Merge branch 'upstream'

ACI.txt

@@ -1,260 +1,262 @@
-dn: cn=System: Read Automember Definitions,cn=permissions,cn=pbac,dc=ipa,dc=example
+dn: cn=automember,cn=etc,dc=ipa,dc=example
 aci: (targetattr = "automemberdefaultgroup || automemberdisabled || automemberfilter || automembergroupingattr || automemberscope || cn || objectclass")(targetfilter = "(objectclass=automemberdefinition)")(version 3.0;acl "permission:System: Read Automember Definitions";allow (compare,read,search) groupdn = "ldap:///cn=System: Read Automember Definitions,cn=permissions,cn=pbac,dc=ipa,dc=example";)
-dn: cn=System: Read Automember Rules,cn=permissions,cn=pbac,dc=ipa,dc=example
+dn: cn=automember,cn=etc,dc=ipa,dc=example
 aci: (targetattr = "automemberexclusiveregex || automemberinclusiveregex || automembertargetgroup || cn || description || objectclass")(targetfilter = "(objectclass=automemberregexrule)")(version 3.0;acl "permission:System: Read Automember Rules";allow (compare,read,search) groupdn = "ldap:///cn=System: Read Automember Rules,cn=permissions,cn=pbac,dc=ipa,dc=example";)
-dn: cn=System: Read Automember Tasks,cn=permissions,cn=pbac,dc=ipa,dc=example
+dn: cn=tasks,cn=config
 aci: (targetattr = "*")(target = "ldap:///cn=*,cn=automember rebuild membership,cn=tasks,cn=config")(version 3.0;acl "permission:System: Read Automember Tasks";allow (compare,read,search) groupdn = "ldap:///cn=System: Read Automember Tasks,cn=permissions,cn=pbac,dc=ipa,dc=example";)
-dn: cn=System: Add Automount Keys,cn=permissions,cn=pbac,dc=ipa,dc=example
+dn: cn=automount,dc=ipa,dc=example
 aci: (targetfilter = "(objectclass=automount)")(version 3.0;acl "permission:System: Add Automount Keys";allow (add) groupdn = "ldap:///cn=System: Add Automount Keys,cn=permissions,cn=pbac,dc=ipa,dc=example";)
-dn: cn=System: Modify Automount Keys,cn=permissions,cn=pbac,dc=ipa,dc=example
+dn: cn=automount,dc=ipa,dc=example
 aci: (targetattr = "automountinformation || automountkey || description")(targetfilter = "(objectclass=automount)")(version 3.0;acl "permission:System: Modify Automount Keys";allow (write) groupdn = "ldap:///cn=System: Modify Automount Keys,cn=permissions,cn=pbac,dc=ipa,dc=example";)
-dn: cn=System: Remove Automount Keys,cn=permissions,cn=pbac,dc=ipa,dc=example
+dn: cn=automount,dc=ipa,dc=example
 aci: (targetfilter = "(objectclass=automount)")(version 3.0;acl "permission:System: Remove Automount Keys";allow (delete) groupdn = "ldap:///cn=System: Remove Automount Keys,cn=permissions,cn=pbac,dc=ipa,dc=example";)
-dn: cn=System: Add Automount Locations,cn=permissions,cn=pbac,dc=ipa,dc=example
+dn: cn=automount,dc=ipa,dc=example
 aci: (targetfilter = "(objectclass=nscontainer)")(version 3.0;acl "permission:System: Add Automount Locations";allow (add) groupdn = "ldap:///cn=System: Add Automount Locations,cn=permissions,cn=pbac,dc=ipa,dc=example";)
-dn: cn=System: Read Automount Configuration,cn=permissions,cn=pbac,dc=ipa,dc=example
+dn: cn=automount,dc=ipa,dc=example
 aci: (targetattr = "automountinformation || automountkey || automountmapname || cn || description || objectclass")(version 3.0;acl "permission:System: Read Automount Configuration";allow (compare,read,search) userdn = "ldap:///anyone";)
-dn: cn=System: Remove Automount Locations,cn=permissions,cn=pbac,dc=ipa,dc=example
+dn: cn=automount,dc=ipa,dc=example
 aci: (targetfilter = "(objectclass=nscontainer)")(version 3.0;acl "permission:System: Remove Automount Locations";allow (delete) groupdn = "ldap:///cn=System: Remove Automount Locations,cn=permissions,cn=pbac,dc=ipa,dc=example";)
-dn: cn=System: Add Automount Maps,cn=permissions,cn=pbac,dc=ipa,dc=example
+dn: cn=automount,dc=ipa,dc=example
 aci: (targetfilter = "(objectclass=automountmap)")(version 3.0;acl "permission:System: Add Automount Maps";allow (add) groupdn = "ldap:///cn=System: Add Automount Maps,cn=permissions,cn=pbac,dc=ipa,dc=example";)
-dn: cn=System: Modify Automount Maps,cn=permissions,cn=pbac,dc=ipa,dc=example
+dn: cn=automount,dc=ipa,dc=example
 aci: (targetattr = "automountmapname || description")(targetfilter = "(objectclass=automountmap)")(version 3.0;acl "permission:System: Modify Automount Maps";allow (write) groupdn = "ldap:///cn=System: Modify Automount Maps,cn=permissions,cn=pbac,dc=ipa,dc=example";)
-dn: cn=System: Remove Automount Maps,cn=permissions,cn=pbac,dc=ipa,dc=example
+dn: cn=automount,dc=ipa,dc=example
 aci: (targetfilter = "(objectclass=automountmap)")(version 3.0;acl "permission:System: Remove Automount Maps";allow (delete) groupdn = "ldap:///cn=System: Remove Automount Maps,cn=permissions,cn=pbac,dc=ipa,dc=example";)
-dn: cn=System: Read Global Configuration,cn=permissions,cn=pbac,dc=ipa,dc=example
+dn: cn=ipaconfig,cn=etc,dc=ipa,dc=example
 aci: (targetattr = "cn || ipacertificatesubjectbase || ipaconfigstring || ipacustomfields || ipadefaultemaildomain || ipadefaultloginshell || ipadefaultprimarygroup || ipagroupobjectclasses || ipagroupsearchfields || ipahomesrootdir || ipakrbauthzdata || ipamaxusernamelength || ipamigrationenabled || ipapwdexpadvnotify || ipasearchrecordslimit || ipasearchtimelimit || ipaselinuxusermapdefault || ipaselinuxusermaporder || ipauserauthtype || ipauserobjectclasses || ipausersearchfields || objectclass")(targetfilter = "(objectclass=ipaguiconfig)")(version 3.0;acl "permission:System: Read Global Configuration";allow (compare,read,search) userdn = "ldap:///all";)
-dn: cn=System: Add Group Password Policy costemplate,cn=permissions,cn=pbac,dc=ipa,dc=example
+dn: cn=costemplates,cn=accounts,dc=ipa,dc=example
 aci: (targetfilter = "(objectclass=costemplate)")(version 3.0;acl "permission:System: Add Group Password Policy costemplate";allow (add) groupdn = "ldap:///cn=System: Add Group Password Policy costemplate,cn=permissions,cn=pbac,dc=ipa,dc=example";)
-dn: cn=System: Delete Group Password Policy costemplate,cn=permissions,cn=pbac,dc=ipa,dc=example
+dn: cn=costemplates,cn=accounts,dc=ipa,dc=example
 aci: (targetfilter = "(objectclass=costemplate)")(version 3.0;acl "permission:System: Delete Group Password Policy costemplate";allow (delete) groupdn = "ldap:///cn=System: Delete Group Password Policy costemplate,cn=permissions,cn=pbac,dc=ipa,dc=example";)
-dn: cn=System: Modify Group Password Policy costemplate,cn=permissions,cn=pbac,dc=ipa,dc=example
+dn: cn=costemplates,cn=accounts,dc=ipa,dc=example
 aci: (targetattr = "cospriority")(targetfilter = "(objectclass=costemplate)")(version 3.0;acl "permission:System: Modify Group Password Policy costemplate";allow (write) groupdn = "ldap:///cn=System: Modify Group Password Policy costemplate,cn=permissions,cn=pbac,dc=ipa,dc=example";)
-dn: cn=System: Read Group Password Policy costemplate,cn=permissions,cn=pbac,dc=ipa,dc=example
+dn: cn=costemplates,cn=accounts,dc=ipa,dc=example
 aci: (targetattr = "cn || cospriority || krbpwdpolicyreference || objectclass")(targetfilter = "(objectclass=costemplate)")(version 3.0;acl "permission:System: Read Group Password Policy costemplate";allow (compare,read,search) groupdn = "ldap:///cn=System: Read Group Password Policy costemplate,cn=permissions,cn=pbac,dc=ipa,dc=example";)
-dn: cn=System: Read DNS Configuration,cn=permissions,cn=pbac,dc=ipa,dc=example
+dn: dc=ipa,dc=example
 aci: (targetattr = "idnsallowsyncptr || idnsforwarders || idnsforwardpolicy || idnspersistentsearch || idnszonerefresh || objectclass")(target = "ldap:///cn=dns,dc=ipa,dc=example")(targetfilter = "(objectclass=idnsConfigObject)")(version 3.0;acl "permission:System: Read DNS Configuration";allow (read) groupdn = "ldap:///cn=System: Read DNS Configuration,cn=permissions,cn=pbac,dc=ipa,dc=example";)
-dn: cn=System: Write DNS Configuration,cn=permissions,cn=pbac,dc=ipa,dc=example
+dn: dc=ipa,dc=example
 aci: (targetattr = "idnsallowsyncptr || idnsforwarders || idnsforwardpolicy || idnspersistentsearch || idnszonerefresh")(target = "ldap:///cn=dns,dc=ipa,dc=example")(targetfilter = "(objectclass=idnsConfigObject)")(version 3.0;acl "permission:System: Write DNS Configuration";allow (write) groupdn = "ldap:///cn=System: Write DNS Configuration,cn=permissions,cn=pbac,dc=ipa,dc=example";)
-dn: cn=System: Add DNS Entries,cn=permissions,cn=pbac,dc=ipa,dc=example
+dn: dc=ipa,dc=example
 aci: (target = "ldap:///idnsname=*,cn=dns,dc=ipa,dc=example")(version 3.0;acl "permission:System: Add DNS Entries";allow (add) groupdn = "ldap:///cn=System: Add DNS Entries,cn=permissions,cn=pbac,dc=ipa,dc=example";)
-dn: cn=System: Read DNS Entries,cn=permissions,cn=pbac,dc=ipa,dc=example
+dn: dc=ipa,dc=example
 aci: (targetattr = "a6record || aaaarecord || afsdbrecord || arecord || certrecord || cn || cnamerecord || dlvrecord || dnamerecord || dnsclass || dnsttl || dsrecord || hinforecord || idnsallowdynupdate || idnsallowquery || idnsallowsyncptr || idnsallowtransfer || idnsforwarders || idnsforwardpolicy || idnsname || idnssecinlinesigning || idnssoaexpire || idnssoaminimum || idnssoamname || idnssoarefresh || idnssoaretry || idnssoarname || idnssoaserial || idnsupdatepolicy || idnszoneactive || keyrecord || kxrecord || locrecord || managedby || mdrecord || minforecord || mxrecord || naptrrecord || nsec3paramrecord || nsecrecord || nsrecord || nxtrecord || objectclass || ptrrecord || rrsigrecord || sigrecord || srvrecord || sshfprecord || tlsarecord || txtrecord")(target = "ldap:///idnsname=*,cn=dns,dc=ipa,dc=example")(version 3.0;acl "permission:System: Read DNS Entries";allow (compare,read,search) groupdn = "ldap:///cn=System: Read DNS Entries,cn=permissions,cn=pbac,dc=ipa,dc=example";)
-dn: cn=System: Remove DNS Entries,cn=permissions,cn=pbac,dc=ipa,dc=example
+dn: dc=ipa,dc=example
 aci: (target = "ldap:///idnsname=*,cn=dns,dc=ipa,dc=example")(version 3.0;acl "permission:System: Remove DNS Entries";allow (delete) groupdn = "ldap:///cn=System: Remove DNS Entries,cn=permissions,cn=pbac,dc=ipa,dc=example";)
-dn: cn=System: Update DNS Entries,cn=permissions,cn=pbac,dc=ipa,dc=example
+dn: dc=ipa,dc=example
 aci: (targetattr = "a6record || aaaarecord || afsdbrecord || arecord || certrecord || cn || cnamerecord || dlvrecord || dnamerecord || dnsclass || dnsttl || dsrecord || hinforecord || idnsallowdynupdate || idnsallowquery || idnsallowsyncptr || idnsallowtransfer || idnsforwarders || idnsforwardpolicy || idnsname || idnssecinlinesigning || idnssoaexpire || idnssoaminimum || idnssoamname || idnssoarefresh || idnssoaretry || idnssoarname || idnssoaserial || idnsupdatepolicy || idnszoneactive || keyrecord || kxrecord || locrecord || managedby || mdrecord || minforecord || mxrecord || naptrrecord || nsec3paramrecord || nsecrecord || nsrecord || nxtrecord || ptrrecord || rrsigrecord || sigrecord || srvrecord || sshfprecord || tlsarecord || txtrecord")(target = "ldap:///idnsname=*,cn=dns,dc=ipa,dc=example")(version 3.0;acl "permission:System: Update DNS Entries";allow (write) groupdn = "ldap:///cn=System: Update DNS Entries,cn=permissions,cn=pbac,dc=ipa,dc=example";)
-dn: cn=System: Add Groups,cn=permissions,cn=pbac,dc=ipa,dc=example
+dn: cn=groups,cn=accounts,dc=ipa,dc=example
 aci: (targetfilter = "(|(objectclass=ipausergroup)(objectclass=posixgroup))")(version 3.0;acl "permission:System: Add Groups";allow (add) groupdn = "ldap:///cn=System: Add Groups,cn=permissions,cn=pbac,dc=ipa,dc=example";)
-dn: cn=System: Modify Group Membership,cn=permissions,cn=pbac,dc=ipa,dc=example
+dn: cn=groups,cn=accounts,dc=ipa,dc=example
 aci: (targetattr = "member")(targetfilter = "(&(!(cn=admins))(objectclass=ipausergroup))")(version 3.0;acl "permission:System: Modify Group Membership";allow (write) groupdn = "ldap:///cn=System: Modify Group Membership,cn=permissions,cn=pbac,dc=ipa,dc=example";)
-dn: cn=System: Modify Groups,cn=permissions,cn=pbac,dc=ipa,dc=example
+dn: cn=groups,cn=accounts,dc=ipa,dc=example
 aci: (targetattr = "cn || description || gidnumber || ipauniqueid || mepmanagedby || objectclass")(targetfilter = "(|(objectclass=ipausergroup)(objectclass=posixgroup))")(version 3.0;acl "permission:System: Modify Groups";allow (write) groupdn = "ldap:///cn=System: Modify Groups,cn=permissions,cn=pbac,dc=ipa,dc=example";)
-dn: cn=System: Read Group Membership,cn=permissions,cn=pbac,dc=ipa,dc=example
+dn: cn=groups,cn=accounts,dc=ipa,dc=example
 aci: (targetattr = "member || memberhost || memberof || memberuid || memberuser")(targetfilter = "(|(objectclass=ipausergroup)(objectclass=posixgroup))")(version 3.0;acl "permission:System: Read Group Membership";allow (compare,read,search) userdn = "ldap:///all";)
-dn: cn=System: Read Groups,cn=permissions,cn=pbac,dc=ipa,dc=example
+dn: cn=groups,cn=accounts,dc=ipa,dc=example
 aci: (targetattr = "businesscategory || cn || description || gidnumber || ipaexternalmember || ipantsecurityidentifier || ipauniqueid || mepmanagedby || o || objectclass || ou || owner || seealso")(targetfilter = "(|(objectclass=ipausergroup)(objectclass=posixgroup))")(version 3.0;acl "permission:System: Read Groups";allow (compare,read,search) userdn = "ldap:///anyone";)
-dn: cn=System: Remove Groups,cn=permissions,cn=pbac,dc=ipa,dc=example
+dn: cn=groups,cn=accounts,dc=ipa,dc=example
 aci: (targetfilter = "(|(objectclass=ipausergroup)(objectclass=posixgroup))")(version 3.0;acl "permission:System: Remove Groups";allow (delete) groupdn = "ldap:///cn=System: Remove Groups,cn=permissions,cn=pbac,dc=ipa,dc=example";)
-dn: cn=System: Add HBAC Rule,cn=permissions,cn=pbac,dc=ipa,dc=example
+dn: cn=hbac,dc=ipa,dc=example
 aci: (targetfilter = "(objectclass=ipahbacrule)")(version 3.0;acl "permission:System: Add HBAC Rule";allow (add) groupdn = "ldap:///cn=System: Add HBAC Rule,cn=permissions,cn=pbac,dc=ipa,dc=example";)
-dn: cn=System: Delete HBAC Rule,cn=permissions,cn=pbac,dc=ipa,dc=example
+dn: cn=hbac,dc=ipa,dc=example
 aci: (targetfilter = "(objectclass=ipahbacrule)")(version 3.0;acl "permission:System: Delete HBAC Rule";allow (delete) groupdn = "ldap:///cn=System: Delete HBAC Rule,cn=permissions,cn=pbac,dc=ipa,dc=example";)
-dn: cn=System: Manage HBAC Rule Membership,cn=permissions,cn=pbac,dc=ipa,dc=example
+dn: cn=hbac,dc=ipa,dc=example
 aci: (targetattr = "externalhost || memberhost || memberservice || memberuser")(targetfilter = "(objectclass=ipahbacrule)")(version 3.0;acl "permission:System: Manage HBAC Rule Membership";allow (write) groupdn = "ldap:///cn=System: Manage HBAC Rule Membership,cn=permissions,cn=pbac,dc=ipa,dc=example";)
-dn: cn=System: Modify HBAC Rule,cn=permissions,cn=pbac,dc=ipa,dc=example
+dn: cn=hbac,dc=ipa,dc=example
 aci: (targetattr = "accessruletype || accesstime || cn || description || hostcategory || ipaenabledflag || servicecategory || sourcehost || sourcehostcategory || usercategory")(targetfilter = "(objectclass=ipahbacrule)")(version 3.0;acl "permission:System: Modify HBAC Rule";allow (write) groupdn = "ldap:///cn=System: Modify HBAC Rule,cn=permissions,cn=pbac,dc=ipa,dc=example";)
-dn: cn=System: Read HBAC Rules,cn=permissions,cn=pbac,dc=ipa,dc=example
+dn: cn=hbac,dc=ipa,dc=example
 aci: (targetattr = "accessruletype || accesstime || cn || description || externalhost || hostcategory || ipaenabledflag || ipauniqueid || member || memberhost || memberservice || memberuser || objectclass || servicecategory || sourcehost || sourcehostcategory || usercategory")(targetfilter = "(objectclass=ipahbacrule)")(version 3.0;acl "permission:System: Read HBAC Rules";allow (compare,read,search) userdn = "ldap:///all";)
-dn: cn=System: Add HBAC Services,cn=permissions,cn=pbac,dc=ipa,dc=example
+dn: cn=hbacservices,cn=hbac,dc=ipa,dc=example
 aci: (targetfilter = "(objectclass=ipahbacservice)")(version 3.0;acl "permission:System: Add HBAC Services";allow (add) groupdn = "ldap:///cn=System: Add HBAC Services,cn=permissions,cn=pbac,dc=ipa,dc=example";)
-dn: cn=System: Delete HBAC Services,cn=permissions,cn=pbac,dc=ipa,dc=example
+dn: cn=hbacservices,cn=hbac,dc=ipa,dc=example
 aci: (targetfilter = "(objectclass=ipahbacservice)")(version 3.0;acl "permission:System: Delete HBAC Services";allow (delete) groupdn = "ldap:///cn=System: Delete HBAC Services,cn=permissions,cn=pbac,dc=ipa,dc=example";)
-dn: cn=System: Read HBAC Services,cn=permissions,cn=pbac,dc=ipa,dc=example
+dn: cn=hbacservices,cn=hbac,dc=ipa,dc=example
 aci: (targetattr = "cn || description || ipauniqueid || memberof || objectclass")(targetfilter = "(objectclass=ipahbacservice)")(version 3.0;acl "permission:System: Read HBAC Services";allow (compare,read,search) userdn = "ldap:///all";)
-dn: cn=System: Add HBAC Service Groups,cn=permissions,cn=pbac,dc=ipa,dc=example
+dn: cn=hbacservicegroups,cn=hbac,dc=ipa,dc=example
 aci: (targetfilter = "(objectclass=ipahbacservicegroup)")(version 3.0;acl "permission:System: Add HBAC Service Groups";allow (add) groupdn = "ldap:///cn=System: Add HBAC Service Groups,cn=permissions,cn=pbac,dc=ipa,dc=example";)
-dn: cn=System: Delete HBAC Service Groups,cn=permissions,cn=pbac,dc=ipa,dc=example
+dn: cn=hbacservicegroups,cn=hbac,dc=ipa,dc=example
 aci: (targetfilter = "(objectclass=ipahbacservicegroup)")(version 3.0;acl "permission:System: Delete HBAC Service Groups";allow (delete) groupdn = "ldap:///cn=System: Delete HBAC Service Groups,cn=permissions,cn=pbac,dc=ipa,dc=example";)
-dn: cn=System: Manage HBAC Service Group Membership,cn=permissions,cn=pbac,dc=ipa,dc=example
+dn: cn=hbacservicegroups,cn=hbac,dc=ipa,dc=example
 aci: (targetattr = "member")(targetfilter = "(objectclass=ipahbacservicegroup)")(version 3.0;acl "permission:System: Manage HBAC Service Group Membership";allow (write) groupdn = "ldap:///cn=System: Manage HBAC Service Group Membership,cn=permissions,cn=pbac,dc=ipa,dc=example";)
-dn: cn=System: Read HBAC Service Groups,cn=permissions,cn=pbac,dc=ipa,dc=example
+dn: cn=hbacservicegroups,cn=hbac,dc=ipa,dc=example
 aci: (targetattr = "businesscategory || cn || description || ipauniqueid || member || memberhost || memberuser || o || objectclass || ou || owner || seealso")(targetfilter = "(objectclass=ipahbacservicegroup)")(version 3.0;acl "permission:System: Read HBAC Service Groups";allow (compare,read,search) userdn = "ldap:///all";)
-dn: cn=System: Add Hosts,cn=permissions,cn=pbac,dc=ipa,dc=example
+dn: cn=computers,cn=accounts,dc=ipa,dc=example
 aci: (targetfilter = "(objectclass=ipahost)")(version 3.0;acl "permission:System: Add Hosts";allow (add) groupdn = "ldap:///cn=System: Add Hosts,cn=permissions,cn=pbac,dc=ipa,dc=example";)
-dn: cn=System: Add krbPrincipalName to a Host,cn=permissions,cn=pbac,dc=ipa,dc=example
+dn: cn=computers,cn=accounts,dc=ipa,dc=example
 aci: (targetattr = "krbprincipalname")(targetfilter = "(&(!(krbprincipalname=*))(objectclass=ipahost))")(version 3.0;acl "permission:System: Add krbPrincipalName to a Host";allow (write) groupdn = "ldap:///cn=System: Add krbPrincipalName to a Host,cn=permissions,cn=pbac,dc=ipa,dc=example";)
-dn: cn=System: Enroll a Host,cn=permissions,cn=pbac,dc=ipa,dc=example
+dn: cn=computers,cn=accounts,dc=ipa,dc=example
 aci: (targetattr = "enrolledby || objectclass")(targetfilter = "(objectclass=ipahost)")(version 3.0;acl "permission:System: Enroll a Host";allow (write) groupdn = "ldap:///cn=System: Enroll a Host,cn=permissions,cn=pbac,dc=ipa,dc=example";)
-dn: cn=System: Manage Host Certificates,cn=permissions,cn=pbac,dc=ipa,dc=example
+dn: cn=computers,cn=accounts,dc=ipa,dc=example
 aci: (targetattr = "usercertificate")(targetfilter = "(objectclass=ipahost)")(version 3.0;acl "permission:System: Manage Host Certificates";allow (write) groupdn = "ldap:///cn=System: Manage Host Certificates,cn=permissions,cn=pbac,dc=ipa,dc=example";)
-dn: cn=System: Manage Host Enrollment Password,cn=permissions,cn=pbac,dc=ipa,dc=example
+dn: cn=computers,cn=accounts,dc=ipa,dc=example
 aci: (targetattr = "userpassword")(targetfilter = "(objectclass=ipahost)")(version 3.0;acl "permission:System: Manage Host Enrollment Password";allow (write) groupdn = "ldap:///cn=System: Manage Host Enrollment Password,cn=permissions,cn=pbac,dc=ipa,dc=example";)
-dn: cn=System: Manage Host Keytab,cn=permissions,cn=pbac,dc=ipa,dc=example
+dn: cn=computers,cn=accounts,dc=ipa,dc=example
 aci: (targetattr = "krblastpwdchange || krbprincipalkey")(targetfilter = "(objectclass=ipahost)")(version 3.0;acl "permission:System: Manage Host Keytab";allow (write) groupdn = "ldap:///cn=System: Manage Host Keytab,cn=permissions,cn=pbac,dc=ipa,dc=example";)
-dn: cn=System: Manage Host SSH Public Keys,cn=permissions,cn=pbac,dc=ipa,dc=example
+dn: cn=computers,cn=accounts,dc=ipa,dc=example
 aci: (targetattr = "ipasshpubkey")(targetfilter = "(objectclass=ipahost)")(version 3.0;acl "permission:System: Manage Host SSH Public Keys";allow (write) groupdn = "ldap:///cn=System: Manage Host SSH Public Keys,cn=permissions,cn=pbac,dc=ipa,dc=example";)
-dn: cn=System: Modify Hosts,cn=permissions,cn=pbac,dc=ipa,dc=example
+dn: cn=computers,cn=accounts,dc=ipa,dc=example
 aci: (targetattr = "description || l || macaddress || nshardwareplatform || nshostlocation || nsosversion || userclass")(targetfilter = "(objectclass=ipahost)")(version 3.0;acl "permission:System: Modify Hosts";allow (write) groupdn = "ldap:///cn=System: Modify Hosts,cn=permissions,cn=pbac,dc=ipa,dc=example";)
-dn: cn=System: Read Host Membership,cn=permissions,cn=pbac,dc=ipa,dc=example
+dn: cn=computers,cn=accounts,dc=ipa,dc=example
 aci: (targetattr = "memberof")(targetfilter = "(objectclass=ipahost)")(version 3.0;acl "permission:System: Read Host Membership";allow (compare,read,search) userdn = "ldap:///all";)
-dn: cn=System: Read Hosts,cn=permissions,cn=pbac,dc=ipa,dc=example
+dn: cn=computers,cn=accounts,dc=ipa,dc=example
 aci: (targetattr = "cn || description || enrolledby || fqdn || ipaclientversion || ipakrbauthzdata || ipasshpubkey || ipauniqueid || krbcanonicalname || krblastpwdchange || krbpasswordexpiration || krbprincipalaliases || krbprincipalexpiration || krbprincipalname || l || macaddress || managedby || nshardwareplatform || nshostlocation || nsosversion || objectclass || serverhostname || usercertificate || userclass")(targetfilter = "(objectclass=ipahost)")(version 3.0;acl "permission:System: Read Hosts";allow (compare,read,search) userdn = "ldap:///all";)
-dn: cn=System: Remove Hosts,cn=permissions,cn=pbac,dc=ipa,dc=example
+dn: cn=computers,cn=accounts,dc=ipa,dc=example
 aci: (targetfilter = "(objectclass=ipahost)")(version 3.0;acl "permission:System: Remove Hosts";allow (delete) groupdn = "ldap:///cn=System: Remove Hosts,cn=permissions,cn=pbac,dc=ipa,dc=example";)
-dn: cn=System: Add Hostgroups,cn=permissions,cn=pbac,dc=ipa,dc=example
+dn: cn=hostgroups,cn=accounts,dc=ipa,dc=example
 aci: (targetfilter = "(objectclass=ipahostgroup)")(version 3.0;acl "permission:System: Add Hostgroups";allow (add) groupdn = "ldap:///cn=System: Add Hostgroups,cn=permissions,cn=pbac,dc=ipa,dc=example";)
-dn: cn=System: Modify Hostgroup Membership,cn=permissions,cn=pbac,dc=ipa,dc=example
+dn: cn=hostgroups,cn=accounts,dc=ipa,dc=example
 aci: (targetattr = "member")(targetfilter = "(objectclass=ipahostgroup)")(version 3.0;acl "permission:System: Modify Hostgroup Membership";allow (write) groupdn = "ldap:///cn=System: Modify Hostgroup Membership,cn=permissions,cn=pbac,dc=ipa,dc=example";)
-dn: cn=System: Modify Hostgroups,cn=permissions,cn=pbac,dc=ipa,dc=example
+dn: cn=hostgroups,cn=accounts,dc=ipa,dc=example
 aci: (targetattr = "cn || description")(targetfilter = "(objectclass=ipahostgroup)")(version 3.0;acl "permission:System: Modify Hostgroups";allow (write) groupdn = "ldap:///cn=System: Modify Hostgroups,cn=permissions,cn=pbac,dc=ipa,dc=example";)
-dn: cn=System: Read Hostgroup Membership,cn=permissions,cn=pbac,dc=ipa,dc=example
+dn: cn=hostgroups,cn=accounts,dc=ipa,dc=example
 aci: (targetattr = "member || memberhost || memberof || memberuser")(targetfilter = "(objectclass=ipahostgroup)")(version 3.0;acl "permission:System: Read Hostgroup Membership";allow (compare,read,search) userdn = "ldap:///all";)
-dn: cn=System: Read Hostgroups,cn=permissions,cn=pbac,dc=ipa,dc=example
+dn: cn=hostgroups,cn=accounts,dc=ipa,dc=example
 aci: (targetattr = "businesscategory || cn || description || ipauniqueid || o || objectclass || ou || owner || seealso")(targetfilter = "(objectclass=ipahostgroup)")(version 3.0;acl "permission:System: Read Hostgroups";allow (compare,read,search) userdn = "ldap:///all";)
-dn: cn=System: Remove Hostgroups,cn=permissions,cn=pbac,dc=ipa,dc=example
+dn: cn=hostgroups,cn=accounts,dc=ipa,dc=example
 aci: (targetfilter = "(objectclass=ipahostgroup)")(version 3.0;acl "permission:System: Remove Hostgroups";allow (delete) groupdn = "ldap:///cn=System: Remove Hostgroups,cn=permissions,cn=pbac,dc=ipa,dc=example";)
-dn: cn=System: Read ID Ranges,cn=permissions,cn=pbac,dc=ipa,dc=example
+dn: cn=ranges,cn=etc,dc=ipa,dc=example
 aci: (targetattr = "cn || ipabaseid || ipabaserid || ipaidrangesize || ipanttrusteddomainsid || iparangetype || ipasecondarybaserid || objectclass")(targetfilter = "(objectclass=ipaidrange)")(version 3.0;acl "permission:System: Read ID Ranges";allow (compare,read,search) userdn = "ldap:///all";)
-dn: cn=System: Read Default Kerberos Ticket Policy,cn=permissions,cn=pbac,dc=ipa,dc=example
+dn: cn=IPA.EXAMPLE,cn=kerberos,dc=ipa,dc=example
 aci: (targetattr = "krbdefaultencsalttypes || krbmaxrenewableage || krbmaxticketlife || krbsupportedencsalttypes || objectclass")(targetfilter = "(objectclass=krbticketpolicyaux)")(version 3.0;acl "permission:System: Read Default Kerberos Ticket Policy";allow (compare,read,search) groupdn = "ldap:///cn=System: Read Default Kerberos Ticket Policy,cn=permissions,cn=pbac,dc=ipa,dc=example";)
-dn: cn=System: Read User Kerberos Ticket Policy,cn=permissions,cn=pbac,dc=ipa,dc=example
+dn: cn=users,cn=accounts,dc=ipa,dc=example
 aci: (targetattr = "krbmaxrenewableage || krbmaxticketlife")(targetfilter = "(objectclass=krbticketpolicyaux)")(version 3.0;acl "permission:System: Read User Kerberos Ticket Policy";allow (compare,read,search) groupdn = "ldap:///cn=System: Read User Kerberos Ticket Policy,cn=permissions,cn=pbac,dc=ipa,dc=example";)
-dn: cn=System: Add Netgroups,cn=permissions,cn=pbac,dc=ipa,dc=example
+dn: cn=ng,cn=alt,dc=ipa,dc=example
 aci: (targetfilter = "(objectclass=ipanisnetgroup)")(version 3.0;acl "permission:System: Add Netgroups";allow (add) groupdn = "ldap:///cn=System: Add Netgroups,cn=permissions,cn=pbac,dc=ipa,dc=example";)
-dn: cn=System: Modify Netgroup Membership,cn=permissions,cn=pbac,dc=ipa,dc=example
+dn: cn=ng,cn=alt,dc=ipa,dc=example
 aci: (targetattr = "externalhost || member || memberhost || memberuser")(targetfilter = "(objectclass=ipanisnetgroup)")(version 3.0;acl "permission:System: Modify Netgroup Membership";allow (write) groupdn = "ldap:///cn=System: Modify Netgroup Membership,cn=permissions,cn=pbac,dc=ipa,dc=example";)
-dn: cn=System: Modify Netgroups,cn=permissions,cn=pbac,dc=ipa,dc=example
+dn: cn=ng,cn=alt,dc=ipa,dc=example
 aci: (targetattr = "description")(targetfilter = "(objectclass=ipanisnetgroup)")(version 3.0;acl "permission:System: Modify Netgroups";allow (write) groupdn = "ldap:///cn=System: Modify Netgroups,cn=permissions,cn=pbac,dc=ipa,dc=example";)
-dn: cn=System: Read Netgroup Membership,cn=permissions,cn=pbac,dc=ipa,dc=example
+dn: cn=ng,cn=alt,dc=ipa,dc=example
 aci: (targetattr = "externalhost || member || memberhost || memberof || memberuser || objectclass")(targetfilter = "(objectclass=ipanisnetgroup)")(version 3.0;acl "permission:System: Read Netgroup Membership";allow (compare,read,search) userdn = "ldap:///all";)
-dn: cn=System: Read Netgroups,cn=permissions,cn=pbac,dc=ipa,dc=example
+dn: cn=ng,cn=alt,dc=ipa,dc=example
 aci: (targetattr = "cn || description || hostcategory || ipaenabledflag || ipauniqueid || nisdomainname || objectclass || usercategory")(targetfilter = "(objectclass=ipanisnetgroup)")(version 3.0;acl "permission:System: Read Netgroups";allow (compare,read,search) userdn = "ldap:///all";)
-dn: cn=System: Remove Netgroups,cn=permissions,cn=pbac,dc=ipa,dc=example
+dn: cn=ng,cn=alt,dc=ipa,dc=example
 aci: (targetfilter = "(objectclass=ipanisnetgroup)")(version 3.0;acl "permission:System: Remove Netgroups";allow (delete) groupdn = "ldap:///cn=System: Remove Netgroups,cn=permissions,cn=pbac,dc=ipa,dc=example";)
-dn: cn=System: Modify Privilege Membership,cn=permissions,cn=pbac,dc=ipa,dc=example
+dn: cn=permissions,cn=pbac,dc=ipa,dc=example
 aci: (targetattr = "member")(targetfilter = "(objectclass=ipapermission)")(version 3.0;acl "permission:System: Modify Privilege Membership";allow (write) groupdn = "ldap:///cn=System: Modify Privilege Membership,cn=permissions,cn=pbac,dc=ipa,dc=example";)
-dn: cn=System: Read ACIs,cn=permissions,cn=pbac,dc=ipa,dc=example
+dn: dc=ipa,dc=example
