Comments on How To Build Red Hat Enterprise IPA RPMs For CentOS 5
How To Build Red Hat Enterprise IPA RPMs For CentOS 5
FreeIPA has existed for some time as RHE IPA for Red Hat Linux and has been added into Fedora. Still, since it is an extra add-on to RHEL, CentOS hasn't gotten it rebuilt yet. That's a shame because FreeIPA is an easy to configure, easy to manage security information management solution. If, like me, you want to use IPA with CentOS, this tutorial is for you.
12 Comment(s)
Comments
I'm not sure if it's temporary or meant to be permanent but I also just found a repository with the compiled RHEIPA RPMs at http://www.math.ias.edu/PU_IAS/RHEIPA/5.2/ which contains both i386 and x86_64 RPMs. I'm not associated with that website at all and can't vouch for them so if you're concerned with trusting random RPMs someone found through Google (and you should be ;) I still recommend you build your own. But then again if you're just making a proof-of-concept setup it's probably easier to try those.
Regarding the rebuild process (Build Turbogears and krb5 packages first), I got stuck at a missing package: "python-setuptools-devel"
This package, although referenced earlier in your howto, was not available from any of my CentOS repositories.
For some reason, building the "python-setuptools" package individually and installing it first allowed me to run the rest of the rebuild without problems.
Just thought this should be corrected, as this is not an obvious problem.
For the record, we now have this in the CentOS testing repository.
The line:
rpmbuild --rebuild TurboGears*.rpm krb5-server-ldap*.rpm python-kerberos python-tgexpandingformwidget*.rpm mod_nss*.rpm
When building TurboGears and others, is broken. The python-kerberos part should read python-kerberos*.rpm
Otherwise the build process will halt in the middle.
When using:
yum install /usr/src/redhat/RPMS/*/*.rpm
The process will halt and display an error stating that some package is not signed.
In order to prevent this, all yum commands executed on built packages can be run like this:
yum --nogpgcheck install /path/to/packages/*.rpm
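An added example, not part of the original comment: because `--nogpgcheck` makes yum accept whatever matches the `RPMS/*/*.rpm` glob, this gate compares the directory against a SHA-256 manifest written at build time before the install runs. It assumes `sha256sum` is available and that the manifest (the path shown is hypothetical) is kept where only the builder can write it.

```sh
#!/bin/sh
# Added example: integrity gate for unsigned, locally built RPMs.
# The manifest path in the usage comment is hypothetical.

# write_manifest DIR MANIFEST
# Run on the build host right after rpmbuild: record a SHA-256 line for
# every *.rpm below DIR (paths are stored relative to DIR).
write_manifest() {
    ( cd "$1" && find . -name '*.rpm' -type f -exec sha256sum {} + | sort -k2 ) > "$2"
}

# verify_manifest DIR MANIFEST
# Run before installing. Returns non-zero when a listed package is missing
# or modified, or when DIR holds an RPM the manifest does not list (the
# RPMS/*/*.rpm glob would otherwise install it too).
verify_manifest() {
    dir=$1
    manifest=$2
    # 1. Every listed package must still hash to the recorded value.
    ( cd "$dir" && sha256sum -c - >/dev/null 2>&1 ) < "$manifest" || {
        echo "verify_manifest: checksum mismatch or missing package" >&2
        return 1
    }
    # 2. The set of RPMs on disk must equal the set in the manifest.
    listed=$(sed 's/^[0-9a-f]*  //' "$manifest" | sort)
    present=$(cd "$dir" && find . -name '*.rpm' -type f | sort)
    [ "$listed" = "$present" ] || {
        echo "verify_manifest: unlisted RPM present in $dir" >&2
        return 1
    }
}

# Usage:
#   write_manifest  /usr/src/redhat/RPMS /root/ipa-rpms.sha256
#   verify_manifest /usr/src/redhat/RPMS /root/ipa-rpms.sha256 &&
#       yum --nogpgcheck install /usr/src/redhat/RPMS/*/*.rpm
```

An empty manifest fails verification, so the gate fails closed when the build produced no packages.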
By now I guess you've realized I'm posting these as I go through the tutorial, which is why I posted so many small posts. Feel free to aggregate them into one.
When building IPA with the rpmbuild -bb command, I found that the process would die when running tg-agent with a traceback error report. I am not familiar with Python and it took me a while to decrypt the message: it was missing the Python library called 'kid'
A simple: "easy_install kid" did the trick.
When installing the ipa-server RPM, yum fails with a warning that ipa-server conflicts with mod_ssl.
I checked mod_ssl files and they do not conflict with any file from the ipa-server package. However, yum is pretty strict with conflicts and dependencies.
My solution was to use rpm -Uvh --nodeps ipa-server*.rpm to bypass this (seemingly unfounded) limitation.
There are 2 SSL engines for Apache: mod_ssl (which uses OpenSSL) and mod_nss (which uses NSS).
The mod_ssl conflict is not that there are files that will conflict but that mod_ssl conflicts with mod_nss when using mod_proxy.
mod_proxy has a single API for proxying SSL. mod_nss will advertise those functions only if mod_ssl is not loaded. Simply loading mod_ssl is enough to cause mod_nss to not register the functions.
The result is that the webui won't work.
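An added example, not part of the original comments: a static check that flags the state described above, where mod_ssl is loaded alongside mod_nss. It assumes the usual `LoadModule ssl_module` / `LoadModule nss_module` directive names and scans only `*.conf` files under the directory given; the function names are illustrative.

```sh
#!/bin/sh
# Added example: detect mod_ssl being loaded next to mod_nss in an Apache
# configuration tree (e.g. /etc/httpd). Function names are illustrative.

# loaded_tls_modules CONF_ROOT
# Print, one per line and sorted, which of ssl_module / nss_module are
# enabled by an active (uncommented) LoadModule directive.
loaded_tls_modules() {
    find "$1" -name '*.conf' -type f -exec cat {} + |
        awk 'tolower($1) == "loadmodule" &&
             ($2 == "ssl_module" || $2 == "nss_module") { print $2 }' |
        sort -u
}

# check_ipa_webui_tls CONF_ROOT
# 0: only mod_nss is loaded
# 1: both are loaded (mod_nss will not register the proxy SSL functions)
# 2: mod_nss is not loaded at all
check_ipa_webui_tls() {
    mods=$(loaded_tls_modules "$1")
    case "$mods" in
        *nss_module*ssl_module*)
            echo "CONFLICT: mod_ssl and mod_nss are both loaded"
            return 1 ;;
        *nss_module*)
            echo "OK: mod_nss loaded, mod_ssl not loaded"
            return 0 ;;
        *)
            echo "mod_nss is not loaded"
            return 2 ;;
    esac
}

# Usage: check_ipa_webui_tls /etc/httpd
```

The check reads configuration files only; it does not follow `Include` paths outside the given directory or evaluate `<IfModule>` blocks.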
Just want to add a note that it's quite important to have the right devel packages installed. So if you're on a 64-bit system ensure that you have the corresponding devel packages installed, e.g. krb5-devel.x86_64, otherwise the build will fail. I discovered that yum sometimes installs the i386 devel package.
If the installer gives you the error:
Error: Missing Dependency: python-pyasn1 is needed by package ipa-server
You need to download python-pyasn1-0.0.8a-2.fc11.src.rpm, rebuild with:
rpmbuild --rebuild python-pyasn1-0.0.8a-2.fc11.src.rpm
And install:
rpm -i /usr/src/redhat/RPMS/noarch/python-pyasn1-0.0.8a-2.noarch.rpm
Then you can safely continue with
yum install /usr/src/redhat/RPMS/*/*.rpm
When I installed on a client machine, ipa-client-install couldn't find the ldap server via DNS, so it hard-coded the value in /etc/ldap.conf. I'm using two IPA replicas, so this is not good. I solved this by removing the installed version of nss_ldap and compiling the Fedora 10 nss_ldap source rpm, and now everything seems to work.
This went almost completely flawlessly. Some ugly notes I took while following this howto below.
- Install the dependencies before enabling the testing repo. Otherwise testing will install httpd-2.2.8 rather than the normal 2.2.3
- Install rpmdevtools
- run rpmdev-setuptree
- append the following to your .rpmmacros
- %packager Your Name <[email protected]>
- %vendor Your Company
- The following line has a typo. 'python-kerberos' should be 'python-kerberos*'.
rpmbuild --rebuild TurboGears-1.0.3.2-7.el5ipa.src.rpm krb5-server-ldap-1.6.1-26.el5ipa.src.rpm python-kerberos python-tgexpandingformwidget-0.1.3-5.el5ipa.src.rpm mod_nss-1.0.3-5.el5ipa.src.rpm
- Delete those extra garbage rpms. rm ../rpmbuild/RPMS/x86_64/*debuginfo*
- To install the krb and python packages created in the repo, yum --nogpgcheck install ~builder/rpmbuild/RPMS/*/*.rpm
Building IPA
cd srcbuild
mkdir done
mv TurboGears-1.0.3.2-7.el5ipa.src.rpm done/
mv krb5-server-ldap-1.6.1-26.el5ipa.src.rpm done/
mv python-kerberos-1.0-5.el5ipa.src.rpm done/
mv python-tgexpandingformwidget-0.1.3-5.el5ipa.src.rpm done/
mv mod_nss-1.0.3-5.el5ipa.src.rpm done/
rpm -Uvh ipa-1.0.0-23.el5ipa.src.rpm
mv ipa-1.0.0-23.el5ipa.src.rpm done/
cd ../rpmbuild/SPECS/
mv ipa.spec ipa.spec.save
sed -e "s/redhat-ds/centos-ds/g" ipa.spec.save > ipa.spec
rpmbuild -bb ipa.spec
Building the rest.
cd ~/srcbuild
rpmbuild --rebuild *.rpm