[Pkg-freeipa-devel] freeipa: Changes to 'master-next'
Timo Aaltonen
tjaalton at moszumanska.debian.org
Sun Mar 27 16:01:10 UTC 2016
API.txt | 2
VERSION | 6
client/ipa-client-install | 2
daemons/dnssec/ipa-dnskeysync-replica | 1
daemons/dnssec/ipa-ods-exporter | 1
daemons/ipa-kdb/ipa_kdb.c | 9
daemons/ipa-kdb/ipa_kdb.h | 1
daemons/ipa-kdb/ipa_kdb_mspac.c | 16
daemons/ipa-kdb/ipa_kdb_principals.c | 23
debian/changelog | 7
debian/freeipa-server.install | 1
debian/patches/add-debian-platform.diff | 28
debian/patches/configure-apache-from-installer.diff | 203 +++
debian/patches/drop-ipap11helper-imports.diff | 20
debian/patches/fix-custodia-conf.diff | 13
debian/patches/fix-kdcproxy-paths.diff | 8
debian/patches/fix-named-conf-template.diff | 33
debian/patches/fix-opendnssec-conf-template.diff | 24
debian/patches/ipaplatform-Move-remaining-user-group-constants-to-i.patch | 672 ----------
debian/patches/series | 6
freeipa.spec.in | 32
install/oddjob/com.redhat.idm.trust-fetch-domains | 3
install/share/60basev3.ldif | 2
install/share/copy-schema-to-ca.py | 8
install/share/custodia.conf.template | 4
install/share/kdc.conf.template | 10
install/share/krb5.conf.template | 2
install/share/opendnssec_conf.template | 4
install/tools/ipa-replica-conncheck | 2
install/ui/src/freeipa/topology.js | 48
install/ui/src/freeipa/topology_graph.js | 146 ++
install/ui/src/freeipa/user.js | 10
install/ui/src/freeipa/widget.js | 6
install/updates/20-sslciphers.update | 6
install/updates/20-syncrepl.update | 2
ipaclient/ipadiscovery.py | 10
ipalib/messages.py | 8
ipalib/plugins/config.py | 3
ipalib/plugins/otptoken.py | 73 -
ipalib/plugins/stageuser.py | 17
ipalib/plugins/trust.py | 4
ipaplatform/base/constants.py | 9
ipaplatform/base/paths.py | 3
ipaplatform/base/services.py | 12
ipaplatform/redhat/services.py | 26
ipaplatform/redhat/tasks.py | 5
ipapython/certdb.py | 18
ipaserver/install/bindinstance.py | 2
ipaserver/install/cainstance.py | 16
ipaserver/install/custodiainstance.py | 6
ipaserver/install/dns.py | 4
ipaserver/install/dnskeysyncinstance.py | 9
ipaserver/install/dogtaginstance.py | 12
ipaserver/install/dsinstance.py | 11
ipaserver/install/httpinstance.py | 2
ipaserver/install/ipa_backup.py | 4
ipaserver/install/ipa_restore.py | 25
ipaserver/install/krainstance.py | 9
ipaserver/install/krbinstance.py | 11
ipaserver/install/odsexporterinstance.py | 5
ipaserver/install/opendnssecinstance.py | 17
ipaserver/install/server/upgrade.py | 3
ipatests/test_integration/base.py | 8
ipatests/test_integration/tasks.py | 49
ipatests/test_integration/test_backup_and_restore.py | 5
ipatests/test_integration/test_replica_promotion.py | 223 +++
ipatests/test_xmlrpc/test_cert_plugin.py | 2
ipatests/test_xmlrpc/test_stageuser_plugin.py | 6
ipatests/test_xmlrpc/test_user_plugin.py | 2
ipatests/test_xmlrpc/tracker/user_plugin.py | 58
70 files changed, 1040 insertions(+), 998 deletions(-)
New commits:
commit 142ea373935f62b952bc524b5e19f8559d34da7a
Author: Timo Aaltonen <tjaalton at debian.org>
Date: Sun Mar 27 19:00:03 2016 +0300
configure apache systemd unit from the installer
diff --git a/debian/freeipa-server.install b/debian/freeipa-server.install
index fe86838..d44dc58 100644
--- a/debian/freeipa-server.install
+++ b/debian/freeipa-server.install
@@ -65,6 +65,7 @@ usr/share/ipa/html/*
usr/share/ipa/ipa-pki-proxy.conf
usr/share/ipa/ipa-rewrite.conf
usr/share/ipa/ipa.conf
+usr/share/ipa/ipa-httpd.conf
usr/share/ipa/kdcproxy.conf
usr/share/ipa/migration/*
usr/share/ipa/profiles/*.cfg
diff --git a/debian/patches/add-debian-platform.diff b/debian/patches/add-debian-platform.diff
index f0c9193..7da3b5c 100644
--- a/debian/patches/add-debian-platform.diff
+++ b/debian/patches/add-debian-platform.diff
@@ -31,7 +31,7 @@ Date: Fri Mar 1 12:21:00 2013 +0200
+"""
--- /dev/null
+++ b/ipaplatform/debian/paths.py
-@@ -0,0 +1,358 @@
+@@ -0,0 +1,360 @@
+# Authors:
+# Timo Aaltonen <tjaalton at ubuntu.com>
+#
@@ -168,6 +168,8 @@ Date: Fri Mar 1 12:21:00 2013 +0200
+ SYSCONFIG_PKI_TOMCAT = "/etc/default/pki-tomcat"
+ SYSCONFIG_PKI_TOMCAT_PKI_TOMCAT_DIR = "/etc/dogtag/tomcat/pki-tomcat"
+# ETC_SYSTEMD_SYSTEM_DIR = "/etc/systemd/system/"
++ SYSTEMD_SYSTEM_HTTPD_D_DIR = "/etc/systemd/system/apache2.d/"
++ SYSTEMD_SYSTEM_HTTPD_IPA_CONF = "/etc/systemd/system/apache2.d/ipa.conf"
+# SYSTEMD_CERTMONGER_SERVICE = "/etc/systemd/system/multi-user.target.wants/certmonger.service"
+# SYSTEMD_IPA_SERVICE = "/etc/systemd/system/multi-user.target.wants/ipa.service"
+# SYSTEMD_SSSD_SERVICE = "/etc/systemd/system/multi-user.target.wants/sssd.service"
@@ -693,7 +695,7 @@ Date: Fri Mar 1 12:21:00 2013 +0200
self.step("restarting httpd", self.__start)
self.step("configuring httpd to start on boot", self.__enable)
self.step("enabling oddjobd", self.enable_and_start_oddjobd)
-@@ -502,6 +503,8 @@ class HTTPInstance(service.Service):
+@@ -507,6 +508,8 @@ class HTTPInstance(service.Service):
except Exception:
pass
diff --git a/debian/patches/configure-apache-from-installer.diff b/debian/patches/configure-apache-from-installer.diff
new file mode 100644
index 0000000..2622fd0
--- /dev/null
+++ b/debian/patches/configure-apache-from-installer.diff
@@ -0,0 +1,203 @@
+From 9cce757cbdb19e71d314339cd2b822792dde3210 Mon Sep 17 00:00:00 2001
+From: Martin Basti <mbasti at redhat.com>
+Date: Wed, 16 Mar 2016 09:04:42 +0100
+Subject: [PATCH] Configure httpd service from installer instead of directly
+ from RPM
+
+File httpd.service was created by RPM, what causes that httpd service may
+fail due IPA specific configuration even if IPA wasn't installed or was
+uninstalled (without erasing RPMs).
