[Pkg-freeipa-devel] freeipa: Changes to 'master-next'
Timo Aaltonen
tjaalton at moszumanska.debian.org
Wed Mar 2 10:40:54 UTC 2016
debian/changelog | 13 ++++++++++---
debian/control | 1 +
debian/freeipa-server.postinst | 6 ++++++
debian/freeipa-server.postrm | 6 ++++++
debian/patches/add-debian-platform.diff | 12 +++---------
debian/patches/fix-custodia-conf.diff | 13 +++++++++++++
debian/patches/fix-ipa-conf.diff | 9 +++++++++
debian/patches/series | 1 +
8 files changed, 49 insertions(+), 12 deletions(-)
New commits:
commit e3c29303ae848b1c09af0015846cbe5cac8a26bc
Author: Timo Aaltonen <tjaalton at debian.org>
Date: Wed Mar 2 12:40:38 2016 +0200
fix custodia support
diff --git a/debian/changelog b/debian/changelog
index 8a0a3e2..2e8f210 100644
--- a/debian/changelog
+++ b/debian/changelog
@@ -33,7 +33,8 @@ freeipa (4.3.0-1) UNRELEASED; urgency=medium
* Split freeipa-server-dns from server.
* admintools: Use the new location for bash completions.
* rules: Fix paths in oddjob configs.
- * control, rules: Add support for custodia.
+ * control, rules, fix-ipa-conf.diff, fix-custodia-conf.diff:
+ Add support for custodia.
* rules: Remove obsolete configure.jar, preferences.html.
* platform: Fix ipautil.run stdout handling, add support for systemd.
* control: Bump server and python-ipaserver dependency on python-ldap
diff --git a/debian/patches/fix-custodia-conf.diff b/debian/patches/fix-custodia-conf.diff
new file mode 100644
index 0000000..b3e3aea
--- /dev/null
+++ b/debian/patches/fix-custodia-conf.diff
@@ -0,0 +1,13 @@
+--- a/install/share/custodia.conf.template
++++ b/install/share/custodia.conf.template
+@@ -5,8 +5,8 @@ auditlog = $IPA_CUSTODIA_AUDIT_LOG
+
+ [auth:simple]
+ handler = custodia.httpd.authenticators.SimpleCredsAuth
+-uid = 48
+-gid = 48
++uid = 33
++gid = 33
+
+ [auth:header]
+ handler = custodia.httpd.authenticators.SimpleHeaderAuth
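Review bot: The new "uid = 33" / "gid = 33" under [auth:simple] are bare numbers, and the new patch file carries no header saying which account they stand for (fix-ipa-conf.diff at least has "Description: Fix paths"). 33 is the statically allocated www-data id on Debian, so the value is stable, but SimpleCredsAuth uses these ids to decide which peer may talk to the custodia socket, so please add a Description stating that they must match the user Apache runs as. If the template allows it, a substituted variable like the $IPA_CUSTODIA_AUDIT_LOG already used above would keep the patch from silently going stale.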
diff --git a/debian/patches/fix-ipa-conf.diff b/debian/patches/fix-ipa-conf.diff
index ec307c6..76ba6eb 100644
--- a/debian/patches/fix-ipa-conf.diff
+++ b/debian/patches/fix-ipa-conf.diff
@@ -23,6 +23,15 @@ Description: Fix paths
GssapiUseS4U2Proxy on
GssapiAllowedMech krb5
Require valid-user
+@@ -107,7 +107,7 @@ WSGIScriptReloading Off
+ # Custodia stuff is redirected to the custodia daemon
+ # after authentication
+ <Location "/ipa/keys/">
+- ProxyPass "unix:/run/httpd/ipa-custodia.sock|http://localhost/keys/"
++ ProxyPass "unix:/run/apache2/ipa-custodia.sock|http://localhost/keys/"
+ RequestHeader set GSS_NAME %{GSS_NAME}s
+ RequestHeader set REMOTE_USER %{REMOTE_USER}s
+ </Location>
@@ -141,8 +141,8 @@ Alias /ipa/crl "$CRL_PUBLISH_PATH"
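Review bot: The added ProxyPass line moves only the Apache end of the socket to /run/apache2/ipa-custodia.sock; nothing in this commit shows the path the custodia daemon binds being changed to match. Please confirm both ends agree and that the directory's ownership lets only the web server reach the socket, because this Location forwards GSS_NAME and REMOTE_USER to custodia as the authenticated identity. Extending the "Description: Fix paths" header to mention the socket path would also help.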
diff --git a/debian/patches/series b/debian/patches/series
index 2432f71..c236adc 100644
--- a/debian/patches/series
+++ b/debian/patches/series
@@ -12,3 +12,4 @@ fix-kdcproxy-paths.diff
fix-ipa-otpd-install.diff
fix-certmonger-script-install.diff
use-httpd-user.diff
+fix-custodia-conf.diff
commit 70ad747693d1ace69c867e03417d6db8a3ac7552
Author: Timo Aaltonen <tjaalton at debian.org>
Date: Wed Mar 2 12:37:51 2016 +0200
platform: use systemwide certificate store
diff --git a/debian/changelog b/debian/changelog
index feac2e6..8a0a3e2 100644
--- a/debian/changelog
+++ b/debian/changelog
@@ -42,8 +42,11 @@ freeipa (4.3.0-1) UNRELEASED; urgency=medium
* server.postinst, tmpfile: Create state directories for
mod_auth_gssapi.
* fix-kdcproxy-paths.diff: Fix paths in kdcproxy configs.
- * add-debian-platform.diff: Update paths.py to include all variables,
- comment out ones we don't modify.
+ * add-debian-platform.diff:
+ - Update paths.py to include all variables, comment out ones we don't
+ modify.
+ - Use systemwide certificate store; put ipa-ca.crt in
+ /usr/local/share/ca-certificates, and run update-ca-certificates
* rules, server.install: Install scripts under /usr/lib instead of
multiarch path to avoid hacking the code too much.
* fix-ipa-otpd-install.diff, rules, server.install: Put ipa-otpd in
diff --git a/debian/patches/add-debian-platform.diff b/debian/patches/add-debian-platform.diff
index 5674411..bb1de9c 100644
--- a/debian/patches/add-debian-platform.diff
+++ b/debian/patches/add-debian-platform.diff
@@ -131,7 +131,7 @@ Date: Fri Mar 1 12:21:00 2013 +0200
+# PAM_LDAP_CONF = "/etc/pam_ldap.conf"
+# PASSWD = "/etc/passwd"
+# SYSTEMWIDE_IPA_CA_CRT = "/etc/pki/ca-trust/source/anchors/ipa-ca.crt"
-+# IPA_P11_KIT = "/etc/pki/ca-trust/source/ipa.p11-kit"
++ IPA_P11_KIT = "/usr/local/share/ca-certificates/ipa-ca.crt"
+# NSS_DB_DIR = "/etc/pki/nssdb"
+# PKI_TOMCAT = "/etc/pki/pki-tomcat"
+# PKI_TOMCAT_ALIAS_DIR = "/etc/pki/pki-tomcat/alias"
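Review bot: IPA_P11_KIT now points at /usr/local/share/ca-certificates/ipa-ca.crt, but the variable name and the old value (ipa.p11-kit) suggest the code writes a p11-kit formatted file to this path, whereas update-ca-certificates expects PEM certificates in its .crt files. Please verify what the inherited task actually writes here and that the result ends up in the system trust store. The neighbouring SYSTEMWIDE_IPA_CA_CRT stays commented out and so keeps its /etc/pki default; a comment saying whether that is intended would help.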
@@ -217,7 +217,7 @@ Date: Fri Mar 1 12:21:00 2013 +0200
+# SSS_SSH_AUTHORIZEDKEYS = "/usr/bin/sss_ssh_authorizedkeys"
+# SSS_SSH_KNOWNHOSTSPROXY = "/usr/bin/sss_ssh_knownhostsproxy"
+# BIN_TIMEOUT = "/usr/bin/timeout"
-+# UPDATE_CA_TRUST = "/usr/bin/update-ca-trust"
++ UPDATE_CA_TRUST = "/usr/sbin/update-ca-certificates"
+# BIN_CURL = "/usr/bin/curl"
+# ZIP = "/usr/bin/zip"
+ BIND_LDAP_SO = "/usr/share/doc/bind9-dyndb-ldap/copyright"
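Review bot: UPDATE_CA_TRUST = "/usr/sbin/update-ca-certificates" makes the installer call a binary from the ca-certificates package, while the only debian/control change in this push is the added zip. Please check that the package shipping ipaplatform depends on ca-certificates directly rather than by accident through another dependency. It is also worth confirming that callers pass no update-ca-trust specific arguments, since the two tools do not share a command line.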
@@ -592,7 +592,7 @@ Date: Fri Mar 1 12:21:00 2013 +0200
+knownservices = DebianServices()
--- /dev/null
+++ b/ipaplatform/debian/tasks.py
-@@ -0,0 +1,53 @@
+@@ -0,0 +1,47 @@
+# Authors:
+# Timo Aaltonen <tjaalton at ubuntu.com>
+#
@@ -636,12 +636,6 @@ Date: Fri Mar 1 12:21:00 2013 +0200
+ def modify_pam_to_use_krb5(self, statestore):
+ return True
+
-+ def insert_ca_cert_into_systemwide_ca_store(self, ca_certs):
-+ return True
-+
-+ def remove_ca_certs_from_systemwide_ca_store(self):
-+ return True
-+
+ def restore_network_configuration(self, fstore, statestore):
+ return True
+
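Review bot: Dropping the two "return True" stubs means the inherited implementations now really run on Debian, on install and on uninstall, so failures the stubs used to hide will surface. Please test both directions, in particular that uninstall removes ipa-ca.crt from /usr/local/share/ca-certificates and reruns update-ca-certificates; otherwise a removed IPA CA stays trusted system-wide. The removed stubs were also named inconsistently (insert_ca_cert_... singular, remove_ca_certs_... plural), so check whether the first one ever matched the method the base class calls.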
commit 4786dac4280503f221a0933c3106baf2bb573456
Author: Timo Aaltonen <tjaalton at debian.org>
Date: Wed Mar 2 11:42:19 2016 +0200
server: enable mod_proxy_http too
diff --git a/debian/changelog b/debian/changelog
index ecf756e..feac2e6 100644
--- a/debian/changelog
+++ b/debian/changelog
@@ -54,7 +54,8 @@ freeipa (4.3.0-1) UNRELEASED; urgency=medium
to server, needed on upgrades even if trust-ad isn't set up.
* user-httpd-user.diff: Patch dogtaginstance.py to use HTTPD_USER.
* control: Add pki-tools to python-ipaserver deps.
- * server: Enable mod_proxy_ajp on postinst, disable on postrm.
+ * server: Enable mod_proxy_ajp and mod_proxy_http on postinst, disable
+ on postrm.
* control: Add zip to python-ipaserver depends.
-- Timo Aaltonen <tjaalton at debian.org> Sat, 03 Oct 2015 08:56:31 +0300
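Review bot: The context entry "user-httpd-user.diff" in this stanza does not match the patch name "use-httpd-user.diff" listed in debian/patches/series; worth fixing the typo while these entries are being touched.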
diff --git a/debian/freeipa-server.postinst b/debian/freeipa-server.postinst
index f744791..697e424 100644
--- a/debian/freeipa-server.postinst
+++ b/debian/freeipa-server.postinst
@@ -25,6 +25,9 @@ if [ "$1" = configure ]; then
if [ ! -e /etc/apache2/mods-enabled/proxy_ajp.load ]; then
apache2_invoke enmod proxy_ajp || exit $?
fi
+ if [ ! -e /etc/apache2/mods-enabled/proxy_http.load ]; then
+ apache2_invoke enmod proxy_http || exit $?
+ fi
if [ ! -e /etc/apache2/mods-enabled/rewrite.load ]; then
apache2_invoke enmod rewrite || exit $?
fi
diff --git a/debian/freeipa-server.postrm b/debian/freeipa-server.postrm
index 25374d4..235ebba 100644
--- a/debian/freeipa-server.postrm
+++ b/debian/freeipa-server.postrm
@@ -30,6 +30,9 @@ case "$1" in
if [ -e /etc/apache2/mods-enabled/proxy_ajp.load ]; then
apache2_invoke dismod proxy_ajp || exit $?
fi
+ if [ -e /etc/apache2/mods-enabled/proxy_http.load ]; then
+ apache2_invoke dismod proxy_http || exit $?
+ fi
if [ -e /etc/apache2/mods-enabled/rewrite.load ]; then
apache2_invoke dismod rewrite || exit $?
fi
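Review bot: The added postrm block runs "apache2_invoke dismod proxy_http" whenever proxy_http.load exists, while the postinst only calls enmod when the module was not already enabled, so the visible lines keep no record of whether this package was the one that turned it on. On a host where the admin had enabled proxy_http for another site, removing freeipa-server could break that site; please confirm that apache2_invoke's own state tracking covers this case, or record it explicitly. The same applies to the proxy_ajp block just above.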
commit 68d9f84bccaa7259a1037cc656922b207ae1d0a3
Author: Timo Aaltonen <tjaalton at debian.org>
Date: Wed Mar 2 11:36:21 2016 +0200
control: Add zip to python-ipaserver depends.
diff --git a/debian/changelog b/debian/changelog
index 7314db0..ecf756e 100644
--- a/debian/changelog
+++ b/debian/changelog
@@ -55,6 +55,7 @@ freeipa (4.3.0-1) UNRELEASED; urgency=medium
* user-httpd-user.diff: Patch dogtaginstance.py to use HTTPD_USER.
* control: Add pki-tools to python-ipaserver deps.
* server: Enable mod_proxy_ajp on postinst, disable on postrm.
+ * control: Add zip to python-ipaserver depends.
-- Timo Aaltonen <tjaalton at debian.org> Sat, 03 Oct 2015 08:56:31 +0300
diff --git a/debian/control b/debian/control
index 3571229..4946daa 100644
--- a/debian/control
+++ b/debian/control
@@ -312,6 +312,7 @@ Depends:
python-ldap (>= 2.4.22),
python-libsss-nss-idmap,
python-pyasn1,
+ zip,
${misc:Depends},
${python:Depends},
Description: FreeIPA centralized identity framework -- Python modules for server
commit 5372ffa2932dd74971d0ea1f89c7bfcfef44dec2
Author: Timo Aaltonen <tjaalton at debian.org>
Date: Tue Mar 1 17:39:32 2016 +0200
server: Enable mod_proxy_ajp on postinst, disable on postrm.
diff --git a/debian/changelog b/debian/changelog
index ccbcd38..7314db0 100644
--- a/debian/changelog
+++ b/debian/changelog
@@ -54,6 +54,7 @@ freeipa (4.3.0-1) UNRELEASED; urgency=medium
to server, needed on upgrades even if trust-ad isn't set up.
* user-httpd-user.diff: Patch dogtaginstance.py to use HTTPD_USER.
* control: Add pki-tools to python-ipaserver deps.
+ * server: Enable mod_proxy_ajp on postinst, disable on postrm.
-- Timo Aaltonen <tjaalton at debian.org> Sat, 03 Oct 2015 08:56:31 +0300
diff --git a/debian/freeipa-server.postinst b/debian/freeipa-server.postinst
index fd8ae36..f744791 100644
--- a/debian/freeipa-server.postinst
+++ b/debian/freeipa-server.postinst
@@ -22,6 +22,9 @@ if [ "$1" = configure ]; then
if [ ! -e /etc/apache2/mods-enabled/proxy.load ]; then
apache2_invoke enmod proxy || exit $?
fi
+ if [ ! -e /etc/apache2/mods-enabled/proxy_ajp.load ]; then
+ apache2_invoke enmod proxy_ajp || exit $?
+ fi
if [ ! -e /etc/apache2/mods-enabled/rewrite.load ]; then
apache2_invoke enmod rewrite || exit $?
fi
diff --git a/debian/freeipa-server.postrm b/debian/freeipa-server.postrm
index fa94838..25374d4 100644
--- a/debian/freeipa-server.postrm
+++ b/debian/freeipa-server.postrm
@@ -27,6 +27,9 @@ case "$1" in
if [ -e /etc/apache2/mods-enabled/proxy.load ]; then
apache2_invoke dismod proxy || exit $?
fi
+ if [ -e /etc/apache2/mods-enabled/proxy_ajp.load ]; then
+ apache2_invoke dismod proxy_ajp || exit $?
+ fi
if [ -e /etc/apache2/mods-enabled/rewrite.load ]; then
apache2_invoke dismod rewrite || exit $?
fi