diff --git a/debian/changelog b/debian/changelog index cd14f451b..0b968d360 100644 --- a/debian/changelog +++ b/debian/changelog @@ -1,6 +1,6 @@ -freeipa (4.1.4-1) UNRELEASED; urgency=medium +freeipa (4.1.4-1) experimental; urgency=medium - * New upstream release. + * New upstream release. (LP: #1492226) - Refresh patches - platform-support.diff: Added NAMED_VAR_DIR. - fix-bind-conf.diff: Dropped, obsolete with above. @@ -8,9 +8,36 @@ freeipa (4.1.4-1) UNRELEASED; urgency=medium missing the dependencies for now. * control: Add python-usb to build-depends and to python-freeipa depends. - * control: Bump libsss-nss-idmap-dev build-dep. + * control: Bump SSSD dependencies. + * control: Add libsofthsm2-dev to build-depends and softhsm2 to server + depends. + * freeipa-{server,client}.install: Add new files. + * control: Bump Depends on slapi-nis for CVE fixes. + * control: Bump 389-ds-base, pki-ca depends. + * control: Drop dogtag-pki-server-theme from server depends, it's not + needed. + * control: Server needs newer python-ldap, bump build-dep too. + * control: Bump certmonger depends. + * control: Bump python-nss depends. + * freeipa-client: Add /etc/ipa/nssdb, rework /etc/pki/nssdb handling. + * platform: Add DebianNamedService. + * platform, disable-dnssec-support.patch: Fix named.conf template. + * server.postinst: Run ipa-ldap-updater and ipa-upgradeconfig on + postinst. + * Revert DNSSEC changes to schema and ACI, makes upgrade tools fail. + * server.postrm: Clean logs on purge and disable apache modules on + remove/purge. - -- Timo Aaltonen Thu, 02 Apr 2015 13:16:49 +0300 + -- Timo Aaltonen Fri, 25 Sep 2015 14:07:40 +0300 + +freeipa (4.0.5-6) unstable; urgency=medium + + * control Add gnupg-agent to python-freeipa depends, and change gnupg + to gnupg2. (LP: #1492184) + * Rebuild against current krb5, there was an abi break which broke at + least the setup phase. + + -- Timo Aaltonen Thu, 24 Sep 2015 23:22:24 +0300 freeipa (4.0.5-5) unstable; urgency=medium 
diff --git a/debian/control b/debian/control index 0b977283e..16fa2a4fa 100644 --- a/debian/control +++ b/debian/control @@ -4,7 +4,7 @@ Priority: extra Maintainer: Debian FreeIPA Team Uploaders: Timo Aaltonen Build-Depends: - 389-ds-base-dev (>= 1.3.3.2), + 389-ds-base-dev (>= 1.3.3.8), check, debhelper (>= 9), dh-autoreconf, @@ -22,9 +22,10 @@ Build-Depends: libpopt-dev, librhino-java, libsasl2-dev, + libsofthsm2-dev, libssl-dev, libsss-idmap-dev, - libsss-nss-idmap-dev (>= 1.12.2), + libsss-nss-idmap-dev (>= 1.12.3), libsvrcore-dev, libtalloc-dev, libtevent-dev, @@ -35,20 +36,20 @@ Build-Depends: python-dnspython (>= 1.11.1), python-kerberos, python-krbv, - python-ldap, + python-ldap (>= 2.4.15), python-lesscpy, python-libipa-hbac, python-lxml, python-memcache, python-netaddr, python-nose, - python-nss, + python-nss (>= 0.16.0), python-openssl, python-polib, python-pyasn1, python-qrcode (>= 5.0.0), python-setuptools, - python-sss (>= 1.8.0), + python-sss (>= 1.12.3), python-usb (>= 1.0.0~b2), python-yubico, rhino, @@ -63,13 +64,12 @@ Homepage: http://www.freeipa.org Package: freeipa-server Architecture: any Depends: - 389-ds-base (>= 1.3.3.5-2~), + 389-ds-base (>= 1.3.3.8), acl, apache2, bind9, bind9-dyndb-ldap (>= 6.0-4~), - certmonger (>= 0.75.14), - dogtag-pki-server-theme, + certmonger (>= 0.76.8), fonts-font-awesome, freeipa-admintools (= ${binary:Version}), freeipa-client (= ${binary:Version}), @@ -87,13 +87,14 @@ Depends: libsasl2-modules-gssapi-mit, memcached, ntp, - pki-ca, + pki-ca (>= 10.2.1), python-dateutil, python-freeipa (= ${binary:Version}), python-krbv, - python-ldap, + python-ldap (>= 2.4.15), python-pyasn1, - slapi-nis (>= 0.54), + slapi-nis (>= 0.54.2), + softhsm2, systemd-sysv, ${misc:Depends}, ${python:Depends}, @@ -132,7 +133,7 @@ Package: freeipa-client Architecture: any Depends: bind9utils, - certmonger, + certmonger (>= 0.76.8), dnsutils, krb5-user, libcurl3 (>= 7.22.0), 
@@ -144,7 +145,7 @@ Depends: python-freeipa (= ${binary:Version}), python-krbv, python-ldap, - sssd (>= 1.11.1), + sssd (>= 1.12.3), wget, ${misc:Depends}, ${python:Depends}, @@ -190,8 +191,7 @@ Depends: xz-utils, ${misc:Depends}, ${python:Depends} -Recommends: - python-yaml, +Recommends: python-yaml Description: FreeIPA centralized identity framework -- tests FreeIPA is an integrated solution to provide centrally managed Identity (machine, user, virtual machines, groups, authentication credentials), Policy @@ -204,7 +204,8 @@ Package: python-freeipa Architecture: any Section: python Depends: - gnupg, + gnupg2, + gnupg-agent, iproute, keyutils, python-dbus, @@ -216,7 +217,7 @@ Depends: python-lxml, python-memcache, python-netaddr, - python-nss, + python-nss (>= 0.16.0), python-openssl, python-pyasn1, python-qrcode (>= 5.0.0), diff --git a/debian/freeipa-client.dirs b/debian/freeipa-client.dirs index e5c26bf7f..7d94a8405 100644 --- a/debian/freeipa-client.dirs +++ b/debian/freeipa-client.dirs @@ -1,3 +1,4 @@ etc/ipa +etc/ipa/nssdb etc/pki/nssdb var/lib/ipa-client/sysrestore diff --git a/debian/freeipa-client.install b/debian/freeipa-client.install index f606ea054..993dc56b9 100644 --- a/debian/freeipa-client.install +++ b/debian/freeipa-client.install @@ -1,9 +1,11 @@ usr/lib/python*/dist-packages/ipaclient/*.py +usr/sbin/ipa-certupdate usr/sbin/ipa-client-automount usr/sbin/ipa-client-install usr/sbin/ipa-getkeytab usr/sbin/ipa-join usr/sbin/ipa-rmkeytab +usr/share/man/man1/ipa-certupdate.1.gz usr/share/man/man1/ipa-client-automount.1.gz usr/share/man/man1/ipa-client-install.1.gz usr/share/man/man1/ipa-getkeytab.1.gz diff --git a/debian/freeipa-client.postinst b/debian/freeipa-client.postinst index 4451c3415..e4fdd53f4 100644 --- a/debian/freeipa-client.postinst +++ b/debian/freeipa-client.postinst 
@@ -2,14 +2,23 @@ set -e if [ "$1" = configure ]; then - if [ ! -e /etc/pki/nssdb ]; then + if [ ! -f /etc/pki/nssdb/cert8.db ]; then tmp=$(mktemp) || exit printf "\n" > $tmp - mkdir -p /etc/pki/nssdb certutil -N -d /etc/pki/nssdb -f $tmp chmod 644 /etc/pki/nssdb/* rm $tmp fi + if [ ! -f /etc/ipa/nssdb/cert8.db ]; then + python2 -c 'from ipapython.certdb import create_ipa_nssdb; create_ipa_nssdb()' >/dev/null 2>&1 + tmp=$(mktemp) || exit + if certutil -L -d /etc/pki/nssdb -n 'IPA CA' -a >"$tmp" 2>/var/log/ipaupgrade.log; then + certutil -A -d /etc/ipa/nssdb -n 'IPA CA' -t CT,C,C -a -i "$tmp" >/var/log/ipaupgrade.log 2>&1 + elif certutil -L -d /etc/pki/nssdb -n 'External CA cert' -a >"$tmp" 2>/var/log/ipaupgrade.log; then + certutil -A -d /etc/ipa/nssdb -n 'External CA cert' -t C,, -a -i "$tmp" >/var/log/ipaupgrade.log 2>&1 + fi + rm -f "$tmp" + fi fi if [ ! -e /run/ipa ]; then diff --git a/debian/freeipa-client.postrm b/debian/freeipa-client.postrm index 65d1d9ae6..9ee8a95f6 100644 --- a/debian/freeipa-client.postrm +++ b/debian/freeipa-client.postrm @@ -7,6 +7,14 @@ if [ "$1" = purge ]; then rm -f /etc/pki/nssdb/cert8.db \ /etc/pki/nssdb/key3.db \ /etc/pki/nssdb/secmod.db + rm -f /etc/ipa/nssdb/cert8.db \ + /etc/ipa/nssdb/key3.db \ + /etc/ipa/nssdb/pwdfile.txt \ + /etc/ipa/nssdb/secmod.db \ + /etc/ipa/nssdb/*.orig + rmdir /etc/pki/nssdb || true + rmdir /etc/ipa/nssdb || true + rmdir /etc/ipa || true fi #DEBHELPER# diff --git a/debian/freeipa-server.install b/debian/freeipa-server.install index 2d2b13e58..d28539ab9 100644 --- a/debian/freeipa-server.install +++ b/debian/freeipa-server.install 
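Review bot: In the new `/etc/ipa/nssdb` block, `python2 -c '... create_ipa_nssdb()' >/dev/null 2>&1` runs under the `set -e` visible at the top of this hunk, so a failing import or database creation aborts the whole postinst with every diagnostic thrown away, and the later `certutil` redirections all use `>` on /var/log/ipaupgrade.log, so each command truncates what the previous one logged. Consider appending instead (`2>>/var/log/ipaupgrade.log` and `>>/var/log/ipaupgrade.log 2>&1`) and making the Python failure explicit, e.g. `python2 -c '...' >>/var/log/ipaupgrade.log 2>&1 || { echo "creating /etc/ipa/nssdb failed, see /var/log/ipaupgrade.log" >&2; exit 1; }`. A one-line comment stating why the IPA CA is imported with `-t CT,C,C` while an external CA gets only `-t C,,` would also help the next maintainer, since the trust flags decide what the copied certificate is allowed to vouch for. The enclosing `if [ "$1" = configure ]` block closes inside the hunk.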
@@ -2,11 +2,13 @@ etc/default/ipa_memcached etc/ipa/html/* lib/systemd/system/* usr/lib/*/certmonger/dogtag-ipa-ca-renew-agent-submit +usr/lib/*/certmonger/ipa-server-guard usr/lib/*/dirsrv/plugins/libipa_cldap.so usr/lib/*/dirsrv/plugins/libipa_dns.so usr/lib/*/dirsrv/plugins/libipa_enrollment_extop.so usr/lib/*/dirsrv/plugins/libipa_lockout.so usr/lib/*/dirsrv/plugins/libipa_modrdn.so +usr/lib/*/dirsrv/plugins/libipa_otp_counter.so usr/lib/*/dirsrv/plugins/libipa_otp_lasttoken.so usr/lib/*/dirsrv/plugins/libipa_pwd_extop.so usr/lib/*/dirsrv/plugins/libipa_range_check.so @@ -22,6 +24,7 @@ usr/lib/python*/dist-packages/ipaserver/install/__init__.py usr/lib/python*/dist-packages/ipaserver/install/bindinstance.py usr/lib/python*/dist-packages/ipaserver/install/cainstance.py usr/lib/python*/dist-packages/ipaserver/install/certs.py +usr/lib/python*/dist-packages/ipaserver/install/dnskeysyncinstance.py usr/lib/python*/dist-packages/ipaserver/install/dsinstance.py usr/lib/python*/dist-packages/ipaserver/install/httpinstance.py usr/lib/python*/dist-packages/ipaserver/install/installutils.py @@ -30,6 +33,8 @@ usr/lib/python*/dist-packages/ipaserver/install/krbinstance.py usr/lib/python*/dist-packages/ipaserver/install/ldapupdate.py usr/lib/python*/dist-packages/ipaserver/install/memcacheinstance.py usr/lib/python*/dist-packages/ipaserver/install/ntpinstance.py +usr/lib/python*/dist-packages/ipaserver/install/odsexporterinstance.py +usr/lib/python*/dist-packages/ipaserver/install/opendnssecinstance.py usr/lib/python*/dist-packages/ipaserver/install/otpdinstance.py usr/lib/python*/dist-packages/ipaserver/install/plugins usr/lib/python*/dist-packages/ipaserver/install/replication.py @@ -42,6 +47,7 @@ usr/lib/python*/dist-packages/ipaserver/rpcserver* usr/sbin/ipa-advise usr/sbin/ipa-backup usr/sbin/ipa-ca-install +usr/sbin/ipa-cacert-manage usr/sbin/ipa-compat-manage usr/sbin/ipa-csreplica-manage usr/sbin/ipa-dns-install 
@@ -77,6 +83,7 @@ usr/share/ipa/wsgi/* usr/share/man/man1/ipa-advise.1* usr/share/man/man1/ipa-backup.1* usr/share/man/man1/ipa-ca-install.1* +usr/share/man/man1/ipa-cacert-manage.1* usr/share/man/man1/ipa-compat-manage.1* usr/share/man/man1/ipa-csreplica-manage.1* usr/share/man/man1/ipa-dns-install.1* diff --git a/debian/freeipa-server.links b/debian/freeipa-server.links index 54e0a00cc..b9c0153cc 100644 --- a/debian/freeipa-server.links +++ b/debian/freeipa-server.links @@ -1,8 +1,8 @@ +/etc/ipa/html/browserconfig.html usr/share/ipa/html/browserconfig.html /etc/ipa/html/ffconfig.js usr/share/ipa/html/ffconfig.js /etc/ipa/html/ffconfig_page.js usr/share/ipa/html/ffconfig_page.js /etc/ipa/html/ssbrowser.html usr/share/ipa/html/ssbrowser.html /etc/ipa/html/unauthorized.html usr/share/ipa/html/unauthorized.html -/etc/ipa/html/browserconfig.html usr/share/ipa/html/browserconfig.html /usr/share/javascript/prototype/prototype.js /usr/share/ipa/ipagui/static/javascript/prototype.js -/usr/share/javascript/scriptaculous/scriptaculous.js /usr/share/ipa/ipagui/static/javascript/scriptaculous.js /usr/share/javascript/scriptaculous/effects.js /usr/share/ipa/ipagui/static/javascript/effects.js +/usr/share/javascript/scriptaculous/scriptaculous.js /usr/share/ipa/ipagui/static/javascript/scriptaculous.js diff --git a/debian/freeipa-server.postinst b/debian/freeipa-server.postinst index 198d52b07..49cdcb69f 100644 --- a/debian/freeipa-server.postinst +++ b/debian/freeipa-server.postinst @@ -27,6 +27,15 @@ if [ "$1" = configure ]; then fi fi chown root:bind /var/cache/bind/data + + # check if IPA is set up + is_configured=`python2 -c 'from ipaserver.install import installutils; print "yes" if installutils.is_ipa_configured() else "no";'` + if [ $is_configured = yes ]; then + echo "Running ipa-ldap-updater..." + ipa-ldap-updater --upgrade --quiet >/dev/null + echo "Running ipa-upgradeconfig..." + ipa-upgradeconfig --quiet >/dev/null + fi fi if [ ! -e /run/ipa_memcached ]; then 
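Review bot: `if [ $is_configured = yes ]; then` leaves the variable unquoted, so if the backtick-captured `python2 -c` output is empty (import error, or output suppressed) the test degenerates to `[ = yes ]` and errors out instead of taking the "not configured" path; write `if [ "$is_configured" = yes ]; then` and prefer `$(...)` over backticks for the capture. Both `ipa-ldap-updater --upgrade --quiet` and `ipa-upgradeconfig --quiet` discard stdout, so on failure an admin sees only their stderr; if the rest of this postinst runs under `set -e` (not visible in this hunk), such a failure also leaves the package unconfigured, which may be intended but deserves a comment, e.g. `# a failed LDAP/config upgrade must not be silently ignored: leave the package unconfigured`. The enclosing `if [ "$1" = configure ]` block starts outside the hunk.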
diff --git a/debian/freeipa-server.postrm b/debian/freeipa-server.postrm
new file mode 100644
index 000000000..fd71998e8
--- /dev/null
+++ b/debian/freeipa-server.postrm
@@ -0,0 +1,42 @@
+#!/bin/sh
+set -e
+
+case "$1" in
+ remove|purge)
+ if [ -e /usr/share/apache2/apache2-maintscript-helper ]; then
+ . /usr/share/apache2/apache2-maintscript-helper
+
+ if [ -e /etc/apache2/mods-enabled/auth_kerb.load ]; then
+ apache2_invoke dismod auth_kerb || exit $?
+ fi
+ if [ -e /etc/apache2/mods-enabled/authz_user.load ]; then
+ apache2_invoke dismod authz_user || exit $?
+ fi
+ if [ -e /etc/apache2/mods-enabled/deflate.load ]; then
+ apache2_invoke dismod deflate || exit $?
+ fi
+ if [ -e /etc/apache2/mods-enabled/expires.load ]; then
+ apache2_invoke dismod expires || exit $?
+ fi
+ if [ -e /etc/apache2/mods-enabled/headers.load ]; then
+ apache2_invoke dismod headers || exit $?
+ fi
+ if [ -e /etc/apache2/mods-enabled/proxy.load ]; then
+ apache2_invoke dismod proxy || exit $?
+ fi
+ if [ -e /etc/apache2/mods-enabled/rewrite.load ]; then
+ apache2_invoke dismod rewrite || exit $?
+ fi
+ fi
+ ;;
+esac
+case "$1" in
+ purge)
+ rm -f \
+ /var/log/ipareplica-conncheck.log \
+ /var/log/ipareplica-install.log \
+ /var/log/ipaserver-install.log \
+ /var/log/ipaserver-uninstall.log \
+ /var/log/ipaupgrade.log
+ ;;
+esac
diff --git a/debian/patches/add-debian-platform.diff b/debian/patches/add-debian-platform.diff
index 8367facdc..07fa589fe 100644
--- a/debian/patches/add-debian-platform.diff
+++ b/debian/patches/add-debian-platform.diff
@@ -105,7 +105,7 @@ Date: Fri Mar 1 12:21:00 2013 +0200
 +paths = DebianPathNamespace()
 --- /dev/null
 +++ b/ipaplatform/debian/services.py
-@@ -0,0 +1,184 @@
+@@ -0,0 +1,198 @@
 +# Authors:
 +# Timo Aaltonen
 +#
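Review bot: The new postrm contains no `#DEBHELPER#` token, unlike freeipa-client.postrm in this same commit, so the snippets debhelper would generate for the package's units and defaults (freeipa-server.install ships lib/systemd/system/* and etc/default/ipa_memcached) are not inserted; add `#DEBHELPER#` after the second `esac`. The `remove|purge` branch also disables authz_user, deflate, expires, headers, proxy and rewrite whenever the corresponding .load exists, and these are general-purpose modules that other sites on the same apache2 instance may depend on — the existence test cannot tell who enabled them. If the postinst enables them through `apache2_invoke enmod`, the helper keeps its own record of that and `dismod` should be left to consult it (to confirm against the helper); otherwise it is safer to disable only auth_kerb here. The `|| exit $?` after each `apache2_invoke` is redundant under `set -e`.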
@@ -247,6 +247,20 @@ Date: Fri Mar 1 12:21:00 2013 +0200 + def get_config_dir(self, instance_name=""): + return '/etc/ssh' + ++class DebianNamedService(DebianSysvService): ++ def get_user_name(self): ++ return u'bind' ++ ++ def get_group_name(self): ++ return u'bind' ++ ++ def get_binary_path(self): ++ return paths.NAMED ++ ++ def get_package_name(self): ++ return u'bind9' ++ ++ +# Function that constructs proper Debian-specific server classes for services +# of specified name + @@ -266,7 +280,7 @@ Date: Fri Mar 1 12:21:00 2013 +0200 + if name == 'messagebus': + return DebianSysvService("dbus") + if name == 'named': -+ return DebianSysvService("bind9") ++ return DebianNamedService("bind9") + if name == 'ntpd': + return DebianSysvService("ntp") + if name == 'sshd': @@ -541,3 +555,16 @@ Date: Fri Mar 1 12:21:00 2013 +0200 PIDFile=/var/run/ipa_memcached/ipa_memcached.pid ExecStart=/usr/bin/memcached -d -s $SOCKET_PATH -u $USER -m $CACHESIZE -c $MAXCONN -P /var/run/ipa_memcached/ipa_memcached.pid $OPTIONS +--- a/install/share/bind.named.conf.template ++++ b/install/share/bind.named.conf.template +@@ -38,10 +38,6 @@ logging { + }; + }; + +-zone "." IN { +- type hint; +- file "named.ca"; +-}; + + include "$RFC1912_ZONES"; + include "$ROOT_KEY"; diff --git a/debian/patches/disable-dnssec-support.patch b/debian/patches/disable-dnssec-support.patch index 88471b0e7..24781ceac 100644 --- a/debian/patches/disable-dnssec-support.patch +++ b/debian/patches/disable-dnssec-support.patch @@ -19,15 +19,28 @@ Subject: [PATCH] Disable DNSSEC support --- a/install/share/bind.named.conf.template 
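Review bot: Dropping the `zone "." IN { type hint; file "named.ca"; }` block from bind.named.conf.template means the generated named.conf only has root hints if whatever `$RFC1912_ZONES` expands to on Debian supplies them (Debian's bind9 carries its default zones, root hints included, in a separate include file, which is presumably the motivation), and nothing in the patch says so. A comment next to the remaining include, e.g. `// root hints are provided by the Debian default-zones include`, or a line in the patch header would keep a later maintainer from re-adding a duplicate hint zone. The template is only partially visible here, so I cannot confirm which file `$RFC1912_ZONES` resolves to on Debian.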
+++ b/install/share/bind.named.conf.template -@@ -18,7 +18,7 @@ options { +@@ -18,12 +18,8 @@ options { pid-file "$NAMED_PID"; dnssec-enable yes; - dnssec-validation yes; + dnssec-validation no; - /* Path to ISC DLV key */ - bindkeys-file "$BINDKEYS_FILE"; +- /* Path to ISC DLV key */ +- bindkeys-file "$BINDKEYS_FILE"; +- +- managed-keys-directory "$MANAGED_KEYS_DIR"; + }; + + /* If you want to enable debugging, eg. using the 'rndc trace' command, +@@ -40,7 +36,6 @@ logging { + + + include "$RFC1912_ZONES"; +-include "$ROOT_KEY"; + + dynamic-db "ipa" { + library "ldap.so"; --- a/install/tools/ipa-dns-install +++ b/install/tools/ipa-dns-install @@ -23,8 +23,7 @@ from optparse import OptionGroup, SUPPRE @@ -370,14 +383,20 @@ Subject: [PATCH] Disable DNSSEC support cleanup_kdc(fstore) cleanup_adtrust(fstore) setup_firefox_extension(fstore) -@@ -1462,7 +1453,6 @@ def main(): - named_bindkey_file_option(), - named_managed_keys_dir_option(), - named_root_key_include(), +@@ -1457,13 +1448,6 @@ def main(): + named_enable_serial_autoincrement(), + named_update_gssapi_configuration(), + named_update_pid_file(), +- named_enable_dnssec(), +- named_validate_dnssec(), +- named_bindkey_file_option(), +- named_managed_keys_dir_option(), +- named_root_key_include(), - mask_named_regular(), - fix_dyndb_ldap_workdir_permissions(), +- fix_dyndb_ldap_workdir_permissions(), ) + if any(named_conf_changes): --- a/ipalib/plugins/dns.py +++ b/ipalib/plugins/dns.py @@ -2617,7 +2617,9 @@ class dnszone(DNSZoneBase): diff --git a/debian/patches/revert-dnssec-aci.diff b/debian/patches/revert-dnssec-aci.diff new file mode 100644 index 000000000..eb49b53a5 --- /dev/null +++ b/debian/patches/revert-dnssec-aci.diff 
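Review bot: The template now hardcodes `dnssec-validation no;` while keeping `dnssec-enable yes;`, which switches off validation of upstream answers for every client of this resolver, a broader effect than the dyndb-ldap signing support the patch title refers to. With the `bindkeys-file`, `managed-keys-directory` and `include "$ROOT_KEY"` lines removed, `dnssec-validation auto;` would keep validation using BIND's built-in root trust anchor without needing any of those files, so it is worth considering if the intent is only to drop zone signing. Whichever is chosen, the patch header should state which feature is unavailable on Debian and why validation itself is changed. The hunk starts on the previous line of the diff.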
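Review bot: As far as the collapsed markers can be read, the ipa-upgradeconfig hunk now also removes `fix_dyndb_ldap_workdir_permissions(),` from the named.conf upgrade steps, which by its name is an ownership fix for the dyndb-ldap working directory rather than anything DNSSEC-specific, and this same commit adds `DebianNamedService` with `get_user_name` returning `bind`, presumably so that exactly such steps resolve the right Debian user. If that step fails on Debian, a sentence in the patch header saying why it is dropped would stop a later maintainer reinstating it; otherwise keeping it in the `named_conf_changes` tuple seems preferable. `main()` continues outside the hunk.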
@@ -0,0 +1,98 @@ +commit d37678b62dc588180b7207dd9226f1e328f995eb +Author: Timo Aaltonen +Date: Fri Sep 25 06:28:37 2015 +0300 + + Revert "DNSSEC: ACI" + + This reverts commit 4ddc978cea5229f6429221a37cc657b88a734736. + +diff --git a/ACI.txt b/ACI.txt +index 933b57c..12726ee 100644 +--- a/ACI.txt ++++ b/ACI.txt +@@ -39,14 +39,8 @@ aci: (targetattr = "idnsallowsyncptr || idnsforwarders || idnsforwardpolicy || i + dn: dc=ipa,dc=example + aci: (target = "ldap:///idnsname=*,cn=dns,dc=ipa,dc=example")(version 3.0;acl "permission:System: Add DNS Entries";allow (add) groupdn = "ldap:///cn=System: Add DNS Entries,cn=permissions,cn=pbac,dc=ipa,dc=example";) + dn: dc=ipa,dc=example +-aci: (targetattr = "ipaprivatekey || ipapublickey || ipasecretkey || ipasecretkeyref || ipawrappingkey || ipawrappingmech || ipk11allowedmechanisms || ipk11alwaysauthenticate || ipk11alwayssensitive || ipk11checkvalue || ipk11copyable || ipk11decrypt || ipk11derive || ipk11destroyable || ipk11distrusted || ipk11encrypt || ipk11enddate || ipk11extractable || ipk11id || ipk11keygenmechanism || ipk11keytype || ipk11label || ipk11local || ipk11modifiable || ipk11neverextractable || ipk11private || ipk11publickeyinfo || ipk11sensitive || ipk11sign || ipk11signrecover || ipk11startdate || ipk11subject || ipk11trusted || ipk11uniqueid || ipk11unwrap || ipk11unwraptemplate || ipk11verify || ipk11verifyrecover || ipk11wrap || ipk11wraptemplate || ipk11wrapwithtrusted || objectclass")(target = "ldap:///cn=keys,cn=sec,cn=dns,dc=ipa,dc=example")(version 3.0;acl "permission:System: Manage DNSSEC keys";allow (all) groupdn = "ldap:///cn=System: Manage DNSSEC keys,cn=permissions,cn=pbac,dc=ipa,dc=example";) +-dn: dc=ipa,dc=example +-aci: (targetattr = "cn || idnssecalgorithm || idnsseckeyactivate || idnsseckeycreated || idnsseckeydelete || idnsseckeyinactive || idnsseckeypublish || idnsseckeyref || idnsseckeyrevoke || idnsseckeysep || idnsseckeyzone || objectclass")(target = 
"ldap:///cn=dns,dc=ipa,dc=example")(targetfilter = "(objectclass=idnsSecKey)")(version 3.0;acl "permission:System: Manage DNSSEC metadata";allow (all) groupdn = "ldap:///cn=System: Manage DNSSEC metadata,cn=permissions,cn=pbac,dc=ipa,dc=example";) +-dn: dc=ipa,dc=example + aci: (targetattr = "a6record || aaaarecord || afsdbrecord || arecord || certrecord || cn || cnamerecord || createtimestamp || dlvrecord || dnamerecord || dnsclass || dnsttl || dsrecord || entryusn || hinforecord || idnsallowdynupdate || idnsallowquery || idnsallowsyncptr || idnsallowtransfer || idnsforwarders || idnsforwardpolicy || idnsname || idnssecinlinesigning || idnssoaexpire || idnssoaminimum || idnssoamname || idnssoarefresh || idnssoaretry || idnssoarname || idnssoaserial || idnsupdatepolicy || idnszoneactive || keyrecord || kxrecord || locrecord || managedby || mdrecord || minforecord || modifytimestamp || mxrecord || naptrrecord || nsec3paramrecord || nsecrecord || nsrecord || nxtrecord || objectclass || ptrrecord || rrsigrecord || sigrecord || srvrecord || sshfprecord || tlsarecord || txtrecord")(target = "ldap:///idnsname=*,cn=dns,dc=ipa,dc=example")(version 3.0;acl "permission:System: Read DNS Entries";allow (compare,read,search) groupdn = "ldap:///cn=System: Read DNS Entries,cn=permissions,cn=pbac,dc=ipa,dc=example";) + dn: dc=ipa,dc=example +-aci: (targetattr = "cn || createtimestamp || entryusn || idnssecalgorithm || idnsseckeyactivate || idnsseckeycreated || idnsseckeydelete || idnsseckeyinactive || idnsseckeypublish || idnsseckeyref || idnsseckeyrevoke || idnsseckeysep || idnsseckeyzone || modifytimestamp || objectclass")(target = "ldap:///cn=dns,dc=ipa,dc=example")(targetfilter = "(objectclass=idnsSecKey)")(version 3.0;acl "permission:System: Read DNSSEC metadata";allow (compare,read,search) groupdn = "ldap:///cn=System: Read DNSSEC metadata,cn=permissions,cn=pbac,dc=ipa,dc=example";) +-dn: dc=ipa,dc=example + aci: (target = 
"ldap:///idnsname=*,cn=dns,dc=ipa,dc=example")(version 3.0;acl "permission:System: Remove DNS Entries";allow (delete) groupdn = "ldap:///cn=System: Remove DNS Entries,cn=permissions,cn=pbac,dc=ipa,dc=example";) + dn: dc=ipa,dc=example + aci: (targetattr = "a6record || aaaarecord || afsdbrecord || arecord || certrecord || cn || cnamerecord || dlvrecord || dnamerecord || dnsclass || dnsttl || dsrecord || hinforecord || idnsallowdynupdate || idnsallowquery || idnsallowsyncptr || idnsallowtransfer || idnsforwarders || idnsforwardpolicy || idnsname || idnssecinlinesigning || idnssoaexpire || idnssoaminimum || idnssoamname || idnssoarefresh || idnssoaretry || idnssoarname || idnssoaserial || idnsupdatepolicy || idnszoneactive || keyrecord || kxrecord || locrecord || managedby || mdrecord || minforecord || mxrecord || naptrrecord || nsec3paramrecord || nsecrecord || nsrecord || nxtrecord || ptrrecord || rrsigrecord || sigrecord || srvrecord || sshfprecord || tlsarecord || txtrecord")(target = "ldap:///idnsname=*,cn=dns,dc=ipa,dc=example")(version 3.0;acl "permission:System: Update DNS Entries";allow (write) groupdn = "ldap:///cn=System: Update DNS Entries,cn=permissions,cn=pbac,dc=ipa,dc=example";) +diff --git a/ipalib/plugins/dns.py b/ipalib/plugins/dns.py +index f589ab5..ccca6d1 100644 +--- a/ipalib/plugins/dns.py ++++ b/ipalib/plugins/dns.py +@@ -2471,7 +2471,6 @@ class dnszone(DNSZoneBase): + ), + ) + # Permissions will be apllied for forwardzones too +- # Store permissions into api.env.basedn, dns container could not exists + managed_permissions = { + 'System: Add DNS Entries': { + 'non_object': True, +@@ -2546,58 +2545,6 @@ class dnszone(DNSZoneBase): + ], + 'default_privileges': {'DNS Administrators', 'DNS Servers'}, + }, +- 'System: Read DNSSEC metadata': { +- 'non_object': True, +- 'ipapermright': {'read', 'search', 'compare'}, +- 'ipapermlocation': api.env.basedn, +- 'ipapermtarget': DN('cn=dns', api.env.basedn), +- 'ipapermtargetfilter': 
['(objectclass=idnsSecKey)'], +- 'ipapermdefaultattr': { +- 'idnsSecAlgorithm', 'idnsSecKeyCreated', 'idnsSecKeyPublish', +- 'idnsSecKeyActivate', 'idnsSecKeyInactive', 'idnsSecKeyDelete', +- 'idnsSecKeyZone', 'idnsSecKeyRevoke', 'idnsSecKeySep', +- 'idnsSecKeyRef', 'cn', 'objectclass', +- }, +- 'default_privileges': {'DNS Administrators'}, +- }, +- 'System: Manage DNSSEC metadata': { +- 'non_object': True, +- 'ipapermright': {'all'}, +- 'ipapermlocation': api.env.basedn, +- 'ipapermtarget': DN('cn=dns', api.env.basedn), +- 'ipapermtargetfilter': ['(objectclass=idnsSecKey)'], +- 'ipapermdefaultattr': { +- 'idnsSecAlgorithm', 'idnsSecKeyCreated', 'idnsSecKeyPublish', +- 'idnsSecKeyActivate', 'idnsSecKeyInactive', 'idnsSecKeyDelete', +- 'idnsSecKeyZone', 'idnsSecKeyRevoke', 'idnsSecKeySep', +- 'idnsSecKeyRef', 'cn', 'objectclass', +- }, +- 'default_privileges': {'DNS Servers'}, +- }, +- 'System: Manage DNSSEC keys': { +- 'non_object': True, +- 'ipapermright': {'all'}, +- 'ipapermlocation': api.env.basedn, +- 'ipapermtarget': DN('cn=keys', 'cn=sec', 'cn=dns', api.env.basedn), +- 'ipapermdefaultattr': { +- 'ipaPublicKey', 'ipaPrivateKey', 'ipaSecretKey', +- 'ipaWrappingMech','ipaWrappingKey', +- 'ipaSecretKeyRef', 'ipk11Private', 'ipk11Modifiable', 'ipk11Label', +- 'ipk11Copyable', 'ipk11Destroyable', 'ipk11Trusted', +- 'ipk11CheckValue', 'ipk11StartDate', 'ipk11EndDate', +- 'ipk11UniqueId', 'ipk11PublicKeyInfo', 'ipk11Distrusted', +- 'ipk11Subject', 'ipk11Id', 'ipk11Local', 'ipk11KeyType', +- 'ipk11Derive', 'ipk11KeyGenMechanism', 'ipk11AllowedMechanisms', +- 'ipk11Encrypt', 'ipk11Verify', 'ipk11VerifyRecover', 'ipk11Wrap', +- 'ipk11WrapTemplate', 'ipk11Sensitive', 'ipk11Decrypt', +- 'ipk11Sign', 'ipk11SignRecover', 'ipk11Unwrap', +- 'ipk11Extractable', 'ipk11AlwaysSensitive', +- 'ipk11NeverExtractable', 'ipk11WrapWithTrusted', +- 'ipk11UnwrapTemplate', 'ipk11AlwaysAuthenticate', +- 'objectclass', +- }, +- 'default_privileges': {'DNS Servers'}, +- }, + } + + def 
_rr_zone_postprocess(self, record, **options): diff --git a/debian/patches/revert-dnssec-schema.diff b/debian/patches/revert-dnssec-schema.diff new file mode 100644 index 000000000..e888893c5 --- /dev/null +++ b/debian/patches/revert-dnssec-schema.diff 
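Review bot: The new patch file carries only the git header of the reverted upstream commit and no DEP-3 fields, so nothing in the patch itself records why the revert is needed or that it is Debian-specific; the changelog says the DNSSEC schema and ACI changes make the upgrade tools fail, and a `Description:` restating that (naming the failing tool) plus `Forwarded: not-needed` belongs at the top of the patch. The dns.py part of the revert also deletes the `# Store permissions into api.env.basedn, dns container could not exists` comment although the `'ipapermlocation': api.env.basedn` entries it explains stay in `managed_permissions`; keeping that comment line trims the patch without changing behaviour. The `dnszone` class continues outside the hunk.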
@@ -0,0 +1,131 @@ +commit 69cb61ab1ef5c232e4270b49388a8f730e89e84b +Author: Timo Aaltonen +Date: Fri Sep 25 06:02:29 2015 +0300 + + Revert "DNSSEC: schema" + + This reverts commit 3f0440f1950319febabcf726304bc10954c8b2b8. + +diff --git a/install/share/60basev3.ldif b/install/share/60basev3.ldif +index 4efb1fe..7ce7777 100644 +--- a/install/share/60basev3.ldif ++++ b/install/share/60basev3.ldif +@@ -49,11 +49,9 @@ attributeTypes: (2.16.840.1.113730.3.8.11.49 NAME 'ipaPermTarget' DESC 'IPA perm + attributeTypes: (2.16.840.1.113730.3.8.11.51 NAME 'ipaAllowedToPerform' DESC 'DNs allowed to perform an operation' SUP distinguishedName X-ORIGIN 'IPA v4.0') + attributeTypes: (2.16.840.1.113730.3.8.11.52 NAME 'ipaProtectedOperation' DESC 'Operation to be protected' EQUALITY caseIgnoreMatch SYNTAX 1.3.6.1.4.1.1466.115.121.1.15{128} ) + attributeTypes: (2.16.840.1.113730.3.8.11.53 NAME 'ipaPublicKey' DESC 'Public key as DER-encoded SubjectPublicKeyInfo (RFC 5280)' EQUALITY octetStringMatch SYNTAX 1.3.6.1.4.1.1466.115.121.1.40 X-ORIGIN 'IPA v4.1' ) +-attributeTypes: (2.16.840.1.113730.3.8.11.54 NAME 'ipaPrivateKey' DESC 'Private key as DER-encoded EncryptedPrivateKeyInfo (RFC 5958)' EQUALITY octetStringMatch SYNTAX 1.3.6.1.4.1.1466.115.121.1.40 SINGLE-VALUE X-ORIGIN 'IPA v4.1' ) +-attributeTypes: (2.16.840.1.113730.3.8.11.55 NAME 'ipaSecretKey' DESC 'Encrypted secret key data' EQUALITY octetStringMatch SYNTAX 1.3.6.1.4.1.1466.115.121.1.40 SINGLE-VALUE X-ORIGIN 'IPA v4.1' ) ++attributeTypes: (2.16.840.1.113730.3.8.11.54 NAME 'ipaPrivateKey' DESC 'Private key as DER-encoded EncryptedPrivateKeyInfo (RFC 5958)' EQUALITY octetStringMatch SYNTAX 1.3.6.1.4.1.1466.115.121.1.40 X-ORIGIN 'IPA v4.1' ) ++attributeTypes: (2.16.840.1.113730.3.8.11.55 NAME 'ipaSecretKey' DESC 'Encrypted secret key data' EQUALITY octetStringMatch SYNTAX 1.3.6.1.4.1.1466.115.121.1.40 X-ORIGIN 'IPA v4.1' ) + attributeTypes: (2.16.840.1.113730.3.8.11.61 NAME 'ipaWrappingKey' DESC 'PKCS#11 URI of the wrapping 
key' EQUALITY caseExactMatch SYNTAX 1.3.6.1.4.1.1466.115.121.1.15 SINGLE-VALUE X-ORIGIN 'IPA v4.1' ) +-attributeTypes: (2.16.840.1.113730.3.8.11.64 NAME 'ipaSecretKeyRef' DESC 'DN of the ipa key object' EQUALITY distinguishedNameMatch SYNTAX 1.3.6.1.4.1.1466.115.121.1.12 X-ORIGIN 'IPA v4.1' ) +-attributeTypes: (2.16.840.1.113730.3.8.11.65 NAME 'ipaWrappingMech' DESC 'PKCS#11 wrapping mechanism equivalent to CK_MECHANISM_TYPE' EQUALITY caseIgnoreMatch SYNTAX 1.3.6.1.4.1.1466.115.121.1.15 SINGLE-VALUE X-ORIGIN 'IPA v4.1') + objectClasses: (2.16.840.1.113730.3.8.12.1 NAME 'ipaExternalGroup' SUP top STRUCTURAL MUST ( cn ) MAY ( ipaExternalMember $ memberOf $ description $ owner) X-ORIGIN 'IPA v3' ) + objectClasses: (2.16.840.1.113730.3.8.12.2 NAME 'ipaNTUserAttrs' SUP top AUXILIARY MUST ( ipaNTSecurityIdentifier ) MAY ( ipaNTHash $ ipaNTLogonScript $ ipaNTProfilePath $ ipaNTHomeDirectory $ ipaNTHomeDirectoryDrive ) X-ORIGIN 'IPA v3' ) + objectClasses: (2.16.840.1.113730.3.8.12.3 NAME 'ipaNTGroupAttrs' SUP top AUXILIARY MUST ( ipaNTSecurityIdentifier ) X-ORIGIN 'IPA v3' ) +@@ -74,6 +72,5 @@ objectClasses: (2.16.840.1.113730.3.8.12.20 NAME 'ipaUser' AUXILIARY MUST ( uid + objectClasses: (2.16.840.1.113730.3.8.12.21 NAME 'ipaPermissionV2' DESC 'IPA Permission objectclass, version 2' SUP ipaPermission AUXILIARY MUST ( ipaPermBindRuleType $ ipaPermLocation ) MAY ( ipaPermDefaultAttr $ ipaPermIncludedAttr $ ipaPermExcludedAttr $ ipaPermRight $ ipaPermTargetFilter $ ipaPermTarget ) X-ORIGIN 'IPA v4.0' ) + objectClasses: (2.16.840.1.113730.3.8.12.22 NAME 'ipaAllowedOperations' SUP top AUXILIARY DESC 'Class to apply access controls to arbitrary operations' MAY ( ipaAllowedToPerform $ ipaProtectedOperation ) X-ORIGIN 'IPA v4.0') + objectClasses: (2.16.840.1.113730.3.8.12.24 NAME 'ipaPublicKeyObject' DESC 'Wrapped public keys' SUP top AUXILIARY MUST ( ipaPublicKey ) X-ORIGIN 'IPA v4.1' ) +-objectClasses: (2.16.840.1.113730.3.8.12.25 NAME 'ipaPrivateKeyObject' DESC 'Wrapped 
private keys' SUP top AUXILIARY MUST ( ipaPrivateKey $ ipaWrappingKey $ ipaWrappingMech ) X-ORIGIN 'IPA v4.1' ) +-objectClasses: (2.16.840.1.113730.3.8.12.26 NAME 'ipaSecretKeyObject' DESC 'Wrapped secret keys' SUP top AUXILIARY MUST ( ipaSecretKey $ ipaWrappingKey $ ipaWrappingMech ) X-ORIGIN 'IPA v4.1' ) +-objectClasses: (2.16.840.1.113730.3.8.12.34 NAME 'ipaSecretKeyRefObject' DESC 'Indirect storage for encoded key material' SUP top AUXILIARY MUST ( ipaSecretKeyRef ) X-ORIGIN 'IPA v4.1' ) ++objectClasses: (2.16.840.1.113730.3.8.12.25 NAME 'ipaPrivateKeyObject' DESC 'Wrapped private keys' SUP top AUXILIARY MUST ( ipaPrivateKey $ ipaWrappingKey ) X-ORIGIN 'IPA v4.1' ) ++objectClasses: (2.16.840.1.113730.3.8.12.26 NAME 'ipaSecretKeyObject' DESC 'Wrapped secret keys' SUP top AUXILIARY MUST ( ipaSecretKey $ ipaWrappingKey ) X-ORIGIN 'IPA v4.1' ) +diff --git a/install/share/60ipadns.ldif b/install/share/60ipadns.ldif +index 678a5b4..eccc4fe 100644 +--- a/install/share/60ipadns.ldif ++++ b/install/share/60ipadns.ldif +@@ -53,19 +53,8 @@ attributeTypes: ( 2.16.840.1.113730.3.8.5.15 NAME 'idnsForwarders' DESC 'list of + attributeTypes: ( 2.16.840.1.113730.3.8.5.16 NAME 'idnsZoneRefresh' DESC 'zone refresh interval' EQUALITY integerMatch SYNTAX 1.3.6.1.4.1.1466.115.121.1.27 SINGLE-VALUE X-ORIGIN 'IPA v2' ) + attributeTypes: ( 2.16.840.1.113730.3.8.5.17 NAME 'idnsPersistentSearch' DESC 'allow persistent searches' EQUALITY booleanMatch SYNTAX 1.3.6.1.4.1.1466.115.121.1.7 SINGLE-VALUE X-ORIGIN 'IPA v2' ) + attributeTypes: ( 2.16.840.1.113730.3.8.5.18 NAME 'idnsSecInlineSigning' DESC 'allow inline DNSSEC signing' EQUALITY booleanMatch SYNTAX 1.3.6.1.4.1.1466.115.121.1.7 SINGLE-VALUE X-ORIGIN 'IPA v4.0' ) +-attributetypes: ( 2.16.840.1.113730.3.8.5.19 NAME 'idnsSecKeyCreated' DESC 'DNSSEC key creation timestamp' EQUALITY generalizedTimeMatch ORDERING generalizedTimeOrderingMatch SYNTAX 1.3.6.1.4.1.1466.115.121.1.24 SINGLE-VALUE X-ORIGIN 'IPA v4.1' ) +-attributetypes: ( 
2.16.840.1.113730.3.8.5.20 NAME 'idnsSecKeyPublish' DESC 'DNSSEC key (planned) publication time' EQUALITY generalizedTimeMatch ORDERING generalizedTimeOrderingMatch SYNTAX 1.3.6.1.4.1.1466.115.121.1.24 SINGLE-VALUE X-ORIGIN 'IPA v4.1' ) +-attributetypes: ( 2.16.840.1.113730.3.8.5.21 NAME 'idnsSecKeyActivate' DESC 'DNSSEC key (planned) activation time' EQUALITY generalizedTimeMatch ORDERING generalizedTimeOrderingMatch SYNTAX 1.3.6.1.4.1.1466.115.121.1.24 SINGLE-VALUE X-ORIGIN 'IPA v4.1' ) +-attributetypes: ( 2.16.840.1.113730.3.8.5.22 NAME 'idnsSecKeyInactive' DESC 'DNSSEC key (planned) inactivation time' EQUALITY generalizedTimeMatch ORDERING generalizedTimeOrderingMatch SYNTAX 1.3.6.1.4.1.1466.115.121.1.24 SINGLE-VALUE X-ORIGIN 'IPA v4.1' ) +-attributetypes: ( 2.16.840.1.113730.3.8.5.23 NAME 'idnsSecKeyDelete' DESC 'DNSSEC key (planned) deletion timestamp' EQUALITY generalizedTimeMatch ORDERING generalizedTimeOrderingMatch SYNTAX 1.3.6.1.4.1.1466.115.121.1.24 SINGLE-VALUE X-ORIGIN 'IPA v4.1' ) +-attributeTypes: ( 2.16.840.1.113730.3.8.5.24 NAME 'idnsSecKeyZone' DESC 'DNSKEY ZONE flag (equivalent to bit 7): RFC 4035' EQUALITY booleanMatch SYNTAX 1.3.6.1.4.1.1466.115.121.1.7 SINGLE-VALUE X-ORIGIN 'IPA v4.1' ) +-attributeTypes: ( 2.16.840.1.113730.3.8.5.25 NAME 'idnsSecKeyRevoke' DESC 'DNSKEY REVOKE flag (equivalent to bit 8): RFC 5011' EQUALITY booleanMatch SYNTAX 1.3.6.1.4.1.1466.115.121.1.7 SINGLE-VALUE X-ORIGIN 'IPA v4.1' ) +-attributeTypes: ( 2.16.840.1.113730.3.8.5.26 NAME 'idnsSecKeySep' DESC 'DNSKEY SEP flag (equivalent to bit 15): RFC 4035' EQUALITY booleanMatch SYNTAX 1.3.6.1.4.1.1466.115.121.1.7 SINGLE-VALUE X-ORIGIN 'IPA v4.1' ) +-attributeTypes: ( 2.16.840.1.113730.3.8.5.27 NAME 'idnsSecAlgorithm' DESC 'DNSKEY algorithm: string used as mnemonic' EQUALITY caseIgnoreIA5Match SUBSTR caseIgnoreIA5SubstringsMatch SYNTAX 1.3.6.1.4.1.1466.115.121.1.26 SINGLE-VALUE X-ORIGIN 'IPA v4.1' ) +-attributeTypes: ( 2.16.840.1.113730.3.8.5.28 NAME 'idnsSecKeyRef' DESC 
'PKCS#11 URI of the key' EQUALITY caseExactMatch SINGLE-VALUE SYNTAX 1.3.6.1.4.1.1466.115.121.1.15 X-ORIGIN 'IPA v4.1' ) + objectClasses: ( 2.16.840.1.113730.3.8.6.0 NAME 'idnsRecord' DESC 'dns Record, usually a host' SUP top STRUCTURAL MUST idnsName MAY ( idnsAllowDynUpdate $ dNSTTL $ dNSClass $ aRecord $ aAAARecord $ a6Record $ nSRecord $ cNAMERecord $ pTRRecord $ sRVRecord $ tXTRecord $ mXRecord $ mDRecord $ hInfoRecord $ mInfoRecord $ aFSDBRecord $ SigRecord $ KeyRecord $ LocRecord $ nXTRecord $ nAPTRRecord $ kXRecord $ certRecord $ dNameRecord $ dSRecord $ sSHFPRecord $ rRSIGRecord $ nSECRecord $ DLVRecord $ TLSARecord ) ) + objectClasses: ( 2.16.840.1.113730.3.8.6.1 NAME 'idnsZone' DESC 'Zone class' SUP idnsRecord STRUCTURAL MUST ( idnsZoneActive $ idnsSOAmName $ idnsSOArName $ idnsSOAserial $ idnsSOArefresh $ idnsSOAretry $ idnsSOAexpire $ idnsSOAminimum ) MAY ( idnsUpdatePolicy $ idnsAllowQuery $ idnsAllowTransfer $ idnsAllowSyncPTR $ idnsForwardPolicy $ idnsForwarders $ idnsSecInlineSigning $ nSEC3PARAMRecord ) ) + objectClasses: ( 2.16.840.1.113730.3.8.6.2 NAME 'idnsConfigObject' DESC 'DNS global config options' STRUCTURAL MAY ( idnsForwardPolicy $ idnsForwarders $ idnsAllowSyncPTR $ idnsZoneRefresh $ idnsPersistentSearch ) ) + objectClasses: ( 2.16.840.1.113730.3.8.12.18 NAME 'ipaDNSZone' SUP top AUXILIARY MUST idnsName MAY managedBy X-ORIGIN 'IPA v3' ) + objectClasses: ( 2.16.840.1.113730.3.8.6.3 NAME 'idnsForwardZone' DESC 'Forward Zone class' SUP top STRUCTURAL MUST ( idnsName $ idnsZoneActive ) MAY ( idnsForwarders $ idnsForwardPolicy ) ) +-objectClasses: ( 2.16.840.1.113730.3.8.6.4 NAME 'idnsSecKey' DESC 'DNSSEC key metadata' STRUCTURAL MUST ( idnsSecKeyRef $ idnsSecKeyCreated $ idnsSecAlgorithm ) MAY ( idnsSecKeyPublish $ idnsSecKeyActivate $ idnsSecKeyInactive $ idnsSecKeyDelete $ idnsSecKeyZone $ idnsSecKeyRevoke $ idnsSecKeySep $ cn ) X-ORIGIN 'IPA v4.1' ) +diff --git a/install/share/60ipapk11.ldif b/install/share/60ipapk11.ldif +deleted file 
mode 100644 +index 9db113d..0000000 +--- a/install/share/60ipapk11.ldif ++++ /dev/null +@@ -1,42 +0,0 @@ +-dn: cn=schema +-attributeTypes: (2.16.840.1.113730.3.8.17.1.11 NAME 'ipk11Private' DESC 'Is private to application' EQUALITY booleanMatch SYNTAX 1.3.6.1.4.1.1466.115.121.1.7 SINGLE-VALUE X-ORIGIN 'IPA v4.1' ) +-attributeTypes: (2.16.840.1.113730.3.8.17.1.12 NAME 'ipk11Modifiable' DESC 'Can be modified by application' EQUALITY booleanMatch SYNTAX 1.3.6.1.4.1.1466.115.121.1.7 SINGLE-VALUE X-ORIGIN 'IPA v4.1' ) +-attributeTypes: (2.16.840.1.113730.3.8.17.1.13 NAME 'ipk11Label' DESC 'Description' EQUALITY caseExactMatch SYNTAX 1.3.6.1.4.1.1466.115.121.1.15 SINGLE-VALUE X-ORIGIN 'IPA v4.1' ) +-attributeTypes: (2.16.840.1.113730.3.8.17.1.14 NAME 'ipk11Copyable' DESC 'Can be copied by application' EQUALITY booleanMatch SYNTAX 1.3.6.1.4.1.1466.115.121.1.7 SINGLE-VALUE X-ORIGIN 'IPA v4.1' ) +-attributeTypes: (2.16.840.1.113730.3.8.17.1.15 NAME 'ipk11Destroyable' DESC 'Can be destroyed by application' EQUALITY booleanMatch SYNTAX 1.3.6.1.4.1.1466.115.121.1.7 SINGLE-VALUE X-ORIGIN 'IPA v4.1' ) +-attributeTypes: (2.16.840.1.113730.3.8.17.1.16 NAME 'ipk11Trusted' DESC 'Can be trusted by application' EQUALITY booleanMatch SYNTAX 1.3.6.1.4.1.1466.115.121.1.7 SINGLE-VALUE X-ORIGIN 'IPA v4.1' ) +-attributeTypes: (2.16.840.1.113730.3.8.17.1.17 NAME 'ipk11CheckValue' DESC 'Checksum' EQUALITY octetStringMatch SYNTAX 1.3.6.1.4.1.1466.115.121.1.40 X-ORIGIN 'IPA v4.1' ) +-attributeTypes: (2.16.840.1.113730.3.8.17.1.18 NAME 'ipk11StartDate' DESC 'Validity start date' EQUALITY generalizedTimeMatch ORDERING generalizedTimeOrderingMatch SYNTAX 1.3.6.1.4.1.1466.115.121.1.24 SINGLE-VALUE X-ORIGIN 'IPA v4.1' ) +-attributeTypes: (2.16.840.1.113730.3.8.17.1.19 NAME 'ipk11EndDate' DESC 'Validity end date' EQUALITY generalizedTimeMatch ORDERING generalizedTimeOrderingMatch SYNTAX 1.3.6.1.4.1.1466.115.121.1.24 SINGLE-VALUE X-ORIGIN 'IPA v4.1' ) +-attributeTypes: (2.16.840.1.113730.3.8.17.1.1 
NAME 'ipk11UniqueId' DESC 'Meaningless unique identifier' EQUALITY caseIgnoreMatch SYNTAX 1.3.6.1.4.1.1466.115.121.1.15 SINGLE-VALUE X-ORIGIN 'IPA v4.1' ) +-attributeTypes: (2.16.840.1.113730.3.8.17.1.20 NAME 'ipk11PublicKeyInfo' DESC 'DER-encoding of SubjectPublicKeyInfo of associated public key' EQUALITY octetStringMatch SYNTAX 1.3.6.1.4.1.1466.115.121.1.40 X-ORIGIN 'IPA v4.1' ) +-attributeTypes: (2.16.840.1.113730.3.8.17.1.21 NAME 'ipk11Distrusted' DESC 'Must not be trusted by application' EQUALITY booleanMatch SYNTAX 1.3.6.1.4.1.1466.115.121.1.7 SINGLE-VALUE X-ORIGIN 'IPA v4.1' ) +-attributeTypes: (2.16.840.1.113730.3.8.17.1.22 NAME 'ipk11Subject' DESC 'DER-encoding of subject name' EQUALITY octetStringMatch SYNTAX 1.3.6.1.4.1.1466.115.121.1.40 SINGLE-VALUE X-ORIGIN 'IPA v4.1' ) +-attributeTypes: (2.16.840.1.113730.3.8.17.1.23 NAME 'ipk11Id' DESC 'Key association identifier' EQUALITY octetStringMatch SYNTAX 1.3.6.1.4.1.1466.115.121.1.40 SINGLE-VALUE X-ORIGIN 'IPA v4.1' ) +-attributeTypes: (2.16.840.1.113730.3.8.17.1.24 NAME 'ipk11Local' DESC 'Was created locally on token' EQUALITY booleanMatch SYNTAX 1.3.6.1.4.1.1466.115.121.1.7 SINGLE-VALUE X-ORIGIN 'IPA v4.1' ) +-attributeTypes: (2.16.840.1.113730.3.8.17.1.41 NAME 'ipk11KeyType' DESC 'Key type' EQUALITY caseIgnoreMatch SYNTAX 1.3.6.1.4.1.1466.115.121.1.15 SINGLE-VALUE X-ORIGIN 'IPA v4.1' ) +-attributeTypes: (2.16.840.1.113730.3.8.17.1.42 NAME 'ipk11Derive' DESC 'Key supports key derivation' EQUALITY booleanMatch SYNTAX 1.3.6.1.4.1.1466.115.121.1.7 SINGLE-VALUE X-ORIGIN 'IPA v4.1' ) +-attributeTypes: (2.16.840.1.113730.3.8.17.1.43 NAME 'ipk11KeyGenMechanism' DESC 'Mechanism used to generate this key' EQUALITY caseIgnoreMatch SYNTAX 1.3.6.1.4.1.1466.115.121.1.15 SINGLE-VALUE X-ORIGIN 'IPA v4.1' ) +-attributeTypes: (2.16.840.1.113730.3.8.17.1.44 NAME 'ipk11AllowedMechanisms' DESC 'Space-separated list of mechanisms allowed to be used with this key' EQUALITY caseIgnoreMatch SUBSTR caseIgnoreSubstringsMatch SYNTAX 
1.3.6.1.4.1.1466.115.121.1.15 SINGLE-VALUE X-ORIGIN 'IPA v4.1' ) +-attributeTypes: (2.16.840.1.113730.3.8.17.1.51 NAME 'ipk11Encrypt' DESC 'Key supports encryption' EQUALITY booleanMatch SYNTAX 1.3.6.1.4.1.1466.115.121.1.7 SINGLE-VALUE X-ORIGIN 'IPA v4.1' ) +-attributeTypes: (2.16.840.1.113730.3.8.17.1.52 NAME 'ipk11Verify' DESC 'Key supports verification where the signature is an appendix to the data' EQUALITY booleanMatch SYNTAX 1.3.6.1.4.1.1466.115.121.1.7 SINGLE-VALUE X-ORIGIN 'IPA v4.1' ) +-attributeTypes: (2.16.840.1.113730.3.8.17.1.53 NAME 'ipk11VerifyRecover' DESC 'Key supports verification where data is recovered from the signature' EQUALITY booleanMatch SYNTAX 1.3.6.1.4.1.1466.115.121.1.7 SINGLE-VALUE X-ORIGIN 'IPA v4.1' ) +-attributeTypes: (2.16.840.1.113730.3.8.17.1.54 NAME 'ipk11Wrap' DESC 'Key supports wrapping' EQUALITY booleanMatch SYNTAX 1.3.6.1.4.1.1466.115.121.1.7 SINGLE-VALUE X-ORIGIN 'IPA v4.1' ) +-attributeTypes: (2.16.840.1.113730.3.8.17.1.55 NAME 'ipk11WrapTemplate' DESC 'DN of template of keys which can be wrapped using this key' EQUALITY distinguishedNameMatch SYNTAX 1.3.6.1.4.1.1466.115.121.1.12 SINGLE-VALUE X-ORIGIN 'IPA v4.1' ) +-attributeTypes: (2.16.840.1.113730.3.8.17.1.61 NAME 'ipk11Sensitive' DESC 'Key is sensitive' EQUALITY booleanMatch SYNTAX 1.3.6.1.4.1.1466.115.121.1.7 SINGLE-VALUE X-ORIGIN 'IPA v4.1' ) +-attributeTypes: (2.16.840.1.113730.3.8.17.1.62 NAME 'ipk11Decrypt' DESC 'Key supports decryption' EQUALITY booleanMatch SYNTAX 1.3.6.1.4.1.1466.115.121.1.7 SINGLE-VALUE X-ORIGIN 'IPA v4.1' ) +-attributeTypes: (2.16.840.1.113730.3.8.17.1.63 NAME 'ipk11Sign' DESC 'Key supports signatures where the signature is an appendix to the data' EQUALITY booleanMatch SYNTAX 1.3.6.1.4.1.1466.115.121.1.7 SINGLE-VALUE X-ORIGIN 'IPA v4.1' ) +-attributeTypes: (2.16.840.1.113730.3.8.17.1.64 NAME 'ipk11SignRecover' DESC 'Key supports signatures where data can be recovered from the signature' EQUALITY booleanMatch SYNTAX 
1.3.6.1.4.1.1466.115.121.1.7 SINGLE-VALUE X-ORIGIN 'IPA v4.1' ) +-attributeTypes: (2.16.840.1.113730.3.8.17.1.65 NAME 'ipk11Unwrap' DESC 'Key supports unwrapping' EQUALITY booleanMatch SYNTAX 1.3.6.1.4.1.1466.115.121.1.7 SINGLE-VALUE X-ORIGIN 'IPA v4.1' ) +-attributeTypes: (2.16.840.1.113730.3.8.17.1.66 NAME 'ipk11Extractable' DESC 'Key is extractable and can be wrapped' EQUALITY booleanMatch SYNTAX 1.3.6.1.4.1.1466.115.121.1.7 SINGLE-VALUE X-ORIGIN 'IPA v4.1' ) +-attributeTypes: (2.16.840.1.113730.3.8.17.1.67 NAME 'ipk11AlwaysSensitive' DESC 'Key has always been sensitive' EQUALITY booleanMatch SYNTAX 1.3.6.1.4.1.1466.115.121.1.7 SINGLE-VALUE X-ORIGIN 'IPA v4.1' ) +-attributeTypes: (2.16.840.1.113730.3.8.17.1.68 NAME 'ipk11NeverExtractable' DESC 'Key has never been extractable' EQUALITY booleanMatch SYNTAX 1.3.6.1.4.1.1466.115.121.1.7 SINGLE-VALUE X-ORIGIN 'IPA v4.1' ) +-attributeTypes: (2.16.840.1.113730.3.8.17.1.69 NAME 'ipk11WrapWithTrusted' DESC 'Key can only be wrapped with a trusted wrapping key' EQUALITY booleanMatch SYNTAX 1.3.6.1.4.1.1466.115.121.1.7 SINGLE-VALUE X-ORIGIN 'IPA v4.1' ) +-attributeTypes: (2.16.840.1.113730.3.8.17.1.70 NAME 'ipk11UnwrapTemplate' DESC 'DN of template to apply to keys unwrapped using this key' EQUALITY distinguishedNameMatch SYNTAX 1.3.6.1.4.1.1466.115.121.1.12 SINGLE-VALUE X-ORIGIN 'IPA v4.1' ) +-attributeTypes: (2.16.840.1.113730.3.8.17.1.71 NAME 'ipk11AlwaysAuthenticate' DESC 'User has to authenticate for each use with this key' EQUALITY booleanMatch SYNTAX 1.3.6.1.4.1.1466.115.121.1.7 SINGLE-VALUE X-ORIGIN 'IPA v4.1' ) +-objectClasses: (2.16.840.1.113730.3.8.17.2.1 NAME 'ipk11Object' DESC 'Object' SUP top STRUCTURAL MUST ipk11UniqueId X-ORIGIN 'IPA v4.1' ) +-objectClasses: (2.16.840.1.113730.3.8.17.2.2 NAME 'ipk11StorageObject' DESC 'Storage object' SUP top ABSTRACT MAY ( ipk11Private $ ipk11Modifiable $ ipk11Label $ ipk11Copyable $ ipk11Destroyable ) X-ORIGIN 'IPA v4.1' ) +-objectClasses: (2.16.840.1.113730.3.8.17.2.5 
NAME 'ipk11Key' DESC 'Key' SUP ipk11StorageObject ABSTRACT MAY ( ipk11KeyType $ ipk11Id $ ipk11StartDate $ ipk11EndDate $ ipk11Derive $ ipk11Local $ ipk11KeyGenMechanism $ ipk11AllowedMechanisms ) X-ORIGIN 'IPA v4.1' )
+-objectClasses: (2.16.840.1.113730.3.8.17.2.6 NAME 'ipk11PublicKey' DESC 'Public key' SUP ipk11Key AUXILIARY MAY ( ipk11Subject $ ipk11Encrypt $ ipk11Verify $ ipk11VerifyRecover $ ipk11Wrap $ ipk11Trusted $ ipk11WrapTemplate $ ipk11Distrusted $ ipk11PublicKeyInfo ) X-ORIGIN 'IPA v4.1' )
+-objectClasses: (2.16.840.1.113730.3.8.17.2.7 NAME 'ipk11PrivateKey' DESC 'Private key' SUP ipk11Key AUXILIARY MAY ( ipk11Subject $ ipk11Sensitive $ ipk11Decrypt $ ipk11Sign $ ipk11SignRecover $ ipk11Unwrap $ ipk11Extractable $ ipk11AlwaysSensitive $ ipk11NeverExtractable $ ipk11WrapWithTrusted $ ipk11UnwrapTemplate $ ipk11AlwaysAuthenticate $ ipk11PublicKeyInfo ) X-ORIGIN 'IPA v4.1' )
+-objectClasses: (2.16.840.1.113730.3.8.17.2.8 NAME 'ipk11SecretKey' DESC 'Secret key' SUP ipk11Key AUXILIARY MAY ( ipk11Sensitive $ ipk11Encrypt $ ipk11Decrypt $ ipk11Sign $ ipk11Verify $ ipk11Wrap $ ipk11Unwrap $ ipk11Extractable $ ipk11AlwaysSensitive $ ipk11NeverExtractable $ ipk11CheckValue $ ipk11WrapWithTrusted $ ipk11Trusted $ ipk11WrapTemplate $ ipk11UnwrapTemplate ) X-ORIGIN 'IPA v4.1' )
+diff --git a/install/share/Makefile.am b/install/share/Makefile.am
+index 878d886..3f8fa9a 100644
+--- a/install/share/Makefile.am
++++ b/install/share/Makefile.am
+@@ -15,7 +15,6 @@ app_DATA = \
+ 60basev2.ldif \
+ 60basev3.ldif \
+ 60ipadns.ldif \
+- 60ipapk11.ldif \
+ 61kerberos-ipav3.ldif \
+ 65ipacertstore.ldif \
+ 65ipasudo.ldif \
+diff --git a/ipaserver/install/dsinstance.py b/ipaserver/install/dsinstance.py
+index 0ab4ae7..7e1ef20 100644
+--- a/ipaserver/install/dsinstance.py
++++ b/ipaserver/install/dsinstance.py
+@@ -54,7 +54,6 @@ IPA_SCHEMA_FILES = ("60kerberos.ldif",
+ "60ipaconfig.ldif",
+ "60basev2.ldif",
+ "60basev3.ldif",
+- "60ipapk11.ldif",
+ "60ipadns.ldif",
+ 
"61kerberos-ipav3.ldif",
+ "65ipacertstore.ldif",
diff --git a/debian/patches/revert-revert-removal-of-cn-attribute.diff b/debian/patches/revert-revert-removal-of-cn-attribute.diff
new file mode 100644
index 000000000..28b0bc61e
--- /dev/null
+++ b/debian/patches/revert-revert-removal-of-cn-attribute.diff
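Review bot: The reverted attribute types (ipaSecretKeyRef, ipaWrappingMech, the idnsSecKey* family) and the deleted 60ipapk11.ldif are only removed from the schema files shipped for new installs and from IPA_SCHEMA_FILES in dsinstance.py; a server that was already set up with the 4.1 schema presumably keeps those definitions loaded, so fresh installs and upgraded servers end up with divergent schema, and any upstream update LDIF that still references ipk11* or idnsSecKey* names would fail only on the fresh-install path — worth testing both paths before upload. The 60basev3.ldif hunk also drops SINGLE-VALUE from ipaPrivateKey and ipaSecretKey and removes ipaWrappingMech from the MUST list of ipaPrivateKeyObject/ipaSecretKeyObject, so the directory can no longer reject multi-valued or mechanism-less wrapped key material; that loosening should be called out since the attributes hold key data. The patch carries no DEP-3 header: a `Description:` line stating why upstream's DNSSEC schema is reverted (the changelog says it makes the upgrade tools fail) plus `Forwarded: not-needed` would document the divergence for the next uploader. The IPA_SCHEMA_FILES tuple starts and ends outside the inner dsinstance.py hunk.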
@@ -0,0 +1,21 @@
+commit 323bc2dc6b6a3f7919b6cb477df357119abdee8d
+Author: Timo Aaltonen
+Date: Fri Sep 25 06:02:10 2015 +0300
+
+ Revert "revert removal of cn attribute from idnsRecord"
+
+ This reverts commit 2fa07b1d24f61f9bcff5adb804a18c9eae72932d.
+
+diff --git a/install/share/60ipadns.ldif b/install/share/60ipadns.ldif
+index 8fd0bb9..678a5b4 100644
+--- a/install/share/60ipadns.ldif
++++ b/install/share/60ipadns.ldif
+@@ -63,7 +63,7 @@ attributeTypes: ( 2.16.840.1.113730.3.8.5.25 NAME 'idnsSecKeyRevoke' DESC 'DNSKE
+ attributeTypes: ( 2.16.840.1.113730.3.8.5.26 NAME 'idnsSecKeySep' DESC 'DNSKEY SEP flag (equivalent to bit 15): RFC 4035' EQUALITY booleanMatch SYNTAX 1.3.6.1.4.1.1466.115.121.1.7 SINGLE-VALUE X-ORIGIN 'IPA v4.1' )
+ attributeTypes: ( 2.16.840.1.113730.3.8.5.27 NAME 'idnsSecAlgorithm' DESC 'DNSKEY algorithm: string used as mnemonic' EQUALITY caseIgnoreIA5Match SUBSTR caseIgnoreIA5SubstringsMatch SYNTAX 1.3.6.1.4.1.1466.115.121.1.26 SINGLE-VALUE X-ORIGIN 'IPA v4.1' )
+ attributeTypes: ( 2.16.840.1.113730.3.8.5.28 NAME 'idnsSecKeyRef' DESC 'PKCS#11 URI of the key' EQUALITY caseExactMatch SINGLE-VALUE SYNTAX 1.3.6.1.4.1.1466.115.121.1.15 X-ORIGIN 'IPA v4.1' )
+-objectClasses: ( 2.16.840.1.113730.3.8.6.0 NAME 'idnsRecord' DESC 'dns Record, usually a host' SUP top STRUCTURAL MUST idnsName MAY ( cn $ idnsAllowDynUpdate $ dNSTTL $ dNSClass $ aRecord $ aAAARecord $ a6Record $ nSRecord $ cNAMERecord $ pTRRecord $ sRVRecord $ tXTRecord $ mXRecord $ mDRecord $ hInfoRecord $ mInfoRecord $ aFSDBRecord $ SigRecord $ KeyRecord $ LocRecord $ nXTRecord $ nAPTRRecord $ kXRecord $ certRecord $ dNameRecord $ dSRecord $ sSHFPRecord $ rRSIGRecord $ nSECRecord $ DLVRecord $ TLSARecord ) )
++objectClasses: ( 2.16.840.1.113730.3.8.6.0 NAME 'idnsRecord' DESC 'dns Record, usually a host' SUP top STRUCTURAL MUST idnsName MAY ( idnsAllowDynUpdate $ dNSTTL $ dNSClass $ aRecord $ aAAARecord $ a6Record $ nSRecord $ cNAMERecord $ pTRRecord $ sRVRecord $ tXTRecord $ mXRecord $ 
mDRecord $ hInfoRecord $ mInfoRecord $ aFSDBRecord $ SigRecord $ KeyRecord $ LocRecord $ nXTRecord $ nAPTRRecord $ kXRecord $ certRecord $ dNameRecord $ dSRecord $ sSHFPRecord $ rRSIGRecord $ nSECRecord $ DLVRecord $ TLSARecord ) )
+ objectClasses: ( 2.16.840.1.113730.3.8.6.1 NAME 'idnsZone' DESC 'Zone class' SUP idnsRecord STRUCTURAL MUST ( idnsZoneActive $ idnsSOAmName $ idnsSOArName $ idnsSOAserial $ idnsSOArefresh $ idnsSOAretry $ idnsSOAexpire $ idnsSOAminimum ) MAY ( idnsUpdatePolicy $ idnsAllowQuery $ idnsAllowTransfer $ idnsAllowSyncPTR $ idnsForwardPolicy $ idnsForwarders $ idnsSecInlineSigning $ nSEC3PARAMRecord ) )
+ objectClasses: ( 2.16.840.1.113730.3.8.6.2 NAME 'idnsConfigObject' DESC 'DNS global config options' STRUCTURAL MAY ( idnsForwardPolicy $ idnsForwarders $ idnsAllowSyncPTR $ idnsZoneRefresh $ idnsPersistentSearch ) )
+ objectClasses: ( 2.16.840.1.113730.3.8.12.18 NAME 'ipaDNSZone' SUP top AUXILIARY MUST idnsName MAY managedBy X-ORIGIN 'IPA v3' )
diff --git a/debian/patches/series b/debian/patches/series
index 269a9f021..7a64ab4f9 100644
--- a/debian/patches/series
+++ b/debian/patches/series
@@ -14,3 +14,6 @@ fix-ipa-conf.diff
 revert-pykerberos-api-change.diff
 disable-dnssec-support.patch
+revert-revert-removal-of-cn-attribute.diff
+revert-dnssec-schema.diff
+revert-dnssec-aci.diff
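Review bot: Removing `cn` from the MAY list of idnsRecord makes any existing idnsRecord entry that still carries a cn value violate the structural class, so modifications to such entries would presumably be rejected by the directory until the attribute is cleaned up, and nothing in this patch adds an update step or documents that risk. The context lines of this hunk still reference idnsSecKeyRevoke, idnsSecAlgorithm and idnsSecKeyRef, which revert-dnssec-schema.diff then deletes, so the order in debian/patches/series (this patch before revert-dnssec-schema.diff, matching the 8fd0bb9..678a5b4..eccc4fe index chain) is load-bearing and should be stated in the patch header. The file also lacks a DEP-3 header; suggest `Description: Revert upstream commit 2fa07b1d, which re-added cn to the idnsRecord MAY list` and `Forwarded: not-needed` so the reason for diverging from 4.1.4 survives the next refresh.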