Imported Debian patch 4.8.10-2

install/share/60basev2.ldif

@@ -2,6 +2,7 @@
 ##
 ## Attributes:		2.16.840.1.113730.3.8.3 - V2 base attributres
 ## ObjectClasses:	2.16.840.1.113730.3.8.4 - V2 base objectclasses
+## Attributes:		2.16.840.1.113730.3.8.23 - V4 base attributes
 ##
 dn: cn=schema
 attributeTypes: (2.16.840.1.113730.3.8.3.1 NAME 'ipaUniqueID' DESC 'Unique identifier' EQUALITY caseIgnoreMatch ORDERING caseIgnoreOrderingMatch SYNTAX 1.3.6.1.4.1.1466.115.121.1.15 X-ORIGIN 'IPA v2' )
@@ -21,8 +22,10 @@ objectClasses: (2.16.840.1.113730.3.8.4.14 NAME 'ipaEntitlement' DESC 'IPA Entit
 objectClasses: (2.16.840.1.113730.3.8.4.15 NAME 'ipaPermission' DESC 'IPA Permission objectclass' AUXILIARY MAY ( ipaPermissionType ) X-ORIGIN 'IPA v2' )
 objectClasses: (2.16.840.1.113730.3.8.4.2 NAME 'ipaService' DESC 'IPA service objectclass' AUXILIARY MAY ( memberOf $ managedBy $ ipaKrbAuthzData) X-ORIGIN 'IPA v2' )
 objectClasses: (2.16.840.1.113730.3.8.4.3 NAME 'nestedGroup' DESC 'Group that supports nesting' SUP groupOfNames STRUCTURAL MAY memberOf X-ORIGIN 'IPA v2' )
-objectClasses: (2.16.840.1.113730.3.8.4.4 NAME 'ipaUserGroup' DESC 'IPA user group object class' SUP nestedGroup STRUCTURAL X-ORIGIN 'IPA v2' )
-objectClasses: (2.16.840.1.113730.3.8.4.5 NAME 'ipaHostGroup' DESC 'IPA host group object class' SUP nestedGroup STRUCTURAL X-ORIGIN 'IPA v2' )
+# Same for memberManager except it's actually v4 attribute
+attributeTypes: (2.16.840.1.113730.3.8.23.1 NAME 'memberManager' DESC 'DNs of entries allowed to manage group membership' SUP distinguishedName EQUALITY distinguishedNameMatch SYNTAX 1.3.6.1.4.1.1466.115.121.1.12 X-ORIGIN 'IPA v4')
+objectClasses: (2.16.840.1.113730.3.8.4.4 NAME 'ipaUserGroup' DESC 'IPA user group object class' SUP nestedGroup STRUCTURAL MAY memberManager X-ORIGIN 'IPA v2' )
+objectClasses: (2.16.840.1.113730.3.8.4.5 NAME 'ipaHostGroup' DESC 'IPA host group object class' SUP nestedGroup STRUCTURAL MAY memberManager X-ORIGIN 'IPA v2' )
 attributeTypes: (2.16.840.1.113730.3.8.3.5 NAME 'memberUser' DESC 'Reference to a principal that performs an action (usually user).' SUP distinguishedName EQUALITY distinguishedNameMatch SYNTAX 1.3.6.1.4.1.1466.115.121.1.12 X-ORIGIN 'IPA v2' )
 attributeTypes: (2.16.840.1.113730.3.8.3.6 NAME 'userCategory' DESC 'Additional classification for users' EQUALITY caseIgnoreMatch ORDERING caseIgnoreOrderingMatch SUBSTR caseIgnoreSubstringsMatch SYNTAX 1.3.6.1.4.1.1466.115.121.1.15 X-ORIGIN 'IPA v2' )
 attributeTypes: (2.16.840.1.113730.3.8.3.7 NAME 'memberHost' DESC 'Reference to a device where the operation takes place (usually host).' SUP distinguishedName EQUALITY distinguishedNameMatch SYNTAX 1.3.6.1.4.1.1466.115.121.1.12 X-ORIGIN 'IPA v2' )

install/share/60ipaconfig.ldif

@@ -43,11 +43,13 @@ attributeTypes: ( 2.16.840.1.113730.3.8.3.23 NAME 'ipaCertificateSubjectBase' SY
 attributeTypes: (2.16.840.1.113730.3.8.3.16 NAME 'ipaConfigString' DESC 'Generic configuration stirng' EQUALITY caseIgnoreMatch ORDERING caseIgnoreMatch SUBSTR caseIgnoreSubstringsMatch SYNTAX 1.3.6.1.4.1.1466.115.121.1.15 X-ORIGIN 'IPA v2' )
 attributeTypes: ( 2.16.840.1.113730.3.8.3.26 NAME 'ipaSELinuxUserMapDefault' DESC 'Default SELinux user' EQUALITY caseIgnoreMatch ORDERING caseIgnoreMatch SUBSTR caseIgnoreSubstringsMatch SYNTAX 1.3.6.1.4.1.1466.115.121.1.15 SINGLE-VALUE X-ORIGIN 'IPA v3')
 attributeTypes: ( 2.16.840.1.113730.3.8.3.27 NAME 'ipaSELinuxUserMapOrder' DESC 'Available SELinux user context ordering' EQUALITY caseIgnoreMatch ORDERING caseIgnoreMatch SUBSTR caseIgnoreSubstringsMatch SYNTAX 1.3.6.1.4.1.1466.115.121.1.15 SINGLE-VALUE X-ORIGIN 'IPA v3')
+## ipaMaxHostnameLength - maximum hostname length to allow
+attributeTypes: ( 2.16.840.1.113730.3.8.1.28 NAME 'ipaMaxHostnameLength' EQUALITY integerMatch SYNTAX 1.3.6.1.4.1.1466.115.121.1.27 SINGLE-VALUE)
 ###############################################
 ##
 ## ObjectClasses
 ##
 ## ipaGuiConfig - GUI config parameters objectclass
-objectClasses: ( 2.16.840.1.113730.3.8.2.1 NAME 'ipaGuiConfig' AUXILIARY MAY ( ipaUserSearchFields $ ipaGroupSearchFields $ ipaSearchTimeLimit $ ipaSearchRecordsLimit $ ipaCustomFields $ ipaHomesRootDir $ ipaDefaultLoginShell $ ipaDefaultPrimaryGroup $ ipaMaxUsernameLength $ ipaPwdExpAdvNotify $ ipaUserObjectClasses $ ipaGroupObjectClasses $ ipaDefaultEmailDomain $ ipaMigrationEnabled $ ipaCertificateSubjectBase $ ipaSELinuxUserMapDefault $ ipaSELinuxUserMapOrder $ ipaKrbAuthzData ) )
+objectClasses: ( 2.16.840.1.113730.3.8.2.1 NAME 'ipaGuiConfig' AUXILIARY MAY ( ipaUserSearchFields $ ipaGroupSearchFields $ ipaSearchTimeLimit $ ipaSearchRecordsLimit $ ipaCustomFields $ ipaHomesRootDir $ ipaDefaultLoginShell $ ipaDefaultPrimaryGroup $ ipaMaxUsernameLength $ ipaPwdExpAdvNotify $ ipaUserObjectClasses $ ipaGroupObjectClasses $ ipaDefaultEmailDomain $ ipaMigrationEnabled $ ipaCertificateSubjectBase $ ipaSELinuxUserMapDefault $ ipaSELinuxUserMapOrder $ ipaKrbAuthzData $ ipaMaxHostnameLength) )
 ## ipaConfigObject - Generic config strings object holder
 objectClasses: (2.16.840.1.113730.3.8.4.13 NAME 'ipaConfigObject' DESC 'generic config object for IPA' AUXILIARY MAY ( ipaConfigString ) X-ORIGIN 'IPA v2' )

install/share/60kerberos.ldif

@@ -269,6 +269,10 @@ attributetypes: ( 1.3.6.1.4.1.5322.21.2.4 NAME 'krbAllowedToDelegateTo' EQUALITY
 ##### A list of authentication indicator strings, one of which must be satisfied
 ##### to authenticate to the principal as a service.
 attributetypes: ( 2.16.840.1.113730.3.8.15.2.1 NAME 'krbPrincipalAuthInd' EQUALITY caseExactMatch SYNTAX 1.3.6.1.4.1.1466.115.121.1.15)
+##### The maximum ticket lifetime for a principal based on authentication indicator in seconds. Indicator is specified as an attribute option
+attributetypes: ( 2.16.840.1.113730.3.8.15.2.2 NAME 'krbAuthIndMaxTicketLife' EQUALITY integerMatch SYNTAX 1.3.6.1.4.1.1466.115.121.1.27)
+##### Maximum renewable lifetime for a principal's ticket based on authentication indicator in seconds. Indicator is specified as an attribute option
+attributetypes: ( 2.16.840.1.113730.3.8.15.2.3 NAME 'krbAuthIndMaxRenewableAge' EQUALITY integerMatch SYNTAX 1.3.6.1.4.1.1466.115.121.1.27)
 ########################################################################
 # 		        Object Class Definitions                       #
 ########################################################################
@@ -312,6 +316,6 @@ objectClasses: ( 2.16.840.1.113719.1.301.6.13.1 NAME 'krbAdmService' SUP ( krbSe
 objectClasses: ( 2.16.840.1.113719.1.301.6.14.1 NAME 'krbPwdPolicy' SUP top MUST ( cn ) MAY ( krbMaxPwdLife $ krbMinPwdLife $ krbPwdMinDiffChars $ krbPwdMinLength $ krbPwdHistoryLength $ krbPwdMaxFailure $ krbPwdFailureCountInterval $ krbPwdLockoutDuration $ krbPwdAttributes $ krbPwdMaxLife $ krbPwdMaxRenewableLife $ krbPwdAllowedKeysalts ) )
 ##### The krbTicketPolicyAux holds Kerberos ticket policy attributes.
 ##### This class can be attached to a principal object or realm object.
-objectClasses: ( 2.16.840.1.113719.1.301.6.16.1 NAME 'krbTicketPolicyAux' AUXILIARY MAY ( krbTicketFlags $ krbMaxTicketLife $ krbMaxRenewableAge ) )
+objectClasses: ( 2.16.840.1.113719.1.301.6.16.1 NAME 'krbTicketPolicyAux' AUXILIARY MAY ( krbTicketFlags $ krbMaxTicketLife $ krbMaxRenewableAge $ krbAuthIndMaxTicketLife $ krbAuthIndMaxRenewableAge ) )
 ##### The krbTicketPolicy object is an effective ticket policy that is associated with a realm or a principal
 objectClasses: ( 2.16.840.1.113719.1.301.6.17.1 NAME 'krbTicketPolicy' SUP top MUST ( cn ) )