+
+With this patch httpd service is configured by httpd.d/ipa.conf during
+IPA installation and this config is removed by uninstaller, so no
+residual http configuration related to IPA should stay there.
+
+https://fedorahosted.org/freeipa/ticket/5681
+---
+ freeipa.spec.in | 4 ++--
+ install/share/Makefile.am | 1 +
+ .../httpd.service => install/share/ipa-httpd.conf | 2 +-
+ ipaplatform/base/paths.py | 2 ++
+ ipaplatform/base/tasks.py | 8 ++++++++
+ ipaplatform/redhat/tasks.py | 19 +++++++++++++++++++
+ ipaserver/install/httpinstance.py | 6 ++++++
+ ipaserver/install/server/upgrade.py | 5 +++++
+ 8 files changed, 44 insertions(+), 3 deletions(-)
+ rename init/systemd/httpd.service => install/share/ipa-httpd.conf (82%)
+
+diff --git a/freeipa.spec.in b/freeipa.spec.in
+index 07a239af02dbe7adf36063af25d29394dbc6f647..40276e843ab80678846fabe5ea2e262caea7f94e 100644
+--- a/freeipa.spec.in
++++ b/freeipa.spec.in
+@@ -828,7 +828,6 @@ mkdir -p %{buildroot}%{_unitdir}
+ mkdir -p %{buildroot}%{etc_systemd_dir}
+ install -m 644 init/systemd/ipa.service %{buildroot}%{_unitdir}/ipa.service
+ install -m 644 init/systemd/ipa_memcached.service %{buildroot}%{_unitdir}/ipa_memcached.service
+-install -m 644 init/systemd/httpd.service %{buildroot}%{etc_systemd_dir}/httpd.service
+ install -m 644 init/systemd/ipa-custodia.service %{buildroot}%{_unitdir}/ipa-custodia.service
+ # END
+ mkdir -p %{buildroot}/%{_localstatedir}/lib/ipa/backup
+@@ -1136,7 +1135,7 @@ fi
+ %{_tmpfilesdir}/%{name}.conf
+ %attr(644,root,root) %{_unitdir}/ipa_memcached.service
+ %attr(644,root,root) %{_unitdir}/ipa-custodia.service
+-%attr(644,root,root) %{etc_systemd_dir}/httpd.service
++%ghost %attr(644,root,root) %{etc_systemd_dir}/httpd.d/ipa.conf
+ # END
+ %dir %{_usr}/share/ipa
+ %{_usr}/share/ipa/wsgi.py*
+@@ -1211,6 +1210,7 @@ fi
+ %{_usr}/share/ipa/ipa-rewrite.conf
+ %{_usr}/share/ipa/ipa-pki-proxy.conf
+ %{_usr}/share/ipa/kdcproxy.conf
++%{_usr}/share/ipa/ipa-httpd.conf
+ %ghost %attr(0644,root,apache) %config(noreplace) %{_usr}/share/ipa/html/ca.crt
+ %ghost %attr(0644,root,apache) %{_usr}/share/ipa/html/kerberosauth.xpi
+ %ghost %attr(0644,root,apache) %{_usr}/share/ipa/html/krb.con
+diff --git a/install/share/Makefile.am b/install/share/Makefile.am
+index b4cb8312471a68d8cd855f542478afe10d200c39..16745bab34057bd72b19bd7659a67df0d291b27e 100644
+--- a/install/share/Makefile.am
++++ b/install/share/Makefile.am
+@@ -88,6 +88,7 @@ app_DATA = \
+ kdcproxy.conf \
+ kdcproxy-enable.uldif \
+ kdcproxy-disable.uldif \
++ ipa-httpd.conf \
+ $(NULL)
+
+ EXTRA_DIST = \
+diff --git a/init/systemd/httpd.service b/install/share/ipa-httpd.conf
+similarity index 82%
+rename from init/systemd/httpd.service
+rename to install/share/ipa-httpd.conf
+index 7ce8f04d8b9bb3663e59d4fdc610af0eb4478178..8292b1c8ec8983f5210f0769f14e01bcedaf9da5 100644
+--- a/init/systemd/httpd.service
++++ b/install/share/ipa-httpd.conf
+@@ -1,4 +1,4 @@
+-.include /usr/lib/systemd/system/httpd.service
++# Do not edit. Created by IPA installer.
