|
|
|
|
@@ -24,8 +24,8 @@ License: GPL-3.0-or-later AND LGPL-3.0-or-later
|
|
|
|
|
Group: System/Daemons
|
|
|
|
|
URL: https://github.com/SSSD/sssd
|
|
|
|
|
#Git-Clone: https://github.com/SSSD/sssd
|
|
|
|
|
Source: https://github.com/SSSD/sssd/releases/download/%version/%name-%version.tar.gz
|
|
|
|
|
Source2: https://github.com/SSSD/sssd/releases/download/%version/%name-%version.tar.gz.asc
|
|
|
|
|
Source: https://github.com/SSSD/sssd/releases/download/%version/%name-2.10.0.tar.gz
|
|
|
|
|
Source2: https://github.com/SSSD/sssd/releases/download/%version/%name-2.10.0.tar.gz.asc
|
|
|
|
|
Source3: baselibs.conf
|
|
|
|
|
Source5: %name.keyring
|
|
|
|
|
Source6: sssd.sysusers
|
|
|
|
|
@@ -34,7 +34,6 @@ Patch1: 0001-Remove-versions-checks-that-need-updating-every-iter.patch
|
|
|
|
|
Patch2: 0002-Harden-sssd-ifp.service.patch
|
|
|
|
|
Patch3: 0003-Harden-sssd-kcm.service.patch
|
|
|
|
|
Patch4: 0004-Add-symvers.patch
|
|
|
|
|
Patch5: 0005-sssd-always-print-path-when-config-object-is-rejecte.patch
|
|
|
|
|
|
|
|
|
|
BuildRequires: autoconf >= 2.59
|
|
|
|
|
BuildRequires: automake
|
|
|
|
|
@@ -57,22 +56,19 @@ BuildRequires: nss_wrapper
|
|
|
|
|
BuildRequires: openldap2-devel
|
|
|
|
|
BuildRequires: pam-devel
|
|
|
|
|
BuildRequires: pkg-config >= 0.21
|
|
|
|
|
BuildRequires: python3-wheel
|
|
|
|
|
BuildRequires: python3-setuptools
|
|
|
|
|
BuildRequires: systemd-rpm-macros
|
|
|
|
|
BuildRequires: sysuser-tools
|
|
|
|
|
BuildRequires: uid_wrapper
|
|
|
|
|
BuildRequires: pkgconfig(augeas) >= 1.0.0
|
|
|
|
|
BuildRequires: pkgconfig(collection) >= 0.5.1
|
|
|
|
|
BuildRequires: pkgconfig(dbus-1) >= 1.0.0
|
|
|
|
|
BuildRequires: pkgconfig(dhash) >= 0.4.2
|
|
|
|
|
BuildRequires: pkgconfig(glib-2.0)
|
|
|
|
|
BuildRequires: pkgconfig(ini_config) >= 1.3
|
|
|
|
|
BuildRequires: pkgconfig(ini_config) >= 1.1.0
|
|
|
|
|
BuildRequires: pkgconfig(jansson)
|
|
|
|
|
BuildRequires: pkgconfig(ldb) >= 1.2.0
|
|
|
|
|
BuildRequires: pkgconfig(libcap)
|
|
|
|
|
BuildRequires: pkgconfig(ldb) >= 0.9.2
|
|
|
|
|
BuildRequires: pkgconfig(libcares)
|
|
|
|
|
BuildRequires: pkgconfig(libcrypto) >= 1.0.1
|
|
|
|
|
BuildRequires: pkgconfig(libcrypto)
|
|
|
|
|
%if 0%{?suse_version} >= 1600
|
|
|
|
|
BuildRequires: pkgconfig(libcurl)
|
|
|
|
|
%endif
|
|
|
|
|
@@ -105,7 +101,6 @@ BuildRequires: pkgconfig(uuid)
