summaryrefslogtreecommitdiffstats
path: root/freeipa.spec.in
Commit message (Collapse)AuthorAgeFilesLines
* Use libunistring ulc_casecmp() on unicode stringsNathaniel McCallum2013-07-181-0/+1
| | | | https://fedorahosted.org/freeipa/ticket/3772
* Bump version of sssd in spec fileAna Krivokapic2013-07-181-1/+4
| | | | https://fedorahosted.org/freeipa/ticket/3652
* Require new selinux-policy replacing old server-selinux subpackageMartin Kosek2013-07-171-1/+5
| | | | | | | | | | Features of the new policy: - labels /var/lib/ipa/pki-ca/publish as pki_tomcat_cert_t which is writeable by PKI and readable by HTTPD - contains Conflicts with old freeipa-server-selinux package to avoid SELinux upgrade issues https://fedorahosted.org/freeipa/ticket/3788
* Provide ipa-advise toolTomas Babej2013-07-171-0/+4
| | | | | | | | | | | | | | Provides a pluggable framework for generating configuration scriptlets and instructions for various machine setups and use cases. Creates a new ipa-advise command, available to root user on the IPA server. Also provides an example configuration plugin, config-fedora-authconfig. https://fedorahosted.org/freeipa/ticket/3670
* Upstream Web UI testsPetr Vobornik2013-07-161-0/+1
| | | | | | Documentation: http://www.freeipa.org/page/Web_UI_Integration_Tests https://fedorahosted.org/freeipa/ticket/3744
* Change group ownership of CRL publish directoryTomas Babej2013-07-161-2/+4
| | | | | | | | | | | Spec file modified so that /var/lib/ipa/pki-ca/publish/ is no longer owned by created with package installation. The directory is rather created/removed with the CA instance itself. This ensures proper creation/removeal, group ownership and SELinux context. https://fedorahosted.org/freeipa/ticket/3727
* Add a framework for integration testingPetr Viktorin2013-07-151-0/+1
| | | | | | | | | | | | Add methods to run commands and copy files to Host objects. Adds a base class for integration tests which can currently install and uninstall IPA in a "star" topology with per-test specified number of hosts. A simple test for user replication between two masters is provided. Log files from the remote hosts can be marked for collection, but the actual collection is left to a Nose plugin. Part of the work for: https://fedorahosted.org/freeipa/ticket/3621
* Add a framework for integration test configurationPetr Viktorin2013-07-151-0/+1
| | | | | | | | | | | Integration tests are configured via environment variables. Add a framework for parsing these variables and storing them in easy-to-use objects. Add an `ipa-test-config` executable that loads the configuration and prints out variables needed in shell scripts. Part of the work for https://fedorahosted.org/freeipa/ticket/3621
* Run server upgrade and restart in posttransMartin Kosek2013-07-111-9/+16
| | | | | | | Running server upgrade or restart in %post or %postun may cause issues when there are still parts of old FreeIPA software (like entitlements plugin). https://fedorahosted.org/freeipa/ticket/3739
* Add libsss_nss_idmap-devel to BuildRequiresTomas Babej2013-07-111-0/+1
|
* Make sure replication works after DM password is changedAna Krivokapic2013-07-111-3/+6
| | | | | | | | | | | | | | | | Replica information file contains the file `cacert.p12` which is protected by the Directory Manager password of the initial IPA server installation. The DM password of the initial installation is also used for the PKI admin user password. If the DM password is changed after the IPA server installation, the replication fails. To prevent this failure, add the following steps to ipa-replica-prepare: 1. Regenerate the `cacert.p12` file and protect it with the current DM password 2. Update the password of the PKI admin user with the current DM password https://fedorahosted.org/freeipa/ticket/3594
* Enable SASL mapping fallback.Jan Cholasta2013-06-271-2/+6
| | | | | | Assign a default priority of 10 to our SASL mappings. https://fedorahosted.org/freeipa/ticket/3330
* Remove entitlement supportMartin Kosek2013-06-261-4/+0
| | | | | | | Entitlements code was not tested nor supported upstream since version 3.0. Remove the associated code. https://fedorahosted.org/freeipa/ticket/3739
* Add ipa-run-tests commandPetr Viktorin2013-06-171-0/+1
| | | | Part of the work for: https://fedorahosted.org/freeipa/ticket/3654
* Make an ipa-tests packagePetr Viktorin2013-06-171-0/+43
| | | | | | | Rename the 'tests' directory to 'ipa-tests', and create an ipa-tests RPM containing the test suite Part of the work for: https://fedorahosted.org/freeipa/ticket/3654
* Drop redundant directory /var/cache/ipa/sessionsMartin Kosek2013-06-171-2/+1
| | | | This directory is no longer used as session storage.