install/share/73certmap.ldif

@@ -12,3 +12,6 @@ attributeTypes: (2.16.840.1.113730.3.8.22.1.5 NAME 'ipaCertMapPriority' DESC 'Ru
 objectClasses: (2.16.840.1.113730.3.8.22.2.1 NAME 'ipaCertMapConfigObject' DESC 'IPA Certificate Mapping global config options' AUXILIARY MAY ipaCertMapPromptUsername X-ORIGIN 'IPA v4.5' )
 objectClasses: (2.16.840.1.113730.3.8.22.2.2 NAME 'ipaCertMapRule' DESC 'IPA Certificate Mapping rule' SUP top STRUCTURAL MUST cn MAY ( description $ ipaCertMapMapRule $ ipaCertMapMatchRule $ associatedDomain $ ipaCertMapPriority $ ipaEnabledFlag ) X-ORIGIN 'IPA v4.5' )
 objectClasses: (2.16.840.1.113730.3.8.22.2.3 NAME 'ipaCertMapObject' DESC 'IPA Object for Certificate Mapping' AUXILIARY MAY ipaCertMapData X-ORIGIN 'IPA v4.5' )
+# altSecurityIdentities attribute is from MS-WSPP AD schema
+# we define it here to have proper indexed searches
+attributeTypes: (1.2.840.113556.1.4.867 NAME 'altSecurityIdentities' DESC 'Alt-Security-Identities' EQUALITY caseIgnoreMatch ORDERING caseIgnoreOrderingMatch SYNTAX 1.3.6.1.4.1.1466.115.121.1.15 X-ORIGIN 'MS-WSPP')

install/share/Makefile.am

@@ -39,21 +39,26 @@ dist_app_DATA =				\
 	replica-acis.ldif		\
 	replica-prevent-time-skew.ldif  \
 	ds-nfiles.ldif			\
+	ds-ipa-env.conf.template	\
 	dns.ldif			\
 	dnssec.ldif			\
 	domainlevel.ldif			\
 	kerberos.ldif			\
 	indices.ldif			\
+	bind.ipa-ext.conf.template		\
+	bind.ipa-options-ext.conf.template	\
 	bind.named.conf.template	\
 	certmap.conf.template		\
 	kdc.conf.template		\
 	kdc_extensions.template		\
 	kdc_req.conf.template		\
 	krb5.conf.template		\
+	freeipa-server.template		\
 	krb5.ini.template		\
 	krb.con.template		\
 	krbrealm.con.template		\
 	smb.conf.template		\
+	smb.conf.registry.template		\
 	smb.conf.empty			\
 	referint-conf.ldif		\
 	dna.ldif			\
@@ -65,7 +70,6 @@ dist_app_DATA =				\
 	opendnssec_conf.template	\
 	opendnssec_kasp.template	\
 	unique-attributes.ldif		\
-	ldapi.ldif			\
 	wsgi.py				\
 	repoint-managed-entries.ldif	\
 	managed-entries.ldif		\
@@ -76,6 +80,7 @@ dist_app_DATA =				\
 	modrdn-krbprinc.ldif		\
 	entryusn.ldif			\
 	root-autobind.ldif		\
+	pw-logging-conf.ldif	\
 	sudobind.ldif			\
 	automember.ldif			\
 	replica-automember.ldif		\
@@ -94,6 +99,10 @@ dist_app_DATA =				\
 	ipa-kdc-proxy.conf.template	\
 	ipa-pki-proxy.conf.template	\
 	ipa-rewrite.conf.template	\
+	ipaca_default.ini		\
+	ipaca_customize.ini		\
+	ipaca_softhsm2.ini		\
+	ldbm-tuning.ldif		\
 	$(NULL)
 
 kdcproxyconfdir = $(IPA_SYSCONF_DIR)/kdcproxy

install/share/Makefile.in

@@ -1,7 +1,7 @@
-# Makefile.in generated by automake 1.16.1 from Makefile.am.
+# Makefile.in generated by automake 1.16.2 from Makefile.am.
 # @configure_input@
 
-# Copyright (C) 1994-2018 Free Software Foundation, Inc.
+# Copyright (C) 1994-2020 Free Software Foundation, Inc.
 
 # This Makefile.in is free software; the Free Software Foundation
 # gives unlimited permission to copy and/or distribute it,
@@ -275,6 +275,8 @@ JSLINT = @JSLINT@
 KRAD_LIBS = @KRAD_LIBS@
 KRB5KDC_SERVICE = @KRB5KDC_SERVICE@
 KRB5_CFLAGS = @KRB5_CFLAGS@
+KRB5_GSSAPI_CFLAGS = @KRB5_GSSAPI_CFLAGS@
+KRB5_GSSAPI_LIBS = @KRB5_GSSAPI_LIBS@
 KRB5_LIBS = @KRB5_LIBS@
 LD = @LD@
 LDAP_CFLAGS = @LDAP_CFLAGS@
@@ -317,11 +319,10 @@ NM = @NM@
 NMEDIT = @NMEDIT@
 NSPR_CFLAGS = @NSPR_CFLAGS@
 NSPR_LIBS = @NSPR_LIBS@
-NSS_CFLAGS = @NSS_CFLAGS@
-NSS_LIBS = @NSS_LIBS@
 NUM_VERSION = @NUM_VERSION@
 OBJDUMP = @OBJDUMP@
 OBJEXT = @OBJEXT@
+ODS_GROUP = @ODS_GROUP@
 ODS_USER = @ODS_USER@
 OTOOL = @OTOOL@
 OTOOL64 = @OTOOL64@
@@ -342,8 +343,6 @@ POPT_LIBS = @POPT_LIBS@
 POSUB = @POSUB@
 PYLINT = @PYLINT@
 PYTHON = @PYTHON@
-PYTHON2 = @PYTHON2@
-PYTHON3 = @PYTHON3@
 PYTHON_EXEC_PREFIX = @PYTHON_EXEC_PREFIX@
 PYTHON_INSTALL_EXTRA_OPTIONS = @PYTHON_INSTALL_EXTRA_OPTIONS@
 PYTHON_PLATFORM = @PYTHON_PLATFORM@
@@ -431,7 +430,9 @@ program_transform_name = @program_transform_name@
 psdir = @psdir@
 pyexecdir = @pyexecdir@
 pythondir = @pythondir@
+runstatedir = @runstatedir@
 sbindir = @sbindir@
+selinux_makefile = @selinux_makefile@
 sharedstatedir = @sharedstatedir@
 srcdir = @srcdir@
 sysconfdir = @sysconfdir@
@@ -482,21 +483,26 @@ dist_app_DATA = \
 	replica-acis.ldif		\
 	replica-prevent-time-skew.ldif  \
 	ds-nfiles.ldif			\
+	ds-ipa-env.conf.template	\
 	dns.ldif			\
 	dnssec.ldif			\
 	domainlevel.ldif			\
 	kerberos.ldif			\
 	indices.ldif			\
+	bind.ipa-ext.conf.template		\
+	bind.ipa-options-ext.conf.template	\
 	bind.named.conf.template	\
 	certmap.conf.template		\
 	kdc.conf.template		\
 	kdc_extensions.template		\
 	kdc_req.conf.template		\
 	krb5.conf.template		\
+	freeipa-server.template		\
 	krb5.ini.template		\
 	krb.con.template		\
 	krbrealm.con.template		\
 	smb.conf.template		\
+	smb.conf.registry.template		\
 	smb.conf.empty			\
 	referint-conf.ldif		\
 	dna.ldif			\
@@ -508,7 +514,6 @@ dist_app_DATA = \
 	opendnssec_conf.template	\
 	opendnssec_kasp.template	\
 	unique-attributes.ldif		\
-	ldapi.ldif			\
 	wsgi.py				\
 	repoint-managed-entries.ldif	\
 	managed-entries.ldif		\
@@ -519,6 +524,7 @@ dist_app_DATA = \
 	modrdn-krbprinc.ldif		\
 	entryusn.ldif			\
 	root-autobind.ldif		\
+	pw-logging-conf.ldif	\
 	sudobind.ldif			\
 	automember.ldif			\
 	replica-automember.ldif		\
@@ -537,6 +543,10 @@ dist_app_DATA = \
 	ipa-kdc-proxy.conf.template	\
 	ipa-pki-proxy.conf.template	\
 	ipa-rewrite.conf.template	\
+	ipaca_default.ini		\
+	ipaca_customize.ini		\
+	ipaca_softhsm2.ini		\
+	ldbm-tuning.ldif		\
 	$(NULL)
 
 kdcproxyconfdir = $(IPA_SYSCONF_DIR)/kdcproxy

install/share/advise/Makefile.in

@@ -1,7 +1,7 @@
-# Makefile.in generated by automake 1.16.1 from Makefile.am.
+# Makefile.in generated by automake 1.16.2 from Makefile.am.
 # @configure_input@
 
-# Copyright (C) 1994-2018 Free Software Foundation, Inc.
+# Copyright (C) 1994-2020 Free Software Foundation, Inc.
 
