IntenseWebs/freeipa
3
0
Fork 0
mirror of https://salsa.debian.org/freeipa-team/freeipa.git synced 2025-02-25 18:55:28 -06:00
Code Issues Packages Projects Releases Wiki Activity

Merge branch 'master-next' into master-next-exp

Browse Source
This commit is contained in:
Timo Aaltonen
2015-10-03 08:55:34 +03:00
parent 0fc2672e01 2c1bb40f78
commit cae5fe17e6
16 changed files with 440 additions and 35 deletions
Download Patch File Download Diff File Expand all files Collapse all files

35
debian/changelog vendored
View File

@@ -1,6 +1,6 @@
freeipa (4.1.4-1) UNRELEASED; urgency=medium
freeipa (4.1.4-1) experimental; urgency=medium
* New upstream release.
* New upstream release. (LP: #1492226)
- Refresh patches
- platform-support.diff: Added NAMED_VAR_DIR.
- fix-bind-conf.diff: Dropped, obsolete with above.
@@ -8,9 +8,36 @@ freeipa (4.1.4-1) UNRELEASED; urgency=medium
missing the dependencies for now.
* control: Add python-usb to build-depends and to python-freeipa
depends.
* control: Bump libsss-nss-idmap-dev build-dep.
* control: Bump SSSD dependencies.
* control: Add libsofthsm2-dev to build-depends and softhsm2 to server
depends.
* freeipa-{server,client}.install: Add new files.
* control: Bump Depends on slapi-nis for CVE fixes.
* control: Bump 389-ds-base, pki-ca depends.
* control: Drop dogtag-pki-server-theme from server depends, it's not
needed.
* control: Server needs newer python-ldap, bump build-dep too.
* control: Bump certmonger depends.
* control: Bump python-nss depends.
* freeipa-client: Add /etc/ipa/nssdb, rework /etc/pki/nssdb handling.
* platform: Add DebianNamedService.
* platform, disable-dnssec-support.patch: Fix named.conf template.
* server.postinst: Run ipa-ldap-updater and ipa-upgradeconfig on
postinst.
* Revert DNSSEC changes to schema and ACI, makes upgrade tools fail.
* server.postrm: Clean logs on purge and disable apache modules on
remove/purge.
-- Timo Aaltonen <tjaalton@debian.org> Thu, 02 Apr 2015 13:16:49 +0300
-- Timo Aaltonen <tjaalton@debian.org> Fri, 25 Sep 2015 14:07:40 +0300
freeipa (4.0.5-6) unstable; urgency=medium
* control Add gnupg-agent to python-freeipa depends, and change gnupg
to gnupg2. (LP: #1492184)
* Rebuild against current krb5, there was an abi break which broke at
least the setup phase.
-- Timo Aaltonen <tjaalton@debian.org> Thu, 24 Sep 2015 23:22:24 +0300
freeipa (4.0.5-5) unstable; urgency=medium

35
debian/control vendored
View File

@@ -4,7 +4,7 @@ Priority: extra
Maintainer: Debian FreeIPA Team <pkg-freeipa-devel@lists.alioth.debian.org>
Uploaders: Timo Aaltonen <tjaalton@debian.org>
Build-Depends:
389-ds-base-dev (>= 1.3.3.2),
389-ds-base-dev (>= 1.3.3.8),
check,
debhelper (>= 9),
dh-autoreconf,
@@ -22,9 +22,10 @@ Build-Depends:
libpopt-dev,
librhino-java,
libsasl2-dev,
libsofthsm2-dev,
libssl-dev,
libsss-idmap-dev,
libsss-nss-idmap-dev (>= 1.12.2),
libsss-nss-idmap-dev (>= 1.12.3),
libsvrcore-dev,
libtalloc-dev,
libtevent-dev,
@@ -35,20 +36,20 @@ Build-Depends:
python-dnspython (>= 1.11.1),
python-kerberos,
python-krbv,
python-ldap,
python-ldap (>= 2.4.15),
python-lesscpy,
python-libipa-hbac,
python-lxml,
python-memcache,
python-netaddr,
python-nose,
python-nss,
python-nss (>= 0.16.0),
python-openssl,
python-polib,
python-pyasn1,
python-qrcode (>= 5.0.0),
python-setuptools,
python-sss (>= 1.8.0),
python-sss (>= 1.12.3),
python-usb (>= 1.0.0~b2),
python-yubico,
rhino,
@@ -63,13 +64,12 @@ Homepage: http://www.freeipa.org
Package: freeipa-server
Architecture: any
Depends:
389-ds-base (>= 1.3.3.5-2~),
389-ds-base (>= 1.3.3.8),
acl,
apache2,
bind9,
bind9-dyndb-ldap (>= 6.0-4~),
certmonger (>= 0.75.14),
dogtag-pki-server-theme,
certmonger (>= 0.76.8),
fonts-font-awesome,
freeipa-admintools (= ${binary:Version}),
freeipa-client (= ${binary:Version}),
@@ -87,13 +87,14 @@ Depends:
libsasl2-modules-gssapi-mit,
memcached,
ntp,
pki-ca,
pki-ca (>= 10.2.1),
python-dateutil,
python-freeipa (= ${binary:Version}),
python-krbv,
python-ldap,
python-ldap (>= 2.4.15),
python-pyasn1,
slapi-nis (>= 0.54),
slapi-nis (>= 0.54.2),
softhsm2,
systemd-sysv,
${misc:Depends},
${python:Depends},
@@ -132,7 +133,7 @@ Package: freeipa-client
Architecture: any
Depends:
bind9utils,
certmonger,
certmonger (>= 0.76.8),
dnsutils,
krb5-user,
libcurl3 (>= 7.22.0),
@@ -144,7 +145,7 @@ Depends:
python-freeipa (= ${binary:Version}),
python-krbv,
python-ldap,
sssd (>= 1.11.1),
sssd (>= 1.12.3),
wget,
${misc:Depends},
${python:Depends},
@@ -190,8 +191,7 @@ Depends:
xz-utils,
${misc:Depends},
${python:Depends}
Recommends:
python-yaml,
Recommends: python-yaml
Description: FreeIPA centralized identity framework -- tests
FreeIPA is an integrated solution to provide centrally managed Identity
(machine, user, virtual machines, groups, authentication credentials), Policy
@@ -204,7 +204,8 @@ Package: python-freeipa
Architecture: any
Section: python
Depends:
gnupg,
gnupg2,
gnupg-agent,
iproute,
keyutils,
python-dbus,
@@ -216,7 +217,7 @@ Depends:
python-lxml,
python-memcache,
python-netaddr,
python-nss,
python-nss (>= 0.16.0),
python-openssl,
python-pyasn1,
python-qrcode (>= 5.0.0),

1
debian/freeipa-client.dirs vendored
View File

@@ -1,3 +1,4 @@
etc/ipa
etc/ipa/nssdb
etc/pki/nssdb
var/lib/ipa-client/sysrestore

2
debian/freeipa-client.install vendored
View File

@@ -1,9 +1,11 @@
usr/lib/python*/dist-packages/ipaclient/*.py
usr/sbin/ipa-certupdate
usr/sbin/ipa-client-automount
usr/sbin/ipa-client-install
usr/sbin/ipa-getkeytab
usr/sbin/ipa-join
usr/sbin/ipa-rmkeytab
usr/share/man/man1/ipa-certupdate.1.gz
usr/share/man/man1/ipa-client-automount.1.gz
usr/share/man/man1/ipa-client-install.1.gz
usr/share/man/man1/ipa-getkeytab.1.gz

13
debian/freeipa-client.postinst vendored
View File

@@ -2,14 +2,23 @@
set -e
if [ "$1" = configure ]; then
if [ ! -e /etc/pki/nssdb ]; then
if [ ! -f /etc/pki/nssdb/cert8.db ]; then
tmp=$(mktemp) || exit
printf "\n" > $tmp
mkdir -p /etc/pki/nssdb
certutil -N -d /etc/pki/nssdb -f $tmp
chmod 644 /etc/pki/nssdb/*
rm $tmp
fi
if [ ! -f /etc/ipa/nssdb/cert8.db ]; then
python2 -c 'from ipapython.certdb import create_ipa_nssdb; create_ipa_nssdb()' >/dev/null 2>&1
tmp=$(mktemp) || exit
if certutil -L -d /etc/pki/nssdb -n 'IPA CA' -a >"$tmp" 2>/var/log/ipaupgrade.log; then
certutil -A -d /etc/ipa/nssdb -n 'IPA CA' -t CT,C,C -a -i "$tmp" >/var/log/ipaupgrade.log 2>&1
elif certutil -L -d /etc/pki/nssdb -n 'External CA cert' -a >"$tmp" 2>/var/log/ipaupgrade.log; then
certutil -A -d /etc/ipa/nssdb -n 'External CA cert' -t C,, -a -i "$tmp" >/var/log/ipaupgrade.log 2>&1
fi
rm -f "$tmp"
fi
fi
if [ ! -e /run/ipa ]; then

