Merge branch 'master-next' into master-next-exp

2025-02-25 18:55:28 -06:00 · 2015-10-03 08:55:34 +03:00
parent 0fc2672e01 2c1bb40f78
commit cae5fe17e6
16 changed files with 440 additions and 35 deletions
--- a/debian/changelog
+++ b/debian/changelog
@@ -1,6 +1,6 @@
-freeipa (4.1.4-1) UNRELEASED; urgency=medium
+freeipa (4.1.4-1) experimental; urgency=medium

-  * New upstream release.
+  * New upstream release. (LP: #1492226)
    - Refresh patches
    - platform-support.diff: Added NAMED_VAR_DIR.
    - fix-bind-conf.diff: Dropped, obsolete with above.
@@ -8,9 +8,36 @@ freeipa (4.1.4-1) UNRELEASED; urgency=medium
      missing the dependencies for now.
  * control: Add python-usb to build-depends and to python-freeipa
    depends.
-  * control: Bump libsss-nss-idmap-dev build-dep.
+  * control: Bump SSSD dependencies.
+  * control: Add libsofthsm2-dev to build-depends and softhsm2 to server
+    depends.
+  * freeipa-{server,client}.install: Add new files.
+  * control: Bump Depends on slapi-nis for CVE fixes.
+  * control: Bump 389-ds-base, pki-ca depends.
+  * control: Drop dogtag-pki-server-theme from server depends, it's not
+    needed.
+  * control: Server needs newer python-ldap, bump build-dep too.
+  * control: Bump certmonger depends.
+  * control: Bump python-nss depends.
+  * freeipa-client: Add /etc/ipa/nssdb, rework /etc/pki/nssdb handling.
+  * platform: Add DebianNamedService.
+  * platform, disable-dnssec-support.patch: Fix named.conf template.
+  * server.postinst: Run ipa-ldap-updater and ipa-upgradeconfig on
+    postinst.
+  * Revert DNSSEC changes to schema and ACI, makes upgrade tools fail.
+  * server.postrm: Clean logs on purge and disable apache modules on
+    remove/purge.

- -- Timo Aaltonen <tjaalton@debian.org>  Thu, 02 Apr 2015 13:16:49 +0300
+ -- Timo Aaltonen <tjaalton@debian.org>  Fri, 25 Sep 2015 14:07:40 +0300
+
+freeipa (4.0.5-6) unstable; urgency=medium
+
+  * control Add gnupg-agent to python-freeipa depends, and change gnupg
+    to gnupg2. (LP: #1492184)
+  * Rebuild against current krb5, there was an abi break which broke at
+    least the setup phase.
+
+ -- Timo Aaltonen <tjaalton@debian.org>  Thu, 24 Sep 2015 23:22:24 +0300

 freeipa (4.0.5-5) unstable; urgency=medium

--- a/debian/control
+++ b/debian/control
@@ -4,7 +4,7 @@ Priority: extra
 Maintainer: Debian FreeIPA Team <pkg-freeipa-devel@lists.alioth.debian.org>
 Uploaders: Timo Aaltonen <tjaalton@debian.org>
 Build-Depends:
- 389-ds-base-dev (>= 1.3.3.2),
+ 389-ds-base-dev (>= 1.3.3.8),
 check,
 debhelper (>= 9),
 dh-autoreconf,
@@ -22,9 +22,10 @@ Build-Depends:
 libpopt-dev,
 librhino-java,
 libsasl2-dev,
+ libsofthsm2-dev,
 libssl-dev,
 libsss-idmap-dev,
- libsss-nss-idmap-dev (>= 1.12.2),
+ libsss-nss-idmap-dev (>= 1.12.3),
 libsvrcore-dev,
 libtalloc-dev,
 libtevent-dev,
@@ -35,20 +36,20 @@ Build-Depends:
 python-dnspython (>= 1.11.1),
 python-kerberos,
 python-krbv,
- python-ldap,
+ python-ldap (>= 2.4.15),
 python-lesscpy,
 python-libipa-hbac,
 python-lxml,
 python-memcache,
 python-netaddr,
 python-nose,
- python-nss,
+ python-nss (>= 0.16.0),
 python-openssl,
 python-polib,
 python-pyasn1,
 python-qrcode (>= 5.0.0),
 python-setuptools,
- python-sss (>= 1.8.0),
+ python-sss (>= 1.12.3),
 python-usb (>= 1.0.0~b2),
 python-yubico,
 rhino,
@@ -63,13 +64,12 @@ Homepage: http://www.freeipa.org
 Package: freeipa-server
 Architecture: any
 Depends:
- 389-ds-base (>= 1.3.3.5-2~),
+ 389-ds-base (>= 1.3.3.8),
 acl,
 apache2,
 bind9,
 bind9-dyndb-ldap (>= 6.0-4~),
- certmonger (>= 0.75.14),
- dogtag-pki-server-theme,
+ certmonger (>= 0.76.8),
 fonts-font-awesome,
 freeipa-admintools (= ${binary:Version}),
 freeipa-client (= ${binary:Version}),
@@ -87,13 +87,14 @@ Depends:
 libsasl2-modules-gssapi-mit,
 memcached,
 ntp,
- pki-ca,
+ pki-ca (>= 10.2.1),
 python-dateutil,
 python-freeipa (= ${binary:Version}),
 python-krbv,
- python-ldap,
+ python-ldap (>= 2.4.15),
 python-pyasn1,
- slapi-nis (>= 0.54),
+ slapi-nis (>= 0.54.2),
+ softhsm2,
 systemd-sysv,
 ${misc:Depends},
 ${python:Depends},
@@ -132,7 +133,7 @@ Package: freeipa-client
 Architecture: any
 Depends:
 bind9utils,
- certmonger,
+ certmonger (>= 0.76.8),
 dnsutils,
 krb5-user,
 libcurl3 (>= 7.22.0),
@@ -144,7 +145,7 @@ Depends:
 python-freeipa (= ${binary:Version}),
 python-krbv,
 python-ldap,
- sssd (>= 1.11.1),
+ sssd (>= 1.12.3),
 wget,
 ${misc:Depends},
 ${python:Depends},
@@ -190,8 +191,7 @@ Depends:
 xz-utils,
 ${misc:Depends},
 ${python:Depends}
-Recommends:
- python-yaml,
+Recommends: python-yaml
 Description: FreeIPA centralized identity framework -- tests
 FreeIPA is an integrated solution to provide centrally managed Identity
 (machine, user, virtual machines, groups, authentication credentials), Policy
@@ -204,7 +204,8 @@ Package: python-freeipa
 Architecture: any
 Section: python
 Depends:
- gnupg,
+ gnupg2,
+ gnupg-agent,
 iproute,
 keyutils,
 python-dbus,
@@ -216,7 +217,7 @@ Depends:
 python-lxml,
 python-memcache,
 python-netaddr,
- python-nss,
+ python-nss (>= 0.16.0),
 python-openssl,
 python-pyasn1,
 python-qrcode (>= 5.0.0),
--- a/debian/freeipa-client.dirs
+++ b/debian/freeipa-client.dirs
@@ -1,3 +1,4 @@
 etc/ipa
+etc/ipa/nssdb
 etc/pki/nssdb
 var/lib/ipa-client/sysrestore
--- a/debian/freeipa-client.install
+++ b/debian/freeipa-client.install
@@ -1,9 +1,11 @@
 usr/lib/python*/dist-packages/ipaclient/*.py
+usr/sbin/ipa-certupdate
 usr/sbin/ipa-client-automount
 usr/sbin/ipa-client-install
 usr/sbin/ipa-getkeytab
 usr/sbin/ipa-join
 usr/sbin/ipa-rmkeytab
+usr/share/man/man1/ipa-certupdate.1.gz
 usr/share/man/man1/ipa-client-automount.1.gz
 usr/share/man/man1/ipa-client-install.1.gz
 usr/share/man/man1/ipa-getkeytab.1.gz
--- a/debian/freeipa-client.postinst
+++ b/debian/freeipa-client.postinst
@@ -2,14 +2,23 @@
 set -e

 if [ "$1" = configure ]; then
-    if [ ! -e /etc/pki/nssdb ]; then
+    if [ ! -f /etc/pki/nssdb/cert8.db ]; then
        tmp=$(mktemp) || exit
        printf "\n" > $tmp
-        mkdir -p /etc/pki/nssdb
        certutil -N -d /etc/pki/nssdb -f $tmp
        chmod 644 /etc/pki/nssdb/*
        rm $tmp
    fi
+    if [ ! -f /etc/ipa/nssdb/cert8.db ]; then
+        python2 -c 'from ipapython.certdb import create_ipa_nssdb; create_ipa_nssdb()' >/dev/null 2>&1
+        tmp=$(mktemp) || exit
+        if certutil -L -d /etc/pki/nssdb -n 'IPA CA' -a >"$tmp" 2>/var/log/ipaupgrade.log; then
+            certutil -A -d /etc/ipa/nssdb -n 'IPA CA' -t CT,C,C -a -i "$tmp" >/var/log/ipaupgrade.log 2>&1
+        elif certutil -L -d /etc/pki/nssdb -n 'External CA cert' -a >"$tmp" 2>/var/log/ipaupgrade.log; then
+            certutil -A -d /etc/ipa/nssdb -n 'External CA cert' -t C,, -a -i "$tmp" >/var/log/ipaupgrade.log 2>&1
+        fi
+        rm -f "$tmp"
+    fi
 fi

