Commits on Source (8)
......@@ -3,6 +3,7 @@ freeipa (4.7.0~pre2-1) UNRELEASED; urgency=medium
* New upstream prerelease.
- fix-version.diff: Dropped, not needed
- hack-duplicate-cert-directive.diff: Dropped, fixed upstream
- refresh patches
* tests/server-install: Fix the fake domain, single label domains are not
supported anymore.
* tests: If the server install fails, just dump the log and exit
......@@ -10,6 +11,17 @@ freeipa (4.7.0~pre2-1) UNRELEASED; urgency=medium
* server.postinst: Fix upgrade from earlier version.
* Create-kadm5.acl-if-it-doesn-t-exist.diff: Fix kadmind startup issue
if kadm5.acl doesn't exist. (LP: #1772447)
* fix-fontawesome-path.diff: Fix the path to font-awesome. (LP:
#1772921)
* fix-krb5kdc-cert-path.diff: Apache can't access KDC certs, move them
to /var/lib/ipa/certs. (LP: #1772447)
* ipa-httpd-pwdreader-force-fqdn.diff: Make sure HOSTNAME is a FQDN. (LP:
#1769485)
* dont-allow-compressed-certs.diff: mod_deflate is enabled by default on
Debian, but the current apache config doesn't know how to uncompress the
received cert data so disallow gzip content for now. (LP: #1772450)
* control: Add libjs-scriptaculous to server depends.
* fix-gzip-path.diff: Fix path to gzip. (LP: #1778236)
-- Timo Aaltonen <tjaalton@debian.org> Wed, 18 Apr 2018 17:50:11 +0300
......
......@@ -25,6 +25,7 @@ Depends:
libapache2-mod-wsgi,
libjs-dojo-core,
libjs-jquery,
libjs-scriptaculous,
libnss3-tools,
libsasl2-modules-gssapi-mit,
oddjob (>= 0.34.3-2),
......
--- a/ipaserver/install/opendnssecinstance.py
+++ b/ipaserver/install/opendnssecinstance.py
@@ -197,6 +197,9 @@ class OpenDNSSECInstance(service.Service
@@ -199,6 +199,9 @@ class OpenDNSSECInstance(service.Service
if not self.fstore.has_file(paths.SYSCONFIG_ODS):
self.fstore.backup_file(paths.SYSCONFIG_ODS)
......
--- a/ipaserver/plugins/dogtag.py
+++ b/ipaserver/plugins/dogtag.py
@@ -1918,8 +1918,7 @@ class ra(rabase.rabase, RestClient):
client_keyfile=None,
cafile=self.ca_cert,
method='POST',
- headers={'Accept-Encoding': 'gzip, deflate',
- 'User-Agent': 'IPA',
+ headers={'User-Agent': 'IPA',
'Content-Type': 'application/xml'},
body=payload
)
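Review bot: The trimmed `headers=` dict has no comment explaining why `Accept-Encoding` was dropped, so a later patch refresh against upstream could quietly restore it. I would add a comment above the dict such as `# Do not advertise gzip/deflate: mod_deflate is on by default on Debian and the compressed reply is not decoded (LP: #1772450)`. Only this one request is visible in the hunk; if other calls in dogtag.py build their own header dicts they may need the same change, which is worth checking. The enclosing call and method start outside the hunk.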
......@@ -10,7 +10,7 @@
HTTPD_PASSWD_FILE_FMT = "/var/lib/ipa/passwds/{host}-443-RSA"
--- a/ipaplatform/debian/paths.py
+++ b/ipaplatform/debian/paths.py
@@ -26,6 +26,8 @@ class DebianPathNamespace(BasePathNamesp
@@ -28,6 +28,8 @@ class DebianPathNamespace(BasePathNamesp
HTTPD_IPA_REWRITE_CONF = "/etc/apache2/conf-available/ipa-rewrite.conf"
HTTPD_IPA_CONF = "/etc/apache2/conf-enabled/ipa.conf"
HTTPD_NSS_CONF = "/etc/apache2/mods-available/nss.conf"
......@@ -30,7 +30,7 @@
logger = logging.getLogger(__name__)
@@ -208,6 +208,7 @@ class HTTPInstance(service.Service):
@@ -214,6 +214,7 @@ class HTTPInstance(service.Service):
def backup_ssl_conf(self):
self.fstore.backup_file(paths.HTTPD_SSL_CONF)
......@@ -38,7 +38,7 @@
def disable_nss_conf(self):
"""
@@ -229,12 +230,13 @@ class HTTPInstance(service.Service):
@@ -235,12 +236,13 @@ class HTTPInstance(service.Service):
'+TLSv1 +TLSv1.1 +TLSv1.2', False)
def set_mod_ssl_logdir(self):
......@@ -58,7 +58,7 @@
def disable_mod_ssl_ocsp(self):
if sysupgrade.get_upgrade_state('http', OCSP_ENABLED) is None:
@@ -266,14 +268,14 @@ class HTTPInstance(service.Service):
@@ -272,14 +274,14 @@ class HTTPInstance(service.Service):
def __add_include(self):
"""This should run after __set_mod_nss_port so is already backed up"""
......@@ -75,7 +75,7 @@
def configure_certmonger_renewal_guard(self):
certmonger = services.knownservices.certmonger
@@ -398,10 +400,10 @@ class HTTPInstance(service.Service):
@@ -404,10 +406,10 @@ class HTTPInstance(service.Service):
def configure_mod_ssl_certs(self):
"""Configure the mod_ssl certificate directives"""
......@@ -88,7 +88,7 @@
'SSLCertificateKeyFile',
paths.HTTPD_KEY_FILE, False)
installutils.set_directive(
@@ -409,7 +411,7 @@ class HTTPInstance(service.Service):
@@ -415,7 +417,7 @@ class HTTPInstance(service.Service):
'SSLPassPhraseDialog',
'exec:{passread}'.format(passread=paths.IPA_HTTPD_PASSWD_READER),
False)
......@@ -96,8 +96,8 @@
+ installutils.set_directive(paths.HTTPD_SSL_SITE_CONF,
'SSLCACertificateFile',
paths.IPA_CA_CRT, False)
@@ -501,7 +503,7 @@ class HTTPInstance(service.Service):
# set SSLVerifyDepth for external CA installations
@@ -512,7 +514,7 @@ class HTTPInstance(service.Service):
'external-helper', helper)
for f in [paths.HTTPD_IPA_CONF, paths.HTTPD_SSL_CONF,
......@@ -108,7 +108,7 @@
except ValueError as error:
--- a/ipaserver/install/ipa_backup.py
+++ b/ipaserver/install/ipa_backup.py
@@ -152,6 +152,7 @@ class Backup(admintool.AdminTool):
@@ -153,6 +153,7 @@ class Backup(admintool.AdminTool):
paths.HTTPD_IPA_PKI_PROXY_CONF,
paths.HTTPD_IPA_REWRITE_CONF,
paths.HTTPD_SSL_CONF,
......
--- a/install/share/ipa.conf.template
+++ b/install/share/ipa.conf.template
@@ -181,7 +181,7 @@ Alias /ipa/crl "$CRL_PUBLISH_PATH"
# List explicitly only the fonts we want to serve
Alias /ipa/ui/fonts/open-sans "${FONTS_DIR}/open-sans"
-Alias /ipa/ui/fonts/fontawesome "${FONTS_DIR}/fontawesome"
+Alias /ipa/ui/fonts/fontawesome "${FONTS_DIR}/${FONT_AWESOME_DIR}"
<Directory "${FONTS_DIR}">
SetHandler None
AllowOverride None
--- a/ipaplatform/base/paths.py
+++ b/ipaplatform/base/paths.py
@@ -244,6 +244,7 @@ class BasePathNamespace(object):
SMBD = "/usr/sbin/smbd"
USERADD = "/usr/sbin/useradd"
FONTS_DIR = "/usr/share/fonts"
+ FONT_AWESOME_DIR = "fontawesome"
USR_SHARE_IPA_DIR = "/usr/share/ipa/"
CA_TOPOLOGY_ULDIF = "/usr/share/ipa/ca-topology.uldif"
IPA_HTML_DIR = "/usr/share/ipa/html"
--- a/ipaplatform/debian/paths.py
+++ b/ipaplatform/debian/paths.py
@@ -87,6 +87,7 @@ class DebianPathNamespace(BasePathNamesp
REMOVE_DS_PL = "/usr/sbin/remove-ds"
SETUP_DS_PL = "/usr/sbin/setup-ds"
FONTS_DIR = "/usr/share/fonts/truetype"
+ FONT_AWESOME_DIR = "font-awesome"
VAR_KERBEROS_KRB5KDC_DIR = "/var/lib/krb5kdc/"
VAR_KRB5KDC_K5_REALM = "/var/lib/krb5kdc/.k5."
CACERT_PEM = "/var/lib/krb5kdc/cacert.pem"
--- a/ipaserver/install/httpinstance.py
+++ b/ipaserver/install/httpinstance.py
@@ -103,6 +103,7 @@ class HTTPInstance(service.Service):
AUTOREDIR='' if auto_redirect else '#',
CRL_PUBLISH_PATH=paths.PKI_CA_PUBLISH_DIR,
FONTS_DIR=paths.FONTS_DIR,
+ FONT_AWESOME_DIR=paths.FONT_AWESOME_DIR,
GSSAPI_SESSION_KEY=paths.GSSAPI_SESSION_KEY,
IPA_CUSTODIA_SOCKET=paths.IPA_CUSTODIA_SOCKET,
IPA_CCACHES=paths.IPA_CCACHES,
--- a/ipaplatform/debian/paths.py
+++ b/ipaplatform/debian/paths.py
@@ -105,5 +105,6 @@ class DebianPathNamespace(BasePathNamesp
IPA_CUSTODIA_SOCKET = "/run/apache2/ipa-custodia.sock"
IPA_CUSTODIA_AUDIT_LOG = '/var/log/ipa-custodia.audit.log'
WSGI_PREFIX_DIR = "/run/apache2/wsgi"
+ GZIP = "/bin/gzip"
paths = DebianPathNamespace()
--- a/ipaplatform/debian/constants.py
+++ b/ipaplatform/debian/constants.py
@@ -12,6 +12,7 @@ from ipaplatform.base.constants import B
@@ -14,6 +14,7 @@ from ipaplatform.base.constants import B
class DebianConstantsNamespace(BaseConstantsNamespace):
HTTPD_USER = "www-data"
......
--- a/ipaplatform/debian/paths.py
+++ b/ipaplatform/debian/paths.py
@@ -90,12 +90,12 @@ class DebianPathNamespace(BasePathNamesp
FONT_AWESOME_DIR = "font-awesome"
VAR_KERBEROS_KRB5KDC_DIR = "/var/lib/krb5kdc/"
VAR_KRB5KDC_K5_REALM = "/var/lib/krb5kdc/.k5."
- CACERT_PEM = "/var/lib/krb5kdc/cacert.pem"
+ CACERT_PEM = "/var/lib/ipa/certs/cacert.pem"
KRB5KDC_KADM5_ACL = "/etc/krb5kdc/kadm5.acl"
KRB5KDC_KADM5_KEYTAB = "/etc/krb5kdc/kadm5.keytab"
KRB5KDC_KDC_CONF = "/etc/krb5kdc/kdc.conf"
- KDC_CERT = "/var/lib/krb5kdc/kdc.crt"
- KDC_KEY = "/var/lib/krb5kdc/kdc.key"
+ KDC_CERT = "/var/lib/ipa/certs/kdc.crt"
+ KDC_KEY = "/var/lib/ipa/certs/kdc.key"
VAR_LOG_HTTPD_DIR = "/var/log/apache2"
VAR_LOG_HTTPD_ERROR = "/var/log/apache2/error.log"
NAMED_RUN = "/var/cache/bind/named.run"
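Review bot: `KDC_KEY` now points into `/var/lib/ipa/certs`, a directory chosen so that Apache can reach the KDC certificates, which places the KDC's private key beside files the web server has to read. As far as the changelog shows, only `CACERT_PEM` and `KDC_CERT` need to be readable by the HTTPD user; the key file should stay root-owned with mode 0600, or remain under `/var/lib/krb5kdc`, and this hunk cannot show which permissions the installer applies. A comment on the line, e.g. `# private key: keep root-only even though the directory is shared with httpd`, would record the intent. Existing installations presumably still hold these files at the old location, so confirm that the upgrade path moves them before the KDC configuration references the new paths.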
......@@ -18,7 +18,7 @@ Description: fix named.conf template
// Any host is permitted to issue recursive queries
allow-recursion { any; };
@@ -27,18 +27,14 @@ options {
@@ -30,18 +30,14 @@ options {
* By default, SELinux policy does not allow named to modify the /var/named directory,
* so put the default debug log file in data/ :
*/
......
......@@ -12,7 +12,7 @@ Description: Fix ODS setup with 2.0.x
</RepositoryList>
--- a/ipaserver/install/opendnssecinstance.py
+++ b/ipaserver/install/opendnssecinstance.py
@@ -282,20 +282,15 @@ class OpenDNSSECInstance(service.Service
@@ -284,20 +284,15 @@ class OpenDNSSECInstance(service.Service
os.chmod(paths.OPENDNSSEC_KASP_DB, 0o660)
# regenerate zonelist.xml
......@@ -37,7 +37,7 @@ Description: Fix ODS setup with 2.0.x
--- a/ipaplatform/base/paths.py
+++ b/ipaplatform/base/paths.py
@@ -167,7 +167,8 @@ class BasePathNamespace(object):
@@ -182,7 +182,8 @@ class BasePathNamespace(object):
NET = "/usr/bin/net"
BIN_NISDOMAINNAME = "/usr/bin/nisdomainname"
NSUPDATE = "/usr/bin/nsupdate"
......
--- a/ipaplatform/debian/paths.py
+++ b/ipaplatform/debian/paths.py
@@ -37,6 +37,7 @@ class DebianPathNamespace(BasePathNamesp
@@ -39,6 +39,7 @@ class DebianPathNamespace(BasePathNamesp
NAMED_ROOT_KEY = "/etc/bind/bind.keys"
NAMED_BINDKEYS_FILE = "/etc/bind/bind.keys"
NAMED_MANAGED_KEYS_DIR = "/var/cache/bind/dynamic"
......@@ -8,7 +8,7 @@
OPENLDAP_LDAP_CONF = "/etc/ldap/ldap.conf"
ETC_DEBIAN_VERSION = "/etc/debian_version"
IPA_P11_KIT = "/usr/local/share/ca-certificates/ipa-ca.crt"
@@ -60,6 +61,7 @@ class DebianPathNamespace(BasePathNamesp
@@ -62,6 +63,7 @@ class DebianPathNamespace(BasePathNamesp
DNSSEC_TRUSTED_KEY = "/etc/bind/trusted-key.key"
GSSAPI_SESSION_KEY = "/etc/apache2/ipasession.key"
OLD_KRA_AGENT_PEM = "/etc/apache2/nssdb/kra-agent.pem"
......@@ -16,7 +16,7 @@
SBIN_SERVICE = "/usr/sbin/service"
CERTMONGER_COMMAND_TEMPLATE = "/usr/lib/ipa/certmonger/%s"
UPDATE_CA_TRUST = "/usr/sbin/update-ca-certificates"
@@ -78,6 +80,7 @@ class DebianPathNamespace(BasePathNamesp
@@ -80,6 +82,7 @@ class DebianPathNamespace(BasePathNamesp
IPA_DNSKEYSYNCD = "/usr/lib/ipa/ipa-dnskeysyncd"
IPA_HTTPD_KDCPROXY = "/usr/lib/ipa/ipa-httpd-kdcproxy"
IPA_ODS_EXPORTER = "/usr/lib/ipa/ipa-ods-exporter"
......
--- a/ipaserver/install/server/replicainstall.py
+++ b/ipaserver/install/server/replicainstall.py
@@ -758,7 +758,7 @@ def install_check(installer):
@@ -765,7 +765,7 @@ def install_check(installer):
finally:
shutil.rmtree(tmp_db_dir)
......
--- a/ipaserver/install/cainstance.py
+++ b/ipaserver/install/cainstance.py
@@ -1755,6 +1755,8 @@ def migrate_profiles_to_ldap():
@@ -1754,6 +1754,8 @@ def migrate_profiles_to_ldap():
match = re.search(r'^profile\.list=(\S*)', cs_cfg, re.MULTILINE)
profile_ids = match.group(1).split(',')
......
--- a/install/tools/ipa-httpd-pwdreader
+++ b/install/tools/ipa-httpd-pwdreader
@@ -4,6 +4,7 @@
# If you'd like to write your custom binary providing passwords to mod_ssl,
# see the documentation of the aforementioned directive of the mod_ssl module.
+HOSTNAME=`hostname -f`
USAGE="./ipa-pwdreader host:port RSA|DSA|ECC|number"
ERR_UNKNOWN_KEY="\
ERROR: You seem to be running a non-standard IPA installation.
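Review bot: The result of `hostname -f` is used unchecked: if name resolution fails the command prints nothing and `HOSTNAME` ends up empty, and the rest of the script (outside this hunk) would then presumably look for a passphrase file that matches no host. Because this helper hands mod_ssl the key passphrase, it should fail with a clear message instead, e.g. `HOSTNAME=$(hostname -f) || { echo "cannot determine FQDN" >&2; exit 1; }`. `$(...)` is also preferable to backticks, and any later expansion of the variable inside a file path should be quoted.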
--- a/ipaplatform/debian/paths.py
+++ b/ipaplatform/debian/paths.py
@@ -65,6 +65,7 @@ class DebianPathNamespace(BasePathNamesp
@@ -67,6 +67,7 @@ class DebianPathNamespace(BasePathNamesp
UPDATE_CA_TRUST = "/usr/sbin/update-ca-certificates"
BIND_LDAP_DNS_IPA_WORKDIR = "/var/cache/bind/dyndb-ldap/ipa/"
BIND_LDAP_DNS_ZONE_WORKDIR = "/var/cache/bind/dyndb-ldap/ipa/master/"
......@@ -10,7 +10,7 @@
LIB_SYSTEMD_SYSTEMD_DIR = "/lib/systemd/system/"
--- a/ipaserver/install/ldapupdate.py
+++ b/ipaserver/install/ldapupdate.py
@@ -42,6 +42,7 @@ from ipalib import api, create_api
@@ -43,6 +43,7 @@ from ipalib import api, create_api
from ipalib import constants
from ipaplatform.paths import paths
from ipapython.dn import DN
......@@ -18,7 +18,7 @@
if six.PY3:
unicode = str
@@ -327,12 +328,15 @@ class LDAPUpdate(object):
@@ -328,12 +329,15 @@ class LDAPUpdate(object):
etc. Determine if a suffix is needed based on the current
architecture.
"""
......
......@@ -14,3 +14,8 @@ fix-httpd-group.diff
support-pam-mkhomedir.diff
fix-paths.diff
hack-tomcat-race.diff
fix-fontawesome-path.diff
fix-krb5kdc-cert-path.diff
ipa-httpd-pwdreader-force-fqdn.diff
dont-allow-compressed-certs.diff
fix-gzip-path.diff
--- a/ipaplatform/debian/tasks.py
+++ b/ipaplatform/debian/tasks.py
@@ -9,14 +9,20 @@ This module contains default Debian-spec
@@ -11,14 +11,20 @@ from __future__ import absolute_import
from ipaplatform.base.tasks import BaseTaskNamespace
from ipaplatform.redhat.tasks import RedHatTaskNamespace
......@@ -23,7 +23,7 @@
@staticmethod
def set_nisdomain(nisdomain):
@@ -25,8 +31,13 @@ class DebianTaskNamespace(RedHatTaskName
@@ -27,8 +33,13 @@ class DebianTaskNamespace(RedHatTaskName
@staticmethod
def modify_nsswitch_pam_stack(sssd, mkhomedir, statestore):
......