Imported Upstream version 4.3.1

install/updates/10-config.update

@@ -58,11 +58,13 @@ addifnew:nsSaslMapPriority: 10
 dn: cn=Name Only,cn=mapping,cn=sasl,cn=config
 addifnew:nsSaslMapPriority: 10
 
+# Default SASL buffer size was too small and could lead for example to
+# migration errors
+# Can be removed when https://fedorahosted.org/389/ticket/47457 is fixed
+dn: cn=config
+only:nsslapd-sasl-max-buffer-size:2097152
+
 # Allow hashed passwords to be added by non-DM users. Without this
 # setting, password migration fails
 dn: cn=config
 only:nsslapd-allow-hashed-passwords:on
-
-# Decrease default value for IO blocking to prevent server unresponsiveness
-dn: cn=config
-only:nsslapd-ioblocktimeout:10000

install/updates/10-ipapwd.update

@@ -1,9 +0,0 @@
-dn: cn=ipa_pwd_extop,cn=plugins,cn=config
-# DS core server provides a default plugin (passwd_modify_extop) to handle
-# 1.3.6.1.4.1.4203.1.11.1 extended op (https://www.ietf.org/rfc/rfc3062.txt)
-# the pluginprecedence of the passwd_modify_extop is 50 (default value)
-#
-# IPA delivers ipa_pwd_extop plugin to handle that extended op
-# we need to make sure ipa_pwd_extop is called and so to set a lower
-# precedence value
-add:nsslapd-pluginprecedence: 49

install/updates/10-schema_compat.update

@@ -0,0 +1,89 @@
+dn: cn=sudoers,cn=Schema Compatibility,cn=plugins,cn=config
+only:schema-compat-entry-rdn:%ifeq("ipaEnabledFlag", "FALSE", "DISABLED", "cn=%{cn}")
+add:schema-compat-entry-attribute: sudoHost=%ifeq("hostCategory","all","ALL","%{hostMask}")
+add:schema-compat-entry-attribute: sudoRunAsUser=%%%{ipaSudoRunAsExtUserGroup}
+# Fix for #4324 (regression of #1309)
+remove:schema-compat-entry-attribute:sudoRunAsGroup=%deref("ipaSudoRunAs","cn")
+remove:schema-compat-entry-attribute:sudoRunAsUser=%{ipaSudoRunAsExtUser}
+remove:schema-compat-entry-attribute:sudoRunAsUser=%%%{ipaSudoRunAsExtUserGroup}
+remove:schema-compat-entry-attribute:sudoRunAsUser=%deref("ipaSudoRunAs","uid")
+remove:schema-compat-entry-attribute:sudoRunAsGroup=%{ipaSudoRunAsExtGroup}
+remove:schema-compat-entry-attribute:sudoRunAsGroup=%deref_f("ipaSudoRunAsGroup","(objectclass=posixGroup)","cn")
+
+# We need to add the value in a separate transaction
+dn: cn=sudoers,cn=Schema Compatibility,cn=plugins,cn=config
+add: schema-compat-entry-attribute: sudoRunAsGroup=%deref_f("ipaSudoRunAsGroup","(objectclass=posixGroup)","cn")
+add: schema-compat-entry-attribute: sudoRunAsUser=%ifeq("ipaSudoRunAsUserCategory","all","ALL","%{ipaSudoRunAsExtUser}")
+add: schema-compat-entry-attribute: sudoRunAsUser=%ifeq("ipaSudoRunAsUserCategory","all","ALL","%%%{ipaSudoRunAsExtUserGroup}")
+add: schema-compat-entry-attribute: sudoRunAsUser=%ifeq("ipaSudoRunAsUserCategory","all","ALL","%deref_f(\"ipaSudoRunAs\",\"(objectclass=posixAccount)\",\"uid\")")
+add: schema-compat-entry-attribute: sudoRunAsGroup=%ifeq("ipaSudoRunAsGroupCategory","all","ALL","%{ipaSudoRunAsExtGroup}")
+add: schema-compat-entry-attribute: sudoRunAsGroup=%ifeq("ipaSudoRunAsGroupCategory","all","ALL","%deref_f(\"ipaSudoRunAsGroup\",\"(objectclass=posixGroup)\",\"cn\")")
+remove: schema-compat-ignore-subtree: cn=changelog
+remove: schema-compat-ignore-subtree: o=ipaca
+add: schema-compat-restrict-subtree: $SUFFIX
+add: schema-compat-restrict-subtree: cn=Schema Compatibility,cn=plugins,cn=config
+add: schema-compat-ignore-subtree: cn=dna,cn=ipa,cn=etc,$SUFFIX
+
+# Change padding for host and userCategory so the pad returns the same value
+# as the original, '' or -.
+dn: cn=ng,cn=Schema Compatibility,cn=plugins,cn=config
+replace: schema-compat-entry-attribute:nisNetgroupTriple=(%link("%ifeq(\"hostCategory\",\"all\",\"\",\"%collect(\\\"%{externalHost}\\\",\\\"%deref(\\\\\\\"memberHost\\\\\\\",\\\\\\\"fqdn\\\\\\\")\\\",\\\"%deref_r(\\\\\\\"member\\\\\\\",\\\\\\\"fqdn\\\\\\\")\\\",\\\"%deref_r(\\\\\\\"memberHost\\\\\\\",\\\\\\\"member\\\\\\\",\\\\\\\"fqdn\\\\\\\")\\\")\")","-",",","%ifeq(\"userCategory\",\"all\",\"\",\"%collect(\\\"%deref(\\\\\\\"memberUser\\\\\\\",\\\\\\\"uid\\\\\\\")\\\",\\\"%deref_r(\\\\\\\"member\\\\\\\",\\\\\\\"uid\\\\\\\")\\\",\\\"%deref_r(\\\\\\\"memberUser\\\\\\\",\\\\\\\"member\\\\\\\",\\\\\\\"uid\\\\\\\")\\\")\")","-"),%{nisDomainName:-})::nisNetgroupTriple=(%link("%ifeq(\"hostCategory\",\"all\",\"\",\"%collect(\\\"%{externalHost}\\\",\\\"%deref(\\\\\\\"memberHost\\\\\\\",\\\\\\\"fqdn\\\\\\\")\\\",\\\"%deref_r(\\\\\\\"member\\\\\\\",\\\\\\\"fqdn\\\\\\\")\\\",\\\"%deref_r(\\\\\\\"memberHost\\\\\\\",\\\\\\\"member\\\\\\\",\\\\\\\"fqdn\\\\\\\")\\\")\")","%ifeq(\"hostCategory\",\"all\",\"\",\"-\")",",","%ifeq(\"userCategory\",\"all\",\"\",\"%collect(\\\"%deref(\\\\\\\"memberUser\\\\\\\",\\\\\\\"uid\\\\\\\")\\\",\\\"%deref_r(\\\\\\\"member\\\\\\\",\\\\\\\"uid\\\\\\\")\\\",\\\"%deref_r(\\\\\\\"memberUser\\\\\\\",\\\\\\\"member\\\\\\\",\\\\\\\"uid\\\\\\\")\\\")\")","%ifeq(\"userCategory\",\"all\",\"\",\"-\")"),%{nisDomainName:-})
+remove: schema-compat-ignore-subtree: cn=changelog
+remove: schema-compat-ignore-subtree: o=ipaca
+add: schema-compat-restrict-subtree: $SUFFIX
+add: schema-compat-restrict-subtree: cn=Schema Compatibility,cn=plugins,cn=config
+add: schema-compat-ignore-subtree: cn=dna,cn=ipa,cn=etc,$SUFFIX
+
+dn: cn=computers, cn=Schema Compatibility, cn=plugins, cn=config
+default:objectClass: top
+default:objectClass: extensibleObject
+default:cn: computers
+default:schema-compat-container-group: cn=compat, $SUFFIX
+default:schema-compat-container-rdn: cn=computers
+default:schema-compat-search-base: cn=computers, cn=accounts, $SUFFIX
+default:schema-compat-search-filter: (&(macAddress=*)(fqdn=*)(objectClass=ipaHost))
+default:schema-compat-entry-rdn: cn=%first("%{fqdn}")
+default:schema-compat-entry-attribute: objectclass=device
+default:schema-compat-entry-attribute: objectclass=ieee802Device
+default:schema-compat-entry-attribute: cn=%{fqdn}
+default:schema-compat-entry-attribute: macAddress=%{macAddress}
+remove: schema-compat-ignore-subtree: cn=changelog
+remove: schema-compat-ignore-subtree: o=ipaca
+add: schema-compat-restrict-subtree: $SUFFIX
+add: schema-compat-restrict-subtree: cn=Schema Compatibility,cn=plugins,cn=config
+add: schema-compat-ignore-subtree: cn=dna,cn=ipa,cn=etc,$SUFFIX
+
+dn: cn=sudoers,cn=Schema Compatibility,cn=plugins,cn=config
+add:schema-compat-entry-attribute: sudoOrder=%{sudoOrder}
+
+dn: cn=users,cn=Schema Compatibility,cn=plugins,cn=config
+remove: schema-compat-ignore-subtree: cn=changelog
+remove: schema-compat-ignore-subtree: o=ipaca
+add: schema-compat-restrict-subtree: $SUFFIX
+add: schema-compat-restrict-subtree: cn=Schema Compatibility,cn=plugins,cn=config
+add: schema-compat-ignore-subtree: cn=dna,cn=ipa,cn=etc,$SUFFIX
+
+dn: cn=groups,cn=Schema Compatibility,cn=plugins,cn=config
+remove: schema-compat-ignore-subtree: cn=changelog
+remove: schema-compat-ignore-subtree: o=ipaca
+add: schema-compat-restrict-subtree: $SUFFIX
+add: schema-compat-restrict-subtree: cn=Schema Compatibility,cn=plugins,cn=config
+add: schema-compat-ignore-subtree: cn=dna,cn=ipa,cn=etc,$SUFFIX
+
+dn: cn=Schema Compatibility,cn=plugins,cn=config
+# We need to run schema-compat pre-bind callback before
+# other IPA pre-bind callbacks to make sure bind DN is
+# rewritten to the original entry if needed
+add:nsslapd-pluginprecedence: 49
+
+dn: cn=users,cn=Schema Compatibility,cn=plugins,cn=config
+add:schema-compat-entry-attribute: %ifeq("ipauniqueid","%{ipauniqueid}","objectclass=ipaOverrideTarget","")
+add:schema-compat-entry-attribute: %ifeq("ipauniqueid","%{ipauniqueid}","ipaanchoruuid=:IPA:$DOMAIN:%{ipauniqueid}","")
+add:schema-compat-entry-attribute: ipaanchoruuid=%{ipaanchoruuid}
+add:schema-compat-entry-attribute: %ifeq("ipaanchoruuid","%{ipaanchoruuid}","objectclass=ipaOverrideTarget","")
+
+dn: cn=groups,cn=Schema Compatibility,cn=plugins,cn=config
+add:schema-compat-entry-attribute: %ifeq("ipauniqueid","%{ipauniqueid}","objectclass=ipaOverrideTarget","")
+add:schema-compat-entry-attribute: %ifeq("ipauniqueid","%{ipauniqueid}","ipaanchoruuid=:IPA:$DOMAIN:%{ipauniqueid}","")
+add:schema-compat-entry-attribute: ipaanchoruuid=%{ipaanchoruuid}
+add:schema-compat-entry-attribute: %ifeq("ipaanchoruuid","%{ipaanchoruuid}","objectclass=ipaOverrideTarget","")

install/updates/10-uniqueness.update

@@ -92,20 +92,3 @@ add:uniqueness-across-all-subtrees: on
 dn: cn=ipaUniqueID uniqueness,cn=plugins,cn=config
 add:uniqueness-exclude-subtrees: cn=staged users,cn=accounts,cn=provisioning,$SUFFIX
 add:uniqueness-across-all-subtrees: on
-
-dn: cn=caacl name uniqueness,cn=plugins,cn=config
-default:objectClass: top
-default:objectClass: nsSlapdPlugin
-default:objectClass: extensibleObject
-default:cn: caacl name uniqueness
-default:nsslapd-pluginDescription: Enforce unique attribute values
-default:nsslapd-pluginPath: libattr-unique-plugin
-default:nsslapd-pluginInitfunc: NSUniqueAttr_Init
-default:nsslapd-pluginType: preoperation
-default:nsslapd-pluginEnabled: on
-default:uniqueness-attribute-name: cn
-default:uniqueness-subtrees: cn=caacls,cn=ca,$SUFFIX
-default:nsslapd-plugin-depends-on-type: database
-default:nsslapd-pluginId: NSUniqueAttr
-default:nsslapd-pluginVersion: 1.1.0
-default:nsslapd-pluginVendor: Fedora Project

install/updates/20-aci.update

@@ -21,10 +21,6 @@ add:aci:(targetattr="ipasshpubkey")(version 3.0; acl "Hosts can manage other hos
 dn: $SUFFIX
 add:aci:(targetfilter="(objectclass=domain)")(targetattr="objectclass || dc || info || nisDomain || associatedDomain")(version 3.0; acl "Anonymous read access to DIT root"; allow(read, search, compare) userdn = "ldap:///anyone";)
 