 if [ ! -e /run/ipa ]; then
--- a/debian/freeipa-client.postrm
+++ b/debian/freeipa-client.postrm
@@ -7,6 +7,14 @@ if [ "$1" = purge ]; then
    rm -f /etc/pki/nssdb/cert8.db \
          /etc/pki/nssdb/key3.db \
          /etc/pki/nssdb/secmod.db
+    rm -f /etc/ipa/nssdb/cert8.db \
+          /etc/ipa/nssdb/key3.db \
+          /etc/ipa/nssdb/pwdfile.txt \
+          /etc/ipa/nssdb/secmod.db \
+          /etc/ipa/nssdb/*.orig
+    rmdir /etc/pki/nssdb || true
+    rmdir /etc/ipa/nssdb || true
+    rmdir /etc/ipa || true
 fi

 #DEBHELPER#
--- a/debian/freeipa-server.install
+++ b/debian/freeipa-server.install
@@ -2,11 +2,13 @@ etc/default/ipa_memcached
 etc/ipa/html/*
 lib/systemd/system/*
 usr/lib/*/certmonger/dogtag-ipa-ca-renew-agent-submit
+usr/lib/*/certmonger/ipa-server-guard
 usr/lib/*/dirsrv/plugins/libipa_cldap.so
 usr/lib/*/dirsrv/plugins/libipa_dns.so
 usr/lib/*/dirsrv/plugins/libipa_enrollment_extop.so
 usr/lib/*/dirsrv/plugins/libipa_lockout.so
 usr/lib/*/dirsrv/plugins/libipa_modrdn.so
+usr/lib/*/dirsrv/plugins/libipa_otp_counter.so
 usr/lib/*/dirsrv/plugins/libipa_otp_lasttoken.so
 usr/lib/*/dirsrv/plugins/libipa_pwd_extop.so
 usr/lib/*/dirsrv/plugins/libipa_range_check.so
@@ -22,6 +24,7 @@ usr/lib/python*/dist-packages/ipaserver/install/__init__.py
 usr/lib/python*/dist-packages/ipaserver/install/bindinstance.py
 usr/lib/python*/dist-packages/ipaserver/install/cainstance.py
 usr/lib/python*/dist-packages/ipaserver/install/certs.py
+usr/lib/python*/dist-packages/ipaserver/install/dnskeysyncinstance.py
 usr/lib/python*/dist-packages/ipaserver/install/dsinstance.py
 usr/lib/python*/dist-packages/ipaserver/install/httpinstance.py
 usr/lib/python*/dist-packages/ipaserver/install/installutils.py
@@ -30,6 +33,8 @@ usr/lib/python*/dist-packages/ipaserver/install/krbinstance.py
 usr/lib/python*/dist-packages/ipaserver/install/ldapupdate.py
 usr/lib/python*/dist-packages/ipaserver/install/memcacheinstance.py
 usr/lib/python*/dist-packages/ipaserver/install/ntpinstance.py
+usr/lib/python*/dist-packages/ipaserver/install/odsexporterinstance.py
+usr/lib/python*/dist-packages/ipaserver/install/opendnssecinstance.py
 usr/lib/python*/dist-packages/ipaserver/install/otpdinstance.py
 usr/lib/python*/dist-packages/ipaserver/install/plugins
 usr/lib/python*/dist-packages/ipaserver/install/replication.py
@@ -42,6 +47,7 @@ usr/lib/python*/dist-packages/ipaserver/rpcserver*
 usr/sbin/ipa-advise
 usr/sbin/ipa-backup
 usr/sbin/ipa-ca-install
+usr/sbin/ipa-cacert-manage
 usr/sbin/ipa-compat-manage
 usr/sbin/ipa-csreplica-manage
 usr/sbin/ipa-dns-install
@@ -77,6 +83,7 @@ usr/share/ipa/wsgi/*
 usr/share/man/man1/ipa-advise.1*
 usr/share/man/man1/ipa-backup.1*
 usr/share/man/man1/ipa-ca-install.1*
+usr/share/man/man1/ipa-cacert-manage.1*
 usr/share/man/man1/ipa-compat-manage.1*
 usr/share/man/man1/ipa-csreplica-manage.1*
 usr/share/man/man1/ipa-dns-install.1*
--- a/debian/freeipa-server.links
+++ b/debian/freeipa-server.links
@@ -1,8 +1,8 @@
+/etc/ipa/html/browserconfig.html	usr/share/ipa/html/browserconfig.html
 /etc/ipa/html/ffconfig.js		usr/share/ipa/html/ffconfig.js
 /etc/ipa/html/ffconfig_page.js		usr/share/ipa/html/ffconfig_page.js
 /etc/ipa/html/ssbrowser.html		usr/share/ipa/html/ssbrowser.html
 /etc/ipa/html/unauthorized.html		usr/share/ipa/html/unauthorized.html
-/etc/ipa/html/browserconfig.html	usr/share/ipa/html/browserconfig.html
 /usr/share/javascript/prototype/prototype.js       	/usr/share/ipa/ipagui/static/javascript/prototype.js
-/usr/share/javascript/scriptaculous/scriptaculous.js	/usr/share/ipa/ipagui/static/javascript/scriptaculous.js
 /usr/share/javascript/scriptaculous/effects.js		/usr/share/ipa/ipagui/static/javascript/effects.js
+/usr/share/javascript/scriptaculous/scriptaculous.js	/usr/share/ipa/ipagui/static/javascript/scriptaculous.js
--- a/debian/freeipa-server.postinst
+++ b/debian/freeipa-server.postinst
@@ -27,6 +27,15 @@ if [ "$1" = configure ]; then
        fi
    fi
    chown root:bind /var/cache/bind/data
+
+    # check if IPA is set up
+    is_configured=`python2 -c 'from ipaserver.install import installutils; print "yes" if installutils.is_ipa_configured() else "no";'`
+    if [ $is_configured = yes ]; then
+        echo "Running ipa-ldap-updater..."
+        ipa-ldap-updater --upgrade --quiet >/dev/null
+        echo "Running ipa-upgradeconfig..."
+        ipa-upgradeconfig --quiet >/dev/null
+    fi
 fi

 if [ ! -e /run/ipa_memcached ]; then
--- a/debian/freeipa-server.postrm
+++ b/debian/freeipa-server.postrm
@@ -0,0 +1,42 @@
+#!/bin/sh
+set -e
+
+case "$1" in
+    remove|purge)
+        if [ -e /usr/share/apache2/apache2-maintscript-helper ]; then
+            . /usr/share/apache2/apache2-maintscript-helper
+
+            if [ -e /etc/apache2/mods-enabled/auth_kerb.load ]; then
+                apache2_invoke dismod auth_kerb || exit $?
+            fi
+            if [ -e /etc/apache2/mods-enabled/authz_user.load ]; then
+                apache2_invoke dismod authz_user || exit $?
+            fi
+            if [ -e /etc/apache2/mods-enabled/deflate.load ]; then
+                apache2_invoke dismod deflate || exit $?
+            fi
+            if [ -e /etc/apache2/mods-enabled/expires.load ]; then
+                apache2_invoke dismod expires || exit $?
+            fi
+            if [ -e /etc/apache2/mods-enabled/headers.load ]; then
+                apache2_invoke dismod headers || exit $?
+            fi
+            if [ -e /etc/apache2/mods-enabled/proxy.load ]; then
+                apache2_invoke dismod proxy || exit $?
+            fi
+            if [ -e /etc/apache2/mods-enabled/rewrite.load ]; then
+                apache2_invoke dismod rewrite || exit $?
+            fi
+        fi
+    ;;
+esac
+case "$1" in
+    purge)
+        rm -f \
+            /var/log/ipareplica-conncheck.log \
+            /var/log/ipareplica-install.log \
+            /var/log/ipaserver-install.log \
+            /var/log/ipaserver-uninstall.log \
+            /var/log/ipaupgrade.log
+    ;;
+esac
--- a/debian/patches/add-debian-platform.diff
+++ b/debian/patches/add-debian-platform.diff
@@ -105,7 +105,7 @@ Date:   Fri Mar 1 12:21:00 2013 +0200
 +paths = DebianPathNamespace()
 --- /dev/null
 +++ b/ipaplatform/debian/services.py
-@@ -0,0 +1,184 @@
+@@ -0,0 +1,198 @@
 +# Authors:
 +#   Timo Aaltonen <tjaalton@ubuntu.com>
 +#
@@ -247,6 +247,20 @@ Date:   Fri Mar 1 12:21:00 2013 +0200
 +    def get_config_dir(self, instance_name=""):
 +        return '/etc/ssh'
 +
+class DebianNamedService(DebianSysvService):
+    def get_user_name(self):
+        return u'bind'
+
+    def get_group_name(self):
+        return u'bind'
+
+    def get_binary_path(self):
+        return paths.NAMED
+
+    def get_package_name(self):
+        return u'bind9'
+
+
 +# Function that constructs proper Debian-specific server classes for services
 +# of specified name
 +
@@ -266,7 +280,7 @@ Date:   Fri Mar 1 12:21:00 2013 +0200
 +    if name == 'messagebus':
 +        return DebianSysvService("dbus")
 +    if name == 'named':
-+        return DebianSysvService("bind9")
+        return DebianNamedService("bind9")
 +    if name == 'ntpd':
 +        return DebianSysvService("ntp")
 +    if name == 'sshd':
@@ -541,3 +555,16 @@ Date:   Fri Mar 1 12:21:00 2013 +0200
 PIDFile=/var/run/ipa_memcached/ipa_memcached.pid
 ExecStart=/usr/bin/memcached -d -s $SOCKET_PATH -u $USER -m $CACHESIZE -c $MAXCONN -P /var/run/ipa_memcached/ipa_memcached.pid $OPTIONS
 