8
debian/freeipa-client.postrm vendored
View File

@@ -7,6 +7,14 @@ if [ "$1" = purge ]; then
rm -f /etc/pki/nssdb/cert8.db \
/etc/pki/nssdb/key3.db \
/etc/pki/nssdb/secmod.db
rm -f /etc/ipa/nssdb/cert8.db \
/etc/ipa/nssdb/key3.db \
/etc/ipa/nssdb/pwdfile.txt \
/etc/ipa/nssdb/secmod.db \
/etc/ipa/nssdb/*.orig
rmdir /etc/pki/nssdb || true
rmdir /etc/ipa/nssdb || true
rmdir /etc/ipa || true
fi
#DEBHELPER#

7
debian/freeipa-server.install vendored
View File

@@ -2,11 +2,13 @@ etc/default/ipa_memcached
etc/ipa/html/*
lib/systemd/system/*
usr/lib/*/certmonger/dogtag-ipa-ca-renew-agent-submit
usr/lib/*/certmonger/ipa-server-guard
usr/lib/*/dirsrv/plugins/libipa_cldap.so
usr/lib/*/dirsrv/plugins/libipa_dns.so
usr/lib/*/dirsrv/plugins/libipa_enrollment_extop.so
usr/lib/*/dirsrv/plugins/libipa_lockout.so
usr/lib/*/dirsrv/plugins/libipa_modrdn.so
usr/lib/*/dirsrv/plugins/libipa_otp_counter.so
usr/lib/*/dirsrv/plugins/libipa_otp_lasttoken.so
usr/lib/*/dirsrv/plugins/libipa_pwd_extop.so
usr/lib/*/dirsrv/plugins/libipa_range_check.so
@@ -22,6 +24,7 @@ usr/lib/python*/dist-packages/ipaserver/install/__init__.py
usr/lib/python*/dist-packages/ipaserver/install/bindinstance.py
usr/lib/python*/dist-packages/ipaserver/install/cainstance.py
usr/lib/python*/dist-packages/ipaserver/install/certs.py
usr/lib/python*/dist-packages/ipaserver/install/dnskeysyncinstance.py
usr/lib/python*/dist-packages/ipaserver/install/dsinstance.py
usr/lib/python*/dist-packages/ipaserver/install/httpinstance.py
usr/lib/python*/dist-packages/ipaserver/install/installutils.py
@@ -30,6 +33,8 @@ usr/lib/python*/dist-packages/ipaserver/install/krbinstance.py
usr/lib/python*/dist-packages/ipaserver/install/ldapupdate.py
usr/lib/python*/dist-packages/ipaserver/install/memcacheinstance.py
usr/lib/python*/dist-packages/ipaserver/install/ntpinstance.py
usr/lib/python*/dist-packages/ipaserver/install/odsexporterinstance.py
usr/lib/python*/dist-packages/ipaserver/install/opendnssecinstance.py
usr/lib/python*/dist-packages/ipaserver/install/otpdinstance.py
usr/lib/python*/dist-packages/ipaserver/install/plugins
usr/lib/python*/dist-packages/ipaserver/install/replication.py
@@ -42,6 +47,7 @@ usr/lib/python*/dist-packages/ipaserver/rpcserver*
usr/sbin/ipa-advise
usr/sbin/ipa-backup
usr/sbin/ipa-ca-install
usr/sbin/ipa-cacert-manage
usr/sbin/ipa-compat-manage
usr/sbin/ipa-csreplica-manage
usr/sbin/ipa-dns-install
@@ -77,6 +83,7 @@ usr/share/ipa/wsgi/*
usr/share/man/man1/ipa-advise.1*
usr/share/man/man1/ipa-backup.1*
usr/share/man/man1/ipa-ca-install.1*
usr/share/man/man1/ipa-cacert-manage.1*
usr/share/man/man1/ipa-compat-manage.1*
usr/share/man/man1/ipa-csreplica-manage.1*
usr/share/man/man1/ipa-dns-install.1*

4
debian/freeipa-server.links vendored
View File

@@ -1,8 +1,8 @@
/etc/ipa/html/browserconfig.html usr/share/ipa/html/browserconfig.html
/etc/ipa/html/ffconfig.js usr/share/ipa/html/ffconfig.js
/etc/ipa/html/ffconfig_page.js usr/share/ipa/html/ffconfig_page.js
/etc/ipa/html/ssbrowser.html usr/share/ipa/html/ssbrowser.html
/etc/ipa/html/unauthorized.html usr/share/ipa/html/unauthorized.html
/etc/ipa/html/browserconfig.html usr/share/ipa/html/browserconfig.html
/usr/share/javascript/prototype/prototype.js /usr/share/ipa/ipagui/static/javascript/prototype.js
/usr/share/javascript/scriptaculous/scriptaculous.js /usr/share/ipa/ipagui/static/javascript/scriptaculous.js
/usr/share/javascript/scriptaculous/effects.js /usr/share/ipa/ipagui/static/javascript/effects.js
/usr/share/javascript/scriptaculous/scriptaculous.js /usr/share/ipa/ipagui/static/javascript/scriptaculous.js

9
debian/freeipa-server.postinst vendored
View File

@@ -27,6 +27,15 @@ if [ "$1" = configure ]; then
fi
fi
chown root:bind /var/cache/bind/data
# check if IPA is set up
is_configured=`python2 -c 'from ipaserver.install import installutils; print "yes" if installutils.is_ipa_configured() else "no";'`
if [ $is_configured = yes ]; then
echo "Running ipa-ldap-updater..."
ipa-ldap-updater --upgrade --quiet >/dev/null
echo "Running ipa-upgradeconfig..."
ipa-upgradeconfig --quiet >/dev/null
fi
fi
if [ ! -e /run/ipa_memcached ]; then

42
debian/freeipa-server.postrm vendored Normal file
View File

@@ -0,0 +1,42 @@
#!/bin/sh
set -e
case "$1" in
remove|purge)
if [ -e /usr/share/apache2/apache2-maintscript-helper ]; then
. /usr/share/apache2/apache2-maintscript-helper
if [ -e /etc/apache2/mods-enabled/auth_kerb.load ]; then
apache2_invoke dismod auth_kerb || exit $?
fi
if [ -e /etc/apache2/mods-enabled/authz_user.load ]; then
apache2_invoke dismod authz_user || exit $?
fi
if [ -e /etc/apache2/mods-enabled/deflate.load ]; then
apache2_invoke dismod deflate || exit $?
fi
if [ -e /etc/apache2/mods-enabled/expires.load ]; then
apache2_invoke dismod expires || exit $?
fi
if [ -e /etc/apache2/mods-enabled/headers.load ]; then
apache2_invoke dismod headers || exit $?
fi
if [ -e /etc/apache2/mods-enabled/proxy.load ]; then
apache2_invoke dismod proxy || exit $?
fi
if [ -e /etc/apache2/mods-enabled/rewrite.load ]; then
apache2_invoke dismod rewrite || exit $?
fi
fi
;;
esac
case "$1" in
purge)
rm -f \
/var/log/ipareplica-conncheck.log \
/var/log/ipareplica-install.log \
/var/log/ipaserver-install.log \
/var/log/ipaserver-uninstall.log \
/var/log/ipaupgrade.log
;;
esac

