- Update to version 0.8.0+git.0.249ba5f:

* Branch version stable-0.8.x
  * Passwordless auth doesn't provide polling numbers
  * Resolve deadlock introduced by Fido auth
  * Implement NGC Passwordless authentication
  * Remove unused commit checklist
  * deps(rust): update bindgen requirement from 0.70.1 to 0.71.1
  * Update libhimmelblau version
  * Custom domains matching
  * Fix IdmapError to indicate the failure
  * Fix Fedora build dependencies
  * Add Fido MFA
  * Add Debian 12 packaging
  * Disable SELinux labeling on build container volume mounts
  * Update github CI dependencies
  * Implement Hello Pin changes via PAM
  * Formatting fix
  * Utilize HimmelblauConfig directly in pam and nss
  * Add config parsing unit tests
  * Fix incorrect default domain
  * Fix config hsm type Tpm error
  * Include multi-domain important info in himmelblau.conf man
  * Update to the latest libhimmelblau
  * Add DAG flow as a fallback for MFA
  * Fix CVE-2024-11738: rustls network-reachable panic in `Acceptor::accept`
  * Update README.md with build requires
  * Enable module for utf8proc-devel in Rocky8
  * Remove the org.samba.himmelblau dbus service
  * Fix missing dependency utf8proc_NFKC_Casefold
  * The tasks daemon needs /etc/groups write access
  * Revert "Fix Ubuntu PAM fallback to password prompt"
  * Fix Ubuntu PAM fallback to password prompt
  * Increase the cache timeout to 5 minutes
  * Always fetch and cache the graph url
  * Package Siemens Linux Entra SSO for Himmelblau
  * Add Kerberos CCache support
  * Update the tasks daemon man page
  * Add a himmelblau.conf man page, and package the man pages
  * Add SLE15SP6 packaging
  * Add Fedora 41 packaging
  * Add Fedora Rawhide packaging
  * Provide enhancement request template
  * Create an issue template
  * Hello support depends on openssl3
  * Fix sshd rpm depends
  * Resolve RPM dependencies automatically
  * Revert "deps(rust): update notify-debouncer-full requirement from 0.3 to 0.4"
  * Add openSUSE Tumbleweed packaging
  * Fix RPM packaging placement of systemd files
  * Remove the failed attempt at debian packaging
  * Add stable-0.7.x to CI workflows
  * Version 0.8.0

OBS-URL: https://build.opensuse.org/package/show/network:idm/himmelblau?expand=0&rev=48

.gitattributes

@@ -0,0 +1,23 @@
+## Default LFS
+*.7z filter=lfs diff=lfs merge=lfs -text
+*.bsp filter=lfs diff=lfs merge=lfs -text
+*.bz2 filter=lfs diff=lfs merge=lfs -text
+*.gem filter=lfs diff=lfs merge=lfs -text
+*.gz filter=lfs diff=lfs merge=lfs -text
+*.jar filter=lfs diff=lfs merge=lfs -text
+*.lz filter=lfs diff=lfs merge=lfs -text
+*.lzma filter=lfs diff=lfs merge=lfs -text
+*.obscpio filter=lfs diff=lfs merge=lfs -text
+*.oxt filter=lfs diff=lfs merge=lfs -text
+*.pdf filter=lfs diff=lfs merge=lfs -text
+*.png filter=lfs diff=lfs merge=lfs -text
+*.rpm filter=lfs diff=lfs merge=lfs -text
+*.tbz filter=lfs diff=lfs merge=lfs -text
+*.tbz2 filter=lfs diff=lfs merge=lfs -text
+*.tgz filter=lfs diff=lfs merge=lfs -text
+*.ttf filter=lfs diff=lfs merge=lfs -text
+*.txz filter=lfs diff=lfs merge=lfs -text
+*.whl filter=lfs diff=lfs merge=lfs -text
+*.xz filter=lfs diff=lfs merge=lfs -text
+*.zip filter=lfs diff=lfs merge=lfs -text
+*.zst filter=lfs diff=lfs merge=lfs -text

.gitignore

@@ -0,0 +1 @@
+.osc

_service

@@ -0,0 +1,31 @@
+<services>
+	<service name="tar_scm" mode="disabled">
+		<param name="url">https://github.com/himmelblau-idm/himmelblau.git</param>
+		<param name="scm">git</param>
+		<param name="revision">stable-0.8.x</param>
+		<param name="versionformat">@PARENT_TAG@+git.@TAG_OFFSET@.%h</param>
+		<param name="versionrewrite-pattern">himmelblau-(.*)</param>
+		<param name="versionrewrite-replacement">\1</param>
+		<param name="filename">himmelblau</param>
+		<param name="exclude">.git</param>
+		<param name="exclude">src/kanidm/Cargo.*</param>
+		<param name="changesgenerate">enable</param>
+	</service>
+	<service name="set_version" mode="disabled">
+		<param name="basename">himmelblau</param>
+		<param name="regex">^himmelblau-([^/]+)</param>
+		<param name="file">himmelblau.spec</param>
+	</service>
+	<service name="recompress" mode="disabled">
+		<param name="file">*.tar</param>
+		<param name="compression">bz2</param>
+	</service>
+	<service name="cargo_vendor" mode="disabled">
+		<param name="srcdir">himmelblau</param>
+		<param name="update">true</param>
+	</service>
+	<service name="cargo_audit" mode="disabled">
+		<param name="srcdir">himmelblau</param>
+                <param name="lockfile">Cargo.lock</param>
+	</service>
+</services>

_servicedata

@@ -0,0 +1,6 @@
+<servicedata>
+<service name="tar_scm">
+                <param name="url">https://github.com/openSUSE/himmelblau.git</param>
+              <param name="changesrevision">6d2f6450ff3c0c945a884d4b35307e03a035a581</param></service><service name="tar_scm">
+                <param name="url">https://github.com/himmelblau-idm/himmelblau.git</param>
+              <param name="changesrevision">249ba5f5dcd7c9443d9a7448e0130e03ec5907ae</param></service></servicedata>

cargo_config

@@ -0,0 +1,5 @@
+[source.crates-io]
+replace-with = "vendored-sources"
+
+[source.vendored-sources]
+directory = "vendor"

himmelblau-0.4.1+git.0.41dd0dc.tar.bz2

@@ -0,0 +1,3 @@
+version https://git-lfs.github.com/spec/v1
+oid sha256:dcde73d510f65d5dc329d52d1e2aad3236a30b8831f1043d96aca04686159d5e
+size 17684282

himmelblau-0.4.3+git.2.6379abc.tar.bz2

@@ -0,0 +1,3 @@
+version https://git-lfs.github.com/spec/v1
+oid sha256:fb29e33def9c3d5a83f5cb6484d5d886b79c0e8f0ea827586a101c28521001c1
+size 17684265