+--- a/install/share/bind.named.conf.template
+++ b/install/share/bind.named.conf.template
+@@ -38,10 +38,6 @@ logging {
+ 	};
+ };
+ 
+-zone "." IN {
+-	type hint;
+-	file "named.ca";
+-};
+ 
+ include "$RFC1912_ZONES";
+ include "$ROOT_KEY";
--- a/debian/patches/disable-dnssec-support.patch
+++ b/debian/patches/disable-dnssec-support.patch
@@ -19,15 +19,28 @@ Subject: [PATCH] Disable DNSSEC support

 --- a/install/share/bind.named.conf.template
 +++ b/install/share/bind.named.conf.template
-@@ -18,7 +18,7 @@ options {
+@@ -18,12 +18,8 @@ options {
 	pid-file "$NAMED_PID";
 
 	dnssec-enable yes;
 -	dnssec-validation yes;
 +	dnssec-validation no;
 
- 	/* Path to ISC DLV key */
- 	bindkeys-file "$BINDKEYS_FILE";
+-	/* Path to ISC DLV key */
+-	bindkeys-file "$BINDKEYS_FILE";
+-
+-	managed-keys-directory "$MANAGED_KEYS_DIR";
+ };
+ 
+ /* If you want to enable debugging, eg. using the 'rndc trace' command,
+@@ -40,7 +36,6 @@ logging {
+ 
+ 
+ include "$RFC1912_ZONES";
+-include "$ROOT_KEY";
+ 
+ dynamic-db "ipa" {
+ 	library "ldap.so";
 --- a/install/tools/ipa-dns-install
 +++ b/install/tools/ipa-dns-install
@@ -23,8 +23,7 @@ from optparse import OptionGroup, SUPPRE
@@ -370,14 +383,20 @@ Subject: [PATCH] Disable DNSSEC support
     cleanup_kdc(fstore)
     cleanup_adtrust(fstore)
     setup_firefox_extension(fstore)
-@@ -1462,7 +1453,6 @@ def main():
-                           named_bindkey_file_option(),
-                           named_managed_keys_dir_option(),
-                           named_root_key_include(),
+@@ -1457,13 +1448,6 @@ def main():
+                           named_enable_serial_autoincrement(),
+                           named_update_gssapi_configuration(),
+                           named_update_pid_file(),
+-                          named_enable_dnssec(),
+-                          named_validate_dnssec(),
+-                          named_bindkey_file_option(),
+-                          named_managed_keys_dir_option(),
+-                          named_root_key_include(),
 -                          mask_named_regular(),
-                           fix_dyndb_ldap_workdir_permissions(),
+-                          fix_dyndb_ldap_workdir_permissions(),
                          )
 