31
debian/patches/add-debian-platform.diff vendored
View File

@@ -105,7 +105,7 @@ Date: Fri Mar 1 12:21:00 2013 +0200
+paths = DebianPathNamespace()
--- /dev/null
+++ b/ipaplatform/debian/services.py
@@ -0,0 +1,184 @@
@@ -0,0 +1,198 @@
+# Authors:
+# Timo Aaltonen <tjaalton@ubuntu.com>
+#
@@ -247,6 +247,20 @@ Date: Fri Mar 1 12:21:00 2013 +0200
+ def get_config_dir(self, instance_name=""):
+ return '/etc/ssh'
+
+class DebianNamedService(DebianSysvService):
+ def get_user_name(self):
+ return u'bind'
+
+ def get_group_name(self):
+ return u'bind'
+
+ def get_binary_path(self):
+ return paths.NAMED
+
+ def get_package_name(self):
+ return u'bind9'
+
+
+# Function that constructs proper Debian-specific server classes for services
+# of specified name
+
@@ -266,7 +280,7 @@ Date: Fri Mar 1 12:21:00 2013 +0200
+ if name == 'messagebus':
+ return DebianSysvService("dbus")
+ if name == 'named':
+ return DebianSysvService("bind9")
+ return DebianNamedService("bind9")
+ if name == 'ntpd':
+ return DebianSysvService("ntp")
+ if name == 'sshd':
@@ -541,3 +555,16 @@ Date: Fri Mar 1 12:21:00 2013 +0200
PIDFile=/var/run/ipa_memcached/ipa_memcached.pid
ExecStart=/usr/bin/memcached -d -s $SOCKET_PATH -u $USER -m $CACHESIZE -c $MAXCONN -P /var/run/ipa_memcached/ipa_memcached.pid $OPTIONS
--- a/install/share/bind.named.conf.template
+++ b/install/share/bind.named.conf.template
@@ -38,10 +38,6 @@ logging {
};
};
-zone "." IN {
- type hint;
- file "named.ca";
-};
include "$RFC1912_ZONES";
include "$ROOT_KEY";

35
debian/patches/disable-dnssec-support.patch vendored
View File

@@ -19,15 +19,28 @@ Subject: [PATCH] Disable DNSSEC support
--- a/install/share/bind.named.conf.template
+++ b/install/share/bind.named.conf.template
@@ -18,7 +18,7 @@ options {
@@ -18,12 +18,8 @@ options {
pid-file "$NAMED_PID";
dnssec-enable yes;
- dnssec-validation yes;
+ dnssec-validation no;
/* Path to ISC DLV key */
bindkeys-file "$BINDKEYS_FILE";
- /* Path to ISC DLV key */
- bindkeys-file "$BINDKEYS_FILE";
-
- managed-keys-directory "$MANAGED_KEYS_DIR";
};
/* If you want to enable debugging, eg. using the 'rndc trace' command,
@@ -40,7 +36,6 @@ logging {
include "$RFC1912_ZONES";
-include "$ROOT_KEY";
dynamic-db "ipa" {
library "ldap.so";
--- a/install/tools/ipa-dns-install
+++ b/install/tools/ipa-dns-install
@@ -23,8 +23,7 @@ from optparse import OptionGroup, SUPPRE
@@ -370,14 +383,20 @@ Subject: [PATCH] Disable DNSSEC support
cleanup_kdc(fstore)
cleanup_adtrust(fstore)
setup_firefox_extension(fstore)
@@ -1462,7 +1453,6 @@ def main():
named_bindkey_file_option(),
named_managed_keys_dir_option(),
named_root_key_include(),
@@ -1457,13 +1448,6 @@ def main():
named_enable_serial_autoincrement(),
named_update_gssapi_configuration(),
named_update_pid_file(),
- named_enable_dnssec(),
- named_validate_dnssec(),
- named_bindkey_file_option(),
- named_managed_keys_dir_option(),
- named_root_key_include(),
- mask_named_regular(),
fix_dyndb_ldap_workdir_permissions(),
- fix_dyndb_ldap_workdir_permissions(),
)
if any(named_conf_changes):
--- a/ipalib/plugins/dns.py
+++ b/ipalib/plugins/dns.py
@@ -2617,7 +2617,9 @@ class dnszone(DNSZoneBase):