* Drop SELinux subpackageMartin Kosek2013-06-171-72/+7
| | | | | | | | | All SELinux policy needed by FreeIPA server is now part of the global system SELinux policy which makes the subpackage redundant and slowing down the installation. This patch drops it. https://fedorahosted.org/freeipa/ticket/3683 https://fedorahosted.org/freeipa/ticket/3684
* Add the krb5/FreeIPA RADIUS companion daemonNathaniel McCallum2013-05-171-4/+5
| | | | | | | | | | | This daemon listens for RADIUS packets on a well known UNIX domain socket. When a packet is received, it queries LDAP to see if the user is configured for RADIUS authentication. If so, then the packet is forwarded to the 3rd party RADIUS server. Otherwise, a bind is attempted against the LDAP server. https://fedorahosted.org/freeipa/ticket/3366 http://freeipa.org/page/V3/OTP
* Fix SASL_NOCANON behavior for LDAPIMartin Kosek2013-05-101-1/+5
| | | | | Add requires for openldap-2.4.35-4 to pickup fixed SASL_NOCANON behavior for socket based connections (#960222).
* Only require libsss_nss_idmap-python in Fedora 19+Petr Viktorin2013-05-071-0/+5
| | | | | The package is only available in Fedora 19. This means SID resolution in the UI won't work in Fedora 18.
* Resolve SIDs in Web UIAlexander Bokovoy2013-05-061-0/+1
| | | | | | | | | | | | | | | | | Introduce new command, 'trust-resolve', to aid resolving SIDs to names in the Web UI. The command uses new SSSD interface, nss_idmap, to resolve actual SIDs. SSSD caches resolved data so that future requests to resolve same SIDs are returned from a memory cache. Web UI code is using Dojo/Deferred to deliver result of SID resolution out of band. Once resolved names are available, they replace SID values. Since Web UI only shows ~20 records per page, up to 20 SIDs are resolved at the same time. They all sent within the single request to the server. https://fedorahosted.org/freeipa/ticket/3302
* Generate plugin index dynamicallyPetr Vobornik2013-05-061-2/+6
| | | | https://fedorahosted.org/freeipa/ticket/3235
* Web UI plugin loaderPetr Vobornik2013-05-061-2/+6
| | | | https://fedorahosted.org/freeipa/ticket/3235
* Handle a 501 in cert-find from dogtag as a "not supported"Rob Crittenden2013-05-031-1/+4
| | | | | | | | | | | Upgrading from d9 -> d10 does not set up the RESTful interface in dogtag, they just never coded it. Rather than trying to backport things they have decided to not support upgrades. We need to catch this and report a more reasonable error. They are returning a 501 (HTTP method unimplemented) in this case. https://fedorahosted.org/freeipa/ticket/3549
* Drop uniqueMember mapping with nss-pam-ldapd.Rob Crittenden2013-05-021-0/+9
| | | | | | | | | | nss-pam-ldapd in 0.8.4 changed the default to map uniqueMember to member so it is no longer needed in the config file, and in fact causes an error to be raised. Add a Conflicts on older versions. https://fedorahosted.org/freeipa/ticket/3589
* Add support for OpenSSH 6.2.Jan Cholasta2013-04-301-0/+39
| | | | | | | Run sss_ssh_authorizedkeyscommand as nobody. Automatically update sshd_config on openssh-server update. https://fedorahosted.org/freeipa/ticket/3571
* Require version of NSS that properly parses base64-encoded certsRob Crittenden2013-04-291-2/+10
| | | | | | | | There were cases where a base64-encoded cert with no header/footer would not be handled properly and rejected. This was causing the CA install to fail. https://fedorahosted.org/freeipa/ticket/3586
* Fix the spec fileAna Krivokapic2013-04-221-1/+1
| | | | | | Correct ownership for /etc/ipa and remove unnecessary %config directive. https://fedorahosted.org/freeipa/ticket/3551
