Import Upstream version 4.12.4

install/updates/10-config.update

@@ -16,7 +16,7 @@ only: nsslapd-pluginPrecedence: 60
 # Set limits to suite better IPA deployment sizes, defaults are too
 # conservative
 dn: cn=config
-default: nsslapd-sizelimit:100000
+replace: nsslapd-sizelimit:2000::100000
 
 dn: cn=config,cn=ldbm database,cn=plugins,cn=config
 replace: nsslapd-lookthroughlimit:5000::100000

install/updates/10-enable-betxn.update

@@ -18,7 +18,7 @@ only: nsslapd-pluginType: betxnpreoperation
 dn: cn=MemberOf Plugin,cn=plugins,cn=config
 only: nsslapd-pluginType: betxnpostoperation
 
-dn: cn=Multimaster Replication Plugin,cn=plugins,cn=config
+dn: cn=$REPLICATION_PLUGIN,cn=plugins,cn=config
 only: nsslapd-pluginbetxn: on
 
 dn: cn=PAM Pass Through Auth,cn=plugins,cn=config

install/updates/10-uniqueness.update

@@ -109,3 +109,22 @@ default:nsslapd-plugin-depends-on-type: database
 default:nsslapd-pluginId: NSUniqueAttr
 default:nsslapd-pluginVersion: 1.1.0
 default:nsslapd-pluginVendor: Fedora Project
+
+dn: cn=ipaSubordinateIdEntry ipaOwner uniqueness,cn=plugins,cn=config
+default:objectClass: top
+default:objectClass: nsSlapdPlugin
+default:objectClass: extensibleObject
+default:cn: ipaSubordinateIdEntry ipaOwner uniqueness
+default:nsslapd-pluginDescription: Enforce unique attribute values of ipaOwner
+default:nsslapd-pluginPath: libattr-unique-plugin
+default:nsslapd-pluginInitfunc: NSUniqueAttr_Init
+default:nsslapd-pluginType: preoperation
+default:nsslapd-pluginEnabled: on
+default:uniqueness-attribute-name: ipaOwner
+default:uniqueness-subtrees: cn=subids,cn=accounts,$SUFFIX
+default:uniqueness-across-all-subtrees: on
+default:uniqueness-subtree-entries-oc: ipaSubordinateIdEntry
+default:nsslapd-plugin-depends-on-type: database
+default:nsslapd-pluginId: NSUniqueAttr
+default:nsslapd-pluginVersion: 1.1.0
+default:nsslapd-pluginVendor: Fedora Project

install/updates/20-aci.update

@@ -84,6 +84,7 @@ add:aci:(targetattr="*")(version 3.0; acl "Admin can read all tasks"; allow (rea
 dn: cn=mapping tree,cn=config
 add:aci: (target = "ldap:///cn=meTo($$dn),cn=*,cn=mapping tree,cn=config")(targetattr = "objectclass || cn")(version 3.0; acl "Allow hosts to read their replication agreements"; allow(read, search, compare) userdn = "ldap:///fqdn=($$dn),cn=computers,cn=accounts,$SUFFIX";)
 
+remove: aci: (targetattr = "cn || createtimestamp || description || entryusn || modifytimestamp || nsds50ruv || nsds5beginreplicarefresh || nsds5debugreplicatimeout || nsds5flags || nsds5replicaabortcleanruv || nsds5replicaautoreferral || nsds5replicabackoffmax || nsds5replicabackoffmin || nsds5replicabinddn || nsds5replicabindmethod || nsds5replicabusywaittime || nsds5replicachangecount || nsds5replicachangessentsincestartup || nsds5replicacleanruv || nsds5replicacleanruvnotified || nsds5replicacredentials || nsds5replicaenabled || nsds5replicahost || nsds5replicaid || nsds5replicalastinitend || nsds5replicalastinitstart || nsds5replicalastinitstatus || nsds5replicalastupdateend || nsds5replicalastupdatestart || nsds5replicalastupdatestatus || nsds5replicalegacyconsumer || nsds5replicaname || nsds5replicaport || nsds5replicaprotocoltimeout || nsds5replicapurgedelay || nsds5replicareferral || nsds5replicaroot || nsds5replicasessionpausetime || nsds5replicastripattrs || nsds5replicatedattributelist || nsds5replicatedattributelisttotal || nsds5replicatimeout || nsds5replicatombstonepurgeinterval || nsds5replicatransportinfo || nsds5replicatype || nsds5replicaupdateinprogress || nsds5replicaupdateschedule || nsds5task || nsds7directoryreplicasubtree || nsds7dirsynccookie || nsds7newwingroupsyncenabled || nsds7newwinusersyncenabled || nsds7windowsdomain || nsds7windowsreplicasubtree || nsruvreplicalastmodified || nsstate || objectclass || onewaysync || winsyncdirectoryfilter || winsyncinterval || winsyncmoveaction || winsyncsubtreepair || winsyncwindowsfilter")(targetfilter = "(|(objectclass=nsds5Replica)(objectclass=nsds5replicationagreement)(objectclass=nsDSWindowsReplicationAgreement)(objectClass=nsMappingTree))")(version 3.0;acl "permission:Read Replication Agreements";allow (compare,read,search) groupdn = "ldap:///cn=Read Replication Agreements,cn=permissions,cn=pbac,$SUFFIX";)
 
