| Commit message (Collapse) | Author | Age | Files | Lines |
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
| |
Directory creating was moved from SPEC file to install-data-hook.
At the same time, it is using systemd-tmpfiles to create the directories
so we do not risk any inconsistency between SPEC file and tmpfilesd
configuration.
systemd-tmpfiles call is non-critical on purpose: The build would fail
when run under unprivileged user because systemd-tmpfiles tries to
change ownership. Luckily it creates all the files and just do not
change ownership so it works even under unprivileged user.
Interestingly, systemd-tmpfiles continues if user does not have
sufficient permissions to change ownership but fails if target username
does not exist at all. For this reason there is BuildRequires on httpd.
https://fedorahosted.org/freeipa/ticket/6418
Reviewed-By: Martin Basti <mbasti@redhat.com>
Reviewed-By: Christian Heimes <cheimes@redhat.com>
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
| |
At the same time, I've renamed tmpfilesd config file to static name
"ipa.conf" instead of using package-specific name. It had no purpose
and just complicated build and packaging.
Variable substitution into configuration has to be done in Makefile
and not in Autoconf as documented in:
Autoconf v2.69 manual chapter 4.8.2 Installation Directory Variables:
... Most of these variables have values that rely on prefix or
exec_prefix. ... Similarly, you should not rely on AC_CONFIG_FILES
to replace bindir and friends in your shell scripts and other files;
instead, let make manage their replacement.
https://fedorahosted.org/freeipa/ticket/6418
Reviewed-By: Martin Basti <mbasti@redhat.com>
Reviewed-By: Christian Heimes <cheimes@redhat.com>
|
|
|
|
|
|
|
|
|
|
| |
FreeIPA has hard dependency on systemd for a long time already.
SystemV directory was just polluting the tarball (while being useless).
https://fedorahosted.org/freeipa/ticket/6418
Reviewed-By: Martin Basti <mbasti@redhat.com>
Reviewed-By: Christian Heimes <cheimes@redhat.com>
|
|
|
|
|
|
|
|
|
|
|
|
|
|
| |
File httpd.service was created by RPM, what causes that httpd service may
fail due IPA specific configuration even if IPA wasn't installed or was
uninstalled (without erasing RPMs).
With this patch httpd service is configured by httpd.d/ipa.conf during
IPA installation and this config is removed by uninstaller, so no
residual http configuration related to IPA should stay there.
https://fedorahosted.org/freeipa/ticket/5681
Reviewed-By: Stanislav Laznicka <slaznick@redhat.com>
|
|
|
|
|
|
|
|
|
|
| |
Add a customized Custodia daemon and enable it after installation.
Generates server keys and loads them in LDAP autonomously on install
or update.
Provides client code classes too.
Signed-off-by: Simo Sorce <simo@redhat.com>
Reviewed-By: Jan Cholasta <jcholast@redhat.com>
|
|
|
|
|
|
|
|
|
| |
This will force recreation of the file-based ccache after IPA restore and
prevent a mismatch between cached and restored Kerberos keys.
https://fedorahosted.org/freeipa/ticket/5296
Reviewed-By: Martin Basti <mbasti@redhat.com>
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
| |
Add integration of python-kdcproxy into FreeIPA to support the MS
Kerberos KDC proxy protocol (MS-KKDCP), to allow KDC and KPASSWD
client requests over HTTP and HTTPS.
- freeipa-server now depends on python-kdcproxy >= 0.3. All kdcproxy
dependencies are already satisfied.
- The service's state is configured in cn=KDC,cn=$FQDN,cn=masters,cn=ipa,
cn=etc,$SUFFIX. It's enabled, when ipaConfigString=kdcProxyEnabled is
present.
- The installers and update create a new Apache config file
/etc/ipa/kdcproxy/ipa-kdc-proxy.conf that mounts a WSGI app on
/KdcProxy. The app is run inside its own WSGI daemon group with
a different uid and gid than the webui.
- A ExecStartPre script in httpd.service symlinks the config file to
/etc/httpd/conf.d/ iff ipaConfigString=kdcProxyEnabled is present.
- The httpd.service also sets KDCPROXY_CONFIG=/etc/ipa/kdcproxy.conf,
so that an existing config is not used. SetEnv from Apache config does
not work here, because it doesn't set an OS env var.
