Re: [Freeipa-users] FreeIPA 4.0.0 and CentOS release 6.5
On 07/24/2014 01:04 PM, Nordgren, Bryce L -FS wrote: One of our larger users was in a similar situation a few years ago and ended up running Fedora until RHEL caught up and then migrating the servers. I'm running it on F20 because it seemed like the dependencies would make running it on CentOS 7 a pile of pain I didn't need. I do think "RHEL catching up" will probably be a 3-4 year proposition (i.e., RHEL 8), so the ability to run FreeIPA 4.0.0 is likely to be a moot point by then. Or are you thinking that it might be part of 7.1? We are indeed working into this direction so expectations that it will be in RHEL in 3-4 years are negatively exaggerated. Bryce This electronic message contains information generated by the USDA solely for the intended recipients. Any unauthorized interception of this message or the use or disclosure of the information it contains may violate the law and subject the violator to civil or criminal penalties. If you believe you have received this message in error, please notify the sender and delete the email immediately. -- Thank you, Dmitri Pal Sr. Engineering Manager IdM portfolio Red Hat, Inc. -- Manage your subscription for the Freeipa-users mailing list: https://www.redhat.com/mailman/listinfo/freeipa-users Go To http://freeipa.org for more info on the project
Re: [Freeipa-users] FreeIPA 4.0.0 and CentOS release 6.5
On 24.7.2014 21:52, Lukas Slebodnik wrote: On (24/07/14 13:57), Rob Crittenden wrote: Petr Spacek wrote: On 24.7.2014 18:26, Chris Whittle wrote: Would CentOS7 work with FreeIPA 4? In theory - it could work. However you will have to build few new packages, including 389 DS, Kerberos libs, Dogtag CA and bind-dyndb-ldap. I'm attaching SPEC file diff from 3.3.3 to 4.0.0 so you can see what new packages it requires. Please let us know if it works for you. Right. In theory building 4.0.0 on RHEL 7 would be orders of magnitude easier than RHEL 6. Sure a lot of packages will need upgrades but nothing on the number in RHEL 6 which represent major package updates. just 6 missing dependenices for RHEL7. http://www.redhat.com/archives/freeipa-users/2014-July/msg00083.html also missing: open-sans-fonts fontawesome-fonts ttembed python-lesscpy python-ply It is very easy to prepare them in COPR and build FreeIPA-4.0 for el7 as well https://copr.fedoraproject.org/coprs/pviktori/freeipa/ LS -- Petr Vobornik -- Manage your subscription for the Freeipa-users mailing list: https://www.redhat.com/mailman/listinfo/freeipa-users Go To http://freeipa.org for more info on the project
Re: [Freeipa-users] FreeIPA 4.0.0 and CentOS release 6.5
On 07/24/2014 07:04 PM, Nordgren, Bryce L -FS wrote: > One of our larger users was in a similar situation a few years ago and > ended up running Fedora until RHEL caught up and then migrating the servers. > > I'm running it on F20 because it seemed like the dependencies would make > running it on CentOS 7 a pile of pain I didn't need. I do think "RHEL > catching up" will probably be a 3-4 year proposition (i.e., RHEL 8), so the > ability to run FreeIPA 4.0.0 is likely to be a moot point by then. Or are you > thinking that it might be part of 7.1? It might, wait and see :-) Alternatively, you as Lukas pointed out below, preparing a (COPR) repo on top of RHEL-7.0 should be much easier than preparing it on top of RHEL-6.x. Martin -- Manage your subscription for the Freeipa-users mailing list: https://www.redhat.com/mailman/listinfo/freeipa-users Go To http://freeipa.org for more info on the project
Re: [Freeipa-users] FreeIPA 4.0.0 and CentOS release 6.5