|
|
|
|
|
# Package contains just config files, not needed for build.
|
|
|
|
|
#!BuildIgnore: libldap-data
|
|
|
|
|
%endif
|
|
|
|
|
%sysusers_requires
|
|
|
|
|
%{?systemd_ordering}
|
|
|
|
|
%sysusers_requires
|
|
|
|
|
Requires(pre): permissions
|
|
|
|
|
@@ -131,7 +126,6 @@ Obsoletes: sssd-common < %version-%release
|
|
|
|
|
%define mcpath %sssdstatedir/mc
|
|
|
|
|
%define deskprofilepath %sssdstatedir/deskprofile
|
|
|
|
|
%define ldbdir %(pkg-config ldb --variable=modulesdir)
|
|
|
|
|
%define child_capabilities cap_chown,cap_dac_override,cap_setuid,cap_setgid=ep
|
|
|
|
|
|
|
|
|
|
# Both SSSD and cifs-utils provide an idmap plugin for cifs.ko
|
|
|
|
|
# %%_sysconfdir/cifs-utils/idmap-plugin should be a symlink to one of the 2 idmap plugins
|
|
|
|
|
@@ -145,11 +139,11 @@ Requires(post): update-alternatives
|
|
|
|
|
Requires(postun): update-alternatives
|
|
|
|
|
|
|
|
|
|
%description
|
|
|
|
|
A set of daemons to manage access to remote directories and
|
|
|
|
|
authentication mechanisms. sssd provides an NSS and PAM interfaces
|
|
|
|
|
toward the system and a pluggable backend system to connect to
|
|
|
|
|
multiple different account sources. It is also the basis to provide
|
|
|
|
|
client auditing and policy services for projects like FreeIPA.
|
|
|
|
|
Provides a set of daemons to manage access to remote directories and
|
|
|
|
|
authentication mechanisms. It provides an NSS and PAM interface toward
|
|
|
|
|
the system and a pluggable backend system to connect to multiple different
|
|
|
|
|
account sources. It is also the basis to provide client auditing and policy
|
|
|
|
|
services for projects like FreeIPA.
|
|
|
|
|
|
|
|
|
|
%package ad
|
|
|
|
|
Summary: The ActiveDirectory backend plugin for sssd
|
|
|
|
|
@@ -159,8 +153,9 @@ Requires: %name-krb5-common = %version-%release
|
|
|
|
|
Requires: adcli
|
|
|
|
|
|
|
|
|
|
%description ad
|
|
|
|
|
A back-end provider that the SSSD can utilize to fetch identity data
|
|
|
|
|
from, and authenticate with, an Active Directory server.
|
|
|
|
|
Provides the Active Directory back end that the SSSD can utilize to
|
|
|
|
|
fetch identity data from and authenticate against an Active Directory
|
|
|
|
|
server.
|
|
|
|
|
|
|
|
|
|
%package dbus
|
|
|
|
|
Summary: The D-Bus responder of sssd
|
|
|
|
|
@@ -169,7 +164,7 @@ Group: System/Base
|
|
|
|
|
Requires: %name = %version
|
|
|
|
|
|
|
|
|
|
%description dbus
|
|
|
|
|
D-Bus responder of sssd, called InfoPipe, which allows
|
|
|
|
|
Provides the D-Bus responder of sssd, called InfoPipe, which allows
|
|
|
|
|
information from sssd to be transmitted over the system bus.
|
|
|
|
|
|
|
|
|
|
%package polkit-rules
|
|
|
|
|
@@ -195,8 +190,8 @@ Obsoletes: %name-ipa-provider < %version-%release
|
|
|
|
|
Provides: %name-ipa-provider = %version-%release
|
|
|
|
|
|
|
|
|
|
%description ipa
|
|
|
|
|
A back-end provider that the SSSD can utilize to fetch identity data
|
|
|
|
|
from, and authenticate with, an IPA server.
|
|
|
|
|
Provides the IPA back end that the SSSD can utilize to fetch identity
|
|
|
|
|
data from and authenticate against an IPA server.