 # This Makefile.in is free software; the Free Software Foundation
 # gives unlimited permission to copy and/or distribute it,
@@ -274,6 +274,8 @@ JSLINT = @JSLINT@
 KRAD_LIBS = @KRAD_LIBS@
 KRB5KDC_SERVICE = @KRB5KDC_SERVICE@
 KRB5_CFLAGS = @KRB5_CFLAGS@
+KRB5_GSSAPI_CFLAGS = @KRB5_GSSAPI_CFLAGS@
+KRB5_GSSAPI_LIBS = @KRB5_GSSAPI_LIBS@
 KRB5_LIBS = @KRB5_LIBS@
 LD = @LD@
 LDAP_CFLAGS = @LDAP_CFLAGS@
@@ -316,11 +318,10 @@ NM = @NM@
 NMEDIT = @NMEDIT@
 NSPR_CFLAGS = @NSPR_CFLAGS@
 NSPR_LIBS = @NSPR_LIBS@
-NSS_CFLAGS = @NSS_CFLAGS@
-NSS_LIBS = @NSS_LIBS@
 NUM_VERSION = @NUM_VERSION@
 OBJDUMP = @OBJDUMP@
 OBJEXT = @OBJEXT@
+ODS_GROUP = @ODS_GROUP@
 ODS_USER = @ODS_USER@
 OTOOL = @OTOOL@
 OTOOL64 = @OTOOL64@
@@ -341,8 +342,6 @@ POPT_LIBS = @POPT_LIBS@
 POSUB = @POSUB@
 PYLINT = @PYLINT@
 PYTHON = @PYTHON@
-PYTHON2 = @PYTHON2@
-PYTHON3 = @PYTHON3@
 PYTHON_EXEC_PREFIX = @PYTHON_EXEC_PREFIX@
 PYTHON_INSTALL_EXTRA_OPTIONS = @PYTHON_INSTALL_EXTRA_OPTIONS@
 PYTHON_PLATFORM = @PYTHON_PLATFORM@
@@ -430,7 +429,9 @@ program_transform_name = @program_transform_name@
 psdir = @psdir@
 pyexecdir = @pyexecdir@
 pythondir = @pythondir@
+runstatedir = @runstatedir@
 sbindir = @sbindir@
+selinux_makefile = @selinux_makefile@
 sharedstatedir = @sharedstatedir@
 srcdir = @srcdir@
 sysconfdir = @sysconfdir@

install/share/advise/legacy/Makefile.in

@@ -1,7 +1,7 @@
-# Makefile.in generated by automake 1.16.1 from Makefile.am.
+# Makefile.in generated by automake 1.16.2 from Makefile.am.
 # @configure_input@
 
-# Copyright (C) 1994-2018 Free Software Foundation, Inc.
+# Copyright (C) 1994-2020 Free Software Foundation, Inc.
 
 # This Makefile.in is free software; the Free Software Foundation
 # gives unlimited permission to copy and/or distribute it,
@@ -214,6 +214,8 @@ JSLINT = @JSLINT@
 KRAD_LIBS = @KRAD_LIBS@
 KRB5KDC_SERVICE = @KRB5KDC_SERVICE@
 KRB5_CFLAGS = @KRB5_CFLAGS@
+KRB5_GSSAPI_CFLAGS = @KRB5_GSSAPI_CFLAGS@
+KRB5_GSSAPI_LIBS = @KRB5_GSSAPI_LIBS@
 KRB5_LIBS = @KRB5_LIBS@
 LD = @LD@
 LDAP_CFLAGS = @LDAP_CFLAGS@
@@ -256,11 +258,10 @@ NM = @NM@
 NMEDIT = @NMEDIT@
 NSPR_CFLAGS = @NSPR_CFLAGS@
 NSPR_LIBS = @NSPR_LIBS@
-NSS_CFLAGS = @NSS_CFLAGS@
-NSS_LIBS = @NSS_LIBS@
 NUM_VERSION = @NUM_VERSION@
 OBJDUMP = @OBJDUMP@
 OBJEXT = @OBJEXT@
+ODS_GROUP = @ODS_GROUP@
 ODS_USER = @ODS_USER@
 OTOOL = @OTOOL@
 OTOOL64 = @OTOOL64@
@@ -281,8 +282,6 @@ POPT_LIBS = @POPT_LIBS@
 POSUB = @POSUB@
 PYLINT = @PYLINT@
 PYTHON = @PYTHON@
-PYTHON2 = @PYTHON2@
-PYTHON3 = @PYTHON3@
 PYTHON_EXEC_PREFIX = @PYTHON_EXEC_PREFIX@
 PYTHON_INSTALL_EXTRA_OPTIONS = @PYTHON_INSTALL_EXTRA_OPTIONS@
 PYTHON_PLATFORM = @PYTHON_PLATFORM@
@@ -370,7 +369,9 @@ program_transform_name = @program_transform_name@
 psdir = @psdir@
 pyexecdir = @pyexecdir@
 pythondir = @pythondir@
+runstatedir = @runstatedir@
 sbindir = @sbindir@
+selinux_makefile = @selinux_makefile@
 sharedstatedir = @sharedstatedir@
 srcdir = @srcdir@
 sysconfdir = @sysconfdir@

install/share/bind.ipa-ext.conf.template

@@ -0,0 +1,16 @@
+/* User customization for BIND named
+ *
+ * This file is included in $NAMED_CONF and is not modified during IPA
+ * upgrades.
+ *
+ * "options" settings must be configured in $NAMED_CUSTOM_OPTIONS_CONF.
+ *
+ * Example: ACL for recursion access:
+ *
+ * acl "trusted_network" {
+ *   localnets;
+ *   localhost;
+ *   234.234.234.0/24;
+ *   2001::co:ffee:babe:1/48;
+ * };
+ */

install/share/bind.ipa-options-ext.conf.template

@@ -0,0 +1,18 @@
+/* User customization for BIND named
+ *
+ * This file is included in $NAMED_CONF and is not modified during IPA
+ * upgrades.
+ *
+ * It must only contain "options" settings. Any other setting must be
+ * configured in $NAMED_CUSTOM_CONF.
+ *
+ * Examples:
+ * allow-recursion { trusted_network; };
+ * allow-query-cache { trusted_network; };
+ */
+
+/* turns on IPv6 for port 53, IPv4 is on by default for all ifaces */
+listen-on-v6 { any; };
+
+/* dnssec-enable is obsolete and 'yes' by default */
+dnssec-validation $NAMED_DNSSEC_VALIDATION;

install/share/bind.named.conf.template

@@ -1,27 +1,28 @@
-options {
-	// turns on IPv6 for port 53, IPv4 is on by default for all ifaces
-	listen-on-v6 {any;};
+/* WARNING: This config file is managed by IPA.
+ *
+ * DO NOT MODIFY! Any modification will be overwritten by upgrades.
+ *
+ *
+ * - $NAMED_CUSTOM_OPTIONS_CONF (for options)
+ * - $NAMED_CUSTOM_CONF (all other settings)
+ */
 
+options {
 	// Put files that named is allowed to write in the data/ directory:
 	directory "$NAMED_VAR_DIR"; // the default
 	dump-file		"${NAMED_DATA_DIR}cache_dump.db";
 	statistics-file		"${NAMED_DATA_DIR}named_stats.txt";
 	memstatistics-file	"${NAMED_DATA_DIR}named_mem_stats.txt";
 
-	// Any host is permitted to issue recursive queries
-	allow-recursion { any; };
-
 	tkey-gssapi-keytab "$NAMED_KEYTAB";
+
 	pid-file "$NAMED_PID";
 
-	dnssec-enable yes;
-	dnssec-validation yes;
-
-	/* Path to ISC DLV key */
-	bindkeys-file "$BINDKEYS_FILE";
-
 	managed-keys-directory "$MANAGED_KEYS_DIR";
 
+	/* user customizations of options */
+	include "$NAMED_CUSTOM_OPTIONS_CONF";
+
 	/* crypto policy snippet on platforms with system-wide policy. */
 	$INCLUDE_CRYPTO_POLICY
 };
@@ -46,15 +47,14 @@ ${NAMED_ZONE_COMMENT}};
 include "$RFC1912_ZONES";
 include "$ROOT_KEY";
 
