Import Upstream version 4.12.4

2025-08-12 22:28:56 +02:00
parent 03a8170b15
commit 9181ee2487
1629 changed files with 874094 additions and 554378 deletions
--- a/install/share/60basev2.ldif
+++ b/install/share/60basev2.ldif
@@ -3,6 +3,7 @@
 ## Attributes:		2.16.840.1.113730.3.8.3 - V2 base attributres
 ## ObjectClasses:	2.16.840.1.113730.3.8.4 - V2 base objectclasses
 ## Attributes:		2.16.840.1.113730.3.8.23 - V4 base attributes
+## ObjectClasses:	2.16.840.1.113730.3.8.24 - V4 base objectclasses
 ##
 dn: cn=schema
 attributeTypes: (2.16.840.1.113730.3.8.3.1 NAME 'ipaUniqueID' DESC 'Unique identifier' EQUALITY caseIgnoreMatch ORDERING caseIgnoreOrderingMatch SYNTAX 1.3.6.1.4.1.1466.115.121.1.15 X-ORIGIN 'IPA v2' )
@@ -52,3 +53,9 @@ attributeTypes: (2.16.840.1.113730.3.8.3.17 NAME 'hostCApolicy' DESC 'Policy on
 objectClasses: (2.16.840.1.113730.3.8.4.9 NAME 'ipaCAaccess' STRUCTURAL MAY (member $ hostCApolicy) X-ORIGIN 'IPA v2' )
 objectClasses: (2.16.840.1.113730.3.8.4.10 NAME 'ipaHBACService' STRUCTURAL MUST ( cn ) MAY ( description $ memberOf ) X-ORIGIN 'IPA v2' )
 objectClasses: (2.16.840.1.113730.3.8.4.11 NAME 'ipaHBACServiceGroup' DESC 'IPA HBAC service group object class' SUP groupOfNames STRUCTURAL X-ORIGIN 'IPA v2' )
+# IPA password policy configuration via libpwquality
+attributeTypes: (2.16.840.1.113730.3.8.23.2 NAME 'ipaPwdMaxRepeat' EQUALITY integerMatch SYNTAX 1.3.6.1.4.1.1466.115.121.1.27 SINGLE-VALUE X-ORIGIN 'IPA v4')
+attributeTypes: (2.16.840.1.113730.3.8.23.3 NAME 'ipaPwdMaxSequence' EQUALITY integerMatch SYNTAX 1.3.6.1.4.1.1466.115.121.1.27 SINGLE-VALUE X-ORIGIN 'IPA v4')
+attributeTypes: (2.16.840.1.113730.3.8.23.4 NAME 'ipaPwdDictCheck' EQUALITY booleanMatch SYNTAX 1.3.6.1.4.1.1466.115.121.1.7 SINGLE-VALUE X-ORIGIN 'IPA v4')
+attributeTypes: (2.16.840.1.113730.3.8.23.5 NAME 'ipaPwdUserCheck' EQUALITY booleanMatch SYNTAX 1.3.6.1.4.1.1466.115.121.1.7 SINGLE-VALUE X-ORIGIN 'IPA v4')
+objectClasses: (2.16.840.1.113730.3.8.24.1 NAME 'ipaPwdPolicy' DESC 'IPA Password policy object class' SUP top MAY (ipaPwdMaxRepeat $ ipaPwdMaxSequence $ ipaPwdDictCheck $ ipaPwdUserCheck $ passwordGraceLimit) X-ORIGIN 'IPA v4')
--- a/install/share/60basev3.ldif
+++ b/install/share/60basev3.ldif
@@ -62,6 +62,7 @@ attributeTypes: (2.16.840.1.113730.3.8.18.2.1 NAME 'ipaVaultType' DESC 'IPA vaul
 attributeTypes: (2.16.840.1.113730.3.8.18.2.2 NAME 'ipaVaultSalt' DESC 'IPA vault salt' EQUALITY octetStringMatch SYNTAX 1.3.6.1.4.1.1466.115.121.1.40 X-ORIGIN 'IPA v4.2' )
 # FIXME: https://bugzilla.redhat.com/show_bug.cgi?id=1267782
 attributeTypes: (2.16.840.1.113730.3.8.18.2.3 NAME 'ipaVaultPublicKey' DESC 'IPA vault public key' EQUALITY octetStringMatch SYNTAX 1.3.6.1.4.1.1466.115.121.1.40 X-ORIGIN 'IPA v4.2' )
+attributeTypes: (2.16.840.1.113730.3.8.23.6 NAME 'ipaAutoPrivateGroups' DESC 'Auto private groups' EQUALITY caseIgnoreIA5Match SUBSTR caseIgnoreIA5SubstringsMatch SYNTAX 1.3.6.1.4.1.1466.115.121.1.26 X-ORIGIN 'IPA v4.9' )
 objectClasses: (2.16.840.1.113730.3.8.12.1 NAME 'ipaExternalGroup' SUP top STRUCTURAL MUST ( cn ) MAY ( ipaExternalMember $ memberOf $ description $ owner) X-ORIGIN 'IPA v3' )
 objectClasses: (2.16.840.1.113730.3.8.12.2 NAME 'ipaNTUserAttrs' SUP top AUXILIARY MUST ( ipaNTSecurityIdentifier ) MAY ( ipaNTHash $ ipaNTLogonScript $ ipaNTProfilePath $ ipaNTHomeDirectory $ ipaNTHomeDirectoryDrive ) X-ORIGIN 'IPA v3' )
 objectClasses: (2.16.840.1.113730.3.8.12.3 NAME 'ipaNTGroupAttrs' SUP top AUXILIARY MUST ( ipaNTSecurityIdentifier ) X-ORIGIN 'IPA v3' )
@@ -76,7 +77,7 @@ objectClasses: (2.16.840.1.113730.3.8.12.13 NAME 'ipaSshHost' SUP ipaSshGroupOfP
 objectClasses: (2.16.840.1.113730.3.8.12.14 NAME 'ipaIDobject' SUP top AUXILIARY MAY ( uidNumber $ gidNumber $ ipaNTSecurityIdentifier ) X-ORIGIN 'IPA v3' )
 objectClasses: (2.16.840.1.113730.3.8.12.15 NAME 'ipaIDrange' ABSTRACT MUST ( cn $ ipaBaseID $ ipaIDRangeSize $ ipaRangeType ) X-ORIGIN 'IPA v3' )
 objectClasses: (2.16.840.1.113730.3.8.12.16 NAME 'ipaDomainIDRange' SUP ipaIDrange STRUCTURAL MAY ( ipaBaseRID $ ipaSecondaryBaseRID ) X-ORIGIN 'IPA v3' )
-objectClasses: (2.16.840.1.113730.3.8.12.17 NAME 'ipaTrustedADDomainRange' SUP ipaIDrange STRUCTURAL MUST ( ipaBaseRID $ ipaNTTrustedDomainSID ) X-ORIGIN 'IPA v3' )
+objectClasses: (2.16.840.1.113730.3.8.12.17 NAME 'ipaTrustedADDomainRange' SUP ipaIDrange STRUCTURAL MUST ( ipaBaseRID $ ipaNTTrustedDomainSID ) MAY ( ipaAutoPrivateGroups ) X-ORIGIN 'IPA v3' )
 objectClasses: (2.16.840.1.113730.3.8.12.19 NAME 'ipaUserAuthTypeClass' SUP top AUXILIARY DESC 'Class for authentication methods definition' MAY ipaUserAuthType X-ORIGIN 'IPA v3')
 objectClasses: (2.16.840.1.113730.3.8.12.20 NAME 'ipaUser' AUXILIARY MUST ( uid) MAY ( userClass $ ipaKrbAuthzData ) X-ORIGIN 'IPA v3' )
 objectClasses: (2.16.840.1.113730.3.8.12.21 NAME 'ipaPermissionV2' DESC 'IPA Permission objectclass, version 2' SUP ipaPermission AUXILIARY MUST ( ipaPermBindRuleType $ ipaPermLocation ) MAY ( ipaPermDefaultAttr $ ipaPermIncludedAttr $ ipaPermExcludedAttr $ ipaPermRight $ ipaPermTargetFilter $ ipaPermTarget $ ipaPermTargetTo $ ipaPermTargetFrom ) X-ORIGIN 'IPA v4.0' )
--- a/install/share/60basev4.ldif
+++ b/install/share/60basev4.ldif
@@ -0,0 +1,39 @@
+## IPA Base OID:	2.16.840.1.113730.3.8
+##
+## Attributes:		2.16.840.1.113730.3.8.23 - V4 base attributes
+## ObjectClasses:	2.16.840.1.113730.3.8.24 - V4 base objectclasses
+##
+dn: cn=schema
+# subordinate ids
+# range ceiling OIDs are reserved for future use
+attributeTypes: ( 2.16.840.1.113730.3.8.23.7 NAME 'ipaSubUidNumber' DESC 'Numerical subordinate user ID (range start value)' EQUALITY integerMatch ORDERING integerOrderingMatch SYNTAX 1.3.6.1.4.1.1466.115.121.1.27 SINGLE-VALUE X-ORIGIN 'IPA v4.9')
+attributeTypes: ( 2.16.840.1.113730.3.8.23.8 NAME 'ipaSubUidCount' DESC 'Subordinate user ID count (range size)' EQUALITY integerMatch ORDERING integerOrderingMatch SYNTAX 1.3.6.1.4.1.1466.115.121.1.27 SINGLE-VALUE X-ORIGIN 'IPA v4.9')
+# attributeTypes: ( 2.16.840.1.113730.3.8.23.9 NAME 'ipaSubUidCeiling' DESC 'Numerical subordinate user ID ceiling (largest value in range)' EQUALITY integerMatch ORDERING integerOrderingMatch SYNTAX 1.3.6.1.4.1.1466.115.121.1.27 SINGLE-VALUE X-ORIGIN 'IPA v4.9')
+attributeTypes: ( 2.16.840.1.113730.3.8.23.10 NAME 'ipaSubGidNumber' DESC 'Numerical subordinate group ID (range start value)' EQUALITY integerMatch ORDERING integerOrderingMatch SYNTAX 1.3.6.1.4.1.1466.115.121.1.27 SINGLE-VALUE X-ORIGIN 'IPA v4.9')
+attributeTypes: ( 2.16.840.1.113730.3.8.23.11 NAME 'ipaSubGidCount' DESC 'Subordinate group ID count (range size)' EQUALITY integerMatch ORDERING integerOrderingMatch SYNTAX 1.3.6.1.4.1.1466.115.121.1.27 SINGLE-VALUE X-ORIGIN 'IPA v4.9')
+# attributeTypes: ( 2.16.840.1.113730.3.8.23.12 NAME 'ipaSubGidCeiling' DESC 'Numerical subordinate user ID ceiling (largest value in range)' EQUALITY integerMatch ORDERING integerOrderingMatch SYNTAX 1.3.6.1.4.1.1466.115.121.1.27 SINGLE-VALUE X-ORIGIN 'IPA v4.9')
+attributeTypes: ( 2.16.840.1.113730.3.8.23.13 NAME 'ipaOwner' DESC 'Owner of an entry' SUP distinguishedName EQUALITY distinguishedNameMatch SYNTAX 1.3.6.1.4.1.1466.115.121.1.12 SINGLE-VALUE X-ORIGIN 'IPA v4.9')
+# attribute 2.16.840.1.113730.3.8.23.14 'ipaUserDefaultSubordinateId' is defined in 60ipaconfig.ldif
+objectClasses: (2.16.840.1.113730.3.8.24.2 NAME 'ipaSubordinateUid' DESC 'Subordinate uids for users, see subuid(5)' SUP top AUXILIARY MUST ( ipaOwner $ ipaSubUidNumber $ ipaSubUidCount ) X-ORIGIN 'IPA v4.9')
+objectClasses: (2.16.840.1.113730.3.8.24.3 NAME 'ipaSubordinateGid' DESC 'Subordinate gids for users, see subgid(5)' SUP top AUXILIARY MUST ( ipaOwner $ ipaSubGidNumber $ ipaSubGidCount ) X-ORIGIN 'IPA v4.9')
+objectClasses: (2.16.840.1.113730.3.8.24.4 NAME 'ipaSubordinateId' DESC 'Subordinate uid and gid for users' SUP top AUXILIARY MUST ( ipaOwner $ ipaSubUidNumber $ ipaSubUidCount $ ipaSubGidNumber $ ipaSubGidCount ) X-ORIGIN 'IPA v4.9')
+objectClasses: (2.16.840.1.113730.3.8.24.5 NAME 'ipaSubordinateIdEntry' DESC 'Subordinate uid and gid entry' SUP top STRUCTURAL MUST ( ipaUniqueId ) MAY ( description ) X-ORIGIN 'IPA v4.9')
+# External IdP support
+attributeTypes: (2.16.840.1.113730.3.8.23.15 NAME 'ipaIdpDevAuthEndpoint' DESC 'Identity Provider Device Authorization Endpoint' EQUALITY caseExactMatch SYNTAX 1.3.6.1.4.1.1466.115.121.1.15 X-ORIGIN 'IPA v4.9' )
+attributeTypes: (2.16.840.1.113730.3.8.23.16 NAME 'ipaIdpAuthEndpoint' DESC 'Identity Provider Authorization Endpoint' EQUALITY caseExactMatch SYNTAX 1.3.6.1.4.1.1466.115.121.1.15 X-ORIGIN 'IPA v4.9' )
+attributeTypes: (2.16.840.1.113730.3.8.23.17 NAME 'ipaIdpTokenEndpoint' DESC 'Identity Provider Token Endpoint' EQUALITY caseExactMatch SYNTAX 1.3.6.1.4.1.1466.115.121.1.15 X-ORIGIN 'IPA v4.9' )
+attributeTypes: (2.16.840.1.113730.3.8.23.18 NAME 'ipaIdpClientId' DESC 'Identity Provider Client Identifier' EQUALITY caseExactMatch SYNTAX 1.3.6.1.4.1.1466.115.121.1.15 X-ORIGIN 'IPA v4.9' )
+attributeTypes: (2.16.840.1.113730.3.8.23.19 NAME 'ipaIdpClientSecret' DESC 'Identity Provider Client Secret' EQUALITY octetStringMatch SYNTAX 1.3.6.1.4.1.1466.115.121.1.40 X-ORIGIN 'IPA v4.9' )
+attributeTypes: (2.16.840.1.113730.3.8.23.20 NAME 'ipaIdpScope' DESC 'Identity Provider Scope' EQUALITY caseExactMatch SYNTAX 1.3.6.1.4.1.1466.115.121.1.15 X-ORIGIN 'IPA v4.9' )
+attributeTypes: (2.16.840.1.113730.3.8.23.21 NAME 'ipaIdpConfigLink' DESC 'Corresponding Identity Provider Configuration link' SUP distinguishedName EQUALITY distinguishedNameMatch SYNTAX 1.3.6.1.4.1.1466.115.121.1.12 SINGLE-VALUE X-ORIGIN 'IPA v4.9')
+attributeTypes: (2.16.840.1.113730.3.8.23.22 NAME 'ipaIdpSub' DESC 'Identity Provider User Subject' EQUALITY caseExactMatch SYNTAX 1.3.6.1.4.1.1466.115.121.1.15 X-ORIGIN 'IPA v4.9' )
+attributeTypes: (2.16.840.1.113730.3.8.23.23 NAME 'ipaIdpIssuerURL' DESC 'Identity Provider OIDC URL' EQUALITY caseExactMatch SYNTAX 1.3.6.1.4.1.1466.115.121.1.15 X-ORIGIN 'IPA v4.9' )
+attributeTypes: (2.16.840.1.113730.3.8.23.24 NAME 'ipaIdpUserInfoEndpoint' DESC 'Identity Provider UserInfo Endpoint' EQUALITY caseExactMatch SYNTAX 1.3.6.1.4.1.1466.115.121.1.15 X-ORIGIN 'IPA v4.9' )
+attributeTypes: (2.16.840.1.113730.3.8.23.25 NAME 'ipaIdpKeysEndpoint' DESC 'Identity Provider JWKS Endpoint' EQUALITY caseExactMatch SYNTAX 1.3.6.1.4.1.1466.115.121.1.15 X-ORIGIN 'IPA v4.9' )
+objectClasses: (2.16.840.1.113730.3.8.24.6 NAME 'ipaIdP' SUP top STRUCTURAL DESC 'Identity Provider Configuration' MUST ( cn ) MAY ( ipaIdpDevAuthEndpoint $ ipaIdpAuthEndpoint $ ipaIdpTokenEndpoint $ ipaIdpUserInfoEndpoint $ ipaIdpKeysEndpoint $ ipaIdpClientId $ description $ ipaIdpClientSecret $ ipaIdpScope $ ipaIdpIssuerURL $ ipaIdpSub ) X-ORIGIN 'IPA v4.9' )
+objectClasses: (2.16.840.1.113730.3.8.24.7 NAME 'ipaIdpUser' SUP top AUXILIARY DESC 'User from an external Identity Provider ' MAY ( ipaIdpConfigLink $ ipaIdpSub ) X-ORIGIN 'IPA v4.9' )
+### Passkey support
+attributeTypes: ( 2.16.840.1.113730.3.8.23.26 NAME 'ipaRequireUserVerification' DESC 'require passkey user verification' EQUALITY booleanMatch SYNTAX 1.3.6.1.4.1.1466.115.121.1.7 SINGLE-VALUE X-ORIGIN 'IPA v4.10')
+attributeTypes: ( 2.16.840.1.113730.3.8.23.27 NAME 'ipapasskey' DESC 'Passkey mapping' EQUALITY caseExactMatch SYNTAX 1.3.6.1.4.1.1466.115.121.1.15 X-ORIGIN 'IPA v4.10' )
+objectclasses: ( 2.16.840.1.113730.3.8.24.8 NAME 'ipaPasskeyConfigObject' DESC 'IPA passkey global config options' AUXILIARY MUST ipaRequireUserVerification X-ORIGIN 'IPA v4.10')
+objectclasses: ( 2.16.840.1.113730.3.8.24.9 NAME 'ipaPasskeyUser' DESC 'IPA passkey user' AUXILIARY MAY ipapasskey X-ORIGIN 'IPA v4.10')
--- a/install/share/60certificate-profiles.ldif
+++ b/install/share/60certificate-profiles.ldif
@@ -7,6 +7,8 @@ attributeTypes: (2.16.840.1.113730.3.8.21.1.5 NAME 'ipaCertProfileCategory' DESC
 attributeTypes: (2.16.840.1.113730.3.8.21.1.6 NAME 'ipaCaId' DESC 'Dogtag Authority ID' EQUALITY caseIgnoreMatch ORDERING caseIgnoreOrderingMatch SUBSTR caseIgnoreSubstringsMatch SYNTAX 1.3.6.1.4.1.1466.115.121.1.15 X-ORIGIN 'IPA v4.4 Lightweight CAs' )
 attributeTypes: (2.16.840.1.113730.3.8.21.1.7 NAME 'ipaCaIssuerDN' DESC 'Issuer DN' SUP distinguishedName X-ORIGIN 'IPA v4.4 Lightweight CAs' )
 attributeTypes: (2.16.840.1.113730.3.8.21.1.8 NAME 'ipaCaSubjectDN' DESC 'Subject DN' SUP distinguishedName X-ORIGIN 'IPA v4.4 Lightweight CAs' )
+attributeTypes: (2.16.840.1.113730.3.8.21.1.9 NAME 'ipaCaRandomSerialNumberVersion' DESC 'Random Serial Number Version' EQUALITY integerMatch ORDERING integerOrderingMatch SYNTAX 1.3.6.1.4.1.1466.115.121.1.27 SINGLE-VALUE X-ORIGIN 'IPA v4.9 RSNv3' )
+attributeTypes: (2.16.840.1.113730.3.8.21.1.10 NAME 'ipaCaHSMConfiguration' DESC 'HSM Configuration' EQUALITY caseIgnoreMatch ORDERING caseIgnoreOrderingMatch SYNTAX 1.3.6.1.4.1.1466.115.121.1.15 SINGLE-VALUE X-ORIGIN 'IPA v4.10 HSM' )
 objectClasses: (2.16.840.1.113730.3.8.21.2.1 NAME 'ipaCertProfile' SUP top STRUCTURAL MUST ( cn $ description $ ipaCertProfileStoreIssued ) X-ORIGIN 'IPA v4.2' )
 objectClasses: (2.16.840.1.113730.3.8.21.2.2 NAME 'ipaCaAcl' SUP ipaAssociation STRUCTURAL MUST cn MAY ( ipaCaCategory $ ipaCertProfileCategory $ userCategory $ hostCategory $ serviceCategory $ ipaMemberCa $ ipaMemberCertProfile $ memberService ) X-ORIGIN 'IPA v4.2' )
-objectClasses: (2.16.840.1.113730.3.8.21.2.3 NAME 'ipaCa' SUP top STRUCTURAL MUST ( cn $ ipaCaId $ ipaCaSubjectDN $ ipaCaIssuerDN ) MAY description X-ORIGIN 'IPA v4.4 Lightweight CAs' )
+objectClasses: (2.16.840.1.113730.3.8.21.2.3 NAME 'ipaCa' SUP top STRUCTURAL MUST ( cn $ ipaCaId $ ipaCaSubjectDN $ ipaCaIssuerDN ) MAY ( description $ ipaCaRandomSerialNumberVersion $ ipaCaHSMConfiguration) X-ORIGIN 'IPA v4.4 Lightweight CAs' )
--- a/install/share/60ipaconfig.ldif
+++ b/install/share/60ipaconfig.ldif
@@ -6,6 +6,7 @@
 ## ObjectClasses:	2.16.840.1.113730.3.8.2 - V1
 ## Attributes:		2.16.840.1.113730.3.8.3 - V2
 ## ObjectClasses:	2.16.840.1.113730.3.8.4 - V2
+## Attributes:		2.16.840.1.113730.3.8.23 - V4 base attributes
 dn: cn=schema
 ###############################################
 ##
@@ -45,11 +46,13 @@ attributeTypes: ( 2.16.840.1.113730.3.8.3.26 NAME 'ipaSELinuxUserMapDefault' DES
 attributeTypes: ( 2.16.840.1.113730.3.8.3.27 NAME 'ipaSELinuxUserMapOrder' DESC 'Available SELinux user context ordering' EQUALITY caseIgnoreMatch ORDERING caseIgnoreMatch SUBSTR caseIgnoreSubstringsMatch SYNTAX 1.3.6.1.4.1.1466.115.121.1.15 SINGLE-VALUE X-ORIGIN 'IPA v3')
 ## ipaMaxHostnameLength - maximum hostname length to allow
 attributeTypes: ( 2.16.840.1.113730.3.8.1.28 NAME 'ipaMaxHostnameLength' EQUALITY integerMatch SYNTAX 1.3.6.1.4.1.1466.115.121.1.27 SINGLE-VALUE)
+# ipaUserDefaultSubordinateId - if TRUE new user entries gain subordinate id by default
+attributeTypes: ( 2.16.840.1.113730.3.8.23.14 NAME 'ipaUserDefaultSubordinateId' DESC 'Enable adding user entries with subordinate id' SYNTAX 1.3.6.1.4.1.1466.115.121.1.7 SINGLE-VALUE X-ORIGIN 'IPA v4.9')
 ###############################################
 ##
 ## ObjectClasses
 ##
 ## ipaGuiConfig - GUI config parameters objectclass
-objectClasses: ( 2.16.840.1.113730.3.8.2.1 NAME 'ipaGuiConfig' AUXILIARY MAY ( ipaUserSearchFields $ ipaGroupSearchFields $ ipaSearchTimeLimit $ ipaSearchRecordsLimit $ ipaCustomFields $ ipaHomesRootDir $ ipaDefaultLoginShell $ ipaDefaultPrimaryGroup $ ipaMaxUsernameLength $ ipaPwdExpAdvNotify $ ipaUserObjectClasses $ ipaGroupObjectClasses $ ipaDefaultEmailDomain $ ipaMigrationEnabled $ ipaCertificateSubjectBase $ ipaSELinuxUserMapDefault $ ipaSELinuxUserMapOrder $ ipaKrbAuthzData $ ipaMaxHostnameLength) )
+objectClasses: ( 2.16.840.1.113730.3.8.2.1 NAME 'ipaGuiConfig' AUXILIARY MAY ( ipaUserSearchFields $ ipaGroupSearchFields $ ipaSearchTimeLimit $ ipaSearchRecordsLimit $ ipaCustomFields $ ipaHomesRootDir $ ipaDefaultLoginShell $ ipaDefaultPrimaryGroup $ ipaMaxUsernameLength $ ipaPwdExpAdvNotify $ ipaUserObjectClasses $ ipaGroupObjectClasses $ ipaDefaultEmailDomain $ ipaMigrationEnabled $ ipaCertificateSubjectBase $ ipaSELinuxUserMapDefault $ ipaSELinuxUserMapOrder $ ipaKrbAuthzData $ ipaMaxHostnameLength $ ipaUserDefaultSubordinateId) )
 ## ipaConfigObject - Generic config strings object holder
 objectClasses: (2.16.840.1.113730.3.8.4.13 NAME 'ipaConfigObject' DESC 'generic config object for IPA' AUXILIARY MAY ( ipaConfigString ) X-ORIGIN 'IPA v2' )
--- a/install/share/61kerberos-ipav3.ldif
+++ b/install/share/61kerberos-ipav3.ldif
@@ -1,3 +1,5 @@
 dn: cn=schema
 attributeTypes: (2.16.840.1.113730.3.8.11.32 NAME 'ipaKrbPrincipalAlias' DESC 'DEPRECATED - DO NOT USE' EQUALITY caseIgnoreMatch ORDERING caseIgnoreOrderingMatch SUBSTR caseIgnoreSubstringsMatch SYNTAX 1.3.6.1.4.1.1466.115.121.1.15 SINGLE-VALUE X-ORIGIN 'IPA v3')
 objectClasses: (2.16.840.1.113730.3.8.12.8 NAME 'ipaKrbPrincipal' SUP krbPrincipalAux AUXILIARY MUST ( krbPrincipalName $ ipaKrbPrincipalAlias ) X-ORIGIN 'IPA v3' )
+# Resource delegation object class uses memberPrincipal to specify targets and requires a Kerberos principal
+objectClasses: (2.16.840.1.113730.3.8.24.10 NAME 'resourceDelegation' SUP krbPrincipal AUXILIARY MAY ( memberPrincipal ) X-ORIGIN 'IPA v4.10' )
--- a/install/share/Makefile.am
+++ b/install/share/Makefile.am
@@ -16,6 +16,7 @@ dist_app_DATA =				\
 	60ipaconfig.ldif		\
 	60basev2.ldif			\
 	60basev3.ldif			\
+	60basev4.ldif			\
 	60ipadns.ldif			\
 	60ipapk11.ldif			\
 	60certificate-profiles.ldif	\
@@ -37,17 +38,18 @@ dist_app_DATA =				\
 	default-trust-view.ldif		\
 	delegation.ldif			\
 	replica-acis.ldif		\
-	replica-prevent-time-skew.ldif  \
 	ds-nfiles.ldif			\
 	ds-ipa-env.conf.template	\
 	dns.ldif			\
 	dnssec.ldif			\
 	domainlevel.ldif			\
 	kerberos.ldif			\
-	indices.ldif			\
 	bind.ipa-ext.conf.template		\
 	bind.ipa-options-ext.conf.template	\
+	bind.ipa-logging-ext.conf.template	\
 	bind.named.conf.template	\
+	bind.openssl.cnf.template	\
+	bind.openssl.cryptopolicy.cnf.template	\
 	certmap.conf.template		\
 	kdc.conf.template		\
 	kdc_extensions.template		\
@@ -79,7 +81,6 @@ dist_app_DATA =				\
 	uuid.ldif		\
 	modrdn-krbprinc.ldif		\
 	entryusn.ldif			\
-	root-autobind.ldif		\
 	pw-logging-conf.ldif	\
 	sudobind.ldif			\
 	automember.ldif			\
@@ -102,6 +103,11 @@ dist_app_DATA =				\
 	ipaca_default.ini		\
 	ipaca_customize.ini		\
 	ipaca_softhsm2.ini		\
+	pki-acme-configsources.conf.template	\
+	pki-acme-database.conf.template	\
+	pki-acme-engine.conf.template	\
+	pki-acme-issuer.conf.template	\
+	pki-acme-realm.conf.template	\
 	ldbm-tuning.ldif		\
 	$(NULL)