+
+ [Service]
+ Environment=KRB5CCNAME=/var/run/httpd/ipa/krbcache/krb5ccache
+diff --git a/ipaplatform/base/paths.py b/ipaplatform/base/paths.py
+index e4b8bd76d5f23c226269f1b3880a9aa3e2ebf63d..4075e136b44179c4953d9ff7ace285cbb6e3a1ac 100644
+--- a/ipaplatform/base/paths.py
++++ b/ipaplatform/base/paths.py
+@@ -127,6 +127,8 @@ class BasePathNamespace(object):
+ SYSCONFIG_PKI_TOMCAT = "/etc/sysconfig/pki-tomcat"
+ SYSCONFIG_PKI_TOMCAT_PKI_TOMCAT_DIR = "/etc/sysconfig/pki/tomcat/pki-tomcat"
+ ETC_SYSTEMD_SYSTEM_DIR = "/etc/systemd/system/"
++ SYSTEMD_SYSTEM_HTTPD_D_DIR = "/etc/systemd/system/httpd.d/"
++ SYSTEMD_SYSTEM_HTTPD_IPA_CONF = "/etc/systemd/system/httpd.d/ipa.conf"
+ SYSTEMD_CERTMONGER_SERVICE = "/etc/systemd/system/multi-user.target.wants/certmonger.service"
+ SYSTEMD_IPA_SERVICE = "/etc/systemd/system/multi-user.target.wants/ipa.service"
+ SYSTEMD_SSSD_SERVICE = "/etc/systemd/system/multi-user.target.wants/sssd.service"
+diff --git a/ipaplatform/base/tasks.py b/ipaplatform/base/tasks.py
+index 573287c6bf732991946a75c8817899ee6c1842e3..3142120499d76b22a67edb7800ea69a52b0626d1 100644
+--- a/ipaplatform/base/tasks.py
++++ b/ipaplatform/base/tasks.py
+@@ -236,3 +236,11 @@ class BaseTaskNamespace(object):
+ :return: object implementing proper __cmp__ method for version compare
+ """
+ return parse_version(version)
++
++ def configure_httpd_service_ipa_conf(self):
++ """Configure httpd service to work with IPA"""
++ return
++
++ def remove_httpd_service_ipa_conf(self):
++ """Remove configuration of httpd service of IPA"""
++ return
+diff --git a/ipaplatform/redhat/tasks.py b/ipaplatform/redhat/tasks.py
+index 6380486792bf62e3a7e607aba8658b0c519f67f8..092ec6fdd529dcdbf34f0ae53bf29a1af4a5b01c 100644
+--- a/ipaplatform/redhat/tasks.py
++++ b/ipaplatform/redhat/tasks.py
+@@ -30,6 +30,7 @@ import stat
+ import socket
+ import sys
+ import base64
++import shutil
+ from cffi import FFI
+ from ctypes.util import find_library
+ from functools import total_ordering
+@@ -459,5 +460,23 @@ class RedHatTaskNamespace(BaseTaskNamespace):
+ """
+ return IPAVersion(version)
+
++ def configure_httpd_service_ipa_conf(self):
++ """Create systemd config for httpd service to work with IPA
++ """
++ if not os.path.exists(paths.SYSTEMD_SYSTEM_HTTPD_D_DIR):
++ os.mkdir(paths.SYSTEMD_SYSTEM_HTTPD_D_DIR, 0o755)
++
++ shutil.copy(
++ os.path.join(ipautil.SHARE_DIR, 'ipa-httpd.conf'),
++ paths.SYSTEMD_SYSTEM_HTTPD_IPA_CONF)
++ os.chmod(paths.SYSTEMD_SYSTEM_HTTPD_IPA_CONF, 0o644)
++ self.restore_context(paths.SYSTEMD_SYSTEM_HTTPD_IPA_CONF)
++
++ def remove_httpd_service_ipa_conf(self):
++ """Remove systemd config for httpd service of IPA"""
++ try:
++ os.unlink(paths.SYSTEMD_SYSTEM_HTTPD_IPA_CONF)
++ except OSError:
++ pass
+
+ tasks = RedHatTaskNamespace()
+diff --git a/ipaserver/install/httpinstance.py b/ipaserver/install/httpinstance.py
+index 54aeb8ae79eab0eab2661f52885229c09e0affaa..f784be5af3eae302630c4991b5fa6392f47050d1 100644
+--- a/ipaserver/install/httpinstance.py
++++ b/ipaserver/install/httpinstance.py
+@@ -225,6 +225,8 @@ class HTTPInstance(service.Service):
+ [paths.KDESTROY, '-A'], runas=HTTPD_USER, raiseonerr=False, env={})
+
+ def __configure_http(self):
++ self.update_httpd_service_ipa_conf()
++
+ target_fname = paths.HTTPD_IPA_CONF
+ http_txt = ipautil.template_file(ipautil.SHARE_DIR + "ipa.conf", self.sub_dict)
+ self.fstore.backup_file(paths.HTTPD_IPA_CONF)
+@@ -479,6 +481,9 @@ class HTTPInstance(service.Service):
+ except Exception as e:
+ root_logger.critical("Unable to start oddjobd: {0}".format(str(e)))
+
++ def update_httpd_service_ipa_conf(self):
++ tasks.configure_httpd_service_ipa_conf()
++
+ def uninstall(self):
+ if self.is_configured():
+ self.print_msg("Unconfiguring web server")
+@@ -533,6 +538,7 @@ class HTTPInstance(service.Service):
+ installutils.remove_file(paths.HTTPD_IPA_PKI_PROXY_CONF)
+ installutils.remove_file(paths.HTTPD_IPA_KDCPROXY_CONF_SYMLINK)
+ installutils.remove_file(paths.HTTPD_IPA_KDCPROXY_CONF)
++ tasks.remove_httpd_service_ipa_conf()
+
+ # Restore SELinux boolean states
+ boolean_states = {name: self.restore_state(name)
+diff --git a/ipaserver/install/server/upgrade.py b/ipaserver/install/server/upgrade.py
+index fc9c2eb62193fde594db89e06dacf8109dbbb60a..005a62018a6b6d7e9ac18d956ddee080025ebdc5 100644
+--- a/ipaserver/install/server/upgrade.py
++++ b/ipaserver/install/server/upgrade.py
+@@ -1375,6 +1375,10 @@ def update_mod_nss_cipher_suite(http):
+ 'cipher_suite_updated',
+ httpinstance.NSS_CIPHER_REVISION)
+
++def update_ipa_httpd_service_conf(http):
++ root_logger.info('[Updating HTTPD service IPA configuration]')
++ http.update_httpd_service_ipa_conf()
++
+
+ def ds_enable_sidgen_extdom_plugins(ds):
+ """For AD trust agents, make sure we enable sidgen and extdom plugins
+@@ -1561,6 +1565,7 @@ def upgrade_configuration():
+ http.enable_kdcproxy()
+
+ http.stop()
++ update_ipa_httpd_service_conf(http)
+ update_mod_nss_protocol(http)
+ update_mod_nss_cipher_suite(http)
+ fix_trust_flags()
+--
+2.5.0
+
diff --git a/debian/patches/fix-kdcproxy-paths.diff b/debian/patches/fix-kdcproxy-paths.diff
index 013bed6..2197232 100644
--- a/debian/patches/fix-kdcproxy-paths.diff
+++ b/debian/patches/fix-kdcproxy-paths.diff
@@ -1,12 +1,11 @@
---- a/init/systemd/httpd.service
-+++ b/init/systemd/httpd.service
+--- a/install/share/ipa-httpd.conf
++++ b/install/share/ipa-httpd.conf
@@ -1,7 +1,7 @@
--.include /usr/lib/systemd/system/httpd.service
-+.include /lib/systemd/system/apache2.service
+ # Do not edit. Created by IPA installer.
