Re: [Freeipa-users] FreeIPA 4.0.0 and CentOS release 6.5

2014-08-09 Thread Dmitri Pal

On 07/24/2014 01:04 PM, Nordgren, Bryce L -FS wrote:

One of our larger users was in a similar situation a few years ago and
ended up running Fedora until RHEL caught up and then migrating the servers.

I'm running it on F20 because it seemed like the dependencies would make running it on 
CentOS 7 a pile of pain I didn't need. I do think "RHEL catching up" will 
probably be a 3-4 year proposition (i.e., RHEL 8), so the ability to run FreeIPA 4.0.0 is 
likely to be a moot point by then. Or are you thinking that it might be part of 7.1?


We are indeed working into this direction so expectations that it will 
be in RHEL in 3-4 years are negatively exaggerated.




Bryce





This electronic message contains information generated by the USDA solely for 
the intended recipients. Any unauthorized interception of this message or the 
use or disclosure of the information it contains may violate the law and 
subject the violator to civil or criminal penalties. If you believe you have 
received this message in error, please notify the sender and delete the email 
immediately.




--
Thank you,
Dmitri Pal

Sr. Engineering Manager IdM portfolio
Red Hat, Inc.

--
Manage your subscription for the Freeipa-users mailing list:
https://www.redhat.com/mailman/listinfo/freeipa-users
Go To http://freeipa.org for more info on the project


Re: [Freeipa-users] FreeIPA 4.0.0 and CentOS release 6.5

2014-07-25 Thread Petr Vobornik

On 24.7.2014 21:52, Lukas Slebodnik wrote:

On (24/07/14 13:57), Rob Crittenden wrote:

Petr Spacek wrote:

On 24.7.2014 18:26, Chris Whittle wrote:

Would CentOS7 work with FreeIPA 4?


In theory - it could work. However you will have to build few new
packages, including 389 DS, Kerberos libs, Dogtag CA and bind-dyndb-ldap.

I'm attaching SPEC file diff from 3.3.3 to 4.0.0 so you can see what new
packages it requires.

Please let us know if it works for you.


Right. In theory building 4.0.0 on RHEL 7 would be orders of magnitude
easier than RHEL 6. Sure a lot of packages will need upgrades but
nothing on the number in RHEL 6 which represent major package updates.


just 6 missing dependenices for RHEL7.
http://www.redhat.com/archives/freeipa-users/2014-July/msg00083.html


also missing:

open-sans-fonts
fontawesome-fonts
ttembed
python-lesscpy
python-ply  



It is very easy to prepare them in COPR and build FreeIPA-4.0 for el7 as
well https://copr.fedoraproject.org/coprs/pviktori/freeipa/

LS




--
Petr Vobornik

--
Manage your subscription for the Freeipa-users mailing list:
https://www.redhat.com/mailman/listinfo/freeipa-users
Go To http://freeipa.org for more info on the project


Re: [Freeipa-users] FreeIPA 4.0.0 and CentOS release 6.5

2014-07-25 Thread Martin Kosek
On 07/24/2014 07:04 PM, Nordgren, Bryce L -FS wrote:
> One of our larger users was in a similar situation a few years ago and
> ended up running Fedora until RHEL caught up and then migrating the servers.
> 
> I'm running it on F20 because it seemed like the dependencies would make 
> running it on CentOS 7 a pile of pain I didn't need. I do think "RHEL 
> catching up" will probably be a 3-4 year proposition (i.e., RHEL 8), so the 
> ability to run FreeIPA 4.0.0 is likely to be a moot point by then. Or are you 
> thinking that it might be part of 7.1?

It might, wait and see :-) Alternatively, you as Lukas pointed out below,
preparing a (COPR) repo on top of RHEL-7.0 should be much easier than preparing
it on top of RHEL-6.x.

