Re: [Freeipa-users] FreeIPA 4.0.0 and CentOS release 6.5
On 07/24/2014 01:04 PM, Nordgren, Bryce L -FS wrote: One of our larger users was in a similar situation a few years ago and ended up running Fedora until RHEL caught up and then migrating the servers. I'm running it on F20 because it seemed like the dependencies would make running it on CentOS 7 a pile of pain I didn't need. I do think "RHEL catching up" will probably be a 3-4 year proposition (i.e., RHEL 8), so the ability to run FreeIPA 4.0.0 is likely to be a moot point by then. Or are you thinking that it might be part of 7.1? We are indeed working into this direction so expectations that it will be in RHEL in 3-4 years are negatively exaggerated. Bryce This electronic message contains information generated by the USDA solely for the intended recipients. Any unauthorized interception of this message or the use or disclosure of the information it contains may violate the law and subject the violator to civil or criminal penalties. If you believe you have received this message in error, please notify the sender and delete the email immediately. -- Thank you, Dmitri Pal Sr. Engineering Manager IdM portfolio Red Hat, Inc. -- Manage your subscription for the Freeipa-users mailing list: https://www.redhat.com/mailman/listinfo/freeipa-users Go To http://freeipa.org for more info on the project
Re: [Freeipa-users] FreeIPA 4.0.0 and CentOS release 6.5
On 24.7.2014 21:52, Lukas Slebodnik wrote: On (24/07/14 13:57), Rob Crittenden wrote: Petr Spacek wrote: On 24.7.2014 18:26, Chris Whittle wrote: Would CentOS7 work with FreeIPA 4? In theory - it could work. However you will have to build few new packages, including 389 DS, Kerberos libs, Dogtag CA and bind-dyndb-ldap. I'm attaching SPEC file diff from 3.3.3 to 4.0.0 so you can see what new packages it requires. Please let us know if it works for you. Right. In theory building 4.0.0 on RHEL 7 would be orders of magnitude easier than RHEL 6. Sure a lot of packages will need upgrades but nothing on the number in RHEL 6 which represent major package updates. just 6 missing dependenices for RHEL7. http://www.redhat.com/archives/freeipa-users/2014-July/msg00083.html also missing: open-sans-fonts fontawesome-fonts ttembed python-lesscpy python-ply It is very easy to prepare them in COPR and build FreeIPA-4.0 for el7 as well https://copr.fedoraproject.org/coprs/pviktori/freeipa/ LS -- Petr Vobornik -- Manage your subscription for the Freeipa-users mailing list: https://www.redhat.com/mailman/listinfo/freeipa-users Go To http://freeipa.org for more info on the project
Re: [Freeipa-users] FreeIPA 4.0.0 and CentOS release 6.5
On 07/24/2014 07:04 PM, Nordgren, Bryce L -FS wrote: > One of our larger users was in a similar situation a few years ago and > ended up running Fedora until RHEL caught up and then migrating the servers. > > I'm running it on F20 because it seemed like the dependencies would make > running it on CentOS 7 a pile of pain I didn't need. I do think "RHEL > catching up" will probably be a 3-4 year proposition (i.e., RHEL 8), so the > ability to run FreeIPA 4.0.0 is likely to be a moot point by then. Or are you > thinking that it might be part of 7.1? It might, wait and see :-) Alternatively, you as Lukas pointed out below, preparing a (COPR) repo on top of RHEL-7.0 should be much easier than preparing it on top of RHEL-6.x. Martin -- Manage your subscription for the Freeipa-users mailing list: https://www.redhat.com/mailman/listinfo/freeipa-users Go To http://freeipa.org for more info on the project
Re: [Freeipa-users] FreeIPA 4.0.0 and CentOS release 6.5