+     if any(named_conf_changes):
 --- a/ipalib/plugins/dns.py
 +++ b/ipalib/plugins/dns.py
@@ -2617,7 +2617,9 @@ class dnszone(DNSZoneBase):
--- a/debian/patches/revert-dnssec-aci.diff
+++ b/debian/patches/revert-dnssec-aci.diff
@@ -0,0 +1,98 @@
+commit d37678b62dc588180b7207dd9226f1e328f995eb
+Author: Timo Aaltonen <tjaalton@debian.org>
+Date:   Fri Sep 25 06:28:37 2015 +0300
+
+    Revert "DNSSEC: ACI"
+    
+    This reverts commit 4ddc978cea5229f6429221a37cc657b88a734736.
+
+diff --git a/ACI.txt b/ACI.txt
+index 933b57c..12726ee 100644
+--- a/ACI.txt
+++ b/ACI.txt
+@@ -39,14 +39,8 @@ aci: (targetattr = "idnsallowsyncptr || idnsforwarders || idnsforwardpolicy || i
+ dn: dc=ipa,dc=example
+ aci: (target = "ldap:///idnsname=*,cn=dns,dc=ipa,dc=example")(version 3.0;acl "permission:System: Add DNS Entries";allow (add) groupdn = "ldap:///cn=System: Add DNS Entries,cn=permissions,cn=pbac,dc=ipa,dc=example";)
+ dn: dc=ipa,dc=example
+-aci: (targetattr = "ipaprivatekey || ipapublickey || ipasecretkey || ipasecretkeyref || ipawrappingkey || ipawrappingmech || ipk11allowedmechanisms || ipk11alwaysauthenticate || ipk11alwayssensitive || ipk11checkvalue || ipk11copyable || ipk11decrypt || ipk11derive || ipk11destroyable || ipk11distrusted || ipk11encrypt || ipk11enddate || ipk11extractable || ipk11id || ipk11keygenmechanism || ipk11keytype || ipk11label || ipk11local || ipk11modifiable || ipk11neverextractable || ipk11private || ipk11publickeyinfo || ipk11sensitive || ipk11sign || ipk11signrecover || ipk11startdate || ipk11subject || ipk11trusted || ipk11uniqueid || ipk11unwrap || ipk11unwraptemplate || ipk11verify || ipk11verifyrecover || ipk11wrap || ipk11wraptemplate || ipk11wrapwithtrusted || objectclass")(target = "ldap:///cn=keys,cn=sec,cn=dns,dc=ipa,dc=example")(version 3.0;acl "permission:System: Manage DNSSEC keys";allow (all) groupdn = "ldap:///cn=System: Manage DNSSEC keys,cn=permissions,cn=pbac,dc=ipa,dc=example";)
+-dn: dc=ipa,dc=example
+-aci: (targetattr = "cn || idnssecalgorithm || idnsseckeyactivate || idnsseckeycreated || idnsseckeydelete || idnsseckeyinactive || idnsseckeypublish || idnsseckeyref || idnsseckeyrevoke || idnsseckeysep || idnsseckeyzone || objectclass")(target = "ldap:///cn=dns,dc=ipa,dc=example")(targetfilter = "(objectclass=idnsSecKey)")(version 3.0;acl "permission:System: Manage DNSSEC metadata";allow (all) groupdn = "ldap:///cn=System: Manage DNSSEC metadata,cn=permissions,cn=pbac,dc=ipa,dc=example";)
+-dn: dc=ipa,dc=example
+ aci: (targetattr = "a6record || aaaarecord || afsdbrecord || arecord || certrecord || cn || cnamerecord || createtimestamp || dlvrecord || dnamerecord || dnsclass || dnsttl || dsrecord || entryusn || hinforecord || idnsallowdynupdate || idnsallowquery || idnsallowsyncptr || idnsallowtransfer || idnsforwarders || idnsforwardpolicy || idnsname || idnssecinlinesigning || idnssoaexpire || idnssoaminimum || idnssoamname || idnssoarefresh || idnssoaretry || idnssoarname || idnssoaserial || idnsupdatepolicy || idnszoneactive || keyrecord || kxrecord || locrecord || managedby || mdrecord || minforecord || modifytimestamp || mxrecord || naptrrecord || nsec3paramrecord || nsecrecord || nsrecord || nxtrecord || objectclass || ptrrecord || rrsigrecord || sigrecord || srvrecord || sshfprecord || tlsarecord || txtrecord")(target = "ldap:///idnsname=*,cn=dns,dc=ipa,dc=example")(version 3.0;acl "permission:System: Read DNS Entries";allow (compare,read,search) groupdn = "ldap:///cn=System: Read DNS Entries,cn=permissions,cn=pbac,dc=ipa,dc=example";)
+ dn: dc=ipa,dc=example
+-aci: (targetattr = "cn || createtimestamp || entryusn || idnssecalgorithm || idnsseckeyactivate || idnsseckeycreated || idnsseckeydelete || idnsseckeyinactive || idnsseckeypublish || idnsseckeyref || idnsseckeyrevoke || idnsseckeysep || idnsseckeyzone || modifytimestamp || objectclass")(target = "ldap:///cn=dns,dc=ipa,dc=example")(targetfilter = "(objectclass=idnsSecKey)")(version 3.0;acl "permission:System: Read DNSSEC metadata";allow (compare,read,search) groupdn = "ldap:///cn=System: Read DNSSEC metadata,cn=permissions,cn=pbac,dc=ipa,dc=example";)
+-dn: dc=ipa,dc=example
+ aci: (target = "ldap:///idnsname=*,cn=dns,dc=ipa,dc=example")(version 3.0;acl "permission:System: Remove DNS Entries";allow (delete) groupdn = "ldap:///cn=System: Remove DNS Entries,cn=permissions,cn=pbac,dc=ipa,dc=example";)
+ dn: dc=ipa,dc=example
+ aci: (targetattr = "a6record || aaaarecord || afsdbrecord || arecord || certrecord || cn || cnamerecord || dlvrecord || dnamerecord || dnsclass || dnsttl || dsrecord || hinforecord || idnsallowdynupdate || idnsallowquery || idnsallowsyncptr || idnsallowtransfer || idnsforwarders || idnsforwardpolicy || idnsname || idnssecinlinesigning || idnssoaexpire || idnssoaminimum || idnssoamname || idnssoarefresh || idnssoaretry || idnssoarname || idnssoaserial || idnsupdatepolicy || idnszoneactive || keyrecord || kxrecord || locrecord || managedby || mdrecord || minforecord || mxrecord || naptrrecord || nsec3paramrecord || nsecrecord || nsrecord || nxtrecord || ptrrecord || rrsigrecord || sigrecord || srvrecord || sshfprecord || tlsarecord || txtrecord")(target = "ldap:///idnsname=*,cn=dns,dc=ipa,dc=example")(version 3.0;acl "permission:System: Update DNS Entries";allow (write) groupdn = "ldap:///cn=System: Update DNS Entries,cn=permissions,cn=pbac,dc=ipa,dc=example";)
+diff --git a/ipalib/plugins/dns.py b/ipalib/plugins/dns.py
+index f589ab5..ccca6d1 100644
+--- a/ipalib/plugins/dns.py
+++ b/ipalib/plugins/dns.py
+@@ -2471,7 +2471,6 @@ class dnszone(DNSZoneBase):
+         ),
+     )
+     # Permissions will be apllied for forwardzones too
+-    # Store permissions into api.env.basedn, dns container could not exists
+     managed_permissions = {
+         'System: Add DNS Entries': {
+             'non_object': True,
+@@ -2546,58 +2545,6 @@ class dnszone(DNSZoneBase):
+             ],
+             'default_privileges': {'DNS Administrators', 'DNS Servers'},
+         },
+-        'System: Read DNSSEC metadata': {
+-            'non_object': True,
+-            'ipapermright': {'read', 'search', 'compare'},
+-            'ipapermlocation': api.env.basedn,
+-            'ipapermtarget': DN('cn=dns', api.env.basedn),
+-            'ipapermtargetfilter': ['(objectclass=idnsSecKey)'],
+-            'ipapermdefaultattr': {
+-                'idnsSecAlgorithm', 'idnsSecKeyCreated', 'idnsSecKeyPublish',
+-                'idnsSecKeyActivate', 'idnsSecKeyInactive', 'idnsSecKeyDelete',
