Merge branch 'master-next' into master-next-exp

Timo Aaltonen
2015-10-03 08:55:34 +03:00
16 changed files with 440 additions and 35 deletions

debian/changelog vendored
View File

@@ -1,6 +1,6 @@
freeipa (4.1.4-1) UNRELEASED; urgency=medium freeipa (4.1.4-1) experimental; urgency=medium
* New upstream release. * New upstream release. (LP: #1492226)
- Refresh patches - Refresh patches
- platform-support.diff: Added NAMED_VAR_DIR. - platform-support.diff: Added NAMED_VAR_DIR.
- fix-bind-conf.diff: Dropped, obsolete with above. - fix-bind-conf.diff: Dropped, obsolete with above.
@@ -8,9 +8,36 @@ freeipa (4.1.4-1) UNRELEASED; urgency=medium
missing the dependencies for now. missing the dependencies for now.
* control: Add python-usb to build-depends and to python-freeipa * control: Add python-usb to build-depends and to python-freeipa
depends. depends.
* control: Bump libsss-nss-idmap-dev build-dep. * control: Bump SSSD dependencies.
* control: Add libsofthsm2-dev to build-depends and softhsm2 to server
depends.
* freeipa-{server,client}.install: Add new files.
* control: Bump Depends on slapi-nis for CVE fixes.
* control: Bump 389-ds-base, pki-ca depends.
* control: Drop dogtag-pki-server-theme from server depends, it's not
needed.
* control: Server needs newer python-ldap, bump build-dep too.
* control: Bump certmonger depends.
* control: Bump python-nss depends.
* freeipa-client: Add /etc/ipa/nssdb, rework /etc/pki/nssdb handling.
* platform: Add DebianNamedService.
* platform, disable-dnssec-support.patch: Fix named.conf template.
* server.postinst: Run ipa-ldap-updater and ipa-upgradeconfig on
postinst.
* Revert DNSSEC changes to schema and ACI, makes upgrade tools fail.
* server.postrm: Clean logs on purge and disable apache modules on
remove/purge.
-- Timo Aaltonen <tjaalton@debian.org> Thu, 02 Apr 2015 13:16:49 +0300 -- Timo Aaltonen <tjaalton@debian.org> Fri, 25 Sep 2015 14:07:40 +0300
freeipa (4.0.5-6) unstable; urgency=medium
* control Add gnupg-agent to python-freeipa depends, and change gnupg
to gnupg2. (LP: #1492184)
* Rebuild against current krb5, there was an abi break which broke at
least the setup phase.
-- Timo Aaltonen <tjaalton@debian.org> Thu, 24 Sep 2015 23:22:24 +0300
freeipa (4.0.5-5) unstable; urgency=medium freeipa (4.0.5-5) unstable; urgency=medium
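Review bot: "control: Bump Depends on slapi-nis for CVE fixes" names no CVE identifiers; list them in the changelog entry so the Debian security tracker and anyone auditing this upload can tie the dependency bump to the advisories it addresses. "Revert DNSSEC changes to schema and ACI, makes upgrade tools fail" should likewise say what the revert takes away (the DNSSEC key and metadata permissions and schema) and where the rationale lives (README.Debian or the patch headers), since an administrator reading the changelog otherwise cannot tell that DNSSEC key management is unavailable on Debian.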

debian/control vendored
View File

@@ -4,7 +4,7 @@ Priority: extra
Maintainer: Debian FreeIPA Team <pkg-freeipa-devel@lists.alioth.debian.org> Maintainer: Debian FreeIPA Team <pkg-freeipa-devel@lists.alioth.debian.org>
Uploaders: Timo Aaltonen <tjaalton@debian.org> Uploaders: Timo Aaltonen <tjaalton@debian.org>
Build-Depends: Build-Depends:
389-ds-base-dev (>= 1.3.3.2), 389-ds-base-dev (>= 1.3.3.8),
check, check,
debhelper (>= 9), debhelper (>= 9),
dh-autoreconf, dh-autoreconf,
@@ -22,9 +22,10 @@ Build-Depends:
libpopt-dev, libpopt-dev,
librhino-java, librhino-java,
libsasl2-dev, libsasl2-dev,
libsofthsm2-dev,
libssl-dev, libssl-dev,
libsss-idmap-dev, libsss-idmap-dev,
libsss-nss-idmap-dev (>= 1.12.2), libsss-nss-idmap-dev (>= 1.12.3),
libsvrcore-dev, libsvrcore-dev,
libtalloc-dev, libtalloc-dev,
libtevent-dev, libtevent-dev,
@@ -35,20 +36,20 @@ Build-Depends:
python-dnspython (>= 1.11.1), python-dnspython (>= 1.11.1),
python-kerberos, python-kerberos,
python-krbv, python-krbv,
python-ldap, python-ldap (>= 2.4.15),
python-lesscpy, python-lesscpy,
python-libipa-hbac, python-libipa-hbac,
python-lxml, python-lxml,
python-memcache, python-memcache,
python-netaddr, python-netaddr,
python-nose, python-nose,
python-nss, python-nss (>= 0.16.0),
python-openssl, python-openssl,
python-polib, python-polib,
python-pyasn1, python-pyasn1,
python-qrcode (>= 5.0.0), python-qrcode (>= 5.0.0),
python-setuptools, python-setuptools,
python-sss (>= 1.8.0), python-sss (>= 1.12.3),
python-usb (>= 1.0.0~b2), python-usb (>= 1.0.0~b2),
python-yubico, python-yubico,
rhino, rhino,
@@ -63,13 +64,12 @@ Homepage: http://www.freeipa.org
Package: freeipa-server Package: freeipa-server
Architecture: any Architecture: any
Depends: Depends:
389-ds-base (>= 1.3.3.5-2~), 389-ds-base (>= 1.3.3.8),
acl, acl,
apache2, apache2,
bind9, bind9,
bind9-dyndb-ldap (>= 6.0-4~), bind9-dyndb-ldap (>= 6.0-4~),
certmonger (>= 0.75.14), certmonger (>= 0.76.8),
dogtag-pki-server-theme,
fonts-font-awesome, fonts-font-awesome,
freeipa-admintools (= ${binary:Version}), freeipa-admintools (= ${binary:Version}),
freeipa-client (= ${binary:Version}), freeipa-client (= ${binary:Version}),
@@ -87,13 +87,14 @@ Depends:
libsasl2-modules-gssapi-mit, libsasl2-modules-gssapi-mit,
memcached, memcached,
ntp, ntp,
pki-ca, pki-ca (>= 10.2.1),
python-dateutil, python-dateutil,
python-freeipa (= ${binary:Version}), python-freeipa (= ${binary:Version}),
python-krbv, python-krbv,
python-ldap, python-ldap (>= 2.4.15),
python-pyasn1, python-pyasn1,
slapi-nis (>= 0.54), slapi-nis (>= 0.54.2),
softhsm2,
systemd-sysv, systemd-sysv,
${misc:Depends}, ${misc:Depends},
${python:Depends}, ${python:Depends},
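Review bot: softhsm2 becomes a hard Depends of freeipa-server although disable-dnssec-support.patch in this same commit turns DNSSEC validation off in named; confirm that the server installer still needs the SoftHSM token at configure time (the DNSSEC key-sync modules are still shipped by freeipa-server.install), otherwise a Recommends would avoid installing an unused key store on every server. The pki-ca (>= 10.2.1) and slapi-nis (>= 0.54.2) floors are unexplained here; the changelog gives the slapi-nis reason, so a one-line pointer to the relevant changelog entry in the commit message would help reviewers.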
@@ -132,7 +133,7 @@ Package: freeipa-client
Architecture: any Architecture: any
Depends: Depends:
bind9utils, bind9utils,
certmonger, certmonger (>= 0.76.8),
dnsutils, dnsutils,
krb5-user, krb5-user,
libcurl3 (>= 7.22.0), libcurl3 (>= 7.22.0),
@@ -144,7 +145,7 @@ Depends:
python-freeipa (= ${binary:Version}), python-freeipa (= ${binary:Version}),
python-krbv, python-krbv,
python-ldap, python-ldap,
sssd (>= 1.11.1), sssd (>= 1.12.3),
wget, wget,
${misc:Depends}, ${misc:Depends},
${python:Depends}, ${python:Depends},
@@ -190,8 +191,7 @@ Depends:
xz-utils, xz-utils,
${misc:Depends}, ${misc:Depends},
${python:Depends} ${python:Depends}
Recommends: Recommends: python-yaml
python-yaml,
Description: FreeIPA centralized identity framework -- tests Description: FreeIPA centralized identity framework -- tests
FreeIPA is an integrated solution to provide centrally managed Identity FreeIPA is an integrated solution to provide centrally managed Identity
(machine, user, virtual machines, groups, authentication credentials), Policy (machine, user, virtual machines, groups, authentication credentials), Policy
@@ -204,7 +204,8 @@ Package: python-freeipa
Architecture: any Architecture: any
Section: python Section: python
Depends: Depends:
gnupg, gnupg2,
gnupg-agent,
iproute, iproute,
keyutils, keyutils,
python-dbus, python-dbus,
@@ -216,7 +217,7 @@ Depends:
python-lxml, python-lxml,
python-memcache, python-memcache,
python-netaddr, python-netaddr,
python-nss, python-nss (>= 0.16.0),
python-openssl, python-openssl,
python-pyasn1, python-pyasn1,
python-qrcode (>= 5.0.0), python-qrcode (>= 5.0.0),

View File

@@ -1,3 +1,4 @@
etc/ipa etc/ipa
etc/ipa/nssdb
etc/pki/nssdb etc/pki/nssdb
var/lib/ipa-client/sysrestore var/lib/ipa-client/sysrestore

View File

@@ -1,9 +1,11 @@
usr/lib/python*/dist-packages/ipaclient/*.py usr/lib/python*/dist-packages/ipaclient/*.py
usr/sbin/ipa-certupdate
usr/sbin/ipa-client-automount usr/sbin/ipa-client-automount
usr/sbin/ipa-client-install usr/sbin/ipa-client-install
usr/sbin/ipa-getkeytab usr/sbin/ipa-getkeytab
usr/sbin/ipa-join usr/sbin/ipa-join
usr/sbin/ipa-rmkeytab usr/sbin/ipa-rmkeytab
usr/share/man/man1/ipa-certupdate.1.gz
usr/share/man/man1/ipa-client-automount.1.gz usr/share/man/man1/ipa-client-automount.1.gz
usr/share/man/man1/ipa-client-install.1.gz usr/share/man/man1/ipa-client-install.1.gz
usr/share/man/man1/ipa-getkeytab.1.gz usr/share/man/man1/ipa-getkeytab.1.gz

View File

@@ -2,14 +2,23 @@
set -e set -e
if [ "$1" = configure ]; then if [ "$1" = configure ]; then
if [ ! -e /etc/pki/nssdb ]; then if [ ! -f /etc/pki/nssdb/cert8.db ]; then
tmp=$(mktemp) || exit tmp=$(mktemp) || exit
printf "\n" > $tmp printf "\n" > $tmp
mkdir -p /etc/pki/nssdb
certutil -N -d /etc/pki/nssdb -f $tmp certutil -N -d /etc/pki/nssdb -f $tmp
chmod 644 /etc/pki/nssdb/* chmod 644 /etc/pki/nssdb/*
rm $tmp rm $tmp
fi fi
if [ ! -f /etc/ipa/nssdb/cert8.db ]; then
python2 -c 'from ipapython.certdb import create_ipa_nssdb; create_ipa_nssdb()' >/dev/null 2>&1
tmp=$(mktemp) || exit
if certutil -L -d /etc/pki/nssdb -n 'IPA CA' -a >"$tmp" 2>/var/log/ipaupgrade.log; then
certutil -A -d /etc/ipa/nssdb -n 'IPA CA' -t CT,C,C -a -i "$tmp" >/var/log/ipaupgrade.log 2>&1
elif certutil -L -d /etc/pki/nssdb -n 'External CA cert' -a >"$tmp" 2>/var/log/ipaupgrade.log; then
certutil -A -d /etc/ipa/nssdb -n 'External CA cert' -t C,, -a -i "$tmp" >/var/log/ipaupgrade.log 2>&1
fi
rm -f "$tmp"
fi
fi fi
if [ ! -e /run/ipa ]; then if [ ! -e /run/ipa ]; then
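Review bot: the new `create_ipa_nssdb()` call discards all output (`>/dev/null 2>&1`) and its exit status is never checked, so if the database cannot be created the following `certutil -A` calls run against a missing /etc/ipa/nssdb and the client ends up with no trusted CA in the new database; capture stderr to the log and test the result before copying certificates. The log redirections also use `>` instead of `>>`, so each of the three certutil invocations truncates /var/log/ipaupgrade.log and only the last message survives an upgrade; append instead. This hunk keeps `chmod 644 /etc/pki/nssdb/*` on a database initialised with an empty password (`printf "\n" > $tmp`), which leaves key3.db world-readable; a comment stating why that is acceptable for this database would save the next reader from re-auditing it.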

View File

@@ -7,6 +7,14 @@ if [ "$1" = purge ]; then
rm -f /etc/pki/nssdb/cert8.db \ rm -f /etc/pki/nssdb/cert8.db \
/etc/pki/nssdb/key3.db \ /etc/pki/nssdb/key3.db \
/etc/pki/nssdb/secmod.db /etc/pki/nssdb/secmod.db
rm -f /etc/ipa/nssdb/cert8.db \
/etc/ipa/nssdb/key3.db \
/etc/ipa/nssdb/pwdfile.txt \
/etc/ipa/nssdb/secmod.db \
/etc/ipa/nssdb/*.orig
rmdir /etc/pki/nssdb || true
rmdir /etc/ipa/nssdb || true
rmdir /etc/ipa || true
fi fi
#DEBHELPER# #DEBHELPER#

View File

@@ -2,11 +2,13 @@ etc/default/ipa_memcached
etc/ipa/html/* etc/ipa/html/*
lib/systemd/system/* lib/systemd/system/*
usr/lib/*/certmonger/dogtag-ipa-ca-renew-agent-submit usr/lib/*/certmonger/dogtag-ipa-ca-renew-agent-submit
usr/lib/*/certmonger/ipa-server-guard
usr/lib/*/dirsrv/plugins/libipa_cldap.so usr/lib/*/dirsrv/plugins/libipa_cldap.so
usr/lib/*/dirsrv/plugins/libipa_dns.so usr/lib/*/dirsrv/plugins/libipa_dns.so
usr/lib/*/dirsrv/plugins/libipa_enrollment_extop.so usr/lib/*/dirsrv/plugins/libipa_enrollment_extop.so
usr/lib/*/dirsrv/plugins/libipa_lockout.so usr/lib/*/dirsrv/plugins/libipa_lockout.so
usr/lib/*/dirsrv/plugins/libipa_modrdn.so usr/lib/*/dirsrv/plugins/libipa_modrdn.so
usr/lib/*/dirsrv/plugins/libipa_otp_counter.so
usr/lib/*/dirsrv/plugins/libipa_otp_lasttoken.so usr/lib/*/dirsrv/plugins/libipa_otp_lasttoken.so
usr/lib/*/dirsrv/plugins/libipa_pwd_extop.so usr/lib/*/dirsrv/plugins/libipa_pwd_extop.so
usr/lib/*/dirsrv/plugins/libipa_range_check.so usr/lib/*/dirsrv/plugins/libipa_range_check.so
@@ -22,6 +24,7 @@ usr/lib/python*/dist-packages/ipaserver/install/__init__.py
usr/lib/python*/dist-packages/ipaserver/install/bindinstance.py usr/lib/python*/dist-packages/ipaserver/install/bindinstance.py
usr/lib/python*/dist-packages/ipaserver/install/cainstance.py usr/lib/python*/dist-packages/ipaserver/install/cainstance.py
usr/lib/python*/dist-packages/ipaserver/install/certs.py usr/lib/python*/dist-packages/ipaserver/install/certs.py
usr/lib/python*/dist-packages/ipaserver/install/dnskeysyncinstance.py
usr/lib/python*/dist-packages/ipaserver/install/dsinstance.py usr/lib/python*/dist-packages/ipaserver/install/dsinstance.py
usr/lib/python*/dist-packages/ipaserver/install/httpinstance.py usr/lib/python*/dist-packages/ipaserver/install/httpinstance.py
usr/lib/python*/dist-packages/ipaserver/install/installutils.py usr/lib/python*/dist-packages/ipaserver/install/installutils.py
@@ -30,6 +33,8 @@ usr/lib/python*/dist-packages/ipaserver/install/krbinstance.py
usr/lib/python*/dist-packages/ipaserver/install/ldapupdate.py usr/lib/python*/dist-packages/ipaserver/install/ldapupdate.py
usr/lib/python*/dist-packages/ipaserver/install/memcacheinstance.py usr/lib/python*/dist-packages/ipaserver/install/memcacheinstance.py
usr/lib/python*/dist-packages/ipaserver/install/ntpinstance.py usr/lib/python*/dist-packages/ipaserver/install/ntpinstance.py
usr/lib/python*/dist-packages/ipaserver/install/odsexporterinstance.py
usr/lib/python*/dist-packages/ipaserver/install/opendnssecinstance.py
usr/lib/python*/dist-packages/ipaserver/install/otpdinstance.py usr/lib/python*/dist-packages/ipaserver/install/otpdinstance.py
usr/lib/python*/dist-packages/ipaserver/install/plugins usr/lib/python*/dist-packages/ipaserver/install/plugins
usr/lib/python*/dist-packages/ipaserver/install/replication.py usr/lib/python*/dist-packages/ipaserver/install/replication.py
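Review bot: dnskeysyncinstance.py, odsexporterinstance.py and opendnssecinstance.py are now installed, but none of the debian/control hunks in this commit adds an OpenDNSSEC dependency and disable-dnssec-support.patch turns DNSSEC handling off in named; if the DNSSEC master setup path in ipa-dns-install is still reachable it will fail at runtime for a missing daemon. Either add the dependency or state in README.Debian that the DNSSEC master role is unsupported on Debian, so the shipped modules are not mistaken for a working feature.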
@@ -42,6 +47,7 @@ usr/lib/python*/dist-packages/ipaserver/rpcserver*
usr/sbin/ipa-advise usr/sbin/ipa-advise
usr/sbin/ipa-backup usr/sbin/ipa-backup
usr/sbin/ipa-ca-install usr/sbin/ipa-ca-install
usr/sbin/ipa-cacert-manage
usr/sbin/ipa-compat-manage usr/sbin/ipa-compat-manage
usr/sbin/ipa-csreplica-manage usr/sbin/ipa-csreplica-manage
usr/sbin/ipa-dns-install usr/sbin/ipa-dns-install
@@ -77,6 +83,7 @@ usr/share/ipa/wsgi/*
usr/share/man/man1/ipa-advise.1* usr/share/man/man1/ipa-advise.1*
usr/share/man/man1/ipa-backup.1* usr/share/man/man1/ipa-backup.1*
usr/share/man/man1/ipa-ca-install.1* usr/share/man/man1/ipa-ca-install.1*
usr/share/man/man1/ipa-cacert-manage.1*
usr/share/man/man1/ipa-compat-manage.1* usr/share/man/man1/ipa-compat-manage.1*
usr/share/man/man1/ipa-csreplica-manage.1* usr/share/man/man1/ipa-csreplica-manage.1*
usr/share/man/man1/ipa-dns-install.1* usr/share/man/man1/ipa-dns-install.1*

View File

@@ -1,8 +1,8 @@
/etc/ipa/html/browserconfig.html usr/share/ipa/html/browserconfig.html
/etc/ipa/html/ffconfig.js usr/share/ipa/html/ffconfig.js /etc/ipa/html/ffconfig.js usr/share/ipa/html/ffconfig.js
/etc/ipa/html/ffconfig_page.js usr/share/ipa/html/ffconfig_page.js /etc/ipa/html/ffconfig_page.js usr/share/ipa/html/ffconfig_page.js
/etc/ipa/html/ssbrowser.html usr/share/ipa/html/ssbrowser.html /etc/ipa/html/ssbrowser.html usr/share/ipa/html/ssbrowser.html
/etc/ipa/html/unauthorized.html usr/share/ipa/html/unauthorized.html /etc/ipa/html/unauthorized.html usr/share/ipa/html/unauthorized.html
/etc/ipa/html/browserconfig.html usr/share/ipa/html/browserconfig.html
/usr/share/javascript/prototype/prototype.js /usr/share/ipa/ipagui/static/javascript/prototype.js /usr/share/javascript/prototype/prototype.js /usr/share/ipa/ipagui/static/javascript/prototype.js
/usr/share/javascript/scriptaculous/scriptaculous.js /usr/share/ipa/ipagui/static/javascript/scriptaculous.js
/usr/share/javascript/scriptaculous/effects.js /usr/share/ipa/ipagui/static/javascript/effects.js /usr/share/javascript/scriptaculous/effects.js /usr/share/ipa/ipagui/static/javascript/effects.js
/usr/share/javascript/scriptaculous/scriptaculous.js /usr/share/ipa/ipagui/static/javascript/scriptaculous.js

View File

@@ -27,6 +27,15 @@ if [ "$1" = configure ]; then
fi fi
fi fi
chown root:bind /var/cache/bind/data chown root:bind /var/cache/bind/data
# check if IPA is set up
is_configured=`python2 -c 'from ipaserver.install import installutils; print "yes" if installutils.is_ipa_configured() else "no";'`
if [ $is_configured = yes ]; then
echo "Running ipa-ldap-updater..."
ipa-ldap-updater --upgrade --quiet >/dev/null
echo "Running ipa-upgradeconfig..."
ipa-upgradeconfig --quiet >/dev/null
fi
fi fi
if [ ! -e /run/ipa_memcached ]; then if [ ! -e /run/ipa_memcached ]; then
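Review bot: `[ $is_configured = yes ]` leaves the variable unquoted, so if the python2 probe prints nothing the test becomes `[ = yes ]` and, under `set -e`, the whole configure step aborts; quote it (`[ "$is_configured" = yes ]`) and prefer `$(...)` over backticks, as the client postinst already does. The two upgrade commands send stdout to /dev/null while any failure still aborts postinst and leaves the package half-configured; redirecting them to /var/log/ipaupgrade.log (the file the client postinst and the new postrm already use) would leave an audit trail of what ipa-ldap-updater and ipa-upgradeconfig changed in the directory when an upgrade is later investigated.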

debian/freeipa-server.postrm vendored Normal file
View File

@@ -0,0 +1,42 @@
#!/bin/sh
set -e
case "$1" in
remove|purge)
if [ -e /usr/share/apache2/apache2-maintscript-helper ]; then
. /usr/share/apache2/apache2-maintscript-helper
if [ -e /etc/apache2/mods-enabled/auth_kerb.load ]; then
apache2_invoke dismod auth_kerb || exit $?
fi
if [ -e /etc/apache2/mods-enabled/authz_user.load ]; then
apache2_invoke dismod authz_user || exit $?
fi
if [ -e /etc/apache2/mods-enabled/deflate.load ]; then
apache2_invoke dismod deflate || exit $?
fi
if [ -e /etc/apache2/mods-enabled/expires.load ]; then
apache2_invoke dismod expires || exit $?
fi
if [ -e /etc/apache2/mods-enabled/headers.load ]; then
apache2_invoke dismod headers || exit $?
fi
if [ -e /etc/apache2/mods-enabled/proxy.load ]; then
apache2_invoke dismod proxy || exit $?
fi
if [ -e /etc/apache2/mods-enabled/rewrite.load ]; then
apache2_invoke dismod rewrite || exit $?
fi
fi
;;
esac
case "$1" in
purge)
rm -f \
/var/log/ipareplica-conncheck.log \
/var/log/ipareplica-install.log \
/var/log/ipaserver-install.log \
/var/log/ipaserver-uninstall.log \
/var/log/ipaupgrade.log
;;
esac
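Review bot: `apache2_invoke dismod` on remove disables authz_user, headers, rewrite, proxy, deflate and expires for the whole Apache instance, yet these are general-purpose modules that other sites on the same host may rely on independently of FreeIPA; removing freeipa-server can therefore silently drop an unrelated vhost's access controls or rewrite rules. Disable only the modules this package's postinst itself enabled (auth_kerb is the one here that is unlikely to be shared), or record at install time which ones were newly enabled. The new file also lacks the `#DEBHELPER#` token that debian/freeipa-client.postrm carries, so dh_installdeb cannot insert its generated snippets (for instance for the units in lib/systemd/system/*) into this script.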

View File

@@ -105,7 +105,7 @@ Date: Fri Mar 1 12:21:00 2013 +0200
+paths = DebianPathNamespace() +paths = DebianPathNamespace()
--- /dev/null --- /dev/null
+++ b/ipaplatform/debian/services.py +++ b/ipaplatform/debian/services.py
@@ -0,0 +1,184 @@ @@ -0,0 +1,198 @@
+# Authors: +# Authors:
+# Timo Aaltonen <tjaalton@ubuntu.com> +# Timo Aaltonen <tjaalton@ubuntu.com>
+# +#
@@ -247,6 +247,20 @@ Date: Fri Mar 1 12:21:00 2013 +0200
+ def get_config_dir(self, instance_name=""): + def get_config_dir(self, instance_name=""):
+ return '/etc/ssh' + return '/etc/ssh'
+ +
+class DebianNamedService(DebianSysvService):
+ def get_user_name(self):
+ return u'bind'
+
+ def get_group_name(self):
+ return u'bind'
+
+ def get_binary_path(self):
+ return paths.NAMED
+
+ def get_package_name(self):
+ return u'bind9'
+
+
+# Function that constructs proper Debian-specific server classes for services +# Function that constructs proper Debian-specific server classes for services
+# of specified name +# of specified name
+ +
@@ -266,7 +280,7 @@ Date: Fri Mar 1 12:21:00 2013 +0200
+ if name == 'messagebus': + if name == 'messagebus':
+ return DebianSysvService("dbus") + return DebianSysvService("dbus")
+ if name == 'named': + if name == 'named':
+ return DebianSysvService("bind9") + return DebianNamedService("bind9")
+ if name == 'ntpd': + if name == 'ntpd':
+ return DebianSysvService("ntp") + return DebianSysvService("ntp")
+ if name == 'sshd': + if name == 'sshd':
@@ -541,3 +555,16 @@ Date: Fri Mar 1 12:21:00 2013 +0200
PIDFile=/var/run/ipa_memcached/ipa_memcached.pid PIDFile=/var/run/ipa_memcached/ipa_memcached.pid
ExecStart=/usr/bin/memcached -d -s $SOCKET_PATH -u $USER -m $CACHESIZE -c $MAXCONN -P /var/run/ipa_memcached/ipa_memcached.pid $OPTIONS ExecStart=/usr/bin/memcached -d -s $SOCKET_PATH -u $USER -m $CACHESIZE -c $MAXCONN -P /var/run/ipa_memcached/ipa_memcached.pid $OPTIONS
--- a/install/share/bind.named.conf.template
+++ b/install/share/bind.named.conf.template
@@ -38,10 +38,6 @@ logging {
};
};
-zone "." IN {
- type hint;
- file "named.ca";
-};
include "$RFC1912_ZONES";
include "$ROOT_KEY";
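Review bot: dropping the `zone "." IN { type hint; file "named.ca"; }` block from bind.named.conf.template is only safe if the file that `include "$RFC1912_ZONES"` expands to on Debian supplies the root hints (the stock /etc/bind/named.conf.default-zones does declare a root hint zone); the patch header should say that this is what the template now relies on, because with `dnssec-validation` forced off elsewhere in this series the root hints are the only thing standing between the IPA resolver and a non-recursing named.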

View File

@@ -19,15 +19,28 @@ Subject: [PATCH] Disable DNSSEC support
--- a/install/share/bind.named.conf.template --- a/install/share/bind.named.conf.template
+++ b/install/share/bind.named.conf.template +++ b/install/share/bind.named.conf.template
@@ -18,7 +18,7 @@ options { @@ -18,12 +18,8 @@ options {
pid-file "$NAMED_PID"; pid-file "$NAMED_PID";
dnssec-enable yes; dnssec-enable yes;
- dnssec-validation yes; - dnssec-validation yes;
+ dnssec-validation no; + dnssec-validation no;
/* Path to ISC DLV key */ - /* Path to ISC DLV key */
bindkeys-file "$BINDKEYS_FILE"; - bindkeys-file "$BINDKEYS_FILE";
-
- managed-keys-directory "$MANAGED_KEYS_DIR";
};
/* If you want to enable debugging, eg. using the 'rndc trace' command,
@@ -40,7 +36,6 @@ logging {
include "$RFC1912_ZONES";
-include "$ROOT_KEY";
dynamic-db "ipa" {
library "ldap.so";
--- a/install/tools/ipa-dns-install --- a/install/tools/ipa-dns-install
+++ b/install/tools/ipa-dns-install +++ b/install/tools/ipa-dns-install
@@ -23,8 +23,7 @@ from optparse import OptionGroup, SUPPRE @@ -23,8 +23,7 @@ from optparse import OptionGroup, SUPPRE
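Review bot: setting `dnssec-validation no` and deleting `bindkeys-file`, `managed-keys-directory` and `include "$ROOT_KEY"` means the IPA-managed named will answer recursive queries without validating upstream signatures, a weaker posture than upstream FreeIPA ships; the patch header only says "Disable DNSSEC support" and should record why the Debian bind9/bind-dyndb-ldap combination needs it and what an administrator loses, ideally mirrored in README.Debian. `dnssec-enable yes` is kept, which is fine for serving signed zones but does not restore validation.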
@@ -370,14 +383,20 @@ Subject: [PATCH] Disable DNSSEC support
cleanup_kdc(fstore) cleanup_kdc(fstore)
cleanup_adtrust(fstore) cleanup_adtrust(fstore)
setup_firefox_extension(fstore) setup_firefox_extension(fstore)
@@ -1462,7 +1453,6 @@ def main(): @@ -1457,13 +1448,6 @@ def main():
named_bindkey_file_option(), named_enable_serial_autoincrement(),
named_managed_keys_dir_option(), named_update_gssapi_configuration(),
named_root_key_include(), named_update_pid_file(),
- named_enable_dnssec(),
- named_validate_dnssec(),
- named_bindkey_file_option(),
- named_managed_keys_dir_option(),
- named_root_key_include(),
- mask_named_regular(), - mask_named_regular(),
fix_dyndb_ldap_workdir_permissions(), - fix_dyndb_ldap_workdir_permissions(),
) )
if any(named_conf_changes):
--- a/ipalib/plugins/dns.py --- a/ipalib/plugins/dns.py
+++ b/ipalib/plugins/dns.py +++ b/ipalib/plugins/dns.py
@@ -2617,7 +2617,9 @@ class dnszone(DNSZoneBase): @@ -2617,7 +2617,9 @@ class dnszone(DNSZoneBase):
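Review bot: the refreshed ipa-upgradeconfig hunk now also removes `fix_dyndb_ldap_workdir_permissions()` from the named_conf_changes tuple (mask_named_regular() was already dropped in the previous version of this patch), so the ownership fix for the dyndb-ldap working directory no longer runs on upgrade even though it is unrelated to DNSSEC; if that is intended because the Debian service class or packaging handles those permissions, say so in the patch description, otherwise keep that entry.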

debian/patches/revert-dnssec-aci.diff vendored Normal file
View File

@@ -0,0 +1,98 @@
commit d37678b62dc588180b7207dd9226f1e328f995eb
Author: Timo Aaltonen <tjaalton@debian.org>
Date: Fri Sep 25 06:28:37 2015 +0300
Revert "DNSSEC: ACI"
This reverts commit 4ddc978cea5229f6429221a37cc657b88a734736.
diff --git a/ACI.txt b/ACI.txt
index 933b57c..12726ee 100644
--- a/ACI.txt
+++ b/ACI.txt
@@ -39,14 +39,8 @@ aci: (targetattr = "idnsallowsyncptr || idnsforwarders || idnsforwardpolicy || i
dn: dc=ipa,dc=example
aci: (target = "ldap:///idnsname=*,cn=dns,dc=ipa,dc=example")(version 3.0;acl "permission:System: Add DNS Entries";allow (add) groupdn = "ldap:///cn=System: Add DNS Entries,cn=permissions,cn=pbac,dc=ipa,dc=example";)
dn: dc=ipa,dc=example
-aci: (targetattr = "ipaprivatekey || ipapublickey || ipasecretkey || ipasecretkeyref || ipawrappingkey || ipawrappingmech || ipk11allowedmechanisms || ipk11alwaysauthenticate || ipk11alwayssensitive || ipk11checkvalue || ipk11copyable || ipk11decrypt || ipk11derive || ipk11destroyable || ipk11distrusted || ipk11encrypt || ipk11enddate || ipk11extractable || ipk11id || ipk11keygenmechanism || ipk11keytype || ipk11label || ipk11local || ipk11modifiable || ipk11neverextractable || ipk11private || ipk11publickeyinfo || ipk11sensitive || ipk11sign || ipk11signrecover || ipk11startdate || ipk11subject || ipk11trusted || ipk11uniqueid || ipk11unwrap || ipk11unwraptemplate || ipk11verify || ipk11verifyrecover || ipk11wrap || ipk11wraptemplate || ipk11wrapwithtrusted || objectclass")(target = "ldap:///cn=keys,cn=sec,cn=dns,dc=ipa,dc=example")(version 3.0;acl "permission:System: Manage DNSSEC keys";allow (all) groupdn = "ldap:///cn=System: Manage DNSSEC keys,cn=permissions,cn=pbac,dc=ipa,dc=example";)
-dn: dc=ipa,dc=example
-aci: (targetattr = "cn || idnssecalgorithm || idnsseckeyactivate || idnsseckeycreated || idnsseckeydelete || idnsseckeyinactive || idnsseckeypublish || idnsseckeyref || idnsseckeyrevoke || idnsseckeysep || idnsseckeyzone || objectclass")(target = "ldap:///cn=dns,dc=ipa,dc=example")(targetfilter = "(objectclass=idnsSecKey)")(version 3.0;acl "permission:System: Manage DNSSEC metadata";allow (all) groupdn = "ldap:///cn=System: Manage DNSSEC metadata,cn=permissions,cn=pbac,dc=ipa,dc=example";)
-dn: dc=ipa,dc=example
aci: (targetattr = "a6record || aaaarecord || afsdbrecord || arecord || certrecord || cn || cnamerecord || createtimestamp || dlvrecord || dnamerecord || dnsclass || dnsttl || dsrecord || entryusn || hinforecord || idnsallowdynupdate || idnsallowquery || idnsallowsyncptr || idnsallowtransfer || idnsforwarders || idnsforwardpolicy || idnsname || idnssecinlinesigning || idnssoaexpire || idnssoaminimum || idnssoamname || idnssoarefresh || idnssoaretry || idnssoarname || idnssoaserial || idnsupdatepolicy || idnszoneactive || keyrecord || kxrecord || locrecord || managedby || mdrecord || minforecord || modifytimestamp || mxrecord || naptrrecord || nsec3paramrecord || nsecrecord || nsrecord || nxtrecord || objectclass || ptrrecord || rrsigrecord || sigrecord || srvrecord || sshfprecord || tlsarecord || txtrecord")(target = "ldap:///idnsname=*,cn=dns,dc=ipa,dc=example")(version 3.0;acl "permission:System: Read DNS Entries";allow (compare,read,search) groupdn = "ldap:///cn=System: Read DNS Entries,cn=permissions,cn=pbac,dc=ipa,dc=example";)
dn: dc=ipa,dc=example
-aci: (targetattr = "cn || createtimestamp || entryusn || idnssecalgorithm || idnsseckeyactivate || idnsseckeycreated || idnsseckeydelete || idnsseckeyinactive || idnsseckeypublish || idnsseckeyref || idnsseckeyrevoke || idnsseckeysep || idnsseckeyzone || modifytimestamp || objectclass")(target = "ldap:///cn=dns,dc=ipa,dc=example")(targetfilter = "(objectclass=idnsSecKey)")(version 3.0;acl "permission:System: Read DNSSEC metadata";allow (compare,read,search) groupdn = "ldap:///cn=System: Read DNSSEC metadata,cn=permissions,cn=pbac,dc=ipa,dc=example";)
-dn: dc=ipa,dc=example
aci: (target = "ldap:///idnsname=*,cn=dns,dc=ipa,dc=example")(version 3.0;acl "permission:System: Remove DNS Entries";allow (delete) groupdn = "ldap:///cn=System: Remove DNS Entries,cn=permissions,cn=pbac,dc=ipa,dc=example";)
dn: dc=ipa,dc=example
aci: (targetattr = "a6record || aaaarecord || afsdbrecord || arecord || certrecord || cn || cnamerecord || dlvrecord || dnamerecord || dnsclass || dnsttl || dsrecord || hinforecord || idnsallowdynupdate || idnsallowquery || idnsallowsyncptr || idnsallowtransfer || idnsforwarders || idnsforwardpolicy || idnsname || idnssecinlinesigning || idnssoaexpire || idnssoaminimum || idnssoamname || idnssoarefresh || idnssoaretry || idnssoarname || idnssoaserial || idnsupdatepolicy || idnszoneactive || keyrecord || kxrecord || locrecord || managedby || mdrecord || minforecord || mxrecord || naptrrecord || nsec3paramrecord || nsecrecord || nsrecord || nxtrecord || ptrrecord || rrsigrecord || sigrecord || srvrecord || sshfprecord || tlsarecord || txtrecord")(target = "ldap:///idnsname=*,cn=dns,dc=ipa,dc=example")(version 3.0;acl "permission:System: Update DNS Entries";allow (write) groupdn = "ldap:///cn=System: Update DNS Entries,cn=permissions,cn=pbac,dc=ipa,dc=example";)
diff --git a/ipalib/plugins/dns.py b/ipalib/plugins/dns.py
index f589ab5..ccca6d1 100644
--- a/ipalib/plugins/dns.py
+++ b/ipalib/plugins/dns.py
@@ -2471,7 +2471,6 @@ class dnszone(DNSZoneBase):
),
)
# Permissions will be apllied for forwardzones too
- # Store permissions into api.env.basedn, dns container could not exists
managed_permissions = {
'System: Add DNS Entries': {
'non_object': True,
@@ -2546,58 +2545,6 @@ class dnszone(DNSZoneBase):
],
'default_privileges': {'DNS Administrators', 'DNS Servers'},
},
- 'System: Read DNSSEC metadata': {
- 'non_object': True,
- 'ipapermright': {'read', 'search', 'compare'},
- 'ipapermlocation': api.env.basedn,
- 'ipapermtarget': DN('cn=dns', api.env.basedn),
- 'ipapermtargetfilter': ['(objectclass=idnsSecKey)'],
- 'ipapermdefaultattr': {
- 'idnsSecAlgorithm', 'idnsSecKeyCreated', 'idnsSecKeyPublish',
- 'idnsSecKeyActivate', 'idnsSecKeyInactive', 'idnsSecKeyDelete',
- 'idnsSecKeyZone', 'idnsSecKeyRevoke', 'idnsSecKeySep',
- 'idnsSecKeyRef', 'cn', 'objectclass',
- },
- 'default_privileges': {'DNS Administrators'},
- },
- 'System: Manage DNSSEC metadata': {
- 'non_object': True,
- 'ipapermright': {'all'},
- 'ipapermlocation': api.env.basedn,
- 'ipapermtarget': DN('cn=dns', api.env.basedn),
- 'ipapermtargetfilter': ['(objectclass=idnsSecKey)'],
- 'ipapermdefaultattr': {
- 'idnsSecAlgorithm', 'idnsSecKeyCreated', 'idnsSecKeyPublish',
- 'idnsSecKeyActivate', 'idnsSecKeyInactive', 'idnsSecKeyDelete',
- 'idnsSecKeyZone', 'idnsSecKeyRevoke', 'idnsSecKeySep',
- 'idnsSecKeyRef', 'cn', 'objectclass',
- },
- 'default_privileges': {'DNS Servers'},
- },
- 'System: Manage DNSSEC keys': {
- 'non_object': True,
- 'ipapermright': {'all'},
- 'ipapermlocation': api.env.basedn,
- 'ipapermtarget': DN('cn=keys', 'cn=sec', 'cn=dns', api.env.basedn),
- 'ipapermdefaultattr': {
- 'ipaPublicKey', 'ipaPrivateKey', 'ipaSecretKey',
- 'ipaWrappingMech','ipaWrappingKey',
- 'ipaSecretKeyRef', 'ipk11Private', 'ipk11Modifiable', 'ipk11Label',
- 'ipk11Copyable', 'ipk11Destroyable', 'ipk11Trusted',
- 'ipk11CheckValue', 'ipk11StartDate', 'ipk11EndDate',
- 'ipk11UniqueId', 'ipk11PublicKeyInfo', 'ipk11Distrusted',
- 'ipk11Subject', 'ipk11Id', 'ipk11Local', 'ipk11KeyType',
- 'ipk11Derive', 'ipk11KeyGenMechanism', 'ipk11AllowedMechanisms',
- 'ipk11Encrypt', 'ipk11Verify', 'ipk11VerifyRecover', 'ipk11Wrap',
- 'ipk11WrapTemplate', 'ipk11Sensitive', 'ipk11Decrypt',
- 'ipk11Sign', 'ipk11SignRecover', 'ipk11Unwrap',
- 'ipk11Extractable', 'ipk11AlwaysSensitive',
- 'ipk11NeverExtractable', 'ipk11WrapWithTrusted',
- 'ipk11UnwrapTemplate', 'ipk11AlwaysAuthenticate',
- 'objectclass',
- },
- 'default_privileges': {'DNS Servers'},
- },
}
def _rr_zone_postprocess(self, record, **options):
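Review bot: the patch carries only the git commit header and "This reverts commit ..." with no reason; add a DEP-3 header (a Description saying that the upgrade tools fail on the DNSSEC ACI changes, as the changelog states, plus Forwarded and Bug fields) so the next maintainer can tell when it is safe to drop. Removing the "System: Manage DNSSEC keys" and "System: Read/Manage DNSSEC metadata" permissions from both ACI.txt and dns.py keeps the two in sync, which upstream's ACI.txt check requires, but the revert also deletes the `# Store permissions into api.env.basedn, dns container could not exists` comment, which explains the surrounding non-DNSSEC code and is worth keeping.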

debian/patches/revert-dnssec-schema.diff vendored Normal file
View File

@@ -0,0 +1,131 @@
commit 69cb61ab1ef5c232e4270b49388a8f730e89e84b
Author: Timo Aaltonen <tjaalton@debian.org>
Date: Fri Sep 25 06:02:29 2015 +0300
Revert "DNSSEC: schema"
This reverts commit 3f0440f1950319febabcf726304bc10954c8b2b8.
diff --git a/install/share/60basev3.ldif b/install/share/60basev3.ldif
index 4efb1fe..7ce7777 100644
--- a/install/share/60basev3.ldif
+++ b/install/share/60basev3.ldif
@@ -49,11 +49,9 @@ attributeTypes: (2.16.840.1.113730.3.8.11.49 NAME 'ipaPermTarget' DESC 'IPA perm
attributeTypes: (2.16.840.1.113730.3.8.11.51 NAME 'ipaAllowedToPerform' DESC 'DNs allowed to perform an operation' SUP distinguishedName X-ORIGIN 'IPA v4.0')
attributeTypes: (2.16.840.1.113730.3.8.11.52 NAME 'ipaProtectedOperation' DESC 'Operation to be protected' EQUALITY caseIgnoreMatch SYNTAX 1.3.6.1.4.1.1466.115.121.1.15{128} )
attributeTypes: (2.16.840.1.113730.3.8.11.53 NAME 'ipaPublicKey' DESC 'Public key as DER-encoded SubjectPublicKeyInfo (RFC 5280)' EQUALITY octetStringMatch SYNTAX 1.3.6.1.4.1.1466.115.121.1.40 X-ORIGIN 'IPA v4.1' )
-attributeTypes: (2.16.840.1.113730.3.8.11.54 NAME 'ipaPrivateKey' DESC 'Private key as DER-encoded EncryptedPrivateKeyInfo (RFC 5958)' EQUALITY octetStringMatch SYNTAX 1.3.6.1.4.1.1466.115.121.1.40 SINGLE-VALUE X-ORIGIN 'IPA v4.1' )
-attributeTypes: (2.16.840.1.113730.3.8.11.55 NAME 'ipaSecretKey' DESC 'Encrypted secret key data' EQUALITY octetStringMatch SYNTAX 1.3.6.1.4.1.1466.115.121.1.40 SINGLE-VALUE X-ORIGIN 'IPA v4.1' )
+attributeTypes: (2.16.840.1.113730.3.8.11.54 NAME 'ipaPrivateKey' DESC 'Private key as DER-encoded EncryptedPrivateKeyInfo (RFC 5958)' EQUALITY octetStringMatch SYNTAX 1.3.6.1.4.1.1466.115.121.1.40 X-ORIGIN 'IPA v4.1' )
+attributeTypes: (2.16.840.1.113730.3.8.11.55 NAME 'ipaSecretKey' DESC 'Encrypted secret key data' EQUALITY octetStringMatch SYNTAX 1.3.6.1.4.1.1466.115.121.1.40 X-ORIGIN 'IPA v4.1' )
attributeTypes: (2.16.840.1.113730.3.8.11.61 NAME 'ipaWrappingKey' DESC 'PKCS#11 URI of the wrapping key' EQUALITY caseExactMatch SYNTAX 1.3.6.1.4.1.1466.115.121.1.15 SINGLE-VALUE X-ORIGIN 'IPA v4.1' )
-attributeTypes: (2.16.840.1.113730.3.8.11.64 NAME 'ipaSecretKeyRef' DESC 'DN of the ipa key object' EQUALITY distinguishedNameMatch SYNTAX 1.3.6.1.4.1.1466.115.121.1.12 X-ORIGIN 'IPA v4.1' )
-attributeTypes: (2.16.840.1.113730.3.8.11.65 NAME 'ipaWrappingMech' DESC 'PKCS#11 wrapping mechanism equivalent to CK_MECHANISM_TYPE' EQUALITY caseIgnoreMatch SYNTAX 1.3.6.1.4.1.1466.115.121.1.15 SINGLE-VALUE X-ORIGIN 'IPA v4.1')
objectClasses: (2.16.840.1.113730.3.8.12.1 NAME 'ipaExternalGroup' SUP top STRUCTURAL MUST ( cn ) MAY ( ipaExternalMember $ memberOf $ description $ owner) X-ORIGIN 'IPA v3' )
objectClasses: (2.16.840.1.113730.3.8.12.2 NAME 'ipaNTUserAttrs' SUP top AUXILIARY MUST ( ipaNTSecurityIdentifier ) MAY ( ipaNTHash $ ipaNTLogonScript $ ipaNTProfilePath $ ipaNTHomeDirectory $ ipaNTHomeDirectoryDrive ) X-ORIGIN 'IPA v3' )
objectClasses: (2.16.840.1.113730.3.8.12.3 NAME 'ipaNTGroupAttrs' SUP top AUXILIARY MUST ( ipaNTSecurityIdentifier ) X-ORIGIN 'IPA v3' )
@@ -74,6 +72,5 @@ objectClasses: (2.16.840.1.113730.3.8.12.20 NAME 'ipaUser' AUXILIARY MUST ( uid
objectClasses: (2.16.840.1.113730.3.8.12.21 NAME 'ipaPermissionV2' DESC 'IPA Permission objectclass, version 2' SUP ipaPermission AUXILIARY MUST ( ipaPermBindRuleType $ ipaPermLocation ) MAY ( ipaPermDefaultAttr $ ipaPermIncludedAttr $ ipaPermExcludedAttr $ ipaPermRight $ ipaPermTargetFilter $ ipaPermTarget ) X-ORIGIN 'IPA v4.0' )
objectClasses: (2.16.840.1.113730.3.8.12.22 NAME 'ipaAllowedOperations' SUP top AUXILIARY DESC 'Class to apply access controls to arbitrary operations' MAY ( ipaAllowedToPerform $ ipaProtectedOperation ) X-ORIGIN 'IPA v4.0')
objectClasses: (2.16.840.1.113730.3.8.12.24 NAME 'ipaPublicKeyObject' DESC 'Wrapped public keys' SUP top AUXILIARY MUST ( ipaPublicKey ) X-ORIGIN 'IPA v4.1' )
-objectClasses: (2.16.840.1.113730.3.8.12.25 NAME 'ipaPrivateKeyObject' DESC 'Wrapped private keys' SUP top AUXILIARY MUST ( ipaPrivateKey $ ipaWrappingKey $ ipaWrappingMech ) X-ORIGIN 'IPA v4.1' )
-objectClasses: (2.16.840.1.113730.3.8.12.26 NAME 'ipaSecretKeyObject' DESC 'Wrapped secret keys' SUP top AUXILIARY MUST ( ipaSecretKey $ ipaWrappingKey $ ipaWrappingMech ) X-ORIGIN 'IPA v4.1' )
-objectClasses: (2.16.840.1.113730.3.8.12.34 NAME 'ipaSecretKeyRefObject' DESC 'Indirect storage for encoded key material' SUP top AUXILIARY MUST ( ipaSecretKeyRef ) X-ORIGIN 'IPA v4.1' )
+objectClasses: (2.16.840.1.113730.3.8.12.25 NAME 'ipaPrivateKeyObject' DESC 'Wrapped private keys' SUP top AUXILIARY MUST ( ipaPrivateKey $ ipaWrappingKey ) X-ORIGIN 'IPA v4.1' )
+objectClasses: (2.16.840.1.113730.3.8.12.26 NAME 'ipaSecretKeyObject' DESC 'Wrapped secret keys' SUP top AUXILIARY MUST ( ipaSecretKey $ ipaWrappingKey ) X-ORIGIN 'IPA v4.1' )
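Review bot: no upgrade handling accompanies the schema downgrade in this hunk. The replaced ipaPrivateKeyObject (OID 2.16.840.1.113730.3.8.12.25) and ipaSecretKeyObject (.12.26) lines drop ipaWrappingMech from their MUST lists, ipaSecretKeyRefObject (.12.34) is removed outright, and the preceding hunk deletes the ipaSecretKeyRef and ipaWrappingMech attribute types themselves. A directory that already holds entries of these classes, or entries carrying an ipaWrappingMech value, will have those entries fail schema checking once the new definitions are loaded, and later modifications to them will be rejected. Suggest either stating in the patch header that this revert is only meant for installations that never created such entries, or adding a pre-upgrade search for objectClass=ipaSecretKeyRefObject and for any ipaWrappingMech value so the operator is warned before the schema is replaced. Also worth a sentence in the header: ipaWrappingKey ('PKCS#11 URI of the wrapping key') is kept in both MUST lists, so the key objects still require a wrapping key reference while no longer recording the wrapping mechanism.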
diff --git a/install/share/60ipadns.ldif b/install/share/60ipadns.ldif
index 678a5b4..eccc4fe 100644
--- a/install/share/60ipadns.ldif
+++ b/install/share/60ipadns.ldif
@@ -53,19 +53,8 @@ attributeTypes: ( 2.16.840.1.113730.3.8.5.15 NAME 'idnsForwarders' DESC 'list of
attributeTypes: ( 2.16.840.1.113730.3.8.5.16 NAME 'idnsZoneRefresh' DESC 'zone refresh interval' EQUALITY integerMatch SYNTAX 1.3.6.1.4.1.1466.115.121.1.27 SINGLE-VALUE X-ORIGIN 'IPA v2' )
attributeTypes: ( 2.16.840.1.113730.3.8.5.17 NAME 'idnsPersistentSearch' DESC 'allow persistent searches' EQUALITY booleanMatch SYNTAX 1.3.6.1.4.1.1466.115.121.1.7 SINGLE-VALUE X-ORIGIN 'IPA v2' )
attributeTypes: ( 2.16.840.1.113730.3.8.5.18 NAME 'idnsSecInlineSigning' DESC 'allow inline DNSSEC signing' EQUALITY booleanMatch SYNTAX 1.3.6.1.4.1.1466.115.121.1.7 SINGLE-VALUE X-ORIGIN 'IPA v4.0' )
-attributetypes: ( 2.16.840.1.113730.3.8.5.19 NAME 'idnsSecKeyCreated' DESC 'DNSSEC key creation timestamp' EQUALITY generalizedTimeMatch ORDERING generalizedTimeOrderingMatch SYNTAX 1.3.6.1.4.1.1466.115.121.1.24 SINGLE-VALUE X-ORIGIN 'IPA v4.1' )
-attributetypes: ( 2.16.840.1.113730.3.8.5.20 NAME 'idnsSecKeyPublish' DESC 'DNSSEC key (planned) publication time' EQUALITY generalizedTimeMatch ORDERING generalizedTimeOrderingMatch SYNTAX 1.3.6.1.4.1.1466.115.121.1.24 SINGLE-VALUE X-ORIGIN 'IPA v4.1' )
-attributetypes: ( 2.16.840.1.113730.3.8.5.21 NAME 'idnsSecKeyActivate' DESC 'DNSSEC key (planned) activation time' EQUALITY generalizedTimeMatch ORDERING generalizedTimeOrderingMatch SYNTAX 1.3.6.1.4.1.1466.115.121.1.24 SINGLE-VALUE X-ORIGIN 'IPA v4.1' )
-attributetypes: ( 2.16.840.1.113730.3.8.5.22 NAME 'idnsSecKeyInactive' DESC 'DNSSEC key (planned) inactivation time' EQUALITY generalizedTimeMatch ORDERING generalizedTimeOrderingMatch SYNTAX 1.3.6.1.4.1.1466.115.121.1.24 SINGLE-VALUE X-ORIGIN 'IPA v4.1' )
-attributetypes: ( 2.16.840.1.113730.3.8.5.23 NAME 'idnsSecKeyDelete' DESC 'DNSSEC key (planned) deletion timestamp' EQUALITY generalizedTimeMatch ORDERING generalizedTimeOrderingMatch SYNTAX 1.3.6.1.4.1.1466.115.121.1.24 SINGLE-VALUE X-ORIGIN 'IPA v4.1' )
-attributeTypes: ( 2.16.840.1.113730.3.8.5.24 NAME 'idnsSecKeyZone' DESC 'DNSKEY ZONE flag (equivalent to bit 7): RFC 4035' EQUALITY booleanMatch SYNTAX 1.3.6.1.4.1.1466.115.121.1.7 SINGLE-VALUE X-ORIGIN 'IPA v4.1' )
-attributeTypes: ( 2.16.840.1.113730.3.8.5.25 NAME 'idnsSecKeyRevoke' DESC 'DNSKEY REVOKE flag (equivalent to bit 8): RFC 5011' EQUALITY booleanMatch SYNTAX 1.3.6.1.4.1.1466.115.121.1.7 SINGLE-VALUE X-ORIGIN 'IPA v4.1' )
-attributeTypes: ( 2.16.840.1.113730.3.8.5.26 NAME 'idnsSecKeySep' DESC 'DNSKEY SEP flag (equivalent to bit 15): RFC 4035' EQUALITY booleanMatch SYNTAX 1.3.6.1.4.1.1466.115.121.1.7 SINGLE-VALUE X-ORIGIN 'IPA v4.1' )
-attributeTypes: ( 2.16.840.1.113730.3.8.5.27 NAME 'idnsSecAlgorithm' DESC 'DNSKEY algorithm: string used as mnemonic' EQUALITY caseIgnoreIA5Match SUBSTR caseIgnoreIA5SubstringsMatch SYNTAX 1.3.6.1.4.1.1466.115.121.1.26 SINGLE-VALUE X-ORIGIN 'IPA v4.1' )
-attributeTypes: ( 2.16.840.1.113730.3.8.5.28 NAME 'idnsSecKeyRef' DESC 'PKCS#11 URI of the key' EQUALITY caseExactMatch SINGLE-VALUE SYNTAX 1.3.6.1.4.1.1466.115.121.1.15 X-ORIGIN 'IPA v4.1' )
objectClasses: ( 2.16.840.1.113730.3.8.6.0 NAME 'idnsRecord' DESC 'dns Record, usually a host' SUP top STRUCTURAL MUST idnsName MAY ( idnsAllowDynUpdate $ dNSTTL $ dNSClass $ aRecord $ aAAARecord $ a6Record $ nSRecord $ cNAMERecord $ pTRRecord $ sRVRecord $ tXTRecord $ mXRecord $ mDRecord $ hInfoRecord $ mInfoRecord $ aFSDBRecord $ SigRecord $ KeyRecord $ LocRecord $ nXTRecord $ nAPTRRecord $ kXRecord $ certRecord $ dNameRecord $ dSRecord $ sSHFPRecord $ rRSIGRecord $ nSECRecord $ DLVRecord $ TLSARecord ) )
objectClasses: ( 2.16.840.1.113730.3.8.6.1 NAME 'idnsZone' DESC 'Zone class' SUP idnsRecord STRUCTURAL MUST ( idnsZoneActive $ idnsSOAmName $ idnsSOArName $ idnsSOAserial $ idnsSOArefresh $ idnsSOAretry $ idnsSOAexpire $ idnsSOAminimum ) MAY ( idnsUpdatePolicy $ idnsAllowQuery $ idnsAllowTransfer $ idnsAllowSyncPTR $ idnsForwardPolicy $ idnsForwarders $ idnsSecInlineSigning $ nSEC3PARAMRecord ) )
objectClasses: ( 2.16.840.1.113730.3.8.6.2 NAME 'idnsConfigObject' DESC 'DNS global config options' STRUCTURAL MAY ( idnsForwardPolicy $ idnsForwarders $ idnsAllowSyncPTR $ idnsZoneRefresh $ idnsPersistentSearch ) )
objectClasses: ( 2.16.840.1.113730.3.8.12.18 NAME 'ipaDNSZone' SUP top AUXILIARY MUST idnsName MAY managedBy X-ORIGIN 'IPA v3' )
objectClasses: ( 2.16.840.1.113730.3.8.6.3 NAME 'idnsForwardZone' DESC 'Forward Zone class' SUP top STRUCTURAL MUST ( idnsName $ idnsZoneActive ) MAY ( idnsForwarders $ idnsForwardPolicy ) )
-objectClasses: ( 2.16.840.1.113730.3.8.6.4 NAME 'idnsSecKey' DESC 'DNSSEC key metadata' STRUCTURAL MUST ( idnsSecKeyRef $ idnsSecKeyCreated $ idnsSecAlgorithm ) MAY ( idnsSecKeyPublish $ idnsSecKeyActivate $ idnsSecKeyInactive $ idnsSecKeyDelete $ idnsSecKeyZone $ idnsSecKeyRevoke $ idnsSecKeySep $ cn ) X-ORIGIN 'IPA v4.1' )
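Review bot: the DNSSEC removal here is only partial, and the hunk should say so. The idnsSecKey structural class and all ten idnsSec* key attributes (OIDs 2.16.840.1.113730.3.8.5.19 through .5.28) are removed, yet idnsSecInlineSigning (.5.18) stays defined and both idnsSecInlineSigning and nSEC3PARAMRecord remain in the idnsZone MAY list, so a zone entry can still be flagged for inline signing although no schema exists to describe its keys. If that retention is deliberate (for example so existing zone entries with the attribute remain schema-valid), record it in the patch header; otherwise the attribute and the two MAY entries should go with the rest. Independently of that, existing entries of objectClass=idnsSecKey become invalid once this schema is loaded, so a pre-upgrade check for such entries is worth adding alongside the change.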
diff --git a/install/share/60ipapk11.ldif b/install/share/60ipapk11.ldif
deleted file mode 100644
index 9db113d..0000000
--- a/install/share/60ipapk11.ldif
+++ /dev/null
@@ -1,42 +0,0 @@
-dn: cn=schema
-attributeTypes: (2.16.840.1.113730.3.8.17.1.11 NAME 'ipk11Private' DESC 'Is private to application' EQUALITY booleanMatch SYNTAX 1.3.6.1.4.1.1466.115.121.1.7 SINGLE-VALUE X-ORIGIN 'IPA v4.1' )
-attributeTypes: (2.16.840.1.113730.3.8.17.1.12 NAME 'ipk11Modifiable' DESC 'Can be modified by application' EQUALITY booleanMatch SYNTAX 1.3.6.1.4.1.1466.115.121.1.7 SINGLE-VALUE X-ORIGIN 'IPA v4.1' )
-attributeTypes: (2.16.840.1.113730.3.8.17.1.13 NAME 'ipk11Label' DESC 'Description' EQUALITY caseExactMatch SYNTAX 1.3.6.1.4.1.1466.115.121.1.15 SINGLE-VALUE X-ORIGIN 'IPA v4.1' )
-attributeTypes: (2.16.840.1.113730.3.8.17.1.14 NAME 'ipk11Copyable' DESC 'Can be copied by application' EQUALITY booleanMatch SYNTAX 1.3.6.1.4.1.1466.115.121.1.7 SINGLE-VALUE X-ORIGIN 'IPA v4.1' )
-attributeTypes: (2.16.840.1.113730.3.8.17.1.15 NAME 'ipk11Destroyable' DESC 'Can be destroyed by application' EQUALITY booleanMatch SYNTAX 1.3.6.1.4.1.1466.115.121.1.7 SINGLE-VALUE X-ORIGIN 'IPA v4.1' )
-attributeTypes: (2.16.840.1.113730.3.8.17.1.16 NAME 'ipk11Trusted' DESC 'Can be trusted by application' EQUALITY booleanMatch SYNTAX 1.3.6.1.4.1.1466.115.121.1.7 SINGLE-VALUE X-ORIGIN 'IPA v4.1' )
-attributeTypes: (2.16.840.1.113730.3.8.17.1.17 NAME 'ipk11CheckValue' DESC 'Checksum' EQUALITY octetStringMatch SYNTAX 1.3.6.1.4.1.1466.115.121.1.40 X-ORIGIN 'IPA v4.1' )
-attributeTypes: (2.16.840.1.113730.3.8.17.1.18 NAME 'ipk11StartDate' DESC 'Validity start date' EQUALITY generalizedTimeMatch ORDERING generalizedTimeOrderingMatch SYNTAX 1.3.6.1.4.1.1466.115.121.1.24 SINGLE-VALUE X-ORIGIN 'IPA v4.1' )
-attributeTypes: (2.16.840.1.113730.3.8.17.1.19 NAME 'ipk11EndDate' DESC 'Validity end date' EQUALITY generalizedTimeMatch ORDERING generalizedTimeOrderingMatch SYNTAX 1.3.6.1.4.1.1466.115.121.1.24 SINGLE-VALUE X-ORIGIN 'IPA v4.1' )
-attributeTypes: (2.16.840.1.113730.3.8.17.1.1 NAME 'ipk11UniqueId' DESC 'Meaningless unique identifier' EQUALITY caseIgnoreMatch SYNTAX 1.3.6.1.4.1.1466.115.121.1.15 SINGLE-VALUE X-ORIGIN 'IPA v4.1' )
-attributeTypes: (2.16.840.1.113730.3.8.17.1.20 NAME 'ipk11PublicKeyInfo' DESC 'DER-encoding of SubjectPublicKeyInfo of associated public key' EQUALITY octetStringMatch SYNTAX 1.3.6.1.4.1.1466.115.121.1.40 X-ORIGIN 'IPA v4.1' )
-attributeTypes: (2.16.840.1.113730.3.8.17.1.21 NAME 'ipk11Distrusted' DESC 'Must not be trusted by application' EQUALITY booleanMatch SYNTAX 1.3.6.1.4.1.1466.115.121.1.7 SINGLE-VALUE X-ORIGIN 'IPA v4.1' )
-attributeTypes: (2.16.840.1.113730.3.8.17.1.22 NAME 'ipk11Subject' DESC 'DER-encoding of subject name' EQUALITY octetStringMatch SYNTAX 1.3.6.1.4.1.1466.115.121.1.40 SINGLE-VALUE X-ORIGIN 'IPA v4.1' )
-attributeTypes: (2.16.840.1.113730.3.8.17.1.23 NAME 'ipk11Id' DESC 'Key association identifier' EQUALITY octetStringMatch SYNTAX 1.3.6.1.4.1.1466.115.121.1.40 SINGLE-VALUE X-ORIGIN 'IPA v4.1' )
-attributeTypes: (2.16.840.1.113730.3.8.17.1.24 NAME 'ipk11Local' DESC 'Was created locally on token' EQUALITY booleanMatch SYNTAX 1.3.6.1.4.1.1466.115.121.1.7 SINGLE-VALUE X-ORIGIN 'IPA v4.1' )
-attributeTypes: (2.16.840.1.113730.3.8.17.1.41 NAME 'ipk11KeyType' DESC 'Key type' EQUALITY caseIgnoreMatch SYNTAX 1.3.6.1.4.1.1466.115.121.1.15 SINGLE-VALUE X-ORIGIN 'IPA v4.1' )
-attributeTypes: (2.16.840.1.113730.3.8.17.1.42 NAME 'ipk11Derive' DESC 'Key supports key derivation' EQUALITY booleanMatch SYNTAX 1.3.6.1.4.1.1466.115.121.1.7 SINGLE-VALUE X-ORIGIN 'IPA v4.1' )
-attributeTypes: (2.16.840.1.113730.3.8.17.1.43 NAME 'ipk11KeyGenMechanism' DESC 'Mechanism used to generate this key' EQUALITY caseIgnoreMatch SYNTAX 1.3.6.1.4.1.1466.115.121.1.15 SINGLE-VALUE X-ORIGIN 'IPA v4.1' )
-attributeTypes: (2.16.840.1.113730.3.8.17.1.44 NAME 'ipk11AllowedMechanisms' DESC 'Space-separated list of mechanisms allowed to be used with this key' EQUALITY caseIgnoreMatch SUBSTR caseIgnoreSubstringsMatch SYNTAX 1.3.6.1.4.1.1466.115.121.1.15 SINGLE-VALUE X-ORIGIN 'IPA v4.1' )
-attributeTypes: (2.16.840.1.113730.3.8.17.1.51 NAME 'ipk11Encrypt' DESC 'Key supports encryption' EQUALITY booleanMatch SYNTAX 1.3.6.1.4.1.1466.115.121.1.7 SINGLE-VALUE X-ORIGIN 'IPA v4.1' )
-attributeTypes: (2.16.840.1.113730.3.8.17.1.52 NAME 'ipk11Verify' DESC 'Key supports verification where the signature is an appendix to the data' EQUALITY booleanMatch SYNTAX 1.3.6.1.4.1.1466.115.121.1.7 SINGLE-VALUE X-ORIGIN 'IPA v4.1' )
-attributeTypes: (2.16.840.1.113730.3.8.17.1.53 NAME 'ipk11VerifyRecover' DESC 'Key supports verification where data is recovered from the signature' EQUALITY booleanMatch SYNTAX 1.3.6.1.4.1.1466.115.121.1.7 SINGLE-VALUE X-ORIGIN 'IPA v4.1' )
-attributeTypes: (2.16.840.1.113730.3.8.17.1.54 NAME 'ipk11Wrap' DESC 'Key supports wrapping' EQUALITY booleanMatch SYNTAX 1.3.6.1.4.1.1466.115.121.1.7 SINGLE-VALUE X-ORIGIN 'IPA v4.1' )
-attributeTypes: (2.16.840.1.113730.3.8.17.1.55 NAME 'ipk11WrapTemplate' DESC 'DN of template of keys which can be wrapped using this key' EQUALITY distinguishedNameMatch SYNTAX 1.3.6.1.4.1.1466.115.121.1.12 SINGLE-VALUE X-ORIGIN 'IPA v4.1' )
-attributeTypes: (2.16.840.1.113730.3.8.17.1.61 NAME 'ipk11Sensitive' DESC 'Key is sensitive' EQUALITY booleanMatch SYNTAX 1.3.6.1.4.1.1466.115.121.1.7 SINGLE-VALUE X-ORIGIN 'IPA v4.1' )
-attributeTypes: (2.16.840.1.113730.3.8.17.1.62 NAME 'ipk11Decrypt' DESC 'Key supports decryption' EQUALITY booleanMatch SYNTAX 1.3.6.1.4.1.1466.115.121.1.7 SINGLE-VALUE X-ORIGIN 'IPA v4.1' )
-attributeTypes: (2.16.840.1.113730.3.8.17.1.63 NAME 'ipk11Sign' DESC 'Key supports signatures where the signature is an appendix to the data' EQUALITY booleanMatch SYNTAX 1.3.6.1.4.1.1466.115.121.1.7 SINGLE-VALUE X-ORIGIN 'IPA v4.1' )
-attributeTypes: (2.16.840.1.113730.3.8.17.1.64 NAME 'ipk11SignRecover' DESC 'Key supports signatures where data can be recovered from the signature' EQUALITY booleanMatch SYNTAX 1.3.6.1.4.1.1466.115.121.1.7 SINGLE-VALUE X-ORIGIN 'IPA v4.1' )
-attributeTypes: (2.16.840.1.113730.3.8.17.1.65 NAME 'ipk11Unwrap' DESC 'Key supports unwrapping' EQUALITY booleanMatch SYNTAX 1.3.6.1.4.1.1466.115.121.1.7 SINGLE-VALUE X-ORIGIN 'IPA v4.1' )
-attributeTypes: (2.16.840.1.113730.3.8.17.1.66 NAME 'ipk11Extractable' DESC 'Key is extractable and can be wrapped' EQUALITY booleanMatch SYNTAX 1.3.6.1.4.1.1466.115.121.1.7 SINGLE-VALUE X-ORIGIN 'IPA v4.1' )
-attributeTypes: (2.16.840.1.113730.3.8.17.1.67 NAME 'ipk11AlwaysSensitive' DESC 'Key has always been sensitive' EQUALITY booleanMatch SYNTAX 1.3.6.1.4.1.1466.115.121.1.7 SINGLE-VALUE X-ORIGIN 'IPA v4.1' )
-attributeTypes: (2.16.840.1.113730.3.8.17.1.68 NAME 'ipk11NeverExtractable' DESC 'Key has never been extractable' EQUALITY booleanMatch SYNTAX 1.3.6.1.4.1.1466.115.121.1.7 SINGLE-VALUE X-ORIGIN 'IPA v4.1' )
-attributeTypes: (2.16.840.1.113730.3.8.17.1.69 NAME 'ipk11WrapWithTrusted' DESC 'Key can only be wrapped with a trusted wrapping key' EQUALITY booleanMatch SYNTAX 1.3.6.1.4.1.1466.115.121.1.7 SINGLE-VALUE X-ORIGIN 'IPA v4.1' )
-attributeTypes: (2.16.840.1.113730.3.8.17.1.70 NAME 'ipk11UnwrapTemplate' DESC 'DN of template to apply to keys unwrapped using this key' EQUALITY distinguishedNameMatch SYNTAX 1.3.6.1.4.1.1466.115.121.1.12 SINGLE-VALUE X-ORIGIN 'IPA v4.1' )
-attributeTypes: (2.16.840.1.113730.3.8.17.1.71 NAME 'ipk11AlwaysAuthenticate' DESC 'User has to authenticate for each use with this key' EQUALITY booleanMatch SYNTAX 1.3.6.1.4.1.1466.115.121.1.7 SINGLE-VALUE X-ORIGIN 'IPA v4.1' )
-objectClasses: (2.16.840.1.113730.3.8.17.2.1 NAME 'ipk11Object' DESC 'Object' SUP top STRUCTURAL MUST ipk11UniqueId X-ORIGIN 'IPA v4.1' )
-objectClasses: (2.16.840.1.113730.3.8.17.2.2 NAME 'ipk11StorageObject' DESC 'Storage object' SUP top ABSTRACT MAY ( ipk11Private $ ipk11Modifiable $ ipk11Label $ ipk11Copyable $ ipk11Destroyable ) X-ORIGIN 'IPA v4.1' )
-objectClasses: (2.16.840.1.113730.3.8.17.2.5 NAME 'ipk11Key' DESC 'Key' SUP ipk11StorageObject ABSTRACT MAY ( ipk11KeyType $ ipk11Id $ ipk11StartDate $ ipk11EndDate $ ipk11Derive $ ipk11Local $ ipk11KeyGenMechanism $ ipk11AllowedMechanisms ) X-ORIGIN 'IPA v4.1' )
-objectClasses: (2.16.840.1.113730.3.8.17.2.6 NAME 'ipk11PublicKey' DESC 'Public key' SUP ipk11Key AUXILIARY MAY ( ipk11Subject $ ipk11Encrypt $ ipk11Verify $ ipk11VerifyRecover $ ipk11Wrap $ ipk11Trusted $ ipk11WrapTemplate $ ipk11Distrusted $ ipk11PublicKeyInfo ) X-ORIGIN 'IPA v4.1' )
-objectClasses: (2.16.840.1.113730.3.8.17.2.7 NAME 'ipk11PrivateKey' DESC 'Private key' SUP ipk11Key AUXILIARY MAY ( ipk11Subject $ ipk11Sensitive $ ipk11Decrypt $ ipk11Sign $ ipk11SignRecover $ ipk11Unwrap $ ipk11Extractable $ ipk11AlwaysSensitive $ ipk11NeverExtractable $ ipk11WrapWithTrusted $ ipk11UnwrapTemplate $ ipk11AlwaysAuthenticate $ ipk11PublicKeyInfo ) X-ORIGIN 'IPA v4.1' )
-objectClasses: (2.16.840.1.113730.3.8.17.2.8 NAME 'ipk11SecretKey' DESC 'Secret key' SUP ipk11Key AUXILIARY MAY ( ipk11Sensitive $ ipk11Encrypt $ ipk11Decrypt $ ipk11Sign $ ipk11Verify $ ipk11Wrap $ ipk11Unwrap $ ipk11Extractable $ ipk11AlwaysSensitive $ ipk11NeverExtractable $ ipk11CheckValue $ ipk11WrapWithTrusted $ ipk11Trusted $ ipk11WrapTemplate $ ipk11UnwrapTemplate ) X-ORIGIN 'IPA v4.1' )
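Review bot: deleting 60ipapk11.ldif diverges fresh installs from upgraded ones, and the patch header should acknowledge that. The Makefile.am and dsinstance.py hunks below stop the file from being shipped and loaded, but nothing unloads the ipk11* schema from a server that already has it, so new installations will lack the ipk11Object structural class (MUST ipk11UniqueId) while upgraded servers keep it together with any existing ipk11 entries. A second consistency point: the 60basev3 key object classes retained above still describe ipaWrappingKey as a 'PKCS#11 URI of the wrapping key', even though the PKCS#11 object schema that would hold such a key is deleted here; either that description is now misleading or the dependency should be explained.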
diff --git a/install/share/Makefile.am b/install/share/Makefile.am
index 878d886..3f8fa9a 100644
--- a/install/share/Makefile.am
+++ b/install/share/Makefile.am
@@ -15,7 +15,6 @@ app_DATA = \
60basev2.ldif \
60basev3.ldif \
60ipadns.ldif \
- 60ipapk11.ldif \
61kerberos-ipav3.ldif \
65ipacertstore.ldif \
65ipasudo.ldif \
diff --git a/ipaserver/install/dsinstance.py b/ipaserver/install/dsinstance.py
index 0ab4ae7..7e1ef20 100644
--- a/ipaserver/install/dsinstance.py
+++ b/ipaserver/install/dsinstance.py
@@ -54,7 +54,6 @@ IPA_SCHEMA_FILES = ("60kerberos.ldif",
"60ipaconfig.ldif",
"60basev2.ldif",
"60basev3.ldif",
- "60ipapk11.ldif",
"60ipadns.ldif",
"61kerberos-ipav3.ldif",
"65ipacertstore.ldif",
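Review bot: this matches the Makefile.am hunk (both lists drop 60ipapk11.ldif between 60basev3.ldif and 60ipadns.ldif), but IPA_SCHEMA_FILES is only consulted when a directory instance is set up, so the change affects new instances and leaves the ipk11 schema in place on existing ones. A one-line comment above the tuple noting that 60ipapk11.ldif is intentionally absent in this packaging would keep the entry from being re-added the next time the file is refreshed against upstream.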


@@ -0,0 +1,21 @@
commit 323bc2dc6b6a3f7919b6cb477df357119abdee8d
Author: Timo Aaltonen <tjaalton@debian.org>
Date: Fri Sep 25 06:02:10 2015 +0300
Revert "revert removal of cn attribute from idnsRecord"
This reverts commit 2fa07b1d24f61f9bcff5adb804a18c9eae72932d.
diff --git a/install/share/60ipadns.ldif b/install/share/60ipadns.ldif
index 8fd0bb9..678a5b4 100644
--- a/install/share/60ipadns.ldif
+++ b/install/share/60ipadns.ldif
@@ -63,7 +63,7 @@ attributeTypes: ( 2.16.840.1.113730.3.8.5.25 NAME 'idnsSecKeyRevoke' DESC 'DNSKE
attributeTypes: ( 2.16.840.1.113730.3.8.5.26 NAME 'idnsSecKeySep' DESC 'DNSKEY SEP flag (equivalent to bit 15): RFC 4035' EQUALITY booleanMatch SYNTAX 1.3.6.1.4.1.1466.115.121.1.7 SINGLE-VALUE X-ORIGIN 'IPA v4.1' )
attributeTypes: ( 2.16.840.1.113730.3.8.5.27 NAME 'idnsSecAlgorithm' DESC 'DNSKEY algorithm: string used as mnemonic' EQUALITY caseIgnoreIA5Match SUBSTR caseIgnoreIA5SubstringsMatch SYNTAX 1.3.6.1.4.1.1466.115.121.1.26 SINGLE-VALUE X-ORIGIN 'IPA v4.1' )
attributeTypes: ( 2.16.840.1.113730.3.8.5.28 NAME 'idnsSecKeyRef' DESC 'PKCS#11 URI of the key' EQUALITY caseExactMatch SINGLE-VALUE SYNTAX 1.3.6.1.4.1.1466.115.121.1.15 X-ORIGIN 'IPA v4.1' )
-objectClasses: ( 2.16.840.1.113730.3.8.6.0 NAME 'idnsRecord' DESC 'dns Record, usually a host' SUP top STRUCTURAL MUST idnsName MAY ( cn $ idnsAllowDynUpdate $ dNSTTL $ dNSClass $ aRecord $ aAAARecord $ a6Record $ nSRecord $ cNAMERecord $ pTRRecord $ sRVRecord $ tXTRecord $ mXRecord $ mDRecord $ hInfoRecord $ mInfoRecord $ aFSDBRecord $ SigRecord $ KeyRecord $ LocRecord $ nXTRecord $ nAPTRRecord $ kXRecord $ certRecord $ dNameRecord $ dSRecord $ sSHFPRecord $ rRSIGRecord $ nSECRecord $ DLVRecord $ TLSARecord ) )
+objectClasses: ( 2.16.840.1.113730.3.8.6.0 NAME 'idnsRecord' DESC 'dns Record, usually a host' SUP top STRUCTURAL MUST idnsName MAY ( idnsAllowDynUpdate $ dNSTTL $ dNSClass $ aRecord $ aAAARecord $ a6Record $ nSRecord $ cNAMERecord $ pTRRecord $ sRVRecord $ tXTRecord $ mXRecord $ mDRecord $ hInfoRecord $ mInfoRecord $ aFSDBRecord $ SigRecord $ KeyRecord $ LocRecord $ nXTRecord $ nAPTRRecord $ kXRecord $ certRecord $ dNameRecord $ dSRecord $ sSHFPRecord $ rRSIGRecord $ nSECRecord $ DLVRecord $ TLSARecord ) )
objectClasses: ( 2.16.840.1.113730.3.8.6.1 NAME 'idnsZone' DESC 'Zone class' SUP idnsRecord STRUCTURAL MUST ( idnsZoneActive $ idnsSOAmName $ idnsSOArName $ idnsSOAserial $ idnsSOArefresh $ idnsSOAretry $ idnsSOAexpire $ idnsSOAminimum ) MAY ( idnsUpdatePolicy $ idnsAllowQuery $ idnsAllowTransfer $ idnsAllowSyncPTR $ idnsForwardPolicy $ idnsForwarders $ idnsSecInlineSigning $ nSEC3PARAMRecord ) )
objectClasses: ( 2.16.840.1.113730.3.8.6.2 NAME 'idnsConfigObject' DESC 'DNS global config options' STRUCTURAL MAY ( idnsForwardPolicy $ idnsForwarders $ idnsAllowSyncPTR $ idnsZoneRefresh $ idnsPersistentSearch ) )
objectClasses: ( 2.16.840.1.113730.3.8.12.18 NAME 'ipaDNSZone' SUP top AUXILIARY MUST idnsName MAY managedBy X-ORIGIN 'IPA v3' )
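Review bot: the embedded patch removes cn from the MAY list of idnsRecord (OID 2.16.840.1.113730.3.8.6.0), which makes any existing DNS record entry that carries a cn value schema-invalid once the reverted definition is loaded; the commit message ('Revert "revert removal of cn attribute from idnsRecord"') identifies what is undone but not why the upstream revert is being reversed in this packaging, and that reasoning belongs at the top of the new patch file. Note also that the patch's context lines still contain idnsSecKeySep, idnsSecAlgorithm and idnsSecKeyRef and its index line reads 8fd0bb9..678a5b4, i.e. it is written against 60ipadns.ldif before the DNSSEC schema removal, whose hunk above starts from blob 678a5b4 (index 678a5b4..eccc4fe). The two patches therefore chain correctly only in this order.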


@@ -14,3 +14,6 @@ fix-ipa-conf.diff
revert-pykerberos-api-change.diff revert-pykerberos-api-change.diff
disable-dnssec-support.patch disable-dnssec-support.patch
revert-revert-removal-of-cn-attribute.diff
revert-dnssec-schema.diff
revert-dnssec-aci.diff
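Review bot: the order of the three added entries is load-bearing and should be documented in the series file. revert-revert-removal-of-cn-attribute.diff is written against 60ipadns.ldif blob 8fd0bb9 and produces 678a5b4, which is exactly the pre-image the later 60ipadns.ldif hunk (index 678a5b4..eccc4fe) expects, so swapping the two will make the second patch fail to apply. A short comment line above the entries (quilt and dpkg-source both ignore lines beginning with #) recording that dependency would protect the sequence from a future reorder.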