[Service]
-Environment=KRB5CCNAME=/var/run/httpd/ipa/krbcache/krb5ccache
-+Environment=KRB5CCNAME=/var/run/apache2/ipa/krbcache/krb5ccache
++Environment=KRB5CCNAME=/run/apache2/ipa/krbcache/krb5ccache
Environment=KDCPROXY_CONFIG=/etc/ipa/kdcproxy/kdcproxy.conf
-ExecStartPre=/usr/libexec/ipa/ipa-httpd-kdcproxy
+ExecStartPre=/usr/lib/ipa/ipa-httpd-kdcproxy
diff --git a/debian/patches/series b/debian/patches/series
index 6978469..fb20185 100644
--- a/debian/patches/series
+++ b/debian/patches/series
@@ -1,4 +1,5 @@
# upstreamed
+configure-apache-from-installer.diff
# not upstreamable
work-around-apache-fail.diff
commit f0253024560215469f383887373e9546c6b75421
Author: Timo Aaltonen <tjaalton at debian.org>
Date: Sun Mar 27 17:30:40 2016 +0300
fix typo in paths.py, enable ipa-rewrite.conf by default
diff --git a/debian/patches/add-debian-platform.diff b/debian/patches/add-debian-platform.diff
index 348898c..f0c9193 100644
--- a/debian/patches/add-debian-platform.diff
+++ b/debian/patches/add-debian-platform.diff
@@ -87,9 +87,9 @@ Date: Fri Mar 1 12:21:00 2013 +0200
+ ALIAS_PWDFILE_TXT = "/etc/apache2/nssdb/pwdfile.txt"
+ HTTPD_CONF_D_DIR = "/etc/apache2/conf-enabled/"
+# HTTPD_IPA_KDCPROXY_CONF = "/etc/ipa/kdcproxy/ipa-kdc-proxy.conf"
-+ HTTPD_IPA_KDCPROXY_CONF_SYMLINK = "/etc/apache2/conf.enabled/ipa-kdc-proxy.conf"
++ HTTPD_IPA_KDCPROXY_CONF_SYMLINK = "/etc/apache2/conf-enabled/ipa-kdc-proxy.conf"
+ HTTPD_IPA_PKI_PROXY_CONF = "/etc/apache2/conf-enabled/ipa-pki-proxy.conf"
-+ HTTPD_IPA_REWRITE_CONF = "/etc/apache2/conf-available/ipa-rewrite.conf"
++ HTTPD_IPA_REWRITE_CONF = "/etc/apache2/conf-enabled/ipa-rewrite.conf"
+ HTTPD_IPA_CONF = "/etc/apache2/conf-enabled/ipa.conf"
+ HTTPD_NSS_CONF = "/etc/apache2/mods-available/nss.conf"
+# HTTPD_SSL_CONF = "/etc/httpd/conf.d/ssl.conf"
commit b2ada4a697f10c0ffc918f6ee453a24df6851390
Author: Timo Aaltonen <tjaalton at debian.org>
Date: Sun Mar 27 16:38:52 2016 +0300
fix typos in fix-kdcproxy-paths.diff
diff --git a/debian/patches/fix-kdcproxy-paths.diff b/debian/patches/fix-kdcproxy-paths.diff
index 654a0cd..013bed6 100644
--- a/debian/patches/fix-kdcproxy-paths.diff
+++ b/debian/patches/fix-kdcproxy-paths.diff
@@ -1,11 +1,12 @@
--- a/init/systemd/httpd.service
+++ b/init/systemd/httpd.service
@@ -1,7 +1,7 @@
- .include /usr/lib/systemd/system/httpd.service
+-.include /usr/lib/systemd/system/httpd.service
++.include /lib/systemd/system/apache2.service
[Service]
-Environment=KRB5CCNAME=/var/run/httpd/ipa/krbcache/krb5ccache
-+Environment=KRB5CCNAME=/var/run/apache/ipa/krbcache/krb5ccache
++Environment=KRB5CCNAME=/var/run/apache2/ipa/krbcache/krb5ccache
Environment=KDCPROXY_CONFIG=/etc/ipa/kdcproxy/kdcproxy.conf
-ExecStartPre=/usr/libexec/ipa/ipa-httpd-kdcproxy
+ExecStartPre=/usr/lib/ipa/ipa-httpd-kdcproxy
commit deedd4e172199195017d30c4da048db491635155
Author: Timo Aaltonen <tjaalton at debian.org>
Date: Sun Mar 27 16:37:27 2016 +0300
bump version, drop patches
diff --git a/debian/changelog b/debian/changelog
index 1912f58..8e24659 100644
--- a/debian/changelog
+++ b/debian/changelog
@@ -1,4 +1,4 @@
-freeipa (4.3.0+git20160322-1) UNRELEASED; urgency=medium
+freeipa (4.3.1-1) UNRELEASED; urgency=medium
* New upstream snapshot.
- refresh patches
@@ -35,8 +35,7 @@ freeipa (4.3.0+git20160322-1) UNRELEASED; urgency=medium
* Split freeipa-server-dns from server.
* admintools: Use the new location for bash completions.
* rules: Fix paths in oddjob configs.
- * control, rules, fix-ipa-conf.diff, fix-custodia-conf.diff:
- Add support for custodia.
+ * control, rules, fix-ipa-conf.diff: Add support for custodia.
* rules: Remove obsolete configure.jar, preferences.html.
* platform: Fix ipautil.run stdout handling, add support for systemd.
* control: Bump server and python-ipaserver dependency on python-ldap
@@ -66,8 +65,6 @@ freeipa (4.3.0+git20160322-1) UNRELEASED; urgency=medium
various bits to use ipaplatform.constants.
* fix-dnssec-services.diff: Debianize ipa-dnskeysyncd & ipa-ods-
exporter units.
- * fix-opendnssec-conf-template.diff: Use ODS_USER/ODS_GROUP constants
- in the template.