 aci: (targetattr = "aci")(version 3.0;acl "permission:System: Read ACIs";allow (compare,read,search) groupdn = "ldap:///cn=System: Read ACIs,cn=permissions,cn=pbac,dc=ipa,dc=example";)
-dn: cn=System: Read Permissions,cn=permissions,cn=pbac,dc=ipa,dc=example
+dn: cn=permissions,cn=pbac,dc=ipa,dc=example
 aci: (targetattr = "businesscategory || cn || description || ipapermbindruletype || ipapermdefaultattr || ipapermexcludedattr || ipapermincludedattr || ipapermissiontype || ipapermlocation || ipapermright || ipapermtarget || ipapermtargetfilter || member || memberhost || memberof || memberuser || o || objectclass || ou || owner || seealso")(targetfilter = "(objectclass=ipapermission)")(version 3.0;acl "permission:System: Read Permissions";allow (compare,read,search) groupdn = "ldap:///cn=System: Read Permissions,cn=permissions,cn=pbac,dc=ipa,dc=example";)
-dn: cn=System: Add Privileges,cn=permissions,cn=pbac,dc=ipa,dc=example
+dn: cn=privileges,cn=pbac,dc=ipa,dc=example
 aci: (targetfilter = "(objectclass=groupofnames)")(version 3.0;acl "permission:System: Add Privileges";allow (add) groupdn = "ldap:///cn=System: Add Privileges,cn=permissions,cn=pbac,dc=ipa,dc=example";)
-dn: cn=System: Modify Privileges,cn=permissions,cn=pbac,dc=ipa,dc=example
+dn: cn=privileges,cn=pbac,dc=ipa,dc=example
 aci: (targetattr = "businesscategory || cn || description || o || ou || owner || seealso")(targetfilter = "(objectclass=groupofnames)")(version 3.0;acl "permission:System: Modify Privileges";allow (write) groupdn = "ldap:///cn=System: Modify Privileges,cn=permissions,cn=pbac,dc=ipa,dc=example";)
-dn: cn=System: Read Privileges,cn=permissions,cn=pbac,dc=ipa,dc=example
+dn: cn=privileges,cn=pbac,dc=ipa,dc=example
 aci: (targetattr = "businesscategory || cn || description || member || memberhost || memberof || memberuser || o || objectclass || ou || owner || seealso")(targetfilter = "(objectclass=groupofnames)")(version 3.0;acl "permission:System: Read Privileges";allow (compare,read,search) groupdn = "ldap:///cn=System: Read Privileges,cn=permissions,cn=pbac,dc=ipa,dc=example";)
-dn: cn=System: Remove Privileges,cn=permissions,cn=pbac,dc=ipa,dc=example
+dn: cn=privileges,cn=pbac,dc=ipa,dc=example
 aci: (targetfilter = "(objectclass=groupofnames)")(version 3.0;acl "permission:System: Remove Privileges";allow (delete) groupdn = "ldap:///cn=System: Remove Privileges,cn=permissions,cn=pbac,dc=ipa,dc=example";)
-dn: cn=System: Add Group Password Policy,cn=permissions,cn=pbac,dc=ipa,dc=example
+dn: cn=IPA.EXAMPLE,cn=kerberos,dc=ipa,dc=example
 aci: (targetfilter = "(objectclass=krbpwdpolicy)")(version 3.0;acl "permission:System: Add Group Password Policy";allow (add) groupdn = "ldap:///cn=System: Add Group Password Policy,cn=permissions,cn=pbac,dc=ipa,dc=example";)
-dn: cn=System: Delete Group Password Policy,cn=permissions,cn=pbac,dc=ipa,dc=example
+dn: cn=IPA.EXAMPLE,cn=kerberos,dc=ipa,dc=example
 aci: (targetfilter = "(objectclass=krbpwdpolicy)")(version 3.0;acl "permission:System: Delete Group Password Policy";allow (delete) groupdn = "ldap:///cn=System: Delete Group Password Policy,cn=permissions,cn=pbac,dc=ipa,dc=example";)
-dn: cn=System: Modify Group Password Policy,cn=permissions,cn=pbac,dc=ipa,dc=example
+dn: cn=IPA.EXAMPLE,cn=kerberos,dc=ipa,dc=example
 aci: (targetattr = "krbmaxpwdlife || krbminpwdlife || krbpwdfailurecountinterval || krbpwdhistorylength || krbpwdlockoutduration || krbpwdmaxfailure || krbpwdmindiffchars || krbpwdminlength")(targetfilter = "(objectclass=krbpwdpolicy)")(version 3.0;acl "permission:System: Modify Group Password Policy";allow (write) groupdn = "ldap:///cn=System: Modify Group Password Policy,cn=permissions,cn=pbac,dc=ipa,dc=example";)
-dn: cn=System: Read Group Password Policy,cn=permissions,cn=pbac,dc=ipa,dc=example
+dn: cn=IPA.EXAMPLE,cn=kerberos,dc=ipa,dc=example
 aci: (targetattr = "cn || cospriority || krbmaxpwdlife || krbminpwdlife || krbpwdfailurecountinterval || krbpwdhistorylength || krbpwdlockoutduration || krbpwdmaxfailure || krbpwdmindiffchars || krbpwdminlength || objectclass")(targetfilter = "(objectclass=krbpwdpolicy)")(version 3.0;acl "permission:System: Read Group Password Policy";allow (compare,read,search) groupdn = "ldap:///cn=System: Read Group Password Policy,cn=permissions,cn=pbac,dc=ipa,dc=example";)
-dn: cn=System: Read Realm Domains,cn=permissions,cn=pbac,dc=ipa,dc=example
+dn: cn=Realm Domains,cn=ipa,cn=etc,dc=ipa,dc=example
+aci: (targetattr = "associateddomain")(targetfilter = "(objectclass=domainrelatedobject)")(version 3.0;acl "permission:System: Modify Realm Domains";allow (write) groupdn = "ldap:///cn=System: Modify Realm Domains,cn=permissions,cn=pbac,dc=ipa,dc=example";)
+dn: cn=Realm Domains,cn=ipa,cn=etc,dc=ipa,dc=example
 aci: (targetattr = "associateddomain || cn || objectclass")(targetfilter = "(objectclass=domainrelatedobject)")(version 3.0;acl "permission:System: Read Realm Domains";allow (compare,read,search) userdn = "ldap:///all";)
-dn: cn=System: Add Roles,cn=permissions,cn=pbac,dc=ipa,dc=example
+dn: cn=roles,cn=accounts,dc=ipa,dc=example
 aci: (targetfilter = "(objectclass=groupofnames)")(version 3.0;acl "permission:System: Add Roles";allow (add) groupdn = "ldap:///cn=System: Add Roles,cn=permissions,cn=pbac,dc=ipa,dc=example";)
-dn: cn=System: Modify Role Membership,cn=permissions,cn=pbac,dc=ipa,dc=example
+dn: cn=roles,cn=accounts,dc=ipa,dc=example
 aci: (targetattr = "member")(targetfilter = "(objectclass=groupofnames)")(version 3.0;acl "permission:System: Modify Role Membership";allow (write) groupdn = "ldap:///cn=System: Modify Role Membership,cn=permissions,cn=pbac,dc=ipa,dc=example";)
-dn: cn=System: Modify Roles,cn=permissions,cn=pbac,dc=ipa,dc=example
+dn: cn=roles,cn=accounts,dc=ipa,dc=example
 aci: (targetattr = "cn || description")(targetfilter = "(objectclass=groupofnames)")(version 3.0;acl "permission:System: Modify Roles";allow (write) groupdn = "ldap:///cn=System: Modify Roles,cn=permissions,cn=pbac,dc=ipa,dc=example";)
-dn: cn=System: Read Roles,cn=permissions,cn=pbac,dc=ipa,dc=example
+dn: cn=roles,cn=accounts,dc=ipa,dc=example
 aci: (targetattr = "businesscategory || cn || description || member || memberhost || memberof || memberuser || o || objectclass || ou || owner || seealso")(targetfilter = "(objectclass=groupofnames)")(version 3.0;acl "permission:System: Read Roles";allow (compare,read,search) groupdn = "ldap:///cn=System: Read Roles,cn=permissions,cn=pbac,dc=ipa,dc=example";)
-dn: cn=System: Remove Roles,cn=permissions,cn=pbac,dc=ipa,dc=example
+dn: cn=roles,cn=accounts,dc=ipa,dc=example
 aci: (targetfilter = "(objectclass=groupofnames)")(version 3.0;acl "permission:System: Remove Roles";allow (delete) groupdn = "ldap:///cn=System: Remove Roles,cn=permissions,cn=pbac,dc=ipa,dc=example";)
-dn: cn=System: Add SELinux User Maps,cn=permissions,cn=pbac,dc=ipa,dc=example
+dn: cn=usermap,cn=selinux,dc=ipa,dc=example
 aci: (targetfilter = "(objectclass=ipaselinuxusermap)")(version 3.0;acl "permission:System: Add SELinux User Maps";allow (add) groupdn = "ldap:///cn=System: Add SELinux User Maps,cn=permissions,cn=pbac,dc=ipa,dc=example";)
-dn: cn=System: Modify SELinux User Maps,cn=permissions,cn=pbac,dc=ipa,dc=example
+dn: cn=usermap,cn=selinux,dc=ipa,dc=example
 aci: (targetattr = "cn || ipaenabledflag || ipaselinuxuser || memberhost || memberuser || seealso")(targetfilter = "(objectclass=ipaselinuxusermap)")(version 3.0;acl "permission:System: Modify SELinux User Maps";allow (write) groupdn = "ldap:///cn=System: Modify SELinux User Maps,cn=permissions,cn=pbac,dc=ipa,dc=example";)
-dn: cn=System: Read SELinux User Maps,cn=permissions,cn=pbac,dc=ipa,dc=example
+dn: cn=usermap,cn=selinux,dc=ipa,dc=example
 aci: (targetattr = "accesstime || cn || description || hostcategory || ipaenabledflag || ipaselinuxuser || ipauniqueid || member || memberhost || memberuser || objectclass || seealso || usercategory")(targetfilter = "(objectclass=ipaselinuxusermap)")(version 3.0;acl "permission:System: Read SELinux User Maps";allow (compare,read,search) userdn = "ldap:///all";)
-dn: cn=System: Remove SELinux User Maps,cn=permissions,cn=pbac,dc=ipa,dc=example
+dn: cn=usermap,cn=selinux,dc=ipa,dc=example
 aci: (targetfilter = "(objectclass=ipaselinuxusermap)")(version 3.0;acl "permission:System: Remove SELinux User Maps";allow (delete) groupdn = "ldap:///cn=System: Remove SELinux User Maps,cn=permissions,cn=pbac,dc=ipa,dc=example";)
-dn: cn=System: Add Services,cn=permissions,cn=pbac,dc=ipa,dc=example
+dn: cn=services,cn=accounts,dc=ipa,dc=example
 aci: (targetfilter = "(objectclass=ipaservice)")(version 3.0;acl "permission:System: Add Services";allow (add) groupdn = "ldap:///cn=System: Add Services,cn=permissions,cn=pbac,dc=ipa,dc=example";)
-dn: cn=System: Manage Service Keytab,cn=permissions,cn=pbac,dc=ipa,dc=example
+dn: cn=services,cn=accounts,dc=ipa,dc=example
 aci: (targetattr = "krblastpwdchange || krbprincipalkey")(targetfilter = "(objectclass=ipaservice)")(version 3.0;acl "permission:System: Manage Service Keytab";allow (write) groupdn = "ldap:///cn=System: Manage Service Keytab,cn=permissions,cn=pbac,dc=ipa,dc=example";)
-dn: cn=System: Modify Services,cn=permissions,cn=pbac,dc=ipa,dc=example
+dn: cn=services,cn=accounts,dc=ipa,dc=example
 aci: (targetattr = "usercertificate")(targetfilter = "(objectclass=ipaservice)")(version 3.0;acl "permission:System: Modify Services";allow (write) groupdn = "ldap:///cn=System: Modify Services,cn=permissions,cn=pbac,dc=ipa,dc=example";)
-dn: cn=System: Read Services,cn=permissions,cn=pbac,dc=ipa,dc=example
+dn: cn=services,cn=accounts,dc=ipa,dc=example
 aci: (targetattr = "ipakrbauthzdata || ipakrbprincipalalias || ipauniqueid || krbcanonicalname || krblastpwdchange || krbobjectreferences || krbpasswordexpiration || krbprincipalaliases || krbprincipalexpiration || krbprincipalname || managedby || memberof || objectclass || usercertificate")(targetfilter = "(objectclass=ipaservice)")(version 3.0;acl "permission:System: Read Services";allow (compare,read,search) userdn = "ldap:///all";)
-dn: cn=System: Remove Services,cn=permissions,cn=pbac,dc=ipa,dc=example
+dn: cn=services,cn=accounts,dc=ipa,dc=example
 aci: (targetfilter = "(objectclass=ipaservice)")(version 3.0;acl "permission:System: Remove Services";allow (delete) groupdn = "ldap:///cn=System: Remove Services,cn=permissions,cn=pbac,dc=ipa,dc=example";)
-dn: cn=System: Add Sudo Command,cn=permissions,cn=pbac,dc=ipa,dc=example
+dn: cn=sudocmds,cn=sudo,dc=ipa,dc=example
 aci: (targetfilter = "(objectclass=ipasudocmd)")(version 3.0;acl "permission:System: Add Sudo Command";allow (add) groupdn = "ldap:///cn=System: Add Sudo Command,cn=permissions,cn=pbac,dc=ipa,dc=example";)
-dn: cn=System: Delete Sudo Command,cn=permissions,cn=pbac,dc=ipa,dc=example
+dn: cn=sudocmds,cn=sudo,dc=ipa,dc=example
 aci: (targetfilter = "(objectclass=ipasudocmd)")(version 3.0;acl "permission:System: Delete Sudo Command";allow (delete) groupdn = "ldap:///cn=System: Delete Sudo Command,cn=permissions,cn=pbac,dc=ipa,dc=example";)
-dn: cn=System: Modify Sudo Command,cn=permissions,cn=pbac,dc=ipa,dc=example
+dn: cn=sudocmds,cn=sudo,dc=ipa,dc=example
 aci: (targetattr = "description")(targetfilter = "(objectclass=ipasudocmd)")(version 3.0;acl "permission:System: Modify Sudo Command";allow (write) groupdn = "ldap:///cn=System: Modify Sudo Command,cn=permissions,cn=pbac,dc=ipa,dc=example";)
-dn: cn=System: Read Sudo Commands,cn=permissions,cn=pbac,dc=ipa,dc=example
+dn: cn=sudocmds,cn=sudo,dc=ipa,dc=example
 aci: (targetattr = "description || ipauniqueid || memberof || objectclass || sudocmd")(targetfilter = "(objectclass=ipasudocmd)")(version 3.0;acl "permission:System: Read Sudo Commands";allow (compare,read,search) userdn = "ldap:///all";)
-dn: cn=System: Add Sudo Command Group,cn=permissions,cn=pbac,dc=ipa,dc=example
+dn: cn=sudocmdgroups,cn=sudo,dc=ipa,dc=example
 aci: (targetfilter = "(objectclass=ipasudocmdgrp)")(version 3.0;acl "permission:System: Add Sudo Command Group";allow (add) groupdn = "ldap:///cn=System: Add Sudo Command Group,cn=permissions,cn=pbac,dc=ipa,dc=example";)
-dn: cn=System: Delete Sudo Command Group,cn=permissions,cn=pbac,dc=ipa,dc=example
+dn: cn=sudocmdgroups,cn=sudo,dc=ipa,dc=example
 aci: (targetfilter = "(objectclass=ipasudocmdgrp)")(version 3.0;acl "permission:System: Delete Sudo Command Group";allow (delete) groupdn = "ldap:///cn=System: Delete Sudo Command Group,cn=permissions,cn=pbac,dc=ipa,dc=example";)
-dn: cn=System: Manage Sudo Command Group Membership,cn=permissions,cn=pbac,dc=ipa,dc=example
+dn: cn=sudocmdgroups,cn=sudo,dc=ipa,dc=example
 aci: (targetattr = "member")(targetfilter = "(objectclass=ipasudocmdgrp)")(version 3.0;acl "permission:System: Manage Sudo Command Group Membership";allow (write) groupdn = "ldap:///cn=System: Manage Sudo Command Group Membership,cn=permissions,cn=pbac,dc=ipa,dc=example";)
-dn: cn=System: Modify Sudo Command Group,cn=permissions,cn=pbac,dc=ipa,dc=example
+dn: cn=sudocmdgroups,cn=sudo,dc=ipa,dc=example
 aci: (targetattr = "description")(targetfilter = "(objectclass=ipasudocmdgrp)")(version 3.0;acl "permission:System: Modify Sudo Command Group";allow (write) groupdn = "ldap:///cn=System: Modify Sudo Command Group,cn=permissions,cn=pbac,dc=ipa,dc=example";)
-dn: cn=System: Read Sudo Command Groups,cn=permissions,cn=pbac,dc=ipa,dc=example
+dn: cn=sudocmdgroups,cn=sudo,dc=ipa,dc=example
 aci: (targetattr = "businesscategory || cn || description || ipauniqueid || member || memberhost || memberuser || o || objectclass || ou || owner || seealso")(targetfilter = "(objectclass=ipasudocmdgrp)")(version 3.0;acl "permission:System: Read Sudo Command Groups";allow (compare,read,search) userdn = "ldap:///all";)
-dn: cn=System: Add Sudo rule,cn=permissions,cn=pbac,dc=ipa,dc=example
+dn: cn=sudorules,cn=sudo,dc=ipa,dc=example
 aci: (targetfilter = "(objectclass=ipasudorule)")(version 3.0;acl "permission:System: Add Sudo rule";allow (add) groupdn = "ldap:///cn=System: Add Sudo rule,cn=permissions,cn=pbac,dc=ipa,dc=example";)
-dn: cn=System: Delete Sudo rule,cn=permissions,cn=pbac,dc=ipa,dc=example
+dn: cn=sudorules,cn=sudo,dc=ipa,dc=example
 aci: (targetfilter = "(objectclass=ipasudorule)")(version 3.0;acl "permission:System: Delete Sudo rule";allow (delete) groupdn = "ldap:///cn=System: Delete Sudo rule,cn=permissions,cn=pbac,dc=ipa,dc=example";)
-dn: cn=System: Modify Sudo rule,cn=permissions,cn=pbac,dc=ipa,dc=example
+dn: cn=sudorules,cn=sudo,dc=ipa,dc=example
 aci: (targetattr = "cmdcategory || description || externalhost || externaluser || hostcategory || hostmask || ipaenabledflag || ipasudoopt || ipasudorunas || ipasudorunasextgroup || ipasudorunasextuser || ipasudorunasextusergroup || ipasudorunasgroup || ipasudorunasgroupcategory || ipasudorunasusercategory || memberallowcmd || memberdenycmd || memberhost || memberuser || sudonotafter || sudonotbefore || sudoorder || usercategory")(targetfilter = "(objectclass=ipasudorule)")(version 3.0;acl "permission:System: Modify Sudo rule";allow (write) groupdn = "ldap:///cn=System: Modify Sudo rule,cn=permissions,cn=pbac,dc=ipa,dc=example";)
-dn: cn=System: Read Sudo Rules,cn=permissions,cn=pbac,dc=ipa,dc=example
+dn: cn=sudorules,cn=sudo,dc=ipa,dc=example
 aci: (targetattr = "cmdcategory || cn || description || externalhost || externaluser || hostcategory || hostmask || ipaenabledflag || ipasudoopt || ipasudorunas || ipasudorunasextgroup || ipasudorunasextuser || ipasudorunasextusergroup || ipasudorunasgroup || ipasudorunasgroupcategory || ipasudorunasusercategory || ipauniqueid || member || memberallowcmd || memberdenycmd || memberhost || memberuser || objectclass || sudonotafter || sudonotbefore || sudoorder || usercategory")(targetfilter = "(objectclass=ipasudorule)")(version 3.0;acl "permission:System: Read Sudo Rules";allow (compare,read,search) userdn = "ldap:///all";)
-dn: cn=System: Read Sudoers compat tree,cn=permissions,cn=pbac,dc=ipa,dc=example
+dn: dc=ipa,dc=example
 aci: (targetattr = "cn || description || objectclass || ou || sudocommand || sudohost || sudonotafter || sudonotbefore || sudooption || sudoorder || sudorunas || sudorunasgroup || sudorunasuser || sudouser")(target = "ldap:///ou=sudoers,dc=ipa,dc=example")(version 3.0;acl "permission:System: Read Sudoers compat tree";allow (compare,read,search) userdn = "ldap:///all";)
-dn: cn=System: Read Trust Information,cn=permissions,cn=pbac,dc=ipa,dc=example
+dn: cn=trusts,dc=ipa,dc=example
 aci: (targetattr = "cn || ipantflatname || ipantsecurityidentifier || ipantsidblacklistincoming || ipantsidblacklistoutgoing || ipanttrusteddomainsid || ipanttrustpartner || objectclass")(version 3.0;acl "permission:System: Read Trust Information";allow (compare,read,search) userdn = "ldap:///all";)
-dn: cn=System: Read system trust accounts,cn=permissions,cn=pbac,dc=ipa,dc=example
+dn: cn=trusts,dc=ipa,dc=example
 aci: (targetattr = "gidnumber || krbprincipalname || uidnumber")(version 3.0;acl "permission:System: Read system trust accounts";allow (compare,read,search) groupdn = "ldap:///cn=System: Read system trust accounts,cn=permissions,cn=pbac,dc=ipa,dc=example";)
-dn: cn=System: Add User to default group,cn=permissions,cn=pbac,dc=ipa,dc=example
+dn: cn=groups,cn=accounts,dc=ipa,dc=example
 aci: (targetattr = "member")(target = "ldap:///cn=ipausers,cn=groups,cn=accounts,dc=ipa,dc=example")(version 3.0;acl "permission:System: Add User to default group";allow (write) groupdn = "ldap:///cn=System: Add User to default group,cn=permissions,cn=pbac,dc=ipa,dc=example";)
-dn: cn=System: Add Users,cn=permissions,cn=pbac,dc=ipa,dc=example
+dn: cn=users,cn=accounts,dc=ipa,dc=example
 aci: (targetfilter = "(objectclass=posixaccount)")(version 3.0;acl "permission:System: Add Users";allow (add) groupdn = "ldap:///cn=System: Add Users,cn=permissions,cn=pbac,dc=ipa,dc=example";)
-dn: cn=System: Change User password,cn=permissions,cn=pbac,dc=ipa,dc=example
+dn: cn=users,cn=accounts,dc=ipa,dc=example
 aci: (targetattr = "krbprincipalkey || passwordhistory || sambalmpassword || sambantpassword || userpassword")(targetfilter = "(&(!(memberOf=cn=admins,cn=groups,cn=accounts,dc=ipa,dc=example))(objectclass=posixaccount))")(version 3.0;acl "permission:System: Change User password";allow (write) groupdn = "ldap:///cn=System: Change User password,cn=permissions,cn=pbac,dc=ipa,dc=example";)
-dn: cn=System: Manage User SSH Public Keys,cn=permissions,cn=pbac,dc=ipa,dc=example
+dn: cn=users,cn=accounts,dc=ipa,dc=example
 aci: (targetattr = "ipasshpubkey")(targetfilter = "(objectclass=posixaccount)")(version 3.0;acl "permission:System: Manage User SSH Public Keys";allow (write) groupdn = "ldap:///cn=System: Manage User SSH Public Keys,cn=permissions,cn=pbac,dc=ipa,dc=example";)
-dn: cn=System: Modify Users,cn=permissions,cn=pbac,dc=ipa,dc=example
+dn: cn=users,cn=accounts,dc=ipa,dc=example
 aci: (targetattr = "businesscategory || carlicense || cn || description || displayname || employeetype || facsimiletelephonenumber || gecos || givenname || homephone || inetuserhttpurl || initials || l || labeleduri || loginshell || manager || mepmanagedentry || mobile || objectclass || ou || pager || postalcode || preferredlanguage || roomnumber || secretary || seealso || sn || st || street || telephonenumber || title || userclass")(targetfilter = "(objectclass=posixaccount)")(version 3.0;acl "permission:System: Modify Users";allow (write) groupdn = "ldap:///cn=System: Modify Users,cn=permissions,cn=pbac,dc=ipa,dc=example";)
-dn: cn=System: Read UPG Definition,cn=permissions,cn=pbac,dc=ipa,dc=example
+dn: cn=UPG Definition,cn=Definitions,cn=Managed Entries,cn=etc,dc=ipa,dc=example
 aci: (targetattr = "*")(target = "ldap:///cn=UPG Definition,cn=Definitions,cn=Managed Entries,cn=etc,dc=ipa,dc=example")(version 3.0;acl "permission:System: Read UPG Definition";allow (compare,read,search) groupdn = "ldap:///cn=System: Read UPG Definition,cn=permissions,cn=pbac,dc=ipa,dc=example";)
-dn: cn=System: Read User Addressbook Attributes,cn=permissions,cn=pbac,dc=ipa,dc=example
+dn: cn=users,cn=accounts,dc=ipa,dc=example
 aci: (targetattr = "audio || businesscategory || carlicense || departmentnumber || destinationindicator || employeenumber || employeetype || fax || homephone || homepostaladdress || inetuserhttpurl || inetuserstatus || internationalisdnnumber || jpegphoto || l || labeleduri || mail || mobile || o || ou || pager || photo || physicaldeliveryofficename || postaladdress || postalcode || postofficebox || preferreddeliverymethod || preferredlanguage || registeredaddress || roomnumber || secretary || seealso || st || street || telephonenumber || teletexterminalidentifier || telexnumber || usercertificate || usersmimecertificate || x121address || x500uniqueidentifier")(targetfilter = "(objectclass=posixaccount)")(version 3.0;acl "permission:System: Read User Addressbook Attributes";allow (compare,read,search) userdn = "ldap:///all";)
-dn: cn=System: Read User IPA Attributes,cn=permissions,cn=pbac,dc=ipa,dc=example
+dn: cn=users,cn=accounts,dc=ipa,dc=example
 aci: (targetattr = "ipasshpubkey || ipauniqueid || ipauserauthtype || userclass")(targetfilter = "(objectclass=posixaccount)")(version 3.0;acl "permission:System: Read User IPA Attributes";allow (compare,read,search) userdn = "ldap:///all";)
-dn: cn=System: Read User Kerberos Attributes,cn=permissions,cn=pbac,dc=ipa,dc=example
+dn: cn=users,cn=accounts,dc=ipa,dc=example
 aci: (targetattr = "krbcanonicalname || krblastpwdchange || krbpasswordexpiration || krbprincipalaliases || krbprincipalexpiration || krbprincipalname || krbprincipaltype || nsaccountlock")(targetfilter = "(objectclass=posixaccount)")(version 3.0;acl "permission:System: Read User Kerberos Attributes";allow (compare,read,search) userdn = "ldap:///all";)
-dn: cn=System: Read User Kerberos Login Attributes,cn=permissions,cn=pbac,dc=ipa,dc=example
+dn: cn=users,cn=accounts,dc=ipa,dc=example
 aci: (targetattr = "krblastadminunlock || krblastfailedauth || krblastpwdchange || krblastsuccessfulauth || krbloginfailedcount || krbpwdpolicyreference || krbticketpolicyreference || krbupenabled")(targetfilter = "(objectclass=posixaccount)")(version 3.0;acl "permission:System: Read User Kerberos Login Attributes";allow (compare,read,search) groupdn = "ldap:///cn=System: Read User Kerberos Login Attributes,cn=permissions,cn=pbac,dc=ipa,dc=example";)
-dn: cn=System: Read User Membership,cn=permissions,cn=pbac,dc=ipa,dc=example
+dn: cn=users,cn=accounts,dc=ipa,dc=example
 aci: (targetattr = "memberof")(targetfilter = "(objectclass=posixaccount)")(version 3.0;acl "permission:System: Read User Membership";allow (compare,read,search) userdn = "ldap:///all";)
-dn: cn=System: Read User Standard Attributes,cn=permissions,cn=pbac,dc=ipa,dc=example
+dn: cn=users,cn=accounts,dc=ipa,dc=example
 aci: (targetattr = "cn || description || displayname || gecos || gidnumber || givenname || homedirectory || initials || ipantsecurityidentifier || loginshell || manager || objectclass || sn || title || uid || uidnumber")(targetfilter = "(objectclass=posixaccount)")(version 3.0;acl "permission:System: Read User Standard Attributes";allow (compare,read,search) userdn = "ldap:///anyone";)
-dn: cn=System: Remove Users,cn=permissions,cn=pbac,dc=ipa,dc=example
+dn: cn=users,cn=accounts,dc=ipa,dc=example
 aci: (targetfilter = "(objectclass=posixaccount)")(version 3.0;acl "permission:System: Remove Users";allow (delete) groupdn = "ldap:///cn=System: Remove Users,cn=permissions,cn=pbac,dc=ipa,dc=example";)
-dn: cn=System: Unlock User,cn=permissions,cn=pbac,dc=ipa,dc=example
+dn: cn=users,cn=accounts,dc=ipa,dc=example
 aci: (targetattr = "krblastadminunlock || krbloginfailedcount || nsaccountlock")(targetfilter = "(objectclass=posixaccount)")(version 3.0;acl "permission:System: Unlock User";allow (write) groupdn = "ldap:///cn=System: Unlock User,cn=permissions,cn=pbac,dc=ipa,dc=example";)
-dn: cn=System: Read AD Domains,cn=permissions,cn=pbac,dc=ipa,dc=example
+dn: cn=etc,dc=ipa,dc=example
 aci: (targetattr = "cn || ipantdomainguid || ipantfallbackprimarygroup || ipantflatname || ipantsecurityidentifier || objectclass")(target = "ldap:///cn=ad,cn=etc,dc=ipa,dc=example")(targetfilter = "(objectclass=ipantdomainattrs)")(version 3.0;acl "permission:System: Read AD Domains";allow (compare,read,search) userdn = "ldap:///all";)
-dn: cn=System: Read CA Certificate,cn=permissions,cn=pbac,dc=ipa,dc=example
+dn: cn=CAcert,cn=ipa,cn=etc,dc=ipa,dc=example
 aci: (targetattr = "authorityrevocationlist || cacertificate || certificaterevocationlist || cn || crosscertificatepair || objectclass")(targetfilter = "(objectclass=pkica)")(version 3.0;acl "permission:System: Read CA Certificate";allow (compare,read,search) userdn = "ldap:///anyone";)
-dn: cn=System: Read CA Renewal Information,cn=permissions,cn=pbac,dc=ipa,dc=example
+dn: cn=ca_renewal,cn=ipa,cn=etc,dc=ipa,dc=example
 aci: (targetattr = "cn || objectclass || usercertificate")(targetfilter = "(objectclass=pkiuser)")(version 3.0;acl "permission:System: Read CA Renewal Information";allow (compare,read,search) userdn = "ldap:///all";)
-dn: cn=System: Read DNA Configuration,cn=permissions,cn=pbac,dc=ipa,dc=example
+dn: cn=dna,cn=ipa,cn=etc,dc=ipa,dc=example
 aci: (targetattr = "cn || dnahostname || dnaportnum || dnaremainingvalues || dnaremotebindmethod || dnaremoteconnprotocol || dnasecureportnum || objectclass")(targetfilter = "(objectclass=dnasharedconfig)")(version 3.0;acl "permission:System: Read DNA Configuration";allow (compare,read,search) userdn = "ldap:///all";)
-dn: cn=System: Read IPA Masters,cn=permissions,cn=pbac,dc=ipa,dc=example
+dn: cn=masters,cn=ipa,cn=etc,dc=ipa,dc=example
 aci: (targetattr = "cn || ipaconfigstring || objectclass")(targetfilter = "(objectclass=nscontainer)")(version 3.0;acl "permission:System: Read IPA Masters";allow (compare,read,search) groupdn = "ldap:///cn=System: Read IPA Masters,cn=permissions,cn=pbac,dc=ipa,dc=example";)
-dn: cn=System: Read Replication Agreements,cn=permissions,cn=pbac,dc=ipa,dc=example
+dn: cn=config
 aci: (targetattr = "cn || description || nsds50ruv || nsds5beginreplicarefresh || nsds5debugreplicatimeout || nsds5flags || nsds5replicaabortcleanruv || nsds5replicaautoreferral || nsds5replicabackoffmax || nsds5replicabackoffmin || nsds5replicabinddn || nsds5replicabindmethod || nsds5replicabusywaittime || nsds5replicachangecount || nsds5replicachangessentsincestartup || nsds5replicacleanruv || nsds5replicacleanruvnotified || nsds5replicacredentials || nsds5replicaenabled || nsds5replicahost || nsds5replicaid || nsds5replicalastinitend || nsds5replicalastinitstart || nsds5replicalastinitstatus || nsds5replicalastupdateend || nsds5replicalastupdatestart || nsds5replicalastupdatestatus || nsds5replicalegacyconsumer || nsds5replicaname || nsds5replicaport || nsds5replicaprotocoltimeout || nsds5replicapurgedelay || nsds5replicareferral || nsds5replicaroot || nsds5replicasessionpausetime || nsds5replicastripattrs || nsds5replicatedattributelist || nsds5replicatedattributelisttotal || nsds5replicatimeout || nsds5replicatombstonepurgeinterval || nsds5replicatransportinfo || nsds5replicatype || nsds5replicaupdateinprogress || nsds5replicaupdateschedule || nsds5task || nsds7directoryreplicasubtree || nsds7dirsynccookie || nsds7newwingroupsyncenabled || nsds7newwinusersyncenabled || nsds7windowsdomain || nsds7windowsreplicasubtree || nsruvreplicalastmodified || nsstate || objectclass || onewaysync || winsyncdirectoryfilter || winsyncinterval || winsyncmoveaction || winsyncsubtreepair || winsyncwindowsfilter")(targetfilter = "(|(objectclass=nsds5Replica)(objectclass=nsds5replicationagreement)(objectclass=nsDSWindowsReplicationAgreement)(objectClass=nsMappingTree))")(version 3.0;acl "permission:System: Read Replication Agreements";allow (compare,read,search) groupdn = "ldap:///cn=System: Read Replication Agreements,cn=permissions,cn=pbac,dc=ipa,dc=example";)
-dn: cn=System: Read Replication Information,cn=permissions,cn=pbac,dc=ipa,dc=example
+dn: cn=replication,cn=etc,dc=ipa,dc=example
 aci: (targetattr = "cn || nsds5flags || nsds5replicaabortcleanruv || nsds5replicaautoreferral || nsds5replicabackoffmax || nsds5replicabackoffmin || nsds5replicabinddn || nsds5replicachangecount || nsds5replicacleanruv || nsds5replicaid || nsds5replicalegacyconsumer || nsds5replicaname || nsds5replicaprotocoltimeout || nsds5replicapurgedelay || nsds5replicareferral || nsds5replicaroot || nsds5replicatombstonepurgeinterval || nsds5replicatype || nsds5task || nsstate || objectclass")(targetfilter = "(objectclass=nsds5replica)")(version 3.0;acl "permission:System: Read Replication Information";allow (compare,read,search) userdn = "ldap:///all";)