-# Read access to parentID information to allow filter optimizations in 389-ds
-dn: $SUFFIX
-add:aci:(targetattr="parentid")(version 3.0; acl "Anonymous read access to parentID information"; allow(read, search, compare) userdn = "ldap:///anyone";)
-
 # Read access to containers
 dn: $SUFFIX
 add:aci:(targetfilter="(&(objectclass=nsContainer)(!(objectclass=krbPwdPolicy)))")(target!="ldap:///cn=masters,cn=ipa,cn=etc,$SUFFIX")(targetattr="objectclass || cn")(version 3.0; acl "Anonymous read access to containers"; allow(read, search, compare) userdn = "ldap:///anyone";)
@@ -36,10 +32,6 @@ remove:aci:(targetfilter="(objectclass=nsContainer)")(version 3.0; acl "Deny rea
 dn: cn=masters,cn=ipa,cn=etc,$SUFFIX
 add:aci:(targetfilter="(objectclass=nsContainer)")(targetattr="objectclass || cn")(version 3.0; acl "Read access to masters"; allow(read, search, compare) userdn = "ldap:///all";)
 
-# Allow users to discover enabled services
-dn: cn=masters,cn=ipa,cn=etc,$SUFFIX
-add:aci:(targetfilter = "(ipaConfigString=enabledService)")(targetattrs = "ipaConfigString")(version 3.0; acl "Find enabled services"; allow(read, search, compare) userdn = "ldap:///all";)
-
 # Allow hosts to read masters service configuration
 dn: cn=masters,cn=ipa,cn=etc,$SUFFIX
 add:aci:(targetfilter = "(objectclass=nsContainer)")(targetattr = "ipaConfigString")(version 3.0; acl "Allow hosts to read masters service configuration"; allow(read, search, compare) userdn = "ldap:///fqdn=*,cn=computers,cn=accounts,$SUFFIX";)
@@ -59,18 +51,14 @@ remove:aci:(targetattr != "userPassword || krbPrincipalKey || sambaLMPassword ||
 remove:aci:(targetattr != "userPassword || krbPrincipalKey || sambaLMPassword || sambaNTPassword || passwordHistory || krbMKey || krbPrincipalName || krbCanonicalName || krbUPEnabled || krbTicketPolicyReference || krbPrincipalExpiration || krbPasswordExpiration || krbPwdPolicyReference || krbPrincipalType || krbPwdHistory || krbLastPwdChange || krbPrincipalAliases || krbExtraData || krbLastSuccessfulAuth || krbLastFailedAuth || krbLoginFailedCount || krbTicketFlags || ipaUniqueId || memberOf || serverHostName || enrolledBy || ipaNTHash")(version 3.0; acl "Admin can manage any entry"; allow (all) groupdn = "ldap:///cn=admins,cn=groups,cn=accounts,$SUFFIX";)
 remove:aci:(targetattr != "userPassword || krbPrincipalKey || sambaLMPassword || sambaNTPassword || passwordHistory || krbMKey || krbPrincipalName || krbCanonicalName || krbUPEnabled || krbTicketPolicyReference || krbPrincipalExpiration || krbPasswordExpiration || krbPwdPolicyReference || krbPrincipalType || krbPwdHistory || krbLastPwdChange || krbPrincipalAliases || krbExtraData || krbLastSuccessfulAuth || krbLastFailedAuth || krbLoginFailedCount || ipaUniqueId || memberOf || serverHostName || enrolledBy || ipaNTHash")(version 3.0; acl "Admin can manage any entry"; allow (all) groupdn = "ldap:///cn=admins,cn=groups,cn=accounts,$SUFFIX";)
 remove:aci:(targetattr != "userPassword || krbPrincipalKey || sambaLMPassword || sambaNTPassword || passwordHistory || krbMKey || krbPrincipalName || krbCanonicalName || krbUPEnabled || krbTicketPolicyReference || krbPasswordExpiration || krbPwdPolicyReference || krbPrincipalType || krbPwdHistory || krbLastPwdChange || krbPrincipalAliases || krbExtraData || krbLastSuccessfulAuth || krbLastFailedAuth || krbLoginFailedCount || ipaUniqueId || memberOf || serverHostName || enrolledBy || ipaNTHash")(version 3.0; acl "Admin can manage any entry"; allow (all) groupdn = "ldap:///cn=admins,cn=groups,cn=accounts,$SUFFIX";)
-remove:aci:(targetattr != "userPassword || krbPrincipalKey || sambaLMPassword || sambaNTPassword || passwordHistory || krbMKey || krbPrincipalName || krbCanonicalName || krbPasswordExpiration || krbPwdHistory || krbLastPwdChange || krbExtraData || krbLastSuccessfulAuth || krbLastFailedAuth || ipaUniqueId || memberOf || enrolledBy || ipaNTHash || ipaProtectedOperation")(version 3.0; acl "Admin can manage any entry"; allow (all) groupdn = "ldap:///cn=admins,cn=groups,cn=accounts,$SUFFIX";)
-add:aci:(targetattr != "userPassword || krbPrincipalKey || sambaLMPassword || sambaNTPassword || passwordHistory || krbMKey || krbPrincipalName || krbCanonicalName || krbPwdHistory || krbLastPwdChange || krbExtraData || krbLastSuccessfulAuth || krbLastFailedAuth || ipaUniqueId || memberOf || enrolledBy || ipaNTHash || ipaProtectedOperation")(version 3.0; acl "Admin can manage any entry"; allow (all) groupdn = "ldap:///cn=admins,cn=groups,cn=accounts,$SUFFIX";)
+add:aci:(targetattr != "userPassword || krbPrincipalKey || sambaLMPassword || sambaNTPassword || passwordHistory || krbMKey || krbPrincipalName || krbCanonicalName || krbPasswordExpiration || krbPwdHistory || krbLastPwdChange || krbExtraData || krbLastSuccessfulAuth || krbLastFailedAuth || ipaUniqueId || memberOf || enrolledBy || ipaNTHash || ipaProtectedOperation")(version 3.0; acl "Admin can manage any entry"; allow (all) groupdn = "ldap:///cn=admins,cn=groups,cn=accounts,$SUFFIX";)
 # Write-only
 remove:aci:(targetattr = "userPassword || krbPrincipalKey || sambaLMPassword || sambaNTPassword || passwordHistory")(version 3.0; acl "Admins can write passwords"; allow (add,delete,write) groupdn="ldap:///cn=admins,cn=groups,cn=accounts,$SUFFIX";)
-remove:aci:(targetattr = "userPassword || krbPrincipalKey || sambaLMPassword || sambaNTPassword || passwordHistory || ipaNTHash")(version 3.0; acl "Admins can write passwords"; allow (add,delete,write) groupdn="ldap:///cn=admins,cn=groups,cn=accounts,$SUFFIX";)
-add:aci:(targetattr = "userPassword || krbPrincipalKey || sambaLMPassword || sambaNTPassword || passwordHistory || ipaNTHash || krbPasswordExpiration")(version 3.0; acl "Admins can write passwords"; allow (add,delete,write) groupdn="ldap:///cn=admins,cn=groups,cn=accounts,$SUFFIX";)
+add:aci:(targetattr = "userPassword || krbPrincipalKey || sambaLMPassword || sambaNTPassword || passwordHistory || ipaNTHash")(version 3.0; acl "Admins can write passwords"; allow (add,delete,write) groupdn="ldap:///cn=admins,cn=groups,cn=accounts,$SUFFIX";)
 add:aci:(targetfilter = "(objectClass=krbPwdPolicy)")(targetattr = "krbMaxPwdLife || krbMinPwdLife || krbPwdMinDiffChars || krbPwdMinLength || krbPwdHistoryLength")(version 3.0;acl "Admins can write password policies"; allow (read, search, compare, write) groupdn = "ldap:///cn=admins,cn=groups,cn=accounts,$SUFFIX";)
 # Read-only
 add:aci:(targetattr="ipaUniqueId || memberOf || enrolledBy || krbExtraData || krbPrincipalName || krbCanonicalName || krbPasswordExpiration || krbLastPwdChange || krbLastSuccessfulAuth || krbLastFailedAuth")(version 3.0; acl "Admin read-only attributes"; allow (read, search, compare) groupdn = "ldap:///cn=admins,cn=groups,cn=accounts,$SUFFIX";)
 
-add:aci:(targetattr="krbPrincipalName || krbCanonicalName")(version 3.0; acl "Admin can write principal names"; allow (write) groupdn = "ldap:///cn=admins,cn=groups,cn=accounts,$SUFFIX";)
-
 dn: cn=tasks,cn=config
 add:aci:(targetattr="*")(version 3.0; acl "Admin can read all tasks"; allow (read, compare, search) groupdn = "ldap:///cn=admins,cn=groups,cn=accounts,$SUFFIX";)
 
@@ -128,11 +116,9 @@ add:aci: (targetfilter="(|(objectclass=ipaHost)(objectclass=ipaService))")(targe
 dn: $SUFFIX
 add:aci:(targetattr = "usercertificate")(version 3.0;acl "selfservice:Users can manage their own X.509 certificates";allow (write) userdn = "ldap:///self";)
 
-# Hosts can add and delete their own services
+# Hosts can add their own services
 dn: cn=services,cn=accounts,$SUFFIX
-remove:aci: (target = "ldap:///krbprincipalname=*/($$dn)@$REALM,cn=services,cn=accounts,$SUFFIX")(targetfilter = "(objectClass=ipaKrbPrincipal)")(version 3.0;acl "Hosts can add own services"; allow(add) userdn="ldap:///fqdn=($$dn),cn=computers,cn=accounts,$SUFFIX";)
-add:aci: (target = "ldap:///krbprincipalname=*/($$dn)@$REALM,cn=services,cn=accounts,$SUFFIX")(targetfilter = "(objectClass=ipaService)")(version 3.0;acl "Hosts can add own services"; allow(add) userdn="ldap:///fqdn=($$dn),cn=computers,cn=accounts,$SUFFIX";)
-add:aci: (target = "ldap:///krbprincipalname=*/($$dn)@$REALM,cn=services,cn=accounts,$SUFFIX")(targetfilter = "(objectClass=ipaService)")(version 3.0;acl "Hosts can delete own services"; allow(delete) userdn="ldap:///fqdn=($$dn),cn=computers,cn=accounts,$SUFFIX";)
+add:aci: (target = "ldap:///krbprincipalname=*/($$dn)@$REALM,cn=services,cn=accounts,$SUFFIX")(targetfilter = "(objectClass=ipaKrbPrincipal)")(version 3.0;acl "Hosts can add own services"; allow(add) userdn="ldap:///fqdn=($$dn),cn=computers,cn=accounts,$SUFFIX";)
 
 # CIFS service on the master can manage ID ranges
 dn: cn=ranges,cn=etc,$SUFFIX
@@ -150,17 +136,3 @@ add:aci: (target = "ldap:///cn=replication,cn=etc,$SUFFIX")(targetattr = "nsDS5R
 dn: cn=ipa,cn=etc,$SUFFIX
 add:aci: (target = "ldap:///cn=*/($$dn),cn=custodia,cn=ipa,cn=etc,$SUFFIX")(version 3.0; acl "IPA server hosts can create own Custodia secrets"; allow(add) groupdn = "ldap:///cn=ipaservers,cn=hostgroups,cn=accounts,$SUFFIX" and userdn = "ldap:///fqdn=($$dn),cn=computers,cn=accounts,$SUFFIX";)
 add:aci: (target = "ldap:///cn=*/($$dn),cn=custodia,cn=ipa,cn=etc,$SUFFIX")(targetattr = "ipaPublicKey")(version 3.0; acl "IPA server hosts can manage own Custodia secrets"; allow(write) groupdn = "ldap:///cn=ipaservers,cn=hostgroups,cn=accounts,$SUFFIX" and userdn = "ldap:///fqdn=($$dn),cn=computers,cn=accounts,$SUFFIX";)
-
-# IPA server hosts can create and manage Dogtag Custodia secrets for same host
-dn: cn=ipa,cn=etc,$SUFFIX
-add:aci: (target = "ldap:///cn=*/($$dn),cn=dogtag,cn=custodia,cn=ipa,cn=etc,$SUFFIX")(version 3.0; acl "IPA server hosts can create Dogtag Custodia secrets for same host"; allow(add) groupdn = "ldap:///cn=ipaservers,cn=hostgroups,cn=accounts,$SUFFIX" and userdn = "ldap:///fqdn=($$dn),cn=computers,cn=accounts,$SUFFIX";)
-add:aci: (target = "ldap:///cn=*/($$dn),cn=dogtag,cn=custodia,cn=ipa,cn=etc,$SUFFIX")(targetattr = "ipaPublicKey")(version 3.0; acl "IPA server hosts can manage Dogtag Custodia secrets for same host"; allow(write) groupdn = "ldap:///cn=ipaservers,cn=hostgroups,cn=accounts,$SUFFIX" and userdn = "ldap:///fqdn=($$dn),cn=computers,cn=accounts,$SUFFIX";)
-
-# Dogtag service principals can search Custodia keys
-add:aci: (target = "ldap:///cn=*,cn=custodia,cn=ipa,cn=etc,$SUFFIX")(targetattr = "ipaPublicKey || ipaKeyUsage || memberPrincipal")(version 3.0; acl "Dogtag service principals can search Custodia keys"; allow(read, search, compare) userdn = "ldap:///krbprincipalname=dogtag/*@$REALM,cn=services,cn=accounts,$SUFFIX";)
-
-# Anonymous Principal key retrieval
-dn: krbPrincipalName=WELLKNOWN/ANONYMOUS@$REALM,cn=$REALM,cn=kerberos,$SUFFIX
-addifexist: objectclass: ipaAllowedOperations
-addifexist: aci: (targetattr="ipaProtectedOperation;read_keys")(version 3.0; acl "Allow to retrieve keytab keys of the anonymous user"; allow(read) userattr="ipaAllowedToPerform;read_keys#GROUPDN";)
-addifexist: ipaAllowedToPerform;read_keys: cn=ipaservers,cn=hostgroups,cn=accounts,$SUFFIX