98
debian/patches/revert-dnssec-aci.diff vendored Normal file
View File

@@ -0,0 +1,98 @@
commit d37678b62dc588180b7207dd9226f1e328f995eb
Author: Timo Aaltonen <tjaalton@debian.org>
Date: Fri Sep 25 06:28:37 2015 +0300
Revert "DNSSEC: ACI"
This reverts commit 4ddc978cea5229f6429221a37cc657b88a734736.
diff --git a/ACI.txt b/ACI.txt
index 933b57c..12726ee 100644
--- a/ACI.txt
+++ b/ACI.txt
@@ -39,14 +39,8 @@ aci: (targetattr = "idnsallowsyncptr || idnsforwarders || idnsforwardpolicy || i
dn: dc=ipa,dc=example
aci: (target = "ldap:///idnsname=*,cn=dns,dc=ipa,dc=example")(version 3.0;acl "permission:System: Add DNS Entries";allow (add) groupdn = "ldap:///cn=System: Add DNS Entries,cn=permissions,cn=pbac,dc=ipa,dc=example";)
dn: dc=ipa,dc=example
-aci: (targetattr = "ipaprivatekey || ipapublickey || ipasecretkey || ipasecretkeyref || ipawrappingkey || ipawrappingmech || ipk11allowedmechanisms || ipk11alwaysauthenticate || ipk11alwayssensitive || ipk11checkvalue || ipk11copyable || ipk11decrypt || ipk11derive || ipk11destroyable || ipk11distrusted || ipk11encrypt || ipk11enddate || ipk11extractable || ipk11id || ipk11keygenmechanism || ipk11keytype || ipk11label || ipk11local || ipk11modifiable || ipk11neverextractable || ipk11private || ipk11publickeyinfo || ipk11sensitive || ipk11sign || ipk11signrecover || ipk11startdate || ipk11subject || ipk11trusted || ipk11uniqueid || ipk11unwrap || ipk11unwraptemplate || ipk11verify || ipk11verifyrecover || ipk11wrap || ipk11wraptemplate || ipk11wrapwithtrusted || objectclass")(target = "ldap:///cn=keys,cn=sec,cn=dns,dc=ipa,dc=example")(version 3.0;acl "permission:System: Manage DNSSEC keys";allow (all) groupdn = "ldap:///cn=System: Manage DNSSEC keys,cn=permissions,cn=pbac,dc=ipa,dc=example";)
-dn: dc=ipa,dc=example
-aci: (targetattr = "cn || idnssecalgorithm || idnsseckeyactivate || idnsseckeycreated || idnsseckeydelete || idnsseckeyinactive || idnsseckeypublish || idnsseckeyref || idnsseckeyrevoke || idnsseckeysep || idnsseckeyzone || objectclass")(target = "ldap:///cn=dns,dc=ipa,dc=example")(targetfilter = "(objectclass=idnsSecKey)")(version 3.0;acl "permission:System: Manage DNSSEC metadata";allow (all) groupdn = "ldap:///cn=System: Manage DNSSEC metadata,cn=permissions,cn=pbac,dc=ipa,dc=example";)
-dn: dc=ipa,dc=example
aci: (targetattr = "a6record || aaaarecord || afsdbrecord || arecord || certrecord || cn || cnamerecord || createtimestamp || dlvrecord || dnamerecord || dnsclass || dnsttl || dsrecord || entryusn || hinforecord || idnsallowdynupdate || idnsallowquery || idnsallowsyncptr || idnsallowtransfer || idnsforwarders || idnsforwardpolicy || idnsname || idnssecinlinesigning || idnssoaexpire || idnssoaminimum || idnssoamname || idnssoarefresh || idnssoaretry || idnssoarname || idnssoaserial || idnsupdatepolicy || idnszoneactive || keyrecord || kxrecord || locrecord || managedby || mdrecord || minforecord || modifytimestamp || mxrecord || naptrrecord || nsec3paramrecord || nsecrecord || nsrecord || nxtrecord || objectclass || ptrrecord || rrsigrecord || sigrecord || srvrecord || sshfprecord || tlsarecord || txtrecord")(target = "ldap:///idnsname=*,cn=dns,dc=ipa,dc=example")(version 3.0;acl "permission:System: Read DNS Entries";allow (compare,read,search) groupdn = "ldap:///cn=System: Read DNS Entries,cn=permissions,cn=pbac,dc=ipa,dc=example";)
dn: dc=ipa,dc=example
-aci: (targetattr = "cn || createtimestamp || entryusn || idnssecalgorithm || idnsseckeyactivate || idnsseckeycreated || idnsseckeydelete || idnsseckeyinactive || idnsseckeypublish || idnsseckeyref || idnsseckeyrevoke || idnsseckeysep || idnsseckeyzone || modifytimestamp || objectclass")(target = "ldap:///cn=dns,dc=ipa,dc=example")(targetfilter = "(objectclass=idnsSecKey)")(version 3.0;acl "permission:System: Read DNSSEC metadata";allow (compare,read,search) groupdn = "ldap:///cn=System: Read DNSSEC metadata,cn=permissions,cn=pbac,dc=ipa,dc=example";)
-dn: dc=ipa,dc=example
aci: (target = "ldap:///idnsname=*,cn=dns,dc=ipa,dc=example")(version 3.0;acl "permission:System: Remove DNS Entries";allow (delete) groupdn = "ldap:///cn=System: Remove DNS Entries,cn=permissions,cn=pbac,dc=ipa,dc=example";)
dn: dc=ipa,dc=example
aci: (targetattr = "a6record || aaaarecord || afsdbrecord || arecord || certrecord || cn || cnamerecord || dlvrecord || dnamerecord || dnsclass || dnsttl || dsrecord || hinforecord || idnsallowdynupdate || idnsallowquery || idnsallowsyncptr || idnsallowtransfer || idnsforwarders || idnsforwardpolicy || idnsname || idnssecinlinesigning || idnssoaexpire || idnssoaminimum || idnssoamname || idnssoarefresh || idnssoaretry || idnssoarname || idnssoaserial || idnsupdatepolicy || idnszoneactive || keyrecord || kxrecord || locrecord || managedby || mdrecord || minforecord || mxrecord || naptrrecord || nsec3paramrecord || nsecrecord || nsrecord || nxtrecord || ptrrecord || rrsigrecord || sigrecord || srvrecord || sshfprecord || tlsarecord || txtrecord")(target = "ldap:///idnsname=*,cn=dns,dc=ipa,dc=example")(version 3.0;acl "permission:System: Update DNS Entries";allow (write) groupdn = "ldap:///cn=System: Update DNS Entries,cn=permissions,cn=pbac,dc=ipa,dc=example";)
diff --git a/ipalib/plugins/dns.py b/ipalib/plugins/dns.py
index f589ab5..ccca6d1 100644
--- a/ipalib/plugins/dns.py
+++ b/ipalib/plugins/dns.py
@@ -2471,7 +2471,6 @@ class dnszone(DNSZoneBase):
),
)
# Permissions will be apllied for forwardzones too
- # Store permissions into api.env.basedn, dns container could not exists
managed_permissions = {
'System: Add DNS Entries': {
'non_object': True,
@@ -2546,58 +2545,6 @@ class dnszone(DNSZoneBase):
],
'default_privileges': {'DNS Administrators', 'DNS Servers'},
},
- 'System: Read DNSSEC metadata': {
- 'non_object': True,
- 'ipapermright': {'read', 'search', 'compare'},
- 'ipapermlocation': api.env.basedn,
- 'ipapermtarget': DN('cn=dns', api.env.basedn),
- 'ipapermtargetfilter': ['(objectclass=idnsSecKey)'],
- 'ipapermdefaultattr': {
- 'idnsSecAlgorithm', 'idnsSecKeyCreated', 'idnsSecKeyPublish',
- 'idnsSecKeyActivate', 'idnsSecKeyInactive', 'idnsSecKeyDelete',
- 'idnsSecKeyZone', 'idnsSecKeyRevoke', 'idnsSecKeySep',
- 'idnsSecKeyRef', 'cn', 'objectclass',
- },
- 'default_privileges': {'DNS Administrators'},
- },
- 'System: Manage DNSSEC metadata': {
- 'non_object': True,
- 'ipapermright': {'all'},
- 'ipapermlocation': api.env.basedn,
- 'ipapermtarget': DN('cn=dns', api.env.basedn),
- 'ipapermtargetfilter': ['(objectclass=idnsSecKey)'],
- 'ipapermdefaultattr': {
- 'idnsSecAlgorithm', 'idnsSecKeyCreated', 'idnsSecKeyPublish',
- 'idnsSecKeyActivate', 'idnsSecKeyInactive', 'idnsSecKeyDelete',
- 'idnsSecKeyZone', 'idnsSecKeyRevoke', 'idnsSecKeySep',
- 'idnsSecKeyRef', 'cn', 'objectclass',
- },
- 'default_privileges': {'DNS Servers'},
- },
- 'System: Manage DNSSEC keys': {
- 'non_object': True,
- 'ipapermright': {'all'},
- 'ipapermlocation': api.env.basedn,
- 'ipapermtarget': DN('cn=keys', 'cn=sec', 'cn=dns', api.env.basedn),
- 'ipapermdefaultattr': {
- 'ipaPublicKey', 'ipaPrivateKey', 'ipaSecretKey',
- 'ipaWrappingMech','ipaWrappingKey',
- 'ipaSecretKeyRef', 'ipk11Private', 'ipk11Modifiable', 'ipk11Label',
- 'ipk11Copyable', 'ipk11Destroyable', 'ipk11Trusted',
- 'ipk11CheckValue', 'ipk11StartDate', 'ipk11EndDate',
- 'ipk11UniqueId', 'ipk11PublicKeyInfo', 'ipk11Distrusted',
- 'ipk11Subject', 'ipk11Id', 'ipk11Local', 'ipk11KeyType',
- 'ipk11Derive', 'ipk11KeyGenMechanism', 'ipk11AllowedMechanisms',
- 'ipk11Encrypt', 'ipk11Verify', 'ipk11VerifyRecover', 'ipk11Wrap',
- 'ipk11WrapTemplate', 'ipk11Sensitive', 'ipk11Decrypt',
- 'ipk11Sign', 'ipk11SignRecover', 'ipk11Unwrap',
- 'ipk11Extractable', 'ipk11AlwaysSensitive',
- 'ipk11NeverExtractable', 'ipk11WrapWithTrusted',
- 'ipk11UnwrapTemplate', 'ipk11AlwaysAuthenticate',
- 'objectclass',
- },
- 'default_privileges': {'DNS Servers'},
- },
}
def _rr_zone_postprocess(self, record, **options):