* control: Add python-systemd to server depends.
* rules, platform, server.dirs, server.install: Add support for
DNSSEC.
diff --git a/debian/patches/Fix-kdc.conf.template-to-use-ipaplatform.paths.patch b/debian/patches/Fix-kdc.conf.template-to-use-ipaplatform.paths.patch
deleted file mode 100644
index e7478a1..0000000
--- a/debian/patches/Fix-kdc.conf.template-to-use-ipaplatform.paths.patch
+++ /dev/null
@@ -1,62 +0,0 @@
-From 5798e8c04e716bc6fad01c8ea87473a1859eea28 Mon Sep 17 00:00:00 2001
-From: Timo Aaltonen <tjaalton at debian.org>
-Date: Wed, 23 Mar 2016 00:32:52 +0200
-Subject: [PATCH] Fix kdc.conf.template to use ipaplatform.paths.
-
-https://fedorahosted.org/freeipa/ticket/5343
----
- install/share/kdc.conf.template | 10 +++++-----
- ipaplatform/base/paths.py | 3 +++
- ipaserver/install/krbinstance.py | 7 ++++++-
- 3 files changed, 14 insertions(+), 6 deletions(-)
-
---- a/install/share/kdc.conf.template
-+++ b/install/share/kdc.conf.template
-@@ -8,10 +8,10 @@
- master_key_type = aes256-cts
- max_life = 7d
- max_renewable_life = 14d
-- acl_file = /var/kerberos/krb5kdc/kadm5.acl
-- dict_file = /usr/share/dict/words
-+ acl_file = $KRB5KDC_KADM5_ACL
-+ dict_file = $DICT_WORDS
- default_principal_flags = +preauth
--; admin_keytab = /var/kerberos/krb5kdc/kadm5.keytab
-- pkinit_identity = FILE:/var/kerberos/krb5kdc/kdc.pem
-- pkinit_anchors = FILE:/var/kerberos/krb5kdc/cacert.pem
-+; admin_keytab = $KRB5KDC_KADM5_KEYTAB
-+ pkinit_identity = FILE:$KDC_PEM
-+ pkinit_anchors = FILE:$CACERT_PEM
- }
---- a/ipaplatform/base/paths.py
-+++ b/ipaplatform/base/paths.py
-@@ -237,10 +237,13 @@ class BasePathNamespace(object):
- SCHEMA_COMPAT_ULDIF = "/usr/share/ipa/schema_compat.uldif"
- IPA_JS_PLUGINS_DIR = "/usr/share/ipa/ui/js/plugins"
- UPDATES_DIR = "/usr/share/ipa/updates/"
-+ DICT_WORDS = "/usr/share/dict/words"
- CACHE_IPA_SESSIONS = "/var/cache/ipa/sessions"
- VAR_KERBEROS_KRB5KDC_DIR = "/var/kerberos/krb5kdc/"
- VAR_KRB5KDC_K5_REALM = "/var/kerberos/krb5kdc/.k5."
- CACERT_PEM = "/var/kerberos/krb5kdc/cacert.pem"
-+ KRB5KDC_KADM5_ACL = "/var/kerberos/krb5kdc/kadm5.acl"
-+ KRB5KDC_KADM5_KEYTAB = "/var/kerberos/krb5kdc/kadm5.keytab"
- KRB5KDC_KDC_CONF = "/var/kerberos/krb5kdc/kdc.conf"
- KDC_PEM = "/var/kerberos/krb5kdc/kdc.pem"
- VAR_LIB = "/var/lib"
---- a/ipaserver/install/krbinstance.py
-+++ b/ipaserver/install/krbinstance.py
-@@ -228,7 +228,12 @@ class KrbInstance(service.Service):
- DOMAIN=self.domain,
- HOST=self.host,
- SERVER_ID=installutils.realm_to_serverid(self.realm),
-- REALM=self.realm)
-+ REALM=self.realm,
-+ KRB5KDC_KADM5_ACL=paths.KRB5KDC_KADM5_ACL,
-+ DICT_WORDS=paths.DICT_WORDS,
-+ KRB5KDC_KADM5_KEYTAB=paths.KRB5KDC_KADM5_KEYTAB,
-+ KDC_PEM=paths.KDC_PEM,
-+ CACERT_PEM=paths.CACERT_PEM)
-
- # IPA server/KDC is not a subdomain of default domain
- # Proper domain-realm mapping needs to be specified
diff --git a/debian/patches/fix-custodia-conf.diff b/debian/patches/fix-custodia-conf.diff
deleted file mode 100644
index b3e3aea..0000000
--- a/debian/patches/fix-custodia-conf.diff
+++ /dev/null
@@ -1,13 +0,0 @@
---- a/install/share/custodia.conf.template
-+++ b/install/share/custodia.conf.template
-@@ -5,8 +5,8 @@ auditlog = $IPA_CUSTODIA_AUDIT_LOG
-
- [auth:simple]
- handler = custodia.httpd.authenticators.SimpleCredsAuth
--uid = 48
--gid = 48
-+uid = 33
-+gid = 33
-
- [auth:header]
- handler = custodia.httpd.authenticators.SimpleHeaderAuth
diff --git a/debian/patches/fix-opendnssec-conf-template.diff b/debian/patches/fix-opendnssec-conf-template.diff
deleted file mode 100644
index 82f18ca..0000000
--- a/debian/patches/fix-opendnssec-conf-template.diff
+++ /dev/null
@@ -1,24 +0,0 @@
---- a/install/share/opendnssec_conf.template
-+++ b/install/share/opendnssec_conf.template
-@@ -28,8 +28,8 @@
-
- <Enforcer>
- <Privileges>
-- <User>ods</User>
-- <Group>ods</Group>
-+ <User>$ODS_USER</User>
-+ <Group>$ODS_GROUP</Group>
- </Privileges>
-
- <Datastore><SQLite>$KASP_DB</SQLite></Datastore>
---- a/ipaserver/install/opendnssecinstance.py
-+++ b/ipaserver/install/opendnssecinstance.py
-@@ -80,6 +80,8 @@ class OpenDNSSECInstance(service.Service
- 'SOFTHSM_LIB': paths.LIBSOFTHSM2_SO,
- 'TOKEN_LABEL': dnskeysyncinstance.softhsm_token_label,
- 'KASP_DB': paths.OPENDNSSEC_KASP_DB,
-+ 'ODS_USER': constants.ODS_USER,
-+ 'ODS_GROUP': constants.ODS_GROUP,
- }
- self.kasp_file_dict = {}
- self.extra_config = [KEYMASTER]
diff --git a/debian/patches/ipa_restore-Import-only-FQDN-from-ipalib.constants.patch b/debian/patches/ipa_restore-Import-only-FQDN-from-ipalib.constants.patch
deleted file mode 100644
index 285a00f..0000000
--- a/debian/patches/ipa_restore-Import-only-FQDN-from-ipalib.constants.patch
+++ /dev/null
@@ -1,43 +0,0 @@
-From d161e7ad51c90be6643a2851d5d21e1ae8a375dd Mon Sep 17 00:00:00 2001
-From: Timo Aaltonen <tjaalton at debian.org>