himmelblau-0.5.0+git.0.22f84f0.tar.bz2

@@ -0,0 +1,3 @@
+version https://git-lfs.github.com/spec/v1
+oid sha256:16915f657ac0c69070d9ee24076ed03464b74c16a12c786eec8fb8f3b4e0dcfb
+size 19316045

himmelblau-0.6.0+git.0.b8dae18.tar.bz2

@@ -0,0 +1,3 @@
+version https://git-lfs.github.com/spec/v1
+oid sha256:b10796819e6378f44e69ecdda0414460d47beda8dfc48572aa6534e6e3ae43ac
+size 6551922

himmelblau-0.6.14+git.0.bbda0b6.tar.bz2

@@ -0,0 +1,3 @@
+version https://git-lfs.github.com/spec/v1
+oid sha256:c63fab4c28e38014c5f9378da0e71076294a9357f5f35177b75c1a94cb1af933
+size 6552319

himmelblau-0.7.13+git.0.d790d31.tar.bz2

@@ -0,0 +1,3 @@
+version https://git-lfs.github.com/spec/v1
+oid sha256:281fc285e2d6b0208ded9794d6470d8802e94853c23c96ed353cb55ab07f0b07
+size 2023784

himmelblau-0.7.5+git.0.8f421b0.tar.bz2

@@ -0,0 +1,3 @@
+version https://git-lfs.github.com/spec/v1
+oid sha256:88d6c5b86be18ae64b520dde1be0dfdc0015905e4d4fc4295a06fc548088f19c
+size 2015723

himmelblau-0.7.7+git.0.b48d0bb.tar.bz2

@@ -0,0 +1,3 @@
+version https://git-lfs.github.com/spec/v1
+oid sha256:0f1513ae4a551bef1266719826d5a3f07b47c71238fe3b873a492b8607e9576e
+size 2015807

himmelblau-0.7.9+git.0.93655d2.tar.bz2

@@ -0,0 +1,3 @@
+version https://git-lfs.github.com/spec/v1
+oid sha256:38e5ec0bdec69e44e09959034c97eb643c4a54df3042b093be94c1d50f6df329
+size 2018082