- python-kdcproxy is configured to *not* use DNS SRV lookups. The
location of KDC and KPASSWD servers are read from /etc/krb5.conf.
- The state of the service can be modified with two ldif files for
ipa-ldap-updater. No CLI script is offered yet.
https://www.freeipa.org/page/V4/KDC_Proxy
https://fedorahosted.org/freeipa/ticket/4801
Reviewed-By: Nathaniel McCallum <npmccallum@redhat.com>
Reviewed-By: Simo Sorce <ssorce@redhat.com>
|
|
|
|
|
|
|
|
|
|
|
|
|
|
| |
When both 'mod_auth_kerb' and 'mod_auth_gssapi' are installed at the same
time, they use common directory for storing Apache ccache file. Uninstallation
of 'mod_auth_kerb' removes this directory leading to invalid CCache path for
httpd and authentication failure.
Using an IPA-specific directory for credential storage during apache runtime
avoids this issue.
https://fedorahosted.org/freeipa/ticket/4973
Reviewed-By: David Kupka <dkupka@redhat.com>
|
|
|
|
|
|
|
|
|
|
|
|
|
| |
httpd service stores Kerberos credentials in kernel keyring which gets
destroyed and recreated during service install/upgrade, causing problems when
the process is run under SELinux context other than 'unconfined_t'. This patch
enables HTTPInstance to set up a dedicated CCache file for Apache to store
credentials.
https://fedorahosted.org/freeipa/ticket/4973
Reviewed-By: Jan Cholasta <jcholast@redhat.com>
Reviewed-By: Alexander Bokovoy <abokovoy@redhat.com>
|
|
|
|
|
|
|
|
|
| |
https://fedorahosted.org/freeipa/ticket/4190
Reviewed-By: Jan Cholasta <jcholast@redhat.com>
Reviewed-By: Petr Vobornik <pvoborni@redhat.com>
Reviewed-By: Rob Crittenden <rcritten@redhat.com>
Reviewed-By: Simo Sorce <ssorce@redhat.com>
|
|
|
|
|
|
|
|
|
|
|
|
| |
Tickets:
https://fedorahosted.org/freeipa/ticket/3801
https://fedorahosted.org/freeipa/ticket/4417
Design:
https://fedorahosted.org/bind-dyndb-ldap/wiki/BIND9/Design/DNSSEC
Reviewed-By: Jan Cholasta <jcholast@redhat.com>
Reviewed-By: David Kupka <dkupka@redhat.com>
|
| |
|
|
|
|
|
| |
The variable is already defined, exporting in dirsrv systemd
environment is not needed and produces a (benign) error.
|
|
|
|
|
|
|
|
| |
This required target is no longer needed as systemd from version 38
has its own journal which is also in the basic set of service unit
requirementes.
https://fedorahosted.org/freeipa/ticket/3511
|
|
|
|
|
|
|
|
|
|
| |
We check (possibly different) data from LDAP only at (re)start.
This way we always shutdown exactly the services we started even if the list
changed in the meanwhile (we avoid leaving a service running even if it was
removed from LDAP as the admin decided it should not be started in future).
This should also fix a problematic deadlock with systemd when we try to read
the list of service from LDAP at shutdown.
|
| |
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
| |
* Adds ipa_memcached SystemV initscript
* Adds ipa_memcached service file and tmpfiles.d/ipa.conf
to recreate /var/run/ipa_memcached on reboot.
* Adds ipa_memcached config file
* Adds memcacheinstnace.py to manage ipa_memcaced as
as SimpleService object.
* Updates the IPA service list to include ipa_memcached,
at service positon 39, httpd is position 40
* Updates the spec file:
- requires the memcached daemon and python client
- installs service or initscripts depending on OS
- installs config file
- creates /var/run/ipa_memcached directory
* Modifies ipa-server-install to install ipa_memcached
|
|
|
|
|
|
|
|
|
|
|
|
| |
Since 389-ds-base-1.2.10-0.8.a7 Directory Server's systemd settings are
configured via /etc/sysconfig/dirsrv.systemd. It means logic change in
systemd/fedora16 platform of FreeIPA.
Additionally, existing installs need to be handled during upgrade.
Fixes:
https://fedorahosted.org/freeipa/ticket/2117
https://fedorahosted.org/freeipa/ticket/2300
|
|
https://fedorahosted.org/freeipa/ticket/1192
|