-Date: Tue, 22 Mar 2016 21:05:39 +0200
-Subject: [PATCH] ipa_restore: Import only FQDN from ipalib.constants
-
----
- ipaserver/install/ipa_restore.py | 9 +++++----
- 1 file changed, 5 insertions(+), 4 deletions(-)
-
---- a/ipaserver/install/ipa_restore.py
-+++ b/ipaserver/install/ipa_restore.py
-@@ -30,7 +30,8 @@ import locale
- from six.moves.configparser import SafeConfigParser
- import six
-
--from ipalib import api, errors, constants
-+from ipalib import api, errors
-+from ipalib.constants import FQDN
- from ipapython import version, ipautil, certdb
- from ipapython.ipautil import run, user_input
- from ipapython import admintool
-@@ -218,7 +219,7 @@ class Restore(admintool.AdminTool):
- self.backup_dir = os.path.join(paths.IPA_BACKUP_DIR, self.backup_dir)
-
- self.log.info("Preparing restore from %s on %s",
-- self.backup_dir, constants.FQDN)
-+ self.backup_dir, FQDN)
-
- self.header = os.path.join(self.backup_dir, 'header')
-
-@@ -281,10 +282,10 @@ class Restore(admintool.AdminTool):
- self.log.info("Performing %s restore from %s backup" %
- (restore_type, self.backup_type))
-
-- if self.backup_host != constants.FQDN:
-+ if self.backup_host != FQDN:
- raise admintool.ScriptError(
- "Host name %s does not match backup name %s" %
-- (constants.FQDN, self.backup_host))
-+ (FQDN, self.backup_host))
-
- if self.backup_ipa_version != str(version.VERSION):
- self.log.warning(
diff --git a/debian/patches/ipaplatform-Move-remaining-user-group-constants-to-i.patch b/debian/patches/ipaplatform-Move-remaining-user-group-constants-to-i.patch
deleted file mode 100644
index 5335915..0000000
--- a/debian/patches/ipaplatform-Move-remaining-user-group-constants-to-i.patch
+++ /dev/null
@@ -1,298 +0,0 @@
-From 424d3cf28f92a624b9970701a341dfa26370f616 Mon Sep 17 00:00:00 2001
-From: Timo Aaltonen <tjaalton at debian.org>
-Date: Fri, 18 Mar 2016 12:22:33 +0200
-Subject: [PATCH] ipaplatform: Move remaining user/group constants to
- ipaplatform.constants.
-
-Use ipaplatform.constants in every corner instead of importing other bits or calling
-some platform specific things, and remove most of the remaining hardcoded uid's.
----
- install/oddjob/com.redhat.idm.trust-fetch-domains | 3 ++-
- ipaplatform/base/constants.py | 5 +++++
- ipaplatform/base/services.py | 12 -----------
- ipaplatform/redhat/services.py | 26 -----------------------
- ipaserver/install/bindinstance.py | 2 +-
- ipaserver/install/dns.py | 4 ++--
- ipaserver/install/dnskeysyncinstance.py | 9 ++++----
- ipaserver/install/dogtaginstance.py | 1 -
- ipaserver/install/httpinstance.py | 2 +-
- ipaserver/install/odsexporterinstance.py | 5 +++--
- ipaserver/install/opendnssecinstance.py | 15 +++++++------
- 11 files changed, 27 insertions(+), 57 deletions(-)
-
---- a/install/oddjob/com.redhat.idm.trust-fetch-domains
-+++ b/install/oddjob/com.redhat.idm.trust-fetch-domains
-@@ -8,6 +8,7 @@ from ipapython.dn import DN
- from ipalib.config import Env
- from ipalib.constants import DEFAULT_CONFIG
- from ipapython.ipautil import kinit_keytab
-+from ipaplatform.constants import constants
- import sys
- import os, pwd
-
-@@ -30,7 +31,7 @@ def retrieve_keytab(api, ccache_name, on
- raiseonerr=False)
- # Make sure SSSD is able to read the keytab
- try:
-- sssd = pwd.getpwnam('sssd')
-+ sssd = pwd.getpwnam(constants.SSSD_USER)
- os.chown(oneway_keytab_name, sssd[2], sssd[3])
- except KeyError as e:
- # If user 'sssd' does not exist, we don't need to chown from root to sssd
---- a/ipaplatform/base/constants.py
-+++ b/ipaplatform/base/constants.py
-@@ -12,12 +12,17 @@ class BaseConstantsNamespace(object):
- DS_GROUP = 'dirsrv'
- HTTPD_USER = "apache"
- IPA_DNS_PACKAGE_NAME = "freeipa-server-dns"
-+ KDCPROXY_USER = "kdcproxy"
- NAMED_USER = "named"
-+ NAMED_GROUP = "named"
- PKI_USER = 'pkiuser'
- PKI_GROUP = 'pkiuser'
- # ntpd init variable used for daemon options
- NTPD_OPTS_VAR = "OPTIONS"
- # quote used for daemon options
- NTPD_OPTS_QUOTE = "\""
-+ ODS_USER = "ods"
-+ ODS_GROUP = "ods"
- # nfsd init variable used to enable kerberized NFS
- SECURE_NFS_VAR = "SECURE_NFS"
-+ SSSD_USER = "sssd"
---- a/ipaplatform/base/services.py
-+++ b/ipaplatform/base/services.py
-@@ -181,18 +181,6 @@ class PlatformService(object):
- def get_config_dir(self, instance_name=""):
- return
-
-- def get_user_name(self, instance_name=""):
-- return
--
-- def get_group_name(self, instance_name=""):
-- return
--
-- def get_binary_path(self):
-- return
--
-- def get_package_name(self):
-- return
--
-
- class SystemdService(PlatformService):
- SYSTEMD_SRV_TARGET = "%s.target.wants"
---- a/ipaplatform/redhat/services.py
-+++ b/ipaplatform/redhat/services.py
-@@ -247,28 +247,6 @@ class RedHatCAService(RedHatService):
- self.wait_until_running()
-
-
--class RedHatNamedService(RedHatService):
-- def get_user_name(self):
-- return u'named'
--
-- def get_group_name(self):
