/oddjob/etc/dbus-1/system.d/org.freeipa.server.conf
@@ -10,7 +10,7 @@
<allow send_destination="org.freeipa.server" send_interface="org.freeipa.server"/>
</policy>
- <policy user="apache">
+ <policy user="www-data">
<allow send_destination="org.freeipa.server" send_interface="org.freeipa.server"/>
</policy>
--- a/install/oddjob/etc/oddjobd.conf.d/ipa-server.conf
+++ b/install/oddjob/etc/oddjobd.conf.d/ipa-server.conf
@@ -2,11 +2,11 @@
<oddjobconfig>
<service name="org.freeipa.server">
<allow user="root"/>
- <allow user="apache"/>
+ <allow user="www-data"/>
<object name="/">
<interface name="org.freeipa.server">
<method name="conncheck">
- <helper exec="/usr/libexec/ipa/oddjob/org.freeipa.server.conncheck"
+ <helper exec="/usr/lib/ipa/oddjob/org.freeipa.server.conncheck"
arguments="1"
prepend_user_name="no"
argument_passing_method="cmdline"/>
--- a/install/oddjob/etc/oddjobd.conf.d/oddjobd-ipa-trust.conf
+++ b/install/oddjob/etc/oddjobd.conf.d/oddjobd-ipa-trust.conf
@@ -2,7 +2,7 @@
<oddjobconfig>
<service name="com.redhat.idm.trust">
<allow user="root"/>
- <allow user="apache"/>
+ <allow user="www-data"/>
<object name="/">
<interface name="org.freedesktop.DBus.Introspectable">
<allow min_uid="0" max_uid="0"/>
@@ -10,7 +10,7 @@
</interface>
<interface name="com.redhat.idm.trust">
<method name="fetch_domains">
- <helper exec="/usr/libexec/ipa/oddjob/com.redhat.idm.trust-fetch-domains"
+ <helper exec="/usr/lib/ipa/oddjob/com.redhat.idm.trust-fetch-domains"
arguments="1"
argument_passing_method="cmdline"
prepend_user_name="no"/>

13
debian/patches/fix-pykerberos-api.diff vendored Normal file
View File

@@ -0,0 +1,13 @@
Description: we have a newer pykerberos than Fedora
diff --git a/ipalib/rpc.py b/ipalib/rpc.py
index 81e7aa3..ce5f2a0 100644
--- a/ipalib/rpc.py
+++ b/ipalib/rpc.py
@@ -380,7 +380,7 @@ class KerbTransport(SSLTransport):
service = "HTTP@" + host.split(':')[0]
try:
- (rc, vc) = kerberos.authGSSClientInit(service, self.flags)
+ (rc, vc) = kerberos.authGSSClientInit(service, gssflags=self.flags)
except kerberos.GSSError, e:
self._handle_exception(e)

11
debian/patches/fix-replicainstall.diff vendored
View File

@@ -1,11 +0,0 @@
--- a/ipaserver/install/server/replicainstall.py
+++ b/ipaserver/install/server/replicainstall.py
@@ -1073,7 +1073,7 @@ def promote_check(installer):
raise RuntimeError("CA cert file is not available! Please reinstall"
"the client and try again.")
- ldapuri = 'ldaps://%s' % ipautil.format_netloc(config.master_host_name)
+ ldapuri = 'ldap://%s' % ipautil.format_netloc(config.master_host_name)
remote_api = create_api(mode=None)
remote_api.bootstrap(in_server=True, context='installer',
ldap_uri=ldapuri)

14
debian/patches/fix-typo.patch vendored Normal file
View File

@@ -0,0 +1,14 @@
Description: Fix typo
Author: Benjamin Drung <benjamin.drung@profitbricks.com>
--- a/ipa-client/man/default.conf.5
+++ b/ipa-client/man/default.conf.5
@@ -140,7 +140,7 @@
in the logger tree. The dot character is also a regular
expression metacharacter (matches any character) therefore you
will usually need to escape the dot in the logger names by
-preceeding it with a backslash.
+preceding it with a backslash.
.TP
.B mode <mode>
Specifies the mode the server is running in. The currently support values are \fBproduction\fR and \fBdevelopment\fR. When running in production mode some self\-tests are skipped to improve performance.

