How To Build Red Hat Enterprise IPA RPMs For CentOS 5

Submitted by jemtallon on Tue, 2008-09-23 13:15. :: CentOS

FreeIPA has existed for some time as RHE IPA for Red Hat Linux and has been added to Fedora. Still, since it is an extra add-on to RHEL, CentOS hasn't rebuilt it yet. That's a shame because FreeIPA is an easy-to-configure, easy-to-manage security information management solution. If, like me, you want to use IPA with CentOS, this tutorial is for you.

 

Assumptions

  • You have installed CentOS 5.2 with at least the minimal package set (everything unchecked during install) and have fully updated it from CentOS's repositories.
    • I built these RPMs on a 32-bit i386 system, but I imagine building them on x86_64 or other architectures would be very similar.
  • You have a basic working knowledge of Linux commands (moving files, etc)
  • You are running the following as root
  • Red Hat, CentOS, and EPEL haven't moved all of these packages to some excitingly new and obscure location. If so, you may have to Google a bit to find them all.

 

Download and install centos-ds rpm

  1. CentOS and EPEL have already compiled some of the necessary packages. Why rebuild packages if someone else has already done the work for you? This way they'll also update down the road if updates are added into the repositories!
  2. Create a file at /etc/yum.repos.d/CentOS-testing.repo with the following contents:
    [testing]
    name=CentOS-$releasever - Testing
    baseurl=http://dev.centos.org/centos/$releasever/testing/$basearch/
    gpgcheck=1
    enabled=1
    gpgkey=http://dev.centos.org/centos/RPM-GPG-KEY-CentOS-testing
    
  3. Run the following commands to download and install some of the existing RPMs:

    rpm -Uvh http://download.fedora.redhat.com/pub/epel/5/i386/epel-release-5-3.noarch.rpm
    yum install centos-ds-base-devel centos-ds centos-ds-admin-console python-psycopg2
    rm /etc/yum.repos.d/CentOS-testing.repo
    yum clean all

 

Download the source packages from RedHat

  1. Run the following commands to download the necessary SRPMS:

    mkdir ~/srcbuild; cd ~/srcbuild/
    wget -r -l 1 http://ftp.redhat.com/pub/redhat/linux/enterprise/5Server/en/RHEIPA/SRPMS/
    mv ftp.redhat.com/pub/redhat/linux/enterprise/5Server/en/RHEIPA/SRPMS/*.rpm .

  2. Remove RPMs we won't need
    • Remove older versions of rpms (ex: if there are 3 versions of ipa, only keep the newest)
    • Also remove redhat-ds* since we already installed centos-ds
    • Remove python-psycopg2 since we installed that from EPEL
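
The SRPMs above arrive over plain HTTP, so it is worth checking their signatures before handing them to rpmbuild. The following is an added example, not part of the original tutorial: it classifies `rpm -K` output and refuses to proceed unless every package carries a verified signature. The function names and the sample lines are constructed for illustration, and it assumes the vendor's public key has already been imported into the rpm keyring.

```shell
#!/bin/sh
# Added example: classify `rpm -K` (rpm --checksig) output before rebuilding.
# Verdicts: VERIFIED = a GPG/PGP signature checked against an imported key,
#           UNSIGNED = digests only (integrity, no authenticity),
#           FAILED   = rpm reported NOT OK (bad digest/signature, missing key).

# Constructed sample in the rpm 4.4 (CentOS 5) output format; the key ID is a
# placeholder, not a real key.
SAMPLE_CHECKSIG='ipa-1.0.0-23.el5ipa.src.rpm: (sha1) dsa sha1 md5 gpg OK
mod_nss-1.0.3-5.el5ipa.src.rpm: (SHA1) DSA sha1 md5 (GPG) NOT OK (MISSING KEYS: GPG#00000000)
python-kerberos-1.0-5.el5ipa.src.rpm: sha1 md5 OK'

# Read `rpm -K` lines on stdin, print "<verdict> <file>" for each.
classify_checksig() {
    while IFS= read -r line; do
        file=${line%%:*}
        result=${line#*: }
        case "$result" in
            *"NOT OK"*)                      verdict=FAILED ;;
            *gpg*OK|*pgp*OK|*signatures*OK)  verdict=VERIFIED ;;
            *OK)                             verdict=UNSIGNED ;;
            *)                               verdict=FAILED ;;
        esac
        printf '%s %s\n' "$verdict" "$file"
    done
}

# Succeed only if every package on stdin is VERIFIED; list the rest on stderr.
srpms_safe_to_build() {
    classify_checksig |
        awk '$1 != "VERIFIED" { bad = 1; print "refusing: " $0 } END { exit bad + 0 }' >&2
}

# Live use, once the vendor key has been imported with `rpm --import <keyfile>`:
#   rpm -K ~/srcbuild/*.src.rpm | srpms_safe_to_build && echo "ok to rebuild"
printf '%s\n' "$SAMPLE_CHECKSIG" | classify_checksig
```
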

 

Use yum to get some necessary development packages

  1. Run the following command to download the required packages:

    yum install gcc gcc-c++ automake autoconf rpm-build mozldap-devel openssl-devel openldap-devel krb5-devel nss-devel libcap-devel python-devel libtool selinux-policy-devel python-setuptools-devel bison flex ncurses-devel texinfo tetex-latex pam-devel httpd-devel apr-devel apr-util-devel postgresql-devel sqlite-devel

 

Build TurboGears and the krb5 packages first

  1. Run the following commands:

    rpmbuild --rebuild TurboGears*.rpm krb5-server-ldap*.rpm python-kerberos*.rpm python-tgexpandingformwidget*.rpm mod_nss*.rpm

    • There will be quite a bit of output to the console while you do this - don't let that scare you. If there is an error, rpmbuild will stop running and tell you something was missing.
  2. If rpmbuild fails to build the package because you are missing a package, perform a "yum search" for the package, install it, and try the above command again.
  3. When rpmbuild finishes without errors, it will print "exit 0" to the screen and then stop outputting information.
  4. When rpmbuild is done, you can install TurboGears with the following command:

    yum install /usr/src/redhat/RPMS/*/*.rpm

 

Build IPA

  1. We'll also build IPA on its own since it requires a small modification. To start, run these commands:

    rpm -Uvh ipa-*.src.rpm
    rm ipa-*.src.rpm
    cd /usr/src/redhat/SPECS/
    mv ipa.spec ipa.spec.save
    sed -e "s/redhat-ds/centos-ds/g" ipa.spec.save > ipa.spec
    rpmbuild -bb ipa.spec

  2. If there are errors when building, try to install the missing packages with yum and run the rpmbuild command again. Once it completes, install all of the packages we've built so far with the following command:

    yum install /usr/src/redhat/RPMS/*/*.rpm

 

Build the rest of the rpms

  1. At this point we're finally ready to build the rest of the RPMs needed for IPA to work correctly. Build them with the following commands:

    cd ~/srcbuild/
    rpmbuild --rebuild *.rpm

  2. This may fail a few times just like the other times. Repeat as needed.

 

Find the rpms

  1. The finished RPMs are all located in /usr/src/redhat/RPMS/. For a list of all of them, you can run the following command:

    find /usr/src/redhat/|grep "rpm$"

  2. Move or copy the RPMs somewhere you can find them. You'll need some of these for the IPA client machines and all of them if you want to install multiple IPA servers so keep all of them.
  3. Remember that you downloaded the centos-ds and other RPMs from testing and EPEL. You'll need to download them or add in the testing and EPEL repos for clients so they can get all of the packages.
  4. If you have a spacewalk server, you can now rhnpush the RPMs into it and use yum for any future clients and servers!

 

Configure the server and clients using Red Hat's documentation

  1. I won't go into documenting the configuration process as that has been very well done by Red Hat already. Their documentation is located at http://www.redhat.com/docs/en-US/Red_Hat_Enterprise_IPA/
  2. Of particular importance are the Installation and Deployment Guide and the Client Configuration Guide

Submitted by Dan Casey (not registered) on Tue, 2009-06-02 19:49.

This went almost completely flawlessly. Some ugly notes I took while following this howto below.

 

  - Install the dependencies before enabling the testing repo. Otherwise testing will install httpd-2.2.8 rather than the normal 2.2.3

Install rpmdevtools
  - run rpmdev-setuptree
  - append the following to your .rpmmacros
     - %packager       Your Name <your@email.addresss>
     - %vendor         Your Company

  - The following line has a typo.  'python-kerberos' should be 'python-kerberos*'.
    rpmbuild --rebuild TurboGears-1.0.3.2-7.el5ipa.src.rpm krb5-server-ldap-1.6.1-26.el5ipa.src.rpm python-kerberos python-tgexpandingformwidget-0.1.3-5.el5ipa.src.rpm mod_nss-1.0.3-5.el5ipa.src.rpm
  - Delete those extra garbage rpms.   rm ../rpmbuild/RPMS/x86_64/*debuginfo*
  - To install the krb and python packages created in the repo, yum --nogpgcheck install ~builder/rpmbuild/RPMS/*/*.rpm
 
  Building IPA
cd srcbuild
mkdir done
mv TurboGears-1.0.3.2-7.el5ipa.src.rpm done/
mv krb5-server-ldap-1.6.1-26.el5ipa.src.rpm done/
mv python-kerberos-1.0-5.el5ipa.src.rpm done/
mv python-tgexpandingformwidget-0.1.3-5.el5ipa.src.rpm done/
mv mod_nss-1.0.3-5.el5ipa.src.rpm done/

rpm -Uvh ipa-1.0.0-23.el5ipa.src.rpm
mv ipa-1.0.0-23.el5ipa.src.rpm done/

cd ../rpmbuild/SPECS/
mv ipa.spec ipa.spec.save
sed -e "s/redhat-ds/centos-ds/g" ipa.spec.save > ipa.spec
rpmbuild -bb ipa.spec

  Building the rest.
cd ~/srcbuild
rpmbuild --rebuild *.rpm

Submitted by Ozgur (not registered) on Tue, 2009-01-13 16:47.

If the installer gives you the error:

Error: Missing Dependency: python-pyasn1 is needed by package ipa-server

You need to download python-pyasn1-0.0.8a-2.fc11.src.rpm, rebuild with:

 rpmbuild --rebuild python-pyasn1-0.0.8a-2.fc11.src.rpm

And install:

rpm -i   /usr/src/redhat/RPMS/noarch/python-pyasn1-0.0.8a-2.noarch.rpm

 Then you can safely continue with 

yum install /usr/src/redhat/RPMS/*/*.rpm 

Submitted by Dave Thomas (not registered) on Sat, 2009-01-10 08:28.
When I installed on a client machine, ipa-client-install couldn't find the ldap server via DNS, so it hard-coded the value in /etc/ldap.conf. I'm using two IPA replicas, so this is not good. I solved this by removing the installed version of nss_ldap and compiling the Fedora 10 nss_ldap source rpm, and now everything seems to work.
Submitted by keulator (not registered) on Wed, 2008-11-05 17:48.

Just want to add a note that it's quite important to have the right devel packages installed. So if you're on a 64-bit system ensure that you have the corresponding devel packages installed, e.g. krb5-devel.x86_64, otherwise the build will fail. I discovered that yum sometimes installs the i386 devel package.

 

 

Submitted by jemtallon (registered user) on Thu, 2008-09-25 15:45.

I'm not sure if it's temporary or meant to be permanent but I also just found a repository with the compiled RHEIPA RPMs at http://www.math.ias.edu/PU_IAS/RHEIPA/5.2/ which contains both i386 and x86_64 RPMs. I'm not associated with that website at all and can't vouch for them so if you're concerned with trusting random RPMs someone found through Google (and you should be ;) I still recommend you build your own. But then again if you're just making a proof-of-concept setup it's probably easier to try those.

Submitted by Guillaume Belan... (not registered) on Wed, 2008-09-24 05:21.

When installing the ipa-server RPM, yum fails with a warning that ipa-server conflicts with mod_ssl.

 I checked mod_ssl files and they do not conflict with any file from the ipa-server package. However, yum is pretty strict with conflicts and dependencies.

My solution was to use rpm -Uvh --nodeps ipa-server*.rpm to bypass this (seemingly unfounded) limitation.

Submitted by Rob Crittenden (not registered) on Mon, 2008-09-29 15:20.

There are 2 SSL engines for Apache: mod_ssl (which uses OpenSSL) and mod_nss (which uses NSS). 

The mod_ssl conflict is not that there are files that will conflict but that mod_ssl conflicts with mod_nss when using mod_proxy.

mod_proxy has a single API for proxying SSL. mod_nss will advertise those functions only if mod_ssl is not loaded. Simply loading mod_ssl is enough to cause mod_nss to not register the functions.

The result is that the webui won't work. 
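
An added check, not part of the comment above or of the IPA project: it reports whether an Apache configuration tree loads mod_ssl alongside mod_nss, the condition described in that comment. The function names and the demo files are constructed for illustration; `/etc/httpd/conf.d` in the usage comment is assumed to be the stock CentOS location.

```shell
#!/bin/sh
# Added example: detect mod_ssl loaded next to mod_nss in an Apache config tree.

# Print the SSL engine modules loaded by uncommented LoadModule lines in the
# *.conf files under directory $1 (one name per line, sorted).
active_ssl_modules() {
    find "$1" -type f -name '*.conf' -exec cat {} + 2>/dev/null |
        awk 'tolower($1) == "loadmodule" &&
             ($2 == "ssl_module" || $2 == "nss_module") { print $2 }' |
        sort -u
}

# Return 0 when both engines are loaded, i.e. the case in which mod_nss does
# not register the mod_proxy SSL functions.
webui_proxy_conflict() {
    mods=$(active_ssl_modules "$1" | tr '\n' ' ')
    [ "$mods" = "nss_module ssl_module " ]
}

# Build a constructed conf.d tree for the demo; prints its path.
make_demo_conf() {
    dir=$(mktemp -d)
    printf 'LoadModule nss_module modules/libmodnss.so\n' > "$dir/nss.conf"
    printf 'LoadModule ssl_module modules/mod_ssl.so\n'   > "$dir/ssl.conf"
    printf '%s\n' "$dir"
}

demo=$(make_demo_conf)
if webui_proxy_conflict "$demo"; then
    echo "conflict: mod_ssl and mod_nss are both loaded"
fi
rm -rf "$demo"
# Live use (path assumed to be the stock CentOS location):
#   webui_proxy_conflict /etc/httpd/conf.d && echo "mod_ssl is loaded alongside mod_nss"
```
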

Submitted by Guillaume Belanger (not registered) on Wed, 2008-09-24 05:06.

By now I guess you've realized I'm posting these as I go through the tutorial, which is why I posted so many small posts. Feel free to aggregate them into one.

When building IPA with the rpmbuild -bb command, I found that the process would die when running tg-agent with a traceback error report. I am not familiar with Python and it took me a while to decrypt the message: it was missing the Python library called 'kid'

 A simple: "easy_install kid" did the trick.

Submitted by Guillaume Belanger (not registered) on Wed, 2008-09-24 04:32.

When using:

 yum install /usr/src/redhat/RPMS/*/*.rpm

 The process will halt and display an error stating that some package is not signed.

 In order to prevent this, all yum commands executed on built packages can be run like this:

yum --nogpgcheck install /path/to/packages/*.rpm

Submitted by Guillaume Belanger (not registered) on Wed, 2008-09-24 04:25.

The line:

rpmbuild --rebuild TurboGears*.rpm krb5-server-ldap*.rpm python-kerberos python-tgexpandingformwidget*.rpm mod_nss*.rpm

When building TurboGears and others, is broken. The python-kerberos part should read python-kerberos*.rpm

 Otherwise the build process will halt in the middle.

Submitted by Guillaume Belan... (not registered) on Wed, 2008-09-24 04:13.

Regarding the rebuild process (Build Turbogears and krb5 packages first), I got stuck at a missing package: "python-setuptools-devel"

This package, although referenced earlier in your howto, was not available from any of my centos repositories.

For some reason, building the "python-setuptools" package individually and installing it first allowed me to run the rest of the rebuild without problems.

 Just thought this should be corrected, as this is not an obvious problem.

Submitted by Johnny Hughes (not registered) on Thu, 2009-10-01 17:07.
For the record, we now have this in the CentOS testing repository.