131
debian/patches/revert-dnssec-schema.diff vendored Normal file
View File

@@ -0,0 +1,131 @@
commit 69cb61ab1ef5c232e4270b49388a8f730e89e84b
Author: Timo Aaltonen <tjaalton@debian.org>
Date: Fri Sep 25 06:02:29 2015 +0300
Revert "DNSSEC: schema"
This reverts commit 3f0440f1950319febabcf726304bc10954c8b2b8.
diff --git a/install/share/60basev3.ldif b/install/share/60basev3.ldif
index 4efb1fe..7ce7777 100644
--- a/install/share/60basev3.ldif
+++ b/install/share/60basev3.ldif
@@ -49,11 +49,9 @@ attributeTypes: (2.16.840.1.113730.3.8.11.49 NAME 'ipaPermTarget' DESC 'IPA perm
attributeTypes: (2.16.840.1.113730.3.8.11.51 NAME 'ipaAllowedToPerform' DESC 'DNs allowed to perform an operation' SUP distinguishedName X-ORIGIN 'IPA v4.0')
attributeTypes: (2.16.840.1.113730.3.8.11.52 NAME 'ipaProtectedOperation' DESC 'Operation to be protected' EQUALITY caseIgnoreMatch SYNTAX 1.3.6.1.4.1.1466.115.121.1.15{128} )
attributeTypes: (2.16.840.1.113730.3.8.11.53 NAME 'ipaPublicKey' DESC 'Public key as DER-encoded SubjectPublicKeyInfo (RFC 5280)' EQUALITY octetStringMatch SYNTAX 1.3.6.1.4.1.1466.115.121.1.40 X-ORIGIN 'IPA v4.1' )
-attributeTypes: (2.16.840.1.113730.3.8.11.54 NAME 'ipaPrivateKey' DESC 'Private key as DER-encoded EncryptedPrivateKeyInfo (RFC 5958)' EQUALITY octetStringMatch SYNTAX 1.3.6.1.4.1.1466.115.121.1.40 SINGLE-VALUE X-ORIGIN 'IPA v4.1' )
-attributeTypes: (2.16.840.1.113730.3.8.11.55 NAME 'ipaSecretKey' DESC 'Encrypted secret key data' EQUALITY octetStringMatch SYNTAX 1.3.6.1.4.1.1466.115.121.1.40 SINGLE-VALUE X-ORIGIN 'IPA v4.1' )
+attributeTypes: (2.16.840.1.113730.3.8.11.54 NAME 'ipaPrivateKey' DESC 'Private key as DER-encoded EncryptedPrivateKeyInfo (RFC 5958)' EQUALITY octetStringMatch SYNTAX 1.3.6.1.4.1.1466.115.121.1.40 X-ORIGIN 'IPA v4.1' )
+attributeTypes: (2.16.840.1.113730.3.8.11.55 NAME 'ipaSecretKey' DESC 'Encrypted secret key data' EQUALITY octetStringMatch SYNTAX 1.3.6.1.4.1.1466.115.121.1.40 X-ORIGIN 'IPA v4.1' )
attributeTypes: (2.16.840.1.113730.3.8.11.61 NAME 'ipaWrappingKey' DESC 'PKCS#11 URI of the wrapping key' EQUALITY caseExactMatch SYNTAX 1.3.6.1.4.1.1466.115.121.1.15 SINGLE-VALUE X-ORIGIN 'IPA v4.1' )
-attributeTypes: (2.16.840.1.113730.3.8.11.64 NAME 'ipaSecretKeyRef' DESC 'DN of the ipa key object' EQUALITY distinguishedNameMatch SYNTAX 1.3.6.1.4.1.1466.115.121.1.12 X-ORIGIN 'IPA v4.1' )
-attributeTypes: (2.16.840.1.113730.3.8.11.65 NAME 'ipaWrappingMech' DESC 'PKCS#11 wrapping mechanism equivalent to CK_MECHANISM_TYPE' EQUALITY caseIgnoreMatch SYNTAX 1.3.6.1.4.1.1466.115.121.1.15 SINGLE-VALUE X-ORIGIN 'IPA v4.1')
objectClasses: (2.16.840.1.113730.3.8.12.1 NAME 'ipaExternalGroup' SUP top STRUCTURAL MUST ( cn ) MAY ( ipaExternalMember $ memberOf $ description $ owner) X-ORIGIN 'IPA v3' )
objectClasses: (2.16.840.1.113730.3.8.12.2 NAME 'ipaNTUserAttrs' SUP top AUXILIARY MUST ( ipaNTSecurityIdentifier ) MAY ( ipaNTHash $ ipaNTLogonScript $ ipaNTProfilePath $ ipaNTHomeDirectory $ ipaNTHomeDirectoryDrive ) X-ORIGIN 'IPA v3' )
objectClasses: (2.16.840.1.113730.3.8.12.3 NAME 'ipaNTGroupAttrs' SUP top AUXILIARY MUST ( ipaNTSecurityIdentifier ) X-ORIGIN 'IPA v3' )
@@ -74,6 +72,5 @@ objectClasses: (2.16.840.1.113730.3.8.12.20 NAME 'ipaUser' AUXILIARY MUST ( uid
objectClasses: (2.16.840.1.113730.3.8.12.21 NAME 'ipaPermissionV2' DESC 'IPA Permission objectclass, version 2' SUP ipaPermission AUXILIARY MUST ( ipaPermBindRuleType $ ipaPermLocation ) MAY ( ipaPermDefaultAttr $ ipaPermIncludedAttr $ ipaPermExcludedAttr $ ipaPermRight $ ipaPermTargetFilter $ ipaPermTarget ) X-ORIGIN 'IPA v4.0' )
objectClasses: (2.16.840.1.113730.3.8.12.22 NAME 'ipaAllowedOperations' SUP top AUXILIARY DESC 'Class to apply access controls to arbitrary operations' MAY ( ipaAllowedToPerform $ ipaProtectedOperation ) X-ORIGIN 'IPA v4.0')
objectClasses: (2.16.840.1.113730.3.8.12.24 NAME 'ipaPublicKeyObject' DESC 'Wrapped public keys' SUP top AUXILIARY MUST ( ipaPublicKey ) X-ORIGIN 'IPA v4.1' )
-objectClasses: (2.16.840.1.113730.3.8.12.25 NAME 'ipaPrivateKeyObject' DESC 'Wrapped private keys' SUP top AUXILIARY MUST ( ipaPrivateKey $ ipaWrappingKey $ ipaWrappingMech ) X-ORIGIN 'IPA v4.1' )
-objectClasses: (2.16.840.1.113730.3.8.12.26 NAME 'ipaSecretKeyObject' DESC 'Wrapped secret keys' SUP top AUXILIARY MUST ( ipaSecretKey $ ipaWrappingKey $ ipaWrappingMech ) X-ORIGIN 'IPA v4.1' )
-objectClasses: (2.16.840.1.113730.3.8.12.34 NAME 'ipaSecretKeyRefObject' DESC 'Indirect storage for encoded key material' SUP top AUXILIARY MUST ( ipaSecretKeyRef ) X-ORIGIN 'IPA v4.1' )
+objectClasses: (2.16.840.1.113730.3.8.12.25 NAME 'ipaPrivateKeyObject' DESC 'Wrapped private keys' SUP top AUXILIARY MUST ( ipaPrivateKey $ ipaWrappingKey ) X-ORIGIN 'IPA v4.1' )
+objectClasses: (2.16.840.1.113730.3.8.12.26 NAME 'ipaSecretKeyObject' DESC 'Wrapped secret keys' SUP top AUXILIARY MUST ( ipaSecretKey $ ipaWrappingKey ) X-ORIGIN 'IPA v4.1' )
diff --git a/install/share/60ipadns.ldif b/install/share/60ipadns.ldif
index 678a5b4..eccc4fe 100644
--- a/install/share/60ipadns.ldif
+++ b/install/share/60ipadns.ldif
@@ -53,19 +53,8 @@ attributeTypes: ( 2.16.840.1.113730.3.8.5.15 NAME 'idnsForwarders' DESC 'list of
attributeTypes: ( 2.16.840.1.113730.3.8.5.16 NAME 'idnsZoneRefresh' DESC 'zone refresh interval' EQUALITY integerMatch SYNTAX 1.3.6.1.4.1.1466.115.121.1.27 SINGLE-VALUE X-ORIGIN 'IPA v2' )
attributeTypes: ( 2.16.840.1.113730.3.8.5.17 NAME 'idnsPersistentSearch' DESC 'allow persistent searches' EQUALITY booleanMatch SYNTAX 1.3.6.1.4.1.1466.115.121.1.7 SINGLE-VALUE X-ORIGIN 'IPA v2' )
attributeTypes: ( 2.16.840.1.113730.3.8.5.18 NAME 'idnsSecInlineSigning' DESC 'allow inline DNSSEC signing' EQUALITY booleanMatch SYNTAX 1.3.6.1.4.1.1466.115.121.1.7 SINGLE-VALUE X-ORIGIN 'IPA v4.0' )
-attributetypes: ( 2.16.840.1.113730.3.8.5.19 NAME 'idnsSecKeyCreated' DESC 'DNSSEC key creation timestamp' EQUALITY generalizedTimeMatch ORDERING generalizedTimeOrderingMatch SYNTAX 1.3.6.1.4.1.1466.115.121.1.24 SINGLE-VALUE X-ORIGIN 'IPA v4.1' )
-attributetypes: ( 2.16.840.1.113730.3.8.5.20 NAME 'idnsSecKeyPublish' DESC 'DNSSEC key (planned) publication time' EQUALITY generalizedTimeMatch ORDERING generalizedTimeOrderingMatch SYNTAX 1.3.6.1.4.1.1466.115.121.1.24 SINGLE-VALUE X-ORIGIN 'IPA v4.1' )
-attributetypes: ( 2.16.840.1.113730.3.8.5.21 NAME 'idnsSecKeyActivate' DESC 'DNSSEC key (planned) activation time' EQUALITY generalizedTimeMatch ORDERING generalizedTimeOrderingMatch SYNTAX 1.3.6.1.4.1.1466.115.121.1.24 SINGLE-VALUE X-ORIGIN 'IPA v4.1' )