himmelblau.changes

@@ -0,0 +1,747 @@
+-------------------------------------------------------------------
+Thu Dec 19 22:26:54 UTC 2024 - david.mulder@suse.com
+
+- Update to version 0.8.0+git.0.249ba5f:
+  * Branch version stable-0.8.x
+  * Passwordless auth doesn't provide polling numbers
+  * Resolve deadlock introduced by Fido auth
+  * Implement NGC Passwordless authentication
+  * Remove unused commit checklist
+  * deps(rust): update bindgen requirement from 0.70.1 to 0.71.1
+  * Update libhimmelblau version
+  * Custom domains matching
+  * Fix IdmapError to indicate the failure
+  * Fix Fedora build dependencies
+  * Add Fido MFA
+  * Add Debian 12 packaging
+  * Disable SELinux labeling on build container volume mounts
+  * Update github CI dependencies
+  * Implement Hello Pin changes via PAM
+  * Formatting fix
+  * Utilize HimmelblauConfig directly in pam and nss
+  * Add config parsing unit tests
+  * Fix incorrect default domain
+  * Fix config hsm type Tpm error
+  * Include multi-domain important info in himmelblau.conf man
+  * Update to the latest libhimmelblau
+  * Add DAG flow as a fallback for MFA
+  * Fix CVE-2024-11738: rustls network-reachable panic in `Acceptor::accept`
+  * Update README.md with build requires
+  * Enable module for utf8proc-devel in Rocky8
+  * Remove the org.samba.himmelblau dbus service
+  * Fix missing dependency utf8proc_NFKC_Casefold
+  * The tasks daemon needs /etc/groups write access
+  * Revert "Fix Ubuntu PAM fallback to password prompt"
+  * Fix Ubuntu PAM fallback to password prompt
+  * Increase the cache timeout to 5 minutes
+  * Always fetch and cache the graph url
+  * Package Siemens Linux Entra SSO for Himmelblau
+  * Add Kerberos CCache support
+  * Update the tasks daemon man page
+  * Add a himmelblau.conf man page, and package the man pages
+  * Add SLE15SP6 packaging
+  * Add Fedora 41 packaging
+  * Add Fedora Rawhide packaging
+  * Provide enhancement request template
+  * Create an issue template
+  * Hello support depends on openssl3
+  * Fix sshd rpm depends
+  * Resolve RPM dependencies automatically
+  * Revert "deps(rust): update notify-debouncer-full requirement from 0.3 to 0.4"
+  * Add openSUSE Tumbleweed packaging
+  * Fix RPM packaging placement of systemd files
+  * Remove the failed attempt at debian packaging
+  * Add stable-0.7.x to CI workflows
+  * Version 0.8.0
+
+-------------------------------------------------------------------
+Thu Dec 12 15:14:46 UTC 2024 - david.mulder@suse.com
+
+- Update to version 0.7.13+git.0.d790d31:
+  * Version 0.7.13
+  * Fix Fedora build dependencies
+  * Version 0.7.12
+  * Add Debian 12 packaging
+  * Update github CI dependencies
+  * Version 0.7.11
+  * Implement Hello Pin changes via PAM
+  * Utilize HimmelblauConfig directly in pam and nss
+  * Version 0.7.10
+  * Add config parsing unit tests
+  * Fix incorrect default domain
+  * Fix config hsm type Tpm error
+  * Include multi-domain important info in himmelblau.conf man
+
+-------------------------------------------------------------------
+Thu Dec 05 14:18:37 UTC 2024 - david.mulder@suse.com
+
+- Update to version 0.7.9+git.0.93655d2:
+  * Version 0.7.9
+  * Update to the latest libhimmelblau
+  * Version 0.7.8
+  * Add a himmelblau.conf man page, and package the man pages
+  * Add DAG flow as a fallback for MFA
+
+-------------------------------------------------------------------
+Mon Dec 02 16:43:42 UTC 2024 - david.mulder@suse.com
+
+- Update to version 0.7.7+git.0.b48d0bb:
+  * Version 0.7.7
+  * Fix CVE-2024-11738: rustls network-reachable panic in `Acceptor::accept`
+    (bsc#1233949).
+  * Version 0.7.6
+  * Enable module for utf8proc-devel in Rocky8
+
+-------------------------------------------------------------------
+Mon Nov 25 19:55:22 UTC 2024 - david.mulder@suse.com
+
+- Update to version 0.7.5+git.0.8f421b0:
+  * Version 0.7.5
+  * Remove the org.samba.himmelblau dbus service
+
+-------------------------------------------------------------------
+Mon Nov 25 17:26:11 UTC 2024 - david.mulder@suse.com
+
+- Update to version 0.7.4+git.0.d1291c6:
+  * Version 0.7.4
+  * Fix missing dependency utf8proc_NFKC_Casefold
+  * Package Siemens Linux Entra SSO for Himmelblau
+  * Add SLE15SP6 packaging
+  * Add Fedora 41 packaging
+  * Add Fedora Rawhide packaging
+  * The tasks daemon needs /etc/groups write access
+  * Version 0.7.3
+  * Increase the cache timeout to 5 minutes
+  * Always fetch and cache the graph url
+
+-------------------------------------------------------------------
+Mon Nov 25 14:45:36 UTC 2024 - david.mulder@suse.com
+
+- Update to version 0.7.2+git.0.c76ac0e:
+  * Version 0.7.2
+  * Hello support depends on openssl3
+  * Version 0.7.1
+  * Fix sshd rpm depends
+  * Resolve RPM dependencies automatically
+  * Revert "deps(rust): update notify-debouncer-full requirement from 0.3 to 0.4"
+  * Add openSUSE Tumbleweed packaging
+  * Fix RPM packaging placement of systemd files
+  * Remove the failed attempt at debian packaging
+  * Add stable-0.7.x to CI workflows
+  * deps(rust): update utoipa requirement from 4.0.0 to 4.2.0
+  * deps(rust): update hashbrown requirement from 0.14.0 to 0.15.1
+  * Remove missing feature causing warnings
+  * deps(rust): update notify-debouncer-full requirement from 0.3 to 0.4
+  * Specify scopes when making an SSO request
+  * Implement logon script for ensuring compliance
+  * Option for adding Entra Id users to local groups
+  * Configure EL sshd with ChallengeResponseAuthentication yes
+  * Add rocky 8 packaging
+  * Add RPM packaging for EL9
+  * Modify Ubuntu defaults to fix snaps
+  * Resolve Libreoffice fails to start on Ubuntu
+  * Minor formatting fix
+  * Revert RwLock -> Arc<Mutex> change in idmap
+  * Ignore broker scopes requests for now
+  * Ensure every file specifies the proper license
+  * postinst should not fail on patch or apparmor update
+  * Install pam module to additional location via make
+  * Add sshd config to the Makefile
+  * Don't use sudo in postinst/postrm scripts for deb
+  * PAM should be placed first in the stack
+  * Add the libutf8proc-dev dep for deb
+  * Match the object ID of the fake user and group
+  * Make it possible to stop the broker service
+  * Move sshd config into it's own debian package
+  * Allow the graph to start w/out network
+  * Add hello_pin_min_length conf option
+  * Don't attempt SFA fallback if AADSTSError
+  * Have libhimmelblau handle the DAG fallback
+  * Add a warning to user that SSH needs restarted
+  * Ensure local users are ignored when CN mapping
+  * Ensure DAG is rejected if lifetime expires
+  * Rework the poll logic to resolve timeout issues
+  * Add a sshd soft depends for the deb package
+  * CN name mapping in PAM and NSS
+  * Make CN an optional home directory attribute
+  * Remove the sssd build dependencies
+  * Configuration patches for himmelblau on Debian
+  * Simplify PAM get_item_string calls
+  * Bug in pam which needs defended against
+  * Fix deb build by adding Broker service file
+  * WIP: Install Ubuntu unix-chkpwd apparmor deps
+  * Ensure make install places pam_himmelblau correctly
+  * Add Ubuntu pam-config for pam_himmelblau
+  * Never return Err(PAM_SUCCESS) from get_user
+  * Never return the Pam result from get_user()
+  * Revert "Speed up nss requests w/out auth attempt"
+  * Speed up nss requests w/out auth attempt
+  * Fix some broker responses
+  * Fixes for the dbus broker
+  * Attempt to fix the cargo version in launchpad build
+  * Makefile typo fixes
+  * Version 0.7.0
+  * Add libdbus-1-dev dep
+  * Improve the README installation instructions
+  * Add `make install` command
+  * Improve Debian/Ubuntu install instructions