15
debian/patches/hack-libarch.diff vendored
View File

@@ -1,15 +0,0 @@
--- a/ipaserver/install/ldapupdate.py
+++ b/ipaserver/install/ldapupdate.py
@@ -335,9 +335,9 @@ class LDAPUpdate:
bits = platform.architecture()[0]
if bits == "64bit":
- return "64"
+ return "/x86_64-linux-gnu"
else:
- return ""
+ return "/i386-linux-gnu"
def _template_str(self, s):
try:

11
debian/patches/no-test-lang.diff vendored Normal file
View File

@@ -0,0 +1,11 @@
--- a/Makefile
+++ b/Makefile
@@ -114,7 +114,7 @@ client-dirs:
lint: bootstrap-autogen
./make-lint $(LINT_OPTIONS)
- $(MAKE) -C install/po validate-src-strings
+# $(MAKE) -C install/po validate-src-strings
test:

11
debian/patches/port-ipa-client-automount.diff vendored Normal file
View File

@@ -0,0 +1,11 @@
--- a/ipa-client/ipa-install/ipa-client-automount
+++ b/ipa-client/ipa-install/ipa-client-automount
@@ -311,7 +311,7 @@
Configure secure NFS
"""
replacevars = {
- 'SECURE_NFS': 'yes',
+ 'NEED_GSSD': 'yes',
}
ipautil.backup_config_and_replace_variables(fstore,
NFS_CONF, replacevars=replacevars)

48
debian/patches/prefix.patch vendored
View File

@@ -5,19 +5,23 @@ use the debian layout when installing python modules
--- a/Makefile
+++ b/Makefile
@@ -113,9 +113,9 @@ client-install: client client-dirs
cd install/po && $(MAKE) install || exit 1;
@for subdir in $(CLIENTPYDIRS); do \
if [ "$(DESTDIR)" = "" ]; then \
- (cd $$subdir && $(PYTHON) setup.py install); \
+ (cd $$subdir && $(PYTHON) setup.py install --install-layout=deb); \
else \
- (cd $$subdir && $(PYTHON) setup.py install --root $(DESTDIR)); \
+ (cd $$subdir && $(PYTHON) setup.py install --root $(DESTDIR) --install-layout=deb); \
fi \
@@ -96,11 +96,11 @@ client-install: client client-dirs
done
cd install/po && $(MAKE) install || exit 1;
if [ "$(DESTDIR)" = "" ]; then \
- $(PYTHON) setup-client.py install; \
- (cd ipaplatform && $(PYTHON) setup.py install); \
+ $(PYTHON) setup-client.py install --install-layout=deb; \
+ (cd ipaplatform && $(PYTHON) setup.py install --install-layout=deb); \
else \
- $(PYTHON) setup-client.py install --root $(DESTDIR); \
- (cd ipaplatform && $(PYTHON) setup.py install --root $(DESTDIR)); \
+ $(PYTHON) setup-client.py install --root $(DESTDIR) --install-layout=deb; \
+ (cd ipaplatform && $(PYTHON) setup.py install --root $(DESTDIR) --install-layout=deb); \
fi
@@ -198,11 +198,11 @@ server: version-update
client-dirs:
@@ -171,11 +171,11 @@ server: version-update
server-install: server
if [ "$(DESTDIR)" = "" ]; then \
@@ -33,7 +37,7 @@ use the debian layout when installing python modules
fi
tests: version-update tests-man-autogen
@@ -213,7 +213,7 @@ tests-install: tests
@@ -186,7 +186,7 @@ tests-install: tests
if [ "$(DESTDIR)" = "" ]; then \
cd ipatests; $(PYTHON) setup.py install; \
else \
@@ -44,23 +48,23 @@ use the debian layout when installing python modules
--- a/ipapython/Makefile
+++ b/ipapython/Makefile
@@ -13,7 +13,7 @@ install:
@@ -14,7 +14,7 @@ install:
if [ "$(DESTDIR)" = "" ]; then \
$(PYTHON) setup.py install; \
python2 setup.py install; \
else \
- $(PYTHON) setup.py install --root $(DESTDIR); \
+ $(PYTHON) setup.py install --root $(DESTDIR) --install-layout=deb; \
- python2 setup.py install --root $(DESTDIR); \
+ python2 setup.py install --root $(DESTDIR) --install-layout=deb; \
fi
@for subdir in $(SUBDIRS); do \
(cd $$subdir && $(MAKE) $@) || exit 1; \
--- a/ipalib/Makefile
+++ b/ipalib/Makefile
@@ -12,7 +12,7 @@ install:
--- a/ipapython/py_default_encoding/Makefile
+++ b/ipapython/py_default_encoding/Makefile
@@ -9,7 +9,7 @@ install:
if [ "$(DESTDIR)" = "" ]; then \
$(PYTHON) setup.py install; \
python2 setup.py install; \
else \
- $(PYTHON) setup.py install --root $(DESTDIR); \
+ $(PYTHON) setup.py install --root $(DESTDIR) --install-layout=deb; \
- python2 setup.py install --root $(DESTDIR); \
+ python2 setup.py install --root $(DESTDIR) --install-layout=deb; \
fi
clean:

682
debian/patches/purge-firefox-extension.diff vendored
View File

@@ -1,682 +0,0 @@
commit 5d6e79b8f03198056103a31acc20536f8323756d
Author: Timo Aaltonen <tjaalton@debian.org>
Date: Tue Mar 29 21:33:15 2016 +0300
Purge firefox extension
diff --git a/freeipa.spec.in b/freeipa.spec.in
index b0861d8..67152f6 100644
--- a/freeipa.spec.in
+++ b/freeipa.spec.in
@@ -158,7 +158,6 @@ Requires: pki-ca >= 10.2.6-13
Requires: pki-kra >= 10.2.6-13
Requires(preun): python systemd-units
Requires(postun): python systemd-units
-Requires: zip
Requires: policycoreutils >= 2.1.12-5
Requires: tar
Requires(pre): certmonger >= 0.78
diff --git a/install/Makefile.am b/install/Makefile.am
index ac52ad3..d13ecb7 100644
--- a/install/Makefile.am
+++ b/install/Makefile.am
@@ -7,7 +7,6 @@ NULL =
SUBDIRS = \
certmonger \
conf \
- ffextension \
html \
migration \
share \
diff --git a/install/ffextension/Makefile.am b/install/ffextension/Makefile.am
deleted file mode 100644
index 7a72205..0000000
--- a/install/ffextension/Makefile.am
+++ /dev/null
@@ -1,23 +0,0 @@
-AUTOMAKE_OPTIONS = 1.7
-
-NULL =
-
-SUBDIRS = \
- chrome \
- locale \
- $(NULL)
-
-appdir = $(IPA_DATA_DIR)/ffextension
-app_DATA = \
- bootstrap.js \
- chrome.manifest \
- install.rdf \
- $(NULL)
-
-EXTRA_DIST = \
- $(app_DATA) \
- $(NULL)
-
-MAINTAINERCLEANFILES = \
- *~ \
- Makefile.in
diff --git a/install/ffextension/bootstrap.js b/install/ffextension/bootstrap.js
deleted file mode 100644
index 7e2ae57..0000000
--- a/install/ffextension/bootstrap.js
+++ /dev/null
@@ -1,88 +0,0 @@
-// Heavily inspired by Dave Townsend's post:
-// Playing with windows in restartless (bootstrapped) extensions
-// http://www.oxymoronical.com/blog/2011/01/Playing-with-windows-in-restartless-bootstrapped-extensions
-
-const Cc = Components.classes;
-const Ci = Components.interfaces;
-const Cu = Components.utils;
-
-var WindowListener = {
-
- setupBrowserUI: function(domWindow) {
- var doc = domWindow.document;
- domWindow.kerberosauth_listener = kerberosauth_listener(domWindow);
- doc.addEventListener('kerberos-auth-config', domWindow.kerberosauth_listener, false, true);
- },
-
- tearDownBrowserUI: function(domWindow) {
-
- var doc = domWindow.document;
- doc.removeEventListener('kerberos-auth-config', domWindow.kerberosauth_listener);
- delete domWindow.kerberosauth_listener;
- },
-
- // nsIWindowMediatorListener functions
- onOpenWindow: function(xulWindow) {
- // A new window has opened
- var domWindow = xulWindow.QueryInterface(Ci.nsIInterfaceRequestor).
- getInterface(Ci.nsIDOMWindowInternal);
-
- // Wait for it to finish loading
- domWindow.addEventListener("load", function listener() {
- domWindow.removeEventListener("load", listener, false);
-
- // If this is a browser window then setup its UI
- if (domWindow.document.documentElement.getAttribute("windowtype") === "navigator:browser") {
- WindowListener.setupBrowserUI(domWindow);
- }
- }, false);
- },
-
- onCloseWindow: function(xulWindow) {
- },
-
- onWindowTitleChange: function(xulWindow, newTitle) {
- }
-};
-
-function startup(data, reason) {
- var wm = Cc["@mozilla.org/appshell/window-mediator;1"].getService(Ci.nsIWindowMediator);
-
- Cu['import']("chrome://kerberosauth/content/kerberosauth.js");
-
- // Get the list of browser windows already open
- var windows = wm.getEnumerator("navigator:browser");
- while (windows.hasMoreElements()) {
- var domWindow = windows.getNext().QueryInterface(Ci.nsIDOMWindow);
-
- WindowListener.setupBrowserUI(domWindow);
- }
-
- // Wait for any new browser windows to open
- wm.addListener(WindowListener);
-}
-
-function shutdown(data, reason) {
- // When the application is shutting down we normally don't have to clean
- // up any UI changes made
- if (reason == APP_SHUTDOWN)
- return;
-
- var wm = Cc["@mozilla.org/appshell/window-mediator;1"].
- getService(Ci.nsIWindowMediator);
-
- // Get the list of browser windows already open
- var windows = wm.getEnumerator("navigator:browser");
- while (windows.hasMoreElements()) {
- var domWindow = windows.getNext().QueryInterface(Ci.nsIDOMWindow);
- WindowListener.tearDownBrowserUI(domWindow);