|
|
|
|
|
|
|
|
|
|
%package kcm
|
|
|
|
|
Summary: SSSD's Kerberos cache manager
|
|
|
|
|
@@ -215,8 +210,8 @@ Group: System/Daemons
|
|
|
|
|
Requires: %name-krb5-common = %version-%release
|
|
|
|
|
|
|
|
|
|
%description krb5
|
|
|
|
|
A back-end provider that the SSSD can utilize to authenticate against
|
|
|
|
|
a Kerberos server.
|
|
|
|
|
Provides the Kerberos back end that the SSSD can utilize authenticate
|
|
|
|
|
against a Kerberos server.
|
|
|
|
|
|
|
|
|
|
%package krb5-common
|
|
|
|
|
Summary: SSSD helpers needed for Kerberos and GSSAPI authentication
|
|
|
|
|
@@ -237,8 +232,8 @@ Group: System/Daemons
|
|
|
|
|
Requires: %name-krb5-common = %version-%release
|
|
|
|
|
|
|
|
|
|
%description ldap
|
|
|
|
|
A back-end provider that the SSSD can utilize to fetch identity data
|
|
|
|
|
from, and authenticate with, an LDAP server.
|
|
|
|
|
Provides the LDAP back end that the SSSD can utilize to fetch
|
|
|
|
|
identity data from and authenticate against an LDAP server.
|
|
|
|
|
|
|
|
|
|
%package proxy
|
|
|
|
|
Summary: The proxy backend plugin for sssd
|
|
|
|
|
@@ -246,8 +241,8 @@ License: GPL-3.0-or-later
|
|
|
|
|
Group: System/Daemons
|
|
|
|
|
|
|
|
|
|
%description proxy
|
|
|
|
|
A back-end provider which can be used to wrap existing NSS and/or PAM
|
|
|
|
|
modules to leverage SSSD caching. (This can replace nscd.)
|
|
|
|
|
Provides the proxy back end which can be used to wrap an existing NSS
|
|
|
|
|
and/or PAM modules to leverage SSSD caching.
|
|
|
|
|
|
|
|
|
|
%package tools
|
|
|
|
|
Summary: Commandline tools for sssd
|
|
|
|
|
@@ -257,7 +252,7 @@ Requires: python3-sssd-config = %version-%release
|
|
|
|
|
Requires: sssd = %version
|
|
|
|
|
|
|
|
|
|
%description tools
|
|
|
|
|
The packages contains command-line tools for managing users and groups using
|
|
|
|
|
The packages contains commandline tools for managing users and groups using
|
|
|
|
|
the "local" id provider of the System Security Services Daemon (sssd).
|
|
|
|
|
|
|
|
|
|
%package winbind-idmap
|
|
|
|
|
@@ -274,7 +269,7 @@ License: LGPL-3.0-or-later
|
|
|
|
|
Group: System/Libraries
|
|
|
|
|
|
|
|
|
|
%description -n libsss_certmap0
|
|
|
|
|
A utility library for FreeIPA to map certificates.
|
|
|
|
|
A utility library for FreeIPA to map certs.
|
|
|
|
|
|
|
|
|
|
%package -n libsss_certmap-devel
|
|
|
|
|
Summary: Development files for the FreeIPA certmap library
|
|
|
|
|
@@ -283,7 +278,7 @@ Group: Development/Libraries/C and C++
|
|
|
|
|
Requires: libsss_certmap0 = %version
|
|
|
|
|
|
|
|
|
|
%description -n libsss_certmap-devel
|
|
|
|
|
A utility library for FreeIPA to map certificates.
|
|
|
|
|
A utility library for FreeIPA to map certs.
|
|
|
|
|
|
|
|
|
|
%package -n libipa_hbac0
|
|
|
|
|
Summary: FreeIPA HBAC Evaluator library
|
|
|
|
|
@@ -347,6 +342,7 @@ Requires: libsss_nss_idmap0 = %version
|
|
|
|
|
%description -n libsss_nss_idmap-devel
|
|
|
|
|
A utility library for FreeIPA to map Windows SIDs to Unix user/group IDs.