* Handle missing /etc/ipa in ipa-client-installAna Krivokapic2013-04-191-1/+1
| | | | | | | | Make sure /etc/ipa is created and owned by freeipa-python package. Report correct error to user if /etc/ipa is missing during client installation. https://fedorahosted.org/freeipa/ticket/3551
* Require new samba and krb5Martin Kosek2013-04-161-4/+9
| | | | | | | | | | Require samba 4.0.5 (passdb API changed). Make sure that we use the right epoch number with samba so that the Requires is correctly enforced. Require krb5 1.11.2-1 to fix missing PAC issue. Also fix backup dir permissions.
* Full system backup and restoreRob Crittenden2013-04-121-5/+15
| | | | | | | | | This will allow one to backup and restore the IPA files and data. This does not cover individual entry restoration. http://freeipa.org/page/V3/Backup_and_Restore https://fedorahosted.org/freeipa/ticket/3128
* spec: detect Kerberos DAL driver ABI change from installed krb5-develAlexander Bokovoy2013-04-041-2/+10
| | | | | | | Find out Kerberos middle version to infer ABI changes in DAL driver. We cannot load DAL driver into KDC with wrong ABI. This is also needed to support ipa-devel repository where krb5 1.11 is available for Fedora 18.
* Require 389-base-base 1.3.0.5Martin Kosek2013-04-021-1/+8
| | | | | | | | | Pulls the following fixes: - upgrade deadlock caused by DNA plugin reconfiguration - CVE-2013-1897: unintended information exposure when rootdse is enabled https://fedorahosted.org/freeipa/ticket/3540
* Remove syslog.target from ipa.serverMartin Kosek2013-03-291-1/+3
| | | | | | | | This required target is no longer needed as systemd from version 38 has its own journal which is also in the basic set of service unit requirementes. https://fedorahosted.org/freeipa/ticket/3511
* Remove build warningsMartin Kosek2013-03-291-16/+16
| | | | | | Fix rpm build warnings report in Fedora 19 build. https://fedorahosted.org/freeipa/ticket/3500
* Clean spec file for Fedora 19Martin Kosek2013-03-291-5/+21
| | | | | | | | | | | This patch includes several cleanups needed for Fedora 19 build: * ipa-kdb is compatible with both krb5 1.10 and 1.11 which contains an updated DAL interface. Remove the conflict from spec file. * Fix ipa-ldap-updater call to produce errors only to avoid cluttering rpm update output * Remove httpd_conf constant which was not used https://fedorahosted.org/freeipa/ticket/3502
* Bump selinux-policy requiresMartin Kosek2013-03-261-1/+4
| | | | | | The higher version is reported to fix a Fedora 17 to 18 upgrade issue. https://fedorahosted.org/freeipa/ticket/3399
* Add 389 DS plugin for special idnsSOASerial attribute handlingPetr Spacek2013-03-221-0/+2
| | | | | | | | | Default value "1" is added to replicated idnsZone objects if idnsSOASerial attribute is missing. https://fedorahosted.org/freeipa/ticket/3347 Signed-off-by: Petr Spacek <pspacek@redhat.com>
* Better logging for AdminTool and ipa-ldap-updaterPetr Viktorin2013-02-011-1/+4
| | | | | | | | | | | | | - Automatically add a "Logging and output options" group with the --quiet, --verbose, --log-file options. - Set up logging based on these options; details are in the setup_logging docstring and in the design document. - Don't bind log methods as individual methods of the class. This means one less linter exception. - Make the help for command line options consistent with optparse's --help and --version options. Design document: http://freeipa.org/page/V3/Logging_and_output
* Use new certmonger locking to prevent NSS database corruption.Rob Crittenden2013-01-291-1/+7