- }
-
- // Stop listening for any new browser windows to open
- wm.removeListener(WindowListener);
-
- Cu.unload("chrome://kerberosauth/content/kerberosauth.js");
-}
-
-function install() {}
-function uninstall() {}
\ No newline at end of file
diff --git a/install/ffextension/chrome.manifest b/install/ffextension/chrome.manifest
deleted file mode 100644
index 775d3a3..0000000
--- a/install/ffextension/chrome.manifest
+++ /dev/null
@@ -1,4 +0,0 @@
-content kerberosauth chrome/content/
-resource kerberosauth chrome/content/
-overlay chrome://browser/content/browser.xul resource://kerberosauth/kerberosauth_overlay.xul
-locale kerberosauth en-US locale/en-US/
\ No newline at end of file
diff --git a/install/ffextension/chrome/Makefile.am b/install/ffextension/chrome/Makefile.am
deleted file mode 100644
index 10d23a7..0000000
--- a/install/ffextension/chrome/Makefile.am
+++ /dev/null
@@ -1,19 +0,0 @@
-AUTOMAKE_OPTIONS = 1.7
-
-NULL =
-
-SUBDIRS = \
- content \
- $(NULL)
-
-appdir = $(IPA_DATA_DIR)/ffextension/chrome
-app_DATA = \
- $(NULL)
-
-EXTRA_DIST = \
- $(app_DATA) \
- $(NULL)
-
-MAINTAINERCLEANFILES = \
- *~ \
- Makefile.in
diff --git a/install/ffextension/chrome/content/Makefile.am b/install/ffextension/chrome/content/Makefile.am
deleted file mode 100644
index 7ff81e5..0000000
--- a/install/ffextension/chrome/content/Makefile.am
+++ /dev/null
@@ -1,17 +0,0 @@
-AUTOMAKE_OPTIONS = 1.7
-
-NULL =
-
-appdir = $(IPA_DATA_DIR)/ffextension/chrome/content
-app_DATA = \
- kerberosauth_overlay.xul \
- kerberosauth.js \
- $(NULL)
-
-EXTRA_DIST = \
- $(app_DATA) \
- $(NULL)
-
-MAINTAINERCLEANFILES = \
- *~ \
- Makefile.in
diff --git a/install/ffextension/chrome/content/kerberosauth.js b/install/ffextension/chrome/content/kerberosauth.js
deleted file mode 100644
index c5afde9..0000000
--- a/install/ffextension/chrome/content/kerberosauth.js
+++ /dev/null
@@ -1,197 +0,0 @@
-/* Authors:
- * Petr Vobornik <pvoborni@redhat.com>
- *
- * Copyright (C) 2012 Red Hat
- * see file 'COPYING' for use and warranty information
- *
- * This program is free software; you can redistribute it and/or modify
- * it under the terms of the GNU General Public License as published by
- * the Free Software Foundation, either version 3 of the License, or
- * (at your option) any later version.
- *
- * This program is distributed in the hope that it will be useful,
- * but WITHOUT ANY WARRANTY; without even the implied warranty of
- * MERCHANTABILITY or FITNESS FOR A PARTICULAR PURPOSE. See the
- * GNU General Public License for more details.
- *
- * You should have received a copy of the GNU General Public License
- * along with this program. If not, see <http://www.gnu.org/licenses/>.
- */
-
-var EXPORTED_SYMBOLS = ["kerberosauth", "kerberosauth_listener"];
-
-var Cc = Components.classes;
-var Ci = Components.interfaces;
-
-var kerberosauth = {
-
- // Dictionary of configuration options this extension can configure.
- // An alias (key) is set for each options. Using a set of aliases limits
- // configuration pages from supplying potential malicious options.
- config_options: {
- referer: ['network.http.sendRefererHeader', 'int'],
- native_gss_lib: ['network.negotiate-auth.using-native-gsslib', 'bool'],
- trusted_uris: ['network.negotiate-auth.trusted-uris', 'str'],
- allow_proxies: ['network.negotiate-auth.allow-proxies', 'bool']
- },
-
- // Some preconfigurations to make things easier. Can be good if UI is added
- // (mostly for future usage).
- predefined_configurations: {
- ipa: {
- referer: '2',
- native_gss_lib: 'true',
- trusted_uris: '',
- allow_proxies: 'true',
- append: ['trusted_uris']
- }
- },
-
- page_listener: function(event, dom_window) {
-
- var self = this;
-
- var conf = {
- event: event,
- window: dom_window || window,
- element: event.target
- };
-
- if (!conf.element.hasAttribute('method')) return;
-
- var method = conf.element.getAttribute('method');
-
- if (method === 'configure') self.configure(conf);
- if (method === 'can_configure') self.send_response(conf.element, { answer: 'true' });
- },
-
- send_response: function(element, options) {
-