|
|
|
|
|
|
|
|
|
|
%if 0%{?suse_version} < 1600
|
|
|
|
|
%package -n libsss_simpleifp0
|
|
|
|
|
Summary: The SSSD D-Bus responder helper library
|
|
|
|
|
License: GPL-3.0-or-later
|
|
|
|
|
@@ -369,6 +365,7 @@ Requires: libsss_simpleifp0 = %version
|
|
|
|
|
This subpackage provides the development files for sssd's simpleifp,
|
|
|
|
|
a library that simplifies the D-Bus API for the SSSD InfoPipe
|
|
|
|
|
responder.
|
|
|
|
|
%endif
|
|
|
|
|
|
|
|
|
|
%package -n libsss_sudo
|
|
|
|
|
Summary: A library to allow communication between sudo and SSSD
|
|
|
|
|
@@ -428,6 +425,9 @@ export PATH="$PATH:/usr/sbin"
|
|
|
|
|
|
|
|
|
|
autoreconf -fiv
|
|
|
|
|
%configure \
|
|
|
|
|
--runstatedir=%{_rundir} \
|
|
|
|
|
--disable-rpath \
|
|
|
|
|
--disable-static \
|
|
|
|
|
--with-db-path="%dbpath" \
|
|
|
|
|
--with-pipe-path="%pipepath" \
|
|
|
|
|
--with-pubconf-path="%pubconfpath" \
|
|
|
|
|
@@ -435,7 +435,7 @@ autoreconf -fiv
|
|
|
|
|
--with-environment-file="%_sysconfdir/sysconfig/sssd" \
|
|
|
|
|
--with-initscript=systemd \
|
|
|
|
|
--with-syslog=journald \
|
|
|
|
|
--with-pid-path="%_rundir/sssd/" \
|
|
|
|
|
--with-pid-path="%_rundir" \
|
|
|
|
|
--enable-nsslibdir="%_libdir" \
|
|
|
|
|
--enable-pammoddir="%_pam_moduledir" \
|
|
|
|
|
--with-ldb-lib-dir="%ldbdir" \
|
|
|
|
|
@@ -449,15 +449,16 @@ autoreconf -fiv
|
|
|
|
|
--with-subid
|
|
|
|
|
%else
|
|
|
|
|
--with-selinux=no \
|
|
|
|
|
--with-semanage=no \
|
|
|
|
|
--with-libsifp \
|
|
|
|
|
--with-files-provider
|
|
|
|
|
%endif
|
|
|
|
|
%make_build all
|
|
|
|
|
%make_build all runstatedir=%{_rundir}
|
|
|
|
|
|
|
|
|
|
%sysusers_generate_pre %{SOURCE6} %{name} %{name}.conf
|
|
|
|
|
|
|
|
|
|
%install
|
|
|
|
|
# sss_obfuscate is compatible with both Python 2 and 3
|
|
|
|
|
# sss_obfuscate is compatible with both python 2 and 3
|
|
|
|
|
perl -i -lpe 's{%_bindir/python\b}{%_bindir/python3}' src/tools/sss_obfuscate
|
|
|
|
|
%make_install dbuspolicydir=%_datadir/dbus-1/system.d
|
|
|
|
|
b="%buildroot"
|
|
|
|
|
@@ -491,14 +492,14 @@ find "$b" -type f -name "*.la" -print -delete
|
|
|
|
|
%find_lang %name --all-name
|
|
|
|
|
|
|
|
|
|
# dummy target for cifs-idmap-plugin
|
|
|
|
|
mkdir -pv "$b/%_sysconfdir/alternatives" "$b/%_sysconfdir/cifs-utils"
|
|
|
|
|
ln -sfv "%_sysconfdir/alternatives/%cifs_idmap_name" "$b/%cifs_idmap_plugin"
|
|
|
|
|
mkdir -pv %buildroot/%_sysconfdir/alternatives %buildroot/%_sysconfdir/cifs-utils
|
|
|
|
|
ln -sfv %_sysconfdir/alternatives/%cifs_idmap_name %buildroot/%cifs_idmap_plugin
|
|
|
|
|
%python3_fix_shebang
|
|
|
|
|
%if 0%{?suse_version} > 1600
|
|
|
|
|
%python3_fix_shebang_path %{buildroot}/%{_libexecdir}/%{name}/sss_analyze
|
|
|
|
|
%elif 0%{?suse_version} == 1600
|
|
|
|
|
# python3_fix_shebang_path macro does not exist in < 1600, was added in python-rom-macros 20231204
|
|
|
|
|
sed -i '1s@#!.*python.*@#!%_bindir/python3.11@' "$b/%_libexecdir/%name/sss_analyze"
|
|
|
|
|
sed -i '1s@#!.*python.*@#!%{_bindir}/python3.11@' %{buildroot}/%{_libexecdir}/%{name}/sss_analyze
|
|
|
|
|
%endif
|
|
|
|
|
|
|
|
|
|
install -D -p -m 0644 %{SOURCE6} %{buildroot}%{_sysusersdir}/%{name}.conf
|
|
|
|
|
@@ -567,7 +568,7 @@ update-alternatives --install %cifs_idmap_plugin %cifs_idmap_name %cifs_idmap_li
|
|
|
|
|
|
|
|
|
|
%postun
|
|
|
|
|
/sbin/ldconfig
|
|
|
|
|
if [ "$1" = "0" ] && [ -x "%_sbindir/pam-config" ]; then
|
|
|
|
|
if [ "$1" = "0" -a -x "%_sbindir/pam-config" ]; then
|
|
|
|
|
"%_sbindir/pam-config" -d --sss || :