API.txt

@@ -799,7 +799,7 @@ output: Entry('result', <type 'dict'>, Gettext('A dictionary representing an LDA
 output: Output('summary', (<type 'unicode'>, <type 'NoneType'>), None)
 output: PrimaryKey('value', None, None)
 command: dnsrecord_add
-args: 2,105,3
+args: 2,101,3
 arg: DNSNameParam('dnszoneidnsname', cli_name='dnszone', multivalue=False, only_absolute=True, primary_key=True, query=True, required=True)
 arg: DNSNameParam('idnsname', attribute=True, cli_name='name', multivalue=False, primary_key=True, required=True)
 option: Str('a6_part_data', attribute=False, cli_name='a6_data', multivalue=False, option_group=u'A6 Record', required=False)
@@ -870,10 +870,6 @@ option: Str('naptr_part_replacement', attribute=False, cli_name='naptr_replaceme
 option: Str('naptr_part_service', attribute=False, cli_name='naptr_service', multivalue=False, option_group=u'NAPTR Record', required=False)
 option: NAPTRRecord('naptrrecord', attribute=True, cli_name='naptr_rec', csv=True, multivalue=True, option_group=u'NAPTR Record', required=False)
 option: DNSNameParam('ns_part_hostname', attribute=False, cli_name='ns_hostname', multivalue=False, option_group=u'NS Record', required=False)
-option: Int('nsec3param_part_algorithm', attribute=False, cli_name='nsec3param_algorithm', maxvalue=255, minvalue=0, multivalue=False, option_group=u'NSEC3PARAM Record', required=False)
-option: Int('nsec3param_part_flags', attribute=False, cli_name='nsec3param_flags', default=0, maxvalue=255, minvalue=0, multivalue=False, option_group=u'NSEC3PARAM Record', required=False)
-option: Int('nsec3param_part_iterations', attribute=False, cli_name='nsec3param_iterations', maxvalue=65535, minvalue=0, multivalue=False, option_group=u'NSEC3PARAM Record', required=False)
-option: Str('nsec3param_part_salt', attribute=False, cli_name='nsec3param_salt', default=u'-', minlength=1, multivalue=False, option_group=u'NSEC3PARAM Record', pattern='^([0-9a-fA-F]+|-)$', required=False)
 option: NSEC3PARAMRecord('nsec3paramrecord', attribute=True, cli_name='nsec3param_rec', csv=True, multivalue=True, option_group=u'NSEC3PARAM Record', required=False)
 option: NSEC3Record('nsec3record', attribute=True, cli_name='nsec3_rec', csv=True, multivalue=True, option_group=u'NSEC3 Record', required=False)
 option: NSECRecord('nsecrecord', attribute=True, cli_name='nsec_rec', csv=True, multivalue=True, option_group=u'NSEC Record', required=False)
@@ -1020,7 +1016,7 @@ output: ListOfEntries('result', (<type 'list'>, <type 'tuple'>), Gettext('A list
 output: Output('summary', (<type 'unicode'>, <type 'NoneType'>), None)
 output: Output('truncated', <type 'bool'>, None)
 command: dnsrecord_mod
-args: 2,105,3
+args: 2,101,3
 arg: DNSNameParam('dnszoneidnsname', cli_name='dnszone', multivalue=False, only_absolute=True, primary_key=True, query=True, required=True)
 arg: DNSNameParam('idnsname', attribute=True, cli_name='name', multivalue=False, primary_key=True, query=True, required=True)
 option: Str('a6_part_data', attribute=False, autofill=False, cli_name='a6_data', multivalue=False, option_group=u'A6 Record', required=False)
@@ -1089,10 +1085,6 @@ option: Str('naptr_part_replacement', attribute=False, autofill=False, cli_name=
 option: Str('naptr_part_service', attribute=False, autofill=False, cli_name='naptr_service', multivalue=False, option_group=u'NAPTR Record', required=False)
 option: NAPTRRecord('naptrrecord', attribute=True, autofill=False, cli_name='naptr_rec', csv=True, multivalue=True, option_group=u'NAPTR Record', required=False)
 option: DNSNameParam('ns_part_hostname', attribute=False, autofill=False, cli_name='ns_hostname', multivalue=False, option_group=u'NS Record', required=False)
-option: Int('nsec3param_part_algorithm', attribute=False, autofill=False, cli_name='nsec3param_algorithm', maxvalue=255, minvalue=0, multivalue=False, option_group=u'NSEC3PARAM Record', required=False)
-option: Int('nsec3param_part_flags', attribute=False, autofill=False, cli_name='nsec3param_flags', default=0, maxvalue=255, minvalue=0, multivalue=False, option_group=u'NSEC3PARAM Record', required=False)
-option: Int('nsec3param_part_iterations', attribute=False, autofill=False, cli_name='nsec3param_iterations', maxvalue=65535, minvalue=0, multivalue=False, option_group=u'NSEC3PARAM Record', required=False)
-option: Str('nsec3param_part_salt', attribute=False, autofill=False, cli_name='nsec3param_salt', default=u'-', minlength=1, multivalue=False, option_group=u'NSEC3PARAM Record', pattern='^([0-9a-fA-F]+|-)$', required=False)
 option: NSEC3PARAMRecord('nsec3paramrecord', attribute=True, autofill=False, cli_name='nsec3param_rec', csv=True, multivalue=True, option_group=u'NSEC3PARAM Record', required=False)
 option: NSEC3Record('nsec3record', attribute=True, autofill=False, cli_name='nsec3_rec', csv=True, multivalue=True, option_group=u'NSEC3 Record', required=False)
 option: NSECRecord('nsecrecord', attribute=True, autofill=False, cli_name='nsec_rec', csv=True, multivalue=True, option_group=u'NSEC Record', required=False)
@@ -1144,7 +1136,7 @@ output: Entry('result', <type 'dict'>, Gettext('A dictionary representing an LDA
 output: Output('summary', (<type 'unicode'>, <type 'NoneType'>), None)
 output: PrimaryKey('value', None, None)
 command: dnszone_add
-args: 1,25,3
+args: 1,26,3
 arg: DNSNameParam('idnsname', attribute=True, cli_name='name', multivalue=False, only_absolute=True, primary_key=True, required=True)
 option: Str('addattr*', cli_name='addattr', exclude='webui')
 option: Flag('all', autofill=True, cli_name='all', default=False, exclude='webui')
@@ -1168,6 +1160,7 @@ option: Int('idnssoaserial', attribute=True, autofill=True, cli_name='serial', m
 option: Str('idnsupdatepolicy', attribute=True, autofill=True, cli_name='update_policy', multivalue=False, required=False)
 option: Str('ip_address?')
 option: Str('name_from_ip', attribute=False, cli_name='name_from_ip', multivalue=False, required=False)
+option: Str('nsec3paramrecord', attribute=True, cli_name='nsec3param_rec', multivalue=False, pattern='^\\d+ \\d+ \\d+ (([0-9a-fA-F]{2})+|-)$', required=False)
 option: Flag('raw', autofill=True, cli_name='raw', default=False, exclude='webui')
 option: Str('setattr*', cli_name='setattr', exclude='webui')
 option: Str('version?', exclude='webui')
@@ -1204,7 +1197,7 @@ output: Output('result', <type 'bool'>, None)
 output: Output('summary', (<type 'unicode'>, <type 'NoneType'>), None)
 output: PrimaryKey('value', None, None)
 command: dnszone_find
-args: 1,27,4
+args: 1,28,4
 arg: Str('criteria?', noextrawhitespace=False)
 option: Flag('all', autofill=True, cli_name='all', default=False, exclude='webui')
 option: StrEnum('dnsclass', attribute=True, autofill=False, cli_name='class', multivalue=False, query=True, required=False, values=(u'IN', u'CS', u'CH', u'HS'))
@@ -1228,6 +1221,7 @@ option: Int('idnssoaserial', attribute=True, autofill=False, cli_name='serial',
 option: Str('idnsupdatepolicy', attribute=True, autofill=False, cli_name='update_policy', multivalue=False, query=True, required=False)
 option: Bool('idnszoneactive', attribute=True, autofill=False, cli_name='zone_active', multivalue=False, query=True, required=False)
 option: Str('name_from_ip', attribute=False, autofill=False, cli_name='name_from_ip', multivalue=False, query=True, required=False)
+option: Str('nsec3paramrecord', attribute=True, autofill=False, cli_name='nsec3param_rec', multivalue=False, pattern='^\\d+ \\d+ \\d+ (([0-9a-fA-F]{2})+|-)$', query=True, required=False)
 option: Flag('pkey_only?', autofill=True, default=False)
 option: Flag('raw', autofill=True, cli_name='raw', default=False, exclude='webui')
 option: Int('sizelimit?', autofill=False, minvalue=0)
@@ -1238,7 +1232,7 @@ output: ListOfEntries('result', (<type 'list'>, <type 'tuple'>), Gettext('A list
 output: Output('summary', (<type 'unicode'>, <type 'NoneType'>), None)
 output: Output('truncated', <type 'bool'>, None)
 command: dnszone_mod
-args: 1,26,3
+args: 1,27,3
 arg: DNSNameParam('idnsname', attribute=True, cli_name='name', multivalue=False, only_absolute=True, primary_key=True, query=True, required=True)
 option: Str('addattr*', cli_name='addattr', exclude='webui')
 option: Flag('all', autofill=True, cli_name='all', default=False, exclude='webui')
@@ -1262,6 +1256,7 @@ option: DNSNameParam('idnssoarname', attribute=True, autofill=False, cli_name='a
 option: Int('idnssoaserial', attribute=True, autofill=False, cli_name='serial', maxvalue=4294967295L, minvalue=1, multivalue=False, required=False)
 option: Str('idnsupdatepolicy', attribute=True, autofill=False, cli_name='update_policy', multivalue=False, required=False)
 option: Str('name_from_ip', attribute=False, autofill=False, cli_name='name_from_ip', multivalue=False, required=False)
+option: Str('nsec3paramrecord', attribute=True, autofill=False, cli_name='nsec3param_rec', multivalue=False, pattern='^\\d+ \\d+ \\d+ (([0-9a-fA-F]{2})+|-)$', required=False)
 option: Flag('raw', autofill=True, cli_name='raw', default=False, exclude='webui')
 option: Flag('rights', autofill=True, default=False)
 option: Str('setattr*', cli_name='setattr', exclude='webui')
@@ -2308,8 +2303,8 @@ option: Str('description', attribute=True, cli_name='desc', multivalue=False, re
 option: Bool('ipatokendisabled', attribute=True, cli_name='disabled', multivalue=False, required=False)
 option: Int('ipatokenhotpcounter', attribute=True, autofill=True, cli_name='counter', default=0, minvalue=0, multivalue=False, required=False)
 option: Str('ipatokenmodel', attribute=True, autofill=True, cli_name='model', multivalue=False, required=False)
-option: Str('ipatokennotafter', attribute=True, cli_name='not_after', multivalue=False, required=False)
-option: Str('ipatokennotbefore', attribute=True, cli_name='not_before', multivalue=False, required=False)
+option: DateTime('ipatokennotafter', attribute=True, cli_name='not_after', multivalue=False, required=False)
+option: DateTime('ipatokennotbefore', attribute=True, cli_name='not_before', multivalue=False, required=False)
 option: StrEnum('ipatokenotpalgorithm', attribute=True, autofill=True, cli_name='algo', default=u'sha1', multivalue=False, required=False, values=(u'sha1', u'sha256', u'sha384', u'sha512'))
 option: IntEnum('ipatokenotpdigits', attribute=True, autofill=True, cli_name='digits', default=6, multivalue=False, required=False, values=(6, 8))
 option: OTPTokenKey('ipatokenotpkey', attribute=True, autofill=True, cli_name='key', multivalue=False, required=False)
@@ -2343,8 +2338,8 @@ args: 1,8,1
 arg: Str('ipatokenuniqueid?', cli_name='id', primary_key=True)
 option: Str('description?', cli_name='desc')
 option: Bool('ipatokendisabled?', cli_name='disabled')
-option: Str('ipatokennotafter?', cli_name='not_after')
-option: Str('ipatokennotbefore?', cli_name='not_before')
+option: DateTime('ipatokennotafter?', cli_name='not_after')
+option: DateTime('ipatokennotbefore?', cli_name='not_before')
 option: IntEnum('ipatokenotpdigits?', autofill=True, cli_name='digits', default=6, values=(6, 8))
 option: Str('ipatokenowner?', cli_name='owner')
 option: IntEnum('slot?', cli_name='slot', values=(1, 2))
@@ -2366,8 +2361,8 @@ option: Str('description', attribute=True, autofill=False, cli_name='desc', mult
 option: Bool('ipatokendisabled', attribute=True, autofill=False, cli_name='disabled', multivalue=False, query=True, required=False)
 option: Int('ipatokenhotpcounter', attribute=True, autofill=False, cli_name='counter', default=0, minvalue=0, multivalue=False, query=True, required=False)
 option: Str('ipatokenmodel', attribute=True, autofill=False, cli_name='model', multivalue=False, query=True, required=False)
-option: Str('ipatokennotafter', attribute=True, autofill=False, cli_name='not_after', multivalue=False, query=True, required=False)
-option: Str('ipatokennotbefore', attribute=True, autofill=False, cli_name='not_before', multivalue=False, query=True, required=False)
+option: DateTime('ipatokennotafter', attribute=True, autofill=False, cli_name='not_after', multivalue=False, query=True, required=False)
+option: DateTime('ipatokennotbefore', attribute=True, autofill=False, cli_name='not_before', multivalue=False, query=True, required=False)
 option: StrEnum('ipatokenotpalgorithm', attribute=True, autofill=False, cli_name='algo', default=u'sha1', multivalue=False, query=True, required=False, values=(u'sha1', u'sha256', u'sha384', u'sha512'))
 option: IntEnum('ipatokenotpdigits', attribute=True, autofill=False, cli_name='digits', default=6, multivalue=False, query=True, required=False, values=(6, 8))
 option: Str('ipatokenowner', attribute=True, autofill=False, cli_name='owner', multivalue=False, query=True, required=False)
@@ -2396,8 +2391,8 @@ option: Str('delattr*', cli_name='delattr', exclude='webui')
 option: Str('description', attribute=True, autofill=False, cli_name='desc', multivalue=False, required=False)
 option: Bool('ipatokendisabled', attribute=True, autofill=False, cli_name='disabled', multivalue=False, required=False)
 option: Str('ipatokenmodel', attribute=True, autofill=False, cli_name='model', multivalue=False, required=False)
-option: Str('ipatokennotafter', attribute=True, autofill=False, cli_name='not_after', multivalue=False, required=False)
-option: Str('ipatokennotbefore', attribute=True, autofill=False, cli_name='not_before', multivalue=False, required=False)
+option: DateTime('ipatokennotafter', attribute=True, autofill=False, cli_name='not_after', multivalue=False, required=False)
+option: DateTime('ipatokennotbefore', attribute=True, autofill=False, cli_name='not_before', multivalue=False, required=False)
 option: Str('ipatokenowner', attribute=True, autofill=False, cli_name='owner', multivalue=False, required=False)
 option: Str('ipatokenserial', attribute=True, autofill=False, cli_name='serial', multivalue=False, required=False)
 option: Str('ipatokenvendor', attribute=True, autofill=False, cli_name='vendor', default=u'FreeIPA', multivalue=False, required=False)
@@ -2478,7 +2473,7 @@ output: Output('summary', (<type 'unicode'>, <type 'NoneType'>), None)
 output: PrimaryKey('value', None, None)
 command: permission_add_member
 args: 1,5,3
-arg: Str('cn', attribute=True, cli_name='name', multivalue=False, pattern='^[-_ a-zA-Z0-9.:]+$', primary_key=True, query=True, required=True)
+arg: Str('cn', attribute=True, cli_name='name', multivalue=False, pattern='^[-_ a-zA-Z0-9.:/]+$', primary_key=True, query=True, required=True)
 option: Flag('all', autofill=True, cli_name='all', default=False, exclude='webui')
 option: Flag('no_members', autofill=True, default=False, exclude='webui')
 option: Str('privilege*', alwaysask=True, cli_name='privileges', csv=True)
@@ -2489,7 +2484,7 @@ output: Output('failed', <type 'dict'>, None)
 output: Entry('result', <type 'dict'>, Gettext('A dictionary representing an LDAP entry', domain='ipa', localedir=None))
 command: permission_add_noaci
 args: 1,5,3
-arg: Str('cn', attribute=True, cli_name='name', multivalue=False, pattern='^[-_ a-zA-Z0-9.:]+$', primary_key=True, required=True)
+arg: Str('cn', attribute=True, cli_name='name', multivalue=False, pattern='^[-_ a-zA-Z0-9.:/]+$', primary_key=True, required=True)
 option: Flag('all', autofill=True, cli_name='all', default=False, exclude='webui', multivalue=False, required=True)
 option: Str('ipapermissiontype', cli_name='ipapermissiontype', multivalue=True, required=True)
 option: Flag('no_members', autofill=True, cli_name='no_members', default=False, exclude='webui', multivalue=False, required=True)
@@ -2500,7 +2495,7 @@ output: Output('summary', (<type 'unicode'>, <type 'NoneType'>), None)
 output: PrimaryKey('value', None, None)
 command: permission_del
 args: 1,3,3
-arg: Str('cn', attribute=True, cli_name='name', multivalue=True, pattern='^[-_ a-zA-Z0-9.:]+$', primary_key=True, query=True, required=True)
+arg: Str('cn', attribute=True, cli_name='name', multivalue=True, pattern='^[-_ a-zA-Z0-9.:/]+$', primary_key=True, query=True, required=True)
 option: Flag('continue', autofill=True, cli_name='continue', default=False)
 option: Flag('force', autofill=True, default=False)
 option: Str('version?', exclude='webui')
@@ -2512,7 +2507,7 @@ args: 1,24,4
 arg: Str('criteria?', noextrawhitespace=False)
 option: Flag('all', autofill=True, cli_name='all', default=False, exclude='webui')
 option: Str('attrs', attribute=False, autofill=False, cli_name='attrs', multivalue=True, query=True, required=False)
-option: Str('cn', attribute=True, autofill=False, cli_name='name', multivalue=False, pattern='^[-_ a-zA-Z0-9.:]+$', primary_key=True, query=True, required=False)
+option: Str('cn', attribute=True, autofill=False, cli_name='name', multivalue=False, pattern='^[-_ a-zA-Z0-9.:/]+$', primary_key=True, query=True, required=False)
 option: Str('extratargetfilter', attribute=False, autofill=False, cli_name='filter', multivalue=True, query=True, required=False)
 option: Str('filter', attribute=False, autofill=False, cli_name='filter', multivalue=True, query=True, required=False)
 option: StrEnum('ipapermbindruletype', attribute=True, autofill=False, cli_name='bindtype', default=u'permission', multivalue=False, query=True, required=False, values=(u'permission', u'all', u'anonymous'))
@@ -2540,7 +2535,7 @@ output: Output('summary', (<type 'unicode'>, <type 'NoneType'>), None)
 output: Output('truncated', <type 'bool'>, None)
 command: permission_mod
 args: 1,24,3
-arg: Str('cn', attribute=True, cli_name='name', multivalue=False, pattern='^[-_ a-zA-Z0-9.:]+$', primary_key=True, query=True, required=True)
+arg: Str('cn', attribute=True, cli_name='name', multivalue=False, pattern='^[-_ a-zA-Z0-9.:/]+$', primary_key=True, query=True, required=True)
 option: Str('addattr*', cli_name='addattr', exclude='webui')
 option: Flag('all', autofill=True, cli_name='all', default=False, exclude='webui')
 option: Str('attrs', attribute=False, autofill=False, cli_name='attrs', multivalue=True, required=False)
@@ -2570,7 +2565,7 @@ output: Output('summary', (<type 'unicode'>, <type 'NoneType'>), None)
 output: PrimaryKey('value', None, None)
 command: permission_remove_member
 args: 1,5,3
-arg: Str('cn', attribute=True, cli_name='name', multivalue=False, pattern='^[-_ a-zA-Z0-9.:]+$', primary_key=True, query=True, required=True)
+arg: Str('cn', attribute=True, cli_name='name', multivalue=False, pattern='^[-_ a-zA-Z0-9.:/]+$', primary_key=True, query=True, required=True)
 option: Flag('all', autofill=True, cli_name='all', default=False, exclude='webui')
 option: Flag('no_members', autofill=True, default=False, exclude='webui')
 option: Str('privilege*', alwaysask=True, cli_name='privileges', csv=True)
@@ -2581,7 +2576,7 @@ output: Output('failed', <type 'dict'>, None)
 output: Entry('result', <type 'dict'>, Gettext('A dictionary representing an LDAP entry', domain='ipa', localedir=None))
 command: permission_show
 args: 1,5,3
-arg: Str('cn', attribute=True, cli_name='name', multivalue=False, pattern='^[-_ a-zA-Z0-9.:]+$', primary_key=True, query=True, required=True)
+arg: Str('cn', attribute=True, cli_name='name', multivalue=False, pattern='^[-_ a-zA-Z0-9.:/]+$', primary_key=True, query=True, required=True)
 option: Flag('all', autofill=True, cli_name='all', default=False, exclude='webui')
 option: Flag('no_members', autofill=True, default=False, exclude='webui')
 option: Flag('raw', autofill=True, cli_name='raw', default=False, exclude='webui')