- options = options || {};
-
- var doc = element.ownerDocument;
-
- for (var opt in options) {
- element.setAttribute(opt, options[opt]);
- }
-
- var answer_event = doc.createEvent("HTMLEvents");
- answer_event.initEvent("kerberos-auth-answer", true, false);
- element.dispatchEvent(answer_event);
- },
-
- notify_installed: function(window) {
- var doc = window.document;
- var event = doc.createEvent("HTMLEvents");
- event.initEvent("kerberos-auth-installed", true, false);
- doc.dispatchEvent(event);
- },
-
- configure: function(conf) {
- var self = this;
-
- var options = {}; // options to be configured
- var opt;
-
- // use predefined configuration if supplied
- if (conf.element.hasAttribute('predefined')) {
- var predefined = conf.element.getAttribute('predefined');
-
- var pconfig = self.predefined_configurations[predefined];
- if (pconfig) {
- for (opt in pconfig) {
- options[opt] = pconfig[opt];
- }
- }
- }
-
- // overwrite predefined with supplied and only supported options
- for (var i=0; i < conf.element.attributes.length; i++) {
- var attr = conf.element.attributes[i].name;
- if (attr in self.config_options) {
- options[attr] = conf.element.getAttribute(attr);
- }
- }
-
- if (self.prompt(conf, options)) {
- self.configure_core(conf, options);
- self.send_response(conf.element, { answer: 'configured' });
- } else {
- self.send_response(conf.element, { answer: 'aborted' });
- }
- },
-
- configure_core: function(conf, options) {
-
- var self = this;
-
- var prefs = Cc["@mozilla.org/preferences-service;1"].getService(Ci.nsIPrefBranch);
- var append_opts = options.append || [];
-
- for (var opt in options) {
-
- if (!self.config_options[opt]) continue;
-
- var name = self.config_options[opt][0];
- var type = self.config_options[opt][1];
- var value = options[opt];
-
- if (type === 'str') {
- if (value && append_opts.indexOf(opt) > -1) {
- var current = prefs.getCharPref(name) || '';
- if (this.str_contains(current, value)) {
- continue;
- } else if (current) {
- value = current + ', ' + value;
- }
- }
- prefs.setCharPref(name, value);
- } else if (type ==='int') {
- prefs.setIntPref(name, Number(value));
- } else if (type === 'bool') {
- prefs.setBoolPref(name, value === 'true');
- }
- }
- },
-
- str_contains: function(str, value) {
-
- if (!str) return false;
- var vals = str.split(',');
- for (var i=0, l=vals.length; i<l; i++) {
- if (vals[i].trim() === value) return true;
- }
- return false;
- },
-
- prompt: function(conf, options) {
- var strs = Cc["@mozilla.org/intl/stringbundle;1"].
- getService(Ci.nsIStringBundleService).
- createBundle("chrome://kerberosauth/locale/kerberosauth.properties");
-
- var prompts = Cc["@mozilla.org/embedcomp/prompt-service;1"].
- getService(Ci.nsIPromptService);
-
- var title = strs.GetStringFromName('prompt_title');
- var text = strs.GetStringFromName('prompt_topic');
-
- if (options.trusted_uris) {
- text += strs.GetStringFromName('prompt_domain').replace('${domain}', options.trusted_uris);
- }
- text += strs.GetStringFromName('prompt_question');
-
- var flags = prompts.STD_YES_NO_BUTTONS;
-
- var confirmed = prompts.confirmEx(conf.window, title, text, flags, "","","",
- null,{value: false}) === 0;
- return confirmed;
- }
-};
-
-var kerberosauth_listener = function(window) {
-
- return function(event) {
-
- kerberosauth.page_listener(event, window);
- };
-};
\ No newline at end of file
diff --git a/install/ffextension/chrome/content/kerberosauth_overlay.xul b/install/ffextension/chrome/content/kerberosauth_overlay.xul
deleted file mode 100644
index acad079..0000000
--- a/install/ffextension/chrome/content/kerberosauth_overlay.xul
+++ /dev/null
@@ -1,9 +0,0 @@
-<?xml version="1.0"?>
-
-<overlay id="kerberosauthOverlay" xmlns="http://www.mozilla.org/keymaster/gatekeeper/there.is.only.xul">
-
- <script type="application/x-javascript">
- Components.utils['import']("resource://kerberosauth/kerberosauth.js");
- window.addEventListener('kerberos-auth-config', kerberosauth_listener(window), false, true);
- </script>
-</overlay>
\ No newline at end of file
diff --git a/install/ffextension/install.rdf b/install/ffextension/install.rdf