On (24/07/14 13:57), Rob Crittenden wrote: >Petr Spacek wrote: >> On 24.7.2014 18:26, Chris Whittle wrote: >>> Would CentOS7 work with FreeIPA 4? >> >> In theory - it could work. However you will have to build few new >> packages, including 389 DS, Kerberos libs, Dogtag CA and bind-dyndb-ldap. >> >> I'm attaching SPEC file diff from 3.3.3 to 4.0.0 so you can see what new >> packages it requires. >> >> Please let us know if it works for you. > >Right. In theory building 4.0.0 on RHEL 7 would be orders of magnitude >easier than RHEL 6. Sure a lot of packages will need upgrades but >nothing on the number in RHEL 6 which represent major package updates. > just 6 missing dependenices for RHEL7. http://www.redhat.com/archives/freeipa-users/2014-July/msg00083.html It is very easy to prepare them in COPR and build FreeIPA-4.0 for el7 as well https://copr.fedoraproject.org/coprs/pviktori/freeipa/ LS -- Manage your subscription for the Freeipa-users mailing list: https://www.redhat.com/mailman/listinfo/freeipa-users Go To http://freeipa.org for more info on the project
Re: [Freeipa-users] FreeIPA 4.0.0 and CentOS release 6.5
Petr Spacek wrote: > On 24.7.2014 18:26, Chris Whittle wrote: >> Would CentOS7 work with FreeIPA 4? > > In theory - it could work. However you will have to build few new > packages, including 389 DS, Kerberos libs, Dogtag CA and bind-dyndb-ldap. > > I'm attaching SPEC file diff from 3.3.3 to 4.0.0 so you can see what new > packages it requires. > > Please let us know if it works for you. Right. In theory building 4.0.0 on RHEL 7 would be orders of magnitude easier than RHEL 6. Sure a lot of packages will need upgrades but nothing on the number in RHEL 6 which represent major package updates. rob > > Petr^2 Spacek > >> On Thu, Jul 24, 2014 at 11:23 AM, Rob Crittenden >> wrote: >> >>> Chris Whittle wrote: Is it possible, I've looked around and most everyone says the dependancies are too much outside of what it has. >>> >>> Not without building a whole ton of your own packages. And we're not >>> talking simple, little packages. These would be significant upgrades for >>> which you'd have to manage your own security and bug fixing, forever. >>> >>> On top of that, it is doubtful it has been tested in a sysV init >>> environment. It may work as the previous support is still there, but >>> it's a grey area for sure. >>> I'm about to implement FreeIPA across the CO and would rather do the big upgrade first and not after. >>> >>> One of our larger users was in a similar situation a few years ago and >>> ended up running Fedora until RHEL caught up and then migrating the >>> servers. >>> >>> Another option is to use IPA 3.3 in RHEL/CentOS 7, depending on what >>> features you need. >>> >>> rob > > -- Manage your subscription for the Freeipa-users mailing list: https://www.redhat.com/mailman/listinfo/freeipa-users Go To http://freeipa.org for more info on the project
Re: [Freeipa-users] FreeIPA 4.0.0 and CentOS release 6.5
On 24.7.2014 18:26, Chris Whittle wrote:
Would CentOS7 work with FreeIPA 4?
In theory - it could work. However you will have to build few new packages,
including 389 DS, Kerberos libs, Dogtag CA and bind-dyndb-ldap.
I'm attaching SPEC file diff from 3.3.3 to 4.0.0 so you can see what new
packages it requires.
Please let us know if it works for you.
Petr^2 Spacek
On Thu, Jul 24, 2014 at 11:23 AM, Rob Crittenden
wrote:
Chris Whittle wrote:
Is it possible, I've looked around and most everyone says the
dependancies are too much outside of what it has.
Not without building a whole ton of your own packages. And we're not
talking simple, little packages. These would be significant upgrades for
which you'd have to manage your own security and bug fixing, forever.
On top of that, it is doubtful it has been tested in a sysV init
environment. It may work as the previous support is still there, but
it's a grey area for sure.
I'm about to implement FreeIPA across the CO and would rather do the big
upgrade first and not after.
One of our larger users was in a similar situation a few years ago and
ended up running Fedora until RHEL caught up and then migrating the
servers.
