path: root/freeipa.spec.in

Each entry lists the commit message, author, date, number of files changed and lines removed/added.
* Port from python-kerberos to python-gssapi
  Michael Simacek, 2015-08-05, 1 file, -2/+2

  kerberos library doesn't support Python 3 and probably never will.
  python-gssapi library is Python 3 compatible.

  https://fedorahosted.org/freeipa/ticket/5147

  Reviewed-By: Christian Heimes <cheimes@redhat.com>
  Reviewed-By: Jan Cholasta <jcholast@redhat.com>
  Reviewed-By: Robbie Harwood <rharwood@redhat.com>
  Reviewed-By: Simo Sorce <ssorce@redhat.com>
* Replace M2Crypto RC4 with python-cryptography ARC4
  Christian Heimes, 2015-07-31, 1 file, -2/+0

  This patch removes the dependency on M2Crypto in favor of cryptography.
  Cryptography is more strict about the key size and doesn't support
  non-standard key sizes:

      >>> from M2Crypto import RC4
      >>> from ipaserver.dcerpc import arcfour_encrypt
      >>> RC4.RC4(b'key').update(b'data')
      'o\r@\x8c'
      >>> arcfour_encrypt(b'key', b'data')
      Traceback (most recent call last):
      ...
      ValueError: Invalid key size (24) for RC4.

  Standard key sizes 40, 56, 64, 80, 128, 192 and 256 are supported:

      >>> arcfour_encrypt(b'key12', b'data')
      '\xcd\xf80d'
      >>> RC4.RC4(b'key12').update(b'data')
      '\xcd\xf80d'

  http://cryptography.readthedocs.org/en/latest/hazmat/primitives/symmetric-encryption/#cryptography.hazmat.primitives.ciphers.algorithms.ARC4
  https://fedorahosted.org/freeipa/ticket/5148

  Reviewed-By: Alexander Bokovoy <abokovoy@redhat.com>
  Reviewed-By: Jan Cholasta <jcholast@redhat.com>
* Require Dogtag PKI >= 10.2.6
  Christian Heimes, 2015-07-29, 1 file, -3/+3

  Dogtag 10.2.6 comes with two fixes for cloning from 9.x to 10.x instances:

  https://fedorahosted.org/pki/ticket/1495
  https://fedorahosted.org/pki/ticket/1488

  https://fedorahosted.org/freeipa/ticket/5140
  https://fedorahosted.org/freeipa/ticket/5129

  Reviewed-By: Martin Basti <mbasti@redhat.com>
* Use 'mv -Z' in specfile to restore SELinux context
  Martin Basti, 2015-07-29, 1 file, -6/+3

  There might be AVC denial between moving file and restoring context.
  Using 'mv -Z' will solve this issue.

  https://fedorahosted.org/freeipa/ticket/4923

  Reviewed-By: David Kupka <dkupka@redhat.com>
* otptoken: use ipapython.nsslib instead of Python's ssl module
  Christian Heimes, 2015-07-27, 1 file, -2/+0

  The otptoken plugin is the only module in FreeIPA that uses Python's ssl
  module instead of NSS. The patch replaces ssl with NSSConnection. It uses
  the default NSS database to look up trust anchors.

  NSSConnection uses NSS for hostname matching. The package
  python-backports-ssl_match_hostname is no longer required.

  https://fedorahosted.org/freeipa/ticket/5068

  Reviewed-By: Martin Basti <mbasti@redhat.com>
* ipaplatform: Add constants submodule
  Tomas Babej, 2015-07-21, 1 file, -0/+2

  Introduce an ipaplatform/constants.py file to store platform related
  constants, which are not paths.

  Reviewed-By: Martin Basti <mbasti@redhat.com>
  Reviewed-By: Petr Spacek <pspacek@redhat.com>
* Create server-dns sub-package.
  Petr Spacek, 2015-07-17, 1 file, -15/+35

  This allows us to automatically pull in package bind-pkcs11 and thus
  create an upgrade path on CentOS 7.1 -> 7.2.

  IPA previously had no requires on BIND packages and these had to be
  installed manually before first ipa-dns-install run.