install/updates/20-default_password_policy.update

@@ -1,133 +0,0 @@
-# Default password policies for hosts, services and Kerberos services
-# Setting all attributes to zero effectively disables any password policy
-# We can do this because hosts and services uses keytabs instead of passwords
-
-# hosts
-dn: cn=Default Host Password Policy,cn=computers,cn=accounts,$SUFFIX
-default:objectClass: krbPwdPolicy
-default:objectClass: nsContainer
-default:objectClass: top
-default:cn: Default Host Password Policy
-default:krbMinPwdLife: 0
-default:krbPwdMinDiffChars: 0
-default:krbPwdMinLength: 0
-default:krbPwdHistoryLength: 0
-default:krbMaxPwdLife: 0
-default:krbPwdMaxFailure: 0
-default:krbPwdFailureCountInterval: 0
-default:krbPwdLockoutDuration: 0
-
-# services
-dn: cn=Default Service Password Policy,cn=services,cn=accounts,$SUFFIX
-default:objectClass: krbPwdPolicy
-default:objectClass: nsContainer
-default:objectClass: top
-default:cn: Default Service Password Policy
-default:krbMinPwdLife: 0
-default:krbPwdMinDiffChars: 0
-default:krbPwdMinLength: 0
-default:krbPwdHistoryLength: 0
-default:krbMaxPwdLife: 0
-default:krbPwdMaxFailure: 0
-default:krbPwdFailureCountInterval: 0
-default:krbPwdLockoutDuration: 0
-
-# kerberos policy container
-# this is necessary to avoid mixing the Kerberos sevice password policy
-# with group-membership based user password policies
-dn: cn=Kerberos Service Password Policy,cn=$REALM,cn=kerberos,$SUFFIX
-default:objectClass: nsContainer
-default:objectClass: top
-default:cn: Kerberos Service Password Policy
-
-# kerberos services
-dn: cn=Default Kerberos Service Password Policy,cn=Kerberos Service Password Policy,cn=$REALM,cn=kerberos,$SUFFIX
-default:objectClass: krbPwdPolicy
-default:objectClass: nsContainer
-default:objectClass: top
-default:cn: Default Kerberos Service Password Policy
-default:krbMinPwdLife: 0
-default:krbPwdMinDiffChars: 0
-default:krbPwdMinLength: 0
-default:krbPwdHistoryLength: 0
-default:krbMaxPwdLife: 0
-default:krbPwdMaxFailure: 0
-default:krbPwdFailureCountInterval: 0
-default:krbPwdLockoutDuration: 0
-
-# default password policies for hosts, services and kerberos services
-# cosPriority is set intentionally to higher number than FreeIPA API allows
-# to set to ensure that these password policies have always lower priority
-# than any defined by user.
-
-# hosts
-dn: cn=cosTemplates,cn=computers,cn=accounts,$SUFFIX
-default:objectclass: top
-default:objectclass: nsContainer
-default:cn: cosTemplates
-
-dn: cn=Default Password Policy,cn=cosTemplates,cn=computers,cn=accounts,$SUFFIX
-default:objectclass: top
-default:objectclass: cosTemplate
-default:objectclass: extensibleObject
-default:objectclass: krbContainer
-default:cn: Default Password Policy
-default:cosPriority: 10000000000
-default:krbPwdPolicyReference: cn=Default Host Password Policy,cn=computers,cn=accounts,$SUFFIX
-
-dn: cn=Default Password Policy,cn=computers,cn=accounts,$SUFFIX
-default:description: Default Password Policy for Hosts
-default:objectClass: top
-default:objectClass: ldapsubentry
-default:objectClass: cosSuperDefinition
-default:objectClass: cosPointerDefinition
-default:cosTemplateDn: cn=Default Password Policy,cn=cosTemplates,cn=computers,cn=accounts,$SUFFIX
-default:cosAttribute: krbPwdPolicyReference default
-
-# services
-dn: cn=cosTemplates,cn=services,cn=accounts,$SUFFIX
-default:objectclass: top
-default:objectclass: nsContainer
-default:cn: cosTemplates
-
-dn: cn=Default Password Policy,cn=cosTemplates,cn=services,cn=accounts,$SUFFIX
-default:objectclass: top
-default:objectclass: cosTemplate
-default:objectclass: extensibleObject
-default:objectclass: krbContainer
-default:cn: Default Password Policy
-default:cosPriority: 10000000000
-default:krbPwdPolicyReference: cn=Default Service Password Policy,cn=services,cn=accounts,$SUFFIX
-
-dn: cn=Default Password Policy,cn=services,cn=accounts,$SUFFIX
-default:description: Default Password Policy for Services
-default:objectClass: top
-default:objectClass: ldapsubentry
-default:objectClass: cosSuperDefinition
-default:objectClass: cosPointerDefinition
-default:cosTemplateDn: cn=Default Password Policy,cn=cosTemplates,cn=services,cn=accounts,$SUFFIX
-default:cosAttribute: krbPwdPolicyReference default
-
-# kerberos services
-dn: cn=cosTemplates,cn=$REALM,cn=kerberos,$SUFFIX
-default:objectclass: top
-default:objectclass: nsContainer
-default:cn: cosTemplates
-
-dn: cn=Default Password Policy,cn=cosTemplates,cn=$REALM,cn=kerberos,$SUFFIX
-default:objectclass: top
-default:objectclass: cosTemplate
-default:objectclass: extensibleObject
-default:objectclass: krbContainer
-default:cn: Default Password Policy
-default:cosPriority: 10000000000
-default:krbPwdPolicyReference: cn=Default Kerberos Service Password Policy,cn=Kerberos Service Password Policy,cn=$REALM,cn=kerberos,$SUFFIX
-
-dn: cn=Default Password Policy,cn=$REALM,cn=kerberos,$SUFFIX
-default:description: Default Password Policy for Kerberos Services
-default:objectClass: top
-default:objectClass: ldapsubentry
-default:objectClass: cosSuperDefinition
-default:objectClass: cosPointerDefinition
-default:cosTemplateDn: cn=Default Password Policy,cn=cosTemplates,cn=$REALM,cn=kerberos,$SUFFIX
-default:cosAttribute: krbPwdPolicyReference default

install/updates/20-dna.update

@@ -1,4 +1,12 @@
-# Config winsync plugin according to DNA
+# Enable the DNA plugin
+dn: cn=Distributed Numeric Assignment Plugin,cn=plugins,cn=config
+only:nsslapd-pluginEnabled: on
+
+# Change the magic value to -1
+dn: cn=Posix IDs,cn=Distributed Numeric Assignment Plugin,cn=plugins,cn=config
+only:dnaMagicRegen: -1
+add: dnaExcludeScope: cn=provisioning,$SUFFIX
+
 dn: cn=ipa-winsync,cn=plugins,cn=config
 remove:ipaWinSyncUserAttr: uidNumber 999
 remove:ipaWinSyncUserAttr: gidNumber 999

install/updates/20-enable_dirsrv_plugins.update

@@ -1,76 +0,0 @@
-# 7-bit check, plugins, config
-dn: cn=7-bit check,cn=plugins,cn=config
-replace: nsslapd-pluginEnabled:off::on
-
-# Account Usability Plugin, plugins, config
-dn: cn=Account Usability Plugin,cn=plugins,cn=config
-replace: nsslapd-pluginEnabled:off::on
-
-# ACL Plugin, plugins, config
-dn: cn=ACL Plugin,cn=plugins,cn=config
-replace: nsslapd-pluginEnabled:off::on
-
-# ACL preoperation, plugins, config
-dn: cn=ACL preoperation,cn=plugins,cn=config
-replace: nsslapd-pluginEnabled:off::on
-
-# Auto Membership Plugin, plugins, config
-dn: cn=Auto Membership Plugin,cn=plugins,cn=config
-replace: nsslapd-pluginEnabled:off::on
-
-# Bitwise Plugin, plugins, config
-dn: cn=Bitwise Plugin,cn=plugins,cn=config
-replace: nsslapd-pluginEnabled:off::on
-
-# chaining database, plugins, config
-dn: cn=chaining database,cn=plugins,cn=config
-replace: nsslapd-pluginEnabled:off::on
-
-# Class of Service, plugins, config
-dn: cn=Class of Service,cn=plugins,cn=config
-replace: nsslapd-pluginEnabled:off::on
-
-# deref, plugins, config
-dn: cn=deref,cn=plugins,cn=config
-replace: nsslapd-pluginEnabled:off::on
-
-# HTTP Client, plugins, config
-dn: cn=HTTP Client,cn=plugins,cn=config
-replace: nsslapd-pluginEnabled:off::on
-
-# Internationalization Plugin, plugins, config
-dn: cn=Internationalization Plugin,cn=plugins,cn=config
-replace: nsslapd-pluginEnabled:off::on
-
-# Linked Attributes, plugins, config
-dn: cn=Linked Attributes,cn=plugins,cn=config
-replace: nsslapd-pluginEnabled:off::on
-
-# Managed Entries, plugins, config
-dn: cn=Managed Entries,cn=plugins,cn=config
-replace: nsslapd-pluginEnabled:off::on
-
-# Multimaster Replication Plugin, plugins, config
-dn: cn=Multimaster Replication Plugin,cn=plugins,cn=config
-replace: nsslapd-pluginEnabled:off::on
-
-# Roles Plugin, plugins, config
-dn: cn=Roles Plugin,cn=plugins,cn=config
-replace: nsslapd-pluginEnabled:off::on
-
-# Schema Reload, plugins, config
-dn: cn=Schema Reload,cn=plugins,cn=config
-replace: nsslapd-pluginEnabled:off::on
-
-# State Change Plugin, plugins, config
-dn: cn=State Change Plugin,cn=plugins,cn=config
-replace: nsslapd-pluginEnabled:off::on
-
-# Views, plugins, config
-dn: cn=Views,cn=plugins,cn=config
-replace: nsslapd-pluginEnabled:off::on
-
-# whoami, plugins, config
-dn: cn=whoami,cn=plugins,cn=config
-replace: nsslapd-pluginEnabled:off::on
-

install/updates/20-idoverride_index.update

@@ -1,22 +0,0 @@
-#
-# Make sure ID override attributes have the correct indexing
-#
-
-dn: cn=ipaOriginalUid,cn=index,cn=userRoot,cn=ldbm database,cn=plugins,cn=config
-default:cn: ipaOriginalUid
-default:ObjectClass: top
-default:ObjectClass: nsIndex
-default:nsSystemIndex: false
-only: nsIndexType: eq
-only: nsIndexType: pres
-
-dn: cn=ipaAnchorUUID,cn=index,cn=userRoot,cn=ldbm database,cn=plugins,cn=config
-default:cn: ipaAnchorUUID
-default:ObjectClass: top
-default:ObjectClass: nsIndex
-default:nsSystemIndex: false
-only: nsIndexType: eq
-only: nsIndexType: pres
-
-dn: cn=ipaAnchorUUID,cn=index,cn=userRoot,cn=ldbm database,cn=plugins,cn=config
-remove:cn: ipaOriginalUid

install/updates/20-indices.update

@@ -70,9 +70,8 @@ default:cn: fqdn
 default:ObjectClass: top
 default:ObjectClass: nsIndex
 default:nsSystemIndex: false
-only:nsIndexType: eq
-only:nsIndexType: pres
-only:nsIndexType: sub
+default:nsIndexType: eq
+default:nsIndexType: pres
 
 dn: cn=macAddress,cn=index,cn=userRoot,cn=ldbm database,cn=plugins,cn=config
 default:cn: macAddress
@@ -223,7 +222,6 @@ dn: cn=ntUniqueId,cn=index,cn=userRoot,cn=ldbm database,cn=plugins,cn=config
 default:cn: ntUniqueId
 default:ObjectClass: top
 default:ObjectClass: nsIndex
-default:nsSystemIndex: false
 only:nsIndexType: eq
 only:nsIndexType: pres
 
@@ -231,80 +229,5 @@ dn: cn=ntUserDomainId,cn=index,cn=userRoot,cn=ldbm database,cn=plugins,cn=config
 default:cn: ntUserDomainId
 default:ObjectClass: top
 default:ObjectClass: nsIndex
-default:nsSystemIndex: false
 only:nsIndexType: eq
 only:nsIndexType: pres
-
-dn: cn=ipalocation,cn=index,cn=userRoot,cn=ldbm database,cn=plugins,cn=config
-default:cn: ipalocation
-default:ObjectClass: top
-default:ObjectClass: nsIndex
-default:nsSystemIndex: false
-only:nsIndexType: eq
-only:nsIndexType: pres
-
-dn: cn=krbPrincipalName,cn=index,cn=userRoot,cn=ldbm database,cn=plugins,cn=config
-default:cn: krbPrincipalName
-default:ObjectClass: top
-default:ObjectClass: nsIndex
-default:nsSystemIndex: false
-only: nsMatchingRule: caseIgnoreIA5Match
-only: nsMatchingRule: caseExactIA5Match
-only:nsIndexType: eq
-only:nsIndexType: sub
-
-dn: cn=krbCanonicalName,cn=index,cn=userRoot,cn=ldbm database,cn=plugins,cn=config
-default: cn: krbCanonicalName
-default: objectClass: top
-default: objectClass: nsIndex
-only: nsSystemIndex: false
-only: nsIndexType: eq
-only: nsIndexType: sub
-
-dn: cn=serverhostname,cn=index,cn=userRoot,cn=ldbm database,cn=plugins,cn=config
-default: cn: serverhostname
-default: objectClass: top
-default: objectClass: nsIndex
-only: nsSystemIndex: false
-only: nsIndexType: eq
-only: nsIndexType: sub
-
-dn: cn=description,cn=index,cn=userroot,cn=ldbm database,cn=plugins,cn=config
-default: cn: description
-default: objectclass: top
-default: objectclass: nsindex
-default: nssystemindex: false
-default: nsindextype: eq
-default: nsindextype: sub
-
-dn: cn=l,cn=index,cn=userroot,cn=ldbm database,cn=plugins,cn=config
-default: cn: l
-default: objectclass: top
-default: objectclass: nsindex
-default: nssystemindex: false
-default: nsindextype: eq
-default: nsindextype: sub
-
-dn: cn=nsOsVersion,cn=index,cn=userroot,cn=ldbm database,cn=plugins,cn=config
-default: cn: nsOsVersion
-default: objectclass: top
-default: objectclass: nsindex
-default: nssystemindex: false
-default: nsindextype: eq
-default: nsindextype: sub
-
-dn: cn=nsHardwarePlatform,cn=index,cn=userroot,cn=ldbm database,cn=plugins,cn=config
-default: cn: nsHardwarePlatform
-default: objectclass: top
-default: objectclass: nsindex
-default: nssystemindex: false
-default: nsindextype: eq
-default: nsindextype: sub
-
-dn: cn=nsHostLocation,cn=index,cn=userroot,cn=ldbm database,cn=plugins,cn=config
-default: cn: nsHostLocation
-default: objectclass: top
-default: objectclass: nsindex
-default: nssystemindex: false
-default: nsindextype: eq
-default: nsindextype: sub

install/updates/20-syncrepl.update

@@ -4,7 +4,7 @@ only:nsslapd-pluginEnabled: on
 # Remember original nsuniqueid for objects referenced from cn=changelog
 add:nsslapd-attribute: nsuniqueid:targetUniqueId
 add:nsslapd-changelogmaxage: 2d
-add:nsslapd-include-suffix: cn=dns,$SUFFIX
+add:nsslapd-exclude-suffix: o=ipaca
 
