Timo Aaltonen · Timo Aaltonen · Timo Aaltonen · Timo Aaltonen · Timo Aaltonen · Timo Aaltonen
--- a/debian/changelog
+++ b/debian/changelog
@@ -3,6 +3,7 @@ freeipa (4.7.0~pre2-1) UNRELEASED; urgency=medium
  * New upstream prerelease.
    - fix-version.diff: Dropped, not needed
    - hack-duplicate-cert-directive.diff: Dropped, fixed upstream
+    - refresh patches
  * tests/server-install: Fix the fake domain, single label domains are not
    supported anymore.
  * tests: If the server install fails, just dump the log and exit
@@ -10,6 +11,17 @@ freeipa (4.7.0~pre2-1) UNRELEASED; urgency=medium
  * server.postinst: Fix upgrade from earlier version.
  * Create-kadm5.acl-if-it-doesn-t-exist.diff: Fix kadmind startup issue
    if kadm5.acl doesn't exist. (LP: #1772447)
+  * fix-fontawesome-path.diff: Fix the path to font-awesome. (LP:
+    #1772921)
+  * fix-krb5kdc-cert-path.diff: Apache can't access KDC certs, move them
+    to /var/lib/ipa/certs. (LP: #1772447)
+  * ipa-httpd-pwdreader-force-fqdn.diff: Make sure HOSTNAME is a FQDN. (LP:
+    #1769485)
+  * dont-allow-compressed-certs.diff: mod_deflate is enabled by default on
+    Debian, but the current apache config doesn't know how to uncompress the
+    received cert data so disallow gzip content for now. (LP: #1772450)
+  * control: Add libjs-scriptaculous to server depends.
+  * fix-gzip-path.diff: Fix path to gzip. (LP: #1778236)

 -- Timo Aaltonen <tjaalton@debian.org>  Wed, 18 Apr 2018 17:50:11 +0300


--- a/debian/control.server
+++ b/debian/control.server
@@ -25,6 +25,7 @@ Depends:
 libapache2-mod-wsgi,
 libjs-dojo-core,
 libjs-jquery,
+ libjs-scriptaculous,
 libnss3-tools,
 libsasl2-modules-gssapi-mit,
 oddjob (>= 0.34.3-2),

--- a/debian/patches/create-sysconfig-ods.diff
+++ b/debian/patches/create-sysconfig-ods.diff
 --- a/ipaserver/install/opendnssecinstance.py
 +++ b/ipaserver/install/opendnssecinstance.py
-@@ -197,6 +197,9 @@ class OpenDNSSECInstance(service.Service
+@@ -199,6 +199,9 @@ class OpenDNSSECInstance(service.Service
         if not self.fstore.has_file(paths.SYSCONFIG_ODS):
             self.fstore.backup_file(paths.SYSCONFIG_ODS)
 

--- a/debian/patches/dont-allow-compressed-certs.diff
+++ b/debian/patches/dont-allow-compressed-certs.diff
+--- a/ipaserver/plugins/dogtag.py
+++ b/ipaserver/plugins/dogtag.py
+@@ -1918,8 +1918,7 @@ class ra(rabase.rabase, RestClient):
+             client_keyfile=None,
+             cafile=self.ca_cert,
+             method='POST',
+-            headers={'Accept-Encoding': 'gzip, deflate',
+-                     'User-Agent': 'IPA',
+            headers={'User-Agent': 'IPA',
+                      'Content-Type': 'application/xml'},
+             body=payload
+         )
--- a/debian/patches/fix-apache-ssl-setup.diff
+++ b/debian/patches/fix-apache-ssl-setup.diff
@@ -10,7 +10,7 @@
     HTTPD_PASSWD_FILE_FMT = "/var/lib/ipa/passwds/{host}-443-RSA"
 --- a/ipaplatform/debian/paths.py
 +++ b/ipaplatform/debian/paths.py
-@@ -26,6 +26,8 @@ class DebianPathNamespace(BasePathNamesp
+@@ -28,6 +28,8 @@ class DebianPathNamespace(BasePathNamesp
     HTTPD_IPA_REWRITE_CONF = "/etc/apache2/conf-available/ipa-rewrite.conf"
     HTTPD_IPA_CONF = "/etc/apache2/conf-enabled/ipa.conf"
     HTTPD_NSS_CONF = "/etc/apache2/mods-available/nss.conf"
@@ -30,7 +30,7 @@
 
 logger = logging.getLogger(__name__)
 