-/* WARNING: This part of the config file is IPA-managed.
- * Modifications may break IPA setup or upgrades.
- */
+/* user customization */
+include "$NAMED_CUSTOM_CONF";
+
 dyndb "ipa" "$BIND_LDAP_SO" {
 	uri "ldapi://%2fvar%2frun%2fslapd-$SERVER_ID.socket";
-	base "cn=dns, $SUFFIX";
+	base "cn=dns,$SUFFIX";
 	server_id "$FQDN";
 	auth_method "sasl";
 	sasl_mech "GSSAPI";
 	sasl_user "DNS/$FQDN";
 };
-/* End of IPA-managed part. */

install/share/bootstrap-template.ldif

@@ -34,6 +34,12 @@ objectClass: top
 objectClass: nsContainer
 cn: hostgroups
 
+dn: cn=ipservices,cn=accounts,$SUFFIX
+changetype: add
+objectClass: top
+objectClass: nsContainer
+cn: ipservices
+
 dn: cn=alt,$SUFFIX
 changetype: add
 objectClass: nsContainer
@@ -226,12 +232,13 @@ objectClass: ipaobject
 objectClass: ipasshuser
 uid: admin
 krbPrincipalName: admin@$REALM
+krbPrincipalName: root@$REALM
 cn: Administrator
 sn: Administrator
 uidNumber: $IDSTART
 gidNumber: $IDSTART
 homeDirectory: /home/admin
-loginShell: /bin/bash
+loginShell: $DEFAULT_ADMIN_SHELL
 gecos: Administrator
 nsAccountLock: FALSE
 ipaUniqueID: autogenerate
@@ -340,6 +347,14 @@ cn: sudo-i
 description: sudo-i
 ipauniqueid:autogenerate
 
+dn: cn=systemd-user,cn=hbacservices,cn=hbac,$SUFFIX
+changetype: add
+objectclass: ipahbacservice
+objectclass: ipaobject
+cn: systemd-user
+description: pam_systemd and systemd user@.service
+ipauniqueid:autogenerate
+
 dn: cn=gdm,cn=hbacservices,cn=hbac,$SUFFIX
 changetype: add
 objectclass: ipahbacservice
@@ -388,9 +403,10 @@ ipaGroupSearchFields: cn,description
 ipaSearchTimeLimit: 2
 ipaSearchRecordsLimit: 100
 ipaHomesRootDir: /home
-ipaDefaultLoginShell: /bin/sh
+ipaDefaultLoginShell: $DEFAULT_SHELL
 ipaDefaultPrimaryGroup: ipausers
 ipaMaxUsernameLength: 32
+ipaMaxHostnameLength: 64
 ipaPwdExpAdvNotify: 4
 ipaGroupObjectClasses: top
 ipaGroupObjectClasses: groupofnames
@@ -411,8 +427,8 @@ ipaDefaultEmailDomain: $DOMAIN
 ipaMigrationEnabled: FALSE
 ipaConfigString: AllowNThash
 ipaConfigString: KDC:Disable Last Success
-ipaSELinuxUserMapOrder: guest_u:s0$$xguest_u:s0$$user_u:s0$$staff_u:s0-s0:c0.c1023$$sysadm_u:s0-s0:c0.c1023$$unconfined_u:s0-s0:c0.c1023
-ipaSELinuxUserMapDefault: unconfined_u:s0-s0:c0.c1023
+ipaSELinuxUserMapOrder: $SELINUX_USERMAP_ORDER
+ipaSELinuxUserMapDefault: $SELINUX_USERMAP_DEFAULT
 
 dn: cn=cosTemplates,cn=accounts,$SUFFIX
 changetype: add

install/share/default-aci.ldif

@@ -70,6 +70,19 @@ changetype: modify
 add: aci
 aci: (targetattr = "krbPrincipalKey || krbLastPwdChange")(target = "ldap:///fqdn=*,cn=computers,cn=accounts,$SUFFIX")(version 3.0;acl "Admins can manage host keytab";allow (write) groupdn = "ldap:///cn=admins,cn=groups,cn=accounts,$SUFFIX";)
 
+# Allow member managers to modify members of user groups
+dn: cn=groups,cn=accounts,$SUFFIX
+changetype: modify
+add: aci
+aci: (targetattr = "member")(targetfilter = "(objectclass=ipaUserGroup)")(version 3.0; acl "Allow member managers to modify members of user groups"; allow (write) userattr = "memberManager#USERDN" or userattr = "memberManager#GROUPDN";)
+
+# Allow member managers to modify members of a host group
+dn: cn=hostgroups,cn=accounts,$SUFFIX
+changetype: modify
+add: aci
+aci: (targetattr = "member")(targetfilter = "(objectclass=ipaHostGroup)")(version 3.0; acl "Allow member managers to modify members of host groups"; allow (write) userattr = "memberManager#USERDN" or userattr = "memberManager#GROUPDN";)
+
+
 # This is used for the host/service one-time passwordn and keytab indirectors.
 # We can do a query on a DN to see if an attribute exists.
 dn: cn=accounts,$SUFFIX

install/share/default-hbac.ldif

@@ -12,3 +12,16 @@ ipaenabledflag: TRUE
 description: Allow all users to access any host from any host
 ipauniqueid: autogenerate
 
+# default HBAC policy for pam_systemd
+dn: ipauniqueid=autogenerate,cn=hbac,$SUFFIX
+changetype: add
+objectclass: ipaassociation
+objectclass: ipahbacrule
+cn: allow_systemd-user
+accessruletype: allow
+usercategory: all
+hostcategory: all
+memberService: cn=systemd-user,cn=hbacservices,cn=hbac,$SUFFIX
+ipaenabledflag: TRUE
+description: Allow pam_systemd to run user@.service to create a system user session
+ipauniqueid: autogenerate

install/share/dns.ldif

@@ -12,6 +12,7 @@ aci: (targetattr = "*")(version 3.0; acl "Allow read access"; allow (read,search
 aci: (target = "ldap:///idnsname=*,cn=dns,$SUFFIX")(version 3.0;acl "Add DNS entries in a zone";allow (add) userattr = "parent[1].managedby#GROUPDN";)
 aci: (target = "ldap:///idnsname=*,cn=dns,$SUFFIX")(version 3.0;acl "Remove DNS entries from a zone";allow (delete) userattr = "parent[1].managedby#GROUPDN";)
 aci: (targetattr = "a6record || aaaarecord || afsdbrecord || aplrecord || arecord || certrecord || cn || cnamerecord || dhcidrecord || dlvrecord || dnamerecord || dnsclass || dnsttl || dsrecord || hinforecord || hiprecord || idnsallowdynupdate || idnsallowquery || idnsallowsyncptr || idnsallowtransfer || idnsforwarders || idnsforwardpolicy || idnsname || idnssecinlinesigning || idnssoaexpire || idnssoaminimum || idnssoamname || idnssoarefresh || idnssoaretry || idnssoarname || idnssoaserial || idnsupdatepolicy || idnszoneactive || ipseckeyrecord || keyrecord || kxrecord || locrecord || mdrecord || minforecord || mxrecord || naptrrecord || nsecrecord || nsec3paramrecord || nsrecord || nxtrecord || ptrrecord || rprecord || rrsigrecord || sigrecord || spfrecord || srvrecord || sshfprecord || tlsarecord || txtrecord || urirecord || unknownrecord ")(target = "ldap:///idnsname=*,cn=dns,$SUFFIX")(version 3.0;acl "Update DNS entries in a zone";allow (write) userattr = "parent[0,1].managedby#GROUPDN";)
+aci: (targetattr = "aaaarecord || arecord || cnamerecord || idnsname || objectclass || ptrrecord")(targetfilter = "(&(objectclass=idnsrecord)(|(aaaarecord=*)(arecord=*)(cnamerecord=*)(ptrrecord=*)(idnsZoneActive=TRUE)))")(version 3.0; acl "Allow hosts to read DNS A/AAA/CNAME/PTR records"; allow (read,search,compare) userdn = "ldap:///fqdn=*,cn=computers,cn=accounts,$SUFFIX";)
 
 dn: cn=servers,cn=dns,$SUFFIX
 changetype: add

install/share/ds-ipa-env.conf.template

@@ -0,0 +1,5 @@
+# Installed and maintained by ipa update tools, please do not modify
+
+[Service]
+Environment=KRB5_KTNAME=$KRB5_KTNAME
+Environment=KRB5CCNAME=$KRB5CCNAME

install/share/freeipa-server.template

@@ -0,0 +1,9 @@
+[plugins]
+    certauth = {
+        module = ipakdb:kdb/ipadb.so
+        enable_only = ipakdb
+    }
+    kdcpolicy = {
+        module = ipakdb:kdb/ipadb.so
+        enable_only = ipakdb
+    }

install/share/indices.ldif

@@ -6,6 +6,7 @@ cn:krbPrincipalName
 nsSystemIndex:false
 nsIndexType:eq
 nsIndexType:sub
+nsIndexType:pres
 nsMatchingRule:caseIgnoreIA5Match
 nsMatchingRule:caseExactIA5Match
 