VERSION

@@ -18,9 +18,9 @@
 #      IPA_VERSION_RELEASE=0                           #
 #  ->  "1.0.0"                                         #
 ########################################################
-IPA_VERSION_MAJOR=3
-IPA_VERSION_MINOR=3
-IPA_VERSION_RELEASE=90
+IPA_VERSION_MAJOR=4
+IPA_VERSION_MINOR=0
+IPA_VERSION_RELEASE=0
 
 ########################################################
 # For 'pre' releases the version will be               #
@@ -89,5 +89,5 @@ IPA_DATA_VERSION=20100614120000
 #                                                      #
 ########################################################
 IPA_API_VERSION_MAJOR=2
-IPA_API_VERSION_MINOR=97
-# Last change: mbasti - New record type added: TLSA
+IPA_API_VERSION_MINOR=101
+# Last change: mbasti - Allow '/' in permission name

freeipa.spec.in

@@ -4,10 +4,7 @@
 %global plugin_dir %{_libdir}/dirsrv/plugins
 %global POLICYCOREUTILSVER 2.1.12-5
 %global gettext_domain ipa
-
-%if (0%{?fedora} > 15 || 0%{?rhel} >= 7)
 %define _hardened_build 1
-%endif
 
 Name:           freeipa
 Version:        __VERSION__
@@ -25,14 +22,9 @@ BuildRequires:  389-ds-base-devel >= 1.3.2.16
 BuildRequires:  svrcore-devel
 BuildRequires:  policycoreutils >= %{POLICYCOREUTILSVER}
 BuildRequires:  systemd-units
-%if 0%{?fedora} >= 18
 BuildRequires:  samba-devel >= 2:4.0.5-1
 BuildRequires:  samba-python
 BuildRequires:  libwbclient-devel
-%else
-BuildRequires:  samba4-devel >= 4.0.0-139
-BuildRequires:  samba4-python
-%endif
 BuildRequires:  libtalloc-devel
 BuildRequires:  libtevent-devel
 %endif # ONLY_CLIENT
@@ -81,11 +73,6 @@ BuildRequires:  libunistring-devel
 BuildRequires:  python-lesscpy
 BuildRequires:  python-yubico
 
-# Find out Kerberos middle version to infer ABI changes in DAL driver
-# We cannot load DAL driver into KDC with wrong ABI.
-# This is also needed to support ipa-devel repository where krb5 1.11 is available for F18
-%global krb5_dal_version %{expand:%(echo "#include <kdb.h>"|cpp -dM|grep KRB5_KDB_DAL_MAJOR_VERSION|cut -d' ' -f3)}
-
 %description
 IPA is an integrated solution to provide centrally managed Identity (machine,
 user, virtual machines, groups, authentication credentials), Policy
@@ -99,36 +86,17 @@ Group: System Environment/Base
 Requires: %{name}-python = %{version}-%{release}
 Requires: %{name}-client = %{version}-%{release}
 Requires: %{name}-admintools = %{version}-%{release}
-Requires: 389-ds-base >= 1.3.2.16
+Requires: 389-ds-base >= 1.3.2.19
 Requires: openldap-clients > 2.4.35-4
-%if 0%{?fedora} == 18
-Requires: nss >= 3.14.3-2
-Requires: nss-tools >= 3.14.3-2
-%else
 Requires: nss >= 3.14.3-12.0
 Requires: nss-tools >= 3.14.3-12.0
-%endif
-%if 0%{?krb5_dal_version} >= 4
 Requires: krb5-server >= 1.11.5-3
-%else
-%if 0%{krb5_dal_version} == 3
-# krb5 1.11 bumped DAL interface major version, a rebuild is needed
-Requires: krb5-server < 1.11
-Requires: krb5-server >= 1.10
-%else
-Requires: krb5-server >= 1.10
-%endif
-%endif
 Requires: krb5-pkinit-openssl
 Requires: cyrus-sasl-gssapi%{?_isa}
 Requires: ntp
 Requires: httpd >= 2.4.6-6
 Requires: mod_wsgi
-%if 0%{?fedora} >= 18
 Requires: mod_auth_kerb >= 5.4-16
-%else
-Requires: mod_auth_kerb >= 5.4-8
-%endif
 Requires: mod_nss >= 1.0.8-26
 Requires: python-ldap
 Requires: python-krbV
@@ -140,7 +108,7 @@ Requires: dbus-python
 Requires: systemd-units >= 38
 Requires(pre): systemd-units
 Requires(post): systemd-units
-Requires: selinux-policy >= 3.12.1-135
+Requires: selinux-policy >= 3.12.1-176
 Requires(post): selinux-policy-base
 Requires: slapi-nis >= 0.47.7
 Requires: pki-ca >= 10.1.1
@@ -155,7 +123,7 @@ Requires: zip
 Requires: policycoreutils >= %{POLICYCOREUTILSVER}
 Requires: tar
 Requires(pre): certmonger >= 0.65
-Requires(pre): 389-ds-base >= 1.3.2.11
+Requires(pre): 389-ds-base >= 1.3.2.19
 Requires: fontawesome-fonts
 Requires: open-sans-fonts
 
@@ -166,11 +134,7 @@ Obsoletes: freeipa-server-selinux < 3.3.0
 # We have a soft-requires on bind. It is an optional part of
 # IPA but if it is configured we need a way to require versions
 # that work for us.
-%if 0%{?fedora} >= 18
-Conflicts: bind-dyndb-ldap < 3.5
-%else
-Conflicts: bind-dyndb-ldap < 1.1.0-0.12.rc1
-%endif
+Conflicts: bind-dyndb-ldap < 5.0
 Conflicts: bind < 9.8.2-0.4.rc2
 
 # Versions of nss-pam-ldapd < 0.8.4 require a mapping from uniqueMember to
@@ -193,19 +157,11 @@ Summary: Virtual package to install packages required for Active Directory trust
 Group: System Environment/Base
 Requires: %{name}-server = %version-%release
 Requires: m2crypto
-%if 0%{?fedora} >= 18
 Requires: samba-python
 Requires: samba >= 2:4.0.5-1
 Requires: samba-winbind
-%else
-Requires: samba4-python
-Requires: samba4
-Requires: samba4-winbind
-%endif
 Requires: libsss_idmap
-%if 0%{?fedora} >= 19
 Requires: libsss_nss_idmap-python
-%endif
 # We use alternatives to divert winbind_krb5_locator.so plugin to libkrb5
 # on the installes where server-trust-ad subpackage is installed because
 # IPA AD trusts cannot be used at the same time with the locator plugin
@@ -836,6 +792,7 @@ fi
 %dir %{python_sitelib}/ipatests/test_ipapython
 %dir %{python_sitelib}/ipatests/test_ipaserver
 %dir %{python_sitelib}/ipatests/test_ipaserver/test_install
+%dir %{python_sitelib}/ipatests/test_ipaserver/data
 %dir %{python_sitelib}/ipatests/test_pkcs10
 %dir %{python_sitelib}/ipatests/test_webui
 %dir %{python_sitelib}/ipatests/test_xmlrpc

install/po/LINGUAS

@@ -5,6 +5,8 @@ cs      # Czech
 es      # Spanish
 eu      # Basque
 fr      # French
+hi      # Hindi
+hu      # Hungarian
 id      # Indonesian
 ja      # Japanese
 kn      # Kannada

install/po/bn_IN.po

@@ -10,8 +10,8 @@ msgstr ""
 "Project-Id-Version: FreeIPA\n"
 "Report-Msgid-Bugs-To: https://hosted.fedoraproject.org/projects/freeipa/"
 "newticket\n"
-"POT-Creation-Date: 2014-06-27 16:29+0200\n"
-"PO-Revision-Date: 2014-06-25 19:44+0000\n"
+"POT-Creation-Date: 2014-07-07 15:24+0200\n"
+"PO-Revision-Date: 2014-07-03 08:37+0000\n"
 "Last-Translator: Petr Viktorin <encukou@gmail.com>\n"
 "Language-Team: Bengali (India) (http://www.transifex.com/projects/p/freeipa/"
 "language/bn_IN/)\n"

install/po/ca.po

@@ -9,8 +9,8 @@ msgstr ""
 "Project-Id-Version: FreeIPA\n"
 "Report-Msgid-Bugs-To: https://hosted.fedoraproject.org/projects/freeipa/"
 "newticket\n"
-"POT-Creation-Date: 2014-06-27 16:29+0200\n"
-"PO-Revision-Date: 2014-06-25 19:44+0000\n"
+"POT-Creation-Date: 2014-07-07 15:24+0200\n"
+"PO-Revision-Date: 2014-07-03 08:37+0000\n"
 "Last-Translator: Petr Viktorin <encukou@gmail.com>\n"
 "Language-Team: Catalan (http://www.transifex.com/projects/p/freeipa/language/"
 "ca/)\n"

install/po/cs.po

@@ -9,8 +9,8 @@ msgstr ""
 "Project-Id-Version: FreeIPA\n"
 "Report-Msgid-Bugs-To: https://hosted.fedoraproject.org/projects/freeipa/"
 "newticket\n"
-"POT-Creation-Date: 2014-06-27 16:29+0200\n"
-"PO-Revision-Date: 2014-06-25 19:44+0000\n"
+"POT-Creation-Date: 2014-07-07 15:24+0200\n"
+"PO-Revision-Date: 2014-07-03 08:37+0000\n"
 "Last-Translator: Petr Viktorin <encukou@gmail.com>\n"
 "Language-Team: Czech (http://www.transifex.com/projects/p/freeipa/language/"
 "cs/)\n"

install/po/de.po

@@ -11,8 +11,8 @@ msgstr ""
 "Project-Id-Version: FreeIPA\n"
 "Report-Msgid-Bugs-To: https://hosted.fedoraproject.org/projects/freeipa/"
 "newticket\n"
-"POT-Creation-Date: 2014-06-27 16:29+0200\n"
-"PO-Revision-Date: 2014-06-25 19:44+0000\n"
+"POT-Creation-Date: 2014-07-07 15:24+0200\n"
+"PO-Revision-Date: 2014-07-03 08:37+0000\n"
 "Last-Translator: Petr Viktorin <encukou@gmail.com>\n"
 "Language-Team: German (http://www.transifex.com/projects/p/freeipa/language/"
 "de/)\n"

install/po/es.po

@@ -17,8 +17,8 @@ msgstr ""
 "Project-Id-Version: FreeIPA\n"
 "Report-Msgid-Bugs-To: https://hosted.fedoraproject.org/projects/freeipa/"
 "newticket\n"
-"POT-Creation-Date: 2014-06-27 16:29+0200\n"
-"PO-Revision-Date: 2014-06-25 19:44+0000\n"
+"POT-Creation-Date: 2014-07-07 15:24+0200\n"
+"PO-Revision-Date: 2014-07-03 08:37+0000\n"
 "Last-Translator: Petr Viktorin <encukou@gmail.com>\n"
 "Language-Team: Spanish (http://www.transifex.com/projects/p/freeipa/language/"
 "es/)\n"
@@ -5304,6 +5304,3 @@ msgstr "Falló la creación de clave aleatoria\n"
 
 msgid "Failed to create key!\n"
 msgstr "¡Falló la creación de clave!\n"
-
-#~ msgid "Unable to set ldap options!\n"
-#~ msgstr "¡No puede establecer opciones IDAP!\n"

install/po/eu.po

@@ -9,8 +9,8 @@ msgstr ""
 "Project-Id-Version: FreeIPA\n"
 "Report-Msgid-Bugs-To: https://hosted.fedoraproject.org/projects/freeipa/"
 "newticket\n"
-"POT-Creation-Date: 2014-06-27 16:29+0200\n"
-"PO-Revision-Date: 2014-06-25 19:44+0000\n"
+"POT-Creation-Date: 2014-07-07 15:24+0200\n"
+"PO-Revision-Date: 2014-07-03 08:37+0000\n"
 "Last-Translator: Petr Viktorin <encukou@gmail.com>\n"
 "Language-Team: Basque (http://www.transifex.com/projects/p/freeipa/language/"
 "eu/)\n"

install/po/fr.po

@@ -15,9 +15,9 @@ msgstr ""
 "Project-Id-Version: FreeIPA\n"
 "Report-Msgid-Bugs-To: https://hosted.fedoraproject.org/projects/freeipa/"
 "newticket\n"
-"POT-Creation-Date: 2014-06-27 16:29+0200\n"
-"PO-Revision-Date: 2014-06-25 19:59+0000\n"
-"Last-Translator: Jérôme Fenal <jfenal@gmail.com>\n"
+"POT-Creation-Date: 2014-07-07 15:24+0200\n"
+"PO-Revision-Date: 2014-07-03 08:37+0000\n"
+"Last-Translator: Petr Viktorin <encukou@gmail.com>\n"
 "Language-Team: French (http://www.transifex.com/projects/p/freeipa/language/"
 "fr/)\n"
 "Language: fr\n"
@@ -2428,444 +2428,6 @@ msgstr[1] "%(count)d délégations correspondantes"
 msgid "Display information about a delegation."
 msgstr "Afficher les informations sur une délégation."
 
-msgid ""
-"\n"
-"Domain Name System (DNS)\n"
-"\n"
-"Manage DNS zone and resource records.\n"
-"\n"
-"\n"
-"USING STRUCTURED PER-TYPE OPTIONS\n"
-"\n"
-"There are many structured DNS RR types where DNS data stored in LDAP server\n"
-"is not just a scalar value, for example an IP address or a domain name, but\n"
-"a data structure which may be often complex. A good example is a LOC record\n"
-"[RFC1876] which consists of many mandatory and optional parts (degrees,\n"
-"minutes, seconds of latitude and longitude, altitude or precision).\n"
-"\n"
-"It may be difficult to manipulate such DNS records without making a mistake\n"
-"and entering an invalid value. DNS module provides an abstraction over "
-"these\n"
-"raw records and allows to manipulate each RR type with specific options. "
-"For\n"
-"each supported RR type, DNS module provides a standard option to manipulate\n"
-"a raw records with format --<rrtype>-rec, e.g. --mx-rec, and special "
-"options\n"
-"for every part of the RR structure with format --<rrtype>-<partname>, e.g.\n"
-"--mx-preference and --mx-exchanger.\n"
-"\n"
-"When adding a record, either RR specific options or standard option for a "
-"raw\n"
-"value can be used, they just should not be combined in one add operation. "
-"When\n"
-"modifying an existing entry, new RR specific options can be used to change\n"
-"one part of a DNS record, where the standard option for raw value is used\n"
-"to specify the modified value. The following example demonstrates\n"
-"a modification of MX record preference from 0 to 1 in a record without\n"
-"modifying the exchanger:\n"
-"ipa dnsrecord-mod --mx-rec=\"0 mx.example.com.\" --mx-preference=1\n"
-"\n"
-"\n"
-"EXAMPLES:\n"
-"\n"
-" Add new zone:\n"
-"   ipa dnszone-add example.com --name-server=ns \\\n"
-"                               --admin-email=admin@example.com \\\n"
-"                               --ip-address=10.0.0.1\n"
-"\n"
-" Add system permission that can be used for per-zone privilege delegation:\n"
-"   ipa dnszone-add-permission example.com\n"
-"\n"
-" Modify the zone to allow dynamic updates for hosts own records in realm "
-"EXAMPLE.COM:\n"
-"   ipa dnszone-mod example.com --dynamic-update=TRUE\n"
-"\n"
-"   This is the equivalent of:\n"
-"     ipa dnszone-mod example.com --dynamic-update=TRUE \\\n"
-"      --update-policy=\"grant EXAMPLE.COM krb5-self * A; grant EXAMPLE.COM "
-"krb5-self * AAAA; grant EXAMPLE.COM krb5-self * SSHFP;\"\n"
-"\n"
-" Modify the zone to allow zone transfers for local network only:\n"
-"   ipa dnszone-mod example.com --allow-transfer=10.0.0.0/8\n"
-"\n"
-" Add new reverse zone specified by network IP address:\n"
-"   ipa dnszone-add --name-from-ip=80.142.15.0/24 \\\n"
-"                   --name-server=ns.example.com.\n"
-"\n"
-" Add second nameserver for example.com:\n"
-"   ipa dnsrecord-add example.com @ --ns-rec=nameserver2.example.com\n"
-"\n"
-" Add a mail server for example.com:\n"
-"   ipa dnsrecord-add example.com @ --mx-rec=\"10 mail1\"\n"
-"\n"
-" Add another record using MX record specific options:\n"
-"  ipa dnsrecord-add example.com @ --mx-preference=20 --mx-exchanger=mail2\n"
-"\n"
-" Add another record using interactive mode (started when dnsrecord-add, "
-"dnsrecord-mod,\n"
-" or dnsrecord-del are executed with no options):\n"
-"  ipa dnsrecord-add example.com @\n"
-"  Please choose a type of DNS resource record to be added\n"
-"  The most common types for this type of zone are: NS, MX, LOC\n"
-"\n"
-"  DNS resource record type: MX\n"
-"  MX Preference: 30\n"
-"  MX Exchanger: mail3\n"
-"    Record name: example.com\n"
-"    MX record: 10 mail1, 20 mail2, 30 mail3\n"
-"    NS record: nameserver.example.com., nameserver2.example.com.\n"
-"\n"
-" Delete previously added nameserver from example.com:\n"
-"   ipa dnsrecord-del example.com @ --ns-rec=nameserver2.example.com.\n"
-"\n"
-" Add LOC record for example.com:\n"
-"   ipa dnsrecord-add example.com @ --loc-rec=\"49 11 42.4 N 16 36 29.6 E "
-"227.64m\"\n"
-"\n"
-" Add new A record for www.example.com. Create a reverse record in "
-"appropriate\n"
-" reverse zone as well. In this case a PTR record \"2\" pointing to www."
-"example.com\n"
-" will be created in zone 15.142.80.in-addr.arpa.\n"
-"   ipa dnsrecord-add example.com www --a-rec=80.142.15.2 --a-create-reverse\n"
-"\n"
-" Add new PTR record for www.example.com\n"
-"   ipa dnsrecord-add 15.142.80.in-addr.arpa. 2 --ptr-rec=www.example.com.\n"
-"\n"
-" Add new SRV records for LDAP servers. Three quarters of the requests\n"
-" should go to fast.example.com, one quarter to slow.example.com. If neither\n"
-" is available, switch to backup.example.com.\n"
-"   ipa dnsrecord-add example.com _ldap._tcp --srv-rec=\"0 3 389 fast.example."
-"com\"\n"
-"   ipa dnsrecord-add example.com _ldap._tcp --srv-rec=\"0 1 389 slow.example."
-"com\"\n"
-"   ipa dnsrecord-add example.com _ldap._tcp --srv-rec=\"1 1 389 backup."
-"example.com\"\n"
-"\n"
-" The interactive mode can be used for easy modification:\n"
-"  ipa dnsrecord-mod example.com _ldap._tcp\n"
-"  No option to modify specific record provided.\n"
-"  Current DNS record contents:\n"
-"\n"
-"  SRV record: 0 3 389 fast.example.com, 0 1 389 slow.example.com, 1 1 389 "
-"backup.example.com\n"
-"\n"
-"  Modify SRV record '0 3 389 fast.example.com'? Yes/No (default No):\n"
-"  Modify SRV record '0 1 389 slow.example.com'? Yes/No (default No): y\n"
-"  SRV Priority [0]:                     (keep the default value)\n"
-"  SRV Weight [1]: 2                     (modified value)\n"
-"  SRV Port [389]:                       (keep the default value)\n"
-"  SRV Target [slow.example.com]:        (keep the default value)\n"
-"  1 SRV record skipped. Only one value per DNS record type can be modified "
-"at one time.\n"
-"    Record name: _ldap._tcp\n"
-"    SRV record: 0 3 389 fast.example.com, 1 1 389 backup.example.com, 0 2 "
-"389 slow.example.com\n"
-"\n"
-" After this modification, three fifths of the requests should go to\n"
-" fast.example.com and two fifths to slow.example.com.\n"
-"\n"
-" An example of the interactive mode for dnsrecord-del command:\n"
-"   ipa dnsrecord-del example.com www\n"
-"   No option to delete specific record provided.\n"
-"   Delete all? Yes/No (default No):     (do not delete all records)\n"
-"   Current DNS record contents:\n"
-"\n"
-"   A record: 1.2.3.4, 11.22.33.44\n"
-"\n"
-"   Delete A record '1.2.3.4'? Yes/No (default No):\n"
-"   Delete A record '11.22.33.44'? Yes/No (default No): y\n"
-"     Record name: www\n"
-"     A record: 1.2.3.4                  (A record 11.22.33.44 has been "
-"deleted)\n"
-"\n"
-" Show zone example.com:\n"
-"   ipa dnszone-show example.com\n"
-"\n"
-" Find zone with \"example\" in its domain name:\n"
-"   ipa dnszone-find example\n"
-"\n"
-" Find records for resources with \"www\" in their name in zone example.com:\n"
-"   ipa dnsrecord-find example.com www\n"
-"\n"
-" Find A records with value 10.10.0.1 in zone example.com\n"
-"   ipa dnsrecord-find example.com --a-rec=10.10.0.1\n"
-"\n"
-" Show records for resource www in zone example.com\n"
-"   ipa dnsrecord-show example.com www\n"
-"\n"
-" Delegate zone sub.example to another nameserver:\n"
-"   ipa dnsrecord-add example.com ns.sub --a-rec=10.0.100.5\n"
-"   ipa dnsrecord-add example.com sub --ns-rec=ns.sub.example.com.\n"
-"\n"
-" If global forwarder is configured, all requests to sub.example.com will be\n"
-" routed through the global forwarder. To change the behavior for example."
-"com\n"
-" zone only and forward the request directly to ns.sub.example.com., global\n"
-" forwarding may be disabled per-zone:\n"
-"   ipa dnszone-mod example.com --forward-policy=none\n"
-"\n"
-" Forward all requests for the zone external.com to another nameserver using\n"
-" a \"first\" policy (it will send the queries to the selected forwarder and "
-"if\n"
-" not answered it will use global resolvers):\n"
-"   ipa dnszone-add external.com\n"
-"   ipa dnszone-mod external.com --forwarder=10.20.0.1 \\\n"
-"                                --forward-policy=first\n"
-"\n"
-" Delete zone example.com with all resource records:\n"
-"   ipa dnszone-del example.com\n"
-"\n"
-" Resolve a host name to see if it exists (will add default IPA domain\n"
-" if one is not included):\n"
-"   ipa dns-resolve www.example.com\n"
-"   ipa dns-resolve www\n"
-"\n"
-"\n"
-"GLOBAL DNS CONFIGURATION\n"
-"\n"
-"DNS configuration passed to command line install script is stored in a "
-"local\n"
-"configuration file on each IPA server where DNS service is configured. "
-"These\n"
-"local settings can be overridden with a common configuration stored in LDAP\n"
-"server:\n"
-"\n"
-" Show global DNS configuration:\n"
-"   ipa dnsconfig-show\n"
-"\n"
-" Modify global DNS configuration and set a list of global forwarders:\n"
-"   ipa dnsconfig-mod --forwarder=10.0.0.1\n"
-msgstr ""
-"\n"
-"Domain Name System (DNS)\n"
-"\n"
-"Gestion des zones DNS et des enregistrements de ressource.\n"
-"\n"
-"UTILISATION D'OPTIONS STRUCTURÉES PAR TYPE\n"
-"\n"
-"Il existe de nombreux types structurés de RR DNS où les données DNS "
-"stockées\n"
-"dans le serveur LDAP ne sont pas seulement des valeurs scalaires, par "
-"exemple\n"
-"une adresse IP ou un nom de domaine, mais une structure de données qui "
-"peut \n"
-"être souvent complexe. Un bon exemple est un enregistrement LOC [RFC1876] "
-"qui \n"
-"se compose de plusieurs parties obligatoires et facultatives (degrés, "
-"minutes,\n"
-"secondes de latitude et de longitude, altitude ou précision).\n"
-"\n"
-"Il peut être difficile de manipuler ces enregistrements DNS sans se tromper\n"
-"et entrer une valeur invalide. Le module DNS fournit une abstraction sur "
-"ces\n"
-"enregistrements bruts et permet de manipuler chaque type RR avec des "
-"options \n"
-"spécifiques. Pour chaque type RR pris en charge, le module DNS fournit une \n"
-"option standard pour manipuler les enregistrements bruts avec un format\n"
-"--<rrtype>-rec, par exemple --mx-rec, ainsi que des options spéciales\n"
-"pour chaque partie de la structure RR avec le format --<rrtype>-<partname>,\n"
-"par exemple, --mx-preference and --mx-exchanger.\n"
-"\n"
-"Lors de l'ajout d'un enregistrement, les options standards ou les options\n"
-"spécifiques peuvent au choix être utilisées, mais ne peuvent être combinées\n"
-"au sein de la même commande. Lors de la modification d'une entrée "
-"existante,\n"
-"de nouvelles options spécifiques RR peuvent être utilisés pour changer une \n"
-"partie d'un enregistrement DNS, où l'option standard pour la valeur brute "
-"est\n"
-"utilisée pour spécifier la valeur modifiée. L'exemple suivant montre une \n"
-"modification de la préférence du MX de 0 à 1 dans un enregistrement\n"
-"existant, sans modifier le MX lui-même :\n"
-"ipa dnsrecord-mod --mx-rec=\"0 mx.example.com.\" --mx-preference=1\n"
-"\n"
-"\n"
-"EXEMPLES :\n"
-"\n"
-" Ajouter une nouvelle zone :\n"
-"   ipa dnszone-add example.com --name-server=ns \\\n"
-"                               --admin-email=admin@example.com \\\n"
-"                               --ip-address=10.0.0.1\n"
-" Ajouter une permission ssytème afin de pouvoir utiliser la délégation\n"
-" de privilège par zone :\n"
-"   ipa dnszone-add-permission example.com\n"
-"\n"
-" Modifier la zone pour permettre les mises à jour dynamiques des\n"
-" enregistrements des systèmes du domaine EXAMPLE.COM :\n"
-"   ipa dnszone-mod example.com --dynamic-update=TRUE\n"
-"\n"
-" Ceci est l'équivalent de :\n"
-"   ipa dnszone-mod example.com --dynamic-update=TRUE \\\n"
-"      --update-policy=\"grant EXAMPLE.COM krb5-self * A; grant EXAMPLE.COM "
-"krb5-self * AAAA; grant EXAMPLE.COM krb5-self * SSHFP;\"\n"
-"\n"
-" Modifier la zone afin de permettre les transferts de zone pour les réseaux\n"
-" locaux uniquement :\n"
-"   ipa dnszone-mod example.com --allow-transfer=10.0.0.0/8\n"
-"\n"
-" Ajouter une nouvelle zone inverse spécifiée par son adresse de réseau :\n"
-"   ipa dnszone-add --name-from-ip=80.142.15.0/24 \\\n"
-"                   --name-server=ns.example.com.\n"
-"\n"
-" Ajouter un second serveur de nom pour example.com:\n"
-"   ipa dnsrecord-add example.com @ --ns-rec=nameserver2.example.com\n"
-"\n"
-" Ajouter un serveur de messagerie pour example.com:\n"
-"   ipa dnsrecord-add example.com @ --mx-rec=\"10 mail1\"\n"
-"\n"
-" Ajouter un nouvel enregistrement avec les options spécifiques MX :\n"
-"  ipa dnsrecord-add example.com @ --mx-preference=20 --mx-exchanger=mail2\n"
-"\n"
-" Ajouter un nouvel enregistrement grâce au mode interactif (lancé lorsque "
-"dnsrecord-add,\n"
-" dnsrecord-mod ou dnsrecord-del sont exécutés sans options) :\n"
-"  ipa dnsrecord-add example.com @\n"
-"  Merci de choisir un type de ressource DNS pour l'enregistrement à "
-"ajouter.\n"
-"  Les types les plus courants pour ce type de zone sont : NS, MX, LOC\n"
-"\n"
-"  Type de ressource d'enregistrement DNS : MX\n"
-"  Préférence MX : 30\n"
-"  Échangeur MX : mail3\n"
-"    Nom d'enregistrement : example.com\n"
-"    Enregistrement MX : 10 mail1, 20 mail2, 30 mail3\n"
-"    Enregistrement NS : nameserver.example.com., nameserver2.example.com.\n"
-"\n"
-" Supprimer un serveur de nom précédemment défini pour example.com:\n"
-"   ipa dnsrecord-del example.com @ --ns-rec=nameserver2.example.com.\n"
-"\n"
-" Ajouter un enregistrement LOC pour example.com:\n"
-"   ipa dnsrecord-add example.com @ --loc-rec=\"49 11 42.4 N 16 36 29.6 E "
-"227.64m\"\n"
-"\n"
-" Ajouter un nouvel enregistrement A pour www.example.com. Créer aussi un\n"
-" enregistrement inverse. Dans ce cas, un enregistrement PTR « 2 » pointant\n"
-" vers www.example.com sera créé dans la zone 15.142.80.in-addr.arpa.\n"
-"   ipa dnsrecord-add example.com www --a-rec=80.142.15.2 --a-create-reverse\n"
-"\n"
-" Ajouter un nouvel enregistrement PTR pour www.example.com\n"
-"   ipa dnsrecord-add 15.142.80.in-addr.arpa. 2 --ptr-rec=www.example.com.\n"
-"\n"
-" Ajouter de nouveaux enregistrement SRV pour les serveurs LDAP. Les trois "
-"quarts\n"
-" des requêtes doivent aller sur fast.example.com, un quart sur slow.example."
-"com.\n"
-" Si aucune n'est disponible, basculer sur backup.example.com.\n"
-"   ipa dnsrecord-add example.com _ldap._tcp --srv-rec=\"0 3 389 fast.example."
-"com\"\n"
-"   ipa dnsrecord-add example.com _ldap._tcp --srv-rec=\"0 1 389 slow.example."
-"com\"\n"
-"   ipa dnsrecord-add example.com _ldap._tcp --srv-rec=\"1 1 389 backup."
-"example.com\"\n"
-"\n"
-" Le mode interactif peut être utilisé pour faciliter les modifications :\n"
-"  ipa dnsrecord-mod example.com _ldap._tcp\n"
-"  Aucune option spécifiées pour modifier l'enregistrement demandé.\n"
-"  Contenu actuel de l'enregistrement DNS :\n"
-"\n"
-"  Enregistrement SRV : 0 3 389 fast.example.com, 0 1 389 slow.example.com, 1 "
-"1 389 backup.example.com\n"
-"\n"
-"  Modifier l'enregistrement SRV '0 3 389 fast.example.com'? Oui/Non (par "
-"défaut Non): \n"
-"  Modifier l'enregistrement SRV '0 1 389 slow.example.com'? Oui/Non (Par "
-"défaut Non): o\n"
-"  Priorité SRV [0]:                     (garder la valeur par défaut)\n"
-"  Poids SRV [1]: 2                      (modifier la valeur)\n"
-"  Port SRV [389]:                       (garder la valeur par défaut)\n"
-"  Cible SRV [slow.example.com]:         (garder la valeur par défaut)\n"
-"  1 enregistrement SRV sauté. Seule une valeur par enregistrement DNS peut "
-"être modifié un instant donné.\n"
-"    Nom d'enregistrement : _ldap._tcp\n"
-"    Enregistrement SRV : 0 3 389 fast.example.com, 1 1 389 backup.example."
-"com, 0 2 389 slow.example.com\n"
-"\n"
-" Après cette modification, trois cinquièmes des requêtes devraient aller "
-"sur\n"
-" fast.example.com et deux cinquièmes sur slow.example.com.\n"
-"\n"
-" Un exemple d'utilisation du mode interactif pour la commande dnsrecord-"
-"del :\n"
-"   ipa dnsrecord-del example.com www\n"
-"   Pas d'option fournie pour supprimer un enregistrement spécifique.\n"
-"   Tout supprimer ? Oui/Non (Défault: Non):     (ne pas détruire tous les "
-"enregistrements)\n"
-"   Contenu actuel de l'enregistrement DNS :\n"
-"\n"
-"   Enregistrement A : 1.2.3.4, 11.22.33.44\n"
-"\n"
-"   Supprimer l'enregistrement A '1.2.3.4'? Oui/Non (par défaut: Non): \n"
-"   Supprimer l'enregistrement A '11.22.33.44'? Oui/Non (par défaut: Non): o\n"
-"     Nom de l'enregistrement : www\n"
-"     Enregistrement A : 1.2.3.4                  (Enregistrement A "
-"11.22.33.44 a été supprimé)\n"
-"\n"
-" Afficher la zone example.com :\n"
-"   ipa dnszone-show example.com\n"
-"\n"
-" Chercher les zones contenant \"example\" dans le nom de domaine :\n"
-"   ipa dnszone-find example\n"
-"\n"
-" Chercher les enregistrements pour les ressources dont le nom contient \"www"
-"\" dans la zone example.com :\n"
-"   ipa dnsrecord-find example.com www\n"
-"\n"
-" Chercher les enregistrements A de valeur 10.10.0.1 dans la zone example."
-"com\n"
-"   ipa dnsrecord-find example.com --a-rec=10.10.0.1\n"
-"\n"
-" Afficher les enregistrements pour la ressource www dans la zone example."
-"com\n"
-"   ipa dnsrecord-show example.com www\n"
-"\n"
-" Déléguer la zone sub.example à un autre serveur de noms :\n"
-"   ipa dnsrecord-add example.com ns.sub --a-rec=10.0.100.5\n"
-"   ipa dnsrecord-add example.com sub --ns-rec=ns.sub.example.com.\n"
-"\n"
-" Si un fournisseur global est configuré, toutes les requêtes à sub.example."
-"com\n"
-" seront routées vers le fournisseur global. Pour modifier le comportement "
-"pour\n"
-" la zone example.com uniquement et transférer les requêtes directement à\n"
-" ns.sub.example.com., la transmission globale peut être désactivée zone par "
-"zone :\n"
-"   ipa dnszone-mod example.com --forward-policy=none\n"
-"\n"
-" Transmet toutes les requêtes pour la zone external.com vers un autre "
-"serveur de\n"
-" noms primant (first) sur le global (il envoie les requêtes au fournisseur \n"
-" sélectionné, et s'il n'a pas de réponse, utilise le transmetteur global) :\n"
-"   ipa dnszone-add external.com\n"
-"   ipa dnszone-mod external.com --forwarder=10.20.0.1 \\\n"
-"                                --forward-policy=first\n"
-"\n"
-" Supprimer la zone example.com avec toutes ses ressources :\n"
-"   ipa dnszone-del example.com\n"
-"\n"
-" Résoudre un nom de système afin de vérifier son existence (ajout "
-"automatique du nom de domaine IPA\n"
-" si non spécifié) :\n"
-"   ipa dns-resolve www.example.com\n"
-"   ipa dns-resolve www\n"
-"\n"
-"\n"
-"CONFIGURATION DNS GLOBALE\n"
-"\n"
-"La configuration DNS passée au script d'installation en ligne de commande "
-"est \n"
-"stockée dans un fichier de configuration local sur chaque serveur IPA lors "
-"de \n"
-"la configuration du service DNS. Cette configuration locale peut être "
-"surchargée\n"
-"par une configuration stockée dans l'annuaire LDAP :\n"
-"\n"
-" Afficher la configuration DNS globale :\n"
-"   ipa dnsconfig-show\n"
-"\n"
-" Modifier la configuration DNS globale et définit une liste de transmetteurs "
-"globaux :\n"
-"   ipa dnsconfig-mod --forwarder=10.0.0.1\n"
-
 msgid "Permission value"
 msgstr "Valeur de permission"
 