Another option is to use IPA 3.3 in RHEL/CentOS 7, depending on what
features you need.
rob
diff --git a/freeipa.spec.in b/freeipa.spec.in
index a091164..6b1f0a9 100644
--- a/freeipa.spec.in
+++ b/freeipa.spec.in
@@ -4,6 +4,7 @@
%global plugin_dir %{_libdir}/dirsrv/plugins
%global POLICYCOREUTILSVER 2.1.12-5
%global gettext_domain ipa
+%define _hardened_build 1
Name: freeipa
Version:__VERSION__
@@ -17,18 +18,13 @@ Source0:freeipa-%{version}.tar.gz
BuildRoot: %{_tmppath}/%{name}-%{version}-%{release}-root-%(%{__id_u} -n)
%if ! %{ONLY_CLIENT}
-BuildRequires: 389-ds-base-devel >= 1.3.1.3
+BuildRequires: 389-ds-base-devel >= 1.3.2.16
BuildRequires: svrcore-devel
BuildRequires: policycoreutils >= %{POLICYCOREUTILSVER}
BuildRequires: systemd-units
-%if 0%{?fedora} >= 18
BuildRequires: samba-devel >= 2:4.0.5-1
BuildRequires: samba-python
BuildRequires: libwbclient-devel
-%else
-BuildRequires: samba4-devel >= 4.0.0-139
-BuildRequires: samba4-python
-%endif
BuildRequires: libtalloc-devel
BuildRequires: libtevent-devel
%endif # ONLY_CLIENT
@@ -53,7 +49,7 @@ BuildRequires: python-setuptools
BuildRequires: python-krbV
BuildRequires: python-nss
BuildRequires: python-netaddr
-BuildRequires: python-kerberos
+BuildRequires: python-kerberos >= 1.1-14
BuildRequires: python-rhsm
BuildRequires: pyOpenSSL
BuildRequires: pylint
@@ -63,20 +59,19 @@ BuildRequires: python-memcached
BuildRequires: sssd >= 1.9.2
BuildRequires: python-lxml
BuildRequires: python-pyasn1 >= 0.0.9a
+BuildRequires: python-qrcode
BuildRequires: python-dns
BuildRequires: m2crypto
BuildRequires: check
BuildRequires: libsss_idmap-devel
BuildRequires: libsss_nss_idmap-devel
BuildRequires: java-1.7.0-openjdk
+BuildRequires: rhino
BuildRequires: libverto-devel
BuildRequires: systemd
BuildRequires: libunistring-devel
-
-# Find out Kerberos middle version to infer ABI changes in DAL driver
-# We cannot load DAL driver into KDC with wrong ABI.
-# This is also needed to support ipa-devel repository where krb5 1.11 is available for F18
-%global krb5_dal_version %{expand:%(echo "#include "|cpp -dM|grep KRB5_KDB_DAL_MAJOR_VERSION|cut -d' ' -f3)}
+BuildRequires: python-lesscpy
+BuildRequires: python-yubico
%description
IPA is an integrated solution to provide centrally managed Identity (machine,
@@ -91,50 +86,32 @@ Group: System Environment/Base
Requires: %{name}-python = %{version}-%{release}
Requires: %{name}-client = %{version}-%{release}
Requires: %{name}-admintools = %{version}-%{release}
-Requires: 389-ds-base >= 1.3.1.3
+Requires: 389-ds-base >= 1.3.2.19
Requires: openldap-clients > 2.4.35-4
-%if 0%{?fedora} == 18
-Requires: nss >= 3.14.3-2
-Requires: nss-tools >= 3.14.3-2
-%else
Requires: nss >= 3.14.3-12.0
Requires: nss-tools >= 3.14.3-12.0
-%endif
-%if 0%{?krb5_dal_version} >= 4
-Requires: krb5-server >= 1.11.2-1
-%else
-%if 0%{krb5_dal_version} == 3
-# krb5 1.11 bumped DAL interface major version, a rebuild is needed
-Requires: krb5-server < 1.11
-Requires: krb5-server >= 1.10
-%else
-Requires: krb5-server >= 1.10
-%endif
-%endif
+Requires: krb5-server >= 1.11.5-3
Requires: krb5-pkinit-openssl
Requires: cyrus-sasl-gssapi%{?_isa}
Requires: ntp
-Requires: httpd
+Requires: httpd >= 2.4.6-6
Requires: mod_wsgi
-%if 0%{?fedora} >= 18
Requires: mod_auth_kerb >= 5.4-16
-%else
-Requires: mod_auth_kerb >= 5.4-8
-%endif
-Requires: mod_nss >= 1.0.8-24
+Requires: mod_nss >= 1.0.8-26
Requires: python-ldap
Requires: python-krbV
Requires: acl
Requires: python-pyasn1
Requires: memcached
Requires: python-memcached
+Requires: dbus-python
Requires: systemd-units >= 38
Requires(pre): systemd-units
Requires(post): systemd-units
-Requires: selinux-policy >= 3.12.1-65
+Requi
Re: [Freeipa-users] FreeIPA 4.0.0 and CentOS release 6.5