  We need to pull additional bind-pkcs11 package during RPM upgrade so
  ipa-dns-install cannot help with this.

  https://fedorahosted.org/freeipa/ticket/4058

  Reviewed-By: Jan Cholasta <jcholast@redhat.com>
  Reviewed-By: Alexander Bokovoy <abokovoy@redhat.com>
* Fix selinux denial during kdcproxy user creation
  Christian Heimes, 2015-07-16, 1 file, -1/+3

  The home directory of the kdcproxy user is now properly owned by the
  package and no longer created by useradd.

  https://fedorahosted.org/freeipa/ticket/5135

  Reviewed-By: Tomas Babej <tbabej@redhat.com>
* selinux: enable httpd_run_ipa to allow communicating with oddjobd services
  Alexander Bokovoy, 2015-07-16, 1 file, -1/+1

  A new SELinux policy allows communication between IPA framework running
  under Apache with oddjobd-based services via DBus. This communication is
  crucial for one-way trust support and also is required for any out of
  band tools which may be executed by IPA framework.

  Details of out of band communication and SELinux policy can be found in
  a bug https://bugzilla.redhat.com/show_bug.cgi?id=1238165

  Reviewed-By: Tomas Babej <tbabej@redhat.com>
* spec file: Update minimum required version of krb5
  Jan Cholasta, 2015-07-15, 1 file, -2/+4

  Automatically require the krb5 version used at build time.

  https://fedorahosted.org/freeipa/ticket/5132

  Reviewed-By: Alexander Bokovoy <abokovoy@redhat.com>
* spec file: Move /etc/ipa/kdcproxy to the server subpackage
  Jan Cholasta, 2015-07-15, 1 file, -1/+1

  The directory was in the python subpackage, but that broke client-only
  build. We don't want the directory to be installed on clients anyway,
  since it is part of a server-side feature.

  Reviewed-By: Christian Heimes <cheimes@redhat.com>
* spec file: update the python package names for libipa_hbac and libsss_nss_idmap
  Milan Kubík, 2015-07-14, 1 file, -3/+3

  Reviewed-By: Jan Cholasta <jcholast@redhat.com>
* spec file: Update minimal versions of required packages
  Jan Cholasta, 2015-07-08, 1 file, -8/+4

  https://fedorahosted.org/freeipa/ticket/5103

  Reviewed-By: Alexander Bokovoy <abokovoy@redhat.com>
* Upgrade: Do not show upgrade failed message when IPA is not installed
  Martin Basti, 2015-07-08, 1 file, -1/+1

  Reviewed-By: Jan Cholasta <jcholast@redhat.com>
* trusts: add support for one-way trust and switch to it by default
  Alexander Bokovoy, 2015-07-08, 1 file, -3/+11

  One-way trust is the default now, use 'trust add --two-way ' to force
  bidirectional trust

  https://fedorahosted.org/freeipa/ticket/4959

  In case of one-way trust we cannot authenticate using cross-realm TGT
  against an AD DC. We have to use trusted domain object from within AD
  domain and access to this object is limited to avoid compromising the
  whole trust configuration.

  Instead, IPA framework can call out to oddjob daemon and ask it to run
  the script which can have access to the TDO object. This script
  (com.redhat.idm.trust-fetch-domains) is using cifs/ipa.master principal
  to retrieve TDO object credentials from IPA LDAP if needed and then
  authenticate against AD DCs using the TDO object credentials. The script
  pulls the trust topology out of AD DCs and updates IPA LDAP store. Then
  IPA framework can pick the updated data from the IPA LDAP under normal
  access conditions.

  Part of https://fedorahosted.org/freeipa/ticket/4546

  Reviewed-By: Tomas Babej <tbabej@redhat.com>
* Added symmetric and asymmetric vaults.
  Endi S. Dewata, 2015-07-07, 1 file, -0/+2

  The vault plugin has been modified to support symmetric and asymmetric
  vaults to provide additional security over the standard vault by
  encrypting the data before it's sent to the server. The encryption
  functionality is implemented using the python-cryptography library.

  https://fedorahosted.org/freeipa/ticket/3872

  Reviewed-By: Jan Cholasta <jcholast@redhat.com>
* man: Add manpage for ipa-winsync-migrate
  Tomas Babej, 2015-07-02, 1 file, -0/+1

  https://fedorahosted.org/freeipa/ticket/4524

  Reviewed-By: Martin Babinsky <mbabinsk@redhat.com>
* winsync-migrate: Include the tool parts in Makefile and friends
  Tomas Babej, 2015-07-02, 1 file, -0/+1

  https://fedorahosted.org/freeipa/ticket/4524

  Reviewed-By: Martin Babinsky <mbabinsk@redhat.com>
* Upgrade CA schema during upgrade
  Fraser Tweedale, 2015-07-01, 1 file, -3/+3

  New schema (for LDAP-based profiles) was introduced in Dogtag, but
  Dogtag does not yet have a reliable method for upgrading its schema.
  Use FreeIPA's schema update machinery to add the new attributeTypes and
  objectClasses defined by Dogtag.

