freeipa/install
Stanislav Levin 5c907e34ae named: Allow using of a custom OpenSSL engine for BIND
For now Debian, Fedora, RHEL, etc. build BIND with 'native PKCS11'
support. Till recently, that was the strict requirement of DNSSEC.
The problem is that this restricts cross-platform features of FreeIPA.

With the help of libp11, which provides `pkcs11` engine plugin for
the OpenSSL library for accessing PKCS11 modules in a semi-
transparent way, FreeIPA could utilize OpenSSL version of BIND.

BIND in turn provides ability to specify the OpenSSL engine on the
command line of `named` and all the BIND `dnssec-*` tools by using
the `-E engine_name`.

Fixes: https://pagure.io/freeipa/issue/8094
Signed-off-by: Stanislav Levin <slev@altlinux.org>
Reviewed-By: Alexander Bokovoy <abokovoy@redhat.com>
Reviewed-By: Christian Heimes <cheimes@redhat.com>
2020-08-31 09:42:31 +03:00
..
certmonger Improve performance of ipa-server-guard 2020-08-19 13:59:11 -04:00
custodia Replace PYTHONSHEBANG with valid shebang 2019-06-24 09:35:57 +02:00
html Don't fully quality the FQDN in ssbrowser.html for Chrome 2020-02-18 09:15:57 -05:00
migration Use new LDAPClient constructors 2019-02-05 08:39:13 -05:00
oddjob Create a common place to retrieve facts about an IPA installation 2020-08-06 14:11:27 +02:00
restart_scripts Don't create log files from help scripts 2019-09-24 15:23:30 +02:00
share named: Allow using of a custom OpenSSL engine for BIND 2020-08-31 09:42:31 +03:00
tools Create a common place to retrieve facts about an IPA installation 2020-08-06 14:11:27 +02:00
ui WebUI: Unify adapter property definition for state evaluators 2020-08-07 12:42:50 +02:00
updates Issue 8456 - Add new aci's for the new replication changelog entries 2020-08-17 10:44:03 +02:00
wsgi Add absolute_import future imports 2018-04-20 09:43:37 +02:00
Makefile.am Move Custodia secrets handler to scripts 2019-04-26 12:09:22 +02:00
README.schema Add some basic rules for adding new schema 2010-08-27 13:40:37 -04:00

Ground rules on adding new schema

Brand new schema, particularly when written specifically for IPA, should be
added in share/*.ldif. Any new files need to be explicitly loaded in
ipaserver/install/dsinstance.py. These simply get copied directly into
the new instance schema directory.

Existing schema (e.g. in an LDAP draft) may either be added as a separate
ldif in share or as an update in the updates directory. The advantage of
adding the schema as an update is if 389-ds ever adds the schema then the
installation won't fail due to existing schema failing to load during
bootstrap.

If the new schema requires a new container then this should be added
to install/bootstrap-template.ldif.