[Freeipa-users] Deploying FreeIPA 1.2.2 on RHEL 5

Stephen Gallagher sgallagh at redhat.com
Fri Nov 6 21:11:40 UTC 2009


On 11/05/2009 04:14 PM, Loris Santamaria wrote:
> On Thu, 05-11-2009 at 15:38 -0500, Sam Hartsfield wrote:
>> Hello,
>>
>> I am interested in deploying FreeIPA along with my company's software
>> to allow us to implement Single Sign On. All of our software is
>> deployed on Red Hat Enterprise Linux, so I would like to get the
>> FreeIPA server to run there (on RHEL 5). I am aware of Red Hat IPA,
>> but if I'm not mistaken, it is based on an earlier version that does
>> not have the ability to sync to Active Directory.
>>
>> Most of the dependencies are available either from the official
>> package repositories or from EPEL, and Fedora/389 Directory Server has
>> its own repository for Enterprise Linux. However, there are two
>> packages that are unavailable: 'mod_nss >= 1.0.7-2' and 'slapi-nis'.
> 
> One could just use the relevant .src.rpm from Fedora and recompile them
> on RHEL. At least I did that with no problems (*) whatsoever several
> times with the .src.rpms from Fedora 9 and 10
> 
> You can't directly use rpms from Fedora 11 because the format has
> changed slightly, but you can install the .src.rpm in Fedora, and copy
> the contents (spec, sources and patches) to RHEL to rebuild it.
> 

How to make a RHEL SRPM in Fedora in a few easy steps. (All of the below
commands must be run on Fedora)

Prerequisites:
1. yum install cpio rpm-build

2. rpmdev-setuptree
This will create a directory structure inside ~/rpmbuild

Create the SRPM:
1. yumdownloader --source ipa
This will download ipa-1.2.2-1.fc11.src.rpm to the current directory.

2. rpm2cpio ipa-1.2.2-1.fc11.src.rpm |cpio --extract
This will extract the source tarball to the current directory.

3. cp freeipa-1.2.2.tar.gz ~/rpmbuild/SOURCES

4. Edit ipa.spec as described in a previous email to change 'popt-devel'
to 'popt'

5. rpmbuild -bs --define _source_filedigest_algorithm=1 ipa.spec

You will now have a source RPM in ~/rpmbuild/SRPMS (pay no mind that it
still says .fc11 in the name; that's just because you're generating it
on an FC11 system) that can be built on a RHEL system with the command

rpmbuild --rebuild ipa-1.2.2-1.fc11.src.rpm



* If you're curious, the reasons behind these steps are twofold.
1) The name of the popt package changed between RHEL5 and F11, so you
need to fix that in the spec.
2) The RPM format now uses a different digest algorithm in F11 and later
that RHEL5 cannot read. So we force it to use the old digest algorithm
in the rpmbuild step above.


> (*) You should edit the ipa.spec and change
> 
> BuildRequires:  popt-devel
> 
> to 
> 
> BuildRequires:  popt
> 
> 
>> Looking at the commit (f018c2123c2b0018af5d41ec007ac8ddf0f04d31), it
>> appears that an earlier version of mod_nss is okay as long as we don't
>> need to pass it through mod_proxy. As far as I can tell, slapi-nis is
>> used for providing an NIS interface, which I don't think we need
>> (RHEL4 and RHEL5 clients should be able to use LDAP for user
>> information). Does this sound accurate, or is there anything I'm
>> missing? Would it be sufficient to remove these dependencies from the
>> RPM spec (for mod_nss just remove the version restriction) before I
>> build the package, or would I need to make other modifications? After
>> trying it (installing with 'rpm --nodeps'), it appears to work at
>> first glance.
>>
>> Are there any other issues with running on RHEL 5 that I should be
>> aware of? Any comments on this configuration?
>>
>> Thank you,
>> Sam Hartsfield
>>
>> _______________________________________________
>> Freeipa-users mailing list
>> Freeipa-users at redhat.com
>> https://www.redhat.com/mailman/listinfo/freeipa-users


-- 
Stephen Gallagher
RHCE 804006346421761

Delivering value year after year.
Red Hat ranks #1 in value among software vendors.
http://www.redhat.com/promo/vendor/
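
Added example, not part of the original message or of FreeIPA: a Python check for the build host that reads the file digest algorithm straight from an SRPM's header, so you can confirm the rebuilt package uses the old MD5 digests before copying it to RHEL 5. The function names and the bytes produced by make_sample are constructed for illustration; the only format facts assumed are the RPM header layout and the FILEDIGESTALGO tag (5011), whose absence rpm treats as MD5.

```python
import struct
import sys

LEAD_MAGIC = b"\xed\xab\xee\xdb"      # starts the 96-byte lead before the headers
HEADER_MAGIC = b"\x8e\xad\xe8\x01"    # header magic (3 bytes) + version byte
TAG_FILEDIGESTALGO = 5011             # RPMTAG_FILEDIGESTALGO, a single INT32
MD5 = 1                               # OpenPGP hash ids: 1 = MD5, 8 = SHA-256

def read_header(data, pos):
    """Parse one header at pos; return ({tag: (type, offset, count)}, store, end)."""
    if len(data) < pos + 16 or data[pos:pos + 4] != HEADER_MAGIC:
        raise ValueError("no RPM header at offset %d" % pos)
    nindex, hsize = struct.unpack_from(">II", data, pos + 8)
    store_start = pos + 16 + 16 * nindex
    end = store_start + hsize
    if end > len(data):
        raise ValueError("truncated RPM header")
    index = data[pos + 16:store_start]          # 16-byte entries, big-endian
    entries = {t: (ty, off, cnt) for t, ty, off, cnt in struct.iter_unpack(">IIII", index)}
    return entries, data[store_start:end], end

def file_digest_algo(data):
    """Return the file digest algorithm id recorded in an (S)RPM image."""
    if data[:4] != LEAD_MAGIC:
        raise ValueError("not an RPM file")
    _, _, sig_end = read_header(data, 96)       # signature header follows the lead
    entries, store, _ = read_header(data, (sig_end + 7) & ~7)  # padded to 8 bytes
    if TAG_FILEDIGESTALGO not in entries:
        return MD5                              # tag absent: rpm assumes MD5
    typ, off, cnt = entries[TAG_FILEDIGESTALGO]
    if typ != 4 or cnt != 1 or off + 4 > len(store):
        raise ValueError("malformed FILEDIGESTALGO entry")
    return struct.unpack_from(">I", store, off)[0]

def readable_by_rhel5(data):
    return file_digest_algo(data) == MD5

def make_sample(algo=None):
    """Constructed sample: lead + signature header + main header, no payload."""
    sig = HEADER_MAGIC + bytes(4) + struct.pack(">II", 0, 5) + bytes(5 + 3)
    index = store = b""
    if algo is not None:
        index, store = struct.pack(">IIII", TAG_FILEDIGESTALGO, 4, 0, 1), struct.pack(">I", algo)
    main = HEADER_MAGIC + bytes(4) + struct.pack(">II", len(index) // 16, len(store))
    return LEAD_MAGIC + bytes(92) + sig + main + index + store

if __name__ == "__main__":
    for path in sys.argv[1:]:
        with open(path, "rb") as f:
            print(path, "MD5 digests" if readable_by_rhel5(f.read()) else "non-MD5 digests")
```

Run it with one or more .src.rpm paths as arguments; a package reported as "non-MD5 digests" was built without the digest override from the rpmbuild step.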