 # Keep memberOf and referential integrity plugins away from cn=changelog.
 # It is necessary for performance reasons because we don't have appropriate

install/updates/20-whoami.update

@@ -1,14 +0,0 @@
-dn: cn=whoami,cn=plugins,cn=config
-default:objectClass: top
-default:objectClass: nsSlapdPlugin
-default:objectClass: extensibleObject
-default:cn: whoami
-default:nsslapd-plugin-depends-on-type: database
-default:nsslapd-pluginDescription: whoami extended operation plugin
-default:nsslapd-pluginEnabled: on
-default:nsslapd-pluginId: whoami-plugin
-default:nsslapd-pluginInitfunc: whoami_init
-default:nsslapd-pluginPath: libwhoami-plugin
-default:nsslapd-pluginType: extendedop
-default:nsslapd-pluginVendor: 389 Project
-default:nsslapd-pluginVersion: 1.0

install/updates/25-referint.update

@@ -19,4 +19,3 @@ add: referint-membership-attr: ipaassignedidview
 add: referint-membership-attr: ipaallowedtarget
 add: referint-membership-attr: ipamemberca
 add: referint-membership-attr: ipamembercertprofile
-add: referint-membership-attr: ipalocation

install/updates/30-provisioning.update

@@ -23,14 +23,12 @@ default: cn: deleted users
 # This is used for the admin to know if credential are set for stage users
 # We can do a query on a DN to see if an attribute exists or retrieve the value
 dn: cn=staged users,cn=accounts,cn=provisioning,$SUFFIX
-remove:aci: (targetattr="userPassword || krbPrincipalKey")(version 3.0; acl "Search existence of password and kerberos keys"; allow(read, search) userdn = "ldap:///uid=admin,cn=users,cn=accounts,$SUFFIX";)
-add:aci: (targetattr="userPassword || krbPrincipalKey")(version 3.0; acl "Search existence of password and kerberos keys"; allow(read, search) groupdn = "ldap:///cn=admins,cn=groups,cn=accounts,$SUFFIX";)
+add:aci: (targetattr="userPassword || krbPrincipalKey")(version 3.0; acl "Search existence of password and kerberos keys"; allow(read, search) userdn = "ldap:///uid=admin,cn=users,cn=accounts,$SUFFIX";)
 
 # This is used for the admin to reset the delete users credential
 # No one is allowed to add entry in Delete container
 dn: cn=deleted users,cn=accounts,cn=provisioning,$SUFFIX
-remove:aci: (targetattr="userPassword || krbPrincipalKey || krbPasswordExpiration || krbLastPwdChange")(version 3.0; acl "Admins allowed to reset password and kerberos keys"; allow(read, search, write) userdn = "ldap:///uid=admin,cn=users,cn=accounts,$SUFFIX";)
-add:aci: (targetattr="userPassword || krbPrincipalKey || krbPasswordExpiration || krbLastPwdChange")(version 3.0; acl "Admins allowed to reset password and kerberos keys"; allow(read, search, write) groupdn = "ldap:///cn=admins,cn=groups,cn=accounts,$SUFFIX";)
+add:aci: (targetattr="userPassword || krbPrincipalKey || krbPasswordExpiration || krbLastPwdChange")(version 3.0; acl "Admins allowed to reset password and kerberos keys"; allow(read, search, write) userdn = "ldap:///uid=admin,cn=users,cn=accounts,$SUFFIX";)
 add:aci: (targetattr = "*")(version 3.0; acl "No one can add entry in Delete container"; deny (add) userdn = "ldap:///all";)
 
 dn: cn=provisioning accounts lock,cn=accounts,cn=provisioning,$SUFFIX

install/updates/37-locations.update

@@ -1,4 +0,0 @@
-dn: cn=locations,cn=etc,$SUFFIX
-default: objectClass: nsContainer
-default: objectClass: top
-default: cn: locations

install/updates/40-delegation.update

@@ -133,6 +133,21 @@ default:objectClass: top
 default:objectClass: nsContainer
 default:cn: certificate remove hold
 
+dn: cn=request certificate with subjectaltname,cn=virtual operations,cn=etc,$SUFFIX
+default:objectClass: top
+default:objectClass: nsContainer
+default:cn: request certificate with subjectaltname
+
+dn: cn=Request Certificate with SubjectAltName,cn=permissions,cn=pbac,$SUFFIX
+default:objectClass: top
+default:objectClass: groupofnames
+default:objectClass: ipapermission
+default:cn: Request Certificate with SubjectAltName
+default:member: cn=Certificate Administrators,cn=privileges,cn=pbac,$SUFFIX
+
+dn: $SUFFIX
+add:aci:(targetattr = "objectclass")(target = "ldap:///cn=request certificate with subjectaltname,cn=virtual operations,cn=etc,$SUFFIX" )(version 3.0; acl "permission:Request Certificate with SubjectAltName"; allow (write) groupdn = "ldap:///cn=Request Certificate with SubjectAltName,cn=permissions,cn=pbac,$SUFFIX";)
+
 dn: cn=request certificate ignore caacl,cn=virtual operations,cn=etc,$SUFFIX
 default:objectClass: top
 default:objectClass: nsContainer
@@ -259,19 +274,3 @@ default:objectClass: groupofnames
 default:objectClass: top
 default:cn: Vault Administrators
 default:description: Vault Administrators
-
-
-# Locations - always create DNS related privileges
-dn: cn=DNS Administrators,cn=privileges,cn=pbac,$SUFFIX
-default:objectClass: top
-default:objectClass: groupofnames
-default:objectClass: nestedgroup
-default:cn: DNS Administrators
-default:description: DNS Administrators
-
-dn: cn=DNS Servers,cn=privileges,cn=pbac,$SUFFIX
-default:objectClass: top
-default:objectClass: groupofnames
-default:objectClass: nestedgroup
-default:cn: DNS Servers
-default:description: DNS Servers

install/updates/40-dns.update

@@ -2,9 +2,10 @@
 # update DNS container
 dn: cn=dns, $SUFFIX
 addifexist: objectClass: idnsConfigObject
+addifexist: objectClass: ipaConfigObject
 addifexist: aci:(target = "ldap:///idnsname=*,cn=dns,$SUFFIX")(version 3.0;acl "Add DNS entries in a zone";allow (add) userattr = "parent[1].managedby#GROUPDN";)
 addifexist: aci:(target = "ldap:///idnsname=*,cn=dns,$SUFFIX")(version 3.0;acl "Remove DNS entries from a zone";allow (delete) userattr = "parent[1].managedby#GROUPDN";)
-addifexist: aci:(targetattr = "a6record || aaaarecord || afsdbrecord || aplrecord || arecord || certrecord || cn || cnamerecord || dhcidrecord || dlvrecord || dnamerecord || dnsclass || dnsttl || dsrecord || hinforecord || hiprecord || idnsallowdynupdate || idnsallowquery || idnsallowsyncptr || idnsallowtransfer || idnsforwarders || idnsforwardpolicy || idnsname || idnssecinlinesigning || idnssoaexpire || idnssoaminimum || idnssoamname || idnssoarefresh || idnssoaretry || idnssoarname || idnssoaserial || idnsupdatepolicy || idnszoneactive || ipseckeyrecord || keyrecord || kxrecord || locrecord || mdrecord || minforecord || mxrecord || naptrrecord || nsecrecord || nsec3paramrecord || nsrecord || nxtrecord || ptrrecord || rprecord || rrsigrecord || sigrecord || spfrecord || srvrecord || sshfprecord || tlsarecord || txtrecord || urirecord || unknownrecord ")(target = "ldap:///idnsname=*,cn=dns,$SUFFIX")(version 3.0;acl "Update DNS entries in a zone";allow (write) userattr = "parent[0,1].managedby#GROUPDN";)
+addifexist: aci:(targetattr = "a6record || aaaarecord || afsdbrecord || aplrecord || arecord || certrecord || cn || cnamerecord || dhcidrecord || dlvrecord || dnamerecord || dnsclass || dnsttl || dsrecord || hinforecord || hiprecord || idnsallowdynupdate || idnsallowquery || idnsallowsyncptr || idnsallowtransfer || idnsforwarders || idnsforwardpolicy || idnsname || idnssecinlinesigning || idnssoaexpire || idnssoaminimum || idnssoamname || idnssoarefresh || idnssoaretry || idnssoarname || idnssoaserial || idnsupdatepolicy || idnszoneactive || ipseckeyrecord || keyrecord || kxrecord || locrecord || mdrecord || minforecord || mxrecord || naptrrecord || nsecrecord || nsec3paramrecord || nsrecord || nxtrecord || ptrrecord || rprecord || rrsigrecord || sigrecord || spfrecord || srvrecord || sshfprecord || tlsarecord || txtrecord || unknownrecord ")(target = "ldap:///idnsname=*,cn=dns,$SUFFIX")(version 3.0;acl "Update DNS entries in a zone";allow (write) userattr = "parent[0,1].managedby#GROUPDN";)
 
 
 # replace DNS tree deny rule with managedBy enhanced allow rule
@@ -17,7 +18,6 @@ dn: cn=dns, $SUFFIX
 remove:aci:(targetattr = "idnsname || cn || idnsallowdynupdate || dnsttl || dnsclass || arecord || aaaarecord || a6record || nsrecord || cnamerecord || ptrrecord || srvrecord || txtrecord || mxrecord || mdrecord || hinforecord || minforecord || afsdbrecord || sigrecord || keyrecord || locrecord || nxtrecord || naptrrecord || kxrecord || certrecord || dnamerecord || dsrecord || sshfprecord || rrsigrecord || nsecrecord || idnsname || idnszoneactive || idnssoamname || idnssoarname || idnssoaserial || idnssoarefresh || idnssoaretry || idnssoaexpire || idnssoaminimum || idnsupdatepolicy || idnsallowquery || idnsallowtransfer || idnsallowsyncptr || idnsforwardpolicy || idnsforwarders")(target = "ldap:///idnsname=*,cn=dns,$SUFFIX")(version 3.0;acl "Update DNS entries in a zone";allow (write) userattr = "parent[0,1].managedby#GROUPDN";)
 remove:aci:(targetattr = "idnsname || cn || idnsallowdynupdate || dnsttl || dnsclass || arecord || aaaarecord || a6record || nsrecord || cnamerecord || ptrrecord || srvrecord || txtrecord || mxrecord || mdrecord || hinforecord || minforecord || afsdbrecord || sigrecord || keyrecord || locrecord || nxtrecord || naptrrecord || kxrecord || certrecord || dnamerecord || dsrecord || sshfprecord || rrsigrecord || nsecrecord || idnsname || idnszoneactive || idnssoamname || idnssoarname || idnssoaserial || idnssoarefresh || idnssoaretry || idnssoaexpire || idnssoaminimum || idnsupdatepolicy || idnsallowquery || idnsallowtransfer || idnsallowsyncptr || idnsforwardpolicy || idnsforwarders || dlvrecord || idnssecinlinesigning || nsec3paramrecord || tlsarecord ")(target = "ldap:///idnsname=*,cn=dns,$SUFFIX")(version 3.0;acl "Update DNS entries in a zone";allow (write) userattr = "parent[0,1].managedby#GROUPDN";)
 remove:aci:(targetattr = "idnsname || cn || idnsallowdynupdate || dnsttl || dnsclass || arecord || aaaarecord || a6record || nsrecord || cnamerecord || ptrrecord || srvrecord || txtrecord || mxrecord || mdrecord || hinforecord || minforecord || afsdbrecord || sigrecord || keyrecord || locrecord || nxtrecord || naptrrecord || kxrecord || certrecord || dnamerecord || dsrecord || sshfprecord || rrsigrecord || nsecrecord || idnsname || idnszoneactive || idnssoamname || idnssoarname || idnssoaserial || idnssoarefresh || idnssoaretry || idnssoaexpire || idnssoaminimum || idnsupdatepolicy || idnsallowquery || idnsallowtransfer || idnsallowsyncptr || idnsforwardpolicy || idnsforwarders || dlvrecord || idnssecinlinesigning || nsec3paramrecord || tlsarecord || unknownrecord ")(target = "ldap:///idnsname=*,cn=dns,$SUFFIX")(version 3.0;acl "Update DNS entries in a zone";allow (write) userattr = "parent[0,1].managedby#GROUPDN";)
-remove:aci:(targetattr = "a6record || aaaarecord || afsdbrecord || aplrecord || arecord || certrecord || cn || cnamerecord || dhcidrecord || dlvrecord || dnamerecord || dnsclass || dnsttl || dsrecord || hinforecord || hiprecord || idnsallowdynupdate || idnsallowquery || idnsallowsyncptr || idnsallowtransfer || idnsforwarders || idnsforwardpolicy || idnsname || idnssecinlinesigning || idnssoaexpire || idnssoaminimum || idnssoamname || idnssoarefresh || idnssoaretry || idnssoarname || idnssoaserial || idnsupdatepolicy || idnszoneactive || ipseckeyrecord || keyrecord || kxrecord || locrecord || mdrecord || minforecord || mxrecord || naptrrecord || nsecrecord || nsec3paramrecord || nsrecord || nxtrecord || ptrrecord || rprecord || rrsigrecord || sigrecord || spfrecord || srvrecord || sshfprecord || tlsarecord || txtrecord || unknownrecord ")(target = "ldap:///idnsname=*,cn=dns,$SUFFIX")(version 3.0;acl "Update DNS entries in a zone";allow (write) userattr = "parent[0,1].managedby#GROUPDN";)
 