@@ -216,6 +217,40 @@ ObjectClass: top
 ObjectClass: nsIndex
 nsSystemIndex: false
 nsIndexType: eq
+nsIndexType: pres
+
+dn: cn=automountMapName,cn=index,cn=userRoot,cn=ldbm database,cn=plugins,cn=config
+changetype: add
+cn: automountMapName
+ObjectClass: top
+ObjectClass: nsIndex
+nsSystemIndex: false
+nsIndexType: eq
+
+dn: cn=ipaConfigString,cn=index,cn=userRoot,cn=ldbm database,cn=plugins,cn=config
+changetype: add
+cn: ipaConfigString
+objectClass:top
+objectClass:nsIndex
+nsSystemIndex: false
+nsIndexType: eq
+
+dn: cn=ipaEnabledFlag,cn=index,cn=userRoot,cn=ldbm database,cn=plugins,cn=config
+changetype: add
+cn: ipaEnabledFlag
+objectClass:top
+objectClass:nsIndex
+nsSystemIndex: false
+nsIndexType: eq
+
+dn: cn=ipaKrbAuthzData,cn=index,cn=userRoot,cn=ldbm database,cn=plugins,cn=config
+changetype: add
+cn: ipaKrbAuthzData
+objectClass: top
+objectClass: nsIndex
+nsSystemIndex: false
+nsIndexType: eq
+nsIndexType: sub
 
 dn: cn=ipakrbprincipalalias,cn=index,cn=userRoot,cn=ldbm database,cn=plugins,cn=config
 changetype: add
@@ -333,3 +368,62 @@ objectClass: nsindex
 nssystemindex: false
 nsindextype: eq
 nsindextype: sub
+
+# NOTE: There is no index on ipServiceProtocol because the index would have
+# poor selectivity. An ipService entry has either 'tcp' or 'udp' as protocol.
+dn: cn=ipServicePort,cn=index,cn=userRoot,cn=ldbm database,cn=plugins,cn=config
+changetype: add
+cn: ipServicePort
+objectClass: top
+objectClass: nsIndex
+nsSystemIndex: false
+nsIndexType: eq
+
+dn: cn=accessRuleType,cn=index,cn=userRoot,cn=ldbm database,cn=plugins,cn=config
+changetype: add
+cn: accessRuleType
+objectClass:top
+objectClass:nsIndex
+nsSystemIndex: false
+nsIndexType: eq
+
+dn: cn=hostCategory,cn=index,cn=userRoot,cn=ldbm database,cn=plugins,cn=config
+changetype: add
+cn: hostCategory
+objectClass:top
+objectClass:nsIndex
+nsSystemIndex: false
+nsIndexType: eq
+
+dn: cn=idnsName,cn=index,cn=userRoot,cn=ldbm database,cn=plugins,cn=config
+changetype: add
+cn: idnsName
+objectClass: top
+objectClass: nsIndex
+nsSystemIndex: false
+nsIndexType: eq
+
+dn: cn=ipaCertmapData,cn=index,cn=userRoot,cn=ldbm database,cn=plugins,cn=config
+changetype: add
+cn: ipaCertmapData
+objectClass: top
+objectClass: nsIndex
+nsSystemIndex: false
+nsIndexType: eq
+
+dn: cn=altSecurityIdentities,cn=index,cn=userRoot,cn=ldbm database,cn=plugins,cn=config
+changetype: add
+cn: altSecurityIdentities
+objectClass: top
+objectClass: nsIndex
+nsSystemIndex: false
+nsIndexType: eq
+
+dn: cn=memberManager,cn=index,cn=userRoot,cn=ldbm database,cn=plugins,cn=config
+changetype: add
+cn: memberManager
+objectClass: top
+objectClass: nsIndex
+nsSystemIndex: false
+nsIndexType: eq
+nsIndexType: pres

install/share/ipa-pki-proxy.conf.template

@@ -1,4 +1,4 @@
-# VERSION 13 - DO NOT REMOVE THIS LINE
+# VERSION 15 - DO NOT REMOVE THIS LINE
 
 ProxyRequests Off
 
@@ -6,7 +6,7 @@ ProxyRequests Off
 <LocationMatch "^/ca/ee/ca/checkRequest|^/ca/ee/ca/getCertChain|^/ca/ee/ca/getTokenInfo|^/ca/ee/ca/tokenAuthenticate|^/ca/ocsp|^/ca/ee/ca/updateNumberRange|^/ca/ee/ca/getCRL|^/ca/ee/ca/profileSubmit">
     SSLOptions +StdEnvVars +ExportCertData +StrictRequire +OptRenegotiate
     SSLVerifyClient none
-    ProxyPassMatch ajp://localhost:$DOGTAG_PORT
+    ProxyPassMatch ajp://localhost:$DOGTAG_PORT $DOGTAG_AJP_SECRET
     ProxyPassReverse ajp://localhost:$DOGTAG_PORT
 </LocationMatch>
 
@@ -14,7 +14,7 @@ ProxyRequests Off
 <LocationMatch "^/ca/admin/ca/getCertChain|^/ca/admin/ca/getConfigEntries|^/ca/admin/ca/getCookie|^/ca/admin/ca/getStatus|^/ca/admin/ca/securityDomainLogin|^/ca/admin/ca/getDomainXML|^/ca/admin/ca/updateNumberRange|^/ca/admin/ca/tokenAuthenticate|^/ca/admin/ca/updateNumberRange|^/ca/admin/ca/updateDomainXML|^/ca/admin/ca/updateConnector|^/ca/admin/ca/getSubsystemCert|^/kra/admin/kra/updateNumberRange|^/kra/admin/kra/getConfigEntries">
     SSLOptions +StdEnvVars +ExportCertData +StrictRequire +OptRenegotiate
     SSLVerifyClient none
-    ProxyPassMatch ajp://localhost:$DOGTAG_PORT
+    ProxyPassMatch ajp://localhost:$DOGTAG_PORT $DOGTAG_AJP_SECRET
     ProxyPassReverse ajp://localhost:$DOGTAG_PORT
 </LocationMatch>
 
@@ -22,23 +22,15 @@ ProxyRequests Off
 <LocationMatch "^/ca/agent/ca/displayBySerial|^/ca/agent/ca/doRevoke|^/ca/agent/ca/doUnrevoke|^/ca/agent/ca/updateDomainXML|^/ca/eeca/ca/profileSubmitSSLClient|^/kra/agent/kra/connector">
     SSLOptions +StdEnvVars +ExportCertData +StrictRequire +OptRenegotiate
     SSLVerifyClient require
-    ProxyPassMatch ajp://localhost:$DOGTAG_PORT
+    ProxyPassMatch ajp://localhost:$DOGTAG_PORT $DOGTAG_AJP_SECRET
     ProxyPassReverse ajp://localhost:$DOGTAG_PORT
 </LocationMatch>
 
-# matches for CA REST API
-<LocationMatch "^/ca/rest/account/login|^/ca/rest/account/logout|^/ca/rest/installer/installToken|^/ca/rest/securityDomain/domainInfo|^/ca/rest/securityDomain/installToken|^/ca/rest/profiles|^/ca/rest/authorities|^/ca/rest/certrequests|^/ca/rest/admin/kraconnector/remove|^/ca/rest/certs/search">
+# matches for REST API of CA, KRA, and PKI
+<LocationMatch "^/(ca|kra|pki)/rest/">
     SSLOptions +StdEnvVars +ExportCertData +StrictRequire +OptRenegotiate
     SSLVerifyClient optional
-    ProxyPassMatch ajp://localhost:$DOGTAG_PORT
-    ProxyPassReverse ajp://localhost:$DOGTAG_PORT
-</LocationMatch>
-
-# matches for KRA REST API
-<LocationMatch "^/kra/rest/config/cert/transport|^/kra/rest/account|^/kra/rest/agent/keyrequests|^/kra/rest/agent/keys">
-    SSLOptions +StdEnvVars +ExportCertData +StrictRequire +OptRenegotiate
-    SSLVerifyClient optional
-    ProxyPassMatch ajp://localhost:$DOGTAG_PORT
+    ProxyPassMatch ajp://localhost:$DOGTAG_PORT $DOGTAG_AJP_SECRET
     ProxyPassReverse ajp://localhost:$DOGTAG_PORT
 </LocationMatch>
 

install/share/ipa.conf.template

@@ -1,5 +1,5 @@
 #
-# VERSION 30 - DO NOT REMOVE THIS LINE
+# VERSION 31 - DO NOT REMOVE THIS LINE
 #
 # This file may be overwritten on upgrades.
 #
@@ -164,7 +164,7 @@ Alias /ipa/config "/usr/share/ipa/html"
   SetHandler None
   AllowOverride None
   Satisfy Any
-  Allow from all
+  Require all granted
   ExpiresActive On
   ExpiresDefault "access plus 0 seconds"
 </Directory>
@@ -177,18 +177,18 @@ Alias /ipa/crl "$CRL_PUBLISH_PATH"
   AllowOverride None
   Options Indexes FollowSymLinks
   Satisfy Any
-  Allow from all
+  Require all granted
 </Directory>
 
