Commits on Source (97)
......@@ -58,7 +58,7 @@ jobs:
class: RunPytest
args:
build_url: '{fedora-27/build_url}'
test_suite: test_integration/test_external_ca.py
test_suite: test_integration/test_external_ca.py::TestExternalCA test_integration/test_external_ca.py::TestSelfExternalSelf test_integration/test_external_ca.py::TestExternalCAInstall
template: *ci-master-f27
timeout: 3600
topology: *master_1repl
......@@ -87,6 +87,18 @@ jobs:
timeout: 3600
topology: *master_1repl_1client
fedora-27/test_ipa_cli:
requires: [fedora-27/build]
priority: 50
job:
class: RunPytest
args:
build_url: '{fedora-27/build_url}'
test_suite: test_integration/test_ipa_cli.py
template: *ci-master-f27
timeout: 3600
topology: *master_1repl
fedora-27/test_kerberos_flags:
requires: [fedora-27/build]
priority: 50
......@@ -183,15 +195,15 @@ jobs:
timeout: 3600
topology: *master_1repl
fedora-27/test_installation_TestInstallMasterReservedIPasForwarder:
fedora-27/test_authconfig:
requires: [fedora-27/build]
priority: 50
job:
class: RunPytest
args:
build_url: '{fedora-27/build_url}'
test_suite: test_integration/test_installation.py::TestInstallMasterReservedIPasForwarder
test_suite: test_integration/test_authselect.py
template: *ci-master-f27
timeout: 10800
topology: *master_1repl
timeout: 3600
topology: *master_1repl_1client
......@@ -361,7 +361,7 @@ aci: (targetattr = "krbcanonicalname || krbprincipalname")(targetfilter = "(obje
dn: cn=users,cn=accounts,dc=ipa,dc=example
aci: (targetattr = "ipasshpubkey")(targetfilter = "(objectclass=posixaccount)")(version 3.0;acl "permission:System: Manage User SSH Public Keys";allow (write) groupdn = "ldap:///cn=System: Manage User SSH Public Keys,cn=permissions,cn=pbac,dc=ipa,dc=example";)
dn: cn=users,cn=accounts,dc=ipa,dc=example
aci: (targetattr = "businesscategory || carlicense || cn || departmentnumber || description || displayname || employeenumber || employeetype || facsimiletelephonenumber || gecos || givenname || homephone || inetuserhttpurl || initials || l || labeleduri || loginshell || mail || manager || mepmanagedentry || mobile || objectclass || ou || pager || postalcode || preferredlanguage || roomnumber || secretary || seealso || sn || st || street || telephonenumber || title || userclass")(targetfilter = "(objectclass=posixaccount)")(version 3.0;acl "permission:System: Modify Users";allow (write) groupdn = "ldap:///cn=System: Modify Users,cn=permissions,cn=pbac,dc=ipa,dc=example";)
aci: (targetattr = "businesscategory || carlicense || cn || departmentnumber || description || displayname || employeenumber || employeetype || facsimiletelephonenumber || gecos || givenname || homedirectory || homephone || inetuserhttpurl || initials || l || labeleduri || loginshell || mail || manager || mepmanagedentry || mobile || objectclass || ou || pager || postalcode || preferredlanguage || roomnumber || secretary || seealso || sn || st || street || telephonenumber || title || userclass")(targetfilter = "(objectclass=posixaccount)")(version 3.0;acl "permission:System: Modify Users";allow (write) groupdn = "ldap:///cn=System: Modify Users,cn=permissions,cn=pbac,dc=ipa,dc=example";)
dn: cn=UPG Definition,cn=Definitions,cn=Managed Entries,cn=etc,dc=ipa,dc=example
aci: (targetattr = "*")(target = "ldap:///cn=UPG Definition,cn=Definitions,cn=Managed Entries,cn=etc,dc=ipa,dc=example")(version 3.0;acl "permission:System: Read UPG Definition";allow (compare,read,search) groupdn = "ldap:///cn=System: Read UPG Definition,cn=permissions,cn=pbac,dc=ipa,dc=example";)
dn: cn=users,cn=accounts,dc=ipa,dc=example
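Review bot: The second printed `System: Modify Users` ACI adds `homedirectory` to the writable attributes (assuming it is the new side, as in the other old/new pairs on this page), and nothing in this section records why delegated user administrators need it. On enrolled hosts the home directory usually decides where per-user login files such as `~/.ssh/authorized_keys` and `~/.k5login` are read from, so it is more sensitive than the contact-style attributes already in the list. State the rationale where the permission is defined and confirm that every role holding this permission is meant to have that reach. Auditing modifications of `homedirectory` would cover the detection side.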
......
......@@ -1944,13 +1944,14 @@ output: Entry('result')
output: Output('summary', type=[<type 'unicode'>, <type 'NoneType'>])
output: PrimaryKey('value')
command: group_add_member/1
args: 1,7,3
args: 1,8,3
arg: Str('cn', cli_name='group_name')
option: Flag('all', autofill=True, cli_name='all', default=False)
option: Str('group*', alwaysask=True, cli_name='groups')
option: Str('ipaexternalmember*', cli_name='external')
option: Flag('no_members', autofill=True, default=False)
option: Flag('raw', autofill=True, cli_name='raw', default=False)
option: Str('service*', alwaysask=True, cli_name='services')
option: Str('user*', alwaysask=True, cli_name='users')
option: Str('version?')
output: Output('completed', type=[<type 'int'>])
......@@ -1972,7 +1973,7 @@ output: Output('result', type=[<type 'bool'>])
output: Output('summary', type=[<type 'unicode'>, <type 'NoneType'>])
output: PrimaryKey('value')
command: group_find/1
args: 1,28,4
args: 1,30,4
arg: Str('criteria?')
option: Flag('all', autofill=True, cli_name='all', default=False)
option: Str('cn?', autofill=False, cli_name='group_name')
......@@ -1987,6 +1988,7 @@ option: Str('in_role*', cli_name='in_roles')
option: Str('in_sudorule*', cli_name='in_sudorules')
option: Str('no_group*', cli_name='no_groups')
option: Flag('no_members', autofill=True, default=True)
option: Principal('no_service*', cli_name='no_services')
option: Str('no_user*', cli_name='no_users')
option: Flag('nonposix', autofill=True, cli_name='nonposix', default=False)
option: Str('not_in_group*', cli_name='not_in_groups')
......@@ -1998,6 +2000,7 @@ option: Flag('pkey_only?', autofill=True, default=False)
option: Flag('posix', autofill=True, cli_name='posix', default=False)
option: Flag('private', autofill=True, cli_name='private', default=False)
option: Flag('raw', autofill=True, cli_name='raw', default=False)
option: Principal('service*', cli_name='services')
option: Int('sizelimit?', autofill=False)
option: Int('timelimit?', autofill=False)
option: Str('user*', cli_name='users')
......@@ -2026,13 +2029,14 @@ output: Entry('result')
output: Output('summary', type=[<type 'unicode'>, <type 'NoneType'>])
output: PrimaryKey('value')
command: group_remove_member/1
args: 1,7,3
args: 1,8,3
arg: Str('cn', cli_name='group_name')
option: Flag('all', autofill=True, cli_name='all', default=False)
option: Str('group*', alwaysask=True, cli_name='groups')
option: Str('ipaexternalmember*', cli_name='external')
option: Flag('no_members', autofill=True, default=False)
option: Flag('raw', autofill=True, cli_name='raw', default=False)
option: Str('service*', alwaysask=True, cli_name='services')
option: Str('user*', alwaysask=True, cli_name='users')
option: Str('version?')
output: Output('completed', type=[<type 'int'>])
......@@ -4457,7 +4461,7 @@ output: Entry('result')
output: Output('summary', type=[<type 'unicode'>, <type 'NoneType'>])
output: PrimaryKey('value')
command: service_add/1
args: 1,13,3
args: 1,14,3
arg: Principal('krbcanonicalname', cli_name='canonical_principal')
option: Str('addattr*', cli_name='addattr')
option: Flag('all', autofill=True, cli_name='all', default=False)
......@@ -4470,6 +4474,7 @@ option: Str('krbprincipalauthind*', cli_name='auth_ind')
option: Flag('no_members', autofill=True, default=False)
option: Flag('raw', autofill=True, cli_name='raw', default=False)
option: Str('setattr*', cli_name='setattr')
option: Flag('skip_host_check', autofill=True, default=False)
option: Certificate('usercertificate*', cli_name='certificate')
option: Str('version?')
output: Entry('result')
......
......@@ -31,7 +31,7 @@ define(IPA_VERSION_RELEASE, 90)
# e.g. define(IPA_VERSION_PRE_RELEASE, rc1) #
# -> "1.0.0rc1" #
########################################################
define(IPA_VERSION_PRE_RELEASE, .pre1)
define(IPA_VERSION_PRE_RELEASE, .pre2)
########################################################
# To mark GIT snapshots this should be set to 'yes' #
......@@ -46,7 +46,7 @@ define(IPA_VERSION_PRE_RELEASE, .pre1)
# This option works only with GNU m4: #
# it requires esyscmd m4 macro. #
########################################################
define(IPA_VERSION_IS_GIT_SNAPSHOT, yes)
define(IPA_VERSION_IS_GIT_SNAPSHOT, no)
########################################################
# git development branch: #
......
......@@ -763,7 +763,8 @@ int main(int argc, const char *argv[])
_("The principal to get a keytab for (ex: ftp/ftp.example.com@EXAMPLE.COM)"),
_("Kerberos Service Principal Name") },
{ "keytab", 'k', POPT_ARG_STRING, &keytab, 0,
_("File were to store the keytab information"),
_("The keytab file to append the new key to (will be "
"created if it does not exist)."),
_("Keytab File Name") },
{ "enctypes", 'e', POPT_ARG_STRING, &enctypes_string, 0,
_("Encryption types to request"),
......
SUBDIRS = completion
EXTRA_DIST = \
nssciphersuite \
lite-server.py
Cipher suite for mod_nss
------------------------
The nssciphersuite.py script parses mod_nss' nss_engine_cipher.c file and
creates a list of secure cipher suites for TLS. The script filters out
insecure, obsolete and slow ciphers according to some rules.
As of January 2016 and mod_nss 1.0.12 the cipher suite list contains 14
cipher suites for TLS 1.0, 1.1 and 1.2 for RSA and ECDSA certificates. The
cipher suite list also supports Perfect Forward Secrecy with ephemeral ECDH
key exchange. https://www.ssllabs.com/ gives a 'A' grade.
Note:
No suite is compatible with IE 8 and earlier on Windows XP. If you need IE 8
support, append "+rsa_3des_sha" to enable TLS_RSA_WITH_3DES_EDE_CBC_SHA.
# disabled cipher attributes: SSL_3DES, SSL_CAMELLIA, SSL_CAMELLIA128, SSL_CAMELLIA256, SSL_DES, SSL_DSS, SSL_MD5, SSL_RC2, SSL_RC4, SSL_aDSS, SSL_aNULL, SSL_eNULL, SSL_kECDHe, SSL_kECDHr, kECDH
# weak strength: SSL_EXPORT40, SSL_EXPORT56, SSL_LOW, SSL_STRONG_NONE
# enabled cipher suites:
# TLS_RSA_WITH_AES_128_CBC_SHA256
# TLS_RSA_WITH_AES_256_CBC_SHA256
# TLS_ECDHE_ECDSA_WITH_AES_128_GCM_SHA256
# TLS_ECDHE_ECDSA_WITH_AES_128_CBC_SHA
# TLS_ECDHE_ECDSA_WITH_AES_256_GCM_SHA384
# TLS_ECDHE_ECDSA_WITH_AES_256_CBC_SHA
# TLS_ECDHE_RSA_WITH_AES_128_GCM_SHA256
# TLS_ECDHE_RSA_WITH_AES_128_CBC_SHA
# TLS_ECDHE_RSA_WITH_AES_256_GCM_SHA384
# TLS_ECDHE_RSA_WITH_AES_256_CBC_SHA
# TLS_RSA_WITH_AES_128_GCM_SHA256
# TLS_RSA_WITH_AES_128_CBC_SHA
# TLS_RSA_WITH_AES_256_GCM_SHA384
# TLS_RSA_WITH_AES_256_CBC_SHA
#
NSSCipherSuite +aes_128_sha_256,+aes_256_sha_256,+ecdhe_ecdsa_aes_128_gcm_sha_256,+ecdhe_ecdsa_aes_128_sha,+ecdhe_ecdsa_aes_256_gcm_sha_384,+ecdhe_ecdsa_aes_256_sha,+ecdhe_rsa_aes_128_gcm_sha_256,+ecdhe_rsa_aes_128_sha,+ecdhe_rsa_aes_256_gcm_sha_384,+ecdhe_rsa_aes_256_sha,+rsa_aes_128_gcm_sha_256,+rsa_aes_128_sha,+rsa_aes_256_gcm_sha_384,+rsa_aes_256_sha
#!/usr/bin/python3
#
# Authors:
# Christian Heimes <cheimes@redhat.com>
#
# This program is free software; you can redistribute it and/or modify
# it under the terms of the GNU General Public License as published by
# the Free Software Foundation; version 2 of the License.
#
# This program is distributed in the hope that it will be useful,
# but WITHOUT ANY WARRANTY; without even the implied warranty of
# MERCHANTABILITY or FITNESS FOR A PARTICULAR PURPOSE. See the
# GNU General Public License for more details.
#
# You should have received a copy of the GNU General Public License along
# with this program; if not, write to the Free Software Foundation, Inc.,
# 51 Franklin Street, Fifth Floor, Boston, MA 02110-1301 USA.
#
# Copyright (C) 2016 Red Hat, Inc.
# All rights reserved.
#
"""Generate safe NSSCipherSuite stanza for mod_nss
"""
from __future__ import print_function
import operator
import re
# pylint: disable=import-error,no-name-in-module
from urllib.request import urlopen
# pylint: enable=import-error,no-name-in-module
SOURCE = "https://git.fedorahosted.org/cgit/mod_nss.git/plain/nss_engine_cipher.c"
CIPHER_RE = re.compile(
r'\s*\{'
r'\"(?P<name>\w+)\",\s*'
r'(?P<num>(TLS|SSL)_\w+),\s*'
r'\"(?P<openssl_name>[\w-]+)\",\s*'
r'(?P<attr>[\w|]+),\s*'
r'(?P<version>\w+),\s*'
r'(?P<strength>\w+),\s*'
r'(?P<bits>\d+),\s*'
r'(?P<alg_bits>\d+)'
)
DISABLED_CIPHERS = {
# ciphers without encryption or authentication
'SSL_eNULL', 'SSL_aNULL',
# MD5 is broken
# SHA-1 is still required as PRF algorithm for TLSv1.0
'SSL_MD5',
# RC2 and RC4 stream ciphers are broken.
'SSL_RC2', 'SSL_RC4',
# DES is broken and Triple DES is too weak.
'SSL_DES', 'SSL_3DES',
# DSA is problematic.
'SSL_DSS', 'SSL_aDSS',
# prefer AES over Camellia.
'SSL_CAMELLIA128', 'SSL_CAMELLIA256', 'SSL_CAMELLIA',
# non-ephemeral EC Diffie-Hellmann with fixed parameters are not
# used by common browser and are therefore irrelevant for HTTPS.
'kECDH', 'SSL_kECDHr', 'SSL_kECDHe'
}
WEAK_STRENGTH = {
'SSL_STRONG_NONE',
'SSL_EXPORT40',
'SSL_EXPORT56',
'SSL_LOW'
}
def parse_nss_engine_cipher(lines, encoding='utf-8'):
"""Parse nss_engine_cipher.c and get list of ciphers
:param lines: iterable or list of lines
:param encoding: default encoding
:return: list of cipher dicts
"""
ciphers = []
start = False
for line in lines:
if not isinstance(line, str):
line = line.decode(encoding)
if line.startswith('cipher_properties'):
start = True
elif not start:
continue
elif line.startswith('};'):
break
mo = CIPHER_RE.match(line)
if not mo:
continue
match = mo.groupdict()
match['attr'] = set(match['attr'].split('|'))
match['bits'] = int(match['bits'])
match['alg_bits'] = int(match['alg_bits'])
# some cipher elemets aren't flagged
for algo in ['SHA256', 'SHA384']:
if match['num'].endswith(algo):
match['attr'].add('SSL_{}'.format(algo))
# cipher block chaining isn't tracked
if '_CBC' in match['num']:
match['attr'].add('SSL_CBC')
if match['attr'].intersection(DISABLED_CIPHERS):
match['enabled'] = False
elif match['strength'] in WEAK_STRENGTH:
match['enabled'] = False
else:
match['enabled'] = True
# EECDH + AES-CBC and large hash functions is slow and not more secure
if (match['attr'].issuperset({'SSL_CBC', 'SSL_kEECDH'}) and
match['attr'].intersection({'SSL_SHA256', 'SSL_SHA384'})):
match['enabled'] = False
ciphers.append(match)
ciphers.sort(key=operator.itemgetter('name'))
return ciphers
def main():
with urlopen(SOURCE) as r:
ciphers = parse_nss_engine_cipher(r)
# with open('nss_engine_cipher.c') as f:
# ciphers = parse_nss_engine_cipher(f)
print("# disabled cipher attributes: {}".format(
', '.join(sorted(DISABLED_CIPHERS))))
print("# weak strength: {}".format(', '.join(sorted(WEAK_STRENGTH))))
print("# enabled cipher suites:")
suite = []
for cipher in ciphers:
if cipher['enabled']:
print("# {:36}".format(cipher['num']))
suite.append('+{}'.format(cipher['name']))
print()
print("NSSCipherSuite {}".format(','.join(suite)))
if __name__ == '__main__':
main()
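Review bot: `main()` prints an `NSSCipherSuite` line even when `parse_nss_engine_cipher()` returns nothing, so a moved or reformatted upstream file, or unexpected content served at `SOURCE`, yields an empty directive instead of a failure. Because the output is meant for TLS configuration, fail closed after the loop with `if not suite: raise SystemExit("no cipher suites parsed from " + SOURCE)`. `SOURCE` also points at a mutable branch with no pinned revision or checksum, and `urlopen(SOURCE)` is called without a `timeout`. Generating from a reviewed local copy, as the commented-out `open('nss_engine_cipher.c')` lines do, would make the list reproducible.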
......@@ -240,22 +240,26 @@ ipa_topo_post_del(Slapi_PBlock *pb)
/* check if corresponding agreement exists and delete */
TopoReplica *tconf = ipa_topo_util_get_conf_for_segment(del_entry);
TopoReplicaSegment *tsegm = NULL;
char *status;
int obsolete_segment;
Slapi_Value *obsolete_sv;
if (tconf) tsegm = ipa_topo_util_find_segment(tconf, del_entry);
if (tsegm == NULL) {
slapi_log_error(SLAPI_LOG_FATAL, IPA_TOPO_PLUGIN_SUBSYSTEM,
"segment to be deleted does not exist\n");
break;
}
status = slapi_entry_attr_get_charptr(del_entry, "ipaReplTopoSegmentStatus");
if (status == NULL || strcasecmp(status, SEGMENT_OBSOLETE_STR)) {
obsolete_sv = slapi_value_new_string(SEGMENT_OBSOLETE_STR);
obsolete_segment = slapi_entry_attr_has_syntax_value(del_entry, "ipaReplTopoSegmentStatus", obsolete_sv);
slapi_value_free(&obsolete_sv);
if (!obsolete_segment) {
/* obsoleted segments are a result of merge, do not remove repl agmt */
ipa_topo_util_existing_agmts_del(tconf, tsegm,
ipa_topo_get_plugin_hostname());
}
/* also remove segment from local topo conf */
ipa_topo_cfg_segment_del(tconf, tsegm);
slapi_ch_free_string(&status);
break;
}
case TOPO_DOMLEVEL_ENTRY: {
......
freeipa (4.7.0~pre2-1) UNRELEASED; urgency=medium
* New upstream prerelease.
- fix-version.diff: Dropped, not needed
- hack-duplicate-cert-directive.diff: Dropped, fixed upstream
* tests/server-install: Fix the fake domain, single label domains are not
supported anymore.
* tests: If the server install fails, just dump the log and exit
successfully.
* server.postinst: Fix upgrade from earlier version.
-- Timo Aaltonen <tjaalton@debian.org> Wed, 18 Apr 2018 17:50:11 +0300
freeipa (4.7.0~pre1+git20180411-2) experimental; urgency=medium
* fix-bind-ldap-so-path.diff: Dropped, the plugin uses non-MA path
now, fix depends to match.
* control: Add python-augeas to python-ipaclient depends. (LP: #1764615)
* ldap-multiarch.diff: Replace hack-libarch.diff with a new patch to
support more than x86. (LP: #1600634)
-- Timo Aaltonen <tjaalton@debian.org> Tue, 17 Apr 2018 23:47:32 +0300
freeipa (4.7.0~pre1+git20180411-1) experimental; urgency=medium
* New upstream prerelease + git snapshot.
......
......@@ -64,6 +64,7 @@ Breaks: freeipa-client (<< 4.3.0-1)
Replaces: freeipa-client (<< 4.3.0-1)
Depends:
freeipa-common (= ${binary:Version}),
python-augeas,
python-dnspython,
python-ipalib (>= ${source:Version}),
python-jinja2,
......
......@@ -60,7 +60,7 @@ Replaces: freeipa-server (<< 4.3.0-1)
Depends:
freeipa-server (>= ${source:Version}),
bind9 (>= 1:9.11.3),
bind9-dyndb-ldap (>= 11),
bind9-dyndb-ldap (>= 11.1-3),
opendnssec (>= 1:1.4.9-2),
${misc:Depends},
${python:Depends},
......
......@@ -17,6 +17,25 @@ if [ "$1" = configure ]; then
ipaapi > $OUT
fi
# fix upgrade
if dpkg --compare-versions "$2" lt "4.7.0~pre2-1"; then
# mod_nss needs to be disabled before mod_ssl is enabled
if [ -e /etc/apache2/mods-enabled/nss.load ]; then
. /usr/share/apache2/apache2-maintscript-helper
apache2_invoke dismod nss || exit $?
# and if that's not enough, just remove the links to be sure
rm /etc/apache2/mods-enabled/nss.load rm /etc/apache2/mods-enabled/nss.conf
fi
# this is new in tmpfiles.d/ipa.conf, need to create it here
# for the upgrader
if [ ! -e /var/run/ipa/ccaches ]; then
mkdir /var/run/ipa/ccaches
chown ipaapi:ipaapi /var/run/ipa/ccaches
chmod 770 /var/run/ipa/ccaches
fi
fi
chmod 711 /var/lib/ipa/sysrestore > $OUT || true
chmod 700 /var/lib/ipa/passwds > $OUT || true
chmod 700 /var/lib/ipa/private > $OUT || true
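Review bot: In the upgrade block, `rm /etc/apache2/mods-enabled/nss.load rm /etc/apache2/mods-enabled/nss.conf` passes a stray `rm` as a file name and has no `-f`, so it returns non-zero whenever `apache2_invoke dismod nss` has already removed the links. Whether that aborts the postinst depends on a `set -e` that would be above this hunk. Use `rm -f /etc/apache2/mods-enabled/nss.load /etc/apache2/mods-enabled/nss.conf`. The credential-cache directory is also created with root ownership and the default umask before `chown` and `chmod` narrow it, and `mkdir` fails if `/var/run/ipa` is missing. `install -d -o ipaapi -g ipaapi -m 770 /var/run/ipa/ccaches` would create it with the final owner and mode in one step.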
......
--- a/ipaplatform/debian/paths.py
+++ b/ipaplatform/debian/paths.py
@@ -60,6 +60,7 @@ class DebianPathNamespace(BasePathNamesp
SBIN_SERVICE = "/usr/sbin/service"
CERTMONGER_COMMAND_TEMPLATE = "/usr/lib/ipa/certmonger/%s"
UPDATE_CA_TRUST = "/usr/sbin/update-ca-certificates"
+ BIND_LDAP_SO = "/usr/lib/{0}/bind/ldap.so".format(MULTIARCH)
BIND_LDAP_DNS_IPA_WORKDIR = "/var/cache/bind/dyndb-ldap/ipa/"
BIND_LDAP_DNS_ZONE_WORKDIR = "/var/cache/bind/dyndb-ldap/ipa/master/"
LIBSOFTHSM2_SO = "/usr/lib/softhsm/libsofthsm2.so"
--- a/VERSION.m4
+++ b/VERSION.m4
@@ -31,7 +31,7 @@ define(IPA_VERSION_RELEASE, 90)
# e.g. define(IPA_VERSION_PRE_RELEASE, rc1) #
# -> "1.0.0rc1" #
########################################################
-define(IPA_VERSION_PRE_RELEASE, .pre1)
+define(IPA_VERSION_PRE_RELEASE, .pre1+git20180411)
########################################################
# To mark GIT snapshots this should be set to 'yes' #
@@ -46,7 +46,7 @@ define(IPA_VERSION_PRE_RELEASE, .pre1)
# This option works only with GNU m4: #
# it requires esyscmd m4 macro. #
########################################################
-define(IPA_VERSION_IS_GIT_SNAPSHOT, yes)
+define(IPA_VERSION_IS_GIT_SNAPSHOT, no)
########################################################
# git development branch: #
Needed until https://pagure.io/freeipa/issue/7490 is fixed
--- a/ipaserver/install/httpinstance.py
+++ b/ipaserver/install/httpinstance.py
@@ -414,6 +414,7 @@ class HTTPInstance(service.Service):
installutils.set_directive(paths.HTTPD_SSL_SITE_CONF,
'SSLCACertificateFile',
paths.IPA_CA_CRT, False)
+ os.system('sed -i "/snakeoil.pem/d" /etc/apache2/sites-available/default-ssl.conf')
def __publish_ca_cert(self):
ca_subject = self.cert.issuer
--- a/ipaserver/install/ldapupdate.py
+++ b/ipaserver/install/ldapupdate.py
@@ -330,9 +330,9 @@ class LDAPUpdate(object):
bits = platform.architecture()[0]
if bits == "64bit":
- return "64"
+ return "/x86_64-linux-gnu"
else:
- return ""
+ return "/i386-linux-gnu"
def _template_str(self, s):
try:
--- a/ipaplatform/debian/paths.py
+++ b/ipaplatform/debian/paths.py
@@ -65,6 +65,7 @@ class DebianPathNamespace(BasePathNamesp
UPDATE_CA_TRUST = "/usr/sbin/update-ca-certificates"
BIND_LDAP_DNS_IPA_WORKDIR = "/var/cache/bind/dyndb-ldap/ipa/"
BIND_LDAP_DNS_ZONE_WORKDIR = "/var/cache/bind/dyndb-ldap/ipa/master/"
+ LIBARCH = "/{0}".format(MULTIARCH)
LIBSOFTHSM2_SO = "/usr/lib/softhsm/libsofthsm2.so"
PAM_KRB5_SO = "/usr/lib/{0}/security/pam_krb5.so".format(MULTIARCH)
LIB_SYSTEMD_SYSTEMD_DIR = "/lib/systemd/system/"
--- a/ipaserver/install/ldapupdate.py
+++ b/ipaserver/install/ldapupdate.py
@@ -42,6 +42,7 @@ from ipalib import api, create_api
from ipalib import constants
from ipaplatform.paths import paths
from ipapython.dn import DN
+from ipaplatform import NAME
if six.PY3:
unicode = str
@@ -327,12 +328,15 @@ class LDAPUpdate(object):
etc. Determine if a suffix is needed based on the current
architecture.
"""
- bits = platform.architecture()[0]
-
- if bits == "64bit":
- return "64"
+ if NAME is 'debian':
+ return paths.LIBARCH
else:
- return ""
+ bits = platform.architecture()[0]
+
+ if bits == "64bit":
+ return "64"
+ else:
+ return ""
def _template_str(self, s):
try:
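Review bot: `if NAME is 'debian':` in the added branch compares object identity rather than string equality, so it is true only when the interpreter happens to intern both strings, and newer CPython releases emit a SyntaxWarning for `is` with a literal. Use `if NAME == 'debian':`. When the identity test is false on a Debian host, the code falls through to the `platform.architecture()` branch and returns `"64"` or `""`, the non-multiarch suffix this patch is meant to replace. The function's signature is above the hunk.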
......@@ -2,17 +2,14 @@
fix-apache-ssl-setup.diff
# not upstreamable
hack-libarch.diff
# send upstream
ldap-multiarch.diff
fix-replicainstall.diff
create-sysconfig-ods.diff
fix-named-conf-template.diff
fix-opendnssec-setup.diff
fix-httpd-group.diff
support-pam-mkhomedir.diff
fix-bind-ldap-so-path.diff
fix-paths.diff
hack-tomcat-race.diff
hack-duplicate-cert-directive.diff
fix-version.diff
......@@ -13,7 +13,7 @@ if [ -z $HOSTNAME ]; then
echo $HOSTNAME > /etc/hostname
fi
echo "$IP $HOSTNAME.debci $HOSTNAME" >> /etc/hosts
echo "$IP $HOSTNAME.debci.ipatest $HOSTNAME" >> /etc/hosts
echo "/etc/hosts now has:"
cat /etc/hosts
......@@ -29,17 +29,17 @@ fi
ipa-server-install \
-U \
-r DEBCI \
-n debci \
-r DEBCI.IPATEST \
-n debci.ipatest \
-p Secret123 \
-a Secret123 \
--ip-address=$IP \
--setup-dns \
--no-forwarders \
--hostname=$HOSTNAME.debci
--hostname=$HOSTNAME.debci.ipatest
if [ $? != 0 ]; then
echo ">>>>> IPASERVER log >>>>>>>"
cat /var/log/ipaserver-install.log
exit 1
exit 0
fi