-attributetypes: ( 2.16.840.1.113730.3.8.5.22 NAME 'idnsSecKeyInactive' DESC 'DNSSEC key (planned) inactivation time' EQUALITY generalizedTimeMatch ORDERING generalizedTimeOrderingMatch SYNTAX 1.3.6.1.4.1.1466.115.121.1.24 SINGLE-VALUE X-ORIGIN 'IPA v4.1' )
-attributetypes: ( 2.16.840.1.113730.3.8.5.23 NAME 'idnsSecKeyDelete' DESC 'DNSSEC key (planned) deletion timestamp' EQUALITY generalizedTimeMatch ORDERING generalizedTimeOrderingMatch SYNTAX 1.3.6.1.4.1.1466.115.121.1.24 SINGLE-VALUE X-ORIGIN 'IPA v4.1' )
-attributeTypes: ( 2.16.840.1.113730.3.8.5.24 NAME 'idnsSecKeyZone' DESC 'DNSKEY ZONE flag (equivalent to bit 7): RFC 4035' EQUALITY booleanMatch SYNTAX 1.3.6.1.4.1.1466.115.121.1.7 SINGLE-VALUE X-ORIGIN 'IPA v4.1' )
-attributeTypes: ( 2.16.840.1.113730.3.8.5.25 NAME 'idnsSecKeyRevoke' DESC 'DNSKEY REVOKE flag (equivalent to bit 8): RFC 5011' EQUALITY booleanMatch SYNTAX 1.3.6.1.4.1.1466.115.121.1.7 SINGLE-VALUE X-ORIGIN 'IPA v4.1' )
-attributeTypes: ( 2.16.840.1.113730.3.8.5.26 NAME 'idnsSecKeySep' DESC 'DNSKEY SEP flag (equivalent to bit 15): RFC 4035' EQUALITY booleanMatch SYNTAX 1.3.6.1.4.1.1466.115.121.1.7 SINGLE-VALUE X-ORIGIN 'IPA v4.1' )
-attributeTypes: ( 2.16.840.1.113730.3.8.5.27 NAME 'idnsSecAlgorithm' DESC 'DNSKEY algorithm: string used as mnemonic' EQUALITY caseIgnoreIA5Match SUBSTR caseIgnoreIA5SubstringsMatch SYNTAX 1.3.6.1.4.1.1466.115.121.1.26 SINGLE-VALUE X-ORIGIN 'IPA v4.1' )
-attributeTypes: ( 2.16.840.1.113730.3.8.5.28 NAME 'idnsSecKeyRef' DESC 'PKCS#11 URI of the key' EQUALITY caseExactMatch SINGLE-VALUE SYNTAX 1.3.6.1.4.1.1466.115.121.1.15 X-ORIGIN 'IPA v4.1' )
objectClasses: ( 2.16.840.1.113730.3.8.6.0 NAME 'idnsRecord' DESC 'dns Record, usually a host' SUP top STRUCTURAL MUST idnsName MAY ( idnsAllowDynUpdate $ dNSTTL $ dNSClass $ aRecord $ aAAARecord $ a6Record $ nSRecord $ cNAMERecord $ pTRRecord $ sRVRecord $ tXTRecord $ mXRecord $ mDRecord $ hInfoRecord $ mInfoRecord $ aFSDBRecord $ SigRecord $ KeyRecord $ LocRecord $ nXTRecord $ nAPTRRecord $ kXRecord $ certRecord $ dNameRecord $ dSRecord $ sSHFPRecord $ rRSIGRecord $ nSECRecord $ DLVRecord $ TLSARecord ) )
objectClasses: ( 2.16.840.1.113730.3.8.6.1 NAME 'idnsZone' DESC 'Zone class' SUP idnsRecord STRUCTURAL MUST ( idnsZoneActive $ idnsSOAmName $ idnsSOArName $ idnsSOAserial $ idnsSOArefresh $ idnsSOAretry $ idnsSOAexpire $ idnsSOAminimum ) MAY ( idnsUpdatePolicy $ idnsAllowQuery $ idnsAllowTransfer $ idnsAllowSyncPTR $ idnsForwardPolicy $ idnsForwarders $ idnsSecInlineSigning $ nSEC3PARAMRecord ) )
objectClasses: ( 2.16.840.1.113730.3.8.6.2 NAME 'idnsConfigObject' DESC 'DNS global config options' STRUCTURAL MAY ( idnsForwardPolicy $ idnsForwarders $ idnsAllowSyncPTR $ idnsZoneRefresh $ idnsPersistentSearch ) )
objectClasses: ( 2.16.840.1.113730.3.8.12.18 NAME 'ipaDNSZone' SUP top AUXILIARY MUST idnsName MAY managedBy X-ORIGIN 'IPA v3' )
objectClasses: ( 2.16.840.1.113730.3.8.6.3 NAME 'idnsForwardZone' DESC 'Forward Zone class' SUP top STRUCTURAL MUST ( idnsName $ idnsZoneActive ) MAY ( idnsForwarders $ idnsForwardPolicy ) )
-objectClasses: ( 2.16.840.1.113730.3.8.6.4 NAME 'idnsSecKey' DESC 'DNSSEC key metadata' STRUCTURAL MUST ( idnsSecKeyRef $ idnsSecKeyCreated $ idnsSecAlgorithm ) MAY ( idnsSecKeyPublish $ idnsSecKeyActivate $ idnsSecKeyInactive $ idnsSecKeyDelete $ idnsSecKeyZone $ idnsSecKeyRevoke $ idnsSecKeySep $ cn ) X-ORIGIN 'IPA v4.1' )
diff --git a/install/share/60ipapk11.ldif b/install/share/60ipapk11.ldif
deleted file mode 100644
index 9db113d..0000000
--- a/install/share/60ipapk11.ldif
+++ /dev/null
@@ -1,42 +0,0 @@
-dn: cn=schema
-attributeTypes: (2.16.840.1.113730.3.8.17.1.11 NAME 'ipk11Private' DESC 'Is private to application' EQUALITY booleanMatch SYNTAX 1.3.6.1.4.1.1466.115.121.1.7 SINGLE-VALUE X-ORIGIN 'IPA v4.1' )
-attributeTypes: (2.16.840.1.113730.3.8.17.1.12 NAME 'ipk11Modifiable' DESC 'Can be modified by application' EQUALITY booleanMatch SYNTAX 1.3.6.1.4.1.1466.115.121.1.7 SINGLE-VALUE X-ORIGIN 'IPA v4.1' )
-attributeTypes: (2.16.840.1.113730.3.8.17.1.13 NAME 'ipk11Label' DESC 'Description' EQUALITY caseExactMatch SYNTAX 1.3.6.1.4.1.1466.115.121.1.15 SINGLE-VALUE X-ORIGIN 'IPA v4.1' )
-attributeTypes: (2.16.840.1.113730.3.8.17.1.14 NAME 'ipk11Copyable' DESC 'Can be copied by application' EQUALITY booleanMatch SYNTAX 1.3.6.1.4.1.1466.115.121.1.7 SINGLE-VALUE X-ORIGIN 'IPA v4.1' )
-attributeTypes: (2.16.840.1.113730.3.8.17.1.15 NAME 'ipk11Destroyable' DESC 'Can be destroyed by application' EQUALITY booleanMatch SYNTAX 1.3.6.1.4.1.1466.115.121.1.7 SINGLE-VALUE X-ORIGIN 'IPA v4.1' )
-attributeTypes: (2.16.840.1.113730.3.8.17.1.16 NAME 'ipk11Trusted' DESC 'Can be trusted by application' EQUALITY booleanMatch SYNTAX 1.3.6.1.4.1.1466.115.121.1.7 SINGLE-VALUE X-ORIGIN 'IPA v4.1' )
-attributeTypes: (2.16.840.1.113730.3.8.17.1.17 NAME 'ipk11CheckValue' DESC 'Checksum' EQUALITY octetStringMatch SYNTAX 1.3.6.1.4.1.1466.115.121.1.40 X-ORIGIN 'IPA v4.1' )
-attributeTypes: (2.16.840.1.113730.3.8.17.1.18 NAME 'ipk11StartDate' DESC 'Validity start date' EQUALITY generalizedTimeMatch ORDERING generalizedTimeOrderingMatch SYNTAX 1.3.6.1.4.1.1466.115.121.1.24 SINGLE-VALUE X-ORIGIN 'IPA v4.1' )
-attributeTypes: (2.16.840.1.113730.3.8.17.1.19 NAME 'ipk11EndDate' DESC 'Validity end date' EQUALITY generalizedTimeMatch ORDERING generalizedTimeOrderingMatch SYNTAX 1.3.6.1.4.1.1466.115.121.1.24 SINGLE-VALUE X-ORIGIN 'IPA v4.1' )
-attributeTypes: (2.16.840.1.113730.3.8.17.1.1 NAME 'ipk11UniqueId' DESC 'Meaningless unique identifier' EQUALITY caseIgnoreMatch SYNTAX 1.3.6.1.4.1.1466.115.121.1.15 SINGLE-VALUE X-ORIGIN 'IPA v4.1' )
-attributeTypes: (2.16.840.1.113730.3.8.17.1.20 NAME 'ipk11PublicKeyInfo' DESC 'DER-encoding of SubjectPublicKeyInfo of associated public key' EQUALITY octetStringMatch SYNTAX 1.3.6.1.4.1.1466.115.121.1.40 X-ORIGIN 'IPA v4.1' )
-attributeTypes: (2.16.840.1.113730.3.8.17.1.21 NAME 'ipk11Distrusted' DESC 'Must not be trusted by application' EQUALITY booleanMatch SYNTAX 1.3.6.1.4.1.1466.115.121.1.7 SINGLE-VALUE X-ORIGIN 'IPA v4.1' )
-attributeTypes: (2.16.840.1.113730.3.8.17.1.22 NAME 'ipk11Subject' DESC 'DER-encoding of subject name' EQUALITY octetStringMatch SYNTAX 1.3.6.1.4.1.1466.115.121.1.40 SINGLE-VALUE X-ORIGIN 'IPA v4.1' )
-attributeTypes: (2.16.840.1.113730.3.8.17.1.23 NAME 'ipk11Id' DESC 'Key association identifier' EQUALITY octetStringMatch SYNTAX 1.3.6.1.4.1.1466.115.121.1.40 SINGLE-VALUE X-ORIGIN 'IPA v4.1' )
-attributeTypes: (2.16.840.1.113730.3.8.17.1.24 NAME 'ipk11Local' DESC 'Was created locally on token' EQUALITY booleanMatch SYNTAX 1.3.6.1.4.1.1466.115.121.1.7 SINGLE-VALUE X-ORIGIN 'IPA v4.1' )
-attributeTypes: (2.16.840.1.113730.3.8.17.1.41 NAME 'ipk11KeyType' DESC 'Key type' EQUALITY caseIgnoreMatch SYNTAX 1.3.6.1.4.1.1466.115.121.1.15 SINGLE-VALUE X-ORIGIN 'IPA v4.1' )
