[Pkg-freeipa-devel] freeipa: Changes to 'master'

Timo Aaltonen tjaalton at moszumanska.debian.org
Tue Nov 11 08:27:05 UTC 2014


 VERSION                                           |    2 -
 daemons/ipa-slapi-plugins/ipa-pwd-extop/prepost.c |   26 +++++++-------
 debian/changelog                                  |   26 ++++++++++++++
 debian/control                                    |   16 +++++----
 debian/copyright                                  |    2 -
 debian/freeipa-server.install                     |    1 
 debian/freeipa-server.lintian-overrides           |    3 +
 debian/freeipa-server.postinst                    |    1 
 debian/patches/add-debian-platform.diff           |   29 ++++++++--------
 debian/patches/fix-bind-conf.diff                 |   39 ++++++++++++++++++++++
 debian/patches/series                             |    1 
 debian/rules                                      |   10 ++++-
 install/updates/10-schema_compat.update           |   30 +++++++++++-----
 ipaserver/install/ldapupdate.py                   |    6 +++
 ipaserver/install/plugins/updateclient.py         |    3 +
 15 files changed, 147 insertions(+), 48 deletions(-)

New commits:
commit 33eff3c54878428a6ce418c014a8e96c0fd59796
Author: Timo Aaltonen <tjaalton at debian.org>
Date:   Tue Nov 11 08:17:45 2014 +0200

    platform: Handle /etc/default/nfs-common and /etc/default/autofs. (Closes: #769037)
    
    and drop NSS_DB_DIR which is inherited already

diff --git a/debian/changelog b/debian/changelog
index cd452d1..7045810 100644
--- a/debian/changelog
+++ b/debian/changelog
@@ -19,6 +19,8 @@ freeipa (4.0.5-1) UNRELEASED; urgency=medium
     for easier backporting.
   * control: Add python-dateutils to server, and python-dbus and python-
     memcache to python-freeipa dependencies. (Closes: #768187)
+  * platform: Handle /etc/default/nfs-common and /etc/default/autofs,
+    drop NSS_DB_DIR since it's inherited already. (Closes: #769037)
 
  -- Timo Aaltonen <tjaalton at debian.org>  Tue, 04 Nov 2014 12:16:54 +0200
 
diff --git a/debian/patches/add-debian-platform.diff b/debian/patches/add-debian-platform.diff
index de84ec4..f71be9c 100644
--- a/debian/patches/add-debian-platform.diff
+++ b/debian/patches/add-debian-platform.diff
@@ -31,7 +31,7 @@ Date:   Fri Mar 1 12:21:00 2013 +0200
 +"""
 --- /dev/null
 +++ b/ipaplatform/debian/paths.py
-@@ -0,0 +1,69 @@
+@@ -0,0 +1,70 @@
 +# Authors:
 +#   Timo Aaltonen <tjaalton at ubuntu.com>
 +#
@@ -61,9 +61,6 @@ Date:   Fri Mar 1 12:21:00 2013 +0200
 +
 +
 +class DebianPathNamespace(BasePathNamespace):
-+    OPENLDAP_LDAP_CONF = "/etc/ldap/ldap.conf"
-+    NSS_DB_DIR = "/etc/pki/nssdb"
-+    SBIN_SERVICE = "/usr/sbin/service"
 +    ETC_HTTPD_DIR = "/etc/apache2"
 +    HTTPD_ALIAS_DIR = "/etc/apache2/nssdb"
 +    ALIAS_CACERT_ASC = "/etc/apache2/nssdb/cacert.asc"
@@ -75,21 +72,26 @@ Date:   Fri Mar 1 12:21:00 2013 +0200
 +    HTTPD_NSS_CONF = "/etc/apache2/mods-available/nss.conf"
 +    IPA_KEYTAB = "/etc/apache2/ipa.keytab"
 +    HTTPD_PASSWORD_CONF = "/etc/apache2/password.conf"
-+    ETC_SYSCONFIG_DIR = "/etc/default"
-+    SYSCONFIG_PKI = "/etc/dogtag/"
-+    SYSCONFIG_PKI_TOMCAT = "/etc/default/pki-tomcat"
-+    SYSCONFIG_PKI_TOMCAT_PKI_TOMCAT_DIR = "/etc/dogtag/tomcat/pki-tomcat"
-+    SYSCONFIG_DIRSRV = "/etc/default/dirsrv"
-+    SYSCONFIG_DIRSRV_INSTANCE = "/etc/default/dirsrv-%s"
-+    SYSCONFIG_DIRSRV_SYSTEMD = "/etc/default/dirsrv.systemd"
-+    HTTPD = "/usr/sbin/apache2ctl"
-+    BIND_LDAP_SO = "/usr/share/doc/bind9-dyndb-ldap/copyright"
 +    NAMED_CONF = "/etc/bind/named.conf"
 +    NAMED_KEYTAB = "/etc/bind/named.keytab"
 +    NAMED_RFC1912_ZONES = "/etc/bind/named.conf.default-zones"
++    OPENLDAP_LDAP_CONF = "/etc/ldap/ldap.conf"
 +    ETC_DEBIAN_VERSION = "/etc/debian_version"
++    ETC_SYSCONFIG_DIR = "/etc/default"
++    SYSCONFIG_AUTOFS = "/etc/default/autofs"
++    SYSCONFIG_DIRSRV = "/etc/default/dirsrv"
++    SYSCONFIG_DIRSRV_INSTANCE = "/etc/default/dirsrv-%s"
++    SYSCONFIG_DIRSRV_SYSTEMD = "/etc/default/dirsrv.systemd"
++    SYSCONFIG_KRB5KDC_DIR = "/etc/default/krb5-kdc"
++    SYSCONFIG_NFS = "/etc/default/nfs-common"
 +    SYSCONFIG_NTPD = "/etc/default/ntp"
++    SYSCONFIG_PKI = "/etc/dogtag/"
++    SYSCONFIG_PKI_TOMCAT = "/etc/default/pki-tomcat"
++    SYSCONFIG_PKI_TOMCAT_PKI_TOMCAT_DIR = "/etc/dogtag/tomcat/pki-tomcat"
++    SBIN_SERVICE = "/usr/sbin/service"
++    BIND_LDAP_SO = "/usr/share/doc/bind9-dyndb-ldap/copyright"
 +    LIB_SYSTEMD_SYSTEMD_DIR = "/lib/systemd/system/"
++    HTTPD = "/usr/sbin/apache2ctl"
 +    SETUP_DS_PL = "/usr/sbin/setup-ds"
 +    VAR_KERBEROS_KRB5KDC_DIR = "/var/lib/krb5kdc/"
 +    VAR_KRB5KDC_K5_REALM = "/var/lib/krb5kdc/.k5."
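Review bot: The fact that `NSS_DB_DIR` is no longer overridden on Debian and now falls through to `BasePathNamespace` is the one security-relevant change in this hunk, yet it is invisible in the new text: the only net additions are `SYSCONFIG_AUTOFS` and `SYSCONFIG_NFS`, while the other added lines re-insert paths removed at L63-L65, L73-L81 and L109 in alphabetical order. Make the fall-through explicit near the top of the class, e.g. `# NSS_DB_DIR is deliberately not overridden here; the BasePathNamespace value is correct on Debian (Closes: #769037)`, and consider landing the pure reorder as its own change so the next reviewer can diff the real delta. That the inherited value still equals the old `/etc/pki/nssdb` is taken from the commit message and cannot be confirmed from the hunk.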
@@ -97,7 +99,6 @@ Date:   Fri Mar 1 12:21:00 2013 +0200
 +    KRB5KDC_KDC_CONF = "/var/lib/krb5kdc/kdc.conf"
 +    KDC_PEM = "/var/lib/krb5kdc/kdc.pem"
 +    VAR_LOG_HTTPD_DIR = "/var/log/apache2"
-+    SYSCONFIG_KRB5KDC_DIR = "/etc/default/krb5-kdc"
 +    GENERATE_RNDC_KEY = "/usr/share/ipa/generate-rndc-key.sh"
 +
 +paths = DebianPathNamespace()

commit 0d8b1f1e95f4384a7c5e571c2bd4c2b0c246566a
Author: Timo Aaltonen <tjaalton at debian.org>
Date:   Fri Nov 7 11:43:26 2014 +0200

    bump dyndb-ldap dep

diff --git a/debian/changelog b/debian/changelog
index 4f4aefd..cd452d1 100644
--- a/debian/changelog
+++ b/debian/changelog
@@ -11,7 +11,7 @@ freeipa (4.0.5-1) UNRELEASED; urgency=medium
   * rules: Fix /var/lib/ipa/backup permissions.
   * Add non-standard-dir-perm to server lintian overrides.
   * copyright: Fix a typo.
-  * control: Bump dependency on bind9-dyndb-ldap to 6.0-3~.
+  * control: Bump dependency on bind9-dyndb-ldap to 6.0-4~.
   * control: Move dependency on python-qrcode and python-yubico from
     server to python-freeipa and drop python-selinux which belongs to
     pki-server.
diff --git a/debian/control b/debian/control
index 99bc1f8..dfe87bd 100644
--- a/debian/control
+++ b/debian/control
@@ -66,7 +66,7 @@ Depends:
  acl,
  apache2,
  bind9,
- bind9-dyndb-ldap (>= 6.0-3~),
+ bind9-dyndb-ldap (>= 6.0-4~),
  certmonger (>= 0.75.14),
  dogtag-pki-server-theme,
  fonts-font-awesome,

commit 0fad84cc463f96337816acbccf7fb2a2790de519
Author: Timo Aaltonen <tjaalton at debian.org>
Date:   Fri Nov 7 11:42:40 2014 +0200

    bump changelog, fix a typo

diff --git a/debian/changelog b/debian/changelog
index 538f2cb..4f4aefd 100644
--- a/debian/changelog
+++ b/debian/changelog
@@ -1,12 +1,14 @@
-freeipa (4.0.4-3) UNRELEASED; urgency=medium
+freeipa (4.0.5-1) UNRELEASED; urgency=medium
 
+  * New upstream release
+    - Fix CVE-2014-7828. (Closes: #768294)
   * control: Update my email address.
   * fix-bind-conf.diff, add-debian-platform.diff: Fix bind config
     template to use Debian specific paths, and replace named.conf not
     named.conf.local. (Closes: #768122)
   * rules, -server.postinst: Create /var/cache/bind/data owned by bind
     user.
-  * rules: Fix var/lib/ipa/backup permissions.
+  * rules: Fix /var/lib/ipa/backup permissions.
   * Add non-standard-dir-perm to server lintian overrides.
   * copyright: Fix a typo.
   * control: Bump dependency on bind9-dyndb-ldap to 6.0-3~.

commit 34d6b0f7409974944e2a27850c2301547954c2ba
Author: Timo Aaltonen <tjaalton at debian.org>
Date:   Fri Nov 7 11:08:09 2014 +0200

    control: Add python-dateutils to server, and python-dbus and python- memcache to python-freeipa dependencies. (Closes: #768187)

diff --git a/debian/changelog b/debian/changelog
index c533354..538f2cb 100644
--- a/debian/changelog
+++ b/debian/changelog
@@ -15,6 +15,8 @@ freeipa (4.0.4-3) UNRELEASED; urgency=medium
     pki-server.
   * control: Relax libxmlrpc-core-c3-dev buil-dep and 389-ds-base dep
     for easier backporting.
+  * control: Add python-dateutils to server, and python-dbus and python-
+    memcache to python-freeipa dependencies. (Closes: #768187)
 
  -- Timo Aaltonen <tjaalton at debian.org>  Tue, 04 Nov 2014 12:16:54 +0200
 
diff --git a/debian/control b/debian/control
index 9edbe6e..99bc1f8 100644
--- a/debian/control
+++ b/debian/control
@@ -90,6 +90,7 @@ Depends:
  python-freeipa (= ${binary:Version}),
  python-krbv,
  python-ldap,
+ python-dateutil,
  python-pyasn1,
  slapi-nis (>= 0.54),
  ${misc:Depends},
@@ -192,11 +193,13 @@ Depends:
  gnupg,
  iproute,
  keyutils,
+ python-dbus,
  python-dnspython,
  python-kerberos,
  python-ldap,
  python-libipa-hbac,
  python-lxml,
+ python-memcache,
  python-netaddr,
  python-nss,
  python-openssl,

commit 65a0b586ef72318bf3821a5252f89606e907fa56
Author: Petr Vobornik <pvoborni at redhat.com>
Date:   Thu Nov 6 12:47:20 2014 +0100

    Become IPA 4.0.5

diff --git a/VERSION b/VERSION
index af988d0..e64d5ea 100644
--- a/VERSION
+++ b/VERSION
@@ -20,7 +20,7 @@
 ########################################################
 IPA_VERSION_MAJOR=4
 IPA_VERSION_MINOR=0
-IPA_VERSION_RELEASE=4
+IPA_VERSION_RELEASE=5
 
 ########################################################
 # For 'pre' releases the version will be               #

commit 013e2eae2041729d5ee6ad4dc825bc4f24234ec6
Author: Nathaniel McCallum <npmccallum at redhat.com>
Date:   Wed Nov 5 13:50:41 2014 -0500

    Ensure that a password exists after OTP validation
    
    Before this patch users could log in using only the OTP value. This
    arose because ipapwd_authentication() successfully determined that
    an empty password was invalid, but 389 itself would see this as an
    anonymous bind. An anonymous bind would never even get this far in
    this code, so we simply deny requests with empty passwords.
    
    This patch resolves CVE-2014-7828.
    
    https://fedorahosted.org/freeipa/ticket/4690
    
    Reviewed-By: Alexander Bokovoy <abokovoy at redhat.com>

diff --git a/daemons/ipa-slapi-plugins/ipa-pwd-extop/prepost.c b/daemons/ipa-slapi-plugins/ipa-pwd-extop/prepost.c
index 60ceaaa..1f595d0 100644
--- a/daemons/ipa-slapi-plugins/ipa-pwd-extop/prepost.c
+++ b/daemons/ipa-slapi-plugins/ipa-pwd-extop/prepost.c
@@ -1446,12 +1446,12 @@ static int ipapwd_pre_bind(Slapi_PBlock *pb)
 
     /* Try to do OTP first. */
     syncreq = sync_request_present(pb);
-    if (!syncreq && !ipapwd_pre_bind_otp(dn, entry, credentials)) {
-        slapi_entry_free(entry);
-        slapi_send_ldap_result(pb, LDAP_INVALID_CREDENTIALS,
-                               NULL, NULL, 0, NULL);
-        return 1;
-    }
+    if (!syncreq && !ipapwd_pre_bind_otp(dn, entry, credentials))
+        goto invalid_creds;
+
+    /* Ensure that there is a password. */
+    if (credentials->bv_len == 0)
+        goto invalid_creds;
 
     /* Authenticate the user. */
     ret = ipapwd_authenticate(dn, entry, credentials);
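Review bot: The new `bv_len == 0` check carries no why-comment, and its position after `ipapwd_pre_bind_otp()` is load-bearing: if that helper trims the token suffix off `credentials` (the ordering suggests so, but the helper is outside the hunk) the check is correctly testing the remaining password and must stay where it is; if it does not, a bind carrying a valid OTP and no password still consumes the token before being refused, and the check could move ahead of the OTP call. Replace `/* Ensure that there is a password. */` with a comment that records the reason, e.g. `/* An empty password must be refused here: 389-ds treats empty credentials as an anonymous bind, so a failed ipapwd_authenticate() would not stop it (CVE-2014-7828). Keep this after the OTP step, which strips the token from credentials. */` (drop the last sentence if that is not what the helper does). `credentials` is fetched above the hunk; if it can be NULL there, the new dereference needs a guard, though the pre-existing OTP call already takes the same pointer. `ipapwd_pre_bind` begins and ends outside this hunk.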
@@ -1461,18 +1461,20 @@ static int ipapwd_pre_bind(Slapi_PBlock *pb)
     }
 
     /* Attempt to handle a token synchronization request. */
-    if (syncreq && !sync_request_handle(ipapwd_get_plugin_id(), pb, dn)) {
-        slapi_entry_free(entry);
-        slapi_send_ldap_result(pb, LDAP_INVALID_CREDENTIALS,
-                               NULL, NULL, 0, NULL);
-        return 1;
-    }
+    if (syncreq && !sync_request_handle(ipapwd_get_plugin_id(), pb, dn))
+        goto invalid_creds;
 
     /* Attempt to write out kerberos keys for the user. */
     ipapwd_write_krb_keys(pb, dn, entry, credentials);
 
     slapi_entry_free(entry);
     return 0;
+
+invalid_creds:
+    slapi_entry_free(entry);
+    slapi_send_ldap_result(pb, LDAP_INVALID_CREDENTIALS,
+                           NULL, NULL, 0, NULL);
+    return 1;
 }
 
 /* Init pre ops */

commit a56a6aff88e9f3fd092fe45056aeb19f15cc2f9f
Author: Thierry bordaz (tbordaz) <tbordaz at redhat.com>
Date:   Wed Oct 29 16:23:03 2014 +0100

    Deadlock in schema compat plugin (between automember_update_membership task and dse update)
    
    	Defining schema-compat-ignore-subtree values for schema compat plugin config entries removes the
    	default value (ignore: cn=tasks,cn=config). This default value prevented deadlocks.
    	Schema plugin needs to scope the $SUFFIX and also any updates to its configuration.
    	This change restrict the schema compat to those subtrees. It replaces the definition of ignored subtrees
    	that would be too long for cn=config (tasks, mapping tree, replication, snmp..)
    
    https://fedorahosted.org/freeipa/ticket/4635
    
    Reviewed-By: Martin Basti <mbasti at redhat.com>
    Reviewed-By: Alexander Bokovoy <abokovoy at redhat.com>

diff --git a/install/updates/10-schema_compat.update b/install/updates/10-schema_compat.update
index e5bc703..e462bb2 100644
--- a/install/updates/10-schema_compat.update
+++ b/install/updates/10-schema_compat.update
@@ -18,15 +18,19 @@ add: schema-compat-entry-attribute: 'sudoRunAsUser=%ifeq("ipaSudoRunAsUserCatego
 add: schema-compat-entry-attribute: 'sudoRunAsUser=%ifeq("ipaSudoRunAsUserCategory","all","ALL","%deref_f(\"ipaSudoRunAs\",\"(objectclass=posixAccount)\",\"uid\")")'
 add: schema-compat-entry-attribute: 'sudoRunAsGroup=%ifeq("ipaSudoRunAsGroupCategory","all","ALL","%{ipaSudoRunAsExtGroup}")'
 add: schema-compat-entry-attribute: 'sudoRunAsGroup=%ifeq("ipaSudoRunAsGroupCategory","all","ALL","%deref_f(\"ipaSudoRunAsGroup\",\"(objectclass=posixGroup)\",\"cn\")")'
-add: schema-compat-ignore-subtree: cn=changelog
-add: schema-compat-ignore-subtree: o=ipaca
+remove: schema-compat-ignore-subtree: cn=changelog
+remove: schema-compat-ignore-subtree: o=ipaca
+add: schema-compat-restrict-subtree: '$SUFFIX'
+add: schema-compat-restrict-subtree: 'cn=Schema Compatibility,cn=plugins,cn=config'
 
 # Change padding for host and userCategory so the pad returns the same value
 # as the original, '' or -.
 dn: cn=ng,cn=Schema Compatibility,cn=plugins,cn=config
 replace: schema-compat-entry-attribute:'nisNetgroupTriple=(%link("%ifeq(\"hostCategory\",\"all\",\"\",\"%collect(\\\"%{externalHost}\\\",\\\"%deref(\\\\\\\"memberHost\\\\\\\",\\\\\\\"fqdn\\\\\\\")\\\",\\\"%deref_r(\\\\\\\"member\\\\\\\",\\\\\\\"fqdn\\\\\\\")\\\",\\\"%deref_r(\\\\\\\"memberHost\\\\\\\",\\\\\\\"member\\\\\\\",\\\\\\\"fqdn\\\\\\\")\\\")\")","-",",","%ifeq(\"userCategory\",\"all\",\"\",\"%collect(\\\"%deref(\\\\\\\"memberUser\\\\\\\",\\\\\\\"uid\\\\\\\")\\\",\\\"%deref_r(\\\\\\\"member\\\\\\\",\\\\\\\"uid\\\\\\\")\\\",\\\"%deref_r(\\\\\\\"memberUser\\\\\\\",\\\\\\\"member\\\\\\\",\\\\\\\"uid\\\\\\\")\\\")\")","-"),%{nisDomainName:-})::nisNetgroupTriple=(%link("%ifeq(\"hostCategory\",\"all\",\"\",\"%collect(\\\"%{externalHost}\\\",\\\"%deref(\\\\\\\"memberHost\\\\\\\",\\\\\\\"fqdn\\\\\\\")\\\",\\\"%deref_r(\\\\\\\"member\\\\\\\",\\\\\\\"fqdn\\\\\\\")\\\",\\\"%deref_r(\\\\\\\"memberHost\\\\\\\",\\\\\\\"member\\\\\\\",\\\\\\\"fqdn\\\\\\\")\\\")\")","%ifeq(\"hostCategory\",\"all\",\"\",\"-\")",",","%ifeq(\"userCategory\",\"all\",\"\",\"%collect(\\\"%deref(\\\\\\\"memberUser\\\\\\\",\\\\\\\"uid\\\\\\\")\\\",\\\"%deref_r(\\\\\\\"member\\\\\\\",\\\\\\\"uid\\\\\\\")\\\",\\\"%deref_r(\\\\\\\"memberUser\\\\\\\",\\\\\\\"member\\\\\\\",\\\\\\\"uid\\\\\\\")\\\")\")","%ifeq(\"userCategory\",\"all\",\"\",\"-\")"),%{nisDomainName:-})'
-add: schema-compat-ignore-subtree: cn=changelog
-add: schema-compat-ignore-subtree: o=ipaca
+remove: schema-compat-ignore-subtree: cn=changelog
+remove: schema-compat-ignore-subtree: o=ipaca
+add: schema-compat-restrict-subtree: '$SUFFIX'
+add: schema-compat-restrict-subtree: 'cn=Schema Compatibility,cn=plugins,cn=config'
 
 dn: cn=computers, cn=Schema Compatibility, cn=plugins, cn=config
 default:objectClass: top
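Review bot: The switch from `ignore-subtree` to `restrict-subtree` is not explained anywhere in the file, and the restrict list is now the boundary for what the compat plugin reads and mirrors: `cn=changelog` and `o=ipaca`, whose explicit ignores are being removed, are excluded only by omission, and any subtree the plugin must see in future has to be added to every stanza here. Add a comment above the first `remove:` line, e.g. `# Restrict rather than ignore: an ignore list cannot name every cn=config subtree (tasks, mapping tree, replication, snmp), and losing the default cn=tasks,cn=config ignore caused deadlocks with the automember task (ticket 4635)`. Whether `remove:` is tolerated when the value is absent (fresh installs that never had the `add:`) is not visible from this hunk and should be confirmed before relying on it for upgrades.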
@@ -41,19 +45,25 @@ default:schema-compat-entry-attribute: objectclass=device
 default:schema-compat-entry-attribute: objectclass=ieee802Device
 default:schema-compat-entry-attribute: cn=%{fqdn}
 default:schema-compat-entry-attribute: macAddress=%{macAddress}
-add: schema-compat-ignore-subtree: cn=changelog
-add: schema-compat-ignore-subtree: o=ipaca
+remove: schema-compat-ignore-subtree: cn=changelog
+remove: schema-compat-ignore-subtree: o=ipaca
+add: schema-compat-restrict-subtree: '$SUFFIX'
+add: schema-compat-restrict-subtree: 'cn=Schema Compatibility,cn=plugins,cn=config'
 
 dn: cn=sudoers,cn=Schema Compatibility,cn=plugins,cn=config
 add:schema-compat-entry-attribute: sudoOrder=%{sudoOrder}
 
 dn: cn=users,cn=Schema Compatibility,cn=plugins,cn=config
-add: schema-compat-ignore-subtree: cn=changelog
-add: schema-compat-ignore-subtree: o=ipaca
+remove: schema-compat-ignore-subtree: cn=changelog
+remove: schema-compat-ignore-subtree: o=ipaca
+add: schema-compat-restrict-subtree: '$SUFFIX'
+add: schema-compat-restrict-subtree: 'cn=Schema Compatibility,cn=plugins,cn=config'
 
 dn: cn=groups,cn=Schema Compatibility,cn=plugins,cn=config
-add: schema-compat-ignore-subtree: cn=changelog
-add: schema-compat-ignore-subtree: o=ipaca
+remove: schema-compat-ignore-subtree: cn=changelog
+remove: schema-compat-ignore-subtree: o=ipaca
+add: schema-compat-restrict-subtree: '$SUFFIX'
+add: schema-compat-restrict-subtree: 'cn=Schema Compatibility,cn=plugins,cn=config'
 
 dn: cn=Schema Compatibility,cn=plugins,cn=config
 # We need to run schema-compat pre-bind callback before

commit d6697b683d3f3517c41e5bbb4b9033fa860fd9d0
Author: Martin Basti <mbasti at redhat.com>
Date:   Tue Nov 4 15:59:50 2014 +0100

    Fix upgrade: do not use invalid ldap connection
    
    Ticket: https://fedorahosted.org/freeipa/ticket/4670
    Reviewed-By: Jan Cholasta <jcholast at redhat.com>

diff --git a/ipaserver/install/ldapupdate.py b/ipaserver/install/ldapupdate.py
index 6bed046..47f0399 100644
--- a/ipaserver/install/ldapupdate.py
+++ b/ipaserver/install/ldapupdate.py
@@ -889,3 +889,9 @@ class LDAPUpdate:
         self._run_updates(updates)
 
         return self.modified
+
+    def close_connection(self):
+        """Close ldap connection"""
+        if self.conn:
+            self.conn.unbind()
+            self.conn = None
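Review bot: `close_connection()` leaves `self.conn` set if `unbind()` raises, so the stale handle survives exactly in the case the caller is trying to avoid (a connection that is already unusable around a restart) and a later call would retry the unbind on it. Release the reference unconditionally by wrapping the unbind in `try`/`finally` with `self.conn = None` in the `finally`, and say in the docstring what happens next, e.g. `"""Close the LDAP connection so a stale handle is never reused after a server restart."""`. Whether a subsequent use of `self.conn` reconnects lazily is not visible here; if it does not, the docstring should state that the updater must be re-initialised after this call.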
diff --git a/ipaserver/install/plugins/updateclient.py b/ipaserver/install/plugins/updateclient.py
index 7566b6c..8f5c5b5 100644
--- a/ipaserver/install/plugins/updateclient.py
+++ b/ipaserver/install/plugins/updateclient.py
@@ -122,6 +122,9 @@ class updateclient(backend.Executioner):
         for update in self.order(updatetype):
             (restart, apply_now, res) = self.run(update.name, **kw)
             if restart:
+                # connection has to be closed before restart, otherwise
+                # ld instance will try to reuse old non-valid connection
+                ld.close_connection()
                 self.restart(dm_password, live_run)
 
             if apply_now:
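Review bot: The comment added at L419-L420 explains the mechanism but not the contract: after `ld.close_connection()` and `self.restart(...)` nothing in the hunk re-establishes a connection, so the `apply_now` path and later loop iterations depend on `ld` reconnecting on its next use, which cannot be confirmed from here. Extend the comment to state that assumption, e.g. `# close first so the stale handle is not reused across the restart; ld reconnects on next use`, or reconnect explicitly after the restart if LDAPUpdate does not do so lazily. `ld` is bound outside the hunk and the enclosing loop begins before it.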

commit 965d1073e8bbd1a318c9005f1269be6d172402b1
Author: Timo Aaltonen <tjaalton at debian.org>
Date:   Wed Nov 5 20:37:34 2014 +0200

    control: Relax libxmlrpc-core-c3-dev build-dep and 389-ds-base dep for easier backporting.

diff --git a/debian/changelog b/debian/changelog
index f24ac5c..c533354 100644
--- a/debian/changelog
+++ b/debian/changelog
@@ -13,6 +13,8 @@ freeipa (4.0.4-3) UNRELEASED; urgency=medium
   * control: Move dependency on python-qrcode and python-yubico from
     server to python-freeipa and drop python-selinux which belongs to
     pki-server.
+  * control: Relax libxmlrpc-core-c3-dev buil-dep and 389-ds-base dep
+    for easier backporting.
 
  -- Timo Aaltonen <tjaalton at debian.org>  Tue, 04 Nov 2014 12:16:54 +0200
 
diff --git a/debian/control b/debian/control
index 3a30f60..9edbe6e 100644
--- a/debian/control
+++ b/debian/control
@@ -30,7 +30,7 @@ Build-Depends:
  libtevent-dev,
  libunistring-dev,
  libverto-dev,
- libxmlrpc-core-c3-dev (>= 1.33.14),
+ libxmlrpc-core-c3-dev (>= 1.33.06),
  python-all-dev,
  python-dnspython (>= 1.11.1),
  python-kerberos,
@@ -62,7 +62,7 @@ Homepage: http://www.freeipa.org
 Package: freeipa-server
 Architecture: any
 Depends:
- 389-ds-base (>= 1.3.3.5-2),
+ 389-ds-base (>= 1.3.3.5-2~),
  acl,
  apache2,
  bind9,

commit dadffcde1d5677c737a21defc6f0e74b71eb2a55
Author: Timo Aaltonen <tjaalton at debian.org>
Date:   Wed Nov 5 19:51:23 2014 +0200

    control: Move dependency on python-qrcode and python-yubico to python-freeipa and drop python-selinux which belongs to pki-server.

diff --git a/debian/changelog b/debian/changelog
index 8c408ae..f24ac5c 100644
--- a/debian/changelog
+++ b/debian/changelog
@@ -10,6 +10,9 @@ freeipa (4.0.4-3) UNRELEASED; urgency=medium
   * Add non-standard-dir-perm to server lintian overrides.
   * copyright: Fix a typo.
   * control: Bump dependency on bind9-dyndb-ldap to 6.0-3~.
+  * control: Move dependency on python-qrcode and python-yubico from
+    server to python-freeipa and drop python-selinux which belongs to
+    pki-server.
 
  -- Timo Aaltonen <tjaalton at debian.org>  Tue, 04 Nov 2014 12:16:54 +0200
 
diff --git a/debian/control b/debian/control
index 74c9348..3a30f60 100644
--- a/debian/control
+++ b/debian/control
@@ -91,9 +91,6 @@ Depends:
  python-krbv,
  python-ldap,
  python-pyasn1,
- python-qrcode (>= 5.0.0),
- python-selinux,
- python-yubico,
  slapi-nis (>= 0.54),
  ${misc:Depends},
  ${python:Depends},
@@ -203,6 +200,8 @@ Depends:
  python-netaddr,
  python-nss,
  python-openssl,
+ python-qrcode (>= 5.0.0),
+ python-yubico,
  ${misc:Depends},
  ${python:Depends},
  ${shlibs:Depends}

commit 03eab6c951241067debfe2028384d9fd23543d1d
Author: Timo Aaltonen <tjaalton at debian.org>
Date:   Wed Nov 5 18:44:47 2014 +0200

    bump bind9-dyndb-ldap dep again

diff --git a/debian/changelog b/debian/changelog
index 63014c0..8c408ae 100644
--- a/debian/changelog
+++ b/debian/changelog
@@ -9,7 +9,7 @@ freeipa (4.0.4-3) UNRELEASED; urgency=medium
   * rules: Fix var/lib/ipa/backup permissions.
   * Add non-standard-dir-perm to server lintian overrides.
   * copyright: Fix a typo.
-  * control: Bump dependency on bind9-dyndb-ldap.
+  * control: Bump dependency on bind9-dyndb-ldap to 6.0-3~.
 
  -- Timo Aaltonen <tjaalton at debian.org>  Tue, 04 Nov 2014 12:16:54 +0200
 
diff --git a/debian/control b/debian/control
index 54f3a9f..74c9348 100644
--- a/debian/control
+++ b/debian/control
@@ -66,7 +66,7 @@ Depends:
  acl,
  apache2,
  bind9,
- bind9-dyndb-ldap (>= 6.0-2~),
+ bind9-dyndb-ldap (>= 6.0-3~),
  certmonger (>= 0.75.14),
  dogtag-pki-server-theme,
  fonts-font-awesome,

commit 04fcd775f84f6499f350a947b4050d1e93d24f6e
Author: Timo Aaltonen <tjaalton at debian.org>
Date:   Wed Nov 5 18:44:08 2014 +0200

    update fix-bind-conf.diff to not use the dot zone, as that's already on default-zones

diff --git a/debian/patches/fix-bind-conf.diff b/debian/patches/fix-bind-conf.diff
index ce3448c..61d523a 100644
--- a/debian/patches/fix-bind-conf.diff
+++ b/debian/patches/fix-bind-conf.diff
@@ -18,10 +18,20 @@
  	pid-file "/run/named/named.pid";
  
  	dnssec-enable yes;
-@@ -37,7 +37,7 @@ zone "." IN {
- 	file "named.ca";
+@@ -32,12 +32,13 @@ logging {
+ 	};
  };
  
+-zone "." IN {
+-	type hint;
+-	file "named.ca";
+-};
++// included below
++//zone "." IN {
++//	type hint;
++//	file "named.ca";
++//};
+ 
 -include "/etc/named.rfc1912.zones";
 +include "/etc/bind/named.conf.default-zones";
  
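Review bot: The `zone "." IN { ... }` block at L570-L573 stays in the template as commented-out configuration with `// included below` as its only explanation, which ends up as dead text in every generated named.conf. Delete the four commented lines and keep one explanatory line instead, `// the root hint zone comes from /etc/bind/named.conf.default-zones on Debian`, so the reader knows where the zone is declared rather than that it once was here. That named.conf.default-zones actually declares the root hints is taken from the commit message, not visible in the hunk.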

commit 7a818c10fc66d37b6a74d6008e8aa5021f3f172f
Author: Timo Aaltonen <tjaalton at debian.org>
Date:   Wed Nov 5 17:38:48 2014 +0200

    fix non-standard-dir-perm lintian overrides

diff --git a/debian/freeipa-server.lintian-overrides b/debian/freeipa-server.lintian-overrides
index 0fd7f6b..9b4b31d 100644
--- a/debian/freeipa-server.lintian-overrides
+++ b/debian/freeipa-server.lintian-overrides
@@ -5,5 +5,5 @@ web-application-should-not-depend-unconditionally-on-apache2
 # embedded versions used for better performance and function
 embedded-javascript-library
 # this is how we need them
-non-standard-dir-perm var/cache/bind/data/
-non-standard-dir-perm var/lib/ipa/backup/
+non-standard-dir-perm var/cache/bind/data/ *
+non-standard-dir-perm var/lib/ipa/backup/ *

commit 14195ded651e1bac2239d256fd6d1aa0f10ac966
Author: Timo Aaltonen <tjaalton at debian.org>
Date:   Wed Nov 5 17:14:07 2014 +0200

    set NAMED_CONF = named.conf

diff --git a/debian/changelog b/debian/changelog
index 532eab4..63014c0 100644
--- a/debian/changelog
+++ b/debian/changelog
@@ -1,8 +1,9 @@
 freeipa (4.0.4-3) UNRELEASED; urgency=medium
 
   * control: Update my email address.
-  * fix-bind-conf.diff: Fix bind config template to use Debian specific
-    paths. (Closes: #768122)
+  * fix-bind-conf.diff, add-debian-platform.diff: Fix bind config
+    template to use Debian specific paths, and replace named.conf not
+    named.conf.local. (Closes: #768122)
   * rules, -server.postinst: Create /var/cache/bind/data owned by bind
     user.
   * rules: Fix var/lib/ipa/backup permissions.
diff --git a/debian/patches/add-debian-platform.diff b/debian/patches/add-debian-platform.diff
index 5400a8a..de84ec4 100644
--- a/debian/patches/add-debian-platform.diff
+++ b/debian/patches/add-debian-platform.diff
@@ -84,7 +84,7 @@ Date:   Fri Mar 1 12:21:00 2013 +0200
 +    SYSCONFIG_DIRSRV_SYSTEMD = "/etc/default/dirsrv.systemd"
 +    HTTPD = "/usr/sbin/apache2ctl"
 +    BIND_LDAP_SO = "/usr/share/doc/bind9-dyndb-ldap/copyright"
-+    NAMED_CONF = "/etc/bind/named.conf.local"
++    NAMED_CONF = "/etc/bind/named.conf"
 +    NAMED_KEYTAB = "/etc/bind/named.keytab"
 +    NAMED_RFC1912_ZONES = "/etc/bind/named.conf.default-zones"
 +    ETC_DEBIAN_VERSION = "/etc/debian_version"
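Review bot: Pointing `NAMED_CONF` at `/etc/bind/named.conf` means the installer's template replaces the bind9 package's own conffile rather than the drop-in `named.conf.local` (the changelog in this series states that is the intent), so bind9 upgrades will see a locally modified conffile and Debian's stock `include` of `named.conf.options`/`named.conf.local` is lost unless the template reproduces it. Record that next to the assignment, e.g. `# whole-file replacement of bind9's conffile; the bind template must carry every include Debian's stock named.conf provides`. Whether the installer saves the original through sysrestore before overwriting is not visible from this hunk.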

commit 81567fcda6adfb48d00f35ea300180a3770a2241
Author: Timo Aaltonen <tjaalton at debian.org>
Date:   Wed Nov 5 14:44:24 2014 +0200

    control: Bump dependency on bind9-dyndb-ldap.

diff --git a/debian/changelog b/debian/changelog
index 4db15d1..532eab4 100644
--- a/debian/changelog
+++ b/debian/changelog
@@ -8,6 +8,7 @@ freeipa (4.0.4-3) UNRELEASED; urgency=medium
   * rules: Fix var/lib/ipa/backup permissions.
   * Add non-standard-dir-perm to server lintian overrides.
   * copyright: Fix a typo.
+  * control: Bump dependency on bind9-dyndb-ldap.
 
  -- Timo Aaltonen <tjaalton at debian.org>  Tue, 04 Nov 2014 12:16:54 +0200
 
diff --git a/debian/control b/debian/control
index 61f521b..54f3a9f 100644
--- a/debian/control
+++ b/debian/control
@@ -66,7 +66,7 @@ Depends:
  acl,
  apache2,
  bind9,
- bind9-dyndb-ldap,
+ bind9-dyndb-ldap (>= 6.0-2~),
  certmonger (>= 0.75.14),
  dogtag-pki-server-theme,
  fonts-font-awesome,

commit 877759b7a117d77e98da5ea92dcd56d7556aa152
Author: Timo Aaltonen <tjaalton at debian.org>
Date:   Wed Nov 5 14:43:30 2014 +0200

    copyright: Fix a typo.

diff --git a/debian/changelog b/debian/changelog
index dfa0da3..4db15d1 100644
--- a/debian/changelog
+++ b/debian/changelog
@@ -7,6 +7,7 @@ freeipa (4.0.4-3) UNRELEASED; urgency=medium
     user.
   * rules: Fix var/lib/ipa/backup permissions.
   * Add non-standard-dir-perm to server lintian overrides.
+  * copyright: Fix a typo.
 
  -- Timo Aaltonen <tjaalton at debian.org>  Tue, 04 Nov 2014 12:16:54 +0200
 
diff --git a/debian/copyright b/debian/copyright
index 8ab7aed..b10860a 100644
--- a/debian/copyright
+++ b/debian/copyright
@@ -49,7 +49,7 @@ License: GPL-2
 Files: install/share/05rfc2247.ldif install/share/certmap.conf.template
 Copyright: 2001, Sun Microsystems, Inc.
            2005, Red Hat, Inc.
-Copyright: GPL-2
+License: GPL-2
 
 Files: install/ui/css/patternfly.css
 Copyright: Nicolas Gallagher

commit bc8d3b377a085dc61c694f16e5c75bf0116b0f8d
Author: Timo Aaltonen <tjaalton at debian.org>
Date:   Wed Nov 5 14:42:37 2014 +0200

    Add non-standard-dir-perm to server lintian overrides.

diff --git a/debian/changelog b/debian/changelog
index 260fc18..dfa0da3 100644
--- a/debian/changelog
+++ b/debian/changelog
@@ -6,6 +6,7 @@ freeipa (4.0.4-3) UNRELEASED; urgency=medium
   * rules, -server.postinst: Create /var/cache/bind/data owned by bind
     user.
   * rules: Fix var/lib/ipa/backup permissions.
+  * Add non-standard-dir-perm to server lintian overrides.
 
  -- Timo Aaltonen <tjaalton at debian.org>  Tue, 04 Nov 2014 12:16:54 +0200
 
diff --git a/debian/freeipa-server.lintian-overrides b/debian/freeipa-server.lintian-overrides
index 4f76e6b..0fd7f6b 100644
--- a/debian/freeipa-server.lintian-overrides
+++ b/debian/freeipa-server.lintian-overrides
@@ -4,3 +4,6 @@ python-script-but-no-python-dep
 web-application-should-not-depend-unconditionally-on-apache2
 # embedded versions used for better performance and function
 embedded-javascript-library
+# this is how we need them
+non-standard-dir-perm var/cache/bind/data/
+non-standard-dir-perm var/lib/ipa/backup/

commit 3c973969eba108133fdeaa9aae3ff84fbf156e8a
Author: Timo Aaltonen <tjaalton at debian.org>
Date:   Wed Nov 5 14:42:11 2014 +0200

    rules: Fix var/lib/ipa/backup permissions.

diff --git a/debian/changelog b/debian/changelog
index d3d27c0..260fc18 100644
--- a/debian/changelog
+++ b/debian/changelog
@@ -5,6 +5,7 @@ freeipa (4.0.4-3) UNRELEASED; urgency=medium
     paths. (Closes: #768122)
   * rules, -server.postinst: Create /var/cache/bind/data owned by bind
     user.
+  * rules: Fix var/lib/ipa/backup permissions.
 
  -- Timo Aaltonen <tjaalton at debian.org>  Tue, 04 Nov 2014 12:16:54 +0200
 
diff --git a/debian/freeipa-server.install b/debian/freeipa-server.install
index 5500382..2d2b13e 100644
--- a/debian/freeipa-server.install
+++ b/debian/freeipa-server.install
@@ -93,7 +93,6 @@ usr/share/man/man1/ipa-server-certinstall.1*
 usr/share/man/man1/ipa-server-install.1*
 usr/share/man/man8/ipa-upgradeconfig.8*
 usr/share/man/man8/ipactl.8*
-var/lib/ipa/backup
 var/lib/ipa/pki-ca
 var/lib/ipa/sysrestore
 var/lib/ipa/sysupgrade
diff --git a/debian/rules b/debian/rules
index 3f9fd08..e790c6c 100755
--- a/debian/rules
+++ b/debian/rules
@@ -59,8 +59,6 @@ ifneq ($(ONLY_CLIENT), 1)
 
 	chmod 755 $(DESTDIR)/usr/lib/*/ipa/certmonger/*
 
-	mkdir -p -m 700 $(DESTDIR)/var/lib/ipa/backup
-
 	mkdir -p $(DESTDIR)/etc/bash_completion.d \
 		 $(DESTDIR)/etc/default \
 		 $(DESTDIR)/usr/share/ipa/html
@@ -95,10 +93,11 @@ override_dh_install:
 
 ifneq ($(ONLY_CLIENT), 1)
 	mkdir -m 770 -p $(CURDIR)/debian/freeipa-server/var/cache/bind/data
+	mkdir -m 700 -p $(CURDIR)/debian/freeipa-server/var/lib/ipa/backup
 endif
 
 override_dh_fixperms:
-	dh_fixperms -X var/cache/bind/data
+	dh_fixperms -X var/cache/bind/data -X var/lib/ipa/backup
 
 %:
 	dh $@ --with autoreconf,python2,systemd

commit 3a985634e81e425429fb38074fe29e08cbee5d4b
Author: Timo Aaltonen <tjaalton at debian.org>
Date:   Wed Nov 5 14:33:50 2014 +0200

    rules, -server.postinst: Create /var/cache/bind/data owned by bind user.

diff --git a/debian/changelog b/debian/changelog
index bf9b3d4..d3d27c0 100644
--- a/debian/changelog
+++ b/debian/changelog
@@ -3,6 +3,8 @@ freeipa (4.0.4-3) UNRELEASED; urgency=medium
   * control: Update my email address.
   * fix-bind-conf.diff: Fix bind config template to use Debian specific
     paths. (Closes: #768122)
+  * rules, -server.postinst: Create /var/cache/bind/data owned by bind
+    user.
 
  -- Timo Aaltonen <tjaalton at debian.org>  Tue, 04 Nov 2014 12:16:54 +0200
 
diff --git a/debian/freeipa-server.postinst b/debian/freeipa-server.postinst
index 7c4aab4..198d52b 100644
--- a/debian/freeipa-server.postinst
+++ b/debian/freeipa-server.postinst
@@ -26,6 +26,7 @@ if [ "$1" = configure ]; then
             apache2_invoke enmod rewrite || exit $?
         fi
     fi
+    chown root:bind /var/cache/bind/data
 fi
 
 if [ ! -e /run/ipa_memcached ]; then
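Review bot: `chown root:bind /var/cache/bind/data` runs unconditionally on every configure, so it silently reverts any ownership a local administrator set, and it aborts the postinst if the `bind` group does not exist yet (the package depends on bind9, so that is unlikely, but nothing here checks it). Debian's mechanism for a non-default owner/mode on a shipped directory is dpkg-statoverride, which honours local overrides: `if ! dpkg-statoverride --list /var/cache/bind/data >/dev/null 2>&1; then dpkg-statoverride --update --add root bind 0770 /var/cache/bind/data; fi`. The 0770 mode itself (group-writable so named can write its dump and statistics files there) is consistent with the `mkdir -m 770` in rules.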
diff --git a/debian/rules b/debian/rules
index 07fd39b..3f9fd08 100755
--- a/debian/rules
+++ b/debian/rules
@@ -93,5 +93,12 @@ endif
 override_dh_install:
 	dh_install --fail-missing
 
+ifneq ($(ONLY_CLIENT), 1)
+	mkdir -m 770 -p $(CURDIR)/debian/freeipa-server/var/cache/bind/data
+endif
+
+override_dh_fixperms:
+	dh_fixperms -X var/cache/bind/data
+
 %:
 	dh $@ --with autoreconf,python2,systemd

commit ae77a903ebb0d5293c1919a88e06bd021c380064
Author: Timo Aaltonen <tjaalton at debian.org>
Date:   Wed Nov 5 14:31:42 2014 +0200

    fix-bind-conf.diff: Fix bind config template to use Debian specific paths. (Closes: #768122)

diff --git a/debian/changelog b/debian/changelog
index c838c08..bf9b3d4 100644
--- a/debian/changelog
+++ b/debian/changelog
@@ -1,6 +1,8 @@
 freeipa (4.0.4-3) UNRELEASED; urgency=medium
 
   * control: Update my email address.
+  * fix-bind-conf.diff: Fix bind config template to use Debian specific
+    paths. (Closes: #768122)
 
  -- Timo Aaltonen <tjaalton at debian.org>  Tue, 04 Nov 2014 12:16:54 +0200
 
diff --git a/debian/patches/fix-bind-conf.diff b/debian/patches/fix-bind-conf.diff
new file mode 100644
index 0000000..ce3448c
--- /dev/null
+++ b/debian/patches/fix-bind-conf.diff
@@ -0,0 +1,29 @@
+--- a/install/share/bind.named.conf.template
++++ b/install/share/bind.named.conf.template
+@@ -3,7 +3,7 @@ options {
+ 	listen-on-v6 {any;};
+ 
+ 	// Put files that named is allowed to write in the data/ directory:
+-	directory "/var/named"; // the default
++	directory "/var/cache/bind"; // the default
+ 	dump-file		"data/cache_dump.db";
+ 	statistics-file		"data/named_stats.txt";
+ 	memstatistics-file	"data/named_mem_stats.txt";
+@@ -14,7 +14,7 @@ options {
+ 	// Any host is permitted to issue recursive queries
+ 	allow-recursion { any; };
+ 
+-	tkey-gssapi-keytab "/etc/named.keytab";
++	tkey-gssapi-keytab "/etc/bind/named.keytab";
+ 	pid-file "/run/named/named.pid";
+ 
+ 	dnssec-enable yes;
+@@ -37,7 +37,7 @@ zone "." IN {
+ 	file "named.ca";
+ };
+ 
+-include "/etc/named.rfc1912.zones";
++include "/etc/bind/named.conf.default-zones";
+ 
+ dynamic-db "ipa" {
+ 	library "ldap.so";
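Review bot: The new line `tkey-gssapi-keytab "/etc/bind/named.keytab"` hard-codes a path that the Debian platform patch also defines as `NAMED_KEYTAB`; the two must stay in sync or named will look for a keytab the installer never writes, and nothing ties them together. Add `// must match ipaplatform NAMED_KEYTAB` beside it, or better, have the template take the path from the platform namespace if the installer substitutes into it (not visible here). The unchanged `allow-recursion { any; };` context is not this commit's doing, but on a server reachable beyond the IPA domain it is an open recursive resolver and deserves a follow-up.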
diff --git a/debian/patches/series b/debian/patches/series
index c212b87..af07832 100644
--- a/debian/patches/series
+++ b/debian/patches/series
@@ -14,3 +14,4 @@ fix-typo.patch
 fix-ipa-conf.diff
 fix-pykerberos-api.diff
 revert-pykerberos-api-change.diff
+fix-bind-conf.diff

commit 2335913bd5a021257d07951e542debb7b4301257
Author: Timo Aaltonen <tjaalton at debian.org>
Date:   Tue Nov 4 12:17:00 2014 +0200

    control: Update my email address.

diff --git a/debian/changelog b/debian/changelog
index dabda80..c838c08 100644
--- a/debian/changelog
+++ b/debian/changelog
@@ -1,3 +1,9 @@
+freeipa (4.0.4-3) UNRELEASED; urgency=medium
+
+  * control: Update my email address.
+
+ -- Timo Aaltonen <tjaalton at debian.org>  Tue, 04 Nov 2014 12:16:54 +0200
+
 freeipa (4.0.4-2) unstable; urgency=medium
 
   * control: Add python-qrcode, python-selinux, python-yubico
diff --git a/debian/control b/debian/control
index 4b5aa92..61f521b 100644
--- a/debian/control
+++ b/debian/control
@@ -2,7 +2,7 @@ Source: freeipa
 Section: net
 Priority: extra
 Maintainer: Debian FreeIPA Team <pkg-freeipa-devel at lists.alioth.debian.org>
-Uploaders: Timo Aaltonen <tjaalton at ubuntu.com>
+Uploaders: Timo Aaltonen <tjaalton at debian.org>
 Build-Depends:
  389-ds-base-dev (>= 1.3.3.2),
  check,