 # replication ACIs should reside in cn=mapping tree,cn=config and be common for both suffixes
 dn: cn=mapping tree,cn=config
@@ -93,7 +94,7 @@ remove:aci: (targetattr=*)(targetfilter="(|(objectclass=nsds5replicationagreemen
 add:aci: (targetattr = "*")(version 3.0;acl "permission:Add Replication Agreements";allow (add) groupdn = "ldap:///cn=Add Replication Agreements,cn=permissions,cn=pbac,$SUFFIX";)
 add:aci: (targetattr = "*")(targetfilter="(|(objectclass=nsds5Replica)(objectclass=nsds5replicationagreement)(objectclass=nsDSWindowsReplicationAgreement)(objectClass=nsMappingTree))")(version 3.0; acl "permission:Modify Replication Agreements"; allow (read, write, search) groupdn = "ldap:///cn=Modify Replication Agreements,cn=permissions,cn=pbac,$SUFFIX";)
 add:aci: (targetattr = "*")(targetfilter="(|(objectclass=nsds5replicationagreement)(objectclass=nsDSWindowsReplicationAgreement))")(version 3.0;acl "permission:Remove Replication Agreements";allow (delete) groupdn = "ldap:///cn=Remove Replication Agreements,cn=permissions,cn=pbac,$SUFFIX";)
-add: aci: (targetattr = "cn || createtimestamp || description || entryusn || modifytimestamp || nsds50ruv || nsds5beginreplicarefresh || nsds5debugreplicatimeout || nsds5flags || nsds5replicaabortcleanruv || nsds5replicaautoreferral || nsds5replicabackoffmax || nsds5replicabackoffmin || nsds5replicabinddn || nsds5replicabindmethod || nsds5replicabusywaittime || nsds5replicachangecount || nsds5replicachangessentsincestartup || nsds5replicacleanruv || nsds5replicacleanruvnotified || nsds5replicacredentials || nsds5replicaenabled || nsds5replicahost || nsds5replicaid || nsds5replicalastinitend || nsds5replicalastinitstart || nsds5replicalastinitstatus || nsds5replicalastupdateend || nsds5replicalastupdatestart || nsds5replicalastupdatestatus || nsds5replicalegacyconsumer || nsds5replicaname || nsds5replicaport || nsds5replicaprotocoltimeout || nsds5replicapurgedelay || nsds5replicareferral || nsds5replicaroot || nsds5replicasessionpausetime || nsds5replicastripattrs || nsds5replicatedattributelist || nsds5replicatedattributelisttotal || nsds5replicatimeout || nsds5replicatombstonepurgeinterval || nsds5replicatransportinfo || nsds5replicatype || nsds5replicaupdateinprogress || nsds5replicaupdateschedule || nsds5task || nsds7directoryreplicasubtree || nsds7dirsynccookie || nsds7newwingroupsyncenabled || nsds7newwinusersyncenabled || nsds7windowsdomain || nsds7windowsreplicasubtree || nsruvreplicalastmodified || nsstate || objectclass || onewaysync || winsyncdirectoryfilter || winsyncinterval || winsyncmoveaction || winsyncsubtreepair || winsyncwindowsfilter")(targetfilter = "(|(objectclass=nsds5Replica)(objectclass=nsds5replicationagreement)(objectclass=nsDSWindowsReplicationAgreement)(objectClass=nsMappingTree))")(version 3.0;acl "permission:Read Replication Agreements";allow (compare,read,search) groupdn = "ldap:///cn=Read Replication Agreements,cn=permissions,cn=pbac,$SUFFIX";)
+add: aci: (targetattr = "cn || createtimestamp || description || entryusn || modifytimestamp || nsds50ruv || nsds5beginreplicarefresh || nsds5debugreplicatimeout || nsds5flags || nsds5replicaabortcleanruv || nsds5replicaautoreferral || nsds5replicabackoffmax || nsds5replicabackoffmin || nsds5replicabinddn || nsds5replicabindmethod || nsds5replicabusywaittime || nsds5replicachangecount || nsds5replicachangessentsincestartup || nsds5replicacleanruv || nsds5replicacleanruvnotified || nsds5replicacredentials || nsds5replicaenabled || nsds5replicahost || nsds5replicaid || nsds5replicalastinitend || nsds5replicalastinitstart || nsds5replicalastinitstatus || nsds5replicalastinitstatusjson || nsds5replicalastupdateend || nsds5replicalastupdatestart || nsds5replicalastupdatestatus || nsds5replicalastupdatestatusjson || nsds5replicalegacyconsumer || nsds5replicaname || nsds5replicaport || nsds5replicaprotocoltimeout || nsds5replicapurgedelay || nsds5replicareferral || nsds5replicaroot || nsds5replicasessionpausetime || nsds5replicastripattrs || nsds5replicatedattributelist || nsds5replicatedattributelisttotal || nsds5replicatimeout || nsds5replicatombstonepurgeinterval || nsds5replicatransportinfo || nsds5replicatype || nsds5replicaupdateinprogress || nsds5replicaupdateschedule || nsds5task || nsds7directoryreplicasubtree || nsds7dirsynccookie || nsds7newwingroupsyncenabled || nsds7newwinusersyncenabled || nsds7windowsdomain || nsds7windowsreplicasubtree || nsruvreplicalastmodified || nsstate || objectclass || onewaysync || winsyncdirectoryfilter || winsyncinterval || winsyncmoveaction || winsyncsubtreepair || winsyncwindowsfilter")(targetfilter = "(|(objectclass=nsds5Replica)(objectclass=nsds5replicationagreement)(objectclass=nsDSWindowsReplicationAgreement)(objectClass=nsMappingTree))")(version 3.0;acl "permission:Read Replication Agreements";allow (compare,read,search) groupdn = "ldap:///cn=Read Replication Agreements,cn=permissions,cn=pbac,$SUFFIX";)
 