Martin

-- 
Manage your subscription for the Freeipa-users mailing list:
https://www.redhat.com/mailman/listinfo/freeipa-users
Go To http://freeipa.org for more info on the project


Re: [Freeipa-users] FreeIPA 4.0.0 and CentOS release 6.5

2014-07-24 Thread Lukas Slebodnik
On (24/07/14 13:57), Rob Crittenden wrote:
>Petr Spacek wrote:
>> On 24.7.2014 18:26, Chris Whittle wrote:
>>> Would CentOS7 work with FreeIPA 4?
>> 
>> In theory - it could work. However you will have to build few new
>> packages, including 389 DS, Kerberos libs, Dogtag CA and bind-dyndb-ldap.
>> 
>> I'm attaching SPEC file diff from 3.3.3 to 4.0.0 so you can see what new
>> packages it requires.
>> 
>> Please let us know if it works for you.
>
>Right. In theory building 4.0.0 on RHEL 7 would be orders of magnitude
>easier than RHEL 6. Sure a lot of packages will need upgrades but
>nothing on the number in RHEL 6 which represent major package updates.
>
just 6 missing dependenices for RHEL7.
http://www.redhat.com/archives/freeipa-users/2014-July/msg00083.html

It is very easy to prepare them in COPR and build FreeIPA-4.0 for el7 as
well https://copr.fedoraproject.org/coprs/pviktori/freeipa/

LS

-- 
Manage your subscription for the Freeipa-users mailing list:
https://www.redhat.com/mailman/listinfo/freeipa-users
Go To http://freeipa.org for more info on the project


Re: [Freeipa-users] FreeIPA 4.0.0 and CentOS release 6.5

2014-07-24 Thread Rob Crittenden
Petr Spacek wrote:
> On 24.7.2014 18:26, Chris Whittle wrote:
>> Would CentOS7 work with FreeIPA 4?
> 
> In theory - it could work. However you will have to build few new
> packages, including 389 DS, Kerberos libs, Dogtag CA and bind-dyndb-ldap.
> 
> I'm attaching SPEC file diff from 3.3.3 to 4.0.0 so you can see what new
> packages it requires.
> 
> Please let us know if it works for you.

Right. In theory building 4.0.0 on RHEL 7 would be orders of magnitude
easier than RHEL 6. Sure a lot of packages will need upgrades but
nothing on the number in RHEL 6 which represent major package updates.

rob

> 
> Petr^2 Spacek
> 
>> On Thu, Jul 24, 2014 at 11:23 AM, Rob Crittenden 
>> wrote:
>>
>>> Chris Whittle wrote:
 Is it possible, I've looked around and most everyone says the
 dependancies are too much outside of what it has.
>>>
>>> Not without building a whole ton of your own packages. And we're not
>>> talking simple, little packages. These would be significant upgrades for
>>> which you'd have to manage your own security and bug fixing, forever.
>>>
>>> On top of that, it is doubtful it has been tested in a sysV init
>>> environment. It may work as the previous support is still there, but
>>> it's a grey area for sure.
>>>
 I'm about to implement FreeIPA across the CO and would rather do the
 big
 upgrade first and not after.
>>>
>>> One of our larger users was in a similar situation a few years ago and
>>> ended up running Fedora until RHEL caught up and then migrating the
>>> servers.
>>>
>>> Another option is to use IPA 3.3 in RHEL/CentOS 7, depending on what
>>> features you need.
>>>
>>> rob
> 
> 

-- 
Manage your subscription for the Freeipa-users mailing list:
https://www.redhat.com/mailman/listinfo/freeipa-users
Go To http://freeipa.org for more info on the project


Re: [Freeipa-users] FreeIPA 4.0.0 and CentOS release 6.5

2014-07-24 Thread Petr Spacek

On 24.7.2014 18:26, Chris Whittle wrote:

Would CentOS7 work with FreeIPA 4?


In theory - it could work. However you will have to build few new packages, 
including 389 DS, Kerberos libs, Dogtag CA and bind-dyndb-ldap.


I'm attaching SPEC file diff from 3.3.3 to 4.0.0 so you can see what new 
packages it requires.


Please let us know if it works for you.

Petr^2 Spacek


On Thu, Jul 24, 2014 at 11:23 AM, Rob Crittenden 
wrote:


Chris Whittle wrote:

Is it possible, I've looked around and most everyone says the
dependancies are too much outside of what it has.


Not without building a whole ton of your own packages. And we're not
talking simple, little packages. These would be significant upgrades for
which you'd have to manage your own security and bug fixing, forever.

On top of that, it is doubtful it has been tested in a sysV init
environment. It may work as the previous support is still there, but
it's a grey area for sure.


I'm about to implement FreeIPA across the CO and would rather do the big
upgrade first and not after.


One of our larger users was in a similar situation a few years ago and
ended up running Fedora until RHEL caught up and then migrating the
servers.