deleted file mode 100644
index d931f19..0000000
--- a/install/ffextension/install.rdf
+++ /dev/null
@@ -1,26 +0,0 @@
-<?xml version="1.0"?>
-<RDF xmlns="http://www.w3.org/1999/02/22-rdf-syntax-ns#"
- xmlns:em="http://www.mozilla.org/2004/em-rdf#">
-
- <Description about="urn:mozilla:install-manifest">
-
- <em:id>kerberosauth@redhat.com</em:id>
- <em:name>Kerberos Configuration</em:name>
- <em:version>0.1</em:version>
- <em:description>Configures browser to use negotiate authentication</em:description>
- <em:type>2</em:type>
- <em:creator>Red Hat, Inc.</em:creator>
- <em:developer>Petr Vobornik</em:developer>
- <em:homepageURL>http://www.redhat.com/</em:homepageURL>
- <em:bootstrap>true</em:bootstrap>
-
- <!-- Firefox -->
- <em:targetApplication>
- <Description>
- <em:id>{ec8030f7-c20a-464f-9b0e-13a3a9e97384}</em:id>
- <em:minVersion>10.0</em:minVersion>
- <em:maxVersion>15.0.*</em:maxVersion>
- </Description>
- </em:targetApplication>
- </Description>
-</RDF>
\ No newline at end of file
diff --git a/install/ffextension/locale/Makefile.am b/install/ffextension/locale/Makefile.am
deleted file mode 100644
index 7e64536..0000000
--- a/install/ffextension/locale/Makefile.am
+++ /dev/null
@@ -1,19 +0,0 @@
-AUTOMAKE_OPTIONS = 1.7
-
-NULL =
-
-SUBDIRS = \
- en-US \
- $(NULL)
-
-appdir = $(IPA_DATA_DIR)/ffextension/locale
-app_DATA = \
- $(NULL)
-
-EXTRA_DIST = \
- $(app_DATA) \
- $(NULL)
-
-MAINTAINERCLEANFILES = \
- *~ \
- Makefile.in
diff --git a/install/ffextension/locale/en-US/Makefile.am b/install/ffextension/locale/en-US/Makefile.am
deleted file mode 100644
index d19e8c7..0000000
--- a/install/ffextension/locale/en-US/Makefile.am
+++ /dev/null
@@ -1,16 +0,0 @@
-AUTOMAKE_OPTIONS = 1.7
-
-NULL =
-
-appdir = $(IPA_DATA_DIR)/ffextension/locale/en-US
-app_DATA = \
- kerberosauth.properties \
- $(NULL)
-
-EXTRA_DIST = \
- $(app_DATA) \
- $(NULL)
-
-MAINTAINERCLEANFILES = \
- *~ \
- Makefile.in
diff --git a/install/ffextension/locale/en-US/kerberosauth.properties b/install/ffextension/locale/en-US/kerberosauth.properties
deleted file mode 100644
index b822535..0000000
--- a/install/ffextension/locale/en-US/kerberosauth.properties
+++ /dev/null
@@ -1,4 +0,0 @@
-prompt_title=Kerberos configuration confirmation
-prompt_topic=The page you are visiting is trying to configure Firefox for Kerberos authentication.
-prompt_domain=\n\nDomain: ${domain}
-prompt_question=\n\nDo you want to configure the browser?
\ No newline at end of file
diff --git a/install/share/Makefile.am b/install/share/Makefile.am
index b4cb831..b666bb2 100644
--- a/install/share/Makefile.am
+++ b/install/share/Makefile.am
@@ -51,7 +51,6 @@ app_DATA = \
krb5.conf.template \
krb5.ini.template \
krb.con.template \
- krb.js.template \
krbrealm.con.template \
smb.conf.template \
smb.conf.empty \
diff --git a/install/share/krb.js.template b/install/share/krb.js.template
deleted file mode 100644
index e7ea055..0000000
--- a/install/share/krb.js.template
+++ /dev/null
@@ -1,2 +0,0 @@
-var IPA_REALM = "$REALM";
-var IPA_DOMAIN = "$DOMAIN";
\ No newline at end of file
diff --git a/ipaplatform/base/paths.py b/ipaplatform/base/paths.py
index 1b79015..19dffb0 100644
--- a/ipaplatform/base/paths.py
+++ b/ipaplatform/base/paths.py
@@ -180,7 +180,6 @@ class BasePathNamespace(object):
BIN_TIMEOUT = "/usr/bin/timeout"
UPDATE_CA_TRUST = "/usr/bin/update-ca-trust"
BIN_CURL = "/usr/bin/curl"
- ZIP = "/usr/bin/zip"
BIND_LDAP_SO = "/usr/lib/bind/ldap.so"
BIND_LDAP_DNS_IPA_WORKDIR = "/var/named/dyndb-ldap/ipa/"
BIND_LDAP_DNS_ZONE_WORKDIR = "/var/named/dyndb-ldap/ipa/master/"
@@ -223,12 +222,9 @@ class BasePathNamespace(object):
USERADD = "/usr/sbin/useradd"
USR_SHARE_IPA_DIR = "/usr/share/ipa/"
CA_TOPOLOGY_ULDIF = "/usr/share/ipa/ca-topology.uldif"
- FFEXTENSION = "/usr/share/ipa/ffextension"
IPA_HTML_DIR = "/usr/share/ipa/html"
CA_CRT = "/usr/share/ipa/html/ca.crt"
- KERBEROSAUTH_XPI = "/usr/share/ipa/html/kerberosauth.xpi"
KRB_CON = "/usr/share/ipa/html/krb.con"
- KRB_JS = "/usr/share/ipa/html/krb.js"
HTML_KRB5_INI = "/usr/share/ipa/html/krb5.ini"
