# 389-ds-base 1.4 no longer supports i686 platform, build only client # packages, https://bugzilla.redhat.com/show_bug.cgi?id=1544386 %if 0%{?fedora} >= 28 || 0%{?rhel} > 7 %ifarch %{ix86} %{!?ONLY_CLIENT:%global ONLY_CLIENT 1} %endif %endif # Define ONLY_CLIENT to only make the ipa-client and ipa-python # subpackages %{!?ONLY_CLIENT:%global ONLY_CLIENT 0} %if %{ONLY_CLIENT} %global enable_server_option --disable-server %else %global enable_server_option --enable-server %endif # Build ipatests %if 0%{?rhel} %global with_ipatests 0 %endif %if ! %{ONLY_CLIENT} %{!?with_ipatests:%global with_ipatests 1} %endif %if 0%{?with_ipatests} %global with_ipatests_option --with-ipatests %else %global with_ipatests_option --without-ipatests %endif # lint is not executed during rpmbuild # %%global with_lint 1 %if 0%{?with_lint} %global linter_options --enable-pylint --without-jslint --enable-rpmlint %else %global linter_options --disable-pylint --without-jslint --disable-rpmlint %endif # Include SELinux subpackage %if 0%{?fedora} >= 30 || 0%{?rhel} %global with_selinux 1 %global selinuxtype targeted %global modulename ipa %endif %if 0%{?rhel} %global package_name ipa %global alt_name freeipa %global krb5_version 1.18 %global krb5_kdb_version 8.0 # 0.7.16: https://github.com/drkjam/netaddr/issues/71 %global python_netaddr_version 0.7.16 # Require 4.7.0 which brings Python 3 bindings %global samba_version 4.7.0 %global selinux_policy_version 3.14.3-21 %global slapi_nis_version 0.56.1-4 %global python_ldap_version 3.1.0-1 %if 0%{?rhel} < 9 # Bug 1929067 - PKI instance creation failed with new 389-ds-base build %global ds_version 1.4.3.16-12 %else %global ds_version 2.0.3-3 %endif # Fix for TLS 1.3 PHA, RHBZ#1775158 %global httpd_version 2.4.37-21 %global systemd_version 239 %else # Fedora %global package_name freeipa %global alt_name ipa # Fix for CVE-2018-20217 %global krb5_version 1.16.1-24 # 0.7.16: https://github.com/drkjam/netaddr/issues/71 %global python_netaddr_version 0.7.16 # Require 4.7.0 which brings Python 3 bindings %global samba_version 2:4.7.0 # SELinux context for dirsrv unit file, BZ 1820298 %if 0%{?fedora} >= 32 %global selinux_policy_version 3.14.5-39 %else %global selinux_policy_version 3.14.4-52 %endif %global slapi_nis_version 0.56.1 # krb5 can only provide one KDB at a time %if 0%{?fedora} >= 32 %global krb5_kdb_version 8.0 %else %global krb5_kdb_version 7.0 %endif # fix for segfault in python3-ldap, https://pagure.io/freeipa/issue/7324 %global python_ldap_version 3.1.0-1 # Make sure to use 389-ds-base versions that fix https://github.com/389ds/389-ds-base/issues/4609 %if 0%{?fedora} < 34 %global ds_version %{lua: local v={}; v['32']='1.4.3.20-2'; v['33']='1.4.4.13-2'; print(v[rpm.expand('%{fedora}')])} %else %global ds_version 2.0.3-3 %endif # Fix for TLS 1.3 PHA, RHBZ#1775146 %if 0%{?fedora} >= 31 %global httpd_version 2.4.41-9 %else %global httpd_version 2.4.41-6.1 %endif # Don't use Fedora's Python dependency generator on Fedora 30/rawhide yet. # Some packages don't provide new dist aliases. # https://docs.fedoraproject.org/en-US/packaging-guidelines/Python/ %{?python_disable_dependency_generator} # Fedora %endif %if 0%{?rhel} == 8 # Make sure to use PKI versions that work with 389-ds fix for https://github.com/389ds/389-ds-base/issues/4609 %global pki_version 10.10.5 %else # Make sure to use PKI versions that work with 389-ds fix for https://github.com/389ds/389-ds-base/issues/4609 %global pki_version 10.10.5 %endif # https://pagure.io/certmonger/issue/90 %global certmonger_version 0.79.7-1 # NSS release with fix for p11-kit-proxy issue, affects F28 # https://pagure.io/freeipa/issue/7810 %if 0%{?fedora} == 28 %global nss_version 3.41.0-3 %else %global nss_version 3.41.0-1 %endif # One-Way Trust authenticated by trust secret # https://bugzilla.redhat.com/show_bug.cgi?id=1345975#c20 %global sssd_version 1.16.3-2 %define krb5_base_version %(LC_ALL=C rpm -q --qf '%%{VERSION}' krb5-devel | grep -Eo '^[^.]+\.[^.]+') %if 0%{?fedora} >= 33 # systemd with resolved enabled # see https://pagure.io/freeipa/issue/8275 %global systemd_version 246.6-3 %else %global systemd_version 245 %endif %global plugin_dir %{_libdir}/dirsrv/plugins %global etc_systemd_dir %{_sysconfdir}/systemd/system %global gettext_domain ipa %define _hardened_build 1 # Work-around fact that RPM SPEC parser does not accept # "Version: 4.8.10.dev202110231104+git" in freeipa.spec.in used for Autoconf string replacement %define IPA_VERSION 4.8.10.dev202110231104+git %define AT_SIGN @ # redefine IPA_VERSION only if its value matches the Autoconf placeholder %if "%{IPA_VERSION}" == "%{AT_SIGN}VERSION%{AT_SIGN}" %define IPA_VERSION nonsense.to.please.RPM.SPEC.parser %endif Name: %{package_name} Version: %{IPA_VERSION} Release: 0%{?dist} Summary: The Identity, Policy and Audit system Group: System Environment/Base License: GPLv3+ URL: http://www.freeipa.org/ Source0: freeipa-%{version}.tar.gz BuildRoot: %{_tmppath}/%{name}-%{version}-%{release}-root-%(%{__id_u} -n) BuildRequires: openldap-devel # For KDB DAL version, make explicit dependency so that increase of version # will cause the build to fail due to unsatisfied dependencies. # DAL version change may cause code crash or memory leaks, it is better to fail early. BuildRequires: krb5-kdb-version = %{krb5_kdb_version} BuildRequires: krb5-devel >= %{krb5_version} # 1.27.4: xmlrpc_curl_xportparms.gssapi_delegation BuildRequires: xmlrpc-c-devel >= 1.27.4 BuildRequires: popt-devel BuildRequires: gcc BuildRequires: make BuildRequires: pkgconfig BuildRequires: autoconf BuildRequires: automake BuildRequires: libtool BuildRequires: gettext BuildRequires: gettext-devel BuildRequires: python3-devel BuildRequires: python3-setuptools BuildRequires: systemd >= %{systemd_version} # systemd-tmpfiles which is executed from make install requires apache user BuildRequires: httpd BuildRequires: nspr-devel BuildRequires: openssl-devel BuildRequires: libini_config-devel BuildRequires: cyrus-sasl-devel %if ! %{ONLY_CLIENT} BuildRequires: 389-ds-base-devel >= %{ds_version} BuildRequires: samba-devel >= %{samba_version} BuildRequires: libtalloc-devel BuildRequires: libtevent-devel BuildRequires: libuuid-devel BuildRequires: libpwquality-devel BuildRequires: libsss_idmap-devel BuildRequires: libsss_certmap-devel BuildRequires: libsss_nss_idmap-devel >= %{sssd_version} BuildRequires: nodejs(abi) # use old dependency on RHEL 8 for now %if 0%{?rhel} BuildRequires: uglify-js %else BuildRequires: python3-rjsmin %endif BuildRequires: libverto-devel BuildRequires: libunistring-devel # 0.13.0: https://bugzilla.redhat.com/show_bug.cgi?id=1584773 # 0.13.0-2: fix for missing dependency on python-six BuildRequires: python3-lesscpy >= 0.13.0-2 BuildRequires: cracklib-dicts # ONLY_CLIENT %endif # # Build