Another option is to use IPA 3.3 in RHEL/CentOS 7, depending on what
features you need.

rob
diff --git a/freeipa.spec.in b/freeipa.spec.in
index a091164..6b1f0a9 100644
--- a/freeipa.spec.in
+++ b/freeipa.spec.in
@@ -4,6 +4,7 @@
 %global plugin_dir %{_libdir}/dirsrv/plugins
 %global POLICYCOREUTILSVER 2.1.12-5
 %global gettext_domain ipa
+%define _hardened_build 1
 
 Name:   freeipa
 Version:__VERSION__
@@ -17,18 +18,13 @@ Source0:freeipa-%{version}.tar.gz
 BuildRoot:  %{_tmppath}/%{name}-%{version}-%{release}-root-%(%{__id_u} -n)
 
 %if ! %{ONLY_CLIENT}
-BuildRequires:  389-ds-base-devel >= 1.3.1.3
+BuildRequires:  389-ds-base-devel >= 1.3.2.16
 BuildRequires:  svrcore-devel
 BuildRequires:  policycoreutils >= %{POLICYCOREUTILSVER}
 BuildRequires:  systemd-units
-%if 0%{?fedora} >= 18
 BuildRequires:  samba-devel >= 2:4.0.5-1
 BuildRequires:  samba-python
 BuildRequires:  libwbclient-devel
-%else
-BuildRequires:  samba4-devel >= 4.0.0-139
-BuildRequires:  samba4-python
-%endif
 BuildRequires:  libtalloc-devel
 BuildRequires:  libtevent-devel
 %endif # ONLY_CLIENT
@@ -53,7 +49,7 @@ BuildRequires:  python-setuptools
 BuildRequires:  python-krbV
 BuildRequires:  python-nss
 BuildRequires:  python-netaddr
-BuildRequires:  python-kerberos
+BuildRequires:  python-kerberos >= 1.1-14
 BuildRequires:  python-rhsm
 BuildRequires:  pyOpenSSL
 BuildRequires:  pylint
@@ -63,20 +59,19 @@ BuildRequires:  python-memcached
 BuildRequires:  sssd >= 1.9.2
 BuildRequires:  python-lxml
 BuildRequires:  python-pyasn1 >= 0.0.9a
+BuildRequires:  python-qrcode
 BuildRequires:  python-dns
 BuildRequires:  m2crypto
 BuildRequires:  check
 BuildRequires:  libsss_idmap-devel
 BuildRequires:  libsss_nss_idmap-devel
 BuildRequires:  java-1.7.0-openjdk
+BuildRequires:  rhino
 BuildRequires:  libverto-devel
 BuildRequires:  systemd
 BuildRequires:  libunistring-devel
-
-# Find out Kerberos middle version to infer ABI changes in DAL driver
-# We cannot load DAL driver into KDC with wrong ABI.
-# This is also needed to support ipa-devel repository where krb5 1.11 is available for F18
-%global krb5_dal_version %{expand:%(echo "#include "|cpp -dM|grep KRB5_KDB_DAL_MAJOR_VERSION|cut -d' ' -f3)}
+BuildRequires:  python-lesscpy
+BuildRequires:  python-yubico
 
 %description
 IPA is an integrated solution to provide centrally managed Identity (machine,
@@ -91,50 +86,32 @@ Group: System Environment/Base
 Requires: %{name}-python = %{version}-%{release}
 Requires: %{name}-client = %{version}-%{release}
 Requires: %{name}-admintools = %{version}-%{release}
-Requires: 389-ds-base >= 1.3.1.3
+Requires: 389-ds-base >= 1.3.2.19
 Requires: openldap-clients > 2.4.35-4
-%if 0%{?fedora} == 18
-Requires: nss >= 3.14.3-2
-Requires: nss-tools >= 3.14.3-2
-%else
 Requires: nss >= 3.14.3-12.0
 Requires: nss-tools >= 3.14.3-12.0
-%endif
-%if 0%{?krb5_dal_version} >= 4
-Requires: krb5-server >= 1.11.2-1
-%else
-%if 0%{krb5_dal_version} == 3
-# krb5 1.11 bumped DAL interface major version, a rebuild is needed
-Requires: krb5-server < 1.11
-Requires: krb5-server >= 1.10
-%else
-Requires: krb5-server >= 1.10
-%endif
-%endif
+Requires: krb5-server >= 1.11.5-3
 Requires: krb5-pkinit-openssl
 Requires: cyrus-sasl-gssapi%{?_isa}
 Requires: ntp
-Requires: httpd
+Requires: httpd >= 2.4.6-6
 Requires: mod_wsgi
-%if 0%{?fedora} >= 18
 Requires: mod_auth_kerb >= 5.4-16
-%else
-Requires: mod_auth_kerb >= 5.4-8
-%endif
-Requires: mod_nss >= 1.0.8-24
+Requires: mod_nss >= 1.0.8-26
 Requires: python-ldap
 Requires: python-krbV
 Requires: acl
 Requires: python-pyasn1
 Requires: memcached
 Requires: python-memcached
+Requires: dbus-python
 Requires: systemd-units >= 38
 Requires(pre): systemd-units
 Requires(post): systemd-units
-Requires: selinux-policy >= 3.12.1-65
+Requi