--- a/install/share/Makefile.in
+++ b/install/share/Makefile.in
@@ -1,7 +1,7 @@
-# Makefile.in generated by automake 1.16.2 from Makefile.am.
+# Makefile.in generated by automake 1.17 from Makefile.am.
 # @configure_input@

-# Copyright (C) 1994-2020 Free Software Foundation, Inc.
+# Copyright (C) 1994-2024 Free Software Foundation, Inc.

 # This Makefile.in is free software; the Free Software Foundation
 # gives unlimited permission to copy and/or distribute it,
@@ -70,6 +70,8 @@ am__make_running_with_option = \
  test $$has_opt = yes
 am__make_dryrun = (target_option=n; $(am__make_running_with_option))
 am__make_keepgoing = (target_option=k; $(am__make_running_with_option))
+am__rm_f = rm -f $(am__rm_f_notfound)
+am__rm_rf = rm -rf $(am__rm_f_notfound)
 pkgdatadir = $(datadir)/@PACKAGE@
 pkgincludedir = $(includedir)/@PACKAGE@
 pkglibdir = $(libdir)/@PACKAGE@
@@ -156,10 +158,9 @@ am__base_list = \
  sed '$$!N;$$!N;$$!N;$$!N;$$!N;$$!N;$$!N;s/\n/ /g' | \
  sed '$$!N;$$!N;$$!N;$$!N;s/\n/ /g'
 am__uninstall_files_from_dir = { \
-  test -z "$$files" \
-    || { test ! -d "$$dir" && test ! -f "$$dir" && test ! -r "$$dir"; } \
-    || { echo " ( cd '$$dir' && rm -f" $$files ")"; \
-         $(am__cd) "$$dir" && rm -f $$files; }; \
+  { test ! -d "$$dir" && test ! -f "$$dir" && test ! -r "$$dir"; } \
+  || { echo " ( cd '$$dir' && rm -f" $$files ")"; \
+       $(am__cd) "$$dir" && echo $$files | $(am__xargs_n) 40 $(am__rm_f); }; \
  }
 am__installdirs = "$(DESTDIR)$(appdir)" "$(DESTDIR)$(kdcproxyconfdir)"
 DATA = $(dist_app_DATA) $(dist_kdcproxyconf_DATA)
@@ -188,8 +189,6 @@ am__define_uniq_tagged_files = \
  unique=`for i in $$list; do \
    if test -f "$$i"; then echo $$i; else echo $(srcdir)/$$i; fi; \
  done | $(am__uniquify_input)`
-ETAGS = etags
-CTAGS = ctags
 DIST_SUBDIRS = $(SUBDIRS)
 am__DIST_COMMON = $(srcdir)/Makefile.in
 DISTFILES = $(DIST_COMMON) $(DIST_SOURCES) $(TEXINFOS) $(EXTRA_DIST)
@@ -237,6 +236,8 @@ CPP = @CPP@
 CPPFLAGS = @CPPFLAGS@
 CRYPTO_CFLAGS = @CRYPTO_CFLAGS@
 CRYPTO_LIBS = @CRYPTO_LIBS@
+CSCOPE = @CSCOPE@
+CTAGS = @CTAGS@
 CYGPATH_W = @CYGPATH_W@
 DATA_VERSION = @DATA_VERSION@
 DEFS = @DEFS@
@@ -250,8 +251,10 @@ ECHO_C = @ECHO_C@
 ECHO_N = @ECHO_N@
 ECHO_T = @ECHO_T@
 EGREP = @EGREP@
+ETAGS = @ETAGS@
 EXEEXT = @EXEEXT@
 FGREP = @FGREP@
+FILECMD = @FILECMD@
 GETTEXT_DOMAIN = @GETTEXT_DOMAIN@
 GETTEXT_MACRO_VERSION = @GETTEXT_MACRO_VERSION@
 GIT_BRANCH = @GIT_BRANCH@
@@ -259,6 +262,7 @@ GIT_VERSION = @GIT_VERSION@
 GMSGFMT = @GMSGFMT@
 GMSGFMT_015 = @GMSGFMT_015@
 GREP = @GREP@
+HTTPD_GROUP = @HTTPD_GROUP@
 INI_CFLAGS = @INI_CFLAGS@
 INI_LIBS = @INI_LIBS@
 INSTALL = @INSTALL@
@@ -271,9 +275,12 @@ INTL_MACOSX_LIBS = @INTL_MACOSX_LIBS@
 IPAPLATFORM = @IPAPLATFORM@
 IPA_DATA_DIR = @IPA_DATA_DIR@
 IPA_SYSCONF_DIR = @IPA_SYSCONF_DIR@
+JANSSON_CFLAGS = @JANSSON_CFLAGS@
+JANSSON_LIBS = @JANSSON_LIBS@
 JSLINT = @JSLINT@
 KRAD_LIBS = @KRAD_LIBS@
 KRB5KDC_SERVICE = @KRB5KDC_SERVICE@
+KRB5_BUILD_VERSION = @KRB5_BUILD_VERSION@
 KRB5_CFLAGS = @KRB5_CFLAGS@
 KRB5_GSSAPI_CFLAGS = @KRB5_GSSAPI_CFLAGS@
 KRB5_GSSAPI_LIBS = @KRB5_GSSAPI_LIBS@
@@ -282,6 +289,8 @@ LD = @LD@
 LDAP_CFLAGS = @LDAP_CFLAGS@
 LDAP_LIBS = @LDAP_LIBS@
 LDFLAGS = @LDFLAGS@
+LIBCURL_CFLAGS = @LIBCURL_CFLAGS@
+LIBCURL_LIBS = @LIBCURL_LIBS@
 LIBICONV = @LIBICONV@
 LIBINTL = @LIBINTL@
 LIBINTL_LIBS = @LIBINTL_LIBS@
@@ -341,6 +350,8 @@ PLATFORM_PYTHON = @PLATFORM_PYTHON@
 POPT_CFLAGS = @POPT_CFLAGS@
 POPT_LIBS = @POPT_LIBS@
 POSUB = @POSUB@
+PWQUALITY_CFLAGS = @PWQUALITY_CFLAGS@
+PWQUALITY_LIBS = @PWQUALITY_LIBS@
 PYLINT = @PYLINT@
 PYTHON = @PYTHON@
 PYTHON_EXEC_PREFIX = @PYTHON_EXEC_PREFIX@
@@ -349,9 +360,12 @@ PYTHON_PLATFORM = @PYTHON_PLATFORM@
 PYTHON_PREFIX = @PYTHON_PREFIX@
 PYTHON_VERSION = @PYTHON_VERSION@
 RANLIB = @RANLIB@
+RESOLV_LIBS = @RESOLV_LIBS@
+RPMLINT = @RPMLINT@
 SAMBA40EXTRA_LIBPATH = @SAMBA40EXTRA_LIBPATH@
 SAMBAUTIL_CFLAGS = @SAMBAUTIL_CFLAGS@
 SAMBAUTIL_LIBS = @SAMBAUTIL_LIBS@
+SAMBA_SECURITY_LIBS = @SAMBA_SECURITY_LIBS@
 SASL_CFLAGS = @SASL_CFLAGS@
 SASL_LIBS = @SASL_LIBS@
 SED = @SED@
@@ -390,8 +404,10 @@ ac_ct_DUMPBIN = @ac_ct_DUMPBIN@
 am__include = @am__include@
 am__leading_dot = @am__leading_dot@
 am__quote = @am__quote@
+am__rm_f_notfound = @am__rm_f_notfound@
 am__tar = @am__tar@
 am__untar = @am__untar@
+am__xargs_n = @am__xargs_n@
 bindir = @bindir@
 build = @build@
 build_alias = @build_alias@
@@ -437,6 +453,7 @@ sharedstatedir = @sharedstatedir@
 srcdir = @srcdir@
 sysconfdir = @sysconfdir@
 sysconfenvdir = @sysconfenvdir@
+systemdcatalogdir = @systemdcatalogdir@
 systemdsystemunitdir = @systemdsystemunitdir@
 systemdtmpfilesdir = @systemdtmpfilesdir@
 target_alias = @target_alias@
@@ -460,6 +477,7 @@ dist_app_DATA = \
 	60ipaconfig.ldif		\
 	60basev2.ldif			\
 	60basev3.ldif			\
+	60basev4.ldif			\
 	60ipadns.ldif			\
 	60ipapk11.ldif			\
 	60certificate-profiles.ldif	\
@@ -481,17 +499,18 @@ dist_app_DATA = \
 	default-trust-view.ldif		\
 	delegation.ldif			\
 	replica-acis.ldif		\
-	replica-prevent-time-skew.ldif  \
 	ds-nfiles.ldif			\
 	ds-ipa-env.conf.template	\
 	dns.ldif			\
 	dnssec.ldif			\
 	domainlevel.ldif			\
 	kerberos.ldif			\
-	indices.ldif			\
 	bind.ipa-ext.conf.template		\
 	bind.ipa-options-ext.conf.template	\
+	bind.ipa-logging-ext.conf.template	\
 	bind.named.conf.template	\
+	bind.openssl.cnf.template	\
+	bind.openssl.cryptopolicy.cnf.template	\
 	certmap.conf.template		\
 	kdc.conf.template		\
 	kdc_extensions.template		\
@@ -523,7 +542,6 @@ dist_app_DATA = \
 	uuid.ldif		\
 	modrdn-krbprinc.ldif		\
 	entryusn.ldif			\
-	root-autobind.ldif		\
 	pw-logging-conf.ldif	\
 	sudobind.ldif			\
 	automember.ldif			\
@@ -546,6 +564,11 @@ dist_app_DATA = \
 	ipaca_default.ini		\
 	ipaca_customize.ini		\
 	ipaca_softhsm2.ini		\
+	pki-acme-configsources.conf.template	\
+	pki-acme-database.conf.template	\
+	pki-acme-engine.conf.template	\
+	pki-acme-issuer.conf.template	\
+	pki-acme-realm.conf.template	\
 	ldbm-tuning.ldif		\
 	$(NULL)