-- return u'named'
--
-- def get_binary_path(self):
-- return paths.NAMED_PKCS11
--
-- def get_package_name(self):
-- return u"bind-pkcs11"
--
--
--class RedHatODSEnforcerdService(RedHatService):
-- def get_user_name(self):
-- return u'ods'
--
-- def get_group_name(self):
-- return u'ods'
--
--
- # Function that constructs proper Red Hat OS family-specific server classes for
- # services of specified name
-
-@@ -281,10 +259,6 @@ def redhat_service_class_factory(name):
- return RedHatSSHService(name)
- if name in ('pki-tomcatd', 'pki_tomcatd'):
- return RedHatCAService(name)
-- if name == 'named':
-- return RedHatNamedService(name)
-- if name in ('ods-enforcerd', 'ods_enforcerd'):
-- return RedHatODSEnforcerdService(name)
- return RedHatService(name)
-
-
---- a/ipaserver/install/bindinstance.py
-+++ b/ipaserver/install/bindinstance.py
-@@ -1262,4 +1262,4 @@ class BindInstance(service.Service):
- self.named_regular.start()
-
- installutils.remove_keytab(paths.NAMED_KEYTAB)
-- installutils.remove_ccache(run_as='named')
-+ installutils.remove_ccache(run_as=constants.NAMED_USER)
---- a/ipaserver/install/dns.py
-+++ b/ipaserver/install/dns.py
-@@ -231,8 +231,8 @@ def install_check(standalone, api, repli
- dnskeysyncd.stop()
- try:
- ipautil.run(cmd, env=environment,
-- runas=ods_enforcerd.get_user_name(),
-- suplementary_groups=[named.get_group_name()])
-+ runas=constants.ODS_USER,
-+ suplementary_groups=[constants.NAMED_GROUP])
- except CalledProcessError as e:
- root_logger.debug("%s", e)
- raise RuntimeError("This IPA server cannot be promoted to "
---- a/ipaserver/install/dnskeysyncinstance.py
-+++ b/ipaserver/install/dnskeysyncinstance.py
-@@ -22,6 +22,7 @@ from ipapython.dn import DN
- from ipapython import ipaldap
- from ipapython import sysrestore, ipautil
- from ipaplatform import services
-+from ipaplatform.constants import constants
- from ipaplatform.paths import paths
- from ipalib import errors, api
- from ipalib.constants import CACERT
-@@ -142,14 +143,14 @@ class DNSKeySyncInstance(service.Service
- def __get_named_uid(self):
- named = services.knownservices.named
- try:
-- return pwd.getpwnam(named.get_user_name()).pw_uid
-+ return pwd.getpwnam(constants.NAMED_USER).pw_uid
- except KeyError:
- raise RuntimeError("Named UID not found")
-
- def __get_named_gid(self):
- named = services.knownservices.named
- try:
-- return grp.getgrnam(named.get_group_name()).gr_gid
-+ return grp.getgrnam(constants.NAMED_GROUP).gr_gid
- except KeyError:
- raise RuntimeError("Named GID not found")
-
-@@ -160,12 +161,12 @@ class DNSKeySyncInstance(service.Service
- self.named_gid = self.__get_named_gid()
-
- try:
-- self.ods_uid = pwd.getpwnam(ods_enforcerd.get_user_name()).pw_uid
-+ self.ods_uid = pwd.getpwnam(constants.ODS_USER).pw_uid
- except KeyError:
- raise RuntimeError("OpenDNSSEC UID not found")
-
- try:
-- self.ods_gid = grp.getgrnam(ods_enforcerd.get_group_name()).gr_gid
-+ self.ods_gid = grp.getgrnam(constants.ODS_GROUP).gr_gid
- except KeyError:
- raise RuntimeError("OpenDNSSEC GID not found")
-
---- a/ipaserver/install/dogtaginstance.py
-+++ b/ipaserver/install/dogtaginstance.py
-@@ -45,7 +45,6 @@ from ipaserver.install import replicatio
- from ipaserver.install.installutils import stopped_service
- from ipapython.ipa_log_manager import log_mgr
-
--PKI_USER = constants.PKI_USER
- HTTPD_USER = constants.HTTPD_USER
-
-
---- a/ipaserver/install/httpinstance.py
-+++ b/ipaserver/install/httpinstance.py
-@@ -54,8 +54,8 @@ SELINUX_BOOLEAN_SETTINGS = dict(
- httpd_run_ipa='on',
- )
-
--KDCPROXY_USER = 'kdcproxy'
- HTTPD_USER = constants.HTTPD_USER
-+KDCPROXY_USER = constants.KDCPROXY_USER
-
- # See contrib/nsscipersuite/nssciphersuite.py
- NSS_CIPHER_SUITE = [
---- a/ipaserver/install/odsexporterinstance.py
-+++ b/ipaserver/install/odsexporterinstance.py
-@@ -13,6 +13,7 @@ from ipaserver.install import installuti
- from ipapython.ipa_log_manager import *
- from ipapython.dn import DN
- from ipapython import sysrestore, ipautil, ipaldap
-+from ipaplatform.constants import constants
- from ipaplatform.paths import paths
- from ipaplatform import services
- from ipalib import errors, api
-@@ -68,12 +69,12 @@ class ODSExporterInstance(service.Servic
- ods_enforcerd = services.knownservices.ods_enforcerd
-
- try:
-- self.ods_uid = pwd.getpwnam(ods_enforcerd.get_user_name()).pw_uid
-+ self.ods_uid = pwd.getpwnam(constants.ODS_USER).pw_uid
- except KeyError:
- raise RuntimeError("OpenDNSSEC UID not found")
-
- try:
-- self.ods_gid = grp.getgrnam(ods_enforcerd.get_group_name()).gr_gid
-+ self.ods_gid = grp.getgrnam(constants.ODS_GROUP).gr_gid
- except KeyError:
- raise RuntimeError("OpenDNSSEC GID not found")
-
---- a/ipaserver/install/opendnssecinstance.py
-+++ b/ipaserver/install/opendnssecinstance.py
-@@ -17,6 +17,7 @@ from ipapython.ipa_log_manager import *