Re: [Freeipa-users] FreeIPA 4.0.0 and CentOS release 6.5

2014-07-24 Thread Nordgren, Bryce L -FS
One of our larger users was in a similar situation a few years ago and
ended up running Fedora until RHEL caught up and then migrating the servers.

I'm running it on F20 because it seemed like the dependencies would make 
running it on CentOS 7 a pile of pain I didn't need. I do think "RHEL catching 
up" will probably be a 3-4 year proposition (i.e., RHEL 8), so the ability to 
run FreeIPA 4.0.0 is likely to be a moot point by then. Or are you thinking 
that it might be part of 7.1?

Bryce





This electronic message contains information generated by the USDA solely for 
the intended recipients. Any unauthorized interception of this message or the 
use or disclosure of the information it contains may violate the law and 
subject the violator to civil or criminal penalties. If you believe you have 
received this message in error, please notify the sender and delete the email 
immediately.

-- 
Manage your subscription for the Freeipa-users mailing list:
https://www.redhat.com/mailman/listinfo/freeipa-users
Go To http://freeipa.org for more info on the project


Re: [Freeipa-users] FreeIPA 4.0.0 and CentOS release 6.5

2014-07-24 Thread Chris Whittle
Would CentOS7 work with FreeIPA 4?


On Thu, Jul 24, 2014 at 11:23 AM, Rob Crittenden 
wrote:

> Chris Whittle wrote:
> > Is it possible, I've looked around and most everyone says the
> > dependancies are too much outside of what it has.
>
> Not without building a whole ton of your own packages. And we're not
> talking simple, little packages. These would be significant upgrades for
> which you'd have to manage your own security and bug fixing, forever.
>
> On top of that, it is doubtful it has been tested in a sysV init
> environment. It may work as the previous support is still there, but
> it's a grey area for sure.
>
> > I'm about to implement FreeIPA across the CO and would rather do the big
> > upgrade first and not after.
>
> One of our larger users was in a similar situation a few years ago and
> ended up running Fedora until RHEL caught up and then migrating the
> servers.
>
> Another option is to use IPA 3.3 in RHEL/CentOS 7, depending on what
> features you need.
>
> rob
>
-- 
Manage your subscription for the Freeipa-users mailing list:
https://www.redhat.com/mailman/listinfo/freeipa-users
Go To http://freeipa.org for more info on the project

Re: [Freeipa-users] FreeIPA 4.0.0 and CentOS release 6.5

2014-07-24 Thread Rob Crittenden
Chris Whittle wrote:
> Is it possible, I've looked around and most everyone says the
> dependancies are too much outside of what it has.

Not without building a whole ton of your own packages. And we're not
talking simple, little packages. These would be significant upgrades for
which you'd have to manage your own security and bug fixing, forever.

On top of that, it is doubtful it has been tested in a sysV init
environment. It may work as the previous support is still there, but
it's a grey area for sure.

> I'm about to implement FreeIPA across the CO and would rather do the big
> upgrade first and not after. 

One of our larger users was in a similar situation a few years ago and
ended up running Fedora until RHEL caught up and then migrating the servers.

Another option is to use IPA 3.3 in RHEL/CentOS 7, depending on what
features you need.

rob

-- 
Manage your subscription for the Freeipa-users mailing list:
https://www.redhat.com/mailman/listinfo/freeipa-users
Go To http://freeipa.org for more info on the project


[Freeipa-users] FreeIPA 4.0.0 and CentOS release 6.5

2014-07-24 Thread Chris Whittle
Is it possible, I've looked around and most everyone says the dependancies
are too much outside of what it has.

I'm about to implement FreeIPA across the CO and would rather do the big
upgrade first and not after.
-- 
Manage your subscription for the Freeipa-users mailing list:
https://www.redhat.com/mailman/listinfo/freeipa-users
Go To http://freeipa.org for more info on the project