On (24/07/14 13:57), Rob Crittenden wrote: >Petr Spacek wrote: >> On 24.7.2014 18:26, Chris Whittle wrote: >>> Would CentOS7 work with FreeIPA 4? >> >> In theory - it could work. However you will have to build few new >> packages, including 389 DS, Kerberos libs, Dogtag CA and bind-dyndb-ldap. >> >> I'm attaching SPEC file diff from 3.3.3 to 4.0.0 so you can see what new >> packages it requires. >> >> Please let us know if it works for you. > >Right. In theory building 4.0.0 on RHEL 7 would be orders of magnitude >easier than RHEL 6. Sure a lot of packages will need upgrades but >nothing on the number in RHEL 6 which represent major package updates. > just 6 missing dependenices for RHEL7. http://www.redhat.com/archives/freeipa-users/2014-July/msg00083.html It is very easy to prepare them in COPR and build FreeIPA-4.0 for el7 as well https://copr.fedoraproject.org/coprs/pviktori/freeipa/ LS -- Manage your subscription for the Freeipa-users mailing list: https://www.redhat.com/mailman/listinfo/freeipa-users Go To http://freeipa.org for more info on the project
Re: [Freeipa-users] FreeIPA 4.0.0 and CentOS release 6.5
Petr Spacek wrote: > On 24.7.2014 18:26, Chris Whittle wrote: >> Would CentOS7 work with FreeIPA 4? > > In theory - it could work. However you will have to build few new > packages, including 389 DS, Kerberos libs, Dogtag CA and bind-dyndb-ldap. > > I'm attaching SPEC file diff from 3.3.3 to 4.0.0 so you can see what new > packages it requires. > > Please let us know if it works for you. Right. In theory building 4.0.0 on RHEL 7 would be orders of magnitude easier than RHEL 6. Sure a lot of packages will need upgrades but nothing on the number in RHEL 6 which represent major package updates. rob > > Petr^2 Spacek > >> On Thu, Jul 24, 2014 at 11:23 AM, Rob Crittenden >> wrote: >> >>> Chris Whittle wrote: Is it possible, I've looked around and most everyone says the dependancies are too much outside of what it has. >>> >>> Not without building a whole ton of your own packages. And we're not >>> talking simple, little packages. These would be significant upgrades for >>> which you'd have to manage your own security and bug fixing, forever. >>> >>> On top of that, it is doubtful it has been tested in a sysV init >>> environment. It may work as the previous support is still there, but >>> it's a grey area for sure. >>> I'm about to implement FreeIPA across the CO and would rather do the big upgrade first and not after. >>> >>> One of our larger users was in a similar situation a few years ago and >>> ended up running Fedora until RHEL caught up and then migrating the >>> servers. >>> >>> Another option is to use IPA 3.3 in RHEL/CentOS 7, depending on what >>> features you need. >>> >>> rob > > -- Manage your subscription for the Freeipa-users mailing list: https://www.redhat.com/mailman/listinfo/freeipa-users Go To http://freeipa.org for more info on the project
Re: [Freeipa-users] FreeIPA 4.0.0 and CentOS release 6.5
On 24.7.2014 18:26, Chris Whittle wrote: Would CentOS7 work with FreeIPA 4? In theory - it could work. However you will have to build few new packages, including 389 DS, Kerberos libs, Dogtag CA and bind-dyndb-ldap. I'm attaching SPEC file diff from 3.3.3 to 4.0.0 so you can see what new packages it requires. Please let us know if it works for you. Petr^2 Spacek On Thu, Jul 24, 2014 at 11:23 AM, Rob Crittenden wrote: Chris Whittle wrote: Is it possible, I've looked around and most everyone says the dependancies are too much outside of what it has. Not without building a whole ton of your own packages. And we're not talking simple, little packages. These would be significant upgrades for which you'd have to manage your own security and bug fixing, forever. On top of that, it is doubtful it has been tested in a sysV init environment. It may work as the previous support is still there, but it's a grey area for sure. I'm about to implement FreeIPA across the CO and would rather do the big upgrade first and not after. One of our larger