 
 dn: cn="$SUFFIX",cn=mapping tree,cn=config
@@ -140,11 +141,13 @@ add:aci:(targetattr = "usercertificate")(version 3.0;acl "selfservice:Users can
 
 # Allow member managers to modify members of user groups
 dn: cn=groups,cn=accounts,$SUFFIX
-add:aci: (targetattr = "member")(targetfilter = "(objectclass=ipaUserGroup)")(version 3.0; acl "Allow member managers to modify members of user groups"; allow (write) userattr = "memberManager#USERDN";)
+remove:aci: (targetattr = "member")(targetfilter = "(objectclass=ipaUserGroup)")(version 3.0; acl "Allow member managers to modify members of user groups"; allow (write) userattr = "memberManager#USERDN";)
+add:aci: (targetattr = "member")(targetfilter = "(objectclass=ipaUserGroup)")(version 3.0; acl "Allow member managers to modify members of user groups"; allow (write) userattr = "memberManager#USERDN" or userattr = "memberManager#GROUPDN";)
 
 # Allow member managers to modify members of host groups
 dn: cn=hostgroups,cn=accounts,$SUFFIX
-add:aci: (targetattr = "member")(targetfilter = "(objectclass=ipaHostGroup)")(version 3.0; acl "Allow member managers to modify members of host groups"; allow (write) userattr = "memberManager#USERDN";)
+remove:aci: (targetattr = "member")(targetfilter = "(objectclass=ipaHostGroup)")(version 3.0; acl "Allow member managers to modify members of host groups"; allow (write) userattr = "memberManager#USERDN";)
+add:aci: (targetattr = "member")(targetfilter = "(objectclass=ipaHostGroup)")(version 3.0; acl "Allow member managers to modify members of host groups"; allow (write) userattr = "memberManager#USERDN" or userattr = "memberManager#GROUPDN";)
 