  Also update the pki dependencies to 10.2.5, which provides the schema
  update file.

  Reviewed-By: Martin Basti <mbasti@redhat.com>
* add python-setuptools to requires
  Petr Vobornik, 2015-06-29, 1 file, -0/+1

  Commit 9f049ca14403f3696d54d186e6b1b15181f055df introduced dependency on
  python-setuptools on line:

      from pkg_resources import parse_version

  This dependency is missing on minimal installation and then
  ipa-server-upgrade fails on rpm install/upgrade.

  Reviewed-By: Martin Basti <mbasti@redhat.com>
* Add hint how to re-run IPA upgrade.
  Petr Spacek, 2015-06-29, 1 file, -1/+1

  Reviewed-By: Petr Vobornik <pvoborni@redhat.com>
* Add ACI to allow hosts to add their own services
  Rob Crittenden, 2015-06-29, 1 file, -3/+3

  Use wildcards and DN matching in an ACI to allow a host that binds using
  GSSAPI to add a service for itself.

  Set required version of 389-ds-base to 1.3.4.0 GA.

  https://fedorahosted.org/freeipa/ticket/4567

  Reviewed-By: Martin Basti <mbasti@redhat.com>
* Bump minimal BIND version for CentOS.
  Petr Spacek, 2015-06-29, 1 file, -2/+2

  DNSSEC support added dependency on bind-pkcs11 sub-package.

  https://fedorahosted.org/freeipa/ticket/4657

  Reviewed-By: Martin Basti <mbasti@redhat.com>
* Provide Kerberos over HTTP (MS-KKDCP)
  Christian Heimes, 2015-06-24, 1 file, -0/+25

  Add integration of python-kdcproxy into FreeIPA to support the MS
  Kerberos KDC proxy protocol (MS-KKDCP), to allow KDC and KPASSWD client
  requests over HTTP and HTTPS.

  - freeipa-server now depends on python-kdcproxy >= 0.3. All kdcproxy
    dependencies are already satisfied.
  - The service's state is configured in
    cn=KDC,cn=$FQDN,cn=masters,cn=ipa,cn=etc,$SUFFIX. It's enabled, when
    ipaConfigString=kdcProxyEnabled is present.
  - The installers and update create a new Apache config file
    /etc/ipa/kdcproxy/ipa-kdc-proxy.conf that mounts a WSGI app on
    /KdcProxy. The app is run inside its own WSGI daemon group with a
    different uid and gid than the webui.
  - An ExecStartPre script in httpd.service symlinks the config file to
    /etc/httpd/conf.d/ iff ipaConfigString=kdcProxyEnabled is present.
  - The httpd.service also sets KDCPROXY_CONFIG=/etc/ipa/kdcproxy.conf, so
    that an existing config is not used. SetEnv from Apache config does
    not work here, because it doesn't set an OS env var.
  - python-kdcproxy is configured to *not* use DNS SRV lookups. The
    location of KDC and KPASSWD servers is read from /etc/krb5.conf.
  - The state of the service can be modified with two ldif files for
    ipa-ldap-updater. No CLI script is offered yet.

  https://www.freeipa.org/page/V4/KDC_Proxy
  https://fedorahosted.org/freeipa/ticket/4801

  Reviewed-By: Nathaniel McCallum <npmccallum@redhat.com>
  Reviewed-By: Simo Sorce <ssorce@redhat.com>
* Bump run-time requires to SoftHSM 2.0.0rc1.
  Petr Spacek, 2015-06-18, 1 file, -1/+1

  Reviewed-By: Petr Vobornik <pvoborni@redhat.com>
* Revert 389-DS BuildRequires version to 1.3.3.9
  Martin Basti, 2015-06-11, 1 file, -1/+1

  Reviewed-By: Lukas Slebodnik <lslebodn@redhat.com>
* Update PKCS#11 mechanism constants for AES key wrapping to PKCS#11 v2.40.
  Petr Spacek, 2015-06-11, 1 file, -1/+1

  SoftHSM 2.0.0rc1 was updated to these new constants to avoid collision
  with Blowfish mechanisms.