users was in a similar situation a few years ago and ended up running Fedora until RHEL caught up and then migrating the servers. Another option is to use IPA 3.3 in RHEL/CentOS 7, depending on what features you need. rob diff --git a/freeipa.spec.in b/freeipa.spec.in index a091164..6b1f0a9 100644 --- a/freeipa.spec.in +++ b/freeipa.spec.in @@ -4,6 +4,7 @@ %global plugin_dir %{_libdir}/dirsrv/plugins %global POLICYCOREUTILSVER 2.1.12-5 %global gettext_domain ipa +%define _hardened_build 1 Name: freeipa Version:__VERSION__ @@ -17,18 +18,13 @@ Source0:freeipa-%{version}.tar.gz BuildRoot: %{_tmppath}/%{name}-%{version}-%{release}-root-%(%{__id_u} -n) %if ! %{ONLY_CLIENT} -BuildRequires: 389-ds-base-devel >= 1.3.1.3 +BuildRequires: 389-ds-base-devel >= 1.3.2.16 BuildRequires: svrcore-devel BuildRequires: policycoreutils >= %{POLICYCOREUTILSVER} BuildRequires: systemd-units -%if 0%{?fedora} >= 18 BuildRequires: samba-devel >= 2:4.0.5-1 BuildRequires: samba-python BuildRequires: libwbclient-devel -%else -BuildRequires: samba4-devel >= 4.0.0-139 -BuildRequires: samba4-python -%endif BuildRequires: libtalloc-devel BuildRequires: libtevent-devel %endif # ONLY_CLIENT @@ -53,7 +49,7 @@ BuildRequires: python-setuptools BuildRequires: python-krbV BuildRequires: python-nss BuildRequires: python-netaddr -BuildRequires: python-kerberos +BuildRequires: python-kerberos >= 1.1-14 BuildRequires: python-rhsm BuildRequires: pyOpenSSL BuildRequires: pylint @@ -63,20 +59,19 @@ BuildRequires: python-memcached BuildRequires: sssd >= 1.9.2 BuildRequires: python-lxml BuildRequires: python-pyasn1 >= 0.0.9a +BuildRequires: python-qrcode BuildRequires: python-dns BuildRequires: m2crypto BuildRequires: check BuildRequires: libsss_idmap-devel BuildRequires: libsss_nss_idmap-devel BuildRequires: java-1.7.0-openjdk +BuildRequires: rhino BuildRequires: libverto-devel BuildRequires: systemd BuildRequires: libunistring-devel - -# Find out Kerberos middle version to infer ABI changes in DAL driver -# We cannot load DAL driver into KDC with wrong ABI. -# This is also needed to support ipa-devel repository where krb5 1.11 is available for F18 -%global krb5_dal_version %{expand:%(echo "#include "|cpp -dM|grep KRB5_KDB_DAL_MAJOR_VERSION|cut -d' ' -f3)} +BuildRequires: python-lesscpy +BuildRequires: python-yubico %description IPA is an integrated solution to provide centrally managed Identity (machine, @@ -91,50 +86,32 @@ Group: System Environment/Base Requires: %{name}-python = %{version}-%{release} Requires: %{name}-client = %{version}-%{release} Requires: %{name}-admintools = %{version}-%{release} -Requires: 389-ds-base >= 1.3.1.3 +Requires: 389-ds-base >= 1.3.2.19 Requires: openldap-clients > 2.4.35-4 -%if 0%{?fedora} == 18 -Requires: nss >= 3.14.3-2 -Requires: nss-tools >= 3.14.3-2 -%else Requires: nss >= 3.14.3-12.0 Requires: nss-tools >= 3.14.3-12.0 -%endif -%if 0%{?krb5_dal_version} >= 4 -Requires: krb5-server >= 1.11.2-1 -%else -%if 0%{krb5_dal_version} == 3 -# krb5 1.11 bumped DAL interface major version, a rebuild is needed -Requires: krb5-server < 1.11 -Requires: krb5-server >= 1.10 -%else -Requires: krb5-server >= 1.10 -%endif -%endif +Requires: krb5-server >= 1.11.5-3 Requires: krb5-pkinit-openssl Requires: cyrus-sasl-gssapi%{?_isa} Requires: ntp -Requires: httpd +Requires: httpd >= 2.4.6-6 Requires: mod_wsgi -%if 0%{?fedora} >= 18 Requires: mod_auth_kerb >= 5.4-16 -%else -Requires: mod_auth_kerb >= 5.4-8 -%endif -Requires: mod_nss >= 1.0.8-24 +Requires: mod_nss >= 1.0.8-26 Requires: python-ldap Requires: python-krbV Requires: acl Requires: python-pyasn1 Requires: memcached Requires: python-memcached +Requires: dbus-python Requires: systemd-units >= 38 Requires(pre): systemd-units Requires(post): systemd-units -Requires: selinux-policy >= 3.12.1-65 +Requi
Re: [Freeipa-users] FreeIPA 4.0.0 and CentOS release 6.5
