-rw-r--r-- | .SRCINFO | 85 | ||||
-rw-r--r-- | 0001-Use-Arch-Linux-Paths.patch | 454 | ||||
-rw-r--r-- | 0002-Add-Arch-Linux-Platform.patch | 151 | ||||
-rw-r--r-- | 0003-Use-Python-2.patch | 657 | ||||
-rw-r--r-- | 0004-NTP-Fixes.patch | 38 | ||||
-rw-r--r-- | 0005-Fix-nss-includes.patch | 40 | ||||
-rw-r--r-- | 0006-Disable-make-testcert.patch | 24 | ||||
-rw-r--r-- | 0007-Fix-nosetests-path.patch | 25 | ||||
-rw-r--r-- | PKGBUILD | 348 | ||||
-rw-r--r-- | install.freeipa | 47 | ||||
-rw-r--r-- | install.freeipa-server | 34 | ||||
-rwxr-xr-x | sss-auth-setup.py | 338 |
12 files changed, 2241 insertions, 0 deletions
diff --git a/.SRCINFO b/.SRCINFO
new file mode 100644
index 000000000000..6bc1dd085b57
--- /dev/null
+++ b/.SRCINFO
@@ -0,0 +1,85 @@
+pkgbase = freeipa
+ pkgdesc = The Identity, Policy, and Audit system
+ pkgver = 3.3.5
+ pkgrel = 1
+ url = http://www.freeipa.org/
+ arch = i686
+ arch = x86_64
+ license = GPL
+ checkdepends = check
+ checkdepends = python2-nose
+ makedepends = curl
+ makedepends = java-runtime>=7
+ makedepends = krb5
+ makedepends = libunistring
+ makedepends = nspr
+ makedepends = nss
+ makedepends = openssl
+ makedepends = openldap
+ makedepends = popt
+ makedepends = python2
+ makedepends = python2-distribute
+ makedepends = python2-dnspython
+ makedepends = python2-kerberos
+ makedepends = python2-krbv
+ makedepends = python2-ldap
+ makedepends = python2-lxml
+ makedepends = python2-memcached
+ makedepends = python2-m2crypto
+ makedepends = python2-netaddr
+ makedepends = python2-nss
+ makedepends = python2-polib
+ makedepends = python2-pyasn1
+ makedepends = python2-pylint
+ makedepends = python2-pyopenssl
+ makedepends = sssd
+ makedepends = xmlrpc-c
+ options = !libtool
+ source = http://www.freeipa.org/downloads/src/freeipa-3.3.5.tar.gz
+ source = sss-auth-setup.py
+ source = 0001-Use-Arch-Linux-Paths.patch
+ source = 0002-Add-Arch-Linux-Platform.patch
+ source = 0003-Use-Python-2.patch
+ source = 0004-NTP-Fixes.patch
+ source = 0005-Fix-nss-includes.patch
+ source = 0006-Disable-make-testcert.patch
+ source = 0007-Fix-nosetests-path.patch
+ sha512sums = 58325e7a619eeb0170dd32a648f22e50c0df2d7bc0a7609b6f0be3b8328890e5e027ba094fd4970ac063544b4d163f4e07ac62c1b358dba5246e148c2fd830b6
+ sha512sums = 5f101692e311205b3706642c6f329459646aaa693683ab2d4847bd8a7f464ef99ec617b0422df8e25ec2a0dc3a68cd9bf54db4bb3013b84844df15160716adc8
+ sha512sums = 604927b05f248c6ee8a42c87198a3ab05aa2a98b3a8f4b9ee0352e049d9e59195eac2292b609a9f84b176875cd6640d118f7e5c35f74b042f7e03561aafd2c04
+ sha512sums = 7bd0dba218626f27f918b9cf15cf25183a90421ee2c792648f36e6cd75cf09f2ff04e30a9419f6033aa4d640fc1f7dcfa973fec9fc2c74354bb1e609621d449b
+ sha512sums = 872a172451c436fc916b72bc48733905b4f9298ece39ad737f60790e9fe2da896dfd2255f58d7aeb301c9c19a2bb2078684ca8449f9dec5dcb45fc1f5bda7b30
+ sha512sums = a70bcc98ea71e8154e7600d6bf7ed8de6bbb73d31b5ccb0b556a538e9cce78fbd71698e3be6cfa33487226e0e79d6fb8ee78d926259a4543fe4300a6b90b9a09
+ sha512sums = 294a6e3a09cada150dd0f21c712f312840a882acb067520b70ebd058cd4ee88863a2a828df63efc190c5608ffb0d71d60253883baddeb7487aec7b3d905abb04
+ sha512sums = 5bc0afc21a9a178ace728f902422683502b6cf579585bc8feab42d1f7701e8609468e92265b22c7f1f958f0f175f3287ea011e8f149fb30b231708e15b6eefd2
+ sha512sums = 0a79540e0df4e7b0fed8fd378411799fc5b2152795e1938df2ee6935e944517cd8c780740e8aec2f718476f3b5bd0a36113b85add04d4bdb180da5ba80c37c50
+
+pkgname = freeipa
+ install = install.freeipa
+ depends = autofs
+ depends = bind
+ depends = certmonger
+ depends = curl
+ depends = cyrus-sasl-gssapi
+ depends = gnupg
+ depends = iproute2
+ depends = nfs-utils
+ depends = nfsidmap
+ depends = nss
+ depends = ntp
+ depends = oddjob
+ depends = pam-krb5
+ depends = python2-dnspython
+ depends = python2-kerberos
+ depends = python2-krbv
+ depends = python2-ldap
+ depends = python2-lxml
+ depends = python2-netaddr
+ depends = python2-nss
+ depends = python2-pyopenssl
+ depends = sssd
+ depends = wget
+ depends = xmlrpc-c
+ backup = etc/ipa/default.conf
+ backup = etc/ipa/ca.crt
+
diff --git a/0001-Use-Arch-Linux-Paths.patch b/0001-Use-Arch-Linux-Paths.patch
new file mode 100644
index 000000000000..c519500596d6
--- /dev/null
+++ b/0001-Use-Arch-Linux-Paths.patch
@@ -0,0 +1,454 @@
+From ba36f963a8eac68990459b1e5fc54413584b4fd1 Mon Sep 17 00:00:00 2001
+From: Xiao-Long Chen <chenxiaolong@cxl.epac.to>
+Date: Wed, 16 Apr 2014 19:31:08 -0400
+Subject: [PATCH 1/7] Use Arch Linux Paths
+
+---
+ init/systemd/ipa_memcached.service | 2 +-
+ install/conf/ca_renewal | 2 +-
+ install/conf/ipa.conf | 2 +-
+ install/tools/ipa-upgradeconfig | 10 +++++-----
+ install/tools/man/ipa-upgradeconfig.8 | 2 +-
+ ipa-client/ipa-install/ipa-client-automount | 4 ++--
+ ipa-client/ipa-install/ipa-client-install | 2 +-
+ ipa-client/ipaclient/ntpconf.py | 2 +-
+ ipa-client/man/ipa-client-automount.1 | 4 ++--
+ ipa-client/man/ipa-client-install.1 | 2 +-
+ ipapython/certmonger.py | 2 +-
+ ipapython/platform/base/systemd.py | 22 +++++++++++-----------
+ ipaserver/install/cainstance.py | 2 +-
+ ipaserver/install/httpinstance.py | 26 +++++++++++++-------------
+ ipaserver/install/ipa_backup.py | 10 +++++-----
+ ipaserver/install/ntpinstance.py | 6 +++---
+ 16 files changed, 50 insertions(+), 50 deletions(-)
+
+diff --git a/init/systemd/ipa_memcached.service b/init/systemd/ipa_memcached.service
+index a4857cd..2f73f39 100644
+--- a/init/systemd/ipa_memcached.service
++++ b/init/systemd/ipa_memcached.service
+@@ -4,7 +4,7 @@ After=network.target
+
+ [Service]
+ Type=forking
+-EnvironmentFile=/etc/sysconfig/ipa_memcached
++EnvironmentFile=/etc/conf.d/ipa_memcached.conf
+ PIDFile=/var/run/ipa_memcached/ipa_memcached.pid
+ ExecStart=/usr/bin/memcached -d -s $SOCKET_PATH -u $USER -m $CACHESIZE -c $MAXCONN -P /var/run/ipa_memcached/ipa_memcached.pid $OPTIONS
+
+diff --git a/install/conf/ca_renewal b/install/conf/ca_renewal
+index 57a9e9c..449e2de 100644
+--- a/install/conf/ca_renewal
++++ b/install/conf/ca_renewal
+@@ -3,4 +3,4 @@
+ id=dogtag-ipa-retrieve-agent-submit
+ ca_is_default=0
+ ca_type=EXTERNAL
+-ca_external_helper=/usr/libexec/certmonger/dogtag-ipa-retrieve-agent-submit
++ca_external_helper=/usr/lib/certmonger/certmonger/dogtag-ipa-retrieve-agent-submit
+diff --git a/install/conf/ipa.conf b/install/conf/ipa.conf +index 1a33f62..8184f8a 100644 +--- a/install/conf/ipa.conf ++++ b/install/conf/ipa.conf +@@ -36,7 +36,7 @@ Header unset ETag + FileETag None + + # FIXME: WSGISocketPrefix is a server-scope directive. The mod_wsgi package +-# should really be fixed by adding this its /etc/httpd/conf.d/wsgi.conf: ++# should really be fixed by adding this its /etc/httpd/conf/extra/wsgi.conf: + WSGISocketPrefix /run/httpd/wsgi + + +diff --git a/install/tools/ipa-upgradeconfig b/install/tools/ipa-upgradeconfig +index 41c5126..c565d27 100644 +--- a/install/tools/ipa-upgradeconfig ++++ b/install/tools/ipa-upgradeconfig +@@ -112,7 +112,7 @@ def update_conf(sub_dict, filename, template_filename): + + def find_hostname(): + """Find the hostname currently configured in ipa-rewrite.conf""" +- filename="/etc/httpd/conf.d/ipa-rewrite.conf" ++ filename="/etc/httpd/conf/extra/ipa-rewrite.conf" + + if not ipautil.file_exists(filename): + return None +@@ -135,7 +135,7 @@ def find_autoredirect(fqdn): + + Returns True if autoredirect is enabled, False otherwise + """ +- filename = '/etc/httpd/conf.d/ipa-rewrite.conf' ++ filename = '/etc/httpd/conf/extra/ipa-rewrite.conf' + if os.path.exists(filename): + pattern = "^RewriteRule \^/\$ https://%s/ipa/ui \[L,NC,R=301\]" % fqdn + p = re.compile(pattern) +@@ -1030,9 +1030,9 @@ def main(): + certmap_dir = dsinstance.config_dirname( + dsinstance.realm_to_serverid(api.env.realm)) + +- upgrade(sub_dict, "/etc/httpd/conf.d/ipa.conf", ipautil.SHARE_DIR + "ipa.conf") +- upgrade(sub_dict, "/etc/httpd/conf.d/ipa-rewrite.conf", ipautil.SHARE_DIR + "ipa-rewrite.conf") +- upgrade(sub_dict, "/etc/httpd/conf.d/ipa-pki-proxy.conf", ipautil.SHARE_DIR + "ipa-pki-proxy.conf", add=True) ++ upgrade(sub_dict, "/etc/httpd/conf/extra/ipa.conf", ipautil.SHARE_DIR + "ipa.conf") ++ upgrade(sub_dict, "/etc/httpd/conf/extra/ipa-rewrite.conf", ipautil.SHARE_DIR + "ipa-rewrite.conf") ++ upgrade(sub_dict, 
"/etc/httpd/conf/extra/ipa-pki-proxy.conf", ipautil.SHARE_DIR + "ipa-pki-proxy.conf", add=True) + if subject_base: + upgrade( + sub_dict, +diff --git a/install/tools/man/ipa-upgradeconfig.8 b/install/tools/man/ipa-upgradeconfig.8 +index 43e2ab9..48bc1b6 100644 +--- a/install/tools/man/ipa-upgradeconfig.8 ++++ b/install/tools/man/ipa-upgradeconfig.8 +@@ -24,7 +24,7 @@ ipa\-upgradeconfig + .SH "DESCRIPTION" + A tool to update the IPA Apache configuration during an upgrade. + +-It examines the VERSION value in the head of \fI/etc/httpd/conf.d/ipa.conf\fR and \fI/etc/httpd/conf.d/ipa\-rewrite.conf\fR and compares this with the templates. If an update is needed then new files are written. ++It examines the VERSION value in the head of \fI/etc/httpd/conf/extra/ipa.conf\fR and \fI/etc/httpd/conf/extra/ipa\-rewrite.conf\fR and compares this with the templates. If an update is needed then new files are written. + + It also will convert a CA configured to be accessible via ports 9443, 9444, 9445 and 9446 to be proxied by the IPA web server on ports 80 and 443. 
+ +diff --git a/ipa-client/ipa-install/ipa-client-automount b/ipa-client/ipa-install/ipa-client-automount +index 62531bf..000de4e 100755 +--- a/ipa-client/ipa-install/ipa-client-automount ++++ b/ipa-client/ipa-install/ipa-client-automount +@@ -39,10 +39,10 @@ from ipapython.ipa_log_manager import * + from ipapython.dn import DN + from ipapython import services as ipaservices + +-AUTOFS_CONF = '/etc/sysconfig/autofs' ++AUTOFS_CONF = '/etc/conf.d/autofs' + NSSWITCH_CONF = '/etc/nsswitch.conf' + AUTOFS_LDAP_AUTH = '/etc/autofs_ldap_auth.conf' +-NFS_CONF = '/etc/sysconfig/nfs' ++NFS_CONF = '/etc/conf.d/nfs' + IDMAPD_CONF = '/etc/idmapd.conf' + + def parse_options(): +diff --git a/ipa-client/ipa-install/ipa-client-install b/ipa-client/ipa-install/ipa-client-install +index afed54e..0f42e4b 100755 +--- a/ipa-client/ipa-install/ipa-client-install ++++ b/ipa-client/ipa-install/ipa-client-install +@@ -603,7 +603,7 @@ def uninstall(options, env): + # to this version but not unenrolled/enrolled again + # In such case it is OK to fail + restored = fstore.restore_file("/etc/ntp.conf") +- restored |= fstore.restore_file("/etc/sysconfig/ntpd") ++ restored |= fstore.restore_file("/etc/conf.d/ntpd.conf") + if ntp_step_tickers: + restored |= fstore.restore_file("/etc/ntp/step-tickers") + except Exception: +diff --git a/ipa-client/ipaclient/ntpconf.py b/ipa-client/ipaclient/ntpconf.py +index 8c4c653..7c95a46 100644 +--- a/ipa-client/ipaclient/ntpconf.py ++++ b/ipa-client/ipaclient/ntpconf.py +@@ -98,7 +98,7 @@ def __write_config(path, content): + def config_ntp(server_fqdn, fstore = None, sysstore = None): + path_step_tickers = "/etc/ntp/step-tickers" + path_ntp_conf = "/etc/ntp.conf" +- path_ntp_sysconfig = "/etc/sysconfig/ntpd" ++ path_ntp_sysconfig = "/etc/conf.d/ntpd.conf" + sub_dict = { } + sub_dict["SERVER"] = server_fqdn + +diff --git a/ipa-client/man/ipa-client-automount.1 b/ipa-client/man/ipa-client-automount.1 +index 5b60503..16ccbea 100644 +--- 
a/ipa-client/man/ipa-client-automount.1 ++++ b/ipa-client/man/ipa-client-automount.1 +@@ -29,7 +29,7 @@ The automount configuration consists of three files: + .IP o + /etc/nsswitch.conf + .IP o +-/etc/sysconfig/autofs ++/etc/conf.d/autofs + .IP o + /etc/autofs_ldap_auth.conf + +@@ -79,7 +79,7 @@ Files that will be configured when SSSD is the automount client (default): + .TP + Files that will be configured when using the ldap automount client: + +-/etc/sysconfig/autofs ++/etc/conf.d/autofs + + /etc/autofs_ldap_auth.conf + +diff --git a/ipa-client/man/ipa-client-install.1 b/ipa-client/man/ipa-client-install.1 +index 3496ee3..38df29f 100644 +--- a/ipa-client/man/ipa-client-install.1 ++++ b/ipa-client/man/ipa-client-install.1 +@@ -202,7 +202,7 @@ Files that will be replaced if they exist and SSSD is not configured (\-\-no\-ss + Files replaced if NTP is enabled: + + /etc/ntp.conf\p +-/etc/sysconfig/ntpd\p ++/etc/conf.d/ntpd.conf\p + /etc/ntp/step\-tickers\p + .TP + Files always created (replacing existing content): +diff --git a/ipapython/certmonger.py b/ipapython/certmonger.py +index 03f4b23..7401ae0 100644 +--- a/ipapython/certmonger.py ++++ b/ipapython/certmonger.py +@@ -298,7 +298,7 @@ def add_principal_to_cas(principal): + If the hostname we were passed to use in ipa-client-install doesn't + match the value of gethostname() then we need to append + -k host/HOSTNAME@REALM to the ca helper defined for +- /usr/libexec/certmonger/ipa-submit. ++ /usr/lib/certmonger/certmonger/ipa-submit. + + We also need to restore this on uninstall. 
+ +diff --git a/ipapython/platform/base/systemd.py b/ipapython/platform/base/systemd.py +index f122018..6f4f6d7 100644 +--- a/ipapython/platform/base/systemd.py ++++ b/ipapython/platform/base/systemd.py +@@ -25,7 +25,7 @@ from ipalib import api + + class SystemdService(base.PlatformService): + SYSTEMD_ETC_PATH = "/etc/systemd/system/" +- SYSTEMD_LIB_PATH = "/lib/systemd/system/" ++ SYSTEMD_LIB_PATH = "/usr/lib/systemd/system/" + SYSTEMD_SRV_TARGET = "%s.target.wants" + + def __init__(self, service_name, systemd_name): +@@ -98,7 +98,7 @@ class SystemdService(base.PlatformService): + + def stop(self, instance_name="", capture_output=True): + instance = self.service_instance(instance_name) +- args = ["/bin/systemctl", "stop", instance] ++ args = ["/usr/bin/systemctl", "stop", instance] + + # The --ignore-dependencies switch is used to avoid possible + # deadlock during the shutdown transaction. For more details, see +@@ -116,7 +116,7 @@ class SystemdService(base.PlatformService): + super(SystemdService, self).stop(instance_name,update_service_list=update_service_list) + + def start(self, instance_name="", capture_output=True, wait=True): +- ipautil.run(["/bin/systemctl", "start", self.service_instance(instance_name)], capture_output=capture_output) ++ ipautil.run(["/usr/bin/systemctl", "start", self.service_instance(instance_name)], capture_output=capture_output) + if 'context' in api.env and api.env.context in ['ipactl', 'installer']: + update_service_list = True + else: +@@ -128,7 +128,7 @@ class SystemdService(base.PlatformService): + def restart(self, instance_name="", capture_output=True, wait=True): + # Restart command is broken before systemd-36-3.fc16 + # If you have older systemd version, restart of dependent services will hang systemd indefinetly +- ipautil.run(["/bin/systemctl", "restart", self.service_instance(instance_name)], capture_output=capture_output) ++ ipautil.run(["/usr/bin/systemctl", "restart", self.service_instance(instance_name)], 
capture_output=capture_output) + if wait and self.is_running(instance_name): + self.__wait_for_open_ports(self.service_instance(instance_name)) + +@@ -138,7 +138,7 @@ class SystemdService(base.PlatformService): + while True: + try: + (sout, serr, rcode) = ipautil.run( +- ["/bin/systemctl", "is-active", instance], ++ ["/usr/bin/systemctl", "is-active", instance], + capture_output=True + ) + except ipautil.CalledProcessError as e: +@@ -158,7 +158,7 @@ class SystemdService(base.PlatformService): + def is_installed(self): + installed = True + try: +- (sout,serr,rcode) = ipautil.run(["/bin/systemctl", "list-unit-files", "--full"]) ++ (sout,serr,rcode) = ipautil.run(["/usr/bin/systemctl", "list-unit-files", "--full"]) + if rcode != 0: + installed = False + else: +@@ -173,7 +173,7 @@ class SystemdService(base.PlatformService): + def is_enabled(self, instance_name=""): + enabled = True + try: +- (sout,serr,rcode) = ipautil.run(["/bin/systemctl", "is-enabled", self.service_instance(instance_name)]) ++ (sout,serr,rcode) = ipautil.run(["/usr/bin/systemctl", "is-enabled", self.service_instance(instance_name)]) + if rcode != 0: + enabled = False + except ipautil.CalledProcessError, e: +@@ -218,7 +218,7 @@ class SystemdService(base.PlatformService): + # Link exists and it is broken, make new one + os.unlink(srv_lnk) + os.symlink(self.lib_path, srv_lnk) +- ipautil.run(["/bin/systemctl", "--system", "daemon-reload"]) ++ ipautil.run(["/usr/bin/systemctl", "--system", "daemon-reload"]) + except: + pass + else: +@@ -236,7 +236,7 @@ class SystemdService(base.PlatformService): + if ipautil.dir_exists(srv_tgt): + if os.path.islink(srv_lnk): + os.unlink(srv_lnk) +- ipautil.run(["/bin/systemctl", "--system", "daemon-reload"]) ++ ipautil.run(["/usr/bin/systemctl", "--system", "daemon-reload"]) + except: + pass + else: +@@ -244,13 +244,13 @@ class SystemdService(base.PlatformService): + + def __enable(self, instance_name=""): + try: +- ipautil.run(["/bin/systemctl", "enable", 
self.service_instance(instance_name)]) ++ ipautil.run(["/usr/bin/systemctl", "enable", self.service_instance(instance_name)]) + except ipautil.CalledProcessError, e: + pass + + def __disable(self, instance_name=""): + try: +- ipautil.run(["/bin/systemctl", "disable", self.service_instance(instance_name)]) ++ ipautil.run(["/usr/bin/systemctl", "disable", self.service_instance(instance_name)]) + except ipautil.CalledProcessError, e: + pass + +diff --git a/ipaserver/install/cainstance.py b/ipaserver/install/cainstance.py +index 126bbae..a1f729e 100644 +--- a/ipaserver/install/cainstance.py ++++ b/ipaserver/install/cainstance.py +@@ -57,7 +57,7 @@ from ipaserver.install.installutils import stopped_service + from ipaserver.plugins import ldap2 + from ipapython.ipa_log_manager import * + +-HTTPD_CONFD = "/etc/httpd/conf.d/" ++HTTPD_CONFD = "/etc/httpd/conf/extra/" + DEFAULT_DSPORT = dogtag.install_constants.DS_PORT + + PKI_USER = "pkiuser" +diff --git a/ipaserver/install/httpinstance.py b/ipaserver/install/httpinstance.py +index 689e657..d4a3252 100644 +--- a/ipaserver/install/httpinstance.py ++++ b/ipaserver/install/httpinstance.py +@@ -37,8 +37,8 @@ from ipaserver.install import sysupgrade + from ipalib import api + + HTTPD_DIR = "/etc/httpd" +-SSL_CONF = HTTPD_DIR + "/conf.d/ssl.conf" +-NSS_CONF = HTTPD_DIR + "/conf.d/nss.conf" ++SSL_CONF = HTTPD_DIR + "/conf/extra/ssl.conf" ++NSS_CONF = HTTPD_DIR + "/conf/extra/nss.conf" + + selinux_warning = """ + WARNING: could not set selinux boolean(s) %(var)s to true. 
The web +@@ -223,7 +223,7 @@ class HTTPInstance(service.Service): + def configure_httpd_ccache(self): + pent = pwd.getpwnam("apache") + ccache = '/tmp/krb5cc_%d' % pent.pw_uid +- filepath = '/etc/sysconfig/httpd' ++ filepath = '/etc/conf.d/apache' + if not os.path.exists(filepath): + # file doesn't exist; create it with correct ownership & mode + open(filepath, 'a').close() +@@ -237,17 +237,17 @@ class HTTPInstance(service.Service): + ipaservices.restore_context(filepath) + + def __configure_http(self): +- target_fname = '/etc/httpd/conf.d/ipa.conf' ++ target_fname = '/etc/httpd/conf/extra/ipa.conf' + http_txt = ipautil.template_file(ipautil.SHARE_DIR + "ipa.conf", self.sub_dict) +- self.fstore.backup_file("/etc/httpd/conf.d/ipa.conf") ++ self.fstore.backup_file("/etc/httpd/conf/extra/ipa.conf") + http_fd = open(target_fname, "w") + http_fd.write(http_txt) + http_fd.close() + os.chmod(target_fname, 0644) + +- target_fname = '/etc/httpd/conf.d/ipa-rewrite.conf' ++ target_fname = '/etc/httpd/conf/extra/ipa-rewrite.conf' + http_txt = ipautil.template_file(ipautil.SHARE_DIR + "ipa-rewrite.conf", self.sub_dict) +- self.fstore.backup_file("/etc/httpd/conf.d/ipa-rewrite.conf") ++ self.fstore.backup_file("/etc/httpd/conf/extra/ipa-rewrite.conf") + http_fd = open(target_fname, "w") + http_fd.write(http_txt) + http_fd.close() +@@ -285,8 +285,8 @@ class HTTPInstance(service.Service): + + def __add_include(self): + """This should run after __set_mod_nss_port so is already backed up""" +- if installutils.update_file(NSS_CONF, '</VirtualHost>', 'Include conf.d/ipa-rewrite.conf\n</VirtualHost>') != 0: +- print "Adding Include conf.d/ipa-rewrite to %s failed." % NSS_CONF ++ if installutils.update_file(NSS_CONF, '</VirtualHost>', 'Include conf/extra/ipa-rewrite.conf\n</VirtualHost>') != 0: ++ print "Adding Include conf/extra/ipa-rewrite to %s failed." 
% NSS_CONF + + def __setup_ssl(self): + fqdn = self.fqdn +@@ -425,7 +425,7 @@ class HTTPInstance(service.Service): + if not enabled is None and not enabled: + self.disable() + +- for f in ["/etc/httpd/conf.d/ipa.conf", SSL_CONF, NSS_CONF]: ++ for f in ["/etc/httpd/conf/extra/ipa.conf", SSL_CONF, NSS_CONF]: + try: + self.fstore.restore_file(f) + except ValueError, error: +@@ -433,9 +433,9 @@ class HTTPInstance(service.Service): + pass + + # Remove the configuration files we create +- installutils.remove_file("/etc/httpd/conf.d/ipa-rewrite.conf") +- installutils.remove_file("/etc/httpd/conf.d/ipa.conf") +- installutils.remove_file("/etc/httpd/conf.d/ipa-pki-proxy.conf") ++ installutils.remove_file("/etc/httpd/conf/extra/ipa-rewrite.conf") ++ installutils.remove_file("/etc/httpd/conf/extra/ipa.conf") ++ installutils.remove_file("/etc/httpd/conf/extra/ipa-pki-proxy.conf") + + for var in ["httpd_can_network_connect", "httpd_manage_ipa"]: + sebool_state = self.restore_state(var) +diff --git a/ipaserver/install/ipa_backup.py b/ipaserver/install/ipa_backup.py +index 12c6215..1fb8334 100644 +--- a/ipaserver/install/ipa_backup.py ++++ b/ipaserver/install/ipa_backup.py +@@ -126,7 +126,7 @@ class Backup(admintool.AdminTool): + '/etc/sysconfig/pki-ca', + '/etc/sysconfig/pki-tomcat', + '/etc/sysconfig/dirsrv', +- '/etc/sysconfig/ntpd', ++ '/etc/conf.d/ntpd.conf', + '/etc/sysconfig/krb5kdc', + '/etc/sysconfig/pki/ca/pki-ca', + '/etc/sysconfig/authconfig', +@@ -140,10 +140,10 @@ class Backup(admintool.AdminTool): + '/etc/security/limits.conf', + '/etc/httpd/conf/password.conf', + '/etc/httpd/conf/ipa.keytab', +- '/etc/httpd/conf.d/ipa-pki-proxy.conf', +- '/etc/httpd/conf.d/ipa-rewrite.conf', +- '/etc/httpd/conf.d/nss.conf', +- '/etc/httpd/conf.d/ipa.conf', ++ '/etc/httpd/conf/extra/ipa-pki-proxy.conf', ++ '/etc/httpd/conf/extra/ipa-rewrite.conf', ++ '/etc/httpd/conf/extra/nss.conf', ++ '/etc/httpd/conf/extra/ipa.conf', + '/etc/ssh/sshd_config', + '/etc/ssh/ssh_config', + 
'/etc/krb5.conf', +diff --git a/ipaserver/install/ntpinstance.py b/ipaserver/install/ntpinstance.py +index f2e8ffe..00615b9 100644 +--- a/ipaserver/install/ntpinstance.py ++++ b/ipaserver/install/ntpinstance.py +@@ -35,7 +35,7 @@ class NTPInstance(service.Service): + def __write_config(self): + + self.fstore.backup_file("/etc/ntp.conf") +- self.fstore.backup_file("/etc/sysconfig/ntpd") ++ self.fstore.backup_file("/etc/conf.d/ntpd.conf") + + # We use the OS variable to point it towards either the rhel + # or fedora pools. Other distros should be added in the future +@@ -99,7 +99,7 @@ class NTPInstance(service.Service): + #read in memory, find OPTIONS, check/change it, then overwrite file + needopts = [ {'val':'-x', 'need':True}, + {'val':'-g', 'need':True} ] +- fd = open("/etc/sysconfig/ntpd", "r") ++ fd = open("/etc/conf.d/ntpd.conf", "r") + lines = fd.readlines() + fd.close() + for line in lines: +@@ -118,7 +118,7 @@ class NTPInstance(service.Service): + + done = False + if newopts: +- fd = open("/etc/sysconfig/ntpd", "w") ++ fd = open("/etc/conf.d/ntpd.conf", "w") + for line in lines: + if not done: + sline = line.strip() +-- +1.9.2 + diff --git a/0002-Add-Arch-Linux-Platform.patch b/0002-Add-Arch-Linux-Platform.patch new file mode 100644 index 000000000000..01c43d44b598 --- /dev/null +++ b/0002-Add-Arch-Linux-Platform.patch 
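Review bot: In the ipaserver/install/httpinstance.py part of this patch, `configure_httpd_ccache` is repointed to `/etc/conf.d/apache`, but the unchanged context line above it still reads `pent = pwd.getpwnam("apache")`. Arch's httpd package runs under the `http` account as far as I know, so this lookup would raise `KeyError` during server install; the account name should move with the paths, e.g. `pent = pwd.getpwnam("http")`. The ipaserver/install/ipa_backup.py hunk has the same partial-migration shape: only `/etc/sysconfig/ntpd` is rewritten, while the neighbouring `/etc/sysconfig/krb5kdc`, `/etc/sysconfig/dirsrv` and `/etc/sysconfig/pki-*` entries remain, so a backup taken on Arch may silently omit KDC and directory-server settings if those files live elsewhere. Both functions continue outside the visible hunks, so confirm against the full files.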
@@ -0,0 +1,151 @@
+From 5d78b9364c98435b5f3ee54a27c6c9294366c476 Mon Sep 17 00:00:00 2001
+From: Xiao-Long Chen <chenxiaolong@cxl.epac.to>
+Date: Wed, 16 Apr 2014 19:32:33 -0400
+Subject: [PATCH 2/7] Add Arch Linux Platform
+
+---
+ ipapython/platform/archlinux/__init__.py | 40 ++++++++++++++++++++++++++++++++
+ ipapython/platform/archlinux/auth.py | 17 ++++++++++++++
+ ipapython/platform/fedora16/service.py | 8 +++----
+ ipapython/platform/fedora18/__init__.py | 2 +-
+ ipapython/setup.py | 1 +
+ ipapython/setup.py.in | 1 +
+ 6 files changed, 64 insertions(+), 5 deletions(-)
+ create mode 100644 ipapython/platform/archlinux/__init__.py
+ create mode 100644 ipapython/platform/archlinux/auth.py
+
+diff --git a/ipapython/platform/archlinux/__init__.py b/ipapython/platform/archlinux/__init__.py
+new file mode 100644
+index 0000000..2b77bcc
+--- /dev/null
++++ b/ipapython/platform/archlinux/__init__.py
+@@ -0,0 +1,40 @@
++import os
++
++from ipapython.platform import fedora18, base
++from ipapython.platform.archlinux.auth import ArchLinuxAuthConfig
++
++# All what we allow exporting directly from this module
++# Everything else is made available through these symbols when they are
++# directly imported into ipapython.services:
++# authconfig -- class reference for platform-specific implementation of
++# authconfig(8)
++# service -- class reference for platform-specific implementation of a
++# PlatformService class
++# knownservices -- factory instance to access named services IPA cares about,
++# names are ipapython.services.wellknownservices
++# backup_and_replace_hostname -- platform-specific way to set hostname and
++# make it persistent over reboots
++# restore_network_configuration -- platform-specific way of restoring network
++# configuration (e.g. static hostname)
++# restore_context -- platform-sepcific way to restore security context, if
++# applicable
++# check_selinux_status -- platform-specific way to see if SELinux is enabled
++# and restorecon is installed.
++__all__ = ['authconfig', 'service', 'knownservices',
++ 'backup_and_replace_hostname', 'restore_context', 'check_selinux_status',
++ 'restore_network_configuration', 'timedate_services']
++
++# Just copy a referential list of timedate services
++timedate_services = list(base.timedate_services)
++
++def restore_network_configuration(fstore, statestore):
++ filepath = '/etc/hostname'
++ if fstore.has_file(filepath):
++ fstore.restore_file(filepath)
++
++authconfig = ArchLinuxAuthConfig
++service = fedora18.service
++knownservices = fedora18.knownservices
++backup_and_replace_hostname = fedora18.backup_and_replace_hostname
++restore_context = fedora18.restore_context
++check_selinux_status = fedora18.check_selinux_status
+diff --git a/ipapython/platform/archlinux/auth.py b/ipapython/platform/archlinux/auth.py
+new file mode 100644
+index 0000000..67ee063
+--- /dev/null
++++ b/ipapython/platform/archlinux/auth.py
+@@ -0,0 +1,17 @@
++from ipapython.platform import base
++
++class ArchLinuxAuthConfig(base.AuthConfig):
++ """
++ Arch Linux implementation of the AuthConfig class.
++
++ The freeipa package includes a sss-auth-setup.py Python 3 script which will
++ set up both the NSS and PAM configuration. However, this script modifies the
++ PAM configuration files directly, so the changes need to be undone before
++ pacman updates anything in /etc/pam.d/ and if any new configuration files
++ are added.
++
++ It's probably best to have this handled manually.
++ """
++
++ def execute(self):
++ raise NotImplementedError
+diff --git a/ipapython/platform/fedora16/service.py b/ipapython/platform/fedora16/service.py
+index edf2d7f..7523761 100644
+--- a/ipapython/platform/fedora16/service.py
++++ b/ipapython/platform/fedora16/service.py
+@@ -32,8 +32,8 @@ from ipalib import api
+ # mapping will be kept in this dictionary
+ system_units = dict(map(lambda x: (x, "%s.service" % (x)), base.wellknownservices))
+
+-system_units['rpcgssd'] = 'nfs-secure.service'
+-system_units['rpcidmapd'] = 'nfs-idmap.service'
++system_units['rpcgssd'] = 'rpc-gssd.service'
++system_units['rpcidmapd'] = 'rpc-idmapd.service'
+
+ # Rewrite dirsrv and pki-tomcatd services as they support instances via separate
+ # service generator. To make this working, one needs to have both foo@.servic
+@@ -144,8 +144,8 @@ class Fedora16CAService(Fedora16Service):
+ # false positives, so check for existence of our configuration file.
+ # TODO: Use a cleaner solution
+ use_proxy = True
+- if not (os.path.exists('/etc/httpd/conf.d/ipa.conf') and
+- os.path.exists('/etc/httpd/conf.d/ipa-pki-proxy.conf')):
++ if not (os.path.exists('/etc/httpd/conf/extra/ipa.conf') and
++ os.path.exists('/etc/httpd/conf/extra/ipa-pki-proxy.conf')):
+ root_logger.debug(
+ 'The httpd proxy is not installed, wait on local port')
+ use_proxy = False
+diff --git a/ipapython/platform/fedora18/__init__.py b/ipapython/platform/fedora18/__init__.py
+index d12bdca..2ac882c 100644
+--- a/ipapython/platform/fedora18/__init__.py
++++ b/ipapython/platform/fedora18/__init__.py
+@@ -52,7 +52,7 @@ timedate_services = list(base.timedate_services)
+ def backup_and_replace_hostname(fstore, statestore, hostname):
+ old_hostname = socket.gethostname()
+ try:
+- ipautil.run(['/bin/hostname', hostname])
++ ipautil.run(['/usr/bin/hostname', hostname])
+ except ipautil.CalledProcessError, e:
+ print >>sys.stderr, "Failed to set this machine hostname to %s (%s)." % (hostname, str(e))
+
+diff --git a/ipapython/setup.py b/ipapython/setup.py
+index cb24eee..cffbf6e 100644
+--- a/ipapython/setup.py
++++ b/ipapython/setup.py
+@@ -68,6 +68,7 @@ def setup_package():
+ packages = [ "ipapython",
+ "ipapython.platform",
+ "ipapython.platform.base",
++ "ipapython.platform.archlinux",
+ "ipapython.platform.fedora16",
+ "ipapython.platform.fedora18",
+ "ipapython.platform.redhat" ],
+diff --git a/ipapython/setup.py.in b/ipapython/setup.py.in
+index d3bbcaf..c7c6845 100644
+--- a/ipapython/setup.py.in
++++ b/ipapython/setup.py.in
+@@ -68,6 +68,7 @@ def setup_package():
+ packages = [ "ipapython",
+ "ipapython.platform",
+ "ipapython.platform.base",
++ "ipapython.platform.archlinux",
+ "ipapython.platform.fedora16",
+ "ipapython.platform.fedora18",
+ "ipapython.platform.redhat" ],
+--
+1.9.2
+
diff --git a/0003-Use-Python-2.patch b/0003-Use-Python-2.patch
new file mode 100644
index 000000000000..f948ee2973cc
--- /dev/null
+++ b/0003-Use-Python-2.patch
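Review bot: `ArchLinuxAuthConfig.execute` in ipapython/platform/archlinux/auth.py raises a bare `NotImplementedError`, so any installer path that reaches `authconfig.execute()` will abort with a traceback and no hint about what to do next. Its callers are not visible in this patch, so the abort may come after earlier steps have already rewritten system files. Raising with a message that points at the manual step would make the failure actionable, e.g. `raise NotImplementedError("authconfig is not available on Arch Linux; configure NSS/PAM manually (see sss-auth-setup.py)")`. Separately, the unit-name edits `system_units['rpcgssd'] = 'rpc-gssd.service'` and `system_units['rpcidmapd'] = 'rpc-idmapd.service'` are made in the shared fedora16 module rather than in the new archlinux package; that works for a distro-only build but deserves a comment such as `# Arch unit names; fedora16 is reused as the Arch service backend`.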
@@ -0,0 +1,657 @@ +From df24bf0bad4a41262217e6864c76eae7e09d7bc8 Mon Sep 17 00:00:00 2001 +From: Xiao-Long Chen <chenxiaolong@cxl.epac.to> +Date: Wed, 16 Apr 2014 19:32:58 -0400 +Subject: [PATCH 3/7] Use Python 2 + +--- + checks/check-ra.py | 2 +- + contrib/RHEL4/ipa-client-setup | 2 +- + contrib/RHEL4/setup.py | 2 +- + daemons/ipa-otpd/test.py | 2 +- + doc/examples/python-api.py | 2 +- + install/certmonger/dogtag-ipa-retrieve-agent-submit | 2 +- + install/po/pygettext.py | 2 +- + install/restart_scripts/renew_ca_cert | 2 +- + install/restart_scripts/renew_ra_cert | 2 +- + install/restart_scripts/restart_dirsrv | 2 +- + install/restart_scripts/restart_httpd | 2 +- + install/restart_scripts/restart_pkicad | 2 +- + install/restart_scripts/stop_pkicad | 2 +- + install/share/copy-schema-to-ca.py | 2 +- + install/tools/ipa-adtrust-install | 2 +- + install/tools/ipa-advise | 2 +- + install/tools/ipa-backup | 2 +- + install/tools/ipa-ca-install | 2 +- + install/tools/ipa-compat-manage | 2 +- + install/tools/ipa-csreplica-manage | 2 +- + install/tools/ipa-dns-install | 2 +- + install/tools/ipa-ldap-updater | 2 +- + install/tools/ipa-managed-entries | 2 +- + install/tools/ipa-nis-manage | 2 +- + install/tools/ipa-replica-conncheck | 2 +- + install/tools/ipa-replica-install | 2 +- + install/tools/ipa-replica-manage | 2 +- + install/tools/ipa-replica-prepare | 2 +- + install/tools/ipa-restore | 2 +- + install/tools/ipa-server-certinstall | 2 +- + install/tools/ipa-server-install | 2 +- + install/tools/ipa-upgradeconfig | 2 +- + install/tools/ipactl | 2 +- + ipa | 2 +- + ipa-client/ipa-install/ipa-client-automount | 2 +- + ipa-client/ipa-install/ipa-client-install | 2 +- + ipapython/Makefile | 8 ++++---- + ipapython/py_default_encoding/Makefile | 8 ++++---- + ipapython/setup.py.in | 2 +- + ipapython/test/test_ipautil.py | 2 +- + ipapython/test/test_ipavalidate.py | 2 +- + ipaserver/install/ipa_server_certinstall.py | 2 +- + ipatests/i18n.py | 2 +- + ipatests/ipa-run-tests | 2 
+- + ipatests/ipa-test-config | 2 +- + ipatests/ipa-test-task | 2 +- + ipatests/setup.py.in | 2 +- + ipatests/test_ipapython/test_dn.py | 2 +- + lite-server.py | 2 +- + make-lint | 4 ++-- + make-test | 2 +- + make-testcert | 2 +- + makeapi | 2 +- + setup-client.py | 2 +- + setup.py | 2 +- + 55 files changed, 62 insertions(+), 62 deletions(-) + +diff --git a/checks/check-ra.py b/checks/check-ra.py +index 13a4126..a1df50b 100755 +--- a/checks/check-ra.py ++++ b/checks/check-ra.py +@@ -1,4 +1,4 @@ +-#!/usr/bin/python ++#!/usr/bin/python2 + # Authors: + # Jason Gerard DeRose <jderose@redhat.com> + # John Dennis <jdennis@redhat.com> +diff --git a/contrib/RHEL4/ipa-client-setup b/contrib/RHEL4/ipa-client-setup +index 4d1fead..d8f78c1 100644 +--- a/contrib/RHEL4/ipa-client-setup ++++ b/contrib/RHEL4/ipa-client-setup +@@ -1,4 +1,4 @@ +-#! /usr/bin/python -E ++#! /usr/bin/python2 -E + # Authors: Simo Sorce <ssorce@redhat.com> + # Karl MacMillan <kmacmillan@mentalrootkit.com> + # +diff --git a/contrib/RHEL4/setup.py b/contrib/RHEL4/setup.py +index f535875..5d34930 100644 +--- a/contrib/RHEL4/setup.py ++++ b/contrib/RHEL4/setup.py +@@ -1,4 +1,4 @@ +-#!/usr/bin/python ++#!/usr/bin/python2 + # Copyright (C) 2007 Red Hat + # see file 'COPYING' for use and warranty information + # +diff --git a/daemons/ipa-otpd/test.py b/daemons/ipa-otpd/test.py +index d748c82..824f8a2 100644 +--- a/daemons/ipa-otpd/test.py ++++ b/daemons/ipa-otpd/test.py +@@ -1,4 +1,4 @@ +-#!/usr/bin/python ++#!/usr/bin/python2 + # + # FreeIPA 2FA companion daemon + # +diff --git a/doc/examples/python-api.py b/doc/examples/python-api.py +index 60578e8..9f315fc 100755 +--- a/doc/examples/python-api.py ++++ b/doc/examples/python-api.py +@@ -1,4 +1,4 @@ +-#!/usr/bin/python ++#!/usr/bin/python2 + # Authors: + # Jason Gerard DeRose <jderose@redhat.com> + # +diff --git a/install/certmonger/dogtag-ipa-retrieve-agent-submit b/install/certmonger/dogtag-ipa-retrieve-agent-submit +index 70cbd82..973af26 100644 +--- 
a/install/certmonger/dogtag-ipa-retrieve-agent-submit ++++ b/install/certmonger/dogtag-ipa-retrieve-agent-submit +@@ -1,4 +1,4 @@ +-#!/usr/bin/python -E ++#!/usr/bin/python2 -E + # + # Authors: + # Rob Crittenden <rcritten@redhat.com> +diff --git a/install/po/pygettext.py b/install/po/pygettext.py +index 5293ebf..4e4212e 100755 +--- a/install/po/pygettext.py ++++ b/install/po/pygettext.py +@@ -1,4 +1,4 @@ +-#! /usr/bin/python ++#! /usr/bin/python2 + # -*- coding: iso-8859-1 -*- + # Originally written by Barry Warsaw <barry@zope.com> + # +diff --git a/install/restart_scripts/renew_ca_cert b/install/restart_scripts/renew_ca_cert +index b10e4b8..da2253b 100644 +--- a/install/restart_scripts/renew_ca_cert ++++ b/install/restart_scripts/renew_ca_cert +@@ -1,4 +1,4 @@ +-#!/usr/bin/python -E ++#!/usr/bin/python2 -E + # + # Authors: + # Rob Crittenden <rcritten@redhat.com> +diff --git a/install/restart_scripts/renew_ra_cert b/install/restart_scripts/renew_ra_cert +index e541e4b..919f8fc 100644 +--- a/install/restart_scripts/renew_ra_cert ++++ b/install/restart_scripts/renew_ra_cert +@@ -1,4 +1,4 @@ +-#!/usr/bin/python -E ++#!/usr/bin/python2 -E + # + # Authors: + # Rob Crittenden <rcritten@redhat.com> +diff --git a/install/restart_scripts/restart_dirsrv b/install/restart_scripts/restart_dirsrv +index a9bb897..9b22d08 100644 +--- a/install/restart_scripts/restart_dirsrv ++++ b/install/restart_scripts/restart_dirsrv +@@ -1,4 +1,4 @@ +-#!/usr/bin/python -E ++#!/usr/bin/python2 -E + # + # Authors: + # Rob Crittenden <rcritten@redhat.com> +diff --git a/install/restart_scripts/restart_httpd b/install/restart_scripts/restart_httpd +index 96f80bd..16a41ee 100644 +--- a/install/restart_scripts/restart_httpd ++++ b/install/restart_scripts/restart_httpd +@@ -1,4 +1,4 @@ +-#!/usr/bin/python -E ++#!/usr/bin/python2 -E + # + # Authors: + # Rob Crittenden <rcritten@redhat.com> +diff --git a/install/restart_scripts/restart_pkicad b/install/restart_scripts/restart_pkicad +index 
f840aeb..9a3d480 100644 +--- a/install/restart_scripts/restart_pkicad ++++ b/install/restart_scripts/restart_pkicad +@@ -1,4 +1,4 @@ +-#!/usr/bin/python -E ++#!/usr/bin/python2 -E + # + # Authors: + # Rob Crittenden <rcritten@redhat.com> +diff --git a/install/restart_scripts/stop_pkicad b/install/restart_scripts/stop_pkicad +index bbaf889..c275eae 100644 +--- a/install/restart_scripts/stop_pkicad ++++ b/install/restart_scripts/stop_pkicad +@@ -1,4 +1,4 @@ +-#!/usr/bin/python -E ++#!/usr/bin/python2 -E + # + # Authors: + # Rob Crittenden <rcritten@redhat.com> +diff --git a/install/share/copy-schema-to-ca.py b/install/share/copy-schema-to-ca.py +index 1888f12..a5646cd 100755 +--- a/install/share/copy-schema-to-ca.py ++++ b/install/share/copy-schema-to-ca.py +@@ -1,4 +1,4 @@ +-#! /usr/bin/python ++#! /usr/bin/python2 + + """Copy the IPA schema to the CA directory server instance + +diff --git a/install/tools/ipa-adtrust-install b/install/tools/ipa-adtrust-install +index fe86a94..e81d0ec 100755 +--- a/install/tools/ipa-adtrust-install ++++ b/install/tools/ipa-adtrust-install +@@ -1,4 +1,4 @@ +-#! /usr/bin/python ++#! /usr/bin/python2 + # + # Authors: Sumit Bose <sbose@redhat.com> + # Based on ipa-server-install by Karl MacMillan <kmacmillan@mentalrootkit.com> +diff --git a/install/tools/ipa-advise b/install/tools/ipa-advise +index 4ec3c48..6d0d9b9 100755 +--- a/install/tools/ipa-advise ++++ b/install/tools/ipa-advise +@@ -1,4 +1,4 @@ +-#! /usr/bin/python -E ++#! /usr/bin/python2 -E + # Authors: Tomas Babej <tbabej@redhat.com> + # + # Copyright (C) 2013 Red Hat +diff --git a/install/tools/ipa-backup b/install/tools/ipa-backup +index 5bcaa1d..bcdcb30 100755 +--- a/install/tools/ipa-backup ++++ b/install/tools/ipa-backup +@@ -1,4 +1,4 @@ +-#! /usr/bin/python -E ++#! 
/usr/bin/python2 -E + # Authors: Rob Crittenden <rcritten@redhat.com> + # + # Copyright (C) 2013 Red Hat +diff --git a/install/tools/ipa-ca-install b/install/tools/ipa-ca-install +index bb3e595..26f6993 100755 +--- a/install/tools/ipa-ca-install ++++ b/install/tools/ipa-ca-install +@@ -1,4 +1,4 @@ +-#! /usr/bin/python -E ++#! /usr/bin/python2 -E + # Authors: Rob Crittenden <rcritten@redhat.com> + # + # Copyright (C) 2011 Red Hat +diff --git a/install/tools/ipa-compat-manage b/install/tools/ipa-compat-manage +index 7061a3e..bdfb718 100755 +--- a/install/tools/ipa-compat-manage ++++ b/install/tools/ipa-compat-manage +@@ -1,4 +1,4 @@ +-#!/usr/bin/python ++#!/usr/bin/python2 + # Authors: Rob Crittenden <rcritten@redhat.com> + # Authors: Simo Sorce <ssorce@redhat.com> + # +diff --git a/install/tools/ipa-csreplica-manage b/install/tools/ipa-csreplica-manage +index ce027be..f2490b9 100755 +--- a/install/tools/ipa-csreplica-manage ++++ b/install/tools/ipa-csreplica-manage +@@ -1,4 +1,4 @@ +-#! /usr/bin/python -E ++#! /usr/bin/python2 -E + # Authors: Rob Crittenden <rcritten@redhat.com> + # + # Based on ipa-replica-manage by Karl MacMillan <kmacmillan@mentalrootkit.com> +diff --git a/install/tools/ipa-dns-install b/install/tools/ipa-dns-install +index 37a07f8..d87007d 100755 +--- a/install/tools/ipa-dns-install ++++ b/install/tools/ipa-dns-install +@@ -1,4 +1,4 @@ +-#! /usr/bin/python -E ++#! 
/usr/bin/python2 -E + # Authors: Martin Nagy <mnagy@redhat.com> + # Based on ipa-server-install by Karl MacMillan <kmacmillan@mentalrootkit.com> + # +diff --git a/install/tools/ipa-ldap-updater b/install/tools/ipa-ldap-updater +index 0fc5a5b..98081d7 100755 +--- a/install/tools/ipa-ldap-updater ++++ b/install/tools/ipa-ldap-updater +@@ -1,4 +1,4 @@ +-#!/usr/bin/python ++#!/usr/bin/python2 + # Authors: Rob Crittenden <rcritten@redhat.com> + # + # Copyright (C) 2008 Red Hat +diff --git a/install/tools/ipa-managed-entries b/install/tools/ipa-managed-entries +index 2cf37e2..6baae74 100755 +--- a/install/tools/ipa-managed-entries ++++ b/install/tools/ipa-managed-entries +@@ -1,4 +1,4 @@ +-#!/usr/bin/python ++#!/usr/bin/python2 + # Authors: Jr Aquino <jr.aquino@citrix.com> + # + # Copyright (C) 2011 Red Hat +diff --git a/install/tools/ipa-nis-manage b/install/tools/ipa-nis-manage +index 71c0761..3320be7 100755 +--- a/install/tools/ipa-nis-manage ++++ b/install/tools/ipa-nis-manage +@@ -1,4 +1,4 @@ +-#!/usr/bin/python ++#!/usr/bin/python2 + # Authors: Rob Crittenden <rcritten@redhat.com> + # Authors: Simo Sorce <ssorce@redhat.com> + # +diff --git a/install/tools/ipa-replica-conncheck b/install/tools/ipa-replica-conncheck +index c861e30..2c92eb9 100755 +--- a/install/tools/ipa-replica-conncheck ++++ b/install/tools/ipa-replica-conncheck +@@ -1,4 +1,4 @@ +-#! /usr/bin/python -E ++#! /usr/bin/python2 -E + # Authors: Martin Kosek <mkosek@redhat.com> + # + # Copyright (C) 2011 Red Hat +diff --git a/install/tools/ipa-replica-install b/install/tools/ipa-replica-install +index 4418b41..512a4fb 100755 +--- a/install/tools/ipa-replica-install ++++ b/install/tools/ipa-replica-install +@@ -1,4 +1,4 @@ +-#! /usr/bin/python -E ++#! 
/usr/bin/python2 -E + # Authors: Karl MacMillan <kmacmillan@mentalrootkit.com> + # + # Copyright (C) 2007 Red Hat +diff --git a/install/tools/ipa-replica-manage b/install/tools/ipa-replica-manage +index 8e0948e..b768ea4 100755 +--- a/install/tools/ipa-replica-manage ++++ b/install/tools/ipa-replica-manage +@@ -1,4 +1,4 @@ +-#! /usr/bin/python -E ++#! /usr/bin/python2 -E + # Authors: Karl MacMillan <kmacmillan@mentalrootkit.com> + # + # Copyright (C) 2007 Red Hat +diff --git a/install/tools/ipa-replica-prepare b/install/tools/ipa-replica-prepare +index 21df341..4f37b4b 100755 +--- a/install/tools/ipa-replica-prepare ++++ b/install/tools/ipa-replica-prepare +@@ -1,4 +1,4 @@ +-#! /usr/bin/python -E ++#! /usr/bin/python2 -E + # Authors: Petr Viktorin <pviktori@redhat.com> + # + # Copyright (C) 2012 Red Hat +diff --git a/install/tools/ipa-restore b/install/tools/ipa-restore +index 604175b..f2572d5 100755 +--- a/install/tools/ipa-restore ++++ b/install/tools/ipa-restore +@@ -1,4 +1,4 @@ +-#! /usr/bin/python -E ++#! /usr/bin/python2 -E + # Authors: Rob Crittenden <rcritten@redhat.com> + # + # Copyright (C) 2013 Red Hat +diff --git a/install/tools/ipa-server-certinstall b/install/tools/ipa-server-certinstall +index 9bb0ef8..a0013f6 100755 +--- a/install/tools/ipa-server-certinstall ++++ b/install/tools/ipa-server-certinstall +@@ -1,4 +1,4 @@ +-#! /usr/bin/python -E ++#! /usr/bin/python2 -E + # Authors: Jan Cholasta <jcholast@redhat.com> + # + # Copyright (C) 2013 Red Hat +diff --git a/install/tools/ipa-server-install b/install/tools/ipa-server-install +index dfbbb91..753c7f0 100755 +--- a/install/tools/ipa-server-install ++++ b/install/tools/ipa-server-install +@@ -1,4 +1,4 @@ +-#! /usr/bin/python -E ++#! 
/usr/bin/python2 -E + # Authors: Karl MacMillan <kmacmillan@mentalrootkit.com> + # Simo Sorce <ssorce@redhat.com> + # Rob Crittenden <rcritten@redhat.com> +diff --git a/install/tools/ipa-upgradeconfig b/install/tools/ipa-upgradeconfig +index c565d27..174ab1b 100644 +--- a/install/tools/ipa-upgradeconfig ++++ b/install/tools/ipa-upgradeconfig +@@ -1,4 +1,4 @@ +-#!/usr/bin/python ++#!/usr/bin/python2 + # + # Authors: + # Rob Crittenden <rcritten@redhat.com> +diff --git a/install/tools/ipactl b/install/tools/ipactl +index df0d6f5..48bbab5 100755 +--- a/install/tools/ipactl ++++ b/install/tools/ipactl +@@ -1,4 +1,4 @@ +-#!/usr/bin/python ++#!/usr/bin/python2 + # Authors: Simo Sorce <ssorce@redhat.com> + # + # Copyright (C) 2008-2010 Red Hat +diff --git a/ipa b/ipa +index c9b7338..64ceea4 100755 +--- a/ipa ++++ b/ipa +@@ -1,4 +1,4 @@ +-#!/usr/bin/python ++#!/usr/bin/python2 + + # Authors: + # Jason Gerard DeRose <jderose@redhat.com> +diff --git a/ipa-client/ipa-install/ipa-client-automount b/ipa-client/ipa-install/ipa-client-automount +index 000de4e..050bbf3 100755 +--- a/ipa-client/ipa-install/ipa-client-automount ++++ b/ipa-client/ipa-install/ipa-client-automount +@@ -1,4 +1,4 @@ +-#!/usr/bin/python -E ++#!/usr/bin/python2 -E + # + # Authors: + # Rob Crittenden <rcritten@redhat.com> +diff --git a/ipa-client/ipa-install/ipa-client-install b/ipa-client/ipa-install/ipa-client-install +index 0f42e4b..19bfe9c 100755 +--- a/ipa-client/ipa-install/ipa-client-install ++++ b/ipa-client/ipa-install/ipa-client-install +@@ -1,4 +1,4 @@ +-#! /usr/bin/python -E ++#! 
/usr/bin/python2 -E + # Authors: Simo Sorce <ssorce@redhat.com> + # Karl MacMillan <kmacmillan@mentalrootkit.com> + # +diff --git a/ipapython/Makefile b/ipapython/Makefile +index a09ffd1..d1a3ff5 100644 +--- a/ipapython/Makefile ++++ b/ipapython/Makefile +@@ -1,4 +1,4 @@ +-PYTHONLIBDIR ?= $(shell python -c "from distutils.sysconfig import *; print get_python_lib()") ++PYTHONLIBDIR ?= $(shell python2 -c "from distutils.sysconfig import *; print get_python_lib()") + PACKAGEDIR ?= $(DESTDIR)/$(PYTHONLIBDIR)/ipa + CONFIGDIR ?= $(DESTDIR)/etc/ipa + TESTS = $(wildcard test/*.py) +@@ -12,9 +12,9 @@ all: + + install: + if [ "$(DESTDIR)" = "" ]; then \ +- python setup.py install; \ ++ python2 setup.py install; \ + else \ +- python setup.py install --root $(DESTDIR); \ ++ python2 setup.py install --root $(DESTDIR); \ + fi + @for subdir in $(SUBDIRS); do \ + (cd $$subdir && $(MAKE) $@) || exit 1; \ +@@ -42,4 +42,4 @@ maintainer-clean: distclean + test: $(subst .py,.tst,$(TESTS)) + + %.tst: %.py +- python $< ++ python2 $< +diff --git a/ipapython/py_default_encoding/Makefile b/ipapython/py_default_encoding/Makefile +index 7cd1f6c..88f17f7 100644 +--- a/ipapython/py_default_encoding/Makefile ++++ b/ipapython/py_default_encoding/Makefile +@@ -1,15 +1,15 @@ +-PYTHONLIBDIR ?= $(shell python -c "from distutils.sysconfig import *; print get_python_lib()") ++PYTHONLIBDIR ?= $(shell python2 -c "from distutils.sysconfig import *; print get_python_lib()") + PACKAGEDIR ?= $(DESTDIR)/$(PYTHONLIBDIR)/ipa + CONFIGDIR ?= $(DESTDIR)/etc/ipa + + all: +- python setup.py build ++ python2 setup.py build + + install: + if [ "$(DESTDIR)" = "" ]; then \ +- python setup.py install; \ ++ python2 setup.py install; \ + else \ +- python setup.py install --root $(DESTDIR); \ ++ python2 setup.py install --root $(DESTDIR); \ + fi + + clean: +diff --git a/ipapython/setup.py.in b/ipapython/setup.py.in +index c7c6845..2860daf 100644 +--- a/ipapython/setup.py.in ++++ b/ipapython/setup.py.in +@@ -1,4 +1,4 @@ 
+-#!/usr/bin/python ++#!/usr/bin/python2 + # Copyright (C) 2007 Red Hat + # see file 'COPYING' for use and warranty information + # +diff --git a/ipapython/test/test_ipautil.py b/ipapython/test/test_ipautil.py +index ff9f282..abc19b3 100644 +--- a/ipapython/test/test_ipautil.py ++++ b/ipapython/test/test_ipautil.py +@@ -1,4 +1,4 @@ +-#! /usr/bin/python -E ++#! /usr/bin/python2 -E + # + # Copyright (C) 2007 Red Hat + # see file 'COPYING' for use and warranty information +diff --git a/ipapython/test/test_ipavalidate.py b/ipapython/test/test_ipavalidate.py +index 12b1577..3393de0 100644 +--- a/ipapython/test/test_ipavalidate.py ++++ b/ipapython/test/test_ipavalidate.py +@@ -1,4 +1,4 @@ +-#! /usr/bin/python -E ++#! /usr/bin/python2 -E + # + # Copyright (C) 2007 Red Hat + # see file 'COPYING' for use and warranty information +diff --git a/ipaserver/install/ipa_server_certinstall.py b/ipaserver/install/ipa_server_certinstall.py +index 87c4eaf..09d8fba 100644 +--- a/ipaserver/install/ipa_server_certinstall.py ++++ b/ipaserver/install/ipa_server_certinstall.py +@@ -1,4 +1,4 @@ +-#! /usr/bin/python ++#! /usr/bin/python2 + # Authors: Karl MacMillan <kmacmillan@mentalrootkit.com> + # Jan Cholasta <jcholast@redhat.com> + # +diff --git a/ipatests/i18n.py b/ipatests/i18n.py +index 9c8479b..e0ddfda 100755 +--- a/ipatests/i18n.py ++++ b/ipatests/i18n.py +@@ -1,4 +1,4 @@ +-#!/usr/bin/python ++#!/usr/bin/python2 + # Authors: + # John Dennis <jdennis@redhat.com> + # +diff --git a/ipatests/ipa-run-tests b/ipatests/ipa-run-tests +index 2b61d3c..7e3270b 100755 +--- a/ipatests/ipa-run-tests ++++ b/ipatests/ipa-run-tests +@@ -1,4 +1,4 @@ +-#!/usr/bin/python ++#!/usr/bin/python2 + + # Authors: + # Petr Viktorin <pviktori@redhat.com> +diff --git a/ipatests/ipa-test-config b/ipatests/ipa-test-config +index ea6d2ce..dc94b8a 100755 +--- a/ipatests/ipa-test-config ++++ b/ipatests/ipa-test-config +@@ -1,4 +1,4 @@ +-#! /usr/bin/python ++#! 
/usr/bin/python2 + + # Authors: + # Petr Viktorin <pviktori@redhat.com> +diff --git a/ipatests/ipa-test-task b/ipatests/ipa-test-task +index 9daad1c..91bc868 100755 +--- a/ipatests/ipa-test-task ++++ b/ipatests/ipa-test-task +@@ -1,4 +1,4 @@ +-#! /usr/bin/python ++#! /usr/bin/python2 + + # Authors: + # Petr Viktorin <pviktori@redhat.com> +diff --git a/ipatests/setup.py.in b/ipatests/setup.py.in +index afbe9ab..dabf6d9 100644 +--- a/ipatests/setup.py.in ++++ b/ipatests/setup.py.in +@@ -1,4 +1,4 @@ +-#!/usr/bin/python ++#!/usr/bin/python2 + # Copyright (C) 2007 Red Hat + # see file 'COPYING' for use and warranty information + # +diff --git a/ipatests/test_ipapython/test_dn.py b/ipatests/test_ipapython/test_dn.py +index cdeab93..60802b7 100644 +--- a/ipatests/test_ipapython/test_dn.py ++++ b/ipatests/test_ipapython/test_dn.py +@@ -1,4 +1,4 @@ +-#!/usr/bin/python ++#!/usr/bin/python2 + + import unittest + from ipapython.dn import * +diff --git a/lite-server.py b/lite-server.py +index e065357..99089b0 100755 +--- a/lite-server.py ++++ b/lite-server.py +@@ -1,4 +1,4 @@ +-#!/usr/bin/python ++#!/usr/bin/python2 + + # Authors: + # Jason Gerard DeRose <jderose@redhat.com> +diff --git a/make-lint b/make-lint +index d9c66a8..21d7b53 100755 +--- a/make-lint ++++ b/make-lint +@@ -1,4 +1,4 @@ +-#!/usr/bin/python ++#!/usr/bin/python2 + # + # Authors: + # Jakub Hrozek <jhrozek@redhat.com> +@@ -198,7 +198,7 @@ def find_files(path, basepath): + line = file.readline(128) + file.close() + +- if line[:2] == '#!' and line.find('python') >= 0: ++ if line[:2] == '#!' and line.find('python2') >= 0: + result.append(filepath) + + return result +diff --git a/make-test b/make-test +index b39e4db..1cf5bb3 100755 +--- a/make-test ++++ b/make-test +@@ -1,4 +1,4 @@ +-#!/usr/bin/python ++#!/usr/bin/python2 + + """ + Run IPA unit tests under multiple versions of Python (if present). 
+diff --git a/make-testcert b/make-testcert
+index 19c188a..ff25b39 100755
+--- a/make-testcert
++++ b/make-testcert
+@@ -1,4 +1,4 @@
+-#!/usr/bin/python
++#!/usr/bin/python2
+ #
+ # Authors:
+ # Rob Crittenden <rcritten@redhat.com>
+diff --git a/makeapi b/makeapi
+index 86907bd..df8497c 100755
+--- a/makeapi
++++ b/makeapi
+@@ -1,4 +1,4 @@
+-#!/usr/bin/python
++#!/usr/bin/python2
+ # Authors:
+ # Rob Crittenden <rcritten@redhat.com>
+ # John Dennis <jdennis@redhat.com>
+diff --git a/setup-client.py b/setup-client.py
+index 332d292..a424440 100755
+--- a/setup-client.py
++++ b/setup-client.py
+@@ -1,4 +1,4 @@
+-#!/usr/bin/python
++#!/usr/bin/python2
+
+ # Authors:
+ # Jason Gerard DeRose <jderose@redhat.com>
+diff --git a/setup.py b/setup.py
+index 4a01b1e..af7964d 100755
+--- a/setup.py
++++ b/setup.py
+@@ -1,4 +1,4 @@
+-#!/usr/bin/python
++#!/usr/bin/python2
+
+ # Authors:
+ # Jason Gerard DeRose <jderose@redhat.com>
+--
+1.9.2
+
diff --git a/0004-NTP-Fixes.patch b/0004-NTP-Fixes.patch
new file mode 100644
index 000000000000..3cbf2a21f3c3
--- /dev/null
+++ b/0004-NTP-Fixes.patch
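Review bot: In the make-lint part of this patch, the shebang test in `find_files` now matches only `python2`, so any script whose interpreter line was missed by the hand-edited shebang changes (still `#!/usr/bin/python`) silently drops out of lint coverage rather than failing visibly. With 55 files touched by hand a missed one is plausible; keeping the broader test, `if line[:2] == '#!' and line.find('python') >= 0:`, would lint the same set of files as before the patch. `find_files` begins outside the hunk, so how `result` is consumed is not visible here.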
@@ -0,0 +1,38 @@
+From 2b3e1e8cf40dd1ea203da3f50625277c5f9c253b Mon Sep 17 00:00:00 2001
+From: Xiao-Long Chen <chenxiaolong@cxl.epac.to>
+Date: Wed, 16 Apr 2014 19:33:44 -0400
+Subject: [PATCH 4/7] NTP Fixes
+
+---
+ ipa-client/ipaclient/ntpconf.py | 8 ++++----
+ 1 file changed, 4 insertions(+), 4 deletions(-)
+
+diff --git a/ipa-client/ipaclient/ntpconf.py b/ipa-client/ipaclient/ntpconf.py
+index 7c95a46..4a39200 100644
+--- a/ipa-client/ipaclient/ntpconf.py
++++ b/ipa-client/ipaclient/ntpconf.py
+@@ -109,9 +109,9 @@ def config_ntp(server_fqdn, fstore = None, sysstore = None):
+ if os.path.exists(path_step_tickers):
+ config_step_tickers = True
+ ns = ipautil.template_str(ntp_step_tickers, sub_dict)
+- __backup_config(path_step_tickers, fstore)
+- __write_config(path_step_tickers, ns)
+- ipaservices.restore_context(path_step_tickers)
++ #__backup_config(path_step_tickers, fstore)
++ #__write_config(path_step_tickers, ns)
++ #ipaservices.restore_context(path_step_tickers)
+
+ if sysstore:
+ module = 'ntp'
+@@ -146,7 +146,7 @@ def synconce_ntp(server_fqdn):
+ if os.path.exists(ntpdate):
+ # retry several times -- logic follows /etc/init.d/ntpdate
+ # implementation
+- cmd = [ntpdate, "-U", "ntp", "-s", "-b", "-v", server_fqdn]
++ cmd = [ntpdate, "-s", "-b", "-v", server_fqdn]
+ for retry in range(0, 3):
+ try:
+ ipautil.run(cmd)
+--
+1.9.2
+
diff --git a/0005-Fix-nss-includes.patch b/0005-Fix-nss-includes.patch
new file mode 100644
index 000000000000..9291e511baec
--- /dev/null
+++ b/0005-Fix-nss-includes.patch
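Review bot: In `config_ntp`, the branch under `if os.path.exists(path_step_tickers):` still sets `config_step_tickers = True` and renders `ns`, but the three calls that backed up and wrote the file are now commented out, so the flag records work that no longer happens and `ns` is dead. Deleting the three lines in favour of one comment such as `# Arch has no step-tickers file to manage; nothing is written here` would state the reason, and the flag should probably stay false unless code outside the hunk depends on it. In `synconce_ntp`, dropping `"-U", "ntp"` appears to remove ntpdate's switch to the unprivileged ntp user (assuming `-U` is the Fedora privilege-drop option), so the network-facing time query keeps the installer's privileges; a comment on the `cmd` line recording that trade-off would help the next maintainer. Both functions continue outside the hunk.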
@@ -0,0 +1,40 @@
+From e4a871010d86affbf1a3e9d29bf3ec366056f55a Mon Sep 17 00:00:00 2001
+From: Xiao-Long Chen <chenxiaolong@cxl.epac.to>
+Date: Wed, 16 Apr 2014 19:34:03 -0400
+Subject: [PATCH 5/7] Fix nss includes
+
+---
+ util/ipa_pwd.c | 10 +++++-----
+ 1 file changed, 5 insertions(+), 5 deletions(-)
+
+diff --git a/util/ipa_pwd.c b/util/ipa_pwd.c
+index 761d1ef..4363706 100644
+--- a/util/ipa_pwd.c
++++ b/util/ipa_pwd.c
+@@ -27,10 +27,10 @@
+ #include <stdio.h>
+ #include <time.h>
+ #include <ctype.h>
+-#include <nss3/nss.h>
+-#include <nss3/nssb64.h>
+-#include <nss3/hasht.h>
+-#include <nss3/pk11pub.h>
++#include <nss/nss.h>
++#include <nss/nssb64.h>
++#include <nss/hasht.h>
++#include <nss/pk11pub.h>
+ #include <errno.h>
+ #include "ipa_pwd.h"
+
+@@ -159,7 +159,7 @@ static int ipapwd_gentime_cmp(const void *p1, const void *p2)
+
+ #define SHA_SALT_LENGTH 8
+
+-/* SHA*_LENGTH leghts come from nss3/hasht.h */
++/* SHA*_LENGTH leghts come from nss/hasht.h */
+ #define SHA_HASH_MAX_LENGTH SHA512_LENGTH
+
+ static int ipapwd_hash_type_to_alg(char *hash_type,
+--
+1.9.2
+
diff --git a/0006-Disable-make-testcert.patch b/0006-Disable-make-testcert.patch
new file mode 100644
index 000000000000..120e30f8f2f5
--- /dev/null
+++ b/0006-Disable-make-testcert.patch
@@ -0,0 +1,24 @@
+From e4288e533f9dc3111d4b552b51b9e236459c7415 Mon Sep 17 00:00:00 2001
+From: Xiao-Long Chen <chenxiaolong@cxl.epac.to>
+Date: Wed, 16 Apr 2014 19:34:24 -0400
+Subject: [PATCH 6/7] Disable make testcert
+
+---
+ Makefile | 1 -
+ 1 file changed, 1 deletion(-)
+
+diff --git a/Makefile b/Makefile
+index eeeb605..c80ff33 100644
+--- a/Makefile
++++ b/Makefile
+@@ -110,7 +110,6 @@ lint: bootstrap-autogen
+
+
+ test:
+- ./make-testcert
+ ./make-test
+
+ release-update:
+--
+1.9.2
+
diff --git a/0007-Fix-nosetests-path.patch b/0007-Fix-nosetests-path.patch
new file mode 100644
index 000000000000..fe90c757f913
--- /dev/null
+++ b/0007-Fix-nosetests-path.patch
@@ -0,0 +1,25 @@
+From 9a3ed6203f651568f2f02debbaa223cb3e95fcfc Mon Sep 17 00:00:00 2001
+From: Xiao-Long Chen <chenxiaolong@cxl.epac.to>
+Date: Wed, 16 Apr 2014 19:34:55 -0400
+Subject: [PATCH 7/7] Fix nosetests path
+
+---
+ make-test | 2 +-
+ 1 file changed, 1 insertion(+), 1 deletion(-)
+
+diff --git a/make-test b/make-test
+index 1cf5bb3..23a5790 100755
+--- a/make-test
++++ b/make-test
+@@ -12,7 +12,7 @@ from subprocess import call
+
+ versions = ('2.4', '2.5', '2.6', '2.7')
+ python = '/usr/bin/python'
+-nose = '/usr/bin/nosetests'
++nose = '/usr/bin/nosetests2'
+ ran = []
+ fail = []
+
+--
+1.9.2
+
diff --git a/PKGBUILD b/PKGBUILD
new file mode 100644
index 000000000000..934eb4705bed
--- /dev/null
+++ b/PKGBUILD
@@ -0,0 +1,348 @@
+# Maintainer: Jan Cholasta <grubber at grubber cz>
+# Contributor: Xiao-Long Chen <chenxiaolong@cxl.epac.to>
+
+# Based on commit b9a15de92091334a6ff3fc9074655f6e5d9f24dd from the fedpkg
+# master branch for freeipa.
+
+# NOTE: ntp, autofs, and ntp support is currently broken because the formats of
+# the /etc/conf.d/ configuration files in Arch Linux differ from the formats of
+# Fedora's /etc/sysconfig/ configuration files.
+
+# Active directory trusts will not (probably never) work in Arch. It requires a
+# heavily patched version of Samba 4, which uses MIT Kerberos instead of
+# Heimdal. (Fedora went through 174 releases to get this working O_O)
+
+# Client only, for now
+build_server=false
+
+# AUR workaround
+pkgname=freeipa
+
+pkgbase=freeipa
+: && pkgname=('freeipa')
+
+if [ "x${build_server}" == "xtrue" ]; then
+ pkgname+=('freeipa-server')
+fi
+
+pkgver=3.3.5
+pkgrel=1
+pkgdesc="The Identity, Policy, and Audit system"
+arch=('i686' 'x86_64')
+url="http://www.freeipa.org/"
+license=('GPL')
+
+# Client dependencies
+makedepends=()
+
+# FreeIPA server dependencies
+if [ "x${build_server}" == "xtrue" ]; then
+ makedepends+=('389-ds-base'
+ #'libwbclient'
+ 'samba'
+ 'svrcore'
+ 'talloc'
+ 'tevent')
+
+ # SELinux dependencies
+ #makedepends+=('selinux-refpolicy-arch'
+ # 'selinux-usr-checkpolicy'
+ # 'selinux-usr-policycoreutils')
+fi
+
+# Other dependencies
+makedepends+=('curl'
+ 'java-runtime>=7'
+ 'krb5'
+ 'libunistring'
+ 'nspr'
+ 'nss'
+ 'openssl'
+ 'openldap'
+ 'popt'
+ 'python2'
+ 'python2-distribute'
+ 'python2-dnspython'
+ 'python2-kerberos'
+ 'python2-krbv'
+ 'python2-ldap'
+ 'python2-lxml'
+ 'python2-memcached'
+ 'python2-m2crypto'
+ 'python2-netaddr'
+ 'python2-nss'
+ 'python2-polib'
+ 'python2-pyasn1'
+ 'python2-pylint'
+ 'python2-pyopenssl'
+ # Red Hat specific
+ #'python2-rhsm'
+ 'sssd'
+ 'xmlrpc-c')
+
+# Dependencies for "make check"
+checkdepends=('check' 'python2-nose')
+
+options=('!libtool')
+source=("http://www.freeipa.org/downloads/src/freeipa-${pkgver}.tar.gz" + 'sss-auth-setup.py' + '0001-Use-Arch-Linux-Paths.patch' + '0002-Add-Arch-Linux-Platform.patch' + '0003-Use-Python-2.patch' + '0004-NTP-Fixes.patch' + '0005-Fix-nss-includes.patch' + '0006-Disable-make-testcert.patch' + '0007-Fix-nosetests-path.patch') +sha512sums=('58325e7a619eeb0170dd32a648f22e50c0df2d7bc0a7609b6f0be3b8328890e5e027ba094fd4970ac063544b4d163f4e07ac62c1b358dba5246e148c2fd830b6' + '5f101692e311205b3706642c6f329459646aaa693683ab2d4847bd8a7f464ef99ec617b0422df8e25ec2a0dc3a68cd9bf54db4bb3013b84844df15160716adc8' + '604927b05f248c6ee8a42c87198a3ab05aa2a98b3a8f4b9ee0352e049d9e59195eac2292b609a9f84b176875cd6640d118f7e5c35f74b042f7e03561aafd2c04' + '7bd0dba218626f27f918b9cf15cf25183a90421ee2c792648f36e6cd75cf09f2ff04e30a9419f6033aa4d640fc1f7dcfa973fec9fc2c74354bb1e609621d449b' + '872a172451c436fc916b72bc48733905b4f9298ece39ad737f60790e9fe2da896dfd2255f58d7aeb301c9c19a2bb2078684ca8449f9dec5dcb45fc1f5bda7b30' + 'a70bcc98ea71e8154e7600d6bf7ed8de6bbb73d31b5ccb0b556a538e9cce78fbd71698e3be6cfa33487226e0e79d6fb8ee78d926259a4543fe4300a6b90b9a09' + '294a6e3a09cada150dd0f21c712f312840a882acb067520b70ebd058cd4ee88863a2a828df63efc190c5608ffb0d71d60253883baddeb7487aec7b3d905abb04' + '5bc0afc21a9a178ace728f902422683502b6cf579585bc8feab42d1f7701e8609468e92265b22c7f1f958f0f175f3287ea011e8f149fb30b231708e15b6eefd2' + '0a79540e0df4e7b0fed8fd378411799fc5b2152795e1938df2ee6935e944517cd8c780740e8aec2f718476f3b5bd0a36113b85add04d4bdb180da5ba80c37c50') + +build() { + cd "${srcdir}/${pkgbase}-${pkgver}" + + # Change Fedora's paths to the equivalents in Arch Linux + patch -p1 -i "${srcdir}/0001-Use-Arch-Linux-Paths.patch" + # Make slight changes to Fedora 18's platform code (systemd service names, + # /bin/ -> /usr/bin/, etc) and add a minimal Arch Linux platform that + # calls most of Fedora 18's platform, except for AuthConfig + patch -p1 -i "${srcdir}/0002-Add-Arch-Linux-Platform.patch" + # FreeIPA hasn't 
been ported to Python 3, so the code must be modified to + # run /usr/bin/python2 + patch -p1 -i "${srcdir}/0003-Use-Python-2.patch" + # Arch Linux's ntp does not accept the '-U' parameter and does not have a + # /etc/sysconfig/ configuration files, so the relevant code must be removed + patch -p1 -i "${srcdir}/0004-NTP-Fixes.patch" + # Arch Linux's nss package installs the header files to /usr/include/nss/ + # instead of /usr/include/nss3/ + patch -p1 -i "${srcdir}/0005-Fix-nss-includes.patch" + # make-testcert requires a running certificate server to work properly + patch -p1 -i "${srcdir}/0006-Disable-make-testcert.patch" + # Arch Linux's python2-nose package installs nosetests as + # /usr/bin/nosetests2 + patch -p1 -i "${srcdir}/0007-Fix-nosetests-path.patch" + + export SUPPORTED_PLATFORM=archlinux + export PYTHON=python2 + + # Force regeneration of platform support + rm ipapython/services.py + + make version-update + + pushd ipa-client + ../autogen.sh --prefix=/usr --sysconfdir=/etc --sbindir=/usr/bin + popd + + if [ "x${build_server}" == "xtrue" ]; then + pushd daemons + ../autogen.sh --prefix=/usr --sysconfdir=/etc --sbindir=/usr/bin --with-openldap + popd + + pushd install + ../autogen.sh --prefix=/usr --sysconfdir=/etc --sbindir=/usr/bin + popd + + make IPA_VERSION_IS_GIT_SNAPSHOT=no all + else + make IPA_VERSION_IS_GIT_SNAPSHOT=no client + fi +} + +check() { + cd "${srcdir}/${pkgbase}-${pkgver}" + # Tests require FreeIPA to be installed and set up + #make test +} + +# All files are in freeipa package. This one is here only for the dependencies. 
+package_freeipa-server() {
+ : && pkgdesc="The IPA authentication server"
+ depends=("freeipa=${pkgver}-${pkgrel}"
+ '389-ds-base'
+ 'acl'
+ 'apache'
+ 'cyrus-sasl-gssapi'
+ 'keyutils'
+ 'krb5'
+ 'memcached'
+ 'mod_auth_kerb'
+ 'mod_nss'
+ 'mod_wsgi'
+ 'nss'
+ 'ntp'
+ 'openldap'
+ 'python2-dnspython'
+ 'python2-krbv'
+ 'python2-ldap'
+ 'python2-memcached'
+ 'python2-pyasn1'
+ 'slapi-nis'
+ 'systemd'
+ 'tomcat7'
+ 'zip')
+ optdepends=('python2-m2crypto: For Microsoft Active Directory trusts'
+ 'samba: For Microsoft Active Directory trusts'
+ 'sssd: For Microsoft Active Directory trusts')
+ backup=('etc/ipa/html/browserconfig.html'
+ 'etc/ipa/html/ffconfig.js'
+ 'etc/ipa/html/ffconfig_page.js'
+ 'etc/ipa/html/ipa_error.css'
+ 'etc/ipa/html/ssbrowser.html'
+ 'etc/ipa/html/unauthorized.html')
+ # Backup files created by this package
+ backup+=('etc/httpd/conf/extra/ipa-rewrite.conf'
+ 'etc/httpd/conf/extra/ipa.conf'
+ 'etc/httpd/conf/extra/ipa-pki-proxy.conf'
+ 'usr/share/ipa/html/ca.crt')
+ install=install.freeipa-server
+
+ # SELinux dependencies
+ #depends+=("freeipa-server-selinux=${pkgver}-${pkgrel}"
+ # 'selinux-refpolicy-arch'
+ # 'selinux-usr-policycoreutils')
+
+ # Conflicts with mod_ssl, but that is a part of the apache package
+ #conflicts=('mod_ssl')
+}
+
+package_freeipa() {
+ : && pkgdesc="IPA authentication for use on clients"
+ depends=('autofs'
+ 'bind'
+ 'certmonger'
+ 'curl'
+ 'cyrus-sasl-gssapi'
+ 'gnupg'
+ 'iproute2'
+ 'nfs-utils'
+ 'nfsidmap'
+ 'nss'
+ 'ntp'
+ 'oddjob'
+ 'pam-krb5'
+ 'python2-dnspython'
+ 'python2-kerberos'
+ 'python2-krbv'
+ 'python2-ldap'
+ 'python2-lxml'
+ 'python2-netaddr'
+ 'python2-nss'
+ 'python2-pyopenssl'
+ 'sssd'
+ 'wget'
+ 'xmlrpc-c')
+ backup=('etc/ipa/default.conf'
+ 'etc/ipa/ca.crt')
+ install=install.freeipa
+
+ # authconfig is Fedora specific
+ #depends+=('authconfig')
+
+ install -dm755 "${pkgdir}/usr/bin/"
+ install -m755 "${srcdir}/sss-auth-setup.py" \
+ "${pkgdir}/usr/bin/sss-auth-setup"
+
+ cd "${srcdir}/${pkgbase}-${pkgver}"
+
+ export SUPPORTED_PLATFORM=archlinux
+ export PYTHON=python2
+
+ # Force regeneration of platform support
+ rm ipapython/services.py
+
+ if [ "x${build_server}" == "xtrue" ]; then
+ make install DESTDIR="${pkgdir}"
+ else
+ make client-install DESTDIR="${pkgdir}"
+ fi
+
+ if [ "x${build_server}" == "xtrue" ]; then
+ # Some user-modifiable HTML files are provided. Move these to /etc and link
+ # back.
+ install -dm755 "${pkgdir}/etc/ipa/html/"
+ install -dm755 "${pkgdir}/var/cache/ipa/sysrestore/"
+ install -dm755 "${pkgdir}/var/cache/ipa/sysupgrade/"
+ install -dm755 "${pkgdir}/usr/share/ipa/html/"
+ ln -s ../../../../etc/ipa/html/ffconfig.js \
+ "${pkgdir}/usr/share/ipa/html/ffconfig.js"
+ ln -s ../../../../etc/ipa/html/ffconfig_page.js \
+ "${pkgdir}/usr/share/ipa/html/ffconfig_page.js"
+ ln -s ../../../../etc/ipa/html/ssbrowser.html \
+ "${pkgdir}/usr/share/ipa/html/ssbrowser.html"
+ ln -s ../../../../etc/ipa/html/unauthorized.html \
+ "${pkgdir}/usr/share/ipa/html/unauthorized.html"
+ ln -s ../../../../etc/ipa/html/browserconfig.html \
+ "${pkgdir}/usr/share/ipa/html/browserconfig.html"
+ ln -s ../../../../etc/ipa/html/ipa_error.css \
+ "${pkgdir}/usr/share/ipa/html/ipa_error.css"
+
+ # So we can own our Apache configuration
+ install -dm755 "${pkgdir}/etc/httpd/conf/extra/"
+ touch "${pkgdir}/etc/httpd/conf/extra/ipa.conf"
+ touch "${pkgdir}/etc/httpd/conf/extra/ipa-pki-proxy.conf"
+ touch "${pkgdir}/etc/httpd/conf/extra/ipa-rewrite.conf"
+ install -dm755 "${pkgdir}/usr/share/ipa/html/"
+ touch "${pkgdir}/usr/share/ipa/html/ca.crt"
+ touch "${pkgdir}/usr/share/ipa/html/configure.jar"
+ touch "${pkgdir}/usr/share/ipa/html/kerberosauth.xpi"
+ touch "${pkgdir}/usr/share/ipa/html/krb.con"
+ touch "${pkgdir}/usr/share/ipa/html/krb.js"
+ touch "${pkgdir}/usr/share/ipa/html/krb5.ini"
+ touch "${pkgdir}/usr/share/ipa/html/krbrealm.con"
+ touch "${pkgdir}/usr/share/ipa/html/preferences.html"
+
+ # systemd service
+ install -dm755 "${pkgdir}/usr/lib/systemd/system/"
+ install -m644 \
+ init/systemd/ipa.service \
+ init/systemd/ipa_memcached.service \
+ "${pkgdir}/usr/lib/systemd/system/"
+
+ # Configuration files
+ install -dm755 "${pkgdir}/etc/conf.d/"
+ install -m644 init/ipa_memcached.conf \
+ "${pkgdir}/etc/conf.d/"
+
+ # /run
+ install -dm755 "${pkgdir}/run/"
+ install -dm700 "${pkgdir}/run/ipa/"
+ install -dm700 "${pkgdir}/run/ipa_memcached/"
+
+ # systemd tmpfiles.d configuration
+ install -dm755 "${pkgdir}/usr/lib/tmpfiles.d/"
+ install -m644 init/systemd/ipa.conf.tmpfiles \
+ "${pkgdir}/usr/lib/tmpfiles.d/ipa.conf"
+
+ # bash completion configuration files
+ install -dm755 "${pkgdir}/etc/bash_completion.d/"
+ install -m644 contrib/completion/ipa.bash_completion \
+ "${pkgdir}/etc/bash_completion.d/ipa"
+
+ # Web UI plugin dir
+ install -dm755 "${pkgdir}/usr/share/ipa/ui/js/plugins/"
+
+ # Backup directory
+ install -dm755 "${pkgdir}/var/lib/ipa/backup/"
+ fi
+
+ install -dm755 "${pkgdir}/var/lib/ipa-client/sysrestore/"
+
+ # /etc/ipa/ is needed for ipa-client-install
+ install -dm755 "${pkgdir}/etc/ipa/"
+
+ # Fix filenames
+ pushd "${pkgdir}/usr/lib/python2.7/site-packages/"
+ mv ipapython-${pkgver}*-py2.7.egg-info ipapython-${pkgver}-py2.7.egg-info
+ popd
+
+ find "${pkgdir}/" \( -name '*.pyc' -o -name '*.pyo' \) -delete
+
+ # Not packaging the tests for now
+ find "${pkgdir}/" -type f | grep '\.py' | grep ipatests | xargs rm -f
+}
diff --git a/install.freeipa b/install.freeipa
new file mode 100644
index 000000000000..4d2bd0e9788a
--- /dev/null
+++ b/install.freeipa
@@ -0,0 +1,47 @@
+post_upgrade() {
+ # Has the client been configured?
+ restore=0
+ test -f '/var/lib/ipa-client/sysrestore/sysrestore.index' && restore=$(wc -l '/var/lib/ipa-client/sysrestore/sysrestore.index' | awk '{print $1}')
+
+ if [ -f '/etc/sssd/sssd.conf' -a $restore -ge 2 ]; then
+ if ! grep -Eq '/var/lib/sss/pubconf/krb5.include.d/' /etc/krb5.conf 2>/dev/null; then
+ echo "includedir /var/lib/sss/pubconf/krb5.include.d/" > /etc/krb5.conf.ipanew
+ cat /etc/krb5.conf >> /etc/krb5.conf.ipanew
+ mv /etc/krb5.conf.ipanew /etc/krb5.conf
+ fi
+ fi
+
+ # Has the client been configured?
+ restore=0
+ test -f '/var/lib/ipa-client/sysrestore/sysrestore.index' \
+ && restore=$(wc -l '/var/lib/ipa-client/sysrestore/sysrestore.index' \
+ | awk '{print $1}')
+
+ if [ -f '/etc/ssh/sshd_config' -a $restore -ge 2 ]; then
+ if grep -Eq '^(AuthorizedKeysCommand /usr/bin/sss_ssh_authorizedkeys|PubKeyAgent /usr/bin/sss_ssh_authorizedkeys %u)$' /etc/ssh/sshd_config 2>/dev/null; then
+ sed -r '
+ /^(AuthorizedKeysCommand(User|RunAs)|PubKeyAgentRunAs)[ \t]/ d
+ ' /etc/ssh/sshd_config >/etc/ssh/sshd_config.ipanew
+
+ if /usr/sbin/sshd -t -f /dev/null -o 'AuthorizedKeysCommand=/usr/bin/sss_ssh_authorizedkeys' -o 'AuthorizedKeysCommandUser=nobody'; then
+ sed -ri '
+ s/^PubKeyAgent (.+) %u$/AuthorizedKeysCommand \1/
+ s/^AuthorizedKeysCommand .*$/\0\nAuthorizedKeysCommandUser nobody/
+ ' /etc/ssh/sshd_config.ipanew
+ elif /usr/sbin/sshd -t -f /dev/null -o 'AuthorizedKeysCommand=/usr/bin/sss_ssh_authorizedkeys' -o 'AuthorizedKeysCommandRunAs=nobody'; then
+ sed -ri '
+ s/^PubKeyAgent (.+) %u$/AuthorizedKeysCommand \1/
+ s/^AuthorizedKeysCommand .*$/\0\nAuthorizedKeysCommandRunAs nobody/
+ ' /etc/ssh/sshd_config.ipanew
+ elif /usr/sbin/sshd -t -f /dev/null -o 'PubKeyAgent=/usr/bin/sss_ssh_authorizedkeys %u' -o 'PubKeyAgentRunAs=nobody'; then
+ sed -ri '
+ s/^AuthorizedKeysCommand (.+)$/PubKeyAgent \1 %u/
+ s/^PubKeyAgent .*$/\0\nPubKeyAgentRunAs nobody/
+ ' /etc/ssh/sshd_config.ipanew
+ fi
+
+ mv /etc/ssh/sshd_config.ipanew /etc/ssh/sshd_config
+ chmod 600 /etc/ssh/sshd_config
+ fi
+ fi
+}
diff --git a/install.freeipa-server b/install.freeipa-server
new file mode 100644
index 000000000000..08aa85b15e74
--- /dev/null
+++ b/install.freeipa-server
@@ -0,0 +1,34 @@
+post_install() {
+ # Fedora updates systemd and attempts to restart the service, but Arch usually
+ # does not do this.
+ #systemctl --system daemon-reload
+
+ echo "Please install the optional dependencies to set up trusts for Microsoft's"
+ echo "Active Directory. The winbind_krb5_locator.so plugin in the samba package"
+ echo "will also have to be removed."
+ echo
+ echo "IMPORTANT: You MUST include the following files in /etc/httpd/httpd.conf after"
+ echo "running ipa-server-install if you want web access to the administration GUI:"
+ echo " /etc/httpd/conf/extra/ipa-rewrite.conf"
+ echo " /etc/httpd/conf/extra/ipa.conf"
+ echo " /etc/httpd/conf/extra/ipa-pki-proxy.conf"
+}
+
+post_upgrade() {
+ # Update FreeIPA's configuration. It is safe to run even when the
+ # configuration files do not need to be updated.
+ ipa-upgradeconfig
+ ipa-ldap-updater --upgrade
+}
+
+post_remove() {
+ # Remove %ghost'ed (from Fedora's spec) files
+ rm -vf \
+ /usr/share/ipa/html/configure.jar \
+ /usr/share/ipa/html/kerberosauth.xpi \
+ /usr/share/ipa/html/krb.con \
+ /usr/share/ipa/html/krb.js \
+ /usr/share/ipa/html/krb5.ini \
+ /usr/share/ipa/html/krbrealm.con \
+ /usr/share/ipa/html/preferences.html
+}
diff --git a/sss-auth-setup.py b/sss-auth-setup.py
new file mode 100755
index 000000000000..efc6eadcd624
--- /dev/null
+++ b/sss-auth-setup.py
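Review bot: The rewritten `/etc/ssh/sshd_config.ipanew` is moved over the live config without being validated, and when none of the three `sshd -t` probes succeeds it still replaces the original, with the `AuthorizedKeysCommandUser`/`RunAs` lines already deleted by the first `sed`. Gate the replacement on a check of the candidate file, e.g. `/usr/sbin/sshd -t -f /etc/ssh/sshd_config.ipanew && mv /etc/ssh/sshd_config.ipanew /etc/ssh/sshd_config`, and remove the temporary file when the check fails so the existing config stays in place. sshd_config(5) also recommends a dedicated account with no other role for `AuthorizedKeysCommandUser`, rather than a shared one such as `nobody`.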
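Review bot: In install.freeipa-server, post_upgrade runs `ipa-upgradeconfig` and `ipa-ldap-updater --upgrade` back to back without checking either exit status, so the LDAP updater still runs after a failed configuration upgrade and the failure is easy to miss in the package manager's output. Chain the two and report, e.g. `ipa-upgradeconfig && ipa-ldap-updater --upgrade || echo 'FreeIPA upgrade step failed; rerun it manually' >&2`. The existing comment covers the case where nothing needs updating; whether both tools are also harmless on a host where ipa-server-install was never run is not visible in this hunk and deserves a guard or a comment.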
@@ -0,0 +1,338 @@
+#!/usr/bin/env python3
+
+# Written by: Xiao-Long Chen <chenxiaolong@cxl.epac.to>
+# License: GPLv3
+
+import base64
+import hashlib
+import os
+import re
+import shutil
+
+nss_databases = ['passwd', 'group', 'services', 'netgroup', 'automount']
+
+PAM_CONFIG_DIR = '/etc/pam.d/'
+
+def nss_enable_sss():
+ if os.path.exists("/etc/nsswitch.conf.sss_tmp"):
+ os.remove("/etc/nsswitch.conf.sss_tmp")
+
+ # Backup /etc/nsswitch.conf
+ shutil.copyfile("/etc/nsswitch.conf", "/etc/nsswitch.conf.sss_bak")
+
+ nsswitch_orig = open("/etc/nsswitch.conf", 'r')
+ nsswitch_new = open("/etc/nsswitch.conf.sss_tmp", 'w')
+
+ while True:
+ current_line = nsswitch_orig.readline()
+ if not current_line:
+ break
+
+ if current_line != '\n' and current_line.split()[0][:-1] in nss_databases:
+ if "sss" in current_line:
+ print("sss is already enabled for the NSS " +
+ current_line.split()[0][:-1] + " database")
+ else:
+ print("Enabling sss support for the NSS " +
+ current_line.split()[0][:-1] + " database...")
+ if current_line[-1] == '\n':
+ current_line = current_line[:-1] + " sss\n"
+ else:
+ current_line += " sss"
+
+ # Write new file
+ nsswitch_new.write(current_line)
+
+ nsswitch_orig.close()
+ nsswitch_new.close()
+
+ # Replace original /etc/nsswitch.conf
+ shutil.move("/etc/nsswitch.conf.sss_tmp", "/etc/nsswitch.conf")
+
+def nss_disable_sss():
+ if os.path.exists("/etc/nsswitch.conf.sss_tmp"):
+ os.remove("/etc/nsswitch.conf.sss_tmp")
+
+ nsswitch_orig = open("/etc/nsswitch.conf", 'r')
+ nsswitch_new = open("/etc/nsswitch.conf.sss_tmp", 'w')
+
+ while True:
+ current_line = nsswitch_orig.readline()
+ if not current_line:
+ break
+
+ if current_line != '\n' and current_line.split()[0][:-1] in nss_databases:
+ if "sss" in current_line:
+ print("Disabling sss for the NSS " +
+ current_line.split()[0][:-1] + " database...")
+ current_line = re.sub(r"[ \t]+sss[ \t]*", ' ', current_line)
+ # Remove extra spaces
+ current_line = re.sub(r"[ \t]+\n", '\n', current_line)
+
+ # Write new file
+ nsswitch_new.write(current_line)
+
+ nsswitch_orig.close()
+ nsswitch_new.close()
+
+ # Replace original /etc/nsswitch.conf
+ shutil.move("/etc/nsswitch.conf.sss_tmp", "/etc/nsswitch.conf")
+
+def pam_check_header(pam_config):
+ pam_file = open(PAM_CONFIG_DIR + pam_config, 'r')
+
+ inside_header = False
+ has_header = False
+ sha512sum = ''
+ base64enc = ''
+ returned = None
+
+ while True:
+ current_line = pam_file.readline()
+ if not current_line:
+ break
+
+ if current_line == '\n' or current_line == '# \n':
+ continue
+
+ if current_line == '# -----BEGIN PAM BACKUP-----\n':
+ inside_header = True
+
+ elif current_line == '# -----END PAM BACKUP-----\n':
+ if not inside_header:
+ # Invalid because the begin line is missing
+ returned = ('INVALID', None, None)
+ break
+
+ has_header = True
+ break
+
+ elif inside_header:
+ if current_line.startswith('# Hash: '):
+ sha512sum = current_line[8:-1]
+ elif current_line.startswith('# Data: '):
+ base64enc = current_line[8:-1]
+ else:
+ # Invalid because unknown data is in the header
+ returned = ('INVALID', None, None)
+ break
+
+ pam_file.close()
+
+ if has_header:
+ if sha512sum == hashlib.sha512(base64.b64decode(base64enc)).hexdigest():
+ returned = ('VALID', sha512sum, base64enc)
+ else:
+ # Invalid because the checksum of the data does not match the hash
+ returned = ('INVALID', None, None)
+
+ if not returned:
+ returned = ('NONE', None, None)
+
+ return returned
+
+def pam_config_setup(pam_config):
+ pam_file_orig = open(PAM_CONFIG_DIR + pam_config, 'r')
+ pam_file_new = open(PAM_CONFIG_DIR + pam_config + '.sss_tmp', 'a')
+
+ while True:
+ current_line = pam_file_orig.readline()
+ if not current_line:
+ break
+
+ if current_line.startswith('#%PAM-1.0'):
+ continue
+
+ if current_line != '\n' and current_line[0] != '#':
+ current_line_split = current_line.split()
+
+ # Change 'required' to 'sufficient' for the pam_unix.so module
+ if current_line_split[2] == "pam_unix.so" and current_line_split[1] == "required":
+ #pam_file_new.write(current_line.replace("required", "sufficient"))
+ pam_file_new.write(current_line_split[0] + "\t\tinclude\t\tsss\n")
+ continue
+
+ pam_file_new.write(current_line)
+
+ pam_file_orig.close()
+ pam_file_new.close()
+
+def pam_enable_sss():
+ print('Enabling sssd support in:')
+
+ rows, columns = os.popen('stty size', 'r').read().split()
+ columns = int(columns) - 3
+
+ for fullpath, directories, files in os.walk(PAM_CONFIG_DIR):
+ files.sort()
+ for pam_config in files:
+ if pam_config == 'sss' or pam_config == 'sss.bak' or \
+ pam_config.startswith('.') or pam_config.endswith('~'):
+ continue
+
+ status = pam_check_header(pam_config)[0]
+ if status == 'NONE':
+ status_msg = 'done'
+ elif status == 'VALID':
+ status_msg = 'already enabled (skipping)'
+ elif status == 'INVALID':
+ status_msg = 'invalid backup header (skipping)'
+
+ pam_config_path = PAM_CONFIG_DIR + pam_config
+
+ if status == 'NONE':
+ pam_file = open(pam_config_path, 'rb')
+
+ raw_content = pam_file.read()
+ sha512sum = hashlib.sha512(raw_content).hexdigest()
+ base64enc_raw = base64.b64encode(raw_content)
+ base64enc = base64enc_raw.decode('ascii')
+
+ pam_file.close()
+
+ tmp_file = open(pam_config_path + '.sss_tmp', 'w')
+
+ tmp_file.write('#%PAM-1.0\n')
+ tmp_file.write('# -----BEGIN PAM BACKUP-----\n')
+ tmp_file.write('# Hash: ' + sha512sum + '\n')
+ tmp_file.write('# \n')
+ tmp_file.write('# Data: ' + base64enc + '\n')
+ tmp_file.write('# -----END PAM BACKUP-----\n')
+ tmp_file.write('\n')
+
+ tmp_file.close()
+
+ pam_config_setup(pam_config)
+
+ shutil.move(pam_config_path + '.sss_tmp', pam_config_path)
+
+ if len(pam_config_path + status_msg) > columns:
+ print(pam_config_path)
+ print(('{:>%is} ' % columns + 2).format(status_msg))
+ else:
+ print((' {:<%is}{:>%is} ' % \
+ (len(pam_config_path), columns - len(pam_config_path))). \
+ format(pam_config_path, status_msg))
+
+ if os.path.exists(PAM_CONFIG_DIR + 'sss'):
+ print('%ssss already exists. Moving it to %ssss.bak' % \
+ (PAM_CONFIG_DIR, PAM_CONFIG_DIR))
+ shutil.move(PAM_CONFIG_DIR + 'sss', PAM_CONFIG_DIR + 'sss.bak')
+
+ pam_sss = open(PAM_CONFIG_DIR + 'sss', 'w')
+ # Auth
+ pam_sss.write("auth sufficient pam_unix.so nullok try_first_pass\n")
+ pam_sss.write("auth sufficient pam_sss.so use_first_pass\n")
+ pam_sss.write("auth required pam_deny.so\n")
+ # Account
+ pam_sss.write("account required pam_unix.so\n")
+ pam_sss.write("#account [default=bad success=ok user_unknown=ignore] pam_sss.so\n")
+ pam_sss.write("account optional pam_sss.so\n")
+ # Password
+ pam_sss.write("password sufficient pam_unix.so try_first_pass nullok sha512 shadow\n")
+ pam_sss.write("password sufficient pam_sss.so use_authtok\n")
+ pam_sss.write("password required pam_deny.so\n")
+ # Session
+ pam_sss.write("session required pam_unix.so\n")
+ pam_sss.write("session optional pam_sss.so\n")
+ pam_sss.close()
+
+def pam_disable_sss():
+ print('Disabling sssd support in:')
+
+ rows, columns = os.popen('stty size', 'r').read().split()
+ columns = int(columns) - 3
+
+ for fullpath, directories, files in os.walk(PAM_CONFIG_DIR):
+ files.sort()
+ for pam_config in files:
+ if pam_config == 'sss' or pam_config == 'sss.bak' or \
+ pam_config.startswith('.') or pam_config.endswith('~'):
+ continue
+
+ status, sha512sum, base64enc = pam_check_header(pam_config)
+ if status == 'NONE':
+ status_msg = 'already disabled (skipping)'
+ elif status == 'VALID':
+ status_msg = 'done'
+ elif status == 'INVALID':
+ status_msg = 'invalid backup header (skipping)'
+
+ pam_config_path = PAM_CONFIG_DIR + pam_config
+
+ if status == 'VALID':
+ pam_file = open(pam_config_path + '.sss_tmp', 'wb')
+ pam_file.write(base64.b64decode(base64enc))
+ pam_file.close()
+ shutil.move(pam_config_path + '.sss_tmp', pam_config_path)
+
+ if len(pam_config_path + status_msg) > columns:
+ print(pam_config_path)
+ print(('{:>%is} ' % columns + 2).format(status_msg))
+ else:
+ print((' {:<%is}{:>%is} ' % \
+ (len(pam_config_path), columns - len(pam_config_path))). \
+ format(pam_config_path, status_msg))
+
+ if os.path.exists(PAM_CONFIG_DIR + 'sss'):
+ os.remove(PAM_CONFIG_DIR + 'sss')
+
+def parse_arguments():
+ import argparse
+ import textwrap
+
+ arg_parser = argparse.ArgumentParser()
+ arg_parser.formatter_class = argparse.RawDescriptionHelpFormatter
+ arg_parser.description = textwrap.dedent("""
+ Arch Linux sssd authentication setup helper for PAM and NSS
+ -----------------------------------------------------------
+ """)
+
+ nss_group = arg_parser.add_mutually_exclusive_group()
+ nss_group.add_argument("--enable-nss",
+ help="Enable support for SSSD in NSS",
+ action="store_true",
+ dest="nss_action",
+ default=None)
+ nss_group.add_argument("--disable-nss",
+ help="Disable support for SSSD in NSS",
+ action="store_false",
+ dest="nss_action",
+ default=None)
+
+ pam_group = arg_parser.add_mutually_exclusive_group()
+ pam_group.add_argument("--enable-pam",
+ help="Enable support for SSSD in PAM",
+ action="store_true",
+ dest="pam_action",
+ default=None)
+ pam_group.add_argument("--disable-pam",
+ help="Disable support for SSSD in PAM",
+ action="store_false",
+ dest="pam_action",
+ default=None)
+
+ args = arg_parser.parse_args()
+
+ if args.nss_action == None and args.pam_action == None:
+ print("No action given!")
+ exit(1)
+
+ if os.getuid() != 0:
+ print("sss-auth-setup must be run as root!")
+ exit(1)
+
+ if args.nss_action != None:
+ if args.nss_action:
+ nss_enable_sss()
+ else:
+ nss_disable_sss()
+
+ if args.pam_action != None:
+ if args.pam_action:
+ pam_enable_sss()
+ else:
+ pam_disable_sss()
+
+if __name__ == "__main__":
+ parse_arguments() |
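Review bot: In pam_enable_sss and pam_disable_sss, `('{:>%is} ' % columns + 2)` applies `%` before `+`, so the long-path branch adds an int to a str and raises TypeError; it should read `print(('{:>%is} ' % (columns + 2)).format(status_msg))`. In pam_enable_sss that exception lands after the current service file has already been rewritten to `include sss` but before `/etc/pam.d/sss` is created at the end of the function, which would leave that service including a file that does not exist; writing the `sss` file before the loop closes that window. pam_config_setup also indexes `current_line_split[2]` without checking the field count, so a rule line with fewer than three fields aborts the run at the same point. Separately, the generated `auth` and `password` lines pass `nullok` to pam_unix.so, which permits empty passwords; drop it unless that is intended.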