From holger at layer-acht.org Wed Apr 1 10:06:45 2015
From: holger at layer-acht.org (Holger Levsen)
Date: Wed, 1 Apr 2015 12:06:45 +0200
Subject: [Pkg-freeipa-devel] Bug#781607: Bug#781607: freeipa: please package new upstream version
In-Reply-To: <551AFFCC.5080603@debian.org>
References: <201503311631.22793.holger@layer-acht.org> <551AFFCC.5080603@debian.org>
Message-ID: <201504011206.47528.holger@layer-acht.org>

control: block -1 by 780354

Hi Timo,

On Tuesday, 31 March 2015, Timo Aaltonen wrote:
> It needs at least bind 9.10 or up and softhsm 2.0.0b2 (see bug #780354).
> Could be others too, didn't really bother checking further.

Thanks for the info!

bind 9.10 is in experimental but softhsm 2.0.0b2 ain't available yet.

cheers,
	Holger

-------------- next part --------------
A non-text attachment was scrubbed...
Name: signature.asc
Type: application/pgp-signature
Size: 828 bytes
Desc: This is a digitally signed message part.
URL: 

From owner at bugs.debian.org Wed Apr 1 10:09:07 2015
From: owner at bugs.debian.org (Debian Bug Tracking System)
Date: Wed, 01 Apr 2015 10:09:07 +0000
Subject: [Pkg-freeipa-devel] Processed: Re: Bug#781607: freeipa: please package new upstream version
References: <201504011206.47528.holger@layer-acht.org> <201503311631.22793.holger@layer-acht.org>
Message-ID: 

Processing control commands:

> block -1 by 780354
Bug #781607 [freeipa] freeipa: please package new upstream version
781607 was not blocked by any bugs.
781607 was not blocking any bugs.
Added blocking bug(s) of 781607: 780354

-- 
781607: http://bugs.debian.org/cgi-bin/bugreport.cgi?bug=781607
Debian Bug Tracking System
Contact owner at bugs.debian.org with problems

From ondrej at debian.org Wed Apr 1 12:25:06 2015
From: ondrej at debian.org (Ondřej Surý)
Date: Wed, 01 Apr 2015 14:25:06 +0200
Subject: [Pkg-freeipa-devel] Processed: Re: Bug#781607: freeipa: please package new upstream version
In-Reply-To: 
References: <201504011206.47528.holger@layer-acht.org> <201503311631.22793.holger@layer-acht.org>
Message-ID: <1427891106.1699106.248030881.247D6F8C@webmail.messagingengine.com>

Hey FreeIPA people,

I suggest we wait for the jessie release, which is so close now, and I will upgrade softhsm directly in unstable then. Sounds good?

Cheers,
Ondrej

On Wed, Apr 1, 2015, at 12:09, Debian Bug Tracking System wrote:
> Processing control commands:
> 
> > block -1 by 780354
> Bug #781607 [freeipa] freeipa: please package new upstream version
> 781607 was not blocked by any bugs.
> 781607 was not blocking any bugs.
> Added blocking bug(s) of 781607: 780354
> 
> -- 
> 781607: http://bugs.debian.org/cgi-bin/bugreport.cgi?bug=781607
> Debian Bug Tracking System
> Contact owner at bugs.debian.org with problems

-- 
Ondřej Surý
Knot DNS (https://www.knot-dns.cz/) - a high-performance DNS server

From tjaalton at debian.org Thu Apr 2 05:44:26 2015
From: tjaalton at debian.org (Timo Aaltonen)
Date: Thu, 02 Apr 2015 08:44:26 +0300
Subject: [Pkg-freeipa-devel] Bug#781607: Bug#781607: Bug#781607: freeipa: please package new upstream version
In-Reply-To: <201504011206.47528.holger@layer-acht.org>
References: <201503311631.22793.holger@layer-acht.org> <551AFFCC.5080603@debian.org> <201504011206.47528.holger@layer-acht.org>
Message-ID: <551CD73A.2070505@debian.org>

On 01.04.2015 13:06, Holger Levsen wrote:
> control: block -1 by 780354
> 
> Hi Timo,
> 
> On Tuesday, 31 March 2015, Timo Aaltonen wrote:
>> It needs at least bind 9.10 or up and softhsm 2.0.0b2 (see bug #780354).
>> Could be others too, didn't really bother checking further.
> 
> Thanks for the info!
> 
> bind 9.10 is in experimental but softhsm 2.0.0b2 ain't available yet.

Actually it needs bind 9.10.1 or newer; experimental has rc2 from ~a year ago.

-- 
t

From tjaalton at debian.org Thu Apr 2 07:51:12 2015
From: tjaalton at debian.org (Timo Aaltonen)
Date: Thu, 02 Apr 2015 10:51:12 +0300
Subject: [Pkg-freeipa-devel] Bug#781607: Bug#781607: Bug#781607: Bug#781607: freeipa: please package new upstream version
In-Reply-To: <551CD73A.2070505@debian.org>
References: <201503311631.22793.holger@layer-acht.org> <551AFFCC.5080603@debian.org> <201504011206.47528.holger@layer-acht.org> <551CD73A.2070505@debian.org>
Message-ID: <551CF4F0.7020707@debian.org>

On 02.04.2015 08:44, Timo Aaltonen wrote:
> On 01.04.2015 13:06, Holger Levsen wrote:
>> control: block -1 by 780354
>> 
>> Hi Timo,
>> 
>> On Tuesday, 31 March 2015, Timo Aaltonen wrote:
>>> It needs at least bind 9.10 or up and softhsm 2.0.0b2 (see bug #780354).
>>> Could be others too, didn't really bother checking further.
>> 
>> Thanks for the info!
>> 
>> bind 9.10 is in experimental but softhsm 2.0.0b2 ain't available yet.
> 
> Actually it needs bind 9.10.1 or newer; experimental has rc2 from
> ~a year ago.

I got a suggestion to pull a patch from CentOS, which disables DNSSEC support; that should let us move forward with 4.1 sooner.

-- 
t

From tjaalton at moszumanska.debian.org Thu Apr 2 08:44:26 2015
From: tjaalton at moszumanska.debian.org (Timo Aaltonen) Date: Thu, 02 Apr 2015 08:44:26 +0000 Subject: [Pkg-freeipa-devel] freeipa: Changes to 'refs/tags/debian/4.0.5-4' Message-ID: Tag 'debian/4.0.5-4' created by Timo Aaltonen at 2015-04-02 07:54 +0000 tagging package freeipa version debian/4.0.5-4 -----BEGIN PGP SIGNATURE----- Version: GnuPG v1 iQIcBAABAgAGBQJVHPWmAAoJEMtwMWWoiYTcv4gP/3M9/g//LDh6GXIBfRlyyEnp GMyiL+htz2Hhbc4ezln/ciW5dMYcdz18nNiguqooUQXUtz0Ueruu48NwAHOfERmR aXjsv4dpv52EMHUfuCP48TCOpbi/RwltEiFuqd7JUntZqKfmKvEtFvGJXButcFtY Qjm3OI/EiQUfSV7MnMLtxzNSBdtG2ewt5GxZiYSSGZ9FhAOjNpwpZQZcIKOoiLem bbUHd9yguVfqlutHctEbk1PuIZjLSJvY/M/bcIS6i/SgBMlKWr7gb+obtrP6iMRT ejxqdscAT4pzqVjjyiuoRevYdGz3bQf1Y6rtBSIZXTgFdDvnfbUkhEc03utP4ogx QZ/4m1SOQLX99i8Ez2IAoPfUrOjv7+x/chyDkdOV25giKJ7caRV2Ik2o/RhcpXvm mZhrhlabYRPzePQQ9hFp7oZXiddiQT4SC4Fx91wtQrk2SEVMGsCCOjmdovPM5F46 bYYKeKlNgx4GB4935BSSn3Mhi101OUnqMTQ+J7gwuvmDZB2EZS85f74XJ6vAWMyv lzUW/gk0+6Jwm4RQ0I+HCtxUUv+gUhupgp61qpKWBvAFg8j4JY90dYfJja0FfPiC Dn8B/huSdplDifoBT+vnRG+2JjJUxY5bx4ZbvZF4l6pfLX3ZKu/d+tnfflYUJTpz kT53mrDZrkIdllLZ9Nnh =cWRo -----END PGP SIGNATURE----- Changes since debian/4.0.5-3: Timo Aaltonen (9): control: Fix freeipa-tests depends. sort freeipa-tests deps further deps control: Add systemd-sysv to server depends. (Closes: #780386) freeipa-client.postrm: Purge /etc/pki if empty. (Closes: #781114) add-a-clear-openssl-exception.diff: Add a clear OpenSSL exception. (Closes: #772136) dont-check-for-systemd-pc.diff: Dropped, not needed anymore. control: Add systemd to build-depends. releasing package freeipa version 4.0.5-4 --- debian/changelog | 12 +++++ debian/control | 18 +++++++- debian/freeipa-client.postrm | 1 debian/patches/add-a-clear-openssl-exception.diff | 49 ++++++++++++++++++++++ debian/patches/dont-check-for-systemd-pc.diff | 15 ------ debian/patches/series | 2 6 files changed, 80 insertions(+), 17 deletions(-) --- From tjaalton at moszumanska.debian.org Thu Apr 2 08:44:43 2015 
From: tjaalton at moszumanska.debian.org (Timo Aaltonen) Date: Thu, 02 Apr 2015 08:44:43 +0000 Subject: [Pkg-freeipa-devel] freeipa: Changes to 'master' Message-ID: debian/changelog | 12 ++++- debian/control | 6 ++ debian/freeipa-client.postrm | 1 debian/patches/add-a-clear-openssl-exception.diff | 49 ++++++++++++++++++++++ debian/patches/dont-check-for-systemd-pc.diff | 15 ------ debian/patches/series | 2 6 files changed, 66 insertions(+), 19 deletions(-) New commits: commit ddd86a9a6641be7377b9eb7054348b6fefb560b7 Author: Timo Aaltonen Date: Thu Apr 2 10:54:14 2015 +0300 releasing package freeipa version 4.0.5-4 diff --git a/debian/changelog b/debian/changelog index 40788a8..248b601 100644 --- a/debian/changelog +++ b/debian/changelog @@ -1,4 +1,4 @@ -freeipa (4.0.5-4) UNRELEASED; urgency=medium +freeipa (4.0.5-4) unstable; urgency=medium * control: Fix freeipa-tests depends. * control: Add systemd-sysv to server depends. (Closes: #780386) @@ -8,7 +8,7 @@ freeipa (4.0.5-4) UNRELEASED; urgency=medium * control: Add systemd to build-depends. * dont-check-for-systemd-pc.diff: Dropped, not needed anymore. - -- Timo Aaltonen Thu, 05 Mar 2015 15:49:03 +0200 + -- Timo Aaltonen Thu, 02 Apr 2015 10:53:55 +0300 freeipa (4.0.5-3) unstable; urgency=medium commit 13eccb052009c2c3845d468f60b0595a34c5983c Author: Timo Aaltonen Date: Thu Apr 2 10:07:42 2015 +0300 control: Add systemd to build-depends. diff --git a/debian/changelog b/debian/changelog index 8200530..40788a8 100644 --- a/debian/changelog +++ b/debian/changelog @@ -5,6 +5,7 @@ freeipa (4.0.5-4) UNRELEASED; urgency=medium * freeipa-client.postrm: Purge /etc/pki if empty. (Closes: #781114) * add-a-clear-openssl-exception.diff: Add a clear OpenSSL exception. (Closes: #772136) + * control: Add systemd to build-depends. * dont-check-for-systemd-pc.diff: Dropped, not needed anymore. -- Timo Aaltonen Thu, 05 Mar 2015 15:49:03 +0200 diff --git a/debian/control b/debian/control index affc824..461b5b6 100644 
--- a/debian/control +++ b/debian/control @@ -53,6 +53,7 @@ Build-Depends: rhino, samba-dev, selinux-policy-dev, + systemd, uuid-dev Standards-Version: 3.9.6 Vcs-Git: git://anonscm.debian.org/pkg-freeipa/freeipa.git commit c45905e4651d282468b78a584b5cb113ee40a7ee Author: Timo Aaltonen Date: Thu Apr 2 10:06:18 2015 +0300 dont-check-for-systemd-pc.diff: Dropped, not needed anymore. diff --git a/debian/changelog b/debian/changelog index 730ecfe..8200530 100644 --- a/debian/changelog +++ b/debian/changelog @@ -5,6 +5,7 @@ freeipa (4.0.5-4) UNRELEASED; urgency=medium * freeipa-client.postrm: Purge /etc/pki if empty. (Closes: #781114) * add-a-clear-openssl-exception.diff: Add a clear OpenSSL exception. (Closes: #772136) + * dont-check-for-systemd-pc.diff: Dropped, not needed anymore. -- Timo Aaltonen Thu, 05 Mar 2015 15:49:03 +0200 diff --git a/debian/patches/dont-check-for-systemd-pc.diff b/debian/patches/dont-check-for-systemd-pc.diff deleted file mode 100644 index 43a32bf..0000000 --- a/debian/patches/dont-check-for-systemd-pc.diff +++ /dev/null @@ -1,15 +0,0 @@ -avoid build-dependency on systemd, which doesn't exist on ubuntu - -diff --git a/daemons/configure.ac b/daemons/configure.ac -index e57dad2..9ca5198 100644 ---- a/daemons/configure.ac -+++ b/daemons/configure.ac -@@ -232,7 +232,7 @@ PKG_CHECK_MODULES([SSSNSSIDMAP], [sss_nss_idmap]) - dnl --------------------------------------------------------------------------- - dnl - Check for systemd unit directory - dnl --------------------------------------------------------------------------- --PKG_CHECK_EXISTS([systemd], [], [AC_MSG_ERROR([systemd not found])]) -+dnl PKG_CHECK_EXISTS([systemd], [], [AC_MSG_ERROR([systemd not found])]) - AC_ARG_WITH([systemdsystemunitdir], - AS_HELP_STRING([--with-systemdsystemunitdir=DIR], [Directory for systemd service files]), - [], [with_systemdsystemunitdir=$($PKG_CONFIG --variable=systemdsystemunitdir systemd)]) 
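Review bot: the commit message "Dropped, not needed anymore" does not record why, while the dropped patch's own header states the reason it existed ("avoid build-dependency on systemd, which doesn't exist on ubuntu"). Put the actual reason in the commit message or debian/changelog (for example, that the Ubuntu releases this packaging targets now ship a systemd package), because the restored PKG_CHECK_EXISTS([systemd], [], [AC_MSG_ERROR([systemd not found])]) together with the new "systemd" Build-Depends makes the build hard-fail on any platform without systemd.pc, and the next person hitting that failure should be able to see it was a deliberate choice rather than an oversight.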
diff --git a/debian/patches/series b/debian/patches/series index bdf9a47..93b585e 100644 --- a/debian/patches/series +++ b/debian/patches/series @@ -3,7 +3,6 @@ work-around-apache-fail.diff prefix.patch no-test-lang.diff port-ipa-client-automount.diff -dont-check-for-systemd-pc.diff # send upstream fix-match-hostname.diff commit 48ec7738c1b9a6c3dec0f6b3c9f251219b7d29cb Author: Timo Aaltonen Date: Thu Apr 2 08:48:04 2015 +0300 add-a-clear-openssl-exception.diff: Add a clear OpenSSL exception. (Closes: #772136) diff --git a/debian/changelog b/debian/changelog index a28018a..730ecfe 100644 --- a/debian/changelog +++ b/debian/changelog @@ -3,6 +3,8 @@ freeipa (4.0.5-4) UNRELEASED; urgency=medium * control: Fix freeipa-tests depends. * control: Add systemd-sysv to server depends. (Closes: #780386) * freeipa-client.postrm: Purge /etc/pki if empty. (Closes: #781114) + * add-a-clear-openssl-exception.diff: Add a clear OpenSSL exception. + (Closes: #772136) -- Timo Aaltonen Thu, 05 Mar 2015 15:49:03 +0200 diff --git a/debian/patches/add-a-clear-openssl-exception.diff b/debian/patches/add-a-clear-openssl-exception.diff new file mode 100644 index 0000000..b42c373 --- /dev/null +++ b/debian/patches/add-a-clear-openssl-exception.diff @@ -0,0 +1,49 @@ +commit d762f61d25508c1856c0fa7dc0ea1e032671542b +Author: Simo Sorce +Date: Fri Feb 20 08:46:40 2015 -0500 + + Add a clear OpenSSL exception. + + We are linking with OpenSSL in 2 files, so make it clear we intentionally + add a GPLv3 exception to allow that linking by third parties. + + 
Signed-off-by: Simo Sorce + Reviewed-By: Nathaniel McCallum + +diff --git a/COPYING.openssl b/COPYING.openssl +new file mode 100644 +index 0000000..8a92460 +--- /dev/null ++++ b/COPYING.openssl +@@ -0,0 +1,16 @@ ++ADDITIONAL PERMISSIONS ++ ++This file is a modification of the main license file (COPYING), which ++contains the license terms. It applies only to specific files in the ++tree that include an "OpenSSL license exception" disclaimer. ++ ++In addition to the governing license (GPLv3), as a special exception, ++the copyright holders give permission to link the code of this program ++with the OpenSSL library, and distribute linked combinations including ++the two. ++You must obey the GNU General Public License in all respects for all of ++the code used other than OpenSSL. If you modify file(s) with this ++exception, you may extend this exception to your version of the file(s), ++but you are not obligated to do so. If you do not wish to do so, delete ++this exception statement from your version. If you delete the exception ++statement from all source files in the program, then also delete it here. +diff --git a/util/ipa_pwd_ntlm.c b/util/ipa_pwd_ntlm.c +index 8ffa666..c6abd4b 100644 +--- a/util/ipa_pwd_ntlm.c ++++ b/util/ipa_pwd_ntlm.c +@@ -18,6 +18,10 @@ + * + * You should have received a copy of the GNU General Public License + * along with this program. If not, see . ++ * ++ * This file includes an "OpenSSL license exception", see the ++ * COPYING.openssl file for details. ++ * + */ + + #include diff --git a/debian/patches/series b/debian/patches/series index af07832..bdf9a47 100644 --- a/debian/patches/series +++ b/debian/patches/series @@ -15,3 +15,4 @@ fix-ipa-conf.diff fix-pykerberos-api.diff revert-pykerberos-api-change.diff fix-bind-conf.diff +add-a-clear-openssl-exception.diff commit c69b6d0ffd302f654e7b3f71725b026c13ff22de Author: Timo Aaltonen Date: Wed Mar 25 14:48:23 2015 +0200 freeipa-client.postrm: Purge /etc/pki if empty. (Closes: #781114) 
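Review bot: the backported commit message says OpenSSL is linked "in 2 files", but the patch adds the exception header only to util/ipa_pwd_ntlm.c, and the COPYING.openssl text it introduces says the additional permission applies only to files that carry the "OpenSSL license exception" disclaimer. Before this is taken as resolving the licensing half of #772136, confirm that the second OpenSSL-linking file already carries the header in the 4.0.5 tree or is not built into freeipa-server-trust-ad; otherwise the GPLv3/OpenSSL incompatibility the bug reports still applies to that file.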
diff --git a/debian/changelog b/debian/changelog index 58f4a73..a28018a 100644 --- a/debian/changelog +++ b/debian/changelog @@ -2,6 +2,7 @@ freeipa (4.0.5-4) UNRELEASED; urgency=medium * control: Fix freeipa-tests depends. * control: Add systemd-sysv to server depends. (Closes: #780386) + * freeipa-client.postrm: Purge /etc/pki if empty. (Closes: #781114) -- Timo Aaltonen Thu, 05 Mar 2015 15:49:03 +0200 diff --git a/debian/freeipa-client.postrm b/debian/freeipa-client.postrm index 678ff10..2585426 100644 --- a/debian/freeipa-client.postrm +++ b/debian/freeipa-client.postrm @@ -8,6 +8,7 @@ if [ "$1" = purge ]; then /etc/pki/nssdb/key3.db \ /etc/pki/nssdb/secmod.db rmdir /etc/pki/nssdb + rmdir /etc/pki fi #DEBHELPER# commit f3e37256c03c6e062821025e924f577715970763 Author: Timo Aaltonen Date: Fri Mar 13 15:11:26 2015 +0200 control: Add systemd-sysv to server depends. (Closes: #780386) diff --git a/debian/changelog b/debian/changelog index 60abeb6..58f4a73 100644 --- a/debian/changelog +++ b/debian/changelog @@ -1,6 +1,7 @@ freeipa (4.0.5-4) UNRELEASED; urgency=medium * control: Fix freeipa-tests depends. + * control: Add systemd-sysv to server depends. (Closes: #780386) -- Timo Aaltonen Thu, 05 Mar 2015 15:49:03 +0200 diff --git a/debian/control b/debian/control index 5bd225f..affc824 100644 --- a/debian/control +++ b/debian/control @@ -93,6 +93,7 @@ Depends: python-ldap, python-pyasn1, slapi-nis (>= 0.54), + systemd-sysv, ${misc:Depends}, ${python:Depends}, ${shlibs:Depends} commit dd9ca7dcccf105030229d211a3832dcb731a887f Author: Timo Aaltonen Date: Fri Mar 13 15:10:05 2015 +0200 further deps diff --git a/debian/control b/debian/control index 0df8248..5bd225f 100644 --- a/debian/control +++ b/debian/control @@ -178,6 +178,7 @@ Package: freeipa-tests Architecture: any Depends: freeipa-client (= ${binary:Version}), + libnss3-tools, python-coverage, python-freeipa (= ${binary:Version}), python-nose, 
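Review bot: in the freeipa-client.postrm hunk, "rmdir /etc/pki" (like the existing "rmdir /etc/pki/nssdb" above it) exits non-zero when the directory is not empty, so if the script runs under "set -e", as Debian maintainer scripts normally do, purging freeipa-client aborts on any host where another package or the admin has placed files under /etc/pki. The changelog entry says "Purge /etc/pki if empty", so make the code match it: use "rmdir --ignore-fail-on-non-empty /etc/pki/nssdb /etc/pki", or guard each rmdir with an explicit emptiness test, so that a populated /etc/pki is left alone and the purge still completes.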
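Review bot: in the debian/control hunk, a hard "Depends: systemd-sysv" on freeipa-server makes the package uninstallable on a host that boots another init, since systemd-sysv conflicts with sysvinit-core. If the server genuinely requires systemd as PID 1 (unit files and service management from the installer), the dependency is the right fix for #780386, but say so in the package description or README.Debian so the conflict does not surprise an admin upgrading a sysvinit host.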
@@ -187,6 +188,8 @@ Depends: xz-utils, ${misc:Depends}, ${python:Depends} +Recommends: + python-yaml, Description: FreeIPA centralized identity framework -- tests FreeIPA is an integrated solution to provide centrally managed Identity (machine, user, virtual machines, groups, authentication credentials), Policy @@ -205,6 +208,7 @@ Depends: python-dbus, python-dnspython, python-kerberos, + python-krbv, python-ldap, python-libipa-hbac, python-lxml, From ftpmaster at ftp-master.debian.org Thu Apr 2 08:47:16 2015 From: ftpmaster at ftp-master.debian.org (Debian FTP Masters) Date: Thu, 02 Apr 2015 08:47:16 +0000 Subject: [Pkg-freeipa-devel] Processing of freeipa_4.0.5-4_amd64.changes Message-ID: freeipa_4.0.5-4_amd64.changes uploaded successfully to localhost along with the files: freeipa_4.0.5-4.dsc freeipa_4.0.5.orig.tar.gz freeipa_4.0.5-4.debian.tar.xz freeipa-server_4.0.5-4_amd64.deb freeipa-server-trust-ad_4.0.5-4_amd64.deb freeipa-client_4.0.5-4_amd64.deb freeipa-admintools_4.0.5-4_amd64.deb freeipa-tests_4.0.5-4_amd64.deb python-freeipa_4.0.5-4_amd64.deb Greetings, Your Debian queue daemon (running on host franck.debian.org) From ftpmaster at ftp-master.debian.org Thu Apr 2 09:20:08 2015 
From: ftpmaster at ftp-master.debian.org (Debian FTP Masters) Date: Thu, 02 Apr 2015 09:20:08 +0000 Subject: [Pkg-freeipa-devel] freeipa_4.0.5-4_amd64.changes ACCEPTED into unstable Message-ID: Accepted: -----BEGIN PGP SIGNED MESSAGE----- Hash: SHA1 Format: 1.8 Date: Thu, 02 Apr 2015 10:53:55 +0300 Source: freeipa Binary: freeipa-server freeipa-server-trust-ad freeipa-client freeipa-admintools freeipa-tests python-freeipa Architecture: source amd64 Version: 4.0.5-4 Distribution: unstable Urgency: medium Maintainer: Debian FreeIPA Team Changed-By: Timo Aaltonen Description: freeipa-admintools - FreeIPA centralized identity framework -- admintools freeipa-client - FreeIPA centralized identity framework -- client freeipa-server - FreeIPA centralized identity framework -- server freeipa-server-trust-ad - FreeIPA centralized identity framework -- AD trust installer freeipa-tests - FreeIPA centralized identity framework -- tests python-freeipa - FreeIPA centralized identity framework -- Python modules Closes: 772136 780386 781114 Changes: freeipa (4.0.5-4) unstable; urgency=medium . * control: Fix freeipa-tests depends. * control: Add systemd-sysv to server depends. (Closes: #780386) * freeipa-client.postrm: Purge /etc/pki if empty. (Closes: #781114) * add-a-clear-openssl-exception.diff: Add a clear OpenSSL exception. (Closes: #772136) * control: Add systemd to build-depends. * dont-check-for-systemd-pc.diff: Dropped, not needed anymore. 
Checksums-Sha1: 970c8c88d49dd94873babdecfc426bd64e6dfc5e 2989 freeipa_4.0.5-4.dsc 1b690aae94b34e81a612363a4624994f14ffd79f 4730699 freeipa_4.0.5.orig.tar.gz 9b53cbf5b1db312b22d20347f362ae609c26207d 22488 freeipa_4.0.5-4.debian.tar.xz df29bc4ffe91e820ba1da5a5bcb87987b17545c5 690202 freeipa-server_4.0.5-4_amd64.deb ee5060ecdd93ce7bc6f6a7e4a41b0edac247e663 78136 freeipa-server-trust-ad_4.0.5-4_amd64.deb 08d04599636299e1fd65dd289c7cd6055813613e 83220 freeipa-client_4.0.5-4_amd64.deb 1a0ebfa34910c2110029592ae9cedb7c42d57108 13348 freeipa-admintools_4.0.5-4_amd64.deb 7e9b3fff9dcab44ae83a8cebb66d25c964a60688 221168 freeipa-tests_4.0.5-4_amd64.deb ec23eedae1056ae5574f67064985a8448c286a65 518750 python-freeipa_4.0.5-4_amd64.deb Checksums-Sha256: 661af4b53e2c8f197fb5a5738abab41cd54d72d8ffeb9cbcbde50c32e8edefee 2989 freeipa_4.0.5-4.dsc fa95de2b99d242a4a794d316bc272333e954eefd2857ebdac7380ceabca5c8cd 4730699 freeipa_4.0.5.orig.tar.gz 9ab8fb010ba135c47c8e0ce7ec5a346080f178d7b2ce664b449f8c1d2eeab0e4 22488 freeipa_4.0.5-4.debian.tar.xz f9f5d0ebc033471e752e64defdd4bc4d7b42ec41095c3081923ad42a2bc0241f 690202 freeipa-server_4.0.5-4_amd64.deb 3175e4049478fd4ebdda2c1ce5576a8f6506a9f4a46eeb540564a34505009884 78136 freeipa-server-trust-ad_4.0.5-4_amd64.deb 114835b23d39d450e4439097155a93a132c2c9d91028b8349e6320fcc5b9fe39 83220 freeipa-client_4.0.5-4_amd64.deb 3bd1a92774701761ec5e22694f358dd4e02c7c22a65ac69f9bf54b24b59de507 13348 freeipa-admintools_4.0.5-4_amd64.deb d0e78035c2442f5ecfd6506efcc00fbb702bdcff29702727d8060bf67386ad81 221168 freeipa-tests_4.0.5-4_amd64.deb 6c512f5cffa9cf525b65204809cb00d55756ba356be5c4646d33920aaa26f60a 518750 python-freeipa_4.0.5-4_amd64.deb Files: 00cf4886f8e2db885810b3ea29f49eab 2989 net extra freeipa_4.0.5-4.dsc dc0ebfe24a20bd850641df05ff0a7268 4730699 net extra freeipa_4.0.5.orig.tar.gz 705a9b2294242845cf18a2b86f323144 22488 net extra freeipa_4.0.5-4.debian.tar.xz 9db5f9e3067eeee16f7fe5111d1b908a 690202 net extra freeipa-server_4.0.5-4_amd64.deb 
293892acb0b34853361ad52cf9a4f14b 78136 net extra freeipa-server-trust-ad_4.0.5-4_amd64.deb c7cf7b73eb7081247270f619512108f1 83220 net extra freeipa-client_4.0.5-4_amd64.deb e6abfa310cb195fc0e8a32335a59fc4a 13348 net extra freeipa-admintools_4.0.5-4_amd64.deb aed5285c024dcb27c62ce6602279a719 221168 net extra freeipa-tests_4.0.5-4_amd64.deb 6910690cb8fb566734f8936813bb41c4 518750 python extra python-freeipa_4.0.5-4_amd64.deb -----BEGIN PGP SIGNATURE----- Version: GnuPG v1 iQIcBAEBAgAGBQJVHQE4AAoJEMtwMWWoiYTc8B0P/1jnzBWfMOe1QXZ8vfGqXKxG VUFTbp0ghqOafMXCSecNnkyyPwQyoL4xOuLHdg8UAI7eDbVyqv68ZhnQjiHt+ah0 KXast8ewehnWQ2SHfppR4Jc7nBS7CPYJotY1PmIQA+/eNpWsDhMmdeh/o85JOkuK ztIM+RpkGSmmfTNqX7vT+0jjbU8ltQ2S8/hziREHKEKtOXApOcLdhbN/RIV3RuKS tww4HPF5VAuK3np7YebhIoQkQ45CDn6uGXsPL8flgseNEwZzQdNTZso/KaA4pMck EhnZMps2RUX0wiQIpwsqzekIKh0QoWPkVozrZ3j7TZvJUhw49SgCe/kkK+dPE5xX S5rIOlASrN+Oez2uppqpG6yR+heCet5snvmbXTxq+hIawyq7PaICrZsi93YxNT4j DwkqjCbW/TBFjV+IezISR+8sUAknRd6zyrRhuVQDthZWs/PqwRO4Z6w2Yd+bkplX 8/f7ZcDVNVAvsNHn6WSE5J4/G+xZunuhRXwFQMg7ZIR2PWb98vScpzAx+Avn3GY9 cbjHf//CgxhlOBqGm2bahlUAMFl9GfXQ+QJ8sD4GIH8qNnsIQpdZcSaj7ep76xi9 KQEtGtpu/WldxdyEbtr1E+TLCkm79BmZCnaXiS6FLbDzfRY8936eiUPg5QcNZCu9 9S0EY5o4ExoduaeYddau =pXmY -----END PGP SIGNATURE----- Thank you for your contribution to Debian. From owner at bugs.debian.org Thu Apr 2 09:21:15 2015 
From: owner at bugs.debian.org (Debian Bug Tracking System)
Date: Thu, 02 Apr 2015 09:21:15 +0000
Subject: [Pkg-freeipa-devel] Bug#772136: marked as done (freeipa-server-trust-ad: unnecessary depends on libssl1.0.0 or possible licensing issue)
References: <20141205123317.1578.82872.reportbug@aurelia.vernstok.nl>
Message-ID: 

Your message dated Thu, 02 Apr 2015 09:20:08 +0000
with message-id and subject line Bug#772136: fixed in freeipa 4.0.5-4
has caused the Debian Bug report #772136,
regarding freeipa-server-trust-ad: unnecessary depends on libssl1.0.0 or possible licensing issue
to be marked as done.

This means that you claim that the problem has been dealt with.
If this is not the case it is now your responsibility to reopen the
Bug report if necessary, and/or fix the problem forthwith.

(NB: If you are a system administrator and have no idea what this
message is talking about, this may indicate a serious mail system
misconfiguration somewhere. Please contact owner at bugs.debian.org
immediately.)

-- 
772136: http://bugs.debian.org/cgi-bin/bugreport.cgi?bug=772136
Debian Bug Tracking System
Contact owner at bugs.debian.org with problems

-------------- next part --------------
An embedded message was scrubbed...
From: Jelmer Vernooij
Subject: freeipa-server-trust-ad: unnecessary depends on libssl1.0.0 or possible licensing issue
Date: Fri, 05 Dec 2014 13:33:17 +0100
Size: 2254
URL: 

-------------- next part --------------
An embedded message was scrubbed...
From: Timo Aaltonen
Subject: Bug#772136: fixed in freeipa 4.0.5-4
Date: Thu, 02 Apr 2015 09:20:08 +0000
Size: 7494
URL: 

From owner at bugs.debian.org Thu Apr 2 09:21:19 2015
From: owner at bugs.debian.org (Debian Bug Tracking System)
Date: Thu, 02 Apr 2015 09:21:19 +0000
Subject: [Pkg-freeipa-devel] Bug#780386: marked as done (freeipa: missing depends on systemd-sysv)
References: <20150313092057.51c77744@dpcl082.ac.aixigo.de>
Message-ID: 

Your message dated Thu, 02 Apr 2015 09:20:08 +0000
with message-id and subject line Bug#780386: fixed in freeipa 4.0.5-4
has caused the Debian Bug report #780386,
regarding freeipa: missing depends on systemd-sysv
to be marked as done.

This means that you claim that the problem has been dealt with.
If this is not the case it is now your responsibility to reopen the
Bug report if necessary, and/or fix the problem forthwith.

(NB: If you are a system administrator and have no idea what this
message is talking about, this may indicate a serious mail system
misconfiguration somewhere. Please contact owner at bugs.debian.org
immediately.)

-- 
780386: http://bugs.debian.org/cgi-bin/bugreport.cgi?bug=780386
Debian Bug Tracking System
Contact owner at bugs.debian.org with problems

-------------- next part --------------
An embedded message was scrubbed...
From: Harald Dunkel
Subject: missing Depends
Date: Fri, 13 Mar 2015 09:20:57 +0100
Size: 6074
URL: 

-------------- next part --------------
An embedded message was scrubbed...
From: Timo Aaltonen
Subject: Bug#780386: fixed in freeipa 4.0.5-4
Date: Thu, 02 Apr 2015 09:20:08 +0000
Size: 7519
URL: 

From owner at bugs.debian.org Thu Apr 2 09:21:23 2015
From: owner at bugs.debian.org (Debian Bug Tracking System)
Date: Thu, 02 Apr 2015 09:21:23 +0000
Subject: [Pkg-freeipa-devel] Bug#781114: marked as done (freeipa-client: unowned files after purge (policy 6.8, 10.8))
References: <201503241816.10525.holger@layer-acht.org>
Message-ID: 

Your message dated Thu, 02 Apr 2015 09:20:08 +0000
with message-id and subject line Bug#781114: fixed in freeipa 4.0.5-4
has caused the Debian Bug report #781114,
regarding freeipa-client: unowned files after purge (policy 6.8, 10.8)
to be marked as done.

This means that you claim that the problem has been dealt with.
If this is not the case it is now your responsibility to reopen the
Bug report if necessary, and/or fix the problem forthwith.

(NB: If you are a system administrator and have no idea what this
message is talking about, this may indicate a serious mail system
misconfiguration somewhere. Please contact owner at bugs.debian.org
immediately.)

-- 
781114: http://bugs.debian.org/cgi-bin/bugreport.cgi?bug=781114
Debian Bug Tracking System
Contact owner at bugs.debian.org with problems

-------------- next part --------------
An embedded message was scrubbed...
From: Holger Levsen
Subject: freeipa-client: unowned files after purge (policy 6.8, 10.8)
Date: Tue, 24 Mar 2015 18:16:08 +0100
Size: 143428
URL: 

-------------- next part --------------
An embedded message was scrubbed...
From: Timo Aaltonen
Subject: Bug#781114: fixed in freeipa 4.0.5-4
Date: Thu, 02 Apr 2015 09:20:08 +0000
Size: 7517
URL: 

From holger at layer-acht.org Thu Apr 2 10:29:04 2015
From: holger at layer-acht.org (Holger Levsen)
Date: Thu, 2 Apr 2015 12:29:04 +0200
Subject: [Pkg-freeipa-devel] Bug#781607: Bug#781607: freeipa: please package new upstream version
In-Reply-To: <551CF4F0.7020707@debian.org>
References: <201503311631.22793.holger@layer-acht.org> <551CD73A.2070505@debian.org> <551CF4F0.7020707@debian.org>
Message-ID: <201504021229.06320.holger@layer-acht.org>

Hi Timo,

thanks for uploading 4.0.5-4!

On Thursday, 2 April 2015, Timo Aaltonen wrote:
> > actually it needs bind 9.10.1 or newer, experimental has rc2 from a
> > ~year ago.
> I got a suggestion to pull a patch from CentOS, which disables DNSSEC
> support.. that should let us move forward with 4.1 sooner.

ah, cool.

cheers,
	Holger, currently working on a freeipa-client package suitable for wheezy

-------------- next part --------------
A non-text attachment was scrubbed...
Name: signature.asc
Type: application/pgp-signature
Size: 828 bytes
Desc: This is a digitally signed message part.
URL: 

From tjaalton at moszumanska.debian.org Thu Apr 2 11:25:46 2015
From: tjaalton at moszumanska.debian.org (Timo Aaltonen)
Date: Thu, 02 Apr 2015 11:25:46 +0000
Subject: [Pkg-freeipa-devel] slapi-nis: Changes to 'master'
Message-ID: 

 configure.ac          |    3
 debian/changelog      |    8 +
 doc/ipa/sch-ipa.txt   |   14 ++
 slapi-nis.spec        |   11 ++
 src/back-sch-idview.c |   86 ++++++++++++-----
 src/back-sch-nss.c    |  250 +++++++++++++++++++++++++++++++++++++++++++-------
 src/back-sch.c        |  150 +++++++++++++++++++++++++-----
 src/back-sch.h        |    9 +
 src/plug-sch.c        |    3
 src/plugin.h          |    1
 10 files changed, 448 insertions(+), 87 deletions(-)

New commits:
commit 0573ce762f4246e1b6cca53f96c204c5c0cdd155
Author: Timo Aaltonen
Date:   Thu Apr 2 09:24:54 2015 +0300

    releasing package slapi-nis version 0.54.2-1

diff --git a/debian/changelog b/debian/changelog index 7c1f3ee..9d0dbd0 100644 --- a/debian/changelog +++ b/debian/changelog
@@ -1,10 +1,10 @@ -slapi-nis (0.54.2-1) UNRELEASED; urgency=medium +slapi-nis (0.54.2-1) unstable; urgency=medium * New upstream bugfix release - CVE-2015-0283: infinite loop in getgrnam_r() and getgrgid_r() (Closes: #781346) - -- Timo Aaltonen Thu, 02 Apr 2015 09:20:48 +0300 + -- Timo Aaltonen Thu, 02 Apr 2015 09:24:07 +0300 slapi-nis (0.54-1) unstable; urgency=medium commit 03e9991140577bd5a153de4a5e8a74bd29adfe28 Author: Timo Aaltonen Date: Thu Apr 2 09:22:56 2015 +0300 update the changelog diff --git a/debian/changelog b/debian/changelog index f037e9e..7c1f3ee 100644 --- a/debian/changelog +++ b/debian/changelog @@ -1,3 +1,11 @@ +slapi-nis (0.54.2-1) UNRELEASED; urgency=medium + + * New upstream bugfix release + - CVE-2015-0283: infinite loop in getgrnam_r() and getgrgid_r() + (Closes: #781346) + + -- Timo Aaltonen Thu, 02 Apr 2015 09:20:48 +0300 + slapi-nis (0.54-1) unstable; urgency=medium * New upstream release. commit 6573f91c95f7a353ad3bdf2fe95b0c15932aa097 Author: Alexander Bokovoy Date: Thu Mar 26 11:02:14 2015 +0200 Tag release 0.54.2 CVE-2015-0283 slapi-nis: infinite loop in getgrnam_r() and getgrgid_r() diff --git a/configure.ac b/configure.ac index 92647ea..ae626de 100644 --- a/configure.ac +++ b/configure.ac @@ -1,4 +1,4 @@ -AC_INIT(slapi-nis,0.54.1) +AC_INIT(slapi-nis,0.54.2) AC_CONFIG_MACRO_DIR([m4]) AM_INIT_AUTOMAKE(foreign) LT_INIT([disable-static]) diff --git a/slapi-nis.spec b/slapi-nis.spec index f77f2a4..f0c2647 100644 --- a/slapi-nis.spec +++ b/slapi-nis.spec @@ -10,7 +10,7 @@ %endif Name: slapi-nis -Version: 0.54.1 +Version: 0.54.2 Release: 1%{?dist} Summary: NIS Server and Schema Compatibility plugins for Directory Server Group: System Environment/Daemons 
@@ -85,6 +85,11 @@ rm -rf $RPM_BUILD_ROOT %{_sbindir}/nisserver-plugin-defs %changelog +* Thu Mar 26 2015 Alexander Bokovoy - 0.54.2-1 +- CVE-2015-0283 slapi-nis: infinite loop in getgrnam_r() and getgrgid_r() +- Make sure nss_sss.so.2 module is used directly +- Allow building slapi-nis with ID views against 389-ds-base from RHEL7.0/CentOS7.0 releases + * Thu Nov 6 2014 Alexander Bokovoy - 0.54.1-1 - support FreeIPA overrides in LDAP BIND callback - ignore FreeIPA override searchs outside configured schema compat subtrees commit dd1d44730f2724986f820151d6ec2a49f6e52ddf Author: Alexander Bokovoy Date: Wed Feb 25 10:08:39 2015 +0200 Make sure default buffer for nsswitch operations is big enough By default initial buffer sizes for getgrent/getgrnam/... functions are way small for large groups in Active Directory so make sure we have something reasonable for groups with hundreds or thousands members. diff --git a/src/back-sch.c b/src/back-sch.c index d0ed323..dd6f92d 100644 --- a/src/back-sch.c +++ b/src/back-sch.c @@ -1448,10 +1448,7 @@ backend_search_cb(Slapi_PBlock *pb) /* If during search of some sets we staged additional lookups, perform them. */ if (cbdata.staged != NULL) { /* Allocate buffer to be used for getpwnam_r/getgrnam_r requests */ - cbdata.nsswitch_buffer_len = MAX(sysconf(_SC_GETPW_R_SIZE_MAX), sysconf(_SC_GETGR_R_SIZE_MAX)); - if (cbdata.nsswitch_buffer_len == -1) { - cbdata.nsswitch_buffer_len = 16384; - } + cbdata.nsswitch_buffer_len = MAX(16384, MAX(sysconf(_SC_GETPW_R_SIZE_MAX), sysconf(_SC_GETGR_R_SIZE_MAX))); cbdata.nsswitch_buffer = malloc(cbdata.nsswitch_buffer_len); /* Go over the list of staged requests and retrieve entries. * It is important to perform the retrieval *without* holding any locks to the map cache */ commit 44c97a46a1920f6db18b8c90b396a94a653d755c Author: Alexander Bokovoy Date: Tue Feb 24 13:18:34 2015 +0200 nss: make sure to remember the length of reallocated buffer 
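Review bot: in the src/back-sch.c hunk, the allocation that follows the changed line, "cbdata.nsswitch_buffer = malloc(cbdata.nsswitch_buffer_len);", is still not checked for NULL, so on allocation failure the staged getpwnam_r/getgrnam_r lookups are handed a NULL buffer of a supposedly non-zero length. Add a NULL check that skips the staged retrievals (or fails the search) before the loop that walks the staged requests. The replacement of the "== -1" branch by MAX(16384, MAX(sysconf(...), sysconf(...))) is fine on its own: sysconf() returns -1 when the limit is indeterminate and MAX() absorbs that, which is why the explicit branch could go.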
diff --git a/src/back-sch-nss.c b/src/back-sch-nss.c index 3a21ff6..f8177d7 100644 --- a/src/back-sch-nss.c +++ b/src/back-sch-nss.c @@ -484,6 +484,7 @@ repeat: buf = realloc(cbdata->nsswitch_buffer, cbdata->nsswitch_buffer_len * 2); if (buf != NULL) { cbdata->nsswitch_buffer = buf; + cbdata->nsswitch_buffer_len *= 2; goto repeat; } } @@ -613,6 +614,7 @@ repeat: buf = realloc(cbdata->nsswitch_buffer, cbdata->nsswitch_buffer_len * 2); if (buf != NULL) { cbdata->nsswitch_buffer = buf; + cbdata->nsswitch_buffer_len *= 2; goto repeat; } } @@ -668,6 +670,7 @@ repeat: buf = realloc(cbdata->nsswitch_buffer, cbdata->nsswitch_buffer_len * 2); if (buf != NULL) { cbdata->nsswitch_buffer = buf; + cbdata->nsswitch_buffer_len *= 2; goto repeat; } } @@ -718,6 +721,7 @@ repeat: buf = realloc(cbdata->nsswitch_buffer, cbdata->nsswitch_buffer_len * 2); if (buf != NULL) { cbdata->nsswitch_buffer = buf; + cbdata->nsswitch_buffer_len *= 2; goto repeat; } } commit 3368b2c04c870ffa5bfb831980d28bfa50534e0b Author: Alexander Bokovoy Date: Wed Nov 12 13:23:17 2014 +0200 schema-compat: use libnss_sss.so.2 explicitly to resolve trusted domain users via NSS When Schema Compatibility plugin is configured to enumerate users and groups from Active Directory domains trusted by FreeIPA, use nss_sss module directly instead of following nsswitch.conf configuration. The issue with nsswitch.conf configuration is in the fact that for each request all modules in NSS chain are processed while only one of them is responsible for users from trusted Active Directory domains, namely, nss_sss. diff --git a/configure.ac b/configure.ac index 9174980..92647ea 100644 --- a/configure.ac +++ b/configure.ac 
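Review bot: the four `cbdata->nsswitch_buffer_len *= 2;` hunks in back-sch-nss.c are the correct fix, and the mechanism is worth stating for the record: realloc() doubled the buffer but nsswitch_buffer_len kept its old value, so the retried getgrnam_r()/getgrgid_r() call was handed the same too-small length, got ERANGE again, and `goto repeat` spun forever while the allocation kept doubling. The same grow-and-retry block is now copied verbatim in four places, which is exactly how the length update was missed; move it into one helper that grows the buffer, updates the length and returns success or failure, and call it from all four sites. There is also still no upper bound on the doubling, so a cap (with a log line when it is hit) would turn any future variant of this bug into a failed lookup instead of unbounded memory growth.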
@@ -343,6 +343,7 @@ fi AM_CONDITIONAL([USE_PAM], [test "x$use_pam" != xno]) if test "x$use_nsswitch" != xno ; then + AC_CHECK_HEADERS([stdint.h nss.h dlfcn.h]) if pkg-config sss_nss_idmap 2> /dev/null ; then if test x$use_sss_nss_idmap != xno ; then AC_DEFINE(HAVE_SSS_NSS_IDMAP,1,[Define if you have libsss_nss_idmap.]) diff --git a/doc/ipa/sch-ipa.txt b/doc/ipa/sch-ipa.txt index f560580..106e6cc 100644 --- a/doc/ipa/sch-ipa.txt +++ b/doc/ipa/sch-ipa.txt @@ -47,6 +47,11 @@ Plugin allows to expose users and groups from trusted domains. These users and groups are available on the compatibility trees and can be used for querying their attributes and authenticating against them. +Schema Compatibility Plugin relies on SSSD to discover users from trusted +domains. NSS module provided by SSSD (libnss_sss.so.2) is loaded explicitly by +Schema Compatibility Plugin and all calls are directed to SSSD instead of using +generic NSSWITCH API. + Additionally, authentication against IPA users is also supported, provided that the Schema Compatibility Plugin is given an ordering preference in the Directory Server configuration. By default, all Directory server plugins @@ -70,10 +75,11 @@ schema-compat-nsswitch-min-id: specifies that the minimal numeric id of the user or group should be not less than the value. Defaults to 1000. -When FreeIPA 3.3 is in use, ipa-adtrust-install utility will automatically configure -the Schema Compatibility Plugin to allow serving users and groups from trusted domains. -No additional configuration is needed. ipa-adtrust-install, however, will not set the -minimal numeric id for user or group. +When FreeIPA 3.3 or later is in use, ipa-adtrust-install utility will +automatically configure the Schema Compatibility Plugin to allow serving users +and groups from trusted domains. No additional configuration is needed. +ipa-adtrust-install, however, will not set the minimal numeric id for user or +group. == Authentication of the trusted domains' users == 
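Review bot: AC_CHECK_HEADERS([stdint.h nss.h dlfcn.h]) in the configure.ac hunk checks for nss.h, but the new code in back-sch-nss.c deliberately does not include nss.h (its comment says the header path gets overridden by the NSS library) and defines its own enum nss_status instead, so the nss.h check is dead and misleading; drop it. What is missing is a library check for dlopen()/dlsym(): on toolchains where those live in libdl rather than libc an AC_SEARCH_LIBS([dlopen], [dl]) or equivalent is required, and nothing in this hunk adds -ldl to the link. The results of the header checks are also not used in any visible hunk (no HAVE_DLFCN_H guard), so either guard the dlopen() path on them or make a missing dlfcn.h fatal at configure time.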
diff --git a/src/back-sch-nss.c b/src/back-sch-nss.c index 12ae589..3a21ff6 100644 --- a/src/back-sch-nss.c +++ b/src/back-sch-nss.c @@ -28,9 +28,10 @@ #include #include #include +#include +#include #include #include -#include #ifdef HAVE_DIRSRV_SLAPI_PLUGIN_H #include 
@@ -307,6 +308,144 @@ backend_make_user_entry_from_nsswitch_passwd(struct passwd *pwd, return entry; } +/* Possible results of lookup using a nss_* function. + * Note: don't include nss.h as its path gets overriden by NSS library */ +enum nss_status +{ + NSS_STATUS_TRYAGAIN = -2, + NSS_STATUS_UNAVAIL, + NSS_STATUS_NOTFOUND, + NSS_STATUS_SUCCESS, + NSS_STATUS_RETURN +}; + +struct nss_ops_ctx { + void *dl_handle; + + enum nss_status (*getpwnam_r)(const char *name, struct passwd *result, + char *buffer, size_t buflen, int *errnop); + enum nss_status (*getpwuid_r)(uid_t uid, struct passwd *result, + char *buffer, size_t buflen, int *errnop); + enum nss_status (*setpwent)(void); + enum nss_status (*getpwent_r)(struct passwd *result, + char *buffer, size_t buflen, int *errnop); + enum nss_status (*endpwent)(void); + + enum nss_status (*getgrnam_r)(const char *name, struct group *result, + char *buffer, size_t buflen, int *errnop); + enum nss_status (*getgrgid_r)(gid_t gid, struct group *result, + char *buffer, size_t buflen, int *errnop); + enum nss_status (*setgrent)(void); + enum nss_status (*getgrent_r)(struct group *result, + char *buffer, size_t buflen, int *errnop); + enum nss_status (*endgrent)(void); + + enum nss_status (*initgroups_dyn)(const char *user, gid_t group, + long int *start, long int *size, + gid_t **groups, long int limit, + int *errnop); +}; + +void backend_nss_init_context(struct nss_ops_ctx **nss_context) +{ + struct nss_ops_ctx *ctx = NULL; + + if (nss_context == NULL) { + return; + } + + ctx = calloc(1, sizeof(struct nss_ops_ctx)); + + *nss_context = ctx; + if (ctx == NULL) { + return; + } + + ctx->dl_handle = dlopen("libnss_sss.so.2", RTLD_NOW); + if (ctx->dl_handle == NULL) { + goto fail; + } + + ctx->getpwnam_r = dlsym(ctx->dl_handle, "_nss_sss_getpwnam_r"); + if (ctx->getpwnam_r == NULL) { + goto fail; + } + + ctx->getpwuid_r = dlsym(ctx->dl_handle, "_nss_sss_getpwuid_r"); + if (ctx->getpwuid_r == NULL) { + goto fail; + } + + ctx->setpwent = 
dlsym(ctx->dl_handle, "_nss_sss_setpwent"); + if (ctx->setpwent == NULL) { + goto fail; + } + + ctx->getpwent_r = dlsym(ctx->dl_handle, "_nss_sss_getpwent_r"); + if (ctx->getpwent_r == NULL) { + goto fail; + } + + ctx->endpwent = dlsym(ctx->dl_handle, "_nss_sss_endpwent"); + if (ctx->endpwent == NULL) { + goto fail; + } + + ctx->getgrnam_r = dlsym(ctx->dl_handle, "_nss_sss_getgrnam_r"); + if (ctx->getgrnam_r == NULL) { + goto fail; + } + + ctx->getgrgid_r = dlsym(ctx->dl_handle, "_nss_sss_getgrgid_r"); + if (ctx->getgrgid_r == NULL) { + goto fail; + } + + ctx->setgrent = dlsym(ctx->dl_handle, "_nss_sss_setgrent"); + if (ctx->setgrent == NULL) { + goto fail; + } + + ctx->getgrent_r = dlsym(ctx->dl_handle, "_nss_sss_getgrent_r"); + if (ctx->getgrent_r == NULL) { + goto fail; + } + + ctx->endgrent = dlsym(ctx->dl_handle, "_nss_sss_endgrent"); + if (ctx->endgrent == NULL) { + goto fail; + } + + ctx->initgroups_dyn = dlsym(ctx->dl_handle, "_nss_sss_initgroups_dyn"); + if (ctx->initgroups_dyn == NULL) { + goto fail; + } + + return; + +fail: + backend_nss_free_context(nss_context); + + return; +} + +void +backend_nss_free_context(struct nss_ops_ctx **nss_context) +{ + if (nss_context == NULL) { + return; + } + + if ((*nss_context)->dl_handle != NULL) { + dlclose((*nss_context)->dl_handle); + } + + free((*nss_context)); + *nss_context = NULL; +} + + + static Slapi_Entry ** backend_retrieve_user_entry_from_nsswitch(char *user_name, bool_t is_uid, char *container_sdn, 
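Review bot: backend_nss_init_context() fails silently. Every dlopen()/dlsym() failure jumps to `fail:`, which frees the context and returns, and nothing records which step failed or that the plugin will from now on answer every trusted-domain lookup with "not found" (the lookup functions below return NULL as soon as nss_context is NULL). Log dlerror() for the failing step before freeing the context. Two smaller points on the same hunk: assigning the void * from dlsym() directly to function-pointer members is not valid ISO C (compilers warn under -pedantic; the usual idiom is a cast through `*(void **)&ctx->getpwnam_r` or a union), and a NULL from dlsym() is only a reliable error indicator if dlerror() is cleared before the call and checked after it. The enum nss_status values, NSS_STATUS_TRYAGAIN = -2 through NSS_STATUS_RETURN = 2, do match what glibc's nss.h defines.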
@@ -315,25 +454,33 @@ backend_retrieve_user_entry_from_nsswitch(char *user_name, bool_t is_uid, { struct passwd pwd, *result; Slapi_Entry *entry, **entries; - int rc; + enum nss_status rc; char *buf = NULL; + struct nss_ops_ctx *ctx = NULL; + int lerrno; + + ctx = cbdata->state->nss_context; + if (ctx == NULL) { + return NULL; + } repeat: if (cbdata->nsswitch_buffer == NULL) { return NULL; } if (is_uid) { - rc = getpwuid_r((uid_t) atoll(user_name), &pwd, - cbdata->nsswitch_buffer, - cbdata->nsswitch_buffer_len, &result); + rc = ctx->getpwuid_r((uid_t) atoll(user_name), &pwd, + cbdata->nsswitch_buffer, + cbdata->nsswitch_buffer_len, &lerrno); } else { - rc = getpwnam_r(user_name, &pwd, - cbdata->nsswitch_buffer, - cbdata->nsswitch_buffer_len, &result); + rc = ctx->getpwnam_r(user_name, &pwd, + cbdata->nsswitch_buffer, + cbdata->nsswitch_buffer_len, &lerrno); } - if ((result == NULL) || (rc != 0)) { - if (rc == ERANGE) { + + if ((rc != NSS_STATUS_SUCCESS)) { + if (lerrno == ERANGE) { buf = realloc(cbdata->nsswitch_buffer, cbdata->nsswitch_buffer_len * 2); if (buf != NULL) { cbdata->nsswitch_buffer = buf; 
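Review bot: `int lerrno;` in backend_retrieve_user_entry_from_nsswitch() is uninitialised, whereas the group functions in the following hunks use `int lerrno = 0;`. The retry decision is `if (rc != NSS_STATUS_SUCCESS) { if (lerrno == ERANGE)`, and an NSS module is not obliged to set *errnop on NSS_STATUS_NOTFOUND or NSS_STATUS_UNAVAIL, so a lookup for an unknown user can read stack garbage and, if it happens to equal ERANGE, grow the buffer and retry. Initialise it to 0 here as well, and preferably make the retry condition `rc == NSS_STATUS_TRYAGAIN && lerrno == ERANGE`, which is the documented buffer-too-small signal. `struct passwd pwd, *result;` leaves `result` unused now that the module entry points take an errnop instead of a result pointer; drop it.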
@@ -437,25 +584,32 @@ backend_retrieve_group_entry_from_nsswitch(char *group_name, bool_t is_gid, { struct group grp, *result; Slapi_Entry *entry, **entries; - int rc; + enum nss_status rc; char *buf = NULL; + struct nss_ops_ctx *ctx = NULL; + int lerrno = 0; + + ctx = cbdata->state->nss_context; + if (ctx == NULL) { + return NULL; + } repeat: if (cbdata->nsswitch_buffer == NULL) { return NULL; } if (is_gid) { - rc = getgrgid_r((gid_t) atoll(group_name), &grp, - cbdata->nsswitch_buffer, - cbdata->nsswitch_buffer_len, &result); + rc = ctx->getgrgid_r((gid_t) atoll(group_name), &grp, + cbdata->nsswitch_buffer, + cbdata->nsswitch_buffer_len, &lerrno); } else { - rc = getgrnam_r(group_name, &grp, - cbdata->nsswitch_buffer, - cbdata->nsswitch_buffer_len, &result); + rc = ctx->getgrnam_r(group_name, &grp, + cbdata->nsswitch_buffer, + cbdata->nsswitch_buffer_len, &lerrno); } - if ((result == NULL) || (rc != 0)) { - if (rc == ERANGE) { + if ((rc != NSS_STATUS_SUCCESS)) { + if (lerrno == ERANGE) { buf = realloc(cbdata->nsswitch_buffer, cbdata->nsswitch_buffer_len * 2); if (buf != NULL) { cbdata->nsswitch_buffer = buf; @@ -490,20 +644,27 @@ backend_retrieve_group_entry_from_nsswitch_by_gid(gid_t gid, { struct group grp, *result; Slapi_Entry *entry; - int rc; + enum nss_status rc; char *buf = NULL; + struct nss_ops_ctx *ctx = NULL; + int lerrno = 0; + ctx = cbdata->state->nss_context; + + if (ctx == NULL) { + return NULL; + } repeat: if (cbdata->nsswitch_buffer == NULL) { return NULL; } - rc = getgrgid_r(gid, &grp, - cbdata->nsswitch_buffer, - cbdata->nsswitch_buffer_len, &result); + rc = ctx->getgrgid_r(gid, &grp, + cbdata->nsswitch_buffer, + cbdata->nsswitch_buffer_len, &lerrno); - if ((result == NULL) || (rc != 0)) { - if (rc == ERANGE) { + if ((rc != NSS_STATUS_SUCCESS)) { + if (lerrno == ERANGE) { buf = realloc(cbdata->nsswitch_buffer, cbdata->nsswitch_buffer_len * 2); if (buf != NULL) { cbdata->nsswitch_buffer = buf; 
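Review bot: in both group hunks the retry test is `rc != NSS_STATUS_SUCCESS` followed by `lerrno == ERANGE`, without looking at which non-success status came back, and lerrno is not reset when the code jumps back to `repeat:`. So after one legitimate ERANGE retry, a second call that returns NSS_STATUS_NOTFOUND or NSS_STATUS_UNAVAIL without touching *errnop still sees lerrno == ERANGE and takes the grow-and-retry path again, and keeps doing so until realloc() fails. Check `rc == NSS_STATUS_TRYAGAIN` explicitly before reallocating, clear lerrno at `repeat:`, and treat every other status as a failed lookup. As in the user function, `*result` in `struct group grp, *result;` is now unused in both functions.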
@@ -532,19 +693,28 @@ backend_retrieve_group_list_from_nsswitch(char *user_name, char *container_sdn, gid_t *grouplist, *tmp_list; Slapi_Entry **entries, *entry, **tmp; char *buf = NULL; - int rc, ngroups, i, idx; - + int i, idx; + struct nss_ops_ctx *ctx = NULL; + int lerrno = 0; + long int ngroups = 0; + long int start = 0; + enum nss_status rc; + + ctx = cbdata->state->nss_context; + if (ctx == NULL) { + return NULL; + } repeat: if (cbdata->nsswitch_buffer == NULL) { return NULL; } - rc = getpwnam_r(user_name, &pwd, - cbdata->nsswitch_buffer, - cbdata->nsswitch_buffer_len, &pwd_result); + rc = ctx->getpwnam_r(user_name, &pwd, + cbdata->nsswitch_buffer, + cbdata->nsswitch_buffer_len, &lerrno); - if ((pwd_result == NULL) || (rc != 0)) { - if (rc == ERANGE) { + if ((rc != NSS_STATUS_SUCCESS)) { + if (lerrno == ERANGE) { buf = realloc(cbdata->nsswitch_buffer, cbdata->nsswitch_buffer_len * 2); if (buf != NULL) { cbdata->nsswitch_buffer = buf; @@ -559,14 +729,20 @@ repeat: } ngroups = 32; + start = 0; grouplist = malloc(sizeof(gid_t) * ngroups); if (grouplist == NULL) { return NULL; } + grouplist[0] = pwd.pw_gid; + start++; + do { - rc = getgrouplist(user_name, pwd.pw_gid, grouplist, &ngroups); - if (rc < ngroups) { + rc = ctx->initgroups_dyn(user_name, pwd.pw_gid, + &start, &ngroups, &grouplist, + -1, &lerrno); + if ((rc != NSS_STATUS_SUCCESS)) { tmp_list = realloc(grouplist, ngroups * sizeof(gid_t)); if (tmp_list == NULL) { free(grouplist); @@ -574,7 +750,7 @@ repeat: } grouplist = tmp_list; } - } while (rc != ngroups); + } while (rc != NSS_STATUS_SUCCESS); entries = calloc(ngroups + 1, sizeof(entries[0])); if (entries == NULL) { diff --git a/src/back-sch.h b/src/back-sch.h index 26e12d1..1aedf36 100644 --- a/src/back-sch.h +++ b/src/back-sch.h 
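Review bot: the new do/while around ctx->initgroups_dyn() in backend_retrieve_group_list_from_nsswitch() loops until rc == NSS_STATUS_SUCCESS, but nothing inside it changes the inputs when the status is NSS_STATUS_NOTFOUND or NSS_STATUS_UNAVAIL (user unknown to SSSD, SSSD not running): ngroups is unchanged, `realloc(grouplist, ngroups * sizeof(gid_t))` is a same-size no-op, and the loop never exits. That is the same class of hang as CVE-2015-0283, introduced in the same release. By the glibc initgroups_dyn convention a limit of -1 lets the module grow *groups and update *size itself, so the caller-side realloc is not needed at all: call initgroups_dyn() once, bail out (freeing grouplist) on any status other than NSS_STATUS_SUCCESS. Second, after the call `ngroups` is the allocated capacity and `start` is the number of gids actually filled in (it was pre-set to 1 for pw_gid), so `entries = calloc(ngroups + 1, ...)` and any loop bounded by ngroups would walk the uninitialised tail of grouplist; use `start` as the count. Finally `start` is not reset between iterations, so a retry would append after the previous attempt's entries rather than replace them.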
@@ -115,6 +115,11 @@ struct backend_search_filter_config { int backend_analyze_search_filter(Slapi_Filter *filter, struct backend_search_filter_config *config); +/* Operations against nsswitch API */ +struct nss_ops_ctx; +void backend_nss_init_context(struct nss_ops_ctx **nss_context); +void backend_nss_free_context(struct nss_ops_ctx **nss_context); + void backend_search_nsswitch(struct backend_set_data *set_data, struct backend_search_cbdata *cbdata); diff --git a/src/plug-sch.c b/src/plug-sch.c index 5d74beb..5a6e736 100644 --- a/src/plug-sch.c +++ b/src/plug-sch.c @@ -52,6 +52,7 @@ #include "backend.h" #include "back-shr.h" +#include "back-sch.h" #include "map.h" #include "plugin.h" #include "portmap.h" @@ -109,6 +110,7 @@ plugin_startup(Slapi_PBlock *pb) /* Populate the tree of fake entries. */ backend_startup(pb, state); state->pam_lock = wrap_new_rwlock(); + backend_nss_init_context((struct nss_ops_ctx**) &state->nss_context); /* Note that the plugin is ready to go. */ slapi_log_error(SLAPI_LOG_PLUGIN, plugin_description.spd_id, "plugin startup completed\n"); @@ -123,6 +125,7 @@ plugin_shutdown(Slapi_PBlock *pb) map_done(state); wrap_free_rwlock(state->pam_lock); state->pam_lock = NULL; + backend_nss_free_context((struct nss_ops_ctx**) &state->nss_context); state->plugin_base = NULL; slapi_log_error(SLAPI_LOG_PLUGIN, state->plugin_desc->spd_id, "plugin shutdown completed\n"); diff --git a/src/plugin.h b/src/plugin.h index 3967fb0..94ad747 100644 --- a/src/plugin.h +++ b/src/plugin.h @@ -46,6 +46,7 @@ struct plugin_state { } listener[4]; /* Schema compat-specific data. */ struct wrapped_rwlock *pam_lock; + void *nss_context; }; #endif commit 13ebc3edfe1d6d8888f3d70f189638cf5ddd71ed Author: Alexander Bokovoy Date: Tue Oct 14 17:25:46 2014 +0300 Use slapi_entry_find_attr instead of slapi_entry_attr_exists To keep slapi-nis code portable to older versions of 389-ds-base, avoid using slapi_entry_attr_exists() as it was only introduced in 389-ds-base 1.3.3.0. 
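Review bot: in the plug-sch.c hunk, plugin_startup() calls backend_nss_init_context() and then logs "plugin startup completed" regardless of the outcome, so a missing or unloadable libnss_sss.so.2 leaves state->nss_context NULL and every trusted-domain lookup quietly returns nothing, with no line in the errors log pointing an administrator at the cause. Test state->nss_context after the call and log at least a warning, or refuse to start when the nsswitch-backed sets are configured. The `(struct nss_ops_ctx**)` casts in both plug-sch.c hunks exist only because plugin.h declares `void *nss_context;`; forward-declaring `struct nss_ops_ctx;` in plugin.h, as the back-sch.h hunk already does, lets the field be typed and removes both casts.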
diff --git a/src/back-sch-idview.c b/src/back-sch-idview.c index f1150cd..93fbab5 100644 --- a/src/back-sch-idview.c +++ b/src/back-sch-idview.c @@ -157,6 +157,7 @@ idview_process_overrides(struct backend_search_cbdata *cbdata, /* 2. If there is indeed an override, replace attribute values except for the ones that should be ignored */ if (override_entry != NULL) { Slapi_Attr *override_attr = NULL; + Slapi_Attr *sattr = NULL; result = slapi_entry_first_attr(override_entry, &override_attr); while (result == 0) { @@ -173,7 +174,7 @@ idview_process_overrides(struct backend_search_cbdata *cbdata, if (filterout_attrs[i] == NULL) { /* Replace the attribute's value with the override or * add an override value if the attribute didn't exist */ - result = slapi_entry_attr_exists(entry, override_type); + result = slapi_entry_attr_find(entry, override_type, &sattr); if (result == 1) { result = slapi_entry_attr_delete(entry, override_type); } diff --git a/src/back-sch.c b/src/back-sch.c index 2388d2f..d0ed323 100644 --- a/src/back-sch.c +++ b/src/back-sch.c @@ -997,9 +997,11 @@ backend_search_entry_cb(const char *domain, const char *map, bool_t secure, { Slapi_DN *sdn; Slapi_Entry *entry; + Slapi_Attr *attr = NULL; struct backend_search_cbdata *cbdata; struct backend_entry_data *entry_data; int result; + bool_t is_attr_exists = FALSE; cbdata = cb_data; entry_data = backend_data; 
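Review bot: in the back-sch-idview.c hunk, `result = slapi_entry_attr_find(entry, override_type, &sattr); if (result == 1) { result = slapi_entry_attr_delete(entry, override_type); }` inverts the test. slapi_entry_attr_find() returns 0 when the attribute is present and -1 when it is not (the companion back-sch.c hunk in this same commit uses `== 0` as its "exists" test), while the replaced slapi_entry_attr_exists() returned 1 for present. As written the `result == 1` branch never runs, so an existing attribute is never deleted before the override value is added, and the returned entry carries both the original value and the override instead of a replacement. Change the test to `result == 0`; and since `sattr` exists only to satisfy the signature, a one-line comment saying so would save the next reader a search.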
@@ -1042,7 +1044,10 @@ backend_search_entry_cb(const char *domain, const char *map, bool_t secure, idview_process_overrides(cbdata, key, map, domain, entry); } - if (slapi_entry_attr_exists(entry, IPA_IDVIEWS_ATTR_ANCHORUUID) == 1) { + /* slapi_entry_attr_exists() was introduced only in https://fedorahosted.org/389/ticket/47710 */ + is_attr_exists = slapi_entry_attr_find(entry, IPA_IDVIEWS_ATTR_ANCHORUUID, &attr) == 0; + + if (is_attr_exists == TRUE) { slapi_entry_attr_delete(entry, IPA_IDVIEWS_ATTR_ANCHORUUID); slapi_entry_delete_string(entry, "objectClass", "ipaOverrideTarget"); } commit a42204ee958a380648ade421a742db2ad2d5eb39 Author: Alexander Bokovoy Date: Thu Nov 6 14:32:11 2014 +0200 Tag slapi-nis 0.54.1 diff --git a/configure.ac b/configure.ac index 59fa6e5..9174980 100644 --- a/configure.ac +++ b/configure.ac @@ -1,4 +1,4 @@ -AC_INIT(slapi-nis,0.54) +AC_INIT(slapi-nis,0.54.1) AC_CONFIG_MACRO_DIR([m4]) AM_INIT_AUTOMAKE(foreign) LT_INIT([disable-static]) diff --git a/slapi-nis.spec b/slapi-nis.spec index 21935ca..f77f2a4 100644 --- a/slapi-nis.spec +++ b/slapi-nis.spec @@ -10,7 +10,7 @@ %endif Name: slapi-nis -Version: 0.54 +Version: 0.54.1 Release: 1%{?dist} Summary: NIS Server and Schema Compatibility plugins for Directory Server Group: System Environment/Daemons 
@@ -85,6 +85,10 @@ rm -rf $RPM_BUILD_ROOT %{_sbindir}/nisserver-plugin-defs %changelog +* Thu Nov 6 2014 Alexander Bokovoy - 0.54.1-1 +- support FreeIPA overrides in LDAP BIND callback +- ignore FreeIPA override searchs outside configured schema compat subtrees + * Fri Oct 10 2014 Alexander Bokovoy - 0.54-1 - Add support for FreeIPA's ID views - Allow searching SSSD-provided users as memberUid case-insensitevly commit c9c9d1413a6950344bc842024fda84212cc7322f Author: Alexander Bokovoy Date: Tue Oct 28 11:16:50 2014 +0200 schema-compat: support ID overrides in bind callback If RDN of the bind DN is overridden within the ID view, rewrite the target to use original value of the uid attribute. If original uid attribute is not available, fail the search and thus the whole bind request by claiming that bind DN does not exist. diff --git a/src/back-sch-idview.c b/src/back-sch-idview.c index a56a9e9..f1150cd 100644 --- a/src/back-sch-idview.c +++ b/src/back-sch-idview.c @@ -290,21 +290,15 @@ idview_replace_target_dn(char **target, char **idview) } } -static int -idview_process_filter_cb(Slapi_Filter *filter, const char *filter_type, struct berval *bval, struct backend_search_filter_config *config) +int +idview_replace_bval_by_override(const char *bval_usage, const char *attr_name, + struct berval *bval, struct backend_search_cbdata *cbdata) { int res, i; - Slapi_Value *filter_val, *value, *anchor_val; + Slapi_Value *attr_val, *value, *anchor_val; Slapi_Attr *anchor, *attr = NULL; - struct backend_search_cbdata *cbdata = (struct backend_search_cbdata *) config->callback_data; - - if (cbdata == NULL || cbdata->idview == NULL) { - return SLAPI_FILTER_SCAN_CONTINUE; - } - - if (filter_type == NULL || config->name == NULL) { - return SLAPI_FILTER_SCAN_CONTINUE; - } + bool_t uid_override_found = FALSE; + bool_t anchor_override_found = FALSE; if (cbdata->overrides == NULL) { /* Only retrieve overrides for the view first time when neccessary */ 
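Review bot: the back-sch-idview.c hunk makes idview_replace_bval_by_override() external and moves the `cbdata == NULL || cbdata->idview == NULL` guard out of it into the filter callback, but the function body still dereferences cbdata->overrides and cbdata->state unconditionally, and it now has a second caller in back-sch.c that builds its own cbdata by hand. Either keep a NULL check on cbdata at the top of the exported function or state the precondition (non-NULL cbdata with state and idview set) in the back-sch.h comment. Visible in the same commit's slapi-nis.spec hunk: the new changelog line reads "searchs" and the previous one "case-insensitevly"; worth fixing before the tag.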
@@ -312,31 +306,34 @@ idview_process_filter_cb(Slapi_Filter *filter, const char *filter_type, struct b } if (cbdata->overrides == NULL) { - return SLAPI_FILTER_SCAN_CONTINUE; + return 0; } - filter_val = slapi_value_new_berval(bval); + attr_val = slapi_value_new_berval(bval); + slapi_log_error(SLAPI_LOG_FATAL, cbdata->state->plugin_desc->spd_id, + "Searching for an override of the %s %s with %s=%*s from the overrides\n.", + bval_usage, attr_name, attr_name, (int) bval->bv_len, bval->bv_val); /* If filter contains an attribute name which is overridden in the view and filter value * corresponds to the override, replace the filter by (ipaAnchorUUID=...) from the override * to point to the original because otherwise an entry will not be found in the slapi-nis map */ for(i=0; cbdata->overrides[i] != NULL; i++) { - res = slapi_entry_attr_find(cbdata->overrides[i], filter_type, &attr); + res = slapi_entry_attr_find(cbdata->overrides[i], attr_name, &attr); if ((res == 0) && (attr != NULL)) { res = slapi_attr_first_value(attr, &value); - res = slapi_value_compare(attr, value, filter_val); + res = slapi_value_compare(attr, value, attr_val); if (res == 0) { /* For uid overrides we should have ipaOriginalUID in the override */ - if (strcasecmp(filter_type, "uid") == 0) { + if (strcasecmp(attr_name, "uid") == 0) { res = slapi_entry_attr_find(cbdata->overrides[i], IPA_IDVIEWS_ATTR_ORIGINALUID, &anchor); if (res == 0) { res = slapi_attr_first_value(anchor, &anchor_val); slapi_ber_bvdone(bval); slapi_ber_bvcpy(bval, slapi_value_get_berval(anchor_val)); - config->override_found = TRUE; - slapi_log_error(SLAPI_LOG_PLUGIN, cbdata->state->plugin_desc->spd_id, - "Overriding the filter %s with %s=%*s from the override %s\n.", - filter_type, filter_type, bval->bv_len, bval->bv_val, + uid_override_found = TRUE; + slapi_log_error(SLAPI_LOG_FATAL, cbdata->state->plugin_desc->spd_id, + "Overriding the %s %s with %s=%*s from the override %s\n.", + bval_usage, attr_name, attr_name, (int) 
bval->bv_len, bval->bv_val, slapi_entry_get_dn_const(cbdata->overrides[i])); break; } @@ -346,14 +343,13 @@ idview_process_filter_cb(Slapi_Filter *filter, const char *filter_type, struct b res = slapi_entry_attr_find(cbdata->overrides[i], IPA_IDVIEWS_ATTR_ANCHORUUID, &anchor); if (res == 0) { res = slapi_attr_first_value(anchor, &anchor_val); - slapi_filter_changetype(filter, IPA_IDVIEWS_ATTR_ANCHORUUID); slapi_ber_bvdone(bval); slapi_ber_bvcpy(bval, slapi_value_get_berval(anchor_val)); - config->override_found = TRUE; - slapi_log_error(SLAPI_LOG_PLUGIN, cbdata->state->plugin_desc->spd_id, - "Overriding the filter %s with %s=%*s from the override %s\n.", - filter_type, IPA_IDVIEWS_ATTR_ANCHORUUID, - bval->bv_len, bval->bv_val, + anchor_override_found = TRUE; + slapi_log_error(SLAPI_LOG_FATAL, cbdata->state->plugin_desc->spd_id, + "Overriding the %s %s with %s=%*s from the override %s\n.", + bval_usage, attr_name, IPA_IDVIEWS_ATTR_ANCHORUUID, + (int) bval->bv_len, bval->bv_val, slapi_entry_get_dn_const(cbdata->overrides[i])); break; } 
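Review bot: the slapi_log_error() calls in these two hunks print the value with `%*s` and `(int) bval->bv_len, bval->bv_val`, but `*` in `%*s` is a minimum field width, not a length limit: the string is still read up to its NUL, and a struct berval is not guaranteed to be NUL-terminated, so this can read past the value and prints the wrong text when it does. Use `%.*s`, which bounds the read at bv_len. Second, the messages were raised from SLAPI_LOG_PLUGIN to SLAPI_LOG_FATAL, and the new "Searching for an override of the ... with uid=<value>" line fires on every filter and bind-DN evaluation through an ID view; SLAPI_LOG_FATAL is written at the default error-log level, so every compat-tree search and bind now records the looked-up user name in the errors log. Keep them at SLAPI_LOG_PLUGIN. Minor: the format strings end in `\n.` rather than `.\n`.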
@@ -362,7 +358,41 @@ idview_process_filter_cb(Slapi_Filter *filter, const char *filter_type, struct b } } - slapi_value_free(&filter_val); + slapi_value_free(&attr_val); + + if (uid_override_found) { + return 1; + } + + if (anchor_override_found) { + return 2; + } + + return 0; +} + +static int +idview_process_filter_cb(Slapi_Filter *filter, const char *filter_type, + struct berval *bval, struct backend_search_filter_config *config) +{ + int res; + struct backend_search_cbdata *cbdata = (struct backend_search_cbdata *) config->callback_data; + + if (cbdata == NULL || cbdata->idview == NULL) { + return SLAPI_FILTER_SCAN_CONTINUE; + } + + if (filter_type == NULL || config->name == NULL) { + return SLAPI_FILTER_SCAN_CONTINUE; + } + + res = idview_replace_bval_by_override("filter", filter_type, bval, cbdata); + + if (res == 2) { + slapi_filter_changetype(filter, IPA_IDVIEWS_ATTR_ANCHORUUID); + } + + config->override_found = (res != 0); return SLAPI_FILTER_SCAN_CONTINUE; diff --git a/src/back-sch.c b/src/back-sch.c index 27ac24f..2388d2f 100644 --- a/src/back-sch.c +++ b/src/back-sch.c @@ -1631,7 +1631,6 @@ static void backend_locate(Slapi_PBlock *pb, struct backend_entry_data **data, const char **group, const char**set) { struct backend_locate_cbdata cbdata; - char *idview = NULL; slapi_pblock_get(pb, SLAPI_PLUGIN_PRIVATE, &cbdata.state); if (cbdata.state->plugin_base == NULL) { 
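Review bot: idview_replace_bval_by_override() reports its result as bare 0, 1 or 2 and the rewritten idview_process_filter_cb() tests `res == 2` and `res != 0`; the meaning is only recoverable from the comment added to back-sch.h in a later hunk. A small enum (no override, uid override, anchor override) would make this callback and the new caller in backend_locate() self-explaining and stop any future return value from being treated as "uid" by the `res != 0` test. The removed `char *idview = NULL;` in the back-sch.c hunk is fine, since the variable moves into the new block in the next hunk.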
@@ -1640,22 +1639,64 @@ backend_locate(Slapi_PBlock *pb, struct backend_entry_data **data, const char ** return; } slapi_pblock_get(pb, SLAPI_TARGET_DN, &cbdata.target); -#ifdef USE_IPA_IDVIEWS - idview_replace_target_dn(&cbdata.target, &idview); -#endif + cbdata.target_dn = slapi_sdn_new_dn_byval(cbdata.target); cbdata.entry_data = NULL; cbdata.entry_group = NULL; cbdata.entry_set = NULL; map_data_foreach_map(cbdata.state, NULL, backend_locate_cb, &cbdata); +#ifdef USE_IPA_IDVIEWS + /* In case nothing was found but we are operating on the ID override, + * rebuild the target's RDN to use original attribute's value */ + if (cbdata.entry_data == NULL) { + char *idview = NULL; + char *target, *original_target; + target = original_target = slapi_ch_strdup(cbdata.target); + idview_replace_target_dn(&target, &idview); + if (target != original_target) { + slapi_ch_free_string(&original_target); + } + if (idview != NULL) { + char *rdnstr; + char *val; + struct berval bval; + int res; + struct backend_search_cbdata scbdata; + Slapi_RDN *rdn = slapi_rdn_new_all_dn(target); + if (rdn != NULL) { + res = slapi_rdn_get_first(rdn, &rdnstr, &val); + if (res == 1) { + bval.bv_len = strlen(val) + 1; + bval.bv_val = slapi_ch_strdup(val); + memset(&scbdata, 0, sizeof(scbdata)); + scbdata.idview = idview; + scbdata.target = target; + scbdata.pb = pb; + scbdata.state = cbdata.state; + scbdata.target_dn = slapi_sdn_new_dn_byval(target); + res = idview_replace_bval_by_override("rdn", rdnstr, &bval, &scbdata); + /* only accept uid overrides */ + if (res == 1) { + slapi_rdn_remove_index(rdn, 1); + slapi_rdn_add(rdn, "uid", bval.bv_val); + slapi_sdn_free(&cbdata.target_dn); + cbdata.target_dn = slapi_sdn_set_rdn(scbdata.target_dn, rdn); + map_data_foreach_map(cbdata.state, NULL, backend_locate_cb, &cbdata); + } + slapi_ber_bvdone(&bval); + slapi_rdn_free(&rdn); + idview_free_overrides(&scbdata); + } + } + } + slapi_ch_free_string(&target); + slapi_ch_free_string(&idview); + } +#endif *data = 
cbdata.entry_data; *group = cbdata.entry_group; *set = cbdata.entry_set; slapi_sdn_free(&cbdata.target_dn); - if (idview != NULL) { - slapi_ch_free_string(&cbdata.target); - } - slapi_ch_free_string(&idview); } /* Check if the target DN is part of this group's tree. If it is, return an diff --git a/src/back-sch.h b/src/back-sch.h index 9f0b201..26e12d1 100644 --- a/src/back-sch.h +++ b/src/back-sch.h @@ -131,6 +131,10 @@ void idview_process_overrides(struct backend_search_cbdata *cbdata, Slapi_Entry *entry); void idview_replace_target_dn(char **target, char **idview); void idview_replace_filter(struct backend_search_cbdata *cbdata); +/* Takes struct berval value of an attribute attr_name and replaces it with an override + * Returns 0 if no override was found, 1 for 'uid' replacement, 2 for ipaAnchorUUID replacement */ +int idview_replace_bval_by_override(const char *bval_usage, const char *attr_name, + struct berval *bval, struct backend_search_cbdata *cbdata); #endif #endif commit 778c95866f28d894822e37223b69816981d29529 Author: Alexander Bokovoy Date: Tue Oct 28 10:09:47 2014 +0200 ID views: ignore searches for views outside the subtrees of schema-compat sets schema-compat plugin may provide multiple disjoint subtrees which can be used to request overridden entries by prefixing the subtree suffix with a cn=,cn=views, From tjaalton at moszumanska.debian.org Thu Apr 2 11:25:47 2015 
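Review bot: in the backend_locate() hunk, `bval.bv_len = strlen(val) + 1;` counts the terminating NUL as part of the value, unlike every other berval in this tree where bv_len is the data length. The value is then wrapped with slapi_value_new_berval() and compared against the override's attribute value with slapi_value_compare() inside idview_replace_bval_by_override(); whether a value one byte longer than the stored one compares equal depends on the matching rule, so the uid override for a bind DN may never be found. Use strlen(val). Second, `scbdata.target_dn = slapi_sdn_new_dn_byval(target);` is only consumed on the `res == 1` path (passed to slapi_sdn_set_rdn() and thereafter owned by cbdata.target_dn); on every other path nothing in the visible lines frees it, and idview_free_overrides(&scbdata) by its name releases only the overrides, so each bind against a non-overridden DN inside a view appears to leak a Slapi_DN. Third, the behaviour the commit message promises, failing the bind when no original uid is available, does hold because entry_data stays NULL when the function returns 0 or 2, but that is worth a comment at the `res == 1` check rather than something a reader has to trace. The new back-sch.h comment should also say that the function requires a non-NULL cbdata with state and idview set.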
From: tjaalton at moszumanska.debian.org (Timo Aaltonen)
Date: Thu, 02 Apr 2015 11:25:47 +0000
Subject: [Pkg-freeipa-devel] slapi-nis: Changes to 'upstream'
Message-ID:

configure.ac | 3
doc/ipa/sch-ipa.txt | 14 ++
slapi-nis.spec | 11 ++
src/back-sch-idview.c | 86 ++++++++++++-----
src/back-sch-nss.c | 250 +++++++++++++++++++++++++++++++++++++++++++-------
src/back-sch.c | 150 +++++++++++++++++++++++++-----
src/back-sch.h | 9 +
src/plug-sch.c | 3
src/plugin.h | 1
9 files changed, 440 insertions(+), 87 deletions(-)

New commits:
dlsym(ctx->dl_handle, "_nss_sss_setpwent"); + if (ctx->setpwent == NULL) { + goto fail; + } + + ctx->getpwent_r = dlsym(ctx->dl_handle, "_nss_sss_getpwent_r"); + if (ctx->getpwent_r == NULL) { + goto fail; + } + + ctx->endpwent = dlsym(ctx->dl_handle, "_nss_sss_endpwent"); + if (ctx->endpwent == NULL) { + goto fail; + } + + ctx->getgrnam_r = dlsym(ctx->dl_handle, "_nss_sss_getgrnam_r"); + if (ctx->getgrnam_r == NULL) { + goto fail; + } + + ctx->getgrgid_r = dlsym(ctx->dl_handle, "_nss_sss_getgrgid_r"); + if (ctx->getgrgid_r == NULL) { + goto fail; + } + + ctx->setgrent = dlsym(ctx->dl_handle, "_nss_sss_setgrent"); + if (ctx->setgrent == NULL) { + goto fail; + } + + ctx->getgrent_r = dlsym(ctx->dl_handle, "_nss_sss_getgrent_r"); + if (ctx->getgrent_r == NULL) { + goto fail; + } + + ctx->endgrent = dlsym(ctx->dl_handle, "_nss_sss_endgrent"); + if (ctx->endgrent == NULL) { + goto fail; + } + + ctx->initgroups_dyn = dlsym(ctx->dl_handle, "_nss_sss_initgroups_dyn"); + if (ctx->initgroups_dyn == NULL) { + goto fail; + } + + return; + +fail: + backend_nss_free_context(nss_context); + + return; +} + +void +backend_nss_free_context(struct nss_ops_ctx **nss_context) +{ + if (nss_context == NULL) { + return; + } + + if ((*nss_context)->dl_handle != NULL) { + dlclose((*nss_context)->dl_handle); + } + + free((*nss_context)); + *nss_context = NULL; +} + + + static Slapi_Entry ** backend_retrieve_user_entry_from_nsswitch(char *user_name, bool_t is_uid, char *container_sdn, 
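Review bot: `backend_nss_free_context` dereferences `*nss_context` without checking it for NULL (`if ((*nss_context)->dl_handle != NULL)`), but `backend_nss_init_context` leaves `*nss_context` set to NULL whenever `calloc`, `dlopen` or any `dlsym` fails, and plugin_shutdown later in this patch calls the free unconditionally, so a host without a loadable libnss_sss.so.2 will crash ns-slapd at shutdown; add `if (nss_context == NULL || *nss_context == NULL) return;`. The failure path is also silent: every `goto fail` ends in a cleared context and every later lookup returns NULL exactly as it would for a user that does not exist, so log `dlerror()` at SLAPI_LOG_FATAL under `fail:` so an operator can tell a missing or mismatched SSSD NSS module apart from a genuine miss.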
@@ -315,25 +454,33 @@ backend_retrieve_user_entry_from_nsswitch(char *user_name, bool_t is_uid, { struct passwd pwd, *result; Slapi_Entry *entry, **entries; - int rc; + enum nss_status rc; char *buf = NULL; + struct nss_ops_ctx *ctx = NULL; + int lerrno; + + ctx = cbdata->state->nss_context; + if (ctx == NULL) { + return NULL; + } repeat: if (cbdata->nsswitch_buffer == NULL) { return NULL; } if (is_uid) { - rc = getpwuid_r((uid_t) atoll(user_name), &pwd, - cbdata->nsswitch_buffer, - cbdata->nsswitch_buffer_len, &result); + rc = ctx->getpwuid_r((uid_t) atoll(user_name), &pwd, + cbdata->nsswitch_buffer, + cbdata->nsswitch_buffer_len, &lerrno); } else { - rc = getpwnam_r(user_name, &pwd, - cbdata->nsswitch_buffer, - cbdata->nsswitch_buffer_len, &result); + rc = ctx->getpwnam_r(user_name, &pwd, + cbdata->nsswitch_buffer, + cbdata->nsswitch_buffer_len, &lerrno); } - if ((result == NULL) || (rc != 0)) { - if (rc == ERANGE) { + + if ((rc != NSS_STATUS_SUCCESS)) { + if (lerrno == ERANGE) { buf = realloc(cbdata->nsswitch_buffer, cbdata->nsswitch_buffer_len * 2); if (buf != NULL) { cbdata->nsswitch_buffer = buf; 
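Review bot: `int lerrno;` in `backend_retrieve_user_entry_from_nsswitch` is never initialised, yet `lerrno == ERANGE` is evaluated on every non-success return; NSS modules are only required to set `*errnop` meaningfully when they return NSS_STATUS_TRYAGAIN, so on NOTFOUND or UNAVAIL this reads an indeterminate value (the two group lookups below correctly start with `int lerrno = 0;`). Gate the retry on `rc == NSS_STATUS_TRYAGAIN && lerrno == ERANGE`, and note that this hunk keeps `realloc(cbdata->nsswitch_buffer, cbdata->nsswitch_buffer_len * 2)` without updating `nsswitch_buffer_len`, so a user record larger than the initial buffer retries with the same length forever (the hunks at the top of this message add the missing `*= 2` in a follow-up commit). `struct passwd pwd, *result;` also leaves `result` unused now that the glibc `getpwnam_r` call is gone.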
@@ -437,25 +584,32 @@ backend_retrieve_group_entry_from_nsswitch(char *group_name, bool_t is_gid, { struct group grp, *result; Slapi_Entry *entry, **entries; - int rc; + enum nss_status rc; char *buf = NULL; + struct nss_ops_ctx *ctx = NULL; + int lerrno = 0; + + ctx = cbdata->state->nss_context; + if (ctx == NULL) { + return NULL; + } repeat: if (cbdata->nsswitch_buffer == NULL) { return NULL; } if (is_gid) { - rc = getgrgid_r((gid_t) atoll(group_name), &grp, - cbdata->nsswitch_buffer, - cbdata->nsswitch_buffer_len, &result); + rc = ctx->getgrgid_r((gid_t) atoll(group_name), &grp, + cbdata->nsswitch_buffer, + cbdata->nsswitch_buffer_len, &lerrno); } else { - rc = getgrnam_r(group_name, &grp, - cbdata->nsswitch_buffer, - cbdata->nsswitch_buffer_len, &result); + rc = ctx->getgrnam_r(group_name, &grp, + cbdata->nsswitch_buffer, + cbdata->nsswitch_buffer_len, &lerrno); } - if ((result == NULL) || (rc != 0)) { - if (rc == ERANGE) { + if ((rc != NSS_STATUS_SUCCESS)) { + if (lerrno == ERANGE) { buf = realloc(cbdata->nsswitch_buffer, cbdata->nsswitch_buffer_len * 2); if (buf != NULL) { cbdata->nsswitch_buffer = buf; @@ -490,20 +644,27 @@ backend_retrieve_group_entry_from_nsswitch_by_gid(gid_t gid, { struct group grp, *result; Slapi_Entry *entry; - int rc; + enum nss_status rc; char *buf = NULL; + struct nss_ops_ctx *ctx = NULL; + int lerrno = 0; + ctx = cbdata->state->nss_context; + + if (ctx == NULL) { + return NULL; + } repeat: if (cbdata->nsswitch_buffer == NULL) { return NULL; } - rc = getgrgid_r(gid, &grp, - cbdata->nsswitch_buffer, - cbdata->nsswitch_buffer_len, &result); + rc = ctx->getgrgid_r(gid, &grp, + cbdata->nsswitch_buffer, + cbdata->nsswitch_buffer_len, &lerrno); - if ((result == NULL) || (rc != 0)) { - if (rc == ERANGE) { + if ((rc != NSS_STATUS_SUCCESS)) { + if (lerrno == ERANGE) { buf = realloc(cbdata->nsswitch_buffer, cbdata->nsswitch_buffer_len * 2); if (buf != NULL) { cbdata->nsswitch_buffer = buf; 
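Review bot: both group hunks (`backend_retrieve_group_entry_from_nsswitch` and `backend_retrieve_group_entry_from_nsswitch_by_gid`) repeat the realloc-and-retry block from the user lookup, including its defect that `cbdata->nsswitch_buffer_len` is not doubled alongside the buffer, which is the getgrnam_r()/getgrgid_r() infinite loop the changelog in this thread assigns to CVE-2015-0283; three copies of the same retry logic is a maintenance hazard, and a single helper would have meant fixing it once instead of three times. `struct group grp, *result;` keeps `result` as an unused variable in both functions now that `lerrno` carries the status.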
@@ -532,19 +693,28 @@ backend_retrieve_group_list_from_nsswitch(char *user_name, char *container_sdn, gid_t *grouplist, *tmp_list; Slapi_Entry **entries, *entry, **tmp; char *buf = NULL; - int rc, ngroups, i, idx; - + int i, idx; + struct nss_ops_ctx *ctx = NULL; + int lerrno = 0; + long int ngroups = 0; + long int start = 0; + enum nss_status rc; + + ctx = cbdata->state->nss_context; + if (ctx == NULL) { + return NULL; + } repeat: if (cbdata->nsswitch_buffer == NULL) { return NULL; } - rc = getpwnam_r(user_name, &pwd, - cbdata->nsswitch_buffer, - cbdata->nsswitch_buffer_len, &pwd_result); + rc = ctx->getpwnam_r(user_name, &pwd, + cbdata->nsswitch_buffer, + cbdata->nsswitch_buffer_len, &lerrno); - if ((pwd_result == NULL) || (rc != 0)) { - if (rc == ERANGE) { + if ((rc != NSS_STATUS_SUCCESS)) { + if (lerrno == ERANGE) { buf = realloc(cbdata->nsswitch_buffer, cbdata->nsswitch_buffer_len * 2); if (buf != NULL) { cbdata->nsswitch_buffer = buf; @@ -559,14 +729,20 @@ repeat: } ngroups = 32; + start = 0; grouplist = malloc(sizeof(gid_t) * ngroups); if (grouplist == NULL) { return NULL; } + grouplist[0] = pwd.pw_gid; + start++; + do { - rc = getgrouplist(user_name, pwd.pw_gid, grouplist, &ngroups); - if (rc < ngroups) { + rc = ctx->initgroups_dyn(user_name, pwd.pw_gid, + &start, &ngroups, &grouplist, + -1, &lerrno); + if ((rc != NSS_STATUS_SUCCESS)) { tmp_list = realloc(grouplist, ngroups * sizeof(gid_t)); if (tmp_list == NULL) { free(grouplist); @@ -574,7 +750,7 @@ repeat: } grouplist = tmp_list; } - } while (rc != ngroups); + } while (rc != NSS_STATUS_SUCCESS); entries = calloc(ngroups + 1, sizeof(entries[0])); if (entries == NULL) { diff --git a/src/back-sch.h b/src/back-sch.h index 26e12d1..1aedf36 100644 --- a/src/back-sch.h +++ b/src/back-sch.h 
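Review bot: the `do { ... } while (rc != NSS_STATUS_SUCCESS)` loop around `ctx->initgroups_dyn` in `backend_retrieve_group_list_from_nsswitch` cannot terminate on a persistent non-success status: with `limit` -1 the module grows `grouplist` and updates `ngroups` itself, so the `realloc(grouplist, ngroups * sizeof(gid_t))` in the retry branch reallocates to the size the array already has, and a user that nss_sss cannot resolve (NSS_STATUS_NOTFOUND) or an unavailable SSSD (NSS_STATUS_UNAVAIL) spins a directory server worker thread forever. Retry only on NSS_STATUS_TRYAGAIN with `lerrno == ERANGE`, and free `grouplist` and return NULL for every other status. Separately, after a successful call `start` holds the number of gids filled while `ngroups` is only the capacity, so `entries = calloc(ngroups + 1, sizeof(entries[0]))` and any loop over the list should work from `start`; the `rc < ngroups` bookkeeping of the removed `getgrouplist` call does not carry over.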
@@ -115,6 +115,11 @@ struct backend_search_filter_config { int backend_analyze_search_filter(Slapi_Filter *filter, struct backend_search_filter_config *config); +/* Operations against nsswitch API */ +struct nss_ops_ctx; +void backend_nss_init_context(struct nss_ops_ctx **nss_context); +void backend_nss_free_context(struct nss_ops_ctx **nss_context); + void backend_search_nsswitch(struct backend_set_data *set_data, struct backend_search_cbdata *cbdata); diff --git a/src/plug-sch.c b/src/plug-sch.c index 5d74beb..5a6e736 100644 --- a/src/plug-sch.c +++ b/src/plug-sch.c @@ -52,6 +52,7 @@ #include "backend.h" #include "back-shr.h" +#include "back-sch.h" #include "map.h" #include "plugin.h" #include "portmap.h" @@ -109,6 +110,7 @@ plugin_startup(Slapi_PBlock *pb) /* Populate the tree of fake entries. */ backend_startup(pb, state); state->pam_lock = wrap_new_rwlock(); + backend_nss_init_context((struct nss_ops_ctx**) &state->nss_context); /* Note that the plugin is ready to go. */ slapi_log_error(SLAPI_LOG_PLUGIN, plugin_description.spd_id, "plugin startup completed\n"); @@ -123,6 +125,7 @@ plugin_shutdown(Slapi_PBlock *pb) map_done(state); wrap_free_rwlock(state->pam_lock); state->pam_lock = NULL; + backend_nss_free_context((struct nss_ops_ctx**) &state->nss_context); state->plugin_base = NULL; slapi_log_error(SLAPI_LOG_PLUGIN, state->plugin_desc->spd_id, "plugin shutdown completed\n"); diff --git a/src/plugin.h b/src/plugin.h index 3967fb0..94ad747 100644 --- a/src/plugin.h +++ b/src/plugin.h @@ -46,6 +46,7 @@ struct plugin_state { } listener[4]; /* Schema compat-specific data. */ struct wrapped_rwlock *pam_lock; + void *nss_context; }; #endif commit 13ebc3edfe1d6d8888f3d70f189638cf5ddd71ed Author: Alexander Bokovoy Date: Tue Oct 14 17:25:46 2014 +0300 Use slapi_entry_find_attr instead of slapi_entry_attr_exists To keep slapi-nis code portable to older versions of 389-ds-base, avoid using slapi_entry_attr_exists() as it was only introduced in 389-ds-base 1.3.3.0. 
diff --git a/src/back-sch-idview.c b/src/back-sch-idview.c index f1150cd..93fbab5 100644 --- a/src/back-sch-idview.c +++ b/src/back-sch-idview.c @@ -157,6 +157,7 @@ idview_process_overrides(struct backend_search_cbdata *cbdata, /* 2. If there is indeed an override, replace attribute values except for the ones that should be ignored */ if (override_entry != NULL) { Slapi_Attr *override_attr = NULL; + Slapi_Attr *sattr = NULL; result = slapi_entry_first_attr(override_entry, &override_attr); while (result == 0) { @@ -173,7 +174,7 @@ idview_process_overrides(struct backend_search_cbdata *cbdata, if (filterout_attrs[i] == NULL) { /* Replace the attribute's value with the override or * add an override value if the attribute didn't exist */ - result = slapi_entry_attr_exists(entry, override_type); + result = slapi_entry_attr_find(entry, override_type, &sattr); if (result == 1) { result = slapi_entry_attr_delete(entry, override_type); } diff --git a/src/back-sch.c b/src/back-sch.c index 2388d2f..d0ed323 100644 --- a/src/back-sch.c +++ b/src/back-sch.c @@ -997,9 +997,11 @@ backend_search_entry_cb(const char *domain, const char *map, bool_t secure, { Slapi_DN *sdn; Slapi_Entry *entry; + Slapi_Attr *attr = NULL; struct backend_search_cbdata *cbdata; struct backend_entry_data *entry_data; int result; + bool_t is_attr_exists = FALSE; cbdata = cb_data; entry_data = backend_data; 
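Review bot: in the `idview_process_overrides` hunk the replacement `result = slapi_entry_attr_find(entry, override_type, &sattr);` is still followed by `if (result == 1)`, but `slapi_entry_attr_find()` returns 0 when the attribute is present and -1 when it is not, whereas the removed `slapi_entry_attr_exists()` returned 1 for present; the condition is therefore never true, the existing attribute is never deleted, and per the comment above it the override value is then added beside the original instead of replacing it, so the view exposes both the trusted-domain value and the override. Compare the `backend_search_entry_cb` hunk just below, which correctly tests `== 0`.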
@@ -1042,7 +1044,10 @@ backend_search_entry_cb(const char *domain, const char *map, bool_t secure, idview_process_overrides(cbdata, key, map, domain, entry); } - if (slapi_entry_attr_exists(entry, IPA_IDVIEWS_ATTR_ANCHORUUID) == 1) { + /* slapi_entry_attr_exists() was introduced only in https://fedorahosted.org/389/ticket/47710 */ + is_attr_exists = slapi_entry_attr_find(entry, IPA_IDVIEWS_ATTR_ANCHORUUID, &attr) == 0; + + if (is_attr_exists == TRUE) { slapi_entry_attr_delete(entry, IPA_IDVIEWS_ATTR_ANCHORUUID); slapi_entry_delete_string(entry, "objectClass", "ipaOverrideTarget"); } commit a42204ee958a380648ade421a742db2ad2d5eb39 Author: Alexander Bokovoy Date: Thu Nov 6 14:32:11 2014 +0200 Tag slapi-nis 0.54.1 diff --git a/configure.ac b/configure.ac index 59fa6e5..9174980 100644 --- a/configure.ac +++ b/configure.ac @@ -1,4 +1,4 @@ -AC_INIT(slapi-nis,0.54) +AC_INIT(slapi-nis,0.54.1) AC_CONFIG_MACRO_DIR([m4]) AM_INIT_AUTOMAKE(foreign) LT_INIT([disable-static]) diff --git a/slapi-nis.spec b/slapi-nis.spec index 21935ca..f77f2a4 100644 --- a/slapi-nis.spec +++ b/slapi-nis.spec @@ -10,7 +10,7 @@ %endif Name: slapi-nis -Version: 0.54 +Version: 0.54.1 Release: 1%{?dist} Summary: NIS Server and Schema Compatibility plugins for Directory Server Group: System Environment/Daemons 
@@ -85,6 +85,10 @@ rm -rf $RPM_BUILD_ROOT %{_sbindir}/nisserver-plugin-defs %changelog +* Thu Nov 6 2014 Alexander Bokovoy - 0.54.1-1 +- support FreeIPA overrides in LDAP BIND callback +- ignore FreeIPA override searchs outside configured schema compat subtrees + * Fri Oct 10 2014 Alexander Bokovoy - 0.54-1 - Add support for FreeIPA's ID views - Allow searching SSSD-provided users as memberUid case-insensitevly commit c9c9d1413a6950344bc842024fda84212cc7322f Author: Alexander Bokovoy Date: Tue Oct 28 11:16:50 2014 +0200 schema-compat: support ID overrides in bind callback If RDN of the bind DN is overridden within the ID view, rewrite the target to use original value of the uid attribute. If original uid attribute is not available, fail the search and thus the whole bind request by claiming that bind DN does not exist. diff --git a/src/back-sch-idview.c b/src/back-sch-idview.c index a56a9e9..f1150cd 100644 --- a/src/back-sch-idview.c +++ b/src/back-sch-idview.c @@ -290,21 +290,15 @@ idview_replace_target_dn(char **target, char **idview) } } -static int -idview_process_filter_cb(Slapi_Filter *filter, const char *filter_type, struct berval *bval, struct backend_search_filter_config *config) +int +idview_replace_bval_by_override(const char *bval_usage, const char *attr_name, + struct berval *bval, struct backend_search_cbdata *cbdata) { int res, i; - Slapi_Value *filter_val, *value, *anchor_val; + Slapi_Value *attr_val, *value, *anchor_val; Slapi_Attr *anchor, *attr = NULL; - struct backend_search_cbdata *cbdata = (struct backend_search_cbdata *) config->callback_data; - - if (cbdata == NULL || cbdata->idview == NULL) { - return SLAPI_FILTER_SCAN_CONTINUE; - } - - if (filter_type == NULL || config->name == NULL) { - return SLAPI_FILTER_SCAN_CONTINUE; - } + bool_t uid_override_found = FALSE; + bool_t anchor_override_found = FALSE; if (cbdata->overrides == NULL) { /* Only retrieve overrides for the view first time when neccessary */ 
@@ -312,31 +306,34 @@ idview_process_filter_cb(Slapi_Filter *filter, const char *filter_type, struct b } if (cbdata->overrides == NULL) { - return SLAPI_FILTER_SCAN_CONTINUE; + return 0; } - filter_val = slapi_value_new_berval(bval); + attr_val = slapi_value_new_berval(bval); + slapi_log_error(SLAPI_LOG_FATAL, cbdata->state->plugin_desc->spd_id, + "Searching for an override of the %s %s with %s=%*s from the overrides\n.", + bval_usage, attr_name, attr_name, (int) bval->bv_len, bval->bv_val); /* If filter contains an attribute name which is overridden in the view and filter value * corresponds to the override, replace the filter by (ipaAnchorUUID=...) from the override * to point to the original because otherwise an entry will not be found in the slapi-nis map */ for(i=0; cbdata->overrides[i] != NULL; i++) { - res = slapi_entry_attr_find(cbdata->overrides[i], filter_type, &attr); + res = slapi_entry_attr_find(cbdata->overrides[i], attr_name, &attr); if ((res == 0) && (attr != NULL)) { res = slapi_attr_first_value(attr, &value); - res = slapi_value_compare(attr, value, filter_val); + res = slapi_value_compare(attr, value, attr_val); if (res == 0) { /* For uid overrides we should have ipaOriginalUID in the override */ - if (strcasecmp(filter_type, "uid") == 0) { + if (strcasecmp(attr_name, "uid") == 0) { res = slapi_entry_attr_find(cbdata->overrides[i], IPA_IDVIEWS_ATTR_ORIGINALUID, &anchor); if (res == 0) { res = slapi_attr_first_value(anchor, &anchor_val); slapi_ber_bvdone(bval); slapi_ber_bvcpy(bval, slapi_value_get_berval(anchor_val)); - config->override_found = TRUE; - slapi_log_error(SLAPI_LOG_PLUGIN, cbdata->state->plugin_desc->spd_id, - "Overriding the filter %s with %s=%*s from the override %s\n.", - filter_type, filter_type, bval->bv_len, bval->bv_val, + uid_override_found = TRUE; + slapi_log_error(SLAPI_LOG_FATAL, cbdata->state->plugin_desc->spd_id, + "Overriding the %s %s with %s=%*s from the override %s\n.", + bval_usage, attr_name, attr_name, (int) 
bval->bv_len, bval->bv_val, slapi_entry_get_dn_const(cbdata->overrides[i])); break; } @@ -346,14 +343,13 @@ idview_process_filter_cb(Slapi_Filter *filter, const char *filter_type, struct b res = slapi_entry_attr_find(cbdata->overrides[i], IPA_IDVIEWS_ATTR_ANCHORUUID, &anchor); if (res == 0) { res = slapi_attr_first_value(anchor, &anchor_val); - slapi_filter_changetype(filter, IPA_IDVIEWS_ATTR_ANCHORUUID); slapi_ber_bvdone(bval); slapi_ber_bvcpy(bval, slapi_value_get_berval(anchor_val)); - config->override_found = TRUE; - slapi_log_error(SLAPI_LOG_PLUGIN, cbdata->state->plugin_desc->spd_id, - "Overriding the filter %s with %s=%*s from the override %s\n.", - filter_type, IPA_IDVIEWS_ATTR_ANCHORUUID, - bval->bv_len, bval->bv_val, + anchor_override_found = TRUE; + slapi_log_error(SLAPI_LOG_FATAL, cbdata->state->plugin_desc->spd_id, + "Overriding the %s %s with %s=%*s from the override %s\n.", + bval_usage, attr_name, IPA_IDVIEWS_ATTR_ANCHORUUID, + (int) bval->bv_len, bval->bv_val, slapi_entry_get_dn_const(cbdata->overrides[i])); break; } 
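Review bot: the two `slapi_log_error` calls in this hunk were switched from SLAPI_LOG_PLUGIN to SLAPI_LOG_FATAL and a third FATAL-level message (`"Searching for an override of the %s %s with %s=%*s from the overrides\n."`) was added on every call; SLAPI_LOG_FATAL is written to the errors log unconditionally, so every compat-tree search and bind will now emit one to three lines per evaluated attribute, which reads like debug output left in. Restore SLAPI_LOG_PLUGIN. The format itself is also wrong: `%*s` consumes `(int) bval->bv_len` as a field width and then prints `bval->bv_val` up to a NUL, so a berval that is not NUL-terminated is over-read; `%.*s` (precision) is what bounds the output to `bv_len`. The `\n.` ending each message also puts the period on its own log line.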
@@ -362,7 +358,41 @@ idview_process_filter_cb(Slapi_Filter *filter, const char *filter_type, struct b } } - slapi_value_free(&filter_val); + slapi_value_free(&attr_val); + + if (uid_override_found) { + return 1; + } + + if (anchor_override_found) { + return 2; + } + + return 0; +} + +static int +idview_process_filter_cb(Slapi_Filter *filter, const char *filter_type, + struct berval *bval, struct backend_search_filter_config *config) +{ + int res; + struct backend_search_cbdata *cbdata = (struct backend_search_cbdata *) config->callback_data; + + if (cbdata == NULL || cbdata->idview == NULL) { + return SLAPI_FILTER_SCAN_CONTINUE; + } + + if (filter_type == NULL || config->name == NULL) { + return SLAPI_FILTER_SCAN_CONTINUE; + } + + res = idview_replace_bval_by_override("filter", filter_type, bval, cbdata); + + if (res == 2) { + slapi_filter_changetype(filter, IPA_IDVIEWS_ATTR_ANCHORUUID); + } + + config->override_found = (res != 0); return SLAPI_FILTER_SCAN_CONTINUE; diff --git a/src/back-sch.c b/src/back-sch.c index 27ac24f..2388d2f 100644 --- a/src/back-sch.c +++ b/src/back-sch.c @@ -1631,7 +1631,6 @@ static void backend_locate(Slapi_PBlock *pb, struct backend_entry_data **data, const char **group, const char**set) { struct backend_locate_cbdata cbdata; - char *idview = NULL; slapi_pblock_get(pb, SLAPI_PLUGIN_PRIVATE, &cbdata.state); if (cbdata.state->plugin_base == NULL) { 
@@ -1640,22 +1639,64 @@ backend_locate(Slapi_PBlock *pb, struct backend_entry_data **data, const char ** return; } slapi_pblock_get(pb, SLAPI_TARGET_DN, &cbdata.target); -#ifdef USE_IPA_IDVIEWS - idview_replace_target_dn(&cbdata.target, &idview); -#endif + cbdata.target_dn = slapi_sdn_new_dn_byval(cbdata.target); cbdata.entry_data = NULL; cbdata.entry_group = NULL; cbdata.entry_set = NULL; map_data_foreach_map(cbdata.state, NULL, backend_locate_cb, &cbdata); +#ifdef USE_IPA_IDVIEWS + /* In case nothing was found but we are operating on the ID override, + * rebuild the target's RDN to use original attribute's value */ + if (cbdata.entry_data == NULL) { + char *idview = NULL; + char *target, *original_target; + target = original_target = slapi_ch_strdup(cbdata.target); + idview_replace_target_dn(&target, &idview); + if (target != original_target) { + slapi_ch_free_string(&original_target); + } + if (idview != NULL) { + char *rdnstr; + char *val; + struct berval bval; + int res; + struct backend_search_cbdata scbdata; + Slapi_RDN *rdn = slapi_rdn_new_all_dn(target); + if (rdn != NULL) { + res = slapi_rdn_get_first(rdn, &rdnstr, &val); + if (res == 1) { + bval.bv_len = strlen(val) + 1; + bval.bv_val = slapi_ch_strdup(val); + memset(&scbdata, 0, sizeof(scbdata)); + scbdata.idview = idview; + scbdata.target = target; + scbdata.pb = pb; + scbdata.state = cbdata.state; + scbdata.target_dn = slapi_sdn_new_dn_byval(target); + res = idview_replace_bval_by_override("rdn", rdnstr, &bval, &scbdata); + /* only accept uid overrides */ + if (res == 1) { + slapi_rdn_remove_index(rdn, 1); + slapi_rdn_add(rdn, "uid", bval.bv_val); + slapi_sdn_free(&cbdata.target_dn); + cbdata.target_dn = slapi_sdn_set_rdn(scbdata.target_dn, rdn); + map_data_foreach_map(cbdata.state, NULL, backend_locate_cb, &cbdata); + } + slapi_ber_bvdone(&bval); + slapi_rdn_free(&rdn); + idview_free_overrides(&scbdata); + } + } + } + slapi_ch_free_string(&target); + slapi_ch_free_string(&idview); + } +#endif *data = 
cbdata.entry_data; *group = cbdata.entry_group; *set = cbdata.entry_set; slapi_sdn_free(&cbdata.target_dn); - if (idview != NULL) { - slapi_ch_free_string(&cbdata.target); - } - slapi_ch_free_string(&idview); } /* Check if the target DN is part of this group's tree. If it is, return an diff --git a/src/back-sch.h b/src/back-sch.h index 9f0b201..26e12d1 100644 --- a/src/back-sch.h +++ b/src/back-sch.h @@ -131,6 +131,10 @@ void idview_process_overrides(struct backend_search_cbdata *cbdata, Slapi_Entry *entry); void idview_replace_target_dn(char **target, char **idview); void idview_replace_filter(struct backend_search_cbdata *cbdata); +/* Takes struct berval value of an attribute attr_name and replaces it with an override + * Returns 0 if no override was found, 1 for 'uid' replacement, 2 for ipaAnchorUUID replacement */ +int idview_replace_bval_by_override(const char *bval_usage, const char *attr_name, + struct berval *bval, struct backend_search_cbdata *cbdata); #endif #endif commit 778c95866f28d894822e37223b69816981d29529 Author: Alexander Bokovoy Date: Tue Oct 28 10:09:47 2014 +0200 ID views: ignore searches for views outside the subtrees of schema-compat sets schema-compat plugin may provide multiple disjoint subtrees which can be used to request overridden entries by prefixing the subtree suffix with a cn=,cn=views, As subtrees may be disjoint, we cannot rely on the common suffix. Thus, any attempt to replace target DN and update filter terms must only be done once we are sure the search will be done in the subtree. This optimization prevents mistakenly changing the search filter when FreeIPA and SSSD search for the ID overrides themselves, as the same structure of the target DN is used for cn=views,cn=accounts,$SUFFIX subtree in FreeIPA. This subtree is never handled by slapi-nis and should be ignored. https://bugzilla.redhat.com/show_bug.cgi?id=1157989 diff --git a/src/back-sch-idview.c b/src/back-sch-idview.c index 5a2b450..a56a9e9 100644 
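Review bot: in the new `#ifdef USE_IPA_IDVIEWS` block of `backend_locate`, `bval.bv_len = strlen(val) + 1;` counts the terminating NUL as part of the value; bervals carry the length without the terminator, so use `strlen(val)`, otherwise the `Slapi_Value` built from it in `idview_replace_bval_by_override` and any `%.*s` print of it carry a stray NUL byte that the stored `uid` does not. Also check the resource handling on the non-matching paths: `scbdata.target_dn = slapi_sdn_new_dn_byval(target)` is only consumed by `slapi_sdn_set_rdn` in the `res == 1` branch and appears to leak otherwise unless `idview_free_overrides()` releases it, and `rdn` is freed only inside `if (res == 1)` after `slapi_rdn_get_first`, so an RDN that cannot be split leaks it as well.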
--- a/src/back-sch-idview.c +++ b/src/back-sch-idview.c @@ -334,6 +334,10 @@ idview_process_filter_cb(Slapi_Filter *filter, const char *filter_type, struct b slapi_ber_bvdone(bval); slapi_ber_bvcpy(bval, slapi_value_get_berval(anchor_val)); config->override_found = TRUE; + slapi_log_error(SLAPI_LOG_PLUGIN, cbdata->state->plugin_desc->spd_id, + "Overriding the filter %s with %s=%*s from the override %s\n.", + filter_type, filter_type, bval->bv_len, bval->bv_val, + slapi_entry_get_dn_const(cbdata->overrides[i])); break; } } @@ -346,6 +350,11 @@ idview_process_filter_cb(Slapi_Filter *filter, const char *filter_type, struct b slapi_ber_bvdone(bval); slapi_ber_bvcpy(bval, slapi_value_get_berval(anchor_val)); config->override_found = TRUE; + slapi_log_error(SLAPI_LOG_PLUGIN, cbdata->state->plugin_desc->spd_id, + "Overriding the filter %s with %s=%*s from the override %s\n.", + filter_type, IPA_IDVIEWS_ATTR_ANCHORUUID, + bval->bv_len, bval->bv_val, + slapi_entry_get_dn_const(cbdata->overrides[i])); break; } @@ -366,8 +375,6 @@ idview_process_filter_cb(Slapi_Filter *filter, const char *filter_type, struct b * * Note that in reality we don't use original value of the uid/cn attribue. Instead, we use ipaAnchorUUID * to refer to the original entry. */ -extern char * -slapi_filter_to_string( const struct slapi_filter *f, char *buf, size_t bufsize ); void idview_replace_filter(struct backend_search_cbdata *cbdata) { From tjaalton at moszumanska.debian.org Thu Apr 2 11:25:54 2015 
From: tjaalton at moszumanska.debian.org (Timo Aaltonen)
Date: Thu, 02 Apr 2015 11:25:54 +0000
Subject: [Pkg-freeipa-devel] slapi-nis: Changes to 'refs/tags/debian/0.54.2-1'
Message-ID:

Tag 'debian/0.54.2-1' created by Timo Aaltonen at 2015-04-02 06:24 +0000

tagging package slapi-nis version debian/0.54.2-1

Changes since debian/0.54-1:
Alexander Bokovoy (8):
      ID views: ignore searches for views outside the subtrees of schema-compat sets
      schema-compat: support ID overrides in bind callback
      Tag slapi-nis 0.54.1
      Use slapi_entry_find_attr instead of slapi_entry_attr_exists
      schema-compat: use libnss_sss.so.2 explicitly to resolve trusted domain users via NSS
      nss: make sure to remember the length of reallocated buffer
      Make sure default buffer for nsswitch operations is big enough
      Tag release 0.54.2

Timo Aaltonen (3):
      Merge branch 'upstream'
      update the changelog
      releasing package slapi-nis version 0.54.2-1

---
 configure.ac          |    3
 debian/changelog      |    8 +
 doc/ipa/sch-ipa.txt   |   14 ++
 slapi-nis.spec        |   11 ++
 src/back-sch-idview.c |   86 ++++++++++++-----
 src/back-sch-nss.c    |  250 +++++++++++++++++++++++++++++++++++++++++++-------
 src/back-sch.c        |  150 +++++++++++++++++++++++++-----
 src/back-sch.h        |    9 +
 src/plug-sch.c        |    3
 src/plugin.h          |    1
 10 files changed, 448 insertions(+), 87 deletions(-)
---

From ftpmaster at ftp-master.debian.org Thu Apr 2 11:27:43 2015
From: ftpmaster at ftp-master.debian.org (Debian FTP Masters)
Date: Thu, 02 Apr 2015 11:27:43 +0000
Subject: [Pkg-freeipa-devel] Processing of slapi-nis_0.54.2-1_amd64.changes
Message-ID:

slapi-nis_0.54.2-1_amd64.changes uploaded successfully to localhost
along with the files:
  slapi-nis_0.54.2-1.dsc
  slapi-nis_0.54.2.orig.tar.gz
  slapi-nis_0.54.2-1.debian.tar.xz
  slapi-nis_0.54.2-1_amd64.deb

Greetings,

	Your Debian queue daemon (running on host franck.debian.org)

From ftpmaster at ftp-master.debian.org Thu Apr 2 11:33:44 2015
From: ftpmaster at ftp-master.debian.org (Debian FTP Masters)
Date: Thu, 02 Apr 2015 11:33:44 +0000
Subject: [Pkg-freeipa-devel] slapi-nis_0.54.2-1_amd64.changes ACCEPTED into unstable
Message-ID:

Accepted:

Format: 1.8
Date: Thu, 02 Apr 2015 09:24:07 +0300
Source: slapi-nis
Binary: slapi-nis
Architecture: source amd64
Version: 0.54.2-1
Distribution: unstable
Urgency: medium
Maintainer: Debian FreeIPA Team
Changed-By: Timo Aaltonen
Description:
 slapi-nis  - NIS Server and Schema Compatibility plugins for 389 Directory Ser
Closes: 781346
Changes:
 slapi-nis (0.54.2-1) unstable; urgency=medium
 .
   * New upstream bugfix release
     - CVE-2015-0283: infinite loop in getgrnam_r() and getgrgid_r()
       (Closes: #781346)

Thank you for your contribution to Debian.

From owner at bugs.debian.org Thu Apr 2 11:36:05 2015
From: owner at bugs.debian.org (Debian Bug Tracking System)
Date: Thu, 02 Apr 2015 11:36:05 +0000
Subject: [Pkg-freeipa-devel] Bug#781346: marked as done (slapi-nis: CVE-2015-0283: infinite loop in getgrnam_r() and getgrgid_r())
References: <20150327190334.17020.33078.reportbug@eldamar.local>
Message-ID:

Your message dated Thu, 02 Apr 2015 11:33:44 +0000
with message-id
and subject line Bug#781346: fixed in slapi-nis 0.54.2-1
has caused the Debian Bug report #781346,
regarding slapi-nis: CVE-2015-0283: infinite loop in getgrnam_r() and getgrgid_r()
to be marked as done.

This means that you claim that the problem has been dealt with.
If this is not the case it is now your responsibility to reopen the
Bug report if necessary, and/or fix the problem forthwith.

(NB: If you are a system administrator and have no idea what this
message is talking about, this may indicate a serious mail system
misconfiguration somewhere. Please contact owner at bugs.debian.org
immediately.)

-- 
781346: http://bugs.debian.org/cgi-bin/bugreport.cgi?bug=781346
Debian Bug Tracking System
Contact owner at bugs.debian.org with problems

-------------- next part --------------
An embedded message was scrubbed...
From: Salvatore Bonaccorso
Subject: slapi-nis: CVE-2015-0283: infinite loop in getgrnam_r() and getgrgid_r()
Date: Fri, 27 Mar 2015 20:03:34 +0100
Size: 2219
URL:
-------------- next part --------------
An embedded message was scrubbed...
From: Timo Aaltonen
Subject: Bug#781346: fixed in slapi-nis 0.54.2-1
Date: Thu, 02 Apr 2015 11:33:44 +0000
Size: 5433
URL:

From tjaalton at debian.org Thu Apr 2 12:03:36 2015
From: tjaalton at debian.org (Timo Aaltonen)
Date: Thu, 02 Apr 2015 15:03:36 +0300
Subject: [Pkg-freeipa-devel] Bug#781346: Bug#781346: slapi-nis: CVE-2015-0283: infinite loop in getgrnam_r() and getgrgid_r()
In-Reply-To: <20150327190334.17020.33078.reportbug@eldamar.local>
References: <20150327190334.17020.33078.reportbug@eldamar.local>
Message-ID: <551D3018.30406@debian.org>

On 27.03.2015 21:03, Salvatore Bonaccorso wrote:
> Source: slapi-nis
> Version: 0.54-1
> Severity: grave
> Tags: security upstream fixed-upstream
>
> Hi Timo,
>
> the following vulnerability was published for slapi-nis. I was not
> able to verify the issue itself but only checked patch-wise.
>
> CVE-2015-0283[0]:
> infinite loop in getgrnam_r() and getgrgid_r()
>
> If you fix the vulnerability please also make sure to include the
> CVE (Common Vulnerabilities & Exposures) id in your changelog entry.
>
> For further information see:
>
> [0] https://security-tracker.debian.org/tracker/CVE-2015-0283
> [1] https://bugzilla.redhat.com/show_bug.cgi?id=1195729

So I pushed a new upstream version instead of pulling commits, since
upstream said it needed all (four) commits between 0.54.1..0.54.2. And .1
brought only two commits more.

But this could be dropped from jessie too if necessary, there are no
packages that depend on it.

-- 
t

From tjaalton at moszumanska.debian.org Thu Apr 2 14:16:35 2015
From: tjaalton at moszumanska.debian.org (Timo Aaltonen)
Date: Thu, 02 Apr 2015 14:16:35 +0000
Subject: [Pkg-freeipa-devel] dogtag-pki: Changes to 'pristine-tar'
Message-ID:

 dogtag-pki_10.2.1.orig.tar.xz.delta |binary
 dogtag-pki_10.2.1.orig.tar.xz.id    | 1 +
 2 files changed, 1 insertion(+)

New commits:
commit 3cd102d3b59ce6523a47192ac2be453bc9bd3fa9
Author: Timo Aaltonen
Date: Thu Apr 2 15:50:28 2015 +0300

pristine-tar data for dogtag-pki_10.2.1.orig.tar.xz

diff --git a/dogtag-pki_10.2.1.orig.tar.xz.delta b/dogtag-pki_10.2.1.orig.tar.xz.delta
new file mode 100644
index 0000000..4670dd6
Binary files /dev/null and b/dogtag-pki_10.2.1.orig.tar.xz.delta differ
diff --git a/dogtag-pki_10.2.1.orig.tar.xz.id b/dogtag-pki_10.2.1.orig.tar.xz.id
new file mode 100644
index 0000000..a63fcae
--- /dev/null
+++ b/dogtag-pki_10.2.1.orig.tar.xz.id
@@ -0,0 +1 @@
+2b496b25701c71fedf6b0d0bc5bb6454b10fe6c6

From owner at bugs.debian.org Thu Apr 2 16:45:07 2015
From: owner at bugs.debian.org (Debian Bug Tracking System)
Date: Thu, 02 Apr 2015 16:45:07 +0000
Subject: [Pkg-freeipa-devel] Processed: block
References: <201504021838.37547.holger@layer-acht.org>
Message-ID:

Processing commands for control at bugs.debian.org:

> block 781607 by 781739
Bug #781607 [freeipa] freeipa: please package new upstream version
781607 was blocked by: 780354
781607 was not blocking any bugs.
Added blocking bug(s) of 781607: 781739
> thanks
Stopping processing here.

Please contact me if you need assistance.
--
781607: http://bugs.debian.org/cgi-bin/bugreport.cgi?bug=781607
Debian Bug Tracking System
Contact owner at bugs.debian.org with problems

From noreply at release.debian.org Sat Apr 4 04:39:03 2015
From: noreply at release.debian.org (Debian testing autoremoval watch)
Date: Sat, 04 Apr 2015 04:39:03 +0000
Subject: [Pkg-freeipa-devel] slapi-nis is marked for autoremoval from testing
Message-ID:

slapi-nis 0.54-1 is marked for autoremoval from testing on 2015-04-19

It is affected by these RC bugs:
781346: slapi-nis: CVE-2015-0283: infinite loop in getgrnam_r() and getgrgid_r()

From anbe at debian.org Tue Apr 7 20:44:48 2015
From: anbe at debian.org (Andreas Beckmann)
Date: Tue, 07 Apr 2015 22:44:48 +0200
Subject: [Pkg-freeipa-devel] Bug#781114: freeipa-client: unowned files after purge (policy 6.8, 10.8)
Message-ID: <20150407204448.10988.50440.reportbug@zam581.zam.kfa-juelich.de>

Followup-For: Bug #781114
Control: found -1 4.0.5-4

The attempt to fix this caused a regression during purge:

Removing freeipa-client (4.0.5-4) ...
Purging configuration files for freeipa-client (4.0.5-4) ...
rmdir: failed to remove '/etc/pki/nssdb': No such file or directory
dpkg: error processing package freeipa-client (--purge):
 subprocess installed post-removal script returned error exit status 1
Errors were encountered while processing:
 freeipa-client

Also a more proper way to fix this would be to ship the /etc/pki directory in the package and let dpkg care for creation and removal.

Andreas

-------------- next part --------------
A non-text attachment was scrubbed...
Name: freeipa-server_4.0.5-4.log.gz
Type: application/gzip
Size: 74814 bytes
Desc: not available
URL:

From owner at bugs.debian.org Tue Apr 7 20:48:09 2015
From: owner at bugs.debian.org (Debian Bug Tracking System)
Date: Tue, 07 Apr 2015 20:48:09 +0000
Subject: [Pkg-freeipa-devel] Processed: Re: freeipa-client: unowned files after purge (policy 6.8, 10.8)
References: <20150407204448.10988.50440.reportbug@zam581.zam.kfa-juelich.de> <201503241816.10525.holger@layer-acht.org>
Message-ID:

Processing control commands:

> found -1 4.0.5-4
Bug #781114 {Done: Timo Aaltonen } [freeipa-client] freeipa-client: unowned files after purge (policy 6.8, 10.8)
Marked as found in versions freeipa/4.0.5-4; no longer marked as fixed in versions freeipa/4.0.5-4 and reopened.

--
781114: http://bugs.debian.org/cgi-bin/bugreport.cgi?bug=781114
Debian Bug Tracking System
Contact owner at bugs.debian.org with problems

From owner at bugs.debian.org Wed Apr 8 16:21:14 2015
From: owner at bugs.debian.org (Debian Bug Tracking System)
Date: Wed, 08 Apr 2015 16:21:14 +0000
Subject: [Pkg-freeipa-devel] Processed: affects 781114, found 749317 in 2015.04.04, found 672183 in 0.12.45 ...
References: <1428509798-412-bts-anbe@debian.org>
Message-ID:

Processing commands for control at bugs.debian.org:

> affects 781114 + freeipa-server
Bug #781114 [freeipa-client] freeipa-client: unowned files after purge (policy 6.8, 10.8)
Added indication that 781114 affects freeipa-server
> found 749317 2015.04.04
Bug #749317 [debian-security-support] debian-security-support: unowned directory after purge: /var/lib/debian-security-support/
Marked as found in versions debian-security-support/2015.04.04.
> found 672183 0.12.45
Bug #672183 [apt-build] apt-build: unowned files after purge (policy 6.8, 10.8)
Marked as found in versions apt-build/0.12.45.
> retitle 672183 apt-build: unowned files after purge (policy 6.8, 10.8): /var/cache/apt-build/*
Bug #672183 [apt-build] apt-build: unowned files after purge (policy 6.8, 10.8)
Changed Bug title to 'apt-build: unowned files after purge (policy 6.8, 10.8): /var/cache/apt-build/*' from 'apt-build: unowned files after purge (policy 6.8, 10.8)'
> thanks
Stopping processing here.

Please contact me if you need assistance.
--
672183: http://bugs.debian.org/cgi-bin/bugreport.cgi?bug=672183
749317: http://bugs.debian.org/cgi-bin/bugreport.cgi?bug=749317
781114: http://bugs.debian.org/cgi-bin/bugreport.cgi?bug=781114
Debian Bug Tracking System
Contact owner at bugs.debian.org with problems

From noreply at release.debian.org Wed Apr 8 16:39:15 2015
From: noreply at release.debian.org (Debian testing watch)
Date: Wed, 08 Apr 2015 16:39:15 +0000
Subject: [Pkg-freeipa-devel] slapi-nis 0.54.2-1 MIGRATED to testing
Message-ID:

FYI: The status of the slapi-nis source package in Debian's testing distribution has changed.

Previous version: 0.54-1
Current version:  0.54.2-1

--
This email is automatically generated once a day. As the installation of new packages into testing happens multiple times a day you will receive later changes on the next day. See https://release.debian.org/testing-watch/ for more information.

From holger at layer-acht.org Wed Apr 1 13:02:40 2015
From: holger at layer-acht.org (Holger Levsen)
Date: Wed, 1 Apr 2015 15:02:40 +0200
Subject: [Pkg-freeipa-devel] Processed: Re: Bug#781607: freeipa: please package new upstream version
In-Reply-To: <1427891106.1699106.248030881.247D6F8C@webmail.messagingengine.com>
References: <201504011206.47528.holger@layer-acht.org> <1427891106.1699106.248030881.247D6F8C@webmail.messagingengine.com>
Message-ID: <201504011502.44139.holger@layer-acht.org>

Hi Ondřej,

On Wednesday, 1 April 2015, Ondřej Surý wrote:
> I suggest we wait for jessie release that is so close now and I will
> upgrade softhsm directly in unstable then. Sounds good?

sounds great, thanks for the heads up!

cheers,
Holger

-------------- next part --------------
A non-text attachment was scrubbed...
Name: signature.asc
Type: application/pgp-signature
Size: 828 bytes
Desc: This is a digitally signed message part.
URL:

From tjaalton at debian.org Thu Apr 9 11:37:00 2015
From: tjaalton at debian.org (Timo Aaltonen)
Date: Thu, 09 Apr 2015 14:37:00 +0300
Subject: [Pkg-freeipa-devel] selinux-policy-dev build-dependency
In-Reply-To: <201503241819.44207.holger@layer-acht.org>
References: <201503241819.44207.holger@layer-acht.org>
Message-ID: <5526645C.8000909@debian.org>

On 24.03.2015 19:19, Holger Levsen wrote:
> Hi,
>
> freeipa build-depends on selinux-policy-dev, which is not available in jessie.
> Does it really use some bits of selinux?
> And what's your recommendation regarding backports?

If you just want to backport the client, then there are a bunch of build-deps to drop anyway, this being one of them. And set ONLY_CLIENT=1 in debian/rules.

That said, looks like the server builds without selinux-policy-dev now.

--
t

From tjaalton at moszumanska.debian.org Thu Apr 9 12:42:38 2015
From: tjaalton at moszumanska.debian.org (Timo Aaltonen)
Date: Thu, 09 Apr 2015 12:42:38 +0000
Subject: [Pkg-freeipa-devel] dogtag-pki: Changes to 'master-next'
Message-ID:

New branch 'master-next' available with the following commits:

commit 320872a6ee019553566750f178b3e7289b1119fc
Author: Timo Aaltonen
Date: Tue Apr 7 10:32:03 2015 +0300

pki-server.install: Add sbin/pki-server.

commit 59ed408a39647cb1d29896fe1a6f310993ae7f4e
Author: Timo Aaltonen
Date: Tue Apr 7 10:31:33 2015 +0300

fix-jackson-paths.diff: Dropped, obsolete. Refresh other patches to drop unused jackson includes.

commit d9d30e7a241a9863d95f285ad52a6a28b4f2d235
Merge: 1ebd8d1 babd6e2
Author: Timo Aaltonen
Date: Thu Apr 2 17:12:49 2015 +0300

Merge tag 'DOGTAG_10_2_2_FEDORA_22_20150318' into master-next

Build for 10.2.2-1 for Fedora 22

commit 1ebd8d1241dc5b6e2bf7bfa4bcb5d9205406ae82
Author: Timo Aaltonen
Date: Thu Apr 2 17:12:16 2015 +0300

control: Add python-sphinx to build-depends.

commit b209c68fe7b3895f72f38d4b7d261f308ab6bfda
Author: Timo Aaltonen
Date: Thu Apr 2 17:11:51 2015 +0300

pki-tools.install: Add pki-ca-profile manpage.

commit 64eb7c4319182d896f5821a7b8b97c253e742c35
Author: Timo Aaltonen
Date: Thu Apr 2 16:22:28 2015 +0300

control: Drop libcrypt-ssleay-perl and libxml-perl from depends.

commit cf5950c6e4ef3e8841ae25f1f0644df731b7559d
Author: Timo Aaltonen
Date: Thu Apr 2 16:21:27 2015 +0300

update changelog, refresh patches and drop upstream ones

commit e18a73da109246469aeaaf2164c4f5fd9a5134d3
Merge: e8c9fc7 1676336
Author: Timo Aaltonen
Date: Thu Apr 2 15:31:06 2015 +0300

Merge branch 'experimental' into master-next

commit babd6e2bc75d89a5f7e5400b11751c5a52bfb1d1
Author: Matthew Harmsen
Date: Wed Mar 18 09:35:28 2015 -0600

Fix for pylint 1.3 --> 1.4

Placing 'ldap' on the whitelist was insufficient for the Fedora 22 i686 platform, therefore, ldap was added to 'ignored-modules'.
commit fa260ee8023c37936d432e52e69ade02a43cecee
Author: Matthew Harmsen
Date: Tue Mar 17 23:43:03 2015 -0600

Fix for pylint 1.3 --> 1.4 (e1101 - no member on all C extension)

- Reference: http://stackoverflow.com/questions/28437071/pylint-1-4-reports-e1101no-member-on-all-c-extensions

commit 0e118a4888caafccdd0a9268c958015d43db19d4
Author: Matthew Harmsen
Date: Tue Mar 17 19:50:46 2015 -0600

Removed problematic header file from CMakeLists.txt file that prevented compilation on Fedora 22.

commit a097ce0437449c4ef9d580a2f7fc3e94d5c26a8d
Author: Matthew Harmsen
Date: Tue Mar 17 14:56:06 2015 -0600

Fixed development script.

commit 67b24a0d3bd8fb11b359c0ebf5106544495fbe72
Author: Matthew Harmsen
Date: Tue Mar 17 14:39:32 2015 -0600

Update release number for release build (10.2.2)

commit 87ffc7a341860f3f1ece434e90e4bc33a02b8155
Author: Jack Magne
Date: Thu Mar 12 19:08:41 2015 -0700

NISTSP8000 feature.

Implementation of the nistSP800 derivation feature. Works for both supported scp01 cards and scp02 cards. During the various session key and key upgrade functions, the nist derivation code is being called.

Review comments addressed

Cleanup of some input validation on the TKS. Added some sanity checking on the TPS side for key versions and token cuid's and kdd's.

Final review comments.

Fixed issue with extracting the kdd from the AppletInfo class. Fixed issue with sending the KDD to the encryptData TKS servlet. Added requested entries to the CS.cfg.

commit f98e599b1e95572a589b8813bc6cb0c2e70fdd0b
Author: Fraser Tweedale
Date: Mon Mar 16 02:15:39 2015 -0400

Store groups on AuthToken and update group evaluator

Update the UidPwdDirAuthentication plugin to retrieve all the user's groups from a directory and store them on the AuthToken. Also update the group evaluator to match against all the groups stored in the AuthToken.
The "gid" and "groups" are merged into a single collection, if the ACL operation is "=" the collection is checked under disjunction, and if the operation is "!=", then conjunction.

Fixes https://fedorahosted.org/pki/ticket/1174

commit a44ccf872262b1289cd2577a6ba55071066a5209
Author: Matthew Harmsen
Date: Fri Mar 13 16:53:52 2015 -0600

Allow use of secure LDAPS connection

- PKI TRAC Ticket #1144 - pkispawn needs option to specify ca cert for ldap

commit a54e29d5be1b38158cc44a8bdeda5dcb96fd4096
Author: Niranjan Mallapadi
Date: Thu Mar 12 17:35:40 2015 +0530

Update pki-qe-tools.jar file

Add generateDualCRMFRequest.java and Certificate_Record.java

commit a1b68d34a82d0a27e2c5eccdcb8d4e866ddfd602
Author: Niranjan Mallapadi
Date: Thu Mar 12 17:35:03 2015 +0530

Port legacy clone drm tests to beaker

commit 22ab9648aa88af7d75f5bdd4490ce9444ee6dd67
Author: Niranjan Mallapadi
Date: Mon Mar 9 17:02:40 2015 +0530

Adding legacy ipa-tests and ca-clone tests

commit 84610884fa52ad47599d2e78eaecb339f081b1ee
Author: Matthew Harmsen
Date: Tue Mar 3 15:18:39 2015 -0700

PKI TRAC Ticket #1284 - pkispawn URL redirect issue (simple fix)

commit 69640a184ab10d78d57d5c3cd235eefc752bb859
Author: Matthew Harmsen
Date: Thu Mar 5 11:09:47 2015 -0700

Update compose_functions development script to account for remote tarballs and patches

PKI TRAC Ticket #1211 - New release overwrites old source tarball

commit 9bccfa9fcf2ea8361f1a32ea89ec69d37a4e43a8
Author: Endi S. Dewata
Date: Tue Feb 24 21:02:13 2015 -0500

Fixed CMake issues on F22.

Some CMake scripts have been updated to work on both F21 and F22.

https://fedorahosted.org/pki/ticket/1281

commit f39e3387f8a671ef97a08d1c0c3e4b2b6fd65ad3
Author: Jack Magne
Date: Mon Oct 13 13:40:59 2014 -0700

Ticket: TPS Rewrite: Implement Secure Channel Protocol 02 (#883).

First cut of gp211 and scp protocol 02 for tokens.

Allow token operations using a GP211 token over secure channel protocol 02.

This patch supports the following:

1. Token operations with a GP211 card and SCP02 protocol, implementation 15.
2. Token still supports GP201 cards with SCP01.
3. SCP02 tested with SC650 gp211/scp02 card.

Things still to do:

1. Right now the SCP02 support has been tested with the current gp201 applet and enrollment and formatting works just fine. We need to modify and compile the applet against the GP211 spec and retest to see if any further changes are needed.
2. The nistSP800 key derivation stuff is not completed for the SCP02 protocol. Some of the routines are self contained vs similar SCP01 ones. We have another ticket to complete the nistSP800 support from end to end. This work will be done for that ticket.
3. One of the new scp02 derivation functions can make use of a new NSS derive mechanism. As of now this work is done by simple encryption, this can be done later.
4. The security APDU level of "RMAC" is not supported because the card does not support it. It could have been done to the spec, but having the card to test is more convenient and there were more crucial issues to this point.

commit 7b1d897ba4cf9de1459d2aad37e969ce9a93a05a
Author: Endi S. Dewata
Date: Fri Feb 27 09:35:11 2015 -0500

Fixed systemd errors/warnings after upgrade.

The spec file has been modified to reload systemd daemon after upgrade to avoid errors/warnings when executing systemd commands.

https://fedorahosted.org/pki/ticket/1255

commit 5aafc086ce6467b652b5a7c26a494a921b980833
Author: Matthew Harmsen
Date: Thu Feb 26 23:55:47 2015 -0700

Fix for developer script on Fedora 21.

commit 538e71e1c90ec536fc984c7db0c33a8f29920ebc
Author: Endi S. Dewata
Date: Thu Jan 29 03:08:25 2015 -0500

Updated CRMFPopClient parameter handling.

The CRMFPopClient has been modified to use Apache Commons CLI library to handle the parameters. The help message has been rewritten to make it more readable. The submitRequest() will now display the error reason. The options in ClientCertRequestCLI have been simplified.
A new option was added to generate CRMF request without POP.

https://fedorahosted.org/pki/ticket/1074

commit 705084a0021e161f1b4cea25dbaf622cfe68c47e
Author: Ade Lee
Date: Wed Feb 11 16:28:50 2015 -0500

Add granularity to token termination in TPS

BZ 1163987. Added revocation checks to optionally revoke expired certs, and handle cases where certs are shared on multiple tokens.

commit 3b6664da6c762a592573d5fa05043ecca20bf7a7
Author: Ade Lee
Date: Thu Feb 5 11:48:27 2015 -0500

Bugzilla 1134405 - CRL publishing fails after Java heap out of memory error

Added fix from hot fix.

commit 9e2be082c37d55fc0b487ba2fe89341f48c48647
Author: Asha Akkiangady
Date: Tue Feb 24 11:54:12 2015 -0500

CA and SUBCA scep tests using sscep.

commit e5f4b484c518cc507bd314a2b654a049023a46ae
Author: Niranjan Mallapadi
Date: Tue Feb 24 10:38:31 2015 +0530

Port TKS legacy tests to beaker

commit 57e90f62dd46ba26d855a19208ee426340184d3b
Author: Niranjan Mallapadi
Date: Mon Feb 23 20:10:42 2015 +0530

Update rhcs-shared.sh with more shared functions

Add functions related to creating directory users and functions related to TPS

commit 88c44e8ea7c9583a552340141f2c4df07f5dab7b
Author: Asha Akkiangady
Date: Mon Feb 16 18:53:29 2015 -0500

CA renewal manual, directory authenticated and sslclient self renewal tests. Subca usergroup tests and new tests added to ca's usergroup.

commit 6d278c63f41ae998feedc2885e95fcfaa38ee46a
Author: Niranjan Mallapadi
Date: Mon Feb 16 20:44:52 2015 +0530

Port OCSP legacy tests to beaker framework

Some minor fixes to CA EE tests

commit 944372f857cd631c2cfc51ed7d090912fc2516ff
Author: Endi S. Dewata
Date: Thu Jan 29 21:50:46 2015 -0500

Refactored OCSPClient.

The OCSPClient CLI has been refactored into an OCSPProcessor utility class such that the functionality can be reused.
https://fedorahosted.org/pki/ticket/1202

commit 98b2407eef642cd95296c972393b0c0db46230be
Author: Christina Fu
Date: Wed Feb 11 11:56:29 2015 -0800

ticket#822 creates root CA subject DN when renewing with empty params.name in orig profile

commit cdad249ce00305a165d272d86f100d05edf97db2
Author: Endi S. Dewata
Date: Wed Feb 11 13:57:44 2015 -0500

Refactored LDAPDatabase.createFilter().

The createFilter() method in LDAPDatabase has been changed to construct an LDAP filter based on a keyword and a set of attributes with their values. This will allow searching the database based on specific attribute values. The subclasses of LDAPDatabase have been updated accordingly.

https://fedorahosted.org/pki/ticket/1164

commit 91c77390474d67cfd0c15b8b3377997b3f0cd38a
Author: Christina Fu
Date: Fri Jan 30 10:36:45 2015 -0800

Ticket#1028 Phase1:TPS rewrite: provide externalReg functionality

commit 44ffed301e9b4267718f3f8e9f3fcc5f666d8e5c
Author: Endi S. Dewata
Date: Fri Feb 6 13:08:16 2015 -0500

Fixed additional pylint warnings.

The pki CLI has been modified to remove additional pylint warnings that appear on Fedora 22.

https://fedorahosted.org/pki/ticket/703

commit 2d33053b87a225dc9887a735108bb62269eafe60
Author: Endi S. Dewata
Date: Wed Jan 14 10:36:37 2015 -0500

Fixed problem cloning Dogtag 10.1.x to 10.2.x.

The JSON format of security domain info has changed between Dogtag 10.1.x and 10.2.x, so the Python client library has been changed to accommodate both formats.

https://fedorahosted.org/pki/ticket/1235

commit dfe55982eb50750fc1e65bce312d884b1604f0b4
Author: Endi S. Dewata
Date: Fri Jan 30 15:49:27 2015 -0500

Fixed pylint report.

Previously the pylint report was saved into a file which may not be accessible on a build system. The pylint-build-scan.sh has been changed to display the report so it will appear in the build log. The pylint configuration has also been modified to disable C and R messages by default.
This way when other errors or warnings occur the build will fail without having to check for specific codes. Some Python codes have been modified to reduce the number of pylint warnings.

https://fedorahosted.org/pki/ticket/703

commit 8fc5acb72ac9fdbc70b8a6e7242890f9dbeccf56
Author: Endi S. Dewata
Date: Mon Feb 2 14:43:16 2015 -0500

Added missing python-lxml build dependency.

The python-lxml is actually needed to avoid pylint failures during build so it has been added as a build dependency.

https://fedorahosted.org/pki/ticket/1252

commit fb77f0de6d3ae097f71434ed547f3490bfc48dd2
Author: Endi S. Dewata
Date: Fri Jan 30 15:49:27 2015 -0500

Updated Resteasy and Jackson dependencies

In Fedora 22 the Resteasy package has been split into several subpackages. The pki-core.spec has been modified to depend on more specific Resteasy packages which depend only on Jackson 1.x. The classpaths and various scripts have been modified to remove unused references to Jackson 2.x.

https://fedorahosted.org/pki/ticket/1254

commit c416878297b365f018983e4d62ba9bcb9404f218
Author: Niranjan Mallapadi
Date: Tue Feb 3 17:51:49 2015 +0530

Add Legacy drm-logs and some subca tests

Sub CA cert-enrollment, profiles and logs are added
DRM logs are added
Signed-off-by: Niranjan Mallapadi

commit 73cd00cf53815b523b114d108abd077cdb97094e
Author: Roshni Pattath
Date: Mon Feb 2 13:10:36 2015 -0500

Modified test-ids

commit 6d46be4ebf4cbbe3114f3b39394f4e8ac2d701ad
Author: Roshni Pattath
Date: Mon Feb 2 11:30:38 2015 -0500

Subca legacy tests

Related changes to Makefile, runtest, rhcs-shared and create role users

commit ffdea31833332a5ed853700fac2186bfa37638a7
Author: Niranjan Mallapadi
Date: Thu Jan 29 18:10:40 2015 +0530

Add legacy drm tests

commit 1d23b03170ba615003d4b7d5d42bbc5de6d12f0d
Author: Niranjan Mallapadi
Date: Thu Jan 29 17:20:40 2015 +0530

Add legacy CA logs tests

commit 64441cd0333ffd19ddbf5b0d22711650541fabbb
Author: Niranjan Mallapadi
Date: Thu Jan 29 17:16:15 2015 +0530

Add legacy cert-enrollment tests

commit 7f742c4968b22bde4b2464df65dec88d23463788
Author: Niranjan Mallapadi
Date: Thu Jan 29 17:06:48 2015 +0530

Add CA Profiles legacy tests

commit 7de81fedeba1a3904c127dc612a937903e622d81
Author: Endi S. Dewata
Date: Tue Jan 27 00:35:59 2015 -0500

Refactored CRMFPopClient.

The CRMFPopClient has been refactored such that it is easier to understand and reuse. The code has been fixed such that it can read a normal PEM transport certificate. It also has been fixed to parse the request submission result properly.

The client-cert-request CLI command was modified to support CRMF requests. The MainCLI and ClientConfig were modified to accept a security token name. The pki_java_command_wrapper.in was modified to include the Apache Commons IO library.

https://fedorahosted.org/pki/ticket/1074

commit 22ff1fbd2de37395e219a7e7362722517a3f4dc3
Author: Endi S. Dewata
Date: Fri Jan 23 13:23:53 2015 -0500

Disabling subsystem on selftest failure.

The SelfTestSubsystem has been modified such that if the selftest fails it will invoke the pki-server CLI to undeploy and disable the failing subsystem. The Tomcat instance and other subsystems not depending on this subsystem will continue to run.
Once the problem is fixed, the admin can enable the subsystem again with the pki-server CLI.

https://fedorahosted.org/pki/ticket/745

commit 3294ac64d9e71f76309d2cc12a2c256838fe8666
Author: Endi S. Dewata
Date: Tue Jan 20 22:11:50 2015 -0500

Added server management CLI.

A new pki-server CLI has been added to manage the instances and subsystems using the server management library. This CLI manages the system files directly, so it can only be run locally on the server by the system administrator.

The autoDeploy setting in server.xml has been enabled by default. An upgrade script has been added to enable the autoDeploy setting in existing instances.

https://fedorahosted.org/pki/ticket/1183

commit a578cf649c0c41676677cf0a6ede03ea8d6fedb7
Author: Endi S. Dewata
Date: Sat Oct 11 13:18:45 2014 -0400

Added server management library.

The PKISubsystem and PKIInstance classes used by the upgrade framework have been converted into a server management library. They have been enhanced to provide the following functionalities:
* starting and stopping instances
* enabling and disabling subsystems
* checking instance and subsystem statuses

The validate() invocation has been moved out of the constructors into the upgrade framework such that these objects can be created to represent subsystems and instances that do not exist yet.

https://fedorahosted.org/pki/ticket/1183

commit 2d574090ba49eec9647b78b44d841a6d6026dccf
Author: Endi S. Dewata
Date: Sun Oct 12 00:16:55 2014 -0400

Moved web application deployment locations.

Currently web applications are deployed into Host's appBase (i.e. /webapps). To allow better control of individual subsystem deployments, the web applications have to be moved out of the appBase so that the autoDeploy can work properly later.

This patch moves the common web applications to / common/webapps and subsystem web applications to / /webapps. An upgrade script has been added to update existing deployments.
https://fedorahosted.org/pki/ticket/1183

commit 8bafe7988740ce078eac8624121459b5357a7501
Author: Roshni Pattath
Date: Thu Jan 22 17:10:51 2015 -0500

CA EE OCSP and related java files

commit 98315fc0fb56030b5b99616f52e16a1cbbd5056c
Author: Roshni Pattath
Date: Wed Jan 21 16:06:27 2015 -0500

crlissuingpoint dir was spelled wrong in Makefile and runtest.sh

commit b1fa2b492c5d7710297c102aaad30ae1d7d14405
Author: Roshni Pattath
Date: Wed Jan 21 15:55:49 2015 -0500

Fixed some typos in Makefile and runtest.sh

commit 08562edc81e9631a6d4a2c7afe70c6c661f19bd9
Author: Endi S. Dewata
Date: Tue Jan 20 14:47:59 2015 -0500

Fixed exception chains in ConfigurationUtils.

The ConfigurationUtils has been modified such that if an exception is triggered by another exception the exceptions will be chained.

https://fedorahosted.org/pki/ticket/915

commit 802f7471d5ee65e3c4d99b528bb6d8526c277185
Author: Endi S. Dewata
Date: Tue Jan 20 09:25:32 2015 -0500

Added support for exception chains in EBaseException.

The EBaseException has been modified to provide constructors that can be used to chain the cause of the exception. This way the root cause of the exception can be traced back to help troubleshooting. Some codes have been modified to utilize the proper exception chaining as examples.

https://fedorahosted.org/pki/ticket/915

commit deb188bffd38f82396c47411381a875020ca748b
Author: Endi S. Dewata
Date: Tue Jan 20 09:25:32 2015 -0500

Removed unnecessary EBaseException constructor.

The EBaseException(String msgFormat, String param) constructor has been removed because it's only used once and can be substituted with another constructor. All subclasses of EBaseException have been updated accordingly.
https://fedorahosted.org/pki/ticket/915

commit 82e0e34e350929b2139f7c0a20c0c3a00d7fcf92
Author: Roshni Pattath
Date: Tue Jan 20 16:33:31 2015 -0500

CA Admin Porting tests

Internaldb, authplugin, acl, crlissuing point, agent-crl, publishing

commit b54b03f461b6e0657270c0affa64a00cef1b3f37
Author: Matthew Harmsen
Date: Mon Jan 19 16:36:59 2015 -0700

Synced spec files with DOGTAG_10_2_RHEL_BRANCH

commit 8edbdcb5dc369c430c5b1fdd8831152e5706d17e
Author: Matthew Harmsen
Date: Thu Jan 8 16:59:52 2015 -0700

Updated version number to 10.2.2-0.1

commit 1d9e4e14f996380ec81d905e8f69435986648e26
Author: Matthew Harmsen
Date: Thu Jan 8 15:35:16 2015 -0700

Updated version number to 10.2.2-0.1

commit 16763369a9358d30419dff86c293313a25ee6bf9
Author: Matthew Harmsen
Date: Thu Jan 8 14:54:33 2015 -0700

Update release number for release build (10.2.1-1)

commit 0b6cfad8f1c566bc296ee8bd8be8b84e14b31ae6
Author: Matthew Harmsen
Date: Wed Jan 7 16:04:45 2015 -0700

Fixed bash syntax error

- Bugzilla Bug #1147924 - dogtag: syntax errors in /usr/share/pki/scripts/operations

commit 9e8c5189ab6cce6ded77316439b9fee92e27487c
Author: Fraser Tweedale
Date: Thu Oct 30 01:58:15 2014 -0400

Enable Authority Key Identifier CRL extension by default

RFC 5280 states:

Conforming CRL issuers are REQUIRED to include the authority key identifier (Section 5.2.1) and the CRL number (Section 5.2.3) extensions in all CRLs issued.

Accordingly, update CS.cfg so that the Authority Key Identifier extension is enabled by default.

commit 422c1392992b28d41d8e4fe037acb6b1117345da
Author: Asha Akkiangady
Date: Tue Jan 6 15:21:04 2015 -0500

Installer tests for CA, KRA, OCSP and TKS.
commit 4efce3c2a3bfb69068208ca0e06ea8235befdbb8
Author: Roshni Pattath
Date: Mon Jan 5 12:40:39 2015 -0500

Minor changes relating to CI modifications

commit 4c910296a6c6c8bf74fbdace740680db2f1fecab
Author: Christina Fu
Date: Tue Dec 2 14:38:08 2014 -0800

Ticket #864 866 (part 1 symkey, common) NIST SP800-108 KDF - this patch does not include TPS side of changes: (#865 needs to be rewritten in Java)

commit 00b1c33272900613687448ccab7809ba794679f6
Author: Matthew Harmsen
Date: Tue Dec 16 15:55:20 2014 -0700

Update dependencies

- PKI TRAC Ticket #1187 - mod_perl should be removed from requirements for 10.2
- PKI TRAC Ticket #1205 - Outdated selinux-policy dependency.
- Removed perl(XML::LibXML), perl-Crypt-SSLeay, and perl-Mozilla-LDAP runtime dependencies

commit 21d831010a7e0fe8d21e1ee286eb654bad6a21e3
Author: Jack Magne
Date: Thu Dec 11 20:20:40 2014 -0800

Fix-for-Bug-1170867-TPS-Installation-Failed

Fix now includes last review comments where we decided to consolidate 3 of the ldif files: schema.ldif, database.ldif, and manager.ldif. Each one of these 3 files contains the data needed for any subsystem for that file. The subsystem specific files for these 3 go away in the source tree.

The first iteration of this fix was copying these 3 files into an undesirable directory. This is no longer the case. Extra code in the python installer allows one to establish a "file exclusion" callback to keep a set of desired files from being copied when the installer does a directory copy.

All subsystems have been tested, including TPS with a brand new DS (which was the original reason for this fix), and they appear to work fine.

Addressed further review comments:

1. Removed trailing whitespace instances from schema.ldif which had some.
2. Used pycharm to remove the few PEP violations I had previously added to the Python code.
3. Changed the format of the schema.ldif file to make all the entries use the same style. Previously the TPS entries were using an all in one syntax.
No more since now each entry is separate.
4. Changed the name of an argument in one of the new Python methods to get rid of a camelCase instance.
5. Tested everything to work as before, including basic TPS operations such as Format.

Fixed a method comment string and fixed some typos.

commit 4083b0d6fd3af89cf638224d0081d9dd76eb1192
Author: Christina Fu
Date: Tue Dec 16 16:58:11 2014 -0800

Ticket 1180 RFE: show link to request record from cert display

commit 6c0b6628e51bec01884174001f34dfce5e28c75d
Author: Christina Fu
Date: Tue Dec 16 15:39:41 2014 -0800

Ticket 1173 Directory-based renewal evaluator fails authorization

commit cdebcd5a05544dfde1b904c3fc99ce97fa68fb98
Author: Fraser Tweedale
Date: Thu Dec 4 02:01:38 2014 -0500

Decode challengePassword attribute as DirectoryString

The PKCS #9 challengePassword attribute has DirectoryString syntax. Dogtag currently attempts only to decode it as a PrintableString, causing failures when the attribute is encoded as a UTF8String.

Add method DerValue.getDirectoryString() to decode any of the valid DirectoryString encodings and update ChallengePassword to use it.

https://fedorahosted.org/pki/ticket/1221

commit 8f06f412bedc992ea030ec6d548f35de966b0ff5
Author: Ade Lee
Date: Fri Dec 12 15:27:09 2014 -0500

Require resteasy sub modules for F22+

commit 5d82ad42001875e28a48ba374d4a467c9ec91f5c
Author: Endi S. Dewata
Date: Tue Dec 2 17:25:55 2014 -0500

Added rangeUnit property to certificate profiles.

A new optional property has been added to certificate profiles to specify the range unit. The default range unit is 'day'. The code has been modified to use the Calendar API to calculate the end of validity range based on the range unit.
https://fedorahosted.org/pki/ticket/1226

commit aab703ab457ff02d8623933a15574a556dae5e99
Author: Matthew Harmsen
Date: Fri Dec 12 14:51:02 2014 -0700

Modified RHEL Source URL to prevent potential collisions with Fedora releases

- PKI TRAC #1211 - New release overwrites old source tarball

commit bd411710a735f49147fa085fda000857a5370627
Author: Endi S. Dewata
Date: Wed Nov 26 03:19:35 2014 -0500

Cleaned up clone installation code.

The code in ConfigurationUtils has been cleaned up and reformatted to improve readability.

commit 78371f0ecd801ccfb1a637ba8dd95a7f4dd051b9
Author: Endi S. Dewata
Date: Wed Nov 26 03:19:35 2014 -0500

Fixed problem importing renewed system certificate.

Previously during clone installation if the PKCS12 file contains both expired and renewed certificates the code might incorrectly import the expired certificate instead of the renewed one, thus failing the installation. The code has been fixed to validate the certificates in the PKCS12 file such that only the valid ones will be imported into the clone.

https://fedorahosted.org/pki/ticket/1093

commit 96f61e1c7e73c91400c2364009dfb1742b509ced
Author: Niranjan Mallapadi
Date: Mon Dec 8 22:01:44 2014 +0530

comment lines which add cert to TEMP NSS DB

Modify generate_new_cert function to comment out the lines which add the CA signing cert and user/server cert to Temp NSS DB

commit 492180494f5db82ded637c9a12666e4df4a4bda1
Author: Niranjan Mallapadi
Date: Mon Dec 8 19:24:57 2014 +0530

Add CA Legacy profile tests

commit 713f1840695c684a63898e29524946c01f1d55a0
Author: Asha Akkiangady
Date: Sat Dec 6 08:13:56 2014 -0500

CLI user-add and ca-user-add tests modified to have random strings generated with openssl rand and $RANDOM.
commit 7ed1c2e78f7531821c7e5a998b97ee1b7fb6b5a8 Author: Roshni Pattath Date: Fri Dec 5 12:19:51 2014 -0500 Some updates to the script for certutil commit 335046c3a66f1eaad159ab60b6731a81ad67946a Author: Roshni Pattath Date: Fri Dec 5 12:15:55 2014 -0500 Changed the CA Host parameter commit f955714b64a41026915ce328484181d76e456318 Author: Fraser Tweedale Date: Thu Sep 25 01:39:40 2014 -0400 Fix BasicConstraints min/max path length check The BasicConstraintsExtConstraint min/max path length validity check ensures that the max length is greater than the min length, however, when a negative value is used to represent "no max", the check fails. Only compare the min and max length if the max length is non-negative. Ticket #1035 commit d9e1069c748b06ccd1261bebdebfb748df7344a2 Author: Matthew Harmsen Date: Thu Dec 4 14:29:43 2014 -0700 Spec file changes to support the following issues: - Ticket 1198 Bugzilla 1158410 add TLS range support to server.xml by default (cfu) - PKI Trac Ticket #1211 - New release overwrites old source tarball (mharmsen) - TLS Compliance commit e8d1af05925ca06d568e49f89cf107d97baeb36d Author: Matthew Harmsen Date: Thu Dec 4 11:21:09 2014 -0700 Fix spec file to address the following ticket: - PKI Trac Ticket #1211 - New release overwrites old source tarball commit cc8e2ebf392468831428601403f6e0ca7507c11a Author: Matthew Harmsen Date: Mon Dec 1 12:49:10 2014 -0700 Remove legacy multilib JNI_JAR_DIR logic * Bugzilla Bug #1165351 - Errata TPS test fails due to dependent packages not found (cherry picked from commit d7a0807b7493fc3d86900ee4aaf8199efd824907) Conflicts: base/java-tools/templates/pki_java_command_wrapper.in base/java-tools/templates/pretty_print_cert_command_wrapper.in base/java-tools/templates/pretty_print_crl_command_wrapper.in base/server/python/pki/server/deployment/pkiparser.py base/server/scripts/operations (cherry picked from commit c8d73ade2c651fd5ca01226c89d5d19828bfc9b7) commit 7eb362d4955a12835479d2bfaa7d364ea4cd7e1f Author: 
Roshni Pattath Date: Thu Dec 4 11:55:08 2014 -0500 Removed reference to files that are not added to git commit 5503f04f3e06e69ec9de837ff83d50a6db9a6ddc Author: Roshni Pattath Date: Thu Dec 4 01:27:12 2014 -0500 KRA group test scripts and CI changes commit d92c531cf02c900bf952e654b6b9bb753acfe3b1 Author: Roshni Pattath Date: Wed Dec 3 22:30:52 2014 -0500 Changes to Makefile and runtest.sh Included files relating to bug verification commit ea3e179baf473b159942cdc0246226c4561fb754 Author: Roshni Pattath Date: Wed Dec 3 22:22:02 2014 -0500 RHEL 7.1 bug verification automation commit cda03aebb5245701f95ca5c929dc2e9b626eacbf Author: Niranjan Mallapadi Date: Mon Dec 1 19:45:47 2014 +0530 Minor changes to pki-ca-cert-cli-release & revoke commit 85d77cfea7d52baecac73d09940cd8aee1c9e224 Author: Niranjan Mallapadi Date: Mon Dec 1 16:42:52 2014 +0530 Add minor fixes to cert-release-hold and revoke In pki cert-revoke, comment the SUBCA test, because when jobs are ran in parallel, this can go for a very big loop. 
commit 4c27c392f634a86f25909c53e48f1dfb9e34a9e1 Author: Niranjan Mallapadi Date: Mon Dec 1 15:25:36 2014 +0530 Minor fixes to pki-cert.sh commit e5a9fd0427bd4546fe53f0f63569d6fbe9e27af3 Author: Niranjan Mallapadi Date: Mon Dec 1 15:24:52 2014 +0530 Minor fixes to pki-cert-cli-lib.sh commit 1e9024758746b879a013099a3873a68d9d9fb9d0 Author: Niranjan Mallapadi Date: Mon Dec 1 15:24:22 2014 +0530 Modify ca profile cli's tests with minor changes commit 4ca08a3c42352b4baf7b99e7bc4a03240ebebcca Author: Niranjan Mallapadi Date: Wed Nov 26 21:24:25 2014 +0530 emove /dev/urandom from kra-key-cli commit 6b1d5758fd906e7f2b5a4b64a5318647af9d3836 Author: Niranjan Mallapadi Date: Wed Nov 26 21:19:55 2014 +0530 Remove /dev/urandom from key-cli commit 3b7a8fcc533a212af06fa7a8b00dda01b57cc66a Author: Niranjan Mallapadi Date: Wed Nov 26 18:03:49 2014 +0530 Remove /dev/urandom from ca-cert-cli Replace /dev/urandom for junk characters with openssl rand and user $RANDOM for random integer values commit e1b4f5b01e2632e24e6d13ce6f7381c5f7e9b293 Author: Niranjan Mallapadi Date: Wed Nov 26 17:40:05 2014 +0530 Replace /dev/urandom with openssl rand commit cfeb77bb5d79f0e131948e864a1dcba2451758f6 Author: Endi S. Dewata Date: Fri Nov 21 18:45:08 2014 -0500 Improvements for KeyClient.archive_encrypted_data(). The archive_encrypted_data() in KeyClient has been modified to have a default value for the algorithm OID and to take a nonce IV object instead of the base-64 encoded value. https://fedorahosted.org/pki/ticket/1155 https://fedorahosted.org/pki/ticket/1156 commit 93a8a1f66b401d6a8f46a14d1143feb1ade21de9 Author: Endi S. Dewata Date: Fri Nov 21 16:16:33 2014 -0500 Removed profile input/output IDs from CLI output. From tjaalton at moszumanska.debian.org Thu Apr 9 14:33:14 2015 
From: tjaalton at moszumanska.debian.org (Timo Aaltonen) Date: Thu, 09 Apr 2015 14:33:14 +0000 Subject: [Pkg-freeipa-devel] freeipa: Changes to 'master' Message-ID: debian/changelog | 9 +++++++++ debian/control | 1 - debian/freeipa-client.dirs | 1 + debian/freeipa-client.postrm | 2 -- 4 files changed, 10 insertions(+), 3 deletions(-) New commits: commit 244e2a207b3c70c732c23eaaf58dee29a9db32eb Author: Timo Aaltonen Date: Thu Apr 9 17:27:11 2015 +0300 releasing package freeipa version 4.0.5-5 diff --git a/debian/changelog b/debian/changelog index 19c373c..645af02 100644 --- a/debian/changelog +++ b/debian/changelog @@ -1,11 +1,11 @@ -freeipa (4.0.5-5) UNRELEASED; urgency=medium +freeipa (4.0.5-5) unstable; urgency=medium * control: Drop selinux-policy-dev from build-depends, not needed anymore. * client.dirs,postrm: Drop removing /etc/pki/nssdb from postrm and let dpkg handle it. (Closes: #781114) - -- Timo Aaltonen Thu, 09 Apr 2015 14:39:31 +0300 + -- Timo Aaltonen Thu, 09 Apr 2015 17:16:37 +0300 freeipa (4.0.5-4) unstable; urgency=medium commit ee71be0e108a4daaa643cba0451f6a6853b44984 Author: Timo Aaltonen Date: Thu Apr 9 17:13:38 2015 +0300 client.dirs,postrm: Drop removing /etc/pki/nssdb from postrm and let dpkg handle it. (Closes: #781114) diff --git a/debian/changelog b/debian/changelog index 36e035b..19c373c 100644 --- a/debian/changelog +++ b/debian/changelog @@ -2,6 +2,8 @@ freeipa (4.0.5-5) UNRELEASED; urgency=medium * control: Drop selinux-policy-dev from build-depends, not needed anymore. + * client.dirs,postrm: Drop removing /etc/pki/nssdb from postrm and let + dpkg handle it. (Closes: #781114) -- Timo Aaltonen Thu, 09 Apr 2015 14:39:31 +0300 diff --git a/debian/freeipa-client.dirs b/debian/freeipa-client.dirs index fb10645..e5c26bf 100644 --- a/debian/freeipa-client.dirs +++ b/debian/freeipa-client.dirs @@ -1,2 +1,3 @@ etc/ipa +etc/pki/nssdb var/lib/ipa-client/sysrestore 
diff --git a/debian/freeipa-client.postrm b/debian/freeipa-client.postrm index 2585426..65d1d9a 100644 --- a/debian/freeipa-client.postrm +++ b/debian/freeipa-client.postrm @@ -7,8 +7,6 @@ if [ "$1" = purge ]; then rm -f /etc/pki/nssdb/cert8.db \ /etc/pki/nssdb/key3.db \ /etc/pki/nssdb/secmod.db - rmdir /etc/pki/nssdb - rmdir /etc/pki fi #DEBHELPER# commit 781bdc91964dec687e30cc20366b0f6f53d409c9 Author: Timo Aaltonen Date: Thu Apr 9 14:39:34 2015 +0300 control: Drop selinux-policy-dev from build-depends, not needed anymore. diff --git a/debian/changelog b/debian/changelog index 248b601..36e035b 100644 --- a/debian/changelog +++ b/debian/changelog @@ -1,3 +1,10 @@ +freeipa (4.0.5-5) UNRELEASED; urgency=medium + + * control: Drop selinux-policy-dev from build-depends, not needed + anymore. + + -- Timo Aaltonen Thu, 09 Apr 2015 14:39:31 +0300 + freeipa (4.0.5-4) unstable; urgency=medium * control: Fix freeipa-tests depends. diff --git a/debian/control b/debian/control index 461b5b6..96a34a6 100644 --- a/debian/control +++ b/debian/control @@ -52,7 +52,6 @@ Build-Depends: python-yubico, rhino, samba-dev, - selinux-policy-dev, systemd, uuid-dev Standards-Version: 3.9.6 From tjaalton at moszumanska.debian.org Thu Apr 9 14:33:29 2015 
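Review bot: in the debian/freeipa-client.postrm hunk, dropping both `rmdir` lines hands removal of /etc/pki/nssdb to dpkg through the new `etc/pki/nssdb` entry in freeipa-client.dirs, and dpkg only removes a packaged directory once it is empty; the surviving `rm -f` deletes exactly cert8.db, key3.db and secmod.db, so any other file written into /etc/pki/nssdb at runtime would keep the directory, and with it the unowned-files report from #781114, alive after purge. Consider stating that assumption in the changelog entry or checking after the `rm -f` that nothing else remains, and note that /etc/pki itself is no longer removed at all, which is right only as long as dpkg created it on behalf of this package.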
From: tjaalton at moszumanska.debian.org (Timo Aaltonen)
Date: Thu, 09 Apr 2015 14:33:29 +0000
Subject: [Pkg-freeipa-devel] freeipa: Changes to 'refs/tags/debian/4.0.5-5'
Message-ID:

Tag 'debian/4.0.5-5' created by Timo Aaltonen at 2015-04-09 14:27 +0000

tagging package freeipa version debian/4.0.5-5
-----BEGIN PGP SIGNATURE-----
Version: GnuPG v1

iQIcBAABAgAGBQJVJow/AAoJEMtwMWWoiYTcELcP/RajWRoFeqMholdQS0ZUlBc2
2y3n70QILXJdxnOkPg9m4mWfftg4XBmU4pXOTNOhVyclK/el+jtLvxYwAqvgkkzs
sCwfEFXi99pHwijZZx9RnITqrt39BzCP40G95XvI19OUL4WAsqePnYcBqPKlPSSK
dxIjQE0cjsbnq7qz8p3JxiUv2T5QbZsOcsQM7vvdhlzBerNOVHxWziOVIBAMHNWc
iRhZWOpjsn7JEwNlPsu13Mo9TwTE4WlNwpkOZV6gJk5Oe3631PtTECs8hl38+E5r
b0vZCNZoMeiimGLeht3d+Mm3qKvXgow8aecNyGBft5dLXK1g7ZAOF/Vup57z8gLt
eLfoC67JT8DxD2jhD8EBBgUGVZgjDMywPEj4nhvi7ydH/GNy0peJcg3db1H/E1E4
cmjH6Y5Sbx4MaZPDr2ggErQ32CmomSRn8Dn6gVpi2UcDzV7aO38IbX0HU45V+dgQ
KO+M6kAe1Jg019yYjGGK7tSj0O6e5cyttEvk1zM6oyKc5Zkk9ex9dtEAsELOayg0
B8gugNr6OD21rCKd87IX2Wfrx0O5AsbzzzqEanW3IbJ9MSyc1AYJWVfXLC1amseP
FlixsUyV1NCDyfiKSBIYyboe0QqTEIUjtCQPiIc9HRBH0aTX9JAzd3I1NaW7SpJZ
/RW1o1faNXDXiPHWb+Ke
=Q515
-----END PGP SIGNATURE-----

Changes since debian/4.0.5-4:
Timo Aaltonen (3):
      control: Drop selinux-policy-dev from build-depends, not needed anymore.
      client.dirs,postrm: Drop removing /etc/pki/nssdb from postrm and let dpkg handle it. (Closes: #781114)
      releasing package freeipa version 4.0.5-5

---
 debian/changelog             |    9 +++++++++
 debian/control               |    1 -
 debian/freeipa-client.dirs   |    1 +
 debian/freeipa-client.postrm |    2 --
 4 files changed, 10 insertions(+), 3 deletions(-)
---

From ftpmaster at ftp-master.debian.org Thu Apr 9 14:34:07 2015
From: ftpmaster at ftp-master.debian.org (Debian FTP Masters)
Date: Thu, 09 Apr 2015 14:34:07 +0000
Subject: [Pkg-freeipa-devel] Processing of freeipa_4.0.5-5_amd64.changes
Message-ID:

freeipa_4.0.5-5_amd64.changes uploaded successfully to localhost
along with the files:
  freeipa_4.0.5-5.dsc
  freeipa_4.0.5.orig.tar.gz
  freeipa_4.0.5-5.debian.tar.xz
  freeipa-server_4.0.5-5_amd64.deb
  freeipa-server-trust-ad_4.0.5-5_amd64.deb
  freeipa-client_4.0.5-5_amd64.deb
  freeipa-admintools_4.0.5-5_amd64.deb
  freeipa-tests_4.0.5-5_amd64.deb
  python-freeipa_4.0.5-5_amd64.deb

Greetings,

	Your Debian queue daemon (running on host franck.debian.org)

From ftpmaster at ftp-master.debian.org Thu Apr 9 15:34:35 2015
From: ftpmaster at ftp-master.debian.org (Debian FTP Masters)
Date: Thu, 09 Apr 2015 15:34:35 +0000
Subject: [Pkg-freeipa-devel] freeipa_4.0.5-5_amd64.changes ACCEPTED into unstable
Message-ID:

Accepted:

-----BEGIN PGP SIGNED MESSAGE-----
Hash: SHA1

Format: 1.8
Date: Thu, 09 Apr 2015 17:16:37 +0300
Source: freeipa
Binary: freeipa-server freeipa-server-trust-ad freeipa-client freeipa-admintools freeipa-tests python-freeipa
Architecture: source amd64
Version: 4.0.5-5
Distribution: unstable
Urgency: medium
Maintainer: Debian FreeIPA Team
Changed-By: Timo Aaltonen
Description:
 freeipa-admintools - FreeIPA centralized identity framework -- admintools
 freeipa-client - FreeIPA centralized identity framework -- client
 freeipa-server - FreeIPA centralized identity framework -- server
 freeipa-server-trust-ad - FreeIPA centralized identity framework -- AD trust installer
 freeipa-tests - FreeIPA centralized identity framework -- tests
 python-freeipa - FreeIPA centralized identity framework -- Python modules
Closes: 781114
Changes:
 freeipa (4.0.5-5) unstable; urgency=medium
 .
   * control: Drop selinux-policy-dev from build-depends, not needed anymore.
   * client.dirs,postrm: Drop removing /etc/pki/nssdb from postrm and let
     dpkg handle it.
     (Closes: #781114)
Checksums-Sha1:
 3a3ae6731ca66b4fb469c1f4b0efc283c0921c5d 2969 freeipa_4.0.5-5.dsc
 1b690aae94b34e81a612363a4624994f14ffd79f 4730699 freeipa_4.0.5.orig.tar.gz
 0bc71e7eac24a91104d3c9d3c32c7f1e6a945ee9 22560 freeipa_4.0.5-5.debian.tar.xz
 a408a4197e25384cb463592b6d3ca66568fff86b 690228 freeipa-server_4.0.5-5_amd64.deb
 b80051a057e90200e8e3cc0b594546bef65fcf2b 78196 freeipa-server-trust-ad_4.0.5-5_amd64.deb
 3cb9162afc3ce10a56b9064a45661f1dae856a75 83300 freeipa-client_4.0.5-5_amd64.deb
 10011c4e8edeed269567b8a1a527b87e60496adb 13414 freeipa-admintools_4.0.5-5_amd64.deb
 cf80367acae2fa8291725be42750f424415a8a62 221204 freeipa-tests_4.0.5-5_amd64.deb
 1404dd89c132db8e31f0e4f978f69c2c4437c2e0 518986 python-freeipa_4.0.5-5_amd64.deb
Checksums-Sha256:
 22ef45ae2a20a5edb22cf04b4642cff0b8761f3e27617a3ea7998c1ec7d96267 2969 freeipa_4.0.5-5.dsc
 fa95de2b99d242a4a794d316bc272333e954eefd2857ebdac7380ceabca5c8cd 4730699 freeipa_4.0.5.orig.tar.gz
 e130a1a3022f3d40abcb6ec185838953f26e782b7250a3ca7dbdaa326783ae6f 22560 freeipa_4.0.5-5.debian.tar.xz
 f9b422cd10192046108b53dbbff7225a9b58c8ecd6afe81f84bb9da3f08bc56d 690228 freeipa-server_4.0.5-5_amd64.deb
 709da26de83ef1d6bb0723eaf0589b032d0ef7a4ae842c45ba05345ff274433a 78196 freeipa-server-trust-ad_4.0.5-5_amd64.deb
 4f81daa9582f99aee50ea15b912edcbba58eb6181910c80f8530f286ed0b8799 83300 freeipa-client_4.0.5-5_amd64.deb
 9667c9b39f6dd074dcb314b21291148d3746abc7d0badb67937e00d5232c172b 13414 freeipa-admintools_4.0.5-5_amd64.deb
 247cfe82ee583856dc6555a41f5ca5c6f54e541e814899860d9a823f83b9be9d 221204 freeipa-tests_4.0.5-5_amd64.deb
 243237a50665ef73fc31514621a123c27a7ee5fcb8c9ff07cc33ff94752c2af0 518986 python-freeipa_4.0.5-5_amd64.deb
Files:
 21eef8d2be74f65c7ae45c70c89a5feb 2969 net extra freeipa_4.0.5-5.dsc
 dc0ebfe24a20bd850641df05ff0a7268 4730699 net extra freeipa_4.0.5.orig.tar.gz
 5d2567b10608a4d3ef47da0d09f73376 22560 net extra freeipa_4.0.5-5.debian.tar.xz
 1aeb1753191b18ac6c4129d6ec3d5880 690228 net extra freeipa-server_4.0.5-5_amd64.deb
 4f02aaa94c4bad334bcabd01a191031a 78196 net extra freeipa-server-trust-ad_4.0.5-5_amd64.deb
 5e51830de778230ec23d552744511920 83300 net extra freeipa-client_4.0.5-5_amd64.deb
 3973f66592b9f378d617a62ddcb19fef 13414 net extra freeipa-admintools_4.0.5-5_amd64.deb
 83b5e7737b2d8514014391d07ff6f215 221204 net extra freeipa-tests_4.0.5-5_amd64.deb
 b3503e264c38b98a35d2d5701c802f3e 518986 python extra python-freeipa_4.0.5-5_amd64.deb

-----BEGIN PGP SIGNATURE-----
Version: GnuPG v1

iQIcBAEBAgAGBQJVJo2EAAoJEMtwMWWoiYTcfsgP/AoQw1pJuS69SX9tue9X6x44
Y2ENNmJvIeDLgwOCdSYuZgEGqEHHmTXthNCBjdlY9hDgDPajYBnh82eAmt/ZVxdA
mQFsjgbDp3RDluZeEmEzLv1jkKHK7ZM8RzBZN6lnri/Qs9RmYGpmOdUrwueLbYT9
8za8/tGLs5vFibzYAJsO05KIIUmvG2XukRZMqn8Fa2LJEncJu9EvHrXEzzTKhgDu
fe4LPQlDI9ce5nUjE0oac0rtAD6MvBJmWbKDsE37JXh7P/KJUzMOQ17zxVdtl2T3
chc18t8+7qTavv9aeWsjN5iRfnAfjXFNlQknh85UvKDr9Piy4JAoHYAq9XEI4/ty
TBffepjdewa5FlNw/Yn6uHRFXULNOQ6YZI2c2mWxHsDn7x+GGEk4Y0bxVCFKVkdf
U6eZZ+8rUVimJqDCB2zz5bsEflsV2fBoEoXL6VEoIUa2kHUdpvOfEAuhW1n2nTI/
Oq6ODI0ukxgfXczpiu+ZgE37LViO0mum5F3PLi8c/0bO/9FIptf+uAWcTzsiW4vE
F2yOxKRJdZIKx3L+19j+skVHGmDMdpsz4fMtMvpoqi8o1GVpoqwg8jtYK83ZS/WG
cwIf/WciH1xbJrOtBsWiykS+JcSaPSQNik0C8XMRsKXqIBqEiyOV7HwqCm+4hBJL
fluqzugq2ggJ+xYmXjmw
=uhcD
-----END PGP SIGNATURE-----

Thank you for your contribution to Debian.

From owner at bugs.debian.org Thu Apr 9 15:39:13 2015
From: owner at bugs.debian.org (Debian Bug Tracking System)
Date: Thu, 09 Apr 2015 15:39:13 +0000
Subject: [Pkg-freeipa-devel] Bug#781114: marked as done (freeipa-client: unowned files after purge (policy 6.8, 10.8))
References: <201503241816.10525.holger@layer-acht.org>
Message-ID:

Your message dated Thu, 09 Apr 2015 15:34:35 +0000
with message-id
and subject line Bug#781114: fixed in freeipa 4.0.5-5
has caused the Debian Bug report #781114,
regarding freeipa-client: unowned files after purge (policy 6.8, 10.8)
to be marked as done.

This means that you claim that the problem has been dealt with.
If this is not the case it is now your responsibility to reopen the
Bug report if necessary, and/or fix the problem forthwith.

(NB: If you are a system administrator and have no idea what this
message is talking about, this may indicate a serious mail system
misconfiguration somewhere. Please contact owner at bugs.debian.org
immediately.)

-- 
781114: http://bugs.debian.org/cgi-bin/bugreport.cgi?bug=781114
Debian Bug Tracking System
Contact owner at bugs.debian.org with problems
-------------- next part --------------
An embedded message was scrubbed...
From: Holger Levsen
Subject: freeipa-client: unowned files after purge (policy 6.8, 10.8)
Date: Tue, 24 Mar 2015 18:16:08 +0100
Size: 143428
URL:
-------------- next part --------------
An embedded message was scrubbed...
From: Timo Aaltonen
Subject: Bug#781114: fixed in freeipa 4.0.5-5
Date: Thu, 09 Apr 2015 15:34:35 +0000
Size: 7290
URL:

From elbrus at debian.org Mon Apr 13 17:49:10 2015
From: elbrus at debian.org (Paul Gevers)
Date: Mon, 13 Apr 2015 19:49:10 +0200
Subject: [Pkg-freeipa-devel] freeipa-server backport to Jessie?
In-Reply-To: <552B9015.6070204@aixigo.de>
References: <552B9015.6070204@aixigo.de>
Message-ID: <552C0196.4050401@debian.org>

Hi Harald,

On 13-04-15 11:44, Harald Dunkel wrote:
> would it be reasonable to hope for a backport of freeipa-\
> server to Jessie?

I may have missed something, but I don't think we have started the
Jessie backports yet. Or do you mean something else?

Paul
-------------- next part --------------
A non-text attachment was scrubbed...
Name: signature.asc
Type: application/pgp-signature
Size: 473 bytes
Desc: OpenPGP digital signature
URL:

From tjaalton at debian.org Tue Apr 14 05:41:16 2015
From: tjaalton at debian.org (Timo Aaltonen)
Date: Tue, 14 Apr 2015 08:41:16 +0300
Subject: [Pkg-freeipa-devel] freeipa-server backport to Jessie?
In-Reply-To: <552C0196.4050401@debian.org>
References: <552B9015.6070204@aixigo.de> <552C0196.4050401@debian.org>
Message-ID: <552CA87C.6030309@debian.org>

On 13.04.2015 20:49, Paul Gevers wrote:
> Hi Harald,
>
> On 13-04-15 11:44, Harald Dunkel wrote:
>> would it be reasonable to hope for a backport of freeipa-\
>> server to Jessie?
>
> I may have missed something, but I don't think we have started the
> Jessie backports yet. Or do you mean something else?

Server backport isn't too useful before replicas work, and that needs
libldap built against nss. Until that you're limited to single-server
setups.

-- 
t

From harald.dunkel at aixigo.de Tue Apr 14 09:15:37 2015
From: harald.dunkel at aixigo.de (Harald Dunkel)
Date: Tue, 14 Apr 2015 11:15:37 +0200
Subject: [Pkg-freeipa-devel] freeipa-server backport to Jessie?
In-Reply-To: <552CA87C.6030309@debian.org>
References: <552B9015.6070204@aixigo.de> <552C0196.4050401@debian.org> <552CA87C.6030309@debian.org>
Message-ID: <552CDAB9.6040204@aixigo.de>

Hi Timo,

On 04/14/15 07:41, Timo Aaltonen wrote:
> On 13.04.2015 20:49, Paul Gevers wrote:
>> Hi Harald,
>>
>> On 13-04-15 11:44, Harald Dunkel wrote:
>>> would it be reasonable to hope for a backport of freeipa-\
>>> server to Jessie?
>>
>> I may have missed something, but I don't think we have started the
>> Jessie backports yet. Or do you mean something else?
>
> Server backport isn't too useful before replicas work, and that needs
> libldap built against nss. Until that you're limited to single-server
> setups.
>

Of course I recognized that freeipa has a pretty huge list
of versioned dependencies. Is there something that would be
too difficult to backport to Jessie?

I really would like to avoid choosing another Linux distro
for such a major infrastructure component.

Regards
Harri

From tjaalton at debian.org Tue Apr 14 10:01:31 2015
From: tjaalton at debian.org (Timo Aaltonen)
Date: Tue, 14 Apr 2015 13:01:31 +0300
Subject: [Pkg-freeipa-devel] freeipa-server backport to Jessie?
In-Reply-To: <552CDAB9.6040204@aixigo.de>
References: <552B9015.6070204@aixigo.de> <552C0196.4050401@debian.org> <552CA87C.6030309@debian.org> <552CDAB9.6040204@aixigo.de>
Message-ID: <552CE57B.1050002@debian.org>

On 14.04.2015 12:15, Harald Dunkel wrote:
> Hi Timo,
>
> On 04/14/15 07:41, Timo Aaltonen wrote:
>> On 13.04.2015 20:49, Paul Gevers wrote:
>>> Hi Harald,
>>>
>>> On 13-04-15 11:44, Harald Dunkel wrote:
>>>> would it be reasonable to hope for a backport of freeipa-\
>>>> server to Jessie?
>>>
>>> I may have missed something, but I don't think we have started the
>>> Jessie backports yet. Or do you mean something else?
>>
>> Server backport isn't too useful before replicas work, and that needs
>> libldap built against nss. Until that you're limited to single-server
>> setups.
>>
>
> Of course I recognized that freeipa has a pretty huge list
> of versioned dependencies. Is there something that would be
> too difficult to backport to Jessie?

No, dogtag, bind-dyndb-ldap and freeipa itself should be all that's
needed, if you're ok with the single-server limitation.

Patching openldap to build libldap-nss-2.4-2 (or such) isn't trivial, as
the nss build would need patches of its own (or lots of ifdefs)

http://pkgs.fedoraproject.org/cgit/openldap.git/commit/?id=592250ebfbcc7aa47f22bf1f8613fe20f33fd39a

> I really would like to avoid choosing another Linux distro
> for such a major infrastructure component.

I think a CentOS install would be the best bet for now.

-- 
t

From holger at layer-acht.org Wed Apr 15 13:00:21 2015
From: holger at layer-acht.org (Holger Levsen)
Date: Wed, 15 Apr 2015 15:00:21 +0200
Subject: [Pkg-freeipa-devel] freeipa-server backport to Jessie?
In-Reply-To: <552CE57B.1050002@debian.org>
References: <552B9015.6070204@aixigo.de> <552CDAB9.6040204@aixigo.de> <552CE57B.1050002@debian.org>
Message-ID: <201504151500.23915.holger@layer-acht.org>

Hi Timo,

On Tuesday, 14 April 2015, Timo Aaltonen wrote:
> >> Server backport isn't too useful before replicas work, and that needs
> >> libldap built against nss. Until that you're limited to single-server
> >> setups.

uhm.

> No, dogtag, bind-dyndb-ldap and freeipa itself should be all that's
> needed, if you're ok with the single-server limitation.

we have that working here...

> Patching openldap to build libldap-nss-2.4-2 (or such) isn't trivial, as
> the nss build would need patches of its own (or lots of ifdefs)

which component needs openldap? freeipa uses the 389ds ldap service so I'm a
bit surprised by this...

> I think a CentOS install would be the best bet for now.

I'd be glad to work on overcoming this...

cheers,
	Holger
-------------- next part --------------
A non-text attachment was scrubbed...
Name: signature.asc
Type: application/pgp-signature
Size: 828 bytes
Desc: This is a digitally signed message part.
URL:

From tjaalton at debian.org Wed Apr 15 13:18:50 2015
From: tjaalton at debian.org (Timo Aaltonen)
Date: Wed, 15 Apr 2015 16:18:50 +0300
Subject: [Pkg-freeipa-devel] freeipa-server backport to Jessie?
In-Reply-To: <201504151500.23915.holger@layer-acht.org>
References: <552B9015.6070204@aixigo.de> <552CDAB9.6040204@aixigo.de> <552CE57B.1050002@debian.org> <201504151500.23915.holger@layer-acht.org>
Message-ID: <552E653A.1040209@debian.org>

On 15.04.2015 16:00, Holger Levsen wrote:
> Hi Timo,
>
> On Tuesday, 14 April 2015, Timo Aaltonen wrote:
>>>> Server backport isn't too useful before replicas work, and that needs
>>>> libldap built against nss. Until that you're limited to single-server
>>>> setups.
>
> uhm.
>
>> No, dogtag, bind-dyndb-ldap and freeipa itself should be all that's
>> needed, if you're ok with the single-server limitation.
>
> we have that working here...
>
>> Patching openldap to build libldap-nss-2.4-2 (or such) isn't trivial, as
>> the nss build would need patches of its own (or lots of ifdefs)
>
> which component needs openldap? freeipa uses the 389ds ldap service so I'm a
> bit surprised by this...

ldaps:// access uses libldap + gnutls on Debian, but libldap + moznss on
Fedora world, and the latter is what Freeipa expects when setting up
replicas.

>> I think a CentOS install would be the best bet for now.
>
> I'd be glad to work on overcoming this...

http://www.freeipa.org/page/V4/Replica_Promotion

Simo Sorce on #freeipa is glad to help you get going ;) The GSSAPI part
could be finished earlier than the rest of the replica install rewrite.
But this all has an "optimistic" release goal of 4.2, so later this year
maybe.

-- 
t
-------------- next part --------------
A non-text attachment was scrubbed...
Name: signature.asc
Type: application/pgp-signature
Size: 819 bytes
Desc: OpenPGP digital signature
URL:

From holger at layer-acht.org Wed Apr 15 13:22:30 2015
From: holger at layer-acht.org (Holger Levsen)
Date: Wed, 15 Apr 2015 15:22:30 +0200
Subject: [Pkg-freeipa-devel] freeipa-server backport to Jessie?
In-Reply-To: <552E653A.1040209@debian.org>
References: <552B9015.6070204@aixigo.de> <201504151500.23915.holger@layer-acht.org> <552E653A.1040209@debian.org>
Message-ID: <201504151522.33528.holger@layer-acht.org>

Hi,

On Wednesday, 15 April 2015, Timo Aaltonen wrote:
> ldaps:// access uses libldap + gnutls on Debian, but libldap + moznss on
> Fedora world, and the latter is what Freeipa expects when setting up
> replicas.

I see. I thought Debian's freeipa server would use the same libs as Fedora's...
can't the Debian packages be built using libldap + moznss on Debian too?

> >> I think a CentOS install would be the best bet for now.
> > I'd be glad to work on overcoming this...
> http://www.freeipa.org/page/V4/Replica_Promotion
>
> Simo Sorce on #freeipa is glad to help you get going ;) The GSSAPI part
> could be finished earlier than the rest of the replica install rewrite.

thanks for the pointers!

> but this all has an "optimistic" release goal of 4.2, so later this year
> maybe.

ui, that's a rather long roadmap :/

cheers,
	Holger
-------------- next part --------------
A non-text attachment was scrubbed...
Name: signature.asc
Type: application/pgp-signature
Size: 828 bytes
Desc: This is a digitally signed message part.
URL:

From tjaalton at debian.org Wed Apr 15 13:37:24 2015
From: tjaalton at debian.org (Timo Aaltonen)
Date: Wed, 15 Apr 2015 16:37:24 +0300
Subject: [Pkg-freeipa-devel] freeipa-server backport to Jessie?
In-Reply-To: <201504151522.33528.holger@layer-acht.org>
References: <552B9015.6070204@aixigo.de> <201504151500.23915.holger@layer-acht.org> <552E653A.1040209@debian.org> <201504151522.33528.holger@layer-acht.org>
Message-ID: <552E6994.3000602@debian.org>

On 15.04.2015 16:22, Holger Levsen wrote:
> Hi,
>
> On Wednesday, 15 April 2015, Timo Aaltonen wrote:
>> ldaps:// access uses libldap + gnutls on Debian, but libldap + moznss on
>> Fedora world, and the latter is what Freeipa expects when setting up
>> replicas.
>
> I see. I thought Debian's freeipa server would use the same libs as Fedora's...
> can't the Debian packages be built using libldap + moznss on Debian too?

That's "separate libldap built against nss" again.. I'm not going to put
effort on that anymore, and it wouldn't help jessie either.

-- 
t
-------------- next part --------------
A non-text attachment was scrubbed...
Name: signature.asc
Type: application/pgp-signature
Size: 819 bytes
Desc: OpenPGP digital signature
URL:

From harald.dunkel at aixigo.de Wed Apr 15 13:42:52 2015
From: harald.dunkel at aixigo.de (Harald Dunkel)
Date: Wed, 15 Apr 2015 15:42:52 +0200
Subject: [Pkg-freeipa-devel] freeipa-server backport to Jessie?
In-Reply-To: <552CE57B.1050002@debian.org>
References: <552B9015.6070204@aixigo.de> <552C0196.4050401@debian.org> <552CA87C.6030309@debian.org> <552CDAB9.6040204@aixigo.de> <552CE57B.1050002@debian.org>
Message-ID: <20150415154252.6f6026a2@dpcl082.ac.aixigo.de>

Hi Timo,

On Tue, 14 Apr 2015 13:01:31 +0300
Timo Aaltonen wrote:

> On 14.04.2015 12:15, Harald Dunkel wrote:
> > I really would like to avoid choosing another Linux distro
> > for such a major infrastructure component.
>
> I think a CentOS install would be the best bet for now.
>

Would it be possible to migrate the database from CentOS's
to Debian's ipa later?

Regards
Harri
-------------- next part --------------
A non-text attachment was scrubbed...
Name: signature.asc
Type: application/pgp-signature
Size: 198 bytes
Desc: not available
URL:

From holger at layer-acht.org Wed Apr 15 13:40:21 2015
From: holger at layer-acht.org (Holger Levsen)
Date: Wed, 15 Apr 2015 15:40:21 +0200
Subject: [Pkg-freeipa-devel] freeipa-server backport to Jessie?
In-Reply-To: <552E6994.3000602@debian.org>
References: <552B9015.6070204@aixigo.de> <201504151522.33528.holger@layer-acht.org> <552E6994.3000602@debian.org>
Message-ID: <201504151540.23859.holger@layer-acht.org>

Hi,

On Wednesday, 15 April 2015, Timo Aaltonen wrote:
> That's "separate libldap built against nss" again.. I'm not going to put
> effort on that anymore, and it wouldn't help jessie either.

ah. so the steps would be:

a.) build libldap against nss
b.) rebuild freeipa-server against that libldap
c.) enjoy a freeipa server capable of replication

?

I agree this is not suitable for Debian's jessie-backports but it would be
useful to have such a repo.

cheers,
	Holger
-------------- next part --------------
A non-text attachment was scrubbed...
Name: signature.asc
Type: application/pgp-signature
Size: 828 bytes
Desc: This is a digitally signed message part.
URL:

From holger at layer-acht.org Wed Apr 15 13:46:16 2015
From: holger at layer-acht.org (Holger Levsen)
Date: Wed, 15 Apr 2015 15:46:16 +0200
Subject: [Pkg-freeipa-devel] freeipa-server backport to Jessie?
In-Reply-To: <552E6994.3000602@debian.org>
References: <552B9015.6070204@aixigo.de> <201504151522.33528.holger@layer-acht.org> <552E6994.3000602@debian.org>
Message-ID: <201504151546.18424.holger@layer-acht.org>

On Wednesday, 15 April 2015, Timo Aaltonen wrote:
> That's "separate libldap built against nss" again.. I'm not going to put
> effort on that anymore, and it wouldn't help jessie either.

for the record, this is "#725153: migrate to libnss3".
-------------- next part --------------
A non-text attachment was scrubbed...
Name: signature.asc
Type: application/pgp-signature
Size: 828 bytes
Desc: This is a digitally signed message part.
URL:

From tjaalton at debian.org Wed Apr 15 14:10:27 2015
From: tjaalton at debian.org (Timo Aaltonen)
Date: Wed, 15 Apr 2015 17:10:27 +0300
Subject: [Pkg-freeipa-devel] freeipa-server backport to Jessie?
In-Reply-To: <20150415154252.6f6026a2@dpcl082.ac.aixigo.de>
References: <552B9015.6070204@aixigo.de> <552C0196.4050401@debian.org> <552CA87C.6030309@debian.org> <552CDAB9.6040204@aixigo.de> <552CE57B.1050002@debian.org> <20150415154252.6f6026a2@dpcl082.ac.aixigo.de>
Message-ID: <552E7153.9030205@debian.org>

On 15.04.2015 16:42, Harald Dunkel wrote:
> Hi Timo,
>
> On Tue, 14 Apr 2015 13:01:31 +0300
> Timo Aaltonen wrote:
>
>> On 14.04.2015 12:15, Harald Dunkel wrote:
>>> I really would like to avoid choosing another Linux distro
>>> for such a major infrastructure component.
>>
>> I think a CentOS install would be the best bet for now.
>>
>
> Would it be possible to migrate the database from CentOS's
> to Debian's ipa later?

I don't see why not.

-- 
t
-------------- next part --------------
A non-text attachment was scrubbed...
Name: signature.asc
Type: application/pgp-signature
Size: 819 bytes
Desc: OpenPGP digital signature
URL:

From tjaalton at debian.org Wed Apr 15 14:11:30 2015
From: tjaalton at debian.org (Timo Aaltonen)
Date: Wed, 15 Apr 2015 17:11:30 +0300
Subject: [Pkg-freeipa-devel] freeipa-server backport to Jessie?
In-Reply-To: <201504151540.23859.holger@layer-acht.org>
References: <552B9015.6070204@aixigo.de> <201504151522.33528.holger@layer-acht.org> <552E6994.3000602@debian.org> <201504151540.23859.holger@layer-acht.org>
Message-ID: <552E7192.6030105@debian.org>

On 15.04.2015 16:40, Holger Levsen wrote:
> Hi,
>
> On Wednesday, 15 April 2015, Timo Aaltonen wrote:
>> That's "separate libldap built against nss" again.. I'm not going to put
>> effort on that anymore, and it wouldn't help jessie either.
>
> ah. so the steps would be:
>
> a.) build libldap against nss
> b.) rebuild freeipa-server against that libldap

From what I can tell it's a runtime thing, so no need to rebuild
freeipa/389 against the new libldap, but guess it doesn't matter at that
point.

-- 
t
-------------- next part --------------
A non-text attachment was scrubbed...
Name: signature.asc
Type: application/pgp-signature
Size: 819 bytes
Desc: OpenPGP digital signature
URL:

From holger at layer-acht.org Wed Apr 15 16:45:39 2015
From: holger at layer-acht.org (Holger Levsen)
Date: Wed, 15 Apr 2015 18:45:39 +0200
Subject: [Pkg-freeipa-devel] freeipa-server backport to Jessie?
In-Reply-To: <201504151546.18424.holger@layer-acht.org>
References: <552B9015.6070204@aixigo.de> <552E6994.3000602@debian.org> <201504151546.18424.holger@layer-acht.org>
Message-ID: <201504151845.50064.holger@layer-acht.org>

Hi,

this has become off-topic for debian-backports so please don't include
debian-backports at lists.debian.org in your replies.

On Wednesday, 15 April 2015, Holger Levsen wrote:
> On Wednesday, 15 April 2015, Timo Aaltonen wrote:
> > That's "separate libldap built against nss" again.. I'm not going to put
> > effort on that anymore, and it wouldn't help jessie either.

to build the openldap package against libnss3-dev, one has to:

- in debian/control: replace the build-dependency on libgnutls28-dev with
  libnss3-dev
- in debian/configure.options: use --with-tls=moznss (instead of --with-tls)
  and also add the line "CPPFLAGS=-I/usr/include/nss\ -I/usr/include/nspr
  LDFLAGS=-L/usr/lib/x86_64-linux-gnu/nss" somewhere.

With that the build still fails with

smbk5pwd.c:1073:4: warning: too many arguments for format [-Wformat-extra-args]
smbk5pwd.c:968:2: warning: variable 'dummy_ad' set but not used [-Wunused-but-set-variable]
  dummy_ad;
  ^
Makefile:50: recipe for target 'smbk5pwd.lo' failed
make[2]: *** [smbk5pwd.lo] Error 1
make[2]: Leaving directory './openldap-2.4.40+dfsg/contrib/slapd-modules/smbk5pwd'

but that should be easy to work around by not building the slapd packages or
contrib modules (as freeipa-server users won't need slapd anyway...)

I haven't done this now, but will update this bug once I've done so. (Which
might take some weeks...)

cheers,
	Holger
-------------- next part --------------
A non-text attachment was scrubbed...
Name: signature.asc
Type: application/pgp-signature
Size: 828 bytes
Desc: This is a digitally signed message part.
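A check that goes with the two technical points in this thread: Timo's note that Debian's libldap does ldaps:// through GnuTLS while FreeIPA replica setup expects the Fedora-style libldap built against Mozilla NSS, and the openldap rebuild recipe in the message above. The script below is an added example, not code from the thread, from freeipa or from the openldap package; it classifies which TLS library a libldap build links against from `ldd` output, so a rebuilt package can be verified before freeipa-server is pointed at it. The library path in the usage comment is an assumed Debian multiarch path, and the two `ldd` outputs it ships with are constructed samples.

```sh
#!/bin/sh
# Added example (not from this thread, freeipa or openldap): classify the TLS
# library a libldap build links against, from `ldd` (or `objdump -p`) output.
# Debian's libldap links GnuTLS, Fedora's links Mozilla NSS (libnss3), and the
# NSS build is what FreeIPA expects when setting up replicas.

# ldap_tls_backend: read linker output on stdin and print exactly one of
# nss | gnutls | openssl | none. The first matching pattern wins.
ldap_tls_backend() {
    out=$(cat)
    case "$out" in
        *libnss3.so*)   echo nss ;;
        *libgnutls.so*) echo gnutls ;;
        *libssl.so*)    echo openssl ;;
        *)              echo none ;;
    esac
}

# expect_backend LIB WANT: return 0 only if LIB links the wanted backend.
# LIB is an assumed path such as /usr/lib/x86_64-linux-gnu/libldap-2.4.so.2
expect_backend() {
    lib=$1
    want=$2
    [ -r "$lib" ] || { echo "$lib: not found" >&2; return 1; }
    got=$(ldd "$lib" | ldap_tls_backend)
    if [ "$got" = "$want" ]; then
        echo "$lib: TLS backend $got (ok)"
        return 0
    fi
    echo "$lib: TLS backend $got, expected $want" >&2
    return 1
}

# Constructed ldd output for a Debian-style (GnuTLS) libldap ...
SAMPLE_GNUTLS='    liblber-2.4.so.2 => /usr/lib/x86_64-linux-gnu/liblber-2.4.so.2 (0x00007f00)
    libgnutls.so.30 => /usr/lib/x86_64-linux-gnu/libgnutls.so.30 (0x00007f01)
    libc.so.6 => /lib/x86_64-linux-gnu/libc.so.6 (0x00007f02)'
# ... and for a Fedora-style (moznss) libldap.
SAMPLE_NSS='    libnss3.so => /lib64/libnss3.so (0x00007f10)
    libnspr4.so => /lib64/libnspr4.so (0x00007f11)
    libc.so.6 => /lib64/libc.so.6 (0x00007f12)'

# Stand-alone run: classify both constructed samples.
printf '%s\n' "$SAMPLE_GNUTLS" | ldap_tls_backend
printf '%s\n' "$SAMPLE_NSS" | ldap_tls_backend
```

`ldd` lists transitive dependencies, so a libldap that only pulls GnuTLS in through some other library would still read as gnutls; for the direct dependencies pipe `objdump -p libldap-2.4.so.2 | grep NEEDED` into the same function instead, which works because it matches on library names either way.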
From: owner at bugs.debian.org (Debian Bug Tracking System)
Date: Wed, 15 Apr 2015 16:48:05 +0000
Subject: [Pkg-freeipa-devel] Bug#725153: Info received ( freeipa-server backport to Jessie?)
References: <201504151845.50064.holger@layer-acht.org>
Message-ID:

Thank you for the additional information you have supplied regarding this Bug report.

This is an automatically generated reply to let you know your message has been received.

Your message is being forwarded to the package maintainers and other interested parties for their attention; they will reply in due course.

Your message has been sent to the package maintainer(s):
 Debian OpenLDAP Maintainers

If you wish to submit further information on this problem, please send it to 725153 at bugs.debian.org.

Please do not send mail to owner at bugs.debian.org unless you wish to report a problem with the Bug-tracking system.

-- 
725153: http://bugs.debian.org/cgi-bin/bugreport.cgi?bug=725153
Debian Bug Tracking System
Contact owner at bugs.debian.org with problems

From: tjaalton at debian.org (Timo Aaltonen)
Date: Wed, 15 Apr 2015 21:31:17 +0300
Subject: [Pkg-freeipa-devel] freeipa-server backport to Jessie?
In-Reply-To: <201504151845.50064.holger@layer-acht.org>
References: <552B9015.6070204@aixigo.de> <552E6994.3000602@debian.org> <201504151546.18424.holger@layer-acht.org> <201504151845.50064.holger@layer-acht.org>
Message-ID: <552EAE75.6050003@debian.org>

On 15.04.2015 19:45, Holger Levsen wrote:
> Hi,
>
> this has become off-topic for debian-backports so please don't include debian-backports at lists.debian.org in your replies.
>
> On Wednesday, 15 April 2015, Holger Levsen wrote:
>> On Wednesday, 15 April 2015, Timo Aaltonen wrote:
>>> That's "separate libldap built against nss" again.. I'm not going to put
>>> effort on that anymore, and it wouldn't help jessie either.
>
> to build the openldap package against libnss3-dev, one has to:
>
> - in debian/control: replace the build-dependency on libgnutls28-dev with libnss3-dev
> - in debian/configure.options: use --with-tls=moznss (instead of --with-tls) and also add the line "CPPFLAGS=-I/usr/include/nss\ -I/usr/include/nspr LDFLAGS=-L/usr/lib/x86_64-linux-gnu/nss" somewhere.
>
> With that the build still fails with
>
> smbk5pwd.c:1073:4: warning: too many arguments for format [-Wformat-extra-args]
> smbk5pwd.c:968:2: warning: variable 'dummy_ad' set but not used [-Wunused-but-set-variable]
>   dummy_ad;
>   ^
> Makefile:50: recipe for target 'smbk5pwd.lo' failed
> make[2]: *** [smbk5pwd.lo] Error 1
> make[2]: Leaving directory './openldap-2.4.40+dfsg/contrib/slapd-modules/smbk5pwd'
>
> but that should be easy to work around by not building the slapd packages or contrib modules (as freeipa-server users won't need slapd anyway...)
>
> I haven't done this now, but will update this bug once I've done so. (Which might take some weeks...)

You probably need the Fedora patches too:

http://pkgs.fedoraproject.org/cgit/openldap.git/commit/?id=592250ebfbcc7aa47f22bf1f8613fe20f33fd39a

From: ryan at nardis.ca (Ryan Tandy)
Date: Thu, 16 Apr 2015 16:32:54 -0700
Subject: [Pkg-freeipa-devel] [Pkg-openldap-devel] Bug#725153: freeipa-server backport to Jessie?
In-Reply-To: <201504151845.50064.holger@layer-acht.org>
References: <552B9015.6070204@aixigo.de> <552E6994.3000602@debian.org> <201504151546.18424.holger@layer-acht.org> <201504151845.50064.holger@layer-acht.org>
Message-ID: <20150416233254.GB19259@comet>

On Wed, Apr 15, 2015 at 06:45:39PM +0200, Holger Levsen wrote:
>to build the openldap package against libnss3-dev, one has to:
>
>- in debian/control: replace the build-dependency on libgnutls28-dev with libnss3-dev
>- in debian/configure.options: use --with-tls=moznss (instead of --with-tls) and also add the line "CPPFLAGS=-I/usr/include/nss\ -I/usr/include/nspr LDFLAGS=-L/usr/lib/x86_64-linux-gnu/nss" somewhere.
>
>With that the build still fails with
>
>smbk5pwd.c:1073:4: warning: too many arguments for format [-Wformat-extra-args]
>smbk5pwd.c:968:2: warning: variable 'dummy_ad' set but not used [-Wunused-but-set-variable]
>  dummy_ad;
>  ^
>Makefile:50: recipe for target 'smbk5pwd.lo' failed
>make[2]: *** [smbk5pwd.lo] Error 1
>make[2]: Leaving directory './openldap-2.4.40+dfsg/contrib/slapd-modules/smbk5pwd'
>
>but that should be easy to work around by not building the slapd packages or contrib modules (as freeipa-server users won't need slapd anyway...)

The attached debdiff replaces gnutls with nss but continues building smbk5pwd with nettle. AFAICT the result works properly, smbk5pwd included.

I didn't try importing Fedora's patches, but noted that several were upstreamed already, and more were submitted and await review.

Looks like Debian's nss doesn't support loading PEM certificates at runtime yet: #726116. My knee-jerk reaction is that I dislike the idea of changing the default libldap to moznss before resolving that.
Migrating slapd's server certificates and CA certificates mentioned in ldap.conf is possible, with some work; but we'd also be breaking any clients configured for particular PEM certificates. It would be a lot nicer if existing setups could keep working. I only spent a few minutes on this, didn't look yet at whether building a second libldap for freeipa's use is feasible. Timo, how far did you get on that when you looked at it previously? Also, do you know anything about the thought process behind the recent (and then reverted) switch to openssl in Fedora? Are they planning to move away from moznss? -------------- next part -------------- diff -u openldap-2.4.40+dfsg/debian/changelog openldap-2.4.40+dfsg/debian/changelog --- openldap-2.4.40+dfsg/debian/changelog +++ openldap-2.4.40+dfsg/debian/changelog @@ -1,3 +1,15 @@ +openldap (2.4.40+dfsg-1+moznss) UNRELEASED; urgency=medium + + * Build against NSS instead of GnuTLS. + - debian/control: Build-Depend on libnss3-dev and pkg-config. + - debian/configure.options: Configure with moznss. + - debian/patches/openldap-autoconf-pkgconfig-nss.patch: Import Fedora + patch to use pkg-config for NSS library detection. + - debian/patches/smbk5pwd-gnutls.patch: smbk5pwd hasn't been ported to + moznss. Keep building it with nettle. + + -- Ryan Tandy Thu, 16 Apr 2015 13:28:15 -0700 + openldap (2.4.40+dfsg-1) unstable; urgency=medium * Remove inetorgperson.schema from the upstream source. Replace it with a diff -u openldap-2.4.40+dfsg/debian/configure.options openldap-2.4.40+dfsg/debian/configure.options --- openldap-2.4.40+dfsg/debian/configure.options +++ openldap-2.4.40+dfsg/debian/configure.options 
@@ -176,7 +176,7 @@ # --with-threads with threads [auto] --with-threads # --with-tls with TLS/SSL support auto|openssl|gnutls|moznss [auto] ---with-tls=gnutls +--with-tls=moznss # --with-yielding-select with implicitly yielding select [auto] # --with-mp with multiple precision statistics auto|longlong|long|bignum|gmp [auto] # --with-odbc with specific ODBC support iodbc|unixodbc|odbc32|auto [auto] diff -u openldap-2.4.40+dfsg/debian/control openldap-2.4.40+dfsg/debian/control --- openldap-2.4.40+dfsg/debian/control +++ openldap-2.4.40+dfsg/debian/control @@ -11,11 +11,11 @@ Build-Depends: debhelper (>= 8.9.0~), dpkg-dev (>= 1.16.1), libdb5.3-dev, nettle-dev, - libgnutls28-dev, unixodbc-dev, libncurses5-dev, libperl-dev (>= 5.8.0), + libnss3-dev, unixodbc-dev, libncurses5-dev, libperl-dev (>= 5.8.0), libsasl2-dev, libslp-dev, libltdl-dev | libltdl3-dev (>= 1.4.3), libwrap0-dev, perl, po-debconf, quilt (>= 0.46-7), groff-base, time, heimdal-multidev, - dh-autoreconf + dh-autoreconf, pkg-config Build-Conflicts: libbind-dev, bind-dev, libicu-dev, autoconf2.13 Standards-Version: 3.9.1 Homepage: http://www.openldap.org/ diff -u openldap-2.4.40+dfsg/debian/patches/series openldap-2.4.40+dfsg/debian/patches/series --- openldap-2.4.40+dfsg/debian/patches/series +++ openldap-2.4.40+dfsg/debian/patches/series @@ -26,0 +27,2 @@ +openldap-autoconf-pkgconfig-nss.patch +smbk5pwd-gnutls only in patch2: unchanged: --- openldap-2.4.40+dfsg.orig/debian/patches/openldap-autoconf-pkgconfig-nss.patch +++ openldap-2.4.40+dfsg/debian/patches/openldap-autoconf-pkgconfig-nss.patch 
@@ -0,0 +1,48 @@ +Use pkg-config for Mozilla NSS library detection + +Author: Jan Vcelak + +--- + configure.in | 22 +++++----------------- + 1 file changed, 5 insertions(+), 17 deletions(-) + +diff --git a/configure.in b/configure.in +index ecffe30..2a9cfb4 100644 +--- a/configure.in ++++ b/configure.in +@@ -1223,28 +1223,16 @@ if test $ol_link_tls = no ; then + fi + fi + +-dnl NOTE: caller must specify -I/path/to/nspr4 and -I/path/to/nss3 +-dnl and -L/path/to/nspr4 libs and -L/path/to/nss3 libs if those libs +-dnl are not in the default system location + if test $ol_link_tls = no ; then + if test $ol_with_tls = moznss || test $ol_with_tls = auto ; then +- have_moznss=no +- AC_CHECK_HEADERS([nssutil.h]) +- if test "$ac_cv_header_nssutil_h" = yes ; then +- AC_CHECK_LIB([nss3], [NSS_Initialize], +- [ have_moznss=yes ], [ have_moznss=no ]) +- fi ++ PKG_CHECK_MODULES(MOZNSS, [nss nspr], [have_moznss=yes], [have_moznss=no]) + +- if test "$have_moznss" = yes ; then ++ if test $have_moznss = yes ; then + ol_with_tls=moznss + ol_link_tls=yes +- AC_DEFINE(HAVE_MOZNSS, 1, +- [define if you have MozNSS]) +- TLS_LIBS="-lssl3 -lsmime3 -lnss3 -lnssutil3 -lplds4 -lplc4 -lnspr4" +- else +- if test $ol_with_tls = moznss ; then +- AC_MSG_ERROR([MozNSS not found - please specify the location to the NSPR and NSS header files in CPPFLAGS and the location to the NSPR and NSS libraries in LDFLAGS (if not in the system location)]) +- fi ++ AC_DEFINE(HAVE_MOZNSS, 1, [define if you have MozNSS]) ++ TLS_LIBS="$MOZNSS_LIBS" ++ CFLAGS="$CFLAGS $MOZNSS_CFLAGS" + fi + fi + fi +-- +1.7.11.7 only in patch2: unchanged: --- openldap-2.4.40+dfsg.orig/debian/patches/smbk5pwd-gnutls +++ openldap-2.4.40+dfsg/debian/patches/smbk5pwd-gnutls 
@@ -0,0 +1,11 @@ +--- a/contrib/slapd-modules/smbk5pwd/Makefile ++++ b/contrib/slapd-modules/smbk5pwd/Makefile +@@ -28,7 +28,7 @@ + CC = gcc + OPT = -g -O2 -Wall + # Omit DO_KRB5, DO_SAMBA or DO_SHADOW if you don't want to support it. +-DEFS = -DDO_KRB5 -DDO_SAMBA -DDO_SHADOW ++DEFS = -DDO_KRB5 -DDO_SAMBA -DDO_SHADOW -UHAVE_MOZNSS -DHAVE_GNUTLS + INCS = $(LDAP_INC) $(HEIMDAL_INC) $(SSL_INC) + # put /usr/lib/heimdal before /usr/lib in case libkrb5-dev is installed, #745356 + LIBS = $(HEIMDAL_LIB) $(LDAP_LIB) $(SSL_LIB) From tjaalton at debian.org Fri Apr 17 04:45:24 2015 
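Review bot: the debian/configure.options hunk (`--with-tls=gnutls` to `--with-tls=moznss`) changes how the TLS_CACERT, TLS_CERT and TLS_KEY settings of every existing ldap.conf are interpreted, yet the changelog entry records it only as "Configure with moznss". Since the covering mail says Debian's nss cannot load PEM certificates at runtime (#726116), the changelog or a NEWS entry should state that PEM paths in ldap.conf stop working with this build and that an NSS certificate database is needed instead, so anyone doing the drop-in libldap swap discussed in this bug is warned before their clients lose TLS.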
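Review bot: in the debian/control hunk `nettle-dev` survives the swap of `libgnutls28-dev` for `libnss3-dev`, but nothing in control or the changelog says it is now kept solely for the smbk5pwd contrib module built through smbk5pwd-gnutls; a one-line comment next to the build-dependency (or a word in the changelog) would stop the next build-dependency cleanup from dropping it and silently breaking that module. The added `pkg-config` build-dependency is required because the imported autoconf patch replaces AC_CHECK_LIB with PKG_CHECK_MODULES, which matches the changelog line.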
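Review bot: the two entries added to debian/patches/series use inconsistent names (`openldap-autoconf-pkgconfig-nss.patch` with a suffix, `smbk5pwd-gnutls` without), and neither patch carries a usable DEP-3 header: the pkg-config one has only `Author: Jan Vcelak` with no Origin line pointing at the Fedora commit it was imported from and no Forwarded status, and smbk5pwd-gnutls has no header at all. Add Description, Origin and Forwarded lines so it is visible from the package itself which patch is a Fedora import and whether it has gone upstream.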
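Review bot: the configure.in hunk removes the `AC_MSG_ERROR([MozNSS not found ...])` branch that the old code ran when `--with-tls=moznss` was requested explicitly and NSS was not found; after this change a build where nss.pc or nspr.pc cannot be located (including the case where pkg-config itself is missing) leaves `ol_link_tls=no` and carries on to whatever the later generic TLS check does instead of stopping here with a clear message. Suggest restoring the error in the `have_moznss=no` branch when `$ol_with_tls = moznss`, and confirming configure aborts rather than producing a libldap without TLS. Minor: `MOZNSS_CFLAGS` is a set of `-I` flags, so appending it to CPPFLAGS rather than CFLAGS would be the conventional choice.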
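Review bot: the smbk5pwd Makefile hunk adds `-UHAVE_MOZNSS -DHAVE_GNUTLS` to DEFS, but `-U` on the compiler command line only removes a macro that is predefined or passed with `-D`; if HAVE_MOZNSS reaches smbk5pwd.c through the generated portable.h it is defined again after this flag, and the build is then relying on smbk5pwd.c testing HAVE_GNUTLS before HAVE_MOZNSS. A comment in the patch should say that this ordering is what is being relied on, and that HAVE_GNUTLS here selects the nettle code path as the changelog states, so nobody reads `-UHAVE_MOZNSS` as doing more than it does. Also, `LIBS = $(HEIMDAL_LIB) $(LDAP_LIB) $(SSL_LIB)` is unchanged: confirm SSL_LIB resolves to nettle and not to the NSS libraries in this configuration, otherwise the module links against a library it no longer calls.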
From: tjaalton at debian.org (Timo Aaltonen)
Date: Fri, 17 Apr 2015 07:45:24 +0300
Subject: [Pkg-freeipa-devel] [Pkg-openldap-devel] Bug#725153: freeipa-server backport to Jessie?
In-Reply-To: <20150416233254.GB19259@comet>
References: <552B9015.6070204@aixigo.de> <552E6994.3000602@debian.org> <201504151546.18424.holger@layer-acht.org> <201504151845.50064.holger@layer-acht.org> <20150416233254.GB19259@comet>
Message-ID: <55308FE4.4090900@debian.org>

On 17.04.2015 02:32, Ryan Tandy wrote:
> On Wed, Apr 15, 2015 at 06:45:39PM +0200, Holger Levsen wrote:
>> to build the openldap package against libnss3-dev, one has to:
>>
>> - in debian/control: replace the build-dependency on libgnutls28-dev with libnss3-dev
>> - in debian/configure.options: use --with-tls=moznss (instead of --with-tls) and also add the line "CPPFLAGS=-I/usr/include/nss\ -I/usr/include/nspr LDFLAGS=-L/usr/lib/x86_64-linux-gnu/nss" somewhere.
>>
>> With that the build still fails with
>>
>> smbk5pwd.c:1073:4: warning: too many arguments for format [-Wformat-extra-args]
>> smbk5pwd.c:968:2: warning: variable 'dummy_ad' set but not used [-Wunused-but-set-variable]
>>   dummy_ad;
>>   ^
>> Makefile:50: recipe for target 'smbk5pwd.lo' failed
>> make[2]: *** [smbk5pwd.lo] Error 1
>> make[2]: Leaving directory './openldap-2.4.40+dfsg/contrib/slapd-modules/smbk5pwd'
>>
>> but that should be easy to work around by not building the slapd packages or contrib modules (as freeipa-server users won't need slapd anyway...)
>
> The attached debdiff replaces gnutls with nss but continues building smbk5pwd with nettle. AFAICT the result works properly, smbk5pwd included.
>
> I didn't try importing Fedora's patches, but noted that several were upstreamed already, and more were submitted and await review.
>
> Looks like Debian's nss doesn't support loading PEM certificates at runtime yet: #726116.
> My knee-jerk reaction is that I dislike the idea of changing the default libldap to moznss before resolving that.
> Migrating slapd's server certificates and CA certificates mentioned in ldap.conf is possible, with some work; but we'd also be breaking any clients configured for particular PEM certificates. It would be a lot nicer if existing setups could keep working.
>
> I only spent a few minutes on this, didn't look yet at whether building a second libldap for freeipa's use is feasible. Timo, how far did you get on that when you looked at it previously?

Actually, I pushed a hacked up libldap to my openldap git on alioth yesterday, but forgot to update this bug, oops

git://git.debian.org/git/users/tjaalton/openldap.git

it doesn't build anything other than libldap & ldap-utils, and includes the applicable Fedora patches (yes three of them were upstream already) minus autoconf one which gave me some pain. If it's ok for you, we could have a branch on the official pkg repo so folks that need to build their own packages could use that as the base.

I don't think fixing this bug by switching to build against moznss makes much sense for Debian, because the need for it is going away once Freeipa ditches using ldap+tls connections altogether which is currently only used in the replication process. Once that's rewritten and using GSSAPI (in 4.2?) we'd be fine.

That might still leave plain 389-ds-base multimaster replication in the dust though, but I'm not interested in that personally.. Building a second libldap against moznss might be possible, but looks icky..

> Also, do you know anything about the thought process behind the recent (and then reverted) switch to openssl in Fedora? Are they planning to move away from moznss?

Nah I guess that was some kind of frustration by the maintainer, did that without any discussion and it caused some "concern" on #freeipa at the time :)

-- 
t

From: ryan at nardis.ca (Ryan Tandy)
Date: Fri, 17 Apr 2015 11:54:11 -0700
Subject: [Pkg-freeipa-devel] [Pkg-openldap-devel] Bug#725153: freeipa-server backport to Jessie?
In-Reply-To: <55308FE4.4090900@debian.org>
References: <552B9015.6070204@aixigo.de> <552E6994.3000602@debian.org> <201504151546.18424.holger@layer-acht.org> <201504151845.50064.holger@layer-acht.org> <20150416233254.GB19259@comet> <55308FE4.4090900@debian.org>
Message-ID: <20150417185411.GD16299@comet>

On Fri, Apr 17, 2015 at 07:45:24AM +0300, Timo Aaltonen wrote:
>Actually, I pushed a hacked up libldap to my openldap git on alioth yesterday, but forgot to update this bug, oops
>
>git://git.debian.org/git/users/tjaalton/openldap.git
>
>it doesn't build anything other than libldap & ldap-utils, and includes the applicable Fedora patches (yes three of them were upstream already) minus autoconf one which gave me some pain. If it's ok for you, we could have a branch on the official pkg repo so folks that need to build their own packages could use that as the base.

Something like a "moznss" branch parallel to master? I don't have any problem with that.

FWIW, the autoconf patch worked for me once I added Build-Depends: pkg-config.

>I don't think fixing this bug by switching to build against moznss makes much sense for Debian, because the need for it is going away once Freeipa ditches using ldap+tls connections altogether which is currently only used in the replication process. Once that's rewritten and using GSSAPI (in 4.2?) we'd be fine.

OK.

>That might still leave plain 389-ds-base multimaster replication in the dust though, but I'm not interested in that personally.. Building a second libldap against moznss might be possible, but looks icky..

Icky indeed. Based on what you wrote above, sounds like that probably won't be worth the effort, if it won't be needed in future.

So as I understand it: this bug is basically wontfix in the official package at this point; you're (already?)
providing an unofficial nss-libldap that freeipa users can drop in to replace the gnutls-libldap; and nothing has to be rebuilt to take advantage of that. Do I have that right?

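Two checks a practitioner would want before doing the drop-in swap Ryan describes, as an added example written for this page (it is not code from the openldap or freeipa packages, nor from anyone in the thread): find out which TLS backend a given libldap actually links, and flag ldap.conf settings that name PEM files, since the thread notes a moznss libldap on Debian cannot load PEM certificates at runtime (#726116). It assumes the backend can be told apart by the linked library names (libgnutls.so, libnss3.so, OpenSSL's libssl.so) and that TLS_CACERT/TLS_CERT/TLS_KEY are the relevant ldap.conf keys; the ldd output and ldap.conf used for the demonstration are constructed, not captured from a real host.

```shell
#!/bin/sh
# Added example, not code from the thread or from the openldap/freeipa
# packages. Assumptions: a gnutls libldap pulls in libgnutls.so, a
# moznss one libnss3.so, an openssl one libssl.so (OpenSSL's, which is
# distinct from NSS's libssl3.so). Sample data below is constructed.

# Classify a libldap build from `ldd` output read on stdin.
# Usage: ldd /usr/lib/x86_64-linux-gnu/libldap-2.4.so.2 | ldap_tls_backend
# Prints one of: gnutls, moznss, openssl, none.
ldap_tls_backend() {
    backend=none
    while IFS= read -r line; do
        case $line in
            *libgnutls.so*) backend=gnutls ;;
            *libnss3.so*)   backend=moznss ;;
            *libssl.so*)    backend=openssl ;;   # "libssl3.so" does not match
        esac
    done
    printf '%s\n' "$backend"
}

# Report TLS_* settings in an ldap.conf that point at PEM-style files.
# Usage: check_ldap_conf <backend> <path-to-ldap.conf>
# Exit 0: usable with that backend; 1: at least one PEM path with moznss.
check_ldap_conf() {
    backend=$1
    conf=$2
    status=0
    while read -r key value; do
        case $key in
            TLS_CACERT|TLS_CERT|TLS_KEY)
                case $value in
                    *.pem|*.crt|*.key)
                        if [ "$backend" = moznss ]; then
                            printf 'WARN: %s %s is a PEM path; a moznss build needs an NSS cert DB (TLS_CACERTDIR)\n' \
                                "$key" "$value" >&2
                            status=1
                        fi ;;
                esac ;;
        esac
    done < "$conf"
    return $status
}

# Constructed demonstration data: ldd output of a moznss-linked and of a
# gnutls-linked libldap, and an ldap.conf written for the gnutls build.
SAMPLE_LDD_MOZNSS='    linux-vdso.so.1 (0x00007ffc00000000)
    libnss3.so => /usr/lib/x86_64-linux-gnu/libnss3.so (0x00007f0000000000)
    libnspr4.so => /usr/lib/x86_64-linux-gnu/libnspr4.so (0x00007f0100000000)
    liblber-2.4.so.2 => /usr/lib/x86_64-linux-gnu/liblber-2.4.so.2 (0x00007f0200000000)'
SAMPLE_LDD_GNUTLS='    linux-vdso.so.1 (0x00007ffc00000000)
    libgnutls.so.28 => /usr/lib/x86_64-linux-gnu/libgnutls.so.28 (0x00007f0000000000)
    liblber-2.4.so.2 => /usr/lib/x86_64-linux-gnu/liblber-2.4.so.2 (0x00007f0200000000)'

write_sample_ldap_conf() {   # writes the constructed ldap.conf to $1
    printf '%s\n' \
        '# constructed sample: settings typical of the gnutls build' \
        'BASE dc=example,dc=test' \
        'TLS_CACERT /etc/ssl/certs/ca-certificates.crt' \
        'TLS_REQCERT demand' > "$1"
}

demo() {
    conf=${TMPDIR:-/tmp}/ldap.conf.demo.$$
    write_sample_ldap_conf "$conf"
    for sample in "$SAMPLE_LDD_GNUTLS" "$SAMPLE_LDD_MOZNSS"; do
        backend=$(printf '%s\n' "$sample" | ldap_tls_backend)
        if check_ldap_conf "$backend" "$conf" 2>/dev/null; then
            echo "$backend: ldap.conf usable as-is"
        else
            echo "$backend: ldap.conf needs migration before a drop-in swap"
        fi
    done
    rm -f "$conf"
}

demo
```

On a real host replace the constructed samples with `ldd` on the installed libldap and with /etc/ldap/ldap.conf; the same two functions then tell you whether the swapped library is really the moznss build and whether the existing TLS_* settings will survive it.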
From: tjaalton at debian.org (Timo Aaltonen)
Date: Tue, 21 Apr 2015 14:12:18 +0300
Subject: [Pkg-freeipa-devel] [Pkg-openldap-devel] Bug#725153: freeipa-server backport to Jessie?
In-Reply-To: <20150417185411.GD16299@comet>
References: <552B9015.6070204@aixigo.de> <552E6994.3000602@debian.org> <201504151546.18424.holger@layer-acht.org> <201504151845.50064.holger@layer-acht.org> <20150416233254.GB19259@comet> <55308FE4.4090900@debian.org> <20150417185411.GD16299@comet>
Message-ID: <55363092.9060405@debian.org>

On 17.04.2015 21:54, Ryan Tandy wrote:
> On Fri, Apr 17, 2015 at 07:45:24AM +0300, Timo Aaltonen wrote:
>> Actually, I pushed a hacked up libldap to my openldap git on alioth yesterday, but forgot to update this bug, oops
>>
>> git://git.debian.org/git/users/tjaalton/openldap.git
>>
>> it doesn't build anything other than libldap & ldap-utils, and includes the applicable Fedora patches (yes three of them were upstream already) minus autoconf one which gave me some pain. If it's ok for you, we could have a branch on the official pkg repo so folks that need to build their own packages could use that as the base.
>
> Something like a "moznss" branch parallel to master? I don't have any problem with that.

Ok, I'll push something at some point.

> FWIW, the autoconf patch worked for me once I added Build-Depends: pkg-config.

ha, stupid me then.. the error message I got wasn't too obvious

>> That might still leave plain 389-ds-base multimaster replication in the dust though, but I'm not interested in that personally.. Building a second libldap against moznss might be possible, but looks icky..
>
> Icky indeed. Based on what you wrote above, sounds like that probably won't be worth the effort, if it won't be needed in future.
>
> So as I understand it: this bug is basically wontfix in the official package at this point; you're (already?)
> providing an unofficial nss-libldap that freeipa users can drop in to replace the gnutls-libldap; and nothing has to be rebuilt to take advantage of that. Do I have that right?

Well, my quick testing shows that a simple library swap isn't enough, but 389 probably needs a rebuild against the new lib. Or replication fails because of something unrelated to this.. don't have much time to test anything in the next couple of weeks.

-- 
t

From: harald.dunkel at aixigo.de (Harald Dunkel)
Date: Thu, 23 Apr 2015 08:23:36 +0200
Subject: [Pkg-freeipa-devel] freeipa-server backport to Jessie?
In-Reply-To: <552CE57B.1050002@debian.org>
References: <552B9015.6070204@aixigo.de> <552C0196.4050401@debian.org> <552CA87C.6030309@debian.org> <552CDAB9.6040204@aixigo.de> <552CE57B.1050002@debian.org>
Message-ID: <20150423082336.415d07d0@dpcl082.ac.aixigo.de>

Hi Timo,

On Tue, 14 Apr 2015 13:01:31 +0300
Timo Aaltonen wrote:

> On 14.04.2015 12:15, Harald Dunkel wrote:
> > Hi Timo,
> >
> >
> > Of course I recognized that freeipa has a pretty huge list of versioned dependencies. Is there something that would be too difficult to backport to Jessie?
>
> No, dogtag, bind-dyndb-ldap and freeipa itself should be all that's needed, if you're ok with the single-server limitation.
>

Building freeipa for Jessie was easy.

Question: Are the "Debian" changes to freeipa supposed to be included into the official release at freeipa.org? Do they care about freeipa for Debian?

Regards
Harri

From: tjaalton at debian.org (Timo Aaltonen)
Date: Thu, 23 Apr 2015 09:37:21 +0300
Subject: [Pkg-freeipa-devel] freeipa-server backport to Jessie?
In-Reply-To: <20150423082336.415d07d0@dpcl082.ac.aixigo.de>
References: <552B9015.6070204@aixigo.de> <552C0196.4050401@debian.org> <552CA87C.6030309@debian.org> <552CDAB9.6040204@aixigo.de> <552CE57B.1050002@debian.org> <20150423082336.415d07d0@dpcl082.ac.aixigo.de>
Message-ID: <55389321.9040307@debian.org>

On 23.04.2015 09:23, Harald Dunkel wrote:
> Hi Timo,
>
> On Tue, 14 Apr 2015 13:01:31 +0300
> Timo Aaltonen wrote:
>
>> On 14.04.2015 12:15, Harald Dunkel wrote:
>>> Hi Timo,
>>>
>>>
>>> Of course I recognized that freeipa has a pretty huge list of versioned dependencies. Is there something that would be too difficult to backport to Jessie?
>>
>> No, dogtag, bind-dyndb-ldap and freeipa itself should be all that's needed, if you're ok with the single-server limitation.
>>
>
> Building freeipa for Jessie was easy.
>
> Question: Are the "Debian" changes to freeipa supposed to be included into the official release at freeipa.org? Do they care about freeipa for Debian?

They do care. ipaplatform/base/paths.py was created to ease porting. The Debian platform module just needs to be sent for review along with the rest of the changes, and some rewritten first to hardcode less stuff.

-- 
t