HTML_KRBREALM_CON = "/usr/share/ipa/html/krbrealm.con"
NIS_ULDIF = "/usr/share/ipa/nis.uldif"
diff --git a/ipaserver/install/httpinstance.py b/ipaserver/install/httpinstance.py
index b0fbe69..8b2d2ea 100644
--- a/ipaserver/install/httpinstance.py
+++ b/ipaserver/install/httpinstance.py
@@ -130,7 +130,7 @@ class HTTPInstance(service.Service):
subject_base = ipautil.dn_attribute_property('_subject_base')
def create_instance(self, realm, fqdn, domain_name, dm_password=None,
- autoconfig=True, pkcs12_info=None,
+ pkcs12_info=None,
subject_base=None, auto_redirect=True, ca_file=None,
ca_is_configured=None, promote=False):
self.fqdn = fqdn
@@ -173,8 +173,6 @@ class HTTPInstance(service.Service):
self.step("setting up httpd keytab", self.__create_http_keytab)
self.step("setting up ssl", self.__setup_ssl)
self.step("importing CA certificates from LDAP", self.__import_ca_certs)
- if autoconfig:
- self.step("setting up browser autoconfig", self.__setup_autoconfig)
if not self.promote:
self.step("publish CA cert", self.__publish_ca_cert)
self.step("clean up any existing httpd ccache", self.remove_httpd_ccache)
@@ -371,42 +369,6 @@ class HTTPInstance(service.Service):
db = certs.CertDB(self.realm, subject_base=self.subject_base)
self.import_ca_certs(db, self.ca_is_configured)
- def __setup_autoconfig(self):
- self.setup_firefox_extension(self.realm, self.domain)
-
- def setup_firefox_extension(self, realm, domain):
- """Set up the signed browser configuration extension
- """
-
- target_fname = paths.KRB_JS
- sub_dict = dict(REALM=realm, DOMAIN=domain)
- db = certs.CertDB(realm)
- with open(db.passwd_fname) as pwdfile:
- pwd = pwdfile.read()
-
- ipautil.copy_template_file(ipautil.SHARE_DIR + "krb.js.template",
- target_fname, sub_dict)
- os.chmod(target_fname, 0o644)
-
- # Setup extension
- tmpdir = tempfile.mkdtemp(prefix="tmp-")
- extdir = tmpdir + "/ext"
- target_fname = paths.KERBEROSAUTH_XPI
- shutil.copytree(paths.FFEXTENSION, extdir)
- if db.has_nickname('Signing-Cert'):
- db.run_signtool(["-k", "Signing-Cert",
- "-p", pwd,
- "-X", "-Z", target_fname,
- extdir])
- else:
- root_logger.warning('Object-signing certificate was not found. '
- 'Creating unsigned Firefox configuration extension.')
- filenames = os.listdir(extdir)
- ipautil.run([paths.ZIP, '-r', target_fname] + filenames,
- cwd=extdir)
- shutil.rmtree(tmpdir)
- os.chmod(target_fname, 0o644)
-
def __publish_ca_cert(self):
ca_db = certs.CertDB(self.realm)
ca_db.publish_ca_cert(paths.CA_CRT)
diff --git a/ipaserver/install/server/replicainstall.py b/ipaserver/install/server/replicainstall.py
index e3052c1..6d7ccde 100644
--- a/ipaserver/install/server/replicainstall.py
+++ b/ipaserver/install/server/replicainstall.py
@@ -180,12 +180,10 @@ def install_http(config, auto_redirect, ca_is_configured, promote=False,
http = httpinstance.HTTPInstance()
http.create_instance(
config.realm_name, config.host_name, config.domain_name,
- config.dirman_password, False, pkcs12_info,
+ config.dirman_password, pkcs12_info,
auto_redirect=auto_redirect, ca_file=ca_file,
ca_is_configured=ca_is_configured, promote=promote)
- http.setup_firefox_extension(config.realm_name, config.domain_name)
-
return http
diff --git a/ipaserver/install/server/upgrade.py b/ipaserver/install/server/upgrade.py
index 3e60cfd..622f5f1 100644
--- a/ipaserver/install/server/upgrade.py
+++ b/ipaserver/install/server/upgrade.py
@@ -282,16 +282,6 @@ def cleanup_adtrust(fstore):
root_logger.debug('Removing %s from backup', backed_up_file)
-def setup_firefox_extension(fstore):
- """Set up the Firefox configuration extension, if it's not set up yet
- """
- root_logger.info('[Setting up Firefox extension]')
- http = httpinstance.HTTPInstance(fstore)
- realm = api.env.realm
- domain = api.env.domain
- http.setup_firefox_extension(realm, domain)
-
-
def ca_configure_profiles_acl(ca):
root_logger.info('[Authorizing RA Agent to modify profiles]')
@@ -1600,7 +1590,6 @@ def upgrade_configuration():
cleanup_kdc(fstore)
cleanup_adtrust(fstore)
- setup_firefox_extension(fstore)
add_ca_dns_records()
# Any of the following functions returns True iff the named.conf file