@@ -3070,15 +2632,6 @@ msgstr "'%(required)s' ne doit pas être vide lorsque '%(name)s' est défini"
 msgid "A host willing to act as a mail exchanger"
 msgstr "Un système désirant agir comme échangeur de messagerie"
 
-msgid "Flags"
-msgstr "Drapeaux"
-
-msgid "Iterations"
-msgstr "Itérations"
-
-msgid "Salt"
-msgstr "Graine"
-
 msgid "flags must be one of \"S\", \"A\", \"U\", or \"P\""
 msgstr ""
 "les drapeaux doivent être une valeur parmi « S », « A », « U », ou « P »"
@@ -3086,6 +2639,9 @@ msgstr ""
 msgid "Order"
 msgstr "Ordre"
 
+msgid "Flags"
+msgstr "Drapeaux"
+
 msgid "Service"
 msgstr "Service"
 
@@ -11450,9 +11006,3 @@ msgstr "Échec à la création de la clé !\n"
 
 msgid "Bad or unsupported salt type.\n"
 msgstr "Type de sel non-conforme ou non pris en compte.\n"
-
-#~ msgid "Display length"
-#~ msgstr "Longueur de l'affichage"
-
-#~ msgid "Unable to set ldap options!\n"
-#~ msgstr "Impossible de définir les options LDAP !\n"

install/po/hi.po

@@ -0,0 +1,81 @@
+# SOME DESCRIPTIVE TITLE.
+# Copyright (C) YEAR Red Hat
+# This file is distributed under the same license as the PACKAGE package.
+#
+# Translators:
+# solomonsunder <solomonsunder@gmail.com>, 2014
+msgid ""
+msgstr ""
+"Project-Id-Version: FreeIPA\n"
+"Report-Msgid-Bugs-To: https://hosted.fedoraproject.org/projects/freeipa/"
+"newticket\n"
+"POT-Creation-Date: 2014-07-07 15:24+0200\n"
+"PO-Revision-Date: 2014-07-04 21:21+0000\n"
+"Last-Translator: solomonsunder <solomonsunder@gmail.com>\n"
+"Language-Team: Hindi (http://www.transifex.com/projects/p/freeipa/language/"
+"hi/)\n"
+"Language: hi\n"
+"MIME-Version: 1.0\n"
+"Content-Type: text/plain; charset=UTF-8\n"
+"Content-Transfer-Encoding: 8bit\n"
+"Plural-Forms: nplurals=2; plural=(n != 1);\n"
+
+#, python-format
+msgid "Enter %(label)s again to verify: "
+msgstr "सत्यापित करने के लिए फिर से %(label)s दर्ज करें:"
+
+#, c-format
+msgid "Passwords do not match!"
+msgstr "पासवर्ड मेल नहीं खाते"
+
+msgid "an internal error has occurred"
+msgstr "एक आंतरिक त्रुटि हुई है"
+
+msgid "did not receive Kerberos credentials"
+msgstr "कर्बेरॉस क्रेडेंशियल्स प्राप्त नहीं हुआ"
+
+msgid "No credentials cache found"
+msgstr "कैश क्रेडेंशियल्स नहीं मिली"
+
+msgid "Ticket expired"
+msgstr "टिकट समाप्त"
+
+msgid "Credentials cache permissions incorrect"
+msgstr "क्रेडेंशियल्स कैश अनुमतियाँ गलत"
+
+msgid "Bad format in credentials cache"
+msgstr "क्रेडेंशियल्स कैश में बुरा प्रारूप"
+
+msgid "Cannot resolve KDC for requested realm"
+msgstr "अनुरोधित दायरे के लिए KDC हल नहीं कर सकता"
+
+msgid "Passwords do not match"
+msgstr "पासवर्ड मेल नहीं खाते"
+
+msgid "This command requires root access"
+msgstr "इस आदेश को रूट मूल अभिगम की आवश्यकता है"
+
+msgid "This is already a posix group"
+msgstr "यह पहले से ही एक पोसिक्स समूह है"
+
+msgid "A group may not be a member of itself"
+msgstr "एक समूह खुद के ही सदस्य नहीं हो सकता"
+
+#, python-format
+msgid "Base64 decoding failed: %(reason)s"
+msgstr "बेस६४ डिकोडिंग विफल: %(reason)s"
+
+msgid "A list of LDAP entries"
+msgstr "LDAP प्रविष्टियों की सूची"
+
+msgid "All commands should at least have a result"
+msgstr "सभी आदेशों का कम से कम परिणाम होना चाहिए"
+
+msgid "incorrect type"
+msgstr "गलत प्रकार"
+
+msgid "Only one value is allowed"
+msgstr "केवल एक मान की अनुमति है"
+
+msgid "must be True or False"
+msgstr "सही या गलत होना चाहिए"

install/po/hu.po

@@ -0,0 +1,167 @@
+# SOME DESCRIPTIVE TITLE.
+# Copyright (C) YEAR Red Hat
+# This file is distributed under the same license as the PACKAGE package.
+#
+# Translators:
+# Endre ZELENA, 2014
+msgid ""
+msgstr ""
+"Project-Id-Version: FreeIPA\n"
+"Report-Msgid-Bugs-To: https://hosted.fedoraproject.org/projects/freeipa/"
+"newticket\n"
+"POT-Creation-Date: 2014-07-07 15:24+0200\n"
+"PO-Revision-Date: 2014-07-03 08:37+0000\n"
+"Last-Translator: Petr Viktorin <encukou@gmail.com>\n"
+"Language-Team: Hungarian (http://www.transifex.com/projects/p/freeipa/"
+"language/hu/)\n"
+"Language: hu\n"
+"MIME-Version: 1.0\n"
+"Content-Type: text/plain; charset=UTF-8\n"
+"Content-Transfer-Encoding: 8bit\n"
+"Plural-Forms: nplurals=2; plural=(n != 1);\n"
+
+msgid "Passwords do not match"
+msgstr "A jelszavak nem egyeznek meg"
+
+msgid "This command requires root access"
+msgstr "Ez a parancs rendszergazdai jogosultságot igényel"
+
+msgid "This is already a posix group"
+msgstr "Ez egy létező POSIX csoport"
+
+msgid "A group may not be a member of itself"
+msgstr "Egy csoport nem lehet tagja önmagának"
+
+#, python-format
+msgid "Base64 decoding failed: %(reason)s"
+msgstr "Base64 kicsomagolás sikertelen: %(reason)s"
+
+msgid "The default users group cannot be removed"
+msgstr "Az alapértelmezett csoport nem távolítható el"
+
+#, python-format
+msgid "Certificate format error: %(error)s"
+msgstr "Tanúsítványhiba: %(error)s"
+
+msgid "A list of LDAP entries"
+msgstr "LDAP-bejegyzések listája"
+
+#, python-format
+msgid "Group '%s' does not exist"
+msgstr "A '%s' csoport nem létezik"
+
+msgid "User group"
+msgstr "Felhasználói csport"
+
+msgid "Permissions"
+msgstr "Jogosultságok"
+
+msgid "Description"
+msgstr "Leírás"
+
+msgid "Certificate"
+msgstr "Tanúsítvány"
+
+msgid "Subject"
+msgstr "Tárgy"
+
+msgid "Issuer"
+msgstr "Kibocsátó"
+
+msgid "Not Before"
+msgstr "Érvényesség kezdete"
+
+msgid "Not After"
+msgstr "Érvényesség vége"
+
+msgid "Fingerprint (MD5)"
+msgstr "Ujjlenyomat (MD5)"
+
+msgid "Fingerprint (SHA1)"
+msgstr "Ujjlenyomat (SHA1)"
+
+msgid "Serial number"
+msgstr "Sorozatszám"
+
+msgid "Request id"
+msgstr "Igénylés azonosítója"
+
+msgid "Request status"
+msgstr "Igénylés állapota"
+
+msgid "Revocation reason"
+msgstr "Visszavonás oka"
+
+msgid "Revoked"
+msgstr "Visszavont"
+
+msgid "Reason"
+msgstr "Ok"
+
+msgid "Default shell"
+msgstr "Alapértelmezett shell"
+
+msgid "Default users group"
+msgstr "Alapértelmezett csoport"
+
+msgid "Zone name (FQDN)"
+msgstr "Zóna neve (FQDN)"
+
+msgid "SOA serial"
+msgstr "SOA sorozatszám"
+
+msgid "GID"
+msgstr "GID"
+
+msgid "GID (use this option to set it manually)"
+msgstr "GID (kézzel történő beállításhoz)"
+
+msgid "change to a POSIX group"
+msgstr "POSIX-csoportra módosít"
+
+msgid "Rule name"
+msgstr "Szabály neve"
+
+msgid "Services"
+msgstr "Szolgáltatások"
+
+msgid "Service Groups"
+msgstr "Szolgáltatás-csoportok"
+
+msgid "Service name"
+msgstr "Szolgáltatás neve"
+
+msgid "Service group name"
+msgstr "Szolgáltatás-csoport neve"
+
+msgid "HBAC service group description"
+msgstr "HBAC szolgáltatás-csoport leírása"
+
+msgid "LDAP URI"
+msgstr "LDAP URI"
+
+msgid "Max lifetime (days)"
+msgstr "Élettartam legfeljebb (nap)"
+
+msgid "Maximum password lifetime (in days)"
+msgstr "Jelszó maximális élettartama (nap)"
+
+msgid "Min lifetime (hours)"
+msgstr "Minimális élettartam (óra)"
+
+msgid "Minimum password lifetime (in hours)"
+msgstr "Jelszó minimális élettartama (óra)"
+
+msgid "Password history size"
+msgstr "Megőrzött jelszavak (darab)"
+
+msgid "Character classes"
+msgstr "Karakterosztályok"
+
+#, python-format
+msgid "Added service \"%(value)s\""
+msgstr "A %(value)s szolgáltatás hozzáadva"
+
+#, python-format
+msgid "Deleted service \"%(value)s\""
+msgstr "A %(value)s szolgáltatás eltávolítva"

install/po/id.po

@@ -10,8 +10,8 @@ msgstr ""
 "Project-Id-Version: FreeIPA\n"
 "Report-Msgid-Bugs-To: https://hosted.fedoraproject.org/projects/freeipa/"
 "newticket\n"
-"POT-Creation-Date: 2014-06-27 16:29+0200\n"
-"PO-Revision-Date: 2014-06-25 19:44+0000\n"
+"POT-Creation-Date: 2014-07-07 15:24+0200\n"
+"PO-Revision-Date: 2014-07-03 08:37+0000\n"
 "Last-Translator: Petr Viktorin <encukou@gmail.com>\n"
 "Language-Team: Indonesian (http://www.transifex.com/projects/p/freeipa/"
 "language/id/)\n"

install/po/ja.po

@@ -10,8 +10,8 @@ msgstr ""
 "Project-Id-Version: FreeIPA\n"
 "Report-Msgid-Bugs-To: https://hosted.fedoraproject.org/projects/freeipa/"
 "newticket\n"
-"POT-Creation-Date: 2014-06-27 16:29+0200\n"
-"PO-Revision-Date: 2014-06-25 19:44+0000\n"
+"POT-Creation-Date: 2014-07-07 15:24+0200\n"
+"PO-Revision-Date: 2014-07-03 08:37+0000\n"
 "Last-Translator: Petr Viktorin <encukou@gmail.com>\n"
 "Language-Team: Japanese (http://www.transifex.com/projects/p/freeipa/"
 "language/ja/)\n"

install/po/kn.po

@@ -10,8 +10,8 @@ msgstr ""
 "Project-Id-Version: FreeIPA\n"
 "Report-Msgid-Bugs-To: https://hosted.fedoraproject.org/projects/freeipa/"
 "newticket\n"
-"POT-Creation-Date: 2014-06-27 16:29+0200\n"
-"PO-Revision-Date: 2014-06-25 19:44+0000\n"
+"POT-Creation-Date: 2014-07-07 15:24+0200\n"
+"PO-Revision-Date: 2014-07-03 08:37+0000\n"
 "Last-Translator: Petr Viktorin <encukou@gmail.com>\n"
 "Language-Team: Kannada (http://www.transifex.com/projects/p/freeipa/language/"
 "kn/)\n"

install/po/nl.po

@@ -9,8 +9,8 @@ msgstr ""
 "Project-Id-Version: FreeIPA\n"
 "Report-Msgid-Bugs-To: https://hosted.fedoraproject.org/projects/freeipa/"
 "newticket\n"
-"POT-Creation-Date: 2014-06-27 16:29+0200\n"
-"PO-Revision-Date: 2014-06-25 19:44+0000\n"
+"POT-Creation-Date: 2014-07-07 15:24+0200\n"
+"PO-Revision-Date: 2014-07-03 08:37+0000\n"
 "Last-Translator: Petr Viktorin <encukou@gmail.com>\n"
 "Language-Team: Dutch (http://www.transifex.com/projects/p/freeipa/language/"
 "nl/)\n"

install/po/pl.po

@@ -11,8 +11,8 @@ msgstr ""
 "Project-Id-Version: FreeIPA\n"
 "Report-Msgid-Bugs-To: https://hosted.fedoraproject.org/projects/freeipa/"
 "newticket\n"
-"POT-Creation-Date: 2014-06-27 16:29+0200\n"
-"PO-Revision-Date: 2014-06-25 19:44+0000\n"
+"POT-Creation-Date: 2014-07-07 15:24+0200\n"
+"PO-Revision-Date: 2014-07-03 08:37+0000\n"
 "Last-Translator: Petr Viktorin <encukou@gmail.com>\n"
 "Language-Team: Polish (http://www.transifex.com/projects/p/freeipa/language/"
 "pl/)\n"
@@ -1630,6 +1630,3 @@ msgstr "Utworzenie losowego klucza nie powiodło się.\n"
 
 msgid "Failed to create key!\n"
 msgstr "Utworzenie klucza nie powiodło się.\n"
-
-#~ msgid "Unable to set ldap options!\n"
-#~ msgstr "Nie można ustawić opcji LDAP.\n"

install/po/ru.po

@@ -12,8 +12,8 @@ msgstr ""
 "Project-Id-Version: FreeIPA\n"
 "Report-Msgid-Bugs-To: https://hosted.fedoraproject.org/projects/freeipa/"
 "newticket\n"
-"POT-Creation-Date: 2014-06-27 16:29+0200\n"
-"PO-Revision-Date: 2014-06-25 19:44+0000\n"
+"POT-Creation-Date: 2014-07-07 15:24+0200\n"
+"PO-Revision-Date: 2014-07-03 08:37+0000\n"
 "Last-Translator: Petr Viktorin <encukou@gmail.com>\n"
 "Language-Team: Russian (http://www.transifex.com/projects/p/freeipa/language/"
 "ru/)\n"

install/po/tg.po

@@ -9,8 +9,8 @@ msgstr ""
 "Project-Id-Version: FreeIPA\n"
 "Report-Msgid-Bugs-To: https://hosted.fedoraproject.org/projects/freeipa/"
 "newticket\n"
-"POT-Creation-Date: 2014-06-27 16:29+0200\n"
-"PO-Revision-Date: 2014-06-25 19:44+0000\n"
+"POT-Creation-Date: 2014-07-07 15:24+0200\n"
+"PO-Revision-Date: 2014-07-03 08:37+0000\n"
 "Last-Translator: Petr Viktorin <encukou@gmail.com>\n"
 "Language-Team: Tajik (http://www.transifex.com/projects/p/freeipa/language/"
 "tg/)\n"

install/po/zh_CN.po

@@ -10,8 +10,8 @@ msgstr ""
 "Project-Id-Version: FreeIPA\n"
 "Report-Msgid-Bugs-To: https://hosted.fedoraproject.org/projects/freeipa/"
 "newticket\n"
-"POT-Creation-Date: 2014-06-27 16:29+0200\n"
-"PO-Revision-Date: 2014-06-25 19:44+0000\n"
+"POT-Creation-Date: 2014-07-07 15:24+0200\n"
+"PO-Revision-Date: 2014-07-03 08:37+0000\n"
 "Last-Translator: Petr Viktorin <encukou@gmail.com>\n"
 "Language-Team: Chinese (China) (http://www.transifex.com/projects/p/freeipa/"
 "language/zh_CN/)\n"

install/share/60ipadns.ldif

@@ -53,8 +53,8 @@ attributeTypes: ( 2.16.840.1.113730.3.8.5.15 NAME 'idnsForwarders' DESC 'list of
 attributeTypes: ( 2.16.840.1.113730.3.8.5.16 NAME 'idnsZoneRefresh' DESC 'zone refresh interval' EQUALITY integerMatch SYNTAX 1.3.6.1.4.1.1466.115.121.1.27 SINGLE-VALUE X-ORIGIN 'IPA v2' )
 attributeTypes: ( 2.16.840.1.113730.3.8.5.17 NAME 'idnsPersistentSearch' DESC 'allow persistent searches' EQUALITY booleanMatch SYNTAX 1.3.6.1.4.1.1466.115.121.1.7 SINGLE-VALUE X-ORIGIN 'IPA v2' )
 attributeTypes: ( 2.16.840.1.113730.3.8.5.18 NAME 'idnsSecInlineSigning' DESC 'allow inline DNSSEC signing' EQUALITY booleanMatch SYNTAX 1.3.6.1.4.1.1466.115.121.1.7 SINGLE-VALUE X-ORIGIN 'IPA v4.0' )
-objectClasses: ( 2.16.840.1.113730.3.8.6.0 NAME 'idnsRecord' DESC 'dns Record, usually a host' SUP top STRUCTURAL MUST idnsName MAY ( idnsAllowDynUpdate $ dNSTTL $ dNSClass $ aRecord $ aAAARecord $ a6Record $ nSRecord $ cNAMERecord $ pTRRecord $ sRVRecord $ tXTRecord $ mXRecord $ mDRecord $ hInfoRecord $ mInfoRecord $ aFSDBRecord $ SigRecord $ KeyRecord $ LocRecord $ nXTRecord $ nAPTRRecord $ kXRecord $ certRecord $ dNameRecord $ dSRecord $ sSHFPRecord $ rRSIGRecord $ nSECRecord $ nSEC3PARAMRecord $ DLVRecord $ TLSARecord ) )
-objectClasses: ( 2.16.840.1.113730.3.8.6.1 NAME 'idnsZone' DESC 'Zone class' SUP idnsRecord STRUCTURAL MUST ( idnsZoneActive $ idnsSOAmName $ idnsSOArName $ idnsSOAserial $ idnsSOArefresh $ idnsSOAretry $ idnsSOAexpire $ idnsSOAminimum ) MAY ( idnsUpdatePolicy $ idnsAllowQuery $ idnsAllowTransfer $ idnsAllowSyncPTR $ idnsForwardPolicy $ idnsForwarders $ idnsSecInlineSigning ) )
+objectClasses: ( 2.16.840.1.113730.3.8.6.0 NAME 'idnsRecord' DESC 'dns Record, usually a host' SUP top STRUCTURAL MUST idnsName MAY ( idnsAllowDynUpdate $ dNSTTL $ dNSClass $ aRecord $ aAAARecord $ a6Record $ nSRecord $ cNAMERecord $ pTRRecord $ sRVRecord $ tXTRecord $ mXRecord $ mDRecord $ hInfoRecord $ mInfoRecord $ aFSDBRecord $ SigRecord $ KeyRecord $ LocRecord $ nXTRecord $ nAPTRRecord $ kXRecord $ certRecord $ dNameRecord $ dSRecord $ sSHFPRecord $ rRSIGRecord $ nSECRecord $ DLVRecord $ TLSARecord ) )
+objectClasses: ( 2.16.840.1.113730.3.8.6.1 NAME 'idnsZone' DESC 'Zone class' SUP idnsRecord STRUCTURAL MUST ( idnsZoneActive $ idnsSOAmName $ idnsSOArName $ idnsSOAserial $ idnsSOArefresh $ idnsSOAretry $ idnsSOAexpire $ idnsSOAminimum ) MAY ( idnsUpdatePolicy $ idnsAllowQuery $ idnsAllowTransfer $ idnsAllowSyncPTR $ idnsForwardPolicy $ idnsForwarders $ idnsSecInlineSigning $ nSEC3PARAMRecord ) )
 objectClasses: ( 2.16.840.1.113730.3.8.6.2 NAME 'idnsConfigObject' DESC 'DNS global config options' STRUCTURAL MAY ( idnsForwardPolicy $ idnsForwarders $ idnsAllowSyncPTR $ idnsZoneRefresh $ idnsPersistentSearch ) )
 objectClasses: ( 2.16.840.1.113730.3.8.12.18 NAME 'ipaDNSZone' SUP top AUXILIARY MUST idnsName MAY managedBy X-ORIGIN 'IPA v3' )
 objectClasses: ( 2.16.840.1.113730.3.8.6.3 NAME 'idnsForwardZone' DESC 'Forward Zone class' SUP top STRUCTURAL MUST ( idnsName $ idnsZoneActive ) MAY ( idnsForwarders $ idnsForwardPolicy ) )

install/share/bind.named.conf.template

@@ -16,6 +16,8 @@ options {
 
 	tkey-gssapi-keytab "/etc/named.keytab";
 	pid-file "/run/named/named.pid";
+
+	dnssec-enable yes;
 };
 
 /* If you want to enable debugging, eg. using the 'rndc trace' command,

install/share/dns.ldif

@@ -7,6 +7,7 @@ cn: dns
 aci: (targetattr = "*")(version 3.0; acl "Allow read access"; allow (read,search,compare) groupdn = "ldap:///cn=Read DNS Entries,cn=permissions,cn=pbac,$SUFFIX" or userattr = "parent[0,1].managedby#GROUPDN";)
 aci: (target = "ldap:///idnsname=*,cn=dns,$SUFFIX")(version 3.0;acl "Add DNS entries in a zone";allow (add) userattr = "parent[1].managedby#GROUPDN";)
 aci: (target = "ldap:///idnsname=*,cn=dns,$SUFFIX")(version 3.0;acl "Remove DNS entries from a zone";allow (delete) userattr = "parent[1].managedby#GROUPDN";)
+aci: (targetattr = "idnsname || cn || idnsallowdynupdate || dnsttl || dnsclass || arecord || aaaarecord || a6record || nsrecord || cnamerecord || ptrrecord || srvrecord || txtrecord || mxrecord || mdrecord || hinforecord || minforecord || afsdbrecord || sigrecord || keyrecord || locrecord || nxtrecord || naptrrecord || kxrecord || certrecord || dnamerecord || dsrecord || sshfprecord || rrsigrecord || nsecrecord || idnsname || idnszoneactive || idnssoamname || idnssoarname || idnssoaserial || idnssoarefresh || idnssoaretry || idnssoaexpire || idnssoaminimum || idnsupdatepolicy || idnsallowquery || idnsallowtransfer || idnsallowsyncptr || idnsforwardpolicy || idnsforwarders || dlvrecord || idnssecinlinesigning || nsec3paramrecord || tlsarecord ")(target = "ldap:///idnsname=*,cn=dns,$SUFFIX")(version 3.0;acl "Update DNS entries in a zone";allow (write) userattr = "parent[0,1].managedby#GROUPDN";)
 
 dn: cn=DNS Administrators,cn=privileges,cn=pbac,$SUFFIX
 changetype: add

install/tools/ipa-upgradeconfig

@@ -594,6 +594,26 @@ def named_update_pid_file():
     sysupgrade.set_upgrade_state('named.conf', 'pid-file_updated', True)
     return True
 
+def named_enable_dnssec():
+    """
+    Enable dnssec in named.conf
+    """
+    if not sysupgrade.get_upgrade_state('named.conf', 'dnssec_enabled'):
+        root_logger.info('[Enabling "dnssec-enable" configuration in DNS]')
+        try:
+            bindinstance.named_conf_set_directive('dnssec-enable', 'yes',
+                                                  bindinstance.NAMED_SECTION_OPTIONS,
+                                                  str_val=False)
+        except IOError, e:
+            root_logger.error('Cannot update dnssec-enable configuration in %s: %s',
+                    bindinstance.NAMED_CONF, e)
+            return False
+    else:
+        root_logger.debug('dnssec-enabled in %s' % bindinstance.NAMED_CONF)
+
+    sysupgrade.set_upgrade_state('named.conf', 'dnssec_enabled', True)
+    return True
+
 
 def certificate_renewal_update(ca):
     """
@@ -1129,6 +1149,7 @@ def main():
                           named_enable_serial_autoincrement(),
                           named_update_gssapi_configuration(),
                           named_update_pid_file(),
+                          named_enable_dnssec(),
                          )
 
     if any(named_conf_changes):

install/ui/src/freeipa/certificate.js

@@ -1293,7 +1293,7 @@ IPA.cert.cert_update_policy = function(spec) {
 
 exp.remove_menu_item = function() {
     if (!IPA.cert.is_enabled()) {
-        menu.remove_item('identity/cert');
+        menu.remove_item('authentication/cert');
     }
 };
 

install/ui/src/freeipa/dns.js

@@ -222,7 +222,8 @@ return {
                     {
                         $type: 'checkbox',
                         name: 'idnssecinlinesigning'
-                    }
+                    },
+                    'nsec3paramrecord'
                 ]
             }],
             actions: [
@@ -1075,20 +1076,6 @@ IPA.dns.get_record_metadata = function() {
             adder_attributes: [],
             columns: ['ns_part_hostname']
         },
-        {
-            name: 'nsec3paramrecord',
-            attributes: [
-                'nsec3param_part_algorithm',
-                'nsec3param_part_flags',
-                'nsec3param_part_iterations',
-                'nsec3param_part_salt'
-            ],
-            adder_attributes: [],
-            columns: [
-                'nsec3param_part_algorithm', 'nsec3param_part_flags',
-                'nsec3param_part_iterations', 'nsec3param_part_salt'
-            ]
-        },
         {
             name: 'ptrrecord',
             attributes: [
@@ -1524,7 +1511,7 @@ IPA.dns_record_types = function() {
     //only supported
     var attrs = ['A', 'AAAA', 'A6', 'AFSDB', 'CERT', 'CNAME', 'DNAME',
                    'DS', 'DLV', 'KX', 'LOC', 'MX', 'NAPTR', 'NS',
-                   'NSEC3PARAM', 'PTR', 'SRV', 'SSHFP', 'TLSA', 'TXT'];
+                   'PTR', 'SRV', 'SSHFP', 'TLSA', 'TXT'];
     var record_types = [];
     for (var i=0; i<attrs.length; i++) {
         var attr = attrs[i];
@@ -2543,7 +2530,7 @@ IPA.network_validator = function(spec) {
 
 exp.remove_menu_item = function() {
     if (!IPA.dns_enabled) {
-        menu.remove_item('identity/dns');
+        menu.remove_item('network_services/dns');
     }
 };
 

install/ui/src/freeipa/ipa.js

@@ -36,9 +36,10 @@ define([
         './reg',
         './rpc',
         './text',
+        './util',
         'exports'
     ], function(Deferred, keys, topic, $, JSON, i18n, auth, datetime,
-        metadata_provider, builder, reg, rpc, text, exports) {
+        metadata_provider, builder, reg, rpc, text, util, exports) {
 