-@@ -208,6 +208,7 @@ class HTTPInstance(service.Service):
+@@ -214,6 +214,7 @@ class HTTPInstance(service.Service):
 
     def backup_ssl_conf(self):
         self.fstore.backup_file(paths.HTTPD_SSL_CONF)
@@ -38,7 +38,7 @@
 
     def disable_nss_conf(self):
         """
-@@ -229,12 +230,13 @@ class HTTPInstance(service.Service):
+@@ -235,12 +236,13 @@ class HTTPInstance(service.Service):
                                    '+TLSv1 +TLSv1.1 +TLSv1.2', False)
 
     def set_mod_ssl_logdir(self):
@@ -58,7 +58,7 @@
 
     def disable_mod_ssl_ocsp(self):
         if sysupgrade.get_upgrade_state('http', OCSP_ENABLED) is None:
-@@ -266,14 +268,14 @@ class HTTPInstance(service.Service):
+@@ -272,14 +274,14 @@ class HTTPInstance(service.Service):
 
     def __add_include(self):
         """This should run after __set_mod_nss_port so is already backed up"""
@@ -75,7 +75,7 @@
 
     def configure_certmonger_renewal_guard(self):
         certmonger = services.knownservices.certmonger
-@@ -398,10 +400,10 @@ class HTTPInstance(service.Service):
+@@ -404,10 +406,10 @@ class HTTPInstance(service.Service):
 
     def configure_mod_ssl_certs(self):
         """Configure the mod_ssl certificate directives"""
@@ -88,7 +88,7 @@
                                    'SSLCertificateKeyFile',
                                    paths.HTTPD_KEY_FILE, False)
         installutils.set_directive(
-@@ -409,7 +411,7 @@ class HTTPInstance(service.Service):
+@@ -415,7 +417,7 @@ class HTTPInstance(service.Service):
             'SSLPassPhraseDialog',
             'exec:{passread}'.format(passread=paths.IPA_HTTPD_PASSWD_READER),
             False)
@@ -96,8 +96,8 @@
 +        installutils.set_directive(paths.HTTPD_SSL_SITE_CONF,
                                    'SSLCACertificateFile',
                                    paths.IPA_CA_CRT, False)
- 
-@@ -501,7 +503,7 @@ class HTTPInstance(service.Service):
+         # set SSLVerifyDepth for external CA installations
+@@ -512,7 +514,7 @@ class HTTPInstance(service.Service):
                              'external-helper', helper)
 
         for f in [paths.HTTPD_IPA_CONF, paths.HTTPD_SSL_CONF,
@@ -108,7 +108,7 @@
             except ValueError as error:
 --- a/ipaserver/install/ipa_backup.py
 +++ b/ipaserver/install/ipa_backup.py
-@@ -152,6 +152,7 @@ class Backup(admintool.AdminTool):
+@@ -153,6 +153,7 @@ class Backup(admintool.AdminTool):
         paths.HTTPD_IPA_PKI_PROXY_CONF,
         paths.HTTPD_IPA_REWRITE_CONF,
         paths.HTTPD_SSL_CONF,

