[Freeipa-devel] [PATCHES] OTP Patches

Alexander Bokovoy abokovoy at redhat.com
Wed Mar 19 15:37:49 UTC 2014


On Fri, 21 Feb 2014, Nathaniel McCallum wrote:
>On Fri, 2014-02-21 at 00:08 +0200, Alexander Bokovoy wrote:
>> On Thu, 20 Feb 2014, Nathaniel McCallum wrote:
>> >> > >>There is an error in libotp's find() function which assumes that
>> >> > >>get_basedn() always returns non-NULL value. This is not true for at
>> >> > >>least cn=Directory Manager.
>> >> > >>
>> >> > >>Patch attached.
>> >> > >More fixes required, now that Thierry produced the fix for 389-ds ticket
>> >> > >47699 which allows re-arranging schema-compat and ipa-pwd-extop
>> >> > >plugins. I'm getting a crash in find() in libotp.c for internal search in
>> >> > >some other conditions but at least user dn now is the correct one.
>> >> > >
>> >> > >Stay tuned.
>> >> > OK, finally I've got it working -- my last patch had an error which could
>> >> > be attributed to the late night time.
>> >> >
>> >> > New patch is attached to fix libotp to work properly with empty base dn
>> >> > (such as cn=Directory Manager).
>> >> >
>> >> > Also I'm attaching the patch that sets precedence of schema-compat
>> >> > plugin to 49 (less than default 50). With this patch and 389-ds with
>> >> > patch from ticket 47699 compat tree binds work with OTP.
>> >> >
>> >> > When updated 389-ds-base will be released, we'll need to add Requires:
>> >> > to our RPM spec to depend on it. Without the updated 389-ds-base compat
>> >> > tree binds will not work with OTP but the rest will be working fine.
>> >> >
>> >> > Finally, ACK to all OTP patches.
>> >>
>> >> ACK to both of these patches.
>> >
>> >I've merged the first patch here --
>> >https://www.redhat.com/archives/freeipa-devel/2014-February/msg00341.html
>> >
>> >I just realized the second patch shouldn't be ACK'd until we have a new
>> >389DS release with the fix. When that happens, reissue this patch with
>> >an updated versioned require.
>> No, it can be safely merged as 389DS will use default precedence (50) unless
>> the fix is there. So the worst we get is the same as now -- OTP binds
>> will not work over compat tree. And when 389DS will be upgraded, they
>> will start working after 389DS restart.
>
>But this patch doesn't actually do anything until we get the new version
>of 389DS. If we are ever going to add a versioned dependency on the new
>389DS for this feature, it should go in this patch. Otherwise, it is an
>ACK from me.
New 389-DS is in Fedora 20 updates stable and Rawhide already:
389-ds-base-1.3.2.16-1.fc20. Also, selinux-policy 3.12.1-135 is now in
Fedora 20 updates testing, providing multiple policy enhancements that
make it possible for the Apache process to work with kernel-based
credentials caches.

Attached patch makes use of the new packages.

-- 
/ Alexander Bokovoy
-------------- next part --------------
From 22d00b5413952f6a6ef2840341dd143999c9ad6e Mon Sep 17 00:00:00 2001
From: Alexander Bokovoy <abokovoy at redhat.com>
Date: Wed, 19 Mar 2014 17:31:49 +0200
Subject: [PATCH] freeipa.spec.in: update dependencies to 389-ds and
 selinux-policy

389-ds-base 1.3.2.16 implements reordering of sub-plugins based on the
ordering of the main plugin. We need it to make OTP work over the
compat tree.

selinux-policy 3.12.1-135 fixes issues which prevented httpd from working
with kernel keyring-based credentials caches.

This change is Fedora 20+.
---
 freeipa.spec.in | 6 +++---
 1 file changed, 3 insertions(+), 3 deletions(-)

diff --git a/freeipa.spec.in b/freeipa.spec.in
index c17e939..8658ea8 100644
--- a/freeipa.spec.in
+++ b/freeipa.spec.in
@@ -21,7 +21,7 @@ Source0:        freeipa-%{version}.tar.gz
 BuildRoot:      %{_tmppath}/%{name}-%{version}-%{release}-root-%(%{__id_u} -n)
 
 %if ! %{ONLY_CLIENT}
-BuildRequires:  389-ds-base-devel >= 1.3.2.11
+BuildRequires:  389-ds-base-devel >= 1.3.2.16
 BuildRequires:  svrcore-devel
 BuildRequires:  policycoreutils >= %{POLICYCOREUTILSVER}
 BuildRequires:  systemd-units
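Review bot: the bump of BuildRequires: 389-ds-base-devel to >= 1.3.2.16 is not explained by the commit message, which only describes a runtime behaviour (reordering of sub-plugins based on the ordering of the main plugin). If nothing in the build needs headers or symbols that first appear in 1.3.2.16, the build-time minimum could stay at 1.3.2.11 and only the runtime Requires be raised. If the bump is intentional, to keep build and runtime minimums in step, a sentence saying so in the commit message would help anyone building on a host that does not carry the new package yet.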
@@ -98,7 +98,7 @@ Group: System Environment/Base
 Requires: %{name}-python = %{version}-%{release}
 Requires: %{name}-client = %{version}-%{release}
 Requires: %{name}-admintools = %{version}-%{release}
-Requires: 389-ds-base >= 1.3.2.11
+Requires: 389-ds-base >= 1.3.2.16
 Requires: openldap-clients > 2.4.35-4
 %if 0%{?fedora} == 18
 Requires: nss >= 3.14.3-2
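Review bot: the new Requires: 389-ds-base >= 1.3.2.16 is unconditional, while the commit message says "This change is Fedora 20+" and the context directly below still carries a %if 0%{?fedora} == 18 branch. As written, the server package cannot be installed on any release that does not ship 1.3.2.16. Either guard the higher minimum with a Fedora version conditional and keep >= 1.3.2.11 for older releases, or state in the commit message that this spec no longer targets releases before Fedora 20 so the leftover Fedora 18 conditionals can be cleaned up in a follow-up.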
@@ -139,7 +139,7 @@ Requires: python-memcached
 Requires: systemd-units >= 38
 Requires(pre): systemd-units
 Requires(post): systemd-units
-Requires: selinux-policy >= 3.12.1-65
+Requires: selinux-policy >= 3.12.1-135
 Requires(post): selinux-policy-base
 Requires: slapi-nis >= 0.47.7
 Requires: pki-ca >= 10.0.4
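Review bot: Requires: selinux-policy >= 3.12.1-135 depends on a build that, per the cover message, is only in Fedora 20 updates testing, so an install from the stable repositories cannot satisfy it until that update is pushed. Consider holding this line until the policy update reaches stable, or note the updates-testing requirement in the commit message. Like the 389-ds-base change, this minimum is also applied unconditionally although the commit message scopes it to Fedora 20+, so a version conditional around it would match the stated intent.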
-- 
1.8.5.3