+  * Fix tag push permissions for tag-version workflow
+  * Add a version check script
+  * Remove the rustc dependency, breaking rustup
+  * Add a debug option to the config
+  * DBus requires that the service file match the name
+  * Add a pam option for the OpenSSH 2876 workaround
+  * Update to the latest libhimmelblau
+
+-------------------------------------------------------------------
+Tue Oct 22 16:22:21 UTC 2024 - david.mulder@suse.com
+
+- Update to version 0.6.14+git.0.bbda0b6:
+  * Version 0.6.14
+  * postinst should not fail on patch or apparmor update
+  * Version 0.6.13
+  * Don't use sudo in postinst/postrm scripts for deb
+  * Version 0.6.12
+  * PAM should be placed first in the stack
+  * Match the object ID of the fake user and group
+  * Version 0.6.11
+  * Move sshd config into it's own debian package
+  * Version 0.6.10
+  * Allow the graph to start w/out network
+  * Add hello_pin_min_length conf option
+  * Version 0.6.9
+  * Don't attempt SFA fallback if AADSTSError
+  * Have libhimmelblau handle the DAG fallback
+  * Add a warning to user that SSH needs restarted
+  * Version 0.6.8
+  * Ensure local users are ignored when CN mapping
+  * Ensure DAG is rejected if lifetime expires
+  * Version 0.6.7
+  * Rework the poll logic to resolve timeout issues
+  * Version 0.6.6
+  * Add a sshd soft depends for the deb package
+  * CN name mapping in PAM and NSS
+  * Version 0.6.5
+  * Make CN an optional home directory attribute
+  * Version 0.6.4
+  * Add Ubuntu pam-config for pam_himmelblau
+  * Configuration patches for himmelblau on Debian
+  * Version 0.6.3
+  * Bug in pam which needs defended against
+  * Version 0.6.2
+  * Never return the Pam result from get_user()
+  * Correct installation directory of the deb pam module
+  * Makefile typo fixes
+  * Add libdbus-1-dev dep
+  * Version 0.6.1
+  * Debian build requires libdbus-1-dev
+
+-------------------------------------------------------------------
+Wed Oct 02 20:29:43 UTC 2024 - david.mulder@suse.com
+
+- Update to version 0.6.0+git.0.b8dae18:
+  * Attempt to fix the cargo version in launchpad build
+  * Add branch stable-0.6.x to the workflows
+  * Install the pam module to the proper location
+  * Update README.md
+  * Add a debug option to the config
+  * Add a pam option for the OpenSSH 2876 workaround
+  * Update to the latest libhimmelblau
+  * Authorize all users when pam_allow_groups is empty
+  * Fix clippy warnings
+  * Fix pam echo not displayed via ssh
+  * Fix pam failure to register Pin following mfa poll
+  * Fork from kanidm
+  * Version 0.6.0
+  * Add cargo deb build
+  * Version 0.5.3
+  * Improve the README installation instructions
+  * Add `make install` command
+  * Improve Debian/Ubuntu install instructions
+  * Fix tag push permissions for tag-version workflow
+  * Version 0.5.2
+  * Add a version check script
+  * Version 0.5.1
+  * Remove the rustc dependency, breaking rustup
+  * Added Debian packaging workflow and files
+
+-------------------------------------------------------------------
+Thu Sep 12 00:22:33 UTC 2024 - William Brown <william.brown@suse.com>
+
+- explicitly depend on cargo to pull in latest compiler revision
+
+-------------------------------------------------------------------
+Wed Sep 04 14:16:35 UTC 2024 - david.mulder@suse.com
+
+- Update to version 0.5.0+git.0.22f84f0:
+  * Update workflows for 0.5.x
+  * Update Debian dependencies in README.md
+  * Compilation fails on Ubuntu, missing ldb header
+  * Fix base32 with kandim updates
+  * deps(rust): update base32 requirement from ^0.4.0 to ^0.5.0
+  * deps(rust): update scim_proto requirement from ^0.2.1 to ^1.3.2
+  * deps(rust): update bindgen requirement from 0.69.4 to 0.70.1
+  * Fix CI failures caused by cargo 1.80.1
+  * Update to libhimmelblau version 0.2.9
+  * deps(rust): update rusqlite requirement from ^0.31.0 to ^0.32.0
+  * deps(rust): update tonic requirement from 0.11.0 to 0.12.0
+  * update libnss requirement from 0.7.0 to 0.8.0
+  * Switch to using libhimmelblau
+  * himmelblaud stops working after suspend
+  * Update required packages for tumbleweed
+  * Disable the SFA fallback by default
+  * Fix ConsolidatedTelephony MFA method
+  * Use the group ID for the name if no display name
+  * Use latest msal with MFA fixes
+  * PhoneAppNotification is not a cred request algorithm
+  * The polling_interval is in milliseconds, not seconds
+  * OneWaySMS is additionally a valid OTP
+  * Relicensing as GPL3, as SSSD source inclusion requires
+  * Utilize the graph code in msal
+  * config: Remove comments about experimental policy enforement
+  * Remove the experimental policy code from the id provider
+  * Fix a refresh token leak in debug from msal
+  * Correct README details
+  * Always normalize idmap upn inputs
+  * Add video links to the README
+  * Minor updates to the Contributing section
+  * Add a Installation section to the README
+  * Add the new SSSD idmap build deps to the README
+  * Add a section about donations
+  * Include the Samba Technical matrix channel
+  * Add github workflows for the 0.4.x branch
+  * Version 0.5.0 bump for main
+
+-------------------------------------------------------------------
+Mon Jul 15 15:07:32 UTC 2024 - david.mulder@suse.com
+
+- Update to version 0.4.3+git.2.6379abc:
+  * Specifically use msal 0.2.6
+  * Version 0.4.3
+  * update libnss requirement from 0.7.0 to 0.8.0
+  * himmelblaud stops working after suspend
+  * Version 0.4.2
+  * Fix ConsolidatedTelephony MFA method
+
+-------------------------------------------------------------------
+Wed May 29 19:35:33 UTC 2024 - david.mulder@suse.com
+
+- Update to version 0.4.1+git.0.41dd0dc:
+  * Version 0.4.1
+  * Use latest msal with MFA fixes
+  * PhoneAppNotification is not a cred request algorithm
+  * The polling_interval is in milliseconds, not seconds
+  * OneWaySMS is additionally a valid OTP
+  * Relicensing as GPL3, as SSSD source inclusion requires
+
+-------------------------------------------------------------------
+Wed May 22 22:10:10 UTC 2024 - david.mulder@suse.com
+
+- Update to version 0.4.0+git.4.63e3704:
+  * Fix a refresh token leak in debug from msal
+
+-------------------------------------------------------------------
+Wed May 22 14:28:10 UTC 2024 - david.mulder@suse.com
+
+- Update to version 0.4.0+git.2.7b57f5e:
+  * Always normalize idmap upn inputs
+
+-------------------------------------------------------------------
+Mon May 20 19:23:30 UTC 2024 - david.mulder@suse.com
+
+- Update to version 0.4.0+git.0.69b64fe:
+  * Add github workflows for the 0.4.x branch
+  * Do not append to pam_allow_groups automatically
+  * Pam Allow Groups must be specified by Object ID
+  * Request the correct resource and permissions
+  * Improve error output on group lookup failure
+  * When faking a uuid for NSS, use a random uuid
+  * Fix clippy warning about inefficient use of clone()
+  * Remove the initial uid hack, use name mapping
+  * Don't stop an MR based on a clippy warning
+  * Update Kanidm tracking
+  * Modify CI workflows to handle idmap build
+  * Add CI job for cargo test
+  * Test the new and legacy idmapping
+  * Ensure duplicate providers are not started
+  * Use the SSSD Idmap code in Himmelblau
+  * Specify in conf that pam_allow_groups is required
+  * Remove code duplication in Hello PIN auth
+  * Fix Device authentication failed after enrollment
+  * Update the base64urlsafedata version
+  * Update README.md with Matrix contact info
+  * Version 0.4.0
+
+-------------------------------------------------------------------
+Wed May 15 15:19:43 UTC 2024 - david.mulder@suse.com
+
+- Update to version 0.3.4+git.0.01d099f:
+  * Version 0.3.4