 # add DNS plugin
 dn: cn=IPA DNS,cn=plugins,cn=config

install/updates/41-lightweight-cas.update

@@ -1,4 +0,0 @@
-dn: cn=cas,cn=ca,$SUFFIX
-default: objectClass: nsContainer
-default: objectClass: top
-default: cn: cas

install/updates/45-roles.update

@@ -91,12 +91,3 @@ add:member: cn=Security Architect,cn=roles,cn=accounts,$SUFFIX
 dn: cn=Password Policy Administrator,cn=privileges,cn=pbac,$SUFFIX
 add:member: cn=Security Architect,cn=roles,cn=accounts,$SUFFIX
 
-dn: cn=Enrollment Administrator,cn=roles,cn=accounts,$SUFFIX
-default:objectClass: groupofnames
-default:objectClass: nestedgroup
-default:objectClass: top
-default:cn: Enrollment Administrator
-default:description: Enrollment Administrator responsible for client(host) enrollment
-
-dn: cn=Host Enrollment,cn=privileges,cn=pbac,$SUFFIX
-add:member: cn=Enrollment Administrator,cn=roles,cn=accounts,$SUFFIX

install/updates/50-ipaconfig.update

@@ -1,7 +1,6 @@
 dn: cn=ipaConfig,cn=etc,$SUFFIX
-replace: ipaSELinuxUserMapOrder: guest_u:s0$$xguest_u:s0$$user_u:s0-s0:c0.c1023$$staff_u:s0-s0:c0.c1023$$unconfined_u:s0-s0:c0.c1023::ipaSELinuxUserMapOrder: guest_u:s0$$xguest_u:s0$$user_u:s0$$staff_u:s0-s0:c0.c1023$$unconfined_u:s0-s0:c0.c1023
+add:ipaSELinuxUserMapOrder: guest_u:s0$$xguest_u:s0$$user_u:s0$$staff_u:s0-s0:c0.c1023$$unconfined_u:s0-s0:c0.c1023
 add:ipaSELinuxUserMapDefault: unconfined_u:s0-s0:c0.c1023
 add:ipaUserObjectClasses: ipasshuser
 remove:ipaConfigString:AllowLMhash
 add:objectClass: ipaUserAuthTypeClass
-add:objectClass: ipaNameResolutionData

install/updates/71-idviews-sasl-mapping.update

@@ -1,8 +0,0 @@
-dn: cn=ID Overridden Principal,cn=mapping,cn=sasl,cn=config
-default:cn: ID Overridden Principal
-default:nsSaslMapBaseDNTemplate: cn=default trust view,cn=views,cn=accounts,$SUFFIX
-default:nsSaslMapFilterTemplate: (&(ipaoriginaluid=\1@\2)(objectclass=ipaUserOverride))
-default:nsSaslMapPriority: 20
-default:nsSaslMapRegexString: \(.*\)@\(.*\)
-default:objectClass: top
-default:objectClass: nsSaslMapping

install/updates/73-certmap.update

@@ -1,23 +0,0 @@
-# Configuration for Certificate Identity Mapping
-dn: cn=certmap,$SUFFIX
-default:objectclass: top
-default:objectclass: nsContainer
-default:objectclass: ipaCertMapConfigObject
-default:cn: certmap
-default:ipaCertMapPromptUsername: FALSE
-
-dn: cn=certmaprules,cn=certmap,$SUFFIX
-default:objectclass: top
-default:objectclass: nsContainer
-default:cn: certmaprules
-
-# Certificate Identity Mapping Administrators
-dn: cn=Certificate Identity Mapping Administrators,cn=privileges,cn=pbac,$SUFFIX
-default:objectClass: top
-default:objectClass: groupofnames
-default:objectClass: nestedgroup
-default:cn: Certificate Identity Mapping Administrators
-default:description: Certificate Identity Mapping Administrators
-
-dn: $SUFFIX
-add:aci: (targetattr = "ipacertmapdata")(targattrfilters="add=objectclass:(objectclass=ipacertmapobject)")(version 3.0;acl "selfservice:Users can manage their own X.509 certificate identity mappings";allow (write) userdn = "ldap:///self";)

install/updates/73-custodia.update

@@ -2,8 +2,3 @@ dn: cn=custodia,cn=ipa,cn=etc,$SUFFIX
 default: objectClass: top
 default: objectClass: nsContainer
 default: cn: custodia
-
-dn: cn=dogtag,cn=custodia,cn=ipa,cn=etc,$SUFFIX
-default: objectClass: top
-default: objectClass: nsContainer
-default: cn: dogtag