--- a/debian/patches/fix-fontawesome-path.diff
+++ b/debian/patches/fix-fontawesome-path.diff
+--- a/install/share/ipa.conf.template
+++ b/install/share/ipa.conf.template
+@@ -181,7 +181,7 @@ Alias /ipa/crl "$CRL_PUBLISH_PATH"
+ 
+ #  List explicitly only the fonts we want to serve
+ Alias /ipa/ui/fonts/open-sans "${FONTS_DIR}/open-sans"
+-Alias /ipa/ui/fonts/fontawesome "${FONTS_DIR}/fontawesome"
+Alias /ipa/ui/fonts/fontawesome "${FONTS_DIR}/${FONT_AWESOME_DIR}"
+ <Directory "${FONTS_DIR}">
+   SetHandler None
+   AllowOverride None
+--- a/ipaplatform/base/paths.py
+++ b/ipaplatform/base/paths.py
+@@ -244,6 +244,7 @@ class BasePathNamespace(object):
+     SMBD = "/usr/sbin/smbd"
+     USERADD = "/usr/sbin/useradd"
+     FONTS_DIR = "/usr/share/fonts"
+    FONT_AWESOME_DIR = "fontawesome"
+     USR_SHARE_IPA_DIR = "/usr/share/ipa/"
+     CA_TOPOLOGY_ULDIF = "/usr/share/ipa/ca-topology.uldif"
+     IPA_HTML_DIR = "/usr/share/ipa/html"
+--- a/ipaplatform/debian/paths.py
+++ b/ipaplatform/debian/paths.py
+@@ -87,6 +87,7 @@ class DebianPathNamespace(BasePathNamesp
+     REMOVE_DS_PL = "/usr/sbin/remove-ds"
+     SETUP_DS_PL = "/usr/sbin/setup-ds"
+     FONTS_DIR = "/usr/share/fonts/truetype"
+    FONT_AWESOME_DIR = "font-awesome"
+     VAR_KERBEROS_KRB5KDC_DIR = "/var/lib/krb5kdc/"
+     VAR_KRB5KDC_K5_REALM = "/var/lib/krb5kdc/.k5."
+     CACERT_PEM = "/var/lib/krb5kdc/cacert.pem"
+--- a/ipaserver/install/httpinstance.py
+++ b/ipaserver/install/httpinstance.py
+@@ -103,6 +103,7 @@ class HTTPInstance(service.Service):
+             AUTOREDIR='' if auto_redirect else '#',
+             CRL_PUBLISH_PATH=paths.PKI_CA_PUBLISH_DIR,
+             FONTS_DIR=paths.FONTS_DIR,
+            FONT_AWESOME_DIR=paths.FONT_AWESOME_DIR,
+             GSSAPI_SESSION_KEY=paths.GSSAPI_SESSION_KEY,
+             IPA_CUSTODIA_SOCKET=paths.IPA_CUSTODIA_SOCKET,
+             IPA_CCACHES=paths.IPA_CCACHES,
--- a/debian/patches/fix-gzip-path.diff
+++ b/debian/patches/fix-gzip-path.diff
+--- a/ipaplatform/debian/paths.py
+++ b/ipaplatform/debian/paths.py
+@@ -105,5 +105,6 @@ class DebianPathNamespace(BasePathNamesp
+     IPA_CUSTODIA_SOCKET = "/run/apache2/ipa-custodia.sock"
+     IPA_CUSTODIA_AUDIT_LOG = '/var/log/ipa-custodia.audit.log'
+     WSGI_PREFIX_DIR = "/run/apache2/wsgi"
+    GZIP = "/bin/gzip"
+ 
+ paths = DebianPathNamespace()
--- a/debian/patches/fix-httpd-group.diff
+++ b/debian/patches/fix-httpd-group.diff
 --- a/ipaplatform/debian/constants.py
 +++ b/ipaplatform/debian/constants.py
-@@ -12,6 +12,7 @@ from ipaplatform.base.constants import B
+@@ -14,6 +14,7 @@ from ipaplatform.base.constants import B
 
 class DebianConstantsNamespace(BaseConstantsNamespace):
     HTTPD_USER = "www-data"

--- a/debian/patches/fix-krb5kdc-cert-path.diff
+++ b/debian/patches/fix-krb5kdc-cert-path.diff
+--- a/ipaplatform/debian/paths.py
+++ b/ipaplatform/debian/paths.py
+@@ -90,12 +90,12 @@ class DebianPathNamespace(BasePathNamesp
+     FONT_AWESOME_DIR = "font-awesome"
+     VAR_KERBEROS_KRB5KDC_DIR = "/var/lib/krb5kdc/"
+     VAR_KRB5KDC_K5_REALM = "/var/lib/krb5kdc/.k5."
+-    CACERT_PEM = "/var/lib/krb5kdc/cacert.pem"
+    CACERT_PEM = "/var/lib/ipa/certs/cacert.pem"
+     KRB5KDC_KADM5_ACL = "/etc/krb5kdc/kadm5.acl"
+     KRB5KDC_KADM5_KEYTAB = "/etc/krb5kdc/kadm5.keytab"
+     KRB5KDC_KDC_CONF = "/etc/krb5kdc/kdc.conf"
+-    KDC_CERT = "/var/lib/krb5kdc/kdc.crt"
+-    KDC_KEY = "/var/lib/krb5kdc/kdc.key"
+    KDC_CERT = "/var/lib/ipa/certs/kdc.crt"
+    KDC_KEY = "/var/lib/ipa/certs/kdc.key"
+     VAR_LOG_HTTPD_DIR = "/var/log/apache2"
+     VAR_LOG_HTTPD_ERROR = "/var/log/apache2/error.log"
+     NAMED_RUN = "/var/cache/bind/named.run"
--- a/debian/patches/fix-named-conf-template.diff
+++ b/debian/patches/fix-named-conf-template.diff
@@ -18,7 +18,7 @@ Description: fix named.conf template
 