+  * Only remove cached user if it doesn't exist
+  * Use existing user token at refresh
+  * Always use the spn of the user for nss requests
+  * Generate a fake user token to please SSH
+  * Fix aad-tool to handle MFA
+  * Fix lib_crypto version
+  * Fix user dropping from NSS
+
+-------------------------------------------------------------------
+Fri May 10 18:59:23 UTC 2024 - david.mulder@suse.com
+
+- Himmelblau requires libopenssl-3 for PRT messages.
+
+-------------------------------------------------------------------
+Thu May 09 19:34:59 UTC 2024 - david.mulder@suse.com
+
+- Update to version 0.3.3+git.0.c2197d7:
+  * Correct the debug messages for Hello skip
+  * Version 0.3.3
+  * Allow disabling Hello PIN auth for enrolled users
+  * Add an option for disabling Windows Hello
+  * Remove the TODO doc from stable branch
+  * config: Remove comments about experimental policy enforement
+
+-------------------------------------------------------------------
+Tue May 07 18:19:29 UTC 2024 - david.mulder@suse.com
+
+- Update to version 0.3.2+git.0.de9f5b5:
+  * Version 0.3.2
+  * Fix Hello PIN Authentication error, no nonce
+
+-------------------------------------------------------------------
+Mon Apr 29 19:43:17 UTC 2024 - david.mulder@suse.com
+
+- Update to version 0.3.1+git.0.359a8d0:
+  * Add github workflows for the 0.3.x branch
+  * Fallback to SFA first if MFA fails Browse files
+  * deps(rust): update libnss requirement from 0.6.0 to 0.7.0
+  * deps(rust): update webauthn-rs-proto requirement from 0.4.8 to 0.5.0
+  * Fix deadlock caused by client write lock
+  * Add rid idmapping (replacing existing idmap)
+  * Additional debug for Hello auth
+  * Make proto Cargo.toml a physical file
+  * Push the clippy arg count limit a little higher
+  * Version 0.3.0
+  * Windows Hello PIN implementation
+  * deps(rust): update hostname requirement from ^0.3.1 to ^0.4.0
+  * Enable actions on stable branches
+  * Prevent dependabot from updating opentelemetry
+  * Revert "deps(rust): update opentelemetry requirement from 0.20.0 to 0.22.0 (#93)"
+  * deps(rust): update reqwest requirement from ^0.11.18 to ^0.12.2 (#95)
+  * deps(rust): update lru requirement from ^0.8.0 to ^0.12.3 (#94)
+  * deps(rust): update opentelemetry requirement from 0.20.0 to 0.22.0 (#93)
+  * deps(rust): update num_enum requirement from ^0.5.11 to ^0.7.2 (#92)
+  * deps(rust): update tonic requirement from 0.10.2 to 0.11.0 (#91)
+  * Use the Kanidm MFA patches
+  * deps(rust): update libnss requirement from 0.5.0 to 0.6.0 (#90)
+  * deps(rust): update tracing-opentelemetry requirement (#89)
+  * deps(rust): update rusqlite requirement from ^0.28.0 to ^0.31.0 (#88)
+  * deps(rust): update clap requirement from ^3.2 to ^4.5 (#87)
+  * deps(rust): update kanidm-hsm-crypto requirement from ^0.1.6 to ^0.2.0 (#86)
+  * Update dependabot.yml
+  * Add missing db dependency on sketching
+  * Set the workspace resolver version to 2
+  * Init the kanidm submodule during workflows
+  * Ignore clippy blocks_in_conditions warning in daemon
+  * Add build/clippy/dependabot_automerge workflows
+  * deps(rust): update opentelemetry-otlp requirement from 0.13.0 to 0.15.0
+  * deps(rust): update opentelemetry_sdk requirement from 0.20.0 to 0.22.1
+  * deps(rust): update base64 requirement from ^0.21.5 to ^0.22.0
+  * deps(rust): update notify-debouncer-full requirement from 0.1 to 0.3
+  * deps(rust): update systemd-journal-logger requirement
+  * Create dependabot.yml
+  * Add MFA capabilities
+  * Update to the latest Kanidm reqs
+  * Always force MFA when enrolling the device
+  * Update to latest msal
+
+-------------------------------------------------------------------
+Thu Feb 29 20:14:08 UTC 2024 - dmulder@suse.com
+
+- Himmelblau provides the features found in aad-auth packages from
+  other distros.
+
+-------------------------------------------------------------------
+Tue Feb 20 21:07:56 UTC 2024 - dmulder@suse.com
+
+- Update to version 0.2.0+git.4.904b915:
+  * Update to latest msal
+  * Version 0.2.0
+  * Himmelblau now authenticates only to configured domains
+  * Remove reference to python-msal dep in README
+  * Use the external MSAL crate for auth
+  * Rename msal in prep for external msal crate
+  * msal: Remove python msal bindings
+  * msal: Rust msal
+  * Point Cargo.toml to new project home
+  * config: Write domain join to server specific config
+  * idprovider: Invalidate cached user if PRT req fails
+  * idprovider: Pass the keystore to the auth function
+  * Update daemon from kanidm
+  * test: Add a pause to ensure tasks daemon sees himmelblau
+  * Update kanidm submodule
+  * config: Include domain sections in configured domains
+  * msal: Add acquire_token_by_refresh_token
+  * enrollment: Authentication fixes
+  * tests: Create the hsm-pin directory
+  * idprovider: Add domain join debug
+  * cargo: Use relative paths and remove most symlinks
+  * idprovider: Allow group search when device is authenticated
+  * msal: Move the application reqs from misc to msal::application
+  * msal: Move user reqs from misc to msal::user
+  * Remove duplicates from allow_groups during enrollment
+  * Remove device enrollment from TODO
+  * Implement Device enrollment
+  * enrollment: Add the nonce service request
+  * enrollment: Add enrollment service discovery
+  * Implement ConfidentialClientApplication for enrollment
+  * daemon: Fix inverted logic on cache dir check
+  * nss: Use upstream nss package
+  * idprovider: Provider auth needs to point to just the host
+  * config: Consistently use the config file provided to the daemon
+  * cargo: Use relative paths and remove most symlinks
+  * clippy: Add kanidm's clippy config
+  * config: Only check for tenant_id, authority, graph if necessary
+  * Update README.md
+  * Update version to 0.1.2
+  * config: Fix typos in the config file
+  * Make most params to acquire_token_interactive optional
+  * Config can take defaults
+  * cli: Add missing cli opt file
+  * cli: Improve aad-tool options and interface
+  * Update README.md
+  * tests: Fix tasks daemon name typo
+  * Remove MFA from TODO
+
+-------------------------------------------------------------------
+Fri Dec 22 18:07:18 UTC 2023 - dmulder@suse.com
+
+- Update to version 0.1.1+git.10.4aa76b7:
+  * daemon: Fix inverted logic on cache dir check
+  * nss: Use upstream nss package
+  * idprovider: Provider auth needs to point to just the host
+  * config: Consistently use the config file provided to the daemon
+  * cargo: Use relative paths and remove most symlinks
+  * clippy: Add kanidm's clippy config
+  * config: Only check for tenant_id, authority, graph if necessary
+  * Correct the cargo version
+
+-------------------------------------------------------------------
+Mon Nov 13 19:12:05 UTC 2023 - dmulder@suse.com
+
+- Update to version 0.1.1+git.0.6d2f645:
+  * config: Remove comments about experimental policy enforement
+  * config: Fix typos in the config file
+
+-------------------------------------------------------------------
+Tue Sep 26 13:22:40 UTC 2023 - Jan Engelhardt <jengelh@inai.de>
+
+- Reduce size of expanded scriptlets by reducing %service_* calls
+- Wrap descriptions
+
+-------------------------------------------------------------------
+Thu Sep 14 17:16:34 UTC 2023 - david.mulder@suse.com
+
+- Update to version 0.1.0+git.2.2391ac0:
+  * Update version to 0.1.0
+  * Update the README
+  * idprovider: Fix mixed case auth failure
+  * daemon: Port daemon changes from kanidm
+  * provider: Skip provider init on silent auth and offline
+  * daemon: Run himmelblaud as non-root dynamic user
+
+-------------------------------------------------------------------
+Tue Sep 12 21:12:46 UTC 2023 - david.mulder@suse.com
