Import Upstream version 4.12.4

This commit is contained in:
geos_one
2025-08-12 22:28:56 +02:00
parent 03a8170b15
commit 9181ee2487
1629 changed files with 874094 additions and 554378 deletions


@@ -1,7 +1,7 @@
# Makefile.in generated by automake 1.16.2 from Makefile.am.
# Makefile.in generated by automake 1.17 from Makefile.am.
# @configure_input@
# Copyright (C) 1994-2020 Free Software Foundation, Inc.
# Copyright (C) 1994-2024 Free Software Foundation, Inc.
# This Makefile.in is free software; the Free Software Foundation
# gives unlimited permission to copy and/or distribute it,
@@ -69,6 +69,8 @@ am__make_running_with_option = \
test $$has_opt = yes
am__make_dryrun = (target_option=n; $(am__make_running_with_option))
am__make_keepgoing = (target_option=k; $(am__make_running_with_option))
am__rm_f = rm -f $(am__rm_f_notfound)
am__rm_rf = rm -rf $(am__rm_f_notfound)
pkgdatadir = $(datadir)/@PACKAGE@
pkgincludedir = $(includedir)/@PACKAGE@
pkglibdir = $(libdir)/@PACKAGE@
@@ -157,8 +159,6 @@ am__define_uniq_tagged_files = \
unique=`for i in $$list; do \
if test -f "$$i"; then echo $$i; else echo $(srcdir)/$$i; fi; \
done | $(am__uniquify_input)`
ETAGS = etags
CTAGS = ctags
DIST_SUBDIRS = $(SUBDIRS)
am__DIST_COMMON = $(srcdir)/Makefile.in
DISTFILES = $(DIST_COMMON) $(DIST_SOURCES) $(TEXINFOS) $(EXTRA_DIST)
@@ -206,6 +206,8 @@ CPP = @CPP@
CPPFLAGS = @CPPFLAGS@
CRYPTO_CFLAGS = @CRYPTO_CFLAGS@
CRYPTO_LIBS = @CRYPTO_LIBS@
CSCOPE = @CSCOPE@
CTAGS = @CTAGS@
CYGPATH_W = @CYGPATH_W@
DATA_VERSION = @DATA_VERSION@
DEFS = @DEFS@
@@ -219,8 +221,10 @@ ECHO_C = @ECHO_C@
ECHO_N = @ECHO_N@
ECHO_T = @ECHO_T@
EGREP = @EGREP@
ETAGS = @ETAGS@
EXEEXT = @EXEEXT@
FGREP = @FGREP@
FILECMD = @FILECMD@
GETTEXT_DOMAIN = @GETTEXT_DOMAIN@
GETTEXT_MACRO_VERSION = @GETTEXT_MACRO_VERSION@
GIT_BRANCH = @GIT_BRANCH@
@@ -228,6 +232,7 @@ GIT_VERSION = @GIT_VERSION@
GMSGFMT = @GMSGFMT@
GMSGFMT_015 = @GMSGFMT_015@
GREP = @GREP@
HTTPD_GROUP = @HTTPD_GROUP@
INI_CFLAGS = @INI_CFLAGS@
INI_LIBS = @INI_LIBS@
INSTALL = @INSTALL@
@@ -240,9 +245,12 @@ INTL_MACOSX_LIBS = @INTL_MACOSX_LIBS@
IPAPLATFORM = @IPAPLATFORM@
IPA_DATA_DIR = @IPA_DATA_DIR@
IPA_SYSCONF_DIR = @IPA_SYSCONF_DIR@
JANSSON_CFLAGS = @JANSSON_CFLAGS@
JANSSON_LIBS = @JANSSON_LIBS@
JSLINT = @JSLINT@
KRAD_LIBS = @KRAD_LIBS@
KRB5KDC_SERVICE = @KRB5KDC_SERVICE@
KRB5_BUILD_VERSION = @KRB5_BUILD_VERSION@
KRB5_CFLAGS = @KRB5_CFLAGS@
KRB5_GSSAPI_CFLAGS = @KRB5_GSSAPI_CFLAGS@
KRB5_GSSAPI_LIBS = @KRB5_GSSAPI_LIBS@
@@ -251,6 +259,8 @@ LD = @LD@
LDAP_CFLAGS = @LDAP_CFLAGS@
LDAP_LIBS = @LDAP_LIBS@
LDFLAGS = @LDFLAGS@
LIBCURL_CFLAGS = @LIBCURL_CFLAGS@
LIBCURL_LIBS = @LIBCURL_LIBS@
LIBICONV = @LIBICONV@
LIBINTL = @LIBINTL@
LIBINTL_LIBS = @LIBINTL_LIBS@
@@ -310,6 +320,8 @@ PLATFORM_PYTHON = @PLATFORM_PYTHON@
POPT_CFLAGS = @POPT_CFLAGS@
POPT_LIBS = @POPT_LIBS@
POSUB = @POSUB@
PWQUALITY_CFLAGS = @PWQUALITY_CFLAGS@
PWQUALITY_LIBS = @PWQUALITY_LIBS@
PYLINT = @PYLINT@
PYTHON = @PYTHON@
PYTHON_EXEC_PREFIX = @PYTHON_EXEC_PREFIX@
@@ -318,9 +330,12 @@ PYTHON_PLATFORM = @PYTHON_PLATFORM@
PYTHON_PREFIX = @PYTHON_PREFIX@
PYTHON_VERSION = @PYTHON_VERSION@
RANLIB = @RANLIB@
RESOLV_LIBS = @RESOLV_LIBS@
RPMLINT = @RPMLINT@
SAMBA40EXTRA_LIBPATH = @SAMBA40EXTRA_LIBPATH@
SAMBAUTIL_CFLAGS = @SAMBAUTIL_CFLAGS@
SAMBAUTIL_LIBS = @SAMBAUTIL_LIBS@
SAMBA_SECURITY_LIBS = @SAMBA_SECURITY_LIBS@
SASL_CFLAGS = @SASL_CFLAGS@
SASL_LIBS = @SASL_LIBS@
SED = @SED@
@@ -359,8 +374,10 @@ ac_ct_DUMPBIN = @ac_ct_DUMPBIN@
am__include = @am__include@
am__leading_dot = @am__leading_dot@
am__quote = @am__quote@
am__rm_f_notfound = @am__rm_f_notfound@
am__tar = @am__tar@
am__untar = @am__untar@
am__xargs_n = @am__xargs_n@
bindir = @bindir@
build = @build@
build_alias = @build_alias@
@@ -406,6 +423,7 @@ sharedstatedir = @sharedstatedir@
srcdir = @srcdir@
sysconfdir = @sysconfdir@
sysconfenvdir = @sysconfenvdir@
systemdcatalogdir = @systemdcatalogdir@
systemdsystemunitdir = @systemdsystemunitdir@
systemdtmpfilesdir = @systemdtmpfilesdir@
target_alias = @target_alias@
@@ -569,7 +587,6 @@ cscopelist-am: $(am__tagged_files)
distclean-tags:
-rm -f TAGS ID GTAGS GRTAGS GSYMS GPATH tags
distdir: $(BUILT_SOURCES)
$(MAKE) $(AM_MAKEFLAGS) distdir-am
@@ -657,8 +674,8 @@ mostlyclean-generic:
clean-generic:
distclean-generic:
-test -z "$(CONFIG_CLEAN_FILES)" || rm -f $(CONFIG_CLEAN_FILES)
-test . = "$(srcdir)" || test -z "$(CONFIG_CLEAN_VPATH_FILES)" || rm -f $(CONFIG_CLEAN_VPATH_FILES)
-$(am__rm_f) $(CONFIG_CLEAN_FILES)
-test . = "$(srcdir)" || $(am__rm_f) $(CONFIG_CLEAN_VPATH_FILES)
maintainer-clean-generic:
@echo "This command is intended for maintainers to use"
@@ -770,3 +787,10 @@ uninstall-local:
# Tell versions [3.59,3.63) of GNU make to not export all variables.
# Otherwise a system limit (for SysV at least) may be exceeded.
.NOEXPORT:
# Tell GNU make to disable its built-in pattern rules.
%:: %,v
%:: RCS/%,v
%:: RCS/%
%:: s.%
%:: SCCS/s.%


@@ -1,7 +1,7 @@
# Makefile.in generated by automake 1.16.2 from Makefile.am.
# Makefile.in generated by automake 1.17 from Makefile.am.
# @configure_input@
# Copyright (C) 1994-2020 Free Software Foundation, Inc.
# Copyright (C) 1994-2024 Free Software Foundation, Inc.
# This Makefile.in is free software; the Free Software Foundation
# gives unlimited permission to copy and/or distribute it,
@@ -71,6 +71,8 @@ am__make_running_with_option = \
test $$has_opt = yes
am__make_dryrun = (target_option=n; $(am__make_running_with_option))
am__make_keepgoing = (target_option=k; $(am__make_running_with_option))
am__rm_f = rm -f $(am__rm_f_notfound)
am__rm_rf = rm -rf $(am__rm_f_notfound)
pkgdatadir = $(datadir)/@PACKAGE@
pkgincludedir = $(includedir)/@PACKAGE@
pkglibdir = $(libdir)/@PACKAGE@
@@ -130,10 +132,9 @@ am__base_list = \
sed '$$!N;$$!N;$$!N;$$!N;$$!N;$$!N;$$!N;s/\n/ /g' | \
sed '$$!N;$$!N;$$!N;$$!N;s/\n/ /g'
am__uninstall_files_from_dir = { \
test -z "$$files" \
|| { test ! -d "$$dir" && test ! -f "$$dir" && test ! -r "$$dir"; } \
|| { echo " ( cd '$$dir' && rm -f" $$files ")"; \
$(am__cd) "$$dir" && rm -f $$files; }; \
{ test ! -d "$$dir" && test ! -f "$$dir" && test ! -r "$$dir"; } \
|| { echo " ( cd '$$dir' && rm -f" $$files ")"; \
$(am__cd) "$$dir" && echo $$files | $(am__xargs_n) 40 $(am__rm_f); }; \
}
am__installdirs = "$(DESTDIR)$(appdir)"
SCRIPTS = $(nodist_app_SCRIPTS)
@@ -180,6 +181,8 @@ CPP = @CPP@
CPPFLAGS = @CPPFLAGS@
CRYPTO_CFLAGS = @CRYPTO_CFLAGS@
CRYPTO_LIBS = @CRYPTO_LIBS@
CSCOPE = @CSCOPE@
CTAGS = @CTAGS@
CYGPATH_W = @CYGPATH_W@
DATA_VERSION = @DATA_VERSION@
DEFS = @DEFS@
@@ -193,8 +196,10 @@ ECHO_C = @ECHO_C@
ECHO_N = @ECHO_N@
ECHO_T = @ECHO_T@
EGREP = @EGREP@
ETAGS = @ETAGS@
EXEEXT = @EXEEXT@
FGREP = @FGREP@
FILECMD = @FILECMD@
GETTEXT_DOMAIN = @GETTEXT_DOMAIN@
GETTEXT_MACRO_VERSION = @GETTEXT_MACRO_VERSION@
GIT_BRANCH = @GIT_BRANCH@
@@ -202,6 +207,7 @@ GIT_VERSION = @GIT_VERSION@
GMSGFMT = @GMSGFMT@
GMSGFMT_015 = @GMSGFMT_015@
GREP = @GREP@
HTTPD_GROUP = @HTTPD_GROUP@
INI_CFLAGS = @INI_CFLAGS@
INI_LIBS = @INI_LIBS@
INSTALL = @INSTALL@
@@ -214,9 +220,12 @@ INTL_MACOSX_LIBS = @INTL_MACOSX_LIBS@
IPAPLATFORM = @IPAPLATFORM@
IPA_DATA_DIR = @IPA_DATA_DIR@
IPA_SYSCONF_DIR = @IPA_SYSCONF_DIR@
JANSSON_CFLAGS = @JANSSON_CFLAGS@
JANSSON_LIBS = @JANSSON_LIBS@
JSLINT = @JSLINT@
KRAD_LIBS = @KRAD_LIBS@
KRB5KDC_SERVICE = @KRB5KDC_SERVICE@
KRB5_BUILD_VERSION = @KRB5_BUILD_VERSION@
KRB5_CFLAGS = @KRB5_CFLAGS@
KRB5_GSSAPI_CFLAGS = @KRB5_GSSAPI_CFLAGS@
KRB5_GSSAPI_LIBS = @KRB5_GSSAPI_LIBS@
@@ -225,6 +234,8 @@ LD = @LD@
LDAP_CFLAGS = @LDAP_CFLAGS@
LDAP_LIBS = @LDAP_LIBS@
LDFLAGS = @LDFLAGS@
LIBCURL_CFLAGS = @LIBCURL_CFLAGS@
LIBCURL_LIBS = @LIBCURL_LIBS@
LIBICONV = @LIBICONV@
LIBINTL = @LIBINTL@
LIBINTL_LIBS = @LIBINTL_LIBS@
@@ -284,6 +295,8 @@ PLATFORM_PYTHON = @PLATFORM_PYTHON@
POPT_CFLAGS = @POPT_CFLAGS@
POPT_LIBS = @POPT_LIBS@
POSUB = @POSUB@
PWQUALITY_CFLAGS = @PWQUALITY_CFLAGS@
PWQUALITY_LIBS = @PWQUALITY_LIBS@
PYLINT = @PYLINT@
PYTHON = @PYTHON@
PYTHON_EXEC_PREFIX = @PYTHON_EXEC_PREFIX@
@@ -292,9 +305,12 @@ PYTHON_PLATFORM = @PYTHON_PLATFORM@
PYTHON_PREFIX = @PYTHON_PREFIX@
PYTHON_VERSION = @PYTHON_VERSION@
RANLIB = @RANLIB@
RESOLV_LIBS = @RESOLV_LIBS@
RPMLINT = @RPMLINT@
SAMBA40EXTRA_LIBPATH = @SAMBA40EXTRA_LIBPATH@
SAMBAUTIL_CFLAGS = @SAMBAUTIL_CFLAGS@
SAMBAUTIL_LIBS = @SAMBAUTIL_LIBS@
SAMBA_SECURITY_LIBS = @SAMBA_SECURITY_LIBS@
SASL_CFLAGS = @SASL_CFLAGS@
SASL_LIBS = @SASL_LIBS@
SED = @SED@
@@ -333,8 +349,10 @@ ac_ct_DUMPBIN = @ac_ct_DUMPBIN@
am__include = @am__include@
am__leading_dot = @am__leading_dot@
am__quote = @am__quote@
am__rm_f_notfound = @am__rm_f_notfound@
am__tar = @am__tar@
am__untar = @am__untar@
am__xargs_n = @am__xargs_n@
bindir = @bindir@
build = @build@
build_alias = @build_alias@
@@ -380,6 +398,7 @@ sharedstatedir = @sharedstatedir@
srcdir = @srcdir@
sysconfdir = @sysconfdir@
sysconfenvdir = @sysconfenvdir@
systemdcatalogdir = @systemdcatalogdir@
systemdsystemunitdir = @systemdsystemunitdir@
systemdtmpfilesdir = @systemdtmpfilesdir@
target_alias = @target_alias@
@@ -480,7 +499,6 @@ ctags CTAGS:
cscope cscopelist:
distdir: $(BUILT_SOURCES)
$(MAKE) $(AM_MAKEFLAGS) distdir-am
@@ -543,11 +561,11 @@ install-strip:
mostlyclean-generic:
clean-generic:
-test -z "$(CLEANFILES)" || rm -f $(CLEANFILES)
-$(am__rm_f) $(CLEANFILES)
distclean-generic:
-test -z "$(CONFIG_CLEAN_FILES)" || rm -f $(CONFIG_CLEAN_FILES)
-test . = "$(srcdir)" || test -z "$(CONFIG_CLEAN_VPATH_FILES)" || rm -f $(CONFIG_CLEAN_VPATH_FILES)
-$(am__rm_f) $(CONFIG_CLEAN_FILES)
-test . = "$(srcdir)" || $(am__rm_f) $(CONFIG_CLEAN_VPATH_FILES)
maintainer-clean-generic:
@echo "This command is intended for maintainers to use"
@@ -647,3 +665,10 @@ python_scripts_sub: $(PYTHON_SHEBANG)
# Tell versions [3.59,3.63) of GNU make to not export all variables.
# Otherwise a system limit (for SysV at least) may be exceeded.
.NOEXPORT:
# Tell GNU make to disable its built-in pattern rules.
%:: %,v
%:: RCS/%,v
%:: RCS/%
%:: s.%
%:: SCCS/s.%


@@ -42,7 +42,7 @@ import six
from ipalib.install.kinit import kinit_keytab
from ipapython import ipautil
from ipapython.dn import DN
from ipalib import api, errors, x509
from ipalib import api, errors, x509, sysrestore
from ipaplatform.paths import paths
from ipaserver.plugins.ldap2 import ldap2
from ipaserver.install import ca, cainstance, dsinstance, certs
@@ -220,7 +220,7 @@ def request_cert(reuse_existing, **kwargs):
sys.stderr.write(result.raw_error_output)
else:
# Write bytes directly
sys.stderr.buffer.write(result.raw_error_output) #pylint: disable=no-member
sys.stderr.buffer.write(result.raw_error_output)
sys.stderr.flush()
syslog.syslog(syslog.LOG_NOTICE,
@@ -383,7 +383,20 @@ def retrieve_cert_continuous(reuse_existing, **kwargs):
return result
new_cert = x509.load_pem_x509_certificate(result[1].encode('ascii'))
nickname = get_nickname()
if new_cert == old_cert:
sstore = sysrestore.StateFile(paths.SYSRESTORE)
if (
sstore.get_state('pki_hsm', 'enabled')
and sstore.get_state('pki_hsm', 'token_name')
and nickname != 'ipaCert'
):
# HSMs must be networked so the cert is already present
# exception of the RA Agent certificate.
return (
ISSUED,
new_cert.public_bytes(x509.Encoding.PEM).decode("ascii"),
)
syslog.syslog(syslog.LOG_INFO, "Updated certificate not available")
# No cert available yet, tell certmonger to wait another 8 hours
return (WAIT_WITH_DELAY, 8 * 60 * 60, '')
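Review bot: The comment on the new HSM branch, `# HSMs must be networked so the cert is already present` / `# exception of the RA Agent certificate.`, is ungrammatical and does not state why a certificate that equals `old_cert` is reported back as `ISSUED`; a maintainer reading the `new_cert == old_cert` check will otherwise take this for a no-op path. Suggest `# On an HSM deployment the certificate is already present, so an unchanged cert is treated as issued; the RA Agent certificate ('ipaCert') is the exception and still falls through to the wait below.` The `sysrestore.StateFile(paths.SYSRESTORE)` is opened on every pass through this branch; if the state file can be absent on some hosts that case is not handled here, but I cannot confirm from the hunk. `retrieve_cert_continuous` and the definition of `old_cert` start outside the hunk.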


@@ -36,8 +36,8 @@ def run_operation(cmd):
result = ipautil.run(cmd, raiseonerr=False, env=os.environ)
# Write bytes directly
sys.stdout.buffer.write(result.raw_output) #pylint: disable=no-member
sys.stderr.buffer.write(result.raw_error_output) #pylint: disable=no-member
sys.stdout.buffer.write(result.raw_output)
sys.stderr.buffer.write(result.raw_error_output)
sys.stdout.flush()
sys.stderr.flush()


@@ -1,7 +1,7 @@
# Makefile.in generated by automake 1.16.2 from Makefile.am.
# Makefile.in generated by automake 1.17 from Makefile.am.
# @configure_input@
# Copyright (C) 1994-2020 Free Software Foundation, Inc.
# Copyright (C) 1994-2024 Free Software Foundation, Inc.
# This Makefile.in is free software; the Free Software Foundation
# gives unlimited permission to copy and/or distribute it,
@@ -71,6 +71,8 @@ am__make_running_with_option = \
test $$has_opt = yes
am__make_dryrun = (target_option=n; $(am__make_running_with_option))
am__make_keepgoing = (target_option=k; $(am__make_running_with_option))
am__rm_f = rm -f $(am__rm_f_notfound)
am__rm_rf = rm -rf $(am__rm_f_notfound)
pkgdatadir = $(datadir)/@PACKAGE@
pkgincludedir = $(includedir)/@PACKAGE@
pkglibdir = $(libdir)/@PACKAGE@
@@ -130,10 +132,9 @@ am__base_list = \
sed '$$!N;$$!N;$$!N;$$!N;$$!N;$$!N;$$!N;s/\n/ /g' | \
sed '$$!N;$$!N;$$!N;$$!N;s/\n/ /g'
am__uninstall_files_from_dir = { \
test -z "$$files" \
|| { test ! -d "$$dir" && test ! -f "$$dir" && test ! -r "$$dir"; } \
|| { echo " ( cd '$$dir' && rm -f" $$files ")"; \
$(am__cd) "$$dir" && rm -f $$files; }; \
{ test ! -d "$$dir" && test ! -f "$$dir" && test ! -r "$$dir"; } \
|| { echo " ( cd '$$dir' && rm -f" $$files ")"; \
$(am__cd) "$$dir" && echo $$files | $(am__xargs_n) 40 $(am__rm_f); }; \
}
am__installdirs = "$(DESTDIR)$(appdir)"
SCRIPTS = $(nodist_app_SCRIPTS)
@@ -180,6 +181,8 @@ CPP = @CPP@
CPPFLAGS = @CPPFLAGS@
CRYPTO_CFLAGS = @CRYPTO_CFLAGS@
CRYPTO_LIBS = @CRYPTO_LIBS@
CSCOPE = @CSCOPE@
CTAGS = @CTAGS@
CYGPATH_W = @CYGPATH_W@
DATA_VERSION = @DATA_VERSION@
DEFS = @DEFS@
@@ -193,8 +196,10 @@ ECHO_C = @ECHO_C@
ECHO_N = @ECHO_N@
ECHO_T = @ECHO_T@
EGREP = @EGREP@
ETAGS = @ETAGS@
EXEEXT = @EXEEXT@
FGREP = @FGREP@
FILECMD = @FILECMD@
GETTEXT_DOMAIN = @GETTEXT_DOMAIN@
GETTEXT_MACRO_VERSION = @GETTEXT_MACRO_VERSION@
GIT_BRANCH = @GIT_BRANCH@
@@ -202,6 +207,7 @@ GIT_VERSION = @GIT_VERSION@
GMSGFMT = @GMSGFMT@
GMSGFMT_015 = @GMSGFMT_015@
GREP = @GREP@
HTTPD_GROUP = @HTTPD_GROUP@
INI_CFLAGS = @INI_CFLAGS@
INI_LIBS = @INI_LIBS@
INSTALL = @INSTALL@
@@ -214,9 +220,12 @@ INTL_MACOSX_LIBS = @INTL_MACOSX_LIBS@
IPAPLATFORM = @IPAPLATFORM@
IPA_DATA_DIR = @IPA_DATA_DIR@
IPA_SYSCONF_DIR = @IPA_SYSCONF_DIR@
JANSSON_CFLAGS = @JANSSON_CFLAGS@
JANSSON_LIBS = @JANSSON_LIBS@
JSLINT = @JSLINT@
KRAD_LIBS = @KRAD_LIBS@
KRB5KDC_SERVICE = @KRB5KDC_SERVICE@
KRB5_BUILD_VERSION = @KRB5_BUILD_VERSION@
KRB5_CFLAGS = @KRB5_CFLAGS@
KRB5_GSSAPI_CFLAGS = @KRB5_GSSAPI_CFLAGS@
KRB5_GSSAPI_LIBS = @KRB5_GSSAPI_LIBS@
@@ -225,6 +234,8 @@ LD = @LD@
LDAP_CFLAGS = @LDAP_CFLAGS@
LDAP_LIBS = @LDAP_LIBS@
LDFLAGS = @LDFLAGS@
LIBCURL_CFLAGS = @LIBCURL_CFLAGS@
LIBCURL_LIBS = @LIBCURL_LIBS@
LIBICONV = @LIBICONV@
LIBINTL = @LIBINTL@
LIBINTL_LIBS = @LIBINTL_LIBS@
@@ -284,6 +295,8 @@ PLATFORM_PYTHON = @PLATFORM_PYTHON@
POPT_CFLAGS = @POPT_CFLAGS@
POPT_LIBS = @POPT_LIBS@
POSUB = @POSUB@
PWQUALITY_CFLAGS = @PWQUALITY_CFLAGS@
PWQUALITY_LIBS = @PWQUALITY_LIBS@
PYLINT = @PYLINT@
PYTHON = @PYTHON@
PYTHON_EXEC_PREFIX = @PYTHON_EXEC_PREFIX@
@@ -292,9 +305,12 @@ PYTHON_PLATFORM = @PYTHON_PLATFORM@
PYTHON_PREFIX = @PYTHON_PREFIX@
PYTHON_VERSION = @PYTHON_VERSION@
RANLIB = @RANLIB@
RESOLV_LIBS = @RESOLV_LIBS@
RPMLINT = @RPMLINT@
SAMBA40EXTRA_LIBPATH = @SAMBA40EXTRA_LIBPATH@
SAMBAUTIL_CFLAGS = @SAMBAUTIL_CFLAGS@
SAMBAUTIL_LIBS = @SAMBAUTIL_LIBS@
SAMBA_SECURITY_LIBS = @SAMBA_SECURITY_LIBS@
SASL_CFLAGS = @SASL_CFLAGS@
SASL_LIBS = @SASL_LIBS@
SED = @SED@
@@ -333,8 +349,10 @@ ac_ct_DUMPBIN = @ac_ct_DUMPBIN@
am__include = @am__include@
am__leading_dot = @am__leading_dot@
am__quote = @am__quote@
am__rm_f_notfound = @am__rm_f_notfound@
am__tar = @am__tar@
am__untar = @am__untar@
am__xargs_n = @am__xargs_n@
bindir = @bindir@
build = @build@
build_alias = @build_alias@
@@ -380,6 +398,7 @@ sharedstatedir = @sharedstatedir@
srcdir = @srcdir@
sysconfdir = @sysconfdir@
sysconfenvdir = @sysconfenvdir@
systemdcatalogdir = @systemdcatalogdir@
systemdsystemunitdir = @systemdsystemunitdir@
systemdtmpfilesdir = @systemdtmpfilesdir@
target_alias = @target_alias@
@@ -484,7 +503,6 @@ ctags CTAGS:
cscope cscopelist:
distdir: $(BUILT_SOURCES)
$(MAKE) $(AM_MAKEFLAGS) distdir-am
@@ -547,11 +565,11 @@ install-strip:
mostlyclean-generic:
clean-generic:
-test -z "$(CLEANFILES)" || rm -f $(CLEANFILES)
-$(am__rm_f) $(CLEANFILES)
distclean-generic:
-test -z "$(CONFIG_CLEAN_FILES)" || rm -f $(CONFIG_CLEAN_FILES)
-test . = "$(srcdir)" || test -z "$(CONFIG_CLEAN_VPATH_FILES)" || rm -f $(CONFIG_CLEAN_VPATH_FILES)
-$(am__rm_f) $(CONFIG_CLEAN_FILES)
-test . = "$(srcdir)" || $(am__rm_f) $(CONFIG_CLEAN_VPATH_FILES)
maintainer-clean-generic:
@echo "This command is intended for maintainers to use"
@@ -651,3 +669,10 @@ python_scripts_sub: $(PYTHON_SHEBANG)
# Tell versions [3.59,3.63) of GNU make to not export all variables.
# Otherwise a system limit (for SysV at least) may be exceeded.
.NOEXPORT:
# Tell GNU make to disable its built-in pattern rules.
%:: %,v
%:: RCS/%,v
%:: RCS/%
%:: s.%
%:: SCCS/s.%


@@ -1,7 +1,7 @@
# Makefile.in generated by automake 1.16.2 from Makefile.am.
# Makefile.in generated by automake 1.17 from Makefile.am.
# @configure_input@
# Copyright (C) 1994-2020 Free Software Foundation, Inc.
# Copyright (C) 1994-2024 Free Software Foundation, Inc.
# This Makefile.in is free software; the Free Software Foundation
# gives unlimited permission to copy and/or distribute it,
@@ -70,6 +70,8 @@ am__make_running_with_option = \
test $$has_opt = yes
am__make_dryrun = (target_option=n; $(am__make_running_with_option))
am__make_keepgoing = (target_option=k; $(am__make_running_with_option))
am__rm_f = rm -f $(am__rm_f_notfound)
am__rm_rf = rm -rf $(am__rm_f_notfound)
pkgdatadir = $(datadir)/@PACKAGE@
pkgincludedir = $(includedir)/@PACKAGE@
pkglibdir = $(libdir)/@PACKAGE@
@@ -147,10 +149,9 @@ am__base_list = \
sed '$$!N;$$!N;$$!N;$$!N;$$!N;$$!N;$$!N;s/\n/ /g' | \
sed '$$!N;$$!N;$$!N;$$!N;s/\n/ /g'
am__uninstall_files_from_dir = { \
test -z "$$files" \
|| { test ! -d "$$dir" && test ! -f "$$dir" && test ! -r "$$dir"; } \
|| { echo " ( cd '$$dir' && rm -f" $$files ")"; \
$(am__cd) "$$dir" && rm -f $$files; }; \
{ test ! -d "$$dir" && test ! -f "$$dir" && test ! -r "$$dir"; } \
|| { echo " ( cd '$$dir' && rm -f" $$files ")"; \
$(am__cd) "$$dir" && echo $$files | $(am__xargs_n) 40 $(am__rm_f); }; \
}
am__installdirs = "$(DESTDIR)$(appdir)"
DATA = $(app_DATA)
@@ -176,6 +177,8 @@ CPP = @CPP@
CPPFLAGS = @CPPFLAGS@
CRYPTO_CFLAGS = @CRYPTO_CFLAGS@
CRYPTO_LIBS = @CRYPTO_LIBS@
CSCOPE = @CSCOPE@
CTAGS = @CTAGS@
CYGPATH_W = @CYGPATH_W@
DATA_VERSION = @DATA_VERSION@
DEFS = @DEFS@
@@ -189,8 +192,10 @@ ECHO_C = @ECHO_C@
ECHO_N = @ECHO_N@
ECHO_T = @ECHO_T@
EGREP = @EGREP@
ETAGS = @ETAGS@
EXEEXT = @EXEEXT@
FGREP = @FGREP@
FILECMD = @FILECMD@
GETTEXT_DOMAIN = @GETTEXT_DOMAIN@
GETTEXT_MACRO_VERSION = @GETTEXT_MACRO_VERSION@
GIT_BRANCH = @GIT_BRANCH@
@@ -198,6 +203,7 @@ GIT_VERSION = @GIT_VERSION@
GMSGFMT = @GMSGFMT@
GMSGFMT_015 = @GMSGFMT_015@
GREP = @GREP@
HTTPD_GROUP = @HTTPD_GROUP@
INI_CFLAGS = @INI_CFLAGS@
INI_LIBS = @INI_LIBS@
INSTALL = @INSTALL@
@@ -210,9 +216,12 @@ INTL_MACOSX_LIBS = @INTL_MACOSX_LIBS@
IPAPLATFORM = @IPAPLATFORM@
IPA_DATA_DIR = @IPA_DATA_DIR@
IPA_SYSCONF_DIR = @IPA_SYSCONF_DIR@
JANSSON_CFLAGS = @JANSSON_CFLAGS@
JANSSON_LIBS = @JANSSON_LIBS@
JSLINT = @JSLINT@
KRAD_LIBS = @KRAD_LIBS@
KRB5KDC_SERVICE = @KRB5KDC_SERVICE@
KRB5_BUILD_VERSION = @KRB5_BUILD_VERSION@
KRB5_CFLAGS = @KRB5_CFLAGS@
KRB5_GSSAPI_CFLAGS = @KRB5_GSSAPI_CFLAGS@
KRB5_GSSAPI_LIBS = @KRB5_GSSAPI_LIBS@
@@ -221,6 +230,8 @@ LD = @LD@
LDAP_CFLAGS = @LDAP_CFLAGS@
LDAP_LIBS = @LDAP_LIBS@
LDFLAGS = @LDFLAGS@
LIBCURL_CFLAGS = @LIBCURL_CFLAGS@
LIBCURL_LIBS = @LIBCURL_LIBS@
LIBICONV = @LIBICONV@
LIBINTL = @LIBINTL@
LIBINTL_LIBS = @LIBINTL_LIBS@
@@ -280,6 +291,8 @@ PLATFORM_PYTHON = @PLATFORM_PYTHON@
POPT_CFLAGS = @POPT_CFLAGS@
POPT_LIBS = @POPT_LIBS@
POSUB = @POSUB@
PWQUALITY_CFLAGS = @PWQUALITY_CFLAGS@
PWQUALITY_LIBS = @PWQUALITY_LIBS@
PYLINT = @PYLINT@
PYTHON = @PYTHON@
PYTHON_EXEC_PREFIX = @PYTHON_EXEC_PREFIX@
@@ -288,9 +301,12 @@ PYTHON_PLATFORM = @PYTHON_PLATFORM@
PYTHON_PREFIX = @PYTHON_PREFIX@
PYTHON_VERSION = @PYTHON_VERSION@
RANLIB = @RANLIB@
RESOLV_LIBS = @RESOLV_LIBS@
RPMLINT = @RPMLINT@
SAMBA40EXTRA_LIBPATH = @SAMBA40EXTRA_LIBPATH@
SAMBAUTIL_CFLAGS = @SAMBAUTIL_CFLAGS@
SAMBAUTIL_LIBS = @SAMBAUTIL_LIBS@
SAMBA_SECURITY_LIBS = @SAMBA_SECURITY_LIBS@
SASL_CFLAGS = @SASL_CFLAGS@
SASL_LIBS = @SASL_LIBS@
SED = @SED@
@@ -329,8 +345,10 @@ ac_ct_DUMPBIN = @ac_ct_DUMPBIN@
am__include = @am__include@
am__leading_dot = @am__leading_dot@
am__quote = @am__quote@
am__rm_f_notfound = @am__rm_f_notfound@
am__tar = @am__tar@
am__untar = @am__untar@
am__xargs_n = @am__xargs_n@
bindir = @bindir@
build = @build@
build_alias = @build_alias@
@@ -376,6 +394,7 @@ sharedstatedir = @sharedstatedir@
srcdir = @srcdir@
sysconfdir = @sysconfdir@
sysconfenvdir = @sysconfenvdir@
systemdcatalogdir = @systemdcatalogdir@
systemdsystemunitdir = @systemdsystemunitdir@
systemdtmpfilesdir = @systemdtmpfilesdir@
target_alias = @target_alias@
@@ -465,7 +484,6 @@ ctags CTAGS:
cscope cscopelist:
distdir: $(BUILT_SOURCES)
$(MAKE) $(AM_MAKEFLAGS) distdir-am
@@ -530,8 +548,8 @@ mostlyclean-generic:
clean-generic:
distclean-generic:
-test -z "$(CONFIG_CLEAN_FILES)" || rm -f $(CONFIG_CLEAN_FILES)
-test . = "$(srcdir)" || test -z "$(CONFIG_CLEAN_VPATH_FILES)" || rm -f $(CONFIG_CLEAN_VPATH_FILES)
-$(am__rm_f) $(CONFIG_CLEAN_FILES)
-test . = "$(srcdir)" || $(am__rm_f) $(CONFIG_CLEAN_VPATH_FILES)
maintainer-clean-generic:
@echo "This command is intended for maintainers to use"
@@ -631,3 +649,10 @@ install-data-hook:
# Tell versions [3.59,3.63) of GNU make to not export all variables.
# Otherwise a system limit (for SysV at least) may be exceeded.
.NOEXPORT:
# Tell GNU make to disable its built-in pattern rules.
%:: %,v
%:: RCS/%,v
%:: RCS/%
%:: s.%
%:: SCCS/s.%


@@ -2,7 +2,7 @@
<html>
<head>
<meta charset="utf-8">
<title>IPA: Identity Policy Audit</title>
<title>Identity Management</title>
<script type="text/javascript" src="../ui/js/libs/loader.js"></script>
<script type="text/javascript">
var dojoConfig = {
@@ -69,7 +69,7 @@
<nav class="navbar navbar-default navbar-pf" role="navigation">
<div class="navbar-header">
<a class="brand" href="../ui/index.html"><img src="../ui/images/header-logo.png" alt="FreeIPA"></a>
<a class="brand" href="../ui/index.html"><img src="../ui/images/header-logo.png" alt="Identity Management"></a>
</div>
</nav>


@@ -2,7 +2,7 @@
<html>
<head>
<meta charset="utf-8">
<title>IPA: Identity Policy Audit</title>
<title>Identity Management</title>
<script type="text/javascript" src="../ui/js/libs/loader.js"></script>
<script type="text/javascript">
var dojoConfig = {
@@ -62,7 +62,7 @@
<nav class="navbar navbar-default navbar-pf" role="navigation">
<div class="navbar-header">
<a class="brand" href="../ui/index.html"><img src="../ui/images/header-logo.png" alt="FreeIPA"></a>
<a class="brand" href="../ui/index.html"><img src="../ui/images/header-logo.png" alt="Identity Management"></a>
</div>
</nav>


@@ -1,7 +1,7 @@
# Makefile.in generated by automake 1.16.2 from Makefile.am.
# Makefile.in generated by automake 1.17 from Makefile.am.
# @configure_input@
# Copyright (C) 1994-2020 Free Software Foundation, Inc.
# Copyright (C) 1994-2024 Free Software Foundation, Inc.
# This Makefile.in is free software; the Free Software Foundation
# gives unlimited permission to copy and/or distribute it,
@@ -70,6 +70,8 @@ am__make_running_with_option = \
test $$has_opt = yes
am__make_dryrun = (target_option=n; $(am__make_running_with_option))
am__make_keepgoing = (target_option=k; $(am__make_running_with_option))
am__rm_f = rm -f $(am__rm_f_notfound)
am__rm_rf = rm -rf $(am__rm_f_notfound)
pkgdatadir = $(datadir)/@PACKAGE@
pkgincludedir = $(includedir)/@PACKAGE@
pkglibdir = $(libdir)/@PACKAGE@
@@ -147,10 +149,9 @@ am__base_list = \
sed '$$!N;$$!N;$$!N;$$!N;$$!N;$$!N;$$!N;s/\n/ /g' | \
sed '$$!N;$$!N;$$!N;$$!N;s/\n/ /g'
am__uninstall_files_from_dir = { \
test -z "$$files" \
|| { test ! -d "$$dir" && test ! -f "$$dir" && test ! -r "$$dir"; } \
|| { echo " ( cd '$$dir' && rm -f" $$files ")"; \
$(am__cd) "$$dir" && rm -f $$files; }; \
{ test ! -d "$$dir" && test ! -f "$$dir" && test ! -r "$$dir"; } \
|| { echo " ( cd '$$dir' && rm -f" $$files ")"; \
$(am__cd) "$$dir" && echo $$files | $(am__xargs_n) 40 $(am__rm_f); }; \
}
am__installdirs = "$(DESTDIR)$(appdir)"
DATA = $(app_DATA)
@@ -176,6 +177,8 @@ CPP = @CPP@
CPPFLAGS = @CPPFLAGS@
CRYPTO_CFLAGS = @CRYPTO_CFLAGS@
CRYPTO_LIBS = @CRYPTO_LIBS@
CSCOPE = @CSCOPE@
CTAGS = @CTAGS@
CYGPATH_W = @CYGPATH_W@
DATA_VERSION = @DATA_VERSION@
DEFS = @DEFS@
@@ -189,8 +192,10 @@ ECHO_C = @ECHO_C@
ECHO_N = @ECHO_N@
ECHO_T = @ECHO_T@
EGREP = @EGREP@
ETAGS = @ETAGS@
EXEEXT = @EXEEXT@
FGREP = @FGREP@
FILECMD = @FILECMD@
GETTEXT_DOMAIN = @GETTEXT_DOMAIN@
GETTEXT_MACRO_VERSION = @GETTEXT_MACRO_VERSION@
GIT_BRANCH = @GIT_BRANCH@
@@ -198,6 +203,7 @@ GIT_VERSION = @GIT_VERSION@
GMSGFMT = @GMSGFMT@
GMSGFMT_015 = @GMSGFMT_015@
GREP = @GREP@
HTTPD_GROUP = @HTTPD_GROUP@
INI_CFLAGS = @INI_CFLAGS@
INI_LIBS = @INI_LIBS@
INSTALL = @INSTALL@
@@ -210,9 +216,12 @@ INTL_MACOSX_LIBS = @INTL_MACOSX_LIBS@
IPAPLATFORM = @IPAPLATFORM@
IPA_DATA_DIR = @IPA_DATA_DIR@
IPA_SYSCONF_DIR = @IPA_SYSCONF_DIR@
JANSSON_CFLAGS = @JANSSON_CFLAGS@
JANSSON_LIBS = @JANSSON_LIBS@
JSLINT = @JSLINT@
KRAD_LIBS = @KRAD_LIBS@
KRB5KDC_SERVICE = @KRB5KDC_SERVICE@
KRB5_BUILD_VERSION = @KRB5_BUILD_VERSION@
KRB5_CFLAGS = @KRB5_CFLAGS@
KRB5_GSSAPI_CFLAGS = @KRB5_GSSAPI_CFLAGS@
KRB5_GSSAPI_LIBS = @KRB5_GSSAPI_LIBS@
@@ -221,6 +230,8 @@ LD = @LD@
LDAP_CFLAGS = @LDAP_CFLAGS@
LDAP_LIBS = @LDAP_LIBS@
LDFLAGS = @LDFLAGS@
LIBCURL_CFLAGS = @LIBCURL_CFLAGS@
LIBCURL_LIBS = @LIBCURL_LIBS@
LIBICONV = @LIBICONV@
LIBINTL = @LIBINTL@
LIBINTL_LIBS = @LIBINTL_LIBS@
@@ -280,6 +291,8 @@ PLATFORM_PYTHON = @PLATFORM_PYTHON@
POPT_CFLAGS = @POPT_CFLAGS@
POPT_LIBS = @POPT_LIBS@
POSUB = @POSUB@
PWQUALITY_CFLAGS = @PWQUALITY_CFLAGS@
PWQUALITY_LIBS = @PWQUALITY_LIBS@
PYLINT = @PYLINT@
PYTHON = @PYTHON@
PYTHON_EXEC_PREFIX = @PYTHON_EXEC_PREFIX@
@@ -288,9 +301,12 @@ PYTHON_PLATFORM = @PYTHON_PLATFORM@
PYTHON_PREFIX = @PYTHON_PREFIX@
PYTHON_VERSION = @PYTHON_VERSION@
RANLIB = @RANLIB@
RESOLV_LIBS = @RESOLV_LIBS@
RPMLINT = @RPMLINT@
SAMBA40EXTRA_LIBPATH = @SAMBA40EXTRA_LIBPATH@
SAMBAUTIL_CFLAGS = @SAMBAUTIL_CFLAGS@
SAMBAUTIL_LIBS = @SAMBAUTIL_LIBS@
SAMBA_SECURITY_LIBS = @SAMBA_SECURITY_LIBS@
SASL_CFLAGS = @SASL_CFLAGS@
SASL_LIBS = @SASL_LIBS@
SED = @SED@
@@ -329,8 +345,10 @@ ac_ct_DUMPBIN = @ac_ct_DUMPBIN@
am__include = @am__include@
am__leading_dot = @am__leading_dot@
am__quote = @am__quote@
am__rm_f_notfound = @am__rm_f_notfound@
am__tar = @am__tar@
am__untar = @am__untar@
am__xargs_n = @am__xargs_n@
bindir = @bindir@
build = @build@
build_alias = @build_alias@
@@ -376,6 +394,7 @@ sharedstatedir = @sharedstatedir@
srcdir = @srcdir@
sysconfdir = @sysconfdir@
sysconfenvdir = @sysconfenvdir@
systemdcatalogdir = @systemdcatalogdir@
systemdsystemunitdir = @systemdsystemunitdir@
systemdtmpfilesdir = @systemdtmpfilesdir@
target_alias = @target_alias@
@@ -458,7 +477,6 @@ ctags CTAGS:
cscope cscopelist:
distdir: $(BUILT_SOURCES)
$(MAKE) $(AM_MAKEFLAGS) distdir-am
@@ -523,8 +541,8 @@ mostlyclean-generic:
clean-generic:
distclean-generic:
-test -z "$(CONFIG_CLEAN_FILES)" || rm -f $(CONFIG_CLEAN_FILES)
-test . = "$(srcdir)" || test -z "$(CONFIG_CLEAN_VPATH_FILES)" || rm -f $(CONFIG_CLEAN_VPATH_FILES)
-$(am__rm_f) $(CONFIG_CLEAN_FILES)
-test . = "$(srcdir)" || $(am__rm_f) $(CONFIG_CLEAN_VPATH_FILES)
maintainer-clean-generic:
@echo "This command is intended for maintainers to use"
@@ -616,3 +634,10 @@ uninstall-am: uninstall-appDATA
# Tell versions [3.59,3.63) of GNU make to not export all variables.
# Otherwise a system limit (for SysV at least) may be exceeded.
.NOEXPORT:
# Tell GNU make to disable its built-in pattern rules.
%:: %,v
%:: RCS/%,v
%:: RCS/%
%:: s.%
%:: SCCS/s.%


@@ -2,7 +2,7 @@
<html>
<head>
<meta charset="utf-8">
<title>IPA: Identity Policy Audit</title>
<title>Identity Management</title>
<!--[if IE]>
<meta id="ie-detector">


@@ -21,7 +21,7 @@ Password migration script
"""
from __future__ import absolute_import
import cgi
from urllib.parse import parse_qs
import errno
import logging
import os.path
@@ -80,10 +80,28 @@ def application(environ, start_response):
if not content_type.startswith('application/x-www-form-urlencoded'):
return bad_request(start_response)
form_data = cgi.FieldStorage(fp=environ['wsgi.input'], environ=environ)
if 'username' not in form_data or 'password' not in form_data:
try:
length = int(environ.get("CONTENT_LENGTH"))
except (ValueError, TypeError):
return bad_request(start_response)
query_string = environ["wsgi.input"].read(length).decode("utf-8")
try:
query_dict = parse_qs(query_string)
except Exception:
return bad_request(start_response)
user_query = query_dict.get("username", None)
if user_query is None or len(user_query) != 1:
return bad_request(start_response)
username = user_query[0]
password_query = query_dict.get("password", None)
if password_query is None or len(password_query) != 1:
return bad_request(start_response)
password = password_query[0]
status = '200 Success'
response_headers = []
result = 'error'
@@ -93,8 +111,7 @@ def application(environ, start_response):
api = create_api(mode=None)
api.bootstrap(context='server', confdir=paths.ETC_IPA, in_server=True)
try:
bind(api.env.ldap_uri, api.env.basedn,
form_data['username'].value, form_data['password'].value)
bind(api.env.ldap_uri, api.env.basedn, username, password)
except IOError as err:
if err.errno == errno.EPERM:
result = 'invalid-password'
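Review bot: The body read at `query_string = environ["wsgi.input"].read(length).decode("utf-8")` is bounded only by the client-supplied `CONTENT_LENGTH`: a negative value makes `read()` consume to EOF and a very large value buffers the whole body in memory before anything is validated, while a username/password form only ever needs a small body. On the same line, `.decode("utf-8")` sits outside the `try` that guards `parse_qs`, so a non-UTF-8 body raises `UnicodeDecodeError` out of the handler instead of producing `bad_request`. Suggest rejecting out-of-range lengths and moving the decode inside the guarded block, as below. `application` starts outside the hunk, as does `bad_request`.
```python
    try:
        length = int(environ.get("CONTENT_LENGTH"))
    except (ValueError, TypeError):
        return bad_request(start_response)
    # MAX_FORM_BODY is a module-level cap to be added (constructed name);
    # a username/password form fits comfortably in a few kilobytes.
    if length <= 0 or length > MAX_FORM_BODY:
        return bad_request(start_response)
    try:
        query_string = environ["wsgi.input"].read(length).decode("utf-8")
        query_dict = parse_qs(query_string)
    except ValueError:  # UnicodeDecodeError is a ValueError subclass
        return bad_request(start_response)
    # … unchanged: username / password extraction and bind …
```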


@@ -7,6 +7,7 @@ dbusconfdir = $(sysconfdir)/dbus-1/system.d
dist_noinst_DATA = \
com.redhat.idm.trust-fetch-domains.in \
org.freeipa.server.trust-enable-agent.in \
org.freeipa.server.config-enable-sid.in \
etc/oddjobd.conf.d/oddjobd-ipa-trust.conf.in \
etc/oddjobd.conf.d/ipa-server.conf.in \
$(NULL)
@@ -18,6 +19,7 @@ dist_oddjob_SCRIPTS = \
nodist_oddjob_SCRIPTS = \
com.redhat.idm.trust-fetch-domains \
org.freeipa.server.trust-enable-agent \
org.freeipa.server.config-enable-sid \
$(NULL)


@@ -1,7 +1,7 @@
# Makefile.in generated by automake 1.16.2 from Makefile.am.
# Makefile.in generated by automake 1.17 from Makefile.am.
# @configure_input@
# Copyright (C) 1994-2020 Free Software Foundation, Inc.
# Copyright (C) 1994-2024 Free Software Foundation, Inc.
# This Makefile.in is free software; the Free Software Foundation
# gives unlimited permission to copy and/or distribute it,
@@ -71,6 +71,8 @@ am__make_running_with_option = \
test $$has_opt = yes
am__make_dryrun = (target_option=n; $(am__make_running_with_option))
am__make_keepgoing = (target_option=k; $(am__make_running_with_option))
am__rm_f = rm -f $(am__rm_f_notfound)
am__rm_rf = rm -rf $(am__rm_f_notfound)
pkgdatadir = $(datadir)/@PACKAGE@
pkgincludedir = $(includedir)/@PACKAGE@
pkglibdir = $(libdir)/@PACKAGE@
@@ -131,10 +133,9 @@ am__base_list = \
sed '$$!N;$$!N;$$!N;$$!N;$$!N;$$!N;$$!N;s/\n/ /g' | \
sed '$$!N;$$!N;$$!N;$$!N;s/\n/ /g'
am__uninstall_files_from_dir = { \
test -z "$$files" \
|| { test ! -d "$$dir" && test ! -f "$$dir" && test ! -r "$$dir"; } \
|| { echo " ( cd '$$dir' && rm -f" $$files ")"; \
$(am__cd) "$$dir" && rm -f $$files; }; \
{ test ! -d "$$dir" && test ! -f "$$dir" && test ! -r "$$dir"; } \
|| { echo " ( cd '$$dir' && rm -f" $$files ")"; \
$(am__cd) "$$dir" && echo $$files | $(am__xargs_n) 40 $(am__rm_f); }; \
}
am__installdirs = "$(DESTDIR)$(oddjobdir)" "$(DESTDIR)$(oddjobdir)" \
"$(DESTDIR)$(dbusconfdir)" "$(DESTDIR)$(oddjobconfdir)"
@@ -183,6 +184,8 @@ CPP = @CPP@
CPPFLAGS = @CPPFLAGS@
CRYPTO_CFLAGS = @CRYPTO_CFLAGS@
CRYPTO_LIBS = @CRYPTO_LIBS@
CSCOPE = @CSCOPE@
CTAGS = @CTAGS@
CYGPATH_W = @CYGPATH_W@
DATA_VERSION = @DATA_VERSION@
DEFS = @DEFS@
@@ -196,8 +199,10 @@ ECHO_C = @ECHO_C@
ECHO_N = @ECHO_N@
ECHO_T = @ECHO_T@
EGREP = @EGREP@
ETAGS = @ETAGS@
EXEEXT = @EXEEXT@
FGREP = @FGREP@
FILECMD = @FILECMD@
GETTEXT_DOMAIN = @GETTEXT_DOMAIN@
GETTEXT_MACRO_VERSION = @GETTEXT_MACRO_VERSION@
GIT_BRANCH = @GIT_BRANCH@
@@ -205,6 +210,7 @@ GIT_VERSION = @GIT_VERSION@
GMSGFMT = @GMSGFMT@
GMSGFMT_015 = @GMSGFMT_015@
GREP = @GREP@
HTTPD_GROUP = @HTTPD_GROUP@
INI_CFLAGS = @INI_CFLAGS@
INI_LIBS = @INI_LIBS@
INSTALL = @INSTALL@
@@ -217,9 +223,12 @@ INTL_MACOSX_LIBS = @INTL_MACOSX_LIBS@
IPAPLATFORM = @IPAPLATFORM@
IPA_DATA_DIR = @IPA_DATA_DIR@
IPA_SYSCONF_DIR = @IPA_SYSCONF_DIR@
JANSSON_CFLAGS = @JANSSON_CFLAGS@
JANSSON_LIBS = @JANSSON_LIBS@
JSLINT = @JSLINT@
KRAD_LIBS = @KRAD_LIBS@
KRB5KDC_SERVICE = @KRB5KDC_SERVICE@
KRB5_BUILD_VERSION = @KRB5_BUILD_VERSION@
KRB5_CFLAGS = @KRB5_CFLAGS@
KRB5_GSSAPI_CFLAGS = @KRB5_GSSAPI_CFLAGS@
KRB5_GSSAPI_LIBS = @KRB5_GSSAPI_LIBS@
@@ -228,6 +237,8 @@ LD = @LD@
LDAP_CFLAGS = @LDAP_CFLAGS@
LDAP_LIBS = @LDAP_LIBS@
LDFLAGS = @LDFLAGS@
LIBCURL_CFLAGS = @LIBCURL_CFLAGS@
LIBCURL_LIBS = @LIBCURL_LIBS@
LIBICONV = @LIBICONV@
LIBINTL = @LIBINTL@
LIBINTL_LIBS = @LIBINTL_LIBS@
@@ -287,6 +298,8 @@ PLATFORM_PYTHON = @PLATFORM_PYTHON@
POPT_CFLAGS = @POPT_CFLAGS@
POPT_LIBS = @POPT_LIBS@
POSUB = @POSUB@
PWQUALITY_CFLAGS = @PWQUALITY_CFLAGS@
PWQUALITY_LIBS = @PWQUALITY_LIBS@
PYLINT = @PYLINT@
PYTHON = @PYTHON@
PYTHON_EXEC_PREFIX = @PYTHON_EXEC_PREFIX@
@@ -295,9 +308,12 @@ PYTHON_PLATFORM = @PYTHON_PLATFORM@
PYTHON_PREFIX = @PYTHON_PREFIX@
PYTHON_VERSION = @PYTHON_VERSION@
RANLIB = @RANLIB@
RESOLV_LIBS = @RESOLV_LIBS@
RPMLINT = @RPMLINT@
SAMBA40EXTRA_LIBPATH = @SAMBA40EXTRA_LIBPATH@
SAMBAUTIL_CFLAGS = @SAMBAUTIL_CFLAGS@
SAMBAUTIL_LIBS = @SAMBAUTIL_LIBS@
SAMBA_SECURITY_LIBS = @SAMBA_SECURITY_LIBS@
SASL_CFLAGS = @SASL_CFLAGS@
SASL_LIBS = @SASL_LIBS@
SED = @SED@
@@ -336,8 +352,10 @@ ac_ct_DUMPBIN = @ac_ct_DUMPBIN@
am__include = @am__include@
am__leading_dot = @am__leading_dot@
am__quote = @am__quote@
am__rm_f_notfound = @am__rm_f_notfound@
am__tar = @am__tar@
am__untar = @am__untar@
am__xargs_n = @am__xargs_n@
bindir = @bindir@
build = @build@
build_alias = @build_alias@
@@ -383,6 +401,7 @@ sharedstatedir = @sharedstatedir@
srcdir = @srcdir@
sysconfdir = @sysconfdir@
sysconfenvdir = @sysconfenvdir@
systemdcatalogdir = @systemdcatalogdir@
systemdsystemunitdir = @systemdsystemunitdir@
systemdtmpfilesdir = @systemdtmpfilesdir@
target_alias = @target_alias@
@@ -396,6 +415,7 @@ dbusconfdir = $(sysconfdir)/dbus-1/system.d
dist_noinst_DATA = \
com.redhat.idm.trust-fetch-domains.in \
org.freeipa.server.trust-enable-agent.in \
org.freeipa.server.config-enable-sid.in \
etc/oddjobd.conf.d/oddjobd-ipa-trust.conf.in \
etc/oddjobd.conf.d/ipa-server.conf.in \
$(NULL)
@@ -407,6 +427,7 @@ dist_oddjob_SCRIPTS = \
nodist_oddjob_SCRIPTS = \
com.redhat.idm.trust-fetch-domains \
org.freeipa.server.trust-enable-agent \
org.freeipa.server.config-enable-sid \
$(NULL)
dist_dbusconf_DATA = \
@@ -578,7 +599,6 @@ ctags CTAGS:
cscope cscopelist:
distdir: $(BUILT_SOURCES)
$(MAKE) $(AM_MAKEFLAGS) distdir-am
@@ -641,11 +661,11 @@ install-strip:
mostlyclean-generic:
clean-generic:
-test -z "$(CLEANFILES)" || rm -f $(CLEANFILES)
-$(am__rm_f) $(CLEANFILES)
distclean-generic:
-test -z "$(CONFIG_CLEAN_FILES)" || rm -f $(CONFIG_CLEAN_FILES)
-test . = "$(srcdir)" || test -z "$(CONFIG_CLEAN_VPATH_FILES)" || rm -f $(CONFIG_CLEAN_VPATH_FILES)
-$(am__rm_f) $(CONFIG_CLEAN_FILES)
-test . = "$(srcdir)" || $(am__rm_f) $(CONFIG_CLEAN_VPATH_FILES)
maintainer-clean-generic:
@echo "This command is intended for maintainers to use"
@@ -754,3 +774,10 @@ python_scripts_sub: $(PYTHON_SHEBANG)
# Tell versions [3.59,3.63) of GNU make to not export all variables.
# Otherwise a system limit (for SysV at least) may be exceeded.
.NOEXPORT:
# Tell GNU make to disable its built-in pattern rules.
%:: %,v
%:: RCS/%,v
%:: RCS/%
%:: s.%
%:: SCCS/s.%


@@ -4,22 +4,18 @@ from ipaserver import dcerpc
from ipaserver.install.installutils import ScriptError
from ipapython import config, ipautil
from ipalib import api
from ipalib.facts import is_ipa_configured
from ipapython.dn import DN
from ipapython.dnsutil import DNSName
from ipaplatform.constants import constants
from ipaplatform.paths import paths
import io
import sys
import os
import pwd
import tempfile
import textwrap
import six
import gssapi
from ipalib.install.kinit import kinit_keytab, kinit_password
from ipapython.admintool import admin_cleanup_global_argv
if six.PY3:
unicode = str
@@ -57,11 +53,13 @@ def parse_options():
"--password",
action="store",
dest="password",
help="Display debugging information",
help="Password for Active Directory administrator",
sensitive=True
)
options, args = parser.parse_args()
safe_options = parser.get_safe_opts(options)
admin_cleanup_global_argv(parser, options, sys.argv)
# We only use first argument of the passed args but as D-BUS interface
# in oddjobd cannot expose optional, we fill in empty slots from IPA side
@@ -97,9 +95,8 @@ def retrieve_keytab(api, ccache_name, oneway_keytab_name, oneway_principal):
)
# Make sure SSSD is able to read the keytab
try:
sssd = pwd.getpwnam(constants.SSSD_USER)
os.chown(oneway_keytab_name, sssd[2], sssd[3])
except KeyError:
constants.SSSD_USER.chown(oneway_keytab_name)
except ValueError:
# If user 'sssd' does not exist, we don't need to chown from root to sssd
# because it means SSSD does not run as sssd user
pass
@@ -123,43 +120,6 @@ def get_forest_root_domain(api_instance, trusted_domain, server=None):
return remote_domain.info["dns_forest"]
def generate_krb5_config(realm, server):
"""Generate override krb5 config file for trusted domain DC access
:param realm: realm of the trusted AD domain
:param server: server to override KDC to
:returns: tuple (temporary config file name, KRB5_CONFIG string)
"""
cfg = paths.KRB5_CONF
tcfg = None
if server:
content = textwrap.dedent(u"""
[realms]
%s = {
kdc = %s
}
""") % (
realm.upper(),
server,
)
(fd, tcfg) = tempfile.mkstemp(dir="/run/ipa",
prefix="krb5conf", text=True)
with io.open(fd, mode='w', encoding='utf-8') as o:
o.write(content)
cfg = ":".join([tcfg, cfg])
return (tcfg, cfg)
if not is_ipa_configured():
# LSB status code 6: program is not configured
raise ScriptError(
"IPA is not configured "
+ "(see man pages of ipa-server-install for help)",
6,
)
if not os.getegid() == 0:
# LSB status code 4: user had insufficient privilege
raise ScriptError("You must be root to run ipactl.", 4)
@@ -221,7 +181,9 @@ api.Backend.ldap2.connect(ccache_name)
# Retrieve own NetBIOS name and trusted forest's name.
# We use script's input to retrieve the trusted forest's name to sanitize input
# for file-level access as we might need to wipe out keytab in /var/lib/sss/keytabs
# for file-level access as we might need to wipe out keytab in
# paths.SSSD_KEYTABS_DIR
own_trust_dn = DN(
("cn", api.env.domain), ("cn", "ad"), ("cn", "etc"), api.env.basedn
)
@@ -236,97 +198,95 @@ trusted_domain = trusted_domain_entry.single_value.get("cn").lower()
# At this point if we didn't find trusted forest name, an exception will be raised
# and script will quit. This is actually intended.
rc = 0
# Generate MIT Kerberos configuration file that potentially overlays
# the KDC to connect to for a trusted domain to allow --server option
# to take precedence.
cfg_file, cfg = generate_krb5_config(trusted_domain, options.server)
with ipautil.private_krb5_config(trusted_domain, options.server) as cfg_file:
if not (options.admin and options.password):
oneway_keytab_name = os.path.join(paths.SSSD_KEYTABS_DIR,
trusted_domain + ".keytab")
if not (options.admin and options.password):
oneway_keytab_name = "/var/lib/sss/keytabs/" + trusted_domain + ".keytab"
oneway_principal = str(
"%s$@%s" % (own_trust_flatname, trusted_domain.upper())
)
oneway_principal = str(
"%s$@%s" % (own_trust_flatname, trusted_domain.upper())
)
# If keytab does not exist, retrieve it
if not os.path.isfile(oneway_keytab_name):
retrieve_keytab(api, ccache_name, oneway_keytab_name, oneway_principal)
# If keytab does not exist, retrieve it
if not os.path.isfile(oneway_keytab_name):
retrieve_keytab(api, ccache_name,
oneway_keytab_name, oneway_principal)
try:
have_ccache = False
try:
# The keytab may have stale key material (from older trust-add run)
have_ccache = False
try:
# The keytab may have stale key material (from older trust-add run)
cred = kinit_keytab(
oneway_principal,
oneway_keytab_name,
oneway_ccache_name,
)
if cred.lifetime > 0:
have_ccache = True
except (gssapi.exceptions.ExpiredCredentialsError, gssapi.raw.misc.GSSError):
pass
if not have_ccache:
if os.path.exists(oneway_ccache_name):
os.unlink(oneway_ccache_name)
kinit_keytab(
oneway_principal,
oneway_keytab_name,
oneway_ccache_name,
)
except (gssapi.exceptions.GSSError, gssapi.raw.misc.GSSError):
# If there was failure on using keytab, assume it is stale and retrieve again
retrieve_keytab(api, ccache_name, oneway_keytab_name, oneway_principal)
if os.path.exists(oneway_ccache_name):
os.unlink(oneway_ccache_name)
cred = kinit_keytab(
oneway_principal,
oneway_keytab_name,
oneway_ccache_name,
config=cfg,
)
if cred.lifetime > 0:
have_ccache = True
except (gssapi.exceptions.ExpiredCredentialsError, gssapi.raw.misc.GSSError):
pass
if not have_ccache:
if os.path.exists(oneway_ccache_name):
os.unlink(oneway_ccache_name)
kinit_keytab(
oneway_principal,
oneway_keytab_name,
oneway_ccache_name,
config=cfg,
)
except (gssapi.exceptions.GSSError, gssapi.raw.misc.GSSError):
# If there was failure on using keytab, assume it is stale and retrieve again
retrieve_keytab(api, ccache_name, oneway_keytab_name, oneway_principal)
if os.path.exists(oneway_ccache_name):
os.unlink(oneway_ccache_name)
cred = kinit_keytab(
oneway_principal,
oneway_keytab_name,
else:
cred = kinit_password(
options.admin,
options.password,
oneway_ccache_name,
config=cfg,
canonicalize=True,
enterprise=True,
)
else:
cred = kinit_password(
options.admin,
options.password,
oneway_ccache_name,
canonicalize=True,
enterprise=True,
config=cfg,
if cred and cred.lifetime > 0:
have_ccache = True
if not have_ccache:
rc = 1
raise GeneratorExit
# We are done: we have ccache with TDO credentials and can fetch domains
ipa_domain = api.env.domain
os.environ["KRB5CCNAME"] = oneway_ccache_name
# retrieve the forest root domain name and contact it to retrieve trust
# topology info
forest_root = get_forest_root_domain(
api, trusted_domain, server=options.server
)
domains = dcerpc.fetch_domains(
api, ipa_domain, forest_root, creds=True, server=options.server
)
if cred and cred.lifetime > 0:
have_ccache = True
# We still need to use the override for KDC configuration in case the --server
# was forced, thus only switch to the old ccache.
if old_ccache:
os.environ["KRB5CCNAME"] = old_ccache
if not have_ccache:
sys.exit(1)
# We are done: we have ccache with TDO credentials and can fetch domains
ipa_domain = api.env.domain
os.environ["KRB5CCNAME"] = oneway_ccache_name
os.environ["KRB5_CONFIG"] = cfg
trust_domain_object = api.Command.trust_show(trusted_domain, raw=True)[
"result"
]
# retrieve the forest root domain name and contact it to retrieve trust
# topology info
forest_root = get_forest_root_domain(
api, trusted_domain, server=options.server
)
domains = dcerpc.fetch_domains(
api, ipa_domain, forest_root, creds=True, server=options.server
)
trust.add_new_domains_from_trust(api, None, trust_domain_object, domains)
if old_ccache:
os.environ["KRB5CCNAME"] = old_ccache
if old_config:
os.environ["KRB5_CONFIG"] = old_config
if cfg_file:
os.remove(cfg_file)
trust_domain_object = api.Command.trust_show(trusted_domain, raw=True)[
"result"
]
trust.add_new_domains_from_trust(api, None, trust_domain_object, domains)
sys.exit(0)
sys.exit(rc)
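Review bot: `raise GeneratorExit` after `rc = 1` in the `if not have_ccache:` branch is being used to leave the `with ipautil.private_krb5_config(...)` block early, but GeneratorExit is a BaseException; contextlib's `__exit__` re-raises it after the generator's cleanup unless the generator itself catches it, so unless `private_krb5_config` explicitly swallows GeneratorExit the script ends with a traceback and never reaches `sys.exit(rc)` (the removed code called `sys.exit(1)` directly). Keeping `rc = 1` and guarding the rest of the block with `if have_ccache:` — or moving the body into a function that returns early — avoids depending on that detail. The name bound by `as cfg_file` appears unused on the new side, so `with ipautil.private_krb5_config(trusted_domain, options.server):` would do, and the new `kinit_keytab`/`kinit_password` calls no longer pass `config=` while the `KRB5_CONFIG` restore done by the removed lines is gone, so this presumably relies on the context manager exporting and restoring `KRB5_CONFIG`; a one-line comment at the `with` line, such as `# private_krb5_config exports KRB5_CONFIG for the block and restores it on exit`, would record that once confirmed. The script body begins before the first hunk.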


@@ -17,6 +17,12 @@
prepend_user_name="no"
argument_passing_method="cmdline"/>
</method>
<method name="config_enable_sid">
<helper exec="/usr/local/libexec/ipa/oddjob/org.freeipa.server.config-enable-sid"
arguments="10"
prepend_user_name="no"
argument_passing_method="cmdline"/>
</method>
</interface>
<interface name="org.freedesktop.DBus.Introspectable">
<allow min_uid="0" max_uid="0"/>


@@ -17,6 +17,12 @@
prepend_user_name="no"
argument_passing_method="cmdline"/>
</method>
<method name="config_enable_sid">
<helper exec="@ODDJOBDIR@/org.freeipa.server.config-enable-sid"
arguments="10"
prepend_user_name="no"
argument_passing_method="cmdline"/>
</method>
</interface>
<interface name="org.freedesktop.DBus.Introspectable">
<allow min_uid="0" max_uid="0"/>
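Review bot: The new `config_enable_sid` method is exposed with `arguments="10"` and `argument_passing_method="cmdline"`, but nothing records why ten, and the helper it launches (org.freeipa.server.config-enable-sid.in, added in this commit) defines only three options; a short comment above the method such as `<!-- up to 10 cmdline tokens: --add-sids, --netbios-name NAME, --reset-netbios-name, plus the helper's global options -->` would document the contract for the next person who adds an option. The `<allow min_uid="0" max_uid="0"/>` visible at the end belongs to the Introspectable interface; the `<allow>` governing this method presumably sits on the enclosing interface outside the hunk, and since the helper runs as root it is worth confirming that restriction still covers the new method.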


@@ -0,0 +1,76 @@
#!/usr/bin/python3
#
# Copyright (C) 2021 FreeIPA Contributors see COPYING for license
#
import logging
from ipalib import api
from ipalib.install import sysrestore
from ipaplatform.paths import paths
from ipapython import ipaldap
from ipapython.admintool import AdminTool
from ipaserver.install import adtrust, adtrustinstance
logger = logging.getLogger(__name__)
class IPAConfigEnableSid(AdminTool):
command_name = "ipa-enable-sid"
log_file_name = paths.IPASERVER_ENABLESID_LOG
usage = "%prog"
description = "Enable SID generation"
@classmethod
def add_options(cls, parser):
super(IPAConfigEnableSid, cls).add_options(parser)
parser.add_option(
"--add-sids",
dest="add_sids", default=False, action="store_true",
help="Add SIDs for existing users and groups as the final step"
)
parser.add_option(
"--netbios-name",
dest="netbios_name", default=None,
help="NetBIOS name of the IPA domain"
)
parser.add_option(
"--reset-netbios-name",
dest="reset_netbios_name", default=False, action="store_true",
help="Force reset of the existing NetBIOS name"
)
def validate_options(self):
super(IPAConfigEnableSid, self).validate_options(needs_root=True)
def run(self):
api.bootstrap(in_server=True, confdir=paths.ETC_IPA)
api.finalize()
try:
api.Backend.ldap2.connect()
fstore = sysrestore.FileStore(paths.SYSRESTORE)
smb = adtrustinstance.ADTRUSTInstance(fstore, False)
smb.realm = api.env.realm
smb.autobind = ipaldap.AUTOBIND_ENABLED
smb.setup(api.env.host, api.env.realm,
self.options.netbios_name,
self.options.reset_netbios_name,
adtrust.DEFAULT_PRIMARY_RID_BASE,
adtrust.DEFAULT_SECONDARY_RID_BASE,
self.options.add_sids,
enable_compat=False)
smb.find_local_id_range()
smb.create_instance()
finally:
if api.Backend.ldap2.isconnected():
api.Backend.ldap2.disconnect()
return 0
IPAConfigEnableSid.run_cli()
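Review bot: `IPAConfigEnableSid` has no docstring and `run()` has no comment on the `setup` → `find_local_id_range` → `create_instance` sequence, although this helper is started by oddjobd as root on behalf of a D-Bus caller and its options arrive from that caller; a class docstring along the lines of `"""Enable SID generation on an existing IPA server; launched by oddjobd (org.freeipa.server config_enable_sid) with caller-supplied options."""` plus a one-line comment per step in `run()` would make that explicit. `--netbios-name` is passed straight into `smb.setup()` without validation here; if `ADTRUSTInstance.setup` does not validate it (not visible in this commit), a check before the call is the place. `run()` returns 0 only when `setup`/`create_instance` succeed and otherwise lets the exception propagate through the `finally`, which is fine provided `AdminTool.run_cli` maps exceptions to a non-zero exit — worth confirming.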


@@ -1,7 +1,7 @@
# Makefile.in generated by automake 1.16.2 from Makefile.am.
# Makefile.in generated by automake 1.17 from Makefile.am.
# @configure_input@
# Copyright (C) 1994-2020 Free Software Foundation, Inc.
# Copyright (C) 1994-2024 Free Software Foundation, Inc.
# This Makefile.in is free software; the Free Software Foundation
# gives unlimited permission to copy and/or distribute it,
@@ -70,6 +70,8 @@ am__make_running_with_option = \
test $$has_opt = yes
am__make_dryrun = (target_option=n; $(am__make_running_with_option))
am__make_keepgoing = (target_option=k; $(am__make_running_with_option))
am__rm_f = rm -f $(am__rm_f_notfound)
am__rm_rf = rm -rf $(am__rm_f_notfound)
pkgdatadir = $(datadir)/@PACKAGE@
pkgincludedir = $(includedir)/@PACKAGE@
pkglibdir = $(libdir)/@PACKAGE@
@@ -147,10 +149,9 @@ am__base_list = \
sed '$$!N;$$!N;$$!N;$$!N;$$!N;$$!N;$$!N;s/\n/ /g' | \
sed '$$!N;$$!N;$$!N;$$!N;s/\n/ /g'
am__uninstall_files_from_dir = { \
test -z "$$files" \
|| { test ! -d "$$dir" && test ! -f "$$dir" && test ! -r "$$dir"; } \
|| { echo " ( cd '$$dir' && rm -f" $$files ")"; \
$(am__cd) "$$dir" && rm -f $$files; }; \
{ test ! -d "$$dir" && test ! -f "$$dir" && test ! -r "$$dir"; } \
|| { echo " ( cd '$$dir' && rm -f" $$files ")"; \
$(am__cd) "$$dir" && echo $$files | $(am__xargs_n) 40 $(am__rm_f); }; \
}
am__installdirs = "$(DESTDIR)$(appdir)"
DATA = $(app_DATA)
@@ -177,6 +178,8 @@ CPP = @CPP@
CPPFLAGS = @CPPFLAGS@
CRYPTO_CFLAGS = @CRYPTO_CFLAGS@
CRYPTO_LIBS = @CRYPTO_LIBS@
CSCOPE = @CSCOPE@
CTAGS = @CTAGS@
CYGPATH_W = @CYGPATH_W@
DATA_VERSION = @DATA_VERSION@
DEFS = @DEFS@
@@ -190,8 +193,10 @@ ECHO_C = @ECHO_C@
ECHO_N = @ECHO_N@
ECHO_T = @ECHO_T@
EGREP = @EGREP@
ETAGS = @ETAGS@
EXEEXT = @EXEEXT@
FGREP = @FGREP@
FILECMD = @FILECMD@
GETTEXT_DOMAIN = @GETTEXT_DOMAIN@
GETTEXT_MACRO_VERSION = @GETTEXT_MACRO_VERSION@
GIT_BRANCH = @GIT_BRANCH@
@@ -199,6 +204,7 @@ GIT_VERSION = @GIT_VERSION@
GMSGFMT = @GMSGFMT@
GMSGFMT_015 = @GMSGFMT_015@
GREP = @GREP@
HTTPD_GROUP = @HTTPD_GROUP@
INI_CFLAGS = @INI_CFLAGS@
INI_LIBS = @INI_LIBS@
INSTALL = @INSTALL@
@@ -211,9 +217,12 @@ INTL_MACOSX_LIBS = @INTL_MACOSX_LIBS@
IPAPLATFORM = @IPAPLATFORM@
IPA_DATA_DIR = @IPA_DATA_DIR@
IPA_SYSCONF_DIR = @IPA_SYSCONF_DIR@
JANSSON_CFLAGS = @JANSSON_CFLAGS@
JANSSON_LIBS = @JANSSON_LIBS@
JSLINT = @JSLINT@
KRAD_LIBS = @KRAD_LIBS@
KRB5KDC_SERVICE = @KRB5KDC_SERVICE@
KRB5_BUILD_VERSION = @KRB5_BUILD_VERSION@
KRB5_CFLAGS = @KRB5_CFLAGS@
KRB5_GSSAPI_CFLAGS = @KRB5_GSSAPI_CFLAGS@
KRB5_GSSAPI_LIBS = @KRB5_GSSAPI_LIBS@
@@ -222,6 +231,8 @@ LD = @LD@
LDAP_CFLAGS = @LDAP_CFLAGS@
LDAP_LIBS = @LDAP_LIBS@
LDFLAGS = @LDFLAGS@
LIBCURL_CFLAGS = @LIBCURL_CFLAGS@
LIBCURL_LIBS = @LIBCURL_LIBS@
LIBICONV = @LIBICONV@
LIBINTL = @LIBINTL@
LIBINTL_LIBS = @LIBINTL_LIBS@
@@ -281,6 +292,8 @@ PLATFORM_PYTHON = @PLATFORM_PYTHON@
POPT_CFLAGS = @POPT_CFLAGS@
POPT_LIBS = @POPT_LIBS@
POSUB = @POSUB@
PWQUALITY_CFLAGS = @PWQUALITY_CFLAGS@
PWQUALITY_LIBS = @PWQUALITY_LIBS@
PYLINT = @PYLINT@
PYTHON = @PYTHON@
PYTHON_EXEC_PREFIX = @PYTHON_EXEC_PREFIX@
@@ -289,9 +302,12 @@ PYTHON_PLATFORM = @PYTHON_PLATFORM@
PYTHON_PREFIX = @PYTHON_PREFIX@
PYTHON_VERSION = @PYTHON_VERSION@
RANLIB = @RANLIB@
RESOLV_LIBS = @RESOLV_LIBS@
RPMLINT = @RPMLINT@
SAMBA40EXTRA_LIBPATH = @SAMBA40EXTRA_LIBPATH@
SAMBAUTIL_CFLAGS = @SAMBAUTIL_CFLAGS@
SAMBAUTIL_LIBS = @SAMBAUTIL_LIBS@
SAMBA_SECURITY_LIBS = @SAMBA_SECURITY_LIBS@
SASL_CFLAGS = @SASL_CFLAGS@
SASL_LIBS = @SASL_LIBS@
SED = @SED@
@@ -330,8 +346,10 @@ ac_ct_DUMPBIN = @ac_ct_DUMPBIN@
am__include = @am__include@
am__leading_dot = @am__leading_dot@
am__quote = @am__quote@
am__rm_f_notfound = @am__rm_f_notfound@
am__tar = @am__tar@
am__untar = @am__untar@
am__xargs_n = @am__xargs_n@
bindir = @bindir@
build = @build@
build_alias = @build_alias@
@@ -377,6 +395,7 @@ sharedstatedir = @sharedstatedir@
srcdir = @srcdir@
sysconfdir = @sysconfdir@
sysconfenvdir = @sysconfenvdir@
systemdcatalogdir = @systemdcatalogdir@
systemdsystemunitdir = @systemdsystemunitdir@
systemdtmpfilesdir = @systemdtmpfilesdir@
target_alias = @target_alias@
@@ -473,7 +492,6 @@ ctags CTAGS:
cscope cscopelist:
distdir: $(BUILT_SOURCES)
$(MAKE) $(AM_MAKEFLAGS) distdir-am
@@ -536,11 +554,11 @@ install-strip:
mostlyclean-generic:
clean-generic:
-test -z "$(CLEANFILES)" || rm -f $(CLEANFILES)
-$(am__rm_f) $(CLEANFILES)
distclean-generic:
-test -z "$(CONFIG_CLEAN_FILES)" || rm -f $(CONFIG_CLEAN_FILES)
-test . = "$(srcdir)" || test -z "$(CONFIG_CLEAN_VPATH_FILES)" || rm -f $(CONFIG_CLEAN_VPATH_FILES)
-$(am__rm_f) $(CONFIG_CLEAN_FILES)
-test . = "$(srcdir)" || $(am__rm_f) $(CONFIG_CLEAN_VPATH_FILES)
maintainer-clean-generic:
@echo "This command is intended for maintainers to use"
@@ -640,3 +658,10 @@ python_scripts_sub: $(PYTHON_SHEBANG)
# Tell versions [3.59,3.63) of GNU make to not export all variables.
# Otherwise a system limit (for SysV at least) may be exceeded.
.NOEXPORT:
# Tell GNU make to disable its built-in pattern rules.
%:: %,v
%:: RCS/%,v
%:: RCS/%
%:: s.%
%:: SCCS/s.%


@@ -28,7 +28,6 @@ import shutil
import traceback
from ipalib.install import certstore
from ipapython import directivesetter
from ipapython import ipautil
from ipalib import api, errors
from ipalib import x509
@@ -37,7 +36,7 @@ from ipaserver.install import certs, cainstance
from ipaserver.plugins.ldap2 import ldap2
from ipaplatform import services
from ipaplatform.paths import paths
from ipapython.certdb import TrustFlags
from ipapython.certdb import TrustFlags, get_ca_nickname
def _main():
@@ -50,6 +49,8 @@ def _main():
dogtag_service = services.knownservices['pki_tomcatd']
ca = cainstance.CAInstance(host_name=api.env.host)
# dogtag opens its NSS database in read/write mode so we need it
# shut down so certmonger can open it read/write mode. This avoids
# database corruption. It should already be stopped by the pre-command
@@ -83,13 +84,15 @@ def _main():
api.Backend.ldap2.connect()
ca = cainstance.CAInstance(host_name=api.env.host)
ca.update_cert_config(nickname, cert)
if ca.is_renewal_master():
cainstance.update_people_entry(cert)
cainstance.update_authority_entry(cert)
if nickname == 'auditSigningCert cert-pki-ca':
if nickname in (
'auditSigningCert cert-pki-ca',
'auditSigningCert cert-pki-kra',
):
# Fix trust on the audit cert
try:
db.run_certutil(['-M',
@@ -105,32 +108,9 @@ def _main():
"Updating trust on certificate %s failed in %s" %
(nickname, db.secdir))
elif nickname == 'caSigningCert cert-pki-ca':
# Update CS.cfg
cfg_path = paths.CA_CS_CFG_PATH
config = directivesetter.get_directive(
cfg_path, 'subsystem.select', '=')
if config == 'New':
syslog.syslog(syslog.LOG_NOTICE, "Updating CS.cfg")
if cert.is_self_signed():
directivesetter.set_directive(
cfg_path, 'hierarchy.select', 'Root',
quotes=False, separator='=')
directivesetter.set_directive(
cfg_path, 'subsystem.count', '1',
quotes=False, separator='=')
else:
directivesetter.set_directive(
cfg_path, 'hierarchy.select', 'Subordinate',
quotes=False, separator='=')
directivesetter.set_directive(
cfg_path, 'subsystem.count', '0',
quotes=False, separator='=')
else:
syslog.syslog(syslog.LOG_NOTICE, "Not updating CS.cfg")
# Remove old external CA certificates
for ca_nick, ca_flags in db.list_certs():
if ca_flags.has_key:
if ca_flags.has_key or not ca_flags.ca:
continue
# Delete *all* certificates that use the nickname
while True:
@@ -174,8 +154,11 @@ def _main():
"%s" % e)
ca_certs = []
realm_nickname = get_ca_nickname(api.env.realm)
for ca_cert, ca_nick, ca_flags in ca_certs:
try:
if ca_nick == realm_nickname:
ca_nick = 'caSigningCert cert-pki-ca'
db.add_cert(ca_cert, ca_nick, ca_flags)
except ipautil.CalledProcessError as e:
syslog.syslog(
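Review bot: In the last hunk the loop target `ca_nick` is rebound inside its own loop body (`if ca_nick == realm_nickname: ca_nick = 'caSigningCert cert-pki-ca'`) with no comment saying why the realm nickname must be mapped to the dogtag one; a why-comment is warranted, e.g. `# the IPA CA is listed under its realm nickname here but dogtag's NSS DB expects 'caSigningCert cert-pki-ca'` (hedged — the origin of `ca_certs` is outside the hunk), and a separate name, `nick = 'caSigningCert cert-pki-ca' if ca_nick == realm_nickname else ca_nick`, reads cleaner than mutating the loop variable. The removal-loop change `if ca_flags.has_key or not ca_flags.ca: continue` now also leaves non-CA certificates in place; the `# Remove old external CA certificates` comment above it still holds, but the new `not ca_flags.ca` clause deserves its own short note. `_main()` starts before the first hunk and continues after the last.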


@@ -3,6 +3,7 @@
## Attributes: 2.16.840.1.113730.3.8.3 - V2 base attributres
## ObjectClasses: 2.16.840.1.113730.3.8.4 - V2 base objectclasses
## Attributes: 2.16.840.1.113730.3.8.23 - V4 base attributes
## ObjectClasses: 2.16.840.1.113730.3.8.24 - V4 base objectclasses
##
dn: cn=schema
attributeTypes: (2.16.840.1.113730.3.8.3.1 NAME 'ipaUniqueID' DESC 'Unique identifier' EQUALITY caseIgnoreMatch ORDERING caseIgnoreOrderingMatch SYNTAX 1.3.6.1.4.1.1466.115.121.1.15 X-ORIGIN 'IPA v2' )
@@ -52,3 +53,9 @@ attributeTypes: (2.16.840.1.113730.3.8.3.17 NAME 'hostCApolicy' DESC 'Policy on
objectClasses: (2.16.840.1.113730.3.8.4.9 NAME 'ipaCAaccess' STRUCTURAL MAY (member $ hostCApolicy) X-ORIGIN 'IPA v2' )
objectClasses: (2.16.840.1.113730.3.8.4.10 NAME 'ipaHBACService' STRUCTURAL MUST ( cn ) MAY ( description $ memberOf ) X-ORIGIN 'IPA v2' )
objectClasses: (2.16.840.1.113730.3.8.4.11 NAME 'ipaHBACServiceGroup' DESC 'IPA HBAC service group object class' SUP groupOfNames STRUCTURAL X-ORIGIN 'IPA v2' )
# IPA password policy configuration via libpwquality
attributeTypes: (2.16.840.1.113730.3.8.23.2 NAME 'ipaPwdMaxRepeat' EQUALITY integerMatch SYNTAX 1.3.6.1.4.1.1466.115.121.1.27 SINGLE-VALUE X-ORIGIN 'IPA v4')
attributeTypes: (2.16.840.1.113730.3.8.23.3 NAME 'ipaPwdMaxSequence' EQUALITY integerMatch SYNTAX 1.3.6.1.4.1.1466.115.121.1.27 SINGLE-VALUE X-ORIGIN 'IPA v4')
attributeTypes: (2.16.840.1.113730.3.8.23.4 NAME 'ipaPwdDictCheck' EQUALITY booleanMatch SYNTAX 1.3.6.1.4.1.1466.115.121.1.7 SINGLE-VALUE X-ORIGIN 'IPA v4')
attributeTypes: (2.16.840.1.113730.3.8.23.5 NAME 'ipaPwdUserCheck' EQUALITY booleanMatch SYNTAX 1.3.6.1.4.1.1466.115.121.1.7 SINGLE-VALUE X-ORIGIN 'IPA v4')
objectClasses: (2.16.840.1.113730.3.8.24.1 NAME 'ipaPwdPolicy' DESC 'IPA Password policy object class' SUP top MAY (ipaPwdMaxRepeat $ ipaPwdMaxSequence $ ipaPwdDictCheck $ ipaPwdUserCheck $ passwordGraceLimit) X-ORIGIN 'IPA v4')
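Review bot: `ipaPwdPolicy` (2.16.840.1.113730.3.8.24.1) omits the STRUCTURAL/AUXILIARY keyword; under RFC 4512 an objectClass with no kind is STRUCTURAL, while every other objectClass in this file states its kind explicitly. If it is meant to be mixed into existing password-policy entries it should say `AUXILIARY`; if STRUCTURAL is intended, stating it keeps the file consistent. The four new `ipaPwd*` attributeTypes also lack the `DESC` the surrounding definitions carry (e.g. `DESC 'Maximum repeated characters allowed in a password'` for ipaPwdMaxRepeat), and `passwordGraceLimit` in the MAY list is not defined here, so it presumably comes from a schema file loaded earlier — a comment naming that file would help.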


@@ -62,6 +62,7 @@ attributeTypes: (2.16.840.1.113730.3.8.18.2.1 NAME 'ipaVaultType' DESC 'IPA vaul
attributeTypes: (2.16.840.1.113730.3.8.18.2.2 NAME 'ipaVaultSalt' DESC 'IPA vault salt' EQUALITY octetStringMatch SYNTAX 1.3.6.1.4.1.1466.115.121.1.40 X-ORIGIN 'IPA v4.2' )
# FIXME: https://bugzilla.redhat.com/show_bug.cgi?id=1267782
attributeTypes: (2.16.840.1.113730.3.8.18.2.3 NAME 'ipaVaultPublicKey' DESC 'IPA vault public key' EQUALITY octetStringMatch SYNTAX 1.3.6.1.4.1.1466.115.121.1.40 X-ORIGIN 'IPA v4.2' )
attributeTypes: (2.16.840.1.113730.3.8.23.6 NAME 'ipaAutoPrivateGroups' DESC 'Auto private groups' EQUALITY caseIgnoreIA5Match SUBSTR caseIgnoreIA5SubstringsMatch SYNTAX 1.3.6.1.4.1.1466.115.121.1.26 X-ORIGIN 'IPA v4.9' )
objectClasses: (2.16.840.1.113730.3.8.12.1 NAME 'ipaExternalGroup' SUP top STRUCTURAL MUST ( cn ) MAY ( ipaExternalMember $ memberOf $ description $ owner) X-ORIGIN 'IPA v3' )
objectClasses: (2.16.840.1.113730.3.8.12.2 NAME 'ipaNTUserAttrs' SUP top AUXILIARY MUST ( ipaNTSecurityIdentifier ) MAY ( ipaNTHash $ ipaNTLogonScript $ ipaNTProfilePath $ ipaNTHomeDirectory $ ipaNTHomeDirectoryDrive ) X-ORIGIN 'IPA v3' )
objectClasses: (2.16.840.1.113730.3.8.12.3 NAME 'ipaNTGroupAttrs' SUP top AUXILIARY MUST ( ipaNTSecurityIdentifier ) X-ORIGIN 'IPA v3' )
@@ -76,7 +77,7 @@ objectClasses: (2.16.840.1.113730.3.8.12.13 NAME 'ipaSshHost' SUP ipaSshGroupOfP
objectClasses: (2.16.840.1.113730.3.8.12.14 NAME 'ipaIDobject' SUP top AUXILIARY MAY ( uidNumber $ gidNumber $ ipaNTSecurityIdentifier ) X-ORIGIN 'IPA v3' )
objectClasses: (2.16.840.1.113730.3.8.12.15 NAME 'ipaIDrange' ABSTRACT MUST ( cn $ ipaBaseID $ ipaIDRangeSize $ ipaRangeType ) X-ORIGIN 'IPA v3' )
objectClasses: (2.16.840.1.113730.3.8.12.16 NAME 'ipaDomainIDRange' SUP ipaIDrange STRUCTURAL MAY ( ipaBaseRID $ ipaSecondaryBaseRID ) X-ORIGIN 'IPA v3' )
objectClasses: (2.16.840.1.113730.3.8.12.17 NAME 'ipaTrustedADDomainRange' SUP ipaIDrange STRUCTURAL MUST ( ipaBaseRID $ ipaNTTrustedDomainSID ) X-ORIGIN 'IPA v3' )
objectClasses: (2.16.840.1.113730.3.8.12.17 NAME 'ipaTrustedADDomainRange' SUP ipaIDrange STRUCTURAL MUST ( ipaBaseRID $ ipaNTTrustedDomainSID ) MAY ( ipaAutoPrivateGroups ) X-ORIGIN 'IPA v3' )
objectClasses: (2.16.840.1.113730.3.8.12.19 NAME 'ipaUserAuthTypeClass' SUP top AUXILIARY DESC 'Class for authentication methods definition' MAY ipaUserAuthType X-ORIGIN 'IPA v3')
objectClasses: (2.16.840.1.113730.3.8.12.20 NAME 'ipaUser' AUXILIARY MUST ( uid) MAY ( userClass $ ipaKrbAuthzData ) X-ORIGIN 'IPA v3' )
objectClasses: (2.16.840.1.113730.3.8.12.21 NAME 'ipaPermissionV2' DESC 'IPA Permission objectclass, version 2' SUP ipaPermission AUXILIARY MUST ( ipaPermBindRuleType $ ipaPermLocation ) MAY ( ipaPermDefaultAttr $ ipaPermIncludedAttr $ ipaPermExcludedAttr $ ipaPermRight $ ipaPermTargetFilter $ ipaPermTarget $ ipaPermTargetTo $ ipaPermTargetFrom ) X-ORIGIN 'IPA v4.0' )
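Review bot: The new `ipaAutoPrivateGroups` attribute is declared without `SINGLE-VALUE`, and its DESC 'Auto private groups' does not say which values are accepted; if one setting per range is what the range plugin expects, adding `SINGLE-VALUE` lets the directory enforce it, and a DESC that names the accepted values would let the server-side validation be reviewed against the schema. The modified `ipaTrustedADDomainRange` keeps `X-ORIGIN 'IPA v3'` although its MAY list changed in 4.9 — harmless, but worth noting.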


@@ -0,0 +1,39 @@
## IPA Base OID: 2.16.840.1.113730.3.8
##
## Attributes: 2.16.840.1.113730.3.8.23 - V4 base attributes
## ObjectClasses: 2.16.840.1.113730.3.8.24 - V4 base objectclasses
##
dn: cn=schema
# subordinate ids
# range ceiling OIDs are reserved for future use
attributeTypes: ( 2.16.840.1.113730.3.8.23.7 NAME 'ipaSubUidNumber' DESC 'Numerical subordinate user ID (range start value)' EQUALITY integerMatch ORDERING integerOrderingMatch SYNTAX 1.3.6.1.4.1.1466.115.121.1.27 SINGLE-VALUE X-ORIGIN 'IPA v4.9')
attributeTypes: ( 2.16.840.1.113730.3.8.23.8 NAME 'ipaSubUidCount' DESC 'Subordinate user ID count (range size)' EQUALITY integerMatch ORDERING integerOrderingMatch SYNTAX 1.3.6.1.4.1.1466.115.121.1.27 SINGLE-VALUE X-ORIGIN 'IPA v4.9')
# attributeTypes: ( 2.16.840.1.113730.3.8.23.9 NAME 'ipaSubUidCeiling' DESC 'Numerical subordinate user ID ceiling (largest value in range)' EQUALITY integerMatch ORDERING integerOrderingMatch SYNTAX 1.3.6.1.4.1.1466.115.121.1.27 SINGLE-VALUE X-ORIGIN 'IPA v4.9')
attributeTypes: ( 2.16.840.1.113730.3.8.23.10 NAME 'ipaSubGidNumber' DESC 'Numerical subordinate group ID (range start value)' EQUALITY integerMatch ORDERING integerOrderingMatch SYNTAX 1.3.6.1.4.1.1466.115.121.1.27 SINGLE-VALUE X-ORIGIN 'IPA v4.9')
attributeTypes: ( 2.16.840.1.113730.3.8.23.11 NAME 'ipaSubGidCount' DESC 'Subordinate group ID count (range size)' EQUALITY integerMatch ORDERING integerOrderingMatch SYNTAX 1.3.6.1.4.1.1466.115.121.1.27 SINGLE-VALUE X-ORIGIN 'IPA v4.9')
# attributeTypes: ( 2.16.840.1.113730.3.8.23.12 NAME 'ipaSubGidCeiling' DESC 'Numerical subordinate user ID ceiling (largest value in range)' EQUALITY integerMatch ORDERING integerOrderingMatch SYNTAX 1.3.6.1.4.1.1466.115.121.1.27 SINGLE-VALUE X-ORIGIN 'IPA v4.9')
attributeTypes: ( 2.16.840.1.113730.3.8.23.13 NAME 'ipaOwner' DESC 'Owner of an entry' SUP distinguishedName EQUALITY distinguishedNameMatch SYNTAX 1.3.6.1.4.1.1466.115.121.1.12 SINGLE-VALUE X-ORIGIN 'IPA v4.9')
# attribute 2.16.840.1.113730.3.8.23.14 'ipaUserDefaultSubordinateId' is defined in 60ipaconfig.ldif
objectClasses: (2.16.840.1.113730.3.8.24.2 NAME 'ipaSubordinateUid' DESC 'Subordinate uids for users, see subuid(5)' SUP top AUXILIARY MUST ( ipaOwner $ ipaSubUidNumber $ ipaSubUidCount ) X-ORIGIN 'IPA v4.9')
objectClasses: (2.16.840.1.113730.3.8.24.3 NAME 'ipaSubordinateGid' DESC 'Subordinate gids for users, see subgid(5)' SUP top AUXILIARY MUST ( ipaOwner $ ipaSubGidNumber $ ipaSubGidCount ) X-ORIGIN 'IPA v4.9')
objectClasses: (2.16.840.1.113730.3.8.24.4 NAME 'ipaSubordinateId' DESC 'Subordinate uid and gid for users' SUP top AUXILIARY MUST ( ipaOwner $ ipaSubUidNumber $ ipaSubUidCount $ ipaSubGidNumber $ ipaSubGidCount ) X-ORIGIN 'IPA v4.9')
objectClasses: (2.16.840.1.113730.3.8.24.5 NAME 'ipaSubordinateIdEntry' DESC 'Subordinate uid and gid entry' SUP top STRUCTURAL MUST ( ipaUniqueId ) MAY ( description ) X-ORIGIN 'IPA v4.9')
# External IdP support
attributeTypes: (2.16.840.1.113730.3.8.23.15 NAME 'ipaIdpDevAuthEndpoint' DESC 'Identity Provider Device Authorization Endpoint' EQUALITY caseExactMatch SYNTAX 1.3.6.1.4.1.1466.115.121.1.15 X-ORIGIN 'IPA v4.9' )
attributeTypes: (2.16.840.1.113730.3.8.23.16 NAME 'ipaIdpAuthEndpoint' DESC 'Identity Provider Authorization Endpoint' EQUALITY caseExactMatch SYNTAX 1.3.6.1.4.1.1466.115.121.1.15 X-ORIGIN 'IPA v4.9' )
attributeTypes: (2.16.840.1.113730.3.8.23.17 NAME 'ipaIdpTokenEndpoint' DESC 'Identity Provider Token Endpoint' EQUALITY caseExactMatch SYNTAX 1.3.6.1.4.1.1466.115.121.1.15 X-ORIGIN 'IPA v4.9' )
attributeTypes: (2.16.840.1.113730.3.8.23.18 NAME 'ipaIdpClientId' DESC 'Identity Provider Client Identifier' EQUALITY caseExactMatch SYNTAX 1.3.6.1.4.1.1466.115.121.1.15 X-ORIGIN 'IPA v4.9' )
attributeTypes: (2.16.840.1.113730.3.8.23.19 NAME 'ipaIdpClientSecret' DESC 'Identity Provider Client Secret' EQUALITY octetStringMatch SYNTAX 1.3.6.1.4.1.1466.115.121.1.40 X-ORIGIN 'IPA v4.9' )
attributeTypes: (2.16.840.1.113730.3.8.23.20 NAME 'ipaIdpScope' DESC 'Identity Provider Scope' EQUALITY caseExactMatch SYNTAX 1.3.6.1.4.1.1466.115.121.1.15 X-ORIGIN 'IPA v4.9' )
attributeTypes: (2.16.840.1.113730.3.8.23.21 NAME 'ipaIdpConfigLink' DESC 'Corresponding Identity Provider Configuration link' SUP distinguishedName EQUALITY distinguishedNameMatch SYNTAX 1.3.6.1.4.1.1466.115.121.1.12 SINGLE-VALUE X-ORIGIN 'IPA v4.9')
attributeTypes: (2.16.840.1.113730.3.8.23.22 NAME 'ipaIdpSub' DESC 'Identity Provider User Subject' EQUALITY caseExactMatch SYNTAX 1.3.6.1.4.1.1466.115.121.1.15 X-ORIGIN 'IPA v4.9' )
attributeTypes: (2.16.840.1.113730.3.8.23.23 NAME 'ipaIdpIssuerURL' DESC 'Identity Provider OIDC URL' EQUALITY caseExactMatch SYNTAX 1.3.6.1.4.1.1466.115.121.1.15 X-ORIGIN 'IPA v4.9' )
attributeTypes: (2.16.840.1.113730.3.8.23.24 NAME 'ipaIdpUserInfoEndpoint' DESC 'Identity Provider UserInfo Endpoint' EQUALITY caseExactMatch SYNTAX 1.3.6.1.4.1.1466.115.121.1.15 X-ORIGIN 'IPA v4.9' )
attributeTypes: (2.16.840.1.113730.3.8.23.25 NAME 'ipaIdpKeysEndpoint' DESC 'Identity Provider JWKS Endpoint' EQUALITY caseExactMatch SYNTAX 1.3.6.1.4.1.1466.115.121.1.15 X-ORIGIN 'IPA v4.9' )
objectClasses: (2.16.840.1.113730.3.8.24.6 NAME 'ipaIdP' SUP top STRUCTURAL DESC 'Identity Provider Configuration' MUST ( cn ) MAY ( ipaIdpDevAuthEndpoint $ ipaIdpAuthEndpoint $ ipaIdpTokenEndpoint $ ipaIdpUserInfoEndpoint $ ipaIdpKeysEndpoint $ ipaIdpClientId $ description $ ipaIdpClientSecret $ ipaIdpScope $ ipaIdpIssuerURL $ ipaIdpSub ) X-ORIGIN 'IPA v4.9' )
objectClasses: (2.16.840.1.113730.3.8.24.7 NAME 'ipaIdpUser' SUP top AUXILIARY DESC 'User from an external Identity Provider ' MAY ( ipaIdpConfigLink $ ipaIdpSub ) X-ORIGIN 'IPA v4.9' )
### Passkey support
attributeTypes: ( 2.16.840.1.113730.3.8.23.26 NAME 'ipaRequireUserVerification' DESC 'require passkey user verification' EQUALITY booleanMatch SYNTAX 1.3.6.1.4.1.1466.115.121.1.7 SINGLE-VALUE X-ORIGIN 'IPA v4.10')
attributeTypes: ( 2.16.840.1.113730.3.8.23.27 NAME 'ipapasskey' DESC 'Passkey mapping' EQUALITY caseExactMatch SYNTAX 1.3.6.1.4.1.1466.115.121.1.15 X-ORIGIN 'IPA v4.10' )
objectclasses: ( 2.16.840.1.113730.3.8.24.8 NAME 'ipaPasskeyConfigObject' DESC 'IPA passkey global config options' AUXILIARY MUST ipaRequireUserVerification X-ORIGIN 'IPA v4.10')
objectclasses: ( 2.16.840.1.113730.3.8.24.9 NAME 'ipaPasskeyUser' DESC 'IPA passkey user' AUXILIARY MAY ipapasskey X-ORIGIN 'IPA v4.10')
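Review bot: `ipaIdpClientSecret` (2.16.840.1.113730.3.8.23.19) holds an OAuth client secret, and the schema cannot limit who may read it; the ACI that restricts read access lives outside this file, so a comment next to the definition such as `# sensitive: read access restricted by ACI (see <ACI location>)` would point the next reader there — hedged, since I cannot see that ACI here. The commented-out `ipaSubGidCeiling` line copies the uid wording ('Numerical subordinate user ID ceiling') and should say 'group ID'. The trailing space in the `ipaIdpUser` DESC ('...Identity Provider ') and the lower-case `objectclasses:` keys in the passkey block are cosmetic inconsistencies with the rest of the file.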


@@ -7,6 +7,8 @@ attributeTypes: (2.16.840.1.113730.3.8.21.1.5 NAME 'ipaCertProfileCategory' DESC
attributeTypes: (2.16.840.1.113730.3.8.21.1.6 NAME 'ipaCaId' DESC 'Dogtag Authority ID' EQUALITY caseIgnoreMatch ORDERING caseIgnoreOrderingMatch SUBSTR caseIgnoreSubstringsMatch SYNTAX 1.3.6.1.4.1.1466.115.121.1.15 X-ORIGIN 'IPA v4.4 Lightweight CAs' )
attributeTypes: (2.16.840.1.113730.3.8.21.1.7 NAME 'ipaCaIssuerDN' DESC 'Issuer DN' SUP distinguishedName X-ORIGIN 'IPA v4.4 Lightweight CAs' )
attributeTypes: (2.16.840.1.113730.3.8.21.1.8 NAME 'ipaCaSubjectDN' DESC 'Subject DN' SUP distinguishedName X-ORIGIN 'IPA v4.4 Lightweight CAs' )
attributeTypes: (2.16.840.1.113730.3.8.21.1.9 NAME 'ipaCaRandomSerialNumberVersion' DESC 'Random Serial Number Version' EQUALITY integerMatch ORDERING integerOrderingMatch SYNTAX 1.3.6.1.4.1.1466.115.121.1.27 SINGLE-VALUE X-ORIGIN 'IPA v4.9 RSNv3' )
attributeTypes: (2.16.840.1.113730.3.8.21.1.10 NAME 'ipaCaHSMConfiguration' DESC 'HSM Configuration' EQUALITY caseIgnoreMatch ORDERING caseIgnoreOrderingMatch SYNTAX 1.3.6.1.4.1.1466.115.121.1.15 SINGLE-VALUE X-ORIGIN 'IPA v4.10 HSM' )
objectClasses: (2.16.840.1.113730.3.8.21.2.1 NAME 'ipaCertProfile' SUP top STRUCTURAL MUST ( cn $ description $ ipaCertProfileStoreIssued ) X-ORIGIN 'IPA v4.2' )
objectClasses: (2.16.840.1.113730.3.8.21.2.2 NAME 'ipaCaAcl' SUP ipaAssociation STRUCTURAL MUST cn MAY ( ipaCaCategory $ ipaCertProfileCategory $ userCategory $ hostCategory $ serviceCategory $ ipaMemberCa $ ipaMemberCertProfile $ memberService ) X-ORIGIN 'IPA v4.2' )
objectClasses: (2.16.840.1.113730.3.8.21.2.3 NAME 'ipaCa' SUP top STRUCTURAL MUST ( cn $ ipaCaId $ ipaCaSubjectDN $ ipaCaIssuerDN ) MAY description X-ORIGIN 'IPA v4.4 Lightweight CAs' )
objectClasses: (2.16.840.1.113730.3.8.21.2.3 NAME 'ipaCa' SUP top STRUCTURAL MUST ( cn $ ipaCaId $ ipaCaSubjectDN $ ipaCaIssuerDN ) MAY ( description $ ipaCaRandomSerialNumberVersion $ ipaCaHSMConfiguration) X-ORIGIN 'IPA v4.4 Lightweight CAs' )
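Review bot: `ipaCaHSMConfiguration)` on the last line closes the MAY list without the space before `)` that every other definition in this file uses (`ipaCaIssuerDN )`, `memberService )`); change it to `ipaCaHSMConfiguration )`. The new attribute's DESC 'HSM Configuration' does not say what the value carries (a token label, a module path, an opaque blob), so a reader of the schema cannot tell what to expect or whether it is sensitive; a DESC naming the value's meaning and format would help. The read ACIs on the ipaCa entry are not part of this change, so whether the value is exposed to ordinary CA readers has to be confirmed against the code that writes it.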


@@ -6,6 +6,7 @@
## ObjectClasses: 2.16.840.1.113730.3.8.2 - V1
## Attributes: 2.16.840.1.113730.3.8.3 - V2
## ObjectClasses: 2.16.840.1.113730.3.8.4 - V2
## Attributes: 2.16.840.1.113730.3.8.23 - V4 base attributes
dn: cn=schema
###############################################
##
@@ -45,11 +46,13 @@ attributeTypes: ( 2.16.840.1.113730.3.8.3.26 NAME 'ipaSELinuxUserMapDefault' DES
attributeTypes: ( 2.16.840.1.113730.3.8.3.27 NAME 'ipaSELinuxUserMapOrder' DESC 'Available SELinux user context ordering' EQUALITY caseIgnoreMatch ORDERING caseIgnoreMatch SUBSTR caseIgnoreSubstringsMatch SYNTAX 1.3.6.1.4.1.1466.115.121.1.15 SINGLE-VALUE X-ORIGIN 'IPA v3')
## ipaMaxHostnameLength - maximum hostname length to allow
attributeTypes: ( 2.16.840.1.113730.3.8.1.28 NAME 'ipaMaxHostnameLength' EQUALITY integerMatch SYNTAX 1.3.6.1.4.1.1466.115.121.1.27 SINGLE-VALUE)
# ipaUserDefaultSubordinateId - if TRUE new user entries gain subordinate id by default
attributeTypes: ( 2.16.840.1.113730.3.8.23.14 NAME 'ipaUserDefaultSubordinateId' DESC 'Enable adding user entries with subordinate id' SYNTAX 1.3.6.1.4.1.1466.115.121.1.7 SINGLE-VALUE X-ORIGIN 'IPA v4.9')
###############################################
##
## ObjectClasses
##
## ipaGuiConfig - GUI config parameters objectclass
objectClasses: ( 2.16.840.1.113730.3.8.2.1 NAME 'ipaGuiConfig' AUXILIARY MAY ( ipaUserSearchFields $ ipaGroupSearchFields $ ipaSearchTimeLimit $ ipaSearchRecordsLimit $ ipaCustomFields $ ipaHomesRootDir $ ipaDefaultLoginShell $ ipaDefaultPrimaryGroup $ ipaMaxUsernameLength $ ipaPwdExpAdvNotify $ ipaUserObjectClasses $ ipaGroupObjectClasses $ ipaDefaultEmailDomain $ ipaMigrationEnabled $ ipaCertificateSubjectBase $ ipaSELinuxUserMapDefault $ ipaSELinuxUserMapOrder $ ipaKrbAuthzData $ ipaMaxHostnameLength) )
objectClasses: ( 2.16.840.1.113730.3.8.2.1 NAME 'ipaGuiConfig' AUXILIARY MAY ( ipaUserSearchFields $ ipaGroupSearchFields $ ipaSearchTimeLimit $ ipaSearchRecordsLimit $ ipaCustomFields $ ipaHomesRootDir $ ipaDefaultLoginShell $ ipaDefaultPrimaryGroup $ ipaMaxUsernameLength $ ipaPwdExpAdvNotify $ ipaUserObjectClasses $ ipaGroupObjectClasses $ ipaDefaultEmailDomain $ ipaMigrationEnabled $ ipaCertificateSubjectBase $ ipaSELinuxUserMapDefault $ ipaSELinuxUserMapOrder $ ipaKrbAuthzData $ ipaMaxHostnameLength $ ipaUserDefaultSubordinateId) )
## ipaConfigObject - Generic config strings object holder
objectClasses: (2.16.840.1.113730.3.8.4.13 NAME 'ipaConfigObject' DESC 'generic config object for IPA' AUXILIARY MAY ( ipaConfigString ) X-ORIGIN 'IPA v2' )
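Review bot: The new `ipaUserDefaultSubordinateId` attribute declares a boolean SYNTAX but no EQUALITY rule, whereas the passkey attribute `ipaRequireUserVerification` added in the same commit uses `EQUALITY booleanMatch`; without it the behaviour of equality filters on this attribute is left to the server's defaults, so `EQUALITY booleanMatch` should be added for consistency and predictable searches. The comment above it uses a single `#` while every other comment in this file uses `##`; `## ipaUserDefaultSubordinateId - if TRUE new user entries gain subordinate id by default` matches the file's style.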


@@ -1,3 +1,5 @@
dn: cn=schema
attributeTypes: (2.16.840.1.113730.3.8.11.32 NAME 'ipaKrbPrincipalAlias' DESC 'DEPRECATED - DO NOT USE' EQUALITY caseIgnoreMatch ORDERING caseIgnoreOrderingMatch SUBSTR caseIgnoreSubstringsMatch SYNTAX 1.3.6.1.4.1.1466.115.121.1.15 SINGLE-VALUE X-ORIGIN 'IPA v3')
objectClasses: (2.16.840.1.113730.3.8.12.8 NAME 'ipaKrbPrincipal' SUP krbPrincipalAux AUXILIARY MUST ( krbPrincipalName $ ipaKrbPrincipalAlias ) X-ORIGIN 'IPA v3' )
# Resource delegation object class uses memberPrincipal to specify targets and requires a Kerberos principal
objectClasses: (2.16.840.1.113730.3.8.24.10 NAME 'resourceDelegation' SUP krbPrincipal AUXILIARY MAY ( memberPrincipal ) X-ORIGIN 'IPA v4.10' )
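Review bot: `resourceDelegation` is declared AUXILIARY with `SUP krbPrincipal`; if `krbPrincipal` is a STRUCTURAL class in the Kerberos schema loaded alongside this file, an auxiliary subclass of a structural class is not valid under RFC 4512 and the server may reject the definition, so confirm the kind of `krbPrincipal` (the other class in this file subclasses `krbPrincipalAux` instead). The class also has no DESC, unlike its neighbour; `DESC 'Resource delegation targets specified via memberPrincipal'` would carry the intent of the `#` comment into the schema itself, where `ipa`-side tooling and LDAP browsers can show it.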


@@ -16,6 +16,7 @@ dist_app_DATA = \
60ipaconfig.ldif \
60basev2.ldif \
60basev3.ldif \
60basev4.ldif \
60ipadns.ldif \
60ipapk11.ldif \
60certificate-profiles.ldif \
@@ -37,17 +38,18 @@ dist_app_DATA = \
default-trust-view.ldif \
delegation.ldif \
replica-acis.ldif \
replica-prevent-time-skew.ldif \
ds-nfiles.ldif \
ds-ipa-env.conf.template \
dns.ldif \
dnssec.ldif \
domainlevel.ldif \
kerberos.ldif \
indices.ldif \
bind.ipa-ext.conf.template \
bind.ipa-options-ext.conf.template \
bind.ipa-logging-ext.conf.template \
bind.named.conf.template \
bind.openssl.cnf.template \
bind.openssl.cryptopolicy.cnf.template \
certmap.conf.template \
kdc.conf.template \
kdc_extensions.template \
@@ -79,7 +81,6 @@ dist_app_DATA = \
uuid.ldif \
modrdn-krbprinc.ldif \
entryusn.ldif \
root-autobind.ldif \
pw-logging-conf.ldif \
sudobind.ldif \
automember.ldif \
@@ -102,6 +103,11 @@ dist_app_DATA = \
ipaca_default.ini \
ipaca_customize.ini \
ipaca_softhsm2.ini \
pki-acme-configsources.conf.template \
pki-acme-database.conf.template \
pki-acme-engine.conf.template \
pki-acme-issuer.conf.template \
pki-acme-realm.conf.template \
ldbm-tuning.ldif \
$(NULL)
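Review bot: In the hunk at `@@ -79,7 +81,6 @@` one entry leaves `dist_app_DATA`; the side markers are lost on this page, but the counts show a single removal and `root-autobind.ldif` is the line that looks removed, which means that file is no longer installed under `$(appdir)`. If any install or upgrade step still loads it by name the failure will only show at run time, so confirm the reference was removed everywhere. The other hunks only add entries, and they appear to correspond to the new templates shown as separate sections further down in this commit (the bind openssl and logging templates, the pki-acme templates).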


@@ -1,7 +1,7 @@
# Makefile.in generated by automake 1.16.2 from Makefile.am.
# Makefile.in generated by automake 1.17 from Makefile.am.
# @configure_input@
# Copyright (C) 1994-2020 Free Software Foundation, Inc.
# Copyright (C) 1994-2024 Free Software Foundation, Inc.
# This Makefile.in is free software; the Free Software Foundation
# gives unlimited permission to copy and/or distribute it,
@@ -70,6 +70,8 @@ am__make_running_with_option = \
test $$has_opt = yes
am__make_dryrun = (target_option=n; $(am__make_running_with_option))
am__make_keepgoing = (target_option=k; $(am__make_running_with_option))
am__rm_f = rm -f $(am__rm_f_notfound)
am__rm_rf = rm -rf $(am__rm_f_notfound)
pkgdatadir = $(datadir)/@PACKAGE@
pkgincludedir = $(includedir)/@PACKAGE@
pkglibdir = $(libdir)/@PACKAGE@
@@ -156,10 +158,9 @@ am__base_list = \
sed '$$!N;$$!N;$$!N;$$!N;$$!N;$$!N;$$!N;s/\n/ /g' | \
sed '$$!N;$$!N;$$!N;$$!N;s/\n/ /g'
am__uninstall_files_from_dir = { \
test -z "$$files" \
|| { test ! -d "$$dir" && test ! -f "$$dir" && test ! -r "$$dir"; } \
|| { echo " ( cd '$$dir' && rm -f" $$files ")"; \
$(am__cd) "$$dir" && rm -f $$files; }; \
{ test ! -d "$$dir" && test ! -f "$$dir" && test ! -r "$$dir"; } \
|| { echo " ( cd '$$dir' && rm -f" $$files ")"; \
$(am__cd) "$$dir" && echo $$files | $(am__xargs_n) 40 $(am__rm_f); }; \
}
am__installdirs = "$(DESTDIR)$(appdir)" "$(DESTDIR)$(kdcproxyconfdir)"
DATA = $(dist_app_DATA) $(dist_kdcproxyconf_DATA)
@@ -188,8 +189,6 @@ am__define_uniq_tagged_files = \
unique=`for i in $$list; do \
if test -f "$$i"; then echo $$i; else echo $(srcdir)/$$i; fi; \
done | $(am__uniquify_input)`
ETAGS = etags
CTAGS = ctags
DIST_SUBDIRS = $(SUBDIRS)
am__DIST_COMMON = $(srcdir)/Makefile.in
DISTFILES = $(DIST_COMMON) $(DIST_SOURCES) $(TEXINFOS) $(EXTRA_DIST)
@@ -237,6 +236,8 @@ CPP = @CPP@
CPPFLAGS = @CPPFLAGS@
CRYPTO_CFLAGS = @CRYPTO_CFLAGS@
CRYPTO_LIBS = @CRYPTO_LIBS@
CSCOPE = @CSCOPE@
CTAGS = @CTAGS@
CYGPATH_W = @CYGPATH_W@
DATA_VERSION = @DATA_VERSION@
DEFS = @DEFS@
@@ -250,8 +251,10 @@ ECHO_C = @ECHO_C@
ECHO_N = @ECHO_N@
ECHO_T = @ECHO_T@
EGREP = @EGREP@
ETAGS = @ETAGS@
EXEEXT = @EXEEXT@
FGREP = @FGREP@
FILECMD = @FILECMD@
GETTEXT_DOMAIN = @GETTEXT_DOMAIN@
GETTEXT_MACRO_VERSION = @GETTEXT_MACRO_VERSION@
GIT_BRANCH = @GIT_BRANCH@
@@ -259,6 +262,7 @@ GIT_VERSION = @GIT_VERSION@
GMSGFMT = @GMSGFMT@
GMSGFMT_015 = @GMSGFMT_015@
GREP = @GREP@
HTTPD_GROUP = @HTTPD_GROUP@
INI_CFLAGS = @INI_CFLAGS@
INI_LIBS = @INI_LIBS@
INSTALL = @INSTALL@
@@ -271,9 +275,12 @@ INTL_MACOSX_LIBS = @INTL_MACOSX_LIBS@
IPAPLATFORM = @IPAPLATFORM@
IPA_DATA_DIR = @IPA_DATA_DIR@
IPA_SYSCONF_DIR = @IPA_SYSCONF_DIR@
JANSSON_CFLAGS = @JANSSON_CFLAGS@
JANSSON_LIBS = @JANSSON_LIBS@
JSLINT = @JSLINT@
KRAD_LIBS = @KRAD_LIBS@
KRB5KDC_SERVICE = @KRB5KDC_SERVICE@
KRB5_BUILD_VERSION = @KRB5_BUILD_VERSION@
KRB5_CFLAGS = @KRB5_CFLAGS@
KRB5_GSSAPI_CFLAGS = @KRB5_GSSAPI_CFLAGS@
KRB5_GSSAPI_LIBS = @KRB5_GSSAPI_LIBS@
@@ -282,6 +289,8 @@ LD = @LD@
LDAP_CFLAGS = @LDAP_CFLAGS@
LDAP_LIBS = @LDAP_LIBS@
LDFLAGS = @LDFLAGS@
LIBCURL_CFLAGS = @LIBCURL_CFLAGS@
LIBCURL_LIBS = @LIBCURL_LIBS@
LIBICONV = @LIBICONV@
LIBINTL = @LIBINTL@
LIBINTL_LIBS = @LIBINTL_LIBS@
@@ -341,6 +350,8 @@ PLATFORM_PYTHON = @PLATFORM_PYTHON@
POPT_CFLAGS = @POPT_CFLAGS@
POPT_LIBS = @POPT_LIBS@
POSUB = @POSUB@
PWQUALITY_CFLAGS = @PWQUALITY_CFLAGS@
PWQUALITY_LIBS = @PWQUALITY_LIBS@
PYLINT = @PYLINT@
PYTHON = @PYTHON@
PYTHON_EXEC_PREFIX = @PYTHON_EXEC_PREFIX@
@@ -349,9 +360,12 @@ PYTHON_PLATFORM = @PYTHON_PLATFORM@
PYTHON_PREFIX = @PYTHON_PREFIX@
PYTHON_VERSION = @PYTHON_VERSION@
RANLIB = @RANLIB@
RESOLV_LIBS = @RESOLV_LIBS@
RPMLINT = @RPMLINT@
SAMBA40EXTRA_LIBPATH = @SAMBA40EXTRA_LIBPATH@
SAMBAUTIL_CFLAGS = @SAMBAUTIL_CFLAGS@
SAMBAUTIL_LIBS = @SAMBAUTIL_LIBS@
SAMBA_SECURITY_LIBS = @SAMBA_SECURITY_LIBS@
SASL_CFLAGS = @SASL_CFLAGS@
SASL_LIBS = @SASL_LIBS@
SED = @SED@
@@ -390,8 +404,10 @@ ac_ct_DUMPBIN = @ac_ct_DUMPBIN@
am__include = @am__include@
am__leading_dot = @am__leading_dot@
am__quote = @am__quote@
am__rm_f_notfound = @am__rm_f_notfound@
am__tar = @am__tar@
am__untar = @am__untar@
am__xargs_n = @am__xargs_n@
bindir = @bindir@
build = @build@
build_alias = @build_alias@
@@ -437,6 +453,7 @@ sharedstatedir = @sharedstatedir@
srcdir = @srcdir@
sysconfdir = @sysconfdir@
sysconfenvdir = @sysconfenvdir@
systemdcatalogdir = @systemdcatalogdir@
systemdsystemunitdir = @systemdsystemunitdir@
systemdtmpfilesdir = @systemdtmpfilesdir@
target_alias = @target_alias@
@@ -460,6 +477,7 @@ dist_app_DATA = \
60ipaconfig.ldif \
60basev2.ldif \
60basev3.ldif \
60basev4.ldif \
60ipadns.ldif \
60ipapk11.ldif \
60certificate-profiles.ldif \
@@ -481,17 +499,18 @@ dist_app_DATA = \
default-trust-view.ldif \
delegation.ldif \
replica-acis.ldif \
replica-prevent-time-skew.ldif \
ds-nfiles.ldif \
ds-ipa-env.conf.template \
dns.ldif \
dnssec.ldif \
domainlevel.ldif \
kerberos.ldif \
indices.ldif \
bind.ipa-ext.conf.template \
bind.ipa-options-ext.conf.template \
bind.ipa-logging-ext.conf.template \
bind.named.conf.template \
bind.openssl.cnf.template \
bind.openssl.cryptopolicy.cnf.template \
certmap.conf.template \
kdc.conf.template \
kdc_extensions.template \
@@ -523,7 +542,6 @@ dist_app_DATA = \
uuid.ldif \
modrdn-krbprinc.ldif \
entryusn.ldif \
root-autobind.ldif \
pw-logging-conf.ldif \
sudobind.ldif \
automember.ldif \
@@ -546,6 +564,11 @@ dist_app_DATA = \
ipaca_default.ini \
ipaca_customize.ini \
ipaca_softhsm2.ini \
pki-acme-configsources.conf.template \
pki-acme-database.conf.template \
pki-acme-engine.conf.template \
pki-acme-issuer.conf.template \
pki-acme-realm.conf.template \
ldbm-tuning.ldif \
$(NULL)
@@ -732,7 +755,6 @@ cscopelist-am: $(am__tagged_files)
distclean-tags:
-rm -f TAGS ID GTAGS GRTAGS GSYMS GPATH tags
distdir: $(BUILT_SOURCES)
$(MAKE) $(AM_MAKEFLAGS) distdir-am
@@ -823,8 +845,8 @@ mostlyclean-generic:
clean-generic:
distclean-generic:
-test -z "$(CONFIG_CLEAN_FILES)" || rm -f $(CONFIG_CLEAN_FILES)
-test . = "$(srcdir)" || test -z "$(CONFIG_CLEAN_VPATH_FILES)" || rm -f $(CONFIG_CLEAN_VPATH_FILES)
-$(am__rm_f) $(CONFIG_CLEAN_FILES)
-test . = "$(srcdir)" || $(am__rm_f) $(CONFIG_CLEAN_VPATH_FILES)
maintainer-clean-generic:
@echo "This command is intended for maintainers to use"
@@ -918,3 +940,10 @@ uninstall-am: uninstall-dist_appDATA uninstall-dist_kdcproxyconfDATA
# Tell versions [3.59,3.63) of GNU make to not export all variables.
# Otherwise a system limit (for SysV at least) may be exceeded.
.NOEXPORT:
# Tell GNU make to disable its built-in pattern rules.
%:: %,v
%:: RCS/%,v
%:: RCS/%
%:: s.%
%:: SCCS/s.%


@@ -1,7 +1,7 @@
# Makefile.in generated by automake 1.16.2 from Makefile.am.
# Makefile.in generated by automake 1.17 from Makefile.am.
# @configure_input@
# Copyright (C) 1994-2020 Free Software Foundation, Inc.
# Copyright (C) 1994-2024 Free Software Foundation, Inc.
# This Makefile.in is free software; the Free Software Foundation
# gives unlimited permission to copy and/or distribute it,
@@ -70,6 +70,8 @@ am__make_running_with_option = \
test $$has_opt = yes
am__make_dryrun = (target_option=n; $(am__make_running_with_option))
am__make_keepgoing = (target_option=k; $(am__make_running_with_option))
am__rm_f = rm -f $(am__rm_f_notfound)
am__rm_rf = rm -rf $(am__rm_f_notfound)
pkgdatadir = $(datadir)/@PACKAGE@
pkgincludedir = $(includedir)/@PACKAGE@
pkglibdir = $(libdir)/@PACKAGE@
@@ -155,10 +157,9 @@ am__base_list = \
sed '$$!N;$$!N;$$!N;$$!N;$$!N;$$!N;$$!N;s/\n/ /g' | \
sed '$$!N;$$!N;$$!N;$$!N;s/\n/ /g'
am__uninstall_files_from_dir = { \
test -z "$$files" \
|| { test ! -d "$$dir" && test ! -f "$$dir" && test ! -r "$$dir"; } \
|| { echo " ( cd '$$dir' && rm -f" $$files ")"; \
$(am__cd) "$$dir" && rm -f $$files; }; \
{ test ! -d "$$dir" && test ! -f "$$dir" && test ! -r "$$dir"; } \
|| { echo " ( cd '$$dir' && rm -f" $$files ")"; \
$(am__cd) "$$dir" && echo $$files | $(am__xargs_n) 40 $(am__rm_f); }; \
}
am__installdirs = "$(DESTDIR)$(appdir)"
DATA = $(app_DATA)
@@ -187,8 +188,6 @@ am__define_uniq_tagged_files = \
unique=`for i in $$list; do \
if test -f "$$i"; then echo $$i; else echo $(srcdir)/$$i; fi; \
done | $(am__uniquify_input)`
ETAGS = etags
CTAGS = ctags
DIST_SUBDIRS = $(SUBDIRS)
am__DIST_COMMON = $(srcdir)/Makefile.in
DISTFILES = $(DIST_COMMON) $(DIST_SOURCES) $(TEXINFOS) $(EXTRA_DIST)
@@ -236,6 +235,8 @@ CPP = @CPP@
CPPFLAGS = @CPPFLAGS@
CRYPTO_CFLAGS = @CRYPTO_CFLAGS@
CRYPTO_LIBS = @CRYPTO_LIBS@
CSCOPE = @CSCOPE@
CTAGS = @CTAGS@
CYGPATH_W = @CYGPATH_W@
DATA_VERSION = @DATA_VERSION@
DEFS = @DEFS@
@@ -249,8 +250,10 @@ ECHO_C = @ECHO_C@
ECHO_N = @ECHO_N@
ECHO_T = @ECHO_T@
EGREP = @EGREP@
ETAGS = @ETAGS@
EXEEXT = @EXEEXT@
FGREP = @FGREP@
FILECMD = @FILECMD@
GETTEXT_DOMAIN = @GETTEXT_DOMAIN@
GETTEXT_MACRO_VERSION = @GETTEXT_MACRO_VERSION@
GIT_BRANCH = @GIT_BRANCH@
@@ -258,6 +261,7 @@ GIT_VERSION = @GIT_VERSION@
GMSGFMT = @GMSGFMT@
GMSGFMT_015 = @GMSGFMT_015@
GREP = @GREP@
HTTPD_GROUP = @HTTPD_GROUP@
INI_CFLAGS = @INI_CFLAGS@
INI_LIBS = @INI_LIBS@
INSTALL = @INSTALL@
@@ -270,9 +274,12 @@ INTL_MACOSX_LIBS = @INTL_MACOSX_LIBS@
IPAPLATFORM = @IPAPLATFORM@
IPA_DATA_DIR = @IPA_DATA_DIR@
IPA_SYSCONF_DIR = @IPA_SYSCONF_DIR@
JANSSON_CFLAGS = @JANSSON_CFLAGS@
JANSSON_LIBS = @JANSSON_LIBS@
JSLINT = @JSLINT@
KRAD_LIBS = @KRAD_LIBS@
KRB5KDC_SERVICE = @KRB5KDC_SERVICE@
KRB5_BUILD_VERSION = @KRB5_BUILD_VERSION@
KRB5_CFLAGS = @KRB5_CFLAGS@
KRB5_GSSAPI_CFLAGS = @KRB5_GSSAPI_CFLAGS@
KRB5_GSSAPI_LIBS = @KRB5_GSSAPI_LIBS@
@@ -281,6 +288,8 @@ LD = @LD@
LDAP_CFLAGS = @LDAP_CFLAGS@
LDAP_LIBS = @LDAP_LIBS@
LDFLAGS = @LDFLAGS@
LIBCURL_CFLAGS = @LIBCURL_CFLAGS@
LIBCURL_LIBS = @LIBCURL_LIBS@
LIBICONV = @LIBICONV@
LIBINTL = @LIBINTL@
LIBINTL_LIBS = @LIBINTL_LIBS@
@@ -340,6 +349,8 @@ PLATFORM_PYTHON = @PLATFORM_PYTHON@
POPT_CFLAGS = @POPT_CFLAGS@
POPT_LIBS = @POPT_LIBS@
POSUB = @POSUB@
PWQUALITY_CFLAGS = @PWQUALITY_CFLAGS@
PWQUALITY_LIBS = @PWQUALITY_LIBS@
PYLINT = @PYLINT@
PYTHON = @PYTHON@
PYTHON_EXEC_PREFIX = @PYTHON_EXEC_PREFIX@
@@ -348,9 +359,12 @@ PYTHON_PLATFORM = @PYTHON_PLATFORM@
PYTHON_PREFIX = @PYTHON_PREFIX@
PYTHON_VERSION = @PYTHON_VERSION@
RANLIB = @RANLIB@
RESOLV_LIBS = @RESOLV_LIBS@
RPMLINT = @RPMLINT@
SAMBA40EXTRA_LIBPATH = @SAMBA40EXTRA_LIBPATH@
SAMBAUTIL_CFLAGS = @SAMBAUTIL_CFLAGS@
SAMBAUTIL_LIBS = @SAMBAUTIL_LIBS@
SAMBA_SECURITY_LIBS = @SAMBA_SECURITY_LIBS@
SASL_CFLAGS = @SASL_CFLAGS@
SASL_LIBS = @SASL_LIBS@
SED = @SED@
@@ -389,8 +403,10 @@ ac_ct_DUMPBIN = @ac_ct_DUMPBIN@
am__include = @am__include@
am__leading_dot = @am__leading_dot@
am__quote = @am__quote@
am__rm_f_notfound = @am__rm_f_notfound@
am__tar = @am__tar@
am__untar = @am__untar@
am__xargs_n = @am__xargs_n@
bindir = @bindir@
build = @build@
build_alias = @build_alias@
@@ -436,6 +452,7 @@ sharedstatedir = @sharedstatedir@
srcdir = @srcdir@
sysconfdir = @sysconfdir@
sysconfenvdir = @sysconfenvdir@
systemdcatalogdir = @systemdcatalogdir@
systemdsystemunitdir = @systemdsystemunitdir@
systemdtmpfilesdir = @systemdtmpfilesdir@
target_alias = @target_alias@
@@ -613,7 +630,6 @@ cscopelist-am: $(am__tagged_files)
distclean-tags:
-rm -f TAGS ID GTAGS GRTAGS GSYMS GPATH tags
distdir: $(BUILT_SOURCES)
$(MAKE) $(AM_MAKEFLAGS) distdir-am
@@ -704,8 +720,8 @@ mostlyclean-generic:
clean-generic:
distclean-generic:
-test -z "$(CONFIG_CLEAN_FILES)" || rm -f $(CONFIG_CLEAN_FILES)
-test . = "$(srcdir)" || test -z "$(CONFIG_CLEAN_VPATH_FILES)" || rm -f $(CONFIG_CLEAN_VPATH_FILES)
-$(am__rm_f) $(CONFIG_CLEAN_FILES)
-test . = "$(srcdir)" || $(am__rm_f) $(CONFIG_CLEAN_VPATH_FILES)
maintainer-clean-generic:
@echo "This command is intended for maintainers to use"
@@ -798,3 +814,10 @@ uninstall-am: uninstall-appDATA
# Tell versions [3.59,3.63) of GNU make to not export all variables.
# Otherwise a system limit (for SysV at least) may be exceeded.
.NOEXPORT:
# Tell GNU make to disable its built-in pattern rules.
%:: %,v
%:: RCS/%,v
%:: RCS/%
%:: s.%
%:: SCCS/s.%


@@ -1,7 +1,7 @@
# Makefile.in generated by automake 1.16.2 from Makefile.am.
# Makefile.in generated by automake 1.17 from Makefile.am.
# @configure_input@
# Copyright (C) 1994-2020 Free Software Foundation, Inc.
# Copyright (C) 1994-2024 Free Software Foundation, Inc.
# This Makefile.in is free software; the Free Software Foundation
# gives unlimited permission to copy and/or distribute it,
@@ -70,6 +70,8 @@ am__make_running_with_option = \
test $$has_opt = yes
am__make_dryrun = (target_option=n; $(am__make_running_with_option))
am__make_keepgoing = (target_option=k; $(am__make_running_with_option))
am__rm_f = rm -f $(am__rm_f_notfound)
am__rm_rf = rm -rf $(am__rm_f_notfound)
pkgdatadir = $(datadir)/@PACKAGE@
pkgincludedir = $(includedir)/@PACKAGE@
pkglibdir = $(libdir)/@PACKAGE@
@@ -147,10 +149,9 @@ am__base_list = \
sed '$$!N;$$!N;$$!N;$$!N;$$!N;$$!N;$$!N;s/\n/ /g' | \
sed '$$!N;$$!N;$$!N;$$!N;s/\n/ /g'
am__uninstall_files_from_dir = { \
test -z "$$files" \
|| { test ! -d "$$dir" && test ! -f "$$dir" && test ! -r "$$dir"; } \
|| { echo " ( cd '$$dir' && rm -f" $$files ")"; \
$(am__cd) "$$dir" && rm -f $$files; }; \
{ test ! -d "$$dir" && test ! -f "$$dir" && test ! -r "$$dir"; } \
|| { echo " ( cd '$$dir' && rm -f" $$files ")"; \
$(am__cd) "$$dir" && echo $$files | $(am__xargs_n) 40 $(am__rm_f); }; \
}
am__installdirs = "$(DESTDIR)$(appdir)"
DATA = $(app_DATA)
@@ -176,6 +177,8 @@ CPP = @CPP@
CPPFLAGS = @CPPFLAGS@
CRYPTO_CFLAGS = @CRYPTO_CFLAGS@
CRYPTO_LIBS = @CRYPTO_LIBS@
CSCOPE = @CSCOPE@
CTAGS = @CTAGS@
CYGPATH_W = @CYGPATH_W@
DATA_VERSION = @DATA_VERSION@
DEFS = @DEFS@
@@ -189,8 +192,10 @@ ECHO_C = @ECHO_C@
ECHO_N = @ECHO_N@
ECHO_T = @ECHO_T@
EGREP = @EGREP@
ETAGS = @ETAGS@
EXEEXT = @EXEEXT@
FGREP = @FGREP@
FILECMD = @FILECMD@
GETTEXT_DOMAIN = @GETTEXT_DOMAIN@
GETTEXT_MACRO_VERSION = @GETTEXT_MACRO_VERSION@
GIT_BRANCH = @GIT_BRANCH@
@@ -198,6 +203,7 @@ GIT_VERSION = @GIT_VERSION@
GMSGFMT = @GMSGFMT@
GMSGFMT_015 = @GMSGFMT_015@
GREP = @GREP@
HTTPD_GROUP = @HTTPD_GROUP@
INI_CFLAGS = @INI_CFLAGS@
INI_LIBS = @INI_LIBS@
INSTALL = @INSTALL@
@@ -210,9 +216,12 @@ INTL_MACOSX_LIBS = @INTL_MACOSX_LIBS@
IPAPLATFORM = @IPAPLATFORM@
IPA_DATA_DIR = @IPA_DATA_DIR@
IPA_SYSCONF_DIR = @IPA_SYSCONF_DIR@
JANSSON_CFLAGS = @JANSSON_CFLAGS@
JANSSON_LIBS = @JANSSON_LIBS@
JSLINT = @JSLINT@
KRAD_LIBS = @KRAD_LIBS@
KRB5KDC_SERVICE = @KRB5KDC_SERVICE@
KRB5_BUILD_VERSION = @KRB5_BUILD_VERSION@
KRB5_CFLAGS = @KRB5_CFLAGS@
KRB5_GSSAPI_CFLAGS = @KRB5_GSSAPI_CFLAGS@
KRB5_GSSAPI_LIBS = @KRB5_GSSAPI_LIBS@
@@ -221,6 +230,8 @@ LD = @LD@
LDAP_CFLAGS = @LDAP_CFLAGS@
LDAP_LIBS = @LDAP_LIBS@
LDFLAGS = @LDFLAGS@
LIBCURL_CFLAGS = @LIBCURL_CFLAGS@
LIBCURL_LIBS = @LIBCURL_LIBS@
LIBICONV = @LIBICONV@
LIBINTL = @LIBINTL@
LIBINTL_LIBS = @LIBINTL_LIBS@
@@ -280,6 +291,8 @@ PLATFORM_PYTHON = @PLATFORM_PYTHON@
POPT_CFLAGS = @POPT_CFLAGS@
POPT_LIBS = @POPT_LIBS@
POSUB = @POSUB@
PWQUALITY_CFLAGS = @PWQUALITY_CFLAGS@
PWQUALITY_LIBS = @PWQUALITY_LIBS@
PYLINT = @PYLINT@
PYTHON = @PYTHON@
PYTHON_EXEC_PREFIX = @PYTHON_EXEC_PREFIX@
@@ -288,9 +301,12 @@ PYTHON_PLATFORM = @PYTHON_PLATFORM@
PYTHON_PREFIX = @PYTHON_PREFIX@
PYTHON_VERSION = @PYTHON_VERSION@
RANLIB = @RANLIB@
RESOLV_LIBS = @RESOLV_LIBS@
RPMLINT = @RPMLINT@
SAMBA40EXTRA_LIBPATH = @SAMBA40EXTRA_LIBPATH@
SAMBAUTIL_CFLAGS = @SAMBAUTIL_CFLAGS@
SAMBAUTIL_LIBS = @SAMBAUTIL_LIBS@
SAMBA_SECURITY_LIBS = @SAMBA_SECURITY_LIBS@
SASL_CFLAGS = @SASL_CFLAGS@
SASL_LIBS = @SASL_LIBS@
SED = @SED@
@@ -329,8 +345,10 @@ ac_ct_DUMPBIN = @ac_ct_DUMPBIN@
am__include = @am__include@
am__leading_dot = @am__leading_dot@
am__quote = @am__quote@
am__rm_f_notfound = @am__rm_f_notfound@
am__tar = @am__tar@
am__untar = @am__untar@
am__xargs_n = @am__xargs_n@
bindir = @bindir@
build = @build@
build_alias = @build_alias@
@@ -376,6 +394,7 @@ sharedstatedir = @sharedstatedir@
srcdir = @srcdir@
sysconfdir = @sysconfdir@
sysconfenvdir = @sysconfenvdir@
systemdcatalogdir = @systemdcatalogdir@
systemdsystemunitdir = @systemdsystemunitdir@
systemdtmpfilesdir = @systemdtmpfilesdir@
target_alias = @target_alias@
@@ -460,7 +479,6 @@ ctags CTAGS:
cscope cscopelist:
distdir: $(BUILT_SOURCES)
$(MAKE) $(AM_MAKEFLAGS) distdir-am
@@ -525,8 +543,8 @@ mostlyclean-generic:
clean-generic:
distclean-generic:
-test -z "$(CONFIG_CLEAN_FILES)" || rm -f $(CONFIG_CLEAN_FILES)
-test . = "$(srcdir)" || test -z "$(CONFIG_CLEAN_VPATH_FILES)" || rm -f $(CONFIG_CLEAN_VPATH_FILES)
-$(am__rm_f) $(CONFIG_CLEAN_FILES)
-test . = "$(srcdir)" || $(am__rm_f) $(CONFIG_CLEAN_VPATH_FILES)
maintainer-clean-generic:
@echo "This command is intended for maintainers to use"
@@ -618,3 +636,10 @@ uninstall-am: uninstall-appDATA
# Tell versions [3.59,3.63) of GNU make to not export all variables.
# Otherwise a system limit (for SysV at least) may be exceeded.
.NOEXPORT:
# Tell GNU make to disable its built-in pattern rules.
%:: %,v
%:: RCS/%,v
%:: RCS/%
%:: s.%
%:: SCCS/s.%


@@ -0,0 +1,91 @@
channel named {
file "${NAMED_DATA_DIR}named.log" versions 10 size 20M;
severity info;
print-time yes;
print-category yes;
print-severity yes;
};
channel security {
file "${NAMED_DATA_DIR}security.log" versions 10 size 20M;
severity info;
print-time yes;
print-severity yes;
};
channel dnssec {
file "${NAMED_DATA_DIR}dnssec.log" versions 10 size 20M;
severity info;
print-time yes;
print-severity yes;
};
channel resolver {
file "${NAMED_DATA_DIR}resolver.log" versions 10 size 20M;
severity info;
print-time yes;
print-severity yes;
};
channel query_log {
file "${NAMED_DATA_DIR}query.log" versions 10 size 80M;
severity info;
print-time yes;
print-severity yes;
};
channel query_error {
file "${NAMED_DATA_DIR}query_errors.log" versions 10 size 20M;
severity info;
print-time yes;
print-severity yes;
};
channel lame_servers {
file "${NAMED_DATA_DIR}lame-servers.log" versions 10 size 20M;
severity info;
print-time yes;
print-severity yes;
};
channel capacity {
file "${NAMED_DATA_DIR}capacity.log" versions 10 size 20M;
severity info;
print-time yes;
print-severity yes;
};
channel database {
file "${NAMED_DATA_DIR}database.log" versions 10 size 20M;
severity info;
print-time yes;
print-severity yes;
};
channel update {
file "${NAMED_DATA_DIR}update.log" versions 10 size 10M;
severity info;
print-time yes;
print-severity yes;
};
category default { default_syslog; named; };
category general { default_syslog; named; };
category security { security; };
category queries { query_log; };
category query-errors { query_error; };
category lame-servers { lame_servers; };
category dnssec { dnssec; };
category edns-disabled { default_syslog; resolver; };
category config { default_syslog; named; };
category resolver { resolver; };
category cname { resolver; };
category spill { capacity; };
category rate-limit { capacity; };
category database { database; };
category client { default_syslog; named; };
category network { default_syslog; named; };
category unmatched { named; };
category delegation-only { named; };
category update { default_syslog; update; };
category update-security { default_syslog; update; };
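Review bot: `category security { security; };` sends BIND's security category (approval and denial of requests) only to the `security` file channel, while `update-security` two lines below goes to `default_syslog` as well. Security events that never reach syslog are invisible to journal-based collection and forwarding, so `category security { default_syslog; security; };` keeps them in the same pipeline as the rest of named's logging. `print-category yes` is set only on the `named` channel; since every other channel receives a single category that is fine, but a one-line comment saying so would stop the next editor from "fixing" the asymmetry. The template has no header comment; one stating that `${NAMED_DATA_DIR}` is substituted at install time would match the other bind templates in this commit.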


@@ -4,6 +4,7 @@
*
*
* - $NAMED_CUSTOM_OPTIONS_CONF (for options)
* - $NAMED_LOGGING_OPTIONS_CONF (for logging options)
* - $NAMED_CUSTOM_CONF (all other settings)
*/
@@ -37,6 +38,7 @@ logging {
severity dynamic;
print-time yes;
};
include "$NAMED_LOGGING_OPTIONS_CONF";
};
${NAMED_ZONE_COMMENT}zone "." IN {
@@ -55,6 +57,6 @@ dyndb "ipa" "$BIND_LDAP_SO" {
base "cn=dns,$SUFFIX";
server_id "$FQDN";
auth_method "sasl";
sasl_mech "GSSAPI";
sasl_user "DNS/$FQDN";
sasl_mech "EXTERNAL";
krb5_keytab "FILE:$NAMED_KEYTAB";
};
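Review bot: With `sasl_mech "EXTERNAL"` replacing GSSAPI (and `sasl_user` gone), the `krb5_keytab "FILE:$NAMED_KEYTAB";` line that now follows it reads as a leftover of the old mechanism — a keytab is how a GSSAPI bind obtains credentials, while EXTERNAL normally takes the identity from the transport (LDAPI peer credentials or a TLS client certificate). If the plugin still consumes the keytab for another purpose, say so in a comment, e.g. `# keytab is not used for the LDAP bind (EXTERNAL); needed for <purpose>`; otherwise drop the line so the configuration does not imply the keytab is part of the bind path. The `dyndb` block begins outside this hunk, so the connection URI and whether EXTERNAL can map the peer identity on it cannot be checked here.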


@@ -0,0 +1,14 @@
# OpenSSL configuration file
# File generated by IPA instalation
openssl_conf = openssl_init
[openssl_init]
engines = engine_section
[engine_section]
$OPENSSL_ENGINE = ${OPENSSL_ENGINE}_section
[${OPENSSL_ENGINE}_section]
engine_id = $OPENSSL_ENGINE
MODULE_PATH = $SOFTHSM_MODULE
init=0
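Review bot: The header comment has a typo, `# File generated by IPA instalation` → `# File generated by IPA installation`; the same line appears in the crypto-policy variant of this template in the next section. The engine block registers the `$OPENSSL_ENGINE` engine against `$SOFTHSM_MODULE` with `init=0`, presumably so the engine is loaded but not initialised until first use; a comment stating that, and that the ENGINE API is deprecated in OpenSSL 3 in favour of providers, would help whoever maintains this when the PKCS#11 provider route becomes the default.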


@@ -0,0 +1,21 @@
# OpenSSL configuration file
# File generated by IPA instalation
openssl_conf = openssl_init
[openssl_init]
ssl_conf = ssl_configuration
engines = engine_section
[ssl_configuration]
system_default = crypto_policy
[crypto_policy]
.include $CRYPTO_POLICY_FILE
[engine_section]
$OPENSSL_ENGINE = ${OPENSSL_ENGINE}_section
[${OPENSSL_ENGINE}_section]
engine_id = $OPENSSL_ENGINE
MODULE_PATH = $SOFTHSM_MODULE
init=0
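Review bot: Nothing explains when this variant is chosen over the plain `bind.openssl.cnf.template` — the only difference is the `ssl_conf`/`.include $CRYPTO_POLICY_FILE` block that applies the system crypto policy to named's TLS defaults. A header comment naming the selection criterion (presumably whether the platform ships a policy file at `$CRYPTO_POLICY_FILE`) would keep the two templates from drifting apart, since any later engine change has to be made in both. `.include` of an empty or missing path makes OpenSSL fail to load the file, so the installer should only pick this template when the substituted path exists.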


@@ -167,6 +167,12 @@ objectClass: nsContainer
objectClass: top
cn: posix-ids
dn: cn=subordinate-ids,cn=dna,cn=ipa,cn=etc,$SUFFIX
changetype: add
objectClass: nsContainer
objectClass: top
cn: subordinate-ids
dn: cn=ca_renewal,cn=ipa,cn=etc,$SUFFIX
changetype: add
objectClass: nsContainer
@@ -233,6 +239,7 @@ objectClass: ipasshuser
uid: admin
krbPrincipalName: admin@$REALM
krbPrincipalName: root@$REALM
krbCanonicalName: admin@$REALM
cn: Administrator
sn: Administrator
uidNumber: $IDSTART
@@ -476,6 +483,22 @@ ipaBaseID: $IDSTART
ipaIDRangeSize: $IDRANGE_SIZE
ipaRangeType: ipa-local
dn: cn=${REALM}_subid_range,cn=ranges,cn=etc,$SUFFIX
changetype: add
objectClass: top
objectClass: ipaIDrange
objectClass: ipaTrustedADDomainRange
cn: ${REALM}_subid_range
ipaBaseID: eval($SUBID_RANGE_START)
ipaIDRangeSize: eval($SUBID_RANGE_SIZE)
# HACK: RIDs to work around adtrust sidgen issue
ipaBaseRID: eval($SUBID_BASE_RID)
# 738065-838566 = IPA-SUB
ipaNTTrustedDomainSID: S-1-5-21-738065-838566-$DOMAIN_HASH
# HACK: "ipa-local-subid" range type causes issues with older SSSD clients
# see https://github.com/SSSD/sssd/issues/5571
ipaRangeType: ipa-ad-trust
dn: cn=ca,$SUFFIX
changetype: add
objectClass: nsContainer
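Review bot: `krbPrincipalName: root@$REALM` on the admin entry gives the built-in administrator a second principal name that default `auth_to_local` handling maps to the local `root` account; nothing here records why the alias is needed. A comment above the line, e.g. `# alias so that <consumer> can authenticate as root@REALM; see <ticket placeholder>`, would let a later reviewer of the admin entry distinguish an intended alias from a stray one. The side of this line is not marked on the rendered page; the hunk counts (6 → 7) show one addition and this is the only line that looks new.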


@@ -4,12 +4,12 @@ server_socket = $IPA_CUSTODIA_SOCKET
auditlog = $IPA_CUSTODIA_AUDIT_LOG
[auth:simple]
handler = custodia.httpd.authenticators.SimpleCredsAuth
handler = ipaserver.custodia.httpd.authenticators.SimpleCredsAuth
uid = $UID
gid = $GID
[auth:header]
handler = custodia.httpd.authenticators.SimpleHeaderAuth
handler = ipaserver.custodia.httpd.authenticators.SimpleHeaderAuth
header = GSS_NAME
[authz:kemkeys]
@@ -23,6 +23,6 @@ handler = ipaserver.secrets.store.IPASecStore
ldap_uri = $LDAP_URI
[/keys]
handler = custodia.secrets.Secrets
handler = ipaserver.custodia.secrets.Secrets
allowed_keytypes = kem
store = ipa
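Review bot: The three handlers now resolve to `ipaserver.custodia.*` instead of the external `custodia` package, so the secrets daemon's peer-credential auth (`[auth:simple]` uid/gid), `GSS_NAME` header auth and the `/keys` endpoint come from the in-tree copy. A one-line comment at the top of the template, `# handlers come from the vendored ipaserver.custodia; the standalone custodia package is no longer used`, would make that dependency change explicit for packagers and for anyone tracking security fixes in the upstream package. Whether the vendored modules behave exactly like the ones they replace is outside this file.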


@@ -307,3 +307,11 @@ dn: $SUFFIX
changetype: modify
add: aci
aci: (targetattr = "objectclass")(target = "ldap:///cn=certificate remove hold,cn=virtual operations,cn=etc,$SUFFIX" )(version 3.0 ; acl "permission:Certificate Remove Hold"; allow (write) groupdn = "ldap:///cn=Certificate Remove Hold,cn=permissions,cn=pbac,$SUFFIX";)
dn: cn=External IdP server Administrators,cn=privileges,cn=pbac,$SUFFIX
changetype: add
objectClass: top
objectClass: groupofnames
objectClass: nestedgroup
cn: External IdP server Administrators
description: External IdP server Administrators
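Review bot: The new privilege's `description` merely repeats its `cn`; a description saying what the privilege grants (`description: Manage external Identity Provider server definitions`, or whatever matches the permissions it is attached to) is what `ipa privilege-find` shows to administrators deciding whom to assign it to. No `member` attribute or permission membership appears in the hunk, so whether any permission is actually bound to the privilege has to be confirmed elsewhere in the commit.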


@@ -16,6 +16,23 @@ dnaThreshold: 500
dnaSharedCfgDN: cn=posix-ids,cn=dna,cn=ipa,cn=etc,$SUFFIX
dnaExcludeScope: cn=provisioning,$SUFFIX
dn: cn=Subordinate IDs,cn=Distributed Numeric Assignment Plugin,cn=plugins,cn=config
changetype: add
objectclass: top
objectclass: extensibleObject
cn: Subordinate IDs
dnaType: ipasubuidnumber
dnaType: ipasubgidnumber
dnaNextValue: eval($SUBID_RANGE_START)
dnaMaxValue: eval($SUBID_RANGE_MAX)
dnaMagicRegen: -1
dnaFilter: (objectClass=ipaSubordinateId)
dnaScope: $SUFFIX
dnaThreshold: eval($SUBID_DNA_THRESHOLD)
dnaSharedCfgDN: cn=subordinate-ids,cn=dna,cn=ipa,cn=etc,$SUFFIX
dnaExcludeScope: cn=provisioning,$SUFFIX
dnaInterval: eval($SUBID_COUNT)
# Enable the DNA plugin
dn: cn=Distributed Numeric Assignment Plugin,cn=plugins,cn=config
changetype: modify
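Review bot: `dnaNextValue: eval($SUBID_RANGE_START)` and `dnaMaxValue: eval($SUBID_RANGE_MAX)` must agree with the `${REALM}_subid_range` entry in the bootstrap template, which is expressed as `$SUBID_RANGE_START` plus `$SUBID_RANGE_SIZE`; the relation between `SUBID_RANGE_MAX` and those two values is not stated in either LDIF. A comment on the dnaMaxValue line, e.g. `# must equal SUBID_RANGE_START + SUBID_RANGE_SIZE - 1 (see the subid range entry)` — with the exact formula confirmed against the code that computes these substitutions — keeps the DNA plugin from handing out IDs outside the published range. `dnaInterval: eval($SUBID_COUNT)` is the step between consecutive assignments, so a short inline note that `SUBID_COUNT` is the per-user allocation size would stop a reader from taking it for a total count.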


@@ -8,7 +8,7 @@ objectClass: top
cn: dns
ipaConfigString: DNSVersion 1
ipaDNSVersion: 2
aci: (targetattr = "*")(version 3.0; acl "Allow read access"; allow (read,search,compare) groupdn = "ldap:///cn=Read DNS Entries,cn=permissions,cn=pbac,$SUFFIX" or userattr = "parent[0,1].managedby#GROUPDN";)
aci: (targetattr = "*")(version 3.0; acl "Read DNS entries from a zone"; allow (read,search,compare) userattr = "parent[0,1].managedby#GROUPDN";)
aci: (target = "ldap:///idnsname=*,cn=dns,$SUFFIX")(version 3.0;acl "Add DNS entries in a zone";allow (add) userattr = "parent[1].managedby#GROUPDN";)
aci: (target = "ldap:///idnsname=*,cn=dns,$SUFFIX")(version 3.0;acl "Remove DNS entries from a zone";allow (delete) userattr = "parent[1].managedby#GROUPDN";)
aci: (targetattr = "a6record || aaaarecord || afsdbrecord || aplrecord || arecord || certrecord || cn || cnamerecord || dhcidrecord || dlvrecord || dnamerecord || dnsclass || dnsttl || dsrecord || hinforecord || hiprecord || idnsallowdynupdate || idnsallowquery || idnsallowsyncptr || idnsallowtransfer || idnsforwarders || idnsforwardpolicy || idnsname || idnssecinlinesigning || idnssoaexpire || idnssoaminimum || idnssoamname || idnssoarefresh || idnssoaretry || idnssoarname || idnssoaserial || idnsupdatepolicy || idnszoneactive || ipseckeyrecord || keyrecord || kxrecord || locrecord || mdrecord || minforecord || mxrecord || naptrrecord || nsecrecord || nsec3paramrecord || nsrecord || nxtrecord || ptrrecord || rprecord || rrsigrecord || sigrecord || spfrecord || srvrecord || sshfprecord || tlsarecord || txtrecord || urirecord || unknownrecord ")(target = "ldap:///idnsname=*,cn=dns,$SUFFIX")(version 3.0;acl "Update DNS entries in a zone";allow (write) userattr = "parent[0,1].managedby#GROUPDN";)
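Review bot: The replacement ACI `Read DNS entries from a zone` keeps only the `userattr = "parent[0,1].managedby#GROUPDN"` clause; the `groupdn = "ldap:///cn=Read DNS Entries,cn=permissions,cn=pbac,$SUFFIX"` clause of the old `Allow read access` ACI is gone, so after this change the `Read DNS Entries` permission no longer gets read access from this entry. That is fine if the permission is now a managed permission defined elsewhere in the commit, but a comment above the ACI (`# read access for the Read DNS Entries permission is a managed permission, see <module that defines it>`) would keep someone from re-adding the groupdn clause. Which of the two `aci:` lines is the old one is not marked on the rendered page; the 7 → 7 counts show exactly one line replaced.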


@@ -1,5 +1,7 @@
# Installed and maintained by ipa update tools, please do not modify
[Service]
Environment=LC_ALL=C.UTF-8
Environment=KRB5_KTNAME=$KRB5_KTNAME
Environment=KRB5_CLIENT_KTNAME=$KRB5_KTNAME
Environment=KRB5CCNAME=$KRB5CCNAME
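Review bot: `Environment=KRB5_CLIENT_KTNAME=$KRB5_KTNAME` makes the service's acceptor keytab also its client keytab, so libkrb5 can acquire initial credentials as the service principal on demand; nothing here says which outbound call needs that. A comment such as `# client keytab: lets the service obtain its own TGT for <outbound use>` would tell the next reader why the unit now has an initiator identity and not just an acceptor one. `Environment=LC_ALL=C.UTF-8` also looks new and deserves a word if it fixes a specific encoding problem; the hunk counts (5 → 7) show two additions but the sides are not marked on this page.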


@@ -11,8 +11,14 @@
[service/ipa-api]
mechs = krb5
cred_store = keytab:$HTTP_KEYTAB
cred_store = client_keytab:$HTTP_KEYTAB
allow_constrained_delegation = true
allow_client_ccache_sync = true
cred_usage = initiate
euid = $IPAAPI_USER
[service/ipa-sweeper]
mechs = krb5
cred_store = keytab:$HTTP_KEYTAB
socket = $SWEEPER_SOCKET
euid = $IPAAPI_USER
cred_usage = initiate
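Review bot: The new `[service/ipa-sweeper]` section hands the sweeper the HTTP keytab with `cred_usage = initiate`, the same grant as `ipa-api`, which is broader than a credential-cache cleanup job obviously needs; if it must initiate as the HTTP principal (for example to validate caches through GSSAPI rather than just unlink files), a comment on the section saying so would stop a later reviewer from "tightening" it. Suggested: `# sweeper initiates as the HTTP principal to inspect delegated ccaches; it runs under the same euid as ipa-api`. The switch of `ipa-api` from `keytab:` to `client_keytab:` is presumably what `allow_client_ccache_sync = true` relies on, but that pairing is not explained on the line either; the old/new sides of this hunk are inferred from the line counts.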


@@ -1,429 +0,0 @@
dn: cn=krbPrincipalName,cn=index,cn=userRoot,cn=ldbm database,cn=plugins,cn=config
changetype: add
objectClass:top
objectClass:nsIndex
cn:krbPrincipalName
nsSystemIndex:false
nsIndexType:eq
nsIndexType:sub
nsIndexType:pres
nsMatchingRule:caseIgnoreIA5Match
nsMatchingRule:caseExactIA5Match
dn: cn=ou,cn=index,cn=userRoot,cn=ldbm database,cn=plugins,cn=config
changetype: add
objectClass:top
objectClass:nsIndex
cn:ou
nsSystemIndex:false
nsIndexType:eq
nsIndexType:sub
dn: cn=carLicense,cn=index,cn=userRoot,cn=ldbm database,cn=plugins,cn=config
changetype: add
objectClass:top
objectClass:nsIndex
cn:carLicense
nsSystemIndex:false
nsIndexType:eq
nsIndexType:sub
dn: cn=title,cn=index,cn=userRoot,cn=ldbm database,cn=plugins,cn=config
changetype: add
objectClass:top
objectClass:nsIndex
cn:title
nsSystemIndex:false
nsIndexType:eq
nsIndexType:sub
dn: cn=manager,cn=index,cn=userRoot,cn=ldbm database,cn=plugins,cn=config
changetype: add
objectClass:top
objectClass:nsIndex
cn:manager
nsSystemIndex:false
nsIndexType:eq
nsIndexType:pres
nsIndexType:sub
dn: cn=secretary,cn=index,cn=userRoot,cn=ldbm database,cn=plugins,cn=config
changetype: add
objectClass:top
objectClass:nsIndex
cn:secretary
nsSystemIndex:false
nsIndexType:eq
nsIndexType:pres
nsIndexType:sub
dn: cn=displayname,cn=index,cn=userRoot,cn=ldbm database,cn=plugins,cn=config
changetype: add
objectClass:top
objectClass:nsIndex
cn:displayname
nsSystemIndex:false
nsIndexType:eq
nsIndexType:sub
dn: cn=uid,cn=index,cn=userRoot,cn=ldbm database,cn=plugins,cn=config
changetype: modify
add: nsIndexType
nsIndexType:sub
dn: cn=uidnumber,cn=index,cn=userRoot,cn=ldbm database,cn=plugins,cn=config
changetype: add
objectClass:top
objectClass:nsIndex
cn:uidnumber
nsSystemIndex:false
nsIndexType:eq
nsMatchingRule: integerOrderingMatch
dn: cn=gidnumber,cn=index,cn=userRoot,cn=ldbm database,cn=plugins,cn=config
changetype: add
objectClass:top
objectClass:nsIndex
cn:gidnumber
nsSystemIndex:false
nsIndexType:eq
nsMatchingRule: integerOrderingMatch
dn: cn=ntUniqueId,cn=index,cn=userRoot,cn=ldbm database,cn=plugins,cn=config
changetype: modify
replace: nsIndexType
nsIndexType: eq
nsIndexType: pres
dn: cn=ntUserDomainId,cn=index,cn=userRoot,cn=ldbm database,cn=plugins,cn=config
changetype: modify
replace: nsIndexType
nsIndexType: eq
nsIndexType: pres
dn: cn=fqdn,cn=index,cn=userRoot,cn=ldbm database,cn=plugins,cn=config
changetype: add
ObjectClass: top
ObjectClass: nsIndex
cn: fqdn
nsSystemIndex: false
nsIndexType: eq
nsIndexType: pres
nsIndexType: sub
dn: cn=macAddress,cn=index,cn=userRoot,cn=ldbm database,cn=plugins,cn=config
changetype: add
ObjectClass: top
ObjectClass: nsIndex
cn: macAddress
nsSystemIndex: false
nsIndexType: eq
nsIndexType: pres
dn: cn=memberHost,cn=index,cn=userRoot,cn=ldbm database,cn=plugins,cn=config
changetype: add
cn: memberHost
ObjectClass: top
ObjectClass: nsIndex
nsSystemIndex: false
nsIndexType: eq
nsIndexType: pres
nsIndexType: sub
dn: cn=memberUser,cn=index,cn=userRoot,cn=ldbm database,cn=plugins,cn=config
changetype: add
cn: memberUser
ObjectClass: top
ObjectClass: nsIndex
nsSystemIndex: false
nsIndexType: eq
nsIndexType: pres
nsIndexType: sub
dn: cn=sourcehost,cn=index,cn=userRoot,cn=ldbm database,cn=plugins,cn=config
changetype: add
cn: sourcehost
ObjectClass: top
ObjectClass: nsIndex
nsSystemIndex: false
nsIndexType: eq
nsIndexType: pres
nsIndexType: sub
dn: cn=memberservice,cn=index,cn=userRoot,cn=ldbm database,cn=plugins,cn=config
changetype: add
cn: memberservice
ObjectClass: top
ObjectClass: nsIndex
nsSystemIndex: false
nsIndexType: eq
nsIndexType: pres
nsIndexType: sub
dn: cn=managedby,cn=index,cn=userRoot,cn=ldbm database,cn=plugins,cn=config
changetype: add
cn: managedby
ObjectClass: top
ObjectClass: nsIndex
nsSystemIndex: false
nsIndexType: eq
nsIndexType: pres
nsIndexType: sub
dn: cn=memberallowcmd,cn=index,cn=userRoot,cn=ldbm database,cn=plugins,cn=config
changetype: add
cn: memberallowcmd
ObjectClass: top
ObjectClass: nsIndex
nsSystemIndex: false
nsIndexType: eq
nsIndexType: pres
nsIndexType: sub
dn: cn=memberdenycmd,cn=index,cn=userRoot,cn=ldbm database,cn=plugins,cn=config
changetype: add
cn: memberdenycmd
ObjectClass: top
ObjectClass: nsIndex
nsSystemIndex: false
nsIndexType: eq
nsIndexType: pres
nsIndexType: sub
dn: cn=ipasudorunas,cn=index,cn=userRoot,cn=ldbm database,cn=plugins,cn=config
changetype: add
cn: ipasudorunas
ObjectClass: top
ObjectClass: nsIndex
nsSystemIndex: false
nsIndexType: eq
nsIndexType: pres
nsIndexType: sub
dn: cn=ipasudorunasgroup,cn=index,cn=userRoot,cn=ldbm database,cn=plugins,cn=config
changetype: add
cn: ipasudorunasgroup
ObjectClass: top
ObjectClass: nsIndex
nsSystemIndex: false
nsIndexType: eq
nsIndexType: pres
nsIndexType: sub
dn: cn=automountkey,cn=index,cn=userRoot,cn=ldbm database,cn=plugins,cn=config
changetype: add
cn: automountkey
ObjectClass: top
ObjectClass: nsIndex
nsSystemIndex: false
nsIndexType: eq
nsIndexType: pres
dn: cn=automountMapName,cn=index,cn=userRoot,cn=ldbm database,cn=plugins,cn=config
changetype: add
cn: automountMapName
ObjectClass: top
ObjectClass: nsIndex
nsSystemIndex: false
nsIndexType: eq
dn: cn=ipaConfigString,cn=index,cn=userRoot,cn=ldbm database,cn=plugins,cn=config
changetype: add
cn: ipaConfigString
objectClass:top
objectClass:nsIndex
nsSystemIndex: false
nsIndexType: eq
dn: cn=ipaEnabledFlag,cn=index,cn=userRoot,cn=ldbm database,cn=plugins,cn=config
changetype: add
cn: ipaEnabledFlag
objectClass:top
objectClass:nsIndex
nsSystemIndex: false
nsIndexType: eq
dn: cn=ipaKrbAuthzData,cn=index,cn=userRoot,cn=ldbm database,cn=plugins,cn=config
changetype: add
cn: ipaKrbAuthzData
objectClass: top
objectClass: nsIndex
nsSystemIndex: false
nsIndexType: eq
nsIndexType: sub
dn: cn=ipakrbprincipalalias,cn=index,cn=userRoot,cn=ldbm database,cn=plugins,cn=config
changetype: add
cn: ipakrbprincipalalias
ObjectClass: top
ObjectClass: nsIndex
nsSystemIndex: false
nsIndexType: eq
dn: cn=ipauniqueid,cn=index,cn=userRoot,cn=ldbm database,cn=plugins,cn=config
changetype: add
cn: ipauniqueid
ObjectClass: top
ObjectClass: nsIndex
nsSystemIndex: false
nsIndexType: eq
dn: cn=ipaMemberCa,cn=index,cn=userRoot,cn=ldbm database,cn=plugins,cn=config
changetype: add
cn: ipaMemberCa
ObjectClass: top
ObjectClass: nsIndex
nsSystemIndex: false
nsIndexType: eq
nsIndexType: pres
nsIndexType: sub
dn: cn=ipaMemberCertProfile,cn=index,cn=userRoot,cn=ldbm database,cn=plugins,cn=config
changetype: add
cn: ipaMemberCertProfile
ObjectClass: top
ObjectClass: nsIndex
nsSystemIndex: false
nsIndexType: eq
nsIndexType: pres
nsIndexType: sub
dn: cn=userCertificate,cn=index,cn=userRoot,cn=ldbm database,cn=plugins,cn=config
changetype: add
cn: userCertificate
ObjectClass: top
ObjectClass: nsIndex
nsSystemIndex: false
nsIndexType: eq
nsIndexType: pres
dn: cn=ipalocation,cn=index,cn=userRoot,cn=ldbm database,cn=plugins,cn=config
changetype: add
cn: ipalocation
ObjectClass: top
ObjectClass: nsIndex
nsSystemIndex: false
nsIndexType: eq
nsIndexType: pres
dn: cn=krbCanonicalName,cn=index,cn=userRoot,cn=ldbm database,cn=plugins,cn=config
changetype: add
cn: krbCanonicalName
objectClass: top
objectClass: nsIndex
nsSystemIndex: false
nsIndexType: eq
nsIndexType: sub
dn: cn=serverhostname,cn=index,cn=userRoot,cn=ldbm database,cn=plugins,cn=config
changetype: add
cn: serverhostname
objectClass: top
objectClass: nsIndex
nsSystemIndex: false
nsIndexType: eq
nsIndexType: sub
dn: cn=description,cn=index,cn=userroot,cn=ldbm database,cn=plugins,cn=config
changetype: add
cn: description
objectClass: top
objectClass: nsindex
nssystemindex: false
nsindextype: eq
nsindextype: sub
dn: cn=l,cn=index,cn=userroot,cn=ldbm database,cn=plugins,cn=config
changetype: add
cn: l
objectClass: top
objectClass: nsindex
nssystemindex: false
nsindextype: eq
nsindextype: sub
dn: cn=nsOsVersion,cn=index,cn=userroot,cn=ldbm database,cn=plugins,cn=config
changetype: add
cn: nsOsVersion
objectClass: top
objectClass: nsindex
nssystemindex: false
nsindextype: eq
nsindextype: sub
dn: cn=nsHardwarePlatform,cn=index,cn=userroot,cn=ldbm database,cn=plugins,cn=config
changetype: add
cn: nsHardwarePlatform
objectClass: top
objectClass: nsindex
nssystemindex: false
nsindextype: eq
nsindextype: sub
dn: cn=nsHostLocation,cn=index,cn=userroot,cn=ldbm database,cn=plugins,cn=config
changetype: add
cn: nsHostLocation
objectClass: top
objectClass: nsindex
nssystemindex: false
nsindextype: eq
nsindextype: sub
# NOTE: There is no index on ipServiceProtocol because the index would have
# poor selectivity. An ipService entry has either 'tcp' or 'udp' as protocol.
dn: cn=ipServicePort,cn=index,cn=userRoot,cn=ldbm database,cn=plugins,cn=config
changetype: add
cn: ipServicePort
objectClass: top
objectClass: nsIndex
nsSystemIndex: false
nsIndexType: eq
dn: cn=accessRuleType,cn=index,cn=userRoot,cn=ldbm database,cn=plugins,cn=config
changetype: add
cn: accessRuleType
objectClass:top
objectClass:nsIndex
nsSystemIndex: false
nsIndexType: eq
dn: cn=hostCategory,cn=index,cn=userRoot,cn=ldbm database,cn=plugins,cn=config
changetype: add
cn: hostCategory
objectClass:top
objectClass:nsIndex
nsSystemIndex: false
nsIndexType: eq
dn: cn=idnsName,cn=index,cn=userRoot,cn=ldbm database,cn=plugins,cn=config
changetype: add
cn: idnsName
objectClass: top
objectClass: nsIndex
nsSystemIndex: false
nsIndexType: eq
dn: cn=ipaCertmapData,cn=index,cn=userRoot,cn=ldbm database,cn=plugins,cn=config
changetype: add
cn: ipaCertmapData
objectClass: top
objectClass: nsIndex
nsSystemIndex: false
nsIndexType: eq
dn: cn=altSecurityIdentities,cn=index,cn=userRoot,cn=ldbm database,cn=plugins,cn=config
changetype: add
cn: altSecurityIdentities
objectClass: top
objectClass: nsIndex
nsSystemIndex: false
nsIndexType: eq
dn: cn=memberManager,cn=index,cn=userRoot,cn=ldbm database,cn=plugins,cn=config
changetype: add
cn: memberManager
objectClass: top
objectClass: nsIndex
nsSystemIndex: false
nsIndexType: eq
nsIndexType: pres


@@ -19,14 +19,11 @@
WSGIDaemonProcess kdcproxy processes=2 threads=15 maximum-requests=5000 \
user=kdcproxy group=kdcproxy display-name=%{GROUP}
WSGIImportScript /usr/share/ipa/kdcproxy.wsgi \
process-group=kdcproxy application-group=kdcproxy
WSGIScriptAlias /KdcProxy /usr/share/ipa/kdcproxy.wsgi
WSGIScriptAlias /KdcProxy /usr/share/ipa/kdcproxy.wsgi \
process-group=kdcproxy application-group=%{GLOBAL}
WSGIScriptReloading Off
<Location "/KdcProxy">
Satisfy Any
Require all granted
WSGIProcessGroup kdcproxy
WSGIApplicationGroup kdcproxy
</Location>
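Review bot: `application-group=%{GLOBAL}` on the `WSGIScriptAlias` moves kdcproxy out of a mod_wsgi sub-interpreter into the main interpreter of the `kdcproxy` daemon processes, and nothing on the line records why; add `# %{GLOBAL}: run in the daemon's main interpreter (sub-interpreters are unsafe for some C extensions)`, hedged as my reading of the intent. Because the daemon group is already a dedicated `user=kdcproxy group=kdcproxy` process, the only isolation given up is from other WSGI apps in those same processes, so this looks acceptable. `Satisfy Any` is a 2.2-era directive that does nothing next to `Require all granted`; the unauthenticated access itself is expected for a KDC proxy, which clients reach before they hold any credential.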


@@ -1,4 +1,4 @@
# VERSION 15 - DO NOT REMOVE THIS LINE
# VERSION 17 - DO NOT REMOVE THIS LINE
ProxyRequests Off
@@ -11,7 +11,7 @@ ProxyRequests Off
</LocationMatch>
# matches for admin port and installer
<LocationMatch "^/ca/admin/ca/getCertChain|^/ca/admin/ca/getConfigEntries|^/ca/admin/ca/getCookie|^/ca/admin/ca/getStatus|^/ca/admin/ca/securityDomainLogin|^/ca/admin/ca/getDomainXML|^/ca/admin/ca/updateNumberRange|^/ca/admin/ca/tokenAuthenticate|^/ca/admin/ca/updateNumberRange|^/ca/admin/ca/updateDomainXML|^/ca/admin/ca/updateConnector|^/ca/admin/ca/getSubsystemCert|^/kra/admin/kra/updateNumberRange|^/kra/admin/kra/getConfigEntries">
<LocationMatch "^/ca/admin/ca/getCertChain|^/ca/admin/ca/getConfigEntries|^/ca/admin/ca/getCookie|^/ca/admin/ca/getStatus|^/ca/admin/ca/securityDomainLogin|^/ca/admin/ca/getDomainXML|^/ca/admin/ca/updateNumberRange|^/ca/admin/ca/tokenAuthenticate|^/ca/admin/ca/updateNumberRange|^/ca/admin/ca/updateDomainXML|^/ca/admin/ca/updateConnector|^/ca/admin/ca/getSubsystemCert|^/kra/admin/kra/updateNumberRange|^/kra/admin/kra/getConfigEntries|^/kra/admin/kra/getStatus">
SSLOptions +StdEnvVars +ExportCertData +StrictRequire +OptRenegotiate
SSLVerifyClient none
ProxyPassMatch ajp://localhost:$DOGTAG_PORT $DOGTAG_AJP_SECRET
@@ -34,5 +34,15 @@ ProxyRequests Off
ProxyPassReverse ajp://localhost:$DOGTAG_PORT
</LocationMatch>
# Matches for ACME service
<LocationMatch "^/acme">
SSLOptions +StdEnvVars +ExportCertData +StrictRequire +OptRenegotiate
# RFC 8555 says HTTPS is REQUIRED
SSLRequireSSL
SSLVerifyClient none
ProxyPassMatch ajp://localhost:$DOGTAG_PORT
ProxyPassReverse ajp://localhost:$DOGTAG_PORT
</LocationMatch>
# Only enable this on servers that are not generating a CRL
${CLONE}RewriteRule ^/ipa/crl/MasterCRL.bin http://$FQDN/ca/ee/ca/getCRL?op=getCRL&crlIssuingPoint=MasterCRL [L,R=301,NC]
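Review bot: The ACME block's `ProxyPassMatch ajp://localhost:$DOGTAG_PORT` is the one proxied location in this hunk that does not pass `$DOGTAG_AJP_SECRET`, while the admin `LocationMatch` above does; if Tomcat's AJP connector requires the secret, every `/acme` request will be refused, and if it does not, this block silently depends on the weaker connector setting. Suggested line: `ProxyPassMatch ajp://localhost:$DOGTAG_PORT $DOGTAG_AJP_SECRET`. Separately, `^/acme` is a bare prefix that also matches paths such as `/acmeX`; `^/acme(/|$)` is tighter, although anything it catches is proxied to Dogtag either way. The `SSLRequireSSL` plus RFC 8555 comment is a good, self-documenting addition.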


@@ -1,4 +1,4 @@
# VERSION 6 - DO NOT REMOVE THIS LINE
# VERSION 7 - DO NOT REMOVE THIS LINE
RewriteEngine on
@@ -9,6 +9,7 @@ ${AUTOREDIR}RewriteRule ^/$$ https://$FQDN/ipa/ui [L,NC,R=301]
# Redirect to the fully-qualified hostname. Not redirecting to secure
# port so configuration files can be retrieved without requiring SSL.
RewriteCond %{HTTP_HOST} !^$FQDN$$ [NC]
RewriteCond %{HTTP_HOST} !^ipa-ca.$DOMAIN$$ [NC]
RewriteRule ^/ipa/(.*) http://$FQDN/ipa/$$1 [L,R=301]
# Redirect to the secure port if not displaying an error or retrieving
@@ -18,5 +19,10 @@ RewriteCond %{REQUEST_URI} !^/ipa/(errors|config|crl)
RewriteCond %{REQUEST_URI} !^/ipa/[^\?]+(\.js|\.css|\.png|\.gif|\.ico|\.woff|\.svg|\.ttf|\.eot)$$
RewriteRule ^/ipa/(.*) https://$FQDN/ipa/$$1 [L,R=301,NC]
RewriteCond %{HTTP_HOST} ^ipa-ca.$DOMAIN$$ [NC]
RewriteCond %{REQUEST_URI} !^/ipa/crl
RewriteCond %{REQUEST_URI} !^/(ca|kra|pki|acme)
RewriteRule ^/(.*) https://$FQDN/$$1 [L,R=301]
# Rewrite for plugin index, make it like it's a static file
RewriteRule ^/ipa/ui/js/freeipa/plugins.js$$ /ipa/wsgi/plugins.py [PT]
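Review bot: In both new `RewriteCond %{HTTP_HOST} ^ipa-ca.$DOMAIN$$` lines the dot before `$DOMAIN` is an unescaped regex metacharacter, so the condition also matches hosts like `ipa-caXexample.test`; write `^ipa-ca\.$DOMAIN$$` (the substituted `$DOMAIN` is presumably not regex-escaped either, but its dots only widen the match in the same harmless direction). The effect is confined to choosing a redirect target, not to authorization, so this is a correctness nit rather than a hole. The closing `RewriteRule ^/(.*) https://$FQDN/$$1 [L,R=301]` also omits `NC` while its sibling rules carry it; make it consistent or comment why case matters here.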


@@ -1,5 +1,5 @@
#
# VERSION 31 - DO NOT REMOVE THIS LINE
# VERSION 33 - DO NOT REMOVE THIS LINE
#
# This file may be overwritten on upgrades.
#
@@ -39,13 +39,12 @@ AddOutputFilterByType DEFLATE text/html text/plain text/xml \
# should really be fixed by adding this its /etc/httpd/conf.d/wsgi.conf:
WSGISocketPrefix $WSGI_PREFIX_DIR
# Configure mod_wsgi handler for /ipa
WSGIDaemonProcess ipa processes=$WSGI_PROCESSES threads=1 maximum-requests=500 \
user=ipaapi group=ipaapi display-name=%{GROUP} socket-timeout=2147483647 \
lang=C.UTF-8 locale=C.UTF-8
WSGIImportScript /usr/share/ipa/wsgi.py process-group=ipa application-group=ipa
WSGIScriptAlias /ipa /usr/share/ipa/wsgi.py
WSGIScriptAlias /ipa /usr/share/ipa/wsgi.py process-group=ipa \
application-group=%{GLOBAL}
WSGIScriptReloading Off
@@ -75,13 +74,12 @@ WSGIScriptReloading Off
GssapiImpersonate On
GssapiDelegCcacheDir $IPA_CCACHES
GssapiDelegCcachePerms mode:0660 gid:ipaapi
GssapiDelegCcachePerms mode:0660
GssapiDelegCcacheUnique On
GssapiUseS4U2Proxy on
GssapiAllowedMech krb5
Require valid-user
ErrorDocument 401 /ipa/errors/unauthorized.html
WSGIProcessGroup ipa
WSGIApplicationGroup ipa
Header always append X-Frame-Options DENY
Header always append Content-Security-Policy "frame-ancestors 'none'"
@@ -116,7 +114,8 @@ Alias /ipa/session/cookie "/usr/share/ipa/gssapi.login"
<Location "/ipa/session/login_x509">
AuthType none
GssapiDelegCcacheDir $IPA_CCACHES
GssapiDelegCcachePerms mode:0660 gid:ipaapi
GssapiDelegCcachePerms mode:0660
GssapiDelegCcacheUnique On
SSLVerifyClient require
SSLUserName SSL_CLIENT_CERT
LookupUserByCertificate On
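Review bot: Dropping `gid:ipaapi` from both `GssapiDelegCcachePerms` lines leaves the delegated credential caches under `$IPA_CCACHES` created `mode:0660` with whatever group httpd runs as, while the `ipa` daemon group still runs `user=ipaapi group=ipaapi`; the mechanism that now lets ipaapi read those caches (a setgid ccache directory, or ipaapi being placed in the httpd group) is not visible in this hunk and should be stated on the line, e.g. `# 0660 is enough because $IPA_CCACHES is setgid to the reader group (confirm)`. If the answer is "ipaapi joins the httpd group", every process in that group can read delegated Kerberos tickets, which is a wider audience than the old `gid:ipaapi` gave. Moving `/ipa` to `application-group=%{GLOBAL}` mirrors the kdcproxy change and is fine for a dedicated daemon group. The old/new sides of this hunk are inferred; no markers survive.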


@@ -85,7 +85,6 @@ pki_subsystem_key_type=%(ipa_key_type)s
pki_subsystem_token=%(pki_token_name)s
[CA]
pki_random_serial_numbers_enable=False
## caSigningCert cert-pki-ca
pki_ca_signing_key_algorithm=%(ipa_ca_key_algorithm)s
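Review bot: The line that appears to be removed is the explicit `pki_random_serial_numbers_enable=False` under `[CA]`, so the CA's serial-number mode now comes from a default outside this file; sequential serials are the weaker choice (random serials carrying at least 64 bits of entropy are what the CA/B Forum baseline requires and what blunts chosen-prefix collision attacks), so wherever the value now lives should state it and the reason. A pointer here, `# serial-number mode (random vs. sequential) is set in ipaca_default.ini`, would keep this customize file self-explanatory if that is indeed the new home. Which of the two visible lines is the old side is inferred from the -1 line count.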


@@ -2,7 +2,7 @@
# Dogtag PKI configuration file
#
# The ipaca_default.ini contains hard-coded defaults that cannot be modified
# by a user without breaking FreeIPA internals.
# by a user without breaking IPA internals.
#
# Note: "%" must be quoted as "%%".
#
@@ -40,7 +40,7 @@ pki_ca_port=%(pki_security_domain_https_port)s
# nickname and subject are hard-coded
pki_ca_signing_nickname=caSigningCert cert-pki-ca
pki_ca_signing_cert_path=%(pki_instance_configuration_path)s/external_ca.cert
pki_ca_signing_cert_path=
pki_client_admin_cert_p12=%(ipa_admin_cert_p12)s
pki_client_database_password=
@@ -67,7 +67,6 @@ pki_replication_password=
pki_enable_proxy=True
pki_ajp_secret=%(ipa_ajp_secret)s
pki_restart_configured_instance=False
pki_security_domain_hostname=%(ipa_fqdn)s
pki_security_domain_https_port=443
pki_security_domain_name=IPA
@@ -81,7 +80,6 @@ pki_skip_installation=False
pki_skip_sd_verify=False
pki_sslserver_token=internal
pki_ssl_server_token=%(pki_sslserver_token)s
pki_sslserver_nickname=Server-Cert cert-pki-ca
pki_sslserver_subject_dn=cn=%(ipa_fqdn)s,%(ipa_subject_base)s
@@ -89,14 +87,12 @@ pki_sslserver_subject_dn=cn=%(ipa_fqdn)s,%(ipa_subject_base)s
pki_subsystem_nickname=subsystemCert cert-pki-ca
pki_subsystem_subject_dn=cn=CA Subsystem,%(ipa_subject_base)s
pki_theme_enable=True
pki_theme_server_dir=/usr/share/pki/common-ui
pki_audit_group=pkiaudit
pki_group=pkiuser
pki_user=pkiuser
pki_existing=False
pki_cert_chain_path=%(pki_instance_configuration_path)s/external_ca_chain.cert
pki_cert_chain_path=
pki_cert_chain_nickname=caSigningCert External CA
pki_pkcs12_path=
@@ -110,7 +106,7 @@ pki_ca_signing_record_create=True
pki_ca_signing_serial_number=1
pki_ca_signing_subject_dn=%(ipa_ca_subject)s
pki_ca_signing_csr_path=/root/ipa.csr
pki_ca_signing_csr_path=
pki_ca_starting_crl_number=0
@@ -132,6 +128,7 @@ pki_audit_signing_nickname=auditSigningCert cert-pki-ca
pki_audit_signing_subject_dn=cn=CA Audit,%(ipa_subject_base)s
pki_share_db=False
pki_share_dbuser_dn=uid=pkidbuser,ou=people,o=ipaca
pki_master_crl_enable=True
pki_default_ocsp_uri=%(ipa_ocsp_uri)s
@@ -167,3 +164,6 @@ pki_audit_signing_subject_dn=cn=KRA Audit,%(ipa_subject_base)s
# We will use the dbuser created for the CA.
pki_share_db=True
pki_share_dbuser_dn=uid=pkidbuser,ou=people,o=ipaca
# KRA padding, set RSA-OAEP in FIPS mode
pki_use_oaep_rsa_keywrap=%(fips_use_oaep_rsa_keywrap)s
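Review bot: `pki_use_oaep_rsa_keywrap=%(fips_use_oaep_rsa_keywrap)s` with the comment "set RSA-OAEP in FIPS mode" implies non-FIPS installs keep PKCS#1 v1.5 key wrapping for the KRA, which is the padding scheme exposed to Bleichenbacher-style oracles; if OAEP is withheld outside FIPS for compatibility with older replicas or clients, the comment should say so, e.g. `# KRA key wrapping: OAEP is forced only in FIPS mode to stay compatible with pre-OAEP peers (confirm)`. The default of `fips_use_oaep_rsa_keywrap` is outside this hunk. Emptying `pki_ca_signing_csr_path` (previously `/root/ipa.csr`) and the two `*_cert_path` values changes external-CA installs in a way the file no longer documents; one line noting that the installer now supplies these paths would help.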


@@ -6,7 +6,8 @@
[realms]
$REALM = {
master_key_type = aes256-cts
master_key_type = $MASTER_KEY_TYPE
supported_enctypes = $SUPPORTED_ENCTYPES
max_life = 7d
max_renewable_life = 14d
acl_file = $KRB5KDC_KADM5_ACL


@@ -28,6 +28,8 @@ ${FIPS}krbSupportedEncSaltTypes: camellia256-cts-cmac:normal
${FIPS}krbSupportedEncSaltTypes: camellia256-cts-cmac:special
krbMaxTicketLife: 86400
krbMaxRenewableAge: 604800
krbDefaultEncSaltTypes: aes256-sha2:special
krbDefaultEncSaltTypes: aes128-sha2:special
krbDefaultEncSaltTypes: aes256-cts:special
krbDefaultEncSaltTypes: aes128-cts:special
@@ -37,6 +39,7 @@ changetype: add
objectClass: top
objectClass: nsContainer
objectClass: krbPwdPolicy
objectClass: ipaPwdPolicy
krbMinPwdLife: 3600
krbPwdMinDiffChars: 0
krbPwdMinLength: 8
@@ -45,4 +48,4 @@ krbMaxPwdLife: 7776000
krbPwdMaxFailure: 6
krbPwdFailureCountInterval: 60
krbPwdLockoutDuration: 600
passwordGraceLimit: -1
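Review bot: `passwordGraceLimit: -1` is added to the global password policy without a comment, and a negative sentinel in a template is easy to misread; if -1 means "no limit on grace logins after expiry" (my reading, the attribute's semantics are not in this hunk), the default deliberately keeps expired passwords usable for LDAP binds and admins should know to tighten it. Suggest `# -1: unlimited post-expiry grace logins (keeps prior behaviour); set to 0 or a positive count to enforce`. Listing `aes256-sha2`/`aes128-sha2` ahead of the `-cts` types in `krbDefaultEncSaltTypes` is the right order so newly set keys prefer the SHA-2 variants.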


@@ -1,5 +1,4 @@
$INCLUDES
includedir /var/lib/sss/pubconf/krb5.include.d/
[logging]
default = FILE:/var/log/krb5libs.log
@@ -19,6 +18,7 @@ $OTHER_LIBDEFAULTS
$REALM = {
kdc = $FQDN:88
master_kdc = $FQDN:88
kpasswd_server = $FQDN:464
admin_server = $FQDN:749
default_domain = $DOMAIN
pkinit_anchors = FILE:$KDC_CA_BUNDLE_PEM


@@ -8,4 +8,6 @@ memberofgroupattr: memberUser
-
add: memberofgroupattr
memberofgroupattr: memberHost
-
add: memberofgroupattr
memberofgroupattr: ipaOwner
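Review bot: Adding `ipaOwner` to `memberofgroupattr` makes the memberOf plugin write `memberOf` onto every entry named in some object's `ipaOwner`, so any ACI, HBAC rule or search filter that reads `memberOf` as "group membership" will now also match ownership links; that is a widening that should be checked against the existing ACIs, none of which are in this hunk. Record the intent on the line: `# ipaOwner: memberOf also reflects ownership; consumers keyed on memberOf must tolerate non-group values`. Which object class carries `ipaOwner` is not visible here, so I cannot say how many entries this touches.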


@@ -0,0 +1,3 @@
# VERSION 2 - DO NOT REMOVE THIS LINE
engine.class=org.dogtagpki.acme.server.ACMEEngineConfigFileSource
engine.filename=/etc/pki/pki-tomcat/acme/engine.conf


@@ -0,0 +1,4 @@
# VERSION 2 - DO NOT REMOVE THIS LINE
class=org.dogtagpki.acme.database.LDAPDatabase
basedn=ou=acme,o=ipaca
configFile=/etc/pki/pki-tomcat/ca/CS.cfg


@@ -0,0 +1,14 @@
# VERSION 2 - DO NOT REMOVE THIS LINE
# Parameters read by ACMEEngineConfigFileSource, i.e. these are
# expected to be in the file pointed to by the 'filename' directive
# above.
#
# IPA only sets the values it uses.
#
# Whether to enable the ACME service:
enabled=false
# Whether to accept wildcard DNS identifiers:
policy.wildcard=false
baseURL=https://$FQDN/acme
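Review bot: The header says these parameters go "in the file pointed to by the 'filename' directive above", but no such directive is in this file; reword to `# Parameters read by ACMEEngineConfigFileSource from the file named by engine.filename`. The defaults `enabled=false` and `policy.wildcard=false` are the safe ones for a service that is off until an admin opts in; a one-line comment on `policy.wildcard` stating why wildcards stay off would save the next reader from guessing, though the reason is not visible in this hunk.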


@@ -0,0 +1,6 @@
# VERSION 2 - DO NOT REMOVE THIS LINE
class=org.dogtagpki.acme.issuer.PKIIssuer
url=https://$FQDN:8443
profile=acmeIPAServerCert
username=$USER
password=$PASSWORD
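Review bot: `password=$PASSWORD` puts the ACME issuer's Dogtag credential in cleartext in the rendered file, so the installer must create it with restrictive ownership and mode; that code is not visible here, and a `# contains a cleartext agent password; must be installed 0600, owned by the PKI user` comment at the top would make the requirement explicit for whoever next edits the template. `url=https://$FQDN:8443` talks to Tomcat directly instead of through the Apache proxy, which is fine only while 8443 stays bound to localhost or firewalled — also outside this hunk.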


@@ -0,0 +1,9 @@
# VERSION 2 - DO NOT REMOVE THIS LINE
authType=BasicAuth
class=org.dogtagpki.acme.realm.DSRealm
groupsDN=ou=groups,o=ipaca
usersDN=ou=people,o=ipaca
url=ldaps://$FQDN:636
configFile=/etc/pki/pki-tomcat/ca/CS.cfg
username=$USER
password=$PASSWORD
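Review bot: This realm file also carries `password=$PASSWORD` in cleartext, and with `authType=BasicAuth` that credential is what gates the ACME REST API's authenticated endpoints, so the same file-permission caveat applies and a short comment stating the intended mode belongs here too. `url=ldaps://$FQDN:636` is the right choice over plain LDAP; whether the trust anchor for that connection comes from `configFile=/etc/pki/pki-tomcat/ca/CS.cfg` or elsewhere is not visible, and a comment saying which would help.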


@@ -81,7 +81,7 @@ policyset.serverCertSet.7.default.params.exKeyUsageCritical=false
policyset.serverCertSet.7.default.params.exKeyUsageOIDs=1.3.6.1.5.5.7.3.1,1.3.6.1.5.5.7.3.2
policyset.serverCertSet.8.constraint.class_id=signingAlgConstraintImpl
policyset.serverCertSet.8.constraint.name=No Constraint
policyset.serverCertSet.8.constraint.params.signingAlgsAllowed=SHA1withRSA,SHA256withRSA,SHA512withRSA,MD5withRSA,MD2withRSA,SHA1withDSA,SHA1withEC,SHA256withEC,SHA384withEC,SHA512withEC
policyset.serverCertSet.8.constraint.params.signingAlgsAllowed=SHA1withRSA,SHA256withRSA,SHA384withRSA,SHA512withRSA,MD5withRSA,MD2withRSA,SHA1withDSA,SHA1withEC,SHA256withEC,SHA384withEC,SHA512withEC
policyset.serverCertSet.8.default.class_id=signingAlgDefaultImpl
policyset.serverCertSet.8.default.name=Signing Alg
policyset.serverCertSet.8.default.params.signingAlg=-
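Review bot: `signingAlgsAllowed` gains `SHA384withRSA` but still admits `MD5withRSA` and `MD2withRSA` (plus the SHA-1 variants) as requester-selectable signing algorithms; since the line is touched anyway, drop the MD ones: `signingAlgsAllowed=SHA256withRSA,SHA384withRSA,SHA512withRSA,SHA256withEC,SHA384withEC,SHA512withEC`, unless some client depends on them, which nothing in this hunk suggests. That NSS or Dogtag may refuse MD5 regardless is no reason to keep the policy saying otherwise. The profile this belongs to is not named in the section.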


@@ -12,7 +12,7 @@ input.i2.class_id=submitterInfoInputImpl
output.list=o1
output.o1.class_id=certOutputImpl
policyset.list=serverCertSet
policyset.serverCertSet.list=1,2,3,4,5,6,7,8,9,10,11
policyset.serverCertSet.list=1,2,3,4,5,6,7,8,9,10,11,12
policyset.serverCertSet.1.constraint.class_id=subjectNameConstraintImpl
policyset.serverCertSet.1.constraint.name=Subject Name Constraint
policyset.serverCertSet.1.constraint.params.pattern=CN=[^,]+,.+
@@ -81,7 +81,7 @@ policyset.serverCertSet.7.default.params.exKeyUsageCritical=false
policyset.serverCertSet.7.default.params.exKeyUsageOIDs=1.3.6.1.5.5.7.3.1,1.3.6.1.5.2.3.5
policyset.serverCertSet.8.constraint.class_id=signingAlgConstraintImpl
policyset.serverCertSet.8.constraint.name=No Constraint
policyset.serverCertSet.8.constraint.params.signingAlgsAllowed=SHA1withRSA,SHA256withRSA,SHA512withRSA,SHA1withDSA,SHA1withEC,SHA256withEC,SHA384withEC,SHA512withEC
policyset.serverCertSet.8.constraint.params.signingAlgsAllowed=SHA1withRSA,SHA256withRSA,SHA384withRSA,SHA512withRSA,SHA1withDSA,SHA1withEC,SHA256withEC,SHA384withEC,SHA512withEC
policyset.serverCertSet.8.default.class_id=signingAlgDefaultImpl
policyset.serverCertSet.8.default.name=Signing Alg
policyset.serverCertSet.8.default.params.signingAlg=-
@@ -107,3 +107,7 @@ policyset.serverCertSet.11.constraint.name=No Constraint
policyset.serverCertSet.11.default.class_id=userExtensionDefaultImpl
policyset.serverCertSet.11.default.name=User Supplied Extension Default
policyset.serverCertSet.11.default.params.userExtOID=2.5.29.17
policyset.serverCertSet.12.constraint.class_id=noConstraintImpl
policyset.serverCertSet.12.constraint.name=No Constraint
policyset.serverCertSet.12.default.class_id=commonNameToSANDefaultImpl
policyset.serverCertSet.12.default.name=Copy Common Name to Subject Alternative Name
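Review bot: Policy 12 `commonNameToSANDefaultImpl` now copies the CN into the SAN while policy 11 (`userExtensionDefaultImpl` for 2.5.29.17 under `noConstraintImpl`) already accepts any requester-supplied SAN, so nothing in this profile bounds the names that end up in the certificate; the check that the requester owns the CN/SAN must come from whatever authorization runs before the profile, which is not visible here and deserves a comment on policy 12, e.g. `# CN->SAN copy; name ownership is enforced by the IPA cert-request path, not by this profile`. The `signingAlgsAllowed` line still lists `SHA1withRSA`, `SHA1withDSA` and `SHA1withEC`; trimming to the SHA-2 entries would match the `SHA384withRSA` addition. Extending `policyset.serverCertSet.list` to `12` is correct.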


@@ -7,6 +7,7 @@ app_DATA = \
caIPAserviceCert.UPGRADE.cfg \
IECUserRoles.cfg \
KDCs_PKINIT_Certs.cfg \
acmeIPAServerCert.cfg \
$(NULL)
EXTRA_DIST = \


@@ -1,7 +1,7 @@
# Makefile.in generated by automake 1.16.2 from Makefile.am.
# Makefile.in generated by automake 1.17 from Makefile.am.
# @configure_input@
# Copyright (C) 1994-2020 Free Software Foundation, Inc.
# Copyright (C) 1994-2024 Free Software Foundation, Inc.
# This Makefile.in is free software; the Free Software Foundation
# gives unlimited permission to copy and/or distribute it,
@@ -70,6 +70,8 @@ am__make_running_with_option = \
test $$has_opt = yes
am__make_dryrun = (target_option=n; $(am__make_running_with_option))
am__make_keepgoing = (target_option=k; $(am__make_running_with_option))
am__rm_f = rm -f $(am__rm_f_notfound)
am__rm_rf = rm -rf $(am__rm_f_notfound)
pkgdatadir = $(datadir)/@PACKAGE@
pkgincludedir = $(includedir)/@PACKAGE@
pkglibdir = $(libdir)/@PACKAGE@
@@ -147,10 +149,9 @@ am__base_list = \
sed '$$!N;$$!N;$$!N;$$!N;$$!N;$$!N;$$!N;s/\n/ /g' | \
sed '$$!N;$$!N;$$!N;$$!N;s/\n/ /g'
am__uninstall_files_from_dir = { \
test -z "$$files" \
|| { test ! -d "$$dir" && test ! -f "$$dir" && test ! -r "$$dir"; } \
|| { echo " ( cd '$$dir' && rm -f" $$files ")"; \
$(am__cd) "$$dir" && rm -f $$files; }; \
{ test ! -d "$$dir" && test ! -f "$$dir" && test ! -r "$$dir"; } \
|| { echo " ( cd '$$dir' && rm -f" $$files ")"; \
$(am__cd) "$$dir" && echo $$files | $(am__xargs_n) 40 $(am__rm_f); }; \
}
am__installdirs = "$(DESTDIR)$(appdir)"
DATA = $(app_DATA)
@@ -176,6 +177,8 @@ CPP = @CPP@
CPPFLAGS = @CPPFLAGS@
CRYPTO_CFLAGS = @CRYPTO_CFLAGS@
CRYPTO_LIBS = @CRYPTO_LIBS@
CSCOPE = @CSCOPE@
CTAGS = @CTAGS@
CYGPATH_W = @CYGPATH_W@
DATA_VERSION = @DATA_VERSION@
DEFS = @DEFS@
@@ -189,8 +192,10 @@ ECHO_C = @ECHO_C@
ECHO_N = @ECHO_N@
ECHO_T = @ECHO_T@
EGREP = @EGREP@
ETAGS = @ETAGS@
EXEEXT = @EXEEXT@
FGREP = @FGREP@
FILECMD = @FILECMD@
GETTEXT_DOMAIN = @GETTEXT_DOMAIN@
GETTEXT_MACRO_VERSION = @GETTEXT_MACRO_VERSION@
GIT_BRANCH = @GIT_BRANCH@
@@ -198,6 +203,7 @@ GIT_VERSION = @GIT_VERSION@
GMSGFMT = @GMSGFMT@
GMSGFMT_015 = @GMSGFMT_015@
GREP = @GREP@
HTTPD_GROUP = @HTTPD_GROUP@
INI_CFLAGS = @INI_CFLAGS@
INI_LIBS = @INI_LIBS@
INSTALL = @INSTALL@
@@ -210,9 +216,12 @@ INTL_MACOSX_LIBS = @INTL_MACOSX_LIBS@
IPAPLATFORM = @IPAPLATFORM@
IPA_DATA_DIR = @IPA_DATA_DIR@
IPA_SYSCONF_DIR = @IPA_SYSCONF_DIR@
JANSSON_CFLAGS = @JANSSON_CFLAGS@
JANSSON_LIBS = @JANSSON_LIBS@
JSLINT = @JSLINT@
KRAD_LIBS = @KRAD_LIBS@
KRB5KDC_SERVICE = @KRB5KDC_SERVICE@
KRB5_BUILD_VERSION = @KRB5_BUILD_VERSION@
KRB5_CFLAGS = @KRB5_CFLAGS@
KRB5_GSSAPI_CFLAGS = @KRB5_GSSAPI_CFLAGS@
KRB5_GSSAPI_LIBS = @KRB5_GSSAPI_LIBS@
@@ -221,6 +230,8 @@ LD = @LD@
LDAP_CFLAGS = @LDAP_CFLAGS@
LDAP_LIBS = @LDAP_LIBS@
LDFLAGS = @LDFLAGS@
LIBCURL_CFLAGS = @LIBCURL_CFLAGS@
LIBCURL_LIBS = @LIBCURL_LIBS@
LIBICONV = @LIBICONV@
LIBINTL = @LIBINTL@
LIBINTL_LIBS = @LIBINTL_LIBS@
@@ -280,6 +291,8 @@ PLATFORM_PYTHON = @PLATFORM_PYTHON@
POPT_CFLAGS = @POPT_CFLAGS@
POPT_LIBS = @POPT_LIBS@
POSUB = @POSUB@
PWQUALITY_CFLAGS = @PWQUALITY_CFLAGS@
PWQUALITY_LIBS = @PWQUALITY_LIBS@
PYLINT = @PYLINT@
PYTHON = @PYTHON@
PYTHON_EXEC_PREFIX = @PYTHON_EXEC_PREFIX@
@@ -288,9 +301,12 @@ PYTHON_PLATFORM = @PYTHON_PLATFORM@
PYTHON_PREFIX = @PYTHON_PREFIX@
PYTHON_VERSION = @PYTHON_VERSION@
RANLIB = @RANLIB@
RESOLV_LIBS = @RESOLV_LIBS@
RPMLINT = @RPMLINT@
SAMBA40EXTRA_LIBPATH = @SAMBA40EXTRA_LIBPATH@
SAMBAUTIL_CFLAGS = @SAMBAUTIL_CFLAGS@
SAMBAUTIL_LIBS = @SAMBAUTIL_LIBS@
SAMBA_SECURITY_LIBS = @SAMBA_SECURITY_LIBS@
SASL_CFLAGS = @SASL_CFLAGS@
SASL_LIBS = @SASL_LIBS@
SED = @SED@
@@ -329,8 +345,10 @@ ac_ct_DUMPBIN = @ac_ct_DUMPBIN@
am__include = @am__include@
am__leading_dot = @am__leading_dot@
am__quote = @am__quote@
am__rm_f_notfound = @am__rm_f_notfound@
am__tar = @am__tar@
am__untar = @am__untar@
am__xargs_n = @am__xargs_n@
bindir = @bindir@
build = @build@
build_alias = @build_alias@
@@ -376,6 +394,7 @@ sharedstatedir = @sharedstatedir@
srcdir = @srcdir@
sysconfdir = @sysconfdir@
sysconfenvdir = @sysconfenvdir@
systemdcatalogdir = @systemdcatalogdir@
systemdsystemunitdir = @systemdsystemunitdir@
systemdtmpfilesdir = @systemdtmpfilesdir@
target_alias = @target_alias@
@@ -390,6 +409,7 @@ app_DATA = \
caIPAserviceCert.UPGRADE.cfg \
IECUserRoles.cfg \
KDCs_PKINIT_Certs.cfg \
acmeIPAServerCert.cfg \
$(NULL)
EXTRA_DIST = \
@@ -461,7 +481,6 @@ ctags CTAGS:
cscope cscopelist:
distdir: $(BUILT_SOURCES)
$(MAKE) $(AM_MAKEFLAGS) distdir-am
@@ -526,8 +545,8 @@ mostlyclean-generic:
clean-generic:
distclean-generic:
-test -z "$(CONFIG_CLEAN_FILES)" || rm -f $(CONFIG_CLEAN_FILES)
-test . = "$(srcdir)" || test -z "$(CONFIG_CLEAN_VPATH_FILES)" || rm -f $(CONFIG_CLEAN_VPATH_FILES)
-$(am__rm_f) $(CONFIG_CLEAN_FILES)
-test . = "$(srcdir)" || $(am__rm_f) $(CONFIG_CLEAN_VPATH_FILES)
maintainer-clean-generic:
@echo "This command is intended for maintainers to use"
@@ -619,3 +638,10 @@ uninstall-am: uninstall-appDATA
# Tell versions [3.59,3.63) of GNU make to not export all variables.
# Otherwise a system limit (for SysV at least) may be exceeded.
.NOEXPORT:
# Tell GNU make to disable its built-in pattern rules.
%:: %,v
%:: RCS/%,v
%:: RCS/%
%:: s.%
%:: SCCS/s.%


@@ -0,0 +1,107 @@
profileId=acmeIPAServerCert
classId=caEnrollImpl
desc=ACME profile for use in IPA deployments
visible=true
enable=true
enableBy=admin
auth.instance_id=SessionAuthentication
authz.acl=group="$ACME_AGENT_GROUP"
name=IPA ACME Service Certificate Enrollment
input.list=i1,i2
input.i1.class_id=certReqInputImpl
input.i2.class_id=submitterInfoInputImpl
output.list=o1
output.o1.class_id=certOutputImpl
policyset.list=serverCertSet
policyset.serverCertSet.list=1,2,3,4,5,6,7,8,9,10,11
policyset.serverCertSet.1.constraint.class_id=keyUsageExtConstraintImpl
policyset.serverCertSet.1.constraint.name=Key Usage Extension Constraint
policyset.serverCertSet.1.constraint.params.keyUsageCritical=true
policyset.serverCertSet.1.constraint.params.keyUsageDigitalSignature=true
policyset.serverCertSet.1.constraint.params.keyUsageNonRepudiation=false
policyset.serverCertSet.1.constraint.params.keyUsageDataEncipherment=false
policyset.serverCertSet.1.constraint.params.keyUsageKeyEncipherment=true
policyset.serverCertSet.1.constraint.params.keyUsageKeyAgreement=false
policyset.serverCertSet.1.constraint.params.keyUsageKeyCertSign=false
policyset.serverCertSet.1.constraint.params.keyUsageCrlSign=false
policyset.serverCertSet.1.constraint.params.keyUsageEncipherOnly=false
policyset.serverCertSet.1.constraint.params.keyUsageDecipherOnly=false
policyset.serverCertSet.1.default.class_id=keyUsageExtDefaultImpl
policyset.serverCertSet.1.default.name=Key Usage Default
policyset.serverCertSet.1.default.params.keyUsageCritical=true
policyset.serverCertSet.1.default.params.keyUsageDigitalSignature=true
policyset.serverCertSet.1.default.params.keyUsageNonRepudiation=false
policyset.serverCertSet.1.default.params.keyUsageDataEncipherment=false
policyset.serverCertSet.1.default.params.keyUsageKeyEncipherment=true
policyset.serverCertSet.1.default.params.keyUsageKeyAgreement=false
policyset.serverCertSet.1.default.params.keyUsageKeyCertSign=false
policyset.serverCertSet.1.default.params.keyUsageCrlSign=false
policyset.serverCertSet.1.default.params.keyUsageEncipherOnly=false
policyset.serverCertSet.1.default.params.keyUsageDecipherOnly=false
policyset.serverCertSet.2.constraint.class_id=noConstraintImpl
policyset.serverCertSet.2.constraint.name=No Constraint
policyset.serverCertSet.2.default.class_id=extendedKeyUsageExtDefaultImpl
policyset.serverCertSet.2.default.name=Extended Key Usage Extension Default
policyset.serverCertSet.2.default.params.exKeyUsageCritical=false
policyset.serverCertSet.2.default.params.exKeyUsageOIDs=1.3.6.1.5.5.7.3.1,1.3.6.1.5.5.7.3.2
policyset.serverCertSet.3.constraint.class_id=noConstraintImpl
policyset.serverCertSet.3.constraint.name=No Constraint
policyset.serverCertSet.3.default.class_id=subjectKeyIdentifierExtDefaultImpl
policyset.serverCertSet.3.default.name=Subject Key Identifier Extension Default
policyset.serverCertSet.3.default.params.critical=false
policyset.serverCertSet.4.constraint.class_id=noConstraintImpl
policyset.serverCertSet.4.constraint.name=No Constraint
policyset.serverCertSet.4.default.class_id=authorityKeyIdentifierExtDefaultImpl
policyset.serverCertSet.4.default.name=Authority Key Identifier Default
policyset.serverCertSet.5.constraint.class_id=noConstraintImpl
policyset.serverCertSet.5.constraint.name=No Constraint
policyset.serverCertSet.5.default.class_id=authInfoAccessExtDefaultImpl
policyset.serverCertSet.5.default.name=AIA Extension Default
policyset.serverCertSet.5.default.params.authInfoAccessADEnable_0=true
policyset.serverCertSet.5.default.params.authInfoAccessADLocationType_0=URIName
policyset.serverCertSet.5.default.params.authInfoAccessADLocation_0=http://$IPA_CA_RECORD.$DOMAIN/ca/ocsp
policyset.serverCertSet.5.default.params.authInfoAccessADMethod_0=1.3.6.1.5.5.7.48.1
policyset.serverCertSet.5.default.params.authInfoAccessCritical=false
policyset.serverCertSet.5.default.params.authInfoAccessNumADs=1
policyset.serverCertSet.6.constraint.class_id=noConstraintImpl
policyset.serverCertSet.6.constraint.name=No Constraint
policyset.serverCertSet.6.default.class_id=userExtensionDefaultImpl
policyset.serverCertSet.6.default.name=User supplied extension in CSR
policyset.serverCertSet.6.default.params.userExtOID=2.5.29.17
policyset.serverCertSet.7.constraint.class_id=validityConstraintImpl
policyset.serverCertSet.7.constraint.name=Validity Constraint
policyset.serverCertSet.7.constraint.params.range=90
policyset.serverCertSet.7.constraint.params.notBeforeCheck=false
policyset.serverCertSet.7.constraint.params.notAfterCheck=false
policyset.serverCertSet.7.default.class_id=validityDefaultImpl
policyset.serverCertSet.7.default.name=Validity Default
policyset.serverCertSet.7.default.params.range=90
policyset.serverCertSet.7.default.params.startTime=0
policyset.serverCertSet.8.constraint.class_id=signingAlgConstraintImpl
policyset.serverCertSet.8.constraint.name=No Constraint
policyset.serverCertSet.8.constraint.params.signingAlgsAllowed=SHA256withRSA,SHA384withRSA,SHA512withRSA,SHA256withEC,SHA384withRSA,SHA384withEC,SHA512withEC
policyset.serverCertSet.8.default.class_id=signingAlgDefaultImpl
policyset.serverCertSet.8.default.name=Signing Alg
policyset.serverCertSet.8.default.params.signingAlg=-
policyset.serverCertSet.9.constraint.class_id=noConstraintImpl
policyset.serverCertSet.9.constraint.name=No Constraint
policyset.serverCertSet.9.default.class_id=sanToCNDefaultImpl
policyset.serverCertSet.9.default.name=SAN to CN Default
policyset.serverCertSet.10.constraint.class_id=keyConstraintImpl
policyset.serverCertSet.10.constraint.name=Key Constraint
policyset.serverCertSet.10.constraint.params.keyType=RSA
policyset.serverCertSet.10.constraint.params.keyParameters=2048,3072,4096,8192
policyset.serverCertSet.10.default.class_id=userKeyDefaultImpl
policyset.serverCertSet.10.default.name=Key Default
policyset.serverCertSet.11.constraint.class_id=noConstraintImpl
policyset.serverCertSet.11.constraint.name=No Constraint
policyset.serverCertSet.11.default.class_id=crlDistributionPointsExtDefaultImpl
policyset.serverCertSet.11.default.name=CRL Distribution Points Extension Default
policyset.serverCertSet.11.default.params.crlDistPointsCritical=false
policyset.serverCertSet.11.default.params.crlDistPointsNum=1
policyset.serverCertSet.11.default.params.crlDistPointsEnable_0=true
policyset.serverCertSet.11.default.params.crlDistPointsIssuerName_0=$CRL_ISSUER
policyset.serverCertSet.11.default.params.crlDistPointsIssuerType_0=DirectoryName
policyset.serverCertSet.11.default.params.crlDistPointsPointName_0=http://$IPA_CA_RECORD.$DOMAIN/ipa/crl/MasterCRL.bin
policyset.serverCertSet.11.default.params.crlDistPointsPointType_0=URIName
policyset.serverCertSet.11.default.params.crlDistPointsReasons_0=
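Review bot: Policy 8's `signingAlgsAllowed` lists `SHA384withRSA` twice, and more importantly policy 10's `keyConstraintImpl` with `keyType=RSA` rejects every ECDSA CSR, so the `SHA256withEC`/`SHA384withEC`/`SHA512withEC` entries can never apply; either relax the key constraint or drop the EC algorithms, and remove the duplicate: `signingAlgsAllowed=SHA256withRSA,SHA384withRSA,SHA512withRSA,SHA256withEC,SHA384withEC,SHA512withEC`. If RSA-only is deliberate, say so next to policy 10, since many ACME clients default to P-256 keys and will fail enrolment. Policy 6 accepts any requester SAN with `noConstraintImpl`, so name validation rests entirely on the ACME challenge layer rather than on this profile; stating that in `desc` would spare the next reader a search. The 90-day validity and the SHA-2-only list otherwise look right for ACME.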


@@ -81,7 +81,7 @@ policyset.serverCertSet.7.default.params.exKeyUsageCritical=false
policyset.serverCertSet.7.default.params.exKeyUsageOIDs=1.3.6.1.5.5.7.3.1,1.3.6.1.5.5.7.3.2
policyset.serverCertSet.8.constraint.class_id=signingAlgConstraintImpl
policyset.serverCertSet.8.constraint.name=No Constraint
policyset.serverCertSet.8.constraint.params.signingAlgsAllowed=SHA1withRSA,SHA256withRSA,SHA512withRSA,MD5withRSA,MD2withRSA,SHA1withDSA,SHA1withEC,SHA256withEC,SHA384withEC,SHA512withEC
policyset.serverCertSet.8.constraint.params.signingAlgsAllowed=SHA1withRSA,SHA256withRSA,SHA384withRSA,SHA512withRSA,MD5withRSA,MD2withRSA,SHA1withDSA,SHA1withEC,SHA256withEC,SHA384withEC,SHA512withEC
policyset.serverCertSet.8.default.class_id=signingAlgDefaultImpl
policyset.serverCertSet.8.default.name=Signing Alg
policyset.serverCertSet.8.default.params.signingAlg=-
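Review bot: The updated `signingAlgsAllowed` value still admits `MD2withRSA`, `MD5withRSA`, `SHA1withRSA`, `SHA1withDSA` and `SHA1withEC`, so a request that names one of those algorithms passes this constraint even though the profile's default (`signingAlg=-`) leaves the choice to the CA. Another profile in the same import limits the identical constraint to SHA-2 variants only (`SHA256withRSA,SHA384withRSA,SHA512withRSA,SHA256withEC,SHA384withEC,SHA512withEC`), which is the safer value for this line as well unless this file is deliberately kept as a legacy/upgrade fixture. If it must stay permissive, a comment on the line above such as `# legacy algorithm list kept for upgraded deployments; new profiles allow SHA-2 only` would stop the next reader from tightening it by accident or, conversely, from copying it into a new profile.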

@@ -81,7 +81,7 @@ policyset.serverCertSet.7.default.params.exKeyUsageCritical=false
policyset.serverCertSet.7.default.params.exKeyUsageOIDs=1.3.6.1.5.5.7.3.1,1.3.6.1.5.5.7.3.2
policyset.serverCertSet.8.constraint.class_id=signingAlgConstraintImpl
policyset.serverCertSet.8.constraint.name=No Constraint
policyset.serverCertSet.8.constraint.params.signingAlgsAllowed=SHA1withRSA,SHA256withRSA,SHA512withRSA,MD5withRSA,MD2withRSA,SHA1withDSA,SHA1withEC,SHA256withEC,SHA384withEC,SHA512withEC
policyset.serverCertSet.8.constraint.params.signingAlgsAllowed=SHA1withRSA,SHA256withRSA,SHA384withRSA,SHA512withRSA,MD5withRSA,MD2withRSA,SHA1withDSA,SHA1withEC,SHA256withEC,SHA384withEC,SHA512withEC
policyset.serverCertSet.8.default.class_id=signingAlgDefaultImpl
policyset.serverCertSet.8.default.name=Signing Alg
policyset.serverCertSet.8.default.params.signingAlg=-
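Review bot: This widened `signingAlgsAllowed` line keeps MD2-, MD5- and SHA-1-based algorithms in the allowed set, so adding `SHA384withRSA` does not change the fact that a requester can still obtain an MD5- or SHA-1-signed certificate if the CA honours the requested algorithm. The SHA-2-only list used elsewhere in this import (`SHA256withRSA,SHA384withRSA,SHA512withRSA,SHA256withEC,SHA384withEC,SHA512withEC`) is the value I would expect here unless this profile is intentionally frozen for upgrade compatibility. If that is the case, a one-line comment above the constraint stating so would document the exception.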

@@ -1,4 +0,0 @@
dn: cn=config
changetype: modify
replace: nsslapd-ignore-time-skew
nsslapd-ignore-time-skew: $SKEWVALUE

@@ -1,19 +0,0 @@
# root-autobind, config
dn: cn=root-autobind,cn=config
changetype: add
objectClass: extensibleObject
objectClass: top
cn: root-autobind
uidNumber: 0
gidNumber: 0
dn: cn=config
changetype: modify
replace: nsslapd-ldapiautobind
nsslapd-ldapiautobind: on
dn: cn=config
changetype: modify
replace: nsslapd-ldapimaptoentries
nsslapd-ldapimaptoentries: on

@@ -1,7 +1,7 @@
# Makefile.in generated by automake 1.16.2 from Makefile.am.
# Makefile.in generated by automake 1.17 from Makefile.am.
# @configure_input@
# Copyright (C) 1994-2020 Free Software Foundation, Inc.
# Copyright (C) 1994-2024 Free Software Foundation, Inc.
# This Makefile.in is free software; the Free Software Foundation
# gives unlimited permission to copy and/or distribute it,
@@ -70,6 +70,8 @@ am__make_running_with_option = \
test $$has_opt = yes
am__make_dryrun = (target_option=n; $(am__make_running_with_option))
am__make_keepgoing = (target_option=k; $(am__make_running_with_option))
am__rm_f = rm -f $(am__rm_f_notfound)
am__rm_rf = rm -rf $(am__rm_f_notfound)
pkgdatadir = $(datadir)/@PACKAGE@
pkgincludedir = $(includedir)/@PACKAGE@
pkglibdir = $(libdir)/@PACKAGE@
@@ -155,10 +157,9 @@ am__base_list = \
sed '$$!N;$$!N;$$!N;$$!N;$$!N;$$!N;$$!N;s/\n/ /g' | \
sed '$$!N;$$!N;$$!N;$$!N;s/\n/ /g'
am__uninstall_files_from_dir = { \
test -z "$$files" \
|| { test ! -d "$$dir" && test ! -f "$$dir" && test ! -r "$$dir"; } \
|| { echo " ( cd '$$dir' && rm -f" $$files ")"; \
$(am__cd) "$$dir" && rm -f $$files; }; \
{ test ! -d "$$dir" && test ! -f "$$dir" && test ! -r "$$dir"; } \
|| { echo " ( cd '$$dir' && rm -f" $$files ")"; \
$(am__cd) "$$dir" && echo $$files | $(am__xargs_n) 40 $(am__rm_f); }; \
}
am__installdirs = "$(DESTDIR)$(appdir)"
DATA = $(app_DATA)
@@ -187,8 +188,6 @@ am__define_uniq_tagged_files = \
unique=`for i in $$list; do \
if test -f "$$i"; then echo $$i; else echo $(srcdir)/$$i; fi; \
done | $(am__uniquify_input)`
ETAGS = etags
CTAGS = ctags
DIST_SUBDIRS = $(SUBDIRS)
am__DIST_COMMON = $(srcdir)/Makefile.in README
DISTFILES = $(DIST_COMMON) $(DIST_SOURCES) $(TEXINFOS) $(EXTRA_DIST)
@@ -236,6 +235,8 @@ CPP = @CPP@
CPPFLAGS = @CPPFLAGS@
CRYPTO_CFLAGS = @CRYPTO_CFLAGS@
CRYPTO_LIBS = @CRYPTO_LIBS@
CSCOPE = @CSCOPE@
CTAGS = @CTAGS@
CYGPATH_W = @CYGPATH_W@
DATA_VERSION = @DATA_VERSION@
DEFS = @DEFS@
@@ -249,8 +250,10 @@ ECHO_C = @ECHO_C@
ECHO_N = @ECHO_N@
ECHO_T = @ECHO_T@
EGREP = @EGREP@
ETAGS = @ETAGS@
EXEEXT = @EXEEXT@
FGREP = @FGREP@
FILECMD = @FILECMD@
GETTEXT_DOMAIN = @GETTEXT_DOMAIN@
GETTEXT_MACRO_VERSION = @GETTEXT_MACRO_VERSION@
GIT_BRANCH = @GIT_BRANCH@
@@ -258,6 +261,7 @@ GIT_VERSION = @GIT_VERSION@
GMSGFMT = @GMSGFMT@
GMSGFMT_015 = @GMSGFMT_015@
GREP = @GREP@
HTTPD_GROUP = @HTTPD_GROUP@
INI_CFLAGS = @INI_CFLAGS@
INI_LIBS = @INI_LIBS@
INSTALL = @INSTALL@
@@ -270,9 +274,12 @@ INTL_MACOSX_LIBS = @INTL_MACOSX_LIBS@
IPAPLATFORM = @IPAPLATFORM@
IPA_DATA_DIR = @IPA_DATA_DIR@
IPA_SYSCONF_DIR = @IPA_SYSCONF_DIR@
JANSSON_CFLAGS = @JANSSON_CFLAGS@
JANSSON_LIBS = @JANSSON_LIBS@
JSLINT = @JSLINT@
KRAD_LIBS = @KRAD_LIBS@
KRB5KDC_SERVICE = @KRB5KDC_SERVICE@
KRB5_BUILD_VERSION = @KRB5_BUILD_VERSION@
KRB5_CFLAGS = @KRB5_CFLAGS@
KRB5_GSSAPI_CFLAGS = @KRB5_GSSAPI_CFLAGS@
KRB5_GSSAPI_LIBS = @KRB5_GSSAPI_LIBS@
@@ -281,6 +288,8 @@ LD = @LD@
LDAP_CFLAGS = @LDAP_CFLAGS@
LDAP_LIBS = @LDAP_LIBS@
LDFLAGS = @LDFLAGS@
LIBCURL_CFLAGS = @LIBCURL_CFLAGS@
LIBCURL_LIBS = @LIBCURL_LIBS@
LIBICONV = @LIBICONV@
LIBINTL = @LIBINTL@
LIBINTL_LIBS = @LIBINTL_LIBS@
@@ -340,6 +349,8 @@ PLATFORM_PYTHON = @PLATFORM_PYTHON@
POPT_CFLAGS = @POPT_CFLAGS@
POPT_LIBS = @POPT_LIBS@
POSUB = @POSUB@
PWQUALITY_CFLAGS = @PWQUALITY_CFLAGS@
PWQUALITY_LIBS = @PWQUALITY_LIBS@
PYLINT = @PYLINT@
PYTHON = @PYTHON@
PYTHON_EXEC_PREFIX = @PYTHON_EXEC_PREFIX@
@@ -348,9 +359,12 @@ PYTHON_PLATFORM = @PYTHON_PLATFORM@
PYTHON_PREFIX = @PYTHON_PREFIX@
PYTHON_VERSION = @PYTHON_VERSION@
RANLIB = @RANLIB@
RESOLV_LIBS = @RESOLV_LIBS@
RPMLINT = @RPMLINT@
SAMBA40EXTRA_LIBPATH = @SAMBA40EXTRA_LIBPATH@
SAMBAUTIL_CFLAGS = @SAMBAUTIL_CFLAGS@
SAMBAUTIL_LIBS = @SAMBAUTIL_LIBS@
SAMBA_SECURITY_LIBS = @SAMBA_SECURITY_LIBS@
SASL_CFLAGS = @SASL_CFLAGS@
SASL_LIBS = @SASL_LIBS@
SED = @SED@
@@ -389,8 +403,10 @@ ac_ct_DUMPBIN = @ac_ct_DUMPBIN@
am__include = @am__include@
am__leading_dot = @am__leading_dot@
am__quote = @am__quote@
am__rm_f_notfound = @am__rm_f_notfound@
am__tar = @am__tar@
am__untar = @am__untar@
am__xargs_n = @am__xargs_n@
bindir = @bindir@
build = @build@
build_alias = @build_alias@
@@ -436,6 +452,7 @@ sharedstatedir = @sharedstatedir@
srcdir = @srcdir@
sysconfdir = @sysconfdir@
sysconfenvdir = @sysconfenvdir@
systemdcatalogdir = @systemdcatalogdir@
systemdsystemunitdir = @systemdsystemunitdir@
systemdtmpfilesdir = @systemdtmpfilesdir@
target_alias = @target_alias@
@@ -612,7 +629,6 @@ cscopelist-am: $(am__tagged_files)
distclean-tags:
-rm -f TAGS ID GTAGS GRTAGS GSYMS GPATH tags
distdir: $(BUILT_SOURCES)
$(MAKE) $(AM_MAKEFLAGS) distdir-am
@@ -703,8 +719,8 @@ mostlyclean-generic:
clean-generic:
distclean-generic:
-test -z "$(CONFIG_CLEAN_FILES)" || rm -f $(CONFIG_CLEAN_FILES)
-test . = "$(srcdir)" || test -z "$(CONFIG_CLEAN_VPATH_FILES)" || rm -f $(CONFIG_CLEAN_VPATH_FILES)
-$(am__rm_f) $(CONFIG_CLEAN_FILES)
-test . = "$(srcdir)" || $(am__rm_f) $(CONFIG_CLEAN_VPATH_FILES)
maintainer-clean-generic:
@echo "This command is intended for maintainers to use"
@@ -797,3 +813,10 @@ uninstall-am: uninstall-appDATA
# Tell versions [3.59,3.63) of GNU make to not export all variables.
# Otherwise a system limit (for SysV at least) may be exceeded.
.NOEXPORT:
# Tell GNU make to disable its built-in pattern rules.
%:: %,v
%:: RCS/%,v
%:: RCS/%
%:: s.%
%:: SCCS/s.%

@@ -7,8 +7,8 @@ schema files during the run of ipa-server-upgrade utility. Therefore, they are
also installed when upgrade happens within the process of ipa-server-install.
The directory is installed as /usr/share/ipa/schema.d and is owned by a
freeipa-server-common package. Therefore, a 3rd-party plugin would need to
depend on the freeipa-server-common package if it delivers the schema file(s).
ipa-server-common package. Therefore, a 3rd-party plugin would need to
depend on the ipa-server-common package if it delivers the schema file(s).
You may place your schema files in a subdirectory too, the code that loads
schema files processes recursively all subdirectories of schema.d.

@@ -5,6 +5,7 @@ realm = $REALM
kerberos method = dedicated keytab
dedicated keytab file = /etc/samba/samba.keytab
create krb5 conf = no
server role = $SERVER_ROLE
security = user
domain master = yes
domain logons = yes

@@ -21,43 +21,8 @@
#
"""
WSGI appliction for IPA server.
WSGI application for IPA server.
"""
from __future__ import absolute_import
from ipaserver.wsgi import create_application
import logging
import os
import sys
# Some dependencies like Dogtag's pki.client library and custodia use
# python-requsts to make HTTPS connection. python-requests prefers
# PyOpenSSL over Python's stdlib ssl module. PyOpenSSL is build on top
# of python-cryptography which trigger a execmem SELinux violation
# in the context of Apache HTTPD (httpd_execmem).
# When requests is imported, it always tries to import pyopenssl glue
# code from urllib3's contrib directory. The import of PyOpenSSL is
# enough to trigger the SELinux denial.
# Block any import of PyOpenSSL's SSL module by raising an ImportError
sys.modules['OpenSSL.SSL'] = None
from ipaplatform.paths import paths
from ipalib import api
logger = logging.getLogger(os.path.basename(__file__))
api.bootstrap(context='server', confdir=paths.ETC_IPA, log=None)
try:
api.finalize()
except Exception as e:
logger.error('Failed to start IPA: %s', e)
else:
logger.info('*** PROCESS START ***')
# This is the WSGI callable:
def application(environ, start_response):
if not environ['wsgi.multithread']:
return api.Backend.wsgi_dispatch(environ, start_response)
else:
logger.error("IPA does not work with the threaded MPM, "
"use the pre-fork MPM")
raise RuntimeError('threaded MPM detected')
application = create_application()
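Review bot: The new module body drops two runtime guards the old inline code carried — the `sys.modules['OpenSSL.SSL'] = None` block that prevented the `httpd_execmem` SELinux denial on PyOpenSSL import, and the `environ['wsgi.multithread']` check that refused to serve under a threaded MPM — and nothing visible here shows that `create_application()` re-implements either. If `ipaserver.wsgi.create_application` does carry both, a short comment above the call, e.g. `# create_application() blocks the OpenSSL.SSL import and rejects threaded MPMs; see ipaserver.wsgi`, keeps that visible at the deployment entry point that operators actually read. If it does not, the pre-fork MPM check in particular should be restored here, since the old comment documents that IPA does not work under the threaded MPM.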

@@ -6,6 +6,7 @@ SUBDIRS = \
dist_noinst_DATA = \
ipa-ca-install.in \
ipa-ccache-sweeper.in \
ipa-dns-install.in \
ipa-kra-install.in \
ipa-server-install.in \
@@ -36,6 +37,9 @@ dist_noinst_DATA = \
ipa-httpd-pwdreader.in \
ipa-pki-retrieve-key.in \
ipa-pki-wait-running.in \
ipa-acme-manage.in \
ipa-subids.in \
ipa-migrate.in \
$(NULL)
nodist_sbin_SCRIPTS = \
@@ -64,16 +68,20 @@ nodist_sbin_SCRIPTS = \
ipa-pkinit-manage \
ipa-crlgen-manage \
ipa-cert-fix \
ipa-acme-manage \
ipa-migrate \
$(NULL)
appdir = $(libexecdir)/ipa/
nodist_app_SCRIPTS = \
ipa-ccache-sweeper \
ipa-custodia \
ipa-custodia-check \
ipa-httpd-kdcproxy \
ipa-httpd-pwdreader \
ipa-pki-retrieve-key \
ipa-pki-wait-running \
ipa-subids \
$(NULL)
PYTHON_SHEBANG = \

@@ -1,7 +1,7 @@
# Makefile.in generated by automake 1.16.2 from Makefile.am.
# Makefile.in generated by automake 1.17 from Makefile.am.
# @configure_input@
# Copyright (C) 1994-2020 Free Software Foundation, Inc.
# Copyright (C) 1994-2024 Free Software Foundation, Inc.
# This Makefile.in is free software; the Free Software Foundation
# gives unlimited permission to copy and/or distribute it,
@@ -71,6 +71,8 @@ am__make_running_with_option = \
test $$has_opt = yes
am__make_dryrun = (target_option=n; $(am__make_running_with_option))
am__make_keepgoing = (target_option=k; $(am__make_running_with_option))
am__rm_f = rm -f $(am__rm_f_notfound)
am__rm_rf = rm -rf $(am__rm_f_notfound)
pkgdatadir = $(datadir)/@PACKAGE@
pkgincludedir = $(includedir)/@PACKAGE@
pkglibdir = $(libdir)/@PACKAGE@
@@ -130,10 +132,9 @@ am__base_list = \
sed '$$!N;$$!N;$$!N;$$!N;$$!N;$$!N;$$!N;s/\n/ /g' | \
sed '$$!N;$$!N;$$!N;$$!N;s/\n/ /g'
am__uninstall_files_from_dir = { \
test -z "$$files" \
|| { test ! -d "$$dir" && test ! -f "$$dir" && test ! -r "$$dir"; } \
|| { echo " ( cd '$$dir' && rm -f" $$files ")"; \
$(am__cd) "$$dir" && rm -f $$files; }; \
{ test ! -d "$$dir" && test ! -f "$$dir" && test ! -r "$$dir"; } \
|| { echo " ( cd '$$dir' && rm -f" $$files ")"; \
$(am__cd) "$$dir" && echo $$files | $(am__xargs_n) 40 $(am__rm_f); }; \
}
am__installdirs = "$(DESTDIR)$(appdir)" "$(DESTDIR)$(sbindir)"
SCRIPTS = $(nodist_app_SCRIPTS) $(nodist_sbin_SCRIPTS)
@@ -190,8 +191,6 @@ am__define_uniq_tagged_files = \
unique=`for i in $$list; do \
if test -f "$$i"; then echo $$i; else echo $(srcdir)/$$i; fi; \
done | $(am__uniquify_input)`
ETAGS = etags
CTAGS = ctags
DIST_SUBDIRS = $(SUBDIRS)
am__DIST_COMMON = $(srcdir)/Makefile.in \
$(top_srcdir)/Makefile.pythonscripts.am
@@ -240,6 +239,8 @@ CPP = @CPP@
CPPFLAGS = @CPPFLAGS@
CRYPTO_CFLAGS = @CRYPTO_CFLAGS@
CRYPTO_LIBS = @CRYPTO_LIBS@
CSCOPE = @CSCOPE@
CTAGS = @CTAGS@
CYGPATH_W = @CYGPATH_W@
DATA_VERSION = @DATA_VERSION@
DEFS = @DEFS@
@@ -253,8 +254,10 @@ ECHO_C = @ECHO_C@
ECHO_N = @ECHO_N@
ECHO_T = @ECHO_T@
EGREP = @EGREP@
ETAGS = @ETAGS@
EXEEXT = @EXEEXT@
FGREP = @FGREP@
FILECMD = @FILECMD@
GETTEXT_DOMAIN = @GETTEXT_DOMAIN@
GETTEXT_MACRO_VERSION = @GETTEXT_MACRO_VERSION@
GIT_BRANCH = @GIT_BRANCH@
@@ -262,6 +265,7 @@ GIT_VERSION = @GIT_VERSION@
GMSGFMT = @GMSGFMT@
GMSGFMT_015 = @GMSGFMT_015@
GREP = @GREP@
HTTPD_GROUP = @HTTPD_GROUP@
INI_CFLAGS = @INI_CFLAGS@
INI_LIBS = @INI_LIBS@
INSTALL = @INSTALL@
@@ -274,9 +278,12 @@ INTL_MACOSX_LIBS = @INTL_MACOSX_LIBS@
IPAPLATFORM = @IPAPLATFORM@
IPA_DATA_DIR = @IPA_DATA_DIR@
IPA_SYSCONF_DIR = @IPA_SYSCONF_DIR@
JANSSON_CFLAGS = @JANSSON_CFLAGS@
JANSSON_LIBS = @JANSSON_LIBS@
JSLINT = @JSLINT@
KRAD_LIBS = @KRAD_LIBS@
KRB5KDC_SERVICE = @KRB5KDC_SERVICE@
KRB5_BUILD_VERSION = @KRB5_BUILD_VERSION@
KRB5_CFLAGS = @KRB5_CFLAGS@
KRB5_GSSAPI_CFLAGS = @KRB5_GSSAPI_CFLAGS@
KRB5_GSSAPI_LIBS = @KRB5_GSSAPI_LIBS@
@@ -285,6 +292,8 @@ LD = @LD@
LDAP_CFLAGS = @LDAP_CFLAGS@
LDAP_LIBS = @LDAP_LIBS@
LDFLAGS = @LDFLAGS@
LIBCURL_CFLAGS = @LIBCURL_CFLAGS@
LIBCURL_LIBS = @LIBCURL_LIBS@
LIBICONV = @LIBICONV@
LIBINTL = @LIBINTL@
LIBINTL_LIBS = @LIBINTL_LIBS@
@@ -344,6 +353,8 @@ PLATFORM_PYTHON = @PLATFORM_PYTHON@
POPT_CFLAGS = @POPT_CFLAGS@
POPT_LIBS = @POPT_LIBS@
POSUB = @POSUB@
PWQUALITY_CFLAGS = @PWQUALITY_CFLAGS@
PWQUALITY_LIBS = @PWQUALITY_LIBS@
PYLINT = @PYLINT@
PYTHON = @PYTHON@
PYTHON_EXEC_PREFIX = @PYTHON_EXEC_PREFIX@
@@ -352,9 +363,12 @@ PYTHON_PLATFORM = @PYTHON_PLATFORM@
PYTHON_PREFIX = @PYTHON_PREFIX@
PYTHON_VERSION = @PYTHON_VERSION@
RANLIB = @RANLIB@
RESOLV_LIBS = @RESOLV_LIBS@
RPMLINT = @RPMLINT@
SAMBA40EXTRA_LIBPATH = @SAMBA40EXTRA_LIBPATH@
SAMBAUTIL_CFLAGS = @SAMBAUTIL_CFLAGS@
SAMBAUTIL_LIBS = @SAMBAUTIL_LIBS@
SAMBA_SECURITY_LIBS = @SAMBA_SECURITY_LIBS@
SASL_CFLAGS = @SASL_CFLAGS@
SASL_LIBS = @SASL_LIBS@
SED = @SED@
@@ -393,8 +407,10 @@ ac_ct_DUMPBIN = @ac_ct_DUMPBIN@
am__include = @am__include@
am__leading_dot = @am__leading_dot@
am__quote = @am__quote@
am__rm_f_notfound = @am__rm_f_notfound@
am__tar = @am__tar@
am__untar = @am__untar@
am__xargs_n = @am__xargs_n@
bindir = @bindir@
build = @build@
build_alias = @build_alias@
@@ -440,6 +456,7 @@ sharedstatedir = @sharedstatedir@
srcdir = @srcdir@
sysconfdir = @sysconfdir@
sysconfenvdir = @sysconfenvdir@
systemdcatalogdir = @systemdcatalogdir@
systemdsystemunitdir = @systemdsystemunitdir@
systemdtmpfilesdir = @systemdtmpfilesdir@
target_alias = @target_alias@
@@ -453,6 +470,7 @@ SUBDIRS = \
dist_noinst_DATA = \
ipa-ca-install.in \
ipa-ccache-sweeper.in \
ipa-dns-install.in \
ipa-kra-install.in \
ipa-server-install.in \
@@ -483,6 +501,9 @@ dist_noinst_DATA = \
ipa-httpd-pwdreader.in \
ipa-pki-retrieve-key.in \
ipa-pki-wait-running.in \
ipa-acme-manage.in \
ipa-subids.in \
ipa-migrate.in \
$(NULL)
nodist_sbin_SCRIPTS = \
@@ -511,16 +532,20 @@ nodist_sbin_SCRIPTS = \
ipa-pkinit-manage \
ipa-crlgen-manage \
ipa-cert-fix \
ipa-acme-manage \
ipa-migrate \
$(NULL)
appdir = $(libexecdir)/ipa/
nodist_app_SCRIPTS = \
ipa-ccache-sweeper \
ipa-custodia \
ipa-custodia-check \
ipa-httpd-kdcproxy \
ipa-httpd-pwdreader \
ipa-pki-retrieve-key \
ipa-pki-wait-running \
ipa-subids \
$(NULL)
PYTHON_SHEBANG = \
@@ -737,7 +762,6 @@ cscopelist-am: $(am__tagged_files)
distclean-tags:
-rm -f TAGS ID GTAGS GRTAGS GSYMS GPATH tags
distdir: $(BUILT_SOURCES)
$(MAKE) $(AM_MAKEFLAGS) distdir-am
@@ -826,11 +850,11 @@ install-strip:
mostlyclean-generic:
clean-generic:
-test -z "$(CLEANFILES)" || rm -f $(CLEANFILES)
-$(am__rm_f) $(CLEANFILES)
distclean-generic:
-test -z "$(CONFIG_CLEAN_FILES)" || rm -f $(CONFIG_CLEAN_FILES)
-test . = "$(srcdir)" || test -z "$(CONFIG_CLEAN_VPATH_FILES)" || rm -f $(CONFIG_CLEAN_VPATH_FILES)
-$(am__rm_f) $(CONFIG_CLEAN_FILES)
-test . = "$(srcdir)" || $(am__rm_f) $(CONFIG_CLEAN_VPATH_FILES)
maintainer-clean-generic:
@echo "This command is intended for maintainers to use"
@@ -932,3 +956,10 @@ python_scripts_sub: $(PYTHON_SHEBANG)
# Tell versions [3.59,3.63) of GNU make to not export all variables.
# Otherwise a system limit (for SysV at least) may be exceeded.
.NOEXPORT:
# Tell GNU make to disable its built-in pattern rules.
%:: %,v
%:: RCS/%,v
%:: RCS/%
%:: s.%
%:: SCCS/s.%

@@ -0,0 +1,8 @@
#!/usr/bin/python3
#
# Copyright (C) 2020 FreeIPA Contributors see COPYING for license
#
from ipaserver.install.ipa_acme_manage import IPAACMEManage
IPAACMEManage.run_cli()

@@ -29,19 +29,17 @@ import sys
import six
from optparse import SUPPRESS_HELP # pylint: disable=deprecated-module
from ipalib.install import sysrestore
from ipaserver.install import adtrust, service
from ipaserver.install.installutils import (
read_password,
check_server_configuration,
run_script)
from ipapython.admintool import ScriptError
from ipapython.admintool import ScriptError, admin_cleanup_global_argv
from ipapython import version
from ipapython import ipautil
from ipalib import api, errors, krb_utils
from ipapython.config import IPAOptionParser
from ipapython.config import IPAOptionParser, SUPPRESS_HELP
from ipaplatform.paths import paths
from ipapython.ipa_log_manager import standard_logging_setup
@@ -50,7 +48,7 @@ if six.PY3:
logger = logging.getLogger(os.path.basename(__file__))
log_file_name = paths.IPASERVER_INSTALL_LOG
log_file_name = paths.IPASERVER_ADTRUST_INSTALL_LOG
def parse_options():
@@ -64,10 +62,11 @@ def parse_options():
parser.add_option("--no-msdcs", dest="no_msdcs", action="store_true",
default=False, help=SUPPRESS_HELP)
parser.add_option("--rid-base", dest="rid_base", type=int, default=1000,
parser.add_option("--rid-base", dest="rid_base", type=int,
default=adtrust.DEFAULT_PRIMARY_RID_BASE,
help="Start value for mapping UIDs and GIDs to RIDs")
parser.add_option("--secondary-rid-base", dest="secondary_rid_base",
type=int, default=100000000,
type=int, default=adtrust.DEFAULT_SECONDARY_RID_BASE,
help="Start value of the secondary range for mapping "
"UIDs and GIDs to RIDs")
parser.add_option("-U", "--unattended", dest="unattended",
@@ -94,6 +93,7 @@ def parse_options():
options, _args = parser.parse_args()
safe_options = parser.get_safe_opts(options)
admin_cleanup_global_argv(parser, options, sys.argv)
return safe_options, options
@@ -141,11 +141,11 @@ def main():
"==============")
print("This program will setup components needed to establish trust to "
"AD domains for")
print("the FreeIPA Server.")
print("the IPA Server.")
print("")
print("This includes:")
print(" * Configure Samba")
print(" * Add trust related objects to FreeIPA LDAP server")
print(" * Add trust related objects to IPA LDAP server")
# TODO:
# print " * Add a SID to all users and Posix groups"
print("")
@@ -161,7 +161,7 @@ def main():
api.bootstrap(
in_server=True,
debug=options.debug,
context='install',
context='installer',
confdir=paths.ETC_IPA
)
api.finalize()
@@ -201,7 +201,7 @@ def main():
if not (user['uid'][0] in group['member_user'] and
group['cn'][0] in user['memberof_group']):
raise errors.RequirementError(name='admins group membership')
except errors.RequirementError as e:
except errors.RequirementError:
raise ScriptError(
"Must have administrative privileges to setup AD trusts on server"
)
@@ -209,6 +209,8 @@ def main():
raise ScriptError(
"Unrecognized error during check of admin rights: %s" % e)
# Force options.setup_adtrust
options.setup_adtrust = True
adtrust.install_check(True, options, api)
adtrust.install(True, options, fstore, api)

@@ -42,6 +42,7 @@ from ipalib.constants import DOMAIN_LEVEL_1
from ipapython.config import IPAOptionParser
from ipapython.ipa_log_manager import standard_logging_setup
from ipaplatform.paths import paths
from ipapython.admintool import admin_cleanup_global_argv
logger = logging.getLogger(os.path.basename(__file__))
@@ -81,7 +82,7 @@ def parse_options():
parser.add_option("--external-cert-file", dest="external_cert_files",
action="append", metavar="FILE",
help="File containing the IPA CA certificate and the external CA certificate chain")
ca_algos = ('SHA1withRSA', 'SHA256withRSA', 'SHA512withRSA')
ca_algos = ('SHA1withRSA', 'SHA256withRSA', 'SHA384withRSA', 'SHA512withRSA')
parser.add_option("--ca-signing-algorithm", dest="ca_signing_algorithm",
type="choice", choices=ca_algos,
metavar="{{{0}}}".format(",".join(ca_algos)),
@@ -101,13 +102,38 @@ def parse_options():
"The CA certificate subject DN "
"(default CN=Certificate Authority,O=<realm-name>). "
"RDNs are in LDAP order (most specific RDN first)."))
parser.add_option("--token-name", dest="token_name",
default=None,
help=(
"The PKCS#11 token name if using an HSM to store "
"and generate private keys."))
parser.add_option("--token-library-path", dest="token_library_path",
default=None,
help=(
"The full path to the PKCS#11 shared library "
"needed to access the HSM device."))
parser.add_option("--token-password", dest="token_password",
default=None,
sensitive=True,
help=(
"The PKCS#11 token password for the HSM."))
parser.add_option("--token-password-file", dest="token_password_file",
default=None,
help=(
"The full path to a file containing the PKCS#11 "
" token password."))
parser.add_option("--pki-config-override", dest="pki_config_override",
default=None,
help="Path to ini file with config overrides.")
parser.add_option("--random-serial-numbers", dest="random_serial_numbers",
default=False, help="Enable random serial numbers",
action="store_true")
options, args = parser.parse_args()
safe_options = parser.get_safe_opts(options)
admin_cleanup_global_argv(parser, options, sys.argv)
if args:
parser.error("Too many arguments provided")
@@ -162,7 +188,9 @@ def install_replica(safe_options, options):
# Run ipa-certupdate to ensure we have the CA cert. This is
# necessary if the admin has just promoted the topology from
# CA-less to CA-ful, and ipa-certupdate has not been run yet.
print("Running ipa-certupdate...", end="", flush=True)
ipa_certupdate.run_with_args(api)
print("done")
# CertUpdate restarts DS causing broken pipe on the original
# connection, so reconnect the backend.
@@ -226,6 +254,10 @@ def install_master(safe_options, options):
options.ca_subject = str(
installutils.default_ca_subject_dn(options.subject_base))
try:
ca.random_serial_numbers_validator(options.random_serial_numbers)
except ValueError as e:
sys.exit(str(e))
try:
ca.subject_validator(ca.VALID_SUBJECT_BASE_ATTRS, options.subject_base)
except ValueError as e:
@@ -270,6 +302,11 @@ def install(safe_options, options):
if ca_host is None:
install_master(safe_options, options)
else:
if options.random_serial_numbers:
if ca.lookup_random_serial_number_version(api) == 0:
sys.exit(
"\nRandom serial numbers cannot be enabled in an "
"existing CA installation.\n")
install_replica(safe_options, options)
@@ -294,7 +331,7 @@ def main():
# override ra_plugin setting read from default.conf so that we have
# functional dogtag backend plugins during CA install
api.bootstrap(
context='install', confdir=paths.ETC_IPA,
context='installer', confdir=paths.ETC_IPA,
in_server=True, ra_plugin='dogtag'
)
api.finalize()
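Review bot: The changed `ca_algos` tuple still offers `SHA1withRSA` as a selectable CA signing algorithm; SHA-1 certificate signatures are rejected by current TLS stacks and browsers, so at minimum selecting it should emit a deprecation warning, or the entry should be dropped from the tuple now that `SHA384withRSA` is available. Separately, the help text for `--token-password-file` concatenates `"... PKCS#11 " " token password."`, which renders with a doubled space; drop the leading space in the second literal. For `--token-password`, `sensitive=True` presumably keeps the HSM PIN out of logs, but a value passed on the command line is still visible to other local users through the process list for as long as it sits in argv, so the help string could point at `--token-password-file` as the preferred form. `parse_options` and `install` both continue outside the visible hunks.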

@@ -0,0 +1,75 @@
#!/usr/bin/python3
# Based heavily on
# https://github.com/gssapi/mod_auth_gssapi/blob/master/contrib/sweeper.py
# Copyright (C) 2016 mod_auth_gssapi contributors - See COPYING for (C) terms
# If one uses both sessions and unique ccache names, then the filesystem will
# become littered with ccache files unless the accessed application cleans
# them up itself. This script will minimize ccache file proliferation by
# removing any ccaches that have expired from the filesystem, and serves as an
# example of how this cleaning can be performed.
import argparse
import os
import stat
import sys
import time
from ipalib.krb_utils import get_credentials_if_valid
from ipaplatform.paths import paths
def should_delete(fname, t, minlife):
"""Process file as a ccache and indicate whether it is expired"""
# skip directories and other non-files
st = os.stat(fname)
if not stat.S_ISREG(st.st_mode):
return False
# ignore files that are newer than minlife minutes
if t - st.st_mtime < minlife * 60:
return False
# gssproxy inquires input credentials. If they are expired
# then gssproxy acquires creds from cred_store according to
# the configuration of gssproxy's service, which in this case
# hasn't cred_store(besides `keytab:`, used for decryption of
# ccache). If there is no ccache within cred_store then gssproxy
# adds its own one("MEMORY:internal_%d"), which hasn't
# any credentials, thus, scan_ccache fails with KRB5_FCC_NOFILE.
# Since the caller requires INITIATE-ONLY and the client keytab
# is not provided in cred_store the result of gss_acquire_cred_from
# is KRB5_FCC_NOFILE, which is mapped by gssproxy to
# 0x04200000 + KRB5_FCC_NOFILE.
creds = get_credentials_if_valid(ccache_name=fname)
return creds is None
if __name__ == "__main__":
parser = argparse.ArgumentParser(description="Sweep expired ccaches")
parser.add_argument("-m", dest="minlife", type=int,
help="ignore newer files than this (default: 30)",
default=30)
args = parser.parse_args()
os.environ["GSS_USE_PROXY"] = "yes"
os.environ["GSSPROXY_BEHAVIOR"] = "REMOTE_ONLY"
os.environ["GSSPROXY_SOCKET"] = paths.IPA_CCACHE_SWEEPER_GSSPROXY_SOCK
print("Running sweeper...")
t = time.time()
os.chdir(paths.IPA_CCACHES)
for fname in os.listdir(paths.IPA_CCACHES):
try:
if should_delete(fname, t, args.minlife):
os.unlink(fname)
except FileNotFoundError:
# someone else did the work for us
pass
print("Sweeper finished successfully!")
sys.exit(0)
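Review bot: `should_delete` classifies directory entries with `os.stat`, which follows symlinks, so a symlink pointing at a regular file elsewhere is treated as a ccache: its target is handed to `get_credentials_if_valid` and the link is unlinked if those credentials are invalid. Use `st = os.lstat(fname)` so that `S_ISREG` only matches real files inside the ccache directory. `ccache_name=fname` also passes a bare relative name that only works because of the preceding `os.chdir`; building `"FILE:" + os.path.join(paths.IPA_CCACHES, fname)` would make both the type and the path explicit, though I cannot tell from here whether `krb_utils` expects the bare form, so confirm against its other callers. Finally, any exception other than `FileNotFoundError` (for example a GSSAPI error surfaced through gssproxy for one corrupt file) aborts the whole sweep at the first bad entry; catching and logging it per file and continuing would let a single bad ccache not block cleanup of the rest.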

@@ -24,13 +24,13 @@ from __future__ import print_function
import sys
from ipaplatform.paths import paths
try:
from optparse import OptionParser # pylint: disable=deprecated-module
from ipapython import ipautil, config
from ipaserver.install import installutils
from ipaserver.install.ldapupdate import LDAPUpdate
from ipalib import api, errors
from ipapython.ipa_log_manager import standard_logging_setup
from ipapython.dn import DN
from ipapython.admintool import admin_cleanup_global_argv
except ImportError as e:
print("""\
There was a problem importing one of the required Python modules. The
@@ -46,7 +46,8 @@ nis_config_dn = DN(('cn', 'NIS Server'), ('cn', 'plugins'), ('cn', 'config'))
def parse_options():
usage = "%prog [options] <enable|disable|status>\n"
usage += "%prog [options]\n"
parser = OptionParser(usage=usage, formatter=config.IPAFormatter())
parser = config.IPAOptionParser(usage=usage,
formatter=config.IPAFormatter())
parser.add_option("-d", "--debug", action="store_true", dest="debug",
help="Display debugging information about the update(s)")
@@ -55,6 +56,7 @@ def parse_options():
config.add_standard_options(parser)
options, args = parser.parse_args()
admin_cleanup_global_argv(parser, options, sys.argv)
return options, args
@@ -131,8 +133,9 @@ def main():
else:
print("Enabling plugin")
# https://github.com/PyCQA/pylint/issues/872
if entry is None:
ld = LDAPUpdate(dm_password=dirman_password, sub_dict={})
ld = LDAPUpdate()
if not ld.update(files):
print("Updating Directory Server failed.")
retval = 1

@@ -30,9 +30,10 @@ from ipaplatform.paths import paths
from ipaserver.install import (replication, installutils, bindinstance,
cainstance)
from ipalib import api, errors
from ipalib.util import has_managed_topology
from ipapython import ipautil, ipaldap, version
from ipapython.admintool import ScriptError
from ipalib.constants import FQDN
from ipalib.util import has_managed_topology, print_replication_status
from ipapython import ipautil, ipaldap, version, config
from ipapython.admintool import admin_cleanup_global_argv, ScriptError
from ipapython.dn import DN
logger = logging.getLogger(os.path.basename(__file__))
@@ -53,11 +54,10 @@ commands = {
def parse_options():
from optparse import OptionParser # pylint: disable=deprecated-module
parser = OptionParser(version=version.VERSION)
parser = config.IPAOptionParser(version=version.VERSION)
parser.add_option("-H", "--host", dest="host", help="starting host")
parser.add_option("-p", "--password", dest="dirman_passwd", help="Directory Manager password")
parser.add_option("-p", "--password", dest="dirman_passwd", sensitive=True,
help="Directory Manager password")
parser.add_option("-v", "--verbose", dest="verbose", action="store_true", default=False,
help="provide additional information")
parser.add_option("-f", "--force", dest="force", action="store_true", default=False,
@@ -65,23 +65,27 @@ def parse_options():
parser.add_option("--from", dest="fromhost", help="Host to get data from")
options, args = parser.parse_args()
admin_cleanup_global_argv(parser, options, sys.argv)
valid_syntax = False
if len(args):
n = len(args) - 1
for cmd in commands:
for cmd, args_info in commands.items():
if cmd == args[0]:
v = commands[cmd]
err = None
if n < v[0]:
err = v[3]
elif n > v[1]:
if n < args_info[0]:
err = args_info[3]
elif n > args_info[1]:
err = "too many arguments"
else:
valid_syntax = True
if err:
parser.error("Invalid syntax: %s\nUsage: %s [options] %s" % (err, cmd, v[2]))
parser.error(
"Invalid syntax: %s\nUsage: %s [options] %s" % (
err, cmd, args_info[2]
)
)
if not valid_syntax:
cmdstr = " | ".join(commands.keys())
@@ -132,19 +136,7 @@ def list_replicas(realm, host, replica, dirman_passwd, verbose):
for entry in entries:
print('%s' % entry.single_value.get('nsds5replicahost'))
if verbose:
initstatus = entry.single_value.get('nsds5replicalastinitstatus')
if initstatus is not None:
print(" last init status: %s" % initstatus)
print(" last init ended: %s" % str(
ipautil.parse_generalized_time(
entry.single_value['nsds5replicalastinitend'])))
print(" last update status: %s" % entry.single_value.get(
'nsds5replicalastupdatestatus'))
print(" last update ended: %s" % str(
ipautil.parse_generalized_time(
entry.single_value['nsds5replicalastupdateend'])))
print_replication_status(entry, verbose)
def del_link(realm, replica1, replica2, dirman_passwd, force=False):
@@ -343,7 +335,7 @@ def re_initialize(realm, options):
if not options.fromhost:
sys.exit("re-initialize requires the option --from <host name>")
thishost = installutils.get_fqdn()
thishost = FQDN
try:
repl = replication.get_cs_replication_manager(realm, options.fromhost,
@@ -383,7 +375,7 @@ def force_sync(realm, thishost, fromhost, dirman_passwd):
def set_renewal_master(realm, replica):
if not replica:
replica = installutils.get_fqdn()
replica = FQDN
ca = cainstance.CAInstance(realm)
if ca.is_renewal_master(replica):
@@ -434,7 +426,7 @@ def main():
if options.host:
host = options.host
else:
host = installutils.get_fqdn()
host = FQDN
options.host = host
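Review bot: The rewritten loop in `parse_options` still walks every entry of `commands` just to find the one whose key equals `args[0]`, which hides a plain dictionary lookup behind a `for`/`if` pair. Replacing `for cmd, args_info in commands.items():` and `if cmd == args[0]:` with `args_info = commands.get(args[0])` and `if args_info is not None:`, and using `args[0]` in place of `cmd` in the `parser.error` format, keeps the behaviour (the `valid_syntax` fallback below still fires for an unknown command) while making the intent obvious. The rest of `parse_options` continues outside the visible hunk.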

@@ -9,10 +9,9 @@ import argparse
import logging
import os
import platform
import socket
import warnings
from custodia.message.kem import KEY_USAGE_SIG, KEY_USAGE_ENC, KEY_USAGE_MAP
from ipaserver.custodia.message.kem import KEY_USAGE_SIG, KEY_USAGE_ENC, KEY_USAGE_MAP
from jwcrypto.common import json_decode
from jwcrypto.jwk import JWK
@@ -49,6 +48,8 @@ KEYS = [
'dm/DMHash',
'ra/ipaCert',
'ca/auditSigningCert cert-pki-ca',
'ca_wrapped/auditSigningCert cert-pki-ca',
'ca_wrapped/auditSigningCert cert-pki-ca/1.2.840.113549.3.7',
'ca/caSigningCert cert-pki-ca',
'ca/ocspSigningCert cert-pki-ca',
'ca/subsystemCert cert-pki-ca',
@@ -134,7 +135,6 @@ class IPACustodiaTester:
def check(self):
self.status()
self.check_fqdn()
self.check_files()
self.check_client()
self.check_jwk()
@@ -154,13 +154,6 @@ class IPACustodiaTester:
if self.host == self.args.server:
self.warning("Performing self-test only.")
def check_fqdn(self):
fqdn = socket.getfqdn()
if self.host != fqdn:
self.warning(
"socket.getfqdn() reports hostname '{}'".format(fqdn)
)
def check_files(self):
for filename in self.files:
if not os.path.isfile(filename):
@@ -191,7 +184,7 @@ class IPACustodiaTester:
pkey = JWK(**dictkeys[usage_id])
local_pubkey = json_decode(pkey.export_public())
except Exception:
raise self.error(
raise self.error( # pylint: disable=raising-bad-type, #4772
"Failed to load and parse local JWK.", fatal=True
)
else:
@@ -199,10 +192,10 @@ class IPACustodiaTester:
usage, IPA_CUSTODIA_KEYFILE
))
if pkey.key_id != self.host_spn:
raise self.error(
if pkey.get('kid') != self.host_spn:
raise self.error( # pylint: disable=raising-bad-type, #4772
"KID '{}' != host service principal name '{}' "
"(usage: {})".format(pkey.key_id, self.host_spn, usage),
"(usage: {})".format(pkey.get('kid'), self.host_spn, usage),
fatal=True
)
else:
@@ -217,7 +210,7 @@ class IPACustodiaTester:
try:
host_pubkey = json_decode(find_key(self.host_spn, usage_id))
except Exception:
raise self.error(
raise self.error( # pylint: disable=raising-bad-type, #4772
"Fetching host keys {} (usage: {}) failed.".format(
self.host_spn, usage),
fatal=True
@@ -230,7 +223,7 @@ class IPACustodiaTester:
if host_pubkey != local_pubkey:
self.debug("LDAP: '{}'".format(host_pubkey))
self.debug("Local: '{}'".format(local_pubkey))
raise self.error(
raise self.error( # pylint: disable=raising-bad-type, #4772
"Host key in LDAP does not match local key.",
fatal=True
)
@@ -242,7 +235,7 @@ class IPACustodiaTester:
try:
server_pubkey = json_decode(find_key(self.server_spn, usage_id))
except Exception:
raise self.error(
raise self.error( # pylint: disable=raising-bad-type, #4772
"Fetching server keys {} (usage: {}) failed.".format(
self.server_spn, usage),
fatal=True


@@ -38,7 +38,7 @@ from ipaserver.install import dns as dns_installer
logger = logging.getLogger(os.path.basename(__file__))
log_file_name = paths.IPASERVER_INSTALL_LOG
log_file_name = paths.IPASERVER_DNS_INSTALL_LOG
def parse_options():
parser = IPAOptionParser(version=version.VERSION)
@@ -131,7 +131,7 @@ def main():
# Initialize the ipalib api
api.bootstrap(
context='install', confdir=paths.ETC_IPA,
context='installer', confdir=paths.ETC_IPA,
in_server=True, debug=options.debug,
)
api.finalize()


@@ -24,7 +24,6 @@ import logging
import os
import re
import sys
from optparse import OptionParser # pylint: disable=deprecated-module
from ipaplatform.paths import paths
from ipapython import config
@@ -32,6 +31,7 @@ from ipaserver.install import installutils
from ipalib import api, errors
from ipapython.ipa_log_manager import standard_logging_setup
from ipapython.dn import DN
from ipapython.admintool import admin_cleanup_global_argv
logger = logging.getLogger(os.path.basename(__file__))
@@ -39,7 +39,8 @@ logger = logging.getLogger(os.path.basename(__file__))
def parse_options():
usage = "%prog [options] <status|enable|disable>\n"
usage += "%prog [options]\n"
parser = OptionParser(usage=usage, formatter=config.IPAFormatter())
parser = config.IPAOptionParser(usage=usage,
formatter=config.IPAFormatter())
parser.add_option("-d", "--debug", action="store_true", dest="debug",
help="Display debugging information about the update(s)")
@@ -50,9 +51,10 @@ def parse_options():
action="store_true",
help="List available Managed Entries")
parser.add_option("-p", "--password", dest="dirman_password",
help="Directory Manager password")
sensitive=True, help="Directory Manager password")
options, args = parser.parse_args()
admin_cleanup_global_argv(parser, options, sys.argv)
return options, args
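Review bot: `sensitive=True` on the `--password` option and the new `admin_cleanup_global_argv(parser, options, sys.argv)` call are added without a comment saying what they achieve together; a one-liner such as `# scrub values of sensitive options from sys.argv once they have been parsed` above the call would document the intent. If, as the name suggests, the helper rewrites the argument vector in place after parsing, the password is still visible in the process list to other local users between exec and that call, so the help text should keep pointing users to an interactive prompt rather than `-p` where one exists; confirm against admintool. The same pattern is added to parse_options in ipa-replica-conncheck and ipa-replica-manage further down this page.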

10
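--- /dev/null
+++ b/install/tools/ipa-migrate.in
@@ -0,0 +1,10 @@
+#!/usr/bin/python3
+#
+# Copyright (C) 2023 FreeIPA Contributors see COPYING for license
+#
+# PYTHON_ARGCOMPLETE_OK
+from ipaserver.install.ipa_migrate import IPAMigrate
+ipa_migrate = IPAMigrate()
+ipa_migrate.run()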


@@ -149,7 +149,7 @@ def main():
# could be turned off, handle both cases.
if entry is None:
print("Enabling plugin")
ld = LDAPUpdate(dm_password=dirman_password, sub_dict={}, ldapi=True)
ld = LDAPUpdate()
if ld.update(files) != True:
retval = 1
elif entry.get('nsslapd-pluginenabled', [''])[0].lower() == 'off':


@@ -34,7 +34,6 @@ def main():
"File '{}' missing or not readable.\n".format(filename)
)
# pylint: disable=no-member
client = CustodiaClient(
client_service="{}@{}".format(service, env.host),
server=args.servername,


@@ -13,6 +13,7 @@ import logging
import sys
import time
from xml.etree import ElementTree
import json
from ipalib import api
from ipaplatform.paths import paths
@@ -74,10 +75,19 @@ def get_status(conn, timeout):
"""
client = SystemStatusClient(conn)
response = client.get_status(timeout=timeout)
root = ElementTree.fromstring(response)
status = root.findtext("Status")
error = root.findtext("Error")
logging.debug("Got status '%s', error '%s'", status, error)
status = None
error = None
try:
json_response = json.loads(response)
status = json_response['Response']['Status']
except KeyError as e:
error = repr(e)
except json.JSONDecodeError:
logger.debug("Response is not valid JSON, try XML")
root = ElementTree.fromstring(response)
status = root.findtext("Status")
error = root.findtext("Error")
logger.debug("Got status '%s', error '%s'", status, error)
return status, error
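Review bot: The JSON branch in get_status only catches `KeyError`, so a response that decodes to something other than a dict (`null`, a list, a bare string) raises `TypeError` from `json_response['Response']` and escapes the function instead of being reported through `error`; widening the handler to `except (KeyError, TypeError) as e:` keeps that failure on the existing error path. The JSON path also never populates `error` on success, whereas the XML fallback reads an `Error` element, so callers receive `(status, None)` for JSON even if the server included an error field — worth a comment, or a matching lookup if the JSON schema carries one. Indentation is lost in this rendering, so it is not clear whether the final `logger.debug("Got status ...")` runs for both branches or only inside the XML `except`; it should log for both. The hunk also switches from `logging.debug` to `logger.debug`, and the `logger` object is defined outside this section.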


@@ -23,14 +23,15 @@ from __future__ import print_function
import logging
from ipapython import ipachangeconf
from ipapython.config import IPAOptionParser
from ipapython.config import (IPAOptionParser, OptionGroup,
OptionValueError)
from ipapython.admintool import admin_cleanup_global_argv
from ipapython.dn import DN
from ipapython import version
from ipapython import ipautil, certdb
from ipalib import api, errors, x509
from ipalib.constants import FQDN
from ipaserver.install import installutils
# pylint: disable=deprecated-module
from optparse import OptionGroup, OptionValueError
# pylint: enable=deprecated-module
from ipapython.ipa_log_manager import standard_logging_setup
import copy
@@ -44,7 +45,7 @@ import time
import threading
import traceback
from socket import SOCK_STREAM, SOCK_DGRAM
import distutils.spawn
import shutil
from ipaplatform.paths import paths
import gssapi
@@ -61,7 +62,7 @@ class SshExec:
def __init__(self, user, addr):
self.user = user
self.addr = addr
self.cmd = distutils.spawn.find_executable('ssh')
self.cmd = shutil.which('ssh')
# Bail if ssh is not installed
if self.cmd is None:
raise RuntimeError("ssh not installed")
@@ -188,6 +189,7 @@ def parse_options():
options, _args = parser.parse_args()
safe_options = parser.get_safe_opts(options)
admin_cleanup_global_argv(parser, options, sys.argv)
if options.master and options.replica:
parser.error("on-master and on-replica options are mutually exclusive!")
@@ -205,7 +207,7 @@ def parse_options():
parser.error("No action: you should select either --replica or --master option.")
if not options.hostname:
options.hostname = socket.getfqdn()
options.hostname = FQDN
return safe_options, options
@@ -290,7 +292,7 @@ class PortResponder(threading.Thread):
self._sockets = []
self._close = False
self._close_lock = threading.Lock()
self.responder_data = b'FreeIPA'
self.responder_data = b'IPA'
self.ports_opened = False
self.ports_open_cond = threading.Condition()
@@ -318,7 +320,7 @@ class PortResponder(threading.Thread):
logger.debug('%d %s: Stopped listening', port, proto)
def _is_closing(self):
with self._close_lock: # pylint: disable=not-context-manager
with self._close_lock:
return self._close
def _bind_to_port(self, port, socket_type):
@@ -369,7 +371,7 @@ class PortResponder(threading.Thread):
def stop(self):
logger.debug('Stopping listening thread.')
with self._close_lock: # pylint: disable=not-context-manager
with self._close_lock:
self._close = True
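Review bot: `self.responder_data = b'IPA'` changes the bytes PortResponder writes to the peer; if the side that probes the ports compares what it reads against the previous `b'FreeIPA'` literal (that code is outside this section), a connection check between a new replica and an older master fails for a reason unrelated to connectivity. If such a comparison exists, accepting either value on the reading side or documenting the required version pairing avoids a misleading failure, and the literal deserves a comment such as `# payload echoed to the peer on each probed port; the checking side must expect it`. The PortResponder class and its `__init__` start outside this hunk.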


@@ -26,7 +26,6 @@ import os
import re
import socket
import traceback
from urllib.parse import urlparse
from xmlrpc.client import MAXINT
import ldap
@@ -38,7 +37,13 @@ from ipaserver.install import bindinstance, cainstance
from ipaserver.install import opendnssecinstance, dnskeysyncinstance
from ipapython import version, ipaldap
from ipalib import api, errors
from ipalib.util import has_managed_topology, verify_host_resolvable
from ipalib.constants import FQDN
from ipalib.util import (
has_managed_topology,
print_replication_status,
verify_host_resolvable,
)
from ipapython.admintool import admin_cleanup_global_argv
from ipapython.ipa_log_manager import standard_logging_setup
from ipapython.dn import DN
from ipapython.config import IPAOptionParser
@@ -80,7 +85,8 @@ class NoRUVsFound(Exception):
def parse_options():
parser = IPAOptionParser(version=version.VERSION)
parser.add_option("-H", "--host", dest="host", help="starting host")
parser.add_option("-p", "--password", dest="dirman_passwd", help="Directory Manager password")
parser.add_option("-p", "--password", dest="dirman_passwd", sensitive=True,
help="Directory Manager password")
parser.add_option("-v", "--verbose", dest="verbose", action="store_true", default=False,
help="provide additional information")
parser.add_option("-d", "--debug", dest="debug", action="store_true", default=False,
@@ -91,7 +97,7 @@ def parse_options():
help="DANGER: clean up references to a ghost master")
parser.add_option("--binddn", dest="binddn", default=None, type="dn",
help="Bind DN to use with remote server")
parser.add_option("--bindpw", dest="bindpw", default=None,
parser.add_option("--bindpw", dest="bindpw", default=None, sensitive=True,
help="Password for Bind DN to use with remote server")
parser.add_option("--winsync", dest="winsync", action="store_true", default=False,
help="This is a Windows Sync Agreement")
@@ -99,30 +105,35 @@ def parse_options():
help="Full path and filename of CA certificate to use with TLS/SSL to the remote server")
parser.add_option("--win-subtree", dest="win_subtree", default=None,
help="DN of Windows subtree containing the users you want to sync (default cn=Users,<domain suffix)")
parser.add_option("--passsync", dest="passsync", default=None,
parser.add_option("--passsync", dest="passsync",
default=None, sensitive=True,
help="Password for the IPA system user used by the Windows PassSync plugin to synchronize passwords")
parser.add_option("--from", dest="fromhost", help="Host to get data from")
parser.add_option("--no-lookup", dest="nolookup", action="store_true", default=False,
help="do not perform DNS lookup checks")
options, args = parser.parse_args()
admin_cleanup_global_argv(parser, options, sys.argv)
valid_syntax = False
if len(args):
n = len(args) - 1
for cmd in commands:
for cmd, args_info in commands.items():
if cmd == args[0]:
v = commands[cmd]
err = None
if n < v[0]:
err = v[3]
elif n > v[1]:
if n < args_info[0]:
err = args_info[3]
elif n > args_info[1]:
err = "too many arguments"
else:
valid_syntax = True
if err:
parser.error("Invalid syntax: %s\nUsage: %s [options] %s" % (err, cmd, v[2]))
parser.error(
"Invalid syntax: %s\nUsage: %s [options] %s" % (
err, cmd, args_info[2]
)
)
if not valid_syntax:
cmdstr = " | ".join(commands.keys())
@@ -234,19 +245,7 @@ def list_replicas(realm, host, replica, dirman_passwd, verbose, nolookup=False):
for entry in entries:
print('%s: %s' % (entry.single_value.get('nsds5replicahost'), ent_type))
if verbose:
initstatus = entry.single_value.get('nsds5replicalastinitstatus')
if initstatus is not None:
print(" last init status: %s" % initstatus)
print(" last init ended: %s" % str(
ipautil.parse_generalized_time(
entry.single_value['nsds5replicalastinitend'])))
print(" last update status: %s" % entry.single_value.get(
'nsds5replicalastupdatestatus'))
print(" last update ended: %s" % str(
ipautil.parse_generalized_time(
entry.single_value['nsds5replicalastupdateend'])))
print_replication_status(entry, verbose)
def del_link(realm, replica1, replica2, dirman_passwd, force=False):
@@ -362,9 +361,14 @@ def del_link(realm, replica1, replica2, dirman_passwd, force=False):
return True
def get_ruv(realm, host, dirman_passwd, nolookup=False, ca=False):
def get_ruv(realm, host, dirman_passwd, nolookup=False, ca=False,
strict=True):
"""
Return the RUV entries as a list of tuples: (hostname, rid)
If strict is True then the RUV must contain the ldap url, otherwise it is
ok to proceed with just the rid
"""
if not nolookup:
@@ -375,10 +379,9 @@ def get_ruv(realm, host, dirman_passwd, nolookup=False, ca=False):
thisrepl = replication.get_cs_replication_manager(realm, host, dirman_passwd)
else:
thisrepl = replication.ReplicationManager(realm, host, dirman_passwd)
except Exception as e:
except Exception as ex:
logger.debug("%s", traceback.format_exc())
raise RuntimeError("Failed to connect to server {host}: {err}"
.format(host=host, err=e))
raise RuntimeError(f"Failed to connect to server {host}: {ex}")
search_filter = '(&(nsuniqueid=ffffffff-ffffffff-ffffffff-ffffffff)(objectclass=nstombstone))'
try:
@@ -390,24 +393,42 @@ def get_ruv(realm, host, dirman_passwd, nolookup=False, ca=False):
raise NoRUVsFound("No RUV records found.")
servers = []
for e in entries:
for ruv in e['nsds50ruv']:
for entry in entries:
for ruv in entry['nsds50ruv']:
if ruv.startswith('{replicageneration'):
continue
data = re.match('\{replica (\d+) (ldap://.*:\d+)\}(\s+\w+\s+\w*){0,1}', ruv)
if data:
rid = data.group(1)
(
_scheme, netloc, _path, _params, _query, _fragment
) = urlparse(data.group(2))
servers.append((netloc, rid))
# Get the RID, this is required in all cases
rid_data = re.match(
r'\{replica (\d+)',
ruv
)
if rid_data:
rid = rid_data.group(1)
else:
print("unable to decode: %s" % ruv)
print(f"unable to decode: {ruv} --> missing replica ID")
continue
# Attempt to extract ldap url from ruv (it's not always present)
netloc = "unknown host"
host_data = re.match(
r'(\{\w+\s+\d+\s+)ldap://(.+:\d+)',
ruv
)
if host_data:
netloc = host_data.group(2)
elif strict:
print(f"unable to decode: {ruv} --> missing LDAP url")
continue
# Ok update server list
servers.append((netloc, rid))
return servers
def get_ruv_both_suffixes(realm, host, dirman_passwd, verbose, nolookup=False):
def get_ruv_both_suffixes(realm, host, dirman_passwd, verbose, nolookup=False,
strict=True):
"""
Get RUVs for both domain and ipaca suffixes
"""
@@ -415,19 +436,20 @@ def get_ruv_both_suffixes(realm, host, dirman_passwd, verbose, nolookup=False):
fail_gracefully = True
try:
ruvs['ca'] = get_ruv(realm, host, dirman_passwd, nolookup, True)
ruvs['ca'] = get_ruv(realm, host, dirman_passwd, nolookup, True,
strict)
except (NoRUVsFound, RuntimeError) as e:
err = "Failed to get CS-RUVs from {host}: {err}".format(host=host,
err=e)
err = f"Failed to get CS-RUVs from {host}: {e}"
if isinstance(e, RuntimeError):
fail_gracefully = False
if verbose:
print(err)
logger.debug('%s', err)
try:
ruvs['domain'] = get_ruv(realm, host, dirman_passwd, nolookup)
ruvs['domain'] = get_ruv(realm, host, dirman_passwd, nolookup, False,
strict)
except (NoRUVsFound, RuntimeError) as e:
err = "Failed to get RUVs from {host}: {err}".format(host=host, err=e)
err = f"Failed to get RUVs from {host}: {e}"
if isinstance(e, RuntimeError):
if not fail_gracefully:
raise
@@ -499,7 +521,8 @@ def clean_ruv(realm, ruv, options):
servers = get_ruv_both_suffixes(realm, options.host,
options.dirman_passwd,
options.verbose,
options.nolookup)
options.nolookup,
strict=False)
except (NoRUVsFound, RuntimeError) as e:
print(e)
sys.exit(0 if isinstance(e, NoRUVsFound) else 1)
@@ -555,7 +578,8 @@ def abort_clean_ruv(realm, ruv, options):
servers = get_ruv_both_suffixes(realm, options.host,
options.dirman_passwd,
options.verbose,
options.nolookup)
options.nolookup,
strict=False)
except (NoRUVsFound, RuntimeError) as e:
print(e)
sys.exit(0 if isinstance(e, NoRUVsFound) else 1)
@@ -714,7 +738,8 @@ def clean_dangling_ruvs(realm, host, options):
ruv_dict = get_ruv_both_suffixes(realm, master_cn,
options.dirman_passwd,
options.verbose,
options.nolookup)
options.nolookup,
strict=False)
except (RuntimeError, NoRUVsFound):
continue
@@ -722,12 +747,12 @@ def clean_dangling_ruvs(realm, host, options):
# This needs needs to be split off
if ruv_dict.get('domain'):
master_info['ruvs'] = {
(re.sub(':\d+', '', x), y)
(re.sub(r':\d+', '', x), y)
for (x, y) in ruv_dict['domain']
}
if ruv_dict.get('ca'):
master_info['csruvs'] = {
(re.sub(':\d+', '', x), y)
(re.sub(r':\d+', '', x), y)
for (x, y) in ruv_dict['ca']
}
except Exception as e:
@@ -876,12 +901,12 @@ def ensure_last_services(conn, hostname, masters, options):
if ca_hostname is None and 'CA' in services_cns:
ca_hostname = master_cn
if 'CA' in this_services and not any(['CA' in o for o in other_services]):
if 'CA' in this_services and not any('CA' in o for o in other_services):
print("Deleting this server is not allowed as it would leave your installation without a CA.")
sys.exit(1)
other_dns = True
if 'DNS' in this_services and not any(['DNS' in o for o in other_services]):
if 'DNS' in this_services and not any('DNS' in o for o in other_services):
other_dns = False
print("Deleting this server will leave your installation without a DNS.")
if not options.force and not ipautil.user_input("Continue to delete?", False):
@@ -1241,12 +1266,12 @@ def force_sync(realm, thishost, fromhost, dirman_passwd, nolookup=False):
repl.force_sync(repl.conn, fromhost)
else:
ds = dsinstance.DsInstance(realm_name=realm)
ds.replica_manage_time_skew(prevent=False)
ds.replica_ignore_initial_time_skew()
repl = replication.ReplicationManager(realm, fromhost, dirman_passwd)
repl.force_sync(repl.conn, thishost)
agreement = repl.get_replication_agreement(thishost)
repl.wait_for_repl_update(repl.conn, agreement.dn)
ds.replica_manage_time_skew(prevent=True)
ds.replica_revert_time_skew()
def show_DNA_ranges(hostname, master, realm, dirman_passwd, nextrange=False,
nolookup=False):
@@ -1525,7 +1550,7 @@ def main(options, args):
if options.host:
host = options.host
else:
host = installutils.get_fqdn()
host = FQDN
options.host = host
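Review bot: With `strict=False`, get_ruv appends the literal `"unknown host"` as the hostname of a RUV that carries no LDAP URL, and clean_dangling_ruvs then passes it through `re.sub(r':\d+', '', x)` into `master_info['ruvs']` as if it were a server name, so any later comparison against real master hostnames will treat such entries as belonging to no master. If that is the intent (so they are cleaned), say so in the get_ruv docstring, e.g. `Entries without an LDAP url are reported with host "unknown host" when strict is False; callers must not treat that value as a resolvable name`, and hoist the sentinel into a module-level constant so the producer and consumer cannot drift apart. The URL regex `r'(\{\w+\s+\d+\s+)ldap://(.+:\d+)'` uses a greedy `.+`, which works for the `{replica N ldap://host:port}` shape but would capture up to the last `:digits` if a URL ever contained another one; `ldap://([^}\s]+:\d+)` is tighter. The bodies of get_ruv and clean_dangling_ruvs extend beyond the hunks shown.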


@@ -0,0 +1,8 @@
#!/usr/bin/python3
#
# Copyright (C) 2021 FreeIPA Contributors see COPYING for license
#
from ipaserver.install.ipa_subids import IPASubids
IPASubids.run_cli()


@@ -29,7 +29,9 @@ dist_man1_MANS = \
ipa-pkinit-manage.1 \
ipa-crlgen-manage.1 \
ipa-cert-fix.1 \
$(NULL)
ipa-acme-manage.1 \
ipa-migrate.1 \
$(NULL)
dist_man8_MANS = \
ipactl.8 \


@@ -1,7 +1,7 @@
# Makefile.in generated by automake 1.16.2 from Makefile.am.
# Makefile.in generated by automake 1.17 from Makefile.am.
# @configure_input@
# Copyright (C) 1994-2020 Free Software Foundation, Inc.
# Copyright (C) 1994-2024 Free Software Foundation, Inc.
# This Makefile.in is free software; the Free Software Foundation
# gives unlimited permission to copy and/or distribute it,
@@ -71,6 +71,8 @@ am__make_running_with_option = \
test $$has_opt = yes
am__make_dryrun = (target_option=n; $(am__make_running_with_option))
am__make_keepgoing = (target_option=k; $(am__make_running_with_option))
am__rm_f = rm -f $(am__rm_f_notfound)
am__rm_rf = rm -rf $(am__rm_f_notfound)
pkgdatadir = $(datadir)/@PACKAGE@
pkgincludedir = $(includedir)/@PACKAGE@
pkglibdir = $(libdir)/@PACKAGE@
@@ -148,10 +150,9 @@ am__base_list = \
sed '$$!N;$$!N;$$!N;$$!N;$$!N;$$!N;$$!N;s/\n/ /g' | \
sed '$$!N;$$!N;$$!N;$$!N;s/\n/ /g'
am__uninstall_files_from_dir = { \
test -z "$$files" \
|| { test ! -d "$$dir" && test ! -f "$$dir" && test ! -r "$$dir"; } \
|| { echo " ( cd '$$dir' && rm -f" $$files ")"; \
$(am__cd) "$$dir" && rm -f $$files; }; \
{ test ! -d "$$dir" && test ! -f "$$dir" && test ! -r "$$dir"; } \
|| { echo " ( cd '$$dir' && rm -f" $$files ")"; \
$(am__cd) "$$dir" && echo $$files | $(am__xargs_n) 40 $(am__rm_f); }; \
}
man1dir = $(mandir)/man1
am__installdirs = "$(DESTDIR)$(man1dir)" "$(DESTDIR)$(man8dir)"
@@ -181,6 +182,8 @@ CPP = @CPP@
CPPFLAGS = @CPPFLAGS@
CRYPTO_CFLAGS = @CRYPTO_CFLAGS@
CRYPTO_LIBS = @CRYPTO_LIBS@
CSCOPE = @CSCOPE@
CTAGS = @CTAGS@
CYGPATH_W = @CYGPATH_W@
DATA_VERSION = @DATA_VERSION@
DEFS = @DEFS@
@@ -194,8 +197,10 @@ ECHO_C = @ECHO_C@
ECHO_N = @ECHO_N@
ECHO_T = @ECHO_T@
EGREP = @EGREP@
ETAGS = @ETAGS@
EXEEXT = @EXEEXT@
FGREP = @FGREP@
FILECMD = @FILECMD@
GETTEXT_DOMAIN = @GETTEXT_DOMAIN@
GETTEXT_MACRO_VERSION = @GETTEXT_MACRO_VERSION@
GIT_BRANCH = @GIT_BRANCH@
@@ -203,6 +208,7 @@ GIT_VERSION = @GIT_VERSION@
GMSGFMT = @GMSGFMT@
GMSGFMT_015 = @GMSGFMT_015@
GREP = @GREP@
HTTPD_GROUP = @HTTPD_GROUP@
INI_CFLAGS = @INI_CFLAGS@
INI_LIBS = @INI_LIBS@
INSTALL = @INSTALL@
@@ -215,9 +221,12 @@ INTL_MACOSX_LIBS = @INTL_MACOSX_LIBS@
IPAPLATFORM = @IPAPLATFORM@
IPA_DATA_DIR = @IPA_DATA_DIR@
IPA_SYSCONF_DIR = @IPA_SYSCONF_DIR@
JANSSON_CFLAGS = @JANSSON_CFLAGS@
JANSSON_LIBS = @JANSSON_LIBS@
JSLINT = @JSLINT@
KRAD_LIBS = @KRAD_LIBS@
KRB5KDC_SERVICE = @KRB5KDC_SERVICE@
KRB5_BUILD_VERSION = @KRB5_BUILD_VERSION@
KRB5_CFLAGS = @KRB5_CFLAGS@
KRB5_GSSAPI_CFLAGS = @KRB5_GSSAPI_CFLAGS@
KRB5_GSSAPI_LIBS = @KRB5_GSSAPI_LIBS@
@@ -226,6 +235,8 @@ LD = @LD@
LDAP_CFLAGS = @LDAP_CFLAGS@
LDAP_LIBS = @LDAP_LIBS@
LDFLAGS = @LDFLAGS@
LIBCURL_CFLAGS = @LIBCURL_CFLAGS@
LIBCURL_LIBS = @LIBCURL_LIBS@
LIBICONV = @LIBICONV@
LIBINTL = @LIBINTL@
LIBINTL_LIBS = @LIBINTL_LIBS@
@@ -285,6 +296,8 @@ PLATFORM_PYTHON = @PLATFORM_PYTHON@
POPT_CFLAGS = @POPT_CFLAGS@
POPT_LIBS = @POPT_LIBS@
POSUB = @POSUB@
PWQUALITY_CFLAGS = @PWQUALITY_CFLAGS@
PWQUALITY_LIBS = @PWQUALITY_LIBS@
PYLINT = @PYLINT@
PYTHON = @PYTHON@
PYTHON_EXEC_PREFIX = @PYTHON_EXEC_PREFIX@
@@ -293,9 +306,12 @@ PYTHON_PLATFORM = @PYTHON_PLATFORM@
PYTHON_PREFIX = @PYTHON_PREFIX@
PYTHON_VERSION = @PYTHON_VERSION@
RANLIB = @RANLIB@
RESOLV_LIBS = @RESOLV_LIBS@
RPMLINT = @RPMLINT@
SAMBA40EXTRA_LIBPATH = @SAMBA40EXTRA_LIBPATH@
SAMBAUTIL_CFLAGS = @SAMBAUTIL_CFLAGS@
SAMBAUTIL_LIBS = @SAMBAUTIL_LIBS@
SAMBA_SECURITY_LIBS = @SAMBA_SECURITY_LIBS@
SASL_CFLAGS = @SASL_CFLAGS@
SASL_LIBS = @SASL_LIBS@
SED = @SED@
@@ -334,8 +350,10 @@ ac_ct_DUMPBIN = @ac_ct_DUMPBIN@
am__include = @am__include@
am__leading_dot = @am__leading_dot@
am__quote = @am__quote@
am__rm_f_notfound = @am__rm_f_notfound@
am__tar = @am__tar@
am__untar = @am__untar@
am__xargs_n = @am__xargs_n@
bindir = @bindir@
build = @build@
build_alias = @build_alias@
@@ -381,6 +399,7 @@ sharedstatedir = @sharedstatedir@
srcdir = @srcdir@
sysconfdir = @sysconfdir@
sysconfenvdir = @sysconfenvdir@
systemdcatalogdir = @systemdcatalogdir@
systemdsystemunitdir = @systemdsystemunitdir@
systemdtmpfilesdir = @systemdtmpfilesdir@
target_alias = @target_alias@
@@ -414,7 +433,9 @@ dist_man1_MANS = \
ipa-pkinit-manage.1 \
ipa-crlgen-manage.1 \
ipa-cert-fix.1 \
$(NULL)
ipa-acme-manage.1 \
ipa-migrate.1 \
$(NULL)
dist_man8_MANS = \
ipactl.8 \
@@ -546,7 +567,6 @@ ctags CTAGS:
cscope cscopelist:
distdir: $(BUILT_SOURCES)
$(MAKE) $(AM_MAKEFLAGS) distdir-am
@@ -611,8 +631,8 @@ mostlyclean-generic:
clean-generic:
distclean-generic:
-test -z "$(CONFIG_CLEAN_FILES)" || rm -f $(CONFIG_CLEAN_FILES)
-test . = "$(srcdir)" || test -z "$(CONFIG_CLEAN_VPATH_FILES)" || rm -f $(CONFIG_CLEAN_VPATH_FILES)
-$(am__rm_f) $(CONFIG_CLEAN_FILES)
-test . = "$(srcdir)" || $(am__rm_f) $(CONFIG_CLEAN_VPATH_FILES)
maintainer-clean-generic:
@echo "This command is intended for maintainers to use"
@@ -706,3 +726,10 @@ uninstall-man: uninstall-man1 uninstall-man8
# Tell versions [3.59,3.63) of GNU make to not export all variables.
# Otherwise a system limit (for SysV at least) may be exceeded.
.NOEXPORT:
# Tell GNU make to disable its built-in pattern rules.
%:: %,v
%:: RCS/%,v
%:: RCS/%
%:: s.%
%:: SCCS/s.%


@@ -0,0 +1,121 @@
.\"
.\" Copyright (C) 2020 FreeIPA Contributors see COPYING for license
.\"
.TH "ipa-acme-manage" "1" "Jun 2 2020" "IPA" "IPA Manual Pages"
.SH "NAME"
ipa\-acme\-manage \- Manage the IPA ACME service
.SH "SYNOPSIS"
ipa\-acme\-manage enable|disable|status
.SH "DESCRIPTION"
Use the \fIipa-acme-manage\fR command to enable, disable or retrieve
the status of the ACME service on a IPA CA server.
In a IPA topology all CA servers capable of ACME will
have the ACME service deployed. The service is not enabled
by default. It is expected that the ACME service will either be
enabled on all CA servers, or disabled on all CA servers. However
it must be enabled or disabled on each individual server.
.SH "COMMANDS"
.TP
\fBenable\fR
Enable the ACME service on this host.
.TP
\fBdisable\fR
Disable the ACME service on this host.
.TP
\fBstatus\fR
Display the status of the ACME service.
.TP
\fBpruning\fR
Configure certificate and request pruning.
.SH "PRUNING"
Pruning is a job that runs in the CA that can remove expired
certificates and certificate requests which have not been issued.
This is particularly important when using short-lived certificates
like those issued with the ACME protocol. Pruning requires that
the IPA server be installed with random serial numbers enabled.
The CA needs to be restarted after modifying the pruning configuration.
The job is a cron-like task within the CA that is controlled by a
number of options which dictate how long after the certificate or
request is considered no longer valid and removed from the LDAP
database.
The cron time and date fields are:
.IP
.ta 1.5i
field allowed values
.br
----- --------------
.br
minute 0-59
.br
hour 0-23
.br
day of month 1-31
.br
month 1-12
.br
day of week 0-6 (0 is Sunday)
.br
.PP
The cron syntax is limited to * or specific numbers. Ranges are not supported.
.TP
\fB\-\-enable\fR
Enable certificate pruning.
.TP
\fB\-\-disable\fR
Disable certificate pruning.
.TP
\fB\-\-cron=CRON\fR
Configure the pruning cron job. The syntax is similar to crontab(5) syntax.
For example, "0 0 1 * *" schedules the job to run at 12:00am on the first
day of each month.
.TP
\fB\-\-certretention=CERTRETENTION\fR
Certificate retention time. The default is 30. A value of 0 will remove expired certificates with no delay.
.TP
\fB\-\-certretentionunit=CERTRETENTIONUNIT\fR
Certificate retention units. Valid units are: minute, hour, day, year.
The default is days.
.TP
\fB\-\-certsearchsizelimit=CERTSEARCHSIZELIMIT\fR
LDAP search size limit searching for expired certificates. The default is 1000. This is a client-side limit. There may be additional server-side limitations.
.TP
\fB\-\-certsearchtimelimit=CERTSEARCHTIMELIMIT\fR
LDAP search time limit (seconds) searching for expired certificates. The default is 0, no limit. This is a client-side limit. There may be additional server-side limitations.
.TP
\fB\-\-requestretention=REQUESTRETENTION\fR
Request retention time. The default is 30. A value of 0 will remove expired requests with no delay.
.TP
\fB\-\-requestretentionunit=REQUESTRETENTIONUNIT\fR
Request retention units. Valid units are: minute, hour, day, year.
The default is days.
.TP
\fB\-\-requestsearchsizelimit=REQUESTSEARCHSIZELIMIT\fR
LDAP search size limit searching for unfulfilled requests. The default is 1000. There may be additional server-side limitations.
.TP
\fB\-\-requestsearchtimelimit=REQUESTSEARCHTIMELIMIT\fR
LDAP search time limit (seconds) searching for unfulfilled requests. The default is 0, no limit. There may be additional server-side limitations.
.TP
\fB\-\-config\-show\fR
Show the current pruning configuration
.TP
\fB\-\-run\fR
Run the pruning job now. The IPA RA certificate is used to authenticate to the PKI REST backend.
.SH "EXIT STATUS"
0 if the command was successful
1 if an error occurred
2 if the host is not a IPA server
3 if the host is not a CA server


@@ -16,7 +16,7 @@
.\"
.\" Author: Sumit Bose <sbose@redhat.com>
.\"
.TH "ipa-adtrust-install" "1" "April 11 2017" "FreeIPA" "FreeIPA Manual Pages"
.TH "ipa-adtrust-install" "1" "April 11 2017" "IPA" "IPA Manual Pages"
.SH "NAME"
ipa\-adtrust\-install \- Prepare an IPA server to be able to establish trust relationships with AD domains
.SH "SYNOPSIS"
@@ -87,7 +87,7 @@ ldapmodify command info the directory server.
.TP
\fB\-\-add\-agents\fR
Add IPA masters to the list that allows to serve information about
users from trusted forests. Starting with FreeIPA 4.2, a regular IPA master
users from trusted forests. Starting with IPA 4.2, a regular IPA master
can provide this information to SSSD clients. IPA masters aren't added
to the list automatically as restart of the LDAP service on each of them
is required. The host where ipa\-adtrust\-install is being run is added


@@ -16,7 +16,7 @@
.\"
.\" Author: Tomas Babej <tbabej@redhat.com>
.\"
.TH "ipa-advise" "1" "Jun 10 2013" "FreeIPA" "FreeIPA Manual Pages"
.TH "ipa-advise" "1" "Jun 10 2013" "IPA" "IPA Manual Pages"
.SH "NAME"
ipa\-advise \- Provide configurations advice for various use cases.
.SH "SYNOPSIS"
@@ -27,7 +27,7 @@ Provides customized advice for various IPA configuration issues.
For the list of possible ADVICEs available, run the ipa\-advise with no arguments.
.SH "OPTIONS"
.TP
\fB\-\-v\fR, \fB\-\-verbose\fR
\fB\-v\fR, \fB\-\-verbose\fR
Print debugging information
.TP
\fB\-d\fR, \fB\-\-debug\fR
@@ -41,4 +41,4 @@ Log to the given file
.SH "EXIT STATUS"
0 if the command was successful
1 if an error occurred
1 if an error occurred


@@ -16,7 +16,7 @@
.\"
.\" Author: Rob Crittenden <rcritten@redhat.com>
.\"
.TH "ipa-backup" "1" "Mar 22 2013" "FreeIPA" "FreeIPA Manual Pages"
.TH "ipa-backup" "1" "Mar 22 2013" "IPA" "IPA Manual Pages"
.SH "NAME"
ipa\-backup \- Back up an IPA master
.SH "SYNOPSIS"
@@ -54,7 +54,7 @@ Perform the backup on\-line. Requires the \-\-data option.
\fB\-\-disable\-role\-check\fR
Perform the backup even if this host does not have all the roles in use in the cluster. This is not recommended.
.TP
\fB\-\-v\fR, \fB\-\-verbose\fR
\fB\-v\fR, \fB\-\-verbose\fR
Print debugging information
.TP
\fB\-d\fR, \fB\-\-debug\fR


@@ -16,7 +16,7 @@
.\"
.\" Author: Rob Crittenden <rcritten@redhat.com>
.\"
.TH "ipa-ca-install" "1" "Mar 30 2017" "FreeIPA" "FreeIPA Manual Pages"
.TH "ipa-ca-install" "1" "Mar 30 2017" "IPA" "IPA Manual Pages"
.SH "NAME"
ipa\-ca\-install \- Install a CA on a server
.SH "SYNOPSIS"
@@ -77,11 +77,26 @@ The subject base for certificates issued by IPA (default O=REALM.NAME). RDNs ar
File containing overrides for CA installation.
.TP
\fB\-\-ca\-signing\-algorithm\fR=\fIALGORITHM\fR
Signing algorithm of the IPA CA certificate. Possible values are SHA1withRSA, SHA256withRSA, SHA512withRSA. Default value is SHA256withRSA. Use this option with --external-ca if the external CA does not support the default signing algorithm.
Signing algorithm of the IPA CA certificate. Possible values are SHA1withRSA, SHA256withRSA, SHA384withRSA, SHA512withRSA. Default value is SHA256withRSA. Use this option with --external-ca if the external CA does not support the default signing algorithm.
.TP
\fB\-\-no\-host\-dns\fR
Do not use DNS for hostname lookup during installation
.TP
\fB\-\-random\-serial\-numbers\fR
Enable Random Serial Numbers. Random serial numbers cannot be used in a mixed environment. Either all CA's have it enabled or none do.
.TP
\fB\-\-token\-name\fR=\fITOKEN_NAME\fR
The PKCS#11 token name if using an HSM to store and generate private keys.
.TP
\fB\-\-token\-library\-path\fR=\fITOKEN_LIBRARY_PATH\fR
The full path to the PKCS#11 shared library needed to access the HSM device.
.TP
\fB\-\-token\-password\fR=\fITOKEN_PASSWORD\fR
The PKCS#11 token password for the HSM.
.TP
\fB\-\-token\-password\-file\fR=\fITOKEN_PASSWORD_FILE\fR
The full path to a file containing the PKCS#11 token password.
.TP
\fB\-\-skip\-conncheck\fR
Skip connection check to remote master
.TP


@@ -16,7 +16,7 @@
.\"
.\" Author: Jan Cholasta <jcholast@redhat.com>
.\"
.TH "ipa-cacert-manage" "1" "Aug 12 2013" "FreeIPA" "FreeIPA Manual Pages"
.TH "ipa-cacert-manage" "1" "Aug 12 2013" "IPA" "IPA Manual Pages"
.SH "NAME"
ipa\-cacert\-manage \- Manage CA certificates in IPA
.SH "SYNOPSIS"
@@ -27,6 +27,8 @@ ipa\-cacert\-manage \- Manage CA certificates in IPA
\fBipa\-cacert\-manage\fR [\fIOPTIONS\fR...] delete \fINICKNAME\fR
.br
\fBipa\-cacert\-manage\fR [\fIOPTIONS\fR...] list
.br
\fBipa\-cacert\-manage\fR [\fIOPTIONS\fR...] prune
.SH "DESCRIPTION"
\fBipa\-cacert\-manage\fR can be used to manage CA certificates in IPA.
.SH "COMMANDS"
@@ -72,6 +74,13 @@ Please do not forget to run ipa-certupdate on the master, all the replicas and a
.RS
Display a list of the nicknames or subjects of the CA certificates that have been installed.
.RE
.TP
\fBprune\fR
\- Prune the stored CA certificates
.sp
.RS
Removes installed CA certificates that are expired.
.RE
.SH "COMMON OPTIONS"
.TP
\fB\-\-version\fR


@@ -1,7 +1,7 @@
.\"
.\" Copyright (C) 2019 FreeIPA Contributors see COPYING for license
.\"
.TH "ipa-cert-fix" "1" "Mar 25 2019" "FreeIPA" "FreeIPA Manual Pages"
.TH "ipa-cert-fix" "1" "Mar 25 2019" "IPA" "IPA Manual Pages"
.SH "NAME"
ipa\-cert\-fix \- Renew expired certificates
.SH "SYNOPSIS"
@@ -9,7 +9,7 @@ ipa\-cert\-fix [options]
.SH "DESCRIPTION"
\fIipa-cert-fix\fR is a tool for recovery when expired certificates
prevent the normal operation of FreeIPA. It should ONLY be used in
prevent the normal operation of IPA. It should ONLY be used in
such scenarios, and backup of the system, especially certificates
and keys, is \fBSTRONGLY RECOMMENDED\fR.
@@ -22,7 +22,7 @@ This tool cannot renew certificates signed by external CAs. To
install new, externally-signed HTTP, LDAP or KDC certificates, use
\fIipa-server-certinstall(1)\fR.
\fIipa-cert-fix\fR will examine FreeIPA and Certificate System
\fIipa-cert-fix\fR will examine IPA and Certificate System
certificates and renew certificates that are expired, or close to
expiry (less than two weeks). If any "shared" certificates are
renewed, \fIipa-cert-fix\fR will set the current server to be the CA
@@ -39,6 +39,13 @@ for shared certificates via \fIgetcert-resubmit(1)\fR (on the other
CA server). This is to avoid unnecessary renewal of shared
certificates.
Important note: the \fIcertmonger\fR daemon does not immediately notice
the updated certificates and may trigger a renewal after \fIipa-cert-fix\fR
completes. As a consequence, \fIgetcert list\fR output may display
that a renewal is in progress even if \fIipa-cert-fix\fR just
finished. It is recommended to monitor the certmonger-initiated
renewal and wait for its completion before any other administrative task.
.SH "OPTIONS"
.TP
\fB\-\-version\fR


@@ -16,7 +16,7 @@
.\"
.\" Author: Simo Sorce <ssorce@redhat.com>
.\"
.TH "ipa-compat-manage" "1" "Dec 2 2008" "FreeIPA" "FreeIPA Manual Pages"
.TH "ipa-compat-manage" "1" "Dec 2 2008" "IPA" "IPA Manual Pages"
.SH "NAME"
ipa\-compat\-manage \- Enables or disables the schema compatibility plugin
.SH "SYNOPSIS"


@@ -1,7 +1,7 @@
.\"
.\" Copyright (C) 2019 FreeIPA Contributors see COPYING for license
.\"
.TH "ipa-crlgen-manage" "1" "Feb 12 2019" "FreeIPA" "FreeIPA Manual Pages"
.TH "ipa-crlgen-manage" "1" "Feb 12 2019" "IPA" "IPA Manual Pages"
.SH "NAME"
ipa\-crlgen\-manage \- Enables or disables CRL generation
.SH "SYNOPSIS"


@@ -16,7 +16,7 @@
.\"
.\" Author: Rob Crittenden <rcritten@redhat.com>
.\"
.TH "ipa-csreplica-manage" "1" "Jul 14 2011" "FreeIPA" "FreeIPA Manual Pages"
.TH "ipa-csreplica-manage" "1" "Jul 14 2011" "IPA" "IPA Manual Pages"
.SH "NAME"
ipa\-csreplica\-manage \- Manage an IPA CS replica
.SH "SYNOPSIS"


@@ -1,7 +1,7 @@
.\" A man page for ipa-dns-install
.\" Copyright (C) 2010-2016 FreeIPA Contributors see COPYING for license
.\"
.TH "ipa-dns-install" "1" "Jun 28, 2012" "FreeIPA" "FreeIPA Manual Pages"
.TH "ipa-dns-install" "1" "Jun 28, 2012" "IPA" "IPA Manual Pages"
.SH "NAME"
ipa\-dns\-install \- Add DNS as a service to an IPA server
.SH "SYNOPSIS"
@@ -12,7 +12,7 @@ In cases where the IPA server name does not belong to the primary DNS domain and
IPA provides an integrated DNS server which can be used to simplify IPA deployment. If you decide to use it, IPA will automatically maintain SRV and other service records when you change your topology.
The DNS component in FreeIPA is optional and you may choose to manage all your DNS records manually on another third party DNS server. IPA DNS is not a general-purpose DNS server. If you need advanced features like DNS views, do not deploy IPA DNS.
The DNS component in IPA is optional and you may choose to manage all your DNS records manually on another third party DNS server. IPA DNS is not a general-purpose DNS server. If you need advanced features like DNS views, do not deploy IPA DNS.
This command requires that an IPA server is already installed and configured.