One of our larger users was in a similar situation a few years ago and ended up running Fedora until RHEL caught up and then migrating the servers. I'm running it on F20 because it seemed like the dependencies would make running it on CentOS 7 a pile of pain I didn't need. I do think "RHEL catching up" will probably be a 3-4 year proposition (i.e., RHEL 8), so the ability to run FreeIPA 4.0.0 is likely to be a moot point by then. Or are you thinking that it might be part of 7.1? Bryce This electronic message contains information generated by the USDA solely for the intended recipients. Any unauthorized interception of this message or the use or disclosure of the information it contains may violate the law and subject the violator to civil or criminal penalties. If you believe you have received this message in error, please notify the sender and delete the email immediately. -- Manage your subscription for the Freeipa-users mailing list: https://www.redhat.com/mailman/listinfo/freeipa-users Go To http://freeipa.org for more info on the project
Re: [Freeipa-users] FreeIPA 4.0.0 and CentOS release 6.5
Would CentOS7 work with FreeIPA 4? On Thu, Jul 24, 2014 at 11:23 AM, Rob Crittenden wrote: > Chris Whittle wrote: > > Is it possible, I've looked around and most everyone says the > > dependancies are too much outside of what it has. > > Not without building a whole ton of your own packages. And we're not > talking simple, little packages. These would be significant upgrades for > which you'd have to manage your own security and bug fixing, forever. > > On top of that, it is doubtful it has been tested in a sysV init > environment. It may work as the previous support is still there, but > it's a grey area for sure. > > > I'm about to implement FreeIPA across the CO and would rather do the big > > upgrade first and not after. > > One of our larger users was in a similar situation a few years ago and > ended up running Fedora until RHEL caught up and then migrating the > servers. > > Another option is to use IPA 3.3 in RHEL/CentOS 7, depending on what > features you need. > > rob > -- Manage your subscription for the Freeipa-users mailing list: https://www.redhat.com/mailman/listinfo/freeipa-users Go To http://freeipa.org for more info on the project
Re: [Freeipa-users] FreeIPA 4.0.0 and CentOS release 6.5
Chris Whittle wrote: > Is it possible, I've looked around and most everyone says the > dependancies are too much outside of what it has. Not without building a whole ton of your own packages. And we're not talking simple, little packages. These would be significant upgrades for which you'd have to manage your own security and bug fixing, forever. On top of that, it is doubtful it has been tested in a sysV init environment. It may work as the previous support is still there, but it's a grey area for sure. > I'm about to implement FreeIPA across the CO and would rather do the big > upgrade first and not after. One of our larger users was in a similar situation a few years ago and ended up running Fedora until RHEL caught up and then migrating the servers. Another option is to use IPA 3.3 in RHEL/CentOS 7, depending on what features you need. rob -- Manage your subscription for the Freeipa-users mailing list: https://www.redhat.com/mailman/listinfo/freeipa-users Go To http://freeipa.org for more info on the project
[Freeipa-users] FreeIPA 4.0.0 and CentOS release 6.5
Is it possible, I've looked around and most everyone says the dependancies are too much outside of what it has. I'm about to implement FreeIPA across the CO and would rather do the big upgrade first and not after. -- Manage your subscription for the Freeipa-users mailing list: https://www.redhat.com/mailman/listinfo/freeipa-users Go To http://freeipa.org for more info on the project