One of our larger users was in a similar situation a few years ago and ended up running Fedora until RHEL caught up and then migrating the servers. I'm running it on F20 because it seemed like the dependencies would make running it on CentOS 7 a pile of pain I didn't need. I do think "RHEL catching up" will probably be a 3-4 year proposition (i.e., RHEL 8), so the ability to run FreeIPA 4.0.0 is likely to be a moot point by then. Or are you thinking that it might be part of 7.1? Bryce This electronic message contains information generated by the USDA solely for the intended recipients. Any unauthorized interception of this message or the use or disclosure of the information it contains may violate the law and subject the violator to civil or criminal penalties. If you believe you have received this message in error, please notify the sender and delete the email immediately. -- Manage your subscription for the Freeipa-users mailing list: https://www.redhat.com/mailman/listinfo/freeipa-users Go To http://freeipa.org for more info on the project
Re: [Freeipa-users] FreeIPA 4.0.0 and CentOS release 6.5
Would CentOS7 work with FreeIPA 4? On Thu, Jul 24, 2014 at 11:23 AM, Rob Crittenden wrote: > Chris Whittle wrote: > > Is it possible, I've looked around and most everyone says the > > dependancies are too much outside of what it has. > > Not without building a whole ton of your own packages. And we're not > talking simple, little packages. These would be significant upgrades for > which you'd have to manage your own security and bug fixing, forever. > > On top of that, it is doubtful it has been tested in a sysV init > environment. It may work as the previous support is still there, but > it's a grey area for sure. > > > I'm about to implement FreeIPA across the CO and would rather do the big > > upgrade first and not after. > > One of our larger users was in a similar situation a few years ago and > ended up running Fedora until RHEL caught up and then migrating the > servers. > > Another option is to use IPA 3.3 in RHEL/CentOS 7, depending on what > features you need. > > rob > -- Manage your subscription for the Freeipa-users mailing list: https://www.redhat.com/mailman/listinfo/freeipa-users Go To http://freeipa.org for more info on the project
Re: [Freeipa-users] FreeIPA 4.0.0 and CentOS release 6.5
Chris Whittle wrote: > Is it possible, I've looked around and most everyone says the > dependancies are too much outside of what it has. Not without building a whole ton of your own packages. And we're not talking simple, little packages. These would be significant upgrades for which you'd have to manage your own security and bug fixing, forever. On top of that, it is doubtful it has been tested in a sysV init environment. It may work as the previous support is still there, but it's a grey area for sure. > I'm about to implement FreeIPA across the CO and would rather do the big > upgrade first and not after. One of our larger users was in a similar situation a few years ago and ended up running Fedora until RHEL caught up and then migrating the servers. Another option is to use IPA 3.3 in RHEL/CentOS 7, depending on what features you need. rob -- Manage your subscription for the Freeipa-users mailing list: https://www.redhat.com/mailman/listinfo/freeipa-users Go To http://freeipa.org for more info on the project
[Freeipa-users] FreeIPA 4.0.0 and CentOS release 6.5
Is it possible, I've looked around and most everyone says the dependancies are too much outside of what it has. I'm about to implement FreeIPA across the CO and would rather do the big upgrade first and not after. -- Manage your subscription for the Freeipa-users mailing list: https://www.redhat.com/mailman/listinfo/freeipa-users Go To http://freeipa.org for more info on the project