 	// Any host is permitted to issue recursive queries
 	allow-recursion { any; };
-@@ -27,18 +27,14 @@ options {
+@@ -30,18 +30,14 @@ options {
  * By default, SELinux policy does not allow named to modify the /var/named directory,
  * so put the default debug log file in data/ :
  */

--- a/debian/patches/fix-opendnssec-setup.diff
+++ b/debian/patches/fix-opendnssec-setup.diff
@@ -12,7 +12,7 @@ Description: Fix ODS setup with 2.0.x
 	</RepositoryList>
 --- a/ipaserver/install/opendnssecinstance.py
 +++ b/ipaserver/install/opendnssecinstance.py
-@@ -282,20 +282,15 @@ class OpenDNSSECInstance(service.Service
+@@ -284,20 +284,15 @@ class OpenDNSSECInstance(service.Service
             os.chmod(paths.OPENDNSSEC_KASP_DB, 0o660)
 
             # regenerate zonelist.xml
@@ -37,7 +37,7 @@ Description: Fix ODS setup with 2.0.x
 
 --- a/ipaplatform/base/paths.py
 +++ b/ipaplatform/base/paths.py
-@@ -167,7 +167,8 @@ class BasePathNamespace(object):
+@@ -182,7 +182,8 @@ class BasePathNamespace(object):
     NET = "/usr/bin/net"
     BIN_NISDOMAINNAME = "/usr/bin/nisdomainname"
     NSUPDATE = "/usr/bin/nsupdate"

--- a/debian/patches/fix-paths.diff
+++ b/debian/patches/fix-paths.diff
 --- a/ipaplatform/debian/paths.py
 +++ b/ipaplatform/debian/paths.py
-@@ -37,6 +37,7 @@ class DebianPathNamespace(BasePathNamesp
+@@ -39,6 +39,7 @@ class DebianPathNamespace(BasePathNamesp
     NAMED_ROOT_KEY = "/etc/bind/bind.keys"
     NAMED_BINDKEYS_FILE = "/etc/bind/bind.keys"
     NAMED_MANAGED_KEYS_DIR = "/var/cache/bind/dynamic"
@@ -8,7 +8,7 @@
     OPENLDAP_LDAP_CONF = "/etc/ldap/ldap.conf"
     ETC_DEBIAN_VERSION = "/etc/debian_version"
     IPA_P11_KIT = "/usr/local/share/ca-certificates/ipa-ca.crt"
-@@ -60,6 +61,7 @@ class DebianPathNamespace(BasePathNamesp
+@@ -62,6 +63,7 @@ class DebianPathNamespace(BasePathNamesp
     DNSSEC_TRUSTED_KEY = "/etc/bind/trusted-key.key"
     GSSAPI_SESSION_KEY = "/etc/apache2/ipasession.key"
     OLD_KRA_AGENT_PEM = "/etc/apache2/nssdb/kra-agent.pem"
@@ -16,7 +16,7 @@
     SBIN_SERVICE = "/usr/sbin/service"
     CERTMONGER_COMMAND_TEMPLATE = "/usr/lib/ipa/certmonger/%s"
     UPDATE_CA_TRUST = "/usr/sbin/update-ca-certificates"
-@@ -78,6 +80,7 @@ class DebianPathNamespace(BasePathNamesp
+@@ -80,6 +82,7 @@ class DebianPathNamespace(BasePathNamesp
     IPA_DNSKEYSYNCD = "/usr/lib/ipa/ipa-dnskeysyncd"
     IPA_HTTPD_KDCPROXY = "/usr/lib/ipa/ipa-httpd-kdcproxy"
     IPA_ODS_EXPORTER = "/usr/lib/ipa/ipa-ods-exporter"

--- a/debian/patches/fix-replicainstall.diff
+++ b/debian/patches/fix-replicainstall.diff
 --- a/ipaserver/install/server/replicainstall.py
 +++ b/ipaserver/install/server/replicainstall.py
-@@ -758,7 +758,7 @@ def install_check(installer):
+@@ -765,7 +765,7 @@ def install_check(installer):
         finally:
             shutil.rmtree(tmp_db_dir)
 