@@ -732,7 +755,6 @@ cscopelist-am: $(am__tagged_files)

 distclean-tags:
 	-rm -f TAGS ID GTAGS GRTAGS GSYMS GPATH tags
-
 distdir: $(BUILT_SOURCES)
 	$(MAKE) $(AM_MAKEFLAGS) distdir-am

@@ -823,8 +845,8 @@ mostlyclean-generic:
 clean-generic:

 distclean-generic:
-	-test -z "$(CONFIG_CLEAN_FILES)" || rm -f $(CONFIG_CLEAN_FILES)
-	-test . = "$(srcdir)" || test -z "$(CONFIG_CLEAN_VPATH_FILES)" || rm -f $(CONFIG_CLEAN_VPATH_FILES)
+	-$(am__rm_f) $(CONFIG_CLEAN_FILES)
+	-test . = "$(srcdir)" || $(am__rm_f) $(CONFIG_CLEAN_VPATH_FILES)

 maintainer-clean-generic:
 	@echo "This command is intended for maintainers to use"
@@ -918,3 +940,10 @@ uninstall-am: uninstall-dist_appDATA uninstall-dist_kdcproxyconfDATA
 # Tell versions [3.59,3.63) of GNU make to not export all variables.
 # Otherwise a system limit (for SysV at least) may be exceeded.
 .NOEXPORT:
+
+# Tell GNU make to disable its built-in pattern rules.
+%:: %,v
+%:: RCS/%,v
+%:: RCS/%
+%:: s.%
+%:: SCCS/s.%
--- a/install/share/advise/Makefile.in
+++ b/install/share/advise/Makefile.in
@@ -1,7 +1,7 @@
-# Makefile.in generated by automake 1.16.2 from Makefile.am.
+# Makefile.in generated by automake 1.17 from Makefile.am.
 # @configure_input@

-# Copyright (C) 1994-2020 Free Software Foundation, Inc.
+# Copyright (C) 1994-2024 Free Software Foundation, Inc.

 # This Makefile.in is free software; the Free Software Foundation
 # gives unlimited permission to copy and/or distribute it,
@@ -70,6 +70,8 @@ am__make_running_with_option = \
  test $$has_opt = yes
 am__make_dryrun = (target_option=n; $(am__make_running_with_option))
 am__make_keepgoing = (target_option=k; $(am__make_running_with_option))
+am__rm_f = rm -f $(am__rm_f_notfound)
+am__rm_rf = rm -rf $(am__rm_f_notfound)
 pkgdatadir = $(datadir)/@PACKAGE@
 pkgincludedir = $(includedir)/@PACKAGE@
 pkglibdir = $(libdir)/@PACKAGE@
@@ -155,10 +157,9 @@ am__base_list = \
  sed '$$!N;$$!N;$$!N;$$!N;$$!N;$$!N;$$!N;s/\n/ /g' | \
  sed '$$!N;$$!N;$$!N;$$!N;s/\n/ /g'
 am__uninstall_files_from_dir = { \
-  test -z "$$files" \
-    || { test ! -d "$$dir" && test ! -f "$$dir" && test ! -r "$$dir"; } \
-    || { echo " ( cd '$$dir' && rm -f" $$files ")"; \
-         $(am__cd) "$$dir" && rm -f $$files; }; \
+  { test ! -d "$$dir" && test ! -f "$$dir" && test ! -r "$$dir"; } \
+  || { echo " ( cd '$$dir' && rm -f" $$files ")"; \
+       $(am__cd) "$$dir" && echo $$files | $(am__xargs_n) 40 $(am__rm_f); }; \
  }
 am__installdirs = "$(DESTDIR)$(appdir)"
 DATA = $(app_DATA)
@@ -187,8 +188,6 @@ am__define_uniq_tagged_files = \
  unique=`for i in $$list; do \
    if test -f "$$i"; then echo $$i; else echo $(srcdir)/$$i; fi; \
  done | $(am__uniquify_input)`
-ETAGS = etags
-CTAGS = ctags
 DIST_SUBDIRS = $(SUBDIRS)
 am__DIST_COMMON = $(srcdir)/Makefile.in
 DISTFILES = $(DIST_COMMON) $(DIST_SOURCES) $(TEXINFOS) $(EXTRA_DIST)
@@ -236,6 +235,8 @@ CPP = @CPP@
 CPPFLAGS = @CPPFLAGS@
 CRYPTO_CFLAGS = @CRYPTO_CFLAGS@
 CRYPTO_LIBS = @CRYPTO_LIBS@
+CSCOPE = @CSCOPE@
+CTAGS = @CTAGS@
 CYGPATH_W = @CYGPATH_W@
 DATA_VERSION = @DATA_VERSION@
 DEFS = @DEFS@
@@ -249,8 +250,10 @@ ECHO_C = @ECHO_C@
 ECHO_N = @ECHO_N@
 ECHO_T = @ECHO_T@
 EGREP = @EGREP@
+ETAGS = @ETAGS@
 EXEEXT = @EXEEXT@
 FGREP = @FGREP@
+FILECMD = @FILECMD@
 GETTEXT_DOMAIN = @GETTEXT_DOMAIN@
 GETTEXT_MACRO_VERSION = @GETTEXT_MACRO_VERSION@
 GIT_BRANCH = @GIT_BRANCH@
@@ -258,6 +261,7 @@ GIT_VERSION = @GIT_VERSION@
 GMSGFMT = @GMSGFMT@
 GMSGFMT_015 = @GMSGFMT_015@
 GREP = @GREP@
+HTTPD_GROUP = @HTTPD_GROUP@
 INI_CFLAGS = @INI_CFLAGS@
 INI_LIBS = @INI_LIBS@
 INSTALL = @INSTALL@
@@ -270,9 +274,12 @@ INTL_MACOSX_LIBS = @INTL_MACOSX_LIBS@
 IPAPLATFORM = @IPAPLATFORM@
 IPA_DATA_DIR = @IPA_DATA_DIR@
 IPA_SYSCONF_DIR = @IPA_SYSCONF_DIR@
+JANSSON_CFLAGS = @JANSSON_CFLAGS@
+JANSSON_LIBS = @JANSSON_LIBS@
 JSLINT = @JSLINT@
 KRAD_LIBS = @KRAD_LIBS@
 KRB5KDC_SERVICE = @KRB5KDC_SERVICE@
+KRB5_BUILD_VERSION = @KRB5_BUILD_VERSION@
 KRB5_CFLAGS = @KRB5_CFLAGS@
 KRB5_GSSAPI_CFLAGS = @KRB5_GSSAPI_CFLAGS@
 KRB5_GSSAPI_LIBS = @KRB5_GSSAPI_LIBS@
@@ -281,6 +288,8 @@ LD = @LD@
 LDAP_CFLAGS = @LDAP_CFLAGS@
 LDAP_LIBS = @LDAP_LIBS@
 LDFLAGS = @LDFLAGS@
+LIBCURL_CFLAGS = @LIBCURL_CFLAGS@
+LIBCURL_LIBS = @LIBCURL_LIBS@
 LIBICONV = @LIBICONV@
 LIBINTL = @LIBINTL@
 LIBINTL_LIBS = @LIBINTL_LIBS@
@@ -340,6 +349,8 @@ PLATFORM_PYTHON = @PLATFORM_PYTHON@
 POPT_CFLAGS = @POPT_CFLAGS@
 POPT_LIBS = @POPT_LIBS@
 POSUB = @POSUB@
+PWQUALITY_CFLAGS = @PWQUALITY_CFLAGS@
+PWQUALITY_LIBS = @PWQUALITY_LIBS@
 PYLINT = @PYLINT@
 PYTHON = @PYTHON@
 PYTHON_EXEC_PREFIX = @PYTHON_EXEC_PREFIX@
@@ -348,9 +359,12 @@ PYTHON_PLATFORM = @PYTHON_PLATFORM@
 PYTHON_PREFIX = @PYTHON_PREFIX@
 PYTHON_VERSION = @PYTHON_VERSION@
 RANLIB = @RANLIB@
+RESOLV_LIBS = @RESOLV_LIBS@
+RPMLINT = @RPMLINT@
 SAMBA40EXTRA_LIBPATH = @SAMBA40EXTRA_LIBPATH@
 SAMBAUTIL_CFLAGS = @SAMBAUTIL_CFLAGS@
 SAMBAUTIL_LIBS = @SAMBAUTIL_LIBS@
+SAMBA_SECURITY_LIBS = @SAMBA_SECURITY_LIBS@
 SASL_CFLAGS = @SASL_CFLAGS@
 SASL_LIBS = @SASL_LIBS@
 SED = @SED@
@@ -389,8 +403,10 @@ ac_ct_DUMPBIN = @ac_ct_DUMPBIN@
 am__include = @am__include@
 am__leading_dot = @am__leading_dot@
 am__quote = @am__quote@
+am__rm_f_notfound = @am__rm_f_notfound@
 am__tar = @am__tar@
 am__untar = @am__untar@
+am__xargs_n = @am__xargs_n@
 bindir = @bindir@
 build = @build@
 build_alias = @build_alias@
@@ -436,6 +452,7 @@ sharedstatedir = @sharedstatedir@
 srcdir = @srcdir@
 sysconfdir = @sysconfdir@
 sysconfenvdir = @sysconfenvdir@
+systemdcatalogdir = @systemdcatalogdir@
 systemdsystemunitdir = @systemdsystemunitdir@
 systemdtmpfilesdir = @systemdtmpfilesdir@
 target_alias = @target_alias@
@@ -613,7 +630,6 @@ cscopelist-am: $(am__tagged_files)

 distclean-tags:
 	-rm -f TAGS ID GTAGS GRTAGS GSYMS GPATH tags
-
 distdir: $(BUILT_SOURCES)
 	$(MAKE) $(AM_MAKEFLAGS) distdir-am

@@ -704,8 +720,8 @@ mostlyclean-generic:
 clean-generic:

 distclean-generic:
-	-test -z "$(CONFIG_CLEAN_FILES)" || rm -f $(CONFIG_CLEAN_FILES)
-	-test . = "$(srcdir)" || test -z "$(CONFIG_CLEAN_VPATH_FILES)" || rm -f $(CONFIG_CLEAN_VPATH_FILES)
+	-$(am__rm_f) $(CONFIG_CLEAN_FILES)
+	-test . = "$(srcdir)" || $(am__rm_f) $(CONFIG_CLEAN_VPATH_FILES)

 maintainer-clean-generic:
 	@echo "This command is intended for maintainers to use"
@@ -798,3 +814,10 @@ uninstall-am: uninstall-appDATA
 # Tell versions [3.59,3.63) of GNU make to not export all variables.
 # Otherwise a system limit (for SysV at least) may be exceeded.
 .NOEXPORT:
+
+# Tell GNU make to disable its built-in pattern rules.
+%:: %,v
+%:: RCS/%,v
+%:: RCS/%
+%:: s.%
+%:: SCCS/s.%
--- a/install/share/advise/legacy/Makefile.in
+++ b/install/share/advise/legacy/Makefile.in
@@ -1,7 +1,7 @@
-# Makefile.in generated by automake 1.16.2 from Makefile.am.
+# Makefile.in generated by automake 1.17 from Makefile.am.
 # @configure_input@

-# Copyright (C) 1994-2020 Free Software Foundation, Inc.
+# Copyright (C) 1994-2024 Free Software Foundation, Inc.