 /**
  * @class
@@ -830,32 +831,6 @@ IPA.error_dialog = function(spec) {
     /** @property {string[]} visible_buttons=['retry', 'cancel'] Visible button names */
     that.visible_buttons = spec.visible_buttons || ['retry', 'cancel'];
 
-    /**
-     * Beautify error message
-     *
-     * Multi-lined text may contain TAB character as first char of the line
-     * to hint at marking the whole line differently.
-     * @param {jQuery} container Container to add the beautified message.
-     * @param {string} message
-     */
-    that.beautify_message = function(container, message) {
-        var lines = message.split(/\n/g);
-        var line_span;
-        for(var i=0; i<lines.length; i++) {
-
-            if (lines[i].charAt(0) == '\t') {
-                line_span = $('<p />', {
-                    'class': 'error-message-hinted',
-                    text: lines[i].substr(1)
-                }).appendTo(container);
-            } else {
-                line_span = $('<p />', {
-                    text: lines[i]
-                }).appendTo(container);
-            }
-        }
-    };
-
     /** @inheritDoc */
     that.create_content = function() {
         if (that.error_thrown.url) {
@@ -865,7 +840,7 @@ IPA.error_dialog = function(spec) {
         }
 
         var error_message = $('<div />', {});
-        that.beautify_message(error_message, that.error_thrown.message);
+        error_message.append(util.beautify_message(that.error_thrown.message));
         error_message.appendTo(that.container);
 
         if(that.errors && that.errors.length > 0) {
@@ -896,7 +871,7 @@ IPA.error_dialog = function(spec) {
                 var error = that.errors[i];
                 if(error.message) {
                     var error_div = $('<li />', {});
-                    that.beautify_message(error_div, error.message);
+                    error_div.append(util.beautify_message(error.message));
                     error_div.appendTo(errors_container);
                 }
             }
@@ -1161,36 +1136,38 @@ IPA.notify = function(message, type, timeout) {
 
     if (!message) return; // don't show undefined, null and such
 
-    message = text.get(message);
-
-    function destroy_timeout() {
-        if (IPA.notify_success.timeout) window.clearTimeout(IPA.notify_success.timeout);
+    if (typeof message === 'string') {
+        message = text.get(message);
     }
 
-    var notification_area = $('.notification-area');
+    var notification_area = $('#notification .notification-area');
     if (notification_area.length === 0) {
         notification_area =  $('<div/>', {
-            'class': 'notification-area',
-            click: function() {
-                destroy_timeout();
-                notification_area.fadeOut(100);
-            }
+            'class': 'notification-area'
         });
-
         notification_area.appendTo('#notification');
     }
-    notification_area.empty();
-
     var alert = IPA.alert_helper.create_alert('msg', message, type);
-    var el = IPA.alert_helper.render_alert(alert);
+    var el = IPA.alert_helper.render_alert(alert, true);
     notification_area.append(el);
+    el.alert();
 
-    destroy_timeout();
-    notification_area.fadeIn(IPA.config.message_fadein_time);
+    if (!timeout) {
+        // compute timeout, based on text length
 
-    IPA.notify_success.timeout = window.setTimeout(function() {
-        notification_area.fadeOut(IPA.config.message_fadeout_time);
-    }, timeout || IPA.config.message_timeout);
+        // get text length without whitespace chars (misleading with
+        // multiple inner HTML elements)
+        var l = el.text().replace(/\s+/g, ' ').length;
+        var ratio = IPA.config.message_timeout_length;
+        if (l < ratio) timeout = IPA.config.message_timeout;
+        else {
+            timeout = l/ratio*IPA.config.message_timeout;
+        }
+    }
+
+    window.setTimeout(function() {
+        el.alert('close');
+    }, timeout);
 };
 
 /**
@@ -1220,14 +1197,13 @@ IPA.get_succeeded = function(data) {
  * @property {number} default_priority - command default priority. Used in
  *                                        'update info' concept
  * @property {number} message_timeout - timeout for notification messages
- * @property {number} message_fadeout_time
- * @property {number} message_fadein_time
+ * @property {number} message_timeout_length - longer messages will be displayed
+ *                                             longer
  */
 IPA.config = {
     default_priority: 500,
     message_timeout: 3000, // [ms]
-    message_fadeout_time: 800, // [ms]
-    message_fadein_time: 400 // [ms]
+    message_timeout_length: 50 // [chars]
 };
 
 return IPA;

install/ui/src/freeipa/navigation/menu_spec.js

@@ -42,6 +42,91 @@ var nav = {};
                 { entity: 'hostgroup' },
                 { entity: 'netgroup' },
                 { entity: 'service' },
+                {
+                    name: 'automember',
+                    label: '@i18n:tabs.automember',
+                    children: [
+                        {
+                            name: 'amgroup',
+                            entity: 'automember',
+                            facet: 'searchgroup',
+                            label: '@i18n:objects.automember.usergrouprules',
+                            children: [
+                                {
+                                    entity: 'automember',
+                                    facet: 'usergrouprule',
+                                    hidden: true
+                                }
+                            ]
+                        },
+                        {
+                            name: 'amhostgroup',
+                            entity: 'automember',
+                            facet: 'searchhostgroup',
+                            label: '@i18n:objects.automember.hostgrouprules',
+                            children: [
+                                {
+                                    entity: 'automember',
+                                    facet: 'hostgrouprule',
+                                    hidden: true
+                                }
+                            ]
+                        }
+                    ]
+                }
+            ]
+        },
+        {
+            name: 'policy',
+            label: '@i18n:tabs.policy',
+            children: [
+                {
+                    name: 'hbac',
+                    label: '@i18n:tabs.hbac',
+                    children: [
+                        { entity: 'hbacrule' },
+                        { entity: 'hbacsvc' },
+                        { entity: 'hbacsvcgroup' },
+                        { entity: 'hbactest' }
+                    ]
+                },
+                {
+                    name: 'sudo',
+                    label: '@i18n:tabs.sudo',
+                    children: [
+                        { entity: 'sudorule' },
+                        { entity: 'sudocmd' },
+                        { entity: 'sudocmdgroup' }
+                    ]
+                },
+                { entity: 'selinuxusermap' },
+                { entity: 'pwpolicy' },
+                { entity: 'krbtpolicy' }
+            ]
+        },
+        {
+            name: 'authentication',
+            label: '@i18n:tabs.authentication',
+            children: [
+                { entity: 'cert', label: '@i18n:tabs.cert' },
+                { entity: 'otptoken' },
+                { entity: 'radiusproxy' }
+            ]
+        },
+        {
+            name: 'network_services',
+            label: '@i18n:tabs.network_services',
+            children: [
+                {
+                    name:'automount',
+                    label: '@i18n:tabs.automount',
+                    entity: 'automountlocation',
+                    children: [
+                        { entity: 'automountlocation', hidden: true },
+                        { entity: 'automountmap', hidden: true },
+                        { entity: 'automountkey', hidden: true }
+                    ]
+                },
                 {
                     name:'dns',
                     label: '@i18n:tabs.dns',
@@ -49,95 +134,43 @@ var nav = {};
                         {
                             entity: 'dnszone',
                             children: [
-                                { entity: 'dnsrecord', hidden:true }
+                                { entity: 'dnsrecord', hidden: true }
                             ]
                         },
                         { entity: 'dnsforwardzone' },
                         { entity: 'dnsconfig' }
                     ]
-                },
-                { entity: 'cert', label: '@i18n:tabs.cert' },
-                { entity: 'realmdomains' },
-                { entity: 'otptoken' }
+                }
             ]
         },
-        {name: 'policy', label: '@i18n:tabs.policy', children: [
-            {name: 'hbac', label: '@i18n:tabs.hbac', children: [
-                {entity: 'hbacrule'},
-                {entity: 'hbacsvc'},
-                {entity: 'hbacsvcgroup'},
-                {entity: 'hbactest'}
-            ]},
-            {name: 'sudo', label: '@i18n:tabs.sudo', children: [
-                {entity: 'sudorule'},
-                {entity: 'sudocmd'},
-                {entity: 'sudocmdgroup'}
-            ]},
-            {
-                name:'automount',
-                label: '@i18n:tabs.automount',
-                entity: 'automountlocation',
-                children:[
-                 {entity: 'automountlocation', hidden:true},
-                 {entity: 'automountmap', hidden: true},
-                 {entity: 'automountkey', hidden: true}]
-            },
-            {entity: 'pwpolicy'},
-            {entity: 'krbtpolicy'},
-            {entity: 'selinuxusermap'},
-            {
-                name: 'automember',
-                label: '@i18n:tabs.automember',
-                children: [
-                    {
-                        name: 'amgroup',
-                        entity: 'automember',
-                        facet: 'searchgroup',
-                        label: '@i18n:objects.automember.usergrouprules',
-                        children: [
-                            {
-                                entity: 'automember',
-                                facet: 'usergrouprule',
-                                hidden: true
-                            }
-                        ]
-                    },
-                    {
-                        name: 'amhostgroup',
-                        entity: 'automember',
-                        facet: 'searchhostgroup',
-                        label: '@i18n:objects.automember.hostgrouprules',
-                        children: [
-                            {
-                                entity: 'automember',
-                                facet: 'hostgrouprule',
-                                hidden: true
-                            }
-                        ]
-                    }
-                ]
-            }
-        ]},
-        {name: 'ipaserver', label: '@i18n:tabs.ipaserver', children: [
-            {name: 'rolebased', label: '@i18n:tabs.role', children: [
-                {entity: 'role'},
-                {entity: 'privilege'},
-                {entity: 'permission'}
-            ]},
-            {entity: 'selfservice'},
-            {entity: 'delegation'},
-            {entity: 'idrange'},
-            {
-                name: 'trusts',
-                label: '@i18n:tabs.trust',
-                children:[
-                    {entity: 'trust'},
-                    {entity: 'trustconfig'}
-                ]
-            },
-            {entity: 'radiusproxy'},
-            {entity: 'config'}
-        ]}
+        {
+            name: 'ipaserver',
+            label: '@i18n:tabs.ipaserver',
+            children: [
+                {
+                    name: 'rbac',
+                    label: '@i18n:tabs.role',
+                    children: [
+                        { entity: 'role' },
+                        { entity: 'privilege' },
+                        { entity: 'permission' },
+                        { entity: 'selfservice' },
+                        { entity: 'delegation' }
+                    ]
+                },
+                { entity: 'idrange' },
+                { entity: 'realmdomains' },
+                {
+                    name: 'trusts',
+                    label: '@i18n:tabs.trust',
+                    children: [
+                        { entity: 'trust' },
+                        { entity: 'trustconfig' }
+                    ]
+                },
+                { entity: 'config' }
+            ]
+        }
     ]
 };
 

install/ui/src/freeipa/otptoken.js

@@ -183,8 +183,14 @@ return {
                             other_entity: 'user',
                             other_field: 'uid'
                         },
-                        'ipatokennotbefore',
-                        'ipatokennotafter',
+                        {
+                            $type: 'datetime',
+                            name: 'ipatokennotbefore'
+                        },
+                        {
+                            $type: 'datetime',
+                            name: 'ipatokennotafter'
+                        },
                         'ipatokenvendor',
                         'ipatokenmodel',
                         'ipatokenserial',
@@ -228,8 +234,14 @@ return {
                 other_entity: 'user',
                 other_field: 'uid'
             },
-            'ipatokennotbefore',
-            'ipatokennotafter',
+            {
+                $type: 'datetime',
+                name: 'ipatokennotbefore'
+            },
+            {
+                $type: 'datetime',
+                name: 'ipatokennotafter'
+            },
             'ipatokenvendor',
             'ipatokenmodel',
             'ipatokenserial',

install/ui/src/freeipa/rpc.js

@@ -27,9 +27,10 @@ define([
     './auth',
     './ipa',
     './text',
+    './util',
     'exports'
    ],
-   function(lang, auth, IPA, text, rpc /*exports*/) {
+   function(lang, auth, IPA, text, util, rpc /*exports*/) {
 
 /**
  * Call an IPA command over JSON-RPC.
@@ -179,6 +180,23 @@ rpc.command = function(spec) {
         delete that.options[name];
     };
 
+    /**
+     * Check result for warnings and process them
+     * @param  {Object} result
+     */
+    that.process_warnings = function(result) {
+
+        var msgs = result.messages;
+        if (!result.messages) return;
+
+        for (var i=0,l=msgs.length; i<l; i++) {
+            var msg = lang.clone(msgs[i]);
+            // escape and reformat message
+            msg.message = util.beautify_message(msg.message);
+            IPA.notify(msg.message, msg.type);
+        }
+    };
+
     /**
      * Execute the command.
      *
@@ -359,6 +377,7 @@ rpc.command = function(spec) {
                     //custom success handling, maintaining AJAX call's context
                     if (that.on_success) that.on_success.call(this, data, text_status, xhr);
                 }
+                that.process_warnings(data.result);
             }
         }
 

install/ui/src/freeipa/util.js

@@ -220,6 +220,27 @@ define([
         }, 0);
     }
 
+    function beautify_message(message) {
+        var els = [];
+        var lines = message.split(/\n/g);
+        var line_span;
+        for (var i=0,l=lines.length; i<l; i++) {
+            if (lines[i].charAt(0) == '\t') {
+                line_span = $('<p />', {
+                    'class': 'error-message-hinted',
+                    text: lines[i].substr(1)
+                });
+                els.push(line_span);
+            } else {
+                line_span = $('<p />', {
+                    text: lines[i]
+                });
+                els.push(line_span);
+            }
+        }
+        return els;
+    }
+
     /**
      * Module with utility functions
      * @class
@@ -328,7 +349,20 @@ define([
          * @param {Object} event Event object
          * @param {Number} [delay=0]
          */
-        emit_delayed: emit_delayed
+        emit_delayed: emit_delayed,
+
+        /**
+         * Beautify message
+         *
+         * Converts text value into array of HTML <p> elements. One additional
+         * paragraph for each line break.
+         *
+         * Multi-lined text may contain TAB character as first char of the line
+         * to hint at marking the whole line differently.
+         * @param {string} text
+         * @return {Array} array of jQuery elements
+         */
+        beautify_message: beautify_message
     };
 
     return util;

install/ui/src/freeipa/widget.js

@@ -5557,12 +5557,18 @@ exp.alert_helper = IPA.alert_helper = {
      * @param  {Object} alert
      * @return {jQuery} alert as html element
      */
-    render_alert: function(alert) {
+    render_alert: function(alert, close_icon) {
 
         var el = $('<div/>', {
             'data-name': alert.name,
-            'class': alert.cls
+            'class': "fade in " + alert.cls
         });
+        if (close_icon) {
+            el.addClass('alert-dismissable');
+            el.append("<button type=\"button\" class=\"close\" \
+            data-dismiss=\"alert\"><span aria-hidden=\"true\">&times;\
+            </span><span class=\"sr-only\">Close</span></button>");
+        }
         $('<span/>', { 'class': alert.icon }).appendTo(el);
         el.append(' ');
         el.append(alert.text);

install/ui/test/data/ipa_init.json

@@ -553,6 +553,7 @@
                     },
                     "tabs": {
                         "audit": "Audit",
+                        "authentication": "Authentication",
                         "automember": "Automember",
                         "automount": "Automount",
                         "cert": "Certificates",
@@ -560,6 +561,7 @@
                         "hbac": "Host Based Access Control",
                         "identity": "Identity",
                         "ipaserver": "IPA Server",
+                        "network_services": "Network Services",
                         "policy": "Policy",
                         "role": "Role Based Access Control",
                         "sudo": "Sudo",
@@ -572,8 +574,8 @@
                         "next": "Next",
                         "page": "Page",
                         "prev": "Prev",
-                        "undo": "undo",
-                        "undo_all": "undo all",
+                        "undo": "Undo",
+                        "undo_all": "Undo All",
                         "validation": {
                             "error": "Text does not match field pattern",
                             "datetime": "Must be an UTC date/time value (e.g., \"2014-01-20 17:58:01Z\")",

install/ui/util/build.sh

@@ -31,6 +31,6 @@ if [[ ! $profile ]] ; then
     exit 1
 fi
 
-RHINO="java -Xss${JAVA_STACK_SIZE:-512k} -classpath /usr/share/java/rhino.jar  org.mozilla.javascript.tools.shell.Main"
+RHINO="java -Xss${JAVA_STACK_SIZE:-512k} -classpath /usr/share/java/js.jar  org.mozilla.javascript.tools.shell.Main"
 $RHINO $DIR/build/build.js baseUrl=$DIR/build load=build profile=$DIR/../src/$profile.profile.js
 exit $?

install/ui/util/uglifyjs/uglify

@@ -25,7 +25,7 @@ DIR="$( cd "$( dirname "${BASH_SOURCE[0]}" )" && pwd )"
 
 # rhino-1.7R4 doesn't have -main option to enable CommonJS support. It was
 # replaced by -require option.
-RHINO="java -Xss${JAVA_STACK_SIZE:-512k} -classpath /usr/share/java/rhino.jar  org.mozilla.javascript.tools.shell.Main"
+RHINO="java -Xss${JAVA_STACK_SIZE:-512k} -classpath /usr/share/java/js.jar  org.mozilla.javascript.tools.shell.Main"
 if [ `$RHINO --help | grep -e -require | wc -l` -gt 0 ] ; then
     $RHINO -require $DIR/uglify-js.js $@
 else

install/updates/20-aci.update

@@ -28,9 +28,9 @@ add:aci:'(targetfilter="(&(objectclass=nsContainer)(!(objectclass=krbPwdPolicy))
 dn: cn=replicas,cn=ipa,cn=etc,$SUFFIX
 add:aci:'(targetfilter="(objectclass=nsContainer)")(version 3.0; acl "Deny read access to replica configuration"; deny(read, search, compare) userdn = "ldap:///anyone";)'
 
-# Read access to masters (but not their services)
+# Read access to masters and their services
 dn: cn=masters,cn=ipa,cn=etc,$SUFFIX
-add:aci:'(targetfilter="(&(objectclass=nsContainer)(!(objectclass=ipaConfigObject)))")(targetattr="objectclass || cn")(version 3.0; acl "Read access to masters"; allow(read, search, compare) userdn = "ldap:///all";)'
+add:aci:'(targetfilter="(objectclass=nsContainer)")(targetattr="objectclass || cn")(version 3.0; acl "Read access to masters"; allow(read, search, compare) userdn = "ldap:///all";)'
 
 # Read access to Kerberos container (cn=kerberos) and realm containers (cn=$REALM,cn=kerberos)
 dn: cn=kerberos,$SUFFIX

install/updates/40-dns.update

@@ -4,13 +4,13 @@ dn: cn=dns, $SUFFIX
 addifexist: objectClass: idnsConfigObject
 addifexist: aci:'(target = "ldap:///idnsname=*,cn=dns,$SUFFIX")(version 3.0;acl "Add DNS entries in a zone";allow (add) userattr = "parent[1].managedby#GROUPDN";)'
 addifexist: aci:'(target = "ldap:///idnsname=*,cn=dns,$SUFFIX")(version 3.0;acl "Remove DNS entries from a zone";allow (delete) userattr = "parent[1].managedby#GROUPDN";)'
-addifexist: aci:'(targetattr = "idnsname || cn || idnsallowdynupdate || dnsttl || dnsclass || arecord || aaaarecord || a6record || nsrecord || cnamerecord || ptrrecord || srvrecord || txtrecord || mxrecord || mdrecord || hinforecord || minforecord || afsdbrecord || sigrecord || keyrecord || locrecord || nxtrecord || naptrrecord || kxrecord || certrecord || dnamerecord || dsrecord || sshfprecord || rrsigrecord || nsecrecord || idnsname || idnszoneactive || idnssoamname || idnssoarname || idnssoaserial || idnssoarefresh || idnssoaretry || idnssoaexpire || idnssoaminimum || idnsupdatepolicy || idnsallowquery || idnsallowtransfer || idnsallowsyncptr || idnsforwardpolicy || idnsforwarders")(target = "ldap:///idnsname=*,cn=dns,$SUFFIX")(version 3.0;acl "Update DNS entries in a zone";allow (write) userattr = "parent[0,1].managedby#GROUPDN";)'
+addifexist: aci:'(targetattr = "idnsname || cn || idnsallowdynupdate || dnsttl || dnsclass || arecord || aaaarecord || a6record || nsrecord || cnamerecord || ptrrecord || srvrecord || txtrecord || mxrecord || mdrecord || hinforecord || minforecord || afsdbrecord || sigrecord || keyrecord || locrecord || nxtrecord || naptrrecord || kxrecord || certrecord || dnamerecord || dsrecord || sshfprecord || rrsigrecord || nsecrecord || idnsname || idnszoneactive || idnssoamname || idnssoarname || idnssoaserial || idnssoarefresh || idnssoaretry || idnssoaexpire || idnssoaminimum || idnsupdatepolicy || idnsallowquery || idnsallowtransfer || idnsallowsyncptr || idnsforwardpolicy || idnsforwarders || dlvrecord || idnssecinlinesigning || nsec3paramrecord || tlsarecord ")(target = "ldap:///idnsname=*,cn=dns,$SUFFIX")(version 3.0;acl "Update DNS entries in a zone";allow (write) userattr = "parent[0,1].managedby#GROUPDN";)'
 
 # replace DNS tree deny rule with managedBy enhanced allow rule
 dn: cn=dns, $SUFFIX
 replace:aci:'(targetattr = "*")(version 3.0; acl "No access to DNS tree without a permission"; deny (read,search,compare) (groupdn != "ldap:///cn=admins,cn=groups,cn=accounts,$SUFFIX") and (groupdn != "ldap:///cn=Read DNS Entries,cn=permissions,cn=pbac,$SUFFIX");)::(targetattr = "*")(version 3.0; acl "Read DNS entries from a zone"; allow (read,search,compare) userattr = "parent[0,1].managedby#GROUPDN";)'
 replace:aci:'(targetattr = "*")(version 3.0; acl "Allow read access"; allow (read,search,compare) groupdn = "ldap:///cn=Read DNS Entries,cn=permissions,cn=pbac,$SUFFIX" or userattr = "parent[0,1].managedby#GROUPDN";)::(targetattr = "*")(version 3.0; acl "Read DNS entries from a zone"; allow (read,search,compare) userattr = "parent[0,1].managedby#GROUPDN";)'
-replace:aci:'(targetattr = "idnsname || cn || idnsallowdynupdate || dnsttl || dnsclass || arecord || aaaarecord || a6record || nsrecord || cnamerecord || ptrrecord || srvrecord || txtrecord || mxrecord || mdrecord || hinforecord || minforecord || afsdbrecord || sigrecord || keyrecord || locrecord || nxtrecord || naptrrecord || kxrecord || certrecord || dnamerecord || dsrecord || sshfprecord || rrsigrecord || nsecrecord || idnsname || idnszoneactive || idnssoamname || idnssoarname || idnssoaserial || idnssoarefresh || idnssoaretry || idnssoaexpire || idnssoaminimum || idnsupdatepolicy || idnsallowquery || idnsallowtransfer || idnsallowsyncptr || idnsforwardpolicy || idnsforwarders")(target = "ldap:///idnsname=*,cn=dns,$SUFFIX")(version 3.0;acl "Update DNS entries in a zone";allow (write) userattr = "parent[0,1].managedby#GROUPDN";)::(targetattr = "idnsname || cn || idnsallowdynupdate || dnsttl || dnsclass || arecord || aaaarecord || a6record || nsrecord || cnamerecord || ptrrecord || srvrecord || txtrecord || mxrecord || mdrecord || hinforecord || minforecord || afsdbrecord || sigrecord || keyrecord || locrecord || nxtrecord || naptrrecord || kxrecord || certrecord || dnamerecord || dsrecord || sshfprecord || rrsigrecord || nsecrecord || idnsname || idnszoneactive || idnssoamname || idnssoarname || idnssoaserial || idnssoarefresh || idnssoaretry || idnssoaexpire || idnssoaminimum || idnsupdatepolicy || idnsallowquery || idnsallowtransfer || idnsallowsyncptr || idnsforwardpolicy || idnsforwarders || nsec3paramrecord || dlvrecord || idnssecinlinesigning ")(target = "ldap:///idnsname=*,cn=dns,$SUFFIX")(version 3.0;acl "Update DNS entries in a zone";allow (write) userattr = "parent[0,1].managedby#GROUPDN";)'
+replace:aci:'(targetattr = "idnsname || cn || idnsallowdynupdate || dnsttl || dnsclass || arecord || aaaarecord || a6record || nsrecord || cnamerecord || ptrrecord || srvrecord || txtrecord || mxrecord || mdrecord || hinforecord || minforecord || afsdbrecord || sigrecord || keyrecord || locrecord || nxtrecord || naptrrecord || kxrecord || certrecord || dnamerecord || dsrecord || sshfprecord || rrsigrecord || nsecrecord || idnsname || idnszoneactive || idnssoamname || idnssoarname || idnssoaserial || idnssoarefresh || idnssoaretry || idnssoaexpire || idnssoaminimum || idnsupdatepolicy || idnsallowquery || idnsallowtransfer || idnsallowsyncptr || idnsforwardpolicy || idnsforwarders")(target = "ldap:///idnsname=*,cn=dns,$SUFFIX")(version 3.0;acl "Update DNS entries in a zone";allow (write) userattr = "parent[0,1].managedby#GROUPDN";)::(targetattr = "idnsname || cn || idnsallowdynupdate || dnsttl || dnsclass || arecord || aaaarecord || a6record || nsrecord || cnamerecord || ptrrecord || srvrecord || txtrecord || mxrecord || mdrecord || hinforecord || minforecord || afsdbrecord || sigrecord || keyrecord || locrecord || nxtrecord || naptrrecord || kxrecord || certrecord || dnamerecord || dsrecord || sshfprecord || rrsigrecord || nsecrecord || idnsname || idnszoneactive || idnssoamname || idnssoarname || idnssoaserial || idnssoarefresh || idnssoaretry || idnssoaexpire || idnssoaminimum || idnsupdatepolicy || idnsallowquery || idnsallowtransfer || idnsallowsyncptr || idnsforwardpolicy || idnsforwarders || dlvrecord || idnssecinlinesigning || nsec3paramrecord || tlsarecord ")(target = "ldap:///idnsname=*,cn=dns,$SUFFIX")(version 3.0;acl "Update DNS entries in a zone";allow (write) userattr = "parent[0,1].managedby#GROUPDN";)'
 
 # add DNS plugin
 dn: cn=IPA DNS,cn=plugins,cn=config

ipa-client/ipa-install/ipa-client-install

@@ -692,7 +692,10 @@ def uninstall(options, env):
            if restored:
                services.knownservices.ntpd.restart()
 
-    ipaclient.ntpconf.restore_forced_ntpd(statestore)
+    try:
+        ipaclient.ntpconf.restore_forced_ntpd(statestore)
+    except CalledProcessError, e:
+        root_logger.error('Failed to start chronyd: %s', e)
 
     if was_sshd_configured and services.knownservices.sshd.is_running():
         services.knownservices.sshd.restart()

ipalib/messages.py

@@ -135,6 +135,28 @@ class VersionMissing(PublicMessage):
         "guaranteed. Assuming server's API version, %(server_version)s")
 
 
+class ForwardersWarning(PublicMessage):
+    """
+    **13002** Used when (master) zone contains forwarders
+    """
+
+    errno = 13002
+    type = 'warning'
+    format =  _(
+        u"DNS forwarder semantics changed since IPA 4.0.\n"
+        u"You may want to use forward zones (dnsforwardzone-*) instead.\n"
+        u"For more details read the docs.")
+
+
+class DNSSECWarning(PublicMessage):
+    """
+    **13003** Used when user change DNSSEC settings
+    """
+
+    errno = 13003
+    type = "warning"
+    format = _("DNSSEC support is experimental.\n%(additional_info)s")
+
 def iter_messages(variables, base):
     """Return a tuple with all subclasses
     """

ipalib/plugins/dns.py

@@ -23,6 +23,7 @@ from __future__ import absolute_import
 import netaddr
 import time
 import re
+import binascii
 import dns.name
 import dns.exception
 import dns.resolver
@@ -31,11 +32,13 @@ import encodings.idna
 from ipalib.request import context
 from ipalib import api, errors, output
 from ipalib import Command
+from ipalib.capabilities import VERSION_WITHOUT_CAPABILITIES
 from ipalib.parameters import (Flag, Bool, Int, Decimal, Str, StrEnum, Any,
                                DeprecatedParam, DNSNameParam)
 from ipalib.plugable import Registry
 from ipalib.plugins.baseldap import *
 from ipalib import _, ngettext
+from ipalib import messages
 from ipalib.util import (validate_zonemgr, normalize_zonemgr,
                          get_dns_forward_zone_update_policy,
                          get_dns_reverse_zone_update_policy,
@@ -45,18 +48,23 @@ from ipapython.dnsutil import DNSName
 
