Imported Debian patch 4.8.10-2

Timo Aaltonen
2020-11-23 20:48:56 +02:00
committed by Mario Fetka
parent 8bc559c5a1
commit 358acdd85f
917 changed files with 1185414 additions and 1069733 deletions

143
debian/changelog vendored

@@ -1,9 +1,152 @@
freeipa (4.8.10-2) unstable; urgency=medium
* client: Drop obsolete nssdb migration, which is now causing an
error. (Closes: #971363)
* Move ipa-epn service to -client-epn package.
* control: Rebuild against new krb5.
-- Timo Aaltonen <tjaalton@debian.org> Mon, 23 Nov 2020 20:48:56 +0200
freeipa (4.8.10-1) unstable; urgency=medium
* New upstream release.
* control: Build freeipa-client-epn only where nodejs is available.
(Closes: #970230)
* install: ipa-print-pac belongs to the server instead of -client-epn.
* control, pkcs11-openssl-for-bind.diff: Add support for bind 9.16.
(LP: #1874568)
* fix-chrony-service-name.diff: Map to correct chrony service name.
(Closes: #968428)
* freeipa-client-epn.install: Add epn.conf.
-- Timo Aaltonen <tjaalton@debian.org> Mon, 28 Sep 2020 13:12:26 +0300
freeipa (4.8.8-2) unstable; urgency=medium
* copyright: Fix duplicate-globbing-patterns lintian error.
-- Timo Aaltonen <tjaalton@debian.org> Wed, 02 Sep 2020 11:05:55 +0300
freeipa (4.8.8-1) unstable; urgency=medium
* New upstream release.
- CVE-2020-1722 (Closes: #966200)
* use-bind9.16.diff: Fix some paths to what's in bind9 9.16.
* write-out-only-one-cert-per-file.diff, tasks-fixes.diff: Dropped,
upstream.
* control: Replace node-uglify build-dependency with python3-rjsmin.
* control: Add freeipa-client-epn package.
* .install: Updated.
* control: Drop libnss3-dev from build-depends, use libssl for util &
libotp.
* fix-sssd-socket-activation.diff: Don't add a 'services =' line on
sssd.conf. (LP: #1879083)
* sources: Fix some lintian errors.
-- Timo Aaltonen <tjaalton@debian.org> Wed, 02 Sep 2020 08:05:51 +0300
freeipa (4.8.6-1) unstable; urgency=medium
* New upstream release.
* pki-proxy-Don-t-rely-on-running-apache-until-it-s-co.patch: Dropped,
upstream.
* migrate-to-gpg.diff: Use gpg instead of gpg2, update dependencies.
(Closes: #919062)
* control: Bump gssproxy depends.
* control: Relax apache2 dependency so it works on ubuntu.
* control: Bump policy to 4.5.0.
* control: Fix some M-A issues.
* control: Drop the dummy freeipa-admintools package.
* source: Update diff-ignore.
* rules: Don't remove po/ipa.pot on clean.
* tasks-fixes.diff: Use enable/disable_ldap_automount from base,
parse_ipa_version from redhat. Add librpm8 to python3-ipalib Depends.
* dnssec-race-wa.diff: Work-around racy dnssec setup, the socket isn't
necessarily ready when doing policy import.
* control: Update bind9-utils dependency.
* control: Bump depends on opendnssec.
-- Timo Aaltonen <tjaalton@debian.org> Tue, 07 Apr 2020 06:28:03 +0300
freeipa (4.8.5-1) unstable; urgency=medium
* New upstream release.
* control: Drop client from freeipa-tests depends.
* Fix-font-awesome-path.patch: Dropped, upstream.
* fix-ods-conf-template.diff: Dropped, upstream.
* Use debhelper-compat.
* Add debian/gitlab-ci.yml.
- allow blhc and piuparts to fail
* write-out-only-one-cert-per-file.diff: Fix writing CA cert to file.
* tests: Make failure an actual failure again, and dump only last 2000
lines on failure, also from ipaclient log.
* rules: Import architecture.mk.
* source: Update extend-diff-ignore.
* server.install: Updated.
* pki-proxy-Don-t-rely-on-running-apache-until-it-s-co.patch: Fix
httpd_proxy install.
* control: Bump dependency on apache2 to where mod_proxy_ajp got fixed.
* tests: Add sudo to dependencies for dogtag.
-- Timo Aaltonen <tjaalton@debian.org> Wed, 25 Mar 2020 19:42:37 +0200
freeipa (4.8.3-1) unstable; urgency=medium
* New upstream release.
- CVE-2019-10195: Don't log passwords embedded in commands in calls
using batch
- CVE-2019-14867: Make sure to have storage space for tag
* Fix-font-awesome-path.patch: Fix the path to font-awesome dir. (LP:
#1853863)
-- Timo Aaltonen <tjaalton@debian.org> Tue, 26 Nov 2019 20:14:47 +0200
freeipa (4.8.2-1) unstable; urgency=medium
* New upstream release.
* control: Server needs to depend on the py3 version of mod-wsgi.
* server.install: Updated.
-- Timo Aaltonen <tjaalton@debian.org> Wed, 20 Nov 2019 19:58:42 +0200
freeipa (4.8.1-2) unstable; urgency=medium
* client.postinst: Migrate checks to python3. (Closes: #936555)
* server.postinst: Let ipactl run the upgrader when needed, drop it from here.
* control: Add python3-pki-base to python3-ipaserver depends.
* control: Add ssl-cert to freeipa-server depends.
-- Timo Aaltonen <tjaalton@debian.org> Thu, 12 Sep 2019 00:30:23 +0300
freeipa (4.8.1-1) experimental; urgency=medium
* New upstream release.
* Drop upstreamed patches.
* install: Updated.
* fix-ods-conf-template.diff: Drop an obsolete conf option.
* rules: Rework gentarball target.
* control: Bump policy to 4.4.0.
* Bump debhelper compat to 12.
* Migrate to python3.
* d/s/local-options: Updated.
* install: Updated.
* control, install: Add freeipa-client-samba.
* d/pydist-overrides: Updated.
-- Timo Aaltonen <tjaalton@debian.org> Sun, 08 Sep 2019 00:18:39 +0300
freeipa (4.7.2-3) unstable; urgency=medium
* control: Move python-jwcrypto to python-ipaserver depends.
-- Timo Aaltonen <tjaalton@debian.org> Mon, 06 May 2019 08:43:34 +0300
freeipa (4.7.2-2+exp1) experimental; urgency=medium
* rules: Build the server for experimental.
-- Timo Aaltonen <tjaalton@debian.org> Tue, 12 Feb 2019 16:05:05 +0200
freeipa (4.7.2-2) unstable; urgency=medium
* tests: Disabled, they are for the server.
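Review bot: the 4.8.8-1 entry records CVE-2020-1722 with nothing but a bug number, while the 4.8.3-1 entry gives each CVE a one-line summary ("CVE-2019-10195: Don't log passwords embedded in commands in calls using batch"); add the same kind of summary for CVE-2020-1722 so the changelog says what was fixed without a trip to #966200. The 4.8.10-2 entry "Drop obsolete nssdb migration, which is now causing an error" should also name the cause: the client.postinst hunk in this commit shows the migration invoked python2 against ipaclient, which this series ships only as python3-ipaclient, so the entry reads as a bug in the migration when the real situation is that it can no longer run and legacy cert8.db databases are simply left untouched.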

1
debian/compat vendored

@@ -1 +0,0 @@
11
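Review bot: deleting debian/compat is required here, not optional: once Build-Depends carries debhelper-compat (= 12), a leftover debian/compat makes debhelper abort for declaring the compatibility level twice, so this hunk and the Build-Depends change in debian/control and control.stub must land in the same upload.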

383
debian/control vendored

@@ -3,13 +3,13 @@ Section: net
Priority: optional
Maintainer: Debian FreeIPA Team <pkg-freeipa-devel@alioth-lists.debian.net>
Uploaders: Timo Aaltonen <tjaalton@debian.org>
Standards-Version: 4.1.5
Standards-Version: 4.5.0
Vcs-Git: https://salsa.debian.org/freeipa-team/freeipa.git
Vcs-Browser: https://salsa.debian.org/freeipa-team/freeipa
Homepage: http://www.freeipa.org
Build-Depends:
check,
debhelper (>= 11),
debhelper-compat (= 12),
dh-python,
gettext,
krb5-user,
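Review bot: debian/control appears to be a generated file (control.stub, control.common and control.server change in this same commit with the same hunks), so this hunk should be the output of regenerating it rather than a hand edit kept in sync with the stubs; the archive builds from debian/control, so any drift between the two is what actually ships. Independently, Homepage still reads http://www.freeipa.org both here and in control.stub; switching it to https costs nothing and stops apt front-ends from advertising a plaintext link.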
@@ -19,51 +19,56 @@ Build-Depends:
libkrb5-dev (>= 1.16),
libldap2-dev,
libnspr4-dev,
libnss3-dev,
libpopt-dev,
libsasl2-dev,
libssl-dev,
libtalloc-dev,
libxmlrpc-core-c3-dev (>= 1.33.06),
python-all-dev,
python-cryptography,
python-dbus,
python-dnspython (>= 1.11.1),
python-gssapi,
python-jinja2,
python-kdcproxy,
python-ldap (>= 3.1),
python-lesscpy,
python-libipa-hbac,
python-libsss-nss-idmap,
python-lxml,
python-netaddr,
python-netifaces (>= 0.10.4),
python-nose,
python-nss (>= 0.16.0),
python-polib,
python-pyasn1,
python-qrcode (>= 5.0.0),
python-setuptools,
python-six,
python-sss (>= 1.14.0),
python-usb (>= 1.0.0~b2),
python-yubico,
python3-all-dev,
python3-cryptography,
python3-dbus,
python3-dnspython (>= 1.11.1),
python3-gssapi,
python3-jinja2,
python3-kdcproxy,
python3-ldap (>= 3.1),
python3-lesscpy,
python3-libipa-hbac,
python3-libsss-nss-idmap,
python3-lxml,
python3-netaddr,
python3-netifaces (>= 0.10.4),
python3-nose,
python3-nss (>= 0.16.0),
python3-polib,
python3-pyasn1,
python3-qrcode (>= 5.0.0),
python3-setuptools,
python3-six,
python3-sss (>= 1.14.0),
python3-usb (>= 1.0.0~b2),
python3-yubico,
systemd,
uuid-dev,
Package: freeipa-admintools
Architecture: any
Depends: ${misc:Depends},
Description: transitional dummy package
This is a transitional dummy package, it can be safely removed.
389-ds-base-dev (>= 1.3.7.9),
libsss-idmap-dev,
libsss-certmap-dev,
libsss-nss-idmap-dev (>= 1.14.0),
libtevent-dev,
libunistring-dev,
libverto-dev,
nodejs [amd64 arm64 armhf i386 mips mips64el mipsel ppc64 ppc64el s390x],
pki-base (>= 10.6.0~),
python3-lesscpy,
python3-pkg-resources,
python3-rjsmin,
samba-dev,
Package: freeipa-common
Architecture: all
Breaks: python-freeipa
Replaces: python-freeipa
Depends:
${misc:Depends},
Multi-Arch: foreign
Description: FreeIPA centralized identity framework -- common files
FreeIPA is an integrated solution to provide centrally managed Identity
(machine, user, virtual machines, groups, authentication credentials), Policy
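Review bot: python3-nss (>= 0.16.0) survives in Build-Depends (and in python3-ipalib's Depends further down) even though the 4.8.8-1 entry drops libnss3-dev in favour of libssl for util and libotp; if nothing in the python3 tree imports nss any more, drop it here as well, otherwise the NSS build dependency is only half removed. The hunk also still shows libnspr4-dev and libnss3-dev in the list; confirm those are removed lines rather than retained context, because the rendered diff does not mark them.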
@@ -75,7 +80,7 @@ Description: FreeIPA centralized identity framework -- common files
Package: freeipa-client
Architecture: any
Depends:
bind9utils,
bind9-utils,
certmonger (>= 0.79.5-2),
curl,
dnsutils,
@@ -88,22 +93,19 @@ Depends:
libsss-sudo,
libxmlrpc-core-c3 (>= 1.16.33-3.1ubuntu5),
oddjob-mkhomedir,
python-dnspython,
python-ipaclient (= ${source:Version}),
python-gssapi,
python-ldap,
python-sss,
python3-dnspython,
python3-ipaclient (= ${source:Version}),
python3-gssapi,
python3-ldap,
python3-sss,
sssd (>= 1.14.0),
${misc:Depends},
${python:Depends},
${python3:Depends},
${shlibs:Depends}
Recommends:
chrony,
Suggests:
libpam-krb5,
Breaks: freeipa-admintools (<< 4.6.3-2~)
Replaces: freeipa-admintools (<< 4.6.3-2~)
Provides: freeipa-admintools
Description: FreeIPA centralized identity framework -- client
FreeIPA is an integrated solution to provide centrally managed Identity
(machine, user, virtual machines, groups, authentication credentials), Policy
@@ -112,64 +114,287 @@ Description: FreeIPA centralized identity framework -- client
.
This is the client package.
Package: python-ipaclient
Package: freeipa-client-epn
Architecture: amd64 arm64 armhf i386 mips mips64el mipsel ppc64 ppc64el s390x
Depends:
freeipa-client (= ${binary:Version}),
${misc:Depends},
${python3:Depends},
${shlibs:Depends}
Breaks: freeipa-server (<< 4.8.10-2)
Replaces: freeipa-server (<< 4.8.10-2)
Description: FreeIPA centralized identity framework -- tools for configuring Expiring Password Notification
FreeIPA is an integrated solution to provide centrally managed Identity
(machine, user, virtual machines, groups, authentication credentials), Policy
(configuration settings, access control information) and Audit (events,
logs, analysis thereof).
.
This package provides a service to collect and send expiring password
notifications via email (SMTP).
Package: freeipa-client-samba
Architecture: any
Depends:
cifs-utils,
freeipa-client (= ${binary:Version}),
libwbclient-sssd,
python3-samba,
samba-common-bin,
smbclient,
tdb-tools,
winbind,
${misc:Depends},
${python3:Depends},
Multi-Arch: same
Description: FreeIPA centralized identity framework -- Samba client
FreeIPA is an integrated solution to provide centrally managed Identity
(machine, user, virtual machines, groups, authentication credentials), Policy
(configuration settings, access control information) and Audit (events,
logs, analysis thereof).
.
This package provides command-line tools to deploy Samba domain member
on the machine enrolled into a FreeIPA environment.
Package: python3-ipaclient
Architecture: all
Section: python
Breaks: freeipa-client (<< 4.3.0-1)
Replaces: freeipa-client (<< 4.3.0-1)
Depends:
freeipa-common (= ${binary:Version}),
python-augeas,
python-dnspython,
python-ipalib (>= ${source:Version}),
python-jinja2,
python3-augeas,
python3-dnspython,
python3-ipalib (>= ${source:Version}),
python3-jinja2,
${misc:Depends},
${python:Depends},
Description: FreeIPA centralized identity framework -- Python modules for ipaclient
${python3:Depends},
Description: FreeIPA centralized identity framework -- Python3 modules for ipaclient
FreeIPA is an integrated solution to provide centrally managed Identity
(machine, user, virtual machines, groups, authentication credentials), Policy
(configuration settings, access control information) and Audit (events,
logs, analysis thereof).
.
This Python module is used by FreeIPA client.
This Python3 module is used by FreeIPA client.
Package: python-ipalib
Package: python3-ipalib
Architecture: all
Section: python
Breaks: python-freeipa
Replaces: python-freeipa
Depends:
freeipa-common (= ${source:Version}),
gnupg2,
gnupg-agent,
gnupg,
gpg-agent,
keyutils,
python-cffi,
python-cryptography,
python-dbus,
python-dnspython,
python-gssapi,
python-ldap,
python-libipa-hbac,
python-lxml,
python-netaddr,
python-netifaces (>= 0.10.4),
python-nss (>= 0.16.0),
python-pyasn1,
python-qrcode (>= 5.0.0),
python-requests,
python-setuptools,
python-six,
python-usb (>= 1.0.0~b2),
python-yubico,
librpm8,
python3-cffi,
python3-cryptography,
python3-dbus,
python3-dnspython,
python3-gssapi,
python3-ldap,
python3-libipa-hbac,
python3-lxml,
python3-netaddr,
python3-netifaces (>= 0.10.4),
python3-nss (>= 0.16.0),
python3-pyasn1,
python3-qrcode (>= 5.0.0),
python3-requests,
python3-setuptools,
python3-six,
python3-usb (>= 1.0.0~b2),
python3-yubico,
systemd,
${misc:Depends},
${python:Depends},
${python3:Depends},
${shlibs:Depends},
Description: FreeIPA centralized identity framework -- shared Python modules
Description: FreeIPA centralized identity framework -- shared Python3 modules
FreeIPA is an integrated solution to provide centrally managed Identity
(machine, user, virtual machines, groups, authentication credentials), Policy
(configuration settings, access control information) and Audit (events,
logs, analysis thereof).
.
This Python module is used by other FreeIPA packages.
This Python3 module is used by other FreeIPA packages.
Package: freeipa-server
Architecture: amd64 arm64 armhf i386 mips mips64el mipsel ppc64 ppc64el s390x
Breaks: freeipa-server-trust-ad (<< 4.3.0-1)
Replaces: freeipa-server-trust-ad (<< 4.3.0-1)
Depends:
389-ds-base (>= 1.3.7.9),
acl,
adduser,
apache2 (>= 2.4.41-4ubuntu2),
certmonger (>= 0.79.5-2),
chrony,
custodia (>= 0.5.0),
fonts-font-awesome,
fonts-open-sans,
freeipa-client (= ${binary:Version}),
freeipa-common (= ${source:Version}),
gssproxy (>= 0.8.2-2),
krb5-admin-server,
krb5-kdc,
krb5-kdc-ldap,
krb5-otp,
krb5-pkinit,
ldap-utils,
libapache2-mod-auth-gssapi (>= 1.5.0),
libapache2-mod-lookup-identity (>= 1.0.0),
libapache2-mod-wsgi-py3,
libjs-dojo-core,
libjs-jquery,
libjs-scriptaculous,
libnss3-tools,
libsasl2-modules-gssapi-mit,
oddjob (>= 0.34.3-2),
p11-kit,
pki-ca (>= 10.6.0~),
pki-kra (>= 10.6.0~),
python3-dateutil,
python3-ipaserver (= ${source:Version}),
python3-gssapi,
python3-ldap (>= 2.4.22),
python3-systemd,
slapi-nis (>= 0.56.1),
ssl-cert,
sssd-dbus,
systemd-sysv,
${misc:Depends},
${python3:Depends},
${shlibs:Depends}
Recommends:
freeipa-server-dns,
Description: FreeIPA centralized identity framework -- server
FreeIPA is an integrated solution to provide centrally managed Identity
(machine, user, virtual machines, groups, authentication credentials), Policy
(configuration settings, access control information) and Audit (events,
logs, analysis thereof).
.
This is the server package.
Package: freeipa-server-dns
Architecture: all
Breaks: freeipa-server (<< 4.3.0-1)
Replaces: freeipa-server (<< 4.3.0-1)
Depends:
freeipa-server (>= ${source:Version}),
bind9 (>= 1:9.16),
bind9-dyndb-ldap (>= 11.4),
libengine-pkcs11-openssl,
opendnssec (>= 1:2.1.5),
softhsm2,
${misc:Depends},
${python3:Depends},
${shlibs:Depends}
Description: FreeIPA centralized identity framework -- IPA DNS integration
FreeIPA is an integrated solution to provide centrally managed Identity
(machine, user, virtual machines, groups, authentication credentials), Policy
(configuration settings, access control information) and Audit (events,
logs, analysis thereof).
.
This package adds DNS integration with BIND 9.
Package: freeipa-server-trust-ad
Architecture: amd64 arm64 armhf i386 mips mips64el mipsel ppc64 ppc64el s390x
Depends:
freeipa-common (= ${source:Version}),
freeipa-server (= ${binary:Version}),
python3-ipaserver (= ${source:Version}),
python3-samba,
samba,
winbind,
${misc:Depends},
${python3:Depends},
${shlibs:Depends}
Multi-Arch: same
Description: FreeIPA centralized identity framework -- AD trust installer
FreeIPA is an integrated solution to provide centrally managed Identity
(machine, user, virtual machines, groups, authentication credentials), Policy
(configuration settings, access control information) and Audit (events,
logs, analysis thereof).
.
Cross-realm trusts with Active Directory in IPA require working Samba 4
installation. This package is provided for convenience to install all required
dependencies at once.
Package: freeipa-tests
Architecture: all
Depends:
python3-ipalib (>= ${source:Version}),
python3-ipatests (>= ${source:Version}),
python3-pytest,
${misc:Depends},
${python3:Depends}
Recommends: python3-yaml
Description: FreeIPA centralized identity framework -- tests
FreeIPA is an integrated solution to provide centrally managed Identity
(machine, user, virtual machines, groups, authentication credentials), Policy
(configuration settings, access control information) and Audit (events,
logs, analysis thereof).
.
This package contains tests that verify IPA functionality.
Package: python3-ipaserver
Architecture: all
Section: python
Breaks: freeipa-server (<< 4.3.0-1),
freeipa-server-trust-ad (<< 4.4.4-1),
Replaces: freeipa-server (<< 4.3.0-1),
freeipa-server-trust-ad (<< 4.4.4-1),
Depends:
freeipa-common (= ${binary:Version}),
pki-tools (>= 10.2.6-3),
python3-custodia (>= 0.5.0),
python3-dbus,
python3-dnspython,
python3-gssapi,
python3-ipaclient (= ${binary:Version}),
python3-ipalib (>= ${source:Version}),
python3-jwcrypto,
python3-kdcproxy,
python3-ldap (>= 2.4.22),
python3-libsss-nss-idmap,
python3-pki-base,
python3-pyasn1,
python3-sss,
samba-common,
zip,
${misc:Depends},
${python3:Depends},
Description: FreeIPA centralized identity framework -- Python3 modules for server
FreeIPA is an integrated solution to provide centrally managed Identity
(machine, user, virtual machines, groups, authentication credentials), Policy
(configuration settings, access control information) and Audit (events,
logs, analysis thereof).
.
This Python3 module is used by FreeIPA server.
Package: python3-ipatests
Architecture: all
Section: python
Breaks: freeipa-tests (<< 4.3.0-1)
Replaces: freeipa-tests (<< 4.3.0-1)
Depends:
libnss3-tools,
python3-coverage,
python3-ipalib (>= ${source:Version}),
python3-mock,
python3-paramiko,
python3-paste,
python3-polib,
python3-pytest-multihost,
python3-pytest-sourceorder,
python3-sss,
xz-utils,
${misc:Depends},
${python3:Depends}
Recommends: python3-yaml
Description: FreeIPA centralized identity framework -- Python3 modules for tests
FreeIPA is an integrated solution to provide centrally managed Identity
(machine, user, virtual machines, groups, authentication credentials), Policy
(configuration settings, access control information) and Audit (events,
logs, analysis thereof).
.
This Python3 module is used by FreeIPA tests.
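Review bot: the python3-ldap floors disagree: Build-Depends requires python3-ldap (>= 3.1), but freeipa-server and python3-ipaserver only require python3-ldap (>= 2.4.22) at runtime, so a host can satisfy the package with a python3-ldap older than the one it was built and tested against. Raise both runtime constraints to (>= 3.1), or lower the build one if 3.1 is not actually needed, so the two say the same thing.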

134
debian/control.common vendored

@@ -1,16 +1,9 @@
Package: freeipa-admintools
Architecture: any
Depends: ${misc:Depends},
Description: transitional dummy package
This is a transitional dummy package, it can be safely removed.
Package: freeipa-common
Architecture: all
Breaks: python-freeipa
Replaces: python-freeipa
Depends:
${misc:Depends},
Multi-Arch: foreign
Description: FreeIPA centralized identity framework -- common files
FreeIPA is an integrated solution to provide centrally managed Identity
(machine, user, virtual machines, groups, authentication credentials), Policy
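Review bot: dropping the freeipa-admintools dummy stanza is safe for upgrades only because freeipa-client keeps Breaks/Replaces/Provides: freeipa-admintools (<< 4.6.3-2~) in the next hunk, so the old name still resolves; keep those three lines for as long as a release that shipped the dummy is upgradeable. The no-longer-built binary lingers in unstable as cruft until ftp-masters remove it, which is expected and needs no packaging change, but is worth knowing when the dummy is still visible in the archive after this upload.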
@@ -22,7 +15,7 @@ Description: FreeIPA centralized identity framework -- common files
Package: freeipa-client
Architecture: any
Depends:
bind9utils,
bind9-utils,
certmonger (>= 0.79.5-2),
curl,
dnsutils,
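Review bot: renaming bind9utils to bind9-utils follows the bind9 9.16 package split, but dnsutils two lines below is the transitional name from that same split; nsupdate, the tool ipa-client-install drives for DNS updates, now lives in bind9-dnsutils. Switch it in the same hunk so the client does not depend on a transitional package for the BIND binary it actually uses.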
@@ -35,22 +28,19 @@ Depends:
libsss-sudo,
libxmlrpc-core-c3 (>= 1.16.33-3.1ubuntu5),
oddjob-mkhomedir,
python-dnspython,
python-ipaclient (= ${source:Version}),
python-gssapi,
python-ldap,
python-sss,
python3-dnspython,
python3-ipaclient (= ${source:Version}),
python3-gssapi,
python3-ldap,
python3-sss,
sssd (>= 1.14.0),
${misc:Depends},
${python:Depends},
${python3:Depends},
${shlibs:Depends}
Recommends:
chrony,
Suggests:
libpam-krb5,
Breaks: freeipa-admintools (<< 4.6.3-2~)
Replaces: freeipa-admintools (<< 4.6.3-2~)
Provides: freeipa-admintools
Description: FreeIPA centralized identity framework -- client
FreeIPA is an integrated solution to provide centrally managed Identity
(machine, user, virtual machines, groups, authentication credentials), Policy
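Review bot: libxmlrpc-core-c3 (>= 1.16.33-3.1ubuntu5) carries an Ubuntu revision in a package uploaded to Debian unstable; under Debian's version ordering a 1.16.33-3.1 would fail it while 1.16.33-4 would pass, so the constraint encodes an accident of Ubuntu history rather than a feature floor. If the requirement is an upstream fix, write it as the upstream version (>= 1.16.33) or as the Debian revision that carries it; if it is obsolete, drop the version entirely.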
@@ -59,64 +49,104 @@ Description: FreeIPA centralized identity framework -- client
.
This is the client package.
Package: python-ipaclient
Package: freeipa-client-epn
Architecture: amd64 arm64 armhf i386 mips mips64el mipsel ppc64 ppc64el s390x
Depends:
freeipa-client (= ${binary:Version}),
${misc:Depends},
${python3:Depends},
${shlibs:Depends}
Breaks: freeipa-server (<< 4.8.10-2)
Replaces: freeipa-server (<< 4.8.10-2)
Description: FreeIPA centralized identity framework -- tools for configuring Expiring Password Notification
FreeIPA is an integrated solution to provide centrally managed Identity
(machine, user, virtual machines, groups, authentication credentials), Policy
(configuration settings, access control information) and Audit (events,
logs, analysis thereof).
.
This package provides a service to collect and send expiring password
notifications via email (SMTP).
Package: freeipa-client-samba
Architecture: any
Depends:
cifs-utils,
freeipa-client (= ${binary:Version}),
libwbclient-sssd,
python3-samba,
samba-common-bin,
smbclient,
tdb-tools,
winbind,
${misc:Depends},
${python3:Depends},
Multi-Arch: same
Description: FreeIPA centralized identity framework -- Samba client
FreeIPA is an integrated solution to provide centrally managed Identity
(machine, user, virtual machines, groups, authentication credentials), Policy
(configuration settings, access control information) and Audit (events,
logs, analysis thereof).
.
This package provides command-line tools to deploy Samba domain member
on the machine enrolled into a FreeIPA environment.
Package: python3-ipaclient
Architecture: all
Section: python
Breaks: freeipa-client (<< 4.3.0-1)
Replaces: freeipa-client (<< 4.3.0-1)
Depends:
freeipa-common (= ${binary:Version}),
python-augeas,
python-dnspython,
python-ipalib (>= ${source:Version}),
python-jinja2,
python3-augeas,
python3-dnspython,
python3-ipalib (>= ${source:Version}),
python3-jinja2,
${misc:Depends},
${python:Depends},
Description: FreeIPA centralized identity framework -- Python modules for ipaclient
${python3:Depends},
Description: FreeIPA centralized identity framework -- Python3 modules for ipaclient
FreeIPA is an integrated solution to provide centrally managed Identity
(machine, user, virtual machines, groups, authentication credentials), Policy
(configuration settings, access control information) and Audit (events,
logs, analysis thereof).
.
This Python module is used by FreeIPA client.
This Python3 module is used by FreeIPA client.
Package: python-ipalib
Package: python3-ipalib
Architecture: all
Section: python
Breaks: python-freeipa
Replaces: python-freeipa
Depends:
freeipa-common (= ${source:Version}),
gnupg2,
gnupg-agent,
gnupg,
gpg-agent,
keyutils,
python-cffi,
python-cryptography,
python-dbus,
python-dnspython,
python-gssapi,
python-ldap,
python-libipa-hbac,
python-lxml,
python-netaddr,
python-netifaces (>= 0.10.4),
python-nss (>= 0.16.0),
python-pyasn1,
python-qrcode (>= 5.0.0),
python-requests,
python-setuptools,
python-six,
python-usb (>= 1.0.0~b2),
python-yubico,
librpm8,
python3-cffi,
python3-cryptography,
python3-dbus,
python3-dnspython,
python3-gssapi,
python3-ldap,
python3-libipa-hbac,
python3-lxml,
python3-netaddr,
python3-netifaces (>= 0.10.4),
python3-nss (>= 0.16.0),
python3-pyasn1,
python3-qrcode (>= 5.0.0),
python3-requests,
python3-setuptools,
python3-six,
python3-usb (>= 1.0.0~b2),
python3-yubico,
systemd,
${misc:Depends},
${python:Depends},
${python3:Depends},
${shlibs:Depends},
Description: FreeIPA centralized identity framework -- shared Python modules
Description: FreeIPA centralized identity framework -- shared Python3 modules
FreeIPA is an integrated solution to provide centrally managed Identity
(machine, user, virtual machines, groups, authentication credentials), Policy
(configuration settings, access control information) and Audit (events,
logs, analysis thereof).
.
This Python module is used by other FreeIPA packages.
This Python3 module is used by other FreeIPA packages.
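Review bot: librpm8 in python3-ipalib's Depends is a SONAME-specific library package pinned by hand inside an Architecture: all Python package; ${shlibs:Depends} cannot generate or track it because nothing here is linked against it, so the dependency goes stale silently at the next librpm SONAME bump and the code that loads it (the parse_ipa_version change from tasks-fixes.diff in the 4.8.6-1 entry) fails only at runtime. Prefer comparing versions with what Debian already has (dpkg --compare-versions) so no librpm is needed, or at minimum put a comment beside the line naming what loads it so the bump is not forgotten.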

109
debian/control.server vendored

@@ -7,7 +7,7 @@ Depends:
389-ds-base (>= 1.3.7.9),
acl,
adduser,
apache2,
apache2 (>= 2.4.41-4ubuntu2),
certmonger (>= 0.79.5-2),
chrony,
custodia (>= 0.5.0),
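Review bot: apache2 (>= 2.4.41-4ubuntu2) writes an Ubuntu revision into a Debian unstable upload; in Debian's ordering 2.4.41-4 fails it and 2.4.41-5 passes, so the constraint behaves like (>> 2.4.41-4) and says nothing about where mod_proxy_ajp was fixed in Debian, which the 4.8.5-1 entry gives as the reason for the bump. State the Debian revision that carries the fix; if Ubuntu needs a different floor, that belongs in the Ubuntu branch, not in the other distribution's metadata.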
@@ -15,7 +15,7 @@ Depends:
fonts-open-sans,
freeipa-client (= ${binary:Version}),
freeipa-common (= ${source:Version}),
gssproxy (>= 0.7.0),
gssproxy (>= 0.8.2-2),
krb5-admin-server,
krb5-kdc,
krb5-kdc-ldap,
@@ -24,7 +24,7 @@ Depends:
ldap-utils,
libapache2-mod-auth-gssapi (>= 1.5.0),
libapache2-mod-lookup-identity (>= 1.0.0),
libapache2-mod-wsgi,
libapache2-mod-wsgi-py3,
libjs-dojo-core,
libjs-jquery,
libjs-scriptaculous,
@@ -34,17 +34,17 @@ Depends:
p11-kit,
pki-ca (>= 10.6.0~),
pki-kra (>= 10.6.0~),
python-dateutil,
python-ipaserver (= ${source:Version}),
python-gssapi,
python-ldap (>= 2.4.22),
python-systemd,
python3-dateutil,
python3-ipaserver (= ${source:Version}),
python3-gssapi,
python3-ldap (>= 2.4.22),
python3-systemd,
slapi-nis (>= 0.56.1),
softhsm2 (>= 2.1.0-2),
ssl-cert,
sssd-dbus,
systemd-sysv,
${misc:Depends},
${python:Depends},
${python3:Depends},
${shlibs:Depends}
Recommends:
freeipa-server-dns,
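Review bot: softhsm2 (>= 2.1.0-2) appears in this hunk between slapi-nis (>= 0.56.1) and ssl-cert, but the freeipa-server stanza in the generated debian/control in this same commit goes straight from slapi-nis to ssl-cert. Either this line is being removed here (then fine, softhsm2 moved to freeipa-server-dns) or debian/control was not regenerated after control.server changed; confirm which, because the archive builds from debian/control and the rendered diff does not show removal markers.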
@@ -62,11 +62,13 @@ Breaks: freeipa-server (<< 4.3.0-1)
Replaces: freeipa-server (<< 4.3.0-1)
Depends:
freeipa-server (>= ${source:Version}),
bind9 (>= 1:9.11.3),
bind9-dyndb-ldap (>= 11.1-3),
opendnssec (>= 1:1.4.9-2),
bind9 (>= 1:9.16),
bind9-dyndb-ldap (>= 11.4),
libengine-pkcs11-openssl,
opendnssec (>= 1:2.1.5),
softhsm2,
${misc:Depends},
${python:Depends},
${python3:Depends},
${shlibs:Depends}
Description: FreeIPA centralized identity framework -- IPA DNS integration
FreeIPA is an integrated solution to provide centrally managed Identity
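Review bot: opendnssec jumps from (>= 1:1.4.9-2) to (>= 1:2.1.5), a major-version change for the component that holds the DNSSEC signing policy and key database; an existing DNSSEC-enabled replica upgrading across it needs its OpenDNSSEC database migrated, and nothing in this series mentions that, so verify what happens to a running installation on upgrade before this reaches a stable release. Two smaller points: softhsm2 is added here without a version while freeipa-server earlier in this file pins softhsm2 (>= 2.1.0-2), and if that floor matters for the key store it matters here where the keys are used; and libengine-pkcs11-openssl together with bind9 (>= 1:9.16) is one feature (pkcs11-openssl-for-bind.diff in the 4.8.10-1 entry), meaning named now reaches the SoftHSM-held keys through OpenSSL's engine_pkcs11, so the engine module is load-bearing for zone signing and deserves a comment next to the dependency rather than only a changelog line.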
@@ -81,13 +83,14 @@ Architecture: amd64 arm64 armhf i386 mips mips64el mipsel ppc64 ppc64el s390x
Depends:
freeipa-common (= ${source:Version}),
freeipa-server (= ${binary:Version}),
python-ipaserver (= ${source:Version}),
python-samba,
python3-ipaserver (= ${source:Version}),
python3-samba,
samba,
winbind,
${misc:Depends},
${python:Depends},
${python3:Depends},
${shlibs:Depends}
Multi-Arch: same
Description: FreeIPA centralized identity framework -- AD trust installer
FreeIPA is an integrated solution to provide centrally managed Identity
(machine, user, virtual machines, groups, authentication credentials), Policy
@@ -101,13 +104,12 @@ Description: FreeIPA centralized identity framework -- AD trust installer
Package: freeipa-tests
Architecture: all
Depends:
freeipa-client (>= ${source:Version}),
python-ipalib (>= ${source:Version}),
python-ipatests (>= ${source:Version}),
python-pytest,
python3-ipalib (>= ${source:Version}),
python3-ipatests (>= ${source:Version}),
python3-pytest,
${misc:Depends},
${python:Depends}
Recommends: python-yaml
${python3:Depends}
Recommends: python3-yaml
Description: FreeIPA centralized identity framework -- tests
FreeIPA is an integrated solution to provide centrally managed Identity
(machine, user, virtual machines, groups, authentication credentials), Policy
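Review bot: freeipa-tests now depends on python3-ipatests and python3-ipalib only, with freeipa-client dropped (4.8.5-1 entry), yet /usr/bin/ipa is shipped by freeipa-client (see the install hunk in this commit listing usr/bin/ipa) and the tests need a client configuration to talk to a server. If any test shells out to ipa or reads /etc/ipa/default.conf, the dependency was load-bearing and should return, at least as Recommends.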
@@ -116,7 +118,7 @@ Description: FreeIPA centralized identity framework -- tests
.
This package contains tests that verify IPA functionality.
Package: python-ipaserver
Package: python3-ipaserver
Architecture: all
Section: python
Breaks: freeipa-server (<< 4.3.0-1),
@@ -126,55 +128,56 @@ Replaces: freeipa-server (<< 4.3.0-1),
Depends:
freeipa-common (= ${binary:Version}),
pki-tools (>= 10.2.6-3),
python-custodia (>= 0.5.0),
python-dbus,
python-dnspython,
python-gssapi,
python-ipaclient (= ${binary:Version}),
python-ipalib (>= ${source:Version}),
python-jwcrypto,
python-kdcproxy,
python-ldap (>= 2.4.22),
python-libsss-nss-idmap,
python-pyasn1,
python-sss,
python3-custodia (>= 0.5.0),
python3-dbus,
python3-dnspython,
python3-gssapi,
python3-ipaclient (= ${binary:Version}),
python3-ipalib (>= ${source:Version}),
python3-jwcrypto,
python3-kdcproxy,
python3-ldap (>= 2.4.22),
python3-libsss-nss-idmap,
python3-pki-base,
python3-pyasn1,
python3-sss,
samba-common,
zip,
${misc:Depends},
${python:Depends},
Description: FreeIPA centralized identity framework -- Python modules for server
${python3:Depends},
Description: FreeIPA centralized identity framework -- Python3 modules for server
FreeIPA is an integrated solution to provide centrally managed Identity
(machine, user, virtual machines, groups, authentication credentials), Policy
(configuration settings, access control information) and Audit (events,
logs, analysis thereof).
.
This Python module is used by FreeIPA server.
This Python3 module is used by FreeIPA server.
Package: python-ipatests
Package: python3-ipatests
Architecture: all
Section: python
Breaks: freeipa-tests (<< 4.3.0-1)
Replaces: freeipa-tests (<< 4.3.0-1)
Depends:
libnss3-tools,
python-coverage,
python-ipalib (>= ${source:Version}),
python-mock,
python-paramiko,
python-paste,
python-polib,
python-pytest-multihost,
python-pytest-sourceorder,
python-sss,
python3-coverage,
python3-ipalib (>= ${source:Version}),
python3-mock,
python3-paramiko,
python3-paste,
python3-polib,
python3-pytest-multihost,
python3-pytest-sourceorder,
python3-sss,
xz-utils,
${misc:Depends},
${python:Depends}
Recommends: python-yaml
Description: FreeIPA centralized identity framework -- Python modules for tests
${python3:Depends}
Recommends: python3-yaml
Description: FreeIPA centralized identity framework -- Python3 modules for tests
FreeIPA is an integrated solution to provide centrally managed Identity
(machine, user, virtual machines, groups, authentication credentials), Policy
(configuration settings, access control information) and Audit (events,
logs, analysis thereof).
.
This Python module is used by FreeIPA tests.
This Python3 module is used by FreeIPA tests.
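Review bot: python3-mock stays in python3-ipatests' Depends after the python3 switch, but unittest.mock has been in the standard library since Python 3.3; unless the tests import the external mock package by name, this is a needless dependency and can go. The python3-pki-base addition to python3-ipaserver matches the 4.8.1-2 changelog entry.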


@@ -6,8 +6,8 @@
libunistring-dev,
libverto-dev,
nodejs [amd64 arm64 armhf i386 mips mips64el mipsel ppc64 ppc64el s390x],
node-uglify [amd64 arm64 armhf i386 mips mips64el mipsel ppc64 ppc64el s390x],
pki-base (>= 10.6.0~),
python3-lesscpy,
python3-pkg-resources,
python3-rjsmin,
samba-dev,

53
debian/control.stub vendored

@@ -3,13 +3,13 @@ Section: net
Priority: optional
Maintainer: Debian FreeIPA Team <pkg-freeipa-devel@alioth-lists.debian.net>
Uploaders: Timo Aaltonen <tjaalton@debian.org>
Standards-Version: 4.1.5
Standards-Version: 4.5.0
Vcs-Git: https://salsa.debian.org/freeipa-team/freeipa.git
Vcs-Browser: https://salsa.debian.org/freeipa-team/freeipa
Homepage: http://www.freeipa.org
Build-Depends:
check,
debhelper (>= 11),
debhelper-compat (= 12),
dh-python,
gettext,
krb5-user,
@@ -19,35 +19,34 @@ Build-Depends:
libkrb5-dev (>= 1.16),
libldap2-dev,
libnspr4-dev,
libnss3-dev,
libpopt-dev,
libsasl2-dev,
libssl-dev,
libtalloc-dev,
libxmlrpc-core-c3-dev (>= 1.33.06),
python-all-dev,
python-cryptography,
python-dbus,
python-dnspython (>= 1.11.1),
python-gssapi,
python-jinja2,
python-kdcproxy,
python-ldap (>= 3.1),
python-lesscpy,
python-libipa-hbac,
python-libsss-nss-idmap,
python-lxml,
python-netaddr,
python-netifaces (>= 0.10.4),
python-nose,
python-nss (>= 0.16.0),
python-polib,
python-pyasn1,
python-qrcode (>= 5.0.0),
python-setuptools,
python-six,
python-sss (>= 1.14.0),
python-usb (>= 1.0.0~b2),
python-yubico,
python3-all-dev,
python3-cryptography,
python3-dbus,
python3-dnspython (>= 1.11.1),
python3-gssapi,
python3-jinja2,
python3-kdcproxy,
python3-ldap (>= 3.1),
python3-lesscpy,
python3-libipa-hbac,
python3-libsss-nss-idmap,
python3-lxml,
python3-netaddr,
python3-netifaces (>= 0.10.4),
python3-nose,
python3-nss (>= 0.16.0),
python3-polib,
python3-pyasn1,
python3-qrcode (>= 5.0.0),
python3-setuptools,
python3-six,
python3-sss (>= 1.14.0),
python3-usb (>= 1.0.0~b2),
python3-yubico,
systemd,
uuid-dev,

4
debian/copyright vendored

@@ -88,10 +88,6 @@ Copyright: 2004-2012, The Dojo Foundation
License: BSD-3-clause or AFL-2.1
Files: install/ui/test/qunit.css install/ui/test/qunit.js
Copyright: 2009, John Resig, Jörn Zaefferer
License: MIT or GPL-2
Files: install/ui/test/qunit.js
Copyright: 2009, John Resig, Jörn Zaefferer
2008, Ariel Flesler
License: MIT or GPL-2 or BSD-2-clause
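Review bot: collapsing the two qunit stanzas fixes the duplicate-globbing lintian error, but whichever stanza was deleted, the surviving one must still cover both files and both copyright holders: if the qunit.js-only stanza was kept, install/ui/test/qunit.css now falls through to whatever catch-all stanza follows, and if the combined stanza was kept, Ariel Flesler's 2008 copyright and the BSD-2-clause option on qunit.js are lost. The rendered diff hides which four lines went, so state the outcome in the changelog or merge into one stanza listing both files, all three holders and the union of licences.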

debian/freeipa-client-epn.install vendored Normal file

@@ -0,0 +1,7 @@
etc/ipa/epn.conf
etc/ipa/epn/expire_msg.template
lib/systemd/system/ipa-epn.service
lib/systemd/system/ipa-epn.timer
usr/sbin/ipa-epn
usr/share/man/man1/ipa-epn.1
usr/share/man/man5/epn.conf.5
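Review bot: ipa-epn.timer is shipped here, and under debhelper-compat 12 dh_installsystemd enables and starts shipped units by default, so every host that installs freeipa-client-epn starts a scheduled ipa-epn run that needs a keytab and a working SMTP relay; consider `dh_installsystemd --no-enable --no-start` for this package and leave activation to the administrator. /etc/ipa/epn.conf can hold SMTP credentials (smtp_user/smtp_password), so confirm it is installed as a conffile with permissions that keep it unreadable to ordinary users.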

debian/freeipa-client-samba.install vendored Normal file

@@ -0,0 +1,2 @@
usr/sbin/ipa-client-samba
usr/share/man/man1/ipa-client-samba.1*


@@ -1,3 +1,4 @@
etc/default/certmonger
usr/bin/ipa
usr/sbin/ipa-certupdate
usr/sbin/ipa-client-automount
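Review bot: etc/default/certmonger is added to freeipa-client, but the certmonger package is the natural owner of /etc/default/certmonger; confirm certmonger does not ship the same path (dpkg refuses to unpack a file already owned by another package unless Replaces is declared), and note that anything under /etc becomes a conffile of freeipa-client, so local edits to it will prompt on upgrade.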


@@ -1,15 +1,6 @@
#!/bin/sh
set -e
LOGFILE=/var/log/ipaclient-upgrade.log
if [ "$1" = configure ]; then
if [ -f /etc/ipa/nssdb/cert8.db ]; then
python2 -c 'from ipaclient.install.client import update_ipa_nssdb; update_ipa_nssdb()' \
> $LOGFILE 2>&1
fi
fi
if [ ! -e /run/ipa ]; then
mkdir -m 0700 /run/ipa
fi
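Review bot: with the cert8.db migration block gone, the `LOGFILE=/var/log/ipaclient-upgrade.log` assignment has no remaining user; if it survives this hunk, drop it too. The remaining `mkdir -m 0700 /run/ipa` only lasts until the next reboot, and this page shows a tmpfiles.d entry (usr/lib/tmpfiles.d/ipa.conf) only in the server package, so confirm the client has its own tmpfiles.d rule or ships that file as well.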


@@ -4,7 +4,13 @@ etc/ipa/html/*
etc/ipa/kdcproxy
etc/dbus-1/system.d/org.freeipa.server.conf
etc/oddjobd.conf.d/ipa-server.conf
lib/systemd/system/*
lib/systemd/system/ipa-custodia.service
lib/systemd/system/ipa-dnskeysyncd.service
lib/systemd/system/ipa-ods-exporter.service
lib/systemd/system/ipa-ods-exporter.socket
lib/systemd/system/ipa-otpd.socket
lib/systemd/system/ipa-otpd@.service
lib/systemd/system/ipa.service
usr/lib/*/dirsrv/plugins/libipa_cldap.so
usr/lib/*/dirsrv/plugins/libipa_dns.so
usr/lib/*/dirsrv/plugins/libipa_enrollment_extop.so
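Review bot: replacing `lib/systemd/system/*` with an explicit unit list is the right way to keep ipa-epn.service and ipa-epn.timer out of the server package, but it also means any unit a future upstream release adds is silently left out of every package; pair it with `dh_missing --fail-missing` in debian/rules so the build fails loudly instead.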
@@ -25,6 +31,10 @@ usr/lib/*/krb5/plugins/kdb/*.so
usr/lib/certmonger/dogtag-ipa-ca-renew-agent-submit
usr/lib/certmonger/ipa-server-guard
usr/lib/ipa/certmonger/*
usr/lib/ipa/custodia/ipa-custodia-dmldap
usr/lib/ipa/custodia/ipa-custodia-pki-tomcat
usr/lib/ipa/custodia/ipa-custodia-pki-tomcat-wrapped
usr/lib/ipa/custodia/ipa-custodia-ra-agent
usr/lib/ipa/ipa-custodia
usr/lib/ipa/ipa-custodia-check
usr/lib/ipa/ipa-dnskeysync-replica
@@ -34,13 +44,18 @@ usr/lib/ipa/ipa-httpd-pwdreader
usr/lib/ipa/ipa-ods-exporter
usr/lib/ipa/ipa-otpd
usr/lib/ipa/ipa-pki-retrieve-key
usr/lib/ipa/ipa-pki-wait-running
usr/lib/ipa/ipa-print-pac
usr/lib/ipa/oddjob/org.freeipa.server.conncheck
usr/lib/ipa/oddjob/org.freeipa.server.trust-enable-agent
usr/lib/tmpfiles.d/ipa.conf
usr/sbin/ipa-advise
usr/sbin/ipa-backup
usr/sbin/ipa-ca-install
usr/sbin/ipa-cacert-manage
usr/sbin/ipa-cert-fix
usr/sbin/ipa-compat-manage
usr/sbin/ipa-crlgen-manage
usr/sbin/ipa-csreplica-manage
usr/sbin/ipa-kra-install
usr/sbin/ipa-ldap-updater
@@ -61,8 +76,10 @@ usr/share/ipa/*.ldif
usr/share/ipa/*.template
usr/share/ipa/*.uldif
usr/share/ipa/advise/legacy/*.template
usr/share/ipa/bind.ipa-ext.conf.template
usr/share/ipa/gssapi.login
usr/share/ipa/html/*
usr/share/ipa/ipaca_*.ini
usr/share/ipa/ipakrb5.aug
usr/share/ipa/kdcproxy.wsgi
usr/share/ipa/migration/*
@@ -77,7 +94,9 @@ usr/share/man/man1/ipa-advise.1*
usr/share/man/man1/ipa-backup.1*
usr/share/man/man1/ipa-ca-install.1*
usr/share/man/man1/ipa-cacert-manage.1*
usr/share/man/man1/ipa-cert-fix.1*
usr/share/man/man1/ipa-compat-manage.1*
usr/share/man/man1/ipa-crlgen-manage.1*
usr/share/man/man1/ipa-csreplica-manage.1*
usr/share/man/man1/ipa-kra-install.1*
usr/share/man/man1/ipa-ldap-updater.1*


@@ -92,13 +92,6 @@ if [ "$1" = configure ]; then
apache2_invoke ensite default-ssl || exit $?
fi
fi
# check if IPA is set up
is_configured=`python2 -c 'from ipaserver.install import installutils; print "yes" if installutils.is_ipa_configured() else "no";'`
if [ $is_configured = yes ]; then
echo "Running ipa-server-upgrade..."
ipa-server-upgrade --quiet >/dev/null
fi
fi
if [ ! -e /run/apache2/ipa ]; then
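Review bot: the removed block was the only place this package ran `ipa-server-upgrade` on an already configured server; taking it out together with the python2 `is_configured` probe means a configured server gets no data and configuration upgrade when the package is upgraded unless something else (a dpkg trigger, or the ipa.service start path) runs it. If the goal was only to lose the python2 call, keep the logic and use the python3 interpreter: `python3 -c 'from ipaserver.install import installutils; print("yes" if installutils.is_ipa_configured() else "no")'`.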

debian/gitlab-ci.yml vendored Normal file

@@ -0,0 +1,9 @@
include:
- https://salsa.debian.org/salsa-ci-team/pipeline/raw/master/salsa-ci.yml
- https://salsa.debian.org/salsa-ci-team/pipeline/raw/master/pipeline-jobs.yml
blhc:
allow_failure: true
piuparts:
allow_failure: true
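Review bot: piuparts is marked `allow_failure: true`, yet an install/upgrade/remove regression of exactly the kind fixed in this upload (a postinst step erroring out) is what piuparts exists to catch; consider leaving piuparts fatal and tolerating only blhc. Including the Salsa pipeline from `raw/master` is the documented pattern, but it means the CI definition can change underneath the package between runs, so a red pipeline is not always this package's fault.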


@@ -1,12 +0,0 @@
--- a/ipaserver/install/opendnssecinstance.py
+++ b/ipaserver/install/opendnssecinstance.py
@@ -199,6 +199,9 @@ class OpenDNSSECInstance(service.Service
if not self.fstore.has_file(paths.SYSCONFIG_ODS):
self.fstore.backup_file(paths.SYSCONFIG_ODS)
+ # create the configfile, opendnssec-enforcer doesn't ship it
+ open(paths.SYSCONFIG_ODS, 'a').close()
+
directivesetter.set_directive(paths.SYSCONFIG_ODS,
'SOFTHSM2_CONF',
paths.DNSSEC_SOFTHSM2_CONF,
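Review bot: this dropped patch existed because opendnssec-enforcer on Debian did not ship the sysconfig file and `set_directive` on SYSCONFIG_ODS needs it to exist (`open(paths.SYSCONFIG_ODS, 'a').close()` was the workaround); before removing it, confirm that either the current opendnssec-enforcer package ships /etc/default/opendnssec or upstream 4.8.10 creates it, otherwise ipa-dns-install --dnssec-master regresses on Debian.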

debian/patches/dnssec-race-wa.diff vendored Normal file

@@ -0,0 +1,14 @@
diff --git a/ipaserver/install/opendnssecinstance.py b/ipaserver/install/opendnssecinstance.py
index 95029fd5e..9b800f509 100644
--- a/ipaserver/install/opendnssecinstance.py
+++ b/ipaserver/install/opendnssecinstance.py
@@ -306,6 +306,9 @@ class OpenDNSSECInstance(service.Service):
def __start(self):
self.restart() # needed to reload conf files
+ import time
+ while not os.path.exists('/run/opendnssec/enforcer.sock'):
+ time.sleep(1)
tasks.run_ods_policy_import()
if self.kasp_db_file:
# regenerate zonelist.xml
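Review bot: the `while not os.path.exists('/run/opendnssec/enforcer.sock'): time.sleep(1)` loop has no upper bound, so a failed ods-enforcerd start hangs the installer forever with no diagnostic; bound it (for example 60 attempts) and raise RuntimeError pointing at the enforcer journal when the budget is exhausted. The socket appearing is also not the same as the enforcer being ready to accept commands, so `tasks.run_ods_policy_import()` can still race. Move `import time` to the module header, take the socket path from `paths` instead of a literal, and give the patch a DEP-3 header describing the race it works around.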


@@ -1,13 +0,0 @@
--- a/ipaplatform/debian/tasks.py
+++ b/ipaplatform/debian/tasks.py
@@ -57,6 +57,10 @@ class DebianTaskNamespace(RedHatTaskName
# Debian doesn't use authconfig, nothing to restore
return True
+ def migrate_auth_configuration(self, statestore):
+ # Debian doesn't have authselect
+ return True
+
@staticmethod
def parse_ipa_version(version):
return BaseTaskNamespace.parse_ipa_version(version)


@@ -0,0 +1,12 @@
diff --git a/ipaplatform/debian/services.py b/ipaplatform/debian/services.py
index 812bbdaf2..9750fdeaa 100644
--- a/ipaplatform/debian/services.py
+++ b/ipaplatform/debian/services.py
@@ -20,6 +20,7 @@ debian_system_units = redhat_services.redhat_system_units.copy()
# For beginning just remap names to add .service
# As more services will migrate to systemd, unit names will deviate and
# mapping will be kept in this dictionary
+debian_system_units['chronyd'] = 'chrony.service'
debian_system_units['httpd'] = 'apache2.service'
debian_system_units['kadmin'] = 'krb5-admin-server.service'
debian_system_units['krb5kdc'] = 'krb5-kdc.service'
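Review bot: mapping only the `'chronyd'` key is sufficient if every call site goes through `services.knownservices.chronyd`; grep the 4.8.10 tree for a `'chrony'` key or a literal `chronyd.service` before relying on this one line. A DEP-3 Description and Bug-Debian line would also make the intent of the patch visible without reading the changelog.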


@@ -1,51 +0,0 @@
--- a/install/share/ipa.conf.template
+++ b/install/share/ipa.conf.template
@@ -183,7 +183,7 @@ Alias /ipa/crl "$CRL_PUBLISH_PATH"
# List explicitly only the fonts we want to serve
Alias /ipa/ui/fonts/open-sans "${FONTS_DIR}/open-sans"
-Alias /ipa/ui/fonts/fontawesome "${FONTS_DIR}/fontawesome"
+Alias /ipa/ui/fonts/fontawesome "${FONTS_DIR}/${FONT_AWESOME_DIR}"
<Directory "${FONTS_DIR}">
SetHandler None
AllowOverride None
--- a/ipaplatform/base/paths.py
+++ b/ipaplatform/base/paths.py
@@ -245,6 +245,7 @@ class BasePathNamespace(object):
SMBD = "/usr/sbin/smbd"
USERADD = "/usr/sbin/useradd"
FONTS_DIR = "/usr/share/fonts"
+ FONT_AWESOME_DIR = "fontawesome"
USR_SHARE_IPA_DIR = "/usr/share/ipa/"
USR_SHARE_IPA_CLIENT_DIR = "/usr/share/ipa/client"
CA_TOPOLOGY_ULDIF = "/usr/share/ipa/ca-topology.uldif"
--- a/ipaplatform/debian/paths.py
+++ b/ipaplatform/debian/paths.py
@@ -87,6 +87,7 @@ class DebianPathNamespace(BasePathNamesp
REMOVE_DS_PL = "/usr/sbin/remove-ds"
SETUP_DS_PL = "/usr/sbin/setup-ds"
FONTS_DIR = "/usr/share/fonts/truetype"
+ FONT_AWESOME_DIR = "font-awesome"
VAR_KERBEROS_KRB5KDC_DIR = "/var/lib/krb5kdc/"
VAR_KRB5KDC_K5_REALM = "/var/lib/krb5kdc/.k5."
CACERT_PEM = "/var/lib/krb5kdc/cacert.pem"
--- a/ipaserver/install/httpinstance.py
+++ b/ipaserver/install/httpinstance.py
@@ -104,6 +104,7 @@ class HTTPInstance(service.Service):
AUTOREDIR='' if auto_redirect else '#',
CRL_PUBLISH_PATH=paths.PKI_CA_PUBLISH_DIR,
FONTS_DIR=paths.FONTS_DIR,
+ FONT_AWESOME_DIR=paths.FONT_AWESOME_DIR,
GSSAPI_SESSION_KEY=paths.GSSAPI_SESSION_KEY,
IPA_CUSTODIA_SOCKET=paths.IPA_CUSTODIA_SOCKET,
IPA_CCACHES=paths.IPA_CCACHES,
--- a/ipaserver/install/server/upgrade.py
+++ b/ipaserver/install/server/upgrade.py
@@ -1789,6 +1789,7 @@ def upgrade_configuration():
WSGI_PROCESSES=constants.WSGI_PROCESSES,
GSSAPI_SESSION_KEY=paths.GSSAPI_SESSION_KEY,
FONTS_DIR=paths.FONTS_DIR,
+ FONT_AWESOME_DIR=paths.FONT_AWESOME_DIR,
IPA_CCACHES=paths.IPA_CCACHES,
IPA_CUSTODIA_SOCKET=paths.IPA_CUSTODIA_SOCKET,
KDCPROXY_CONFIG=paths.KDCPROXY_CONFIG,


@@ -1,9 +0,0 @@
--- a/ipaplatform/debian/paths.py
+++ b/ipaplatform/debian/paths.py
@@ -105,5 +105,6 @@ class DebianPathNamespace(BasePathNamesp
IPA_CUSTODIA_SOCKET = "/run/apache2/ipa-custodia.sock"
IPA_CUSTODIA_AUDIT_LOG = '/var/log/ipa-custodia.audit.log'
WSGI_PREFIX_DIR = "/run/apache2/wsgi"
+ GZIP = "/bin/gzip"
paths = DebianPathNamespace()


@@ -1,18 +0,0 @@
--- a/ipaplatform/debian/paths.py
+++ b/ipaplatform/debian/paths.py
@@ -90,12 +90,12 @@ class DebianPathNamespace(BasePathNamesp
FONT_AWESOME_DIR = "font-awesome"
VAR_KERBEROS_KRB5KDC_DIR = "/var/lib/krb5kdc/"
VAR_KRB5KDC_K5_REALM = "/var/lib/krb5kdc/.k5."
- CACERT_PEM = "/var/lib/krb5kdc/cacert.pem"
+ CACERT_PEM = "/var/lib/ipa/certs/cacert.pem"
KRB5KDC_KADM5_ACL = "/etc/krb5kdc/kadm5.acl"
KRB5KDC_KADM5_KEYTAB = "/etc/krb5kdc/kadm5.keytab"
KRB5KDC_KDC_CONF = "/etc/krb5kdc/kdc.conf"
- KDC_CERT = "/var/lib/krb5kdc/kdc.crt"
- KDC_KEY = "/var/lib/krb5kdc/kdc.key"
+ KDC_CERT = "/var/lib/ipa/certs/kdc.crt"
+ KDC_KEY = "/var/lib/ipa/certs/kdc.key"
VAR_LOG_HTTPD_DIR = "/var/log/apache2"
VAR_LOG_HTTPD_ERROR = "/var/log/apache2/error.log"
NAMED_RUN = "/var/cache/bind/named.run"
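Review bot: dropping this patch moves CACERT_PEM, KDC_CERT and KDC_KEY back from /var/lib/ipa/certs to /var/lib/krb5kdc unless upstream 4.8.10 already uses the /var/lib/ipa/certs paths in ipaplatform/base/paths.py; verify that, because a server set up with the patched paths would otherwise find its PKINIT certificate and kdc.conf references pointing at files that no longer match after the upgrade.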


@@ -1,11 +0,0 @@
--- a/install/oddjob/etc/oddjobd.conf.d/ipa-server.conf
+++ b/install/oddjob/etc/oddjobd.conf.d/ipa-server.conf
@@ -6,7 +6,7 @@
<object name="/">
<interface name="org.freeipa.server">
<method name="conncheck">
- <helper exec="/usr/libexec/ipa/oddjob/org.freeipa.server.conncheck"
+ <helper exec="/usr/lib/ipa/oddjob/org.freeipa.server.conncheck"
arguments="1"
prepend_user_name="no"
argument_passing_method="cmdline"/>
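Review bot: with this patch gone, the shipped etc/oddjobd.conf.d/ipa-server.conf must already point at /usr/lib/ipa/oddjob/org.freeipa.server.conncheck, which is the path the server .install list on this page places the helper at; check that upstream now substitutes the libexec directory at build time and that debian/rules passes the matching configure option, otherwise replica installs fail the connection check with a missing helper under /usr/libexec.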


@@ -1,81 +0,0 @@
Description: Fix ODS setup with 2.0.x
--- a/install/share/opendnssec_conf.template
+++ b/install/share/opendnssec_conf.template
@@ -8,7 +8,7 @@
<Module>$SOFTHSM_LIB</Module>
<TokenLabel>$TOKEN_LABEL</TokenLabel>
<PIN>$PIN</PIN>
- <AllowExtraction/>
+ <AllowExtraction/>
</Repository>
</RepositoryList>
--- a/ipaserver/install/opendnssecinstance.py
+++ b/ipaserver/install/opendnssecinstance.py
@@ -284,20 +284,15 @@ class OpenDNSSECInstance(service.Service
os.chmod(paths.OPENDNSSEC_KASP_DB, 0o660)
# regenerate zonelist.xml
- cmd = [paths.ODS_KSMUTIL, 'zonelist', 'export']
+ cmd = [paths.ODS_ENFORCER, 'zonelist', 'export']
result = ipautil.run(cmd,
runas=constants.ODS_USER,
capture_output=True)
- with open(paths.OPENDNSSEC_ZONELIST_FILE, 'w') as zonelistf:
- zonelistf.write(result.output)
- os.chown(paths.OPENDNSSEC_ZONELIST_FILE,
- self.ods_uid, self.ods_gid)
- os.chmod(paths.OPENDNSSEC_ZONELIST_FILE, 0o660)
else:
# initialize new kasp.db
command = [
- paths.ODS_KSMUTIL,
+ paths.ODS_ENFORCER_SETUP,
'setup'
]
--- a/ipaplatform/base/paths.py
+++ b/ipaplatform/base/paths.py
@@ -183,7 +183,8 @@ class BasePathNamespace(object):
NET = "/usr/bin/net"
BIN_NISDOMAINNAME = "/usr/bin/nisdomainname"
NSUPDATE = "/usr/bin/nsupdate"
- ODS_KSMUTIL = "/usr/bin/ods-ksmutil"
+ ODS_ENFORCER = "/usr/sbin/ods-enforcer"
+ ODS_ENFORCER_SETUP = "/usr/sbin/ods-enforcer-db-setup"
ODS_SIGNER = "/usr/sbin/ods-signer"
OPENSSL = "/usr/bin/openssl"
PK12UTIL = "/usr/bin/pk12util"
--- a/ipaserver/dnssec/odsmgr.py
+++ b/ipaserver/dnssec/odsmgr.py
@@ -11,6 +11,7 @@ except ImportError:
from xml.etree import ElementTree as etree
from ipapython import ipa_log_manager, ipautil
+from ipaplatform.paths import paths
logger = logging.getLogger(__name__)
@@ -130,17 +131,18 @@ class ODSMgr(object):
self.zl_ldap = LDAPZoneListReader()
def ksmutil(self, params):
- """Call ods-ksmutil with given parameters and return stdout.
+ """Call ods-enforcer with given parameters and return stdout.
Raises CalledProcessError if returncode != 0.
"""
- cmd = ['ods-ksmutil'] + params
+ cmd = [paths.ODS_ENFORCER] + params
result = ipautil.run(cmd, capture_output=True)
return result.output
def get_ods_zonelist(self):
stdout = self.ksmutil(['zonelist', 'export'])
- reader = ODSZoneListReader(stdout)
+ with open(paths.OPENDNSSEC_ZONELIST_FILE) as f:
+ reader = ODSZoneListReader(f.read())
return reader
def add_ods_zone(self, uuid, name):


@@ -1,9 +0,0 @@
--- a/install/ui/util/make-css.sh
+++ b/install/ui/util/make-css.sh
@@ -22,5 +22,5 @@ set -o errexit
DIR="$( cd "$( dirname "${BASH_SOURCE[0]}" )" && pwd )"
-py3-lesscpy -x $DIR/../less/ipa.less > $DIR/../css/ipa.css
+python3-lesscpy -x $DIR/../less/ipa.less > $DIR/../css/ipa.css
exit $?


@@ -0,0 +1,8 @@
--- a/install/share/advise/legacy/sssd.conf.template
+++ b/install/share/advise/legacy/sssd.conf.template
@@ -1,5 +1,4 @@
[sssd]
-services = nss, pam
config_file_version = 2
domains = default
re_expression = (?P<name>.+)
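Review bot: this template is the legacy-client advice emitted by ipa-advise for machines that are not IPA clients, so dropping `services = nss, pam` is only correct on targets whose sssd is socket-activated (sssd-nss.socket and sssd-pam.socket enabled); on a target where those sockets are not enabled, sssd starts with no responders and logins fail. Either keep the line in the advice output or state the assumption in a DEP-3 header so the next maintainer knows which hosts it applies to.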


@@ -1,11 +0,0 @@
--- a/ipaserver/install/cainstance.py
+++ b/ipaserver/install/cainstance.py
@@ -1755,6 +1755,8 @@ def migrate_profiles_to_ldap():
match = re.search(r'^profile\.list=(\S*)', cs_cfg, re.MULTILINE)
profile_ids = match.group(1).split(',')
+ time.sleep(80)
+
for profile_id in profile_ids:
match = re.search(
r'^profile\.{}\.config=(\S*)'.format(profile_id),

debian/patches/migrate-to-gpg.diff vendored Normal file

@@ -0,0 +1,11 @@
--- a/ipaplatform/base/paths.py
+++ b/ipaplatform/base/paths.py
@@ -176,7 +176,7 @@ class BasePathNamespace:
CHROMIUM_BROWSER = "/usr/bin/chromium-browser"
FIREFOX = "/usr/bin/firefox"
GETCERT = "/usr/bin/getcert"
- GPG2 = "/usr/bin/gpg2"
+ GPG2 = "/usr/bin/gpg"
GPG_CONF = "/usr/bin/gpgconf"
GPG_CONNECT_AGENT = "/usr/bin/gpg-connect-agent"
GPG_AGENT = "/usr/bin/gpg-agent"
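Review bot: pointing GPG2 at /usr/bin/gpg is right for Debian, where the gnupg package ships GnuPG 2.x as `gpg`, but make sure freeipa-server declares Depends on `gnupg` (not the transitional `gnupg2`), since ipa-backup and ipa-restore only shell out to this binary when an administrator first uses encrypted backups and a missing dependency would surface then. This patch also lacks a DEP-3 header.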


@@ -1,13 +0,0 @@
diff --git a/VERSION.m4 b/VERSION.m4
index 744270173..0f6d3cc4e 100644
--- a/VERSION.m4
+++ b/VERSION.m4
@@ -46,7 +46,7 @@ define(IPA_VERSION_PRE_RELEASE, )
# This option works only with GNU m4: #
# it requires esyscmd m4 macro. #
########################################################
-define(IPA_VERSION_IS_GIT_SNAPSHOT, yes)
+define(IPA_VERSION_IS_GIT_SNAPSHOT, no)
########################################################
# git development branch: #


@@ -0,0 +1,796 @@
--- a/daemons/dnssec/ipa-dnskeysync-replica.in
+++ b/daemons/dnssec/ipa-dnskeysync-replica.in
@@ -145,7 +145,7 @@ def ldap2replica_zone_keys_sync(ldapkeyd
# IPA framework initialization
-standard_logging_setup(verbose=True, debug=True)
+standard_logging_setup(debug=True)
ipalib.api.bootstrap(context='dns', confdir=paths.ETC_IPA, in_server=True)
ipalib.api.finalize()
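Review bot: the `standard_logging_setup(verbose=True, debug=True)` to `debug=True` change here, and the two logging hunks that follow, are unrelated to the BIND/OpenSSL engine work; bundling them makes the patch harder to rebase and to retire once upstream lands in Debian. Either limit the patch to the engine change or name the upstream commits it backports in a DEP-3 Origin header so the full set can be checked.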
--- a/daemons/dnssec/ipa-dnskeysyncd.in
+++ b/daemons/dnssec/ipa-dnskeysyncd.in
@@ -23,12 +23,9 @@ logger = logging.getLogger(os.path.basen
# IPA framework initialization
-standard_logging_setup(verbose=True)
+standard_logging_setup(debug=True)
api.bootstrap(context='dns', confdir=paths.ETC_IPA, in_server=True)
api.finalize()
-if api.env.debug:
- root_logger = logging.getLogger()
- root_logger.setLevel(logging.DEBUG)
# Global state
watcher_running = True
--- a/daemons/dnssec/ipa-ods-exporter.in
+++ b/daemons/dnssec/ipa-ods-exporter.in
@@ -29,12 +29,12 @@ import dns.dnssec
from gssapi.exceptions import GSSError
import six
import systemd.daemon
-import systemd.journal
import ipalib
from ipalib.constants import SOFTHSM_DNSSEC_TOKEN_LABEL
from ipalib.install.kinit import kinit_keytab
from ipapython.dn import DN
+from ipapython.ipa_log_manager import standard_logging_setup
from ipapython import ipaldap
from ipaplatform.paths import paths
from ipaserver.dnssec.abshsm import sync_pkcs11_metadata, wrappingmech_name2id
@@ -650,20 +650,8 @@ def cleanup_ldap_zone(ldap, dns_dn, zone
ldap.delete_entry(ldap_key)
-# this service is usually socket-activated
-root_logger = logging.getLogger()
-root_logger.addHandler(systemd.journal.JournalHandler())
-root_logger.setLevel(level=logging.DEBUG)
-
-if len(sys.argv) > 2:
- print(__doc__)
- sys.exit(1)
-# program was likely invoked from console, log to it
-elif len(sys.argv) == 2:
- console = logging.StreamHandler()
- root_logger.addHandler(console)
-
# IPA framework initialization
+standard_logging_setup(debug=True)
ipalib.api.bootstrap(context='dns', confdir=paths.ETC_IPA, in_server=True)
ipalib.api.finalize()
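Review bot: besides swapping in standard_logging_setup, this hunk deletes the `if len(sys.argv) > 2: print(__doc__); sys.exit(1)` usage check and the console handler that was added when the exporter is run from a terminal; the socket-activated path is unaffected, but this silently changes the daemon's command-line behaviour and is not part of the engine change. Split it out or call it out in the patch header.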
--- a/freeipa.spec.in
+++ b/freeipa.spec.in
@@ -99,6 +99,15 @@
%global httpd_version 2.4.41-6.1
%endif
+# BIND employs 'pkcs11' OpenSSL engine instead of native PKCS11
+%if 0%{?fedora} >= 31
+ %global with_bind_pkcs11 0
+ %global openssl_pkcs11_version 0.4.10-6
+ %global softhsm_version 2.5.0-4
+%else
+ %global with_bind_pkcs11 1
+%endif
+
# Don't use Fedora's Python dependency generator on Fedora 30/rawhide yet.
# Some packages don't provide new dist aliases.
# https://docs.fedoraproject.org/en-US/packaging-guidelines/Python/
@@ -463,8 +472,13 @@ Requires: %{name}-server = %{version}-%{
Requires: bind-dyndb-ldap >= 11.0-2
Requires: bind >= 9.11.0-6.P2
Requires: bind-utils >= 9.11.0-6.P2
+%if 0%{?with_bind_pkcs11}
Requires: bind-pkcs11 >= 9.11.0-6.P2
Requires: bind-pkcs11-utils >= 9.11.0-6.P2
+%else
+Requires: softhsm >= %{softhsm_version}
+Requires: openssl-pkcs11 >= %{openssl_pkcs11_version}
+%endif
%if 0%{?fedora} >= 32
# See https://bugzilla.redhat.com/show_bug.cgi?id=1825812
Requires: opendnssec >= 2.1.6-5
--- a/install/share/Makefile.am
+++ b/install/share/Makefile.am
@@ -48,6 +48,8 @@ dist_app_DATA = \
bind.ipa-ext.conf.template \
bind.ipa-options-ext.conf.template \
bind.named.conf.template \
+ bind.openssl.cnf.template \
+ bind.openssl.cryptopolicy.cnf.template \
certmap.conf.template \
kdc.conf.template \
kdc_extensions.template \
--- /dev/null
+++ b/install/share/bind.openssl.cnf.template
@@ -0,0 +1,14 @@
+# OpenSSL configuration file
+# File generated by IPA instalation
+openssl_conf = openssl_init
+
+[openssl_init]
+engines = engine_section
+
+[engine_section]
+$OPENSSL_ENGINE = ${OPENSSL_ENGINE}_section
+
+[${OPENSSL_ENGINE}_section]
+engine_id = $OPENSSL_ENGINE
+MODULE_PATH = $SOFTHSM_MODULE
+init=0
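Review bot: `init=0` means the pkcs11 engine is only initialised when named or dnssec-keyfromlabel loads it explicitly, which is the intent, but note that this file is written 0640 root:named later in the patch while dnssec-keyfromlabel is run from bindmgr (ipa-dnskeysyncd), not from named; confirm the user that daemon runs as can read DNSSEC_OPENSSL_CONF through the OPENSSL_CONF variable set in its sysconfig, or key generation will run without the engine. "instalation" in the generated comment is misspelled.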
--- /dev/null
+++ b/install/share/bind.openssl.cryptopolicy.cnf.template
@@ -0,0 +1,21 @@
+# OpenSSL configuration file
+# File generated by IPA instalation
+openssl_conf = openssl_init
+
+[openssl_init]
+ssl_conf = ssl_configuration
+engines = engine_section
+
+[ssl_configuration]
+system_default = crypto_policy
+
+[crypto_policy]
+.include $CRYPTO_POLICY_FILE
+
+[engine_section]
+$OPENSSL_ENGINE = ${OPENSSL_ENGINE}_section
+
+[${OPENSSL_ENGINE}_section]
+engine_id = $OPENSSL_ENGINE
+MODULE_PATH = $SOFTHSM_MODULE
+init=0
--- a/ipaplatform/base/constants.py
+++ b/ipaplatform/base/constants.py
@@ -23,6 +23,8 @@ class BaseConstantsNamespace:
NAMED_USER = "named"
NAMED_GROUP = "named"
NAMED_DATA_DIR = "data/"
+ NAMED_OPTIONS_VAR = "OPTIONS"
+ NAMED_OPENSSL_ENGINE = None
NAMED_ZONE_COMMENT = ""
PKI_USER = 'pkiuser'
PKI_GROUP = 'pkiuser'
--- a/ipaplatform/base/paths.py
+++ b/ipaplatform/base/paths.py
@@ -26,6 +26,7 @@ import os
class BasePathNamespace:
BIN_HOSTNAMECTL = "/bin/hostnamectl"
+ CRYPTO_POLICY_OPENSSLCNF_FILE = None
ECHO = "/bin/echo"
FIPS_MODE_SETUP = "/usr/bin/fips-mode-setup"
GZIP = "/bin/gzip"
@@ -69,6 +70,7 @@ class BasePathNamespace:
IPA_DEFAULT_CONF = "/etc/ipa/default.conf"
IPA_DNSKEYSYNCD_KEYTAB = "/etc/ipa/dnssec/ipa-dnskeysyncd.keytab"
IPA_ODS_EXPORTER_KEYTAB = "/etc/ipa/dnssec/ipa-ods-exporter.keytab"
+ DNSSEC_OPENSSL_CONF = None
DNSSEC_SOFTHSM2_CONF = "/etc/ipa/dnssec/softhsm2.conf"
DNSSEC_SOFTHSM_PIN_SO = "/etc/ipa/dnssec/softhsm_pin_so"
IPA_NSSDB_DIR = "/etc/ipa/nssdb"
@@ -253,8 +255,6 @@ class BasePathNamespace:
IPA_REPLICA_CONNCHECK = "/usr/sbin/ipa-replica-conncheck"
IPA_RMKEYTAB = "/usr/sbin/ipa-rmkeytab"
IPACTL = "/usr/sbin/ipactl"
- NAMED = "/usr/sbin/named"
- NAMED_PKCS11 = "/usr/sbin/named-pkcs11"
CHRONYC = "/usr/bin/chronyc"
CHRONYD = "/usr/sbin/chronyd"
PKIDESTROY = "/usr/sbin/pkidestroy"
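Review bot: NAMED and NAMED_PKCS11 are removed from BasePathNamespace, and the Debian platform files are not shown being touched anywhere in the portion of this patch on the page; grep ipaplatform/debian/ and any Debian-specific patch for `paths.NAMED` and `paths.NAMED_PKCS11` before applying, because a stale reference fails at runtime as an AttributeError rather than at patch time.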
--- a/ipaplatform/fedora/constants.py
+++ b/ipaplatform/fedora/constants.py
@@ -27,4 +27,6 @@ class FedoraConstantsNamespace(RedHatCon
if HAS_NFS_CONF:
SECURE_NFS_VAR = None
+ NAMED_OPENSSL_ENGINE = "pkcs11"
+
constants = FedoraConstantsNamespace()
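Review bot: the engine is switched on only for Fedora (`NAMED_OPENSSL_ENGINE = "pkcs11"` here, plus DNSSEC_OPENSSL_CONF and DNSSEC_KEYFROMLABEL in the fedora paths hunk that follows), while base keeps `NAMED_OPENSSL_ENGINE = None`; unless a hunk beyond the part of the patch shown on this page sets the same attributes on the Debian constants and paths namespaces, `setup_named_openssl_conf` is a no-op on Debian and `-E` is never passed, so the patch would not deliver the bind9 9.16 support it is named for. Also verify that the Debian DNSSEC_KEYFROMLABEL points at the plain dnssec-keyfromlabel binary from bind9-utils rather than a -pkcs11 variant that the 9.16 packages no longer ship.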
--- a/ipaplatform/fedora/paths.py
+++ b/ipaplatform/fedora/paths.py
@@ -36,6 +36,8 @@ class FedoraPathNamespace(RedHatPathName
NAMED_CRYPTO_POLICY_FILE = "/etc/crypto-policies/back-ends/bind.config"
if HAS_NFS_CONF:
SYSCONFIG_NFS = '/etc/nfs.conf'
+ DNSSEC_OPENSSL_CONF = "/etc/ipa/dnssec/openssl.cnf"
+ DNSSEC_KEYFROMLABEL = "/usr/sbin/dnssec-keyfromlabel"
paths = FedoraPathNamespace()
--- a/ipaplatform/fedora/services.py
+++ b/ipaplatform/fedora/services.py
@@ -29,6 +29,8 @@ from ipaplatform.redhat import services
# Mappings from service names as FreeIPA code references to these services
# to their actual systemd service names
fedora_system_units = redhat_services.redhat_system_units.copy()
+fedora_system_units['named'] = fedora_system_units['named-regular']
+fedora_system_units['named-conflict'] = fedora_system_units['named-pkcs11']
# Service classes that implement Fedora-specific behaviour
@@ -41,6 +43,8 @@ class FedoraService(redhat_services.RedH
# of specified name
def fedora_service_class_factory(name, api=None):
+ if name in ['named', 'named-conflict']:
+ return FedoraService(name, api)
return redhat_services.redhat_service_class_factory(name, api)
--- a/ipaplatform/redhat/paths.py
+++ b/ipaplatform/redhat/paths.py
@@ -31,6 +31,9 @@ from ipaplatform.base.paths import BaseP
class RedHatPathNamespace(BasePathNamespace):
+ CRYPTO_POLICY_OPENSSLCNF_FILE = (
+ '/etc/crypto-policies/back-ends/opensslcnf.config'
+ )
# https://docs.python.org/2/library/platform.html#cross-platform
if sys.maxsize > 2**32:
LIBSOFTHSM2_SO = BasePathNamespace.LIBSOFTHSM2_SO_64
--- a/ipaplatform/redhat/services.py
+++ b/ipaplatform/redhat/services.py
@@ -68,6 +68,7 @@ redhat_system_units['ipa-dnskeysyncd'] =
redhat_system_units['named-regular'] = 'named.service'
redhat_system_units['named-pkcs11'] = 'named-pkcs11.service'
redhat_system_units['named'] = redhat_system_units['named-pkcs11']
+redhat_system_units['named-conflict'] = redhat_system_units['named-regular']
redhat_system_units['ods-enforcerd'] = 'ods-enforcerd.service'
redhat_system_units['ods_enforcerd'] = redhat_system_units['ods-enforcerd']
redhat_system_units['ods-signerd'] = 'ods-signerd.service'
--- a/ipaserver/dnssec/bindmgr.py
+++ b/ipaserver/dnssec/bindmgr.py
@@ -16,11 +16,14 @@ import stat
import six
import ipalib.constants
+
from ipapython.dn import DN
from ipapython import ipautil
+from ipaplatform.constants import constants as platformconstants
from ipaplatform.paths import paths
from ipaserver.dnssec.temp import TemporaryDirectory
+from ipaserver.install import installutils
logger = logging.getLogger(__name__)
@@ -133,8 +136,11 @@ class BINDMgr:
cmd.extend(['-f', 'KSK'])
if attrs.get('idnsSecKeyRevoke', [b'FALSE'])[0].upper() == b'TRUE':
cmd.extend(['-R', datetime.now().strftime(time_bindfmt)])
+ if platformconstants.NAMED_OPENSSL_ENGINE is not None:
+ cmd.extend(['-E', platformconstants.NAMED_OPENSSL_ENGINE])
cmd.append(zone.to_text())
+ installutils.check_entropy()
# keys has to be readable by ODS & named
result = ipautil.run(cmd, capture_output=True)
basename = result.output.strip()
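Review bot: `installutils.check_entropy()` is now run on every key generation regardless of whether the engine path is in use, and pulling ipaserver.install.installutils into ipaserver.dnssec.bindmgr makes the DNSSEC daemon code depend on the installer package; if the entropy warning is wanted here, a helper in ipapython or ipaserver.dnssec would keep the layering clean. The `-E` flag is only appended when NAMED_OPENSSL_ENGINE is set, which is correct, so the call change itself is fine.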
--- a/ipaserver/install/bindinstance.py
+++ b/ipaserver/install/bindinstance.py
@@ -663,7 +663,7 @@ class BindInstance(service.Service):
self.no_dnssec_validation = False
self.sub_dict = None
self.reverse_zones = ()
- self.named_regular = services.service('named-regular', api)
+ self.named_conflict = services.service('named-conflict', api)
suffix = ipautil.dn_attribute_property('_suffix')
@@ -770,7 +770,7 @@ class BindInstance(service.Service):
# named has to be started after softhsm initialization
# self.step("restarting named", self.__start)
- self.step("configuring named to start on boot", self.__enable)
+ self.step("configuring named to start on boot", self.switch_service)
self.step(
"changing resolv.conf to point to ourselves",
self.setup_resolv_conf
@@ -783,19 +783,16 @@ class BindInstance(service.Service):
def __start(self):
try:
- if self.get_state("running") is None:
- # first time store status
- self.backup_state("running", self.is_running())
self.restart()
except Exception as e:
logger.error("Named service failed to start (%s)", e)
print("named service failed to start")
+ def switch_service(self):
+ self.mask_conflict()
+ self.__enable()
+
def __enable(self):
- if self.get_state("enabled") is None:
- self.backup_state("enabled", self.is_running())
- self.backup_state("named-regular-enabled",
- self.named_regular.is_running())
# We do not let the system start IPA components on its own,
# Instead we reply on the IPA init script to start only enabled
# components as found in our LDAP configuration tree
@@ -806,20 +803,19 @@ class BindInstance(service.Service):
# don't crash, just report error
logger.error("DNS service already exists")
- # disable named, we need to run named-pkcs11 only
- if self.get_state("named-regular-running") is None:
- # first time store status
- self.backup_state("named-regular-running",
- self.named_regular.is_running())
+ def mask_conflict(self):
+ # disable named-conflict (either named or named-pkcs11)
try:
- self.named_regular.stop()
+ self.named_conflict.stop()
except Exception as e:
- logger.debug("Unable to stop named (%s)", e)
+ logger.debug("Unable to stop %s (%s)",
+ self.named_conflict.systemd_name, e)
try:
- self.named_regular.mask()
+ self.named_conflict.mask()
except Exception as e:
- logger.debug("Unable to mask named (%s)", e)
+ logger.debug("Unable to mask %s (%s)",
+ self.named_conflict.systemd_name, e)
def _get_dnssec_validation(self):
"""get dnssec-validation value
@@ -1318,11 +1314,6 @@ class BindInstance(service.Service):
if self.is_configured():
self.print_msg("Unconfiguring %s" % self.service_name)
- running = self.restore_state("running")
- enabled = self.restore_state("enabled")
- named_regular_running = self.restore_state("named-regular-running")
- named_regular_enabled = self.restore_state("named-regular-enabled")
-
self.dns_backup.clear_records(self.api.Backend.ldap2.isconnected())
try:
@@ -1337,23 +1328,10 @@ class BindInstance(service.Service):
ipautil.rmtree(paths.BIND_LDAP_DNS_IPA_WORKDIR)
- # disabled by default, by ldap_configure()
- if enabled:
- self.enable()
- else:
- self.disable()
-
- if running:
- self.restart()
- else:
- self.stop()
-
- self.named_regular.unmask()
- if named_regular_enabled:
- self.named_regular.enable()
+ self.disable()
+ self.stop()
- if named_regular_running:
- self.named_regular.start()
+ self.named_conflict.unmask()
ipautil.remove_file(paths.NAMED_CONF_BAK)
ipautil.remove_file(paths.NAMED_CUSTOM_CONF)
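Review bot: uninstall previously restored the pre-install state of both named and the regular unit from the statestore (`running`, `enabled`, `named-regular-running`, `named-regular-enabled`); the new code unconditionally disables and stops named and only unmasks the conflict unit, never re-enabling or restarting it. That is a behaviour change for a host that ran its own named before ipa-dns-install, and servers installed under the old code still carry those statestore keys, which are now never consumed. Document it in the patch header and test ipa-server-install --uninstall on a host with a pre-existing named.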
--- a/ipaserver/install/dnskeysyncinstance.py
+++ b/ipaserver/install/dnskeysyncinstance.py
@@ -4,11 +4,12 @@
from __future__ import print_function, absolute_import
-import logging
import errno
+import grp
+import logging
import os
import pwd
-import grp
+import re
import shutil
import stat
@@ -56,10 +57,10 @@ class DNSKeySyncInstance(service.Service
keytab=paths.IPA_DNSKEYSYNCD_KEYTAB
)
self.extra_config = [u'dnssecVersion 1', ] # DNSSEC enabled
- self.named_uid = None
- self.named_gid = None
- self.ods_uid = None
- self.ods_gid = None
+ self.named_uid = self.__get_named_uid()
+ self.named_gid = self.__get_named_gid()
+ self.ods_uid = self.__get_ods_uid()
+ self.ods_gid = self.__get_ods_gid()
suffix = ipautil.dn_attribute_property('_suffix')
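Review bot: moving the uid/gid lookups into `__init__` means constructing DNSKeySyncInstance now raises RuntimeError ("Named UID not found" and friends) whenever the named or ods accounts do not exist, for example on a server without bind9 or opendnssec installed; any caller that instantiates the class merely to call is_configured() or uninstall() will now fail at construction. Check those call sites, or keep the lookups lazy.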
@@ -67,12 +68,6 @@ class DNSKeySyncInstance(service.Service
"""
Setting up correct permissions to allow write/read access for daemons
"""
- if self.named_uid is None:
- self.named_uid = self.__get_named_uid()
-
- if self.named_gid is None:
- self.named_gid = self.__get_named_gid()
-
if not os.path.exists(paths.BIND_LDAP_DNS_IPA_WORKDIR):
os.mkdir(paths.BIND_LDAP_DNS_IPA_WORKDIR, 0o770)
# dnssec daemons require to have access into the directory
@@ -133,20 +128,19 @@ class DNSKeySyncInstance(service.Service
except KeyError:
raise RuntimeError("Named GID not found")
- def __check_dnssec_status(self):
- self.named_uid = self.__get_named_uid()
- self.named_gid = self.__get_named_gid()
-
+ def __get_ods_uid(self):
try:
- self.ods_uid = pwd.getpwnam(constants.ODS_USER).pw_uid
+ return pwd.getpwnam(constants.ODS_USER).pw_uid
except KeyError:
raise RuntimeError("OpenDNSSEC UID not found")
+ def __get_ods_gid(self):
try:
- self.ods_gid = grp.getgrnam(constants.ODS_GROUP).gr_gid
+ return grp.getgrnam(constants.ODS_GROUP).gr_gid
except KeyError:
raise RuntimeError("OpenDNSSEC GID not found")
+ def __check_dnssec_status(self):
if not dns_container_exists(self.suffix):
raise RuntimeError("DNS container does not exist")
@@ -164,10 +158,94 @@ class DNSKeySyncInstance(service.Service
self._ldap_mod("dnssec.ldif", {'SUFFIX': self.suffix, })
- def __setup_softhsm(self):
- assert self.ods_uid is not None
- assert self.named_gid is not None
+ def _are_named_options_configured(self, options):
+ """Check whether the sysconfig of named is patched
+ Additional command line options for named are passed
+ via OPTIONS env variable. Since custom options can be
+ supplied by a vendor, at least, the base parsing of such
+ is required.
+ Current named command line options:
+ NS_MAIN_ARGS "46A:c:C:d:D:E:fFgi:lL:M:m:n:N:p:P:sS:t:T:U:u:vVx:X:"
+ If there are several same options the last passed wins.
+ """
+ if options:
+ pattern = r"[ ]*-[a-zA-Z46]*E[ ]*(.*?)(?: |$)"
+ engines = re.findall(pattern, options)
+ if engines and engines[-1] == constants.NAMED_OPENSSL_ENGINE:
+ return True
+
+ return False
+
+ def setup_named_openssl_conf(self):
+ if constants.NAMED_OPENSSL_ENGINE is not None:
+ logger.debug("Setup OpenSSL config for BIND")
+ # setup OpenSSL config for BIND,
+ # this one is needed because FreeIPA installation
+ # disables p11-kit-proxy PKCS11 module
+ conf_file_dict = {
+ 'OPENSSL_ENGINE': constants.NAMED_OPENSSL_ENGINE,
+ 'SOFTHSM_MODULE': paths.LIBSOFTHSM2_SO,
+ 'CRYPTO_POLICY_FILE': paths.CRYPTO_POLICY_OPENSSLCNF_FILE,
+ }
+ if paths.CRYPTO_POLICY_OPENSSLCNF_FILE is None:
+ opensslcnf_tmpl = "bind.openssl.cnf.template"
+ else:
+ opensslcnf_tmpl = "bind.openssl.cryptopolicy.cnf.template"
+
+ named_openssl_txt = ipautil.template_file(
+ os.path.join(paths.USR_SHARE_IPA_DIR, opensslcnf_tmpl),
+ conf_file_dict
+ )
+ with open(paths.DNSSEC_OPENSSL_CONF, 'w') as f:
+ os.fchmod(f.fileno(), 0o640)
+ os.fchown(f.fileno(), 0, self.named_gid)
+ f.write(named_openssl_txt)
+
+ def setup_named_sysconfig(self):
+ logger.debug("Setup BIND sysconfig")
+ sysconfig = paths.SYSCONFIG_NAMED
+ self.fstore.backup_file(sysconfig)
+
+ directivesetter.set_directive(
+ sysconfig,
+ 'SOFTHSM2_CONF', paths.DNSSEC_SOFTHSM2_CONF,
+ quotes=False, separator='=')
+
+ if constants.NAMED_OPENSSL_ENGINE is not None:
+ directivesetter.set_directive(
+ sysconfig,
+ 'OPENSSL_CONF', paths.DNSSEC_OPENSSL_CONF,
+ quotes=False, separator='=')
+
+ options = directivesetter.get_directive(
+ paths.SYSCONFIG_NAMED,
+ constants.NAMED_OPTIONS_VAR,
+ separator="="
+ ) or ''
+ if not self._are_named_options_configured(options):
+ engine_cmd = "-E {}".format(constants.NAMED_OPENSSL_ENGINE)
+ new_options = ' '.join([options, engine_cmd])
+ directivesetter.set_directive(
+ sysconfig,
+ constants.NAMED_OPTIONS_VAR, new_options,
+ quotes=True, separator='=')
+
+ def setup_ipa_dnskeysyncd_sysconfig(self):
+ logger.debug("Setup ipa-dnskeysyncd sysconfig")
+ sysconfig = paths.SYSCONFIG_IPA_DNSKEYSYNCD
+ directivesetter.set_directive(
+ sysconfig,
+ 'SOFTHSM2_CONF', paths.DNSSEC_SOFTHSM2_CONF,
+ quotes=False, separator='=')
+
+ if constants.NAMED_OPENSSL_ENGINE is not None:
+ directivesetter.set_directive(
+ sysconfig,
+ 'OPENSSL_CONF', paths.DNSSEC_OPENSSL_CONF,
+ quotes=False, separator='=')
+
+ def __setup_softhsm(self):
token_dir_exists = os.path.exists(paths.DNSSEC_TOKENS_DIR)
# create dnssec directory
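Review bot: `_are_named_options_configured` relies on `r"[ ]*-[a-zA-Z46]*E[ ]*(.*?)(?: |$)"`, which treats any `E` in an option cluster as the engine flag even when an earlier letter in that cluster takes an argument, and `get_directive(..., separator="=")` may hand back the OPTIONS value still wrapped in quotes; if the existing line is `OPTIONS="-u bind"`, then `' '.join([options, engine_cmd])` written back with `quotes=True` produces doubled quotes. Strip surrounding quotes before joining, and add a unit test with a quoted OPTIONS value and with a pre-existing `-E pkcs11` so re-running the installer stays idempotent.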
@@ -186,23 +264,15 @@ class DNSKeySyncInstance(service.Service
'tokens_dir': paths.DNSSEC_TOKENS_DIR
}
logger.debug("Creating new softhsm config file")
- named_fd = open(paths.DNSSEC_SOFTHSM2_CONF, 'w')
- named_fd.seek(0)
- named_fd.truncate(0)
- named_fd.write(softhsm_conf_txt)
- named_fd.close()
- os.chmod(paths.DNSSEC_SOFTHSM2_CONF, 0o644)
-
- # setting up named to use softhsm2
- if not self.fstore.has_file(paths.SYSCONFIG_NAMED):
- self.fstore.backup_file(paths.SYSCONFIG_NAMED)
-
- # setting up named and ipa-dnskeysyncd to use our softhsm2 config
- for sysconfig in [paths.SYSCONFIG_NAMED,
- paths.SYSCONFIG_IPA_DNSKEYSYNCD]:
- directivesetter.set_directive(sysconfig, 'SOFTHSM2_CONF',
- paths.DNSSEC_SOFTHSM2_CONF,
- quotes=False, separator='=')
+ with open(paths.DNSSEC_SOFTHSM2_CONF, 'w') as f:
+ os.fchmod(f.fileno(), 0o644)
+ f.write(softhsm_conf_txt)
+
+ # setting up named and ipa-dnskeysyncd to use our softhsm2 and
+ # openssl configs
+ self.setup_named_openssl_conf()
+ self.setup_named_sysconfig()
+ self.setup_ipa_dnskeysyncd_sysconfig()
if (token_dir_exists and os.path.exists(paths.DNSSEC_SOFTHSM_PIN) and
os.path.exists(paths.DNSSEC_SOFTHSM_PIN_SO)):
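Review bot: the `if not self.fstore.has_file(paths.SYSCONFIG_NAMED)` guard around the backup is dropped here, and its replacement setup_named_sysconfig() calls `self.fstore.backup_file(sysconfig)` unconditionally; since that helper is now also reached from the upgrade path (dnssec_set_openssl_engine), confirm that backup_file is a no-op when a backup already exists, otherwise a re-run would overwrite the pristine copy with the already-modified file. The softhsm2.conf rewrite itself is fine: 0o644 is unchanged and the file holds only directory paths, not the PIN.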
@@ -231,23 +301,17 @@ class DNSKeySyncInstance(service.Service
entropy_bits=0, special=None, min_len=pin_length)
logger.debug("Saving user PIN to %s", paths.DNSSEC_SOFTHSM_PIN)
- named_fd = open(paths.DNSSEC_SOFTHSM_PIN, 'w')
- named_fd.seek(0)
- named_fd.truncate(0)
- named_fd.write(pin)
- named_fd.close()
- os.chmod(paths.DNSSEC_SOFTHSM_PIN, 0o770)
- # chown to ods:named
- os.chown(paths.DNSSEC_SOFTHSM_PIN, self.ods_uid, self.named_gid)
+ with open(paths.DNSSEC_SOFTHSM_PIN, 'w') as f:
+ # chown to ods:named
+ os.fchown(f.fileno(), self.ods_uid, self.named_gid)
+ os.fchmod(f.fileno(), 0o660)
+ f.write(pin)
logger.debug("Saving SO PIN to %s", paths.DNSSEC_SOFTHSM_PIN_SO)
- named_fd = open(paths.DNSSEC_SOFTHSM_PIN_SO, 'w')
- named_fd.seek(0)
- named_fd.truncate(0)
- named_fd.write(pin_so)
- named_fd.close()
- # owner must be root
- os.chmod(paths.DNSSEC_SOFTHSM_PIN_SO, 0o400)
+ with open(paths.DNSSEC_SOFTHSM_PIN_SO, 'w') as f:
+ # owner must be root
+ os.fchmod(f.fileno(), 0o400)
+ f.write(pin_so)
# initialize SoftHSM
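Review bot: both PIN files are created by `open(path, 'w')` and only then tightened with fchown/fchmod, so they exist for a moment with whatever mode the umask allows (commonly 0644) before the write; the PIN is written after fchmod, so the secret itself is not exposed, but the SO PIN is the one secret the whole token hinges on, so create it with the final mode from the start: `fd = os.open(path, os.O_WRONLY | os.O_CREAT | os.O_TRUNC, 0o400)` followed by `os.fdopen(fd, 'w')`, and the same pattern with 0o660 for the user PIN. The drop from 0o770 to 0o660 on the user PIN is correct; a PIN file has no reason to be executable.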
@@ -377,7 +441,7 @@ class DNSKeySyncInstance(service.Service
os.chown(dir_path, self.ods_uid, self.named_gid)
for filename in files:
file_path = os.path.join(root, filename)
- os.chmod(file_path, 0o770 | stat.S_ISGID)
+ os.chmod(file_path, 0o660 | stat.S_ISGID)
# chown to ods:named
os.chown(file_path, self.ods_uid, self.named_gid)
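Review bot: `0o660 | stat.S_ISGID` is applied to regular files inside this loop; the setgid bit only carries its group-inheritance meaning on directories, and on a regular file whose group-execute bit is clear Linux historically read it as the mandatory-locking flag, a feature long deprecated and since removed from the kernel. Dropping the exec bits is right, and S_ISGID should go with them for files: `os.chmod(file_path, 0o660)`. Keep the setgid bit on the directory chmod (not shown in this hunk) if group inheritance is wanted there.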
@@ -389,7 +453,6 @@ class DNSKeySyncInstance(service.Service
logger.error("DNSKeySync service already exists")
def __setup_principal(self):
- assert self.ods_gid is not None
ipautil.remove_keytab(self.keytab)
installutils.kadmin_addprinc(self.principal)
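Review bot: dropping `assert self.ods_gid is not None` is only safe if __setup_principal never uses ods_gid; the two lines still in view use `self.keytab` and `self.principal`, so it looks like dead code, but say so in the commit message. If a guard on ods_gid is still needed anywhere, make it an explicit `if self.ods_gid is None: raise RuntimeError(...)` rather than an assert, which `python -O` strips.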
--- a/ipaserver/install/ipa_backup.py
+++ b/ipaserver/install/ipa_backup.py
@@ -185,6 +185,7 @@ class Backup(admintool.AdminTool):
paths.OPENDNSSEC_KASP_FILE,
paths.OPENDNSSEC_ZONELIST_FILE,
paths.OPENDNSSEC_KASP_DB,
+ paths.DNSSEC_OPENSSL_CONF,
paths.DNSSEC_SOFTHSM2_CONF,
paths.DNSSEC_SOFTHSM_PIN_SO,
paths.IPA_ODS_EXPORTER_KEYTAB,
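Review bot: the new openssl.cnf is written root:named with mode 0640 (see the fchmod/fchown in setup_named_openssl_conf), so adding it to the backup set is only useful if the restore path reinstates that owner and mode; restored root-only, it leaves named unable to read its engine configuration. Since the file is generated from a template and conf_file_dict, regenerating it on restore via setup_named_openssl_conf() is the more robust option.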
--- a/ipaserver/install/kra.py
+++ b/ipaserver/install/kra.py
@@ -106,9 +106,9 @@ def install(api, replica_config, options
# Restart apache for new proxy config file
services.knownservices.httpd.restart(capture_output=True)
- # Restarted named-pkcs11 to restore bind-dyndb-ldap operation, see
+ # Restarted named to restore bind-dyndb-ldap operation, see
# https://pagure.io/freeipa/issue/5813
- named = services.knownservices.named # alias for named-pkcs11
+ named = services.knownservices.named # alias for current named
if named.is_running():
named.restart(capture_output=True)
--- a/ipaserver/install/opendnssecinstance.py
+++ b/ipaserver/install/opendnssecinstance.py
@@ -269,7 +269,7 @@ class OpenDNSSECInstance(service.Service
os.chown(dir_path, self.ods_uid, self.named_gid) # chown to ods:named
for filename in files:
file_path = os.path.join(root, filename)
- os.chmod(file_path, 0o770 | stat.S_ISGID)
+ os.chmod(file_path, 0o660 | stat.S_ISGID)
os.chown(file_path, self.ods_uid, self.named_gid) # chown to ods:named
finally:
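Review bot: same point as the matching loop in dnskeysyncinstance.py: S_ISGID on a regular file gives no group inheritance and, without the group-execute bit, was the old mandatory-locking flag; use plain `0o660` for files and reserve the setgid bit for the directories.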
--- a/ipaserver/install/server/upgrade.py
+++ b/ipaserver/install/server/upgrade.py
@@ -509,6 +509,24 @@ def ca_initialize_hsm_state(ca):
ca.set_hsm_state(config)
+def dnssec_set_openssl_engine(dnskeysyncd):
+ """
+ Setup OpenSSL engine for BIND
+ """
+ if constants.NAMED_OPENSSL_ENGINE is None:
+ return False
+
+ if sysupgrade.get_upgrade_state('dns', 'openssl_engine'):
+ return False
+
+ logger.info('[Set OpenSSL engine for BIND]')
+ dnskeysyncd.setup_named_openssl_conf()
+ dnskeysyncd.setup_named_sysconfig()
+ dnskeysyncd.setup_ipa_dnskeysyncd_sysconfig()
+ sysupgrade.set_upgrade_state('dns', 'openssl_engine', True)
+
+ return True
+
def certificate_renewal_update(ca, kra, ds, http):
"""
@@ -1395,7 +1413,10 @@ def upgrade_bind(fstore):
logger.info("DNS service is not configured")
return False
- # get rid of old upgrade states
+ bind_switch_service(bind)
+
+ # get rid of old states
+ bind_old_states(bind)
bind_old_upgrade_states()
# only upgrade with drop-in is missing and /etc/resolv.conf is a link to
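Review bot: the return value of `bind_switch_service(bind)` is discarded, so the `changed` that upgrade_bind returns does not reflect that a unit was switched and masked, and the caller cannot know a restart is due. Fold it into `changed` (respecting how that variable is initialised further down) or document why the switch needs no restart. Running the switch before the stale states are deleted is otherwise the right order.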
@@ -1428,6 +1449,38 @@ def upgrade_bind(fstore):
return changed
+def bind_switch_service(bind):
+ """
+ Mask either named or named-pkcs11, we need to run only one,
+ running both can cause unexpected errors.
+ """
+ named_conflict_name = bind.named_conflict.systemd_name
+ named_conflict_old = sysupgrade.get_upgrade_state('dns', 'conflict_named')
+
+ # nothing changed
+ if named_conflict_old and named_conflict_old == named_conflict_name:
+ return False
+
+ bind.switch_service()
+
+ sysupgrade.set_upgrade_state('dns', 'conflict_named', named_conflict_name)
+ return True
+
+
+def bind_old_states(bind):
+ """Remove old states
+ """
+ # no longer used states
+ old_states = [
+ "enabled",
+ "running",
+ "named-regular-enabled",
+ "named-regular-running",
+ ]
+ for state in old_states:
+ bind.delete_state(state)
+
+
def bind_old_upgrade_states():
"""Remove old upgrade states
"""
@@ -1673,6 +1726,9 @@ def upgrade_configuration():
if not dnskeysyncd.is_configured():
dnskeysyncd.create_instance(fqdn, api.env.realm)
dnskeysyncd.start_dnskeysyncd()
+ else:
+ if dnssec_set_openssl_engine(dnskeysyncd):
+ dnskeysyncd.start_dnskeysyncd()
cleanup_kdc(fstore)
cleanup_adtrust(fstore)
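Review bot: `else:` followed by a lone `if` should be `elif dnssec_set_openssl_engine(dnskeysyncd):`. More importantly, dnssec_set_openssl_engine rewrites the named sysconfig (OPENSSL_CONF and the `-E` option) as well as the dnskeysyncd one, yet this branch only starts ipa-dnskeysyncd; named needs a restart to pick up the new environment, and an already-running ipa-dnskeysyncd needs `restart`, not `start`, for the same reason. Confirm named is restarted later in upgrade_configuration or do it here.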
--- a/ipaserver/install/service.py
+++ b/ipaserver/install/service.py
@@ -533,6 +533,9 @@ class Service:
def get_state(self, key):
return self.sstore.get_state(self.service_name, key)
+ def delete_state(self, key):
+ self.sstore.delete_state(self.service_name, key)
+
def print_msg(self, message):
print_msg(message, self.output_fd)
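Review bot: delete_state is called from bind_old_states for keys that may never have been set on a given install, so it must tolerate a missing key; confirm `self.sstore.delete_state` swallows the KeyError (or guard the call with `if self.get_state(key) is not None`) so the upgrade does not abort on a clean system.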
@@ -660,6 +663,7 @@ class Service:
]
extra_config_opts.extend(config)
+ self.unmask()
self.disable()
set_service_entry_config(
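Review bot: `self.unmask()` is unconditional in a shared Service method, so every service that passes through this path is unmasked, not only named. An administrator who deliberately masked a unit, for example one they replaced with a local alternative, has that undone on every upgrade. Restrict the unmask to the service being switched, or guard it with a check that the unit is masked and that this code is what masked it.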
--- a/ipatests/test_integration/test_commands.py
+++ b/ipatests/test_integration/test_commands.py
@@ -989,7 +989,7 @@ class TestIPACommand(IntegrationTest):
# get minimum version from current crypto-policy
openssl_cnf = self.master.get_file_contents(
- "/etc/crypto-policies/back-ends/opensslcnf.config",
+ paths.CRYPTO_POLICY_OPENSSLCNF_FILE,
encoding="utf-8"
)
mo = re.search(r"MinProtocol\s*=\s*(TLSv[0-9.]+)", openssl_cnf)

debian/patches/series vendored

@@ -1,14 +1,11 @@
# upstreamed
pkcs11-openssl-for-bind.diff
# not upstreamable
create-sysconfig-ods.diff
hack-tomcat-race.diff
# send upstream
fix-opendnssec-setup.diff
fix-fontawesome-path.diff
fix-krb5kdc-cert-path.diff
fix-gzip-path.diff
fix-py3-lesscpy-name.diff
dont-migrate-to-authselect.diff
fix-oddjobd-conf.diff
migrate-to-gpg.diff
dnssec-race-wa.diff
use-bind9.16.diff
fix-sssd-socket-activation.diff
fix-chrony-service-name.diff

debian/patches/use-bind9.16.diff vendored Normal file

@@ -0,0 +1,24 @@
--- a/ipaplatform/debian/paths.py
+++ b/ipaplatform/debian/paths.py
@@ -58,7 +58,7 @@ class DebianPathNamespace(BasePathNamesp
SYSCONFIG_IPA_DNSKEYSYNCD = "/etc/default/ipa-dnskeysyncd"
SYSCONFIG_IPA_ODS_EXPORTER = "/etc/default/ipa-ods-exporter"
SYSCONFIG_KRB5KDC_DIR = "/etc/default/krb5-kdc"
- SYSCONFIG_NAMED = "/etc/default/bind9"
+ SYSCONFIG_NAMED = "/etc/default/named"
SYSCONFIG_NFS = "/etc/default/nfs-common"
SYSCONFIG_NTPD = "/etc/default/ntp"
SYSCONFIG_ODS = "/etc/default/opendnssec"
--- a/ipaplatform/debian/services.py
+++ b/ipaplatform/debian/services.py
@@ -23,8 +23,8 @@ debian_system_units = redhat_services.re
debian_system_units['httpd'] = 'apache2.service'
debian_system_units['kadmin'] = 'krb5-admin-server.service'
debian_system_units['krb5kdc'] = 'krb5-kdc.service'
-debian_system_units['named-regular'] = 'bind9.service'
-debian_system_units['named-pkcs11'] = 'bind9-pkcs11.service'
+debian_system_units['named-regular'] = 'named.service'
+debian_system_units['named-pkcs11'] = 'named-pkcs11.service'
debian_system_units['named'] = debian_system_units['named-pkcs11']
debian_system_units['pki-tomcatd'] = 'pki-tomcatd.service'
debian_system_units['pki_tomcatd'] = debian_system_units['pki-tomcatd']
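Review bot: `named` stays aliased to `named-pkcs11`, now `named-pkcs11.service`, yet this patch ships together with the OpenSSL-engine support whose point is that bind 9.16 no longer needs a separate pkcs11 build. If Debian's bind9 9.16 provides no named-pkcs11 unit, `bind.named_conflict` and `switch_service()` in upgrade.py act on a unit that does not exist and `named.service`, the one that does, becomes the conflict to be masked. Confirm which units the Debian package actually provides and alias `named` to the one that runs with `-E`.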


@@ -1,3 +1,7 @@
dbus_python python-dbus
dbus_python python3-dbus-python
dogtag_pki pki-server
jwcrpyto python-jwcrypto
ipaclient python3-ipaclient
ipalib python3-ipalib
ipaplatform python3-ipaplatform
ipapython python3-ipapython
jwcrypto python3-jwcrypto


@@ -1,2 +0,0 @@
# no need to be executable
python-ipatests: script-not-executable usr/lib/python*/dist-packages/ipatests/test_integration/scripts/caless-create-pki


@@ -1,7 +1,6 @@
usr/lib/python*/dist-packages/ipalib-*.egg-info
usr/lib/python*/dist-packages/ipalib/*
usr/lib/python*/dist-packages/ipaplatform-*.egg-info
usr/lib/python*/dist-packages/ipaplatform-*-nspkg.pth
usr/lib/python*/dist-packages/ipaplatform/*
usr/lib/python*/dist-packages/ipapython-*.egg-info
usr/lib/python*/dist-packages/ipapython/*


@@ -22,6 +22,7 @@ usr/lib/python*/dist-packages/ipaserver/install/dsinstance.py
usr/lib/python*/dist-packages/ipaserver/install/httpinstance.py
usr/lib/python*/dist-packages/ipaserver/install/installutils.py
usr/lib/python*/dist-packages/ipaserver/install/ipa_*.py
usr/lib/python*/dist-packages/ipaserver/install/ipactl.py
usr/lib/python*/dist-packages/ipaserver/install/kra.py
usr/lib/python*/dist-packages/ipaserver/install/krainstance.py
usr/lib/python*/dist-packages/ipaserver/install/krbinstance.py
@@ -36,6 +37,7 @@ usr/lib/python*/dist-packages/ipaserver/install/server/*
usr/lib/python*/dist-packages/ipaserver/install/service.py
usr/lib/python*/dist-packages/ipaserver/install/sysupgrade.py
usr/lib/python*/dist-packages/ipaserver/install/upgradeinstance.py
usr/lib/python*/dist-packages/ipaserver/masters.py
usr/lib/python*/dist-packages/ipaserver/p11helper.py
usr/lib/python*/dist-packages/ipaserver/plugins/*
usr/lib/python*/dist-packages/ipaserver/rpcserver*


@@ -0,0 +1,2 @@
# no need to be executable
python3-ipatests: script-not-executable usr/lib/python*/dist-packages/ipatests/test_integration/scripts/caless-create-pki

debian/rules vendored

@@ -3,7 +3,8 @@
# Uncomment this to turn on verbose mode.
#export DH_VERBOSE=1
DEB_HOST_MULTIARCH ?= $(shell dpkg-architecture -qDEB_HOST_MULTIARCH)
include /usr/share/dpkg/architecture.mk
include /usr/share/dpkg/pkg-info.mk
# build server only where nodejs is available
ifneq (,$(filter $(DEB_HOST_ARCH), amd64 arm64 armhf i386 mips mips64el mipsel ppc64 ppc64el s390x))
@@ -12,12 +13,11 @@ else
ONLY_CLIENT=1
endif
# build client only until dogtag works
ONLY_CLIENT=1
DESTDIR=$(CURDIR)/debian/tmp
export PYTHON=python
export PYTHON=python3
export am_cv_python_pythondir=/usr/lib/python3/dist-packages
export am_cv_python_pyexecdir=/usr/lib/python3/dist-packages
confflags = \
--libexecdir=/usr/lib/ \
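Review bot: the unconditional `ONLY_CLIENT=1` under the comment "build client only until dogtag works" sits directly after the per-architecture ifneq/else block that sets ONLY_CLIENT conditionally; if that line is on the current side of the hunk it overrides the arch filter and no architecture builds the server, which contradicts the changelog's "Build freeipa-client-epn only where nodejs is available". The rendered hunk has lost its +/- markers, so confirm the unconditional assignment is the line being removed.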
@@ -35,12 +35,10 @@ confflags += --enable-server \
endif
# For maintainer use only, generate a tarball:
SOURCE = freeipa
gentarball: UV=$(shell dpkg-parsechangelog|awk '/^Version:/ {print $$2}'|sed 's/-.*$$//')
gentarball:
git archive --format=tar upstream-next --prefix=$(SOURCE)-$(UV)/ | \
xz --best \
> ../$(SOURCE)_$(UV).orig.tar.xz
tar --transform 's,^,$(DEB_SOURCE)-$(DEB_VERSION_UPSTREAM)/,' \
--exclude './debian' --exclude-vcs \
-cJf ../$(DEB_SOURCE)_$(DEB_VERSION_UPSTREAM).orig.tar.xz .
gencontrol:
ifeq ($(ONLY_CLIENT), 1)
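Review bot: the new gentarball target tars `.` from the working tree with `--exclude './debian' --exclude-vcs`, so unlike the `git archive upstream-next` it replaces it picks up untracked files and local build products (po/*.gmo, the generated ipasetup.py, anything `dh_clean` has not yet removed), making the orig tarball depend on the state of the checkout; run it from a clean tree or keep `git archive` and only take the prefix from the pkg-info.mk variables. Using `DEB_SOURCE` and `DEB_VERSION_UPSTREAM` instead of parsing the changelog with awk/sed is a good change in itself.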
@@ -57,7 +55,7 @@ endif
override_dh_clean: gencontrol
dh_clean
rm -f po/*.gmo po/Makefile.hack po/POTFILES.in po/ipa.pot po/stamp-po
rm -f po/*.gmo po/Makefile.hack po/POTFILES.in po/stamp-po
rm -rf contrib/completion/ipa.bash_completion daemons/ipa-version.h \
install/ui/src/libs/loader.js m4
rm -f ipaplatform/override.py ipapython/version.py ipasetup.py
@@ -95,11 +93,10 @@ endif
find $(CURDIR)/debian/tmp -name "*.mo" -type f -exec chmod -x "{}" \;
# remove files which are useful only for make uninstall
find $(CURDIR)/debian/tmp -wholename '*/dist-packages/*/install_files.txt' -exec rm '{}' \;
# we still need to use python2
# fix the interpreter
find debian/tmp ! -name '*.pyc' -a ! -name '*.pyo' -a \
-type f -exec grep -qsm1 '^#!.*\bpython' {} \; \
-exec sed -i -e '1 s|^#!.*\bpython[^ ]*|#!/usr/bin/python|' {} \;
-exec sed -i -e '1 s|^#!.*\bpython[^ ]*|#!/usr/bin/python3|' {} \;
override_dh_missing:
dh_missing --fail-missing
@@ -122,5 +119,5 @@ override_dh_fixperms:
fi
%:
dh $@ --with python2
dh $@ --with python3
# --builddirectory=build


@@ -2,10 +2,10 @@
freeipa source: source-is-missing debian/missing-sources/qrcode.js line length is 602 characters (>512)
# missing-sources/dojo/*, see install/ui/src/dojo.profile.js
freeipa source: source-is-missing install/ui/build/dojo/dojo.js line length is 31968 characters (>512)
freeipa source: source-is-missing install/ui/build/dojo/dojo.js line length is 31980 characters (>512)
# missing-sources/jquery-*.js
freeipa source: source-is-missing install/ui/src/libs/jquery.js line length is 32023 characters (>512)
freeipa source: source-is-missing install/ui/src/libs/jquery.js line length is 32584 characters (>512)
# missing-sources/build/*, see install/ui/src/build.profile.js
freeipa source: source-is-missing install/ui/util/build/build.js line length is 31954 characters (>512)

debian/tests/control vendored

@@ -1,7 +1,8 @@
#Tests: server-install
#Depends:
# freeipa-server, freeipa-client, freeipa-server-dns, freeipa-admintools,
#Restrictions:
# allow-stderr,
# isolation-container,
# needs-root,
Tests: server-install
Depends:
freeipa-server, freeipa-client, freeipa-server-dns,
sudo,
Restrictions:
allow-stderr,
isolation-container,
needs-root,


@@ -40,6 +40,8 @@ ipa-server-install \
if [ $? != 0 ]; then
echo ">>>>> IPASERVER log >>>>>>>"
cat /var/log/ipaserver-install.log
exit 0
tail -n 2000 /var/log/ipaserver-install.log
echo ">>>>> IPACLIENT log >>>>>>>"
tail -n 2000 /var/log/ipaclient-install.log
exit 1
fi
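Review bot: `exit 0` on a failed ipa-server-install turned every failure into a passing autopkgtest; `exit 1` fixes that. `tail -n 2000 /var/log/ipaclient-install.log` will itself error if the server install died before the client step created that log, which does not change the verdict but clutters the failure output, so guard it with a `[ -f ... ] &&` test.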