On Fri, 21 Feb 2014, Nathaniel McCallum wrote:
On Fri, 2014-02-21 at 00:08 +0200, Alexander Bokovoy wrote:
On Thu, 20 Feb 2014, Nathaniel McCallum wrote:
>> > >>There is an error in libotp's find() function which assumes that
>> > >>get_basedn() always returns a non-NULL value. This is not true for at
>> > >>least cn=Directory Manager.
>> > >>
>> > >>Patch attached.
>> > >More fixes required, now that Thierry produced the fix for 389-ds ticket
>> > >47699 which allows re-arranging the schema-compat and ipa-pwd-extop
>> > >plugins. I'm getting a crash in find() in libotp.c for internal search in
>> > >some other conditions but at least the user dn now is the correct one.
>> > >
>> > >Stay tuned.
>> > OK, finally I've got it working -- my last patch had an error which could
>> > be attributed to the late night time.
>> >
>> > New patch is attached to fix libotp to work properly with empty base dn
>> > (such as cn=Directory Manager).
>> >
>> > Also I'm attaching the patch that sets precedence of schema-compat
>> > plugin to 49 (less than default 50). With this patch and 389-ds with
>> > patch from ticket 47699 compat tree binds work with OTP.
>> >
>> > When the updated 389-ds-base is released, we'll need to add Requires:
>> > to our RPM spec to depend on it. Without the updated 389-ds-base, compat
>> > tree binds will not work with OTP but the rest will be working fine.
>> >
>> > Finally, ACK to all OTP patches.
>>
>> ACK to both of these patches.
>
>I've merged the first patch here --
>https://www.redhat.com/archives/freeipa-devel/2014-February/msg00341.html
>
>I just realized the second patch shouldn't be ACK'd until we have a new
>389DS release with the fix. When that happens, reissue this patch with
>an updated versioned require.
No, it can be safely merged as 389DS will use default precedence (50) unless
the fix is there. So the worst we get is the same as now -- OTP binds
will not work over compat tree. And when 389DS is upgraded, they
will start working after 389DS restart.

But this patch doesn't actually do anything until we get the new version
of 389DS. If we are ever going to add a versioned dependency on the new
389DS for this feature, it should go in this patch. Otherwise, it is an
ACK from me.

New 389-DS is in Fedora 20 updates stable and Rawhide already.
389-ds-base-1.3.2.16-1.fc20. Also, selinux-policy 3.12.1-135 is now in
Fedora 20 updates testing, providing multiple policy enhancements that
make it possible for the Apache process to work with kernel-based credentials
caches.

Attached patch makes use of the new packages.
--
/ Alexander Bokovoy
From 22d00b5413952f6a6ef2840341dd143999c9ad6e Mon Sep 17 00:00:00 2001
From: Alexander Bokovoy <[email protected]>
Date: Wed, 19 Mar 2014 17:31:49 +0200
Subject: [PATCH] freeipa.spec.in: update dependencies to 389-ds and
selinux-policy

389-ds-base 1.3.2.16 implements reordering of sub-plugins based on the
ordering of the main plugin. We need it to make OTP work over
compat tree.

selinux-policy 3.12.1-135 fixes issues which prevented httpd from working
with kernel keyring-based credentials caches.

This change is Fedora 20+.
---
freeipa.spec.in | 6 +++---
1 file changed, 3 insertions(+), 3 deletions(-)
diff --git a/freeipa.spec.in b/freeipa.spec.in
index c17e939..8658ea8 100644
--- a/freeipa.spec.in
+++ b/freeipa.spec.in
@@ -21,7 +21,7 @@ Source0: freeipa-%{version}.tar.gz
BuildRoot: %{_tmppath}/%{name}-%{version}-%{release}-root-%(%{__id_u} -n)
%if ! %{ONLY_CLIENT}
-BuildRequires: 389-ds-base-devel >= 1.3.2.11
+BuildRequires: 389-ds-base-devel >= 1.3.2.16
BuildRequires: svrcore-devel
BuildRequires: policycoreutils >= %{POLICYCOREUTILSVER}
BuildRequires: systemd-units
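Review bot: the BuildRequires bump to 389-ds-base-devel >= 1.3.2.16 is not explained by the commit message, which only describes a runtime behaviour of the server (sub-plugin reordering). If nothing in the build needs headers from 1.3.2.16, either leave the build dependency at 1.3.2.11 or add a sentence to the message saying it is raised only to stay in step with the runtime Requires. As written it also applies to every non-client build, not just the "Fedora 20+" the message names.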
@@ -98,7 +98,7 @@ Group: System Environment/Base
Requires: %{name}-python = %{version}-%{release}
Requires: %{name}-client = %{version}-%{release}
Requires: %{name}-admintools = %{version}-%{release}
-Requires: 389-ds-base >= 1.3.2.11
+Requires: 389-ds-base >= 1.3.2.16
Requires: openldap-clients > 2.4.35-4
%if 0%{?fedora} == 18
Requires: nss >= 3.14.3-2
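Review bot: the raised `Requires: 389-ds-base >= 1.3.2.16` is unconditional, yet the next context line is `%if 0%{?fedora} == 18`, so this spec still carries branches for releases older than the "Fedora 20+" stated in the commit message. Either guard the new floor with a release conditional, or say in the message that older releases are no longer supported by this spec and drop the Fedora 18 conditionals in a follow-up. A one-line spec comment noting that this version is needed for OTP binds over the compat tree would keep the reason for the floor from getting lost.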
@@ -139,7 +139,7 @@ Requires: python-memcached
Requires: systemd-units >= 38
Requires(pre): systemd-units
Requires(post): systemd-units
-Requires: selinux-policy >= 3.12.1-65
+Requires: selinux-policy >= 3.12.1-135
Requires(post): selinux-policy-base
Requires: slapi-nis >= 0.47.7
Requires: pki-ca >= 10.0.4
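Review bot: `Requires: selinux-policy >= 3.12.1-135` makes the server package uninstallable wherever that build is not yet available, and the cover mail says 3.12.1-135 is only in Fedora 20 updates testing, while 389-ds-base 1.3.2.16 is already in stable. Consider holding this line until the policy update reaches stable, or splitting it into its own patch so the 389-ds bump can be merged independently. The requirement is also unconditional although the message scopes the change to Fedora 20+.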
--
1.8.5.3