 # This Makefile.in is free software; the Free Software Foundation
 # gives unlimited permission to copy and/or distribute it,
@@ -70,6 +70,8 @@ am__make_running_with_option = \
  test $$has_opt = yes
 am__make_dryrun = (target_option=n; $(am__make_running_with_option))
 am__make_keepgoing = (target_option=k; $(am__make_running_with_option))
+am__rm_f = rm -f $(am__rm_f_notfound)
+am__rm_rf = rm -rf $(am__rm_f_notfound)
 pkgdatadir = $(datadir)/@PACKAGE@
 pkgincludedir = $(includedir)/@PACKAGE@
 pkglibdir = $(libdir)/@PACKAGE@
@@ -147,10 +149,9 @@ am__base_list = \
  sed '$$!N;$$!N;$$!N;$$!N;$$!N;$$!N;$$!N;s/\n/ /g' | \
  sed '$$!N;$$!N;$$!N;$$!N;s/\n/ /g'
 am__uninstall_files_from_dir = { \
-  test -z "$$files" \
-    || { test ! -d "$$dir" && test ! -f "$$dir" && test ! -r "$$dir"; } \
-    || { echo " ( cd '$$dir' && rm -f" $$files ")"; \
-         $(am__cd) "$$dir" && rm -f $$files; }; \
+  { test ! -d "$$dir" && test ! -f "$$dir" && test ! -r "$$dir"; } \
+  || { echo " ( cd '$$dir' && rm -f" $$files ")"; \
+       $(am__cd) "$$dir" && echo $$files | $(am__xargs_n) 40 $(am__rm_f); }; \
  }
 am__installdirs = "$(DESTDIR)$(appdir)"
 DATA = $(app_DATA)
@@ -176,6 +177,8 @@ CPP = @CPP@
 CPPFLAGS = @CPPFLAGS@
 CRYPTO_CFLAGS = @CRYPTO_CFLAGS@
 CRYPTO_LIBS = @CRYPTO_LIBS@
+CSCOPE = @CSCOPE@
+CTAGS = @CTAGS@
 CYGPATH_W = @CYGPATH_W@
 DATA_VERSION = @DATA_VERSION@
 DEFS = @DEFS@
@@ -189,8 +192,10 @@ ECHO_C = @ECHO_C@
 ECHO_N = @ECHO_N@
 ECHO_T = @ECHO_T@
 EGREP = @EGREP@
+ETAGS = @ETAGS@
 EXEEXT = @EXEEXT@
 FGREP = @FGREP@
+FILECMD = @FILECMD@
 GETTEXT_DOMAIN = @GETTEXT_DOMAIN@
 GETTEXT_MACRO_VERSION = @GETTEXT_MACRO_VERSION@
 GIT_BRANCH = @GIT_BRANCH@
@@ -198,6 +203,7 @@ GIT_VERSION = @GIT_VERSION@
 GMSGFMT = @GMSGFMT@
 GMSGFMT_015 = @GMSGFMT_015@
 GREP = @GREP@
+HTTPD_GROUP = @HTTPD_GROUP@
 INI_CFLAGS = @INI_CFLAGS@
 INI_LIBS = @INI_LIBS@
 INSTALL = @INSTALL@
@@ -210,9 +216,12 @@ INTL_MACOSX_LIBS = @INTL_MACOSX_LIBS@
 IPAPLATFORM = @IPAPLATFORM@
 IPA_DATA_DIR = @IPA_DATA_DIR@
 IPA_SYSCONF_DIR = @IPA_SYSCONF_DIR@
+JANSSON_CFLAGS = @JANSSON_CFLAGS@
+JANSSON_LIBS = @JANSSON_LIBS@
 JSLINT = @JSLINT@
 KRAD_LIBS = @KRAD_LIBS@
 KRB5KDC_SERVICE = @KRB5KDC_SERVICE@
+KRB5_BUILD_VERSION = @KRB5_BUILD_VERSION@
 KRB5_CFLAGS = @KRB5_CFLAGS@
 KRB5_GSSAPI_CFLAGS = @KRB5_GSSAPI_CFLAGS@
 KRB5_GSSAPI_LIBS = @KRB5_GSSAPI_LIBS@
@@ -221,6 +230,8 @@ LD = @LD@
 LDAP_CFLAGS = @LDAP_CFLAGS@
 LDAP_LIBS = @LDAP_LIBS@
 LDFLAGS = @LDFLAGS@
+LIBCURL_CFLAGS = @LIBCURL_CFLAGS@
+LIBCURL_LIBS = @LIBCURL_LIBS@
 LIBICONV = @LIBICONV@
 LIBINTL = @LIBINTL@
 LIBINTL_LIBS = @LIBINTL_LIBS@
@@ -280,6 +291,8 @@ PLATFORM_PYTHON = @PLATFORM_PYTHON@
 POPT_CFLAGS = @POPT_CFLAGS@
 POPT_LIBS = @POPT_LIBS@
 POSUB = @POSUB@
+PWQUALITY_CFLAGS = @PWQUALITY_CFLAGS@
+PWQUALITY_LIBS = @PWQUALITY_LIBS@
 PYLINT = @PYLINT@
 PYTHON = @PYTHON@
 PYTHON_EXEC_PREFIX = @PYTHON_EXEC_PREFIX@
@@ -288,9 +301,12 @@ PYTHON_PLATFORM = @PYTHON_PLATFORM@
 PYTHON_PREFIX = @PYTHON_PREFIX@
 PYTHON_VERSION = @PYTHON_VERSION@
 RANLIB = @RANLIB@
+RESOLV_LIBS = @RESOLV_LIBS@
+RPMLINT = @RPMLINT@
 SAMBA40EXTRA_LIBPATH = @SAMBA40EXTRA_LIBPATH@
 SAMBAUTIL_CFLAGS = @SAMBAUTIL_CFLAGS@
 SAMBAUTIL_LIBS = @SAMBAUTIL_LIBS@
+SAMBA_SECURITY_LIBS = @SAMBA_SECURITY_LIBS@
 SASL_CFLAGS = @SASL_CFLAGS@
 SASL_LIBS = @SASL_LIBS@
 SED = @SED@
@@ -329,8 +345,10 @@ ac_ct_DUMPBIN = @ac_ct_DUMPBIN@
 am__include = @am__include@
 am__leading_dot = @am__leading_dot@
 am__quote = @am__quote@
+am__rm_f_notfound = @am__rm_f_notfound@
 am__tar = @am__tar@
 am__untar = @am__untar@
+am__xargs_n = @am__xargs_n@
 bindir = @bindir@
 build = @build@
 build_alias = @build_alias@
@@ -376,6 +394,7 @@ sharedstatedir = @sharedstatedir@
 srcdir = @srcdir@
 sysconfdir = @sysconfdir@
 sysconfenvdir = @sysconfenvdir@
+systemdcatalogdir = @systemdcatalogdir@
 systemdsystemunitdir = @systemdsystemunitdir@
 systemdtmpfilesdir = @systemdtmpfilesdir@
 target_alias = @target_alias@
@@ -460,7 +479,6 @@ ctags CTAGS:

 cscope cscopelist:

-
 distdir: $(BUILT_SOURCES)
 	$(MAKE) $(AM_MAKEFLAGS) distdir-am

@@ -525,8 +543,8 @@ mostlyclean-generic:
 clean-generic:

 distclean-generic:
-	-test -z "$(CONFIG_CLEAN_FILES)" || rm -f $(CONFIG_CLEAN_FILES)
-	-test . = "$(srcdir)" || test -z "$(CONFIG_CLEAN_VPATH_FILES)" || rm -f $(CONFIG_CLEAN_VPATH_FILES)
+	-$(am__rm_f) $(CONFIG_CLEAN_FILES)
+	-test . = "$(srcdir)" || $(am__rm_f) $(CONFIG_CLEAN_VPATH_FILES)

 maintainer-clean-generic:
 	@echo "This command is intended for maintainers to use"
@@ -618,3 +636,10 @@ uninstall-am: uninstall-appDATA
 # Tell versions [3.59,3.63) of GNU make to not export all variables.
 # Otherwise a system limit (for SysV at least) may be exceeded.
 .NOEXPORT:
+
+# Tell GNU make to disable its built-in pattern rules.
+%:: %,v
+%:: RCS/%,v
+%:: RCS/%
+%:: s.%
+%:: SCCS/s.%
--- a/install/share/bind.ipa-logging-ext.conf.template
+++ b/install/share/bind.ipa-logging-ext.conf.template
@@ -0,0 +1,91 @@
+channel named {
+	file "${NAMED_DATA_DIR}named.log" versions 10 size 20M;
+	severity info;
+	print-time yes;
+	print-category yes;
+	print-severity yes;
+};
+
+channel security {
+	file "${NAMED_DATA_DIR}security.log" versions 10 size 20M;
+	severity info;
+	print-time yes;
+	print-severity yes;
+};
+
+channel dnssec {
+	file "${NAMED_DATA_DIR}dnssec.log" versions 10 size 20M;
+	severity info;
+	print-time yes;
+	print-severity yes;
+};
+
+channel resolver {
+	file "${NAMED_DATA_DIR}resolver.log" versions 10 size 20M;
+	severity info;
+	print-time yes;
+	print-severity yes;
+};
+
+channel query_log {
+	file "${NAMED_DATA_DIR}query.log" versions 10 size 80M;
+	severity info;
+	print-time yes;
+	print-severity yes;
+};
+
+channel query_error {
+	file "${NAMED_DATA_DIR}query_errors.log" versions 10 size 20M;
+	severity info;
+	print-time yes;
+	print-severity yes;
+};
+
+channel lame_servers {
+	file "${NAMED_DATA_DIR}lame-servers.log" versions 10 size 20M;
+	severity info;
+	print-time yes;
+	print-severity yes;
+};
+
+channel capacity {
+	file "${NAMED_DATA_DIR}capacity.log" versions 10 size 20M;
+	severity info;
+	print-time yes;
+	print-severity yes;
+};
+
+channel database {
+	file "${NAMED_DATA_DIR}database.log" versions 10 size 20M;
+	severity info;
+	print-time yes;
+	print-severity yes;
+};
+
+channel update {
+	file "${NAMED_DATA_DIR}update.log" versions 10 size 10M;
+	severity info;
+	print-time yes;
+	print-severity yes;
+};
+
+category default        { default_syslog; named; };
+category general        { default_syslog; named; };
+category security       { security; };
+category queries        { query_log; };
+category query-errors   { query_error; };
+category lame-servers   { lame_servers; };
+category dnssec         { dnssec; };
+category edns-disabled  { default_syslog; resolver; };
+category config         { default_syslog; named; };
+category resolver       { resolver; };
+category cname          { resolver; };
+category spill          { capacity; };
+category rate-limit     { capacity; };
+category database       { database; };
+category client         { default_syslog; named; };
+category network        { default_syslog; named; };
+category unmatched      { named; };
+category delegation-only { named; };
+category update         { default_syslog; update; };
+category update-security { default_syslog; update; };
--- a/install/share/bind.named.conf.template
+++ b/install/share/bind.named.conf.template
@@ -4,6 +4,7 @@
 *
 *
 * - $NAMED_CUSTOM_OPTIONS_CONF (for options)
+ * - $NAMED_LOGGING_OPTIONS_CONF (for logging options)
 * - $NAMED_CUSTOM_CONF (all other settings)
 */

@@ -37,6 +38,7 @@ logging {
 		severity dynamic;
 		print-time yes;
 	};
+	include "$NAMED_LOGGING_OPTIONS_CONF";
 };

 ${NAMED_ZONE_COMMENT}zone "." IN {
@@ -55,6 +57,6 @@ dyndb "ipa" "$BIND_LDAP_SO" {
 	base "cn=dns,$SUFFIX";
 	server_id "$FQDN";
 	auth_method "sasl";
-	sasl_mech "GSSAPI";
-	sasl_user "DNS/$FQDN";
+	sasl_mech "EXTERNAL";
+	krb5_keytab "FILE:$NAMED_KEYTAB";
 };
--- a/install/share/bind.openssl.cnf.template
+++ b/install/share/bind.openssl.cnf.template
@@ -0,0 +1,14 @@
+# OpenSSL configuration file
+# File generated by IPA instalation
+openssl_conf = openssl_init
+
+[openssl_init]
+engines = engine_section
+
+[engine_section]
+$OPENSSL_ENGINE = ${OPENSSL_ENGINE}_section
+
+[${OPENSSL_ENGINE}_section]
+engine_id = $OPENSSL_ENGINE
+MODULE_PATH = $SOFTHSM_MODULE
+init=0
--- a/install/share/bind.openssl.cryptopolicy.cnf.template
+++ b/install/share/bind.openssl.cryptopolicy.cnf.template
@@ -0,0 +1,21 @@
+# OpenSSL configuration file
+# File generated by IPA instalation
+openssl_conf = openssl_init
+
+[openssl_init]
+ssl_conf = ssl_configuration
+engines = engine_section
+
+[ssl_configuration]
+system_default = crypto_policy
+
+[crypto_policy]
+.include $CRYPTO_POLICY_FILE
+
+[engine_section]
+$OPENSSL_ENGINE = ${OPENSSL_ENGINE}_section
+
+[${OPENSSL_ENGINE}_section]
+engine_id = $OPENSSL_ENGINE
+MODULE_PATH = $SOFTHSM_MODULE
+init=0
--- a/install/share/bootstrap-template.ldif
+++ b/install/share/bootstrap-template.ldif
@@ -167,6 +167,12 @@ objectClass: nsContainer
 objectClass: top
 cn: posix-ids

+dn: cn=subordinate-ids,cn=dna,cn=ipa,cn=etc,$SUFFIX
+changetype: add
+objectClass: nsContainer
+objectClass: top
+cn: subordinate-ids
+
 dn: cn=ca_renewal,cn=ipa,cn=etc,$SUFFIX
 changetype: add
 objectClass: nsContainer
@@ -233,6 +239,7 @@ objectClass: ipasshuser
 uid: admin
 krbPrincipalName: admin@$REALM
 krbPrincipalName: root@$REALM
+krbCanonicalName: admin@$REALM
 cn: Administrator
 sn: Administrator
 uidNumber: $IDSTART
@@ -476,6 +483,22 @@ ipaBaseID: $IDSTART
 ipaIDRangeSize: $IDRANGE_SIZE
 ipaRangeType: ipa-local

+dn: cn=${REALM}_subid_range,cn=ranges,cn=etc,$SUFFIX
+changetype: add
+objectClass: top
+objectClass: ipaIDrange
+objectClass: ipaTrustedADDomainRange
+cn: ${REALM}_subid_range
+ipaBaseID: eval($SUBID_RANGE_START)
+ipaIDRangeSize: eval($SUBID_RANGE_SIZE)
+# HACK: RIDs to work around adtrust sidgen issue
+ipaBaseRID: eval($SUBID_BASE_RID)
+# 738065-838566 = IPA-SUB
+ipaNTTrustedDomainSID: S-1-5-21-738065-838566-$DOMAIN_HASH
+# HACK: "ipa-local-subid" range type causes issues with older SSSD clients
+# see https://github.com/SSSD/sssd/issues/5571
+ipaRangeType: ipa-ad-trust
+
 dn: cn=ca,$SUFFIX
 changetype: add
 objectClass: nsContainer
--- a/install/share/custodia.conf.template
+++ b/install/share/custodia.conf.template
@@ -4,12 +4,12 @@ server_socket = $IPA_CUSTODIA_SOCKET
 auditlog = $IPA_CUSTODIA_AUDIT_LOG

 [auth:simple]
-handler = custodia.httpd.authenticators.SimpleCredsAuth
+handler = ipaserver.custodia.httpd.authenticators.SimpleCredsAuth
 uid = $UID
 gid = $GID

 [auth:header]
-handler = custodia.httpd.authenticators.SimpleHeaderAuth
+handler = ipaserver.custodia.httpd.authenticators.SimpleHeaderAuth
 header = GSS_NAME

 [authz:kemkeys]
@@ -23,6 +23,6 @@ handler = ipaserver.secrets.store.IPASecStore
 ldap_uri = $LDAP_URI

 [/keys]
-handler = custodia.secrets.Secrets
+handler = ipaserver.custodia.secrets.Secrets
 allowed_keytypes = kem
 store = ipa
--- a/install/share/delegation.ldif
+++ b/install/share/delegation.ldif
@@ -307,3 +307,11 @@ dn: $SUFFIX
 changetype: modify
 add: aci
 aci: (targetattr = "objectclass")(target = "ldap:///cn=certificate remove hold,cn=virtual operations,cn=etc,$SUFFIX" )(version 3.0 ; acl "permission:Certificate Remove Hold"; allow (write) groupdn = "ldap:///cn=Certificate Remove Hold,cn=permissions,cn=pbac,$SUFFIX";)
+
+dn: cn=External IdP server Administrators,cn=privileges,cn=pbac,$SUFFIX
+changetype: add
+objectClass: top
+objectClass: groupofnames
+objectClass: nestedgroup
+cn: External IdP server Administrators
+description: External IdP server Administrators
--- a/install/share/dna.ldif
+++ b/install/share/dna.ldif
@@ -16,6 +16,23 @@ dnaThreshold: 500
 dnaSharedCfgDN: cn=posix-ids,cn=dna,cn=ipa,cn=etc,$SUFFIX
 dnaExcludeScope: cn=provisioning,$SUFFIX

+dn: cn=Subordinate IDs,cn=Distributed Numeric Assignment Plugin,cn=plugins,cn=config
+changetype: add
+objectclass: top
+objectclass: extensibleObject
+cn: Subordinate IDs
+dnaType: ipasubuidnumber
+dnaType: ipasubgidnumber
+dnaNextValue: eval($SUBID_RANGE_START)
+dnaMaxValue: eval($SUBID_RANGE_MAX)
+dnaMagicRegen: -1
+dnaFilter: (objectClass=ipaSubordinateId)
+dnaScope: $SUFFIX
+dnaThreshold: eval($SUBID_DNA_THRESHOLD)
+dnaSharedCfgDN: cn=subordinate-ids,cn=dna,cn=ipa,cn=etc,$SUFFIX
+dnaExcludeScope: cn=provisioning,$SUFFIX
+dnaInterval: eval($SUBID_COUNT)
+
 # Enable the DNA plugin
 dn: cn=Distributed Numeric Assignment Plugin,cn=plugins,cn=config
 changetype: modify
--- a/install/share/dns.ldif
+++ b/install/share/dns.ldif
@@ -8,7 +8,7 @@ objectClass: top
 cn: dns
 ipaConfigString: DNSVersion 1
 ipaDNSVersion: 2
-aci: (targetattr = "*")(version 3.0; acl "Allow read access"; allow (read,search,compare) groupdn = "ldap:///cn=Read DNS Entries,cn=permissions,cn=pbac,$SUFFIX" or userattr = "parent[0,1].managedby#GROUPDN";)
+aci: (targetattr = "*")(version 3.0; acl "Read DNS entries from a zone"; allow (read,search,compare) userattr = "parent[0,1].managedby#GROUPDN";)
 aci: (target = "ldap:///idnsname=*,cn=dns,$SUFFIX")(version 3.0;acl "Add DNS entries in a zone";allow (add) userattr = "parent[1].managedby#GROUPDN";)
 aci: (target = "ldap:///idnsname=*,cn=dns,$SUFFIX")(version 3.0;acl "Remove DNS entries from a zone";allow (delete) userattr = "parent[1].managedby#GROUPDN";)
 aci: (targetattr = "a6record || aaaarecord || afsdbrecord || aplrecord || arecord || certrecord || cn || cnamerecord || dhcidrecord || dlvrecord || dnamerecord || dnsclass || dnsttl || dsrecord || hinforecord || hiprecord || idnsallowdynupdate || idnsallowquery || idnsallowsyncptr || idnsallowtransfer || idnsforwarders || idnsforwardpolicy || idnsname || idnssecinlinesigning || idnssoaexpire || idnssoaminimum || idnssoamname || idnssoarefresh || idnssoaretry || idnssoarname || idnssoaserial || idnsupdatepolicy || idnszoneactive || ipseckeyrecord || keyrecord || kxrecord || locrecord || mdrecord || minforecord || mxrecord || naptrrecord || nsecrecord || nsec3paramrecord || nsrecord || nxtrecord || ptrrecord || rprecord || rrsigrecord || sigrecord || spfrecord || srvrecord || sshfprecord || tlsarecord || txtrecord || urirecord || unknownrecord ")(target = "ldap:///idnsname=*,cn=dns,$SUFFIX")(version 3.0;acl "Update DNS entries in a zone";allow (write) userattr = "parent[0,1].managedby#GROUPDN";)
--- a/install/share/ds-ipa-env.conf.template
+++ b/install/share/ds-ipa-env.conf.template
@@ -1,5 +1,7 @@
 # Installed and maintained by ipa update tools, please do not modify