|
|
|
|
|
fi
|
|
|
|
|
# del_postun includes a try-restart
|
|
|
|
|
@@ -583,18 +584,23 @@ if [ ! -f "%cifs_idmap_lib" ]; then
|
|
|
|
|
update-alternatives --remove %cifs_idmap_name %cifs_idmap_lib
|
|
|
|
|
fi
|
|
|
|
|
|
|
|
|
|
%ldconfig_scriptlets -n libsss_certmap0
|
|
|
|
|
%ldconfig_scriptlets -n libipa_hbac0
|
|
|
|
|
%ldconfig_scriptlets -n libsss_idmap0
|
|
|
|
|
%ldconfig_scriptlets -n libsss_nss_idmap0
|
|
|
|
|
%if 0%{?suse_version} < 1600
|
|
|
|
|
%ldconfig_scriptlets -n libsss_simpleifp0
|
|
|
|
|
%endif
|
|
|
|
|
|
|
|
|
|
%verifyscript
|
|
|
|
|
%verify_permissions -e %_libexecdir/%{name}/selinux_child
|
|
|
|
|
%verify_permissions -e %_libexecdir/%{name}/sssd_pam
|
|
|
|
|
|
|
|
|
|
%post -n libsss_certmap0 -p /sbin/ldconfig
|
|
|
|
|
%postun -n libsss_certmap0 -p /sbin/ldconfig
|
|
|
|
|
%post -n libipa_hbac0 -p /sbin/ldconfig
|
|
|
|
|
%postun -n libipa_hbac0 -p /sbin/ldconfig
|
|
|
|
|
%post -n libsss_idmap0 -p /sbin/ldconfig
|
|
|
|
|
%postun -n libsss_idmap0 -p /sbin/ldconfig
|
|
|
|
|
%post -n libsss_nss_idmap0 -p /sbin/ldconfig
|
|
|
|
|
%postun -n libsss_nss_idmap0 -p /sbin/ldconfig
|
|
|
|
|
%if 0%{?suse_version} < 1600
|
|
|
|
|
%post -n libsss_simpleifp0 -p /sbin/ldconfig
|
|
|
|
|
%postun -n libsss_simpleifp0 -p /sbin/ldconfig
|
|
|
|
|
%endif
|
|
|
|
|
|
|
|
|
|
%triggerun -- %name < %version-%release
|
|
|
|
|
# sssd takes care of upgrading the database but it doesn't handle downgrades.
|
|
|
|
|
# Clear caches when downgrading the package, which may have an
|
|
|
|
|
@@ -697,7 +703,6 @@ fi
|
|
|
|
|
%_unitdir/sssd-ssh.service
|
|
|
|
|
%_unitdir/sssd-sudo.socket
|
|
|
|
|
%_unitdir/sssd-sudo.service
|
|
|
|
|
%_sysusersdir/*sssd*
|
|
|
|
|
%_bindir/sss_ssh_*
|
|
|
|
|
%_sbindir/sssd
|
|
|
|
|
%if 0%{?suse_version} < 1600
|
|
|
|
|
@@ -748,19 +753,19 @@ fi
|
|
|
|
|
%dir %_libdir/%name/modules/
|
|
|
|
|
%_libdir/%name/modules/libsss_autofs.so