+-                'idnsSecKeyZone', 'idnsSecKeyRevoke', 'idnsSecKeySep',
+-                'idnsSecKeyRef', 'cn', 'objectclass',
+-            },
+-            'default_privileges': {'DNS Administrators'},
+-        },
+-        'System: Manage DNSSEC metadata': {
+-            'non_object': True,
+-            'ipapermright': {'all'},
+-            'ipapermlocation': api.env.basedn,
+-            'ipapermtarget': DN('cn=dns', api.env.basedn),
+-            'ipapermtargetfilter': ['(objectclass=idnsSecKey)'],
+-            'ipapermdefaultattr': {
+-                'idnsSecAlgorithm', 'idnsSecKeyCreated', 'idnsSecKeyPublish',
+-                'idnsSecKeyActivate', 'idnsSecKeyInactive', 'idnsSecKeyDelete',
+-                'idnsSecKeyZone', 'idnsSecKeyRevoke', 'idnsSecKeySep',
+-                'idnsSecKeyRef', 'cn', 'objectclass',
+-            },
+-            'default_privileges': {'DNS Servers'},
+-        },
+-        'System: Manage DNSSEC keys': {
+-            'non_object': True,
+-            'ipapermright': {'all'},
+-            'ipapermlocation': api.env.basedn,
+-            'ipapermtarget': DN('cn=keys', 'cn=sec', 'cn=dns', api.env.basedn),
+-            'ipapermdefaultattr': {
+-                'ipaPublicKey', 'ipaPrivateKey', 'ipaSecretKey',
+-                'ipaWrappingMech','ipaWrappingKey',
+-                'ipaSecretKeyRef', 'ipk11Private', 'ipk11Modifiable', 'ipk11Label',
+-                'ipk11Copyable', 'ipk11Destroyable', 'ipk11Trusted',
+-                'ipk11CheckValue', 'ipk11StartDate', 'ipk11EndDate',
+-                'ipk11UniqueId', 'ipk11PublicKeyInfo', 'ipk11Distrusted',
+-                'ipk11Subject', 'ipk11Id', 'ipk11Local', 'ipk11KeyType',
+-                'ipk11Derive', 'ipk11KeyGenMechanism', 'ipk11AllowedMechanisms',
+-                'ipk11Encrypt', 'ipk11Verify', 'ipk11VerifyRecover', 'ipk11Wrap',
+-                'ipk11WrapTemplate', 'ipk11Sensitive', 'ipk11Decrypt',
+-                'ipk11Sign', 'ipk11SignRecover', 'ipk11Unwrap',
+-                'ipk11Extractable', 'ipk11AlwaysSensitive',
+-                'ipk11NeverExtractable', 'ipk11WrapWithTrusted',
+-                'ipk11UnwrapTemplate', 'ipk11AlwaysAuthenticate',
+-                'objectclass',
+-            },
+-            'default_privileges': {'DNS Servers'},
+-        },
+     }
+ 
+     def _rr_zone_postprocess(self, record, **options):
--- a/debian/patches/revert-dnssec-schema.diff
+++ b/debian/patches/revert-dnssec-schema.diff
@@ -0,0 +1,131 @@
+commit 69cb61ab1ef5c232e4270b49388a8f730e89e84b
+Author: Timo Aaltonen <tjaalton@debian.org>
+Date:   Fri Sep 25 06:02:29 2015 +0300
+
+    Revert "DNSSEC: schema"
+    
+    This reverts commit 3f0440f1950319febabcf726304bc10954c8b2b8.
+
+diff --git a/install/share/60basev3.ldif b/install/share/60basev3.ldif
+index 4efb1fe..7ce7777 100644
+--- a/install/share/60basev3.ldif
+++ b/install/share/60basev3.ldif
+@@ -49,11 +49,9 @@ attributeTypes: (2.16.840.1.113730.3.8.11.49 NAME 'ipaPermTarget' DESC 'IPA perm
+ attributeTypes: (2.16.840.1.113730.3.8.11.51 NAME 'ipaAllowedToPerform' DESC 'DNs allowed to perform an operation' SUP distinguishedName X-ORIGIN 'IPA v4.0')
+ attributeTypes: (2.16.840.1.113730.3.8.11.52 NAME 'ipaProtectedOperation' DESC 'Operation to be protected' EQUALITY caseIgnoreMatch SYNTAX 1.3.6.1.4.1.1466.115.121.1.15{128} )
+ attributeTypes: (2.16.840.1.113730.3.8.11.53 NAME 'ipaPublicKey' DESC 'Public key as DER-encoded SubjectPublicKeyInfo (RFC 5280)' EQUALITY octetStringMatch SYNTAX 1.3.6.1.4.1.1466.115.121.1.40 X-ORIGIN 'IPA v4.1' )
+-attributeTypes: (2.16.840.1.113730.3.8.11.54 NAME 'ipaPrivateKey' DESC 'Private key as DER-encoded EncryptedPrivateKeyInfo (RFC 5958)' EQUALITY octetStringMatch SYNTAX 1.3.6.1.4.1.1466.115.121.1.40 SINGLE-VALUE X-ORIGIN 'IPA v4.1' )
+-attributeTypes: (2.16.840.1.113730.3.8.11.55 NAME 'ipaSecretKey' DESC 'Encrypted secret key data' EQUALITY octetStringMatch SYNTAX 1.3.6.1.4.1.1466.115.121.1.40 SINGLE-VALUE X-ORIGIN 'IPA v4.1' )
+attributeTypes: (2.16.840.1.113730.3.8.11.54 NAME 'ipaPrivateKey' DESC 'Private key as DER-encoded EncryptedPrivateKeyInfo (RFC 5958)' EQUALITY octetStringMatch SYNTAX 1.3.6.1.4.1.1466.115.121.1.40 X-ORIGIN 'IPA v4.1' )
+attributeTypes: (2.16.840.1.113730.3.8.11.55 NAME 'ipaSecretKey' DESC 'Encrypted secret key data' EQUALITY octetStringMatch SYNTAX 1.3.6.1.4.1.1466.115.121.1.40 X-ORIGIN 'IPA v4.1' )
+ attributeTypes: (2.16.840.1.113730.3.8.11.61 NAME 'ipaWrappingKey' DESC 'PKCS#11 URI of the wrapping key' EQUALITY caseExactMatch SYNTAX 1.3.6.1.4.1.1466.115.121.1.15 SINGLE-VALUE X-ORIGIN 'IPA v4.1' )
+-attributeTypes: (2.16.840.1.113730.3.8.11.64 NAME 'ipaSecretKeyRef' DESC 'DN of the ipa key object' EQUALITY distinguishedNameMatch SYNTAX 1.3.6.1.4.1.1466.115.121.1.12 X-ORIGIN 'IPA v4.1' )
+-attributeTypes: (2.16.840.1.113730.3.8.11.65 NAME 'ipaWrappingMech' DESC 'PKCS#11 wrapping mechanism equivalent to CK_MECHANISM_TYPE' EQUALITY caseIgnoreMatch SYNTAX 1.3.6.1.4.1.1466.115.121.1.15 SINGLE-VALUE X-ORIGIN 'IPA v4.1')
+ objectClasses: (2.16.840.1.113730.3.8.12.1 NAME 'ipaExternalGroup' SUP top STRUCTURAL MUST ( cn ) MAY ( ipaExternalMember $ memberOf $ description $ owner) X-ORIGIN 'IPA v3' )
+ objectClasses: (2.16.840.1.113730.3.8.12.2 NAME 'ipaNTUserAttrs' SUP top AUXILIARY MUST ( ipaNTSecurityIdentifier ) MAY ( ipaNTHash $ ipaNTLogonScript $ ipaNTProfilePath $ ipaNTHomeDirectory $ ipaNTHomeDirectoryDrive ) X-ORIGIN 'IPA v3' )
+ objectClasses: (2.16.840.1.113730.3.8.12.3 NAME 'ipaNTGroupAttrs' SUP top AUXILIARY MUST ( ipaNTSecurityIdentifier ) X-ORIGIN 'IPA v3' )
+@@ -74,6 +72,5 @@ objectClasses: (2.16.840.1.113730.3.8.12.20 NAME 'ipaUser' AUXILIARY MUST ( uid
+ objectClasses: (2.16.840.1.113730.3.8.12.21 NAME 'ipaPermissionV2' DESC 'IPA Permission objectclass, version 2' SUP ipaPermission AUXILIARY MUST ( ipaPermBindRuleType $ ipaPermLocation ) MAY ( ipaPermDefaultAttr $ ipaPermIncludedAttr $ ipaPermExcludedAttr $ ipaPermRight $ ipaPermTargetFilter $ ipaPermTarget ) X-ORIGIN 'IPA v4.0' )
+ objectClasses: (2.16.840.1.113730.3.8.12.22 NAME 'ipaAllowedOperations' SUP top AUXILIARY DESC 'Class to apply access controls to arbitrary operations' MAY ( ipaAllowedToPerform $ ipaProtectedOperation ) X-ORIGIN 'IPA v4.0')
+ objectClasses: (2.16.840.1.113730.3.8.12.24 NAME 'ipaPublicKeyObject' DESC 'Wrapped public keys' SUP top AUXILIARY MUST ( ipaPublicKey ) X-ORIGIN 'IPA v4.1' )