dependencies for makeapi/makeaci # BuildRequires: python3-cffi BuildRequires: python3-dns BuildRequires: python3-ldap >= %{python_ldap_version} BuildRequires: python3-libsss_nss_idmap BuildRequires: python3-netaddr >= %{python_netaddr_version} BuildRequires: python3-pyasn1 BuildRequires: python3-pyasn1-modules BuildRequires: python3-six BuildRequires: python3-psutil # # Build dependencies for wheel packaging and PyPI upload # %if 0%{?with_wheels} BuildRequires: dbus-glib-devel BuildRequires: libffi-devel BuildRequires: python3-tox %if 0%{?fedora} <= 28 BuildRequires: python3-twine %else BuildRequires: twine %endif BuildRequires: python3-wheel # with_wheels %endif # # Build dependencies for lint and fastcheck # %if 0%{?with_lint} BuildRequires: git %if 0%{?fedora} < 34 # jsl is orphaned in Fedora 34+ BuildRequires: jsl %endif BuildRequires: nss-tools BuildRequires: rpmlint BuildRequires: softhsm BuildRequires: keyutils BuildRequires: python3-augeas BuildRequires: python3-cffi BuildRequires: python3-cryptography >= 1.6 BuildRequires: python3-custodia >= 0.3.1 BuildRequires: python3-dateutil BuildRequires: python3-dbus BuildRequires: python3-dns >= 1.15 BuildRequires: python3-docker BuildRequires: python3-gssapi >= 1.2.0 BuildRequires: python3-jinja2 BuildRequires: python3-jwcrypto >= 0.4.2 BuildRequires: python3-ldap >= %{python_ldap_version} BuildRequires: python3-ldap >= %{python_ldap_version} BuildRequires: python3-lib389 >= %{ds_version} BuildRequires: python3-libipa_hbac BuildRequires: python3-libsss_nss_idmap BuildRequires: python3-lxml BuildRequires: python3-netaddr >= %{python_netaddr_version} BuildRequires: python3-netifaces BuildRequires: python3-paste BuildRequires: python3-pexpect BuildRequires: python3-pki >= %{pki_version} BuildRequires: python3-polib BuildRequires: python3-pyasn1 BuildRequires: python3-pyasn1-modules BuildRequires: python3-pycodestyle # .wheelconstraints.in limits pylint version in Azure and tox tests BuildRequires: python3-pylint BuildRequires: python3-pytest-multihost BuildRequires: python3-pytest-sourceorder BuildRequires: python3-qrcode-core >= 5.0.0 BuildRequires: python3-samba BuildRequires: python3-six BuildRequires: python3-sss BuildRequires: python3-sss-murmur BuildRequires: python3-sssdconfig >= %{sssd_version} BuildRequires: python3-systemd BuildRequires: python3-yaml BuildRequires: python3-yubico # with_lint %endif # # Build dependencies for unit tests # %if ! %{ONLY_CLIENT} BuildRequires: libcmocka-devel # Required by ipa_kdb_tests BuildRequires: krb5-server >= %{krb5_version} # ONLY_CLIENT %endif # # Build dependencies for SELinux policy # %if 0%{?with_selinux} BuildRequires: selinux-policy-devel %endif %description IPA is an integrated solution to provide centrally managed Identity (users, hosts, services), Authentication (SSO, 2FA), and Authorization (host access control, SELinux user roles, services). The solution provides features for further integration with Linux based clients (SUDO, automount) and integration with Active Directory based infrastructures (Trusts). %if ! %{ONLY_CLIENT} %package server Summary: The IPA authentication server Group: System Environment/Base Requires: %{name}-server-common = %{version}-%{release} Requires: %{name}-client = %{version}-%{release} Requires: %{name}-common = %{version}-%{release} Requires: python3-ipaserver = %{version}-%{release} Requires: python3-ldap >= %{python_ldap_version} Requires: 389-ds-base >= %{ds_version} Requires: openldap-clients > 2.4.35-4 Requires: nss-tools >= %{nss_version} Requires(post): krb5-server >= %{krb5_version} Requires(post): krb5-server >= %{krb5_base_version}, krb5-server < %{krb5_base_version}.100 Requires: krb5-pkinit-openssl >= %{krb5_version} Requires: cyrus-sasl-gssapi%{?_isa} Requires: chrony Requires: httpd >= %{httpd_version} Requires(preun): python3 Requires(postun): python3 Requires: python3-gssapi >= 1.2.0-5 Requires: python3-systemd Requires: python3-mod_wsgi Requires: mod_auth_gssapi >= 1.5.0 Requires: mod_ssl >= %{httpd_version} Requires: mod_session >= %{httpd_version} # 0.9.9: https://github.com/adelton/mod_lookup_identity/pull/3 Requires: mod_lookup_identity >= 0.9.9 Requires: acl Requires: systemd-units >= %{systemd_version} Requires(pre): systemd-units >= %{systemd_version} Requires(post): systemd-units >= %{systemd_version} Requires(preun): systemd-units >= %{systemd_version} Requires(postun): systemd-units >= %{systemd_version} Requires(pre): shadow-utils Requires: selinux-policy >= %{selinux_policy_version} Requires(post): selinux-policy-base >= %{selinux_policy_version} Requires: slapi-nis >= %{slapi_nis_version} Requires: pki-ca >= %{pki_version} Requires: pki-kra >= %{pki_version} Requires: policycoreutils >= 2.1.12-5 Requires: tar Requires(pre): certmonger >= %{certmonger_version} Requires(pre): 389-ds-base >= %{ds_version} Requires: fontawesome-fonts Requires: open-sans-fonts Requires: openssl Requires: softhsm >= 2.0.0rc1-1 Requires: p11-kit Requires: %{etc_systemd_dir} Requires: gzip Requires: oddjob # 0.7.0-2: https://pagure.io/gssproxy/pull-request/172 Requires: gssproxy >= 0.7.0-2 Requires: sssd-dbus >= %{sssd_version} Requires: libpwquality Requires: cracklib-dicts Provides: %{alt_name}-server = %{version} Conflicts: %{alt_name}-server Obsoletes: %{alt_name}-server < %{version} # With FreeIPA 3.3, package freeipa-server-selinux was obsoleted as the # entire SELinux policy is stored in the system policy Obsoletes: freeipa-server-selinux < 3.3.0 # upgrade path from monolithic -server to -server + -server-dns Obsoletes: %{name}-server <= 4.2.0 # Versions of nss-pam-ldapd < 0.8.4 require a mapping from uniqueMember to # member. Conflicts: nss-pam-ldapd < 0.8.4 %description server IPA is an integrated solution to provide centrally managed Identity (users, hosts, services), Authentication (SSO, 2FA), and Authorization (host access control, SELinux user roles, services). The solution provides features for further integration with Linux based clients (SUDO, automount) and integration with Active Directory based infrastructures (Trusts). If you are installing an IPA server, you need to install this package. %package -n python3-ipaserver Summary: Python libraries used by IPA server Group: System Environment/Libraries BuildArch: noarch %{?python_provide:%python_provide python3-ipaserver} Requires: %{name}-server-common = %{version}-%{release} Requires: %{name}-common = %{version}-%{release} # we need pre-requires since earlier versions may break upgrade Requires(pre): python3-ldap >= %{python_ldap_version} Requires: python3-augeas Requires: python3-custodia >= 0.3.1 Requires: python3-dbus Requires: python3-dns >= 1.15 Requires: python3-gssapi >= 1.2.0 Requires: python3-ipaclient = %{version}-%{release} Requires: python3-kdcproxy >= 0.3 Requires: python3-lxml Requires: python3-pki >= %{pki_version} Requires: python3-pyasn1 >= 0.3.2-2 Requires: python3-sssdconfig >= %{sssd_version} Requires: python3-psutil Requires: rpm-libs # Indirect dependency: use newer urllib3 with TLS 1.3 PHA support %if 0%{?rhel} Requires: python3-urllib3 >= 1.24.2-3 %else Requires: python3-urllib3 >= 1.25.7 %endif %description -n python3-ipaserver IPA is an integrated solution to provide centrally managed Identity (users, hosts, services), Authentication (SSO, 2FA), and Authorization (host access control, SELinux user roles, services). The solution provides features for further integration with Linux based clients (SUDO, automount) and integration with Active Directory based infrastructures (Trusts). If you are installing an IPA server, you need to install this package. %package server-common Summary: Common files used by IPA server Group: System Environment/Base BuildArch: noarch Requires: %{name}-client-common = %{version}-%{release} Requires: httpd >= %{httpd_version} Requires: systemd-units >= %{systemd_version} Provides: %{alt_name}-server-common = %{version} Conflicts: %{alt_name}-server-common Obsoletes: %{alt_name}-server-common < %{version} %description server-common IPA is an integrated solution to provide centrally managed Identity (users, hosts, services), Authentication (SSO, 2FA), and Authorization (host access control, SELinux user roles, services). The solution provides features for further integration with Linux based clients (SUDO, automount) and integration with Active Directory based infrastructures (Trusts). If you are installing an IPA server, you need to install this package. %package server-dns Summary: IPA integrated DNS server with support for automatic DNSSEC signing Group: System Environment/Base BuildArch: noarch Requires: %{name}-server = %{version}-%{release} Requires: bind-dyndb-ldap >= 11.0-2 Requires: bind >= 9.11.0-6.P2 Requires: bind-utils >= 9.11.0-6.P2 Requires: bind-pkcs11 >= 9.11.0-6.P2 Requires: bind-pkcs11-utils >= 9.11.0-6.P2 %if 0%{?fedora} >= 32 # See https://bugzilla.redhat.com/show_bug.cgi?id=1825812 Requires: opendnssec >= 2.1.6-5 %else Requires: opendnssec >= 1.4.6-4 %endif %{?systemd_requires} Provides: %{alt_name}-server-dns = %{version} Conflicts: %{alt_name}-server-dns Obsoletes: %{alt_name}-server-dns < %{version} # upgrade path from monolithic -server to -server + -server-dns Obsoletes: %{name}-server <= 4.2.0 %description server-dns IPA integrated DNS server with support for automatic DNSSEC signing. Integrated DNS server is BIND 9. OpenDNSSEC provides key management. %package server-trust-ad Summary: Virtual package to install packages required for Active Directory trusts Group: System Environment/Base Requires: %{name}-server = %{version}-%{release} Requires: %{name}-common = %{version}-%{release} Requires: samba >= %{samba_version} Requires: samba-winbind Requires: libsss_idmap Requires(post): python3 Requires: python3-samba Requires: python3-libsss_nss_idmap Requires: python3-sss # We use alternatives to divert winbind_krb5_locator.so plugin to libkrb5 # on the installes where server-trust-ad subpackage is installed because # IPA AD trusts cannot be used at the same time with the locator plugin # since Winbindd will be configured in a different mode Requires(post): %{_sbindir}/update-alternatives Requires(postun): %{_sbindir}/update-alternatives Requires(preun): %{_sbindir}/update-alternatives Provides: %{alt_name}-server-trust-ad = %{version} Conflicts: %{alt_name}-server-trust-ad Obsoletes: %{alt_name}-server-trust-ad < %{version} %description server-trust-ad Cross-realm trusts with Active Directory in IPA require working Samba 4 installation. This package is provided for convenience to install all required dependencies at once. # ONLY_CLIENT %endif %package client Summary: IPA authentication for use on clients Group: System Environment/Base Requires: %{name}-client-common = %{version}-%{release} Requires: %{name}-common = %{version}-%{release} Requires: python3-gssapi >= 1.2.0-5 Requires: python3-ipaclient = %{version}-%{release} Requires: python3-ldap >= %{python_ldap_version} Requires: python3-sssdconfig >= %{sssd_version} Requires: cyrus-sasl-gssapi%{?_isa} Requires: chrony Requires: krb5-workstation >= %{krb5_version} Requires: authselect >= 0.4-2 Requires: curl # NIS domain name config: /usr/lib/systemd/system/*-domainname.service %if 0%{?fedora} >= 29 Requires: hostname %else Requires: initscripts %endif Requires: libcurl >= 7.21.7-2 Requires: xmlrpc-c >= 1.27.4 Requires: sssd-ipa >= %{sssd_version} Requires: certmonger >= %{certmonger_version} Requires: nss-tools >= %{nss_version} Requires: bind-utils Requires: oddjob-mkhomedir Requires: libsss_autofs Requires: autofs Requires: libnfsidmap Requires: nfs-utils Requires: sssd-tools >= %{sssd_version} Requires(post): policycoreutils Provides: %{alt_name}-client = %{version} Conflicts: %{alt_name}-client Obsoletes: %{alt_name}-client < %{version} Provides: %{alt_name}-admintools = %{version} Conflicts: %{alt_name}-admintools Obsoletes: %{alt_name}-admintools < 4.4.1 Obsoletes: %{name}-admintools < 4.4.1 Provides: %{name}-admintools = %{version}-%{release} %description client IPA is an integrated solution to provide centrally managed Identity (users, hosts, services), Authentication (SSO, 2FA), and Authorization (host access control, SELinux user roles, services). The solution provides features for further integration with Linux based clients (SUDO, automount) and integration with Active Directory based infrastructures (Trusts). If your network uses IPA for authentication, this package should be installed on every client machine. This package provides command-line tools for IPA administrators. %package client-samba Summary: Tools to configure Samba on IPA client Group: System Environment/Base Requires: %{name}-client = %{version}-%{release} Requires: python3-samba Requires: samba-client Requires: samba-winbind Requires: samba-common-tools Requires: samba Requires: sssd-winbind-idmap Requires: tdb-tools Requires: cifs-utils %description client-samba This package provides command-line tools to deploy Samba domain member on the machine enrolled into a FreeIPA environment %package client-epn Summary: Tools to configure Expiring Password Notification in IPA Group: System Environment/Base Requires: systemd-units >= %{systemd_version} Requires(post): systemd-units >= %{systemd_version} Requires(preun): systemd-units >= %{systemd_version} Requires(postun): systemd-units >= %{systemd_version} Requires: %{name}-client = %{version}-%{release} %description client-epn This package provides a service to collect and send expiring password notifications via email (SMTP). %package -n python3-ipaclient Summary: Python libraries used by IPA client Group: System