 __doc__ = _("""
 Domain Name System (DNS)
-
+""") + _("""
 Manage DNS zone and resource records.
+""") + _("""
+SUPPORTED ZONE TYPES
 
-
+ * Master zone (dnszone-*), contains authoritative data.
+ * Forward zone (dnsforwardzone-*), forwards queries to configured forwarders
+ (a set of DNS servers).
+""") + _("""
 USING STRUCTURED PER-TYPE OPTIONS
-
+""") + _("""
 There are many structured DNS RR types where DNS data stored in LDAP server
 is not just a scalar value, for example an IP address or a domain name, but
 a data structure which may be often complex. A good example is a LOC record
 [RFC1876] which consists of many mandatory and optional parts (degrees,
 minutes, seconds of latitude and longitude, altitude or precision).
-
+""") + _("""
 It may be difficult to manipulate such DNS records without making a mistake
 and entering an invalid value. DNS module provides an abstraction over these
 raw records and allows to manipulate each RR type with specific options. For
@@ -64,7 +72,7 @@ each supported RR type, DNS module provides a standard option to manipulate
 a raw records with format --<rrtype>-rec, e.g. --mx-rec, and special options
 for every part of the RR structure with format --<rrtype>-<partname>, e.g.
 --mx-preference and --mx-exchanger.
-
+""") + _("""
 When adding a record, either RR specific options or standard option for a raw
 value can be used, they just should not be combined in one add operation. When
 modifying an existing entry, new RR specific options can be used to change
@@ -73,41 +81,41 @@ to specify the modified value. The following example demonstrates
 a modification of MX record preference from 0 to 1 in a record without
 modifying the exchanger:
 ipa dnsrecord-mod --mx-rec="0 mx.example.com." --mx-preference=1
-
+""") + _("""
 
 EXAMPLES:
-
+""") + _("""
  Add new zone:
    ipa dnszone-add example.com --name-server=ns \\
                                --admin-email=admin@example.com \\
-                               --ip-address=10.0.0.1
-
+                               --ip-address=192.0.2.1
+""") + _("""
  Add system permission that can be used for per-zone privilege delegation:
    ipa dnszone-add-permission example.com
-
+""") + _("""
  Modify the zone to allow dynamic updates for hosts own records in realm EXAMPLE.COM:
    ipa dnszone-mod example.com --dynamic-update=TRUE
-
+""") + _("""
    This is the equivalent of:
      ipa dnszone-mod example.com --dynamic-update=TRUE \\
       --update-policy="grant EXAMPLE.COM krb5-self * A; grant EXAMPLE.COM krb5-self * AAAA; grant EXAMPLE.COM krb5-self * SSHFP;"
-
+""") + _("""
  Modify the zone to allow zone transfers for local network only:
-   ipa dnszone-mod example.com --allow-transfer=10.0.0.0/8
-
+   ipa dnszone-mod example.com --allow-transfer=192.0.2.0/24
+""") + _("""
  Add new reverse zone specified by network IP address:
-   ipa dnszone-add --name-from-ip=80.142.15.0/24 \\
+   ipa dnszone-add --name-from-ip=192.0.2.0/24 \\
                    --name-server=ns.example.com.
-
+""") + _("""
  Add second nameserver for example.com:
    ipa dnsrecord-add example.com @ --ns-rec=nameserver2.example.com
-
+""") + _("""
  Add a mail server for example.com:
    ipa dnsrecord-add example.com @ --mx-rec="10 mail1"
-
+""") + _("""
  Add another record using MX record specific options:
   ipa dnsrecord-add example.com @ --mx-preference=20 --mx-exchanger=mail2
-
+""") + _("""
  Add another record using interactive mode (started when dnsrecord-add, dnsrecord-mod,
  or dnsrecord-del are executed with no options):
   ipa dnsrecord-add example.com @
@@ -120,28 +128,28 @@ EXAMPLES:
     Record name: example.com
     MX record: 10 mail1, 20 mail2, 30 mail3
     NS record: nameserver.example.com., nameserver2.example.com.
-
+""") + _("""
  Delete previously added nameserver from example.com:
    ipa dnsrecord-del example.com @ --ns-rec=nameserver2.example.com.
-
+""") + _("""
  Add LOC record for example.com:
    ipa dnsrecord-add example.com @ --loc-rec="49 11 42.4 N 16 36 29.6 E 227.64m"
-
+""") + _("""
  Add new A record for www.example.com. Create a reverse record in appropriate
  reverse zone as well. In this case a PTR record "2" pointing to www.example.com
- will be created in zone 15.142.80.in-addr.arpa.
-   ipa dnsrecord-add example.com www --a-rec=80.142.15.2 --a-create-reverse
-
+ will be created in zone 2.0.192.in-addr.arpa.
+   ipa dnsrecord-add example.com www --a-rec=192.0.2.2 --a-create-reverse
+""") + _("""
  Add new PTR record for www.example.com
-   ipa dnsrecord-add 15.142.80.in-addr.arpa. 2 --ptr-rec=www.example.com.
-
+   ipa dnsrecord-add 2.0.192.in-addr.arpa. 2 --ptr-rec=www.example.com.
+""") + _("""
  Add new SRV records for LDAP servers. Three quarters of the requests
  should go to fast.example.com, one quarter to slow.example.com. If neither
  is available, switch to backup.example.com.
    ipa dnsrecord-add example.com _ldap._tcp --srv-rec="0 3 389 fast.example.com"
    ipa dnsrecord-add example.com _ldap._tcp --srv-rec="0 1 389 slow.example.com"
    ipa dnsrecord-add example.com _ldap._tcp --srv-rec="1 1 389 backup.example.com"
-
+""") + _("""
  The interactive mode can be used for easy modification:
   ipa dnsrecord-mod example.com _ldap._tcp
   No option to modify specific record provided.
@@ -158,76 +166,110 @@ EXAMPLES:
   1 SRV record skipped. Only one value per DNS record type can be modified at one time.
     Record name: _ldap._tcp
     SRV record: 0 3 389 fast.example.com, 1 1 389 backup.example.com, 0 2 389 slow.example.com
-
+""") + _("""
  After this modification, three fifths of the requests should go to
  fast.example.com and two fifths to slow.example.com.
-
+""") + _("""
  An example of the interactive mode for dnsrecord-del command:
    ipa dnsrecord-del example.com www
    No option to delete specific record provided.
    Delete all? Yes/No (default No):     (do not delete all records)
    Current DNS record contents:
 
-   A record: 1.2.3.4, 11.22.33.44
+   A record: 192.0.2.2, 192.0.2.3
 
-   Delete A record '1.2.3.4'? Yes/No (default No):
-   Delete A record '11.22.33.44'? Yes/No (default No): y
+   Delete A record '192.0.2.2'? Yes/No (default No):
+   Delete A record '192.0.2.3'? Yes/No (default No): y
      Record name: www
-     A record: 1.2.3.4                  (A record 11.22.33.44 has been deleted)
-
+     A record: 192.0.2.2               (A record 192.0.2.3 has been deleted)
+""") + _("""
  Show zone example.com:
    ipa dnszone-show example.com
-
+""") + _("""
  Find zone with "example" in its domain name:
    ipa dnszone-find example
-
+""") + _("""
  Find records for resources with "www" in their name in zone example.com:
    ipa dnsrecord-find example.com www
-
- Find A records with value 10.10.0.1 in zone example.com
-   ipa dnsrecord-find example.com --a-rec=10.10.0.1
-
+""") + _("""
+ Find A records with value 192.0.2.2 in zone example.com
+   ipa dnsrecord-find example.com --a-rec=192.0.2.2
+""") + _("""
  Show records for resource www in zone example.com
    ipa dnsrecord-show example.com www
-
+""") + _("""
  Delegate zone sub.example to another nameserver:
-   ipa dnsrecord-add example.com ns.sub --a-rec=10.0.100.5
+   ipa dnsrecord-add example.com ns.sub --a-rec=203.0.113.1
    ipa dnsrecord-add example.com sub --ns-rec=ns.sub.example.com.
-
- If global forwarder is configured, all requests to sub.example.com will be
- routed through the global forwarder. To change the behavior for example.com
- zone only and forward the request directly to ns.sub.example.com., global
- forwarding may be disabled per-zone:
-   ipa dnszone-mod example.com --forward-policy=none
-
- Forward all requests for the zone external.com to another nameserver using
- a "first" policy (it will send the queries to the selected forwarder and if
- not answered it will use global resolvers):
-   ipa dnszone-add external.com
-   ipa dnszone-mod external.com --forwarder=10.20.0.1 \\
-                                --forward-policy=first
-
+""") + _("""
  Delete zone example.com with all resource records:
    ipa dnszone-del example.com
+""") + _("""
+ If a global forwarder is configured, all queries for which this server is not
+ authoritative (e.g. sub.example.com) will be routed to the global forwarder.
+ Global forwarding configuration can be overridden per-zone.
+""") + _("""
+ Semantics of forwarding in IPA matches BIND sematics and depends on type
+ of the zone:
+   * Master zone: local BIND replies authoritatively to queries for data in
+   the given zone (including authoritative NXDOMAIN answers) and forwarding
+   affects only queries for names bellow zone cuts (NS records) of locally
+   served zones.
 
+   * Forward zone: forward zone contains no authoritative data. BIND forwards
+   queries, which cannot be answered from its local cache, to configured
+   forwarders.
+""") + _("""
+ Semantics of the --forwarder-policy option:
+   * none - disable forwarding for the given zone.
+   * first - forward all queries to configured forwarders. If they fail,
+   do resolution using DNS root servers.
+   * only - forward all queries to configured forwarders and if they fail,
+   return failure.
+""") + _("""
+ Disable global forwarding for given sub-tree:
+   ipa dnszone-mod example.com --forward-policy=none
+""") + _("""
+ This configuration forwards all queries for names outside the example.com
+ sub-tree to global forwarders. Normal recursive resolution process is used
+ for names inside the example.com sub-tree (i.e. NS records are followed etc.).
+""") + _("""
+ Forward all requests for the zone external.example.com to another forwarder
+ using a "first" policy (it will send the queries to the selected forwarder
+ and if not answered it will use global root servers):
+   ipa dnsforwardzone-add external.example.com --forward-policy=first \\
+                               --forwarder=203.0.113.1
+""") + _("""
+ Change forward-policy for external.example.com:
+   ipa dnsforwardzone-mod external.example.com --forward-policy=only
+""") + _("""
+ Show forward zone external.example.com:
+   ipa dnsforwardzone-show external.example.com
+""") + _("""
+ List all forward zones:
+   ipa dnsforwardzone-find
+""") + _("""
+ Delete forward zone external.example.com:
+   ipa dnsforwardzone-del external.example.com
+""") + _("""
  Resolve a host name to see if it exists (will add default IPA domain
  if one is not included):
    ipa dns-resolve www.example.com
    ipa dns-resolve www
-
+""") + _("""
 
 GLOBAL DNS CONFIGURATION
-
+""") + _("""
 DNS configuration passed to command line install script is stored in a local
 configuration file on each IPA server where DNS service is configured. These
 local settings can be overridden with a common configuration stored in LDAP
 server:
-
+""") + _("""
  Show global DNS configuration:
    ipa dnsconfig-show
-
+""") + _("""
  Modify global DNS configuration and set a list of global forwarders:
-   ipa dnsconfig-mod --forwarder=10.0.0.1
+   ipa dnsconfig-mod --forwarder=203.0.113.113
 """)
 
 register = Registry()
@@ -267,6 +309,7 @@ _output_permissions = (
     output.Output('value', unicode, _('Permission value')),
 )
 
+
 def _rname_validator(ugettext, zonemgr):
     try:
         validate_zonemgr(zonemgr)
@@ -405,6 +448,40 @@ def _validate_bind_forwarder(ugettext, forwarder):
 
     return None
 
+def _validate_nsec3param_record(ugettext, value):
+    _nsec3param_pattern = (r'^(?P<alg>\d+) (?P<flags>\d+) (?P<iter>\d+) '
+        r'(?P<salt>([0-9a-fA-F]{2})+|-)$')
+    rec = re.compile(_nsec3param_pattern, flags=re.U)
+    result = rec.match(value)
+
+    if result is None:
+        return _(u'expected format: <0-255> <0-255> <0-65535> '
+                 'even-length_hexadecimal_digits_or_hyphen')
+
+    alg = int(result.group('alg'))
+    flags = int(result.group('flags'))
+    iterations = int(result.group('iter'))
+    salt = result.group('salt')
+
+    if alg > 255:
+        return _('algorithm value: allowed interval 0-255')
+
+    if flags > 255:
+        return _('flags value: allowed interval 0-255')
+
+    if iterations > 65535:
+        return _('iterations value: allowed interval 0-65535')
+
+    if salt == u'-':
+        return None
+
+    try:
+        binascii.a2b_hex(salt)
+    except TypeError, e:
+        return _('salt value: %(err)s') % {'err': e}
+    return None
+
+
 def _hostname_validator(ugettext, value):
     assert isinstance(value, DNSName)
     if len(value.make_absolute().labels) < 3:
@@ -1229,34 +1306,7 @@ class NSEC3Record(DNSRecord):
 class NSEC3PARAMRecord(DNSRecord):
     rrtype = 'NSEC3PARAM'
     rfc = 5155
-    parts = (
-        Int('algorithm',
-            label=_('Algorithm'),
-            minvalue=0,
-            maxvalue=255,
-            ),
-        Int('flags',
-            label=_('Flags'),
-            minvalue=0,
-            maxvalue=255,
-            default=0,
-            ),
-        Int('iterations',
-            label=_('Iterations'),
-            minvalue=0,
-            maxvalue=65535,
-            ),
-        Str('salt',
-            label=_('Salt'),
-            doc=_('A hexadecimal salt value. Requires hexadecimal digits '
-                  'or hyphen ("-") if no salt is required'),
-            minlength=1,
-            default=u'-',  # no salt
-            pattern=r'^([0-9a-fA-F]+|-)$',
-            pattern_errmsg=u'only hexadecimal digits or single hyphen ("-") '
-                           u'are allowed'
-            ),
-    )
+    supported = False  # this is part of zone in IPA
 
 def _validate_naptr_flags(ugettext, flags):
     allowed_flags = u'SAUP'
@@ -1658,6 +1708,15 @@ def _records_idn_postprocess(record, **options):
                 rrs.append(dnsvalue)
         record[attr] = rrs
 
+def _normalize_zone(zone):
+    if isinstance(zone, unicode):
+        # normalize only non-IDNA zones
+        try:
+            return unicode(zone.encode('ascii')).lower()
+        except UnicodeError:
+            pass
+    return zone
+
 
 class DNSZoneBase(LDAPObject):
     """
@@ -1677,6 +1736,7 @@ class DNSZoneBase(LDAPObject):
             label=_('Zone name'),
             doc=_('Zone name (FQDN)'),
             default_from=lambda name_from_ip: _reverse_zone_name(name_from_ip),
+            normalizer=_normalize_zone,
             primary_key=True,
         ),
         Str('name_from_ip?', _validate_ipnet,
@@ -1751,6 +1811,21 @@ class DNSZoneBase(LDAPObject):
 
         return None
 
+    def _remove_permission(self, zone):
+        permission_name = self.permission_name(zone)
+        try:
+            api.Command['permission_del'](permission_name, force=True)
+        except errors.NotFound, e:
+            # compatibility, older IPA versions which allows to create zone
+            # without absolute zone name
+            permission_name_rel = self.permission_name(
+                zone.relativize(DNSName.root)
+            )
+            try:
+                api.Command['permission_del'](permission_name_rel, force=True)
+            except errors.NotFound:
+                raise e  # re-raise original exception
+
 
 class DNSZoneBase_add(LDAPCreate):
 
@@ -1788,8 +1863,7 @@ class DNSZoneBase_del(LDAPDelete):
 
     def post_callback(self, ldap, dn, *keys, **options):
         try:
-            api.Command['permission_del'](self.obj.permission_name(keys[-1]),
-                    force=True)
+            self.obj._remove_permission(keys[-1])
         except errors.NotFound:
             pass
 
@@ -1967,18 +2041,9 @@ class DNSZoneBase_remove_permission(LDAPQuery):
 
         permission_name = self.obj.permission_name(keys[-1])
         try:
-            api.Command['permission_del'](permission_name, force=True)
-        except errors.NotFound, e:
-            # compatibility, older IPA versions which allows to create zone
-            # without absolute zone name
-            permission_name_rel = self.obj.permission_name(
-                keys[-1].relativize(DNSName.root)
-            )
-            try:
-                api.Command['permission_del'](permission_name_rel, force=True)
-            except errors.NotFound:
-                raise e  # re-raise original exception
-
+            self.obj._remove_permission(keys[-1])
+        except errors.NotFound:
+            pass
 
         return dict(
             result=True,
@@ -2120,6 +2185,15 @@ class dnszone(DNSZoneBase):
             label=_('Allow in-line DNSSEC signing'),
             doc=_('Allow inline DNSSEC signing of records in the zone'),
         ),
+        Str('nsec3paramrecord?',
+            _validate_nsec3param_record,
+            cli_name='nsec3param_rec',
+            label=_('NSEC3PARAM record'),
+            doc=_('NSEC3PARAM record for zone in format: hash_algorithm flags iterations salt'),
+            pattern=r'^\d+ \d+ \d+ (([0-9a-fA-F]{2})+|-)$',
+            pattern_errmsg=(u'expected format: <0-255> <0-255> <0-65535> '
+                 'even-length_hexadecimal_digits_or_hyphen'),
+        ),
     )
     # Permissions will be apllied for forwardzones too
     managed_permissions = {
@@ -2204,6 +2278,28 @@ class dnszone(DNSZoneBase):
             return
         _records_idn_postprocess(record, **options)
 
+    def _warning_forwarding(self, result, **options):
+        if ('idnsforwarders' in result['result']):
+            messages.add_message(options.get('version', VERSION_WITHOUT_CAPABILITIES),
+                                 result, messages.ForwardersWarning())
+
+    def _warning_dnssec_experimental(self, result, *keys, **options):
+        # add warning when user use option --dnssec
+        if 'idnssecinlinesigning' in options:
+            if options['idnssecinlinesigning'] is True:
+                messages.add_message(options['version'], result,
+                    messages.DNSSECWarning(
+                    additional_info=_("Manual configuration needed, please "
+                    "visit 'http://www.freeipa.org/page/Releases/4.0.0#"
+                    "Experimental_DNSSEC_Support'")
+                ))
+            else:
+                messages.add_message(options['version'], result,
+                    messages.DNSSECWarning(
+                    additional_info=_("If you encounter any problems please "
+                    "report them and restart 'named' service on affected IPA "
+                    "server.")
+                ))
 
 
 @register()
@@ -2292,6 +2388,12 @@ class dnszone_add(DNSZoneBase_add):
         entry_attrs['idnssoamname'] = nameserver
         return dn
 
+    def execute(self, *keys, **options):
+        result = super(dnszone_add, self).execute(*keys, **options)
+        self.obj._warning_forwarding(result, **options)
+        self.obj._warning_dnssec_experimental(result, *keys, **options)
+        return result
+
     def post_callback(self, ldap, dn, entry_attrs, *keys, **options):
         assert isinstance(dn, DN)
         nameserver_ip_address = options.get('ip_address')
@@ -2369,6 +2471,12 @@ class dnszone_mod(DNSZoneBase_mod):
 
         return dn
 
+    def execute(self, *keys, **options):
+        result = super(dnszone_mod, self).execute(*keys, **options)
+        self.obj._warning_forwarding(result, **options)
+        self.obj._warning_dnssec_experimental(result, *keys, **options)
+        return result
+
     def post_callback(self, ldap, dn, entry_attrs, *keys, **options):
         assert isinstance(dn, DN)
         self.obj._rr_zone_postprocess(entry_attrs, **options)
@@ -2417,6 +2525,11 @@ class dnszone_find(DNSZoneBase_find):
 class dnszone_show(DNSZoneBase_show):
     __doc__ = _('Display information about a DNS zone (SOA record).')
 
+    def execute(self, *keys, **options):
+        result = super(dnszone_show, self).execute(*keys, **options)
+        self.obj._warning_forwarding(result, **options)
+        return result
+
     def post_callback(self, ldap, dn, entry_attrs, *keys, **options):
         assert isinstance(dn, DN)
         self.obj._rr_zone_postprocess(entry_attrs, **options)
@@ -2496,13 +2609,6 @@ class dnsrecord(LDAPObject):
         for nsrecord in nsrecords:
             check_ns_rec_resolvable(keys[0], DNSName(nsrecord))
 
-    def _nsec3paramrecord_pre_callback(self, ldap, dn, entry_attrs, *keys, **options):
-        assert isinstance(dn, DN)
-        nsec3paramrecord = entry_attrs.get('nsec3paramrecord')
-        if nsec3paramrecord and not self.is_pkey_zone_record(*keys):
-            raise errors.ValidationError(name='nsec3paramrecord',
-                        error=unicode(_('must be in zone record')))
-
     def _idnsname_pre_callback(self, ldap, dn, entry_attrs, *keys, **options):
         assert isinstance(dn, DN)
         if keys[-1].is_absolute():
@@ -2789,14 +2895,6 @@ class dnsrecord(LDAPObject):
                                   'NS record except when located in a zone root '
                                   'record (RFC 6672, section 2.3)'))
 
-        # NSEC3PARAM record validation
-        nsec3params = rrattrs.get('nsec3paramrecord')
-        if nsec3params is not None:
-            if len(nsec3params) > 1:
-                raise errors.ValidationError(name='nsec3paramrecord',
-                    error=_('Only one NSEC3PARAM record is '
-                            'allowed per zone'))
-
     def _entry2rrsets(self, entry_attrs, dns_name, dns_domain):
         '''Convert entry_attrs to a dictionary {rdtype: rrset}.
 

ipalib/plugins/internal.py

@@ -698,6 +698,7 @@ class i18n_messages(Command):
         },
         "tabs": {
             "audit": _("Audit"),
+            "authentication": _("Authentication"),
             "automember": _("Automember"),
             "automount": _("Automount"),
             "cert": _("Certificates"),
@@ -705,6 +706,7 @@ class i18n_messages(Command):
             "hbac": _("Host Based Access Control"),
             "identity": _("Identity"),
             "ipaserver": _("IPA Server"),
+            "network_services": _("Network Services"),
             "policy": _("Policy"),
             "role": _("Role Based Access Control"),
             "sudo": _("Sudo"),
@@ -717,8 +719,8 @@ class i18n_messages(Command):
             "next": _("Next"),
             "page": _("Page"),
             "prev": _("Prev"),
-            "undo": _("undo"),
-            "undo_all": _("undo all"),
+            "undo": _("Undo"),
+            "undo_all": _("Undo All"),
             "validation": {
                 "error": _("Text does not match field pattern"),
                 "datetime": _("Must be an UTC date/time value (e.g., \"2014-01-20 17:58:01Z\")"),

ipalib/plugins/otptoken.py

@@ -19,7 +19,7 @@
 
 from ipalib.plugins.baseldap import DN, LDAPObject, LDAPAddMember, LDAPRemoveMember
 from ipalib.plugins.baseldap import LDAPCreate, LDAPDelete, LDAPUpdate, LDAPSearch, LDAPRetrieve
-from ipalib import api, Int, Str, Bool, Flag, Bytes, IntEnum, StrEnum, Password, _, ngettext
+from ipalib import api, Int, Str, Bool, DateTime, Flag, Bytes, IntEnum, StrEnum, Password, _, ngettext
 from ipalib.plugable import Registry
 from ipalib.errors import PasswordMismatch, ConversionError, LastMemberError, NotFound
 from ipalib.request import context
@@ -160,11 +160,11 @@ class otptoken(LDAPObject):
             cli_name='disabled',
             label=_('Disabled state')
         ),
-        Str('ipatokennotbefore?',
+        DateTime('ipatokennotbefore?',
             cli_name='not_before',
             label=_('Validity start'),
         ),
-        Str('ipatokennotafter?',
+        DateTime('ipatokennotafter?',
             cli_name='not_after',
             label=_('Validity end'),
         ),

ipalib/plugins/permission.py

@@ -223,9 +223,9 @@ class permission(baseldap.LDAPObject):
             cli_name='name',
             label=_('Permission name'),
             primary_key=True,
-            pattern='^[-_ a-zA-Z0-9.:]+$',
+            pattern='^[-_ a-zA-Z0-9.:/]+$',
             pattern_errmsg="May only contain letters, numbers, "
-                           "-, _, ., :, and space",
+                           "-, _, ., :, /, and space",
         ),
         StrEnum(
             'ipapermright*',

ipalib/plugins/realmdomains.py

@@ -79,6 +79,14 @@ class realmdomains(LDAPObject):
                 'objectclass', 'cn', 'associateddomain',
             },
         },
+        'System: Modify Realm Domains': {
+            'ipapermbindruletype': 'permission',
+            'ipapermright': {'write'},
+            'ipapermdefaultattr': {
+                'associatedDomain',
+            },
+            'default_privileges': {'DNS Administrators'},
+        },
     }
 
     label = _('Realm Domains')

ipapython/ipaldap.py

@@ -263,6 +263,10 @@ class IPASimpleLDAPObject(object):
         'idnssoamname':    DNSName,
         'idnssoarname':    DNSName,
         'dnszoneidnsname': DNSName,
+        'nsds5replicalastupdatestart': unicode,
+        'nsds5replicalastupdateend': unicode,
+        'nsds5replicalastinitstart': unicode,
+        'nsds5replicalastinitend': unicode,
     })
     _SINGLE_VALUE_OVERRIDE = CIDict({
         'nsslapd-ssl-check-hostname': True,
@@ -1200,6 +1204,10 @@ class LDAPClient(object):
             pass
         except ldap.CONNECT_ERROR:
             raise errors.DatabaseError(desc=desc, info=info)
+        except ldap.UNWILLING_TO_PERFORM:
+            raise errors.DatabaseError(desc=desc, info=info)
+        except ldap.AUTH_UNKNOWN:
+            raise errors.ACIError(info='%s (%s)' % (info,desc))
         except ldap.LDAPError, e:
             if 'NOT_ALLOWED_TO_DELEGATE' in info:
                 raise errors.ACIError(

ipapython/nsslib.py

@@ -247,6 +247,7 @@ class NSSConnection(httplib.HTTPConnection, NSSAddressFamilyFallback):
         if self.sock:
             self.sock.close()   # close it manually... there may be other refs
             self.sock = None
+            ssl.clear_session_cache()
 
     def endheaders(self, message=None):
         """

ipaserver/install/bindinstance.py

@@ -51,6 +51,9 @@ named_conf_arg_ipa_re = re.compile(r'(?P<indent>\s*)arg\s+"(?P<name>\S+)\s(?P<va
 named_conf_arg_options_re = re.compile(r'(?P<indent>\s*)(?P<name>\S+)\s+"(?P<value>[^"]+)"\s*;')
 named_conf_arg_ipa_template = "%(indent)sarg \"%(name)s %(value)s\";\n"
 named_conf_arg_options_template = "%(indent)s%(name)s \"%(value)s\";\n"
+# non string args for options section
+named_conf_arg_options_re_nonstr = re.compile(r'(?P<indent>\s*)(?P<name>\S+)\s+(?P<value>[^"]+)\s*;')
+named_conf_arg_options_template_nonstr = "%(indent)s%(name)s %(value)s;\n"
 
 def check_inst(unattended):
     has_bind = True
@@ -94,14 +97,21 @@ def named_conf_exists():
 
 NAMED_SECTION_OPTIONS = "options"
 NAMED_SECTION_IPA = "ipa"
-def named_conf_get_directive(name, section=NAMED_SECTION_IPA):
-    """Get a configuration option in bind-dyndb-ldap section of named.conf"""
+def named_conf_get_directive(name, section=NAMED_SECTION_IPA, str_val=True):
+    """Get a configuration option in bind-dyndb-ldap section of named.conf
+
+    :str_val - set to True if directive value is string
+        (only for NAMED_SECTION_OPTIONS)
+    """
     if section == NAMED_SECTION_IPA:
         named_conf_section_start_re = named_conf_section_ipa_start_re
         named_conf_arg_re = named_conf_arg_ipa_re
     elif section == NAMED_SECTION_OPTIONS:
         named_conf_section_start_re = named_conf_section_options_start_re
-        named_conf_arg_re = named_conf_arg_options_re
+        if str_val:
+            named_conf_arg_re = named_conf_arg_options_re
+        else:
+            named_conf_arg_re = named_conf_arg_options_re_nonstr
     else:
         raise NotImplementedError('Section "%s" is not supported' % section)
 
@@ -121,7 +131,8 @@ def named_conf_get_directive(name, section=NAMED_SECTION_IPA):
                 if match and name == match.group('name'):
                     return match.group('value')
 
-def named_conf_set_directive(name, value, section=NAMED_SECTION_IPA):
+def named_conf_set_directive(name, value, section=NAMED_SECTION_IPA,
+                             str_val=True):
     """
     Set configuration option in bind-dyndb-ldap section of named.conf.
 