-attributeTypes: (2.16.840.1.113730.3.8.17.1.42 NAME 'ipk11Derive' DESC 'Key supports key derivation' EQUALITY booleanMatch SYNTAX 1.3.6.1.4.1.1466.115.121.1.7 SINGLE-VALUE X-ORIGIN 'IPA v4.1' )
-attributeTypes: (2.16.840.1.113730.3.8.17.1.43 NAME 'ipk11KeyGenMechanism' DESC 'Mechanism used to generate this key' EQUALITY caseIgnoreMatch SYNTAX 1.3.6.1.4.1.1466.115.121.1.15 SINGLE-VALUE X-ORIGIN 'IPA v4.1' )
-attributeTypes: (2.16.840.1.113730.3.8.17.1.44 NAME 'ipk11AllowedMechanisms' DESC 'Space-separated list of mechanisms allowed to be used with this key' EQUALITY caseIgnoreMatch SUBSTR caseIgnoreSubstringsMatch SYNTAX 1.3.6.1.4.1.1466.115.121.1.15 SINGLE-VALUE X-ORIGIN 'IPA v4.1' )
-attributeTypes: (2.16.840.1.113730.3.8.17.1.51 NAME 'ipk11Encrypt' DESC 'Key supports encryption' EQUALITY booleanMatch SYNTAX 1.3.6.1.4.1.1466.115.121.1.7 SINGLE-VALUE X-ORIGIN 'IPA v4.1' )
-attributeTypes: (2.16.840.1.113730.3.8.17.1.52 NAME 'ipk11Verify' DESC 'Key supports verification where the signature is an appendix to the data' EQUALITY booleanMatch SYNTAX 1.3.6.1.4.1.1466.115.121.1.7 SINGLE-VALUE X-ORIGIN 'IPA v4.1' )
-attributeTypes: (2.16.840.1.113730.3.8.17.1.53 NAME 'ipk11VerifyRecover' DESC 'Key supports verification where data is recovered from the signature' EQUALITY booleanMatch SYNTAX 1.3.6.1.4.1.1466.115.121.1.7 SINGLE-VALUE X-ORIGIN 'IPA v4.1' )
-attributeTypes: (2.16.840.1.113730.3.8.17.1.54 NAME 'ipk11Wrap' DESC 'Key supports wrapping' EQUALITY booleanMatch SYNTAX 1.3.6.1.4.1.1466.115.121.1.7 SINGLE-VALUE X-ORIGIN 'IPA v4.1' )
-attributeTypes: (2.16.840.1.113730.3.8.17.1.55 NAME 'ipk11WrapTemplate' DESC 'DN of template of keys which can be wrapped using this key' EQUALITY distinguishedNameMatch SYNTAX 1.3.6.1.4.1.1466.115.121.1.12 SINGLE-VALUE X-ORIGIN 'IPA v4.1' )
-attributeTypes: (2.16.840.1.113730.3.8.17.1.61 NAME 'ipk11Sensitive' DESC 'Key is sensitive' EQUALITY booleanMatch SYNTAX 1.3.6.1.4.1.1466.115.121.1.7 SINGLE-VALUE X-ORIGIN 'IPA v4.1' )
-attributeTypes: (2.16.840.1.113730.3.8.17.1.62 NAME 'ipk11Decrypt' DESC 'Key supports decryption' EQUALITY booleanMatch SYNTAX 1.3.6.1.4.1.1466.115.121.1.7 SINGLE-VALUE X-ORIGIN 'IPA v4.1' )
-attributeTypes: (2.16.840.1.113730.3.8.17.1.63 NAME 'ipk11Sign' DESC 'Key supports signatures where the signature is an appendix to the data' EQUALITY booleanMatch SYNTAX 1.3.6.1.4.1.1466.115.121.1.7 SINGLE-VALUE X-ORIGIN 'IPA v4.1' )
-attributeTypes: (2.16.840.1.113730.3.8.17.1.64 NAME 'ipk11SignRecover' DESC 'Key supports signatures where data can be recovered from the signature' EQUALITY booleanMatch SYNTAX 1.3.6.1.4.1.1466.115.121.1.7 SINGLE-VALUE X-ORIGIN 'IPA v4.1' )
-attributeTypes: (2.16.840.1.113730.3.8.17.1.65 NAME 'ipk11Unwrap' DESC 'Key supports unwrapping' EQUALITY booleanMatch SYNTAX 1.3.6.1.4.1.1466.115.121.1.7 SINGLE-VALUE X-ORIGIN 'IPA v4.1' )
-attributeTypes: (2.16.840.1.113730.3.8.17.1.66 NAME 'ipk11Extractable' DESC 'Key is extractable and can be wrapped' EQUALITY booleanMatch SYNTAX 1.3.6.1.4.1.1466.115.121.1.7 SINGLE-VALUE X-ORIGIN 'IPA v4.1' )
-attributeTypes: (2.16.840.1.113730.3.8.17.1.67 NAME 'ipk11AlwaysSensitive' DESC 'Key has always been sensitive' EQUALITY booleanMatch SYNTAX 1.3.6.1.4.1.1466.115.121.1.7 SINGLE-VALUE X-ORIGIN 'IPA v4.1' )
-attributeTypes: (2.16.840.1.113730.3.8.17.1.68 NAME 'ipk11NeverExtractable' DESC 'Key has never been extractable' EQUALITY booleanMatch SYNTAX 1.3.6.1.4.1.1466.115.121.1.7 SINGLE-VALUE X-ORIGIN 'IPA v4.1' )
-attributeTypes: (2.16.840.1.113730.3.8.17.1.69 NAME 'ipk11WrapWithTrusted' DESC 'Key can only be wrapped with a trusted wrapping key' EQUALITY booleanMatch SYNTAX 1.3.6.1.4.1.1466.115.121.1.7 SINGLE-VALUE X-ORIGIN 'IPA v4.1' )
-attributeTypes: (2.16.840.1.113730.3.8.17.1.70 NAME 'ipk11UnwrapTemplate' DESC 'DN of template to apply to keys unwrapped using this key' EQUALITY distinguishedNameMatch SYNTAX 1.3.6.1.4.1.1466.115.121.1.12 SINGLE-VALUE X-ORIGIN 'IPA v4.1' )
-attributeTypes: (2.16.840.1.113730.3.8.17.1.71 NAME 'ipk11AlwaysAuthenticate' DESC 'User has to authenticate for each use with this key' EQUALITY booleanMatch SYNTAX 1.3.6.1.4.1.1466.115.121.1.7 SINGLE-VALUE X-ORIGIN 'IPA v4.1' )
-objectClasses: (2.16.840.1.113730.3.8.17.2.1 NAME 'ipk11Object' DESC 'Object' SUP top STRUCTURAL MUST ipk11UniqueId X-ORIGIN 'IPA v4.1' )
-objectClasses: (2.16.840.1.113730.3.8.17.2.2 NAME 'ipk11StorageObject' DESC 'Storage object' SUP top ABSTRACT MAY ( ipk11Private $ ipk11Modifiable $ ipk11Label $ ipk11Copyable $ ipk11Destroyable ) X-ORIGIN 'IPA v4.1' )
-objectClasses: (2.16.840.1.113730.3.8.17.2.5 NAME 'ipk11Key' DESC 'Key' SUP ipk11StorageObject ABSTRACT MAY ( ipk11KeyType $ ipk11Id $ ipk11StartDate $ ipk11EndDate $ ipk11Derive $ ipk11Local $ ipk11KeyGenMechanism $ ipk11AllowedMechanisms ) X-ORIGIN 'IPA v4.1' )
-objectClasses: (2.16.840.1.113730.3.8.17.2.6 NAME 'ipk11PublicKey' DESC 'Public key' SUP ipk11Key AUXILIARY MAY ( ipk11Subject $ ipk11Encrypt $ ipk11Verify $ ipk11VerifyRecover $ ipk11Wrap $ ipk11Trusted $ ipk11WrapTemplate $ ipk11Distrusted $ ipk11PublicKeyInfo ) X-ORIGIN 'IPA v4.1' )
-objectClasses: (2.16.840.1.113730.3.8.17.2.7 NAME 'ipk11PrivateKey' DESC 'Private key' SUP ipk11Key AUXILIARY MAY ( ipk11Subject $ ipk11Sensitive $ ipk11Decrypt $ ipk11Sign $ ipk11SignRecover $ ipk11Unwrap $ ipk11Extractable $ ipk11AlwaysSensitive $ ipk11NeverExtractable $ ipk11WrapWithTrusted $ ipk11UnwrapTemplate $ ipk11AlwaysAuthenticate $ ipk11PublicKeyInfo ) X-ORIGIN 'IPA v4.1' )
-objectClasses: (2.16.840.1.113730.3.8.17.2.8 NAME 'ipk11SecretKey' DESC 'Secret key' SUP ipk11Key AUXILIARY MAY ( ipk11Sensitive $ ipk11Encrypt $ ipk11Decrypt $ ipk11Sign $ ipk11Verify $ ipk11Wrap $ ipk11Unwrap $ ipk11Extractable $ ipk11AlwaysSensitive $ ipk11NeverExtractable $ ipk11CheckValue $ ipk11WrapWithTrusted $ ipk11Trusted $ ipk11WrapTemplate $ ipk11UnwrapTemplate ) X-ORIGIN 'IPA v4.1' )
diff --git a/install/share/Makefile.am b/install/share/Makefile.am
index 878d886..3f8fa9a 100644
--- a/install/share/Makefile.am
+++ b/install/share/Makefile.am
@@ -15,7 +15,6 @@ app_DATA = \
60basev2.ldif \
60basev3.ldif \
60ipadns.ldif \
- 60ipapk11.ldif \
61kerberos-ipav3.ldif \
65ipacertstore.ldif \
65ipasudo.ldif \
diff --git a/ipaserver/install/dsinstance.py b/ipaserver/install/dsinstance.py
index 0ab4ae7..7e1ef20 100644
--- a/ipaserver/install/dsinstance.py
+++ b/ipaserver/install/dsinstance.py
@@ -54,7 +54,6 @@ IPA_SCHEMA_FILES = ("60kerberos.ldif",
"60ipaconfig.ldif",
"60basev2.ldif",
"60basev3.ldif",
- "60ipapk11.ldif",
"60ipadns.ldif",
"61kerberos-ipav3.ldif",
"65ipacertstore.ldif",