install/updates/80-schema_compat.update

@@ -1,227 +0,0 @@
-#
-# Setup the Schema Compatibility plugin provided by slapi-nis.
-# This should be done after all other updates have been applied
-#
-# https://pagure.io/slapi-nis/
-#
-dn: cn=Schema Compatibility, cn=plugins, cn=config
-default:objectclass: top
-default:objectclass: nsSlapdPlugin
-default:objectclass: extensibleObject
-default:cn: Schema Compatibility
-default:nsslapd-pluginpath: /usr/lib$LIBARCH/dirsrv/plugins/schemacompat-plugin.so
-default:nsslapd-plugininitfunc: schema_compat_plugin_init
-default:nsslapd-plugintype: object
-default:nsslapd-pluginenabled: on
-default:nsslapd-pluginid: schema-compat-plugin
-# We need to run schema-compat pre-bind callback before
-# other IPA pre-bind callbacks to make sure bind DN is
-# rewritten to the original entry if needed
-default:nsslapd-pluginprecedence: 40
-default:nsslapd-pluginversion: 0.8
-default:nsslapd-pluginbetxn: on
-default:nsslapd-pluginvendor: redhat.com
-default:nsslapd-plugindescription: Schema Compatibility Plugin
-
-dn: cn=users, cn=Schema Compatibility, cn=plugins, cn=config
-default:objectClass: top
-default:objectClass: extensibleObject
-default:cn: users
-default:schema-compat-container-group: cn=compat, $SUFFIX
-default:schema-compat-container-rdn: cn=users
-default:schema-compat-search-base: cn=users, cn=accounts, $SUFFIX
-default:schema-compat-search-filter: objectclass=posixAccount
-default:schema-compat-entry-rdn: uid=%{uid}
-default:schema-compat-entry-attribute: objectclass=posixAccount
-default:schema-compat-entry-attribute: gecos=%{cn}
-default:schema-compat-entry-attribute: cn=%{cn}
-default:schema-compat-entry-attribute: uidNumber=%{uidNumber}
-default:schema-compat-entry-attribute: gidNumber=%{gidNumber}
-default:schema-compat-entry-attribute: loginShell=%{loginShell}
-default:schema-compat-entry-attribute: homeDirectory=%{homeDirectory}
-default:schema-compat-entry-attribute: %ifeq("ipauniqueid","%{ipauniqueid}","objectclass=ipaOverrideTarget","")
-default:schema-compat-entry-attribute: %ifeq("ipauniqueid","%{ipauniqueid}","ipaanchoruuid=:IPA:$DOMAIN:%{ipauniqueid}","")
-default:schema-compat-entry-attribute: ipaanchoruuid=%{ipaanchoruuid}
-default:schema-compat-entry-attribute: %ifeq("ipaanchoruuid","%{ipaanchoruuid}","objectclass=ipaOverrideTarget","")
-
-dn: cn=groups, cn=Schema Compatibility, cn=plugins, cn=config
-default:objectClass: top
-default:objectClass: extensibleObject
-default:cn: groups
-default:schema-compat-container-group: cn=compat, $SUFFIX
-default:schema-compat-container-rdn: cn=groups
-default:schema-compat-search-base: cn=groups, cn=accounts, $SUFFIX
-default:schema-compat-search-filter: objectclass=posixGroup
-default:schema-compat-entry-rdn: cn=%{cn}
-default:schema-compat-entry-attribute: objectclass=posixGroup
-default:schema-compat-entry-attribute: gidNumber=%{gidNumber}
-default:schema-compat-entry-attribute: memberUid=%{memberUid}
-default:schema-compat-entry-attribute: memberUid=%deref_r("member","uid")
-default:schema-compat-entry-attribute: %ifeq("ipauniqueid","%{ipauniqueid}","objectclass=ipaOverrideTarget","")
-default:schema-compat-entry-attribute: %ifeq("ipauniqueid","%{ipauniqueid}","ipaanchoruuid=:IPA:$DOMAIN:%{ipauniqueid}","")
-default:schema-compat-entry-attribute: ipaanchoruuid=%{ipaanchoruuid}
-default:schema-compat-entry-attribute: %ifeq("ipaanchoruuid","%{ipaanchoruuid}","objectclass=ipaOverrideTarget","")
-
-dn: cn=ng,cn=Schema Compatibility,cn=plugins,cn=config
-add:objectClass: top
-add:objectClass: extensibleObject
-add:cn: ng
-add:schema-compat-container-group: cn=compat, $SUFFIX
-add:schema-compat-container-rdn: cn=ng
-add:schema-compat-check-access: yes
-add:schema-compat-search-base: cn=ng, cn=alt, $SUFFIX
-add:schema-compat-search-filter: (objectclass=ipaNisNetgroup)
-add:schema-compat-entry-rdn: cn=%{cn}
-add:schema-compat-entry-attribute: objectclass=nisNetgroup
-add:schema-compat-entry-attribute: memberNisNetgroup=%deref_r("member","cn")
-add:schema-compat-entry-attribute: nisNetgroupTriple=(%link("%ifeq(\"hostCategory\",\"all\",\"\",\"%collect(\\\"%{externalHost}\\\",\\\"%deref(\\\\\\\"memberHost\\\\\\\",\\\\\\\"fqdn\\\\\\\")\\\",\\\"%deref_r(\\\\\\\"member\\\\\\\",\\\\\\\"fqdn\\\\\\\")\\\",\\\"%deref_r(\\\\\\\"memberHost\\\\\\\",\\\\\\\"member\\\\\\\",\\\\\\\"fqdn\\\\\\\")\\\")\")","-",",","%ifeq(\"userCategory\",\"all\",\"\",\"%collect(\\\"%deref(\\\\\\\"memberUser\\\\\\\",\\\\\\\"uid\\\\\\\")\\\",\\\"%deref_r(\\\\\\\"member\\\\\\\",\\\\\\\"uid\\\\\\\")\\\",\\\"%deref_r(\\\\\\\"memberUser\\\\\\\",\\\\\\\"member\\\\\\\",\\\\\\\"uid\\\\\\\")\\\")\")","-"),%{nisDomainName:-})
-
-dn: cn=sudoers,cn=Schema Compatibility,cn=plugins,cn=config
-add:objectClass: top
-add:objectClass: extensibleObject
-add:cn: sudoers
-add:schema-compat-container-group: ou=SUDOers, $SUFFIX
-add:schema-compat-search-base: cn=sudorules, cn=sudo, $SUFFIX
-add:schema-compat-search-filter: (&(objectclass=ipaSudoRule)(!(compatVisible=FALSE))(!(ipaEnabledFlag=FALSE)))
-add:schema-compat-entry-rdn: %ifeq("ipaEnabledFlag", "FALSE", "DISABLED", "cn=%{cn}")
-add:schema-compat-entry-attribute: objectclass=sudoRole
-add:schema-compat-entry-attribute: sudoUser=%ifeq("userCategory","all","ALL","%{externalUser}")
-add:schema-compat-entry-attribute: sudoUser=%ifeq("userCategory","all","ALL","%deref_f(\"memberUser\",\"(objectclass=posixAccount)\",\"uid\")")
-add:schema-compat-entry-attribute: sudoUser=%ifeq("userCategory","all","ALL","%deref_rf(\"memberUser\",\"(&(objectclass=ipaUserGroup)(!(objectclass=posixGroup)))\",\"member\",\"(|(objectclass=ipaUserGroup)(objectclass=posixAccount))\",\"uid\")")
-add:schema-compat-entry-attribute: sudoUser=%ifeq("userCategory","all","ALL","%%%deref_f(\"memberUser\",\"(objectclass=posixGroup)\",\"cn\")")
-add:schema-compat-entry-attribute: sudoUser=%ifeq("userCategory","all","ALL","+%deref_f(\"memberUser\",\"(objectclass=ipaNisNetgroup)\",\"cn\")")
-add:schema-compat-entry-attribute: sudoHost=%ifeq("hostCategory","all","ALL","%{externalHost}")
-add:schema-compat-entry-attribute: sudoHost=%ifeq("hostCategory","all","ALL","%deref_f(\"memberHost\",\"(objectclass=ipaHost)\",\"fqdn\")")
-add:schema-compat-entry-attribute: sudoHost=%ifeq("hostCategory","all","ALL","%deref_rf(\"memberHost\",\"(&(objectclass=ipaHostGroup)(!(objectclass=mepOriginEntry)))\",\"member\",\"(|(objectclass=ipaHostGroup)(objectclass=ipaHost))\",\"fqdn\")")
-add:schema-compat-entry-attribute: sudoHost=%ifeq("hostCategory","all","ALL","+%deref_f(\"memberHost\",\"(&(objectclass=ipaHostGroup)(objectclass=mepOriginEntry))\",\"cn\")")
-add:schema-compat-entry-attribute: sudoHost=%ifeq("hostCategory","all","ALL","+%deref_f(\"memberHost\",\"(objectclass=ipaNisNetgroup)\",\"cn\")")
-add:schema-compat-entry-attribute: sudoHost=%ifeq("hostCategory","all","ALL","%{hostMask}")
-add:schema-compat-entry-attribute: sudoCommand=%ifeq("cmdCategory","all","ALL","%deref(\"memberAllowCmd\",\"sudoCmd\")")
-add:schema-compat-entry-attribute: sudoCommand=%ifeq("cmdCategory","all","ALL","%deref_r(\"memberAllowCmd\",\"member\",\"sudoCmd\")")
-# memberDenyCmds are to be allowed even if cmdCategory is set to ALL
-add:schema-compat-entry-attribute: sudoCommand=!%deref("memberDenyCmd","sudoCmd")
-add:schema-compat-entry-attribute: sudoCommand=!%deref_r("memberDenyCmd","member","sudoCmd")
-add:schema-compat-entry-attribute: sudoRunAsUser=%ifeq("ipaSudoRunAsUserCategory","all","ALL","%{ipaSudoRunAsExtUser}")
-add:schema-compat-entry-attribute: sudoRunAsUser=%ifeq("ipaSudoRunAsUserCategory","all","ALL","%%%{ipaSudoRunAsExtUserGroup}")
-add:schema-compat-entry-attribute: sudoRunAsUser=%ifeq("ipaSudoRunAsUserCategory","all","ALL","%deref_f(\"ipaSudoRunAs\",\"(objectclass=posixAccount)\",\"uid\")")
-add:schema-compat-entry-attribute: sudoRunAsUser=%ifeq("ipaSudoRunAsUserCategory","all","ALL","%%%deref_f(\"ipaSudoRunAs\",\"(objectclass=posixGroup)\",\"cn\")")
-add:schema-compat-entry-attribute: sudoRunAsGroup=%ifeq("ipaSudoRunAsGroupCategory","all","ALL","%{ipaSudoRunAsExtGroup}")
-add:schema-compat-entry-attribute: sudoRunAsGroup=%ifeq("ipaSudoRunAsGroupCategory","all","ALL","%deref_f(\"ipaSudoRunAsGroup\",\"(objectclass=posixGroup)\",\"cn\")")
-add:schema-compat-entry-attribute: sudoOption=%{ipaSudoOpt}
-
-dn: cn=computers, cn=Schema Compatibility, cn=plugins, cn=config
-default:objectClass: top
-default:objectClass: extensibleObject
-default:cn: computers
-default:schema-compat-container-group: cn=compat, $SUFFIX
-default:schema-compat-container-rdn: cn=computers
-default:schema-compat-search-base: cn=computers, cn=accounts, $SUFFIX
-default:schema-compat-search-filter: (&(macAddress=*)(fqdn=*)(objectClass=ipaHost))
-default:schema-compat-entry-rdn: cn=%first("%{fqdn}")
-default:schema-compat-entry-attribute: objectclass=device
-default:schema-compat-entry-attribute: objectclass=ieee802Device
-default:schema-compat-entry-attribute: cn=%{fqdn}
-default:schema-compat-entry-attribute: macAddress=%{macAddress}
-
-# Enable anonymous VLV browsing for Solaris
-dn: oid=2.16.840.1.113730.3.4.9,cn=features,cn=config
-only:aci: (targetattr !="aci")(version 3.0; acl "VLV Request Control"; allow (read, search, compare, proxy) userdn = "ldap:///anyone"; )
-
-dn: cn=sudoers,cn=Schema Compatibility,cn=plugins,cn=config
-only:schema-compat-entry-rdn:%ifeq("ipaEnabledFlag", "FALSE", "DISABLED", "cn=%{cn}")
-add:schema-compat-entry-attribute: sudoHost=%ifeq("hostCategory","all","ALL","%{hostMask}")
-add:schema-compat-entry-attribute: sudoRunAsUser=%%%{ipaSudoRunAsExtUserGroup}
-# Fix for #4324 (regression of #1309)
-remove:schema-compat-entry-attribute:sudoRunAsGroup=%deref("ipaSudoRunAs","cn")
-remove:schema-compat-entry-attribute:sudoRunAsUser=%{ipaSudoRunAsExtUser}
-remove:schema-compat-entry-attribute:sudoRunAsUser=%%%{ipaSudoRunAsExtUserGroup}
-remove:schema-compat-entry-attribute:sudoRunAsUser=%deref("ipaSudoRunAs","uid")
-remove:schema-compat-entry-attribute:sudoRunAsGroup=%{ipaSudoRunAsExtGroup}
-remove:schema-compat-entry-attribute:sudoRunAsGroup=%deref_f("ipaSudoRunAsGroup","(objectclass=posixGroup)","cn")
-
-# We need to add the value in a separate transaction
-dn: cn=sudoers,cn=Schema Compatibility,cn=plugins,cn=config
-add: schema-compat-entry-attribute: sudoRunAsGroup=%deref_f("ipaSudoRunAsGroup","(objectclass=posixGroup)","cn")
-add: schema-compat-entry-attribute: sudoRunAsUser=%ifeq("ipaSudoRunAsUserCategory","all","ALL","%{ipaSudoRunAsExtUser}")
-add: schema-compat-entry-attribute: sudoRunAsUser=%ifeq("ipaSudoRunAsUserCategory","all","ALL","%%%{ipaSudoRunAsExtUserGroup}")
-add: schema-compat-entry-attribute: sudoRunAsUser=%ifeq("ipaSudoRunAsUserCategory","all","ALL","%deref_f(\"ipaSudoRunAs\",\"(objectclass=posixAccount)\",\"uid\")")
-add: schema-compat-entry-attribute: sudoRunAsGroup=%ifeq("ipaSudoRunAsGroupCategory","all","ALL","%{ipaSudoRunAsExtGroup}")
-add: schema-compat-entry-attribute: sudoRunAsGroup=%ifeq("ipaSudoRunAsGroupCategory","all","ALL","%deref_f(\"ipaSudoRunAsGroup\",\"(objectclass=posixGroup)\",\"cn\")")
-remove: schema-compat-ignore-subtree: cn=changelog
-remove: schema-compat-ignore-subtree: o=ipaca
-add: schema-compat-restrict-subtree: $SUFFIX
-add: schema-compat-restrict-subtree: cn=Schema Compatibility,cn=plugins,cn=config
-add: schema-compat-ignore-subtree: cn=dna,cn=ipa,cn=etc,$SUFFIX
-add: schema-compat-ignore-subtree: cn=topology,cn=ipa,cn=etc,$SUFFIX
-
-# Change padding for host and userCategory so the pad returns the same value
-# as the original, '' or -.
-dn: cn=ng,cn=Schema Compatibility,cn=plugins,cn=config
-replace: schema-compat-entry-attribute:nisNetgroupTriple=(%link("%ifeq(\"hostCategory\",\"all\",\"\",\"%collect(\\\"%{externalHost}\\\",\\\"%deref(\\\\\\\"memberHost\\\\\\\",\\\\\\\"fqdn\\\\\\\")\\\",\\\"%deref_r(\\\\\\\"member\\\\\\\",\\\\\\\"fqdn\\\\\\\")\\\",\\\"%deref_r(\\\\\\\"memberHost\\\\\\\",\\\\\\\"member\\\\\\\",\\\\\\\"fqdn\\\\\\\")\\\")\")","-",",","%ifeq(\"userCategory\",\"all\",\"\",\"%collect(\\\"%deref(\\\\\\\"memberUser\\\\\\\",\\\\\\\"uid\\\\\\\")\\\",\\\"%deref_r(\\\\\\\"member\\\\\\\",\\\\\\\"uid\\\\\\\")\\\",\\\"%deref_r(\\\\\\\"memberUser\\\\\\\",\\\\\\\"member\\\\\\\",\\\\\\\"uid\\\\\\\")\\\")\")","-"),%{nisDomainName:-})::nisNetgroupTriple=(%link("%ifeq(\"hostCategory\",\"all\",\"\",\"%collect(\\\"%{externalHost}\\\",\\\"%deref(\\\\\\\"memberHost\\\\\\\",\\\\\\\"fqdn\\\\\\\")\\\",\\\"%deref_r(\\\\\\\"member\\\\\\\",\\\\\\\"fqdn\\\\\\\")\\\",\\\"%deref_r(\\\\\\\"memberHost\\\\\\\",\\\\\\\"member\\\\\\\",\\\\\\\"fqdn\\\\\\\")\\\")\")","%ifeq(\"hostCategory\",\"all\",\"\",\"-\")",",","%ifeq(\"userCategory\",\"all\",\"\",\"%collect(\\\"%deref(\\\\\\\"memberUser\\\\\\\",\\\\\\\"uid\\\\\\\")\\\",\\\"%deref_r(\\\\\\\"member\\\\\\\",\\\\\\\"uid\\\\\\\")\\\",\\\"%deref_r(\\\\\\\"memberUser\\\\\\\",\\\\\\\"member\\\\\\\",\\\\\\\"uid\\\\\\\")\\\")\")","%ifeq(\"userCategory\",\"all\",\"\",\"-\")"),%{nisDomainName:-})
-remove: schema-compat-ignore-subtree: cn=changelog
-remove: schema-compat-ignore-subtree: o=ipaca
-add: schema-compat-restrict-subtree: $SUFFIX
-add: schema-compat-restrict-subtree: cn=Schema Compatibility,cn=plugins,cn=config
-add: schema-compat-ignore-subtree: cn=dna,cn=ipa,cn=etc,$SUFFIX
-add: schema-compat-ignore-subtree: cn=topology,cn=ipa,cn=etc,$SUFFIX
-
-dn: cn=computers, cn=Schema Compatibility, cn=plugins, cn=config
-default:objectClass: top
-default:objectClass: extensibleObject
-default:cn: computers
-default:schema-compat-container-group: cn=compat, $SUFFIX
-default:schema-compat-container-rdn: cn=computers
-default:schema-compat-search-base: cn=computers, cn=accounts, $SUFFIX
-default:schema-compat-search-filter: (&(macAddress=*)(fqdn=*)(objectClass=ipaHost))
-default:schema-compat-entry-rdn: cn=%first("%{fqdn}")
-default:schema-compat-entry-attribute: objectclass=device
-default:schema-compat-entry-attribute: objectclass=ieee802Device
-default:schema-compat-entry-attribute: cn=%{fqdn}
-default:schema-compat-entry-attribute: macAddress=%{macAddress}
-remove: schema-compat-ignore-subtree: cn=changelog
-remove: schema-compat-ignore-subtree: o=ipaca
-add: schema-compat-restrict-subtree: $SUFFIX
-add: schema-compat-restrict-subtree: cn=Schema Compatibility,cn=plugins,cn=config
-add: schema-compat-ignore-subtree: cn=dna,cn=ipa,cn=etc,$SUFFIX
-add: schema-compat-ignore-subtree: cn=topology,cn=ipa,cn=etc,$SUFFIX
-
-dn: cn=sudoers,cn=Schema Compatibility,cn=plugins,cn=config
-add:schema-compat-entry-attribute: sudoOrder=%{sudoOrder}
-
-dn: cn=users,cn=Schema Compatibility,cn=plugins,cn=config
-remove: schema-compat-ignore-subtree: cn=changelog
-remove: schema-compat-ignore-subtree: o=ipaca
-add: schema-compat-restrict-subtree: $SUFFIX
-add: schema-compat-restrict-subtree: cn=Schema Compatibility,cn=plugins,cn=config
-add: schema-compat-ignore-subtree: cn=dna,cn=ipa,cn=etc,$SUFFIX
-add: schema-compat-ignore-subtree: cn=topology,cn=ipa,cn=etc,$SUFFIX
-
-dn: cn=groups,cn=Schema Compatibility,cn=plugins,cn=config
-remove: schema-compat-ignore-subtree: cn=changelog
-remove: schema-compat-ignore-subtree: o=ipaca
-add: schema-compat-restrict-subtree: $SUFFIX
-add: schema-compat-restrict-subtree: cn=Schema Compatibility,cn=plugins,cn=config
-add: schema-compat-ignore-subtree: cn=dna,cn=ipa,cn=etc,$SUFFIX
-add: schema-compat-ignore-subtree: cn=topology,cn=ipa,cn=etc,$SUFFIX
-
-dn: cn=Schema Compatibility,cn=plugins,cn=config
-# We need to run schema-compat pre-bind callback before
-# other IPA pre-bind callbacks to make sure bind DN is
-# rewritten to the original entry if needed
-add:nsslapd-pluginprecedence: 40
-
-dn: cn=users,cn=Schema Compatibility,cn=plugins,cn=config
-add:schema-compat-entry-attribute: %ifeq("ipauniqueid","%{ipauniqueid}","objectclass=ipaOverrideTarget","")
-add:schema-compat-entry-attribute: %ifeq("ipauniqueid","%{ipauniqueid}","ipaanchoruuid=:IPA:$DOMAIN:%{ipauniqueid}","")
-add:schema-compat-entry-attribute: ipaanchoruuid=%{ipaanchoruuid}
-add:schema-compat-entry-attribute: %ifeq("ipaanchoruuid","%{ipaanchoruuid}","objectclass=ipaOverrideTarget","")
-
-dn: cn=groups,cn=Schema Compatibility,cn=plugins,cn=config
-add:schema-compat-entry-attribute: %ifeq("ipauniqueid","%{ipauniqueid}","objectclass=ipaOverrideTarget","")
-add:schema-compat-entry-attribute: %ifeq("ipauniqueid","%{ipauniqueid}","ipaanchoruuid=:IPA:$DOMAIN:%{ipauniqueid}","")
-add:schema-compat-entry-attribute: ipaanchoruuid=%{ipaanchoruuid}
-add:schema-compat-entry-attribute: %ifeq("ipaanchoruuid","%{ipaanchoruuid}","objectclass=ipaOverrideTarget","")
-
-dn: cn=users,cn=Schema Compatibility,cn=plugins,cn=config
-add:schema-compat-entry-attribute: uid=%{uid}
-replace:schema-compat-entry-rdn: uid=%{uid}::uid=%first("%{uid}")