 [Service]
+Environment=LC_ALL=C.UTF-8
 Environment=KRB5_KTNAME=$KRB5_KTNAME
+Environment=KRB5_CLIENT_KTNAME=$KRB5_KTNAME
 Environment=KRB5CCNAME=$KRB5CCNAME
--- a/install/share/gssproxy.conf.template
+++ b/install/share/gssproxy.conf.template
@@ -11,8 +11,14 @@
 [service/ipa-api]
  mechs = krb5
  cred_store = keytab:$HTTP_KEYTAB
-  cred_store = client_keytab:$HTTP_KEYTAB
  allow_constrained_delegation = true
  allow_client_ccache_sync = true
  cred_usage = initiate
  euid = $IPAAPI_USER
+
+[service/ipa-sweeper]
+  mechs = krb5
+  cred_store = keytab:$HTTP_KEYTAB
+  socket = $SWEEPER_SOCKET
+  euid = $IPAAPI_USER
+  cred_usage = initiate
--- a/install/share/indices.ldif
+++ b/install/share/indices.ldif
@@ -1,429 +0,0 @@
-dn: cn=krbPrincipalName,cn=index,cn=userRoot,cn=ldbm database,cn=plugins,cn=config
-changetype: add
-objectClass:top
-objectClass:nsIndex
-cn:krbPrincipalName
-nsSystemIndex:false
-nsIndexType:eq
-nsIndexType:sub
-nsIndexType:pres
-nsMatchingRule:caseIgnoreIA5Match
-nsMatchingRule:caseExactIA5Match
-
-dn: cn=ou,cn=index,cn=userRoot,cn=ldbm database,cn=plugins,cn=config
-changetype: add
-objectClass:top
-objectClass:nsIndex
-cn:ou
-nsSystemIndex:false
-nsIndexType:eq
-nsIndexType:sub
-
-dn: cn=carLicense,cn=index,cn=userRoot,cn=ldbm database,cn=plugins,cn=config
-changetype: add
-objectClass:top
-objectClass:nsIndex
-cn:carLicense
-nsSystemIndex:false
-nsIndexType:eq
-nsIndexType:sub
-
-dn: cn=title,cn=index,cn=userRoot,cn=ldbm database,cn=plugins,cn=config
-changetype: add
-objectClass:top
-objectClass:nsIndex
-cn:title
-nsSystemIndex:false
-nsIndexType:eq
-nsIndexType:sub
-
-dn: cn=manager,cn=index,cn=userRoot,cn=ldbm database,cn=plugins,cn=config
-changetype: add
-objectClass:top
-objectClass:nsIndex
-cn:manager
-nsSystemIndex:false
-nsIndexType:eq
-nsIndexType:pres
-nsIndexType:sub
-
-dn: cn=secretary,cn=index,cn=userRoot,cn=ldbm database,cn=plugins,cn=config
-changetype: add
-objectClass:top
-objectClass:nsIndex
-cn:secretary
-nsSystemIndex:false
-nsIndexType:eq
-nsIndexType:pres
-nsIndexType:sub
-
-dn: cn=displayname,cn=index,cn=userRoot,cn=ldbm database,cn=plugins,cn=config
-changetype: add
-objectClass:top
-objectClass:nsIndex
-cn:displayname
-nsSystemIndex:false
-nsIndexType:eq
-nsIndexType:sub
-
-dn: cn=uid,cn=index,cn=userRoot,cn=ldbm database,cn=plugins,cn=config
-changetype: modify
-add: nsIndexType
-nsIndexType:sub
-
-dn: cn=uidnumber,cn=index,cn=userRoot,cn=ldbm database,cn=plugins,cn=config
-changetype: add
-objectClass:top
-objectClass:nsIndex
-cn:uidnumber
-nsSystemIndex:false
-nsIndexType:eq
-nsMatchingRule: integerOrderingMatch
-
-dn: cn=gidnumber,cn=index,cn=userRoot,cn=ldbm database,cn=plugins,cn=config
-changetype: add
-objectClass:top
-objectClass:nsIndex
-cn:gidnumber
-nsSystemIndex:false
-nsIndexType:eq
-nsMatchingRule: integerOrderingMatch
-
-dn: cn=ntUniqueId,cn=index,cn=userRoot,cn=ldbm database,cn=plugins,cn=config
-changetype: modify
-replace: nsIndexType
-nsIndexType: eq
-nsIndexType: pres
-
-dn: cn=ntUserDomainId,cn=index,cn=userRoot,cn=ldbm database,cn=plugins,cn=config
-changetype: modify
-replace: nsIndexType
-nsIndexType: eq
-nsIndexType: pres
-
-dn: cn=fqdn,cn=index,cn=userRoot,cn=ldbm database,cn=plugins,cn=config
-changetype: add
-ObjectClass: top
-ObjectClass: nsIndex
-cn: fqdn
-nsSystemIndex: false
-nsIndexType: eq
-nsIndexType: pres
-nsIndexType: sub
-
-dn: cn=macAddress,cn=index,cn=userRoot,cn=ldbm database,cn=plugins,cn=config
-changetype: add
-ObjectClass: top
-ObjectClass: nsIndex
-cn: macAddress
-nsSystemIndex: false
-nsIndexType: eq
-nsIndexType: pres
-
-dn: cn=memberHost,cn=index,cn=userRoot,cn=ldbm database,cn=plugins,cn=config
-changetype: add
-cn: memberHost
-ObjectClass: top
-ObjectClass: nsIndex
-nsSystemIndex: false
-nsIndexType: eq
-nsIndexType: pres
-nsIndexType: sub
-
-dn: cn=memberUser,cn=index,cn=userRoot,cn=ldbm database,cn=plugins,cn=config
-changetype: add
-cn: memberUser
-ObjectClass: top
-ObjectClass: nsIndex
-nsSystemIndex: false
-nsIndexType: eq
-nsIndexType: pres
-nsIndexType: sub
-
-dn: cn=sourcehost,cn=index,cn=userRoot,cn=ldbm database,cn=plugins,cn=config
-changetype: add
-cn: sourcehost
-ObjectClass: top
-ObjectClass: nsIndex
-nsSystemIndex: false
-nsIndexType: eq
-nsIndexType: pres
-nsIndexType: sub
-
-dn: cn=memberservice,cn=index,cn=userRoot,cn=ldbm database,cn=plugins,cn=config
-changetype: add
-cn: memberservice
-ObjectClass: top
-ObjectClass: nsIndex
-nsSystemIndex: false
-nsIndexType: eq
-nsIndexType: pres
-nsIndexType: sub
-
-dn: cn=managedby,cn=index,cn=userRoot,cn=ldbm database,cn=plugins,cn=config
-changetype: add
-cn: managedby
-ObjectClass: top
-ObjectClass: nsIndex
-nsSystemIndex: false
-nsIndexType: eq
-nsIndexType: pres
-nsIndexType: sub
-
-dn: cn=memberallowcmd,cn=index,cn=userRoot,cn=ldbm database,cn=plugins,cn=config
-changetype: add
-cn: memberallowcmd
-ObjectClass: top
-ObjectClass: nsIndex
-nsSystemIndex: false
-nsIndexType: eq
-nsIndexType: pres
-nsIndexType: sub
-
-dn: cn=memberdenycmd,cn=index,cn=userRoot,cn=ldbm database,cn=plugins,cn=config
-changetype: add
-cn: memberdenycmd
-ObjectClass: top
-ObjectClass: nsIndex
-nsSystemIndex: false
-nsIndexType: eq
-nsIndexType: pres
-nsIndexType: sub
-
-dn: cn=ipasudorunas,cn=index,cn=userRoot,cn=ldbm database,cn=plugins,cn=config
-changetype: add
-cn: ipasudorunas
-ObjectClass: top
-ObjectClass: nsIndex
-nsSystemIndex: false
-nsIndexType: eq
-nsIndexType: pres
-nsIndexType: sub
-
-dn: cn=ipasudorunasgroup,cn=index,cn=userRoot,cn=ldbm database,cn=plugins,cn=config
-changetype: add
-cn: ipasudorunasgroup
-ObjectClass: top
-ObjectClass: nsIndex
-nsSystemIndex: false
-nsIndexType: eq
-nsIndexType: pres
-nsIndexType: sub
-
-dn: cn=automountkey,cn=index,cn=userRoot,cn=ldbm database,cn=plugins,cn=config
-changetype: add
-cn: automountkey
-ObjectClass: top
-ObjectClass: nsIndex
-nsSystemIndex: false
-nsIndexType: eq
-nsIndexType: pres
-
-dn: cn=automountMapName,cn=index,cn=userRoot,cn=ldbm database,cn=plugins,cn=config
-changetype: add
-cn: automountMapName
-ObjectClass: top
-ObjectClass: nsIndex
-nsSystemIndex: false
-nsIndexType: eq
-
-dn: cn=ipaConfigString,cn=index,cn=userRoot,cn=ldbm database,cn=plugins,cn=config
-changetype: add
-cn: ipaConfigString
-objectClass:top
-objectClass:nsIndex
-nsSystemIndex: false
-nsIndexType: eq
-
-dn: cn=ipaEnabledFlag,cn=index,cn=userRoot,cn=ldbm database,cn=plugins,cn=config
-changetype: add
-cn: ipaEnabledFlag
-objectClass:top
-objectClass:nsIndex
-nsSystemIndex: false
-nsIndexType: eq
-
-dn: cn=ipaKrbAuthzData,cn=index,cn=userRoot,cn=ldbm database,cn=plugins,cn=config
-changetype: add
-cn: ipaKrbAuthzData
-objectClass: top
-objectClass: nsIndex
-nsSystemIndex: false
-nsIndexType: eq
-nsIndexType: sub
-
-dn: cn=ipakrbprincipalalias,cn=index,cn=userRoot,cn=ldbm database,cn=plugins,cn=config
-changetype: add
-cn: ipakrbprincipalalias
-ObjectClass: top
-ObjectClass: nsIndex
-nsSystemIndex: false
-nsIndexType: eq
-
-dn: cn=ipauniqueid,cn=index,cn=userRoot,cn=ldbm database,cn=plugins,cn=config
-changetype: add
-cn: ipauniqueid
-ObjectClass: top
-ObjectClass: nsIndex
-nsSystemIndex: false
-nsIndexType: eq
-
-dn: cn=ipaMemberCa,cn=index,cn=userRoot,cn=ldbm database,cn=plugins,cn=config
-changetype: add
-cn: ipaMemberCa
-ObjectClass: top
-ObjectClass: nsIndex
-nsSystemIndex: false
-nsIndexType: eq
-nsIndexType: pres
-nsIndexType: sub
-
-dn: cn=ipaMemberCertProfile,cn=index,cn=userRoot,cn=ldbm database,cn=plugins,cn=config
-changetype: add
-cn: ipaMemberCertProfile
-ObjectClass: top
-ObjectClass: nsIndex
-nsSystemIndex: false
-nsIndexType: eq
-nsIndexType: pres
-nsIndexType: sub
-
-dn: cn=userCertificate,cn=index,cn=userRoot,cn=ldbm database,cn=plugins,cn=config
-changetype: add
-cn: userCertificate
-ObjectClass: top
-ObjectClass: nsIndex
-nsSystemIndex: false
-nsIndexType: eq
-nsIndexType: pres
-
-dn: cn=ipalocation,cn=index,cn=userRoot,cn=ldbm database,cn=plugins,cn=config
-changetype: add
-cn: ipalocation
-ObjectClass: top
-ObjectClass: nsIndex
-nsSystemIndex: false
-nsIndexType: eq
-nsIndexType: pres
-
-dn: cn=krbCanonicalName,cn=index,cn=userRoot,cn=ldbm database,cn=plugins,cn=config
-changetype: add
-cn: krbCanonicalName
-objectClass: top
-objectClass: nsIndex
-nsSystemIndex: false
-nsIndexType: eq
-nsIndexType: sub
-
-dn: cn=serverhostname,cn=index,cn=userRoot,cn=ldbm database,cn=plugins,cn=config
-changetype: add
-cn: serverhostname
-objectClass: top
-objectClass: nsIndex
-nsSystemIndex: false
-nsIndexType: eq
-nsIndexType: sub
-
-dn: cn=description,cn=index,cn=userroot,cn=ldbm database,cn=plugins,cn=config
-changetype: add
-cn: description
-objectClass: top
-objectClass: nsindex
-nssystemindex: false
-nsindextype: eq
-nsindextype: sub
-
-dn: cn=l,cn=index,cn=userroot,cn=ldbm database,cn=plugins,cn=config
-changetype: add
-cn: l
-objectClass: top
-objectClass: nsindex
-nssystemindex: false
-nsindextype: eq
-nsindextype: sub
-
-dn: cn=nsOsVersion,cn=index,cn=userroot,cn=ldbm database,cn=plugins,cn=config
-changetype: add
-cn: nsOsVersion
-objectClass: top
-objectClass: nsindex
-nssystemindex: false
-nsindextype: eq
-nsindextype: sub
-
-dn: cn=nsHardwarePlatform,cn=index,cn=userroot,cn=ldbm database,cn=plugins,cn=config
-changetype: add
-cn: nsHardwarePlatform
-objectClass: top
-objectClass: nsindex
-nssystemindex: false
-nsindextype: eq
-nsindextype: sub
-
-dn: cn=nsHostLocation,cn=index,cn=userroot,cn=ldbm database,cn=plugins,cn=config
-changetype: add
-cn: nsHostLocation
-objectClass: top
-objectClass: nsindex
-nssystemindex: false
-nsindextype: eq
-nsindextype: sub
-
-# NOTE: There is no index on ipServiceProtocol because the index would have
-# poor selectivity. An ipService entry has either 'tcp' or 'udp' as protocol.
-dn: cn=ipServicePort,cn=index,cn=userRoot,cn=ldbm database,cn=plugins,cn=config
-changetype: add
-cn: ipServicePort
-objectClass: top
-objectClass: nsIndex
-nsSystemIndex: false
-nsIndexType: eq
-
-dn: cn=accessRuleType,cn=index,cn=userRoot,cn=ldbm database,cn=plugins,cn=config
-changetype: add
-cn: accessRuleType
-objectClass:top
-objectClass:nsIndex
-nsSystemIndex: false
-nsIndexType: eq
-
-dn: cn=hostCategory,cn=index,cn=userRoot,cn=ldbm database,cn=plugins,cn=config
-changetype: add
-cn: hostCategory
-objectClass:top
-objectClass:nsIndex
-nsSystemIndex: false
-nsIndexType: eq
-
-dn: cn=idnsName,cn=index,cn=userRoot,cn=ldbm database,cn=plugins,cn=config
-changetype: add
-cn: idnsName
-objectClass: top
-objectClass: nsIndex
-nsSystemIndex: false
-nsIndexType: eq
-
-dn: cn=ipaCertmapData,cn=index,cn=userRoot,cn=ldbm database,cn=plugins,cn=config
-changetype: add
-cn: ipaCertmapData
-objectClass: top
-objectClass: nsIndex
-nsSystemIndex: false
-nsIndexType: eq
-
-dn: cn=altSecurityIdentities,cn=index,cn=userRoot,cn=ldbm database,cn=plugins,cn=config
-changetype: add
-cn: altSecurityIdentities
-objectClass: top
-objectClass: nsIndex
-nsSystemIndex: false
-nsIndexType: eq
-
-dn: cn=memberManager,cn=index,cn=userRoot,cn=ldbm database,cn=plugins,cn=config
-changetype: add
-cn: memberManager
-objectClass: top
-objectClass: nsIndex
-nsSystemIndex: false
-nsIndexType: eq
-nsIndexType: pres
--- a/install/share/ipa-kdc-proxy.conf.template
+++ b/install/share/ipa-kdc-proxy.conf.template
@@ -19,14 +19,11 @@

 WSGIDaemonProcess kdcproxy processes=2 threads=15 maximum-requests=5000 \
  user=kdcproxy group=kdcproxy display-name=%{GROUP}
-WSGIImportScript /usr/share/ipa/kdcproxy.wsgi \
-  process-group=kdcproxy application-group=kdcproxy
-WSGIScriptAlias /KdcProxy /usr/share/ipa/kdcproxy.wsgi
+WSGIScriptAlias /KdcProxy /usr/share/ipa/kdcproxy.wsgi \
+  process-group=kdcproxy application-group=%{GLOBAL}
 WSGIScriptReloading Off

 <Location "/KdcProxy">
  Satisfy Any
  Require all granted
-  WSGIProcessGroup kdcproxy
-  WSGIApplicationGroup kdcproxy
 </Location>
--- a/install/share/ipa-pki-proxy.conf.template
+++ b/install/share/ipa-pki-proxy.conf.template
@@ -1,4 +1,4 @@
-# VERSION 15 - DO NOT REMOVE THIS LINE
+# VERSION 17 - DO NOT REMOVE THIS LINE