+
+- Update to version 0.0.4+git.50.112df77:
+  * Always match DAG where present
+  * Prohibit authentication with changing IDs
+
+-------------------------------------------------------------------
+Fri Sep 08 14:16:20 UTC 2023 - david.mulder@suse.com
+
+- Update to version 0.0.4+git.42.d641c8b:
+  * Run cargo fmt and cargo clippy
+  * Implement DeviceAuthorizationGrant for MFA
+  * test: Initialize the pam_allow_groups with users
+  * Use new pam state machine in himmelblau
+  * Remove the non-functional device enrollment
+  * TODO: New details regarding MS auth cache
+  * daemon: Implement pam allow groups
+  * Code rearrangement
+
+-------------------------------------------------------------------
+Thu Aug 10 14:55:54 UTC 2023 - dmulder@suse.com
+
+- Update to version 0.0.4+git.30.26c26e7:
+  * aad-tool: Disable enrollment by default
+  * provider: Fetch GECOS from old token on silent acquire
+  * msal: Add bindings for device auth flow
+  * Add debug for local user ignore
+  * provider: Only retry auth if we're sure group read was requested
+  * provider: Provide user token refresh
+  * provider: Cause unix_group_get to respond with BadRequest
+  * provider: Implement provider_authenticate
+
+-------------------------------------------------------------------
+Tue Aug 08 19:29:40 UTC 2023 - dmulder@suse.com
+
+- Update to version 0.0.4+git.9.a7c5ac2:
+  * osc breaks with workspace errors using symlinks
+  * gp: Disable MDM policies by default
+
+-------------------------------------------------------------------
+Mon Aug 07 20:31:52 UTC 2023 - dmulder@suse.com
+
+- Update to version 0.0.4+git.3.b500f1f:
+  * Update serde version
+  * Update version to 0.0.4
+  * Only build necessary bits of kanidm proto
+  * Add cache operations to daemon and aad-tool
+  * tests: Include local cache of rust deps
+  * cache: Use the kanidm cache backend
+
+-------------------------------------------------------------------
+Mon Jul 31 21:16:59 UTC 2023 - dmulder@suse.com
+
+- Update to version 0.0.3+git.10.761b4d2:
+  * gp: Apply chromium policies
+  * gp: Implement Group Policy object listing
+  * test: Fix build test failure
+  * tests: Return the correct error code from tests
+  * test: Separate project build from docker build
+  * tests: Deploy config when testing
+
+-------------------------------------------------------------------
+Tue Jul 18 18:54:07 UTC 2023 - dmulder@suse.com
+
+- Update to version 0.0.3+git.3.f0883b1:
+  * nss: Fix misaligned pointer dereference errors
+  * Fix code links
+
+-------------------------------------------------------------------
+Mon Jul 17 19:43:26 UTC 2023 - dmulder@suse.com
+
+- Update to version 0.0.3+git.1.e6847eb:
+  * Revert "nss: Use kanidm nss code"
+  * Update lib versions to match package version
+  * Shallow clone kanidm for pam/nss
+  * tests: Fix tar recursion
+
+-------------------------------------------------------------------
+Fri Jul 14 17:23:46 UTC 2023 - dmulder@suse.com
+
+- Update to version 0.0.2+git.22.1c3ce4b:
+  * Remove symlinks and just point to kanidm sources
+  * nss: Use kanidm nss code
+  * Add submodule commands to main Makefile
+  * pam: Use kanidm pam code, glue into himmelblau
+  * TODO: Only auth to configured domains
+
+-------------------------------------------------------------------
+Mon Jul 10 21:19:19 UTC 2023 - dmulder@suse.com
+
+- Update to version 0.0.2+git.15.d42b114:
+  * aad-tool: Enroll via the daemon
+  * config: Add func for requesting configured socket path
+  * aad-tool: Improve enroll options
+
+-------------------------------------------------------------------
+Mon Jul 10 19:23:50 UTC 2023 - dmulder@suse.com
+
+- Update to version 0.0.2+git.11.91df240:
+  * daemon: Add a systemd service
+  * daemon: Don't request group read scope if using Intune
+  * TODO: Mention the work needed for the cache
+  * README: Include homedir creation instructions
+  * daemon: If auth fails, indicate the user
+
+-------------------------------------------------------------------
+Fri Jul 07 16:18:10 UTC 2023 - dmulder@suse.com
+
+- Update to version 0.0.2+git.6.de1afd6:
+  * test: Ensure invalid users aren't cached
+  * test: Skip getent group tests failing due to nss issue
+  * tests: Add nss tests
+  * tests: Test pam auth
+  * msal: Allow fetching auth url
+
+-------------------------------------------------------------------
+Wed Jun 28 16:55:26 UTC 2023 - dmulder@suse.com
+
+- Update to version 0.0.2+git.0.5bfbedd:
+  * cache: Make the cache persistent
+  * TODO: Cannot fudge an initial nss request
+  * Use tracing for debug instead of log
+  * aad-tool: Fix some build warnings
+  * aad-tool: Add TODO comments regarding enrollment issues
+  * aad-tool: Always use interactive enrollment
+  * fix readme
+  * aad-tool: Save the device_id after enrollment
+  * aad-tool: Cannot enroll in Intune Portal directly
+  * aad-tool: Parse the enrollment response
+  * aad-tool: Add a enroll command for Azure AD device
+  * memcache: Only append existing group member if missing
+  * himmelblaud: Fix login when Intune errors on group read
+  * memcache: Create a memcache for user and group caching
+  * TODO: Group memberships
+  * TODO: NSS requests via GET reqs
+  * config: Include default for authority_host
+  * config: Specify constants for defaults
+  * Cleanup the build depencencies
+  * TODO: Fix the headings
+  * TODO: Add major reqs section
+  * Cause the odc provider to supply the authority_host
+  * TODO: Use tracing module
+  * Include offline logon in todo list
+  * Add a TODO list
+  * Discover the tenant_id in the same manner as Intune
+  * himmelblaud: Debug for unknown user/group
+  * himmelblaud: Fix failure to cache user
+  * himmelblaud: Pam Allowed and Sessions stubs
+  * himmelblaud: Implement NssGroupByGid and NssAccountByUid
+  * himmelblaud: Implement group lookups
+  * Include the gecos in the mem cache
+  * Use config for shell, homedir, uid range, tenant
+  * Improve Developer Readme
+  * config: Config should not default app_id
+  * Remove invalid comment
+  * himmelblaud: Return with failure without tenant_id
+  * config: Move the config to unix_common module
+  * himmelblaud: Make the socket path configurable
+  * himmelblaud: Use Intune portal when app_id unset
+
+-------------------------------------------------------------------
+Fri Jun 02 21:16:00 UTC 2023 - dmulder@suse.com
+
+- Update to version 0.0.1+git.15.f9a024e:
+  * Generate unix uid/gid
+  * himmelblaud: Stubs for NssGroupByName and NssGroups
+  * himmelblaud: Fix auth failure error message
+  * himmelblaud: Open socket with permissions for users to read/write
+  * msal: Fix nssaccountbyname lookup
+  * himmelblaud: Improve logging
+  * Include systemd journal logging
+  * msal: Fix failure parsing user token dict
+  * Implement simple NssAccountByName
+  * Implement basic NssAccounts request
+  * pam: Fix unused variable warning
+  * himmelblaud: Rewrite the daemon in Rust
+  * msal: Add a simple rust binding to python msal
+  * Remove the python daemon in favor of Rust
+
+-------------------------------------------------------------------
+Fri May 26 20:48:17 UTC 2023 - dmulder@suse.com
+
+- Update to version 0.0.1+git.0.56eb9f0:
+  * himmelblaud: Implement nss lookups in the daemon
+  * himmelblaud: Allow anyone to r/w the socket
+  * himmelblaud: Implement simple nss getpwent name
+  * pam: Remove account allowed and being session impl
+  * unix_common: UID and GID need not match
+  * himmelblaud: Improve the debug output
+  * himmelblaud: Remove stdout debug since logging to journald
+  * himmelblaud: Log to the systemd journal
+  * nss: Add the nss module
+  * Improve directory structure
+