|
|
|
|
|
%_libdir/libsss_sudo.so
|
|
|
|
|
%ldbdir/
|
|
|
|
|
%ldbdir/memberof.so
|
|
|
|
|
%dir %_libexecdir/%name/
|
|
|
|
|
%_libexecdir/%name/p11_child
|
|
|
|
|
%_libexecdir/%name/sssd_autofs
|
|
|
|
|
%_libexecdir/%name/sssd_be
|
|
|
|
|
%_libexecdir/%name/sssd_nss
|
|
|
|
|
%attr(0750,root,%{sssd_user}) %caps(cap_dac_read_search=p) %{_libexecdir}/%{name}/sssd_pam
|
|
|
|
|
%attr(0750,root,%{sssd_user}) %{_libexecdir}/%{name}/sssd_pam
|
|
|
|
|
%_libexecdir/%name/sssd_ssh
|
|
|
|
|
%_libexecdir/%name/sssd_sudo
|
|
|
|
|
%_libexecdir/%name/sss_signal
|
|
|
|
|
%_libexecdir/%name/sssd_check_socket_activated_responders
|
|
|
|
|
%if 0%{?suse_version} >= 1600
|
|
|
|
|
%attr(0750,root,%{sssd_user}) %caps(%{child_capabilities}) %{_libexecdir}/%{name}/selinux_child
|
|
|
|
|
%attr(0750,root,%{sssd_user}) %{_libexecdir}/%{name}/selinux_child
|
|
|
|
|
%endif
|
|
|
|
|
%dir %sssdstatedir
|
|
|
|
|
%attr(700,%{sssd_user},%{sssd_user}) %dir %dbpath/
|
|
|
|
|
@@ -892,8 +897,8 @@ fi
|
|
|
|
|
%dir %_libdir/%name/
|
|
|
|
|
%_libdir/%name/libsss_krb5_common.so
|
|
|
|
|
%dir %_libexecdir/%name/
|
|
|
|
|
%attr(0750,root,%{sssd_user}) %caps(%{child_capabilities}) %_libexecdir/%name/krb5_child
|
|
|
|
|
%attr(0750,root,%{sssd_user}) %caps(%{child_capabilities}) %_libexecdir/%name/ldap_child
|
|
|
|
|
%attr(0750,root,%{sssd_user}) %_libexecdir/%name/krb5_child
|
|
|
|
|
%attr(0750,root,%{sssd_user}) %_libexecdir/%name/ldap_child
|
|
|
|
|
|
|
|
|
|
%files polkit-rules
|
|
|
|
|
%{_datadir}/polkit-1/rules.d/sssd-pcsc.rules
|
|
|
|
|
@@ -934,8 +939,9 @@ fi
|
|
|
|
|
%python3_sitelib/sssd/
|
|
|
|
|
|
|
|
|
|
%files winbind-idmap
|
|
|
|
|
%dir %_libdir/samba/
|
|
|
|
|
%_libdir/samba/idmap/
|
|
|
|
|
%dir %_libdir/samba
|
|
|
|
|
%dir %_libdir/samba/idmap
|
|
|
|
|
%_libdir/samba/idmap/sss.so
|
|
|
|
|
%_mandir/man8/idmap_sss.8*
|
|
|
|
|
|
|
|
|
|
%files -n libipa_hbac0
|
|
|
|
|
|