@@ -130,6 +141,9 @@ def named_conf_set_directive(name, value, section=NAMED_SECTION_IPA):
 
     If the value is set to None, the configuration option is removed
     from named.conf.
+
+    :str_val - set to True if directive value is string
+        (only for NAMED_SECTION_OPTIONS)
     """
     new_lines = []
 
@@ -139,8 +153,12 @@ def named_conf_set_directive(name, value, section=NAMED_SECTION_IPA):
         named_conf_arg_template = named_conf_arg_ipa_template
     elif section == NAMED_SECTION_OPTIONS:
         named_conf_section_start_re = named_conf_section_options_start_re
-        named_conf_arg_re = named_conf_arg_options_re
-        named_conf_arg_template = named_conf_arg_options_template
+        if str_val:
+            named_conf_arg_re = named_conf_arg_options_re
+            named_conf_arg_template = named_conf_arg_options_template
+        else:
+            named_conf_arg_re = named_conf_arg_options_re_nonstr
+            named_conf_arg_template = named_conf_arg_options_template_nonstr
     else:
         raise NotImplementedError('Section "%s" is not supported' % section)
 

ipaserver/install/ipa_ldap_updater.py

@@ -204,7 +204,8 @@ class LDAPUpdater_NonUpgrade(LDAPUpdater):
             modified = schemaupdate.update_schema(
                 options.schema_files,
                 dm_password=self.dirman_password,
-                live_run=not options.test) or modified
+                live_run=not options.test,
+                ldapi=options.ldapi) or modified
 
         if not self.files:
             self.files = ld.get_all_files(UPDATES_DIR)

ipaserver/install/ldapupdate.py

@@ -625,6 +625,14 @@ class LDAPUpdate:
                         (old, new) = update_value.split('::', 1)
                     except ValueError:
                         raise BadSyntax, "bad syntax in replace, needs to be in the format old::new in %s" % update_value
+                    try:
+                        entry_values.remove(old)
+                    except ValueError:
+                        self.debug('replace: %s not found, skipping', safe_output(attr, old))
+                    else:
+                        entry_values.append(new)
+                        self.debug('replace: updated value %s', safe_output(attr, entry_values))
+                        entry[attr] = entry_values
 
         return entry
 

ipaserver/install/plugins/dns.py

@@ -210,6 +210,10 @@ class update_master_to_dnsforwardzones(PostUpdate):
             # add time to filename
             self.backup_path = time.strftime(self.backup_path)
 
+            # DNs of privileges which contain dns managed permissions
+            privileges_to_ldif = set()  # store priviledges only once
+            zone_to_privileges = {}  # zone: [privileges cn]
+
             self.log.info('Zones with specified forwarders with policy different'
                           ' than none will be transformed to forward zones.')
             self.log.info('Original zones will be saved in LDIF format in '
@@ -228,7 +232,13 @@ class update_master_to_dnsforwardzones(PostUpdate):
 
                             if 'managedBy' in zone:
                                 entry = ldap.get_entry(DN(zone['managedBy'][0]))
-                                writer.unparse(str(entry.dn), dict(entry))
+                                for privilege_member_dn in entry.get('member', []):
+                                    privileges_to_ldif.add(privilege_member_dn)
+                                writer.unparse(str(entry.dn), dict(entry.raw))
+
+                                # privileges where permission is used
+                                if entry.get('member'):
+                                    zone_to_privileges[zone['idnsname'][0]] = entry['member']
 
                             # raw values are required to store into ldif
                             records = api.Command['dnsrecord_find'](
@@ -249,6 +259,17 @@ class update_master_to_dnsforwardzones(PostUpdate):
                                            zone['idnsname'][0])
                             self.log.error(traceback.format_exc())
                             return (False, False, [])
+
+                    for privilege_dn in privileges_to_ldif:
+                        try:
+                            entry = ldap.get_entry(privilege_dn)
+                            writer.unparse(str(entry.dn), dict(entry.raw))
+                        except Exception, e:
+                            self.log.error('Unable to backup privilege %s' %
+                                           privilege_dn)
+                            self.log.error(traceback.format_exc())
+                            return (False, False, [])
+
                     f.close()
             except Exception:
                 self.log.error('Unable to create backup file')
@@ -285,7 +306,8 @@ class update_master_to_dnsforwardzones(PostUpdate):
                 # create permission if original zone has one
                 if 'managedBy' in zone:
                     try:
-                        api.Command['dnsforwardzone_add_permission'](zone['idnsname'][0])
+                        perm_name = api.Command['dnsforwardzone_add_permission'](
+                                        zone['idnsname'][0])['value']
                     except Exception, e:
                         self.log.error('Transform to forwardzone terminated: '
                                        'Adding managed by permission to forward zone'
@@ -296,9 +318,28 @@ class update_master_to_dnsforwardzones(PostUpdate):
                                       zone['idnsname'][0])
                         continue
 
+                    else:
+                        if zone['idnsname'][0] in zone_to_privileges:
+                            privileges = [
+                                dn[0].value for dn in zone_to_privileges[zone['idnsname'][0]]
+                            ]
+                            try:
+                                api.Command['permission_add_member'](perm_name,
+                                                    privilege=privileges)
+                            except Exception, e:
+                                self.log.error('Unable to restore privileges for '
+                                       'permission %s, for zone %s'
+                                        % (perm_name, zone['idnsname']))
+                                self.log.error(traceback.format_exc())
+                                self.log.info('Zone %s was transformed to forward zone'
+                                              ' without restored privileges',
+                                              zone['idnsname'][0])
+                                continue
+
                 self.log.info('Zone %s was sucessfully transformed to forward zone',
                               zone['idnsname'][0])
 
+
         sysupgrade.set_upgrade_state('dns', 'update_to_forward_zones', False)
 
         return (False, False, [])

ipaserver/install/replication.py

@@ -238,12 +238,17 @@ class ReplicationManager(object):
             root_logger.debug("Unable to retrieve nsDS5ReplicaId from remote server")
             raise
         else:
-            if replica.single_value.get('nsDS5ReplicaId') is None:
+            id_values = replica.get('nsDS5ReplicaId')
+            if not id_values:
                 root_logger.debug("Unable to retrieve nsDS5ReplicaId from remote server")
                 raise RuntimeError("Unable to retrieve nsDS5ReplicaId from remote server")
 
+        # nsDS5ReplicaId is single-valued now, but historically it could
+        # contain multiple values, of which we need the highest.
+        # see bug: https://fedorahosted.org/freeipa/ticket/3394
+        retval = max(int(v) for v in id_values)
+
         # Now update the value on the master
-        retval = int(replica.single_value['nsDS5ReplicaId'])
         mod = [(ldap.MOD_REPLACE, 'nsDS5ReplicaId', str(retval + 1))]
 
         try:

ipatests/setup.py.in

@@ -80,7 +80,9 @@ def setup_package():
             package_data = {
                 'ipatests.test_install': ['*.update'],
                 'ipatests.test_integration': ['scripts/*'],
-                'ipatests.test_pkcs10': ['*.csr']}
+                'ipatests.test_pkcs10': ['*.csr'],
+                "ipatests.test_ipaserver": ['data/*'],
+            }
         )
     finally:
         del sys.path[0]

ipatests/test_cmdline/test_ipagetkeytab.py

@@ -86,7 +86,10 @@ class test_ipagetkeytab(cmdline_test):
                     "-k", self.keytabname,
                    ]
         (out, err, rc) = ipautil.run(new_args, stdin=None, raiseonerr=False)
-        assert err == 'Operation failed! PrincipalName not found.\n\n'
+        assert err == (
+            'Failed to parse result! PrincipalName not found.\n\n'
+            'Failed to get keytab\n'
+        ), err
 
     def test_2_run(self):
         """

ipatests/test_webui/test_automember.py

@@ -72,7 +72,7 @@ class test_automember(UI_driver):
                         delete=False)
 
         # host group rule
-        self.navigate_by_menu('policy/automember/amhostgroup')
+        self.navigate_by_menu('identity/automember/amhostgroup')
 
         self.basic_crud(ENTITY, HOST_GROUP_DATA,
                         search_facet='searchhostgroup',

ipatests/test_webui/test_dns.py

@@ -167,5 +167,5 @@ class test_dns(UI_driver):
         Basic CRUD: dnsconfig
         """
         self.init_app()
-        self.navigate_by_menu('identity/dns/dnsconfig')
+        self.navigate_by_menu('network_services/dns/dnsconfig')
         self.mod_record(CONFIG_ENTITY, CONFIG_MOD_DATA)

ipatests/test_webui/test_navigation.py

@@ -37,6 +37,8 @@ ENTITIES = [
     # TODO: dnsrecord
     'dnsconfig',
     'cert',
+    'otptoken',
+    'radiusproxy',
     'realmdomains',
     'hbacrule',
     'hbacsvc',
@@ -77,6 +79,7 @@ class test_navigation(UI_driver):
         if not self.has_dns():
             unsupported.extend([
                                'dnszone',
+                               'dnsforwardzone',
                                'dnsconfig',
                                ])
         if not self.has_ca():
@@ -99,6 +102,7 @@ class test_navigation(UI_driver):
 
         self.init_app()
 
+        # Identity
         # don't start by users (default)
         self.navigate_by_menu('identity/group', False)
         self.navigate_by_menu('identity/user', False)
@@ -106,18 +110,11 @@ class test_navigation(UI_driver):
         self.navigate_by_menu('identity/hostgroup', False)
         self.navigate_by_menu('identity/netgroup', False)
         self.navigate_by_menu('identity/service', False)
-        if self.has_dns():
-            self.navigate_by_menu('identity/dns/dnsconfig', True)
-            self.navigate_by_menu('identity/dns', False)
-            self.navigate_by_menu('identity/dns/dnszone', False)
-            self.navigate_by_menu('identity/dns/dnsforwardzone')
-        else:
-            self.assert_menu_item('identity/dns', False)
-        if self.has_ca():
-            self.navigate_by_menu('identity/cert', False)
-        else:
-            self.assert_menu_item('identity/cert', False)
-        self.navigate_by_menu('identity/realmdomains', False)
+        self.navigate_by_menu('identity/automember', False)
+        self.navigate_by_menu('identity/automember/amhostgroup')
+        self.navigate_by_menu('identity/automember/amgroup')
+
+        # Policy
         self.navigate_by_menu('policy')
         self.navigate_by_menu('policy/hbac', False)
         self.navigate_by_menu('policy/hbac/hbacsvc', False)
@@ -128,21 +125,40 @@ class test_navigation(UI_driver):
         self.navigate_by_menu('policy/sudo/sudorule', False)
         self.navigate_by_menu('policy/sudo/sudocmd')
         self.navigate_by_menu('policy/sudo/sudocmdgroup')
-        self.navigate_by_menu('policy/automount', False)
+        self.navigate_by_menu('policy/selinuxusermap', False)
         self.navigate_by_menu('policy/pwpolicy', False)
         self.navigate_by_menu('policy/krbtpolicy', False)
-        self.navigate_by_menu('policy/selinuxusermap', False)
-        self.navigate_by_menu('policy/automember', False)
-        self.navigate_by_menu('policy/automember/amhostgroup')
-        self.navigate_by_menu('policy/automember/amgroup')
+
+        # Authentication
+        self.navigate_by_menu('authentication')
+        self.navigate_by_menu('authentication/radiusproxy', False)
+        self.navigate_by_menu('authentication/otptoken', False)
+        if self.has_ca():
+            self.navigate_by_menu('authentication/cert', False)
+        else:
+            self.assert_menu_item('authentication/cert', False)
+
+        # Network Services
+        self.navigate_by_menu('network_services')
+        self.navigate_by_menu('network_services/automount')
+        if self.has_dns():
+            self.navigate_by_menu('network_services/dns/dnsconfig', True)
+            self.navigate_by_menu('network_services/dns', False)
+            self.navigate_by_menu('network_services/dns/dnszone', False)
+            self.navigate_by_menu('network_services/dns/dnsforwardzone')
+        else:
+            self.assert_menu_item('network_services/dns', False)
+
+        # IPA Server
         self.navigate_by_menu('ipaserver')
-        self.navigate_by_menu('ipaserver/rolebased', False)
-        self.navigate_by_menu('ipaserver/rolebased/privilege', False)
-        self.navigate_by_menu('ipaserver/rolebased/role')
-        self.navigate_by_menu('ipaserver/rolebased/permission')
-        self.navigate_by_menu('ipaserver/selfservice', False)
-        self.navigate_by_menu('ipaserver/delegation', False)
+        self.navigate_by_menu('ipaserver/rbac', False)
+        self.navigate_by_menu('ipaserver/rbac/privilege', False)
+        self.navigate_by_menu('ipaserver/rbac/role')
+        self.navigate_by_menu('ipaserver/rbac/permission')
+        self.navigate_by_menu('ipaserver/rbac/selfservice')
+        self.navigate_by_menu('ipaserver/rbac/delegation')
         self.navigate_by_menu('ipaserver/idrange', False)
+        self.navigate_by_menu('ipaserver/realmdomains', False)
         if self.has_trusts():
             self.navigate_by_menu('ipaserver/trusts', False)
             self.navigate_by_menu('ipaserver/trusts/trust', False)
@@ -151,6 +167,7 @@ class test_navigation(UI_driver):
             self.assert_menu_item('ipaserver/trusts', False)
         self.navigate_by_menu('ipaserver/config', False)
 
+
     def assert_e_url(self, url, e):
         """
         Assert correct url for entity

ipatests/test_webui/ui_driver.py

@@ -427,7 +427,7 @@ class UI_driver(object):
 
         s = ".navbar a[href='#%s']" % item
         link = self.find(s, By.CSS_SELECTOR, strict=True)
-        assert link.is_displayed(), 'Navigation link is not displayed'
+        assert link.is_displayed(), 'Navigation link is not displayed: %s' % item
         link.click()
         self.wait_for_request()
         self.wait_for_request(0.4)

ipatests/test_xmlrpc/test_dns_plugin.py

@@ -73,6 +73,23 @@ zone3_ns2_arec = u'ns2'
 zone3_ns2_arec_dnsname = DNSName(zone3_ns2_arec)
 zone3_ns2_arec_dn = DN(('idnsname',zone3_ns2_arec), zone3_dn)
 
+zone4_upper = u'ZONE4.test'
+zone4 = u'zone4.test.'
+zone4_dnsname = DNSName(zone4)
+zone4_dn = DN(('idnsname', zone4), api.env.container_dns, api.env.basedn)
+zone4_ns = u'ns1.%s' % zone4
+zone4_ns_dnsname = DNSName(zone4_ns)
+zone4_rname = u'root.%s' % zone4
+zone4_rname_dnsname = DNSName(zone4_rname)
+
+zone5 = u'zone--5.test.'
+zone5_dnsname = DNSName(zone5)
+zone5_dn = DN(('idnsname', zone5), api.env.container_dns, api.env.basedn)
+zone5_ns = u'ns1.%s' % zone5
+zone5_ns_dnsname = DNSName(zone5_ns)
+zone5_rname = u'root.%s' % zone5
+zone5_rname_dnsname = DNSName(zone5_rname)
+
 revzone1 = u'31.16.172.in-addr.arpa.'
 revzone1_dnsname = DNSName(revzone1)
 revzone1_ip = u'172.16.31.0'
@@ -96,6 +113,10 @@ revzone3_classless2_ip = u'172.16.70.128'
 revzone3_classless2_ipprefix = u'172.16.70.'
 revzone3_classless2_dn = DN(('idnsname', revzone3_classless2), api.env.container_dns, api.env.basedn)
 
+revzone3_classless2_permission = u'Manage DNS zone %s' % revzone3_classless2
+revzone3_classless2_permission_dn = DN(('cn', revzone3_classless2_permission),
+                           api.env.container_permission, api.env.basedn)
+
 name1 = u'testdnsres'
 name1_dnsname = DNSName(name1)
 name1_dn = DN(('idnsname',name1), zone1_dn)
@@ -126,6 +147,15 @@ dlv_dn = DN(('idnsname', dlv), zone1_dn)
 
 dlvrec = u'60485 5 1 2BB183AF5F22588179A53B0A98631FAD1A292118'
 
+tlsa = u'tlsa'
+tlsa_dnsname = DNSName(tlsa)
+tlsa_dn = DN(('idnsname', tlsa), zone1_dn)
+
+tlsarec_err1 = u'300 0 1 d2abde240d7cd3ee6b4b28c54df034b97983a1d16e8a410e4561cb106618e971'
+tlsarec_err2 = u'0 300 1 d2abde240d7cd3ee6b4b28c54df034b97983a1d16e8a410e4561cb106618e971'
+tlsarec_err3 = u'0 0 300 d2abde240d7cd3ee6b4b28c54df034b97983a1d16e8a410e4561cb106618e971'
+tlsarec_ok = u'0 0 1 d2abde240d7cd3ee6b4b28c54df034b97983a1d16e8a410e4561cb106618e971'
+
 wildcard_rec1 = u'*.test'
 wildcard_rec1_dnsname = DNSName(wildcard_rec1)
 wildcard_rec1_dn = DN(('idnsname',wildcard_rec1), zone1_dn)
@@ -255,7 +285,7 @@ class test_dns(Declarative):
             pass
 
     cleanup_commands = [
-        ('dnszone_del', [zone1, zone2, zone3, revzone1, revzone2,
+        ('dnszone_del', [zone1, zone2, zone3, zone4, zone5, revzone1, revzone2,
                          revzone3_classless1, revzone3_classless2,
                          idnzone1, revidnzone1, zone_findtest_master],
             {'continue': True}),
@@ -266,7 +296,8 @@ class test_dns(Declarative):
                                'idnsallowsyncptr' : None,
                                }),
         ('permission_del', [zone1_permission, idnzone1_permission,
-                            fwzone1_permission], {'force': True}
+                            fwzone1_permission,
+                            revzone3_classless2_permission], {'force': True}
         ),
     ]
 
@@ -400,6 +431,80 @@ class test_dns(Declarative):
         ),
 
 
+        dict(
+            desc='Create a zone with upper case name with --force',
+            command=(
+                'dnszone_add', [zone4_upper], {
+                    'idnssoamname': zone4_ns,
+                    'idnssoarname': zone4_rname,
+                    'force'       : True,
+                }
+            ),
+            expected={
+                'value': zone4_dnsname,
+                'summary': None,
+                'result': {
+                    'dn': zone4_dn,
+                    'idnsname': [zone4_dnsname],
+                    'idnszoneactive': [u'TRUE'],
+                    'idnssoamname': [zone4_ns_dnsname],
+                    'nsrecord': [zone4_ns],
+                    'idnssoarname': [zone4_rname_dnsname],
+                    'idnssoaserial': [fuzzy_digits],
+                    'idnssoarefresh': [fuzzy_digits],
+                    'idnssoaretry': [fuzzy_digits],
+                    'idnssoaexpire': [fuzzy_digits],
+                    'idnssoaminimum': [fuzzy_digits],
+                    'idnsallowdynupdate': [u'FALSE'],
+                    'idnsupdatepolicy': [u'grant %(realm)s krb5-self * A; '
+                                         u'grant %(realm)s krb5-self * AAAA; '
+                                         u'grant %(realm)s krb5-self * SSHFP;'
+                                         % dict(realm=api.env.realm)],
+                    'idnsallowtransfer': [u'none;'],
+                    'idnsallowquery': [u'any;'],
+                    'objectclass': objectclasses.dnszone,
+                },
+            },
+        ),
+
+
+        dict(  # https://fedorahosted.org/freeipa/ticket/4268
+            desc='Create a zone with consecutive dash characters with --force',
+            command=(
+                'dnszone_add', [zone5], {
+                    'idnssoamname': zone5_ns,
+                    'idnssoarname': zone5_rname,
+                    'force'       : True,
+                }
+            ),
+            expected={
+                'value': zone5_dnsname,
+                'summary': None,
+                'result': {
+                    'dn': zone5_dn,
+                    'idnsname': [zone5_dnsname],
+                    'idnszoneactive': [u'TRUE'],
+                    'idnssoamname': [zone5_ns_dnsname],
+                    'nsrecord': [zone5_ns],
+                    'idnssoarname': [zone5_rname_dnsname],
+                    'idnssoaserial': [fuzzy_digits],
+                    'idnssoarefresh': [fuzzy_digits],
+                    'idnssoaretry': [fuzzy_digits],
+                    'idnssoaexpire': [fuzzy_digits],
+                    'idnssoaminimum': [fuzzy_digits],
+                    'idnsallowdynupdate': [u'FALSE'],
+                    'idnsupdatepolicy': [u'grant %(realm)s krb5-self * A; '
+                                         u'grant %(realm)s krb5-self * AAAA; '
+                                         u'grant %(realm)s krb5-self * SSHFP;'
+                                         % dict(realm=api.env.realm)],
+                    'idnsallowtransfer': [u'none;'],
+                    'idnsallowquery': [u'any;'],
+                    'objectclass': objectclasses.dnszone,
+                },
+            },
+        ),
+
+
         dict(
             desc='Retrieve zone %r' % zone1,
             command=('dnszone_show', [zone1], {}),
@@ -448,6 +553,111 @@ class test_dns(Declarative):
             },
         ),
 
+        dict(
+            desc='Try to add invalid NSEC3PARAM record to zone %s' % (zone1),
+            command=('dnszone_mod', [zone1], {'nsec3paramrecord': u'0 0 0 0 X'}),
+            expected=errors.ValidationError(name="nsec3param_rec",
+                        error=(u'expected format: <0-255> <0-255> <0-65535> '
+                               u'even-length_hexadecimal_digits_or_hyphen')
+            )
+        ),
+
+
+        dict(
+            desc='Try to add invalid NSEC3PARAM record to zone %s' % (zone1),
+            command=('dnszone_mod', [zone1], {'nsec3paramrecord': u'0 0 0 X'}),
+            expected=errors.ValidationError(name="nsec3param_rec",
+                        error=(u'expected format: <0-255> <0-255> <0-65535> '
+                               u'even-length_hexadecimal_digits_or_hyphen')
+            )
+        ),
+
+
+        dict(
+            desc='Try to add invalid NSEC3PARAM record to zone %s' % (zone1),
+            command=('dnszone_mod', [zone1], {'nsec3paramrecord': u'333 0 0 -'}),
+            expected=errors.ValidationError(name="nsec3param_rec",
+                        error=u'algorithm value: allowed interval 0-255'
+            )
+        ),
+
+
+        dict(
+            desc='Try to add invalid NSEC3PARAM record to zone %s' % (zone1),
+            command=('dnszone_mod', [zone1], {'nsec3paramrecord': u'0 333 0 -'}),
+            expected=errors.ValidationError(name="nsec3param_rec",
+                        error=u'flags value: allowed interval 0-255'
+            )
+        ),
+
+
+        dict(
+            desc='Try to add invalid NSEC3PARAM record to zone %s' % (zone1),
+            command=('dnszone_mod', [zone1], {'nsec3paramrecord': u'0 0 65536 -'}),
+            expected=errors.ValidationError(name="nsec3param_rec",
+                        error=u'iterations value: allowed interval 0-65535'
+            )
+        ),
+
+
+        dict(
+            desc='Try to add invalid NSEC3PARAM record to zone %s' % (zone1),
+            command=('dnszone_mod', [zone1], {'nsec3paramrecord': u'0 0 0 A'}),
+            expected=errors.ValidationError(name="nsec3param_rec",
+                        error=(u'expected format: <0-255> <0-255> <0-65535> '
+                               u'even-length_hexadecimal_digits_or_hyphen')
+            )
+        ),
+
+
+        dict(
+            desc='Add NSEC3PARAM record to zone %s' % (zone1),
+            command=('dnszone_mod', [zone1], {'nsec3paramrecord': u'0 0 0 -'}),
+            expected={
+                'value': zone1_absolute_dnsname,
+                'summary': None,
+                'result': {
+                    'idnsname': [zone1_absolute_dnsname],
+                    'idnszoneactive': [u'TRUE'],
+                    'nsrecord': [zone1_ns],
+                    'idnssoamname': [zone1_ns_dnsname],
+                    'idnssoarname': [zone1_rname_dnsname],
+                    'idnssoaserial': [fuzzy_digits],
+                    'idnssoarefresh': [u'5478'],
+                    'idnssoaretry': [fuzzy_digits],
+                    'idnssoaexpire': [fuzzy_digits],
+                    'idnssoaminimum': [fuzzy_digits],
+                    'idnsallowtransfer': [u'none;'],
+                    'idnsallowquery': [u'any;'],
+                    'nsec3paramrecord': [u'0 0 0 -'],
+                },
+            },
+        ),
+
+
+        dict(
+            desc='Delete NSEC3PARAM record from zone %s' % (zone1),
+            command=('dnszone_mod', [zone1], {'nsec3paramrecord': u''}),
+            expected={
+                'value': zone1_absolute_dnsname,
+                'summary': None,
+                'result': {
+                    'idnsname': [zone1_absolute_dnsname],
+                    'idnszoneactive': [u'TRUE'],
+                    'nsrecord': [zone1_ns],
+                    'idnssoamname': [zone1_ns_dnsname],
+                    'idnssoarname': [zone1_rname_dnsname],
+                    'idnssoaserial': [fuzzy_digits],
+                    'idnssoarefresh': [u'5478'],
+                    'idnssoaretry': [fuzzy_digits],
+                    'idnssoaexpire': [fuzzy_digits],
+                    'idnssoaminimum': [fuzzy_digits],
+                    'idnsallowtransfer': [u'none;'],
+                    'idnsallowquery': [u'any;'],
+                },
+            },
+        ),
+
 
         dict(
             desc='Try to create reverse zone %r with NS record in it' % revzone1,
@@ -1121,6 +1331,63 @@ class test_dns(Declarative):
         ),
 
 
+        dict(
+            desc='Try to add invalid TLSA record to %r using dnsrecord_add (1)' % (tlsa),
+            command=('dnsrecord_add', [zone1, tlsa], {'tlsarecord': tlsarec_err1}),
+            expected=errors.ValidationError(
+                name="cert_usage",
+                error=u'can be at most 255'
+            ),
+        ),
+
+
+        dict(
+            desc='Try to add invalid TLSA record to %r using dnsrecord_add (2)' % (tlsa),
+            command=('dnsrecord_add', [zone1, tlsa], {'tlsarecord': tlsarec_err2}),
+            expected=errors.ValidationError(
+                name="selector",
+                error=u'can be at most 255'
+            ),
+        ),
+
+
+        dict(
+            desc='Try to add invalid TLSA record to %r using dnsrecord_add (3)' % (tlsa),
+            command=('dnsrecord_add', [zone1, tlsa], {'tlsarecord': tlsarec_err3}),
+            expected=errors.ValidationError(
+                name="matching_type",
+                error=u'can be at most 255'
+            ),
+        ),
+
+
+        dict(
+            desc='Add TLSA record to %r using dnsrecord_add' % (tlsa),
+            command=('dnsrecord_add', [zone1, tlsa], {'tlsarecord': tlsarec_ok}),
+            expected={
+                'value': tlsa_dnsname,
+                'summary': None,
+                'result': {
+                    'objectclass': objectclasses.dnsrecord,
+                    'dn': tlsa_dn,
+                    'idnsname': [tlsa_dnsname],
+                    'tlsarecord': [tlsarec_ok],
+                },
+            },
+        ),
+
+
+        dict(
+            desc='Delete record %r in zone %r' % (tlsa, zone1),
+            command=('dnsrecord_del', [zone1, tlsa], {'del_all': True}),
+            expected={
+                'value': [tlsa_dnsname],
+                'summary': u'Deleted record "%s"' % tlsa,
+                'result': {'failed': []},
+            },
+        ),
+
+
         dict(
             desc='Try to create a reverse zone from invalid IP',
             command=(
@@ -1593,68 +1860,6 @@ class test_dns(Declarative):
         ),
 
 
-        dict(
-            desc='Try to add NSEC3PARAM record out of zone record %r' % (zone1),
-            command=('dnsrecord_add', [zone1, u'test'],
-                     {'nsec3paramrecord': u'1 0 2 ad50f1'}),
-            expected=errors.ValidationError(name='nsec3paramrecord',
-                        error=u'must be in zone record'),
-        ),
-
-
-        dict(
-            desc='Try to add invalid NSEC3PARAM record to zone %r' % (zone1),
-            command=('dnsrecord_add', [zone1, u'@'],
-                     {'nsec3paramrecord': u'1 0 2 -ad50f1'}),
-            expected=errors.ValidationError(name='salt',
-                        error=u'only hexadecimal digits or single hyphen ("-") are allowed'),
-        ),
-
-
-        dict(
-            desc='Add NSEC3PARAM record to zone %r' % (zone1),
-            command=('dnsrecord_add', [zone1, u'@'],
-                     {'nsec3paramrecord': u'1 0 2 ad50f1'}),
-            expected={
-                'value': _dns_zone_record,
-                'summary': None,
-                'result': {
-                    'dn': zone1_dn,
-                    'arecord': [u'172.16.29.111'],
-                    'idnsname': [_dns_zone_record],
-                    'nsrecord': [zone1_absolute],
-                    'nsec3paramrecord': [u'1 0 2 ad50f1'],
-                    'objectclass': objectclasses.dnszone,
-                },
-            },
-        ),
-
-
-        dict(
-            desc='Try to add another NSEC3PARAM record to zone %r' % (zone1),
-            command=('dnsrecord_add', [zone1, u'@'],
-                     {'nsec3paramrecord': u'1 0 2 -'}),
-            expected=errors.ValidationError(name='nsec3paramrecord',
-                        error=u'Only one NSEC3PARAM record is allowed per zone'),
-        ),
-
-
-        dict(
-            desc='Remove NSEC3PARAM record from zone %r' % (zone1),
-            command=('dnsrecord_del', [zone1, u'@'],
-                     {'nsec3paramrecord': u'1 0 2 ad50f1'}),
-            expected={
-                'value': [_dns_zone_record],
-                'summary': None,
-                'result': {
-                    'arecord': [u'172.16.29.111'],
-                    'idnsname': [_dns_zone_record],
-                    'nsrecord': [zone1_absolute],
-                },
-            },
-        ),
-
-
         dict(
             desc='Create zone %r' % zone3,
             command=(
@@ -1772,6 +1977,33 @@ class test_dns(Declarative):
             },
         ),
 
+
+        dict(
+            desc='Add per-zone permission for classless zone %r' % revzone3_classless2,
+            command=(
+                'dnszone_add_permission', [revzone3_classless2], {}
+            ),
+            expected=dict(
+                result=True,
+                value=revzone3_classless2_permission,
+                summary=u'Added system permission "%s"' % revzone3_classless2_permission,
+            ),
+        ),
+
+
+        dict(
+            desc='Remove per-zone permission for classless zone %r' % revzone3_classless2,
+            command=(
+                'dnszone_remove_permission', [revzone3_classless2], {}
+            ),
+            expected=dict(
+                result=True,
+                value=revzone3_classless2_permission,
+                summary=u'Removed system permission "%s"' % revzone3_classless2_permission,
+            ),
+        ),
+
+
         dict(
             desc='Add NS record to %r in revzone %r' % (nsrev, revzone3_classless1),
             command=('dnsrecord_add', [revzone3_classless1, nsrev], {'nsrecord': zone3_ns2}),

ipatests/test_xmlrpc/test_dns_realmdomains_integration.py

@@ -141,6 +141,15 @@ class test_dns_realmdomains_integration(Declarative):
             expected={
                 'value': DNSName(dnszone_2_absolute),
                 'summary': None,
+                'messages': ({
+                    u'message': u'DNS forwarder semantics changed since '
+                    u'IPA 4.0.\nYou may want to use forward zones '
+                    u'(dnsforwardzone-*) instead.\nFor more details read '
+                    u'the docs.',
+                    u'code': 13002,
+                    u'type': u'warning',
+                    u'name': u'ForwardersWarning'
+                },),
                 'result': {
                     'dn': dnszone_2_dn,
                     'idnsname': [DNSName(dnszone_2_absolute)],

makeaci

@@ -69,7 +69,7 @@ def generate_aci_lines(api):
             is_new=True,
         )
         aci = perm_plugin.make_aci(entry)
-        yield 'dn: %s\n' % dn
+        yield 'dn: %s\n' % entry.single_value['ipapermlocation']
         yield 'aci: %s\n' % aci
 
         check_member_attrs(name, template)