[Pkg-freeipa-devel] [Git][freeipa-team/freeipa][master] 4 commits: Move ipa-epn service to -client-epn package.
Timo Aaltonen
gitlab at salsa.debian.org
Mon Nov 23 18:41:30 GMT 2020
Timo Aaltonen pushed to branch master at FreeIPA packaging / freeipa
Commits:
165b649d by Timo Aaltonen at 2020-10-01T13:53:49+03:00
Move ipa-epn service to -client-epn package.
- - - - -
a629c503 by Timo Aaltonen at 2020-11-09T23:24:36+02:00
Revert-Specify-cert_paths-when-calling-PKIConnection
- - - - -
ee71d249 by Timo Aaltonen at 2020-11-23T20:38:27+02:00
control: Rebuild against new krb5.
- - - - -
545500e5 by Timo Aaltonen at 2020-11-23T20:39:25+02:00
releasing package freeipa version 4.8.10-2
- - - - -
7 changed files:
- debian/changelog
- debian/control
- debian/control.common
- debian/freeipa-client-epn.install
- debian/freeipa-server.install
- + debian/patches/0001-Revert-Specify-cert_paths-when-calling-PKIConnection.patch
- debian/patches/series
Changes:
=====================================
debian/changelog
=====================================
@@ -1,9 +1,11 @@
-freeipa (4.8.10-2) UNRELEASED; urgency=medium
+freeipa (4.8.10-2) unstable; urgency=medium
* client: Drop obsolete nssdb migration, which is now causing an
error. (Closes: #971363)
+ * Move ipa-epn service to -client-epn package.
+ * control: Rebuild against new krb5.
- -- Timo Aaltonen <tjaalton at debian.org> Tue, 29 Sep 2020 18:01:12 +0300
+ -- Timo Aaltonen <tjaalton at debian.org> Mon, 23 Nov 2020 20:38:40 +0200
freeipa (4.8.10-1) unstable; urgency=medium
=====================================
debian/control
=====================================
@@ -16,7 +16,7 @@ Build-Depends:
libcmocka-dev,
libini-config-dev,
libkrad-dev,
- libkrb5-dev (>= 1.16),
+ libkrb5-dev (>= 1.18),
libldap2-dev,
libnspr4-dev,
libpopt-dev,
@@ -121,6 +121,8 @@ Depends:
${misc:Depends},
${python3:Depends},
${shlibs:Depends}
+Breaks: freeipa-server (<< 4.8.10-2)
+Replaces: freeipa-server (<< 4.8.10-2)
Description: FreeIPA centralized identity framework -- tools for configuring Expiring Password Notification
FreeIPA is an integrated solution to provide centrally managed Identity
(machine, user, virtual machines, groups, authentication credentials), Policy
@@ -232,7 +234,7 @@ Depends:
freeipa-common (= ${source:Version}),
gssproxy (>= 0.8.2-2),
krb5-admin-server,
- krb5-kdc,
+ krb5-kdc (>= 1.18),
krb5-kdc-ldap,
krb5-otp,
krb5-pkinit,
=====================================
debian/control.common
=====================================
@@ -56,6 +56,8 @@ Depends:
${misc:Depends},
${python3:Depends},
${shlibs:Depends}
+Breaks: freeipa-server (<< 4.8.10-2)
+Replaces: freeipa-server (<< 4.8.10-2)
Description: FreeIPA centralized identity framework -- tools for configuring Expiring Password Notification
FreeIPA is an integrated solution to provide centrally managed Identity
(machine, user, virtual machines, groups, authentication credentials), Policy
=====================================
debian/freeipa-client-epn.install
=====================================
@@ -1,5 +1,7 @@
etc/ipa/epn.conf
etc/ipa/epn/expire_msg.template
+lib/systemd/system/ipa-epn.service
+lib/systemd/system/ipa-epn.timer
usr/sbin/ipa-epn
usr/share/man/man1/ipa-epn.1
usr/share/man/man5/epn.conf.5
=====================================
debian/freeipa-server.install
=====================================
@@ -4,7 +4,13 @@ etc/ipa/html/*
etc/ipa/kdcproxy
etc/dbus-1/system.d/org.freeipa.server.conf
etc/oddjobd.conf.d/ipa-server.conf
-lib/systemd/system/*
+lib/systemd/system/ipa-custodia.service
+lib/systemd/system/ipa-dnskeysyncd.service
+lib/systemd/system/ipa-ods-exporter.service
+lib/systemd/system/ipa-ods-exporter.socket
+lib/systemd/system/ipa-otpd.socket
+lib/systemd/system/ipa-otpd at .service
+lib/systemd/system/ipa.service
usr/lib/*/dirsrv/plugins/libipa_cldap.so
usr/lib/*/dirsrv/plugins/libipa_dns.so
usr/lib/*/dirsrv/plugins/libipa_enrollment_extop.so
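Review bot: Replacing `lib/systemd/system/*` with an explicit list means a unit that upstream adds later is left out of freeipa-server without any error, unless the build fails on uninstalled files, which this hunk does not show. It is worth confirming that debian/rules runs `dh_missing --fail-missing` (the default from debhelper compat 13) so a missed unit such as a new socket or service breaks the build instead of the installed server. The archive shows the template unit as `ipa-otpd at .service`; that is most likely the list software's rewriting of `@`, so the entry to compare against is `ipa-otpd@.service`.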
=====================================
debian/patches/0001-Revert-Specify-cert_paths-when-calling-PKIConnection.patch
=====================================
@@ -0,0 +1,103 @@
+From fdd874fe39fcd2b300bc5f6623c36d2e03737d1f Mon Sep 17 00:00:00 2001
+From: Timo Aaltonen <tjaalton at debian.org>
+Date: Mon, 9 Nov 2020 20:50:48 +0200
+Subject: [PATCH] Revert "Specify cert_paths when calling PKIConnection"
+
+This reverts commit 9ded9e2573a00c388533f2a09365c499a4e2961e.
+---
+ freeipa.spec.in | 6 +++---
+ install/tools/ipa-pki-wait-running.in | 3 +--
+ ipaserver/install/cainstance.py | 7 -------
+ ipaserver/install/dogtaginstance.py | 3 +--
+ ipaserver/plugins/dogtag.py | 11 ++++++-----
+ 5 files changed, 11 insertions(+), 19 deletions(-)
+
+diff --git a/freeipa.spec.in b/freeipa.spec.in
+index 8e6736b60..793eda6cb 100755
+--- a/freeipa.spec.in
++++ b/freeipa.spec.in
+@@ -107,9 +107,9 @@
+ # Fedora
+ %endif
+
+-# PKIConnection has been modified to always validate certs.
+-# https://pagure.io/freeipa/issue/8379
+-%global pki_version 10.9.0-0.4
++# 10.7.3 supports LWCA key replication using AES
++# https://pagure.io/freeipa/issue/8020
++%global pki_version 10.7.3-1
+
+ # https://pagure.io/certmonger/issue/90
+ %global certmonger_version 0.79.7-1
+diff --git a/install/tools/ipa-pki-wait-running.in b/install/tools/ipa-pki-wait-running.in
+index 4f0f2f34a..69f5ec296 100644
+--- a/install/tools/ipa-pki-wait-running.in
++++ b/install/tools/ipa-pki-wait-running.in
+@@ -59,8 +59,7 @@ def get_conn(hostname, subsystem):
+ """
+ conn = PKIConnection(
+ hostname=hostname,
+- subsystem=subsystem,
+- cert_paths=paths.IPA_CA_CRT
++ subsystem=subsystem
+ )
+ logger.info(
+ "Created connection %s://%s:%s/%s",
+diff --git a/ipaserver/install/cainstance.py b/ipaserver/install/cainstance.py
+index 9294f1dba..706bc28cc 100644
+--- a/ipaserver/install/cainstance.py
++++ b/ipaserver/install/cainstance.py
+@@ -509,13 +509,6 @@ class CAInstance(DogtagInstance):
+ else:
+ pki_pin = None
+
+- # When spawning a CA instance, always point to IPA_CA_CRT if it
+- # exists. Later, when we're performing step 2 of an external CA
+- # installation, we'll overwrite this key to point to the real
+- # external CA.
+- if os.path.exists(paths.IPA_CA_CRT):
+- cfg['pki_cert_chain_path'] = paths.IPA_CA_CRT
+-
+ if self.clone:
+ if self.no_db_setup:
+ cfg.update(
+diff --git a/ipaserver/install/dogtaginstance.py b/ipaserver/install/dogtaginstance.py
+index 03fdd7c0b..99ac0f23f 100644
+--- a/ipaserver/install/dogtaginstance.py
++++ b/ipaserver/install/dogtaginstance.py
+@@ -70,8 +70,7 @@ def get_security_domain():
+ connection = PKIConnection(
+ protocol='https',
+ hostname=api.env.ca_host,
+- port='8443',
+- cert_paths=paths.IPA_CA_CRT
++ port='8443'
+ )
+ domain_client = pki.system.SecurityDomainClient(connection)
+ info = domain_client.get_security_domain_info()
+diff --git a/ipaserver/plugins/dogtag.py b/ipaserver/plugins/dogtag.py
+index b300f6b18..4de26d76f 100644
+--- a/ipaserver/plugins/dogtag.py
++++ b/ipaserver/plugins/dogtag.py
+@@ -2082,12 +2082,13 @@ class kra(Backend):
+ 'https',
+ self.kra_host,
+ str(self.kra_port),
+- 'kra',
+- cert_paths=paths.IPA_CA_CRT
+- )
++ 'kra')
+
+- connection.set_authentication_cert(paths.RA_AGENT_PEM,
+- paths.RA_AGENT_KEY)
++ connection.session.cert = (paths.RA_AGENT_PEM, paths.RA_AGENT_KEY)
++ # uncomment the following when this commit makes it to release
++ # https://git.fedorahosted.org/cgit/pki.git/commit/?id=71ae20c
++ # connection.set_authentication_cert(paths.RA_AGENT_PEM,
++ # paths.RA_AGENT_KEY)
+
+ try:
+ yield KRAClient(connection, crypto)
+--
+2.27.0
+
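Review bot: Dropping `cert_paths=paths.IPA_CA_CRT` from the three `PKIConnection` call sites (`get_conn`, `get_security_domain` and the `kra` backend) leaves server-certificate checking to the defaults of whichever pki client is installed. The removed spec comment ties always-validating behaviour to pki 10.9.0, so with an older client these connections may not be verified against the IPA CA. That matters most in the `kra` hunk, where the RA agent certificate and key are attached to the session. If the older client honours the requests session setting (to be confirmed against the packaged pki), `connection.session.verify = paths.IPA_CA_CRT` would keep the CA pin without `cert_paths`. The patch header gives only the reverted commit id; it should also say why Debian needs the revert and when it can be dropped, for example in DEP-3 `Description:` and `Forwarded: not-needed` fields. The enclosing Python functions start and end outside the inner hunks.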
=====================================
debian/patches/series
=====================================
@@ -1,4 +1,5 @@
# upstreamed
+0001-Revert-Specify-cert_paths-when-calling-PKIConnection.patch
pkcs11-openssl-for-bind.diff
# not upstreamable
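Review bot: The new entry sits under the `# upstreamed` heading although the patch reverts an upstream commit rather than carrying one, so the heading tells the next maintainer the wrong thing about when it can be removed. Listing it under its own comment, for example `# revert of upstream change, drop once the packaged pki supports cert_paths`, would make the removal condition visible. That condition is inferred from the patch contents and should be confirmed before it is written down.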
View it on GitLab: https://salsa.debian.org/freeipa-team/freeipa/-/compare/aac67a17a739ef9fb4739cbc30fa49586f619e68...545500e5e7acd27b4ebab2ce8222b0bce1dd5d5b