 ProxyRequests Off

@@ -11,7 +11,7 @@ ProxyRequests Off
 </LocationMatch>

 # matches for admin port and installer
-<LocationMatch "^/ca/admin/ca/getCertChain|^/ca/admin/ca/getConfigEntries|^/ca/admin/ca/getCookie|^/ca/admin/ca/getStatus|^/ca/admin/ca/securityDomainLogin|^/ca/admin/ca/getDomainXML|^/ca/admin/ca/updateNumberRange|^/ca/admin/ca/tokenAuthenticate|^/ca/admin/ca/updateNumberRange|^/ca/admin/ca/updateDomainXML|^/ca/admin/ca/updateConnector|^/ca/admin/ca/getSubsystemCert|^/kra/admin/kra/updateNumberRange|^/kra/admin/kra/getConfigEntries">
+<LocationMatch "^/ca/admin/ca/getCertChain|^/ca/admin/ca/getConfigEntries|^/ca/admin/ca/getCookie|^/ca/admin/ca/getStatus|^/ca/admin/ca/securityDomainLogin|^/ca/admin/ca/getDomainXML|^/ca/admin/ca/updateNumberRange|^/ca/admin/ca/tokenAuthenticate|^/ca/admin/ca/updateNumberRange|^/ca/admin/ca/updateDomainXML|^/ca/admin/ca/updateConnector|^/ca/admin/ca/getSubsystemCert|^/kra/admin/kra/updateNumberRange|^/kra/admin/kra/getConfigEntries|^/kra/admin/kra/getStatus">
    SSLOptions +StdEnvVars +ExportCertData +StrictRequire +OptRenegotiate
    SSLVerifyClient none
    ProxyPassMatch ajp://localhost:$DOGTAG_PORT $DOGTAG_AJP_SECRET
@@ -34,5 +34,15 @@ ProxyRequests Off
    ProxyPassReverse ajp://localhost:$DOGTAG_PORT
 </LocationMatch>

+# Matches for ACME service
+<LocationMatch "^/acme">
+    SSLOptions +StdEnvVars +ExportCertData +StrictRequire +OptRenegotiate
+    # RFC 8555 says HTTPS is REQUIRED
+    SSLRequireSSL
+    SSLVerifyClient none
+    ProxyPassMatch ajp://localhost:$DOGTAG_PORT
+    ProxyPassReverse ajp://localhost:$DOGTAG_PORT
+</LocationMatch>
+
 # Only enable this on servers that are not generating a CRL
 ${CLONE}RewriteRule ^/ipa/crl/MasterCRL.bin http://$FQDN/ca/ee/ca/getCRL?op=getCRL&crlIssuingPoint=MasterCRL [L,R=301,NC]
--- a/install/share/ipa-rewrite.conf.template
+++ b/install/share/ipa-rewrite.conf.template
@@ -1,4 +1,4 @@
-# VERSION 6 - DO NOT REMOVE THIS LINE
+# VERSION 7 - DO NOT REMOVE THIS LINE

 RewriteEngine on

@@ -9,6 +9,7 @@ ${AUTOREDIR}RewriteRule ^/$$ https://$FQDN/ipa/ui [L,NC,R=301]
 # Redirect to the fully-qualified hostname. Not redirecting to secure
 # port so configuration files can be retrieved without requiring SSL.
 RewriteCond %{HTTP_HOST}    !^$FQDN$$ [NC]
+RewriteCond %{HTTP_HOST}    !^ipa-ca.$DOMAIN$$ [NC]
 RewriteRule ^/ipa/(.*)      http://$FQDN/ipa/$$1 [L,R=301]

 # Redirect to the secure port if not displaying an error or retrieving
@@ -18,5 +19,10 @@ RewriteCond %{REQUEST_URI}  !^/ipa/(errors|config|crl)
 RewriteCond %{REQUEST_URI}  !^/ipa/[^\?]+(\.js|\.css|\.png|\.gif|\.ico|\.woff|\.svg|\.ttf|\.eot)$$
 RewriteRule ^/ipa/(.*)      https://$FQDN/ipa/$$1 [L,R=301,NC]

+RewriteCond %{HTTP_HOST}    ^ipa-ca.$DOMAIN$$ [NC]
+RewriteCond %{REQUEST_URI}  !^/ipa/crl
+RewriteCond %{REQUEST_URI}  !^/(ca|kra|pki|acme)
+RewriteRule ^/(.*)          https://$FQDN/$$1 [L,R=301]
+
 # Rewrite for plugin index, make it like it's a static file
 RewriteRule ^/ipa/ui/js/freeipa/plugins.js$$    /ipa/wsgi/plugins.py [PT]
--- a/install/share/ipa.conf.template
+++ b/install/share/ipa.conf.template
@@ -1,5 +1,5 @@
 #
-# VERSION 31 - DO NOT REMOVE THIS LINE
+# VERSION 33 - DO NOT REMOVE THIS LINE
 #
 # This file may be overwritten on upgrades.
 #
@@ -39,13 +39,12 @@ AddOutputFilterByType DEFLATE text/html text/plain text/xml \
 # should really be fixed by adding this its /etc/httpd/conf.d/wsgi.conf:
 WSGISocketPrefix $WSGI_PREFIX_DIR

-
 # Configure mod_wsgi handler for /ipa
 WSGIDaemonProcess ipa processes=$WSGI_PROCESSES threads=1 maximum-requests=500 \
  user=ipaapi group=ipaapi display-name=%{GROUP} socket-timeout=2147483647 \
  lang=C.UTF-8 locale=C.UTF-8
-WSGIImportScript /usr/share/ipa/wsgi.py process-group=ipa application-group=ipa
-WSGIScriptAlias /ipa /usr/share/ipa/wsgi.py
+WSGIScriptAlias /ipa /usr/share/ipa/wsgi.py process-group=ipa \
+  application-group=%{GLOBAL}
 WSGIScriptReloading Off


@@ -75,13 +74,12 @@ WSGIScriptReloading Off

  GssapiImpersonate On
  GssapiDelegCcacheDir $IPA_CCACHES
-  GssapiDelegCcachePerms mode:0660 gid:ipaapi
+  GssapiDelegCcachePerms mode:0660
+  GssapiDelegCcacheUnique On
  GssapiUseS4U2Proxy on
  GssapiAllowedMech krb5
  Require valid-user
  ErrorDocument 401 /ipa/errors/unauthorized.html
-  WSGIProcessGroup ipa
-  WSGIApplicationGroup ipa
  Header always append X-Frame-Options DENY
  Header always append Content-Security-Policy "frame-ancestors 'none'"

@@ -116,7 +114,8 @@ Alias /ipa/session/cookie "/usr/share/ipa/gssapi.login"
 <Location "/ipa/session/login_x509">
  AuthType none
  GssapiDelegCcacheDir $IPA_CCACHES
-  GssapiDelegCcachePerms mode:0660 gid:ipaapi
+  GssapiDelegCcachePerms mode:0660
+  GssapiDelegCcacheUnique On
  SSLVerifyClient require
  SSLUserName SSL_CLIENT_CERT
  LookupUserByCertificate On
--- a/install/share/ipaca_customize.ini
+++ b/install/share/ipaca_customize.ini
@@ -85,7 +85,6 @@ pki_subsystem_key_type=%(ipa_key_type)s
 pki_subsystem_token=%(pki_token_name)s

 [CA]
-pki_random_serial_numbers_enable=False

 ## caSigningCert cert-pki-ca
 pki_ca_signing_key_algorithm=%(ipa_ca_key_algorithm)s
--- a/install/share/ipaca_default.ini
+++ b/install/share/ipaca_default.ini
@@ -2,7 +2,7 @@
 # Dogtag PKI configuration file
 #
 # The ipaca_default.ini contains hard-coded defaults that cannot be modified
-# by a user without breaking FreeIPA internals.
+# by a user without breaking IPA internals.
 #
 # Note: "%" must be quoted as "%%".
 #
@@ -40,7 +40,7 @@ pki_ca_port=%(pki_security_domain_https_port)s

 # nickname and subject are hard-coded
 pki_ca_signing_nickname=caSigningCert cert-pki-ca
-pki_ca_signing_cert_path=%(pki_instance_configuration_path)s/external_ca.cert
+pki_ca_signing_cert_path=

 pki_client_admin_cert_p12=%(ipa_admin_cert_p12)s
 pki_client_database_password=
@@ -67,7 +67,6 @@ pki_replication_password=

 pki_enable_proxy=True
 pki_ajp_secret=%(ipa_ajp_secret)s
-pki_restart_configured_instance=False
 pki_security_domain_hostname=%(ipa_fqdn)s
 pki_security_domain_https_port=443
 pki_security_domain_name=IPA
@@ -81,7 +80,6 @@ pki_skip_installation=False
 pki_skip_sd_verify=False

 pki_sslserver_token=internal
-pki_ssl_server_token=%(pki_sslserver_token)s
 pki_sslserver_nickname=Server-Cert cert-pki-ca
 pki_sslserver_subject_dn=cn=%(ipa_fqdn)s,%(ipa_subject_base)s

@@ -89,14 +87,12 @@ pki_sslserver_subject_dn=cn=%(ipa_fqdn)s,%(ipa_subject_base)s
 pki_subsystem_nickname=subsystemCert cert-pki-ca
 pki_subsystem_subject_dn=cn=CA Subsystem,%(ipa_subject_base)s

-pki_theme_enable=True
-pki_theme_server_dir=/usr/share/pki/common-ui
 pki_audit_group=pkiaudit
 pki_group=pkiuser
 pki_user=pkiuser
 pki_existing=False

-pki_cert_chain_path=%(pki_instance_configuration_path)s/external_ca_chain.cert
+pki_cert_chain_path=
 pki_cert_chain_nickname=caSigningCert External CA

 pki_pkcs12_path=
@@ -110,7 +106,7 @@ pki_ca_signing_record_create=True
 pki_ca_signing_serial_number=1
 pki_ca_signing_subject_dn=%(ipa_ca_subject)s

-pki_ca_signing_csr_path=/root/ipa.csr
+pki_ca_signing_csr_path=

 pki_ca_starting_crl_number=0

@@ -132,6 +128,7 @@ pki_audit_signing_nickname=auditSigningCert cert-pki-ca
 pki_audit_signing_subject_dn=cn=CA Audit,%(ipa_subject_base)s

 pki_share_db=False
+pki_share_dbuser_dn=uid=pkidbuser,ou=people,o=ipaca
 pki_master_crl_enable=True

 pki_default_ocsp_uri=%(ipa_ocsp_uri)s
@@ -167,3 +164,6 @@ pki_audit_signing_subject_dn=cn=KRA Audit,%(ipa_subject_base)s
 # We will use the dbuser created for the CA.
 pki_share_db=True
 pki_share_dbuser_dn=uid=pkidbuser,ou=people,o=ipaca
+
+# KRA padding, set RSA-OAEP in FIPS mode
+pki_use_oaep_rsa_keywrap=%(fips_use_oaep_rsa_keywrap)s
--- a/install/share/kdc.conf.template
+++ b/install/share/kdc.conf.template
@@ -6,7 +6,8 @@

 [realms]
 $REALM = {
-  master_key_type = aes256-cts
+  master_key_type = $MASTER_KEY_TYPE
+  supported_enctypes = $SUPPORTED_ENCTYPES
  max_life = 7d
  max_renewable_life = 14d
  acl_file = $KRB5KDC_KADM5_ACL
--- a/install/share/kerberos.ldif
+++ b/install/share/kerberos.ldif
@@ -28,6 +28,8 @@ ${FIPS}krbSupportedEncSaltTypes: camellia256-cts-cmac:normal
 ${FIPS}krbSupportedEncSaltTypes: camellia256-cts-cmac:special
 krbMaxTicketLife: 86400
 krbMaxRenewableAge: 604800
+krbDefaultEncSaltTypes: aes256-sha2:special
+krbDefaultEncSaltTypes: aes128-sha2:special
 krbDefaultEncSaltTypes: aes256-cts:special
 krbDefaultEncSaltTypes: aes128-cts:special

@@ -37,6 +39,7 @@ changetype: add
 objectClass: top
 objectClass: nsContainer
 objectClass: krbPwdPolicy
+objectClass: ipaPwdPolicy
 krbMinPwdLife: 3600
 krbPwdMinDiffChars: 0
 krbPwdMinLength: 8
@@ -45,4 +48,4 @@ krbMaxPwdLife: 7776000
 krbPwdMaxFailure: 6
 krbPwdFailureCountInterval: 60
 krbPwdLockoutDuration: 600
-
+passwordGraceLimit: -1
--- a/install/share/krb5.conf.template
+++ b/install/share/krb5.conf.template
@@ -1,5 +1,4 @@
 $INCLUDES
-includedir /var/lib/sss/pubconf/krb5.include.d/

 [logging]
 default = FILE:/var/log/krb5libs.log
@@ -19,6 +18,7 @@ $OTHER_LIBDEFAULTS
 $REALM = {
  kdc = $FQDN:88
  master_kdc = $FQDN:88
+  kpasswd_server = $FQDN:464
  admin_server = $FQDN:749
  default_domain = $DOMAIN
  pkinit_anchors = FILE:$KDC_CA_BUNDLE_PEM
--- a/install/share/memberof-conf.ldif
+++ b/install/share/memberof-conf.ldif
@@ -8,4 +8,6 @@ memberofgroupattr: memberUser
 -
 add: memberofgroupattr
 memberofgroupattr: memberHost
-
+-
+add: memberofgroupattr
+memberofgroupattr: ipaOwner
--- a/install/share/pki-acme-configsources.conf.template
+++ b/install/share/pki-acme-configsources.conf.template
@@ -0,0 +1,3 @@
+# VERSION 2 - DO NOT REMOVE THIS LINE
+engine.class=org.dogtagpki.acme.server.ACMEEngineConfigFileSource
+engine.filename=/etc/pki/pki-tomcat/acme/engine.conf
--- a/install/share/pki-acme-database.conf.template
+++ b/install/share/pki-acme-database.conf.template
@@ -0,0 +1,4 @@
+# VERSION 2 - DO NOT REMOVE THIS LINE
+class=org.dogtagpki.acme.database.LDAPDatabase
+basedn=ou=acme,o=ipaca
+configFile=/etc/pki/pki-tomcat/ca/CS.cfg
--- a/install/share/pki-acme-engine.conf.template
+++ b/install/share/pki-acme-engine.conf.template
@@ -0,0 +1,14 @@
+# VERSION 2 - DO NOT REMOVE THIS LINE
+# Parameters read by ACMEEngineConfigFileSource, i.e. these are
+# expected to be in the file pointed to by the 'filename' directive
+# above.
+#
+# IPA only sets the values it uses.
+#
+# Whether to enable the ACME service:
+enabled=false
+
+# Whether to accept wildcard DNS identifiers:
+policy.wildcard=false
+
+baseURL=https://$FQDN/acme
--- a/install/share/pki-acme-issuer.conf.template
+++ b/install/share/pki-acme-issuer.conf.template
@@ -0,0 +1,6 @@
+# VERSION 2 - DO NOT REMOVE THIS LINE
+class=org.dogtagpki.acme.issuer.PKIIssuer
+url=https://$FQDN:8443
+profile=acmeIPAServerCert
+username=$USER
+password=$PASSWORD
--- a/install/share/pki-acme-realm.conf.template
+++ b/install/share/pki-acme-realm.conf.template
@@ -0,0 +1,9 @@
+# VERSION 2 - DO NOT REMOVE THIS LINE
+authType=BasicAuth
+class=org.dogtagpki.acme.realm.DSRealm
+groupsDN=ou=groups,o=ipaca
+usersDN=ou=people,o=ipaca
+url=ldaps://$FQDN:636
+configFile=/etc/pki/pki-tomcat/ca/CS.cfg
+username=$USER
+password=$PASSWORD
--- a/install/share/profiles/IECUserRoles.cfg
+++ b/install/share/profiles/IECUserRoles.cfg
@@ -81,7 +81,7 @@ policyset.serverCertSet.7.default.params.exKeyUsageCritical=false
 policyset.serverCertSet.7.default.params.exKeyUsageOIDs=1.3.6.1.5.5.7.3.1,1.3.6.1.5.5.7.3.2
 policyset.serverCertSet.8.constraint.class_id=signingAlgConstraintImpl
 policyset.serverCertSet.8.constraint.name=No Constraint
-policyset.serverCertSet.8.constraint.params.signingAlgsAllowed=SHA1withRSA,SHA256withRSA,SHA512withRSA,MD5withRSA,MD2withRSA,SHA1withDSA,SHA1withEC,SHA256withEC,SHA384withEC,SHA512withEC
+policyset.serverCertSet.8.constraint.params.signingAlgsAllowed=SHA1withRSA,SHA256withRSA,SHA384withRSA,SHA512withRSA,MD5withRSA,MD2withRSA,SHA1withDSA,SHA1withEC,SHA256withEC,SHA384withEC,SHA512withEC
 policyset.serverCertSet.8.default.class_id=signingAlgDefaultImpl
 policyset.serverCertSet.8.default.name=Signing Alg
 policyset.serverCertSet.8.default.params.signingAlg=-
--- a/install/share/profiles/KDCs_PKINIT_Certs.cfg
+++ b/install/share/profiles/KDCs_PKINIT_Certs.cfg
@@ -12,7 +12,7 @@ input.i2.class_id=submitterInfoInputImpl
 output.list=o1
 output.o1.class_id=certOutputImpl
 policyset.list=serverCertSet
-policyset.serverCertSet.list=1,2,3,4,5,6,7,8,9,10,11
+policyset.serverCertSet.list=1,2,3,4,5,6,7,8,9,10,11,12
 policyset.serverCertSet.1.constraint.class_id=subjectNameConstraintImpl
 policyset.serverCertSet.1.constraint.name=Subject Name Constraint
 policyset.serverCertSet.1.constraint.params.pattern=CN=[^,]+,.+
@@ -81,7 +81,7 @@ policyset.serverCertSet.7.default.params.exKeyUsageCritical=false
 policyset.serverCertSet.7.default.params.exKeyUsageOIDs=1.3.6.1.5.5.7.3.1,1.3.6.1.5.2.3.5
 policyset.serverCertSet.8.constraint.class_id=signingAlgConstraintImpl
 policyset.serverCertSet.8.constraint.name=No Constraint
-policyset.serverCertSet.8.constraint.params.signingAlgsAllowed=SHA1withRSA,SHA256withRSA,SHA512withRSA,SHA1withDSA,SHA1withEC,SHA256withEC,SHA384withEC,SHA512withEC
+policyset.serverCertSet.8.constraint.params.signingAlgsAllowed=SHA1withRSA,SHA256withRSA,SHA384withRSA,SHA512withRSA,SHA1withDSA,SHA1withEC,SHA256withEC,SHA384withEC,SHA512withEC
 policyset.serverCertSet.8.default.class_id=signingAlgDefaultImpl
 policyset.serverCertSet.8.default.name=Signing Alg
 policyset.serverCertSet.8.default.params.signingAlg=-
@@ -107,3 +107,7 @@ policyset.serverCertSet.11.constraint.name=No Constraint
 policyset.serverCertSet.11.default.class_id=userExtensionDefaultImpl
 policyset.serverCertSet.11.default.name=User Supplied Extension Default
 policyset.serverCertSet.11.default.params.userExtOID=2.5.29.17
+policyset.serverCertSet.12.constraint.class_id=noConstraintImpl
+policyset.serverCertSet.12.constraint.name=No Constraint
+policyset.serverCertSet.12.default.class_id=commonNameToSANDefaultImpl
+policyset.serverCertSet.12.default.name=Copy Common Name to Subject Alternative Name
--- a/install/share/profiles/Makefile.am
+++ b/install/share/profiles/Makefile.am
@@ -7,6 +7,7 @@ app_DATA =				\
 	caIPAserviceCert.UPGRADE.cfg	\
 	IECUserRoles.cfg		\
 	KDCs_PKINIT_Certs.cfg		\
+	acmeIPAServerCert.cfg		\
 	$(NULL)

 EXTRA_DIST =				\
--- a/install/share/profiles/Makefile.in
+++ b/install/share/profiles/Makefile.in
@@ -1,7 +1,7 @@
-# Makefile.in generated by automake 1.16.2 from Makefile.am.
+# Makefile.in generated by automake 1.17 from Makefile.am.
 # @configure_input@

-# Copyright (C) 1994-2020 Free Software Foundation, Inc.
+# Copyright (C) 1994-2024 Free Software Foundation, Inc.