 
 #  List explicitly only the fonts we want to serve
-Alias /ipa/ui/fonts/open-sans "${FONTS_DIR}/open-sans"
-Alias /ipa/ui/fonts/fontawesome "${FONTS_DIR}/fontawesome"
+Alias /ipa/ui/fonts/open-sans "${FONTS_OPENSANS_DIR}"
+Alias /ipa/ui/fonts/fontawesome "${FONTS_FONTAWESOME_DIR}"
 <Directory "${FONTS_DIR}">
   SetHandler None
   AllowOverride None
   Satisfy Any
-  Allow from all
+  Require all granted
   ExpiresActive On
   ExpiresDefault "access plus 1 year"
 </Directory>
@@ -200,7 +200,7 @@ Alias /ipa/ui "/usr/share/ipa/ui"
   SetHandler None
   AllowOverride None
   Satisfy Any
-  Allow from all
+  Require all granted
   ExpiresActive On
   ExpiresDefault "access plus 1 year"
   <FilesMatch "(index.html|loader.js|login.html|reset_password.html)">
@@ -213,7 +213,7 @@ Alias /ipa/wsgi "/usr/share/ipa/wsgi"
 <Directory "/usr/share/ipa/wsgi">
     AllowOverride None
     Satisfy Any
-    Allow from all
+    Require all granted
     Options ExecCGI
     AddHandler wsgi-script .py
 </Directory>
@@ -223,7 +223,7 @@ Alias /ipa/migration "/usr/share/ipa/migration"
 <Directory "/usr/share/ipa/migration">
     AllowOverride None
     Satisfy Any
-    Allow from all
+    Require all granted
     Options ExecCGI
     AddHandler wsgi-script .py
 </Directory>

install/share/ipaca_customize.ini

@@ -0,0 +1,119 @@
+#
+# Dogtag PKI configuration file
+#
+# Notes:
+#  - "%" must be quoted as "%%".
+#  - options in the [CA] and [KRA] section cannot be overriden from options
+#    in the [DEFAULT] section
+#  - pki_*_token options are hard-coded to pki_token_name
+#  - pki_sslserver_token is hard-coded to 'internal'
+#  - pki_backup_keys is automatically disabled when HSM support is enabled,
+#    as HSM backup is not possible with the default mechanism.
+#
+# Predefined variables
+#  - ipa_ca_subject
+#  - ipa_ajp_secret
+#  - ipa_fqdn
+#  - ipa_subject_base
+#  - pki_admin_password
+#  - pki_dns_domainname
+#  - softhsm2_so
+
+
+[DEFAULT]
+# default algorithms for all certificates
+ipa_key_algorithm=SHA256withRSA
+ipa_key_size=2048
+ipa_key_type=rsa
+ipa_signing_algorithm=SHA256withRSA
+
+# Used for IPA CA
+# signing algorithm can be overriden on command line
+ipa_ca_key_algorithm=%(ipa_key_algorithm)s
+ipa_ca_key_size=3072
+ipa_ca_key_type=%(ipa_key_type)s
+ipa_ca_signing_algorithm=%(ipa_signing_algorithm)s
+
+# HSM support
+pki_hsm_enable=False
+pki_hsm_libfile=
+pki_hsm_modulename=
+pki_token_name=internal
+# backup is automatically disabled when HSM support is enabled
+pki_backup_keys=True
+pki_backup_password=%(pki_admin_password)s
+
+pki_admin_email=root@localhost
+
+## auditSigningCert cert-pki-ca / auditSigningCert cert-pki-kra
+pki_audit_signing_key_algorithm=%(ipa_key_algorithm)s
+pki_audit_signing_key_size=%(ipa_key_size)s
+pki_audit_signing_key_type=%(ipa_key_type)s
+pki_audit_signing_signing_algorithm=%(ipa_signing_algorithm)s
+pki_audit_signing_token=%(pki_token_name)s
+
+# Configures the status request timeout, i.e. the connect/data
+# timeout on the HTTP request to get the status of Dogtag.
+#
+# This configuration is needed in "multiple IP address" scenarios
+# where this server's hostname has multiple IP addresses but the
+# HTTP server is only listening on one of them.  Without a timeout,
+# if a "wrong" IP address is tried first, it will take a long time
+# to timeout, exceeding the overall timeout hence the request will
+# not be re-tried.  Setting a shorter timeout allows the request
+# to be re-tried.
+#
+# Note that HSMs cause different behaviour so this value might
+# not be suitable for when we implement HSM support.  It is
+# known that a value of 5s is too short in HSM environment.
+#
+pki_status_request_timeout=15
+
+# for supporting server cert SAN injection
+pki_san_inject=False
+pki_san_for_server_cert=
+
+## Server-Cert cert-pki-ca
+pki_sslserver_key_algorithm=%(ipa_key_algorithm)s
+pki_sslserver_key_size=%(ipa_key_size)s
+pki_sslserver_key_type=%(ipa_key_type)s
+
+## subsystemCert cert-pki-ca
+pki_subsystem_key_algorithm=%(ipa_key_algorithm)s
+pki_subsystem_key_size=%(ipa_key_size)s
+pki_subsystem_key_type=%(ipa_key_type)s
+pki_subsystem_token=%(pki_token_name)s
+
+[CA]
+pki_random_serial_numbers_enable=False
+
+## caSigningCert cert-pki-ca
+pki_ca_signing_key_algorithm=%(ipa_ca_key_algorithm)s
+pki_ca_signing_key_size=%(ipa_ca_key_size)s
+pki_ca_signing_key_type=%(ipa_ca_key_type)s
+pki_ca_signing_signing_algorithm=%(ipa_ca_signing_algorithm)s
+pki_ca_signing_token=%(pki_token_name)s
+
+## ocspSigningCert cert-pki-ca
+pki_ocsp_signing_key_algorithm=%(ipa_key_algorithm)s
+pki_ocsp_signing_key_size=%(ipa_key_size)s
+pki_ocsp_signing_key_type=%(ipa_key_type)s
+pki_ocsp_signing_signing_algorithm=%(ipa_signing_algorithm)s
+pki_ocsp_signing_token=%(pki_token_name)s
+
+[KRA]
+pki_kra_ephemeral_requests=True
+
+## storageCert cert-pki-kra
+pki_storage_key_algorithm=%(ipa_key_algorithm)s
+pki_storage_key_size=%(ipa_key_size)s
+pki_storage_key_type=%(ipa_key_type)s
+pki_storage_signing_algorithm=%(ipa_signing_algorithm)s
+pki_storage_token=%(pki_token_name)s
+
+## transportCert cert-pki-kra
+pki_transport_key_algorithm=%(ipa_key_algorithm)s
+pki_transport_key_size=%(ipa_key_size)s
+pki_transport_key_type=%(ipa_key_type)s
+pki_transport_signing_algorithm=%(ipa_signing_algorithm)s
+pki_transport_token=%(pki_token_name)s

install/share/ipaca_default.ini

@@ -0,0 +1,169 @@
+#
+# Dogtag PKI configuration file
+#
+# The ipaca_default.ini contains hard-coded defaults that cannot be modified
+# by a user without breaking FreeIPA internals.
+#
+# Note: "%" must be quoted as "%%".
+#
+
+[DEFAULT]
+ipa_ca_pem_file=/etc/ipa/ca.crt
+
+## dynamic values
+# ipa_ca_subject=
+# ipa_ajp_secret=
+# ipa_subject_base=
+# ipa_fqdn=
+# ipa_ocsp_uri=
+# ipa_admin_cert_p12=
+# ipa_admin_user=
+
+# sensitive dynamic values
+# pki_admin_password=
+# pki_ds_password=
+
+# Dogtag defaults
+pki_instance_name=pki-tomcat
+pki_instance_configuration_path=%(pki_configuration_path)s/%(pki_instance_name)s
+
+pki_admin_cert_file=%(pki_client_dir)s/ca_admin.cert
+pki_admin_cert_request_type=pkcs10
+pki_admin_dualkey=False
+pki_admin_name=%(ipa_admin_user)s
+pki_admin_nickname=ipa-ca-agent
+pki_admin_subject_dn=cn=ipa-ca-agent,%(ipa_subject_base)s
+pki_admin_uid=%(ipa_admin_user)s
+
+pki_ca_hostname=%(pki_security_domain_hostname)s
+pki_ca_port=%(pki_security_domain_https_port)s
+
+# nickname and subject are hard-coded
+pki_ca_signing_nickname=caSigningCert cert-pki-ca
+pki_ca_signing_cert_path=%(pki_instance_configuration_path)s/external_ca.cert
+
+pki_client_admin_cert_p12=%(ipa_admin_cert_p12)s
+pki_client_database_password=
+pki_client_database_purge=True
+pki_client_dir=%(home_dir)s/.dogtag/%(pki_instance_name)s
+pki_client_pkcs12_password=%(pki_admin_password)s
+pki_ds_bind_dn=cn=Directory Manager
+pki_ds_ldap_port=389
+pki_ds_ldaps_port=636
+# CA: o=ipaca, KRA: o=kra,o=ipaca
+pki_ds_base_dn=o=ipaca
+pki_ds_database=ipaca
+pki_ds_hostname=%(ipa_fqdn)s
+pki_ds_remove_data=True
+pki_ds_secure_connection=False
+pki_ds_secure_connection_ca_nickname=Directory Server CA certificate
+pki_ds_secure_connection_ca_pem_file=%(ipa_ca_pem_file)s
+
+pki_issuing_ca_hostname=%(pki_security_domain_hostname)s
+pki_issuing_ca_https_port=%(pki_security_domain_https_port)s
+pki_issuing_ca_uri=https://%(ipa_fqdn)s:443
+pki_issuing_ca=%(pki_issuing_ca_uri)s
+pki_replication_password=
+
+pki_enable_proxy=True
+pki_ajp_secret=%(ipa_ajp_secret)s
+pki_restart_configured_instance=False
+pki_security_domain_hostname=%(ipa_fqdn)s
+pki_security_domain_https_port=443
+pki_security_domain_name=IPA
+pki_security_domain_password=%(pki_admin_password)s
+pki_security_domain_user=%(ipa_admin_user)s
+pki_self_signed_token=internal
+
+pki_skip_configuration=False
+pki_skip_ds_verify=False
+pki_skip_installation=False
+pki_skip_sd_verify=False
+
+pki_sslserver_token=internal
+pki_ssl_server_token=%(pki_sslserver_token)s
+pki_sslserver_nickname=Server-Cert cert-pki-ca
+pki_sslserver_subject_dn=cn=%(ipa_fqdn)s,%(ipa_subject_base)s
+
+# nickname and subject are hard-coded
+pki_subsystem_nickname=subsystemCert cert-pki-ca
+pki_subsystem_subject_dn=cn=CA Subsystem,%(ipa_subject_base)s
+
+pki_theme_enable=True
+pki_theme_server_dir=/usr/share/pki/common-ui
+pki_audit_group=pkiaudit
+pki_group=pkiuser
+pki_user=pkiuser
+pki_existing=False
+
+pki_cert_chain_path=%(pki_instance_configuration_path)s/external_ca_chain.cert
+pki_cert_chain_nickname=caSigningCert External CA
+
+pki_pkcs12_path=
+pki_pkcs12_password=
+
+
+[CA]
+pki_ds_base_dn=o=ipaca
+
+pki_ca_signing_record_create=True
+pki_ca_signing_serial_number=1
+pki_ca_signing_subject_dn=%(ipa_ca_subject)s
+
+pki_ca_signing_csr_path=/root/ipa.csr
+
+pki_ca_starting_crl_number=0
+
+pki_external=False
+pki_external_step_two=False
+
+pki_external_pkcs12_path=%(pki_pkcs12_path)s
+pki_external_pkcs12_password=%(pki_pkcs12_password)s
+pki_import_admin_cert=False
+
+pki_ocsp_signing_nickname=ocspSigningCert cert-pki-ca
+pki_ocsp_signing_subject_dn=cn=OCSP Subsystem,%(ipa_subject_base)s
+
+pki_profiles_in_ldap=True
+pki_subordinate=False
+pki_subordinate_create_new_security_domain=False
+
+pki_audit_signing_nickname=auditSigningCert cert-pki-ca
+pki_audit_signing_subject_dn=cn=CA Audit,%(ipa_subject_base)s
+
+pki_share_db=False
+pki_master_crl_enable=True
+
+pki_default_ocsp_uri=%(ipa_ocsp_uri)s
+
+pki_serial_number_range_start=1
+pki_serial_number_range_end=10000000
+pki_request_number_range_start=1
+pki_request_number_range_end=10000000
+pki_replica_number_range_start=1
+pki_replica_number_range_end=100
+
+
+[KRA]
+pki_ds_base_dn=o=kra,o=ipaca
+pki_ds_create_new_db=False
+pki_ds_secure_connection=True
+
+pki_import_admin_cert=True
+pki_standalone=False
+
+pki_external_step_two=False
+
+pki_storage_nickname=storageCert cert-pki-kra
+pki_storage_subject_dn=cn=KRA Storage Certificate,%(ipa_subject_base)s
+
+pki_transport_nickname=transportCert cert-pki-kra
+pki_transport_subject_dn=cn=KRA Transport Certificate,%(ipa_subject_base)s
+
+pki_audit_signing_nickname=auditSigningCert cert-pki-kra
+pki_audit_signing_subject_dn=cn=KRA Audit,%(ipa_subject_base)s
+
+# Needed because CA and KRA share the same database
+# We will use the dbuser created for the CA.
+pki_share_db=True
+pki_share_dbuser_dn=uid=pkidbuser,ou=people,o=ipaca

