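# Build-wide macro definitions for the 389-ds-base package.
# (Gutter numbers and trailing "|" left by the page extraction are removed so
# the lines parse as a spec file again.)

# work around gcc 10 build errors
%global _legacy_common_support 1

%define major 0
%define libname %mklibname %{name} %{major}
%define develname %mklibname %{name} -d

%define svrmajor 0
%define svrlibname %mklibname svrcore %{svrmajor}
%define svrdevname %mklibname svrcore -d

%global pkgname dirsrv

%global use_openldap 1
# If perl-Socket-2.000 or newer is available, set 0 to use_Socket6.
%global use_Socket6 0

# Following rh/fedora and disabling nunc-stans
# https://pagure.io/389-ds-base/issue/49893
# https://bugzilla.redhat.com/show_bug.cgi?id=1614501
# To build without nunc-stans, set 0 to use_nunc_stans.
# nunc-stans only builds on x86_64 for now
# Both branches below are 0, so nunc-stans is disabled on every architecture;
# the conditional is kept so x86_64 alone can be switched back on.
%ifarch x86_64
%global use_nunc_stans 0
%else
%global use_nunc_stans 0
%endif

%global nunc_stans_ver 0.1.8

# (cg) NB the --with-tmpfiles_d argument below is for user generated config files
# created via DSCreate.pm script - i.e. it should be the /etc/ path, NOT %%_tmpfilesdir
# The value previously ended in a stray "}", which became part of the path
# passed to configure via --with-tmpfiles-d.
%global with_tmpfiles_d %{_sysconfdir}/tmpfiles.d

# systemd support
%global groupname %{pkgname}.target
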
40 |
Summary: 389 Directory Server (base) |
41 |
Name: 389-ds-base |
42 |
Version: 1.4.0.26 |
43 |
%define subrel 2 |
44 |
Release: %mkrel 8 |
45 |
License: GPLv3+ |
46 |
Group: System/Servers |
47 |
URL: http://port389.org/ |
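# Upstream sources and the downstream patch set.
# NOTE(review): nothing in this spec verifies the tarballs fetched from these
# URLs; check them against a published checksum or signature when importing
# a new version.
Source0: https://releases.pagure.org/%{name}/%{name}-%{version}.tar.bz2
# 389-ds-git.sh should be used to generate the source tarball from git
Source1: %{name}-git.sh
Source2: %{name}-devel.README
# NOTE(review): use_nunc_stans is 0 on every architecture, yet the prep stage
# still unpacks this tarball ("-a 3") - confirm it is still required.
Source3: https://git.fedorahosted.org/cgit/nunc-stans.git/snapshot/nunc-stans-%{nunc_stans_ver}.tar.bz2
Patch0: 389-ds-base-1.4.0.26-mga-fix-path-to-nss-headers.patch
Patch1: 389-ds-base-1.4.0.26-CVE-2019-14824.patch
# NOTE(review): Patch2 is identified only by a commit hash; record the upstream
# issue or CVE it addresses so the security patch set can be audited.
Patch2: c1926dfc6591b55c4d33f9944de4d7ebe077e964.patch
Patch3: 0034-CVE-2021-4091-BZ-2030367-double-free-of-the-virtual-.patch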
57 |
|
58 |
Requires: %{libname} = %{version}-%{release} |
59 |
Provides: ldif2ldbm |
60 |
|
61 |
BuildRequires: pkgconfig(nspr) |
62 |
BuildRequires: pkgconfig(nss) |
63 |
BuildRequires: pkgconfig(krb5) |
64 |
%if %{use_openldap} |
65 |
BuildRequires: openldap-devel |
66 |
%else |
67 |
BuildRequires: mozldap-devel |
68 |
%endif |
69 |
BuildRequires: db-devel |
70 |
|
71 |
BuildRequires: pkgconfig(libsasl2) |
72 |
BuildRequires: icu |
73 |
BuildRequires: libicu-devel |
74 |
BuildRequires: pkgconfig(libpcre) |
75 |
BuildRequires: gcc-c++ |
76 |
BuildRequires: doxygen |
77 |
# The following are needed to build the snmp ldap-agent |
78 |
BuildRequires: net-snmp-devel |
79 |
BuildRequires: lm_sensors-devel |
80 |
BuildRequires: bzip2-devel |
81 |
BuildRequires: pkgconfig(zlib) |
82 |
BuildRequires: pkgconfig(openssl) |
83 |
BuildRequires: tcp_wrappers |
84 |
# the following is for the pam passthru auth plug-in |
85 |
BuildRequires: pam-devel |
86 |
BuildRequires: systemd-units |
87 |
BuildRequires: pkgconfig(systemd) |
88 |
|
89 |
# For cockpit |
90 |
BuildRequires: rsync |
91 |
|
92 |
# this is needed for using semanage from our setup scripts |
93 |
Requires: policycoreutils-python-utils |
94 |
|
95 |
Requires(post): rpm-helper >= %{rpmhelper_required_version} |
96 |
Requires(preun): rpm-helper >= %{rpmhelper_required_version} |
97 |
Requires(pre): %{_sbindir}/useradd |
98 |
Requires(pre): %{_sbindir}/groupadd |
99 |
|
100 |
|
101 |
# the following are needed for some of our scripts |
102 |
%if %{use_openldap} |
103 |
Requires: openldap-clients |
104 |
%else |
105 |
Requires: mozldap-tools |
106 |
%endif |
107 |
|
108 |
# this is needed to setup SSL if you are not using the |
109 |
# administration server package |
110 |
Requires: nss |
111 |
|
112 |
# these are not found by the auto-dependency method |
113 |
# they are required to support the mandatory LDAP SASL mechs |
114 |
Requires: sasl-plug-gssapi |
115 |
Requires: sasl-plug-digestmd5 |
116 |
|
117 |
# this is needed for verify-db.pl |
118 |
Requires: db5-utils |
119 |
|
120 |
# for the init script |
121 |
Requires(post): systemd-units |
122 |
Requires(preun): systemd-units |
123 |
Requires(postun): systemd-units |
124 |
|
125 |
%description |
126 |
389 Directory Server is an LDAPv3 compliant server. The base package includes |
127 |
the LDAP server and command line utilities for server administration. |
128 |
|
129 |
%package -n %{libname} |
130 |
Summary: Core libraries for 389 Directory Server |
131 |
Group: System/Servers |
132 |
BuildRequires: pkgconfig(nspr) |
133 |
BuildRequires: pkgconfig(nss) |
134 |
%if %{use_openldap} |
135 |
BuildRequires: openldap-devel |
136 |
%else |
137 |
BuildRequires: mozldap-devel |
138 |
%endif |
139 |
BuildRequires: db-devel |
140 |
BuildRequires: pkgconfig(libsasl2) |
141 |
BuildRequires: libicu-devel |
142 |
BuildRequires: pkgconfig(libpcre) |
143 |
BuildRequires: pkgconfig(talloc) |
144 |
BuildRequires: pkgconfig(libevent) |
145 |
BuildRequires: pkgconfig(tevent) |
146 |
BuildRequires: libcrack-devel |
147 |
|
148 |
%description -n %{libname} |
149 |
Core libraries for the 389 Directory Server base package. These libraries |
150 |
are used by the main package and the -devel package. This allows the -devel |
151 |
package to be installed with just the -libs package and without the main package. |
152 |
|
153 |
%package -n %{develname} |
154 |
Summary: Development libraries for 389 Directory Server |
155 |
Group: System/Libraries |
156 |
Requires: nspr-devel |
157 |
Requires: nss-devel |
158 |
%if %{use_openldap} |
159 |
Requires: openldap-devel |
160 |
%else |
161 |
Requires: mozldap-devel |
162 |
%endif |
163 |
|
164 |
%if %{use_nunc_stans} |
165 |
Requires: talloc-devel |
166 |
Requires: event-devel |
167 |
Requires: tevent-devel |
168 |
%endif |
169 |
|
170 |
Requires: %{libname} = %{version}-%{release} |
171 |
Provides: %{develname} = %{version}-%{release} |
172 |
|
173 |
|
174 |
%description -n %{develname} |
175 |
Development Libraries and headers for the 389 Directory Server base package. |
176 |
|
177 |
%package snmp |
178 |
Summary: SNMP Agent for 389 Directory Server |
179 |
Group: System/Servers |
180 |
Requires: %{name} = %{version}-%{release} |
181 |
|
182 |
|
183 |
%description snmp |
184 |
SNMP Agent for the 389 Directory Server base package. |
185 |
|
186 |
%package -n cockpit-389-ds |
187 |
Summary: Cockpit UI Plugin for configuring and administering the 389 Directory Server |
188 |
BuildArch: noarch |
189 |
#Requires: cockpit |
190 |
Requires: python%{python3_pkgversion} |
191 |
#Requires: python%%{python3_pkgversion}-lib389 |
192 |
|
193 |
%description -n cockpit-389-ds |
194 |
A cockpit UI Plugin for configuring and administering the 389 Directory Server. |
195 |
|
196 |
%package -n %{svrlibname} |
197 |
Summary: Secure PIN handling using NSS crypto |
198 |
License: MPLv2.0 |
199 |
Group: System/Libraries |
200 |
Epoch: 1 |
201 |
Conflicts: %{_lib}389-ds-base0 < %{version} |
202 |
|
203 |
%description -n %{svrlibname} |
204 |
svrcore provides applications with several ways to handle secure PIN storage |
205 |
e.g. in an application that must be restarted, but needs the PIN to unlock the |
206 |
private key and other crypto material, without user intervention. svrcore uses |
207 |
the facilities provided by NSS. |
208 |
|
209 |
%package -n %{svrdevname} |
210 |
Summary: Development files for svrcore |
211 |
License: MPLv2.0 |
212 |
Group: Development/Other |
213 |
Epoch: 1 |
214 |
Requires: %{svrlibname} = 1:%{version}-%{release} |
215 |
Provides: svrcore-devel = 1:%{version}-%{release} |
216 |
Conflicts: %{_lib}389-ds-base-devel < %{version} |
217 |
|
218 |
%description -n %{svrdevname} |
219 |
Development libraries and headers for svrcore. |
220 |
|
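%prep
# Unpack Source0, then unpack Source3 (nunc-stans) inside the main tree (-a).
%setup -q -n %{name}-%{version} -a 3
%if %{use_nunc_stans}
# Also unpack Source3 beside the main tree (-b); the build stage looks for it
# at ../nunc-stans-<version>. -T -D keep the tree unpacked above.
%setup -q -n %{name}-%{version} -T -D -b 3
%endif
# Applies every PatchN declared in the preamble, including the two CVE fixes.
%autopatch -p1
# Source2 is the packaged developer README; use the SOURCE macro rather than
# rebuilding its path from the source directory and file name.
cp %{SOURCE2} README.devel

# Make sure python3 is used in shebangs
# FIX ME!! This should be fixed in the source code !!!
sed -r -i '1s|^#!\s*/usr/bin.*python.*|#!%{__python3}|' ldap/admin/src/scripts/*.py
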
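%build
%serverbuild
autoreconf -vfi

%if %{use_nunc_stans}
# Build the separately unpacked nunc-stans tree first and stage its library
# and header where the main configure run is pointed at below.
pushd ../nunc-stans-%{nunc_stans_ver}
autoreconf -fi
%configure --with-fhs --libdir=%{_libdir}/%{pkgname}
%make_build
mkdir -p lib
cp .libs/libnunc-stans.so.0.0.0 lib/libnunc-stans.so
mkdir -p include/nunc-stans
cp nunc-stans.h include/nunc-stans/nunc-stans.h
popd
%endif

# Start from empty values: when a conditional below is not taken, a variable
# of the same name inherited from the build environment must not reach
# configure.
OPENLDAP_FLAG=""
TMPFILES_FLAG=""
NUNC_STANS_FLAGS=""
%if %{use_openldap}
OPENLDAP_FLAG="--with-openldap"
%endif
%{?with_tmpfiles_d: TMPFILES_FLAG="--with-tmpfiles-d=%{with_tmpfiles_d}"}
# hack hack hack https://bugzilla.redhat.com/show_bug.cgi?id=833529
NSSARGS="--with-svrcore-inc=%{_includedir} --with-svrcore-lib=%{_libdir} --with-nss-lib=%{_libdir} --with-nss-inc=%{_includedir}/nss"
%if %{use_nunc_stans}
NUNC_STANS_FLAGS="--enable-nunc-stans --with-nunc-stans=../nunc-stans-%{nunc_stans_ver}"
%endif
# NOTE(review): --enable-autobind presumably compiles in LDAPI autobind (local
# clients mapped from their OS credentials) - confirm, and review the
# per-instance autobind mapping when hardening a server.
# The flag variables are left unquoted on purpose: each holds zero or more
# whole options. The duplicated --with-systemdgroupname/NSSARGS line that used
# to precede --with-perldir has been dropped.
%configure --enable-autobind $OPENLDAP_FLAG $TMPFILES_FLAG \
    --with-systemdsystemunitdir=%{_unitdir} \
    --with-systemdsystemconfdir=%{_sysconfdir}/systemd/system \
    --with-perldir=/usr/bin \
    --with-systemdgroupname=%{groupname} $NSSARGS $NUNC_STANS_FLAGS \
    --with-systemd

# Generate symbolic info for debuggers
export XCFLAGS="$RPM_OPT_FLAGS"

%make_build
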
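%install
%if %{use_nunc_stans}
# Install nunc-stans, then drop its headers, data and pkgconfig files from the
# buildroot before the main install runs.
pushd ../nunc-stans-%{nunc_stans_ver}
%make_install
rm -rf %{buildroot}%{_includedir} %{buildroot}%{_datadir} \
    %{buildroot}%{_libdir}/%{pkgname}/pkgconfig
popd
%endif

%make_install

# Runtime directories; spelled with the same macros the files list uses so the
# two cannot drift apart.
mkdir -p %{buildroot}%{_logdir}/%{pkgname}
mkdir -p %{buildroot}%{_localstatedir}/lib/%{pkgname}
mkdir -p %{buildroot}%{_localstatedir}/lock/%{pkgname}

# Cockpit directory and file list
# The buildroot prefix is stripped only at the start of each path.
find %{buildroot}%{_datadir}/cockpit/389-console -type d | sed -e "s@^%{buildroot}@@" -e 's/^/\%dir /' > cockpit.list
find %{buildroot}%{_datadir}/cockpit/389-console -type f | sed -e "s@^%{buildroot}@@" >> cockpit.list
echo "%{_datadir}/metainfo/389-console/org.port389.cockpit_console.metainfo.xml" >> cockpit.list

#remove libtool archives and static libs
find %{buildroot} -type f -name "*.la" -delete
find %{buildroot} -type f -name "*.a" -delete

# make sure perl scripts have a proper shebang
sed -i -e 's|#{{PERL-EXEC}}|#!/usr/bin/perl|' %{buildroot}%{_datadir}/%{pkgname}/script-templates/template-*.pl
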
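%pre
# Add the dirsrv user and group accounts
# The account gets /sbin/nologin as its shell, so it cannot be used for an
# interactive login.
%_pre_useradd %{pkgname} %{_localstatedir}/lib/%{pkgname} /sbin/nologin
# NOTE(review): the group helper is handed the same home-directory and shell
# arguments as the user helper; confirm against rpm-helper that
# %%_pre_groupadd accepts them, otherwise pass only the group name.
%_pre_groupadd %{pkgname} %{_localstatedir}/lib/%{pkgname} /sbin/nologin
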
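%post
# Post-install scriptlet, run as root. On first install it creates the
# target's .wants directory; on every run it reloads systemd, stops the
# running directory server instances found in that directory, runs the
# offline update and starts the same instances again.
#
# Two environment variables are read from whoever invoked rpm:
#   DEBUGPOSTTRANS  - file that receives the progress log (default /dev/null)
#   DEBUGPOSTSETUP  - only its "d" characters are kept and passed to setup-ds.pl
# Every expansion of them is quoted so that whitespace or glob characters in
# the value cannot change which file is written or which arguments are passed.
output=/dev/null
# We need to do this because the BS doesn't accept the way Fedora (upstream) and others do it.
if [ "$1" = 1 ] ; then
    mkdir -p %{_sysconfdir}/systemd/system/%{groupname}.wants
fi
# reload to pick up any changes to systemd files
%{_bindir}/systemctl daemon-reload >/dev/null 2>&1 || :
# reload to pick up any shared lib changes

# find all instances
instances="" # instances that require a restart after upgrade
ninst=0 # number of instances found in total
if [ -n "$DEBUGPOSTTRANS" ] ; then
    output="$DEBUGPOSTTRANS"
fi
# The glob is left unquoted here on purpose so the log lists what matched.
echo looking for services in %{_sysconfdir}/systemd/system/%{groupname}.wants/* >> "$output" 2>&1 || :
for service in %{_sysconfdir}/systemd/system/%{groupname}.wants/* ; do
    if [ ! -f "$service" ] ; then continue ; fi # in case nothing matches
    # Entries are direct children of the .wants directory, so the unit name
    # is simply the last path component.
    inst="${service##*/}"
    echo "found instance $inst - getting status" >> "$output" 2>&1 || :
    if %{_bindir}/systemctl -q is-active "$inst" ; then
        echo "instance $inst is running" >> "$output" 2>&1 || :
        instances="$instances $inst"
    else
        echo "instance $inst is not running" >> "$output" 2>&1 || :
    fi
    ninst=$((ninst + 1))
done
if [ "$ninst" -eq 0 ] ; then
    echo no instances to upgrade >> "$output" 2>&1 || :
    exit 0 # have no instances to upgrade - just skip the rest
fi
# shutdown all instances
# $instances is a space-separated list and is deliberately split on
# whitespace; this relies on unit file names containing no whitespace or
# glob characters.
echo shutting down all instances . . . >> "$output" 2>&1 || :
for inst in $instances ; do
    echo "stopping instance $inst" >> "$output" 2>&1 || :
    %{_bindir}/systemctl stop "$inst" >> "$output" 2>&1 || :
done
echo remove pid files . . . >> "$output" 2>&1 || :
%{_bindir}/rm -f /run/%{pkgname}*.pid /run/%{pkgname}*.startpid


# do the upgrade
echo upgrading instances . . . >> "$output" 2>&1 || :
# Keep only the letter "d" from DEBUGPOSTSETUP, so the variable can yield
# -d, -dd, ... but no other option. printf with a quoted argument replaces
# the unquoted echo, which word-split and glob-expanded the value first.
# (%%s is the spec-file escape for a literal percent-s.)
DEBUGPOSTSETUPOPT=$(printf '%%s\n' "$DEBUGPOSTSETUP" | /usr/bin/sed -e "s/[^d]//g")
if [ -n "$DEBUGPOSTSETUPOPT" ] ; then
    %{_sbindir}/setup-ds.pl -l "$output" "-$DEBUGPOSTSETUPOPT" -u -s General.UpdateMode=offline >> "$output" 2>&1 || :
else
    %{_sbindir}/setup-ds.pl -l "$output" -u -s General.UpdateMode=offline >> "$output" 2>&1 || :
fi

# restart instances that require it
for inst in $instances ; do
    echo "restarting instance $inst" >> "$output" 2>&1 || :
    %{_bindir}/systemctl start "$inst" >> "$output" 2>&1 || :
done
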
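%preun
# Pre-uninstall scriptlet: argument 1 is 0 only when the package is being
# removed for good, not during an upgrade.
if [ "$1" -eq 0 ]; then # Final removal
    # Package removal, not upgrade
    # remove instance specific service files/links
    rm -rf %{_sysconfdir}/systemd/system/%{groupname}.wants/* > /dev/null 2>&1 || :
fi
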
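%postun
# Post-uninstall scriptlet: on final removal (argument 1 is 0) delete the
# runtime directory, then hand account removal to the rpm-helper macros.
if [ "$1" = 0 ]; then # Final removal
    rm -rf /run/%{pkgname}
fi
%_postun_userdel %{pkgname}
%_postun_groupdel %{pkgname}
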
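%preun snmp
# NOTE(review): this passes the unit name with its .service suffix plus the
# target name as a second argument, while the matching post scriptlet passes
# only "%{pkgname}-snmp"; confirm which form the rpm-helper macro expects.
%_preun_service %{pkgname}-snmp.service %{groupname}
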
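%post snmp
# Registers the SNMP agent service through the rpm-helper macro.
%_post_service %{pkgname}-snmp
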
386 |
%files |
387 |
%license LICENSE LICENSE.GPLv3+ LICENSE.openssl |
388 |
%doc README.devel README.md |
389 |
%dir %{_sysconfdir}/%{pkgname} |
390 |
%dir %{_sysconfdir}/%{pkgname}/schema |
391 |
%config(noreplace)%{_sysconfdir}/%{pkgname}/schema/*.ldif |
392 |
%dir %{_sysconfdir}/%{pkgname}/config |
393 |
%config(noreplace)%{_sysconfdir}/%{pkgname}/config/slapd-collations.conf |
394 |
%config(noreplace)%{_sysconfdir}/%{pkgname}/config/certmap.conf |
395 |
%config(noreplace)%{_sysconfdir}/%{pkgname}/config/template-initconfig |
396 |
%config(noreplace)%{_sysconfdir}/sysconfig/%{pkgname} |
397 |
%config(noreplace)%{_sysconfdir}/sysconfig/%{pkgname}.systemd |
398 |
%{_datadir}/%{pkgname} |
399 |
%{_unitdir}/%{pkgname}.target |
400 |
%{_unitdir}/%{pkgname}@.service |
401 |
%{_bindir}/* |
402 |
%{_sbindir}/* |
403 |
%{_libdir}/%{pkgname}/perl |
404 |
%{_libdir}/%{pkgname}/python |
405 |
%{_libdir}/%{pkgname}/plugins/*.so |
406 |
%{_libexecdir}/ds_selinux_enabled |
407 |
%{_libexecdir}/ds_selinux_port_query |
408 |
%{_libexecdir}/ds_systemd_ask_password_acl |
409 |
%{_prefix}/lib/sysctl.d/* |
410 |
%{_prefix}/share/gdb/auto-load/usr/sbin/ns-slapd-gdb.py |
411 |
%dir %{_localstatedir}/lib/%{pkgname} |
412 |
%dir %{_logdir}/%{pkgname} |
413 |
%ghost %dir %{_localstatedir}/lock/%{pkgname} |
414 |
%{_mandir}/man1/* |
415 |
%{_mandir}/man5/* |
416 |
%{_mandir}/man8/* |
417 |
%exclude %{_sbindir}/ldap-agent* |
418 |
%exclude %{_mandir}/man1/ldap-agent.1.* |
419 |
|
420 |
%files -n %{develname} |
421 |
%license LICENSE LICENSE.GPLv3+ LICENSE.openssl |
422 |
%doc README.devel README.md |
423 |
%{_includedir}/%{pkgname} |
424 |
%{_libdir}/%{pkgname}/libslapd.so |
425 |
%{_libdir}/%{pkgname}/libsds.so |
426 |
%{_libdir}/%{pkgname}/libldaputil.so |
427 |
%{_libdir}/%{pkgname}/libns-dshttpd.so |
428 |
# It seems these files are always built regardless the global setting. |
429 |
# %%if %%{use_nunc_stans} |
430 |
%{_libdir}/%{pkgname}/libnunc-stans.so |
431 |
# %%endif |
432 |
%{_libdir}/pkgconfig/* |
433 |
%exclude %{_libdir}/pkgconfig/svrcore.pc |
434 |
|
435 |
%files -n %{svrlibname} |
436 |
%license src/svrcore/LICENSE |
437 |
%doc src/svrcore/README |
438 |
%{_libdir}/libsvrcore.so.%{svrmajor}{,.*} |
439 |
|
440 |
%files -n %{svrdevname} |
441 |
%license src/svrcore/LICENSE |
442 |
%doc src/svrcore/README |
443 |
%{_includedir}/svrcore.h |
444 |
%{_libdir}/libsvrcore.so |
445 |
%{_libdir}/pkgconfig/svrcore.pc |
446 |
|
447 |
%files -n %{libname} |
448 |
%license LICENSE LICENSE.GPLv3+ LICENSE.openssl |
449 |
%doc README.md |
450 |
%{_libdir}/%{pkgname}/libslapd.so.* |
451 |
%{_libdir}/%{pkgname}/libsds.so.* |
452 |
%{_libdir}/%{pkgname}/libldaputil.so.* |
453 |
%{_libdir}/%{pkgname}/libns-dshttpd-%{version}.so |
454 |
# %%if %%{use_nunc_stans} |
455 |
%{_libdir}/%{pkgname}/libnunc-stans.so.* |
456 |
# %%endif |
457 |
|
458 |
%files snmp |
459 |
%license LICENSE LICENSE.GPLv3+ LICENSE.openssl |
460 |
%doc README.md |
461 |
%config(noreplace)%{_sysconfdir}/%{pkgname}/config/ldap-agent.conf |
462 |
%{_unitdir}/%{pkgname}-snmp.service |
463 |
%{_sbindir}/ldap-agent* |
464 |
%{_mandir}/man1/ldap-agent.1.* |
465 |
|
466 |
%files -n cockpit-389-ds -f cockpit.list |
467 |
%doc README.md |