 # Hosts can add and delete their own services
 dn: cn=services,cn=accounts,$SUFFIX

install/updates/20-autobind.update

@@ -0,0 +1,15 @@
+# countainer for autobind, already exists in new 389-DS instances
+dn: cn=auto_bind,cn=config
+default: objectClass: nsContainer
+default: objectClass: top
+default: cn: auto_bind
+
+# map LDAPI autobind uid/gid to user entries (not used by root autobind)
+dn: cn=config
+only: nsslapd-ldapimaptoentries: on
+only: nsslapd-ldapientrysearchbase: cn=auto_bind,cn=config
+only: nsslapd-ldapidnmappingbase: cn=auto_bind,cn=config
+
+# lib389 configures 389-DS for root-autobind. This entry is no longer needed.
+dn: cn=root-autobind,cn=config
+deleteentry: cn=root-autobind,cn=config

install/updates/20-enable_dirsrv_plugins.update

@@ -50,8 +50,8 @@ replace: nsslapd-pluginEnabled:off::on
 dn: cn=Managed Entries,cn=plugins,cn=config
 replace: nsslapd-pluginEnabled:off::on
 
-# Multimaster Replication Plugin, plugins, config
-dn: cn=Multimaster Replication Plugin,cn=plugins,cn=config
+# Replication Plugin may be Multisupplier or Multimaster
+dn: cn=$REPLICATION_PLUGIN,cn=plugins,cn=config
 replace: nsslapd-pluginEnabled:off::on
 
 # Roles Plugin, plugins, config

install/updates/20-idoverride_index.update

@@ -1,22 +0,0 @@
-#
-# Make sure ID override attributes have the correct indexing
-#
-
-dn: cn=ipaOriginalUid,cn=index,cn=userRoot,cn=ldbm database,cn=plugins,cn=config
-default:cn: ipaOriginalUid
-default:ObjectClass: top
-default:ObjectClass: nsIndex
-default:nsSystemIndex: false
-only: nsIndexType: eq
-only: nsIndexType: pres
-
-dn: cn=ipaAnchorUUID,cn=index,cn=userRoot,cn=ldbm database,cn=plugins,cn=config
-default:cn: ipaAnchorUUID
-default:ObjectClass: top
-default:ObjectClass: nsIndex
-default:nsSystemIndex: false
-only: nsIndexType: eq
-only: nsIndexType: pres
-
-dn: cn=ipaAnchorUUID,cn=index,cn=userRoot,cn=ldbm database,cn=plugins,cn=config
-remove:cn: ipaOriginalUid

install/updates/20-replication.update

@@ -58,7 +58,7 @@ default: nsslapd-topo-plugin-shared-binddngroup: cn=replication managers,cn=sysa
 default: nsslapd-topo-plugin-startup-delay: 20
 default: nsslapd-pluginId: none
 default: nsslapd-plugin-depends-on-named: ldbm database
-default: nsslapd-plugin-depends-on-named: Multimaster Replication Plugin
+default: nsslapd-plugin-depends-on-named: $REPLICATION_PLUGIN
 default: nsslapd-pluginVersion: 1.0
 default: nsslapd-pluginVendor: none
 default: nsslapd-pluginDescription: none

install/updates/20-winsync_index.update

@@ -1,12 +0,0 @@
-#
-# Make sure winsync attributes have the correct indexing
-#
-
-dn: cn=ntUniqueId,cn=index,cn=userRoot,cn=ldbm database,cn=plugins,cn=config
-only: nsIndexType: eq
-only: nsIndexType: pres
-
-dn: cn=ntUserDomainId,cn=index,cn=userRoot,cn=ldbm database,cn=plugins,cn=config
-only: nsIndexType: eq
-only: nsIndexType: pres
-

install/updates/25-referint.update

@@ -21,3 +21,5 @@ add: referint-membership-attr: ipamemberca
 add: referint-membership-attr: ipamembercertprofile
 add: referint-membership-attr: ipalocation
 add: referint-membership-attr: membermanager
+add: referint-membership-attr: ipaowner
+add: referint-membership-attr: ipaidpconfiglink