+-objectClasses: (2.16.840.1.113730.3.8.12.25 NAME 'ipaPrivateKeyObject' DESC 'Wrapped private keys' SUP top AUXILIARY MUST ( ipaPrivateKey $ ipaWrappingKey $ ipaWrappingMech ) X-ORIGIN 'IPA v4.1' )
+-objectClasses: (2.16.840.1.113730.3.8.12.26 NAME 'ipaSecretKeyObject' DESC 'Wrapped secret keys' SUP top AUXILIARY MUST ( ipaSecretKey $ ipaWrappingKey $ ipaWrappingMech ) X-ORIGIN 'IPA v4.1' )
+-objectClasses: (2.16.840.1.113730.3.8.12.34 NAME 'ipaSecretKeyRefObject' DESC 'Indirect storage for encoded key material' SUP top AUXILIARY MUST ( ipaSecretKeyRef ) X-ORIGIN 'IPA v4.1' )
+objectClasses: (2.16.840.1.113730.3.8.12.25 NAME 'ipaPrivateKeyObject' DESC 'Wrapped private keys' SUP top AUXILIARY MUST ( ipaPrivateKey $ ipaWrappingKey ) X-ORIGIN 'IPA v4.1' )
+objectClasses: (2.16.840.1.113730.3.8.12.26 NAME 'ipaSecretKeyObject' DESC 'Wrapped secret keys' SUP top AUXILIARY MUST ( ipaSecretKey $ ipaWrappingKey ) X-ORIGIN 'IPA v4.1' )
+diff --git a/install/share/60ipadns.ldif b/install/share/60ipadns.ldif
+index 678a5b4..eccc4fe 100644
+--- a/install/share/60ipadns.ldif
+++ b/install/share/60ipadns.ldif
+@@ -53,19 +53,8 @@ attributeTypes: ( 2.16.840.1.113730.3.8.5.15 NAME 'idnsForwarders' DESC 'list of
+ attributeTypes: ( 2.16.840.1.113730.3.8.5.16 NAME 'idnsZoneRefresh' DESC 'zone refresh interval' EQUALITY integerMatch SYNTAX 1.3.6.1.4.1.1466.115.121.1.27 SINGLE-VALUE X-ORIGIN 'IPA v2' )
+ attributeTypes: ( 2.16.840.1.113730.3.8.5.17 NAME 'idnsPersistentSearch' DESC 'allow persistent searches' EQUALITY booleanMatch SYNTAX 1.3.6.1.4.1.1466.115.121.1.7 SINGLE-VALUE X-ORIGIN 'IPA v2' )
+ attributeTypes: ( 2.16.840.1.113730.3.8.5.18 NAME 'idnsSecInlineSigning' DESC 'allow inline DNSSEC signing' EQUALITY booleanMatch SYNTAX 1.3.6.1.4.1.1466.115.121.1.7 SINGLE-VALUE X-ORIGIN 'IPA v4.0' )
+-attributetypes: ( 2.16.840.1.113730.3.8.5.19 NAME 'idnsSecKeyCreated' DESC 'DNSSEC key creation timestamp' EQUALITY generalizedTimeMatch ORDERING generalizedTimeOrderingMatch SYNTAX 1.3.6.1.4.1.1466.115.121.1.24 SINGLE-VALUE X-ORIGIN 'IPA v4.1' )
+-attributetypes: ( 2.16.840.1.113730.3.8.5.20 NAME 'idnsSecKeyPublish' DESC 'DNSSEC key (planned) publication time' EQUALITY generalizedTimeMatch ORDERING generalizedTimeOrderingMatch SYNTAX 1.3.6.1.4.1.1466.115.121.1.24 SINGLE-VALUE X-ORIGIN 'IPA v4.1' )
+-attributetypes: ( 2.16.840.1.113730.3.8.5.21 NAME 'idnsSecKeyActivate' DESC 'DNSSEC key (planned) activation time' EQUALITY generalizedTimeMatch ORDERING generalizedTimeOrderingMatch SYNTAX 1.3.6.1.4.1.1466.115.121.1.24 SINGLE-VALUE X-ORIGIN 'IPA v4.1' )
+-attributetypes: ( 2.16.840.1.113730.3.8.5.22 NAME 'idnsSecKeyInactive' DESC 'DNSSEC key (planned) inactivation time' EQUALITY generalizedTimeMatch ORDERING generalizedTimeOrderingMatch SYNTAX 1.3.6.1.4.1.1466.115.121.1.24 SINGLE-VALUE X-ORIGIN 'IPA v4.1' )
+-attributetypes: ( 2.16.840.1.113730.3.8.5.23 NAME 'idnsSecKeyDelete' DESC 'DNSSEC key (planned) deletion timestamp' EQUALITY generalizedTimeMatch ORDERING generalizedTimeOrderingMatch SYNTAX 1.3.6.1.4.1.1466.115.121.1.24 SINGLE-VALUE X-ORIGIN 'IPA v4.1' )
+-attributeTypes: ( 2.16.840.1.113730.3.8.5.24 NAME 'idnsSecKeyZone' DESC 'DNSKEY ZONE flag (equivalent to bit 7): RFC 4035' EQUALITY booleanMatch SYNTAX 1.3.6.1.4.1.1466.115.121.1.7 SINGLE-VALUE X-ORIGIN 'IPA v4.1' )
+-attributeTypes: ( 2.16.840.1.113730.3.8.5.25 NAME 'idnsSecKeyRevoke' DESC 'DNSKEY REVOKE flag (equivalent to bit 8): RFC 5011' EQUALITY booleanMatch SYNTAX 1.3.6.1.4.1.1466.115.121.1.7 SINGLE-VALUE X-ORIGIN 'IPA v4.1' )
+-attributeTypes: ( 2.16.840.1.113730.3.8.5.26 NAME 'idnsSecKeySep' DESC 'DNSKEY SEP flag (equivalent to bit 15): RFC 4035' EQUALITY booleanMatch SYNTAX 1.3.6.1.4.1.1466.115.121.1.7 SINGLE-VALUE X-ORIGIN 'IPA v4.1' )
+-attributeTypes: ( 2.16.840.1.113730.3.8.5.27 NAME 'idnsSecAlgorithm' DESC 'DNSKEY algorithm: string used as mnemonic' EQUALITY caseIgnoreIA5Match SUBSTR caseIgnoreIA5SubstringsMatch SYNTAX 1.3.6.1.4.1.1466.115.121.1.26 SINGLE-VALUE X-ORIGIN 'IPA v4.1' )
+-attributeTypes: ( 2.16.840.1.113730.3.8.5.28 NAME 'idnsSecKeyRef' DESC 'PKCS#11 URI of the key' EQUALITY caseExactMatch SINGLE-VALUE SYNTAX 1.3.6.1.4.1.1466.115.121.1.15 X-ORIGIN 'IPA v4.1' )
+ objectClasses: ( 2.16.840.1.113730.3.8.6.0 NAME 'idnsRecord' DESC 'dns Record, usually a host' SUP top STRUCTURAL MUST idnsName MAY ( idnsAllowDynUpdate $ dNSTTL $ dNSClass $ aRecord $ aAAARecord $ a6Record $ nSRecord $ cNAMERecord $ pTRRecord $ sRVRecord $ tXTRecord $ mXRecord $ mDRecord $ hInfoRecord $ mInfoRecord $ aFSDBRecord $ SigRecord $ KeyRecord $ LocRecord $ nXTRecord $ nAPTRRecord $ kXRecord $ certRecord $ dNameRecord $ dSRecord $ sSHFPRecord $ rRSIGRecord $ nSECRecord $ DLVRecord $ TLSARecord ) )
+ objectClasses: ( 2.16.840.1.113730.3.8.6.1 NAME 'idnsZone' DESC 'Zone class' SUP idnsRecord STRUCTURAL MUST ( idnsZoneActive $ idnsSOAmName $ idnsSOArName $ idnsSOAserial $ idnsSOArefresh $ idnsSOAretry $ idnsSOAexpire $ idnsSOAminimum ) MAY ( idnsUpdatePolicy $ idnsAllowQuery $ idnsAllowTransfer $ idnsAllowSyncPTR $ idnsForwardPolicy $ idnsForwarders $ idnsSecInlineSigning $ nSEC3PARAMRecord ) )
+ objectClasses: ( 2.16.840.1.113730.3.8.6.2 NAME 'idnsConfigObject' DESC 'DNS global config options' STRUCTURAL MAY ( idnsForwardPolicy $ idnsForwarders $ idnsAllowSyncPTR $ idnsZoneRefresh $ idnsPersistentSearch ) )
+ objectClasses: ( 2.16.840.1.113730.3.8.12.18 NAME 'ipaDNSZone' SUP top AUXILIARY MUST idnsName MAY managedBy X-ORIGIN 'IPA v3' )
+ objectClasses: ( 2.16.840.1.113730.3.8.6.3 NAME 'idnsForwardZone' DESC 'Forward Zone class' SUP top STRUCTURAL MUST ( idnsName $ idnsZoneActive ) MAY ( idnsForwarders $ idnsForwardPolicy ) )
+-objectClasses: ( 2.16.840.1.113730.3.8.6.4 NAME 'idnsSecKey' DESC 'DNSSEC key metadata' STRUCTURAL MUST ( idnsSecKeyRef $ idnsSecKeyCreated $ idnsSecAlgorithm ) MAY ( idnsSecKeyPublish $ idnsSecKeyActivate $ idnsSecKeyInactive $ idnsSecKeyDelete $ idnsSecKeyZone $ idnsSecKeyRevoke $ idnsSecKeySep $ cn ) X-ORIGIN 'IPA v4.1' )
+diff --git a/install/share/60ipapk11.ldif b/install/share/60ipapk11.ldif
+deleted file mode 100644
+index 9db113d..0000000
+--- a/install/share/60ipapk11.ldif
+++ /dev/null
+@@ -1,42 +0,0 @@
+-dn: cn=schema
+-attributeTypes: (2.16.840.1.113730.3.8.17.1.11 NAME 'ipk11Private' DESC 'Is private to application' EQUALITY booleanMatch SYNTAX 1.3.6.1.4.1.1466.115.121.1.7 SINGLE-VALUE X-ORIGIN 'IPA v4.1' )
+-attributeTypes: (2.16.840.1.113730.3.8.17.1.12 NAME 'ipk11Modifiable' DESC 'Can be modified by application' EQUALITY booleanMatch SYNTAX 1.3.6.1.4.1.1466.115.121.1.7 SINGLE-VALUE X-ORIGIN 'IPA v4.1' )