Environment/Libraries BuildArch: noarch %{?python_provide:%python_provide python3-ipaclient} Requires: %{name}-client-common = %{version}-%{release} Requires: %{name}-common = %{version}-%{release} Requires: python3-ipalib = %{version}-%{release} Requires: python3-augeas Requires: python3-dns >= 1.15 Requires: python3-jinja2 %description -n python3-ipaclient IPA is an integrated solution to provide centrally managed Identity (users, hosts, services), Authentication (SSO, 2FA), and Authorization (host access control, SELinux user roles, services). The solution provides features for further integration with Linux based clients (SUDO, automount) and integration with Active Directory based infrastructures (Trusts). If your network uses IPA for authentication, this package should be installed on every client machine. %package client-common Summary: Common files used by IPA client Group: System Environment/Base BuildArch: noarch Provides: %{alt_name}-client-common = %{version} Conflicts: %{alt_name}-client-common Obsoletes: %{alt_name}-client-common < %{version} # python2-ipa* packages are no longer available in 4.8. Obsoletes: python2-ipaclient < 4.8.0-1 Obsoletes: python2-ipalib < 4.8.0-1 Obsoletes: python2-ipaserver < 4.8.0-1 Obsoletes: python2-ipatests < 4.8.0-1 %description client-common IPA is an integrated solution to provide centrally managed Identity (users, hosts, services), Authentication (SSO, 2FA), and Authorization (host access control, SELinux user roles, services). The solution provides features for further integration with Linux based clients (SUDO, automount) and integration with Active Directory based infrastructures (Trusts). If your network uses IPA for authentication, this package should be installed on every client machine. %package python-compat Summary: Compatiblity package for Python libraries used by IPA Group: System Environment/Libraries BuildArch: noarch Obsoletes: %{name}-python < 4.2.91 Provides: %{name}-python = %{version}-%{release} Requires: %{name}-common = %{version}-%{release} Requires: python3-ipalib = %{version}-%{release} Provides: %{alt_name}-python-compat = %{version} Conflicts: %{alt_name}-python-compat Obsoletes: %{alt_name}-python-compat < %{version} Obsoletes: %{alt_name}-python < 4.2.91 Provides: %{alt_name}-python = %{version} %description python-compat IPA is an integrated solution to provide centrally managed Identity (users, hosts, services), Authentication (SSO, 2FA), and Authorization (host access control, SELinux user roles, services). The solution provides features for further integration with Linux based clients (SUDO, automount) and integration with Active Directory based infrastructures (Trusts). This is a compatibility package to accommodate %{name}-python split into python3-ipalib and %{name}-common. Packages still depending on %{name}-python should be fixed to depend on python2-ipaclient or %{name}-common instead. %package -n python3-ipalib Summary: Python3 libraries used by IPA Group: System Environment/Libraries BuildArch: noarch %{?python_provide:%python_provide python3-ipalib} Provides: python3-ipapython = %{version}-%{release} %{?python_provide:%python_provide python3-ipapython} Provides: python3-ipaplatform = %{version}-%{release} %{?python_provide:%python_provide python3-ipaplatform} Requires: %{name}-common = %{version}-%{release} # we need pre-requires since earlier versions may break upgrade Requires(pre): python3-ldap >= %{python_ldap_version} Requires: gnupg2 Requires: keyutils Requires: python3-cffi Requires: python3-cryptography >= 1.6 Requires: python3-dateutil Requires: python3-dbus Requires: python3-dns >= 1.15 Requires: python3-gssapi >= 1.2.0 Requires: python3-jwcrypto >= 0.4.2 Requires: python3-libipa_hbac Requires: python3-netaddr >= %{python_netaddr_version} Requires: python3-netifaces >= 0.10.4 Requires: python3-pyasn1 >= 0.3.2-2 Requires: python3-pyasn1-modules >= 0.3.2-2 Requires: python3-pyusb Requires: python3-qrcode-core >= 5.0.0 Requires: python3-requests Requires: python3-setuptools Requires: python3-six Requires: python3-sss-murmur Requires: python3-yubico >= 1.3.2-7 %description -n python3-ipalib IPA is an integrated solution to provide centrally managed Identity (users, hosts, services), Authentication (SSO, 2FA), and Authorization (host access control, SELinux user roles, services). The solution provides features for further integration with Linux based clients (SUDO, automount) and integration with Active Directory based infrastructures (Trusts). If you are using IPA with Python 3, you need to install this package. %package common Summary: Common files used by IPA Group: System Environment/Libraries BuildArch: noarch Conflicts: %{name}-python < 4.2.91 Provides: %{alt_name}-common = %{version} Conflicts: %{alt_name}-common Obsoletes: %{alt_name}-common < %{version} Conflicts: %{alt_name}-python < %{version} %if 0%{?with_selinux} # This ensures that the *-selinux package and all it’s dependencies are not # pulled into containers and other systems that do not use SELinux. The # policy defines types and file contexts for client and server. Requires: (%{name}-selinux if selinux-policy-%{selinuxtype}) %endif %description common IPA is an integrated solution to provide centrally managed Identity (users, hosts, services), Authentication (SSO, 2FA), and Authorization (host access control, SELinux user roles, services). The solution provides features for further integration with Linux based clients (SUDO, automount) and integration with Active Directory based infrastructures (Trusts). If you are using IPA, you need to install this package. %if 0%{?with_ipatests} %package -n python3-ipatests Summary: IPA tests and test tools BuildArch: noarch %{?python_provide:%python_provide python3-ipatests} Requires: python3-ipaclient = %{version}-%{release} Requires: python3-ipaserver = %{version}-%{release} Requires: iptables Requires: ldns-utils Requires: crypto-policies-scripts Requires: python3-coverage Requires: python3-cryptography >= 1.6 Requires: python3-pexpect Requires: python3-polib Requires: python3-pytest >= 3.9.1 Requires: python3-pytest-multihost >= 0.5 Requires: python3-pytest-sourceorder Requires: python3-sssdconfig >= %{sssd_version} Requires: tar Requires: xz Requires: openssh-clients Requires: sshpass %description -n python3-ipatests IPA is an integrated solution to provide centrally managed Identity (users, hosts, services), Authentication (SSO, 2FA), and Authorization (host access control, SELinux user roles, services). The solution provides features for further integration with Linux based clients (SUDO, automount) and integration with Active Directory based infrastructures (Trusts). This package contains tests that verify IPA functionality under Python 3. # with_ipatests %endif %if 0%{?with_selinux} # SELinux subpackage %package selinux Summary: FreeIPA SELinux policy BuildArch: noarch Requires: %{name}-server = %{version}-%{release} Requires: selinux-policy-%{selinuxtype} Requires(post): selinux-policy-%{selinuxtype} %{?selinux_requires} %description selinux Custom SELinux policy module # with_selinux %endif %prep %setup -n freeipa-%{version} -q %build # PATH is workaround for https://bugzilla.redhat.com/show_bug.cgi?id=1005235 export PATH=/usr/bin:/usr/sbin:$PATH export PYTHON=%{__python3} autoreconf -ivf %configure --with-vendor-suffix=-%{release} \ %{enable_server_option} \ %{with_ipatests_option} \ %{linter_options} # run build in default dir # -Onone is workaround for https://bugzilla.redhat.com/show_bug.cgi?id=1398405 %make_build -Onone %check make %{?