--- a/debian/patches/hack-tomcat-race.diff
+++ b/debian/patches/hack-tomcat-race.diff
 --- a/ipaserver/install/cainstance.py
 +++ b/ipaserver/install/cainstance.py
-@@ -1755,6 +1755,8 @@ def migrate_profiles_to_ldap():
+@@ -1754,6 +1754,8 @@ def migrate_profiles_to_ldap():
     match = re.search(r'^profile\.list=(\S*)', cs_cfg, re.MULTILINE)
     profile_ids = match.group(1).split(',')
 

--- a/debian/patches/ipa-httpd-pwdreader-force-fqdn.diff
+++ b/debian/patches/ipa-httpd-pwdreader-force-fqdn.diff
+--- a/install/tools/ipa-httpd-pwdreader
+++ b/install/tools/ipa-httpd-pwdreader
+@@ -4,6 +4,7 @@
+ # If you'd like to write your custom binary providing passwords to mod_ssl,
+ # see the documentation of the aforementioned directive of the mod_ssl module.
+ 
+HOSTNAME=`hostname -f`
+ USAGE="./ipa-pwdreader host:port RSA|DSA|ECC|number"
+ ERR_UNKNOWN_KEY="\
+ ERROR: You seem to be running a non-standard IPA installation.
--- a/debian/patches/ldap-multiarch.diff
+++ b/debian/patches/ldap-multiarch.diff
 --- a/ipaplatform/debian/paths.py
 +++ b/ipaplatform/debian/paths.py
-@@ -65,6 +65,7 @@ class DebianPathNamespace(BasePathNamesp
+@@ -67,6 +67,7 @@ class DebianPathNamespace(BasePathNamesp
     UPDATE_CA_TRUST = "/usr/sbin/update-ca-certificates"
     BIND_LDAP_DNS_IPA_WORKDIR = "/var/cache/bind/dyndb-ldap/ipa/"
     BIND_LDAP_DNS_ZONE_WORKDIR = "/var/cache/bind/dyndb-ldap/ipa/master/"
@@ -10,7 +10,7 @@
     LIB_SYSTEMD_SYSTEMD_DIR = "/lib/systemd/system/"
 --- a/ipaserver/install/ldapupdate.py
 +++ b/ipaserver/install/ldapupdate.py
-@@ -42,6 +42,7 @@ from ipalib import api, create_api
+@@ -43,6 +43,7 @@ from ipalib import api, create_api
 from ipalib import constants
 from ipaplatform.paths import paths
 from ipapython.dn import DN
@@ -18,7 +18,7 @@
 
 if six.PY3:
     unicode = str
-@@ -327,12 +328,15 @@ class LDAPUpdate(object):
+@@ -328,12 +329,15 @@ class LDAPUpdate(object):
            etc.  Determine if a suffix is needed based on the current
            architecture.
         """

--- a/debian/patches/series
+++ b/debian/patches/series
@@ -14,3 +14,8 @@ fix-httpd-group.diff
 support-pam-mkhomedir.diff
 fix-paths.diff
 hack-tomcat-race.diff
+fix-fontawesome-path.diff
+fix-krb5kdc-cert-path.diff
+ipa-httpd-pwdreader-force-fqdn.diff
+dont-allow-compressed-certs.diff
+fix-gzip-path.diff
--- a/debian/patches/support-pam-mkhomedir.diff
+++ b/debian/patches/support-pam-mkhomedir.diff
 --- a/ipaplatform/debian/tasks.py
 +++ b/ipaplatform/debian/tasks.py
-@@ -9,14 +9,20 @@ This module contains default Debian-spec
+@@ -11,14 +11,20 @@ from __future__ import absolute_import
 from ipaplatform.base.tasks import BaseTaskNamespace
 from ipaplatform.redhat.tasks import RedHatTaskNamespace
 
@@ -23,7 +23,7 @@
 
     @staticmethod
     def set_nisdomain(nisdomain):
-@@ -25,8 +31,13 @@ class DebianTaskNamespace(RedHatTaskName
+@@ -27,8 +33,13 @@ class DebianTaskNamespace(RedHatTaskName
 
     @staticmethod
     def modify_nsswitch_pam_stack(sssd, mkhomedir, statestore):