himmelblau.spec

@@ -0,0 +1,259 @@
+#
+# spec file for package himmelblau
+#
+# Copyright (c) 2024 SUSE LLC
+#
+# All modifications and additions to the file contributed by third parties
+# remain the property of their copyright owners, unless otherwise agreed
+# upon. The license for this file, and modifications and additions to the
+# file, is the same license as for the pristine package itself (unless the
+# license for the pristine package is not an Open Source License, in which
+# case the license is the MIT License). An "Open Source License" is a
+# license that conforms to the Open Source Definition (Version 1.9)
+# published by the Open Source Initiative.
+
+# Please submit bugfixes or comments via https://bugs.opensuse.org/
+#
+
+
+Name:           himmelblau
+Version:        0.8.0+git.0.249ba5f
+Release:        0
+Summary:        Interoperability suite for Microsoft Azure Entra Id
+License:        GPL-3.0-or-later
+URL:            https://github.com/himmelblau-idm/himmelblau
+Group:          Productivity/Networking/Security
+Source:         %{name}-%{version}.tar.bz2
+Source1:        vendor.tar.zst
+Source2:        cargo_config
+BuildRequires:  binutils
+BuildRequires:  cargo
+BuildRequires:  cargo-packaging
+BuildRequires:  clang-devel
+BuildRequires:  dbus-1-devel
+BuildRequires:  krb5-devel
+BuildRequires:  libcap-devel
+BuildRequires:  libclang13
+BuildRequires:  libdhash-devel
+BuildRequires:  libopenssl-3-devel
+BuildRequires:  pam-devel
+BuildRequires:  patchelf
+BuildRequires:  pcre2-devel
+BuildRequires:  sqlite3-devel
+BuildRequires:  tpm2-0-tss-devel
+BuildRequires:  utf8proc-devel
+%if 0%{?sle_version} > 150600
+BuildRequires:  atk-devel
+BuildRequires:  cairo-devel
+BuildRequires:  gdk-pixbuf-devel
+BuildRequires:  gobject-introspection-devel
+BuildRequires:  gtk3-devel
+BuildRequires:  libsoup-devel
+BuildRequires:  libudev-devel
+BuildRequires:  mercurial
+BuildRequires:  pango-devel
+BuildRequires:  python3-gyp
+BuildRequires:  webkit2gtk3-devel
+%endif
+BuildRequires:  systemd-devel
+ExclusiveArch:  %{rust_tier1_arches}
+Recommends:     libnss_himmelblau2
+Recommends:     pam-himmelblau
+Provides:       aad-cli
+Provides:       aad-common
+Provides:       authd
+Provides:       authd-msentraid
+%if 0%{?is_opensuse}
+Suggests:       himmelblau-sso
+%endif
+Requires:       man
+# This is necessary to prevent users from installing Himmelblau along side
+# Microsoft's Broker, as these will conflict.
+Provides:       microsoft-identity-broker
+
+%description
+Himmelblau is an interoperability suite for Microsoft Azure Entra Id,
+which allows users to sign into a Linux machine using Azure
+Entra Id credentials.
+
+%package -n pam-himmelblau
+Summary:        Azure Entra Id authentication PAM module
+Requires:       %{name} = %{version}
+Provides:       libpam-aad
+Suggests:       himmelblau-sshd-config
+
+%description -n pam-himmelblau
+Himmelblau is an interoperability suite for Microsoft Azure Entra Id,
+which allows users to sign into a Linux machine using Azure
+Entra Id credentials.
+
+%package -n libnss_himmelblau2
+Summary:        Azure Entra Id authentication NSS module
+Requires(post): /sbin/ldconfig
+Requires(postun): /sbin/ldconfig
+Requires:       %{name}
+Provides:       libnss-aad
+Provides:       nss-himmelblau
+
+%description -n libnss_himmelblau2
+Himmelblau is an interoperability suite for Microsoft Azure Entra Id,
+which allows users to sign into a Linux machine using Azure
+Entra Id credentials.
+
+%package -n himmelblau-sshd-config
+Summary:        Azure Entra Id SSHD Configuration
+Requires:       %{name} = %{version}
+Requires:       openssh-server
+BuildRequires:  openssh-server
+BuildArch:      noarch
+
+%description -n himmelblau-sshd-config
+Himmelblau is an interoperability suite for Microsoft Azure Entra Id,
+which allows users to sign into a Linux machine using Azure
+Entra Id credentials.
+
+%if 0%{?is_opensuse}
+# SLE doesn't provide python3-pydbus
+%package -n himmelblau-sso
+Summary:        Azure Entra Id Firefox SSO Configuration
+Requires:       %{name} = %{version}
+Requires:       MozillaFirefox
+Requires:       python3-pydbus
+Provides:       linux-entra-sso
+
+%description -n himmelblau-sso
+Himmelblau is an interoperability suite for Microsoft Azure Entra Id,
+which allows users to sign into a Linux machine using Azure
+Entra Id credentials.
+%endif
+
+%post   -n libnss_himmelblau2 -p /sbin/ldconfig
+%postun -n libnss_himmelblau2 -p /sbin/ldconfig
+
+%prep
+%autosetup -a1
+install -D -m 644 %{SOURCE2} .cargo/config
+
+%build
+# Dependencies for interative Hello PIN changes aren't present prior to 15.6
+%if 0%{?sle_version} <= 150600
+%{cargo_build}
+%else
+%{cargo_build} --features interactive
+%endif
+
+%check
+
+%{cargo_test}
+
+%install
+install -D -d -m 0755 %{buildroot}/%{_sysconfdir}/himmelblau
+cp src/config/himmelblau.conf.example %{buildroot}/%{_sysconfdir}/himmelblau/himmelblau.conf
+cp target/release/libnss_%{name}.so target/release/libnss_%{name}.so.2