24
debian/patches/revert-pykerberos-api-change.diff vendored Normal file
View File

@@ -0,0 +1,24 @@
Description: so we don't need to patch pykerberos
--- a/ipalib/util.py
+++ b/ipalib/util.py
@@ -59,15 +59,12 @@ def json_serialize(obj):
def get_current_principal():
try:
- import kerberos
- rc, vc = kerberos.authGSSClientInit("notempty")
- rc = kerberos.authGSSClientInquireCred(vc)
- username = kerberos.authGSSClientUserName(vc)
- kerberos.authGSSClientClean(vc)
- return unicode(username)
+ # krbV isn't necessarily available on client machines, fail gracefully
+ import krbV
+ return unicode(krbV.default_context().default_ccache().principal().name)
except ImportError:
- raise RuntimeError('python-kerberos is not available.')
- except kerberos.GSSError, e:
+ raise RuntimeError('python-krbV is not available.')
+ except krbV.Krb5Error:
#TODO: do a kinit?
raise errors.CCacheError()

24
debian/patches/series vendored
View File

@@ -1,21 +1,17 @@
# upstreamed
configure-apache-from-installer.diff
# not upstreamable
work-around-apache-fail.diff
prefix.patch
hack-libarch.diff
enable-mod-nss-during-setup.diff
no-test-lang.diff
port-ipa-client-automount.diff
# send upstream
fix-match-hostname.diff
add-debian-platform.diff
fix-hyphen-used-as-minus-sign.patch
fix-manpage-has-errors-from-man.patch
fix-typo.patch
fix-ipa-conf.diff
fix-kdcproxy-paths.diff
fix-ipa-otpd-install.diff
fix-replicainstall.diff
fix-dnssec-services.diff
create-sysconfig-ods.diff
fix-named-conf-template.diff
fix-memcached.diff
fix-oddjobs.diff
purge-firefox-extension.diff
fix-pykerberos-api.diff
revert-pykerberos-api-change.diff
fix-bind-conf.diff
add-a-clear-openssl-exception.diff

52
debian/patches/work-around-apache-fail.diff vendored
View File

@@ -1,7 +1,19 @@
Description: service apache2 restart fails on sid, so don't do that
--- a/install/tools/ipa-server-install
+++ b/install/tools/ipa-server-install
@@ -1212,7 +1212,8 @@ def main():
# Restart httpd to pick up the new IPA configuration
service.print_msg("Restarting the web server")
- http.restart()
+ http.stop()
+ http.start()
# Set the admin user kerberos password
ds.change_admin_password(admin_password)
--- a/ipaserver/install/httpinstance.py
+++ b/ipaserver/install/httpinstance.py
@@ -191,7 +191,8 @@ class HTTPInstance(service.Service):
@@ -124,7 +124,8 @@ class HTTPInstance(service.Service):
def __start(self):
self.backup_state("running", self.is_running())
@@ -10,40 +22,4 @@ Description: service apache2 restart fails on sid, so don't do that
+ self.start()
def __enable(self):
self.backup_state("enabled", self.is_enabled())
--- a/install/tools/ipa-dns-install
+++ b/install/tools/ipa-dns-install
@@ -142,7 +142,8 @@ def main():
fstore = sysrestore.FileStore(paths.SYSRESTORE)
http = httpinstance.HTTPInstance(fstore)
service.print_msg("Restarting the web server")
- http.restart()
+ http.stop()
+ http.start()
# execute ipactl to refresh services status
ipautil.run(['ipactl', 'start', '--ignore-service-failures'],
--- a/ipaserver/install/server/install.py
+++ b/ipaserver/install/server/install.py
@@ -999,7 +999,8 @@ def install(installer):
# Restart httpd to pick up the new IPA configuration
service.print_msg("Restarting the web server")
- http.restart()
+ http.stop()
+ http.start()
# update DNA shared config entry is done as far as possible
# from restart to avoid waiting for its creation
--- a/ipaserver/install/server/replicainstall.py
+++ b/ipaserver/install/server/replicainstall.py
@@ -856,7 +856,8 @@ def install(installer):
# Restart httpd to pick up the new IPA configuration
service.print_msg("Restarting the web server")
- http.restart()
+ http.stop()
+ http.start()
# Call client install script
service.print_msg("Configuring client side components")
self.backup_state("enabled", self.is_running())