 # This Makefile.in is free software; the Free Software Foundation
 # gives unlimited permission to copy and/or distribute it,
@@ -70,6 +70,8 @@ am__make_running_with_option = \
  test $$has_opt = yes
 am__make_dryrun = (target_option=n; $(am__make_running_with_option))
 am__make_keepgoing = (target_option=k; $(am__make_running_with_option))
+am__rm_f = rm -f $(am__rm_f_notfound)
+am__rm_rf = rm -rf $(am__rm_f_notfound)
 pkgdatadir = $(datadir)/@PACKAGE@
 pkgincludedir = $(includedir)/@PACKAGE@
 pkglibdir = $(libdir)/@PACKAGE@
@@ -147,10 +149,9 @@ am__base_list = \
  sed '$$!N;$$!N;$$!N;$$!N;$$!N;$$!N;$$!N;s/\n/ /g' | \
  sed '$$!N;$$!N;$$!N;$$!N;s/\n/ /g'
 am__uninstall_files_from_dir = { \
-  test -z "$$files" \
-    || { test ! -d "$$dir" && test ! -f "$$dir" && test ! -r "$$dir"; } \
-    || { echo " ( cd '$$dir' && rm -f" $$files ")"; \
-         $(am__cd) "$$dir" && rm -f $$files; }; \
+  { test ! -d "$$dir" && test ! -f "$$dir" && test ! -r "$$dir"; } \
+  || { echo " ( cd '$$dir' && rm -f" $$files ")"; \
+       $(am__cd) "$$dir" && echo $$files | $(am__xargs_n) 40 $(am__rm_f); }; \
  }
 am__installdirs = "$(DESTDIR)$(appdir)"
 DATA = $(app_DATA)
@@ -176,6 +177,8 @@ CPP = @CPP@
 CPPFLAGS = @CPPFLAGS@
 CRYPTO_CFLAGS = @CRYPTO_CFLAGS@
 CRYPTO_LIBS = @CRYPTO_LIBS@
+CSCOPE = @CSCOPE@
+CTAGS = @CTAGS@
 CYGPATH_W = @CYGPATH_W@
 DATA_VERSION = @DATA_VERSION@
 DEFS = @DEFS@
@@ -189,8 +192,10 @@ ECHO_C = @ECHO_C@
 ECHO_N = @ECHO_N@
 ECHO_T = @ECHO_T@
 EGREP = @EGREP@
+ETAGS = @ETAGS@
 EXEEXT = @EXEEXT@
 FGREP = @FGREP@
+FILECMD = @FILECMD@
 GETTEXT_DOMAIN = @GETTEXT_DOMAIN@
 GETTEXT_MACRO_VERSION = @GETTEXT_MACRO_VERSION@
 GIT_BRANCH = @GIT_BRANCH@
@@ -198,6 +203,7 @@ GIT_VERSION = @GIT_VERSION@
 GMSGFMT = @GMSGFMT@
 GMSGFMT_015 = @GMSGFMT_015@
 GREP = @GREP@
+HTTPD_GROUP = @HTTPD_GROUP@
 INI_CFLAGS = @INI_CFLAGS@
 INI_LIBS = @INI_LIBS@
 INSTALL = @INSTALL@
@@ -210,9 +216,12 @@ INTL_MACOSX_LIBS = @INTL_MACOSX_LIBS@
 IPAPLATFORM = @IPAPLATFORM@
 IPA_DATA_DIR = @IPA_DATA_DIR@
 IPA_SYSCONF_DIR = @IPA_SYSCONF_DIR@
+JANSSON_CFLAGS = @JANSSON_CFLAGS@
+JANSSON_LIBS = @JANSSON_LIBS@
 JSLINT = @JSLINT@
 KRAD_LIBS = @KRAD_LIBS@
 KRB5KDC_SERVICE = @KRB5KDC_SERVICE@
+KRB5_BUILD_VERSION = @KRB5_BUILD_VERSION@
 KRB5_CFLAGS = @KRB5_CFLAGS@
 KRB5_GSSAPI_CFLAGS = @KRB5_GSSAPI_CFLAGS@
 KRB5_GSSAPI_LIBS = @KRB5_GSSAPI_LIBS@
@@ -221,6 +230,8 @@ LD = @LD@
 LDAP_CFLAGS = @LDAP_CFLAGS@
 LDAP_LIBS = @LDAP_LIBS@
 LDFLAGS = @LDFLAGS@
+LIBCURL_CFLAGS = @LIBCURL_CFLAGS@
+LIBCURL_LIBS = @LIBCURL_LIBS@
 LIBICONV = @LIBICONV@
 LIBINTL = @LIBINTL@
 LIBINTL_LIBS = @LIBINTL_LIBS@
@@ -280,6 +291,8 @@ PLATFORM_PYTHON = @PLATFORM_PYTHON@
 POPT_CFLAGS = @POPT_CFLAGS@
 POPT_LIBS = @POPT_LIBS@
 POSUB = @POSUB@
+PWQUALITY_CFLAGS = @PWQUALITY_CFLAGS@
+PWQUALITY_LIBS = @PWQUALITY_LIBS@
 PYLINT = @PYLINT@
 PYTHON = @PYTHON@
 PYTHON_EXEC_PREFIX = @PYTHON_EXEC_PREFIX@
@@ -288,9 +301,12 @@ PYTHON_PLATFORM = @PYTHON_PLATFORM@
 PYTHON_PREFIX = @PYTHON_PREFIX@
 PYTHON_VERSION = @PYTHON_VERSION@
 RANLIB = @RANLIB@
+RESOLV_LIBS = @RESOLV_LIBS@
+RPMLINT = @RPMLINT@
 SAMBA40EXTRA_LIBPATH = @SAMBA40EXTRA_LIBPATH@
 SAMBAUTIL_CFLAGS = @SAMBAUTIL_CFLAGS@
 SAMBAUTIL_LIBS = @SAMBAUTIL_LIBS@
+SAMBA_SECURITY_LIBS = @SAMBA_SECURITY_LIBS@
 SASL_CFLAGS = @SASL_CFLAGS@
 SASL_LIBS = @SASL_LIBS@
 SED = @SED@
@@ -329,8 +345,10 @@ ac_ct_DUMPBIN = @ac_ct_DUMPBIN@
 am__include = @am__include@
 am__leading_dot = @am__leading_dot@
 am__quote = @am__quote@
+am__rm_f_notfound = @am__rm_f_notfound@
 am__tar = @am__tar@
 am__untar = @am__untar@
+am__xargs_n = @am__xargs_n@
 bindir = @bindir@
 build = @build@
 build_alias = @build_alias@
@@ -376,6 +394,7 @@ sharedstatedir = @sharedstatedir@
 srcdir = @srcdir@
 sysconfdir = @sysconfdir@
 sysconfenvdir = @sysconfenvdir@
+systemdcatalogdir = @systemdcatalogdir@
 systemdsystemunitdir = @systemdsystemunitdir@
 systemdtmpfilesdir = @systemdtmpfilesdir@
 target_alias = @target_alias@
@@ -390,6 +409,7 @@ app_DATA = \
 	caIPAserviceCert.UPGRADE.cfg	\
 	IECUserRoles.cfg		\
 	KDCs_PKINIT_Certs.cfg		\
+	acmeIPAServerCert.cfg		\
 	$(NULL)

 EXTRA_DIST = \
@@ -461,7 +481,6 @@ ctags CTAGS:

 cscope cscopelist:

-
 distdir: $(BUILT_SOURCES)
 	$(MAKE) $(AM_MAKEFLAGS) distdir-am

@@ -526,8 +545,8 @@ mostlyclean-generic:
 clean-generic:

 distclean-generic:
-	-test -z "$(CONFIG_CLEAN_FILES)" || rm -f $(CONFIG_CLEAN_FILES)
-	-test . = "$(srcdir)" || test -z "$(CONFIG_CLEAN_VPATH_FILES)" || rm -f $(CONFIG_CLEAN_VPATH_FILES)
+	-$(am__rm_f) $(CONFIG_CLEAN_FILES)
+	-test . = "$(srcdir)" || $(am__rm_f) $(CONFIG_CLEAN_VPATH_FILES)

 maintainer-clean-generic:
 	@echo "This command is intended for maintainers to use"
@@ -619,3 +638,10 @@ uninstall-am: uninstall-appDATA
 # Tell versions [3.59,3.63) of GNU make to not export all variables.
 # Otherwise a system limit (for SysV at least) may be exceeded.
 .NOEXPORT:
+
+# Tell GNU make to disable its built-in pattern rules.
+%:: %,v
+%:: RCS/%,v
+%:: RCS/%
+%:: s.%
+%:: SCCS/s.%
--- a/install/share/profiles/acmeIPAServerCert.cfg
+++ b/install/share/profiles/acmeIPAServerCert.cfg
@@ -0,0 +1,107 @@
+profileId=acmeIPAServerCert
+classId=caEnrollImpl
+desc=ACME profile for use in IPA deployments
+visible=true
+enable=true
+enableBy=admin
+auth.instance_id=SessionAuthentication
+authz.acl=group="$ACME_AGENT_GROUP"
+name=IPA ACME Service Certificate Enrollment
+input.list=i1,i2
+input.i1.class_id=certReqInputImpl
+input.i2.class_id=submitterInfoInputImpl
+output.list=o1
+output.o1.class_id=certOutputImpl
+policyset.list=serverCertSet
+policyset.serverCertSet.list=1,2,3,4,5,6,7,8,9,10,11
+policyset.serverCertSet.1.constraint.class_id=keyUsageExtConstraintImpl
+policyset.serverCertSet.1.constraint.name=Key Usage Extension Constraint
+policyset.serverCertSet.1.constraint.params.keyUsageCritical=true
+policyset.serverCertSet.1.constraint.params.keyUsageDigitalSignature=true
+policyset.serverCertSet.1.constraint.params.keyUsageNonRepudiation=false
+policyset.serverCertSet.1.constraint.params.keyUsageDataEncipherment=false
+policyset.serverCertSet.1.constraint.params.keyUsageKeyEncipherment=true
+policyset.serverCertSet.1.constraint.params.keyUsageKeyAgreement=false
+policyset.serverCertSet.1.constraint.params.keyUsageKeyCertSign=false
+policyset.serverCertSet.1.constraint.params.keyUsageCrlSign=false
+policyset.serverCertSet.1.constraint.params.keyUsageEncipherOnly=false
+policyset.serverCertSet.1.constraint.params.keyUsageDecipherOnly=false
+policyset.serverCertSet.1.default.class_id=keyUsageExtDefaultImpl
+policyset.serverCertSet.1.default.name=Key Usage Default
+policyset.serverCertSet.1.default.params.keyUsageCritical=true
+policyset.serverCertSet.1.default.params.keyUsageDigitalSignature=true
+policyset.serverCertSet.1.default.params.keyUsageNonRepudiation=false
+policyset.serverCertSet.1.default.params.keyUsageDataEncipherment=false
+policyset.serverCertSet.1.default.params.keyUsageKeyEncipherment=true
+policyset.serverCertSet.1.default.params.keyUsageKeyAgreement=false
+policyset.serverCertSet.1.default.params.keyUsageKeyCertSign=false
+policyset.serverCertSet.1.default.params.keyUsageCrlSign=false
+policyset.serverCertSet.1.default.params.keyUsageEncipherOnly=false
+policyset.serverCertSet.1.default.params.keyUsageDecipherOnly=false
+policyset.serverCertSet.2.constraint.class_id=noConstraintImpl
+policyset.serverCertSet.2.constraint.name=No Constraint
+policyset.serverCertSet.2.default.class_id=extendedKeyUsageExtDefaultImpl
+policyset.serverCertSet.2.default.name=Extended Key Usage Extension Default
+policyset.serverCertSet.2.default.params.exKeyUsageCritical=false
+policyset.serverCertSet.2.default.params.exKeyUsageOIDs=1.3.6.1.5.5.7.3.1,1.3.6.1.5.5.7.3.2
+policyset.serverCertSet.3.constraint.class_id=noConstraintImpl
+policyset.serverCertSet.3.constraint.name=No Constraint
+policyset.serverCertSet.3.default.class_id=subjectKeyIdentifierExtDefaultImpl
+policyset.serverCertSet.3.default.name=Subject Key Identifier Extension Default
+policyset.serverCertSet.3.default.params.critical=false
+policyset.serverCertSet.4.constraint.class_id=noConstraintImpl
+policyset.serverCertSet.4.constraint.name=No Constraint
+policyset.serverCertSet.4.default.class_id=authorityKeyIdentifierExtDefaultImpl
+policyset.serverCertSet.4.default.name=Authority Key Identifier Default
+policyset.serverCertSet.5.constraint.class_id=noConstraintImpl
+policyset.serverCertSet.5.constraint.name=No Constraint
+policyset.serverCertSet.5.default.class_id=authInfoAccessExtDefaultImpl
+policyset.serverCertSet.5.default.name=AIA Extension Default
+policyset.serverCertSet.5.default.params.authInfoAccessADEnable_0=true
+policyset.serverCertSet.5.default.params.authInfoAccessADLocationType_0=URIName
+policyset.serverCertSet.5.default.params.authInfoAccessADLocation_0=http://$IPA_CA_RECORD.$DOMAIN/ca/ocsp
+policyset.serverCertSet.5.default.params.authInfoAccessADMethod_0=1.3.6.1.5.5.7.48.1
+policyset.serverCertSet.5.default.params.authInfoAccessCritical=false
+policyset.serverCertSet.5.default.params.authInfoAccessNumADs=1
+policyset.serverCertSet.6.constraint.class_id=noConstraintImpl
+policyset.serverCertSet.6.constraint.name=No Constraint
+policyset.serverCertSet.6.default.class_id=userExtensionDefaultImpl
+policyset.serverCertSet.6.default.name=User supplied extension in CSR
+policyset.serverCertSet.6.default.params.userExtOID=2.5.29.17
+policyset.serverCertSet.7.constraint.class_id=validityConstraintImpl
+policyset.serverCertSet.7.constraint.name=Validity Constraint
+policyset.serverCertSet.7.constraint.params.range=90
+policyset.serverCertSet.7.constraint.params.notBeforeCheck=false
+policyset.serverCertSet.7.constraint.params.notAfterCheck=false
+policyset.serverCertSet.7.default.class_id=validityDefaultImpl
+policyset.serverCertSet.7.default.name=Validity Default
+policyset.serverCertSet.7.default.params.range=90
+policyset.serverCertSet.7.default.params.startTime=0
+policyset.serverCertSet.8.constraint.class_id=signingAlgConstraintImpl
+policyset.serverCertSet.8.constraint.name=No Constraint
+policyset.serverCertSet.8.constraint.params.signingAlgsAllowed=SHA256withRSA,SHA384withRSA,SHA512withRSA,SHA256withEC,SHA384withRSA,SHA384withEC,SHA512withEC
+policyset.serverCertSet.8.default.class_id=signingAlgDefaultImpl
+policyset.serverCertSet.8.default.name=Signing Alg
+policyset.serverCertSet.8.default.params.signingAlg=-
+policyset.serverCertSet.9.constraint.class_id=noConstraintImpl
+policyset.serverCertSet.9.constraint.name=No Constraint
+policyset.serverCertSet.9.default.class_id=sanToCNDefaultImpl
+policyset.serverCertSet.9.default.name=SAN to CN Default
+policyset.serverCertSet.10.constraint.class_id=keyConstraintImpl
+policyset.serverCertSet.10.constraint.name=Key Constraint
+policyset.serverCertSet.10.constraint.params.keyType=RSA
+policyset.serverCertSet.10.constraint.params.keyParameters=2048,3072,4096,8192
+policyset.serverCertSet.10.default.class_id=userKeyDefaultImpl
+policyset.serverCertSet.10.default.name=Key Default
+policyset.serverCertSet.11.constraint.class_id=noConstraintImpl
+policyset.serverCertSet.11.constraint.name=No Constraint
+policyset.serverCertSet.11.default.class_id=crlDistributionPointsExtDefaultImpl
+policyset.serverCertSet.11.default.name=CRL Distribution Points Extension Default
+policyset.serverCertSet.11.default.params.crlDistPointsCritical=false
+policyset.serverCertSet.11.default.params.crlDistPointsNum=1
+policyset.serverCertSet.11.default.params.crlDistPointsEnable_0=true
+policyset.serverCertSet.11.default.params.crlDistPointsIssuerName_0=$CRL_ISSUER
+policyset.serverCertSet.11.default.params.crlDistPointsIssuerType_0=DirectoryName
+policyset.serverCertSet.11.default.params.crlDistPointsPointName_0=http://$IPA_CA_RECORD.$DOMAIN/ipa/crl/MasterCRL.bin
+policyset.serverCertSet.11.default.params.crlDistPointsPointType_0=URIName
+policyset.serverCertSet.11.default.params.crlDistPointsReasons_0=
--- a/install/share/profiles/caIPAserviceCert.UPGRADE.cfg
+++ b/install/share/profiles/caIPAserviceCert.UPGRADE.cfg
@@ -81,7 +81,7 @@ policyset.serverCertSet.7.default.params.exKeyUsageCritical=false
 policyset.serverCertSet.7.default.params.exKeyUsageOIDs=1.3.6.1.5.5.7.3.1,1.3.6.1.5.5.7.3.2
 policyset.serverCertSet.8.constraint.class_id=signingAlgConstraintImpl
 policyset.serverCertSet.8.constraint.name=No Constraint
-policyset.serverCertSet.8.constraint.params.signingAlgsAllowed=SHA1withRSA,SHA256withRSA,SHA512withRSA,MD5withRSA,MD2withRSA,SHA1withDSA,SHA1withEC,SHA256withEC,SHA384withEC,SHA512withEC
+policyset.serverCertSet.8.constraint.params.signingAlgsAllowed=SHA1withRSA,SHA256withRSA,SHA384withRSA,SHA512withRSA,MD5withRSA,MD2withRSA,SHA1withDSA,SHA1withEC,SHA256withEC,SHA384withEC,SHA512withEC
 policyset.serverCertSet.8.default.class_id=signingAlgDefaultImpl
 policyset.serverCertSet.8.default.name=Signing Alg
 policyset.serverCertSet.8.default.params.signingAlg=-
--- a/install/share/profiles/caIPAserviceCert.cfg
+++ b/install/share/profiles/caIPAserviceCert.cfg
@@ -81,7 +81,7 @@ policyset.serverCertSet.7.default.params.exKeyUsageCritical=false
 policyset.serverCertSet.7.default.params.exKeyUsageOIDs=1.3.6.1.5.5.7.3.1,1.3.6.1.5.5.7.3.2
 policyset.serverCertSet.8.constraint.class_id=signingAlgConstraintImpl
 policyset.serverCertSet.8.constraint.name=No Constraint
-policyset.serverCertSet.8.constraint.params.signingAlgsAllowed=SHA1withRSA,SHA256withRSA,SHA512withRSA,MD5withRSA,MD2withRSA,SHA1withDSA,SHA1withEC,SHA256withEC,SHA384withEC,SHA512withEC
+policyset.serverCertSet.8.constraint.params.signingAlgsAllowed=SHA1withRSA,SHA256withRSA,SHA384withRSA,SHA512withRSA,MD5withRSA,MD2withRSA,SHA1withDSA,SHA1withEC,SHA256withEC,SHA384withEC,SHA512withEC
 policyset.serverCertSet.8.default.class_id=signingAlgDefaultImpl
 policyset.serverCertSet.8.default.name=Signing Alg
 policyset.serverCertSet.8.default.params.signingAlg=-
--- a/install/share/replica-prevent-time-skew.ldif
+++ b/install/share/replica-prevent-time-skew.ldif
@@ -1,4 +0,0 @@
-dn: cn=config
-changetype: modify
-replace: nsslapd-ignore-time-skew
-nsslapd-ignore-time-skew: $SKEWVALUE
--- a/install/share/root-autobind.ldif
+++ b/install/share/root-autobind.ldif
@@ -1,19 +0,0 @@
-# root-autobind, config
-dn: cn=root-autobind,cn=config
-changetype: add
-objectClass: extensibleObject
-objectClass: top
-cn: root-autobind
-uidNumber: 0
-gidNumber: 0
-
-dn: cn=config
-changetype: modify
-replace: nsslapd-ldapiautobind
-nsslapd-ldapiautobind: on
-
-dn: cn=config
-changetype: modify
-replace: nsslapd-ldapimaptoentries
-nsslapd-ldapimaptoentries: on
-
--- a/install/share/schema.d/Makefile.in
+++ b/install/share/schema.d/Makefile.in
@@ -1,7 +1,7 @@
-# Makefile.in generated by automake 1.16.2 from Makefile.am.
+# Makefile.in generated by automake 1.17 from Makefile.am.
 # @configure_input@