21
debian/patches/revert-revert-removal-of-cn-attribute.diff vendored Normal file
View File

@@ -0,0 +1,21 @@
commit 323bc2dc6b6a3f7919b6cb477df357119abdee8d
Author: Timo Aaltonen <tjaalton@debian.org>
Date: Fri Sep 25 06:02:10 2015 +0300
Revert "revert removal of cn attribute from idnsRecord"
This reverts commit 2fa07b1d24f61f9bcff5adb804a18c9eae72932d.
diff --git a/install/share/60ipadns.ldif b/install/share/60ipadns.ldif
index 8fd0bb9..678a5b4 100644
--- a/install/share/60ipadns.ldif
+++ b/install/share/60ipadns.ldif
@@ -63,7 +63,7 @@ attributeTypes: ( 2.16.840.1.113730.3.8.5.25 NAME 'idnsSecKeyRevoke' DESC 'DNSKE
attributeTypes: ( 2.16.840.1.113730.3.8.5.26 NAME 'idnsSecKeySep' DESC 'DNSKEY SEP flag (equivalent to bit 15): RFC 4035' EQUALITY booleanMatch SYNTAX 1.3.6.1.4.1.1466.115.121.1.7 SINGLE-VALUE X-ORIGIN 'IPA v4.1' )
attributeTypes: ( 2.16.840.1.113730.3.8.5.27 NAME 'idnsSecAlgorithm' DESC 'DNSKEY algorithm: string used as mnemonic' EQUALITY caseIgnoreIA5Match SUBSTR caseIgnoreIA5SubstringsMatch SYNTAX 1.3.6.1.4.1.1466.115.121.1.26 SINGLE-VALUE X-ORIGIN 'IPA v4.1' )
attributeTypes: ( 2.16.840.1.113730.3.8.5.28 NAME 'idnsSecKeyRef' DESC 'PKCS#11 URI of the key' EQUALITY caseExactMatch SINGLE-VALUE SYNTAX 1.3.6.1.4.1.1466.115.121.1.15 X-ORIGIN 'IPA v4.1' )
-objectClasses: ( 2.16.840.1.113730.3.8.6.0 NAME 'idnsRecord' DESC 'dns Record, usually a host' SUP top STRUCTURAL MUST idnsName MAY ( cn $ idnsAllowDynUpdate $ dNSTTL $ dNSClass $ aRecord $ aAAARecord $ a6Record $ nSRecord $ cNAMERecord $ pTRRecord $ sRVRecord $ tXTRecord $ mXRecord $ mDRecord $ hInfoRecord $ mInfoRecord $ aFSDBRecord $ SigRecord $ KeyRecord $ LocRecord $ nXTRecord $ nAPTRRecord $ kXRecord $ certRecord $ dNameRecord $ dSRecord $ sSHFPRecord $ rRSIGRecord $ nSECRecord $ DLVRecord $ TLSARecord ) )
+objectClasses: ( 2.16.840.1.113730.3.8.6.0 NAME 'idnsRecord' DESC 'dns Record, usually a host' SUP top STRUCTURAL MUST idnsName MAY ( idnsAllowDynUpdate $ dNSTTL $ dNSClass $ aRecord $ aAAARecord $ a6Record $ nSRecord $ cNAMERecord $ pTRRecord $ sRVRecord $ tXTRecord $ mXRecord $ mDRecord $ hInfoRecord $ mInfoRecord $ aFSDBRecord $ SigRecord $ KeyRecord $ LocRecord $ nXTRecord $ nAPTRRecord $ kXRecord $ certRecord $ dNameRecord $ dSRecord $ sSHFPRecord $ rRSIGRecord $ nSECRecord $ DLVRecord $ TLSARecord ) )
objectClasses: ( 2.16.840.1.113730.3.8.6.1 NAME 'idnsZone' DESC 'Zone class' SUP idnsRecord STRUCTURAL MUST ( idnsZoneActive $ idnsSOAmName $ idnsSOArName $ idnsSOAserial $ idnsSOArefresh $ idnsSOAretry $ idnsSOAexpire $ idnsSOAminimum ) MAY ( idnsUpdatePolicy $ idnsAllowQuery $ idnsAllowTransfer $ idnsAllowSyncPTR $ idnsForwardPolicy $ idnsForwarders $ idnsSecInlineSigning $ nSEC3PARAMRecord ) )
objectClasses: ( 2.16.840.1.113730.3.8.6.2 NAME 'idnsConfigObject' DESC 'DNS global config options' STRUCTURAL MAY ( idnsForwardPolicy $ idnsForwarders $ idnsAllowSyncPTR $ idnsZoneRefresh $ idnsPersistentSearch ) )
objectClasses: ( 2.16.840.1.113730.3.8.12.18 NAME 'ipaDNSZone' SUP top AUXILIARY MUST idnsName MAY managedBy X-ORIGIN 'IPA v3' )

3
debian/patches/series vendored
View File

@@ -14,3 +14,6 @@ fix-ipa-conf.diff
revert-pykerberos-api-change.diff
disable-dnssec-support.patch
revert-revert-removal-of-cn-attribute.diff
revert-dnssec-schema.diff
revert-dnssec-aci.diff