install/updates/40-delegation.update

@@ -299,3 +299,10 @@ default:objectClass: groupofnames
 default:objectClass: nestedgroup
 default:cn: DNS Servers
 default:description: DNS Servers
+
+dn: cn=External IdP server Administrators,cn=privileges,cn=pbac,$SUFFIX
+default:objectClass: top
+default:objectClass: groupofnames
+default:objectClass: nestedgroup
+default:cn: External IdP server Administrators
+default:description: External IdP server Administrators

install/updates/40-idp.update

@@ -0,0 +1,13 @@
+dn: cn=idp,$SUFFIX
+default: objectClass: nsContainer
+default: objectClass: top
+default: cn: idp
+
+dn: cn=ipaidpconfiglink,cn=index,cn=userRoot,cn=ldbm database,cn=plugins,cn=config
+only:cn: ipaidpconfiglink
+default:objectClass: nsIndex
+default:objectClass: top
+default:nsSystemIndex: false
+add:nsIndexType: eq
+add:nsIndexType: pres
+add:nsIndexType: sub

install/updates/40-replication.update

@@ -28,3 +28,14 @@ default:member: cn=Replication Administrators,cn=privileges,cn=pbac,$SUFFIX
 dn: cn=Posix IDs,cn=Distributed Numeric Assignment Plugin,cn=plugins,cn=config
 remove:aci: (targetattr=cn || dnaMaxValue || dnaNextRange || dnaNextValue  || dnaThreshold || dnaType || objectclass)(version 3.0;acl "permission:Read DNA Range";allow (read, search, compare) groupdn = "ldap:///cn=Read DNA Range,cn=permissions,cn=pbac,$SUFFIX";)
 add:aci: (targetattr = "cn || dnaMaxValue || dnaNextRange || dnaNextValue  || dnaThreshold || dnaType || objectclass")(version 3.0;acl "permission:Read DNA Range";allow (read, search, compare) groupdn = "ldap:///cn=Read DNA Range,cn=permissions,cn=pbac,$SUFFIX";)
+
+dn: cn=Read domain level,cn=permissions,cn=pbac,$SUFFIX
+default:objectClass: top
+default:objectClass: groupofnames
+default:objectClass: ipapermission
+default:cn: Read domain level
+default:ipapermissiontype: SYSTEM
+default:member: cn=Replication Administrators,cn=privileges,cn=pbac,$SUFFIX
+
+dn: cn=masters,cn=ipa,cn=etc,$SUFFIX
+add:aci: (targetattr = "ipamaxdomainlevel || ipamindomainlevel")(version 3.0;acl "permission:Read domain level";allow (read, search, compare) groupdn = "ldap:///cn=Read domain level,cn=permissions,cn=pbac,$SUFFIX";)

install/updates/49-autobind-services.update

@@ -0,0 +1,7 @@
+# create / update LDAPI autobind rules for services
+# also used by ipa-restore to ensure correct mappings
+# NOTE: ipa-ldap-updater runs reload ldapi mappings tasks
+
+dn: cn=named,cn=auto_bind,cn=config
+onlyifexist: uidNumber: $NAMED_UID
+onlyifexist: gidNumber: $NAMED_GID