  Reviewed-By: Martin Basti <mbasti@redhat.com>
* vault: Move vaults to cn=vaults,cn=kra
  Jan Cholasta, 2015-06-10, 1 file, -0/+1

  https://fedorahosted.org/freeipa/ticket/3872

  Reviewed-By: David Kupka <dkupka@redhat.com>
* install: Introduce installer framework ipapython.install
  Jan Cholasta, 2015-06-08, 1 file, -0/+2

  https://fedorahosted.org/freeipa/ticket/4468

  Reviewed-By: Martin Basti <mbasti@redhat.com>
* Import included profiles during install or upgrade
  Fraser Tweedale, 2015-06-04, 1 file, -0/+2

  Add a default service profile template as part of FreeIPA and format
  and import it as part of installation or upgrade process.

  Also remove the code that modifies the old (file-based)
  `caIPAserviceCert' profile.

  Fixes https://fedorahosted.org/freeipa/ticket/4002

  Reviewed-By: Martin Basti <mbasti@redhat.com>
* Install CA with LDAP profiles backend
  Fraser Tweedale, 2015-06-04, 1 file, -3/+3

  Install the Dogtag CA to use the LDAPProfileSubsystem instead of the
  default (file-based) ProfileSubsystem.

  Part of: https://fedorahosted.org/freeipa/ticket/4560

  Reviewed-By: Martin Basti <mbasti@redhat.com>
* install: Make a package out of ipaserver.install.server
  Jan Cholasta, 2015-05-29, 1 file, -0/+1

  Until ipa-server-install, ipa-replica-install and ipa-server-upgrade
  are merged into a single code base, keep their respective bits in
  separate modules in the package.

  https://fedorahosted.org/freeipa/ticket/4468

  Reviewed-By: Martin Basti <mbasti@redhat.com>
* ds plugin - manage replication topology in the shared tree
  Ludwig Krispenz, 2015-05-26, 1 file, -0/+2

  Implementation of ticket: https://fedorahosted.org/freeipa/ticket/4302
  Design page: http://www.freeipa.org/page/V4/Manage_replication_topology

  Reviewed-By: Thierry Bordaz <tbordaz@redhat.com>
* move IPA-related http runtime directories to common subdirectory
  Martin Babinsky, 2015-05-19, 1 file, -2/+6

  When both 'mod_auth_kerb' and 'mod_auth_gssapi' are installed at the
  same time, they use a common directory for storing Apache ccache file.
  Uninstallation of 'mod_auth_kerb' removes this directory leading to
  invalid CCache path for httpd and authentication failure.

  Using an IPA-specific directory for credential storage during apache
  runtime avoids this issue.

  https://fedorahosted.org/freeipa/ticket/4973

  Reviewed-By: David Kupka <dkupka@redhat.com>
* Server Upgrade: Fix uniqueness plugins
  Martin Basti, 2015-05-19, 1 file, -3/+3

  Due to previous changes (in master branch only) the uniqueness plugins
  became misconfigured.

  After this patch:
  * whole $SUFFIX will be checked by unique plugins
  * just staged users are excluded from check

  This reverts some changes in commit
  52b7101c1148618d5c8e2ec25576cc7ad3e9b7bb

  Since 389-ds-base 1.3.4.a1 new attribute 'uniqueness-exclude-subtrees'
  can be used.

  https://fedorahosted.org/freeipa/ticket/4921

  Reviewed-By: Martin Babinsky <mbabinsk@redhat.com>
* provide dedicated ccache file for httpd
  Martin Babinsky, 2015-05-12, 1 file, -0/+5

  httpd service stores Kerberos credentials in kernel keyring which gets
  destroyed and recreated during service install/upgrade, causing problems
  when the process is run under SELinux context other than 'unconfined_t'.

  This patch enables HTTPInstance to set up a dedicated CCache file for
  Apache to store credentials.

  https://fedorahosted.org/freeipa/ticket/4973

  Reviewed-By: Jan Cholasta <jcholast@redhat.com>
  Reviewed-By: Alexander Bokovoy <abokovoy@redhat.com>
* Server Upgrade: enable DS global lock during upgrade
  Martin Basti, 2015-05-05, 1 file, -3/+3

  https://fedorahosted.org/freeipa/ticket/4925

  Reviewed-By: Martin Babinsky <mbabinsk@redhat.com>
* Server Upgrade: use ipa-server-upgrade in RPM upgrade
  Martin Basti, 2015-05-04, 1 file, -2/+1

  https://fedorahosted.org/freeipa/ticket/4904

  Reviewed-By: Jan Cholasta <jcholast@redhat.com>
  Reviewed-By: David Kupka <dkupka@redhat.com>
* Server Upgrade: ipa-server-upgrade command
  Martin Basti, 2015-05-04, 1 file, -0/+2

  https://fedorahosted.org/freeipa/ticket/4904

  Reviewed-By: Jan Cholasta <jcholast@redhat.com>
  Reviewed-By: David Kupka <dkupka@redhat.com>
* Update python-yubico dependency version
  Nathaniel McCallum, 2015-04-24, 1 file, -2/+2