install/share/ipaca_softhsm2.ini

@@ -0,0 +1,9 @@
+#
+# Example config for softhsm2
+#
+
+[DEFAULT]
+pki_hsm_enable=True
+pki_hsm_libfile=%(softhsm2_so)s
+pki_hsm_modulename=softhsm2
+pki_token_name=softhsm_token

install/share/kdc.conf.template

@@ -17,4 +17,7 @@
   pkinit_anchors = FILE:$KDC_CERT
   pkinit_anchors = FILE:$CACERT_PEM
   pkinit_pool = FILE:$CA_BUNDLE_PEM
+  pkinit_indicator = pkinit
+  spake_preauth_indicator = hardened
+  encrypted_challenge_indicator = hardened
  }

install/share/kerberos.ldif

@@ -18,14 +18,14 @@ krbSupportedEncSaltTypes: aes256-cts:normal
 krbSupportedEncSaltTypes: aes256-cts:special
 krbSupportedEncSaltTypes: aes128-cts:normal
 krbSupportedEncSaltTypes: aes128-cts:special
-krbSupportedEncSaltTypes: des3-hmac-sha1:normal
-krbSupportedEncSaltTypes: des3-hmac-sha1:special
-krbSupportedEncSaltTypes: arcfour-hmac:normal
-krbSupportedEncSaltTypes: arcfour-hmac:special
-krbSupportedEncSaltTypes: camellia128-cts-cmac:normal
-krbSupportedEncSaltTypes: camellia128-cts-cmac:special
-krbSupportedEncSaltTypes: camellia256-cts-cmac:normal
-krbSupportedEncSaltTypes: camellia256-cts-cmac:special
+krbSupportedEncSaltTypes: aes128-sha2:normal
+krbSupportedEncSaltTypes: aes128-sha2:special
+krbSupportedEncSaltTypes: aes256-sha2:normal
+krbSupportedEncSaltTypes: aes256-sha2:special
+${FIPS}krbSupportedEncSaltTypes: camellia128-cts-cmac:normal
+${FIPS}krbSupportedEncSaltTypes: camellia128-cts-cmac:special
+${FIPS}krbSupportedEncSaltTypes: camellia256-cts-cmac:normal
+${FIPS}krbSupportedEncSaltTypes: camellia256-cts-cmac:special
 krbMaxTicketLife: 86400
 krbMaxRenewableAge: 604800
 krbDefaultEncSaltTypes: aes256-cts:special

install/share/ldapi.ldif

@@ -1,6 +0,0 @@
-# Enable the ldapi listener
-dn: cn=config
-changetype: modify
-replace: nsslapd-ldapilisten
-nsslapd-ldapilisten: on
-

install/share/ldbm-tuning.ldif

@@ -0,0 +1,4 @@
+dn: cn=bdb,cn=config,cn=ldbm database,cn=plugins,cn=config
+changetype: modify
+replace: nsslapd-db-locks
+nsslapd-db-locks: 50000

install/share/opendnssec_conf.template

@@ -33,7 +33,7 @@
 		</Privileges>
 
 		<Datastore><SQLite>$KASP_DB</SQLite></Datastore>
-		<Interval>PT3600S</Interval>
+		$INTERVAL
 		<!-- <ManualKeyGeneration/> -->
 		<!-- <RolloverNotification>P14D</RolloverNotification> -->
 

install/share/profiles/Makefile.in

@@ -1,7 +1,7 @@
-# Makefile.in generated by automake 1.16.1 from Makefile.am.
+# Makefile.in generated by automake 1.16.2 from Makefile.am.
 # @configure_input@
 
-# Copyright (C) 1994-2018 Free Software Foundation, Inc.
+# Copyright (C) 1994-2020 Free Software Foundation, Inc.
 
 # This Makefile.in is free software; the Free Software Foundation
 # gives unlimited permission to copy and/or distribute it,
@@ -214,6 +214,8 @@ JSLINT = @JSLINT@
 KRAD_LIBS = @KRAD_LIBS@
 KRB5KDC_SERVICE = @KRB5KDC_SERVICE@
 KRB5_CFLAGS = @KRB5_CFLAGS@
+KRB5_GSSAPI_CFLAGS = @KRB5_GSSAPI_CFLAGS@
+KRB5_GSSAPI_LIBS = @KRB5_GSSAPI_LIBS@
 KRB5_LIBS = @KRB5_LIBS@
 LD = @LD@
 LDAP_CFLAGS = @LDAP_CFLAGS@
@@ -256,11 +258,10 @@ NM = @NM@
 NMEDIT = @NMEDIT@
 NSPR_CFLAGS = @NSPR_CFLAGS@
 NSPR_LIBS = @NSPR_LIBS@
-NSS_CFLAGS = @NSS_CFLAGS@
-NSS_LIBS = @NSS_LIBS@
 NUM_VERSION = @NUM_VERSION@
 OBJDUMP = @OBJDUMP@
 OBJEXT = @OBJEXT@
+ODS_GROUP = @ODS_GROUP@
 ODS_USER = @ODS_USER@
 OTOOL = @OTOOL@
 OTOOL64 = @OTOOL64@
@@ -281,8 +282,6 @@ POPT_LIBS = @POPT_LIBS@
 POSUB = @POSUB@
 PYLINT = @PYLINT@
 PYTHON = @PYTHON@
-PYTHON2 = @PYTHON2@
-PYTHON3 = @PYTHON3@
 PYTHON_EXEC_PREFIX = @PYTHON_EXEC_PREFIX@
 PYTHON_INSTALL_EXTRA_OPTIONS = @PYTHON_INSTALL_EXTRA_OPTIONS@
 PYTHON_PLATFORM = @PYTHON_PLATFORM@
@@ -370,7 +369,9 @@ program_transform_name = @program_transform_name@
 psdir = @psdir@
 pyexecdir = @pyexecdir@
 pythondir = @pythondir@
+runstatedir = @runstatedir@
 sbindir = @sbindir@
+selinux_makefile = @selinux_makefile@
 sharedstatedir = @sharedstatedir@
 srcdir = @srcdir@
 sysconfdir = @sysconfdir@

install/share/pw-logging-conf.ldif

@@ -0,0 +1,5 @@
+dn: cn=config
+changetype: modify
+replace: nsslapd-unhashed-pw-switch
+nsslapd-unhashed-pw-switch: nolog
+