install/updates/50-dogtag10-migration.update

@@ -14,6 +14,9 @@ addifexist:resourceACLS:certServer.ca.certrequests:execute:allow (execute) group
 addifexist:resourceACLS:certServer.ca.certs:execute:allow (execute) group="Certificate Manager Agents":Agents may execute cert operations
 addifexist:resourceACLS:certServer.ca.groups:execute:allow (execute) group="Administrators":Admins may execute group operations
 addifexist:resourceACLS:certServer.ca.users:execute:allow (execute) group="Administrators":Admins may execute user operations
-replace:resourceACLS:certServer.securitydomain.domainxml:read,modify:allow (read) user="anybody";allow (modify) group="Subsystem Group":Anybody is allowed to read domain.xml but only Subsystem group is allowed to modify the domain.xml::certServer.securitydomain.domainxml:read,modify:allow (read) user="anybody";allow (modify) group="Subsystem Group" || group="Enterprise CA Administrators" || group="Enterprise KRA Administrators" || group="Enterprise RA Administrators" || group="Enterprise OCSP Administrators" || group="Enterprise TKS Administrators" || group="Enterprise TPS Administrators":Anybody is allowed to read domain.xml but only Subsystem group and Enterprise Administrators are allowed to modify the domain.xml
+# new installation
+replace:resourceACLS:certServer.securitydomain.domainxml:read,modify:allow (read) user="anybody";allow (modify) group="Subsystem Group":Anybody is allowed to read domain.xml but only Subsystem group is allowed to modify the domain.xml::certServer.securitydomain.domainxml:read,modify:allow (read) user="anybody";allow (modify) group="Subsystem Group" || group="Enterprise CA Administrators" || group="Enterprise KRA Administrators" || group="Enterprise RA Administrators" || group="Enterprise OCSP Administrators" || group="Enterprise TKS Administrators" || group="Enterprise TPS Administrators" || group="Security Domain Administrators":Anybody is allowed to read domain.xml but only Subsystem group and Enterprise Administrators are allowed to modify the domain.xml
+# upgraded installation
+replace:resourceACLS:certServer.securitydomain.domainxml:read,modify:allow (read) user="anybody";allow (modify) group="Subsystem Group" || group="Enterprise CA Administrators" || group="Enterprise KRA Administrators" || group="Enterprise RA Administrators" || group="Enterprise OCSP Administrators" || group="Enterprise TKS Administrators" || group="Enterprise TPS Administrators":Anybody is allowed to read domain.xml but only Subsystem group and Enterprise Administrators are allowed to modify the domain.xml::certServer.securitydomain.domainxml:read,modify:allow (read) user="anybody";allow (modify) group="Subsystem Group" || group="Enterprise CA Administrators" || group="Enterprise KRA Administrators" || group="Enterprise RA Administrators" || group="Enterprise OCSP Administrators" || group="Enterprise TKS Administrators" || group="Enterprise TPS Administrators" || group="Security Domain Administrators":Anybody is allowed to read domain.xml but only Subsystem group and Enterprise Administrators are allowed to modify the domain.xml
 replace:resourceACLS:certServer.ca.connectorInfo:read,modify:allow (modify,read) group="Enterprise KRA Administrators":Only Enterprise Administrators are allowed to update the connector information::certServer.ca.connectorInfo:read,modify:allow (read) group="Enterprise KRA Administrators";allow (modify) group="Enterprise KRA Administrators" || group="Subsystem Group":Only Enterprise Administrators and Subsystem Group are allowed to update the connector information
 addifexist:resourceACLS:certServer.profile.configuration:read,modify:allow (read,modify) group="Certificate Manager Agents":Certificate Manager agents may modify (create/update/delete) and read profiles

install/updates/50-krbenctypes.update

@@ -7,3 +7,5 @@ add: krbSupportedEncSaltTypes: aes128-sha2:normal
 add: krbSupportedEncSaltTypes: aes128-sha2:special
 add: krbSupportedEncSaltTypes: aes256-sha2:normal
 add: krbSupportedEncSaltTypes: aes256-sha2:special
+remove: krbDefaultEncSaltTypes: des3-hmac-sha1:special
+remove: krbDefaultEncSaltTypes: arcfour-hmac:special

install/updates/60-trusts.update

@@ -41,6 +41,11 @@ dn: $SUFFIX
 add:aci: (targetattr = "ipaNTHash")(version 3.0; acl "Samba system principals can read and write NT passwords"; allow (read,write) groupdn="ldap:///cn=adtrust agents,cn=sysaccounts,cn=etc,$SUFFIX";)
 remove:aci: (targetattr = "ipaNTHash")(version 3.0; acl "Samba system principals can read NT passwords"; allow (read) groupdn="ldap:///cn=adtrust agents,cn=sysaccounts,cn=etc,$SUFFIX";)
 