  This change enables support for all current YubiKey hardware.

  https://fedorahosted.org/freeipa/ticket/4954

  Reviewed-By: Gabe Alford <redhatrises@gmail.com>
* Use mod_auth_gssapi instead of mod_auth_kerb.
  David Kupka, 2015-03-30, 1 file, -1/+3

  https://fedorahosted.org/freeipa/ticket/4190

  Reviewed-By: Jan Cholasta <jcholast@redhat.com>
  Reviewed-By: Petr Vobornik <pvoborni@redhat.com>
  Reviewed-By: Rob Crittenden <rcritten@redhat.com>
  Reviewed-By: Simo Sorce <ssorce@redhat.com>
* slapi-nis: require 0.54.2 for CVE-2015-0283 fixes
  Alexander Bokovoy, 2015-03-26, 1 file, -1/+1

  Reviewed-By: Petr Vobornik <pvoborni@redhat.com>
* SPEC: Require python2 version of sssd bindings
  Lukas Slebodnik, 2015-03-18, 1 file, -0/+6

  Python modules pysss and pysss_murmur were part of package sssd-common.
  Fedora 22 tries to get rid of python2 and therefore these modules were
  extracted from package sssd-common to separate packages python-sss and
  python-sss-murmur and python3 version of packages python3-sss
  python3-sss-murmur

      git grep "pysss" | grep import
      ipalib/plugins/trust.py:        import pysss_murmur #pylint: disable=F0401
      ipaserver/dcerpc.py:import pysss

  ipaserver/dcerpc.py is packaged in freeipa-server-trust-ad
  ipalib/plugins/trust.py is packaged in freeipa-python

  Resolves:
  https://fedorahosted.org/freeipa/ticket/4929

  Reviewed-By: Petr Vobornik <pvoborni@redhat.com>
* SPEC: Explicitly requires python-sssdconfig
  Lukas Slebodnik, 2015-03-18, 1 file, -0/+2

  Resolves:
  https://fedorahosted.org/freeipa/ticket/4929

  Reviewed-By: Petr Vobornik <pvoborni@redhat.com>
* Bump 389-ds-base and pki-ca dependencies for POODLE fixes
  Jan Cholasta, 2015-02-10, 1 file, -4/+4

  https://fedorahosted.org/freeipa/ticket/4653

  Reviewed-By: Jan Cholasta <jcholast@redhat.com>
* Moved dbus-python dependence to freeipa-python package
  Martin Babinsky, 2015-01-28, 1 file, -0/+1

  Added dbus-python dependency to freeipa-python. This should fix
  https://fedorahosted.org/freeipa/ticket/4863 and also cover dbus-python
  dependencies in other freeipa-* packages.

  Reviewed-By: Martin Kosek <mkosek@redhat.com>
* spec: Add BuildRequires for python-pytest plugins
  Tomas Babej, 2015-01-14, 1 file, -1/+3

  Reviewed-By: Tomas Babej <tbabej@redhat.com>
* Run pylint on tests
  Petr Viktorin, 2015-01-14, 1 file, -1/+1

  Drop support for pylint < 1.0

  Enable ignoring unknown attributes on modules (both nose and pytest use
  advanced techniques, support for which only made it to pylint recently)

  Fix some bugs revealed by pylint

  Do minor refactoring or add pylint:disable directives where the linter
  complains.

  Reviewed-By: Tomas Babej <tbabej@redhat.com>
* Make certificate renewal process synchronized
  Jan Cholasta, 2015-01-13, 1 file, -0/+1

  Synchronization is achieved using a global renewal lock.

  https://fedorahosted.org/freeipa/ticket/4803

  Reviewed-By: David Kupka <dkupka@redhat.com>
* Bump SSSD Requires to 1.12.3
  Martin Kosek, 2015-01-12, 1 file, -1/+1

  The new SSSD Requires contains support for following features:
  - FreeIPA user ID View overrides (not just AD users)
  - User SSH public keys in ID Views
  - krb5.conf localauth plugin

  https://fedorahosted.org/freeipa/ticket/4685
  https://fedorahosted.org/freeipa/ticket/4509
  https://fedorahosted.org/freeipa/ticket/4514

  Reviewed-By: Alexander Bokovoy <abokovoy@redhat.com>