install/share/replica-acis.ldif

@@ -8,29 +8,29 @@ aci: (targetattr = "cn || createtimestamp || description || entryusn || modifyti
 dn: cn=mapping tree,cn=config
 changetype: modify
 add: aci
-aci: (targetattr=*)(version 3.0;acl "permission:Add Replication Agreements";allow (add) groupdn = "ldap:///cn=Add Replication Agreements,cn=permissions,cn=pbac,$SUFFIX";)
+aci: (targetattr = "*")(version 3.0;acl "permission:Add Replication Agreements";allow (add) groupdn = "ldap:///cn=Add Replication Agreements,cn=permissions,cn=pbac,$SUFFIX";)
 
 dn: cn=mapping tree,cn=config
 changetype: modify
 add: aci
-aci: (targetattr=*)(targetfilter="(|(objectclass=nsds5Replica)(objectclass=nsds5replicationagreement)(objectclass=nsDSWindowsReplicationAgreement)(objectClass=nsMappingTree))")(version 3.0; acl "permission:Modify Replication Agreements"; allow (read, write, search) groupdn = "ldap:///cn=Modify Replication Agreements,cn=permissions,cn=pbac,$SUFFIX";)
+aci: (targetattr = "*")(targetfilter="(|(objectclass=nsds5Replica)(objectclass=nsds5replicationagreement)(objectclass=nsDSWindowsReplicationAgreement)(objectClass=nsMappingTree))")(version 3.0; acl "permission:Modify Replication Agreements"; allow (read, write, search) groupdn = "ldap:///cn=Modify Replication Agreements,cn=permissions,cn=pbac,$SUFFIX";)
 
 dn: cn=mapping tree,cn=config
 changetype: modify
 add: aci
-aci: (targetattr=*)(targetfilter="(|(objectclass=nsds5replicationagreement)(objectclass=nsDSWindowsReplicationAgreement))")(version 3.0;acl "permission:Remove Replication Agreements";allow (delete) groupdn = "ldap:///cn=Remove Replication Agreements,cn=permissions,cn=pbac,$SUFFIX";)
+aci: (targetattr = "*")(targetfilter="(|(objectclass=nsds5replicationagreement)(objectclass=nsDSWindowsReplicationAgreement))")(version 3.0;acl "permission:Remove Replication Agreements";allow (delete) groupdn = "ldap:///cn=Remove Replication Agreements,cn=permissions,cn=pbac,$SUFFIX";)
 
 dn: cn=Posix IDs,cn=Distributed Numeric Assignment Plugin,cn=plugins,cn=config
 changetype: modify
 add: aci
-aci: (targetattr=dnaNextRange || dnaNextValue || dnaMaxValue)(version 3.0;acl "permission:Modify DNA Range";allow (write) groupdn = "ldap:///cn=Modify DNA Range,cn=permissions,cn=pbac,$SUFFIX";)
+aci: (targetattr = "dnaNextRange || dnaNextValue || dnaMaxValue")(version 3.0;acl "permission:Modify DNA Range";allow (write) groupdn = "ldap:///cn=Modify DNA Range,cn=permissions,cn=pbac,$SUFFIX";)
 
 dn: cn=userRoot,cn=ldbm database,cn=plugins,cn=config
 changetype: modify
 add: aci
-aci: (targetattr=nsslapd-readonly)(version 3.0; acl "Allow marking the database readonly"; allow (write) groupdn = "ldap:///cn=Remove Replication Agreements,cn=permissions,cn=pbac,$SUFFIX";)
+aci: (targetattr = "nsslapd-readonly")(version 3.0; acl "Allow marking the database readonly"; allow (write) groupdn = "ldap:///cn=Remove Replication Agreements,cn=permissions,cn=pbac,$SUFFIX";)
 
 dn: cn=tasks,cn=config
 changetype: modify
 add: aci
-aci: (targetattr=*)(version 3.0; acl "Run tasks after replica re-initialization"; allow (add) groupdn = "ldap:///cn=Modify Replication Agreements,cn=permissions,cn=pbac,$SUFFIX";)
+aci: (targetattr = "*")(version 3.0; acl "Run tasks after replica re-initialization"; allow (add) groupdn = "ldap:///cn=Modify Replication Agreements,cn=permissions,cn=pbac,$SUFFIX";)

install/share/schema.d/Makefile.in

@@ -1,7 +1,7 @@
-# Makefile.in generated by automake 1.16.1 from Makefile.am.
+# Makefile.in generated by automake 1.16.2 from Makefile.am.
 # @configure_input@
 
-# Copyright (C) 1994-2018 Free Software Foundation, Inc.
+# Copyright (C) 1994-2020 Free Software Foundation, Inc.
 
 # This Makefile.in is free software; the Free Software Foundation
 # gives unlimited permission to copy and/or distribute it,
@@ -274,6 +274,8 @@ JSLINT = @JSLINT@
 KRAD_LIBS = @KRAD_LIBS@
 KRB5KDC_SERVICE = @KRB5KDC_SERVICE@
 KRB5_CFLAGS = @KRB5_CFLAGS@
+KRB5_GSSAPI_CFLAGS = @KRB5_GSSAPI_CFLAGS@
+KRB5_GSSAPI_LIBS = @KRB5_GSSAPI_LIBS@
 KRB5_LIBS = @KRB5_LIBS@
 LD = @LD@
 LDAP_CFLAGS = @LDAP_CFLAGS@
@@ -316,11 +318,10 @@ NM = @NM@
 NMEDIT = @NMEDIT@
 NSPR_CFLAGS = @NSPR_CFLAGS@
 NSPR_LIBS = @NSPR_LIBS@
-NSS_CFLAGS = @NSS_CFLAGS@
-NSS_LIBS = @NSS_LIBS@
 NUM_VERSION = @NUM_VERSION@
 OBJDUMP = @OBJDUMP@
 OBJEXT = @OBJEXT@
+ODS_GROUP = @ODS_GROUP@
 ODS_USER = @ODS_USER@
 OTOOL = @OTOOL@
 OTOOL64 = @OTOOL64@
@@ -341,8 +342,6 @@ POPT_LIBS = @POPT_LIBS@
 POSUB = @POSUB@
 PYLINT = @PYLINT@
 PYTHON = @PYTHON@
-PYTHON2 = @PYTHON2@
-PYTHON3 = @PYTHON3@
 PYTHON_EXEC_PREFIX = @PYTHON_EXEC_PREFIX@
 PYTHON_INSTALL_EXTRA_OPTIONS = @PYTHON_INSTALL_EXTRA_OPTIONS@
 PYTHON_PLATFORM = @PYTHON_PLATFORM@
@@ -430,7 +429,9 @@ program_transform_name = @program_transform_name@
 psdir = @psdir@
 pyexecdir = @pyexecdir@
 pythondir = @pythondir@
+runstatedir = @runstatedir@
 sbindir = @sbindir@
+selinux_makefile = @selinux_makefile@
 sharedstatedir = @sharedstatedir@
 srcdir = @srcdir@
 sysconfdir = @sysconfdir@

install/share/smb.conf.registry.template

@@ -0,0 +1,35 @@
+[global]
+workgroup = $NETBIOS_NAME
+netbios name = $HOST_NETBIOS_NAME
+realm = $REALM
+kerberos method = dedicated keytab
+dedicated keytab file = /etc/samba/samba.keytab
+create krb5 conf = no
+security = user
+domain master = yes
+domain logons = yes
+log level = 1
+max log size = 100000
+log file = /var/log/samba/log.%m
+passdb backend = ipasam:ldapi://$LDAPI_SOCKET
+disable spoolss = yes
+ldapsam:trusted=yes
+ldap ssl = off
+ldap suffix = $SUFFIX
+ldap user suffix = cn=users,cn=accounts
+ldap group suffix = cn=groups,cn=accounts
+ldap machine suffix = cn=computers,cn=accounts
+rpc_server:epmapper = external
+rpc_server:lsarpc = external
+rpc_server:lsass = external
+rpc_server:lsasd = external
+rpc_server:samr = external
+rpc_server:netlogon = external
+rpc_server:tcpip = yes
+rpc_daemon:epmd = fork
+rpc_daemon:lsasd = fork
+idmap config * : backend = tdb
+idmap config * : range =  0 - 0
+idmap config $NETBIOS_NAME : backend = sss
+idmap config $NETBIOS_NAME : range = $IPA_LOCAL_RANGE
+max smbd processes = 1000

install/share/smb.conf.template

@@ -1,30 +1,7 @@
+### Added by IPA Installer ###
+#         DO NOT EDIT        #
 [global]
-workgroup = $NETBIOS_NAME
-netbios name = $HOST_NETBIOS_NAME
-realm = $REALM
-kerberos method = dedicated keytab
-dedicated keytab file = /etc/samba/samba.keytab
-create krb5 conf = no
-security = user
-domain master = yes
-domain logons = yes
-log level = 1
-max log size = 100000
-log file = /var/log/samba/log.%m
-passdb backend = ipasam:ldapi://$LDAPI_SOCKET
-disable spoolss = yes
-ldapsam:trusted=yes
-ldap ssl = off
-ldap suffix = $SUFFIX
-ldap user suffix = cn=users,cn=accounts
-ldap group suffix = cn=groups,cn=accounts
-ldap machine suffix = cn=computers,cn=accounts
-rpc_server:epmapper = external
-rpc_server:lsarpc = external
-rpc_server:lsass = external
-rpc_server:lsasd = external
-rpc_server:samr = external
-rpc_server:netlogon = external
-rpc_server:tcpip = yes
-rpc_daemon:epmd = fork
-rpc_daemon:lsasd = fork
+debug pid = yes
+state directory = $SAMBA_DIR
+cache directory = $SAMBA_DIR
+include = registry