+# Allow Samba to read POSIX information with an explicit ACI
+dn: cn=accounts,$SUFFIX
+add:aci: (targetattr = "cn || createtimestamp || description || displayname || entryusn || gecos || gidnumber || givenname || homedirectory || ipantsecurityidentifier || loginshell || modifytimestamp || objectclass || uid || uidnumber")(targetfilter = "(objectclass=posixaccount)")(version 3.0;acl "Allow reading POSIX information about users and group objects";allow (compare,read,search) groupdn = "ldap:///cn=adtrust agents,cn=sysaccounts,cn=etc,$SUFFIX";)
+
+
 # For Samba as a domain member setup we need to allow synchronizing ipaNTHash value
 dn: cn=services,cn=accounts,$SUFFIX
 add:aci: (target="ldap:///krbprincipalname=cifs/($$dn),cn=services,cn=accounts,$SUFFIX")(targetattr="ipaNTHash")(version 3.0; acl "CIFS service can modify own ipaNTHash"; allow(write) userdn="ldap:///krbprincipalname=cifs/($$dn),cn=services,cn=accounts,$SUFFIX" or userattr="managedby#SELFDN";)
@@ -49,4 +54,4 @@ add:aci: (target="ldap:///krbprincipalname=cifs/($$dn),cn=services,cn=accounts,$
 
 # Add the default PAC type to configuration
 dn: cn=ipaConfig,cn=etc,$SUFFIX
-addifnew: ipaKrbAuthzData: MS-PAC
+add: ipaKrbAuthzData: MS-PAC

install/updates/73-passkey.update

@@ -0,0 +1,17 @@
+# Configuration for Passkey Authentication
+dn: cn=passkeyconfig,cn=etc,$SUFFIX
+default:objectclass: top
+default:objectclass: nscontainer
+default:objectclass: ipaPasskeyConfigObject
+default:ipaRequireUserVerification: TRUE
+
+# Passkey Administrators
+dn: cn=Passkey Administrators,cn=privileges,cn=pbac,$SUFFIX
+default:objectClass: top
+default:objectClass: groupofnames
+default:objectClass: nestedgroup
+default:cn: Passkey Administrators
+default:description: Passkey Administrators
+
+dn: $SUFFIX
+add:aci: (targetattr = "ipapasskey")(targattrfilters="add=objectclass:(objectclass=ipapasskeyuser)")(version 3.0;acl "selfservice:Users can manage their own passkey mappings";allow (write) userdn = "ldap:///self";)

install/updates/73-service-rbcd.update

@@ -0,0 +1,5 @@
+dn: $SUFFIX
+add:aci: (targetattr = "memberPrincipal")(targattrfilters="add=objectclass:(objectclass=resourcedelegation)")(version 3.0;acl "permission:RBCD:Kerberos principals can manage resource-based constrained delegation for themselves";allow (write) userdn = "ldap:///self";)
+add:aci: (targetattr = "memberPrincipal")(targattrfilters="add=objectclass:(objectclass=resourcedelegation)")(version 3.0;acl "permission:RBCD:Managing principals can manage resource-based constrained delegation for other principals";allow (write) userattr = "managedby#GROUPDN" or userattr = "managedby#USERDN";)
+add:aci: (targetattr = "memberPrincipal")(targattrfilters="add=objectclass:(objectclass=resourcedelegation)")(version 3.0;acl "permission:RBCD:Delegated permission to manage resource-based constrained delegation for other principals";allow (write) userattr="ipaAllowedToPerform;write_delegation#GROUPDN" or userattr="ipaAllowedToPerform;write_delegation#USERDN" ;)
+