+-attributeTypes: (2.16.840.1.113730.3.8.17.1.13 NAME 'ipk11Label' DESC 'Description' EQUALITY caseExactMatch SYNTAX 1.3.6.1.4.1.1466.115.121.1.15 SINGLE-VALUE X-ORIGIN 'IPA v4.1' )
+-attributeTypes: (2.16.840.1.113730.3.8.17.1.14 NAME 'ipk11Copyable' DESC 'Can be copied by application' EQUALITY booleanMatch SYNTAX 1.3.6.1.4.1.1466.115.121.1.7 SINGLE-VALUE X-ORIGIN 'IPA v4.1' )
+-attributeTypes: (2.16.840.1.113730.3.8.17.1.15 NAME 'ipk11Destroyable' DESC 'Can be destroyed by application' EQUALITY booleanMatch SYNTAX 1.3.6.1.4.1.1466.115.121.1.7 SINGLE-VALUE X-ORIGIN 'IPA v4.1' )
+-attributeTypes: (2.16.840.1.113730.3.8.17.1.16 NAME 'ipk11Trusted' DESC 'Can be trusted by application' EQUALITY booleanMatch SYNTAX 1.3.6.1.4.1.1466.115.121.1.7 SINGLE-VALUE X-ORIGIN 'IPA v4.1' )
+-attributeTypes: (2.16.840.1.113730.3.8.17.1.17 NAME 'ipk11CheckValue' DESC 'Checksum' EQUALITY octetStringMatch SYNTAX 1.3.6.1.4.1.1466.115.121.1.40 X-ORIGIN 'IPA v4.1' )
+-attributeTypes: (2.16.840.1.113730.3.8.17.1.18 NAME 'ipk11StartDate' DESC 'Validity start date' EQUALITY generalizedTimeMatch ORDERING generalizedTimeOrderingMatch SYNTAX 1.3.6.1.4.1.1466.115.121.1.24 SINGLE-VALUE X-ORIGIN 'IPA v4.1' )
+-attributeTypes: (2.16.840.1.113730.3.8.17.1.19 NAME 'ipk11EndDate' DESC 'Validity end date' EQUALITY generalizedTimeMatch ORDERING generalizedTimeOrderingMatch SYNTAX 1.3.6.1.4.1.1466.115.121.1.24 SINGLE-VALUE X-ORIGIN 'IPA v4.1' )
+-attributeTypes: (2.16.840.1.113730.3.8.17.1.1 NAME 'ipk11UniqueId' DESC 'Meaningless unique identifier' EQUALITY caseIgnoreMatch SYNTAX 1.3.6.1.4.1.1466.115.121.1.15 SINGLE-VALUE X-ORIGIN 'IPA v4.1' )
+-attributeTypes: (2.16.840.1.113730.3.8.17.1.20 NAME 'ipk11PublicKeyInfo' DESC 'DER-encoding of SubjectPublicKeyInfo of associated public key' EQUALITY octetStringMatch SYNTAX 1.3.6.1.4.1.1466.115.121.1.40 X-ORIGIN 'IPA v4.1' )
+-attributeTypes: (2.16.840.1.113730.3.8.17.1.21 NAME 'ipk11Distrusted' DESC 'Must not be trusted by application' EQUALITY booleanMatch SYNTAX 1.3.6.1.4.1.1466.115.121.1.7 SINGLE-VALUE X-ORIGIN 'IPA v4.1' )
+-attributeTypes: (2.16.840.1.113730.3.8.17.1.22 NAME 'ipk11Subject' DESC 'DER-encoding of subject name' EQUALITY octetStringMatch SYNTAX 1.3.6.1.4.1.1466.115.121.1.40 SINGLE-VALUE X-ORIGIN 'IPA v4.1' )
+-attributeTypes: (2.16.840.1.113730.3.8.17.1.23 NAME 'ipk11Id' DESC 'Key association identifier' EQUALITY octetStringMatch SYNTAX 1.3.6.1.4.1.1466.115.121.1.40 SINGLE-VALUE X-ORIGIN 'IPA v4.1' )
+-attributeTypes: (2.16.840.1.113730.3.8.17.1.24 NAME 'ipk11Local' DESC 'Was created locally on token' EQUALITY booleanMatch SYNTAX 1.3.6.1.4.1.1466.115.121.1.7 SINGLE-VALUE X-ORIGIN 'IPA v4.1' )
+-attributeTypes: (2.16.840.1.113730.3.8.17.1.41 NAME 'ipk11KeyType' DESC 'Key type' EQUALITY caseIgnoreMatch SYNTAX 1.3.6.1.4.1.1466.115.121.1.15 SINGLE-VALUE X-ORIGIN 'IPA v4.1' )
+-attributeTypes: (2.16.840.1.113730.3.8.17.1.42 NAME 'ipk11Derive' DESC 'Key supports key derivation' EQUALITY booleanMatch SYNTAX 1.3.6.1.4.1.1466.115.121.1.7 SINGLE-VALUE X-ORIGIN 'IPA v4.1' )
+-attributeTypes: (2.16.840.1.113730.3.8.17.1.43 NAME 'ipk11KeyGenMechanism' DESC 'Mechanism used to generate this key' EQUALITY caseIgnoreMatch SYNTAX 1.3.6.1.4.1.1466.115.121.1.15 SINGLE-VALUE X-ORIGIN 'IPA v4.1' )
+-attributeTypes: (2.16.840.1.113730.3.8.17.1.44 NAME 'ipk11AllowedMechanisms' DESC 'Space-separated list of mechanisms allowed to be used with this key' EQUALITY caseIgnoreMatch SUBSTR caseIgnoreSubstringsMatch SYNTAX 1.3.6.1.4.1.1466.115.121.1.15 SINGLE-VALUE X-ORIGIN 'IPA v4.1' )
+-attributeTypes: (2.16.840.1.113730.3.8.17.1.51 NAME 'ipk11Encrypt' DESC 'Key supports encryption' EQUALITY booleanMatch SYNTAX 1.3.6.1.4.1.1466.115.121.1.7 SINGLE-VALUE X-ORIGIN 'IPA v4.1' )
+-attributeTypes: (2.16.840.1.113730.3.8.17.1.52 NAME 'ipk11Verify' DESC 'Key supports verification where the signature is an appendix to the data' EQUALITY booleanMatch SYNTAX 1.3.6.1.4.1.1466.115.121.1.7 SINGLE-VALUE X-ORIGIN 'IPA v4.1' )
+-attributeTypes: (2.16.840.1.113730.3.8.17.1.53 NAME 'ipk11VerifyRecover' DESC 'Key supports verification where data is recovered from the signature' EQUALITY booleanMatch SYNTAX 1.3.6.1.4.1.1466.115.121.1.7 SINGLE-VALUE X-ORIGIN 'IPA v4.1' )
+-attributeTypes: (2.16.840.1.113730.3.8.17.1.54 NAME 'ipk11Wrap' DESC 'Key supports wrapping' EQUALITY booleanMatch SYNTAX 1.3.6.1.4.1.1466.115.121.1.7 SINGLE-VALUE X-ORIGIN 'IPA v4.1' )
+-attributeTypes: (2.16.840.1.113730.3.8.17.1.55 NAME 'ipk11WrapTemplate' DESC 'DN of template of keys which can be wrapped using this key' EQUALITY distinguishedNameMatch SYNTAX 1.3.6.1.4.1.1466.115.121.1.12 SINGLE-VALUE X-ORIGIN 'IPA v4.1' )
+-attributeTypes: (2.16.840.1.113730.3.8.17.1.61 NAME 'ipk11Sensitive' DESC 'Key is sensitive' EQUALITY booleanMatch SYNTAX 1.3.6.1.4.1.1466.115.121.1.7 SINGLE-VALUE X-ORIGIN 'IPA v4.1' )
+-attributeTypes: (2.16.840.1.113730.3.8.17.1.62 NAME 'ipk11Decrypt' DESC 'Key supports decryption' EQUALITY booleanMatch SYNTAX 1.3.6.1.4.1.1466.115.121.1.7 SINGLE-VALUE X-ORIGIN 'IPA v4.1' )
+-attributeTypes: (2.16.840.1.113730.3.8.17.1.63 NAME 'ipk11Sign' DESC 'Key supports signatures where the signature is an appendix to the data' EQUALITY booleanMatch SYNTAX 1.3.6.1.4.1.1466.115.121.1.7 SINGLE-VALUE X-ORIGIN 'IPA v4.1' )
+-attributeTypes: (2.16.840.1.113730.3.8.17.1.64 NAME 'ipk11SignRecover' DESC 'Key supports signatures where data can be recovered from the signature' EQUALITY booleanMatch SYNTAX 1.3.6.1.4.1.1466.115.121.1.7 SINGLE-VALUE X-ORIGIN 'IPA v4.1' )
+-attributeTypes: (2.16.840.1.113730.3.8.17.1.65 NAME 'ipk11Unwrap' DESC 'Key supports unwrapping' EQUALITY booleanMatch SYNTAX 1.3.6.1.4.1.1466.115.121.1.7 SINGLE-VALUE X-ORIGIN 'IPA v4.1' )
+-attributeTypes: (2.16.840.1.113730.3.8.17.1.66 NAME 'ipk11Extractable' DESC 'Key is extractable and can be wrapped' EQUALITY booleanMatch SYNTAX 1.3.6.1.4.1.1466.115.121.1.7 SINGLE-VALUE X-ORIGIN 'IPA v4.1' )
+-attributeTypes: (2.16.840.1.113730.3.8.17.1.67 NAME 'ipk11AlwaysSensitive' DESC 'Key has always been sensitive' EQUALITY booleanMatch SYNTAX 1.3.6.1.4.1.1466.115.121.1.7 SINGLE-VALUE X-ORIGIN 'IPA v4.1' )
+-attributeTypes: (2.16.840.1.113730.3.8.17.1.68 NAME 'ipk11NeverExtractable' DESC 'Key has never been extractable' EQUALITY booleanMatch SYNTAX 1.3.6.1.4.1.1466.115.121.1.7 SINGLE-VALUE X-ORIGIN 'IPA v4.1' )
+-attributeTypes: (2.16.840.1.113730.3.8.17.1.69 NAME 'ipk11WrapWithTrusted' DESC 'Key can only be wrapped with a trusted wrapping key' EQUALITY booleanMatch SYNTAX 1.3.6.1.4.1.1466.115.121.1.7 SINGLE-VALUE X-ORIGIN 'IPA v4.1' )