| | | | | | | | | | | | | | | | | | | | | | | | dogtag opens its NSS database in read/write mode so we need to be very careful during renewal that we don't also open it up read/write. We basically need to serialize access to the database. certmonger does the majority of this work via internal locking from the point where it generates a new key/submits a rewewal through the pre_save and releases the lock after the post_save command. This lock is held per NSS database so we're save from certmonger. dogtag needs to be shutdown in the pre_save state so certmonger can safely add the certificate and we can manipulate trust in the post_save command. Fix a number of bugs in renewal. The CA wasn't actually being restarted at all due to a naming change upstream. In python we need to reference services using python-ish names but the service is pki-cad. We need a translation for non-Fedora systems as well. Update the CA ou=People entry when he CA subsystem certificate is renewed. This certificate is used as an identity certificate to bind to the DS instance. https://fedorahosted.org/freeipa/ticket/3292 https://fedorahosted.org/freeipa/ticket/3322
* Make certmonger a (pre) requires on server, restart it before upgradingRob Crittenden2013-01-251-1/+7
| | | | | | | | | | | certmonger may provide new CAs, as in the case from upgrading IPA 2.2 to 3.x. We need these new CAs available during the upgrade process. The certmonger package does its own condrestart as part of %postun which runs after the %post script of freeipa-server, so we need to restart it ourselves before upgrading. https://fedorahosted.org/freeipa/ticket/3378
* Fix BuildRequires: rhino replaced with java-1.7.0-openjdkPetr Vobornik2013-01-221-1/+10
| | | | | | Rhino is needed for Web UI build. Rhino needs java, but from package perspective java-1.7.0-openjdk requires rhino. So the correct BuildRequires is java-1.7.0-openjdk.
* Updated makefiles to build FreeIPA Web UI layerPetr Vobornik2013-01-181-0/+7
| | | | | | | | | Updated makefiles to comply to new directory structure and also to use builder for building Web UI. FreeIPA package spec is modified to use the output of the builder. https://fedorahosted.org/freeipa/ticket/112
* convert the base platform modules into packagesTimo Aaltonen2013-01-141-0/+8
|
* Configuring CA with ConfigParser.Endi Sukma Dewata2012-12-101-1/+4
| | | | | | | | | The configuration code has been modified to use the ConfigParser to set the parameters in the CA section in the deployment configuration. This allows IPA to define additional PKI subsystems in the same configuration file. PKI Ticket #399 (https://fedorahosted.org/pki/ticket/399)
* Bump 389-ds-base minimum in our spec fileMartin Kosek2012-12-071-2/+5
| | | | | Our code needs both Requires and BuildRequires set to 389-ds-base which supports transactions. Also add the requires to configure.ac.
* Set min for selinux-policy to 3.11.1-60Rob Crittenden2012-12-061-1/+5
| | | | | | This fixes errors including sssd domain mapping in krb5.conf (#873429) https://fedorahosted.org/freeipa/ticket/3132
* Add the includedir to krb5.conf on upgradesJakub Hrozek2012-12-061-0/+16
| | | | https://fedorahosted.org/freeipa/ticket/3132
* Specify includedir in krb5.conf on new installsJakub Hrozek2012-12-061-1/+1
| | | | https://fedorahosted.org/freeipa/ticket/3132
* Change network configuration fileMartin Kosek2012-12-051-1/+12
| | | | | | | | | | | Fedora+systemd changed deprecated /etc/sysconfig/network which was used by IPA to store static hostname for the IPA machine. See https://bugzilla.redhat.com/show_bug.cgi?id=881785 for details. Change Fedora platform files to store the hostname to /etc/hostname instead. https://fedorahosted.org/freeipa/ticket/3279