install/updates/90-post_upgrade_plugins.update

@@ -3,34 +3,22 @@
 
 # middle
 plugin: update_ca_topology
-plugin: update_ipaconfigstring_dnsversion_to_ipadnsversion
 plugin: update_dnszones
 plugin: update_dns_limits
 plugin: update_sigden_extdom_broken_config
 plugin: update_sids
 plugin: update_default_range
 plugin: update_default_trust_view
-plugin: update_tdo_gidnumber
 plugin: update_ca_renewal_master
 plugin: update_idrange_type
 plugin: update_pacs
 plugin: update_service_principalalias
-plugin: update_fix_duplicate_cacrt_in_ldap
 plugin: update_upload_cacrt
-# update_ra_cert_store has to be executed after update_ca_renewal_master
-plugin: update_ra_cert_store
-plugin: update_mapping_Guests_to_nobody
 
 # last
-# DNS version 1
 plugin: update_master_to_dnsforwardzones
-# DNS version 2
-plugin: update_dnsforward_emptyzones
 plugin: update_managed_post
 plugin: update_managed_permissions
 plugin: update_read_replication_agreements_permission
 plugin: update_idrange_baserid
 plugin: update_passync_privilege_update
-plugin: update_dnsserver_configuration_into_ldap
-plugin: update_ldap_server_list
-plugin: update_dna_shared_config

install/updates/Makefile.am

@@ -5,14 +5,13 @@ app_DATA =				\
 	05-pre_upgrade_plugins.update	\
 	10-config.update		\
 	10-enable-betxn.update		\
-	10-ipapwd.update		\
 	10-selinuxusermap.update	\
 	10-rootdse.update		\
 	10-uniqueness.update		\
+	10-schema_compat.update		\
 	19-managed-entries.update	\
 	20-aci.update			\
 	20-dna.update			\
-	20-enable_dirsrv_plugins.update	\
 	20-host_nis_groups.update	\
 	20-indices.update		\
 	20-ipaservers_hostgroup.update	\
@@ -22,17 +21,13 @@ app_DATA =				\
 	20-syncrepl.update		\
 	20-user_private_groups.update	\
 	20-winsync_index.update		\
-	20-idoverride_index.update	\
 	20-uuid.update  \
-	20-default_password_policy.update \
-	20-whoami.update	\
 	21-replicas_container.update	\
 	21-ca_renewal_container.update	\
 	21-certstore_container.update	\
 	25-referint.update		\
 	30-provisioning.update		\
 	30-s4u2proxy.update		\
-	37-locations.update		\
 	40-delegation.update		\
 	40-realm_domains.update		\
 	40-replication.update		\
@@ -42,7 +37,6 @@ app_DATA =				\
 	40-otp.update			\
 	40-vault.update			\
 	41-caacl.update			\
-	41-lightweight-cas.update	\
 	45-roles.update			\
 	50-7_bit_check.update	        \
 	50-dogtag10-migration.update	\
@@ -58,15 +52,16 @@ app_DATA =				\
 	61-trusts-s4u2proxy.update	\
 	62-ranges.update		\
 	71-idviews.update		\
-	71-idviews-sasl-mapping.update  \
 	72-domainlevels.update		\
 	73-custodia.update		\
 	73-winsync.update		\
-	73-certmap.update		\
-	80-schema_compat.update \
 	90-post_upgrade_plugins.update	\
 	$(NULL)
 
 EXTRA_DIST =				\
 	$(app_DATA)			\
 	$(NULL)
+
+MAINTAINERCLEANFILES =			\
+	*~				\
+	Makefile.in

install/updates/Makefile.in

@@ -1,7 +1,7 @@
-# Makefile.in generated by automake 1.16.1 from Makefile.am.
+# Makefile.in generated by automake 1.15 from Makefile.am.
 # @configure_input@
 
-# Copyright (C) 1994-2018 Free Software Foundation, Inc.
+# Copyright (C) 1994-2014 Free Software Foundation, Inc.
 
 # This Makefile.in is free software; the Free Software Foundation
 # gives unlimited permission to copy and/or distribute it,
@@ -86,19 +86,10 @@ POST_INSTALL = :
 NORMAL_UNINSTALL = :
 PRE_UNINSTALL = :
 POST_UNINSTALL = :
-build_triplet = @build@
-host_triplet = @host@
-subdir = install/updates
+subdir = updates
 ACLOCAL_M4 = $(top_srcdir)/aclocal.m4
-am__aclocal_m4_deps = $(top_srcdir)/m4/gettext.m4 \
-	$(top_srcdir)/m4/iconv.m4 $(top_srcdir)/m4/intlmacosx.m4 \
-	$(top_srcdir)/m4/lib-ld.m4 $(top_srcdir)/m4/lib-link.m4 \
-	$(top_srcdir)/m4/lib-prefix.m4 $(top_srcdir)/m4/libtool.m4 \
-	$(top_srcdir)/m4/ltoptions.m4 $(top_srcdir)/m4/ltsugar.m4 \
-	$(top_srcdir)/m4/ltversion.m4 $(top_srcdir)/m4/lt~obsolete.m4 \
-	$(top_srcdir)/m4/nls.m4 $(top_srcdir)/m4/po.m4 \
-	$(top_srcdir)/m4/progtest.m4 $(top_srcdir)/VERSION.m4 \
-	$(top_srcdir)/server.m4 $(top_srcdir)/configure.ac
+am__aclocal_m4_deps = $(top_srcdir)/../version.m4 \
+	$(top_srcdir)/configure.ac
 am__configure_deps = $(am__aclocal_m4_deps) $(CONFIGURE_DEPENDENCIES) \
 	$(ACLOCAL_M4)
 DIST_COMMON = $(srcdir)/Makefile.am $(am__DIST_COMMON)
@@ -160,110 +151,34 @@ DISTFILES = $(DIST_COMMON) $(DIST_SOURCES) $(TEXINFOS) $(EXTRA_DIST)
 ACLOCAL = @ACLOCAL@
 AMTAR = @AMTAR@
 AM_DEFAULT_VERBOSITY = @AM_DEFAULT_VERBOSITY@
-API_VERSION = @API_VERSION@
-AR = @AR@
 AUTOCONF = @AUTOCONF@
 AUTOHEADER = @AUTOHEADER@
 AUTOMAKE = @AUTOMAKE@
 AWK = @AWK@
-CC = @CC@
-CCDEPMODE = @CCDEPMODE@
-CFLAGS = @CFLAGS@
-CMOCKA_CFLAGS = @CMOCKA_CFLAGS@
-CMOCKA_LIBS = @CMOCKA_LIBS@
-CONFIG_STATUS = @CONFIG_STATUS@
-CPP = @CPP@
-CPPFLAGS = @CPPFLAGS@
-CRYPTO_CFLAGS = @CRYPTO_CFLAGS@
-CRYPTO_LIBS = @CRYPTO_LIBS@
 CYGPATH_W = @CYGPATH_W@
-DATA_VERSION = @DATA_VERSION@
 DEFS = @DEFS@
-DEPDIR = @DEPDIR@
-DIRSRV_CFLAGS = @DIRSRV_CFLAGS@
-DIRSRV_LIBS = @DIRSRV_LIBS@
-DLLTOOL = @DLLTOOL@
-DSYMUTIL = @DSYMUTIL@
-DUMPBIN = @DUMPBIN@
 ECHO_C = @ECHO_C@
 ECHO_N = @ECHO_N@
 ECHO_T = @ECHO_T@
-EGREP = @EGREP@
-EXEEXT = @EXEEXT@
-FGREP = @FGREP@
 GETTEXT_DOMAIN = @GETTEXT_DOMAIN@
-GETTEXT_MACRO_VERSION = @GETTEXT_MACRO_VERSION@
-GIT_BRANCH = @GIT_BRANCH@
-GIT_VERSION = @GIT_VERSION@
-GMSGFMT = @GMSGFMT@
-GMSGFMT_015 = @GMSGFMT_015@
-GREP = @GREP@
-INI_CFLAGS = @INI_CFLAGS@
-INI_LIBS = @INI_LIBS@
 INSTALL = @INSTALL@
 INSTALL_DATA = @INSTALL_DATA@
 INSTALL_PROGRAM = @INSTALL_PROGRAM@
 INSTALL_SCRIPT = @INSTALL_SCRIPT@
 INSTALL_STRIP_PROGRAM = @INSTALL_STRIP_PROGRAM@
-INTLLIBS = @INTLLIBS@
-INTL_MACOSX_LIBS = @INTL_MACOSX_LIBS@
-IPAPLATFORM = @IPAPLATFORM@
 IPA_DATA_DIR = @IPA_DATA_DIR@
 IPA_SYSCONF_DIR = @IPA_SYSCONF_DIR@
-JSLINT = @JSLINT@
-KRAD_LIBS = @KRAD_LIBS@
-KRB5KDC_SERVICE = @KRB5KDC_SERVICE@
-KRB5_CFLAGS = @KRB5_CFLAGS@
-KRB5_LIBS = @KRB5_LIBS@
-LD = @LD@
-LDAP_CFLAGS = @LDAP_CFLAGS@
-LDAP_LIBS = @LDAP_LIBS@
-LDFLAGS = @LDFLAGS@
-LIBICONV = @LIBICONV@
-LIBINTL = @LIBINTL@
-LIBINTL_LIBS = @LIBINTL_LIBS@
 LIBOBJS = @LIBOBJS@
-LIBPDB_NAME = @LIBPDB_NAME@
 LIBS = @LIBS@
-LIBTOOL = @LIBTOOL@
-LIBVERTO_CFLAGS = @LIBVERTO_CFLAGS@
-LIBVERTO_LIBS = @LIBVERTO_LIBS@
-LIPO = @LIPO@
-LN_S = @LN_S@
-LTLIBICONV = @LTLIBICONV@
-LTLIBINTL = @LTLIBINTL@
 LTLIBOBJS = @LTLIBOBJS@
-LT_SYS_LIBRARY_PATH = @LT_SYS_LIBRARY_PATH@
+MAINT = @MAINT@
 MAKEINFO = @MAKEINFO@
-MANIFEST_TOOL = @MANIFEST_TOOL@
 MKDIR_P = @MKDIR_P@
-MK_ASSIGN = @MK_ASSIGN@
-MK_ELSE = @MK_ELSE@
-MK_ENDIF = @MK_ENDIF@
-MK_IFEQ = @MK_IFEQ@
 MSGATTRIB = @MSGATTRIB@
+MSGCMP = @MSGCMP@
 MSGFMT = @MSGFMT@
-MSGFMT_015 = @MSGFMT_015@
+MSGINIT = @MSGINIT@
 MSGMERGE = @MSGMERGE@
-NAMED_GROUP = @NAMED_GROUP@
-NDRNBT_CFLAGS = @NDRNBT_CFLAGS@
-NDRNBT_LIBS = @NDRNBT_LIBS@
-NDRPAC_CFLAGS = @NDRPAC_CFLAGS@
-NDRPAC_LIBS = @NDRPAC_LIBS@
-NDR_CFLAGS = @NDR_CFLAGS@
-NDR_LIBS = @NDR_LIBS@
-NM = @NM@
-NMEDIT = @NMEDIT@
-NSPR_CFLAGS = @NSPR_CFLAGS@
-NSPR_LIBS = @NSPR_LIBS@
-NSS_CFLAGS = @NSS_CFLAGS@
-NSS_LIBS = @NSS_LIBS@
-NUM_VERSION = @NUM_VERSION@
-OBJDUMP = @OBJDUMP@
-OBJEXT = @OBJEXT@
-ODS_USER = @ODS_USER@
-OTOOL = @OTOOL@
-OTOOL64 = @OTOOL64@
 PACKAGE = @PACKAGE@
 PACKAGE_BUGREPORT = @PACKAGE_BUGREPORT@
 PACKAGE_NAME = @PACKAGE_NAME@
@@ -272,89 +187,33 @@ PACKAGE_TARNAME = @PACKAGE_TARNAME@
 PACKAGE_URL = @PACKAGE_URL@
 PACKAGE_VERSION = @PACKAGE_VERSION@
 PATH_SEPARATOR = @PATH_SEPARATOR@
-PKG_CONFIG = @PKG_CONFIG@
-PKG_CONFIG_LIBDIR = @PKG_CONFIG_LIBDIR@
-PKG_CONFIG_PATH = @PKG_CONFIG_PATH@
-PLATFORM_PYTHON = @PLATFORM_PYTHON@
-POPT_CFLAGS = @POPT_CFLAGS@
-POPT_LIBS = @POPT_LIBS@
-POSUB = @POSUB@
-PYLINT = @PYLINT@
-PYTHON = @PYTHON@
-PYTHON2 = @PYTHON2@
-PYTHON3 = @PYTHON3@
-PYTHON_EXEC_PREFIX = @PYTHON_EXEC_PREFIX@
-PYTHON_INSTALL_EXTRA_OPTIONS = @PYTHON_INSTALL_EXTRA_OPTIONS@
-PYTHON_PLATFORM = @PYTHON_PLATFORM@
-PYTHON_PREFIX = @PYTHON_PREFIX@
-PYTHON_VERSION = @PYTHON_VERSION@
-RANLIB = @RANLIB@
-SAMBA40EXTRA_LIBPATH = @SAMBA40EXTRA_LIBPATH@
-SAMBAUTIL_CFLAGS = @SAMBAUTIL_CFLAGS@
-SAMBAUTIL_LIBS = @SAMBAUTIL_LIBS@
-SASL_CFLAGS = @SASL_CFLAGS@
-SASL_LIBS = @SASL_LIBS@
 SED = @SED@
 SET_MAKE = @SET_MAKE@
 SHELL = @SHELL@
-SSSCERTMAP_CFLAGS = @SSSCERTMAP_CFLAGS@
-SSSCERTMAP_LIBS = @SSSCERTMAP_LIBS@
-SSSIDMAP_CFLAGS = @SSSIDMAP_CFLAGS@
-SSSIDMAP_LIBS = @SSSIDMAP_LIBS@
-SSSNSSIDMAP_CFLAGS = @SSSNSSIDMAP_CFLAGS@
-SSSNSSIDMAP_LIBS = @SSSNSSIDMAP_LIBS@
 STRIP = @STRIP@
-TALLOC_CFLAGS = @TALLOC_CFLAGS@
-TALLOC_LIBS = @TALLOC_LIBS@
-TEVENT_CFLAGS = @TEVENT_CFLAGS@
-TEVENT_LIBS = @TEVENT_LIBS@
-UNISTRING_LIBS = @UNISTRING_LIBS@
-UNLINK = @UNLINK@
-USE_NLS = @USE_NLS@
-UUID_CFLAGS = @UUID_CFLAGS@
-UUID_LIBS = @UUID_LIBS@
-VENDOR_SUFFIX = @VENDOR_SUFFIX@
+TX = @TX@
 VERSION = @VERSION@
 XGETTEXT = @XGETTEXT@
-XGETTEXT_015 = @XGETTEXT_015@
-XGETTEXT_EXTRA_OPTIONS = @XGETTEXT_EXTRA_OPTIONS@
-XMLRPC_CFLAGS = @XMLRPC_CFLAGS@
-XMLRPC_LIBS = @XMLRPC_LIBS@
 abs_builddir = @abs_builddir@
 abs_srcdir = @abs_srcdir@
 abs_top_builddir = @abs_top_builddir@
 abs_top_srcdir = @abs_top_srcdir@
-ac_ct_AR = @ac_ct_AR@
-ac_ct_CC = @ac_ct_CC@
-ac_ct_DUMPBIN = @ac_ct_DUMPBIN@
-am__include = @am__include@
 am__leading_dot = @am__leading_dot@
-am__quote = @am__quote@
 am__tar = @am__tar@
 am__untar = @am__untar@
 bindir = @bindir@
-build = @build@
 build_alias = @build_alias@
-build_cpu = @build_cpu@
-build_os = @build_os@
-build_vendor = @build_vendor@
 builddir = @builddir@
 datadir = @datadir@
 datarootdir = @datarootdir@
 docdir = @docdir@
 dvidir = @dvidir@
 exec_prefix = @exec_prefix@
-host = @host@
 host_alias = @host_alias@
-host_cpu = @host_cpu@
-host_os = @host_os@
-host_vendor = @host_vendor@
 htmldir = @htmldir@
-i18ntests = @i18ntests@
 includedir = @includedir@
 infodir = @infodir@
 install_sh = @install_sh@
-krb5rundir = @krb5rundir@
 libdir = @libdir@
 libexecdir = @libexecdir@
 localedir = @localedir@
@@ -363,20 +222,13 @@ mandir = @mandir@
 mkdir_p = @mkdir_p@
 oldincludedir = @oldincludedir@
 pdfdir = @pdfdir@
-pkgpyexecdir = @pkgpyexecdir@
-pkgpythondir = @pkgpythondir@
 prefix = @prefix@
 program_transform_name = @program_transform_name@
 psdir = @psdir@
-pyexecdir = @pyexecdir@
-pythondir = @pythondir@
 sbindir = @sbindir@
 sharedstatedir = @sharedstatedir@
 srcdir = @srcdir@
 sysconfdir = @sysconfdir@
-sysconfenvdir = @sysconfenvdir@
-systemdsystemunitdir = @systemdsystemunitdir@
-systemdtmpfilesdir = @systemdtmpfilesdir@
 target_alias = @target_alias@
 top_build_prefix = @top_build_prefix@
 top_builddir = @top_builddir@
@@ -387,14 +239,13 @@ app_DATA = \
 	05-pre_upgrade_plugins.update	\
 	10-config.update		\
 	10-enable-betxn.update		\
-	10-ipapwd.update		\
 	10-selinuxusermap.update	\
 	10-rootdse.update		\
 	10-uniqueness.update		\
+	10-schema_compat.update		\
 	19-managed-entries.update	\
 	20-aci.update			\
 	20-dna.update			\
-	20-enable_dirsrv_plugins.update	\
 	20-host_nis_groups.update	\
 	20-indices.update		\
 	20-ipaservers_hostgroup.update	\
@@ -404,17 +255,13 @@ app_DATA = \
 	20-syncrepl.update		\
 	20-user_private_groups.update	\
 	20-winsync_index.update		\
-	20-idoverride_index.update	\
 	20-uuid.update  \
-	20-default_password_policy.update \
-	20-whoami.update	\
 	21-replicas_container.update	\
 	21-ca_renewal_container.update	\
 	21-certstore_container.update	\
 	25-referint.update		\
 	30-provisioning.update		\
 	30-s4u2proxy.update		\
-	37-locations.update		\
 	40-delegation.update		\
 	40-realm_domains.update		\
 	40-replication.update		\
@@ -424,7 +271,6 @@ app_DATA = \
 	40-otp.update			\
 	40-vault.update			\
 	41-caacl.update			\
-	41-lightweight-cas.update	\
 	45-roles.update			\
 	50-7_bit_check.update	        \
 	50-dogtag10-migration.update	\
@@ -440,12 +286,9 @@ app_DATA = \
 	61-trusts-s4u2proxy.update	\
 	62-ranges.update		\
 	71-idviews.update		\
-	71-idviews-sasl-mapping.update  \
 	72-domainlevels.update		\
 	73-custodia.update		\
 	73-winsync.update		\
-	73-certmap.update		\
-	80-schema_compat.update \
 	90-post_upgrade_plugins.update	\
 	$(NULL)
 