+-attributeTypes: (2.16.840.1.113730.3.8.17.1.70 NAME 'ipk11UnwrapTemplate' DESC 'DN of template to apply to keys unwrapped using this key' EQUALITY distinguishedNameMatch SYNTAX 1.3.6.1.4.1.1466.115.121.1.12 SINGLE-VALUE X-ORIGIN 'IPA v4.1' )
+-attributeTypes: (2.16.840.1.113730.3.8.17.1.71 NAME 'ipk11AlwaysAuthenticate' DESC 'User has to authenticate for each use with this key' EQUALITY booleanMatch SYNTAX 1.3.6.1.4.1.1466.115.121.1.7 SINGLE-VALUE X-ORIGIN 'IPA v4.1' )
+-objectClasses: (2.16.840.1.113730.3.8.17.2.1 NAME 'ipk11Object' DESC 'Object' SUP top STRUCTURAL MUST ipk11UniqueId X-ORIGIN 'IPA v4.1' )
+-objectClasses: (2.16.840.1.113730.3.8.17.2.2 NAME 'ipk11StorageObject' DESC 'Storage object' SUP top ABSTRACT MAY ( ipk11Private $ ipk11Modifiable $ ipk11Label $ ipk11Copyable $ ipk11Destroyable ) X-ORIGIN 'IPA v4.1' )
+-objectClasses: (2.16.840.1.113730.3.8.17.2.5 NAME 'ipk11Key' DESC 'Key' SUP ipk11StorageObject ABSTRACT MAY ( ipk11KeyType $ ipk11Id $ ipk11StartDate $ ipk11EndDate $ ipk11Derive $ ipk11Local $ ipk11KeyGenMechanism $ ipk11AllowedMechanisms ) X-ORIGIN 'IPA v4.1' )
+-objectClasses: (2.16.840.1.113730.3.8.17.2.6 NAME 'ipk11PublicKey' DESC 'Public key' SUP ipk11Key AUXILIARY MAY ( ipk11Subject $ ipk11Encrypt $ ipk11Verify $ ipk11VerifyRecover $ ipk11Wrap $ ipk11Trusted $ ipk11WrapTemplate $ ipk11Distrusted $ ipk11PublicKeyInfo ) X-ORIGIN 'IPA v4.1' )
+-objectClasses: (2.16.840.1.113730.3.8.17.2.7 NAME 'ipk11PrivateKey' DESC 'Private key' SUP ipk11Key AUXILIARY MAY ( ipk11Subject $ ipk11Sensitive $ ipk11Decrypt $ ipk11Sign $ ipk11SignRecover $ ipk11Unwrap $ ipk11Extractable $ ipk11AlwaysSensitive $ ipk11NeverExtractable $ ipk11WrapWithTrusted $ ipk11UnwrapTemplate $ ipk11AlwaysAuthenticate $ ipk11PublicKeyInfo ) X-ORIGIN 'IPA v4.1' )
+-objectClasses: (2.16.840.1.113730.3.8.17.2.8 NAME 'ipk11SecretKey' DESC 'Secret key' SUP ipk11Key AUXILIARY MAY ( ipk11Sensitive $ ipk11Encrypt $ ipk11Decrypt $ ipk11Sign $ ipk11Verify $ ipk11Wrap $ ipk11Unwrap $ ipk11Extractable $ ipk11AlwaysSensitive $ ipk11NeverExtractable $ ipk11CheckValue $ ipk11WrapWithTrusted $ ipk11Trusted $ ipk11WrapTemplate $ ipk11UnwrapTemplate ) X-ORIGIN 'IPA v4.1' )
+diff --git a/install/share/Makefile.am b/install/share/Makefile.am
+index 878d886..3f8fa9a 100644
+--- a/install/share/Makefile.am
+++ b/install/share/Makefile.am
+@@ -15,7 +15,6 @@ app_DATA =				\
+ 	60basev2.ldif			\
+ 	60basev3.ldif			\
+ 	60ipadns.ldif			\
+-	60ipapk11.ldif			\
+ 	61kerberos-ipav3.ldif		\
+ 	65ipacertstore.ldif		\
+ 	65ipasudo.ldif			\
+diff --git a/ipaserver/install/dsinstance.py b/ipaserver/install/dsinstance.py
+index 0ab4ae7..7e1ef20 100644
+--- a/ipaserver/install/dsinstance.py
+++ b/ipaserver/install/dsinstance.py
+@@ -54,7 +54,6 @@ IPA_SCHEMA_FILES = ("60kerberos.ldif",
+                     "60ipaconfig.ldif",
+                     "60basev2.ldif",
+                     "60basev3.ldif",
+-                    "60ipapk11.ldif",
+                     "60ipadns.ldif",
+                     "61kerberos-ipav3.ldif",
+                     "65ipacertstore.ldif",
--- a/debian/patches/revert-revert-removal-of-cn-attribute.diff
+++ b/debian/patches/revert-revert-removal-of-cn-attribute.diff
@@ -0,0 +1,21 @@
+commit 323bc2dc6b6a3f7919b6cb477df357119abdee8d
+Author: Timo Aaltonen <tjaalton@debian.org>
+Date:   Fri Sep 25 06:02:10 2015 +0300
+
+    Revert "revert removal of cn attribute from idnsRecord"
+    
+    This reverts commit 2fa07b1d24f61f9bcff5adb804a18c9eae72932d.
+
+diff --git a/install/share/60ipadns.ldif b/install/share/60ipadns.ldif
+index 8fd0bb9..678a5b4 100644
+--- a/install/share/60ipadns.ldif
+++ b/install/share/60ipadns.ldif
+@@ -63,7 +63,7 @@ attributeTypes: ( 2.16.840.1.113730.3.8.5.25 NAME 'idnsSecKeyRevoke' DESC 'DNSKE
+ attributeTypes: ( 2.16.840.1.113730.3.8.5.26 NAME 'idnsSecKeySep' DESC 'DNSKEY SEP flag (equivalent to bit 15): RFC 4035' EQUALITY booleanMatch SYNTAX 1.3.6.1.4.1.1466.115.121.1.7 SINGLE-VALUE X-ORIGIN 'IPA v4.1' )
+ attributeTypes: ( 2.16.840.1.113730.3.8.5.27 NAME 'idnsSecAlgorithm' DESC 'DNSKEY algorithm: string used as mnemonic' EQUALITY caseIgnoreIA5Match SUBSTR caseIgnoreIA5SubstringsMatch SYNTAX 1.3.6.1.4.1.1466.115.121.1.26 SINGLE-VALUE X-ORIGIN 'IPA v4.1' )
+ attributeTypes: ( 2.16.840.1.113730.3.8.5.28 NAME 'idnsSecKeyRef' DESC 'PKCS#11 URI of the key' EQUALITY caseExactMatch SINGLE-VALUE SYNTAX 1.3.6.1.4.1.1466.115.121.1.15 X-ORIGIN 'IPA v4.1' )
+-objectClasses: ( 2.16.840.1.113730.3.8.6.0 NAME 'idnsRecord' DESC 'dns Record, usually a host' SUP top STRUCTURAL MUST idnsName MAY ( cn $ idnsAllowDynUpdate $ dNSTTL $ dNSClass $ aRecord $ aAAARecord $ a6Record $ nSRecord $ cNAMERecord $ pTRRecord $ sRVRecord $ tXTRecord $ mXRecord $ mDRecord $ hInfoRecord $ mInfoRecord $ aFSDBRecord $ SigRecord $ KeyRecord $ LocRecord $ nXTRecord $ nAPTRRecord $ kXRecord $ certRecord $ dNameRecord $ dSRecord $ sSHFPRecord $ rRSIGRecord $ nSECRecord $ DLVRecord $ TLSARecord ) )
+objectClasses: ( 2.16.840.1.113730.3.8.6.0 NAME 'idnsRecord' DESC 'dns Record, usually a host' SUP top STRUCTURAL MUST idnsName MAY ( idnsAllowDynUpdate $ dNSTTL $ dNSClass $ aRecord $ aAAARecord $ a6Record $ nSRecord $ cNAMERecord $ pTRRecord $ sRVRecord $ tXTRecord $ mXRecord $ mDRecord $ hInfoRecord $ mInfoRecord $ aFSDBRecord $ SigRecord $ KeyRecord $ LocRecord $ nXTRecord $ nAPTRRecord $ kXRecord $ certRecord $ dNameRecord $ dSRecord $ sSHFPRecord $ rRSIGRecord $ nSECRecord $ DLVRecord $ TLSARecord ) )
+ objectClasses: ( 2.16.840.1.113730.3.8.6.1 NAME 'idnsZone' DESC 'Zone class' SUP idnsRecord STRUCTURAL MUST ( idnsZoneActive $ idnsSOAmName $ idnsSOArName $ idnsSOAserial $ idnsSOArefresh $ idnsSOAretry $ idnsSOAexpire $ idnsSOAminimum ) MAY ( idnsUpdatePolicy $ idnsAllowQuery $ idnsAllowTransfer $ idnsAllowSyncPTR $ idnsForwardPolicy $ idnsForwarders $ idnsSecInlineSigning $ nSEC3PARAMRecord ) )
+ objectClasses: ( 2.16.840.1.113730.3.8.6.2 NAME 'idnsConfigObject' DESC 'DNS global config options' STRUCTURAL MAY ( idnsForwardPolicy $ idnsForwarders $ idnsAllowSyncPTR $ idnsZoneRefresh $ idnsPersistentSearch ) )
+ objectClasses: ( 2.16.840.1.113730.3.8.12.18 NAME 'ipaDNSZone' SUP top AUXILIARY MUST idnsName MAY managedBy X-ORIGIN 'IPA v3' )
--- a/debian/patches/series
+++ b/debian/patches/series
@@ -14,3 +14,6 @@ fix-ipa-conf.diff
 revert-pykerberos-api-change.diff

 disable-dnssec-support.patch
+revert-revert-removal-of-cn-attribute.diff
+revert-dnssec-schema.diff
+revert-dnssec-aci.diff