[Pkg-freeipa-devel] freeipa: Changes to 'master'
Timo Aaltonen
tjaalton at moszumanska.debian.org
Tue Nov 11 08:27:05 UTC 2014
VERSION | 2 -
daemons/ipa-slapi-plugins/ipa-pwd-extop/prepost.c | 26 +++++++-------
debian/changelog | 26 ++++++++++++++
debian/control | 16 +++++----
debian/copyright | 2 -
debian/freeipa-server.install | 1
debian/freeipa-server.lintian-overrides | 3 +
debian/freeipa-server.postinst | 1
debian/patches/add-debian-platform.diff | 29 ++++++++--------
debian/patches/fix-bind-conf.diff | 39 ++++++++++++++++++++++
debian/patches/series | 1
debian/rules | 10 ++++-
install/updates/10-schema_compat.update | 30 +++++++++++-----
ipaserver/install/ldapupdate.py | 6 +++
ipaserver/install/plugins/updateclient.py | 3 +
15 files changed, 147 insertions(+), 48 deletions(-)
New commits:
commit 33eff3c54878428a6ce418c014a8e96c0fd59796
Author: Timo Aaltonen <tjaalton at debian.org>
Date: Tue Nov 11 08:17:45 2014 +0200
platform: Handle /etc/default/nfs-common and /etc/default/autofs. (Closes: #769037)
and drop NSS_DB_DIR which is inherited already
diff --git a/debian/changelog b/debian/changelog
index cd452d1..7045810 100644
--- a/debian/changelog
+++ b/debian/changelog
@@ -19,6 +19,8 @@ freeipa (4.0.5-1) UNRELEASED; urgency=medium
for easier backporting.
* control: Add python-dateutils to server, and python-dbus and python-
memcache to python-freeipa dependencies. (Closes: #768187)
+ * platform: Handle /etc/default/nfs-common and /etc/default/autofs,
+ drop NSS_DB_DIR since it's inherited already. (Closes: #769037)
-- Timo Aaltonen <tjaalton at debian.org> Tue, 04 Nov 2014 12:16:54 +0200
diff --git a/debian/patches/add-debian-platform.diff b/debian/patches/add-debian-platform.diff
index de84ec4..f71be9c 100644
--- a/debian/patches/add-debian-platform.diff
+++ b/debian/patches/add-debian-platform.diff
@@ -31,7 +31,7 @@ Date: Fri Mar 1 12:21:00 2013 +0200
+"""
--- /dev/null
+++ b/ipaplatform/debian/paths.py
-@@ -0,0 +1,69 @@
+@@ -0,0 +1,70 @@
+# Authors:
+# Timo Aaltonen <tjaalton at ubuntu.com>
+#
@@ -61,9 +61,6 @@ Date: Fri Mar 1 12:21:00 2013 +0200
+
+
+class DebianPathNamespace(BasePathNamespace):
-+ OPENLDAP_LDAP_CONF = "/etc/ldap/ldap.conf"
-+ NSS_DB_DIR = "/etc/pki/nssdb"
-+ SBIN_SERVICE = "/usr/sbin/service"
+ ETC_HTTPD_DIR = "/etc/apache2"
+ HTTPD_ALIAS_DIR = "/etc/apache2/nssdb"
+ ALIAS_CACERT_ASC = "/etc/apache2/nssdb/cacert.asc"
@@ -75,21 +72,26 @@ Date: Fri Mar 1 12:21:00 2013 +0200
+ HTTPD_NSS_CONF = "/etc/apache2/mods-available/nss.conf"
+ IPA_KEYTAB = "/etc/apache2/ipa.keytab"
+ HTTPD_PASSWORD_CONF = "/etc/apache2/password.conf"
-+ ETC_SYSCONFIG_DIR = "/etc/default"
-+ SYSCONFIG_PKI = "/etc/dogtag/"
-+ SYSCONFIG_PKI_TOMCAT = "/etc/default/pki-tomcat"
-+ SYSCONFIG_PKI_TOMCAT_PKI_TOMCAT_DIR = "/etc/dogtag/tomcat/pki-tomcat"
-+ SYSCONFIG_DIRSRV = "/etc/default/dirsrv"
-+ SYSCONFIG_DIRSRV_INSTANCE = "/etc/default/dirsrv-%s"
-+ SYSCONFIG_DIRSRV_SYSTEMD = "/etc/default/dirsrv.systemd"
-+ HTTPD = "/usr/sbin/apache2ctl"
-+ BIND_LDAP_SO = "/usr/share/doc/bind9-dyndb-ldap/copyright"
+ NAMED_CONF = "/etc/bind/named.conf"
+ NAMED_KEYTAB = "/etc/bind/named.keytab"
+ NAMED_RFC1912_ZONES = "/etc/bind/named.conf.default-zones"
++ OPENLDAP_LDAP_CONF = "/etc/ldap/ldap.conf"
+ ETC_DEBIAN_VERSION = "/etc/debian_version"
++ ETC_SYSCONFIG_DIR = "/etc/default"
++ SYSCONFIG_AUTOFS = "/etc/default/autofs"
++ SYSCONFIG_DIRSRV = "/etc/default/dirsrv"
++ SYSCONFIG_DIRSRV_INSTANCE = "/etc/default/dirsrv-%s"
++ SYSCONFIG_DIRSRV_SYSTEMD = "/etc/default/dirsrv.systemd"
++ SYSCONFIG_KRB5KDC_DIR = "/etc/default/krb5-kdc"
++ SYSCONFIG_NFS = "/etc/default/nfs-common"
+ SYSCONFIG_NTPD = "/etc/default/ntp"
++ SYSCONFIG_PKI = "/etc/dogtag/"
++ SYSCONFIG_PKI_TOMCAT = "/etc/default/pki-tomcat"
++ SYSCONFIG_PKI_TOMCAT_PKI_TOMCAT_DIR = "/etc/dogtag/tomcat/pki-tomcat"
++ SBIN_SERVICE = "/usr/sbin/service"
++ BIND_LDAP_SO = "/usr/share/doc/bind9-dyndb-ldap/copyright"
+ LIB_SYSTEMD_SYSTEMD_DIR = "/lib/systemd/system/"
++ HTTPD = "/usr/sbin/apache2ctl"
+ SETUP_DS_PL = "/usr/sbin/setup-ds"
+ VAR_KERBEROS_KRB5KDC_DIR = "/var/lib/krb5kdc/"
+ VAR_KRB5KDC_K5_REALM = "/var/lib/krb5kdc/.k5."
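Review bot: Nine existing `SYSCONFIG_*`/`HTTPD`/`BIND_LDAP_SO` assignments are removed and re-added in a new order in the same hunk that introduces the two genuinely new paths, `SYSCONFIG_AUTOFS` and `SYSCONFIG_NFS`, so the additions the commit message announces are hard to pick out of the churn (the next hunk moves `SYSCONFIG_KRB5KDC_DIR` the same way). Splitting the re-sort into its own commit, or leaving the order alone, would have kept this review to the two new entries. The inner `DebianPathNamespace` class begins in the previous hunk and ends in the following one.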
@@ -97,7 +99,6 @@ Date: Fri Mar 1 12:21:00 2013 +0200
+ KRB5KDC_KDC_CONF = "/var/lib/krb5kdc/kdc.conf"
+ KDC_PEM = "/var/lib/krb5kdc/kdc.pem"
+ VAR_LOG_HTTPD_DIR = "/var/log/apache2"
-+ SYSCONFIG_KRB5KDC_DIR = "/etc/default/krb5-kdc"
+ GENERATE_RNDC_KEY = "/usr/share/ipa/generate-rndc-key.sh"
+
+paths = DebianPathNamespace()
commit 0d8b1f1e95f4384a7c5e571c2bd4c2b0c246566a
Author: Timo Aaltonen <tjaalton at debian.org>
Date: Fri Nov 7 11:43:26 2014 +0200
bump dyndb-ldap dep
diff --git a/debian/changelog b/debian/changelog
index 4f4aefd..cd452d1 100644
--- a/debian/changelog
+++ b/debian/changelog
@@ -11,7 +11,7 @@ freeipa (4.0.5-1) UNRELEASED; urgency=medium
* rules: Fix /var/lib/ipa/backup permissions.
* Add non-standard-dir-perm to server lintian overrides.
* copyright: Fix a typo.
- * control: Bump dependency on bind9-dyndb-ldap to 6.0-3~.
+ * control: Bump dependency on bind9-dyndb-ldap to 6.0-4~.
* control: Move dependency on python-qrcode and python-yubico from
server to python-freeipa and drop python-selinux which belongs to
pki-server.
diff --git a/debian/control b/debian/control
index 99bc1f8..dfe87bd 100644
--- a/debian/control
+++ b/debian/control
@@ -66,7 +66,7 @@ Depends:
acl,
apache2,
bind9,
- bind9-dyndb-ldap (>= 6.0-3~),
+ bind9-dyndb-ldap (>= 6.0-4~),
certmonger (>= 0.75.14),
dogtag-pki-server-theme,
fonts-font-awesome,
commit 0fad84cc463f96337816acbccf7fb2a2790de519
Author: Timo Aaltonen <tjaalton at debian.org>
Date: Fri Nov 7 11:42:40 2014 +0200
bump changelog, fix a typo
diff --git a/debian/changelog b/debian/changelog
index 538f2cb..4f4aefd 100644
--- a/debian/changelog
+++ b/debian/changelog
@@ -1,12 +1,14 @@
-freeipa (4.0.4-3) UNRELEASED; urgency=medium
+freeipa (4.0.5-1) UNRELEASED; urgency=medium
+ * New upstream release
+ - Fix CVE-2014-7828. (Closes: #768294)
* control: Update my email address.
* fix-bind-conf.diff, add-debian-platform.diff: Fix bind config
template to use Debian specific paths, and replace named.conf not
named.conf.local. (Closes: #768122)
* rules, -server.postinst: Create /var/cache/bind/data owned by bind
user.
- * rules: Fix var/lib/ipa/backup permissions.
+ * rules: Fix /var/lib/ipa/backup permissions.
* Add non-standard-dir-perm to server lintian overrides.
* copyright: Fix a typo.
* control: Bump dependency on bind9-dyndb-ldap to 6.0-3~.
commit 34d6b0f7409974944e2a27850c2301547954c2ba
Author: Timo Aaltonen <tjaalton at debian.org>
Date: Fri Nov 7 11:08:09 2014 +0200
control: Add python-dateutils to server, and python-dbus and python-memcache to python-freeipa dependencies. (Closes: #768187)
diff --git a/debian/changelog b/debian/changelog
index c533354..538f2cb 100644
--- a/debian/changelog
+++ b/debian/changelog
@@ -15,6 +15,8 @@ freeipa (4.0.4-3) UNRELEASED; urgency=medium
pki-server.
* control: Relax libxmlrpc-core-c3-dev buil-dep and 389-ds-base dep
for easier backporting.
+ * control: Add python-dateutils to server, and python-dbus and python-
+ memcache to python-freeipa dependencies. (Closes: #768187)
-- Timo Aaltonen <tjaalton at debian.org> Tue, 04 Nov 2014 12:16:54 +0200
diff --git a/debian/control b/debian/control
index 9edbe6e..99bc1f8 100644
--- a/debian/control
+++ b/debian/control
@@ -90,6 +90,7 @@ Depends:
python-freeipa (= ${binary:Version}),
python-krbv,
python-ldap,
+ python-dateutil,
python-pyasn1,
slapi-nis (>= 0.54),
${misc:Depends},
@@ -192,11 +193,13 @@ Depends:
gnupg,
iproute,
keyutils,
+ python-dbus,
python-dnspython,
python-kerberos,
python-ldap,
python-libipa-hbac,
python-lxml,
+ python-memcache,
python-netaddr,
python-nss,
python-openssl,
commit 65a0b586ef72318bf3821a5252f89606e907fa56
Author: Petr Vobornik <pvoborni at redhat.com>
Date: Thu Nov 6 12:47:20 2014 +0100
Become IPA 4.0.5
diff --git a/VERSION b/VERSION
index af988d0..e64d5ea 100644
--- a/VERSION
+++ b/VERSION
@@ -20,7 +20,7 @@
########################################################
IPA_VERSION_MAJOR=4
IPA_VERSION_MINOR=0
-IPA_VERSION_RELEASE=4
+IPA_VERSION_RELEASE=5
########################################################
# For 'pre' releases the version will be #
commit 013e2eae2041729d5ee6ad4dc825bc4f24234ec6
Author: Nathaniel McCallum <npmccallum at redhat.com>
Date: Wed Nov 5 13:50:41 2014 -0500
Ensure that a password exists after OTP validation
Before this patch users could log in using only the OTP value. This
arose because ipapwd_authentication() successfully determined that
an empty password was invalid, but 389 itself would see this as an
anonymous bind. An anonymous bind would never even get this far in
this code, so we simply deny requests with empty passwords.
This patch resolves CVE-2014-7828.
https://fedorahosted.org/freeipa/ticket/4690
Reviewed-By: Alexander Bokovoy <abokovoy at redhat.com>
diff --git a/daemons/ipa-slapi-plugins/ipa-pwd-extop/prepost.c b/daemons/ipa-slapi-plugins/ipa-pwd-extop/prepost.c
index 60ceaaa..1f595d0 100644
--- a/daemons/ipa-slapi-plugins/ipa-pwd-extop/prepost.c
+++ b/daemons/ipa-slapi-plugins/ipa-pwd-extop/prepost.c
@@ -1446,12 +1446,12 @@ static int ipapwd_pre_bind(Slapi_PBlock *pb)
/* Try to do OTP first. */
syncreq = sync_request_present(pb);
- if (!syncreq && !ipapwd_pre_bind_otp(dn, entry, credentials)) {
- slapi_entry_free(entry);
- slapi_send_ldap_result(pb, LDAP_INVALID_CREDENTIALS,
- NULL, NULL, 0, NULL);
- return 1;
- }
+ if (!syncreq && !ipapwd_pre_bind_otp(dn, entry, credentials))
+ goto invalid_creds;
+
+ /* Ensure that there is a password. */
+ if (credentials->bv_len == 0)
+ goto invalid_creds;
/* Authenticate the user. */
ret = ipapwd_authenticate(dn, entry, credentials);
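Review bot: The comment `/* Ensure that there is a password. */` above the new `bv_len` check says what it does but not why it is needed; the reason given in the commit message — 389 treats an empty password as an anonymous bind, so the plugin has to refuse it itself — belongs next to the code, e.g. `/* An empty password is an anonymous bind to 389; never accept it as a user bind. */`. The check's position after `ipapwd_pre_bind_otp()` also looks deliberate: if that call strips the OTP suffix from `credentials` (not visible here), the length test must stay after it so it measures the remaining password rather than the combined value, and a short comment saying so would protect the ordering against a later refactor. The following hunk of the same file only consolidates the three error exits under `invalid_creds`, which reads fine. `ipapwd_pre_bind` begins before this hunk.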
@@ -1461,18 +1461,20 @@ static int ipapwd_pre_bind(Slapi_PBlock *pb)
}
/* Attempt to handle a token synchronization request. */
- if (syncreq && !sync_request_handle(ipapwd_get_plugin_id(), pb, dn)) {
- slapi_entry_free(entry);
- slapi_send_ldap_result(pb, LDAP_INVALID_CREDENTIALS,
- NULL, NULL, 0, NULL);
- return 1;
- }
+ if (syncreq && !sync_request_handle(ipapwd_get_plugin_id(), pb, dn))
+ goto invalid_creds;
/* Attempt to write out kerberos keys for the user. */
ipapwd_write_krb_keys(pb, dn, entry, credentials);
slapi_entry_free(entry);
return 0;
+
+invalid_creds:
+ slapi_entry_free(entry);
+ slapi_send_ldap_result(pb, LDAP_INVALID_CREDENTIALS,
+ NULL, NULL, 0, NULL);
+ return 1;
}
/* Init pre ops */
commit a56a6aff88e9f3fd092fe45056aeb19f15cc2f9f
Author: Thierry bordaz (tbordaz) <tbordaz at redhat.com>
Date: Wed Oct 29 16:23:03 2014 +0100
Deadlock in schema compat plugin (between automember_update_membership task and dse update)
Defining schema-compat-ignore-subtree values for schema compat plugin config entries removes the
default value (ignore: cn=tasks,cn=config). This default value prevented deadlocks.
Schema plugin needs to scope the $SUFFIX and also any updates to its configuration.
This change restricts the schema compat plugin to those subtrees. It replaces the definition of ignored subtrees,
which would be too long for cn=config (tasks, mapping tree, replication, snmp, ...).
https://fedorahosted.org/freeipa/ticket/4635
Reviewed-By: Martin Basti <mbasti at redhat.com>
Reviewed-By: Alexander Bokovoy <abokovoy at redhat.com>
diff --git a/install/updates/10-schema_compat.update b/install/updates/10-schema_compat.update
index e5bc703..e462bb2 100644
--- a/install/updates/10-schema_compat.update
+++ b/install/updates/10-schema_compat.update
@@ -18,15 +18,19 @@ add: schema-compat-entry-attribute: 'sudoRunAsUser=%ifeq("ipaSudoRunAsUserCatego
add: schema-compat-entry-attribute: 'sudoRunAsUser=%ifeq("ipaSudoRunAsUserCategory","all","ALL","%deref_f(\"ipaSudoRunAs\",\"(objectclass=posixAccount)\",\"uid\")")'
add: schema-compat-entry-attribute: 'sudoRunAsGroup=%ifeq("ipaSudoRunAsGroupCategory","all","ALL","%{ipaSudoRunAsExtGroup}")'
add: schema-compat-entry-attribute: 'sudoRunAsGroup=%ifeq("ipaSudoRunAsGroupCategory","all","ALL","%deref_f(\"ipaSudoRunAsGroup\",\"(objectclass=posixGroup)\",\"cn\")")'
-add: schema-compat-ignore-subtree: cn=changelog
-add: schema-compat-ignore-subtree: o=ipaca
+remove: schema-compat-ignore-subtree: cn=changelog
+remove: schema-compat-ignore-subtree: o=ipaca
+add: schema-compat-restrict-subtree: '$SUFFIX'
+add: schema-compat-restrict-subtree: 'cn=Schema Compatibility,cn=plugins,cn=config'
# Change padding for host and userCategory so the pad returns the same value
# as the original, '' or -.
dn: cn=ng,cn=Schema Compatibility,cn=plugins,cn=config
replace: schema-compat-entry-attribute:'nisNetgroupTriple=(%link("%ifeq(\"hostCategory\",\"all\",\"\",\"%collect(\\\"%{externalHost}\\\",\\\"%deref(\\\\\\\"memberHost\\\\\\\",\\\\\\\"fqdn\\\\\\\")\\\",\\\"%deref_r(\\\\\\\"member\\\\\\\",\\\\\\\"fqdn\\\\\\\")\\\",\\\"%deref_r(\\\\\\\"memberHost\\\\\\\",\\\\\\\"member\\\\\\\",\\\\\\\"fqdn\\\\\\\")\\\")\")","-",",","%ifeq(\"userCategory\",\"all\",\"\",\"%collect(\\\"%deref(\\\\\\\"memberUser\\\\\\\",\\\\\\\"uid\\\\\\\")\\\",\\\"%deref_r(\\\\\\\"member\\\\\\\",\\\\\\\"uid\\\\\\\")\\\",\\\"%deref_r(\\\\\\\"memberUser\\\\\\\",\\\\\\\"member\\\\\\\",\\\\\\\"uid\\\\\\\")\\\")\")","-"),%{nisDomainName:-})::nisNetgroupTriple=(%link("%ifeq(\"hostCategory\",\"all\",\"\",\"%collect(\\\"%{externalHost}\\\",\\\"%deref(\\\\\\\"memberHost\\\\\\\",\\\\\\\"fqdn\\\\\\\")\\\",\\\"%deref_r(\\\\\\\"member\\\\\\\",\\\\\\\"fqdn\\\\\\\")\\\",\\\"%deref_r(\\\\\\\"memberHost\\\\\\\",\\\\\\\"member\\\\\\\",\\\\\\\"fqdn\\\\\\\")\\\")\")","%ifeq(\"hostCategory\",\"all\",\"\",\"-\")",",","%ifeq(\"userCategory\",\"all\",\"\",\"%collect(\\\"%deref(\\\\\\\"memberUser\\\\\\\",\\\\\\\"uid\\\\\\\")\\\",\\\"%deref_r(\\\\\\\"member\\\\\\\",\\\\\\\"uid\\\\\\\")\\\",\\\"%deref_r(\\\\\\\"memberUser\\\\\\\",\\\\\\\"member\\\\\\\",\\\\\\\"uid\\\\\\\")\\\")\")","%ifeq(\"userCategory\",\"all\",\"\",\"-\")"),%{nisDomainName:-})'
-add: schema-compat-ignore-subtree: cn=changelog
-add: schema-compat-ignore-subtree: o=ipaca
+remove: schema-compat-ignore-subtree: cn=changelog
+remove: schema-compat-ignore-subtree: o=ipaca
+add: schema-compat-restrict-subtree: '$SUFFIX'
+add: schema-compat-restrict-subtree: 'cn=Schema Compatibility,cn=plugins,cn=config'
dn: cn=computers, cn=Schema Compatibility, cn=plugins, cn=config
default:objectClass: top
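Review bot: The new `remove: schema-compat-ignore-subtree` lines only have something to remove on servers that previously received the `add:` they replace; on a fresh install those values are absent, so this relies on the updater treating removal of a missing value as a no-op rather than an error, which is worth confirming before release. A one-line comment above the first block saying that the `remove:` lines clean up earlier installs would spare the next reader the same question. The same four-line block is repeated for every compat subtree here and in the following hunk (cn=computers, cn=users, cn=groups); any entry that misses the `add: schema-compat-restrict-subtree` pair stays unscoped and brings back the deadlock the commit describes.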
@@ -41,19 +45,25 @@ default:schema-compat-entry-attribute: objectclass=device
default:schema-compat-entry-attribute: objectclass=ieee802Device
default:schema-compat-entry-attribute: cn=%{fqdn}
default:schema-compat-entry-attribute: macAddress=%{macAddress}
-add: schema-compat-ignore-subtree: cn=changelog
-add: schema-compat-ignore-subtree: o=ipaca
+remove: schema-compat-ignore-subtree: cn=changelog
+remove: schema-compat-ignore-subtree: o=ipaca
+add: schema-compat-restrict-subtree: '$SUFFIX'
+add: schema-compat-restrict-subtree: 'cn=Schema Compatibility,cn=plugins,cn=config'
dn: cn=sudoers,cn=Schema Compatibility,cn=plugins,cn=config
add:schema-compat-entry-attribute: sudoOrder=%{sudoOrder}
dn: cn=users,cn=Schema Compatibility,cn=plugins,cn=config
-add: schema-compat-ignore-subtree: cn=changelog
-add: schema-compat-ignore-subtree: o=ipaca
+remove: schema-compat-ignore-subtree: cn=changelog
+remove: schema-compat-ignore-subtree: o=ipaca
+add: schema-compat-restrict-subtree: '$SUFFIX'
+add: schema-compat-restrict-subtree: 'cn=Schema Compatibility,cn=plugins,cn=config'
dn: cn=groups,cn=Schema Compatibility,cn=plugins,cn=config
-add: schema-compat-ignore-subtree: cn=changelog
-add: schema-compat-ignore-subtree: o=ipaca
+remove: schema-compat-ignore-subtree: cn=changelog
+remove: schema-compat-ignore-subtree: o=ipaca
+add: schema-compat-restrict-subtree: '$SUFFIX'
+add: schema-compat-restrict-subtree: 'cn=Schema Compatibility,cn=plugins,cn=config'
dn: cn=Schema Compatibility,cn=plugins,cn=config
# We need to run schema-compat pre-bind callback before
commit d6697b683d3f3517c41e5bbb4b9033fa860fd9d0
Author: Martin Basti <mbasti at redhat.com>
Date: Tue Nov 4 15:59:50 2014 +0100
Fix upgrade: do not use invalid ldap connection
Ticket: https://fedorahosted.org/freeipa/ticket/4670
Reviewed-By: Jan Cholasta <jcholast at redhat.com>
diff --git a/ipaserver/install/ldapupdate.py b/ipaserver/install/ldapupdate.py
index 6bed046..47f0399 100644
--- a/ipaserver/install/ldapupdate.py
+++ b/ipaserver/install/ldapupdate.py
@@ -889,3 +889,9 @@ class LDAPUpdate:
self._run_updates(updates)
return self.modified
+
+ def close_connection(self):
+ """Close ldap connection"""
+ if self.conn:
+ self.conn.unbind()
+ self.conn = None
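Review bot: `close_connection` leaves `self.conn` pointing at the old connection if `unbind()` raises, so a later caller would retry the failed unbind and still hold the stale handle; clearing the reference unconditionally is safer: `try: self.conn.unbind()` / `finally: self.conn = None`. The docstring could also state the contract the caller relies on, e.g. `"""Unbind and drop the LDAP connection; safe to call when no connection is open."""`. The enclosing `LDAPUpdate` class begins before the hunk.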
diff --git a/ipaserver/install/plugins/updateclient.py b/ipaserver/install/plugins/updateclient.py
index 7566b6c..8f5c5b5 100644
--- a/ipaserver/install/plugins/updateclient.py
+++ b/ipaserver/install/plugins/updateclient.py
@@ -122,6 +122,9 @@ class updateclient(backend.Executioner):
for update in self.order(updatetype):
(restart, apply_now, res) = self.run(update.name, **kw)
if restart:
+ # connection has to be closed before restart, otherwise
+ # ld instance will try to reuse old non-valid connection
+ ld.close_connection()
self.restart(dm_password, live_run)
if apply_now:
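Review bot: After `ld.close_connection()` the loop continues and the next `self.run(update.name, **kw)` still needs a live connection, but nothing in this hunk shows `ld` reconnecting; if `LDAPUpdate` opens its connection lazily when an update is run this is fine, otherwise the iteration after a restart fails on `self.conn is None`, so the reconnection point is worth confirming and naming in the comment. The comment itself would read better as `# the connection must be closed before the restart, otherwise ld would reuse the now-invalid connection`. Both the `for` loop and the method enclosing it extend outside the hunk.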
commit 965d1073e8bbd1a318c9005f1269be6d172402b1
Author: Timo Aaltonen <tjaalton at debian.org>
Date: Wed Nov 5 20:37:34 2014 +0200
control: Relax libxmlrpc-core-c3-dev build-dep and 389-ds-base dep for easier backporting.
diff --git a/debian/changelog b/debian/changelog
index f24ac5c..c533354 100644
--- a/debian/changelog
+++ b/debian/changelog
@@ -13,6 +13,8 @@ freeipa (4.0.4-3) UNRELEASED; urgency=medium
* control: Move dependency on python-qrcode and python-yubico from
server to python-freeipa and drop python-selinux which belongs to
pki-server.
+ * control: Relax libxmlrpc-core-c3-dev buil-dep and 389-ds-base dep
+ for easier backporting.
-- Timo Aaltonen <tjaalton at debian.org> Tue, 04 Nov 2014 12:16:54 +0200
diff --git a/debian/control b/debian/control
index 3a30f60..9edbe6e 100644
--- a/debian/control
+++ b/debian/control
@@ -30,7 +30,7 @@ Build-Depends:
libtevent-dev,
libunistring-dev,
libverto-dev,
- libxmlrpc-core-c3-dev (>= 1.33.14),
+ libxmlrpc-core-c3-dev (>= 1.33.06),
python-all-dev,
python-dnspython (>= 1.11.1),
python-kerberos,
@@ -62,7 +62,7 @@ Homepage: http://www.freeipa.org
Package: freeipa-server
Architecture: any
Depends:
- 389-ds-base (>= 1.3.3.5-2),
+ 389-ds-base (>= 1.3.3.5-2~),
acl,
apache2,
bind9,
commit dadffcde1d5677c737a21defc6f0e74b71eb2a55
Author: Timo Aaltonen <tjaalton at debian.org>
Date: Wed Nov 5 19:51:23 2014 +0200
control: Move dependency on python-qrcode and python-yubico to python-freeipa and drop python-selinux which belongs to pki-server.
diff --git a/debian/changelog b/debian/changelog
index 8c408ae..f24ac5c 100644
--- a/debian/changelog
+++ b/debian/changelog
@@ -10,6 +10,9 @@ freeipa (4.0.4-3) UNRELEASED; urgency=medium
* Add non-standard-dir-perm to server lintian overrides.
* copyright: Fix a typo.
* control: Bump dependency on bind9-dyndb-ldap to 6.0-3~.
+ * control: Move dependency on python-qrcode and python-yubico from
+ server to python-freeipa and drop python-selinux which belongs to
+ pki-server.
-- Timo Aaltonen <tjaalton at debian.org> Tue, 04 Nov 2014 12:16:54 +0200
diff --git a/debian/control b/debian/control
index 74c9348..3a30f60 100644
--- a/debian/control
+++ b/debian/control
@@ -91,9 +91,6 @@ Depends:
python-krbv,
python-ldap,
python-pyasn1,
- python-qrcode (>= 5.0.0),
- python-selinux,
- python-yubico,
slapi-nis (>= 0.54),
${misc:Depends},
${python:Depends},
@@ -203,6 +200,8 @@ Depends:
python-netaddr,
python-nss,
python-openssl,
+ python-qrcode (>= 5.0.0),
+ python-yubico,
${misc:Depends},
${python:Depends},
${shlibs:Depends}
commit 03eab6c951241067debfe2028384d9fd23543d1d
Author: Timo Aaltonen <tjaalton at debian.org>
Date: Wed Nov 5 18:44:47 2014 +0200
bump bind9-dyndb-ldap dep again
diff --git a/debian/changelog b/debian/changelog
index 63014c0..8c408ae 100644
--- a/debian/changelog
+++ b/debian/changelog
@@ -9,7 +9,7 @@ freeipa (4.0.4-3) UNRELEASED; urgency=medium
* rules: Fix var/lib/ipa/backup permissions.
* Add non-standard-dir-perm to server lintian overrides.
* copyright: Fix a typo.
- * control: Bump dependency on bind9-dyndb-ldap.
+ * control: Bump dependency on bind9-dyndb-ldap to 6.0-3~.
-- Timo Aaltonen <tjaalton at debian.org> Tue, 04 Nov 2014 12:16:54 +0200
diff --git a/debian/control b/debian/control
index 54f3a9f..74c9348 100644
--- a/debian/control
+++ b/debian/control
@@ -66,7 +66,7 @@ Depends:
acl,
apache2,
bind9,
- bind9-dyndb-ldap (>= 6.0-2~),
+ bind9-dyndb-ldap (>= 6.0-3~),
certmonger (>= 0.75.14),
dogtag-pki-server-theme,
fonts-font-awesome,
commit 04fcd775f84f6499f350a947b4050d1e93d24f6e
Author: Timo Aaltonen <tjaalton at debian.org>
Date: Wed Nov 5 18:44:08 2014 +0200
update fix-bind-conf.diff to not use the dot zone, as that's already on default-zones
diff --git a/debian/patches/fix-bind-conf.diff b/debian/patches/fix-bind-conf.diff
index ce3448c..61d523a 100644
--- a/debian/patches/fix-bind-conf.diff
+++ b/debian/patches/fix-bind-conf.diff
@@ -18,10 +18,20 @@
pid-file "/run/named/named.pid";
dnssec-enable yes;
-@@ -37,7 +37,7 @@ zone "." IN {
- file "named.ca";
+@@ -32,12 +32,13 @@ logging {
+ };
};
+-zone "." IN {
+- type hint;
+- file "named.ca";
+-};
++// included below
++//zone "." IN {
++// type hint;
++// file "named.ca";
++//};
+
-include "/etc/named.rfc1912.zones";
+include "/etc/bind/named.conf.default-zones";
commit 7a818c10fc66d37b6a74d6008e8aa5021f3f172f
Author: Timo Aaltonen <tjaalton at debian.org>
Date: Wed Nov 5 17:38:48 2014 +0200
fix non-standard-dir-perm lintian overrides
diff --git a/debian/freeipa-server.lintian-overrides b/debian/freeipa-server.lintian-overrides
index 0fd7f6b..9b4b31d 100644
--- a/debian/freeipa-server.lintian-overrides
+++ b/debian/freeipa-server.lintian-overrides
@@ -5,5 +5,5 @@ web-application-should-not-depend-unconditionally-on-apache2
# embedded versions used for better performance and function
embedded-javascript-library
# this is how we need them
-non-standard-dir-perm var/cache/bind/data/
-non-standard-dir-perm var/lib/ipa/backup/
+non-standard-dir-perm var/cache/bind/data/ *
+non-standard-dir-perm var/lib/ipa/backup/ *
commit 14195ded651e1bac2239d256fd6d1aa0f10ac966
Author: Timo Aaltonen <tjaalton at debian.org>
Date: Wed Nov 5 17:14:07 2014 +0200
set NAMED_CONF = named.conf
diff --git a/debian/changelog b/debian/changelog
index 532eab4..63014c0 100644
--- a/debian/changelog
+++ b/debian/changelog
@@ -1,8 +1,9 @@
freeipa (4.0.4-3) UNRELEASED; urgency=medium
* control: Update my email address.
- * fix-bind-conf.diff: Fix bind config template to use Debian specific
- paths. (Closes: #768122)
+ * fix-bind-conf.diff, add-debian-platform.diff: Fix bind config
+ template to use Debian specific paths, and replace named.conf not
+ named.conf.local. (Closes: #768122)
* rules, -server.postinst: Create /var/cache/bind/data owned by bind
user.
* rules: Fix var/lib/ipa/backup permissions.
diff --git a/debian/patches/add-debian-platform.diff b/debian/patches/add-debian-platform.diff
index 5400a8a..de84ec4 100644
--- a/debian/patches/add-debian-platform.diff
+++ b/debian/patches/add-debian-platform.diff
@@ -84,7 +84,7 @@ Date: Fri Mar 1 12:21:00 2013 +0200
+ SYSCONFIG_DIRSRV_SYSTEMD = "/etc/default/dirsrv.systemd"
+ HTTPD = "/usr/sbin/apache2ctl"
+ BIND_LDAP_SO = "/usr/share/doc/bind9-dyndb-ldap/copyright"
-+ NAMED_CONF = "/etc/bind/named.conf.local"
++ NAMED_CONF = "/etc/bind/named.conf"
+ NAMED_KEYTAB = "/etc/bind/named.keytab"
+ NAMED_RFC1912_ZONES = "/etc/bind/named.conf.default-zones"
+ ETC_DEBIAN_VERSION = "/etc/debian_version"
commit 81567fcda6adfb48d00f35ea300180a3770a2241
Author: Timo Aaltonen <tjaalton at debian.org>
Date: Wed Nov 5 14:44:24 2014 +0200
control: Bump dependency on bind9-dyndb-ldap.
diff --git a/debian/changelog b/debian/changelog
index 4db15d1..532eab4 100644
--- a/debian/changelog
+++ b/debian/changelog
@@ -8,6 +8,7 @@ freeipa (4.0.4-3) UNRELEASED; urgency=medium
* rules: Fix var/lib/ipa/backup permissions.
* Add non-standard-dir-perm to server lintian overrides.
* copyright: Fix a typo.
+ * control: Bump dependency on bind9-dyndb-ldap.
-- Timo Aaltonen <tjaalton at debian.org> Tue, 04 Nov 2014 12:16:54 +0200
diff --git a/debian/control b/debian/control
index 61f521b..54f3a9f 100644
--- a/debian/control
+++ b/debian/control
@@ -66,7 +66,7 @@ Depends:
acl,
apache2,
bind9,
- bind9-dyndb-ldap,
+ bind9-dyndb-ldap (>= 6.0-2~),
certmonger (>= 0.75.14),
dogtag-pki-server-theme,
fonts-font-awesome,
commit 877759b7a117d77e98da5ea92dcd56d7556aa152
Author: Timo Aaltonen <tjaalton at debian.org>
Date: Wed Nov 5 14:43:30 2014 +0200
copyright: Fix a typo.
diff --git a/debian/changelog b/debian/changelog
index dfa0da3..4db15d1 100644
--- a/debian/changelog
+++ b/debian/changelog
@@ -7,6 +7,7 @@ freeipa (4.0.4-3) UNRELEASED; urgency=medium
user.
* rules: Fix var/lib/ipa/backup permissions.
* Add non-standard-dir-perm to server lintian overrides.
+ * copyright: Fix a typo.
-- Timo Aaltonen <tjaalton at debian.org> Tue, 04 Nov 2014 12:16:54 +0200
diff --git a/debian/copyright b/debian/copyright
index 8ab7aed..b10860a 100644
--- a/debian/copyright
+++ b/debian/copyright
@@ -49,7 +49,7 @@ License: GPL-2
Files: install/share/05rfc2247.ldif install/share/certmap.conf.template
Copyright: 2001, Sun Microsystems, Inc.
2005, Red Hat, Inc.
-Copyright: GPL-2
+License: GPL-2
Files: install/ui/css/patternfly.css
Copyright: Nicolas Gallagher
commit bc8d3b377a085dc61c694f16e5c75bf0116b0f8d
Author: Timo Aaltonen <tjaalton at debian.org>
Date: Wed Nov 5 14:42:37 2014 +0200
Add non-standard-dir-perm to server lintian overrides.
diff --git a/debian/changelog b/debian/changelog
index 260fc18..dfa0da3 100644
--- a/debian/changelog
+++ b/debian/changelog
@@ -6,6 +6,7 @@ freeipa (4.0.4-3) UNRELEASED; urgency=medium
* rules, -server.postinst: Create /var/cache/bind/data owned by bind
user.
* rules: Fix var/lib/ipa/backup permissions.
+ * Add non-standard-dir-perm to server lintian overrides.
-- Timo Aaltonen <tjaalton at debian.org> Tue, 04 Nov 2014 12:16:54 +0200
diff --git a/debian/freeipa-server.lintian-overrides b/debian/freeipa-server.lintian-overrides
index 4f76e6b..0fd7f6b 100644
--- a/debian/freeipa-server.lintian-overrides
+++ b/debian/freeipa-server.lintian-overrides
@@ -4,3 +4,6 @@ python-script-but-no-python-dep
web-application-should-not-depend-unconditionally-on-apache2
# embedded versions used for better performance and function
embedded-javascript-library
+# this is how we need them
+non-standard-dir-perm var/cache/bind/data/
+non-standard-dir-perm var/lib/ipa/backup/
commit 3c973969eba108133fdeaa9aae3ff84fbf156e8a
Author: Timo Aaltonen <tjaalton at debian.org>
Date: Wed Nov 5 14:42:11 2014 +0200
rules: Fix var/lib/ipa/backup permissions.
diff --git a/debian/changelog b/debian/changelog
index d3d27c0..260fc18 100644
--- a/debian/changelog
+++ b/debian/changelog
@@ -5,6 +5,7 @@ freeipa (4.0.4-3) UNRELEASED; urgency=medium
paths. (Closes: #768122)
* rules, -server.postinst: Create /var/cache/bind/data owned by bind
user.
+ * rules: Fix var/lib/ipa/backup permissions.
-- Timo Aaltonen <tjaalton at debian.org> Tue, 04 Nov 2014 12:16:54 +0200
diff --git a/debian/freeipa-server.install b/debian/freeipa-server.install
index 5500382..2d2b13e 100644
--- a/debian/freeipa-server.install
+++ b/debian/freeipa-server.install
@@ -93,7 +93,6 @@ usr/share/man/man1/ipa-server-certinstall.1*
usr/share/man/man1/ipa-server-install.1*
usr/share/man/man8/ipa-upgradeconfig.8*
usr/share/man/man8/ipactl.8*
-var/lib/ipa/backup
var/lib/ipa/pki-ca
var/lib/ipa/sysrestore
var/lib/ipa/sysupgrade
diff --git a/debian/rules b/debian/rules
index 3f9fd08..e790c6c 100755
--- a/debian/rules
+++ b/debian/rules
@@ -59,8 +59,6 @@ ifneq ($(ONLY_CLIENT), 1)
chmod 755 $(DESTDIR)/usr/lib/*/ipa/certmonger/*
- mkdir -p -m 700 $(DESTDIR)/var/lib/ipa/backup
-
mkdir -p $(DESTDIR)/etc/bash_completion.d \
$(DESTDIR)/etc/default \
$(DESTDIR)/usr/share/ipa/html
@@ -95,10 +93,11 @@ override_dh_install:
ifneq ($(ONLY_CLIENT), 1)
mkdir -m 770 -p $(CURDIR)/debian/freeipa-server/var/cache/bind/data
+ mkdir -m 700 -p $(CURDIR)/debian/freeipa-server/var/lib/ipa/backup
endif
override_dh_fixperms:
- dh_fixperms -X var/cache/bind/data
+ dh_fixperms -X var/cache/bind/data -X var/lib/ipa/backup
%:
dh $@ --with autoreconf,python2,systemd
commit 3a985634e81e425429fb38074fe29e08cbee5d4b
Author: Timo Aaltonen <tjaalton at debian.org>
Date: Wed Nov 5 14:33:50 2014 +0200
rules, -server.postinst: Create /var/cache/bind/data owned by bind user.
diff --git a/debian/changelog b/debian/changelog
index bf9b3d4..d3d27c0 100644
--- a/debian/changelog
+++ b/debian/changelog
@@ -3,6 +3,8 @@ freeipa (4.0.4-3) UNRELEASED; urgency=medium
* control: Update my email address.
* fix-bind-conf.diff: Fix bind config template to use Debian specific
paths. (Closes: #768122)
+ * rules, -server.postinst: Create /var/cache/bind/data owned by bind
+ user.
-- Timo Aaltonen <tjaalton at debian.org> Tue, 04 Nov 2014 12:16:54 +0200
diff --git a/debian/freeipa-server.postinst b/debian/freeipa-server.postinst
index 7c4aab4..198d52b 100644
--- a/debian/freeipa-server.postinst
+++ b/debian/freeipa-server.postinst
@@ -26,6 +26,7 @@ if [ "$1" = configure ]; then
apache2_invoke enmod rewrite || exit $?
fi
fi
+ chown root:bind /var/cache/bind/data
fi
if [ ! -e /run/ipa_memcached ]; then
diff --git a/debian/rules b/debian/rules
index 07fd39b..3f9fd08 100755
--- a/debian/rules
+++ b/debian/rules
@@ -93,5 +93,12 @@ endif
override_dh_install:
dh_install --fail-missing
+ifneq ($(ONLY_CLIENT), 1)
+ mkdir -m 770 -p $(CURDIR)/debian/freeipa-server/var/cache/bind/data
+endif
+
+override_dh_fixperms:
+ dh_fixperms -X var/cache/bind/data
+
%:
dh $@ --with autoreconf,python2,systemd
commit ae77a903ebb0d5293c1919a88e06bd021c380064
Author: Timo Aaltonen <tjaalton at debian.org>
Date: Wed Nov 5 14:31:42 2014 +0200
fix-bind-conf.diff: Fix bind config template to use Debian specific paths. (Closes: #768122)
diff --git a/debian/changelog b/debian/changelog
index c838c08..bf9b3d4 100644
--- a/debian/changelog
+++ b/debian/changelog
@@ -1,6 +1,8 @@
freeipa (4.0.4-3) UNRELEASED; urgency=medium
* control: Update my email address.
+ * fix-bind-conf.diff: Fix bind config template to use Debian specific
+ paths. (Closes: #768122)
-- Timo Aaltonen <tjaalton at debian.org> Tue, 04 Nov 2014 12:16:54 +0200
diff --git a/debian/patches/fix-bind-conf.diff b/debian/patches/fix-bind-conf.diff
new file mode 100644
index 0000000..ce3448c
--- /dev/null
+++ b/debian/patches/fix-bind-conf.diff
@@ -0,0 +1,29 @@
+--- a/install/share/bind.named.conf.template
++++ b/install/share/bind.named.conf.template
+@@ -3,7 +3,7 @@ options {
+ listen-on-v6 {any;};
+
+ // Put files that named is allowed to write in the data/ directory:
+- directory "/var/named"; // the default
++ directory "/var/cache/bind"; // the default
+ dump-file "data/cache_dump.db";
+ statistics-file "data/named_stats.txt";
+ memstatistics-file "data/named_mem_stats.txt";
+@@ -14,7 +14,7 @@ options {
+ // Any host is permitted to issue recursive queries
+ allow-recursion { any; };
+
+- tkey-gssapi-keytab "/etc/named.keytab";
++ tkey-gssapi-keytab "/etc/bind/named.keytab";
+ pid-file "/run/named/named.pid";
+
+ dnssec-enable yes;
+@@ -37,7 +37,7 @@ zone "." IN {
+ file "named.ca";
+ };
+
+-include "/etc/named.rfc1912.zones";
++include "/etc/bind/named.conf.default-zones";
+
+ dynamic-db "ipa" {
+ library "ldap.so";
diff --git a/debian/patches/series b/debian/patches/series
index c212b87..af07832 100644
--- a/debian/patches/series
+++ b/debian/patches/series
@@ -14,3 +14,4 @@ fix-typo.patch
fix-ipa-conf.diff
fix-pykerberos-api.diff
revert-pykerberos-api-change.diff
+fix-bind-conf.diff
commit 2335913bd5a021257d07951e542debb7b4301257
Author: Timo Aaltonen <tjaalton at debian.org>
Date: Tue Nov 4 12:17:00 2014 +0200
control: Update my email address.
diff --git a/debian/changelog b/debian/changelog
index dabda80..c838c08 100644
--- a/debian/changelog
+++ b/debian/changelog
@@ -1,3 +1,9 @@
+freeipa (4.0.4-3) UNRELEASED; urgency=medium
+
+ * control: Update my email address.
+
+ -- Timo Aaltonen <tjaalton at debian.org> Tue, 04 Nov 2014 12:16:54 +0200
+
freeipa (4.0.4-2) unstable; urgency=medium
* control: Add python-qrcode, python-selinux, python-yubico
diff --git a/debian/control b/debian/control
index 4b5aa92..61f521b 100644
--- a/debian/control
+++ b/debian/control
@@ -2,7 +2,7 @@ Source: freeipa
Section: net
Priority: extra
Maintainer: Debian FreeIPA Team <pkg-freeipa-devel at lists.alioth.debian.org>
-Uploaders: Timo Aaltonen <tjaalton at ubuntu.com>
+Uploaders: Timo Aaltonen <tjaalton at debian.org>
Build-Depends:
389-ds-base-dev (>= 1.3.3.2),
check,