- from ipapython.dn import DN
- from ipapython import sysrestore, ipautil, ipaldap, p11helper
- from ipaplatform import services
-+from ipaplatform.constants import constants
- from ipaplatform.paths import paths
- from ipalib import errors, api
- from ipaserver.install import dnskeysyncinstance
-@@ -127,22 +128,22 @@ class OpenDNSSECInstance(service.Service
- ods_enforcerd = services.knownservices.ods_enforcerd
-
- try:
-- self.named_uid = pwd.getpwnam(named.get_user_name()).pw_uid
-+ self.named_uid = pwd.getpwnam(constants.NAMED_USER).pw_uid
- except KeyError:
- raise RuntimeError("Named UID not found")
-
- try:
-- self.named_gid = grp.getgrnam(named.get_group_name()).gr_gid
-+ self.named_gid = grp.getgrnam(constants.NAMED_GROUP).gr_gid
- except KeyError:
- raise RuntimeError("Named GID not found")
-
- try:
-- self.ods_uid = pwd.getpwnam(ods_enforcerd.get_user_name()).pw_uid
-+ self.ods_uid = pwd.getpwnam(constants.ODS_USER).pw_uid
- except KeyError:
- raise RuntimeError("OpenDNSSEC UID not found")
-
- try:
-- self.ods_gid = grp.getgrnam(ods_enforcerd.get_group_name()).gr_gid
-+ self.ods_gid = grp.getgrnam(constants.ODS_GROUP).gr_gid
- except KeyError:
- raise RuntimeError("OpenDNSSEC GID not found")
-
-@@ -289,7 +290,7 @@ class OpenDNSSECInstance(service.Service
- ods_enforcerd = services.knownservices.ods_enforcerd
- cmd = [paths.ODS_KSMUTIL, 'zonelist', 'export']
- result = ipautil.run(cmd,
-- runas=ods_enforcerd.get_user_name(),
-+ runas=constants.ODS_USER,
- capture_output=True)
- with open(paths.OPENDNSSEC_ZONELIST_FILE, 'w') as zonelistf:
- zonelistf.write(result.output)
-@@ -305,7 +306,7 @@ class OpenDNSSECInstance(service.Service
- ]
-
- ods_enforcerd = services.knownservices.ods_enforcerd
-- ipautil.run(command, stdin="y", runas=ods_enforcerd.get_user_name())
-+ ipautil.run(command, stdin="y", runas=constants.ODS_USER)
-
- def __setup_dnskeysyncd(self):
- # set up dnskeysyncd this is DNSSEC master
-@@ -354,7 +355,7 @@ class OpenDNSSECInstance(service.Service
- cmd = [paths.IPA_ODS_EXPORTER, 'ipa-full-update']
- try:
- self.print_msg("Exporting DNSSEC data before uninstallation")
-- ipautil.run(cmd, runas=ods_enforcerd.get_user_name())
-+ ipautil.run(cmd, runas=constants.ODS_USER)
- except CalledProcessError:
- root_logger.error("DNSSEC data export failed")
-
diff --git a/debian/patches/series b/debian/patches/series
index fb3837d..6978469 100644
--- a/debian/patches/series
+++ b/debian/patches/series
@@ -9,12 +9,7 @@ add-debian-platform.diff
fix-ipa-conf.diff
fix-kdcproxy-paths.diff
fix-ipa-otpd-install.diff
-fix-custodia-conf.diff
fix-replicainstall.diff
-ipaplatform-Move-remaining-user-group-constants-to-i.patch
fix-dnssec-services.diff
-fix-opendnssec-conf-template.diff
create-sysconfig-ods.diff
-ipa_restore-Import-only-FQDN-from-ipalib.constants.patch
-Fix-kdc.conf.template-to-use-ipaplatform.paths.patch
fix-named-conf-template.diff
commit 43d5c02f8ccb69e07238ac988b849c3722af877c
Author: Petr Vobornik <pvoborni at redhat.com>
Date: Fri Mar 4 15:35:44 2016 +0100
Become IPA 4.3.1
diff --git a/VERSION b/VERSION
index 0588da1..92ecb6d 100644
--- a/VERSION
+++ b/VERSION
@@ -21,7 +21,7 @@
########################################################
IPA_VERSION_MAJOR=4
IPA_VERSION_MINOR=3
-IPA_VERSION_RELEASE=0
+IPA_VERSION_RELEASE=1
########################################################
# For 'alpha' releases the version will be #
commit 77e9d31c75f7514f076662ac4e3ffcf66915880f
Author: Martin Babinsky <mbabinsk at redhat.com>
Date: Tue Mar 8 15:56:52 2016 +0100
otptoken-add: improve the robustness of QR code printing
The python-qrcode print_ascii() method does not work in terminals with
non-UTF-8 encoding. When this is the case do not render QR code but print a
warning instead. Also print a warning when the QR code size is greater that
terminal width if the output is a tty.
https://fedorahosted.org/freeipa/ticket/5700
Reviewed-By: Jan Cholasta <jcholast at redhat.com>
diff --git a/ipalib/messages.py b/ipalib/messages.py
index 5d723b2..681fc2b 100644
--- a/ipalib/messages.py
+++ b/ipalib/messages.py
@@ -342,6 +342,14 @@ class BrokenTrust(PublicMessage):
"running 'ipa trust-add' again.")
+class ResultFormattingError(PublicMessage):
+ """
+ **13019** Unable to correctly format some part of the result
+ """
+ errno = 13019
+ type = "warning"
+
+
def iter_messages(variables, base):
"""Return a tuple with all subclasses
"""
diff --git a/ipalib/plugins/otptoken.py b/ipalib/plugins/otptoken.py
index 846155d..4474e8a 100644
--- a/ipalib/plugins/otptoken.py
+++ b/ipalib/plugins/otptoken.py
@@ -18,23 +18,28 @@
# along with this program. If not, see <http://www.gnu.org/licenses/>.
from __future__ import print_function
+import sys
from ipalib.plugins.baseldap import DN, LDAPObject, LDAPAddMember, LDAPRemoveMember
More information about the Pkg-freeipa-devel
mailing list