@@ -453,10 +296,14 @@ EXTRA_DIST = \
 	$(app_DATA)			\
 	$(NULL)
 
+MAINTAINERCLEANFILES = \
+	*~				\
+	Makefile.in
+
 all: all-am
 
 .SUFFIXES:
-$(srcdir)/Makefile.in:  $(srcdir)/Makefile.am  $(am__configure_deps)
+$(srcdir)/Makefile.in: @MAINTAINER_MODE_TRUE@ $(srcdir)/Makefile.am  $(am__configure_deps)
 	@for dep in $?; do \
 	  case '$(am__configure_deps)' in \
 	    *$$dep*) \
@@ -465,32 +312,26 @@ $(srcdir)/Makefile.in:  $(srcdir)/Makefile.am  $(am__configure_deps)
 	      exit 1;; \
 	  esac; \
 	done; \
-	echo ' cd $(top_srcdir) && $(AUTOMAKE) --foreign install/updates/Makefile'; \
+	echo ' cd $(top_srcdir) && $(AUTOMAKE) --foreign updates/Makefile'; \
 	$(am__cd) $(top_srcdir) && \
-	  $(AUTOMAKE) --foreign install/updates/Makefile
+	  $(AUTOMAKE) --foreign updates/Makefile
 Makefile: $(srcdir)/Makefile.in $(top_builddir)/config.status
 	@case '$?' in \
 	  *config.status*) \
 	    cd $(top_builddir) && $(MAKE) $(AM_MAKEFLAGS) am--refresh;; \
 	  *) \
-	    echo ' cd $(top_builddir) && $(SHELL) ./config.status $(subdir)/$@ $(am__maybe_remake_depfiles)'; \
-	    cd $(top_builddir) && $(SHELL) ./config.status $(subdir)/$@ $(am__maybe_remake_depfiles);; \
+	    echo ' cd $(top_builddir) && $(SHELL) ./config.status $(subdir)/$@ $(am__depfiles_maybe)'; \
+	    cd $(top_builddir) && $(SHELL) ./config.status $(subdir)/$@ $(am__depfiles_maybe);; \
 	esac;
 
 $(top_builddir)/config.status: $(top_srcdir)/configure $(CONFIG_STATUS_DEPENDENCIES)
 	cd $(top_builddir) && $(MAKE) $(AM_MAKEFLAGS) am--refresh
 
-$(top_srcdir)/configure:  $(am__configure_deps)
+$(top_srcdir)/configure: @MAINTAINER_MODE_TRUE@ $(am__configure_deps)
 	cd $(top_builddir) && $(MAKE) $(AM_MAKEFLAGS) am--refresh
-$(ACLOCAL_M4):  $(am__aclocal_m4_deps)
+$(ACLOCAL_M4): @MAINTAINER_MODE_TRUE@ $(am__aclocal_m4_deps)
 	cd $(top_builddir) && $(MAKE) $(AM_MAKEFLAGS) am--refresh
 $(am__aclocal_m4_deps):
-
-mostlyclean-libtool:
-	-rm -f *.lo
-
-clean-libtool:
-	-rm -rf .libs _libs
 install-appDATA: $(app_DATA)
 	@$(NORMAL_INSTALL)
 	@list='$(app_DATA)'; test -n "$(appdir)" || list=; \
@@ -519,10 +360,7 @@ ctags CTAGS:
 cscope cscopelist:
 
 
-distdir: $(BUILT_SOURCES)
-	$(MAKE) $(AM_MAKEFLAGS) distdir-am
-
-distdir-am: $(DISTFILES)
+distdir: $(DISTFILES)
 	@srcdirstrip=`echo "$(srcdir)" | sed 's/[].[^$$\\*]/\\\\&/g'`; \
 	topsrcdirstrip=`echo "$(top_srcdir)" | sed 's/[].[^$$\\*]/\\\\&/g'`; \
 	list='$(DISTFILES)'; \
@@ -589,9 +427,10 @@ distclean-generic:
 maintainer-clean-generic:
 	@echo "This command is intended for maintainers to use"
 	@echo "it deletes files that may require special tools to rebuild."
+	-test -z "$(MAINTAINERCLEANFILES)" || rm -f $(MAINTAINERCLEANFILES)
 clean: clean-am
 
-clean-am: clean-generic clean-libtool mostlyclean-am
+clean-am: clean-generic mostlyclean-am
 
 distclean: distclean-am
 	-rm -f Makefile
@@ -643,7 +482,7 @@ maintainer-clean-am: distclean-am maintainer-clean-generic
 
 mostlyclean: mostlyclean-am
 
-mostlyclean-am: mostlyclean-generic mostlyclean-libtool
+mostlyclean-am: mostlyclean-generic
 
 pdf: pdf-am
 
@@ -657,18 +496,17 @@ uninstall-am: uninstall-appDATA
 
 .MAKE: install-am install-strip
 
-.PHONY: all all-am check check-am clean clean-generic clean-libtool \
-	cscopelist-am ctags-am distclean distclean-generic \
-	distclean-libtool distdir dvi dvi-am html html-am info info-am \
-	install install-am install-appDATA install-data \
-	install-data-am install-dvi install-dvi-am install-exec \
-	install-exec-am install-html install-html-am install-info \
-	install-info-am install-man install-pdf install-pdf-am \
-	install-ps install-ps-am install-strip installcheck \
-	installcheck-am installdirs maintainer-clean \
-	maintainer-clean-generic mostlyclean mostlyclean-generic \
-	mostlyclean-libtool pdf pdf-am ps ps-am tags-am uninstall \
-	uninstall-am uninstall-appDATA
+.PHONY: all all-am check check-am clean clean-generic cscopelist-am \
+	ctags-am distclean distclean-generic distdir dvi dvi-am html \
+	html-am info info-am install install-am install-appDATA \
+	install-data install-data-am install-dvi install-dvi-am \
+	install-exec install-exec-am install-html install-html-am \
+	install-info install-info-am install-man install-pdf \
+	install-pdf-am install-ps install-ps-am install-strip \
+	installcheck installcheck-am installdirs maintainer-clean \
+	maintainer-clean-generic mostlyclean mostlyclean-generic pdf \
+	pdf-am ps ps-am tags-am uninstall uninstall-am \
+	uninstall-appDATA
 
 .PRECIOUS: Makefile