commit 05fffb1524d41d18df6b18c55e88b9ecd8f670aa06c01342306b061a90bfb650 Author: David Mulder Date: Fri Dec 20 15:53:03 2024 +0000 - Update to version 0.8.0+git.0.249ba5f: * Branch version stable-0.8.x * Passwordless auth doesn't provide polling numbers * Resolve deadlock introduced by Fido auth * Implement NGC Passwordless authentication * Remove unused commit checklist * deps(rust): update bindgen requirement from 0.70.1 to 0.71.1 * Update libhimmelblau version * Custom domains matching * Fix IdmapError to indicate the failure * Fix Fedora build dependencies * Add Fido MFA * Add Debian 12 packaging * Disable SELinux labeling on build container volume mounts * Update github CI dependencies * Implement Hello Pin changes via PAM * Formatting fix * Utilize HimmelblauConfig directly in pam and nss * Add config parsing unit tests * Fix incorrect default domain * Fix config hsm type Tpm error * Include multi-domain important info in himmelblau.conf man * Update to the latest libhimmelblau * Add DAG flow as a fallback for MFA * Fix CVE-2024-11738: rustls network-reachable panic in `Acceptor::accept` * Update README.md with build requires * Enable module for utf8proc-devel in Rocky8 * Remove the org.samba.himmelblau dbus service * Fix missing dependency utf8proc_NFKC_Casefold * The tasks daemon needs /etc/groups write access * Revert "Fix Ubuntu PAM fallback to password prompt" * Fix Ubuntu PAM fallback to password prompt * Increase the cache timeout to 5 minutes * Always fetch and cache the graph url * Package Siemens Linux Entra SSO for Himmelblau * Add Kerberos CCache support * Update the tasks daemon man page * Add a himmelblau.conf man page, and package the man pages * Add SLE15SP6 packaging * Add Fedora 41 packaging * Add Fedora Rawhide packaging * Provide enhancement request template * Create an issue template * Hello support depends on openssl3 * Fix sshd rpm depends * Resolve RPM dependencies automatically * Revert "deps(rust): update notify-debouncer-full 
requirement from 0.3 to 0.4" * Add openSUSE Tumbleweed packaging * Fix RPM packaging placement of systemd files * Remove the failed attempt at debian packaging * Add stable-0.7.x to CI workflows * Version 0.8.0 OBS-URL: https://build.opensuse.org/package/show/network:idm/himmelblau?expand=0&rev=48
diff --git a/.gitattributes b/.gitattributes
new file mode 100644
index 0000000..9b03811
--- /dev/null
+++ b/.gitattributes
@@ -0,0 +1,23 @@
+## Default LFS
+*.7z filter=lfs diff=lfs merge=lfs -text
+*.bsp filter=lfs diff=lfs merge=lfs -text
+*.bz2 filter=lfs diff=lfs merge=lfs -text
+*.gem filter=lfs diff=lfs merge=lfs -text
+*.gz filter=lfs diff=lfs merge=lfs -text
+*.jar filter=lfs diff=lfs merge=lfs -text
+*.lz filter=lfs diff=lfs merge=lfs -text
+*.lzma filter=lfs diff=lfs merge=lfs -text
+*.obscpio filter=lfs diff=lfs merge=lfs -text
+*.oxt filter=lfs diff=lfs merge=lfs -text
+*.pdf filter=lfs diff=lfs merge=lfs -text
+*.png filter=lfs diff=lfs merge=lfs -text
+*.rpm filter=lfs diff=lfs merge=lfs -text
+*.tbz filter=lfs diff=lfs merge=lfs -text
+*.tbz2 filter=lfs diff=lfs merge=lfs -text
+*.tgz filter=lfs diff=lfs merge=lfs -text
+*.ttf filter=lfs diff=lfs merge=lfs -text
+*.txz filter=lfs diff=lfs merge=lfs -text
+*.whl filter=lfs diff=lfs merge=lfs -text
+*.xz filter=lfs diff=lfs merge=lfs -text
+*.zip filter=lfs diff=lfs merge=lfs -text
+*.zst filter=lfs diff=lfs merge=lfs -text
diff --git a/.gitignore b/.gitignore
new file mode 100644
index 0000000..57affb6
--- /dev/null
+++ b/.gitignore
@@ -0,0 +1 @@
+.osc
diff --git a/_service b/_service
new file mode 100644
index 0000000..e46c437
--- /dev/null
+++ b/_service
@@ -0,0 +1,31 @@
+ + + https://github.com/himmelblau-idm/himmelblau.git + git + stable-0.8.x + @PARENT_TAG@+git.@TAG_OFFSET@.%h + himmelblau-(.*) + \1 + himmelblau + .git + src/kanidm/Cargo.* + enable + + + himmelblau + ^himmelblau-([^/]+) + himmelblau.spec + + + *.tar + bz2 + + + himmelblau + true + + + himmelblau + Cargo.lock +
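Review bot: The source revision in `_service` is the branch name `stable-0.8.x`, not a commit, so a later service run fetches whatever that branch then points at; the commit this update was actually built from is recorded only in the generated `_servicedata` (`249ba5f5dcd7c9443d9a7448e0130e03ec5907ae`) and in the tarball name. The element names are missing from this rendering, so the next point is inferred from the values alone: the lone `true` in the fourth service block looks like the vendoring service's update switch, which would let the vendored crates move ahead of upstream's `Cargo.lock`. For a package that ships PAM and NSS modules both choices deserve a comment in the file, for example `<!-- revision follows the stable branch; the built commit is pinned in _servicedata, and vendored crates are refreshed on each service run -->`. Whoever reviews a bump should then compare the resulting dependency set with upstream's lockfile instead of assuming they match.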
diff --git a/_servicedata b/_servicedata
new file mode 100644
index 0000000..b4939bf
--- /dev/null
+++ b/_servicedata
@@ -0,0 +1,6 @@
+ + + https://github.com/openSUSE/himmelblau.git + 6d2f6450ff3c0c945a884d4b35307e03a035a581 + https://github.com/himmelblau-idm/himmelblau.git + 249ba5f5dcd7c9443d9a7448e0130e03ec5907ae
\ No newline at end of file
diff --git a/cargo_config b/cargo_config
new file mode 100644
index 0000000..6fb4ff4
--- /dev/null
+++ b/cargo_config
@@ -0,0 +1,5 @@
+[source.crates-io]
+replace-with = "vendored-sources"
+
+[source.vendored-sources]
+directory = "vendor"
\ No newline at end of file
diff --git a/himmelblau-0.4.1+git.0.41dd0dc.tar.bz2 b/himmelblau-0.4.1+git.0.41dd0dc.tar.bz2
new file mode 100644
index 0000000..b2c3de4
--- /dev/null
+++ b/himmelblau-0.4.1+git.0.41dd0dc.tar.bz2
@@ -0,0 +1,3 @@
+version https://git-lfs.github.com/spec/v1
+oid sha256:dcde73d510f65d5dc329d52d1e2aad3236a30b8831f1043d96aca04686159d5e
+size 17684282
diff --git a/himmelblau-0.4.3+git.2.6379abc.tar.bz2 b/himmelblau-0.4.3+git.2.6379abc.tar.bz2
new file mode 100644
index 0000000..ded1139
--- /dev/null
+++ b/himmelblau-0.4.3+git.2.6379abc.tar.bz2
@@ -0,0 +1,3 @@
+version https://git-lfs.github.com/spec/v1
+oid sha256:fb29e33def9c3d5a83f5cb6484d5d886b79c0e8f0ea827586a101c28521001c1
+size 17684265
diff --git a/himmelblau-0.5.0+git.0.22f84f0.tar.bz2 b/himmelblau-0.5.0+git.0.22f84f0.tar.bz2
new file mode 100644
index 0000000..b43b895
--- /dev/null
+++ b/himmelblau-0.5.0+git.0.22f84f0.tar.bz2
@@ -0,0 +1,3 @@
+version https://git-lfs.github.com/spec/v1
+oid sha256:16915f657ac0c69070d9ee24076ed03464b74c16a12c786eec8fb8f3b4e0dcfb
+size 19316045
diff --git a/himmelblau-0.6.0+git.0.b8dae18.tar.bz2 b/himmelblau-0.6.0+git.0.b8dae18.tar.bz2
new file mode 100644
index 0000000..010c7e4
--- /dev/null
+++ b/himmelblau-0.6.0+git.0.b8dae18.tar.bz2
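Review bot: `cargo_config` carries no comment saying why the `crates-io` source is replaced or where the `vendor` directory comes from. With `replace-with = "vendored-sources"` every crate is compiled from that local directory, so the integrity of the build rests on the vendored archive, not on the registry, and that archive is not among the hunks shown here. A header line such as `# Offline build: all crates come from the vendored archive produced by the _service run` would make that dependency explicit for the next maintainer. Only `crates-io` is redirected; if any dependency is fetched from git (not visible here), it would need its own `[source."…"]` entry with the same `replace-with`.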
@@ -0,0 +1,3 @@
+version https://git-lfs.github.com/spec/v1
+oid sha256:b10796819e6378f44e69ecdda0414460d47beda8dfc48572aa6534e6e3ae43ac
+size 6551922
diff --git a/himmelblau-0.6.14+git.0.bbda0b6.tar.bz2 b/himmelblau-0.6.14+git.0.bbda0b6.tar.bz2
new file mode 100644
index 0000000..2f72f1a
--- /dev/null
+++ b/himmelblau-0.6.14+git.0.bbda0b6.tar.bz2
@@ -0,0 +1,3 @@
+version https://git-lfs.github.com/spec/v1
+oid sha256:c63fab4c28e38014c5f9378da0e71076294a9357f5f35177b75c1a94cb1af933
+size 6552319
diff --git a/himmelblau-0.7.13+git.0.d790d31.tar.bz2 b/himmelblau-0.7.13+git.0.d790d31.tar.bz2
new file mode 100644
index 0000000..5ca536f
--- /dev/null
+++ b/himmelblau-0.7.13+git.0.d790d31.tar.bz2
@@ -0,0 +1,3 @@
+version https://git-lfs.github.com/spec/v1
+oid sha256:281fc285e2d6b0208ded9794d6470d8802e94853c23c96ed353cb55ab07f0b07
+size 2023784
diff --git a/himmelblau-0.7.5+git.0.8f421b0.tar.bz2 b/himmelblau-0.7.5+git.0.8f421b0.tar.bz2
new file mode 100644
index 0000000..31f9dd3
--- /dev/null
+++ b/himmelblau-0.7.5+git.0.8f421b0.tar.bz2
@@ -0,0 +1,3 @@
+version https://git-lfs.github.com/spec/v1
+oid sha256:88d6c5b86be18ae64b520dde1be0dfdc0015905e4d4fc4295a06fc548088f19c
+size 2015723
diff --git a/himmelblau-0.7.7+git.0.b48d0bb.tar.bz2 b/himmelblau-0.7.7+git.0.b48d0bb.tar.bz2
new file mode 100644
index 0000000..905dd57
--- /dev/null
+++ b/himmelblau-0.7.7+git.0.b48d0bb.tar.bz2
@@ -0,0 +1,3 @@
+version https://git-lfs.github.com/spec/v1
+oid sha256:0f1513ae4a551bef1266719826d5a3f07b47c71238fe3b873a492b8607e9576e
+size 2015807
diff --git a/himmelblau-0.7.9+git.0.93655d2.tar.bz2 b/himmelblau-0.7.9+git.0.93655d2.tar.bz2
new file mode 100644
index 0000000..16c70e7
--- /dev/null
+++ b/himmelblau-0.7.9+git.0.93655d2.tar.bz2
@@ -0,0 +1,3 @@
+version https://git-lfs.github.com/spec/v1
+oid sha256:38e5ec0bdec69e44e09959034c97eb643c4a54df3042b093be94c1d50f6df329
+size 2018082
diff --git a/himmelblau-0.8.0+git.0.249ba5f.tar.bz2 b/himmelblau-0.8.0+git.0.249ba5f.tar.bz2
new file mode 100644
index 0000000..db41d47
--- /dev/null
+++ b/himmelblau-0.8.0+git.0.249ba5f.tar.bz2
@@ -0,0 +1,3 @@
+version https://git-lfs.github.com/spec/v1
+oid sha256:6eabfadc1f849a90ae5d1630cb6429e7854ef7b42b2e7e1d6e28d3aeb48203f4
+size 2029643
diff --git a/himmelblau.changes b/himmelblau.changes
new file mode 100644
index 0000000..d0cfb00
--- /dev/null
+++ b/himmelblau.changes
@@ -0,0 +1,747 @@ +------------------------------------------------------------------- +Thu Dec 19 22:26:54 UTC 2024 - david.mulder@suse.com + +- Update to version 0.8.0+git.0.249ba5f: + * Branch version stable-0.8.x + * Passwordless auth doesn't provide polling numbers + * Resolve deadlock introduced by Fido auth + * Implement NGC Passwordless authentication + * Remove unused commit checklist + * deps(rust): update bindgen requirement from 0.70.1 to 0.71.1 + * Update libhimmelblau version + * Custom domains matching + * Fix IdmapError to indicate the failure + * Fix Fedora build dependencies + * Add Fido MFA + * Add Debian 12 packaging + * Disable SELinux labeling on build container volume mounts + * Update github CI dependencies + * Implement Hello Pin changes via PAM + * Formatting fix + * Utilize HimmelblauConfig directly in pam and nss + * Add config parsing unit tests + * Fix incorrect default domain + * Fix config hsm type Tpm error + * Include multi-domain important info in himmelblau.conf man + * Update to the latest libhimmelblau + * Add DAG flow as a fallback for MFA + * Fix CVE-2024-11738: rustls network-reachable panic in `Acceptor::accept` + * Update README.md with build requires + * Enable module for utf8proc-devel in Rocky8 + * Remove the org.samba.himmelblau dbus service + * Fix missing dependency utf8proc_NFKC_Casefold + * The tasks daemon needs /etc/groups write access + * Revert "Fix Ubuntu PAM fallback to password prompt" + * Fix Ubuntu PAM fallback to password prompt + * Increase the cache timeout to 5 minutes + * Always fetch and cache the graph url + * Package Siemens Linux Entra SSO for Himmelblau + * Add Kerberos CCache support + * Update the tasks daemon man page + * Add a himmelblau.conf man page, and package the man pages + * Add SLE15SP6 packaging + * Add Fedora 41 packaging + * Add Fedora Rawhide packaging + * Provide enhancement request template + * Create an issue template + * Hello support depends on openssl3 + * Fix sshd rpm 
depends + * Resolve RPM dependencies automatically + * Revert "deps(rust): update notify-debouncer-full requirement from 0.3 to 0.4" + * Add openSUSE Tumbleweed packaging + * Fix RPM packaging placement of systemd files + * Remove the failed attempt at debian packaging + * Add stable-0.7.x to CI workflows + * Version 0.8.0 + +------------------------------------------------------------------- +Thu Dec 12 15:14:46 UTC 2024 - david.mulder@suse.com + +- Update to version 0.7.13+git.0.d790d31: + * Version 0.7.13 + * Fix Fedora build dependencies + * Version 0.7.12 + * Add Debian 12 packaging + * Update github CI dependencies + * Version 0.7.11 + * Implement Hello Pin changes via PAM + * Utilize HimmelblauConfig directly in pam and nss + * Version 0.7.10 + * Add config parsing unit tests + * Fix incorrect default domain + * Fix config hsm type Tpm error + * Include multi-domain important info in himmelblau.conf man + +------------------------------------------------------------------- +Thu Dec 05 14:18:37 UTC 2024 - david.mulder@suse.com + +- Update to version 0.7.9+git.0.93655d2: + * Version 0.7.9 + * Update to the latest libhimmelblau + * Version 0.7.8 + * Add a himmelblau.conf man page, and package the man pages + * Add DAG flow as a fallback for MFA + +------------------------------------------------------------------- +Mon Dec 02 16:43:42 UTC 2024 - david.mulder@suse.com + +- Update to version 0.7.7+git.0.b48d0bb: + * Version 0.7.7 + * Fix CVE-2024-11738: rustls network-reachable panic in `Acceptor::accept` + (bsc#1233949). 
+ * Version 0.7.6 + * Enable module for utf8proc-devel in Rocky8 + +------------------------------------------------------------------- +Mon Nov 25 19:55:22 UTC 2024 - david.mulder@suse.com + +- Update to version 0.7.5+git.0.8f421b0: + * Version 0.7.5 + * Remove the org.samba.himmelblau dbus service + +------------------------------------------------------------------- +Mon Nov 25 17:26:11 UTC 2024 - david.mulder@suse.com + +- Update to version 0.7.4+git.0.d1291c6: + * Version 0.7.4 + * Fix missing dependency utf8proc_NFKC_Casefold + * Package Siemens Linux Entra SSO for Himmelblau + * Add SLE15SP6 packaging + * Add Fedora 41 packaging + * Add Fedora Rawhide packaging + * The tasks daemon needs /etc/groups write access + * Version 0.7.3 + * Increase the cache timeout to 5 minutes + * Always fetch and cache the graph url + +------------------------------------------------------------------- +Mon Nov 25 14:45:36 UTC 2024 - david.mulder@suse.com + +- Update to version 0.7.2+git.0.c76ac0e: + * Version 0.7.2 + * Hello support depends on openssl3 + * Version 0.7.1 + * Fix sshd rpm depends + * Resolve RPM dependencies automatically + * Revert "deps(rust): update notify-debouncer-full requirement from 0.3 to 0.4" + * Add openSUSE Tumbleweed packaging + * Fix RPM packaging placement of systemd files + * Remove the failed attempt at debian packaging + * Add stable-0.7.x to CI workflows + * deps(rust): update utoipa requirement from 4.0.0 to 4.2.0 + * deps(rust): update hashbrown requirement from 0.14.0 to 0.15.1 + * Remove missing feature causing warnings + * deps(rust): update notify-debouncer-full requirement from 0.3 to 0.4 + * Specify scopes when making an SSO request + * Implement logon script for ensuring compliance + * Option for adding Entra Id users to local groups + * Configure EL sshd with ChallengeResponseAuthentication yes + * Add rocky 8 packaging + * Add RPM packaging for EL9 + * Modify Ubuntu defaults to fix snaps + * Resolve Libreoffice fails to start on 
Ubuntu + * Minor formatting fix + * Revert RwLock -> Arc change in idmap + * Ignore broker scopes requests for now + * Ensure every file specifies the proper license + * postinst should not fail on patch or apparmor update + * Install pam module to additional location via make + * Add sshd config to the Makefile + * Don't use sudo in postinst/postrm scripts for deb + * PAM should be placed first in the stack + * Add the libutf8proc-dev dep for deb + * Match the object ID of the fake user and group + * Make it possible to stop the broker service + * Move sshd config into it's own debian package + * Allow the graph to start w/out network + * Add hello_pin_min_length conf option + * Don't attempt SFA fallback if AADSTSError + * Have libhimmelblau handle the DAG fallback + * Add a warning to user that SSH needs restarted + * Ensure local users are ignored when CN mapping + * Ensure DAG is rejected if lifetime expires + * Rework the poll logic to resolve timeout issues + * Add a sshd soft depends for the deb package + * CN name mapping in PAM and NSS + * Make CN an optional home directory attribute + * Remove the sssd build dependencies + * Configuration patches for himmelblau on Debian + * Simplify PAM get_item_string calls + * Bug in pam which needs defended against + * Fix deb build by adding Broker service file + * WIP: Install Ubuntu unix-chkpwd apparmor deps + * Ensure make install places pam_himmelblau correctly + * Add Ubuntu pam-config for pam_himmelblau + * Never return Err(PAM_SUCCESS) from get_user + * Never return the Pam result from get_user() + * Revert "Speed up nss requests w/out auth attempt" + * Speed up nss requests w/out auth attempt + * Fix some broker responses + * Fixes for the dbus broker + * Attempt to fix the cargo version in launchpad build + * Makefile typo fixes + * Version 0.7.0 + * Add libdbus-1-dev dep + * Improve the README installation instructions + * Add `make install` command + * Improve Debian/Ubuntu install instructions + * Fix 
tag push permissions for tag-version workflow + * Add a version check script + * Remove the rustc dependency, breaking rustup + * Add a debug option to the config + * DBus requires that the service file match the name + * Add a pam option for the OpenSSH 2876 workaround + * Update to the latest libhimmelblau + +------------------------------------------------------------------- +Tue Oct 22 16:22:21 UTC 2024 - david.mulder@suse.com + +- Update to version 0.6.14+git.0.bbda0b6: + * Version 0.6.14 + * postinst should not fail on patch or apparmor update + * Version 0.6.13 + * Don't use sudo in postinst/postrm scripts for deb + * Version 0.6.12 + * PAM should be placed first in the stack + * Match the object ID of the fake user and group + * Version 0.6.11 + * Move sshd config into it's own debian package + * Version 0.6.10 + * Allow the graph to start w/out network + * Add hello_pin_min_length conf option + * Version 0.6.9 + * Don't attempt SFA fallback if AADSTSError + * Have libhimmelblau handle the DAG fallback + * Add a warning to user that SSH needs restarted + * Version 0.6.8 + * Ensure local users are ignored when CN mapping + * Ensure DAG is rejected if lifetime expires + * Version 0.6.7 + * Rework the poll logic to resolve timeout issues + * Version 0.6.6 + * Add a sshd soft depends for the deb package + * CN name mapping in PAM and NSS + * Version 0.6.5 + * Make CN an optional home directory attribute + * Version 0.6.4 + * Add Ubuntu pam-config for pam_himmelblau + * Configuration patches for himmelblau on Debian + * Version 0.6.3 + * Bug in pam which needs defended against + * Version 0.6.2 + * Never return the Pam result from get_user() + * Correct installation directory of the deb pam module + * Makefile typo fixes + * Add libdbus-1-dev dep + * Version 0.6.1 + * Debian build requires libdbus-1-dev + +------------------------------------------------------------------- +Wed Oct 02 20:29:43 UTC 2024 - david.mulder@suse.com + +- Update to version 
0.6.0+git.0.b8dae18: + * Attempt to fix the cargo version in launchpad build + * Add branch stable-0.6.x to the workflows + * Install the pam module to the proper location + * Update README.md + * Add a debug option to the config + * Add a pam option for the OpenSSH 2876 workaround + * Update to the latest libhimmelblau + * Authorize all users when pam_allow_groups is empty + * Fix clippy warnings + * Fix pam echo not displayed via ssh + * Fix pam failure to register Pin following mfa poll + * Fork from kanidm + * Version 0.6.0 + * Add cargo deb build + * Version 0.5.3 + * Improve the README installation instructions + * Add `make install` command + * Improve Debian/Ubuntu install instructions + * Fix tag push permissions for tag-version workflow + * Version 0.5.2 + * Add a version check script + * Version 0.5.1 + * Remove the rustc dependency, breaking rustup + * Added Debian packaging workflow and files + +------------------------------------------------------------------- +Thu Sep 12 00:22:33 UTC 2024 - William Brown + +- explicitly depend on cargo to pull in latest compiler revision + +------------------------------------------------------------------- +Wed Sep 04 14:16:35 UTC 2024 - david.mulder@suse.com + +- Update to version 0.5.0+git.0.22f84f0: + * Update workflows for 0.5.x + * Update Debian dependencies in README.md + * Compilation fails on Ubuntu, missing ldb header + * Fix base32 with kandim updates + * deps(rust): update base32 requirement from ^0.4.0 to ^0.5.0 + * deps(rust): update scim_proto requirement from ^0.2.1 to ^1.3.2 + * deps(rust): update bindgen requirement from 0.69.4 to 0.70.1 + * Fix CI failures caused by cargo 1.80.1 + * Update to libhimmelblau version 0.2.9 + * deps(rust): update rusqlite requirement from ^0.31.0 to ^0.32.0 + * deps(rust): update tonic requirement from 0.11.0 to 0.12.0 + * update libnss requirement from 0.7.0 to 0.8.0 + * Switch to using libhimmelblau + * himmelblaud stops working after suspend + * Update required 
packages for tumbleweed + * Disable the SFA fallback by default + * Fix ConsolidatedTelephony MFA method + * Use the group ID for the name if no display name + * Use latest msal with MFA fixes + * PhoneAppNotification is not a cred request algorithm + * The polling_interval is in milliseconds, not seconds + * OneWaySMS is additionally a valid OTP + * Relicensing as GPL3, as SSSD source inclusion requires + * Utilize the graph code in msal + * config: Remove comments about experimental policy enforement + * Remove the experimental policy code from the id provider + * Fix a refresh token leak in debug from msal + * Correct README details + * Always normalize idmap upn inputs + * Add video links to the README + * Minor updates to the Contributing section + * Add a Installation section to the README + * Add the new SSSD idmap build deps to the README + * Add a section about donations + * Include the Samba Technical matrix channel + * Add github workflows for the 0.4.x branch + * Version 0.5.0 bump for main + +------------------------------------------------------------------- +Mon Jul 15 15:07:32 UTC 2024 - david.mulder@suse.com + +- Update to version 0.4.3+git.2.6379abc: + * Specifically use msal 0.2.6 + * Version 0.4.3 + * update libnss requirement from 0.7.0 to 0.8.0 + * himmelblaud stops working after suspend + * Version 0.4.2 + * Fix ConsolidatedTelephony MFA method + +------------------------------------------------------------------- +Wed May 29 19:35:33 UTC 2024 - david.mulder@suse.com + +- Update to version 0.4.1+git.0.41dd0dc: + * Version 0.4.1 + * Use latest msal with MFA fixes + * PhoneAppNotification is not a cred request algorithm + * The polling_interval is in milliseconds, not seconds + * OneWaySMS is additionally a valid OTP + * Relicensing as GPL3, as SSSD source inclusion requires + +------------------------------------------------------------------- +Wed May 22 22:10:10 UTC 2024 - david.mulder@suse.com + +- Update to version 0.4.0+git.4.63e3704: + * 
Fix a refresh token leak in debug from msal + +------------------------------------------------------------------- +Wed May 22 14:28:10 UTC 2024 - david.mulder@suse.com + +- Update to version 0.4.0+git.2.7b57f5e: + * Always normalize idmap upn inputs + +------------------------------------------------------------------- +Mon May 20 19:23:30 UTC 2024 - david.mulder@suse.com + +- Update to version 0.4.0+git.0.69b64fe: + * Add github workflows for the 0.4.x branch + * Do not append to pam_allow_groups automatically + * Pam Allow Groups must be specified by Object ID + * Request the correct resource and permissions + * Improve error output on group lookup failure + * When faking a uuid for NSS, use a random uuid + * Fix clippy warning about inefficient use of clone() + * Remove the initial uid hack, use name mapping + * Don't stop an MR based on a clippy warning + * Update Kanidm tracking + * Modify CI workflows to handle idmap build + * Add CI job for cargo test + * Test the new and legacy idmapping + * Ensure duplicate providers are not started + * Use the SSSD Idmap code in Himmelblau + * Specify in conf that pam_allow_groups is required + * Remove code duplication in Hello PIN auth + * Fix Device authentication failed after enrollment + * Update the base64urlsafedata version + * Update README.md with Matrix contact info + * Version 0.4.0 + +------------------------------------------------------------------- +Wed May 15 15:19:43 UTC 2024 - david.mulder@suse.com + +- Update to version 0.3.4+git.0.01d099f: + * Version 0.3.4 + * Only remove cached user if it doesn't exist + * Use existing user token at refresh + * Always use the spn of the user for nss requests + * Generate a fake user token to please SSH + * Fix aad-tool to handle MFA + * Fix lib_crypto version + * Fix user dropping from NSS + +------------------------------------------------------------------- +Fri May 10 18:59:23 UTC 2024 - david.mulder@suse.com + +- Himmelblau requires libopenssl-3 for PRT 
messages. + +------------------------------------------------------------------- +Thu May 09 19:34:59 UTC 2024 - david.mulder@suse.com + +- Update to version 0.3.3+git.0.c2197d7: + * Correct the debug messages for Hello skip + * Version 0.3.3 + * Allow disabling Hello PIN auth for enrolled users + * Add an option for disabling Windows Hello + * Remove the TODO doc from stable branch + * config: Remove comments about experimental policy enforement + +------------------------------------------------------------------- +Tue May 07 18:19:29 UTC 2024 - david.mulder@suse.com + +- Update to version 0.3.2+git.0.de9f5b5: + * Version 0.3.2 + * Fix Hello PIN Authentication error, no nonce + +------------------------------------------------------------------- +Mon Apr 29 19:43:17 UTC 2024 - david.mulder@suse.com + +- Update to version 0.3.1+git.0.359a8d0: + * Add github workflows for the 0.3.x branch + * Fallback to SFA first if MFA fails Browse files + * deps(rust): update libnss requirement from 0.6.0 to 0.7.0 + * deps(rust): update webauthn-rs-proto requirement from 0.4.8 to 0.5.0 + * Fix deadlock caused by client write lock + * Add rid idmapping (replacing existing idmap) + * Additional debug for Hello auth + * Make proto Cargo.toml a physical file + * Push the clippy arg count limit a little higher + * Version 0.3.0 + * Windows Hello PIN implementation + * deps(rust): update hostname requirement from ^0.3.1 to ^0.4.0 + * Enable actions on stable branches + * Prevent dependabot from updating opentelemetry + * Revert "deps(rust): update opentelemetry requirement from 0.20.0 to 0.22.0 (#93)" + * deps(rust): update reqwest requirement from ^0.11.18 to ^0.12.2 (#95) + * deps(rust): update lru requirement from ^0.8.0 to ^0.12.3 (#94) + * deps(rust): update opentelemetry requirement from 0.20.0 to 0.22.0 (#93) + * deps(rust): update num_enum requirement from ^0.5.11 to ^0.7.2 (#92) + * deps(rust): update tonic requirement from 0.10.2 to 0.11.0 (#91) + * Use the Kanidm MFA 
patches + * deps(rust): update libnss requirement from 0.5.0 to 0.6.0 (#90) + * deps(rust): update tracing-opentelemetry requirement (#89) + * deps(rust): update rusqlite requirement from ^0.28.0 to ^0.31.0 (#88) + * deps(rust): update clap requirement from ^3.2 to ^4.5 (#87) + * deps(rust): update kanidm-hsm-crypto requirement from ^0.1.6 to ^0.2.0 (#86) + * Update dependabot.yml + * Add missing db dependency on sketching + * Set the workspace resolver version to 2 + * Init the kanidm submodule during workflows + * Ignore clippy blocks_in_conditions warning in daemon + * Add build/clippy/dependabot_automerge workflows + * deps(rust): update opentelemetry-otlp requirement from 0.13.0 to 0.15.0 + * deps(rust): update opentelemetry_sdk requirement from 0.20.0 to 0.22.1 + * deps(rust): update base64 requirement from ^0.21.5 to ^0.22.0 + * deps(rust): update notify-debouncer-full requirement from 0.1 to 0.3 + * deps(rust): update systemd-journal-logger requirement + * Create dependabot.yml + * Add MFA capabilities + * Update to the latest Kanidm reqs + * Always force MFA when enrolling the device + * Update to latest msal + +------------------------------------------------------------------- +Thu Feb 29 20:14:08 UTC 2024 - dmulder@suse.com + +- Himmelblau provides the features found in aad-auth packages from + other distros. 
+ +------------------------------------------------------------------- +Tue Feb 20 21:07:56 UTC 2024 - dmulder@suse.com + +- Update to version 0.2.0+git.4.904b915: + * Update to latest msal + * Version 0.2.0 + * Himmelblau now authenticates only to configured domains + * Remove reference to python-msal dep in README + * Use the external MSAL crate for auth + * Rename msal in prep for external msal crate + * msal: Remove python msal bindings + * msal: Rust msal + * Point Cargo.toml to new project home + * config: Write domain join to server specific config + * idprovider: Invalidate cached user if PRT req fails + * idprovider: Pass the keystore to the auth function + * Update daemon from kanidm + * test: Add a pause to ensure tasks daemon sees himmelblau + * Update kanidm submodule + * config: Include domain sections in configured domains + * msal: Add acquire_token_by_refresh_token + * enrollment: Authentication fixes + * tests: Create the hsm-pin directory + * idprovider: Add domain join debug + * cargo: Use relative paths and remove most symlinks + * idprovider: Allow group search when device is authenticated + * msal: Move the application reqs from misc to msal::application + * msal: Move user reqs from misc to msal::user + * Remove duplicates from allow_groups during enrollment + * Remove device enrollment from TODO + * Implement Device enrollment + * enrollment: Add the nonce service request + * enrollment: Add enrollment service discovery + * Implement ConfidentialClientApplication for enrollment + * daemon: Fix inverted logic on cache dir check + * nss: Use upstream nss package + * idprovider: Provider auth needs to point to just the host + * config: Consistently use the config file provided to the daemon + * cargo: Use relative paths and remove most symlinks + * clippy: Add kanidm's clippy config + * config: Only check for tenant_id, authority, graph if necessary + * Update README.md + * Update version to 0.1.2 + * config: Fix typos in the config file + * 
Make most params to acquire_token_interactive optional + * Config can take defaults + * cli: Add missing cli opt file + * cli: Improve aad-tool options and interface + * Update README.md + * tests: Fix tasks daemon name typo + * Remove MFA from TODO + +------------------------------------------------------------------- +Fri Dec 22 18:07:18 UTC 2023 - dmulder@suse.com + +- Update to version 0.1.1+git.10.4aa76b7: + * daemon: Fix inverted logic on cache dir check + * nss: Use upstream nss package + * idprovider: Provider auth needs to point to just the host + * config: Consistently use the config file provided to the daemon + * cargo: Use relative paths and remove most symlinks + * clippy: Add kanidm's clippy config + * config: Only check for tenant_id, authority, graph if necessary + * Correct the cargo version + +------------------------------------------------------------------- +Mon Nov 13 19:12:05 UTC 2023 - dmulder@suse.com + +- Update to version 0.1.1+git.0.6d2f645: + * config: Remove comments about experimental policy enforement + * config: Fix typos in the config file + +------------------------------------------------------------------- +Tue Sep 26 13:22:40 UTC 2023 - Jan Engelhardt + +- Reduce size of expanded scriptlets by reducing %service_* calls +- Wrap descriptions + +------------------------------------------------------------------- +Thu Sep 14 17:16:34 UTC 2023 - david.mulder@suse.com + +- Update to version 0.1.0+git.2.2391ac0: + * Update version to 0.1.0 + * Update the README + * idprovider: Fix mixed case auth failure + * daemon: Port daemon changes from kanidm + * provider: Skip provider init on silent auth and offline + * daemon: Run himmelblaud as non-root dynamic user + +------------------------------------------------------------------- +Tue Sep 12 21:12:46 UTC 2023 - david.mulder@suse.com + +- Update to version 0.0.4+git.50.112df77: + * Always match DAG where present + * Prohibit authentication with changing IDs + 
+-------------------------------------------------------------------
+Fri Sep 08 14:16:20 UTC 2023 - david.mulder@suse.com
+
+- Update to version 0.0.4+git.42.d641c8b:
+ * Run cargo fmt and cargo clippy
+ * Implement DeviceAuthorizationGrant for MFA
+ * test: Initialize the pam_allow_groups with users
+ * Use new pam state machine in himmelblau
+ * Remove the non-functional device enrollment
+ * TODO: New details regarding MS auth cache
+ * daemon: Implement pam allow groups
+ * Code rearrangement
+
+-------------------------------------------------------------------
+Thu Aug 10 14:55:54 UTC 2023 - dmulder@suse.com
+
+- Update to version 0.0.4+git.30.26c26e7:
+ * aad-tool: Disable enrollment by default
+ * provider: Fetch GECOS from old token on silent acquire
+ * msal: Add bindings for device auth flow
+ * Add debug for local user ignore
+ * provider: Only retry auth if we're sure group read was requested
+ * provider: Provide user token refresh
+ * provider: Cause unix_group_get to respond with BadRequest
+ * provider: Implement provider_authenticate
+
+-------------------------------------------------------------------
+Tue Aug 08 19:29:40 UTC 2023 - dmulder@suse.com
+
+- Update to version 0.0.4+git.9.a7c5ac2:
+ * osc breaks with workspace errors using symlinks
+ * gp: Disable MDM policies by default
+
+-------------------------------------------------------------------
+Mon Aug 07 20:31:52 UTC 2023 - dmulder@suse.com
+
+- Update to version 0.0.4+git.3.b500f1f:
+ * Update serde version
+ * Update version to 0.0.4
+ * Only build necessary bits of kanidm proto
+ * Add cache operations to daemon and aad-tool
+ * tests: Include local cache of rust deps
+ * cache: Use the kanidm cache backend
+
+-------------------------------------------------------------------
+Mon Jul 31 21:16:59 UTC 2023 - dmulder@suse.com
+
+- Update to version 0.0.3+git.10.761b4d2:
+ * gp: Apply chromium policies
+ * gp: Implement Group Policy object listing
+ * test: Fix build test failure
+ * tests: Return the correct error code from tests
+ * test: Separate project build from docker build
+ * tests: Deploy config when testing
+
+-------------------------------------------------------------------
+Tue Jul 18 18:54:07 UTC 2023 - dmulder@suse.com
+
+- Update to version 0.0.3+git.3.f0883b1:
+ * nss: Fix misaligned pointer dereference errors
+ * Fix code links
+
+-------------------------------------------------------------------
+Mon Jul 17 19:43:26 UTC 2023 - dmulder@suse.com
+
+- Update to version 0.0.3+git.1.e6847eb:
+ * Revert "nss: Use kanidm nss code"
+ * Update lib versions to match package version
+ * Shallow clone kanidm for pam/nss
+ * tests: Fix tar recursion
+
+-------------------------------------------------------------------
+Fri Jul 14 17:23:46 UTC 2023 - dmulder@suse.com
+
+- Update to version 0.0.2+git.22.1c3ce4b:
+ * Remove symlinks and just point to kanidm sources
+ * nss: Use kanidm nss code
+ * Add submodule commands to main Makefile
+ * pam: Use kanidm pam code, glue into himmelblau
+ * TODO: Only auth to configured domains
+
+-------------------------------------------------------------------
+Mon Jul 10 21:19:19 UTC 2023 - dmulder@suse.com
+
+- Update to version 0.0.2+git.15.d42b114:
+ * aad-tool: Enroll via the daemon
+ * config: Add func for requesting configured socket path
+ * aad-tool: Improve enroll options
+
+-------------------------------------------------------------------
+Mon Jul 10 19:23:50 UTC 2023 - dmulder@suse.com
+
+- Update to version 0.0.2+git.11.91df240:
+ * daemon: Add a systemd service
+ * daemon: Don't request group read scope if using Intune
+ * TODO: Mention the work needed for the cache
+ * README: Include homedir creation instructions
+ * daemon: If auth fails, indicate the user
+
+-------------------------------------------------------------------
+Fri Jul 07 16:18:10 UTC 2023 - dmulder@suse.com
+
+- Update to version 0.0.2+git.6.de1afd6:
+ * test: Ensure invalid users aren't cached
+ * test: Skip getent group tests failing due to nss issue
+ * tests: Add nss tests
+ * tests: Test pam auth
+ * msal: Allow fetching auth url
+
+-------------------------------------------------------------------
+Wed Jun 28 16:55:26 UTC 2023 - dmulder@suse.com
+
+- Update to version 0.0.2+git.0.5bfbedd:
+ * cache: Make the cache persistent
+ * TODO: Cannot fudge an initial nss request
+ * Use tracing for debug instead of log
+ * aad-tool: Fix some build warnings
+ * aad-tool: Add TODO comments regarding enrollment issues
+ * aad-tool: Always use interactive enrollment
+ * fix readme
+ * aad-tool: Save the device_id after enrollment
+ * aad-tool: Cannot enroll in Intune Portal directly
+ * aad-tool: Parse the enrollment response
+ * aad-tool: Add a enroll command for Azure AD device
+ * memcache: Only append existing group member if missing
+ * himmelblaud: Fix login when Intune errors on group read
+ * memcache: Create a memcache for user and group caching
+ * TODO: Group memberships
+ * TODO: NSS requests via GET reqs
+ * config: Include default for authority_host
+ * config: Specify constants for defaults
+ * Cleanup the build depencencies
+ * TODO: Fix the headings
+ * TODO: Add major reqs section
+ * Cause the odc provider to supply the authority_host
+ * TODO: Use tracing module
+ * Include offline logon in todo list
+ * Add a TODO list
+ * Discover the tenant_id in the same manner as Intune
+ * himmelblaud: Debug for unknown user/group
+ * himmelblaud: Fix failure to cache user
+ * himmelblaud: Pam Allowed and Sessions stubs
+ * himmelblaud: Implement NssGroupByGid and NssAccountByUid
+ * himmelblaud: Implement group lookups
+ * Include the gecos in the mem cache
+ * Use config for shell, homedir, uid range, tenant
+ * Improve Developer Readme
+ * config: Config should not default app_id
+ * Remove invalid comment
+ * himmelblaud: Return with failure without tenant_id
+ * config: Move the config to unix_common module
+ * himmelblaud: Make the socket path configurable
+ * himmelblaud: Use Intune portal when app_id unset
+
+-------------------------------------------------------------------
+Fri Jun 02 21:16:00 UTC 2023 - dmulder@suse.com
+
+- Update to version 0.0.1+git.15.f9a024e:
+ * Generate unix uid/gid
+ * himmelblaud: Stubs for NssGroupByName and NssGroups
+ * himmelblaud: Fix auth failure error message
+ * himmelblaud: Open socket with permissions for users to read/write
+ * msal: Fix nssaccountbyname lookup
+ * himmelblaud: Improve logging
+ * Include systemd journal logging
+ * msal: Fix failure parsing user token dict
+ * Implement simple NssAccountByName
+ * Implement basic NssAccounts request
+ * pam: Fix unused variable warning
+ * himmelblaud: Rewrite the daemon in Rust
+ * msal: Add a simple rust binding to python msal
+ * Remove the python daemon in favor of Rust
+
+-------------------------------------------------------------------
+Fri May 26 20:48:17 UTC 2023 - dmulder@suse.com
+
+- Update to version 0.0.1+git.0.56eb9f0:
+ * himmelblaud: Implement nss lookups in the daemon
+ * himmelblaud: Allow anyone to r/w the socket
+ * himmelblaud: Implement simple nss getpwent name
+ * pam: Remove account allowed and being session impl
+ * unix_common: UID and GID need not match
+ * himmelblaud: Improve the debug output
+ * himmelblaud: Remove stdout debug since logging to journald
+ * himmelblaud: Log to the systemd journal
+ * nss: Add the nss module
+ * Improve directory structure
+
diff --git a/himmelblau.spec b/himmelblau.spec
new file mode 100644
index 0000000..0376690
--- /dev/null
+++ b/himmelblau.spec
@@ -0,0 +1,259 @@
+#
+# spec file for package himmelblau
+#
+# Copyright (c) 2024 SUSE LLC
+#
+# All modifications and additions to the file contributed by third parties
+# remain the property of their copyright owners, unless otherwise agreed
+# upon. The license for this file, and modifications and additions to the
+# file, is the same license as for the pristine package itself (unless the
+# license for the pristine package is not an Open Source License, in which
+# case the license is the MIT License). An "Open Source License" is a
+# license that conforms to the Open Source Definition (Version 1.9)
+# published by the Open Source Initiative.
+
+# Please submit bugfixes or comments via https://bugs.opensuse.org/
+#
+
+
+Name: himmelblau
+Version: 0.8.0+git.0.249ba5f
+Release: 0
+Summary: Interoperability suite for Microsoft Azure Entra Id
+License: GPL-3.0-or-later
+URL: https://github.com/himmelblau-idm/himmelblau
+Group: Productivity/Networking/Security
+Source: %{name}-%{version}.tar.bz2
+Source1: vendor.tar.zst
+Source2: cargo_config
+BuildRequires: binutils
+BuildRequires: cargo
+BuildRequires: cargo-packaging
+BuildRequires: clang-devel
+BuildRequires: dbus-1-devel
+BuildRequires: krb5-devel
+BuildRequires: libcap-devel
+BuildRequires: libclang13
+BuildRequires: libdhash-devel
+BuildRequires: libopenssl-3-devel
+BuildRequires: pam-devel
+BuildRequires: patchelf
+BuildRequires: pcre2-devel
+BuildRequires: sqlite3-devel
+BuildRequires: tpm2-0-tss-devel
+BuildRequires: utf8proc-devel
+%if 0%{?sle_version} > 150600
+BuildRequires: atk-devel
+BuildRequires: cairo-devel
+BuildRequires: gdk-pixbuf-devel
+BuildRequires: gobject-introspection-devel
+BuildRequires: gtk3-devel
+BuildRequires: libsoup-devel
+BuildRequires: libudev-devel
+BuildRequires: mercurial
+BuildRequires: pango-devel
+BuildRequires: python3-gyp
+BuildRequires: webkit2gtk3-devel
+%endif
+BuildRequires: systemd-devel
+ExclusiveArch: %{rust_tier1_arches}
+Recommends: libnss_himmelblau2
+Recommends: pam-himmelblau
+Provides: aad-cli
+Provides: aad-common
+Provides: authd
+Provides: authd-msentraid
+%if 0%{?is_opensuse}
+Suggests: himmelblau-sso
+%endif
+Requires: man
+# This is necessary to prevent users from installing Himmelblau along side
+# Microsoft's Broker, as these will conflict.
+Provides: microsoft-identity-broker
+
+%description
+Himmelblau is an interoperability suite for Microsoft Azure Entra Id,
+which allows users to sign into a Linux machine using Azure
+Entra Id credentials.
+
+%package -n pam-himmelblau
+Summary: Azure Entra Id authentication PAM module
+Requires: %{name} = %{version}
+Provides: libpam-aad
+Suggests: himmelblau-sshd-config
+
+%description -n pam-himmelblau
+Himmelblau is an interoperability suite for Microsoft Azure Entra Id,
+which allows users to sign into a Linux machine using Azure
+Entra Id credentials.
+
+%package -n libnss_himmelblau2
+Summary: Azure Entra Id authentication NSS module
+Requires(post): /sbin/ldconfig
+Requires(postun): /sbin/ldconfig
+Requires: %{name}
+Provides: libnss-aad
+Provides: nss-himmelblau
+
+%description -n libnss_himmelblau2
+Himmelblau is an interoperability suite for Microsoft Azure Entra Id,
+which allows users to sign into a Linux machine using Azure
+Entra Id credentials.
+
+%package -n himmelblau-sshd-config
+Summary: Azure Entra Id SSHD Configuration
+Requires: %{name} = %{version}
+Requires: openssh-server
+BuildRequires: openssh-server
+BuildArch: noarch
+
+%description -n himmelblau-sshd-config
+Himmelblau is an interoperability suite for Microsoft Azure Entra Id,
+which allows users to sign into a Linux machine using Azure
+Entra Id credentials.
+
+%if 0%{?is_opensuse}
+# SLE doesn't provide python3-pydbus
+%package -n himmelblau-sso
+Summary: Azure Entra Id Firefox SSO Configuration
+Requires: %{name} = %{version}
+Requires: MozillaFirefox
+Requires: python3-pydbus
+Provides: linux-entra-sso
+
+%description -n himmelblau-sso
+Himmelblau is an interoperability suite for Microsoft Azure Entra Id,
+which allows users to sign into a Linux machine using Azure
+Entra Id credentials.
+%endif
+
+%post -n libnss_himmelblau2 -p /sbin/ldconfig
+%postun -n libnss_himmelblau2 -p /sbin/ldconfig
+
+%prep
+%autosetup -a1
+install -D -m 644 %{SOURCE2} .cargo/config
+
+%build
+# Dependencies for interative Hello PIN changes aren't present prior to 15.6
+%if 0%{?sle_version} <= 150600
+%{cargo_build}
+%else
+%{cargo_build} --features interactive
+%endif
+
+%check
+
+%{cargo_test}
+
+%install
+install -D -d -m 0755 %{buildroot}/%{_sysconfdir}/himmelblau
+cp src/config/himmelblau.conf.example %{buildroot}/%{_sysconfdir}/himmelblau/himmelblau.conf
+cp target/release/libnss_%{name}.so target/release/libnss_%{name}.so.2
+install -D -d -m 0755 %{buildroot}/%{_libdir}
+strip --strip-unneeded target/release/libnss_himmelblau.so.2
+patchelf --set-soname libnss_himmelblau.so.2 target/release/libnss_himmelblau.so.2
+install -m 0755 target/release/libnss_%{name}.so.2 %{buildroot}/%{_libdir}
+install -D -d -m 0755 %{buildroot}/%{_pam_moduledir}
+strip --strip-unneeded target/release/libpam_himmelblau.so
+install -m 0755 target/release/libpam_%{name}.so %{buildroot}/%{_pam_moduledir}/pam_%{name}.so
+install -D -d -m 0755 %{buildroot}%{_sbindir}
+strip --strip-unneeded target/release/himmelblaud
+strip --strip-unneeded target/release/himmelblaud_tasks
+strip --strip-unneeded target/release/broker
+install -m 0755 target/release/himmelblaud %{buildroot}/%{_sbindir}
+install -m 0755 target/release/himmelblaud_tasks %{buildroot}/%{_sbindir}
+install -m 0755 target/release/broker %{buildroot}/%{_sbindir}
+pushd %{buildroot}%{_sbindir}
+ln -s himmelblaud rchimmelblaud
+ln -s himmelblaud_tasks rchimmelblaud_tasks
+ln -s broker rcbroker
+popd
+install -D -d -m 0755 %{buildroot}%{_bindir}
+strip --strip-unneeded target/release/aad-tool
+install -m 0755 target/release/aad-tool %{buildroot}/%{_bindir}
+install -D -d -m 0755 %{buildroot}%{_unitdir}
+install -m 0644 %{_builddir}/%{name}-%{version}/platform/opensuse/himmelblaud.service %{buildroot}%{_unitdir}/himmelblaud.service
+install -m 0644 %{_builddir}/%{name}-%{version}/platform/opensuse/himmelblaud-tasks.service %{buildroot}%{_unitdir}/himmelblaud-tasks.service
+install -D -d -m 0755 %{buildroot}%{_datarootdir}/dbus-1/services
+install -m 0644 %{_builddir}/%{name}-%{version}/platform/opensuse/com.microsoft.identity.broker1.service %{buildroot}%{_datarootdir}/dbus-1/services/
+install -D -d -m 0755 %{buildroot}%{_sysconfdir}/ssh/sshd_config.d
+install -m 0644 %{_builddir}/%{name}-%{version}/platform/el/sshd_config %{buildroot}%{_sysconfdir}/ssh/sshd_config.d/himmelblau.conf
+install -D -d -m 0755 %{buildroot}%{_sysconfdir}/krb5.conf.d
+install -m 0644 %{_builddir}/%{name}-%{version}/src/config/krb5_himmelblau.conf %{buildroot}%{_sysconfdir}/krb5.conf.d/krb5_himmelblau.conf
+
+# Firefox Single Sign On
+%if 0%{?is_opensuse}
+install -m 0755 %{_builddir}/%{name}-%{version}/src/sso/src/linux-entra-sso.py %{buildroot}/%{_bindir}/linux-entra-sso
+sed -i 's/#!\/usr\/bin\/env python3/#!\/usr\/bin\/python3/' %{buildroot}/%{_bindir}/linux-entra-sso
+install -D -d -m 0755 %{buildroot}%{_libdir}/mozilla/native-messaging-hosts
+install -m 0644 %{_builddir}/%{name}-%{version}/src/sso/src/firefox/linux_entra_sso.json %{buildroot}%{_libdir}/mozilla/native-messaging-hosts/
+install -D -d -m 0755 %{buildroot}%{_sysconfdir}/firefox/policies
+install -m 0644 %{_builddir}/%{name}-%{version}/src/sso/src/firefox/policies.json %{buildroot}%{_sysconfdir}/firefox/policies/
+%endif
+
+# Man pages
+install -D -d -m 0755 %{buildroot}%{_mandir}/man1
+install -D -d -m 0755 %{buildroot}%{_mandir}/man5
+install -D -d -m 0755 %{buildroot}%{_mandir}/man8
+install -m 0644 %{_builddir}/%{name}-%{version}/man/man1/aad-tool.1 %{buildroot}%{_mandir}/man1/
+install -m 0644 %{_builddir}/%{name}-%{version}/man/man5/himmelblau.conf.5 %{buildroot}%{_mandir}/man5/
+install -m 0644 %{_builddir}/%{name}-%{version}/man/man8/himmelblaud.8 %{buildroot}%{_mandir}/man8/
+install -m 0644 %{_builddir}/%{name}-%{version}/man/man8/himmelblaud_tasks.8 %{buildroot}%{_mandir}/man8/
+
+%pre
+%service_add_pre himmelblaud.service himmelblaud-tasks.service
+
+%post
+%service_add_post himmelblaud.service himmelblaud-tasks.service
+
+%preun
+%service_del_preun himmelblaud.service himmelblaud-tasks.service
+
+%postun
+%service_del_postun himmelblaud.service himmelblaud-tasks.service
+
+%files
+%dir %{_sysconfdir}/himmelblau
+%config(noreplace) %{_sysconfdir}/himmelblau/himmelblau.conf
+%{_sysconfdir}/krb5.conf.d/krb5_himmelblau.conf
+%{_sbindir}/himmelblaud
+%{_sbindir}/rchimmelblaud
+%{_sbindir}/himmelblaud_tasks
+%{_sbindir}/rchimmelblaud_tasks
+%{_sbindir}/broker
+%{_sbindir}/rcbroker
+%{_bindir}/aad-tool
+%{_unitdir}/himmelblaud.service
+%{_unitdir}/himmelblaud-tasks.service
+%{_datarootdir}/dbus-1/services/com.microsoft.identity.broker1.service
+%{_mandir}/man1/aad-tool.1*
+%{_mandir}/man5/himmelblau.conf.5*
+%{_mandir}/man8/himmelblaud.8*
+%{_mandir}/man8/himmelblaud_tasks.8*
+
+%files -n libnss_himmelblau2
+%{_libdir}/libnss_%{name}.so.*
+
+%files -n pam-himmelblau
+%{_pam_moduledir}/pam_%{name}.so
+
+%files -n himmelblau-sshd-config
+# openssh-server doesn't own /etc/ssh/sshd_config.d before 15.5
+%if 0%{?sle_version} <= 150500
+%dir %{_sysconfdir}/ssh/sshd_config.d
+%endif
+%config %{_sysconfdir}/ssh/sshd_config.d/himmelblau.conf
+
+%if 0%{?is_opensuse}
+%files -n himmelblau-sso
+%{_bindir}/linux-entra-sso
+%dir %{_libdir}/mozilla
+%dir %{_libdir}/mozilla/native-messaging-hosts
+%{_libdir}/mozilla/native-messaging-hosts/linux_entra_sso.json
+%dir %{_sysconfdir}/firefox
+%dir %{_sysconfdir}/firefox/policies
+%config %{_sysconfdir}/firefox/policies/policies.json
+%endif
+
+%changelog
diff --git a/vendor.tar.zst b/vendor.tar.zst
new file mode 100644
index 0000000..67b090a
--- /dev/null
+++ b/vendor.tar.zst
@@ -0,0 +1,3 @@
+version https://git-lfs.github.com/spec/v1
+oid sha256:acce5e6eea59be7ad31183508ca8d402ac9c0b48ad4fc7299472445e9098aa46
+size 51639675
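Review bot: The `Provides: microsoft-identity-broker` line in the main package preamble of himmelblau.spec does not by itself do what the comment above it says, because a Provides only lets this package satisfy dependencies on that name and does not stop RPM from installing a package actually named microsoft-identity-broker next to it. If the intent is to keep two brokers off one host (both would presumably claim the `com.microsoft.identity.broker1` D-Bus service that %install places under dbus-1/services), add `Conflicts: microsoft-identity-broker` beside the Provides. In the same file, `libnss_himmelblau2` declares `Requires: %{name}` without a version while pam-himmelblau pins `%{name} = %{version}`; writing `Requires: %{name} = %{version}` there as well keeps the NSS module from being paired with a daemon from another release after a partial update.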