_smp_mflags} check VERBOSE=yes LIBDIR=%{_libdir} %install # Please put as much logic as possible into make install. It allows: # - easier porting to other distributions # - rapid devel & install cycle using make install # (instead of full RPM build and installation each time) # # All files and directories created by spec install should be marked as ghost. # (These are typically configuration files created by IPA installer.) # All other artifacts should be created by make install. %make_install %if 0%{?with_ipatests} mv %{buildroot}%{_bindir}/ipa-run-tests %{buildroot}%{_bindir}/ipa-run-tests-%{python3_version} mv %{buildroot}%{_bindir}/ipa-test-config %{buildroot}%{_bindir}/ipa-test-config-%{python3_version} mv %{buildroot}%{_bindir}/ipa-test-task %{buildroot}%{_bindir}/ipa-test-task-%{python3_version} ln -rs %{buildroot}%{_bindir}/ipa-run-tests-%{python3_version} %{buildroot}%{_bindir}/ipa-run-tests-3 ln -rs %{buildroot}%{_bindir}/ipa-test-config-%{python3_version} %{buildroot}%{_bindir}/ipa-test-config-3 ln -rs %{buildroot}%{_bindir}/ipa-test-task-%{python3_version} %{buildroot}%{_bindir}/ipa-test-task-3 ln -frs %{buildroot}%{_bindir}/ipa-run-tests-%{python3_version} %{buildroot}%{_bindir}/ipa-run-tests ln -frs %{buildroot}%{_bindir}/ipa-test-config-%{python3_version} %{buildroot}%{_bindir}/ipa-test-config ln -frs %{buildroot}%{_bindir}/ipa-test-task-%{python3_version} %{buildroot}%{_bindir}/ipa-test-task # with_ipatests %endif # remove files which are useful only for make uninstall find %{buildroot} -wholename '*/site-packages/*/install_files.txt' -exec rm {} \; %find_lang %{gettext_domain} %if ! %{ONLY_CLIENT} # Remove .la files from libtool - we don't want to package # these files rm %{buildroot}/%{plugin_dir}/libipa_pwd_extop.la rm %{buildroot}/%{plugin_dir}/libipa_enrollment_extop.la rm %{buildroot}/%{plugin_dir}/libipa_winsync.la rm %{buildroot}/%{plugin_dir}/libipa_repl_version.la rm %{buildroot}/%{plugin_dir}/libipa_uuid.la rm %{buildroot}/%{plugin_dir}/libipa_modrdn.la rm %{buildroot}/%{plugin_dir}/libipa_lockout.la rm %{buildroot}/%{plugin_dir}/libipa_cldap.la rm %{buildroot}/%{plugin_dir}/libipa_dns.la rm %{buildroot}/%{plugin_dir}/libipa_sidgen.la rm %{buildroot}/%{plugin_dir}/libipa_sidgen_task.la rm %{buildroot}/%{plugin_dir}/libipa_extdom_extop.la rm %{buildroot}/%{plugin_dir}/libipa_range_check.la rm %{buildroot}/%{plugin_dir}/libipa_otp_counter.la rm %{buildroot}/%{plugin_dir}/libipa_otp_lasttoken.la rm %{buildroot}/%{plugin_dir}/libtopology.la rm %{buildroot}/%{_libdir}/krb5/plugins/kdb/ipadb.la rm %{buildroot}/%{_libdir}/samba/pdb/ipasam.la # So we can own our Apache configuration mkdir -p %{buildroot}%{_sysconfdir}/httpd/conf.d/ /bin/touch %{buildroot}%{_sysconfdir}/httpd/conf.d/ipa.conf /bin/touch %{buildroot}%{_sysconfdir}/httpd/conf.d/ipa-kdc-proxy.conf /bin/touch %{buildroot}%{_sysconfdir}/httpd/conf.d/ipa-pki-proxy.conf /bin/touch %{buildroot}%{_sysconfdir}/httpd/conf.d/ipa-rewrite.conf /bin/touch %{buildroot}%{_usr}/share/ipa/html/ca.crt /bin/touch %{buildroot}%{_usr}/share/ipa/html/krb.con /bin/touch %{buildroot}%{_usr}/share/ipa/html/krb5.ini /bin/touch %{buildroot}%{_usr}/share/ipa/html/krbrealm.con mkdir -p %{buildroot}%{_libdir}/krb5/plugins/libkrb5 touch %{buildroot}%{_libdir}/krb5/plugins/libkrb5/winbind_krb5_locator.so # ONLY_CLIENT %endif /bin/touch %{buildroot}%{_sysconfdir}/ipa/default.conf /bin/touch %{buildroot}%{_sysconfdir}/ipa/ca.crt %if ! %{ONLY_CLIENT} mkdir -p %{buildroot}%{_sysconfdir}/cron.d # ONLY_CLIENT %endif %clean rm -rf %{buildroot} %if ! %{ONLY_CLIENT} %post server # NOTE: systemd specific section /bin/systemctl --system daemon-reload 2>&1 || : # END if [ $1 -gt 1 ] ; then /bin/systemctl condrestart certmonger.service 2>&1 || : fi /bin/systemctl reload-or-try-restart dbus /bin/systemctl reload-or-try-restart oddjobd %tmpfiles_create ipa.conf %posttrans server # don't execute upgrade and restart of IPA when server is not installed %{__python3} -c "import sys; from ipalib import facts; sys.exit(0 if facts.is_ipa_configured() else 1);" > /dev/null 2>&1 if [ $? -eq 0 ]; then # This is necessary for Fedora system upgrades which by default # work with the network being offline /bin/systemctl start network-online.target # Restart IPA processes. This must be also run in postrans so that plugins # and software is in consistent state. This will also perform the # system upgrade. # NOTE: systemd specific section /bin/systemctl is-enabled ipa.service >/dev/null 2>&1 if [ $? -eq 0 ]; then /bin/systemctl restart ipa.service >/dev/null fi fi # END %preun server if [ $1 = 0 ]; then # NOTE: systemd specific section /bin/systemctl --quiet stop ipa.service || : /bin/systemctl --quiet disable ipa.service || : /bin/systemctl reload-or-try-restart dbus /bin/systemctl reload-or-try-restart oddjobd # END fi %pre server # Stop ipa_kpasswd if it exists before upgrading so we don't have a # zombie process when we're done. if [ -e /usr/sbin/ipa_kpasswd ]; then # NOTE: systemd specific section /bin/systemctl stop ipa_kpasswd.service >/dev/null 2>&1 || : # END fi %pre server-common # create users and groups # create kdcproxy group and user getent group kdcproxy >/dev/null || groupadd -f -r kdcproxy getent passwd kdcproxy >/dev/null || useradd -r -g kdcproxy -s /sbin/nologin -d / -c "IPA KDC Proxy User" kdcproxy # create ipaapi group and user getent group ipaapi >/dev/null || groupadd -f -r ipaapi getent passwd ipaapi >/dev/null || useradd -r -g ipaapi -s /sbin/nologin -d / -c "IPA Framework User" ipaapi # add apache to ipaaapi group id -Gn apache | grep '\bipaapi\b' >/dev/null || usermod apache -a -G ipaapi %post server-dns %systemd_post ipa-dnskeysyncd.service ipa-ods-exporter.socket ipa-ods-exporter.service %preun server-dns %systemd_preun ipa-dnskeysyncd.service ipa-ods-exporter.socket ipa-ods-exporter.service %postun server-dns %systemd_postun ipa-dnskeysyncd.service ipa-ods-exporter.socket ipa-ods-exporter.service %postun server-trust-ad if [ "$1" -ge "1" ]; then if [ "`readlink %{_sysconfdir}/alternatives/winbind_krb5_locator.so`" == "/dev/null" ]; then %{_sbindir}/alternatives --set winbind_krb5_locator.so /dev/null fi fi %post server-trust-ad %{_sbindir}/update-alternatives --install %{_libdir}/krb5/plugins/libkrb5/winbind_krb5_locator.so \ winbind_krb5_locator.so /dev/null 90 /bin/systemctl reload-or-try-restart dbus /bin/systemctl reload-or-try-restart oddjobd %posttrans server-trust-ad %{__python3} -c "import sys; from ipalib import facts; sys.exit(0 if facts.is_ipa_configured() else 1);" > /dev/null 2>&1 if [ $? -eq 0 ]; then # NOTE: systemd specific section /bin/systemctl try-restart httpd.service >/dev/null 2>&1 || : # END fi %preun server-trust-ad if [ $1 -eq 0 ]; then %{_sbindir}/update-alternatives --remove winbind_krb5_locator.so /dev/null /bin/systemctl reload-or-try-restart dbus /bin/systemctl reload-or-try-restart oddjobd fi # ONLY_CLIENT %endif %preun client-epn %systemd_preun ipa-epn.service %systemd_preun ipa-epn.timer %postun client-epn %systemd_postun ipa-epn.service %systemd_postun ipa-epn.timer %post client-epn %systemd_post ipa-epn.service %systemd_post ipa-epn.timer %post client if [ $1 -gt 1 ] ; then # Has the client been configured? restore=0 test -f '/var/lib/ipa-client/sysrestore/sysrestore.index' && restore=$(wc -l '/var/lib/ipa-client/sysrestore/sysrestore.index' | awk '{print $1}') if [ -f '/etc/sssd/sssd.conf' -a $restore -ge 2 ]; then if ! grep -E -q '/var/lib/sss/pubconf/krb5.include.d/' /etc/krb5.conf 2>/dev/null ; then echo "includedir /var/lib/sss/pubconf/krb5.include.d/" > /etc/krb5.conf.ipanew cat /etc/krb5.conf >> /etc/krb5.conf.ipanew mv -Z /etc/krb5.conf.ipanew /etc/krb5.conf fi fi if [ $restore -ge 2 ]; then if grep -E -q '\s*pkinit_anchors = FILE:/etc/ipa/ca.crt$' /etc/krb5.conf 2>/dev/null; then sed -E 's|(\s*)pkinit_anchors = FILE:/etc/ipa/ca.crt$|\1pkinit_anchors = FILE:/var/lib/ipa-client/pki/kdc-ca-bundle.pem\n\1pkinit_pool = FILE:/var/lib/ipa-client/pki/ca-bundle.pem|' /etc/krb5.conf >/etc/krb5.conf.ipanew mv -Z /etc/krb5.conf.ipanew /etc/krb5.conf cp /etc/ipa/ca.crt /var/lib/ipa-client/pki/kdc-ca-bundle.pem cp /etc/ipa/ca.crt /var/lib/ipa-client/pki/ca-bundle.pem fi %{__python3} -c 'from ipaclient.install.client import configure_krb5_snippet; configure_krb5_snippet()' >>/var/log/ipaupgrade.log 2>&1 %{__python3} -c 'from ipaclient.install.client import update_ipa_nssdb; update_ipa_nssdb()' >>/var/log/ipaupgrade.log 2>&1 SSH_CLIENT_SYSTEM_CONF="/etc/ssh/ssh_config" if [ -f "$SSH_CLIENT_SYSTEM_CONF" ]; then sed -E --in-place=.orig 's/^(HostKeyAlgorithms ssh-rsa,ssh-dss)$/# disabled by ipa-client update\n# \1/' "$SSH_CLIENT_SYSTEM_CONF" fi fi fi %if 0%{?with_selinux} # SELinux contexts are saved so that only affected files can be # relabeled after the policy module installation %pre selinux %selinux_relabel_pre -s %{selinuxtype} %post selinux semodule -d ipa_custodia &> /dev/null || true; %selinux_modules_install -s %{selinuxtype} %{_datadir}/selinux/packages/%{selinuxtype}/%{modulename}.pp.bz2 %postun selinux if [ $1 -eq 0 ]; then %selinux_modules_uninstall -s %{selinuxtype} %{modulename} semodule -e ipa_custodia &> /dev/null || true; fi %posttrans selinux %selinux_relabel_post -s %{selinuxtype} # with_selinux %endif %triggerin client -- openssh-server < 8.2 # Has the client been configured? restore=0 test -f '/var/lib/ipa-client/sysrestore/sysrestore.index' && restore=$(wc -l '/var/lib/ipa-client/sysrestore/sysrestore.index' | awk '{print $1}') if [ -f '/etc/ssh/sshd_config' -a $restore -ge 2 ]; then if grep -E -q '^(AuthorizedKeysCommand /usr/bin/sss_ssh_authorizedkeys|PubKeyAgent /usr/bin/sss_ssh_authorizedkeys %u)$' /etc/ssh/sshd_config 2>/dev/null; then sed -r ' /^(AuthorizedKeysCommand(User|RunAs)|PubKeyAgentRunAs)[ \t]/ d ' /etc/ssh/sshd_config >/etc/ssh/sshd_config.ipanew if /usr/sbin/sshd -t -f /dev/null -o 'AuthorizedKeysCommand=/usr/bin/sss_ssh_authorizedkeys' -o 'AuthorizedKeysCommandUser=nobody' 2>/dev/null; then sed -ri ' s/^PubKeyAgent (.+) %u$/AuthorizedKeysCommand \1/ s/^AuthorizedKeysCommand .*$/\0\nAuthorizedKeysCommandUser nobody/ ' /etc/ssh/sshd_config.ipanew elif /usr/sbin/sshd -t -f /dev/null -o 'AuthorizedKeysCommand=/usr/bin/sss_ssh_authorizedkeys' -o 'AuthorizedKeysCommandRunAs=nobody' 2>/dev/null; then sed -ri ' s/^PubKeyAgent (.+) %u$/AuthorizedKeysCommand \1/ s/^AuthorizedKeysCommand .*$/\0\nAuthorizedKeysCommandRunAs nobody/ ' /etc/ssh/sshd_config.ipanew elif /usr/sbin/sshd -t -f /dev/null -o 'PubKeyAgent=/usr/bin/sss_ssh_authorizedkeys %u' -o 'PubKeyAgentRunAs=nobody' 2>/dev/null; then sed -ri ' s/^AuthorizedKeysCommand (.+)$/PubKeyAgent \1 %u/ s/^PubKeyAgent .*$/\0\nPubKeyAgentRunAs nobody/ ' /etc/ssh/sshd_config.ipanew fi mv -Z /etc/ssh/sshd_config.ipanew /etc/ssh/sshd_config chmod 600 /etc/ssh/sshd_config /bin/systemctl condrestart sshd.service 2>&1 || : fi fi %triggerin client -- openssh-server >= 8.2 # Has the client been configured? restore=0 test -f '/var/lib/ipa-client/sysrestore/sysrestore.index' && restore=$(wc -l '/var/lib/ipa-client/sysrestore/sysrestore.index' | awk '{print $1}') if [ -f '/etc/ssh/sshd_config' -a $restore -ge 2 ]; then # If the snippet already exists, skip if [ ! -f '/etc/ssh/sshd_config.d/04-ipa.conf' ]; then # Take the values from /etc/ssh/sshd_config and put them in 04-ipa.conf grep -E '^(PubkeyAuthentication|KerberosAuthentication|GSSAPIAuthentication|UsePAM|ChallengeResponseAuthentication|AuthorizedKeysCommand|AuthorizedKeysCommandUser)' /etc/ssh/sshd_config 2>/dev/null > /etc/ssh/sshd_config.d/04-ipa.conf # Remove the values from sshd_conf sed -ri ' /^(PubkeyAuthentication|KerberosAuthentication|GSSAPIAuthentication|UsePAM|ChallengeResponseAuthentication|AuthorizedKeysCommand|AuthorizedKeysCommandUser)[ \t]/ d ' /etc/ssh/sshd_config /bin/systemctl condrestart sshd.service 2>&1 || : fi # If the snippet has been created, ensure that it is included # either by /etc/ssh/sshd_config.d/*.conf or directly if [ -f '/etc/ssh/sshd_config.d/04-ipa.conf' ]; then if ! grep -E -q '^\s*Include\s*/etc/ssh/sshd_config.d/\*\.conf' /etc/ssh/sshd_config 2> /dev/null ; then if ! grep -E -q '^\s*Include\s*/etc/ssh/sshd_config.d/04-ipa\.conf' /etc/ssh/sshd_config 2> /dev/null ; then # Include the snippet echo "Include /etc/ssh/sshd_config.d/04-ipa.conf" > /etc/ssh/sshd_config.ipanew cat /etc/ssh/sshd_config >> /etc/ssh/sshd_config.ipanew mv -fZ --backup=existing --suffix .ipaold /etc/ssh/sshd_config.ipanew /etc/ssh/sshd_config fi fi fi fi %if ! %{ONLY_CLIENT} %files server %doc README.md Contributors.txt %license COPYING %{_sbindir}/ipa-backup %{_sbindir}/ipa-restore %{_sbindir}/ipa-ca-install %{_sbindir}/ipa-kra-install %{_sbindir}/ipa-server-install %{_sbindir}/ipa-replica-conncheck %{_sbindir}/ipa-replica-install %{_sbindir}/ipa-replica-manage %{_sbindir}/ipa-csreplica-manage %{_sbindir}/ipa-server-certinstall %{_sbindir}/ipa-server-upgrade %{_sbindir}/ipa-ldap-updater %{_sbindir}/ipa-otptoken-import %{_sbindir}/ipa-compat-manage %{_sbindir}/ipa-nis-manage %{_sbindir}/ipa-managed-entries %{_sbindir}/ipactl %{_sbindir}/ipa-advise %{_sbindir}/ipa-cacert-manage %{_sbindir}/ipa-winsync-migrate %{_sbindir}/ipa-pkinit-manage %{_sbindir}/ipa-crlgen-manage %{_sbindir}/ipa-cert-fix %{_libexecdir}/certmonger/dogtag-ipa-ca-renew-agent-submit %{_libexecdir}/certmonger/ipa-server-guard %dir %{_libexecdir}/ipa %{_libexecdir}/ipa/ipa-custodia %{_libexecdir}/ipa/ipa-custodia-check %{_libexecdir}/ipa/ipa-httpd-kdcproxy %{_libexecdir}/ipa/ipa-httpd-pwdreader %{_libexecdir}/ipa/ipa-pki-retrieve-key %{_libexecdir}/ipa/ipa-pki-wait-running %{_libexecdir}/ipa/ipa-otpd %{_libexecdir}/ipa/ipa-print-pac %dir %{_libexecdir}/ipa/custodia %attr(755,root,root) %{_libexecdir}/ipa/custodia/ipa-custodia-dmldap %attr(755,root,root) %{_libexecdir}/ipa/custodia/ipa-custodia-pki-tomcat %attr(755,root,root) %{_libexecdir}/ipa/custodia/ipa-custodia-pki-tomcat-wrapped %attr(755,root,root) %{_libexecdir}/ipa/custodia/ipa-custodia-ra-agent %dir %{_libexecdir}/ipa/oddjob %attr(0755,root,root) %{_libexecdir}/ipa/oddjob/org.freeipa.server.conncheck %attr(0755,root,root) %{_libexecdir}/ipa/oddjob/org.freeipa.server.trust-enable-agent %config(noreplace) %{_sysconfdir}/dbus-1/system.d/org.freeipa.server.conf %config(noreplace) %{_sysconfdir}/oddjobd.conf.d/ipa-server.conf %dir %{_libexecdir}/ipa/certmonger %attr(755,root,root) %{_libexecdir}/ipa/certmonger/* # NOTE: systemd specific section %attr(644,root,root) %{_unitdir}/ipa.service %attr(644,root,root) %{_unitdir}/ipa-otpd.socket %attr(644,root,root) %{_unitdir}/ipa-otpd@.service # END %attr(755,root,root) %{plugin_dir}/libipa_pwd_extop.so %attr(755,root,root) %{plugin_dir}/libipa_enrollment_extop.so %attr(755,root,root) %{plugin_dir}/libipa_winsync.so %attr(755,root,root) %{plugin_dir}/libipa_repl_version.so %attr(755,root,root) %{plugin_dir}/libipa_uuid.so %attr(755,root,root) %{plugin_dir}/libipa_modrdn.so %attr(755,root,root) %{plugin_dir}/libipa_lockout.so %attr(755,root,root) %{plugin_dir}/libipa_dns.so %attr(755,root,root) %{plugin_dir}/libipa_range_check.so %attr(755,root,root) %{plugin_dir}/libipa_otp_counter.so %attr(755,root,root) %{plugin_dir}/libipa_otp_lasttoken.so %attr(755,root,root) %{plugin_dir}/libtopology.so %attr(755,root,root) %{plugin_dir}/libipa_sidgen.so %attr(755,root,root) %{plugin_dir}/libipa_sidgen_task.so %attr(755,root,root) %{plugin_dir}/libipa_extdom_extop.so %attr(755,root,root) %{_libdir}/krb5/plugins/kdb/ipadb.so %{_mandir}/man1/ipa-replica-conncheck.1* %{_mandir}/man1/ipa-replica-install.1* %{_mandir}/man1/ipa-replica-manage.1* %{_mandir}/man1/ipa-csreplica-manage.1* %{_mandir}/man1/ipa-server-certinstall.1* %{_mandir}/man1/ipa-server-install.1* %{_mandir}/man1/ipa-server-upgrade.1* %{_mandir}/man1/ipa-ca-install.1* %{_mandir}/man1/ipa-kra-install.1* %{_mandir}/man1/ipa-compat-manage.1* %{_mandir}/man1/ipa-nis-manage.1* %{_mandir}/man1/ipa-managed-entries.1* %{_mandir}/man1/ipa-ldap-updater.1* %{_mandir}/man8/ipactl.8* %{_mandir}/man1/ipa-backup.1* %{_mandir}/man1/ipa-restore.1* %{_mandir}/man1/ipa-advise.1* %{_mandir}/man1/ipa-otptoken-import.1* %{_mandir}/man1/ipa-cacert-manage.1* %{_mandir}/man1/ipa-winsync-migrate.1* %{_mandir}/man1/ipa-pkinit-manage.1* %{_mandir}/man1/ipa-crlgen-manage.1* %{_mandir}/man1/ipa-cert-fix.1* %files -n python3-ipaserver %doc README.md Contributors.txt %license COPYING %{python3_sitelib}/ipaserver %{python3_sitelib}/ipaserver-*.egg-info %files server-common %doc README.md Contributors.txt %license COPYING %ghost %verify(not owner group) %dir %{_sharedstatedir}/kdcproxy %dir %attr(0755,root,root) %{_sysconfdir}/ipa/kdcproxy %config(noreplace) %{_sysconfdir}/ipa/kdcproxy/kdcproxy.conf # NOTE: systemd specific section %{_tmpfilesdir}/ipa.conf %attr(644,root,root) %{_unitdir}/ipa-custodia.service %ghost %attr(644,root,root) %{etc_systemd_dir}/httpd.d/ipa.conf # END %{_usr}/share/ipa/wsgi.py* %{_usr}/share/ipa/kdcproxy.wsgi %{_usr}/share/ipa/ipaca*.ini %{_usr}/share/ipa/*.ldif %exclude %{_datadir}/ipa/ipa-cldap-conf.ldif %{_usr}/share/ipa/*.uldif %{_usr}/share/ipa/*.template %dir %{_usr}/share/ipa/advise %dir %{_usr}/share/ipa/advise/legacy %{_usr}/share/ipa/advise/legacy/*.template %dir %{_usr}/share/ipa/profiles %{_usr}/share/ipa/profiles/README %{_usr}/share/ipa/profiles/*.cfg %dir %{_usr}/share/ipa/html %{_usr}/share/ipa/html/ssbrowser.html %{_usr}/share/ipa/html/unauthorized.html %dir %{_usr}/share/ipa/migration %{_usr}/share/ipa/migration/index.html %{_usr}/share/ipa/migration/migration.py* %dir %{_usr}/share/ipa/ui %{_usr}/share/ipa/ui/index.html %{_usr}/share/ipa/ui/reset_password.html %{_usr}/share/ipa/ui/sync_otp.html %{_usr}/share/ipa/ui/*.ico %{_usr}/share/ipa/ui/*.css %dir %{_usr}/share/ipa/ui/css %{_usr}/share/ipa/ui/css/*.css %dir %{_usr}/share/ipa/ui/js %dir %{_usr}/share/ipa/ui/js/dojo %{_usr}/share/ipa/ui/js/dojo/dojo.js %dir %{_usr}/share/ipa/ui/js/libs %{_usr}/share/ipa/ui/js/libs/*.js %dir %{_usr}/share/ipa/ui/js/freeipa %{_usr}/share/ipa/ui/js/freeipa/app.js %{_usr}/share/ipa/ui/js/freeipa/core.js %dir %{_usr}/share/ipa/ui/js/plugins %dir %{_usr}/share/ipa/ui/images %{_usr}/share/ipa/ui/images/*.jpg %{_usr}/share/ipa/ui/images/*.png %dir %{_usr}/share/ipa/wsgi %{_usr}/share/ipa/wsgi/plugins.py* %dir %{_sysconfdir}/ipa %dir %{_sysconfdir}/ipa/html %config(noreplace) %{_sysconfdir}/ipa/html/ssbrowser.html %config(noreplace) %{_sysconfdir}/ipa/html/unauthorized.html %ghost %attr(0644,root,root) %config(noreplace) %{_sysconfdir}/httpd/conf.d/ipa-rewrite.conf %ghost %attr(0644,root,root) %config(noreplace) %{_sysconfdir}/httpd/conf.d/ipa.conf %ghost %attr(0644,root,root) %config(noreplace) %{_sysconfdir}/httpd/conf.d/ipa-kdc-proxy.conf %ghost %attr(0640,root,root) %config(noreplace) %{_sysconfdir}/httpd/conf.d/ipa-pki-proxy.conf %ghost %attr(0644,root,root) %config(noreplace) %{_sysconfdir}/ipa/kdcproxy/ipa-kdc-proxy.conf %ghost %attr(0644,root,root) %config(noreplace) %{_usr}/share/ipa/html/ca.crt %ghost %attr(0640,root,named) %config(noreplace) %{_sysconfdir}/named/ipa-ext.conf %ghost %attr(0640,root,named) %config(noreplace) %{_sysconfdir}/named/ipa-options-ext.conf %ghost %attr(0644,root,root) %{_usr}/share/ipa/html/krb.con %ghost %attr(0644,root,root) %{_usr}/share/ipa/html/krb5.ini %ghost %attr(0644,root,root) %{_usr}/share/ipa/html/krbrealm.con %dir %{_usr}/share/ipa/updates/ %{_usr}/share/ipa/updates/* %dir %{_localstatedir}/lib/ipa %attr(700,root,root) %dir %{_localstatedir}/lib/ipa/backup %attr(700,root,root) %dir %{_localstatedir}/lib/ipa/gssproxy %attr(711,root,root) %dir %{_localstatedir}/lib/ipa/sysrestore %attr(700,root,root) %dir %{_localstatedir}/lib/ipa/sysupgrade %attr(755,root,root) %dir %{_localstatedir}/lib/ipa/pki-ca %attr(755,root,root) %dir %{_localstatedir}/lib/ipa/certs %attr(700,root,root) %dir %{_localstatedir}/lib/ipa/private %attr(700,root,root) %dir %{_localstatedir}/lib/ipa/passwds %ghost %attr(775,root,pkiuser) %{_localstatedir}/lib/ipa/pki-ca/publish %ghost %attr(770,named,named) %{_localstatedir}/named/dyndb-ldap/ipa %dir %attr(0700,root,root) %{_sysconfdir}/ipa/custodia %dir %{_usr}/share/ipa/schema.d %attr(0644,root,root) %{_usr}/share/ipa/schema.d/README %attr(0644,root,root) %{_usr}/share/ipa/gssapi.login %{_usr}/share/ipa/ipakrb5.aug %files server-dns %doc README.md Contributors.txt %license COPYING %config(noreplace) %{_sysconfdir}/sysconfig/ipa-dnskeysyncd %config(noreplace) %{_sysconfdir}/sysconfig/ipa-ods-exporter %dir %attr(0755,root,root) %{_sysconfdir}/ipa/dnssec %{_libexecdir}/ipa/ipa-dnskeysyncd %{_libexecdir}/ipa/ipa-dnskeysync-replica %{_libexecdir}/ipa/ipa-ods-exporter %{_sbindir}/ipa-dns-install %{_mandir}/man1/ipa-dns-install.1* %attr(644,root,root) %{_unitdir}/ipa-dnskeysyncd.service %attr(644,root,root) %{_unitdir}/ipa-ods-exporter.socket %attr(644,root,root) %{_unitdir}/ipa-ods-exporter.service %files server-trust-ad %doc README.md Contributors.txt %license COPYING %{_sbindir}/ipa-adtrust-install %{_usr}/share/ipa/smb.conf.empty %attr(755,root,root) %{_libdir}/samba/pdb/ipasam.so %attr(755,root,root) %{plugin_dir}/libipa_cldap.so %{_datadir}/ipa/ipa-cldap-conf.ldif %{_mandir}/man1/ipa-adtrust-install.1* %ghost %{_libdir}/krb5/plugins/libkrb5/winbind_krb5_locator.so %{_sysconfdir}/dbus-1/system.d/oddjob-ipa-trust.conf %{_sysconfdir}/oddjobd.conf.d/oddjobd-ipa-trust.conf %%attr(755,root,root) %{_libexecdir}/ipa/oddjob/com.redhat.idm.trust-fetch-domains # ONLY_CLIENT %endif %files client %doc README.md Contributors.txt %license COPYING %{_sbindir}/ipa-client-install %{_sbindir}/ipa-client-automount %{_sbindir}/ipa-certupdate %{_sbindir}/ipa-getkeytab %{_sbindir}/ipa-rmkeytab %{_sbindir}/ipa-join %{_bindir}/ipa %config %{_sysconfdir}/bash_completion.d %config %{_sysconfdir}/sysconfig/certmonger %{_mandir}/man1/ipa.1* %{_mandir}/man1/ipa-getkeytab.1* %{_mandir}/man1/ipa-rmkeytab.1* %{_mandir}/man1/ipa-client-install.1* %{_mandir}/man1/ipa-client-automount.1* %{_mandir}/man1/ipa-certupdate.1* %{_mandir}/man1/ipa-join.1* %files client-samba %doc README.md Contributors.txt %license COPYING %{_sbindir}/ipa-client-samba %{_mandir}/man1/ipa-client-samba.1* %files client-epn %doc README.md Contributors.txt %dir %{_sysconfdir}/ipa/epn %license COPYING %{_sbindir}/ipa-epn %{_mandir}/man1/ipa-epn.1* %{_mandir}/man5/epn.conf.5* %attr(644,root,root) %{_unitdir}/ipa-epn.service %attr(644,root,root) %{_unitdir}/ipa-epn.timer %attr(600,root,root) %config(noreplace) %{_sysconfdir}/ipa/epn.conf %attr(644,root,root) %config(noreplace) %{_sysconfdir}/ipa/epn/expire_msg.template %files -n python3-ipaclient %doc README.md Contributors.txt %license COPYING %dir %{python3_sitelib}/ipaclient %{python3_sitelib}/ipaclient/*.py %{python3_sitelib}/ipaclient/__pycache__/*.py* %dir %{python3_sitelib}/ipaclient/install %{python3_sitelib}/ipaclient/install/*.py %{python3_sitelib}/ipaclient/install/__pycache__/*.py* %dir %{python3_sitelib}/ipaclient/plugins %{python3_sitelib}/ipaclient/plugins/*.py %{python3_sitelib}/ipaclient/plugins/__pycache__/*.py* %dir %{python3_sitelib}/ipaclient/remote_plugins %{python3_sitelib}/ipaclient/remote_plugins/*.py %{python3_sitelib}/ipaclient/remote_plugins/__pycache__/*.py* %dir %{python3_sitelib}/ipaclient/remote_plugins/2_* %{python3_sitelib}/ipaclient/remote_plugins/2_*/*.py %{python3_sitelib}/ipaclient/remote_plugins/2_*/__pycache__/*.py* %dir %{python3_sitelib}/ipaclient/csrgen %dir %{python3_sitelib}/ipaclient/csrgen/profiles %{python3_sitelib}/ipaclient/csrgen/profiles/*.json %dir %{python3_sitelib}/ipaclient/csrgen/rules %{python3_sitelib}/ipaclient/csrgen/rules/*.json %dir %{python3_sitelib}/ipaclient/csrgen/templates %{python3_sitelib}/ipaclient/csrgen/templates/*.tmpl %{python3_sitelib}/ipaclient-*.egg-info %files client-common %doc README.md Contributors.txt %license COPYING %dir %attr(0755,root,root) %{_sysconfdir}/ipa/ %ghost %attr(0644,root,root) %config(noreplace) %{_sysconfdir}/ipa/default.conf %ghost %attr(0644,root,root) %config(noreplace) %{_sysconfdir}/ipa/ca.crt %dir %attr(0755,root,root) %{_sysconfdir}/ipa/nssdb # old dbm format %ghost %attr(644,root,root) %config(noreplace) %{_sysconfdir}/ipa/nssdb/cert8.db %ghost %attr(644,root,root) %config(noreplace) %{_sysconfdir}/ipa/nssdb/key3.db %ghost %attr(644,root,root) %config(noreplace) %{_sysconfdir}/ipa/nssdb/secmod.db # new sql format %ghost %attr(644,root,root) %config(noreplace) %{_sysconfdir}/ipa/nssdb/cert9.db %ghost %attr(644,root,root) %config(noreplace) %{_sysconfdir}/ipa/nssdb/key4.db %ghost %attr(644,root,root) %config(noreplace) %{_sysconfdir}/ipa/nssdb/pkcs11.txt %ghost %attr(600,root,root) %config(noreplace) %{_sysconfdir}/ipa/nssdb/pwdfile.txt %ghost %attr(644,root,root) %config(noreplace) %{_sysconfdir}/pki/ca-trust/source/ipa.p11-kit %dir %{_localstatedir}/lib/ipa-client %dir %{_localstatedir}/lib/ipa-client/pki %dir %{_localstatedir}/lib/ipa-client/sysrestore %{_mandir}/man5/default.conf.5* %dir %{_usr}/share/ipa/client %{_usr}/share/ipa/client/*.template %files python-compat %doc README.md Contributors.txt %license COPYING %files common -f %{gettext_domain}.lang %doc README.md Contributors.txt %license COPYING %dir %{_usr}/share/ipa %files -n python3-ipalib %doc README.md Contributors.txt %license COPYING %{python3_sitelib}/ipapython/ %{python3_sitelib}/ipalib/ %{python3_sitelib}/ipaplatform/ %{python3_sitelib}/ipapython-*.egg-info %{python3_sitelib}/ipalib-*.egg-info %{python3_sitelib}/ipaplatform-*.egg-info %if 0%{?with_ipatests} %files -n python3-ipatests %doc README.md Contributors.txt %license COPYING %{python3_sitelib}/ipatests %{python3_sitelib}/ipatests-*.egg-info %{_bindir}/ipa-run-tests-3 %{_bindir}/ipa-test-config-3 %{_bindir}/ipa-test-task-3 %{_bindir}/ipa-run-tests-%{python3_version} %{_bindir}/ipa-test-config-%{python3_version} %{_bindir}/ipa-test-task-%{python3_version} %{_bindir}/ipa-run-tests %{_bindir}/ipa-test-config %{_bindir}/ipa-test-task %{_mandir}/man1/ipa-run-tests.1* %{_mandir}/man1/ipa-test-config.1* %{_mandir}/man1/ipa-test-task.1* # with_ipatests %endif %if 0%{?with_selinux} %files selinux %{_datadir}/selinux/packages/%{selinuxtype}/%{modulename}.pp.* %ghost %{_sharedstatedir}/selinux/%{selinuxtype}/active/modules/200/%{modulename} # with_selinux %endif %changelog * Tue Nov 26 2013 Petr Viktorin - 4.8.10.dev202110231104+git- - Remove changelog. The history is kept in Git, downstreams have own logs. # note, this entry is here to placate tools that expect a non-empty changelog