-# Copyright (C) 1994-2020 Free Software Foundation, Inc.
+# Copyright (C) 1994-2024 Free Software Foundation, Inc.

 # This Makefile.in is free software; the Free Software Foundation
 # gives unlimited permission to copy and/or distribute it,
@@ -70,6 +70,8 @@ am__make_running_with_option = \
  test $$has_opt = yes
 am__make_dryrun = (target_option=n; $(am__make_running_with_option))
 am__make_keepgoing = (target_option=k; $(am__make_running_with_option))
+am__rm_f = rm -f $(am__rm_f_notfound)
+am__rm_rf = rm -rf $(am__rm_f_notfound)
 pkgdatadir = $(datadir)/@PACKAGE@
 pkgincludedir = $(includedir)/@PACKAGE@
 pkglibdir = $(libdir)/@PACKAGE@
@@ -155,10 +157,9 @@ am__base_list = \
  sed '$$!N;$$!N;$$!N;$$!N;$$!N;$$!N;$$!N;s/\n/ /g' | \
  sed '$$!N;$$!N;$$!N;$$!N;s/\n/ /g'
 am__uninstall_files_from_dir = { \
-  test -z "$$files" \
-    || { test ! -d "$$dir" && test ! -f "$$dir" && test ! -r "$$dir"; } \
-    || { echo " ( cd '$$dir' && rm -f" $$files ")"; \
-         $(am__cd) "$$dir" && rm -f $$files; }; \
+  { test ! -d "$$dir" && test ! -f "$$dir" && test ! -r "$$dir"; } \
+  || { echo " ( cd '$$dir' && rm -f" $$files ")"; \
+       $(am__cd) "$$dir" && echo $$files | $(am__xargs_n) 40 $(am__rm_f); }; \
  }
 am__installdirs = "$(DESTDIR)$(appdir)"
 DATA = $(app_DATA)
@@ -187,8 +188,6 @@ am__define_uniq_tagged_files = \
  unique=`for i in $$list; do \
    if test -f "$$i"; then echo $$i; else echo $(srcdir)/$$i; fi; \
  done | $(am__uniquify_input)`
-ETAGS = etags
-CTAGS = ctags
 DIST_SUBDIRS = $(SUBDIRS)
 am__DIST_COMMON = $(srcdir)/Makefile.in README
 DISTFILES = $(DIST_COMMON) $(DIST_SOURCES) $(TEXINFOS) $(EXTRA_DIST)
@@ -236,6 +235,8 @@ CPP = @CPP@
 CPPFLAGS = @CPPFLAGS@
 CRYPTO_CFLAGS = @CRYPTO_CFLAGS@
 CRYPTO_LIBS = @CRYPTO_LIBS@
+CSCOPE = @CSCOPE@
+CTAGS = @CTAGS@
 CYGPATH_W = @CYGPATH_W@
 DATA_VERSION = @DATA_VERSION@
 DEFS = @DEFS@
@@ -249,8 +250,10 @@ ECHO_C = @ECHO_C@
 ECHO_N = @ECHO_N@
 ECHO_T = @ECHO_T@
 EGREP = @EGREP@
+ETAGS = @ETAGS@
 EXEEXT = @EXEEXT@
 FGREP = @FGREP@
+FILECMD = @FILECMD@
 GETTEXT_DOMAIN = @GETTEXT_DOMAIN@
 GETTEXT_MACRO_VERSION = @GETTEXT_MACRO_VERSION@
 GIT_BRANCH = @GIT_BRANCH@
@@ -258,6 +261,7 @@ GIT_VERSION = @GIT_VERSION@
 GMSGFMT = @GMSGFMT@
 GMSGFMT_015 = @GMSGFMT_015@
 GREP = @GREP@
+HTTPD_GROUP = @HTTPD_GROUP@
 INI_CFLAGS = @INI_CFLAGS@
 INI_LIBS = @INI_LIBS@
 INSTALL = @INSTALL@
@@ -270,9 +274,12 @@ INTL_MACOSX_LIBS = @INTL_MACOSX_LIBS@
 IPAPLATFORM = @IPAPLATFORM@
 IPA_DATA_DIR = @IPA_DATA_DIR@
 IPA_SYSCONF_DIR = @IPA_SYSCONF_DIR@
+JANSSON_CFLAGS = @JANSSON_CFLAGS@
+JANSSON_LIBS = @JANSSON_LIBS@
 JSLINT = @JSLINT@
 KRAD_LIBS = @KRAD_LIBS@
 KRB5KDC_SERVICE = @KRB5KDC_SERVICE@
+KRB5_BUILD_VERSION = @KRB5_BUILD_VERSION@
 KRB5_CFLAGS = @KRB5_CFLAGS@
 KRB5_GSSAPI_CFLAGS = @KRB5_GSSAPI_CFLAGS@
 KRB5_GSSAPI_LIBS = @KRB5_GSSAPI_LIBS@
@@ -281,6 +288,8 @@ LD = @LD@
 LDAP_CFLAGS = @LDAP_CFLAGS@
 LDAP_LIBS = @LDAP_LIBS@
 LDFLAGS = @LDFLAGS@
+LIBCURL_CFLAGS = @LIBCURL_CFLAGS@
+LIBCURL_LIBS = @LIBCURL_LIBS@
 LIBICONV = @LIBICONV@
 LIBINTL = @LIBINTL@
 LIBINTL_LIBS = @LIBINTL_LIBS@
@@ -340,6 +349,8 @@ PLATFORM_PYTHON = @PLATFORM_PYTHON@
 POPT_CFLAGS = @POPT_CFLAGS@
 POPT_LIBS = @POPT_LIBS@
 POSUB = @POSUB@
+PWQUALITY_CFLAGS = @PWQUALITY_CFLAGS@
+PWQUALITY_LIBS = @PWQUALITY_LIBS@
 PYLINT = @PYLINT@
 PYTHON = @PYTHON@
 PYTHON_EXEC_PREFIX = @PYTHON_EXEC_PREFIX@
@@ -348,9 +359,12 @@ PYTHON_PLATFORM = @PYTHON_PLATFORM@
 PYTHON_PREFIX = @PYTHON_PREFIX@
 PYTHON_VERSION = @PYTHON_VERSION@
 RANLIB = @RANLIB@
+RESOLV_LIBS = @RESOLV_LIBS@
+RPMLINT = @RPMLINT@
 SAMBA40EXTRA_LIBPATH = @SAMBA40EXTRA_LIBPATH@
 SAMBAUTIL_CFLAGS = @SAMBAUTIL_CFLAGS@
 SAMBAUTIL_LIBS = @SAMBAUTIL_LIBS@
+SAMBA_SECURITY_LIBS = @SAMBA_SECURITY_LIBS@
 SASL_CFLAGS = @SASL_CFLAGS@
 SASL_LIBS = @SASL_LIBS@
 SED = @SED@
@@ -389,8 +403,10 @@ ac_ct_DUMPBIN = @ac_ct_DUMPBIN@
 am__include = @am__include@
 am__leading_dot = @am__leading_dot@
 am__quote = @am__quote@
+am__rm_f_notfound = @am__rm_f_notfound@
 am__tar = @am__tar@
 am__untar = @am__untar@
+am__xargs_n = @am__xargs_n@
 bindir = @bindir@
 build = @build@
 build_alias = @build_alias@
@@ -436,6 +452,7 @@ sharedstatedir = @sharedstatedir@
 srcdir = @srcdir@
 sysconfdir = @sysconfdir@
 sysconfenvdir = @sysconfenvdir@
+systemdcatalogdir = @systemdcatalogdir@
 systemdsystemunitdir = @systemdsystemunitdir@
 systemdtmpfilesdir = @systemdtmpfilesdir@
 target_alias = @target_alias@
@@ -612,7 +629,6 @@ cscopelist-am: $(am__tagged_files)

 distclean-tags:
 	-rm -f TAGS ID GTAGS GRTAGS GSYMS GPATH tags
-
 distdir: $(BUILT_SOURCES)
 	$(MAKE) $(AM_MAKEFLAGS) distdir-am

@@ -703,8 +719,8 @@ mostlyclean-generic:
 clean-generic:

 distclean-generic:
-	-test -z "$(CONFIG_CLEAN_FILES)" || rm -f $(CONFIG_CLEAN_FILES)
-	-test . = "$(srcdir)" || test -z "$(CONFIG_CLEAN_VPATH_FILES)" || rm -f $(CONFIG_CLEAN_VPATH_FILES)
+	-$(am__rm_f) $(CONFIG_CLEAN_FILES)
+	-test . = "$(srcdir)" || $(am__rm_f) $(CONFIG_CLEAN_VPATH_FILES)

 maintainer-clean-generic:
 	@echo "This command is intended for maintainers to use"
@@ -797,3 +813,10 @@ uninstall-am: uninstall-appDATA
 # Tell versions [3.59,3.63) of GNU make to not export all variables.
 # Otherwise a system limit (for SysV at least) may be exceeded.
 .NOEXPORT:
+
+# Tell GNU make to disable its built-in pattern rules.
+%:: %,v
+%:: RCS/%,v
+%:: RCS/%
+%:: s.%
+%:: SCCS/s.%
--- a/install/share/schema.d/README
+++ b/install/share/schema.d/README
@@ -7,8 +7,8 @@ schema files during the run of ipa-server-upgrade utility. Therefore, they are
 also installed when upgrade happens within the process of ipa-server-install.

 The directory is installed as /usr/share/ipa/schema.d and is owned by a
-freeipa-server-common package. Therefore, a 3rd-party plugin would need to
-depend on the freeipa-server-common package if it delivers the schema file(s).
+ipa-server-common package. Therefore, a 3rd-party plugin would need to
+depend on the ipa-server-common package if it delivers the schema file(s).

 You may place your schema files in a subdirectory too, the code that loads
 schema files processes recursively all subdirectories of schema.d.
--- a/install/share/smb.conf.registry.template
+++ b/install/share/smb.conf.registry.template
@@ -5,6 +5,7 @@ realm = $REALM
 kerberos method = dedicated keytab
 dedicated keytab file = /etc/samba/samba.keytab
 create krb5 conf = no
+server role = $SERVER_ROLE
 security = user
 domain master = yes
 domain logons = yes
--- a/install/share/wsgi.py
+++ b/install/share/wsgi.py
@@ -21,43 +21,8 @@
 #

 """
-WSGI appliction for IPA server.
+WSGI application for IPA server.
 """
-from __future__ import absolute_import
+from ipaserver.wsgi import create_application

-import logging
-import os
-import sys
-
-# Some dependencies like Dogtag's pki.client library and custodia use
-# python-requsts to make HTTPS connection. python-requests prefers
-# PyOpenSSL over Python's stdlib ssl module. PyOpenSSL is build on top
-# of python-cryptography which trigger a execmem SELinux violation
-# in the context of Apache HTTPD (httpd_execmem).
-# When requests is imported, it always tries to import pyopenssl glue
-# code from urllib3's contrib directory. The import of PyOpenSSL is
-# enough to trigger the SELinux denial.
-# Block any import of PyOpenSSL's SSL module by raising an ImportError
-sys.modules['OpenSSL.SSL'] = None
-
-from ipaplatform.paths import paths
-from ipalib import api
-
-logger = logging.getLogger(os.path.basename(__file__))
-
-api.bootstrap(context='server', confdir=paths.ETC_IPA, log=None)
-try:
-    api.finalize()
-except Exception as e:
-    logger.error('Failed to start IPA: %s', e)
-else:
-    logger.info('*** PROCESS START ***')
-
-    # This is the WSGI callable:
-    def application(environ, start_response):
-        if not environ['wsgi.multithread']:
-            return api.Backend.wsgi_dispatch(environ, start_response)
-        else:
-            logger.error("IPA does not work with the threaded MPM, "
-                         "use the pre-fork MPM")
-            raise RuntimeError('threaded MPM detected')
+application = create_application()