On 10/05/2015 05:00 PM, Timo Aaltonen wrote:
I'm not sure if the goal is to be able to build IPA on Debian from
git/tarballs, but here's a list of what would need to be fixed first to
- places where usernames have been hardcoded need something like
apache -> www-data in:
this can be extracted to ipaplatform/base/constants.py
named -> bind in:
this is quite tricky,
for named_user the right location is ipaplatform/base/constants.py
for the service, you can look in ipaplatform/redhat/services.py; there is
already a mapping of named to named.pkcs11. We can do something similar in
the Debian platform specification: debian_system_units['named'] = 'bind.service'
However, if you want to replace named with bind completely, it requires
many more changes.
- config/service files that use hardcoded paths in them need to be moved
to a template, and use paths.py macros:
- same but with hardcoded usernames
A discussion with other developers is needed on how to resolve these files
- ipaserver/install/httpinstance.py needs to run "a2enmod/a2dismod nss"
because libapache2-mod-nss doesn't enable it on install (can't remember
why, but there was a good reason..)
We did installer changes, Honza may know if this is possible.
- various places using Fedora-specific libpaths (/usr/lib vs.
/usr/lib64), whereas on Debian these are /usr/lib/<tuple>, see
I might be wrong, but I found different issues:
this affects update files, and the same issue is for ldif files
We can replace the path '/var/lib(64)' with a substitute variable in those
files, and create a platform-specific method to determine the correct
path, or just substitute the value from ipaplatform/base/paths
Here for libpath we can use ipaplatform task.py or path.py if it is enough
The occurrences of /var/lib/ipa/backup should be in ipaplatform/paths
IMO the default pools should also be extracted to constants here, as a list of
ntp servers per platform.
- ntp daemon defaults use a different variable name (OPTIONS vs
NTPD_OPTS), and quotes (" vs. ')
OPTIONS can be extracted to ipaplatform/constants.py
Probably the " or ' issue can be handled in the same way
- "Include conf.d/ipa-rewrite.conf" in httpinstance.py needs to use an
absolute path with HTTPD_CONF_D, or HTTPD_CONF_D repurposed to only have
'conf.d' on Fedora and then conf-enabled on Debian
The solution here can be augeas, but I'm not sure if we will be able to
move to augeas soon enough.
- install/share/bind.named.conf.template needs to drop the default zone
on Debian, since that's already configured via includes (-> bind fails
to start), so a template file with an exception for Debian would fix it
This is the same issue as with ipa.conf
- Makefile needs to use --install-layout=deb for setup.py
- ipa-client/ipa-install/ipa-client-automount needs to check for
variable named 'NEED_GSSD' on debian, so ipaplatform/base/vars.py? (same
Leaving this for others.
There.. that should be all I think :) Oh, forgot that currently dnssec
needs to be disabled by some heavy patching, because 9.10.x isn't
I'm willing to send a patch to disable DNSSEC installation if you want.
Is there a chance to get 9.10.x with pkcs11 support?
Can you please open a ticket?
Thank you for this investigation
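
The approach discussed in this thread (per-platform constants plus substitution variables in config, update and ldif files), as an added sketch that is not FreeIPA code and is not from either author: the `PLATFORMS` table, `render`, `find_hardcoded` and the sample files are hypothetical, and Python's `string.Template` stands in for whatever substitution the installer uses. It flags literal user names and library paths left in a file and fails when a template names a variable the platform does not define.

```python
import re
from string import Template

# Hypothetical per-platform table built from the values named in the thread;
# it is not the real ipaplatform module. The Debian tuple is a sample value.
PLATFORMS = {
    "redhat": {"HTTPD_USER": "apache", "NAMED_USER": "named",
               "LIBDIR": "/usr/lib64",
               "NTPD_OPTS_VAR": "OPTIONS", "NTPD_OPTS_QUOTE": '"'},
    "debian": {"HTTPD_USER": "www-data", "NAMED_USER": "bind",
               "LIBDIR": "/usr/lib/x86_64-linux-gnu",
               "NTPD_OPTS_VAR": "NTPD_OPTS", "NTPD_OPTS_QUOTE": "'"},
}

def render(template_text, platform):
    """Fill $VARS from the platform table; an unknown variable raises KeyError."""
    return Template(template_text).substitute(PLATFORMS[platform])

def find_hardcoded(text, platform="redhat"):
    """List (line_no, key, value) where a user name or libdir is written literally."""
    hits = []
    for no, line in enumerate(text.splitlines(), 1):
        for key in ("HTTPD_USER", "NAMED_USER", "LIBDIR"):
            value = PLATFORMS[platform][key]
            # Standalone token only: "named" inside /etc/named.conf is a file name.
            if re.search(r"(?<![\w/.-])" + re.escape(value) + r"(?![\w.-])", line):
                hits.append((no, key, value))
    return hits

# Constructed sample of a file that still carries Fedora-specific values.
SAMPLE = ("User=apache\n"
          "Include /etc/named.conf\n"
          "plugin: /usr/lib64/dirsrv/plugins/libexample.so\n")

# Constructed templated form (lines from different files, combined for brevity).
TEMPLATED = ("User=$HTTPD_USER\n"
             "Include /etc/named.conf\n"
             "plugin: $LIBDIR/dirsrv/plugins/libexample.so\n"
             "$NTPD_OPTS_VAR=${NTPD_OPTS_QUOTE}-g${NTPD_OPTS_QUOTE}\n")

if __name__ == "__main__":
    for hit in find_hardcoded(SAMPLE):
        print("hardcoded:", hit)
    print(render(TEMPLATED, "debian"), end="")
```

A literal `$` in a real config file would have to be written as `$$` for `string.Template`.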