+install -D -d -m 0755 %{buildroot}/%{_libdir}
+strip --strip-unneeded target/release/libnss_himmelblau.so.2
+patchelf --set-soname libnss_himmelblau.so.2 target/release/libnss_himmelblau.so.2
+install -m 0755 target/release/libnss_%{name}.so.2 %{buildroot}/%{_libdir}
+install -D -d -m 0755 %{buildroot}/%{_pam_moduledir}
+strip --strip-unneeded target/release/libpam_himmelblau.so
+install -m 0755 target/release/libpam_%{name}.so %{buildroot}/%{_pam_moduledir}/pam_%{name}.so
+install -D -d -m 0755 %{buildroot}%{_sbindir}
+strip --strip-unneeded target/release/himmelblaud
+strip --strip-unneeded target/release/himmelblaud_tasks
+strip --strip-unneeded target/release/broker
+install -m 0755 target/release/himmelblaud %{buildroot}/%{_sbindir}
+install -m 0755 target/release/himmelblaud_tasks %{buildroot}/%{_sbindir}
+install -m 0755 target/release/broker %{buildroot}/%{_sbindir}
+pushd %{buildroot}%{_sbindir}
+ln -s himmelblaud rchimmelblaud
+ln -s himmelblaud_tasks rchimmelblaud_tasks
+ln -s broker rcbroker
+popd
+install -D -d -m 0755 %{buildroot}%{_bindir}
+strip --strip-unneeded target/release/aad-tool
+install -m 0755 target/release/aad-tool %{buildroot}/%{_bindir}
+install -D -d -m 0755 %{buildroot}%{_unitdir}
+install -m 0644 %{_builddir}/%{name}-%{version}/platform/opensuse/himmelblaud.service %{buildroot}%{_unitdir}/himmelblaud.service
+install -m 0644 %{_builddir}/%{name}-%{version}/platform/opensuse/himmelblaud-tasks.service %{buildroot}%{_unitdir}/himmelblaud-tasks.service
+install -D -d -m 0755 %{buildroot}%{_datarootdir}/dbus-1/services
+install -m 0644 %{_builddir}/%{name}-%{version}/platform/opensuse/com.microsoft.identity.broker1.service %{buildroot}%{_datarootdir}/dbus-1/services/
+install -D -d -m 0755 %{buildroot}%{_sysconfdir}/ssh/sshd_config.d
+install -m 0644 %{_builddir}/%{name}-%{version}/platform/el/sshd_config %{buildroot}%{_sysconfdir}/ssh/sshd_config.d/himmelblau.conf
+install -D -d -m 0755 %{buildroot}%{_sysconfdir}/krb5.conf.d
+install -m 0644 %{_builddir}/%{name}-%{version}/src/config/krb5_himmelblau.conf %{buildroot}%{_sysconfdir}/krb5.conf.d/krb5_himmelblau.conf
+
+# Firefox Single Sign On
+%if 0%{?is_opensuse}
+install -m 0755 %{_builddir}/%{name}-%{version}/src/sso/src/linux-entra-sso.py %{buildroot}/%{_bindir}/linux-entra-sso
+sed -i 's/#!\/usr\/bin\/env python3/#!\/usr\/bin\/python3/' %{buildroot}/%{_bindir}/linux-entra-sso
+install -D -d -m 0755 %{buildroot}%{_libdir}/mozilla/native-messaging-hosts
+install -m 0644 %{_builddir}/%{name}-%{version}/src/sso/src/firefox/linux_entra_sso.json %{buildroot}%{_libdir}/mozilla/native-messaging-hosts/
+install -D -d -m 0755 %{buildroot}%{_sysconfdir}/firefox/policies
+install -m 0644 %{_builddir}/%{name}-%{version}/src/sso/src/firefox/policies.json %{buildroot}%{_sysconfdir}/firefox/policies/
+%endif
+
+# Man pages
+install -D -d -m 0755 %{buildroot}%{_mandir}/man1
+install -D -d -m 0755 %{buildroot}%{_mandir}/man5
+install -D -d -m 0755 %{buildroot}%{_mandir}/man8
+install -m 0644 %{_builddir}/%{name}-%{version}/man/man1/aad-tool.1 %{buildroot}%{_mandir}/man1/
+install -m 0644 %{_builddir}/%{name}-%{version}/man/man5/himmelblau.conf.5 %{buildroot}%{_mandir}/man5/
+install -m 0644 %{_builddir}/%{name}-%{version}/man/man8/himmelblaud.8 %{buildroot}%{_mandir}/man8/
+install -m 0644 %{_builddir}/%{name}-%{version}/man/man8/himmelblaud_tasks.8 %{buildroot}%{_mandir}/man8/
+
+%pre
+%service_add_pre himmelblaud.service himmelblaud-tasks.service
+
+%post
+%service_add_post himmelblaud.service himmelblaud-tasks.service
+
+%preun
+%service_del_preun himmelblaud.service himmelblaud-tasks.service
+
+%postun
+%service_del_postun himmelblaud.service himmelblaud-tasks.service
+
+%files
+%dir %{_sysconfdir}/himmelblau
+%config(noreplace) %{_sysconfdir}/himmelblau/himmelblau.conf
+%{_sysconfdir}/krb5.conf.d/krb5_himmelblau.conf
+%{_sbindir}/himmelblaud
+%{_sbindir}/rchimmelblaud
+%{_sbindir}/himmelblaud_tasks
+%{_sbindir}/rchimmelblaud_tasks
+%{_sbindir}/broker
+%{_sbindir}/rcbroker
+%{_bindir}/aad-tool
+%{_unitdir}/himmelblaud.service
+%{_unitdir}/himmelblaud-tasks.service
+%{_datarootdir}/dbus-1/services/com.microsoft.identity.broker1.service
+%{_mandir}/man1/aad-tool.1*
+%{_mandir}/man5/himmelblau.conf.5*
+%{_mandir}/man8/himmelblaud.8*
+%{_mandir}/man8/himmelblaud_tasks.8*
+
+%files -n libnss_himmelblau2
+%{_libdir}/libnss_%{name}.so.*
+
+%files -n pam-himmelblau
+%{_pam_moduledir}/pam_%{name}.so
+
+%files -n himmelblau-sshd-config
+# openssh-server doesn't own /etc/ssh/sshd_config.d before 15.5
+%if 0%{?sle_version} <= 150500
+%dir %{_sysconfdir}/ssh/sshd_config.d
+%endif
+%config %{_sysconfdir}/ssh/sshd_config.d/himmelblau.conf
+
+%if 0%{?is_opensuse}
+%files -n himmelblau-sso
+%{_bindir}/linux-entra-sso
+%dir %{_libdir}/mozilla
+%dir %{_libdir}/mozilla/native-messaging-hosts
+%{_libdir}/mozilla/native-messaging-hosts/linux_entra_sso.json
+%dir %{_sysconfdir}/firefox
+%dir %{_sysconfdir}/firefox/policies
+%config %{_sysconfdir}/firefox/policies/policies.json
+%endif
+
+%changelog