
  1. # 389-ds-base 1.4 no longer supports i686 platform, build only client
  2. # packages, https://bugzilla.redhat.com/show_bug.cgi?id=1544386
  3. %if 0%{?fedora} >= 28 || 0%{?rhel} > 7
  4. %ifarch %{ix86}
  5. %{!?ONLY_CLIENT:%global ONLY_CLIENT 1}
  6. %endif
  7. %endif
  8. # Define ONLY_CLIENT to only make the ipa-client and ipa-python
  9. # subpackages
  10. %{!?ONLY_CLIENT:%global ONLY_CLIENT 0}
  11. %if %{ONLY_CLIENT}
  12. %global enable_server_option --disable-server
  13. %else
  14. %global enable_server_option --enable-server
  15. %endif
  16. # Build ipatests
  17. %if 0%{?rhel}
  18. %global with_ipatests 0
  19. %endif
  20. %if ! %{ONLY_CLIENT}
  21. %{!?with_ipatests:%global with_ipatests 1}
  22. %endif
  23. %if 0%{?with_ipatests}
  24. %global with_ipatests_option --with-ipatests
  25. %else
  26. %global with_ipatests_option --without-ipatests
  27. %endif
  28. # lint is not executed during rpmbuild
  29. # %%global with_lint 1
  30. %if 0%{?with_lint}
  31. %global linter_options --enable-pylint --with-jslint
  32. %else
  33. %global linter_options --disable-pylint --without-jslint
  34. %endif
  35. # Include SELinux subpackage
  36. %if 0%{?fedora} >= 30 || 0%{?rhel} > 8
  37. %global with_selinux 1
  38. %global selinuxtype targeted
  39. %global modulename ipa
  40. %endif
  # Per-distribution minimum versions of the packages IPA depends on. The macros
  # set here are consumed by the BuildRequires and Requires lines further down.
  41. %if 0%{?rhel}
  42. %global package_name ipa
  43. %global alt_name freeipa
  # NOTE(review): this branch sets the krb5 minimum to 1.16.1 with no release,
  # while the Fedora branch below requires 1.16.1-24 for the CVE-2018-20217 fix.
  # Confirm that any RHEL krb5 build satisfying this minimum carries that fix.
  44. %global krb5_version 1.16.1
  45. %global krb5_kdb_version 7.0
  46. # 0.7.16: https://github.com/drkjam/netaddr/issues/71
  47. %global python_netaddr_version 0.7.16
  48. # Require 4.7.0 which brings Python 3 bindings
  49. %global samba_version 4.7.0
  50. %global selinux_policy_version 3.14.3-21
  51. %global slapi_nis_version 0.56.1-4
  52. %global python_ldap_version 3.1.0-1
  53. # python3-lib389
  54. # Fix for "Installation fails: Replica Busy"
  55. # https://pagure.io/389-ds-base/issue/49818
  56. %global ds_version 1.4.0.16
  # PHA is TLS 1.3 post-handshake client authentication; the minimum below is
  # the httpd build that the referenced bug names as fixed.
  57. # Fix for TLS 1.3 PHA, RHBZ#1775158
  58. %global httpd_version 2.4.37-21
  59. %else
  60. # Fedora
  61. %global package_name freeipa
  62. %global alt_name ipa
  63. # Fix for CVE-2018-20217
  64. %global krb5_version 1.16.1-24
  65. # 0.7.16: https://github.com/drkjam/netaddr/issues/71
  66. %global python_netaddr_version 0.7.16
  67. # Require 4.7.0 which brings Python 3 bindings
  # The Fedora value carries an epoch (2:); the RHEL value above does not.
  68. %global samba_version 2:4.7.0
  69. # SELinux context for /etc/named directory, RHBZ#1759495
  70. %global selinux_policy_version 3.14.3-52
  71. %global slapi_nis_version 0.56.1
  72. # krb5 can only provide one KDB at a time
  73. %if 0%{?fedora} >= 32
  74. %global krb5_kdb_version 8.0
  75. %else
  76. %global krb5_kdb_version 7.0
  77. %endif
  78. # fix for segfault in python3-ldap, https://pagure.io/freeipa/issue/7324
  79. %global python_ldap_version 3.1.0-1
  80. # Fix for create suffix
  81. # https://pagure.io/389-ds-base/issue/49984
  82. %if 0%{?fedora} >= 30
  83. %global ds_version 1.4.1.1
  84. %else
  85. %global ds_version 1.4.0.21
  86. %endif
  87. # Fix for TLS 1.3 PHA, RHBZ#1775146
  88. %if 0%{?fedora} >= 31
  89. %global httpd_version 2.4.41-9
  90. %else
  91. %global httpd_version 2.4.41-6.1
  92. %endif
  93. # Don't use Fedora's Python dependency generator on Fedora 30/rawhide yet.
  94. # Some packages don't provide new dist aliases.
  95. # https://docs.fedoraproject.org/en-US/packaging-guidelines/Python/
  96. %{?python_disable_dependency_generator}
  97. # Fedora
  98. %endif
  99. # 10.7.3 supports LWCA key replication using AES
  100. # https://pagure.io/freeipa/issue/8020
  101. %global pki_version 10.7.3-1
  102. # https://pagure.io/certmonger/issue/90
  103. %global certmonger_version 0.79.7-1
  104. # NSS release with fix for p11-kit-proxy issue, affects F28
  105. # https://pagure.io/freeipa/issue/7810
  106. %if 0%{?fedora} == 28
  107. %global nss_version 3.41.0-3
  108. %else
  109. %global nss_version 3.41.0-1
  110. %endif
  111. # One-Way Trust authenticated by trust secret
  112. # https://bugzilla.redhat.com/show_bug.cgi?id=1345975#c20
  113. %global sssd_version 1.16.3-2
  # MAJOR.MINOR of the krb5-devel package installed on the host that parses this
  # spec: the shell command runs when the macro is expanded and keeps the first
  # two dot-separated components of the version. The server subpackage uses it
  # to pin krb5-server to the same release series.
  # NOTE(review): if krb5-devel is not installed, grep finds no dotted version
  # and the macro is presumably empty, which would leave that krb5-server range
  # malformed - confirm how builds without krb5-devel present handle this.
  114. %define krb5_base_version %(LC_ALL=C rpm -q --qf '%%{VERSION}' krb5-devel | grep -Eo '^[^.]+\.[^.]+')
  # Install locations reused by the packaging steps later in the spec.
  115. %global plugin_dir %{_libdir}/dirsrv/plugins
  116. %global etc_systemd_dir %{_sysconfdir}/systemd/system
  117. %global gettext_domain ipa
  # Requests the distribution's hardened compiler and linker flags for everything
  # built here (on Fedora and RHEL this is expected to mean PIE executables and
  # full RELRO).
  118. %define _hardened_build 1
  119. # Work-around fact that RPM SPEC parser does not accept
  120. # "Version: @VERSION@" in freeipa.spec.in used for Autoconf string replacement
  121. %define IPA_VERSION @VERSION@
  122. %define AT_SIGN @
  123. # redefine IPA_VERSION only if its value matches the Autoconf placeholder
  124. %if "%{IPA_VERSION}" == "%{AT_SIGN}VERSION%{AT_SIGN}"
  125. %define IPA_VERSION nonsense.to.please.RPM.SPEC.parser
  126. %endif
  # Main package preamble. Name and Version come from the package_name and
  # IPA_VERSION macros defined above.
  127. Name: %{package_name}
  128. Version: %{IPA_VERSION}
  129. Release: 0%{?dist}
  130. Summary: The Identity, Policy and Audit system
  131. Group: System Environment/Base
  132. License: GPLv3+
  # NOTE(review): the project URL is plain http; an https URL would be
  # preferable if the site serves one.
  133. URL: http://www.freeipa.org/
  134. Source0: freeipa-%{version}.tar.gz
  # The build root path ends with the output of an id invocation with -n,
  # presumably the invoking user's name, so builds by different users do not
  # share a directory - confirm against the local definition of the id macro.
  135. BuildRoot: %{_tmppath}/%{name}-%{version}-%{release}-root-%(%{__id_u} -n)
  136. BuildRequires: openldap-devel
  137. # For KDB DAL version, make explicit dependency so that increase of version
  138. # will cause the build to fail due to unsatisfied dependencies.
  139. # DAL version change may cause code crash or memory leaks, it is better to fail early.
  140. BuildRequires: krb5-kdb-version = %{krb5_kdb_version}
  141. BuildRequires: krb5-devel >= %{krb5_version}
  142. # 1.27.4: xmlrpc_curl_xportparms.gssapi_delegation
  143. BuildRequires: xmlrpc-c-devel >= 1.27.4
  144. BuildRequires: popt-devel
  145. BuildRequires: gcc
  146. BuildRequires: make
  147. BuildRequires: pkgconfig
  148. BuildRequires: autoconf
  149. BuildRequires: automake
  150. BuildRequires: libtool
  151. BuildRequires: gettext
  152. BuildRequires: gettext-devel
  153. BuildRequires: python3-devel
  154. BuildRequires: python3-setuptools
  155. BuildRequires: systemd
  156. # systemd-tmpfiles which is executed from make install requires apache user
  157. BuildRequires: httpd
  158. BuildRequires: nspr-devel
  159. BuildRequires: nss-devel >= %{nss_version}
  160. BuildRequires: openssl-devel
  161. BuildRequires: libini_config-devel
  162. BuildRequires: cyrus-sasl-devel
  163. %if ! %{ONLY_CLIENT}
  164. BuildRequires: 389-ds-base-devel >= %{ds_version}
  165. BuildRequires: samba-devel >= %{samba_version}
  166. BuildRequires: libtalloc-devel
  167. BuildRequires: libtevent-devel
  168. BuildRequires: libuuid-devel
  169. BuildRequires: libsss_idmap-devel
  170. BuildRequires: libsss_certmap-devel
  171. BuildRequires: libsss_nss_idmap-devel >= %{sssd_version}
  172. BuildRequires: nodejs(abi)
  173. BuildRequires: uglify-js
  174. BuildRequires: libverto-devel
  175. BuildRequires: libunistring-devel
  176. # 0.13.0: https://bugzilla.redhat.com/show_bug.cgi?id=1584773
  177. # 0.13.0-2: fix for missing dependency on python-six
  178. BuildRequires: python3-lesscpy >= 0.13.0-2
  179. # ONLY_CLIENT
  180. %endif
  181. #
  182. # Build dependencies for makeapi/makeaci
  183. #
  184. BuildRequires: python3-cffi
  185. BuildRequires: python3-dns
  186. BuildRequires: python3-ldap >= %{python_ldap_version}
  187. BuildRequires: python3-libsss_nss_idmap
  188. BuildRequires: python3-netaddr >= %{python_netaddr_version}
  189. BuildRequires: python3-pyasn1
  190. BuildRequires: python3-pyasn1-modules
  191. BuildRequires: python3-six
  192. #
  193. # Build dependencies for wheel packaging and PyPI upload
  194. #
  # Only pulled in when with_wheels is defined; nothing in the visible part of
  # the spec sets it.
  195. %if 0%{?with_wheels}
  196. BuildRequires: dbus-glib-devel
  197. BuildRequires: libffi-devel
  198. BuildRequires: python3-tox
  # NOTE(review): when the fedora macro is undefined the left side evaluates to
  # 0, so the python3-twine branch is also taken on non-Fedora builds - confirm
  # that is intended.
  199. %if 0%{?fedora} <= 28
  200. BuildRequires: python3-twine
  201. %else
  202. BuildRequires: twine
  203. %endif
  204. BuildRequires: python3-wheel
  205. # with_wheels
  206. %endif
  207. #
  208. # Build dependencies for lint and fastcheck
  209. #
  210. %if 0%{?with_lint}
  211. BuildRequires: jsl
  212. BuildRequires: rpmlint
  213. BuildRequires: softhsm
  214. BuildRequires: python3-augeas
  215. BuildRequires: python3-cffi
  216. BuildRequires: python3-cryptography >= 1.6
  217. BuildRequires: python3-custodia >= 0.3.1
  218. BuildRequires: python3-dateutil
  219. BuildRequires: python3-dbus
  220. BuildRequires: python3-dns >= 1.15
  221. BuildRequires: python3-docker
  222. BuildRequires: python3-gssapi >= 1.2.0
  223. BuildRequires: python3-jinja2
  224. BuildRequires: python3-jwcrypto >= 0.4.2
  225. BuildRequires: python3-ldap >= %{python_ldap_version}
  226. BuildRequires: python3-ldap >= %{python_ldap_version}
  227. BuildRequires: python3-lib389 >= %{ds_version}
  228. BuildRequires: python3-libipa_hbac
  229. BuildRequires: python3-libsss_nss_idmap
  230. BuildRequires: python3-lxml
  231. BuildRequires: python3-netaddr >= %{python_netaddr_version}
  232. BuildRequires: python3-netifaces
  233. BuildRequires: python3-paste
  234. BuildRequires: python3-pki >= %{pki_version}
  235. BuildRequires: python3-polib
  236. BuildRequires: python3-pyasn1
  237. BuildRequires: python3-pyasn1-modules
  238. BuildRequires: python3-pycodestyle
  239. %if 0%{?fedora} >= 29
  240. # https://bugzilla.redhat.com/show_bug.cgi?id=1648299
  241. BuildRequires: python3-pylint >= 2.1.1-2
  242. %else
  243. BuildRequires: python3-pylint >= 1.7
  244. %endif
  245. BuildRequires: python3-pytest-multihost
  246. BuildRequires: python3-pytest-sourceorder
  247. BuildRequires: python3-qrcode-core >= 5.0.0
  248. BuildRequires: python3-samba
  249. BuildRequires: python3-six
  250. BuildRequires: python3-sss
  251. BuildRequires: python3-sss-murmur
  252. BuildRequires: python3-sssdconfig >= %{sssd_version}
  253. BuildRequires: python3-systemd
  254. BuildRequires: python3-yubico
  255. # with_lint
  256. %endif
  257. #
  258. # Build dependencies for unit tests
  259. #
  260. %if ! %{ONLY_CLIENT}
  261. BuildRequires: libcmocka-devel
  262. # Required by ipa_kdb_tests
  263. BuildRequires: krb5-server >= %{krb5_version}
  264. # ONLY_CLIENT
  265. %endif
  266. #
  267. # Build dependencies for SELinux policy
  268. #
  269. %if 0%{?with_selinux}
  270. BuildRequires: selinux-policy-devel
  271. %endif
  272. %description
  273. IPA is an integrated solution to provide centrally managed Identity (users,
  274. hosts, services), Authentication (SSO, 2FA), and Authorization
  275. (host access control, SELinux user roles, services). The solution provides
  276. features for further integration with Linux based clients (SUDO, automount)
  277. and integration with Active Directory based infrastructures (Trusts).
  278. %if ! %{ONLY_CLIENT}
  279. %package server
  # Server subpackage: pulls in the directory server, KDC, web server and CA
  # components at or above the minimum versions set near the top of the spec.
  280. Summary: The IPA authentication server
  281. Group: System Environment/Base
  282. Requires: %{name}-server-common = %{version}-%{release}
  283. Requires: %{name}-client = %{version}-%{release}
  284. Requires: %{name}-common = %{version}-%{release}
  285. Requires: python3-ipaserver = %{version}-%{release}
  286. Requires: python3-ldap >= %{python_ldap_version}
  287. Requires: 389-ds-base >= %{ds_version}
  288. Requires: openldap-clients > 2.4.35-4
  289. Requires: nss >= %{nss_version}
  290. Requires: nss-tools >= %{nss_version}
  # krb5-server is required twice: once at the distribution minimum, and once
  # bounded to the MAJOR.MINOR series of the krb5-devel seen when the spec was
  # parsed (krb5_base_version), so the installed KDC stays in the release series
  # this package was built against.
  291. Requires(post): krb5-server >= %{krb5_version}
  292. Requires(post): krb5-server >= %{krb5_base_version}, krb5-server < %{krb5_base_version}.100
  293. Requires: krb5-pkinit-openssl >= %{krb5_version}
  294. Requires: cyrus-sasl-gssapi%{?_isa}
  295. Requires: chrony
  296. Requires: httpd >= %{httpd_version}
  297. Requires(preun): python3
  298. Requires(postun): python3
  299. Requires: python3-gssapi >= 1.2.0-5
  300. Requires: python3-systemd
  301. Requires: python3-mod_wsgi
  302. Requires: mod_auth_gssapi >= 1.5.0
  # mod_ssl and mod_session are tied to the same minimum as httpd itself, which
  # the version macros above set for the TLS 1.3 PHA fix.
  303. Requires: mod_ssl >= %{httpd_version}
  304. Requires: mod_session >= %{httpd_version}
  305. # 0.9.9: https://github.com/adelton/mod_lookup_identity/pull/3
  306. Requires: mod_lookup_identity >= 0.9.9
  307. Requires: acl
  308. Requires: systemd-units >= 38
  309. Requires(pre): shadow-utils
  310. Requires(pre): systemd-units
  311. Requires(post): systemd-units
  312. Requires: selinux-policy >= %{selinux_policy_version}
  313. Requires(post): selinux-policy-base >= %{selinux_policy_version}
  314. Requires: slapi-nis >= %{slapi_nis_version}
  315. Requires: pki-ca >= %{pki_version}
  316. Requires: pki-kra >= %{pki_version}
  317. Requires(preun): systemd-units
  318. Requires(postun): systemd-units
  319. Requires: policycoreutils >= 2.1.12-5
  320. Requires: tar
  # These two must already be installed when this package's pre scriptlet runs.
  321. Requires(pre): certmonger >= %{certmonger_version}
  322. Requires(pre): 389-ds-base >= %{ds_version}
  323. Requires: fontawesome-fonts
  324. Requires: open-sans-fonts
  325. Requires: openssl
  326. Requires: softhsm >= 2.0.0rc1-1
  327. Requires: p11-kit
  328. Requires: %{etc_systemd_dir}
  329. Requires: gzip
  330. Requires: oddjob
  331. # 0.7.0-2: https://pagure.io/gssproxy/pull-request/172
  332. Requires: gssproxy >= 0.7.0-2
  333. Requires: sssd-dbus >= %{sssd_version}
  # Provides, Conflicts and Obsoletes on the alternate name keep the ipa- and
  # freeipa- flavours of this package from being installed side by side.
  334. Provides: %{alt_name}-server = %{version}
  335. Conflicts: %{alt_name}-server
  336. Obsoletes: %{alt_name}-server < %{version}
  337. # With FreeIPA 3.3, package freeipa-server-selinux was obsoleted as the
  338. # entire SELinux policy is stored in the system policy
  339. Obsoletes: freeipa-server-selinux < 3.3.0
  340. # upgrade path from monolithic -server to -server + -server-dns
  341. Obsoletes: %{name}-server <= 4.2.0
  342. # Versions of nss-pam-ldapd < 0.8.4 require a mapping from uniqueMember to
  343. # member.
  344. Conflicts: nss-pam-ldapd < 0.8.4
  345. %description server
  346. IPA is an integrated solution to provide centrally managed Identity (users,
  347. hosts, services), Authentication (SSO, 2FA), and Authorization
  348. (host access control, SELinux user roles, services). The solution provides
  349. features for further integration with Linux based clients (SUDO, automount)
  350. and integration with Active Directory based infrastructures (Trusts).
  351. If you are installing an IPA server, you need to install this package.
  352. %package -n python3-ipaserver
  353. Summary: Python libraries used by IPA server
  354. Group: System Environment/Libraries
  355. BuildArch: noarch
  356. %{?python_provide:%python_provide python3-ipaserver}
  357. Requires: %{name}-server-common = %{version}-%{release}
  358. Requires: %{name}-common = %{version}-%{release}
  359. # we need pre-requires since earlier versions may break upgrade
  360. Requires(pre): python3-ldap >= %{python_ldap_version}
  361. Requires: python3-augeas
  362. Requires: python3-custodia >= 0.3.1
  363. Requires: python3-dbus
  364. Requires: python3-dns >= 1.15
  365. Requires: python3-gssapi >= 1.2.0
  366. Requires: python3-ipaclient = %{version}-%{release}
  367. Requires: python3-kdcproxy >= 0.3
  368. Requires: python3-lxml
  369. Requires: python3-pki >= %{pki_version}
  370. Requires: python3-pyasn1 >= 0.3.2-2
  371. Requires: python3-sssdconfig >= %{sssd_version}
  372. Requires: rpm-libs
  373. # Indirect dependency: use newer urllib3 with TLS 1.3 PHA support
  374. %if 0%{?rhel}
  375. Requires: python3-urllib3 >= 1.24.2-3
  376. %else
  377. Requires: python3-urllib3 >= 1.25.7
  378. %endif
  379. %description -n python3-ipaserver
  380. IPA is an integrated solution to provide centrally managed Identity (users,
  381. hosts, services), Authentication (SSO, 2FA), and Authorization
  382. (host access control, SELinux user roles, services). The solution provides
  383. features for further integration with Linux based clients (SUDO, automount)
  384. and integration with Active Directory based infrastructures (Trusts).
  385. If you are installing an IPA server, you need to install this package.
  386. %package server-common
  387. Summary: Common files used by IPA server
  388. Group: System Environment/Base
  389. BuildArch: noarch
  390. Requires: %{name}-client-common = %{version}-%{release}
  391. Requires: httpd >= %{httpd_version}
  392. Requires: systemd-units >= 38
  393. Provides: %{alt_name}-server-common = %{version}
  394. Conflicts: %{alt_name}-server-common
  395. Obsoletes: %{alt_name}-server-common < %{version}
  396. %description server-common
  397. IPA is an integrated solution to provide centrally managed Identity (users,
  398. hosts, services), Authentication (SSO, 2FA), and Authorization
  399. (host access control, SELinux user roles, services). The solution provides
  400. features for further integration with Linux based clients (SUDO, automount)
  401. and integration with Active Directory based infrastructures (Trusts).
  402. If you are installing an IPA server, you need to install this package.
  403. %package server-dns
  404. Summary: IPA integrated DNS server with support for automatic DNSSEC signing
  405. Group: System Environment/Base
  406. BuildArch: noarch
  407. Requires: %{name}-server = %{version}-%{release}
  408. Requires: bind-dyndb-ldap >= 11.0-2
  409. Requires: bind >= 9.11.0-6.P2
  410. Requires: bind-utils >= 9.11.0-6.P2
  411. Requires: bind-pkcs11 >= 9.11.0-6.P2
  412. Requires: bind-pkcs11-utils >= 9.11.0-6.P2
  413. Requires: opendnssec >= 1.4.6-4
  414. %{?systemd_requires}
  415. Provides: %{alt_name}-server-dns = %{version}
  416. Conflicts: %{alt_name}-server-dns
  417. Obsoletes: %{alt_name}-server-dns < %{version}
  418. # upgrade path from monolithic -server to -server + -server-dns
  419. Obsoletes: %{name}-server <= 4.2.0
  420. %description server-dns
  421. IPA integrated DNS server with support for automatic DNSSEC signing.
  422. Integrated DNS server is BIND 9. OpenDNSSEC provides key management.
  423. %package server-trust-ad
  424. Summary: Virtual package to install packages required for Active Directory trusts
  425. Group: System Environment/Base
  426. Requires: %{name}-server = %{version}-%{release}
  427. Requires: %{name}-common = %{version}-%{release}
  428. Requires: samba >= %{samba_version}
  429. Requires: samba-winbind
  430. Requires: libsss_idmap
  431. Requires(post): python3
  432. Requires: python3-samba
  433. Requires: python3-libsss_nss_idmap
  434. Requires: python3-sss
  435. # We use alternatives to divert winbind_krb5_locator.so plugin to libkrb5
  436. # on the installs where server-trust-ad subpackage is installed because
  437. # IPA AD trusts cannot be used at the same time with the locator plugin
  438. # since Winbindd will be configured in a different mode
  439. Requires(post): %{_sbindir}/update-alternatives
  440. Requires(postun): %{_sbindir}/update-alternatives
  441. Requires(preun): %{_sbindir}/update-alternatives
  442. Provides: %{alt_name}-server-trust-ad = %{version}
  443. Conflicts: %{alt_name}-server-trust-ad
  444. Obsoletes: %{alt_name}-server-trust-ad < %{version}
  445. %description server-trust-ad
  446. Cross-realm trusts with Active Directory in IPA require working Samba 4
  447. installation. This package is provided for convenience to install all required
  448. dependencies at once.
  449. # ONLY_CLIENT
  450. %endif
  451. %package client
  452. Summary: IPA authentication for use on clients
  453. Group: System Environment/Base
  454. Requires: %{name}-client-common = %{version}-%{release}
  455. Requires: %{name}-common = %{version}-%{release}
  456. Requires: python3-gssapi >= 1.2.0-5
  457. Requires: python3-ipaclient = %{version}-%{release}
  458. Requires: python3-ldap >= %{python_ldap_version}
  459. Requires: python3-sssdconfig >= %{sssd_version}
  460. Requires: cyrus-sasl-gssapi%{?_isa}
  461. Requires: chrony
  462. Requires: krb5-workstation >= %{krb5_version}
  463. Requires: authselect >= 0.4-2
  464. Requires: curl
  465. # NIS domain name config: /usr/lib/systemd/system/*-domainname.service
  466. %if 0%{?fedora} >= 29
  467. Requires: hostname
  468. %else
  469. Requires: initscripts
  470. %endif
  471. Requires: libcurl >= 7.21.7-2
  472. Requires: xmlrpc-c >= 1.27.4
  473. Requires: sssd-ipa >= %{sssd_version}
  474. Requires: certmonger >= %{certmonger_version}
  475. Requires: nss-tools >= %{nss_version}
  476. Requires: bind-utils
  477. Requires: oddjob-mkhomedir
  478. Requires: libsss_autofs
  479. Requires: autofs
  480. Requires: libnfsidmap
  481. Requires: nfs-utils
  482. Requires: sssd-tools >= %{sssd_version}
  483. Requires(post): policycoreutils
  484. Provides: %{alt_name}-client = %{version}
  485. Conflicts: %{alt_name}-client
  486. Obsoletes: %{alt_name}-client < %{version}
  487. Provides: %{alt_name}-admintools = %{version}
  488. Conflicts: %{alt_name}-admintools
  489. Obsoletes: %{alt_name}-admintools < 4.4.1
  490. Obsoletes: %{name}-admintools < 4.4.1
  491. Provides: %{name}-admintools = %{version}-%{release}
  492. %description client
  493. IPA is an integrated solution to provide centrally managed Identity (users,
  494. hosts, services), Authentication (SSO, 2FA), and Authorization
  495. (host access control, SELinux user roles, services). The solution provides
  496. features for further integration with Linux based clients (SUDO, automount)
  497. and integration with Active Directory based infrastructures (Trusts).
  498. If your network uses IPA for authentication, this package should be
  499. installed on every client machine.
  500. This package provides command-line tools for IPA administrators.
  501. %package client-samba
  502. Summary: Tools to configure Samba on IPA client
  503. Group: System Environment/Base
  504. Requires: %{name}-client = %{version}-%{release}
  505. Requires: python3-samba
  506. Requires: samba-client
  507. Requires: samba-winbind
  508. Requires: samba-common-tools
  509. Requires: samba
  510. Requires: sssd-winbind-idmap
  511. Requires: tdb-tools
  512. Requires: cifs-utils
  513. %description client-samba
  514. This package provides command-line tools to deploy Samba domain member
  515. on the machine enrolled into a FreeIPA environment
  516. %package -n python3-ipaclient
  517. Summary: Python libraries used by IPA client
  518. Group: System Environment/Libraries
  519. BuildArch: noarch
  520. %{?python_provide:%python_provide python3-ipaclient}
  521. Requires: %{name}-client-common = %{version}-%{release}
  522. Requires: %{name}-common = %{version}-%{release}
  523. Requires: python3-ipalib = %{version}-%{release}
  524. Requires: python3-augeas
  525. Requires: python3-dns >= 1.15
  526. Requires: python3-jinja2
  527. %description -n python3-ipaclient
  528. IPA is an integrated solution to provide centrally managed Identity (users,
  529. hosts, services), Authentication (SSO, 2FA), and Authorization
  530. (host access control, SELinux user roles, services). The solution provides
  531. features for further integration with Linux based clients (SUDO, automount)
  532. and integration with Active Directory based infrastructures (Trusts).
  533. If your network uses IPA for authentication, this package should be
  534. installed on every client machine.
  535. %package client-common
  536. Summary: Common files used by IPA client
  537. Group: System Environment/Base
  538. BuildArch: noarch
  539. Provides: %{alt_name}-client-common = %{version}
  540. Conflicts: %{alt_name}-client-common
  541. Obsoletes: %{alt_name}-client-common < %{version}
  542. # python2-ipa* packages are no longer available in 4.8.
  543. Obsoletes: python2-ipaclient < 4.8.0-1
  544. Obsoletes: python2-ipalib < 4.8.0-1
  545. Obsoletes: python2-ipaserver < 4.8.0-1
  546. Obsoletes: python2-ipatests < 4.8.0-1
  547. %description client-common
  548. IPA is an integrated solution to provide centrally managed Identity (users,
  549. hosts, services), Authentication (SSO, 2FA), and Authorization
  550. (host access control, SELinux user roles, services). The solution provides
  551. features for further integration with Linux based clients (SUDO, automount)
  552. and integration with Active Directory based infrastructures (Trusts).
  553. If your network uses IPA for authentication, this package should be
  554. installed on every client machine.
  555. %package python-compat
  556. Summary: Compatiblity package for Python libraries used by IPA
  557. Group: System Environment/Libraries
  558. BuildArch: noarch
  559. Obsoletes: %{name}-python < 4.2.91
  560. Provides: %{name}-python = %{version}-%{release}
  561. Requires: %{name}-common = %{version}-%{release}
  562. Requires: python3-ipalib = %{version}-%{release}
  563. Provides: %{alt_name}-python-compat = %{version}
  564. Conflicts: %{alt_name}-python-compat
  565. Obsoletes: %{alt_name}-python-compat < %{version}
  566. Obsoletes: %{alt_name}-python < 4.2.91
  567. Provides: %{alt_name}-python = %{version}
  568. %description python-compat
  569. IPA is an integrated solution to provide centrally managed Identity (users,
  570. hosts, services), Authentication (SSO, 2FA), and Authorization
  571. (host access control, SELinux user roles, services). The solution provides
  572. features for further integration with Linux based clients (SUDO, automount)
  573. and integration with Active Directory based infrastructures (Trusts).
  574. This is a compatibility package to accommodate %{name}-python split into
  575. python3-ipalib and %{name}-common. Packages still depending on
  576. %{name}-python should be fixed to depend on python2-ipaclient or
  577. %{name}-common instead.
  578. %package -n python3-ipalib
  579. Summary: Python3 libraries used by IPA
  580. Group: System Environment/Libraries
  581. BuildArch: noarch
  582. %{?python_provide:%python_provide python3-ipalib}
  583. Provides: python3-ipapython = %{version}-%{release}
  584. %{?python_provide:%python_provide python3-ipapython}
  585. Provides: python3-ipaplatform = %{version}-%{release}
  586. %{?python_provide:%python_provide python3-ipaplatform}
  587. Requires: %{name}-common = %{version}-%{release}
  588. # we need pre-requires since earlier versions may break upgrade
  589. Requires(pre): python3-ldap >= %{python_ldap_version}
  590. Requires: gnupg2
  591. Requires: keyutils
  592. Requires: python3-cffi
  593. Requires: python3-cryptography >= 1.6
  594. Requires: python3-dateutil
  595. Requires: python3-dbus
  596. Requires: python3-dns >= 1.15
  597. Requires: python3-gssapi >= 1.2.0
  598. Requires: python3-jwcrypto >= 0.4.2
  599. Requires: python3-libipa_hbac
  600. Requires: python3-netaddr >= %{python_netaddr_version}
  601. Requires: python3-netifaces >= 0.10.4
  602. Requires: python3-pyasn1 >= 0.3.2-2
  603. Requires: python3-pyasn1-modules >= 0.3.2-2
  604. Requires: python3-pyusb
  605. Requires: python3-qrcode-core >= 5.0.0
  606. Requires: python3-requests
  607. Requires: python3-setuptools
  608. Requires: python3-six
  609. Requires: python3-sss-murmur
  610. Requires: python3-yubico >= 1.3.2-7
  611. %description -n python3-ipalib
  612. IPA is an integrated solution to provide centrally managed Identity (users,
  613. hosts, services), Authentication (SSO, 2FA), and Authorization
  614. (host access control, SELinux user roles, services). The solution provides
  615. features for further integration with Linux based clients (SUDO, automount)
  616. and integration with Active Directory based infrastructures (Trusts).
  617. If you are using IPA with Python 3, you need to install this package.
  618. %package common
  619. Summary: Common files used by IPA
  620. Group: System Environment/Libraries
  621. BuildArch: noarch
  622. Conflicts: %{name}-python < 4.2.91
  623. Provides: %{alt_name}-common = %{version}
  624. Conflicts: %{alt_name}-common
  625. Obsoletes: %{alt_name}-common < %{version}
  626. Conflicts: %{alt_name}-python < %{version}
  627. %if 0%{?with_selinux}
  628. # This ensures that the *-selinux package and all its dependencies are not
  629. # pulled into containers and other systems that do not use SELinux. The
  630. # policy defines types and file contexts for client and server.
  631. Requires: (%{name}-selinux if selinux-policy-%{selinuxtype})
  632. %endif
  633. %description common
  634. IPA is an integrated solution to provide centrally managed Identity (users,
  635. hosts, services), Authentication (SSO, 2FA), and Authorization
  636. (host access control, SELinux user roles, services). The solution provides
  637. features for further integration with Linux based clients (SUDO, automount)
  638. and integration with Active Directory based infrastructures (Trusts).
  639. If you are using IPA, you need to install this package.
  640. %if 0%{?with_ipatests}
  # Test-suite subpackage. It is built only when with_ipatests is non-zero; the
  # macros at the top of the spec force it to 0 on RHEL and leave it unset for
  # client-only builds.
  # NOTE(review): besides the tests this pulls in sshpass, openssh-clients and
  # iptables; presumably it is meant for dedicated test hosts rather than
  # production IPA servers - confirm against deployment guidance.
  641. %package -n python3-ipatests
  642. Summary: IPA tests and test tools
  643. BuildArch: noarch
  644. %{?python_provide:%python_provide python3-ipatests}
  645. Requires: python3-ipaclient = %{version}-%{release}
  646. Requires: python3-ipaserver = %{version}-%{release}
  647. Requires: iptables
  648. Requires: ldns-utils
  649. Requires: python3-coverage
  650. Requires: python3-cryptography >= 1.6
  651. Requires: python3-polib
  652. Requires: python3-pytest >= 2.6
  653. Requires: python3-pytest-multihost >= 0.5
  654. Requires: python3-pytest-sourceorder
  655. Requires: python3-sssdconfig >= %{sssd_version}
  656. Requires: tar
  657. Requires: xz
  658. Requires: openssh-clients
  659. Requires: sshpass
  660. %description -n python3-ipatests
  661. IPA is an integrated solution to provide centrally managed Identity (users,
  662. hosts, services), Authentication (SSO, 2FA), and Authorization
  663. (host access control, SELinux user roles, services). The solution provides
  664. features for further integration with Linux based clients (SUDO, automount)
  665. and integration with Active Directory based infrastructures (Trusts).
  666. This package contains tests that verify IPA functionality under Python 3.
  667. # with_ipatests
  668. %endif
  669. %if 0%{?with_selinux}
  670. # SELinux subpackage
  671. %package selinux
  672. Summary: FreeIPA SELinux policy
  673. BuildArch: noarch
  674. Requires: selinux-policy-%{selinuxtype}
  675. Requires(post): selinux-policy-%{selinuxtype}
  676. %{?selinux_requires}
  677. %description selinux
  678. Custom SELinux policy module
  679. # with_selinux
  680. %endif
  681. %prep
  # Quietly unpacks Source0 and enters the freeipa-<version> directory.
  # NOTE(review): no signature or checksum verification of the tarball is done
  # here before unpacking; integrity depends on how the archive was obtained.
  682. %setup -n freeipa-%{version} -q
  683. %build
  # Regenerates the autotools build system, configures with the options chosen
  # by the macros at the top of the spec, then builds in the source directory.
  684. # PATH is workaround for https://bugzilla.redhat.com/show_bug.cgi?id=1005235
  # The two system directories are prepended, so build tools resolve from
  # /usr/bin and /usr/sbin before any other entry already on PATH.
  685. export PATH=/usr/bin:/usr/sbin:$PATH
  # Point configure at the Python 3 interpreter named by the RPM macro.
  686. export PYTHON=%{__python3}
  # -i installs missing auxiliary files, -v is verbose, -f forces regeneration
  # of the generated build files shipped in the tarball.
  687. autoreconf -ivf
  # The vendor suffix is the package release; the remaining options select the
  # server, ipatests and lint settings decided earlier.
  688. %configure --with-vendor-suffix=-%{release} \
  689. %{enable_server_option} \
  690. %{with_ipatests_option} \
  691. %{linter_options}
  692. # run build in default dir
  693. # -Onone is workaround for https://bugzilla.redhat.com/show_bug.cgi?id=1398405
  694. %make_build -Onone
  695. %check
  # Runs the check target of the build with RPM's parallel-make flags, passing
  # VERBOSE=yes and the architecture's library directory to make.
  696. make %{?_smp_mflags} check VERBOSE=yes LIBDIR=%{_libdir}
  697. %install
  698. # Please put as much logic as possible into make install. It allows:
  699. # - easier porting to other distributions
  700. # - rapid devel & install cycle using make install
  701. # (instead of full RPM build and installation each time)
  702. #
  703. # All files and directories created by spec install should be marked as ghost.
  704. # (These are typically configuration files created by IPA installer.)
  705. # All other artifacts should be created by make install.
  706. %make_install
  707. %if 0%{?with_ipatests}
  # Rename each test entry point to its Python-version-suffixed name, then
  # add relative symlinks for the "-3" alias and for the unversioned name.
  for tool in ipa-run-tests ipa-test-config ipa-test-task; do
      versioned=%{buildroot}%{_bindir}/${tool}-%{python3_version}
      mv %{buildroot}%{_bindir}/${tool} ${versioned}
      ln -rs ${versioned} %{buildroot}%{_bindir}/${tool}-3
      # -f: replace anything already present under the unversioned name
      ln -frs ${versioned} %{buildroot}%{_bindir}/${tool}
  done
  717. # with_ipatests
  718. %endif
  719. # remove files which are useful only for make uninstall
  720. find %{buildroot} -wholename '*/site-packages/*/install_files.txt' -exec rm {} \;
  721. %find_lang %{gettext_domain}
  722. %if ! %{ONLY_CLIENT}
  # Remove the libtool .la archives that make install leaves behind; they
  # are not packaged. A missing file still fails the rm, as before.
  for plugin in \
      libipa_pwd_extop libipa_enrollment_extop libipa_winsync \
      libipa_repl_version libipa_uuid libipa_modrdn libipa_lockout \
      libipa_cldap libipa_dns libipa_sidgen libipa_sidgen_task \
      libipa_extdom_extop libipa_range_check libipa_otp_counter \
      libipa_otp_lasttoken libtopology
  do
      rm %{buildroot}/%{plugin_dir}/${plugin}.la
  done
  rm %{buildroot}/%{_libdir}/krb5/plugins/kdb/ipadb.la
  rm %{buildroot}/%{_libdir}/samba/pdb/ipasam.la
  # Create empty placeholders in the buildroot so the package can own our
  # Apache configuration and the other files listed as %%ghost below.
  mkdir -p %{buildroot}%{_sysconfdir}/httpd/conf.d/
  for conf in ipa.conf ipa-kdc-proxy.conf ipa-pki-proxy.conf ipa-rewrite.conf; do
      /bin/touch %{buildroot}%{_sysconfdir}/httpd/conf.d/${conf}
  done
  for page in ca.crt krb.con krb5.ini krbrealm.con; do
      /bin/touch %{buildroot}%{_usr}/share/ipa/html/${page}
  done

  # Placeholder for the Kerberos locator plugin path managed through
  # alternatives by the server-trust-ad scriptlets.
  mkdir -p %{buildroot}%{_libdir}/krb5/plugins/libkrb5
  touch %{buildroot}%{_libdir}/krb5/plugins/libkrb5/winbind_krb5_locator.so
  755. # ONLY_CLIENT
  756. %endif
  757. /bin/touch %{buildroot}%{_sysconfdir}/ipa/default.conf
  758. /bin/touch %{buildroot}%{_sysconfdir}/ipa/ca.crt
  759. %if ! %{ONLY_CLIENT}
  760. mkdir -p %{buildroot}%{_sysconfdir}/cron.d
  761. # ONLY_CLIENT
  762. %endif
  763. %clean
  764. rm -rf %{buildroot}
  765. %if ! %{ONLY_CLIENT}
  766. %post server
  # NOTE: systemd specific section
  # Make systemd re-read unit files; failure is ignored.
  /bin/systemctl --system daemon-reload 2>&1 || :
  # END

  # $1 > 1 means another instance of the package is installed (upgrade):
  # restart certmonger only if it is already running.
  if test "$1" -gt 1; then
      /bin/systemctl condrestart certmonger.service 2>&1 || :
  fi

  # Reload (or restart, if running) the services that read the D-Bus and
  # oddjob configuration shipped by this package.
  for svc in dbus oddjobd; do
      /bin/systemctl reload-or-try-restart $svc
  done

  %tmpfiles_create ipa.conf
  776. %posttrans server
  # Do nothing unless an IPA server is actually configured on this host;
  # the probe's output is discarded and only its exit status is used.
  if %{__python3} -c "import sys; from ipaserver.install import installutils; sys.exit(0 if installutils.is_ipa_configured() else 1);" > /dev/null 2>&1; then
      # Fedora system upgrades work with the network offline by default,
      # so bring the network up first.
      /bin/systemctl start network-online.target

      # Restart IPA processes. This must also run in posttrans so that
      # plugins and software are in a consistent state. The restart also
      # performs the system upgrade.
      # NOTE: systemd specific section
      if /bin/systemctl is-enabled ipa.service >/dev/null 2>&1; then
          /bin/systemctl restart ipa.service >/dev/null
      fi
  fi
  # END
  793. %preun server
  # $1 = 0 means the last instance of the package is being removed
  # (erase, not upgrade).
  case "$1" in
      0)
          # NOTE: systemd specific section
          /bin/systemctl --quiet stop ipa.service || :
          /bin/systemctl --quiet disable ipa.service || :
          for svc in dbus oddjobd; do
              /bin/systemctl reload-or-try-restart $svc
          done
          # END
          ;;
  esac
  802. %pre server
  # If the ipa_kpasswd binary is present, stop its service before the
  # upgrade so no zombie process is left behind afterwards.
  if test -e /usr/sbin/ipa_kpasswd; then
      # NOTE: systemd specific section
      # Output is discarded and failure is ignored.
      /bin/systemctl stop ipa_kpasswd.service >/dev/null 2>&1 || :
      # END
  fi
  810. %pre server-common
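  # Create the system users and groups used by the server components.
  # Every step is guarded by a lookup, so re-running on upgrade changes
  # nothing. Both accounts get /sbin/nologin as shell and / as home.

  # kdcproxy group and user
  getent group kdcproxy >/dev/null || groupadd -f -r kdcproxy
  getent passwd kdcproxy >/dev/null || useradd -r -g kdcproxy -s /sbin/nologin -d / -c "IPA KDC Proxy User" kdcproxy

  # ipaapi group and user
  getent group ipaapi >/dev/null || groupadd -f -r ipaapi
  getent passwd ipaapi >/dev/null || useradd -r -g ipaapi -s /sbin/nologin -d / -c "IPA Framework User" ipaapi

  # Add apache to the ipaapi group unless it is already a member.
  # The membership test matches whole group names only: a word-boundary
  # regex would also accept names such as "ipaapi-old", because "-" counts
  # as a boundary, and the usermod would then be skipped.
  id -Gn apache | tr ' ' '\n' | grep -qx ipaapi || usermod -a -G ipaapi apache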
  820. %post server-dns
  821. %systemd_post ipa-dnskeysyncd.service ipa-ods-exporter.socket ipa-ods-exporter.service
  822. %preun server-dns
  823. %systemd_preun ipa-dnskeysyncd.service ipa-ods-exporter.socket ipa-ods-exporter.service
  824. %postun server-dns
  825. %systemd_postun ipa-dnskeysyncd.service ipa-ods-exporter.socket ipa-ods-exporter.service
  826. %postun server-trust-ad
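  # $1 >= 1 means an instance of the package remains installed (upgrade).
  if [ "$1" -ge 1 ]; then
      # If the winbind_krb5_locator.so alternative currently resolves to
      # /dev/null, select /dev/null explicitly again.
      # "=" is the portable string comparison for test(1); "==" is only
      # accepted when /bin/sh is bash.
      if [ "$(readlink %{_sysconfdir}/alternatives/winbind_krb5_locator.so)" = "/dev/null" ]; then
          %{_sbindir}/alternatives --set winbind_krb5_locator.so /dev/null
      fi
  fi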
  832. %post server-trust-ad
  # Register /dev/null as an alternative for the winbind Kerberos locator
  # plugin path, with priority 90.
  %{_sbindir}/update-alternatives --install %{_libdir}/krb5/plugins/libkrb5/winbind_krb5_locator.so winbind_krb5_locator.so /dev/null 90

  # Reload (or restart, if running) the services that read the D-Bus and
  # oddjob configuration shipped by this package.
  for svc in dbus oddjobd; do
      /bin/systemctl reload-or-try-restart $svc
  done
  837. %posttrans server-trust-ad
  # Restart httpd (only if it is running) when an IPA server is configured
  # on this host; the probe's output is discarded.
  if %{__python3} -c "import sys; from ipaserver.install import installutils; sys.exit(0 if installutils.is_ipa_configured() else 1);" > /dev/null 2>&1; then
      # NOTE: systemd specific section
      /bin/systemctl try-restart httpd.service >/dev/null 2>&1 || :
      # END
  fi
  844. %preun server-trust-ad
  # $1 = 0 means the last instance of the package is being removed.
  if test "$1" -eq 0; then
      # Drop the /dev/null alternative registered by the post scriptlet.
      %{_sbindir}/update-alternatives --remove winbind_krb5_locator.so /dev/null
      for svc in dbus oddjobd; do
          /bin/systemctl reload-or-try-restart $svc
      done
  fi
  850. # ONLY_CLIENT
  851. %endif
  852. %post client
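  # Upgrade-time migration of client configuration. Runs only when another
  # instance of the package is already installed ($1 > 1) and the client
  # has been configured (sysrestore.index has at least two lines).
  if [ "$1" -gt 1 ]; then
      # Has the client been configured?
      restore=0
      test -f '/var/lib/ipa-client/sysrestore/sysrestore.index' && restore=$(wc -l '/var/lib/ipa-client/sysrestore/sysrestore.index' | awk '{print $1}')

      if [ "$restore" -ge 2 ]; then
          # Prepend the SSSD include directory to krb5.conf if it is not
          # referenced yet. The replacement is built in full first and is
          # moved into place only when every step succeeded, so a failed
          # write cannot leave a truncated /etc/krb5.conf behind.
          if [ -f '/etc/sssd/sssd.conf' ] && ! grep -E -q '/var/lib/sss/pubconf/krb5.include.d/' /etc/krb5.conf 2>/dev/null; then
              if { echo "includedir /var/lib/sss/pubconf/krb5.include.d/" && cat /etc/krb5.conf; } > /etc/krb5.conf.ipanew; then
                  mv -Z /etc/krb5.conf.ipanew /etc/krb5.conf
              else
                  rm -f /etc/krb5.conf.ipanew
              fi
          fi

          # Move the PKINIT trust anchors from /etc/ipa/ca.crt to the
          # bundles under /var/lib/ipa-client/pki. The bundles are written
          # before krb5.conf is switched, so the configuration never names
          # an anchor file that does not exist; if any step fails, the old
          # krb5.conf stays in place.
          if grep -E -q '\s*pkinit_anchors = FILE:/etc/ipa/ca.crt$' /etc/krb5.conf 2>/dev/null; then
              if cp /etc/ipa/ca.crt /var/lib/ipa-client/pki/kdc-ca-bundle.pem \
                  && cp /etc/ipa/ca.crt /var/lib/ipa-client/pki/ca-bundle.pem \
                  && sed -E 's|(\s*)pkinit_anchors = FILE:/etc/ipa/ca.crt$|\1pkinit_anchors = FILE:/var/lib/ipa-client/pki/kdc-ca-bundle.pem\n\1pkinit_pool = FILE:/var/lib/ipa-client/pki/ca-bundle.pem|' /etc/krb5.conf >/etc/krb5.conf.ipanew
              then
                  mv -Z /etc/krb5.conf.ipanew /etc/krb5.conf
              else
                  rm -f /etc/krb5.conf.ipanew
              fi
          fi

          # Python-side upgrade steps; their output is appended to the
          # upgrade log.
          %{__python3} -c 'from ipaclient.install.client import configure_krb5_snippet; configure_krb5_snippet()' >>/var/log/ipaupgrade.log 2>&1
          %{__python3} -c 'from ipaclient.install.client import update_ipa_nssdb; update_ipa_nssdb()' >>/var/log/ipaupgrade.log 2>&1

          # Comment out a "HostKeyAlgorithms ssh-rsa,ssh-dss" line in the
          # system ssh client configuration, which limits host keys to
          # those two algorithms. The previous file is kept as
          # ssh_config.orig.
          sed -E --in-place=.orig 's/^(HostKeyAlgorithms ssh-rsa,ssh-dss)$/# disabled by ipa-client update\n# \1/' /etc/ssh/ssh_config
      fi
  fi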
  880. %if 0%{?with_selinux}
  881. # SELinux contexts are saved so that only affected files can be
  882. # relabeled after the policy module installation
  883. %pre selinux
  884. %selinux_relabel_pre -s %{selinuxtype}
  885. %post selinux
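  # Disable the ipa_custodia module (output discarded, errors ignored),
  # then install the packaged policy module.
  # ">/dev/null 2>&1" is used instead of "&>": a POSIX shell parses "&>"
  # as "run in background" followed by a separate redirection.
  semodule -d ipa_custodia >/dev/null 2>&1 || true
  %selinux_modules_install -s %{selinuxtype} %{_datadir}/selinux/packages/%{selinuxtype}/%{modulename}.pp.bz2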
  888. %postun selinux
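  # On removal of the last instance ($1 = 0), uninstall the packaged
  # policy module and re-enable ipa_custodia (errors ignored).
  if [ "$1" -eq 0 ]; then
      %selinux_modules_uninstall -s %{selinuxtype} %{modulename}
      # Portable redirection; "&>" is a bash extension.
      semodule -e ipa_custodia >/dev/null 2>&1 || true
  fi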
  893. %posttrans selinux
  894. %selinux_relabel_post -s %{selinuxtype}
  895. # with_selinux
  896. %endif
  897. %triggerin client -- openssh-server
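  # Runs when openssh-server is installed or updated next to ipa-client.
  # If the client is configured and sshd_config already calls
  # sss_ssh_authorizedkeys, rewrite the key-command directives into the
  # spelling that the installed sshd accepts.

  # Has the client been configured?
  restore=0
  test -f '/var/lib/ipa-client/sysrestore/sysrestore.index' && restore=$(wc -l '/var/lib/ipa-client/sysrestore/sysrestore.index' | awk '{print $1}')

  if [ -f '/etc/ssh/sshd_config' ] && [ "$restore" -ge 2 ]; then
      if grep -E -q '^(AuthorizedKeysCommand /usr/bin/sss_ssh_authorizedkeys|PubKeyAgent /usr/bin/sss_ssh_authorizedkeys %u)$' /etc/ssh/sshd_config 2>/dev/null; then
          newconf=/etc/ssh/sshd_config.ipanew
          rewritten=0

          # Work on a copy with the old run-as directives removed. The
          # copy is created under umask 077 so it is owner-only from the
          # start; sshd_config is set to 600 below, and the copy should
          # never be more readable than that.
          if ( umask 077 && sed -r -e '/^(AuthorizedKeysCommand(User|RunAs)|PubKeyAgentRunAs)[ \t]/ d' /etc/ssh/sshd_config >"$newconf" ); then
              # Find the directive names this sshd understands by letting
              # it test-parse an empty configuration (-f /dev/null) plus
              # the candidate options.
              if /usr/sbin/sshd -t -f /dev/null -o 'AuthorizedKeysCommand=/usr/bin/sss_ssh_authorizedkeys' -o 'AuthorizedKeysCommandUser=nobody' 2>/dev/null; then
                  sed -ri \
                      -e 's/^PubKeyAgent (.+) %u$/AuthorizedKeysCommand \1/' \
                      -e 's/^AuthorizedKeysCommand .*$/\0\nAuthorizedKeysCommandUser nobody/' \
                      "$newconf" && rewritten=1
              elif /usr/sbin/sshd -t -f /dev/null -o 'AuthorizedKeysCommand=/usr/bin/sss_ssh_authorizedkeys' -o 'AuthorizedKeysCommandRunAs=nobody' 2>/dev/null; then
                  sed -ri \
                      -e 's/^PubKeyAgent (.+) %u$/AuthorizedKeysCommand \1/' \
                      -e 's/^AuthorizedKeysCommand .*$/\0\nAuthorizedKeysCommandRunAs nobody/' \
                      "$newconf" && rewritten=1
              elif /usr/sbin/sshd -t -f /dev/null -o 'PubKeyAgent=/usr/bin/sss_ssh_authorizedkeys %u' -o 'PubKeyAgentRunAs=nobody' 2>/dev/null; then
                  sed -ri \
                      -e 's/^AuthorizedKeysCommand (.+)$/PubKeyAgent \1 %u/' \
                      -e 's/^PubKeyAgent .*$/\0\nPubKeyAgentRunAs nobody/' \
                      "$newconf" && rewritten=1
              fi
          fi

          if [ "$rewritten" -eq 1 ]; then
              # Tighten the mode before the rename so the live file is
              # never looser than 600.
              chmod 600 "$newconf"
              mv -Z "$newconf" /etc/ssh/sshd_config
              /bin/systemctl condrestart sshd.service 2>&1 || :
          else
              # No supported spelling was found, or a rewrite step failed.
              # Installing the copy would leave the key command without a
              # run-as user; sshd_config(5) documents that sshd refuses to
              # start in that state. Keep the existing configuration.
              rm -f "$newconf"
          fi
      fi
  fi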
  927. %if ! %{ONLY_CLIENT}
  928. %files server
  929. %doc README.md Contributors.txt
  930. %license COPYING
  931. %{_sbindir}/ipa-backup
  932. %{_sbindir}/ipa-restore
  933. %{_sbindir}/ipa-ca-install
  934. %{_sbindir}/ipa-kra-install
  935. %{_sbindir}/ipa-server-install
  936. %{_sbindir}/ipa-replica-conncheck
  937. %{_sbindir}/ipa-replica-install
  938. %{_sbindir}/ipa-replica-manage
  939. %{_sbindir}/ipa-csreplica-manage
  940. %{_sbindir}/ipa-server-certinstall
  941. %{_sbindir}/ipa-server-upgrade
  942. %{_sbindir}/ipa-ldap-updater
  943. %{_sbindir}/ipa-otptoken-import
  944. %{_sbindir}/ipa-compat-manage
  945. %{_sbindir}/ipa-nis-manage
  946. %{_sbindir}/ipa-managed-entries
  947. %{_sbindir}/ipactl
  948. %{_sbindir}/ipa-advise
  949. %{_sbindir}/ipa-cacert-manage
  950. %{_sbindir}/ipa-winsync-migrate
  951. %{_sbindir}/ipa-pkinit-manage
  952. %{_sbindir}/ipa-crlgen-manage
  953. %{_sbindir}/ipa-cert-fix
  954. %{_libexecdir}/certmonger/dogtag-ipa-ca-renew-agent-submit
  955. %{_libexecdir}/certmonger/ipa-server-guard
  956. %dir %{_libexecdir}/ipa
  957. %{_libexecdir}/ipa/ipa-custodia
  958. %{_libexecdir}/ipa/ipa-custodia-check
  959. %{_libexecdir}/ipa/ipa-httpd-kdcproxy
  960. %{_libexecdir}/ipa/ipa-httpd-pwdreader
  961. %{_libexecdir}/ipa/ipa-pki-retrieve-key
  962. %{_libexecdir}/ipa/ipa-pki-wait-running
  963. %{_libexecdir}/ipa/ipa-otpd
  964. %dir %{_libexecdir}/ipa/custodia
  965. %attr(755,root,root) %{_libexecdir}/ipa/custodia/ipa-custodia-dmldap
  966. %attr(755,root,root) %{_libexecdir}/ipa/custodia/ipa-custodia-pki-tomcat
  967. %attr(755,root,root) %{_libexecdir}/ipa/custodia/ipa-custodia-pki-tomcat-wrapped
  968. %attr(755,root,root) %{_libexecdir}/ipa/custodia/ipa-custodia-ra-agent
  969. %dir %{_libexecdir}/ipa/oddjob
  970. %attr(0755,root,root) %{_libexecdir}/ipa/oddjob/org.freeipa.server.conncheck
  971. %attr(0755,root,root) %{_libexecdir}/ipa/oddjob/org.freeipa.server.trust-enable-agent
  972. %config(noreplace) %{_sysconfdir}/dbus-1/system.d/org.freeipa.server.conf
  973. %config(noreplace) %{_sysconfdir}/oddjobd.conf.d/ipa-server.conf
  974. %dir %{_libexecdir}/ipa/certmonger
  975. %attr(755,root,root) %{_libexecdir}/ipa/certmonger/*
  976. # NOTE: systemd specific section
  977. %attr(644,root,root) %{_unitdir}/ipa.service
  978. %attr(644,root,root) %{_unitdir}/ipa-otpd.socket
  979. %attr(644,root,root) %{_unitdir}/ipa-otpd@.service
  980. # END
  981. %attr(755,root,root) %{plugin_dir}/libipa_pwd_extop.so
  982. %attr(755,root,root) %{plugin_dir}/libipa_enrollment_extop.so
  983. %attr(755,root,root) %{plugin_dir}/libipa_winsync.so
  984. %attr(755,root,root) %{plugin_dir}/libipa_repl_version.so
  985. %attr(755,root,root) %{plugin_dir}/libipa_uuid.so
  986. %attr(755,root,root) %{plugin_dir}/libipa_modrdn.so
  987. %attr(755,root,root) %{plugin_dir}/libipa_lockout.so
  988. %attr(755,root,root) %{plugin_dir}/libipa_cldap.so
  989. %attr(755,root,root) %{plugin_dir}/libipa_dns.so
  990. %attr(755,root,root) %{plugin_dir}/libipa_range_check.so
  991. %attr(755,root,root) %{plugin_dir}/libipa_otp_counter.so
  992. %attr(755,root,root) %{plugin_dir}/libipa_otp_lasttoken.so
  993. %attr(755,root,root) %{plugin_dir}/libtopology.so
  994. %attr(755,root,root) %{plugin_dir}/libipa_sidgen.so
  995. %attr(755,root,root) %{plugin_dir}/libipa_sidgen_task.so
  996. %attr(755,root,root) %{plugin_dir}/libipa_extdom_extop.so
  997. %attr(755,root,root) %{_libdir}/krb5/plugins/kdb/ipadb.so
  998. %{_mandir}/man1/ipa-replica-conncheck.1*
  999. %{_mandir}/man1/ipa-replica-install.1*
  1000. %{_mandir}/man1/ipa-replica-manage.1*
  1001. %{_mandir}/man1/ipa-csreplica-manage.1*
  1002. %{_mandir}/man1/ipa-server-certinstall.1*
  1003. %{_mandir}/man1/ipa-server-install.1*
  1004. %{_mandir}/man1/ipa-server-upgrade.1*
  1005. %{_mandir}/man1/ipa-ca-install.1*
  1006. %{_mandir}/man1/ipa-kra-install.1*
  1007. %{_mandir}/man1/ipa-compat-manage.1*
  1008. %{_mandir}/man1/ipa-nis-manage.1*
  1009. %{_mandir}/man1/ipa-managed-entries.1*
  1010. %{_mandir}/man1/ipa-ldap-updater.1*
  1011. %{_mandir}/man8/ipactl.8*
  1012. %{_mandir}/man1/ipa-backup.1*
  1013. %{_mandir}/man1/ipa-restore.1*
  1014. %{_mandir}/man1/ipa-advise.1*
  1015. %{_mandir}/man1/ipa-otptoken-import.1*
  1016. %{_mandir}/man1/ipa-cacert-manage.1*
  1017. %{_mandir}/man1/ipa-winsync-migrate.1*
  1018. %{_mandir}/man1/ipa-pkinit-manage.1*
  1019. %{_mandir}/man1/ipa-crlgen-manage.1*
  1020. %{_mandir}/man1/ipa-cert-fix.1*
  1021. %files -n python3-ipaserver
  1022. %doc README.md Contributors.txt
  1023. %license COPYING
  1024. %{python3_sitelib}/ipaserver
  1025. %{python3_sitelib}/ipaserver-*.egg-info
  1026. %files server-common
  1027. %doc README.md Contributors.txt
  1028. %license COPYING
  1029. %ghost %verify(not owner group) %dir %{_sharedstatedir}/kdcproxy
  1030. %dir %attr(0755,root,root) %{_sysconfdir}/ipa/kdcproxy
  1031. %config(noreplace) %{_sysconfdir}/ipa/kdcproxy/kdcproxy.conf
  1032. # NOTE: systemd specific section
  1033. %{_tmpfilesdir}/ipa.conf
  1034. %attr(644,root,root) %{_unitdir}/ipa-custodia.service
  1035. %ghost %attr(644,root,root) %{etc_systemd_dir}/httpd.d/ipa.conf
  1036. # END
  1037. %{_usr}/share/ipa/wsgi.py*
  1038. %{_usr}/share/ipa/kdcproxy.wsgi
  1039. %{_usr}/share/ipa/ipaca*.ini
  1040. %{_usr}/share/ipa/*.ldif
  1041. %{_usr}/share/ipa/*.uldif
  1042. %{_usr}/share/ipa/*.template
  1043. %{_usr}/share/ipa/bind.ipa-ext.conf
  1044. %dir %{_usr}/share/ipa/advise
  1045. %dir %{_usr}/share/ipa/advise/legacy
  1046. %{_usr}/share/ipa/advise/legacy/*.template
  1047. %dir %{_usr}/share/ipa/profiles
  1048. %{_usr}/share/ipa/profiles/README
  1049. %{_usr}/share/ipa/profiles/*.cfg
  1050. %dir %{_usr}/share/ipa/html
  1051. %{_usr}/share/ipa/html/ssbrowser.html
  1052. %{_usr}/share/ipa/html/unauthorized.html
  1053. %dir %{_usr}/share/ipa/migration
  1054. %{_usr}/share/ipa/migration/index.html
  1055. %{_usr}/share/ipa/migration/migration.py*
  1056. %dir %{_usr}/share/ipa/ui
  1057. %{_usr}/share/ipa/ui/index.html
  1058. %{_usr}/share/ipa/ui/reset_password.html
  1059. %{_usr}/share/ipa/ui/sync_otp.html
  1060. %{_usr}/share/ipa/ui/*.ico
  1061. %{_usr}/share/ipa/ui/*.css
  1062. %dir %{_usr}/share/ipa/ui/css
  1063. %{_usr}/share/ipa/ui/css/*.css
  1064. %dir %{_usr}/share/ipa/ui/js
  1065. %dir %{_usr}/share/ipa/ui/js/dojo
  1066. %{_usr}/share/ipa/ui/js/dojo/dojo.js
  1067. %dir %{_usr}/share/ipa/ui/js/libs
  1068. %{_usr}/share/ipa/ui/js/libs/*.js
  1069. %dir %{_usr}/share/ipa/ui/js/freeipa
  1070. %{_usr}/share/ipa/ui/js/freeipa/app.js
  1071. %{_usr}/share/ipa/ui/js/freeipa/core.js
  1072. %dir %{_usr}/share/ipa/ui/js/plugins
  1073. %dir %{_usr}/share/ipa/ui/images
  1074. %{_usr}/share/ipa/ui/images/*.jpg
  1075. %{_usr}/share/ipa/ui/images/*.png
  1076. %dir %{_usr}/share/ipa/wsgi
  1077. %{_usr}/share/ipa/wsgi/plugins.py*
  1078. %dir %{_sysconfdir}/ipa
  1079. %dir %{_sysconfdir}/ipa/html
  1080. %config(noreplace) %{_sysconfdir}/ipa/html/ssbrowser.html
  1081. %config(noreplace) %{_sysconfdir}/ipa/html/unauthorized.html
  1082. %ghost %attr(0644,root,root) %config(noreplace) %{_sysconfdir}/httpd/conf.d/ipa-rewrite.conf
  1083. %ghost %attr(0644,root,root) %config(noreplace) %{_sysconfdir}/httpd/conf.d/ipa.conf
  1084. %ghost %attr(0644,root,root) %config(noreplace) %{_sysconfdir}/httpd/conf.d/ipa-kdc-proxy.conf
  1085. %ghost %attr(0640,root,root) %config(noreplace) %{_sysconfdir}/httpd/conf.d/ipa-pki-proxy.conf
  1086. %ghost %attr(0644,root,root) %config(noreplace) %{_sysconfdir}/ipa/kdcproxy/ipa-kdc-proxy.conf
  1087. %ghost %attr(0644,root,root) %config(noreplace) %{_usr}/share/ipa/html/ca.crt
  1088. %ghost %attr(0640,root,named) %config(noreplace) %{_sysconfdir}/named/ipa-ext.conf
  1089. %ghost %attr(0644,root,root) %{_usr}/share/ipa/html/krb.con
  1090. %ghost %attr(0644,root,root) %{_usr}/share/ipa/html/krb5.ini
  1091. %ghost %attr(0644,root,root) %{_usr}/share/ipa/html/krbrealm.con
  1092. %dir %{_usr}/share/ipa/updates/
  1093. %{_usr}/share/ipa/updates/*
  1094. %dir %{_localstatedir}/lib/ipa
  1095. %attr(700,root,root) %dir %{_localstatedir}/lib/ipa/backup
  1096. %attr(700,root,root) %dir %{_localstatedir}/lib/ipa/gssproxy
  1097. %attr(711,root,root) %dir %{_localstatedir}/lib/ipa/sysrestore
  1098. %attr(700,root,root) %dir %{_localstatedir}/lib/ipa/sysupgrade
  1099. %attr(755,root,root) %dir %{_localstatedir}/lib/ipa/pki-ca
  1100. %attr(755,root,root) %dir %{_localstatedir}/lib/ipa/certs
  1101. %attr(700,root,root) %dir %{_localstatedir}/lib/ipa/private
  1102. %attr(700,root,root) %dir %{_localstatedir}/lib/ipa/passwds
  1103. %ghost %attr(775,root,pkiuser) %{_localstatedir}/lib/ipa/pki-ca/publish
  1104. %ghost %attr(770,named,named) %{_localstatedir}/named/dyndb-ldap/ipa
  1105. %dir %attr(0700,root,root) %{_sysconfdir}/ipa/custodia
  1106. %dir %{_usr}/share/ipa/schema.d
  1107. %attr(0644,root,root) %{_usr}/share/ipa/schema.d/README
  1108. %attr(0644,root,root) %{_usr}/share/ipa/gssapi.login
  1109. %{_usr}/share/ipa/ipakrb5.aug
  1110. %files server-dns
  1111. %doc README.md Contributors.txt
  1112. %license COPYING
  1113. %config(noreplace) %{_sysconfdir}/sysconfig/ipa-dnskeysyncd
  1114. %config(noreplace) %{_sysconfdir}/sysconfig/ipa-ods-exporter
  1115. %dir %attr(0755,root,root) %{_sysconfdir}/ipa/dnssec
  1116. %{_libexecdir}/ipa/ipa-dnskeysyncd
  1117. %{_libexecdir}/ipa/ipa-dnskeysync-replica
  1118. %{_libexecdir}/ipa/ipa-ods-exporter
  1119. %{_sbindir}/ipa-dns-install
  1120. %{_mandir}/man1/ipa-dns-install.1*
  1121. %attr(644,root,root) %{_unitdir}/ipa-dnskeysyncd.service
  1122. %attr(644,root,root) %{_unitdir}/ipa-ods-exporter.socket
  1123. %attr(644,root,root) %{_unitdir}/ipa-ods-exporter.service
  1124. %files server-trust-ad
  1125. %doc README.md Contributors.txt
  1126. %license COPYING
  1127. %{_sbindir}/ipa-adtrust-install
  1128. %{_usr}/share/ipa/smb.conf.empty
  1129. %attr(755,root,root) %{_libdir}/samba/pdb/ipasam.so
  1130. %{_mandir}/man1/ipa-adtrust-install.1*
  1131. %ghost %{_libdir}/krb5/plugins/libkrb5/winbind_krb5_locator.so
  1132. %{_sysconfdir}/dbus-1/system.d/oddjob-ipa-trust.conf
  1133. %{_sysconfdir}/oddjobd.conf.d/oddjobd-ipa-trust.conf
  1134. %%attr(755,root,root) %{_libexecdir}/ipa/oddjob/com.redhat.idm.trust-fetch-domains
  1135. # ONLY_CLIENT
  1136. %endif
  1137. %files client
  1138. %doc README.md Contributors.txt
  1139. %license COPYING
  1140. %{_sbindir}/ipa-client-install
  1141. %{_sbindir}/ipa-client-automount
  1142. %{_sbindir}/ipa-certupdate
  1143. %{_sbindir}/ipa-getkeytab
  1144. %{_sbindir}/ipa-rmkeytab
  1145. %{_sbindir}/ipa-join
  1146. %{_bindir}/ipa
  1147. %config %{_sysconfdir}/bash_completion.d
  1148. %config %{_sysconfdir}/sysconfig/certmonger
  1149. %{_mandir}/man1/ipa.1*
  1150. %{_mandir}/man1/ipa-getkeytab.1*
  1151. %{_mandir}/man1/ipa-rmkeytab.1*
  1152. %{_mandir}/man1/ipa-client-install.1*
  1153. %{_mandir}/man1/ipa-client-automount.1*
  1154. %{_mandir}/man1/ipa-certupdate.1*
  1155. %{_mandir}/man1/ipa-join.1*
  1156. %files client-samba
  1157. %doc README.md Contributors.txt
  1158. %license COPYING
  1159. %{_sbindir}/ipa-client-samba
  1160. %{_mandir}/man1/ipa-client-samba.1*
  1161. %files -n python3-ipaclient
  1162. %doc README.md Contributors.txt
  1163. %license COPYING
  1164. %dir %{python3_sitelib}/ipaclient
  1165. %{python3_sitelib}/ipaclient/*.py
  1166. %{python3_sitelib}/ipaclient/__pycache__/*.py*
  1167. %dir %{python3_sitelib}/ipaclient/install
  1168. %{python3_sitelib}/ipaclient/install/*.py
  1169. %{python3_sitelib}/ipaclient/install/__pycache__/*.py*
  1170. %dir %{python3_sitelib}/ipaclient/plugins
  1171. %{python3_sitelib}/ipaclient/plugins/*.py
  1172. %{python3_sitelib}/ipaclient/plugins/__pycache__/*.py*
  1173. %dir %{python3_sitelib}/ipaclient/remote_plugins
  1174. %{python3_sitelib}/ipaclient/remote_plugins/*.py
  1175. %{python3_sitelib}/ipaclient/remote_plugins/__pycache__/*.py*
  1176. %dir %{python3_sitelib}/ipaclient/remote_plugins/2_*
  1177. %{python3_sitelib}/ipaclient/remote_plugins/2_*/*.py
  1178. %{python3_sitelib}/ipaclient/remote_plugins/2_*/__pycache__/*.py*
  1179. %dir %{python3_sitelib}/ipaclient/csrgen
  1180. %dir %{python3_sitelib}/ipaclient/csrgen/profiles
  1181. %{python3_sitelib}/ipaclient/csrgen/profiles/*.json
  1182. %dir %{python3_sitelib}/ipaclient/csrgen/rules
  1183. %{python3_sitelib}/ipaclient/csrgen/rules/*.json
  1184. %dir %{python3_sitelib}/ipaclient/csrgen/templates
  1185. %{python3_sitelib}/ipaclient/csrgen/templates/*.tmpl
  1186. %{python3_sitelib}/ipaclient-*.egg-info
  1187. %files client-common
  1188. %doc README.md Contributors.txt
  1189. %license COPYING
  1190. %dir %attr(0755,root,root) %{_sysconfdir}/ipa/
  1191. %ghost %attr(0644,root,root) %config(noreplace) %{_sysconfdir}/ipa/default.conf
  1192. %ghost %attr(0644,root,root) %config(noreplace) %{_sysconfdir}/ipa/ca.crt
  1193. %dir %attr(0755,root,root) %{_sysconfdir}/ipa/nssdb
  1194. # old dbm format
  1195. %ghost %attr(644,root,root) %config(noreplace) %{_sysconfdir}/ipa/nssdb/cert8.db
  1196. %ghost %attr(644,root,root) %config(noreplace) %{_sysconfdir}/ipa/nssdb/key3.db
  1197. %ghost %attr(644,root,root) %config(noreplace) %{_sysconfdir}/ipa/nssdb/secmod.db
  1198. # new sql format
  1199. %ghost %attr(644,root,root) %config(noreplace) %{_sysconfdir}/ipa/nssdb/cert9.db
  1200. %ghost %attr(644,root,root) %config(noreplace) %{_sysconfdir}/ipa/nssdb/key4.db
  1201. %ghost %attr(644,root,root) %config(noreplace) %{_sysconfdir}/ipa/nssdb/pkcs11.txt
  1202. %ghost %attr(600,root,root) %config(noreplace) %{_sysconfdir}/ipa/nssdb/pwdfile.txt
  1203. %ghost %attr(644,root,root) %config(noreplace) %{_sysconfdir}/pki/ca-trust/source/ipa.p11-kit
  1204. %dir %{_localstatedir}/lib/ipa-client
  1205. %dir %{_localstatedir}/lib/ipa-client/pki
  1206. %dir %{_localstatedir}/lib/ipa-client/sysrestore
  1207. %{_mandir}/man5/default.conf.5*
  1208. %dir %{_usr}/share/ipa/client
  1209. %{_usr}/share/ipa/client/*.template
  1210. %files python-compat
  1211. %doc README.md Contributors.txt
  1212. %license COPYING
  1213. %files common -f %{gettext_domain}.lang
  1214. %doc README.md Contributors.txt
  1215. %license COPYING
  1216. %dir %{_usr}/share/ipa
  1217. %files -n python3-ipalib
  1218. %doc README.md Contributors.txt
  1219. %license COPYING
  1220. %{python3_sitelib}/ipapython/
  1221. %{python3_sitelib}/ipalib/
  1222. %{python3_sitelib}/ipaplatform/
  1223. %{python3_sitelib}/ipapython-*.egg-info
  1224. %{python3_sitelib}/ipalib-*.egg-info
  1225. %{python3_sitelib}/ipaplatform-*.egg-info
  1226. %{python3_sitelib}/ipaplatform-*-nspkg.pth
  1227. %if 0%{?with_ipatests}
  1228. %files -n python3-ipatests
  1229. %doc README.md Contributors.txt
  1230. %license COPYING
  1231. %{python3_sitelib}/ipatests
  1232. %{python3_sitelib}/ipatests-*.egg-info
  1233. %{_bindir}/ipa-run-tests-3
  1234. %{_bindir}/ipa-test-config-3
  1235. %{_bindir}/ipa-test-task-3
  1236. %{_bindir}/ipa-run-tests-%{python3_version}
  1237. %{_bindir}/ipa-test-config-%{python3_version}
  1238. %{_bindir}/ipa-test-task-%{python3_version}
  1239. %{_bindir}/ipa-run-tests
  1240. %{_bindir}/ipa-test-config
  1241. %{_bindir}/ipa-test-task
  1242. %{_mandir}/man1/ipa-run-tests.1*
  1243. %{_mandir}/man1/ipa-test-config.1*
  1244. %{_mandir}/man1/ipa-test-task.1*
  1245. # with_ipatests
  1246. %endif
  1247. %if 0%{?with_selinux}
  1248. %files selinux
  1249. %{_datadir}/selinux/packages/%{selinuxtype}/%{modulename}.pp.*
  1250. %ghost %{_sharedstatedir}/selinux/%{selinuxtype}/active/modules/200/%{modulename}
  1251. # with_selinux
  1252. %endif
  1253. %changelog
  1254. * Tue Nov 26 2013 Petr Viktorin <pviktori@redhat.com> - @VERSION@-@VENDOR_SUFFIX@
  1255. - Remove changelog. The history is kept in Git, downstreams have own logs.
  1256. # note, this entry is here to placate tools that expect a non-empty changelog