install/updates/73-subid.update

@@ -0,0 +1,106 @@
+# subordinate ids
+
+# create memberOf attributes for ipaOwner
+dn: cn=MemberOf Plugin,cn=plugins,cn=config
+add: memberofgroupattr: ipaOwner
+
+# container
+dn: cn=subids,cn=accounts,$SUFFIX
+default: objectClass: top
+default: objectClass: nsContainer
+default: cn: subids
+
+# self-service RBAC
+dn: cn=Subordinate ID Selfservice User,cn=roles,cn=accounts,$SUFFIX
+default:objectClass: groupofnames
+default:objectClass: nestedgroup
+default:objectClass: top
+default:cn: Subordinate ID Selfservice User
+default:description: User that can self-request subordinate ids
+replace:description: User that can self-request subordiante ids::User that can self-request subordinate ids
+# default: member: cn=ipausers,cn=groups,cn=accounts,$SUFFIX
+
+dn: cn=Subordinate ID Selfservice Users,cn=privileges,cn=pbac,$SUFFIX
+default:objectClass: top
+default:objectClass: groupofnames
+default:objectClass: nestedgroup
+default:cn: Subordinate ID Selfservice Users
+default:description: Subordinate ID Selfservice User
+default:member: cn=Subordinate ID Selfservice User,cn=roles,cn=accounts,$SUFFIX
+
+dn: cn=Self-service subordinate ID,cn=permissions,cn=pbac,$SUFFIX
+default:objectClass: top
+default:objectClass: groupofnames
+default:objectClass: ipapermission
+default:cn: Self-service subordinate ID
+default:ipapermissiontype: SYSTEM
+default:member: cn=Subordinate ID Selfservice Users,cn=privileges,cn=pbac,$SUFFIX
+
+# Administrator RBAC
+dn: cn=Subordinate ID Administrators,cn=privileges,cn=pbac,$SUFFIX
+default:objectClass: top
+default:objectClass: groupofnames
+default:objectClass: nestedgroup
+default:cn: Subordinate ID Administrators
+default:description: Subordinate ID Administrators
+default:member: cn=User Administrator,cn=roles,cn=accounts,$SUFFIX
+
+dn: cn=Manage subordinate ID,cn=permissions,cn=pbac,$SUFFIX
+default:objectClass: top
+default:objectClass: groupofnames
+default:objectClass: ipapermission
+default:cn: Manage subordinate ID
+default:ipapermissiontype: SYSTEM
+default:member: cn=Subordinate ID Administrators,cn=privileges,cn=pbac,$SUFFIX
+
+# ACIs (in domain database root so they also apply to staging area)
+#
+# - allow users to request new subid with DNA_MAGIC value, subid count=65536,
+#   and subgid == subuid.
+# - allow user admins to set subids. count=65536 and subgid == subuid
+#   properties are enforced as wel.
+#
+# The delete-when-empty check is required because IPA uses MOD_REPLACE to
+# set attributes, see https://github.com/389ds/389-ds-base/issues/4597.
+#
+dn: cn=subids,cn=accounts,$SUFFIX
+add: aci: (targetfilter = "(objectclass=ipasubordinateidentry)")(targetattr="description || ipaowner || ipauniqueid")(targattrfilters = "add=objectClass:(|(objectClass=top)(objectClass=ipasubordinateid)(objectClass=ipasubordinateidentry)(objectClass=ipasubordinategid)(objectClass=ipasubordinateuid)) && ipasubuidnumber:(ipasubuidnumber=-1) && ipasubuidcount:(ipasubuidcount=eval($SUBID_COUNT)) && ipasubgidnumber:(ipasubgidnumber=-1) && ipasubgidcount:(ipasubgidcount=eval($SUBID_COUNT)), del=ipasubuidnumber:(!(ipasubuidnumber=*)) && ipasubuidcount:(!(ipasubuidcount=*)) && ipasubgidnumber:(!(ipasubgidnumber=*)) && ipasubgidcount:(!(ipasubgidcount=*))")(version 3.0;acl "selfservice: Add subordinate id";allow (add, write) userattr = "ipaowner#SELFDN" and groupdn="ldap:///cn=Self-service subordinate ID,cn=permissions,cn=pbac,$SUFFIX";)
+add: aci: (targetfilter = "(objectclass=ipasubordinateidentry)")(targetattr="description || ipaowner || ipauniqueid")(targattrfilters = "add=objectClass:(|(objectClass=top)(objectClass=ipasubordinateid)(objectClass=ipasubordinateidentry)(objectClass=ipasubordinategid)(objectClass=ipasubordinateuid)) && ipasubuidnumber:(|(ipasubuidnumber>=1)(ipasubuidnumber=-1)) && ipasubuidcount:(ipasubuidcount=eval($SUBID_COUNT)) && ipasubgidnumber:(|(ipasubgidnumber>=1)(ipasubgidnumber=-1)) && ipasubgidcount:(ipasubgidcount=eval($SUBID_COUNT)), del=ipasubuidnumber:(!(ipasubuidnumber=*)) && ipasubuidcount:(!(ipasubuidcount=*)) && ipasubgidnumber:(!(ipasubgidnumber=*)) && ipasubgidcount:(!(ipasubgidcount=*))")(version 3.0;acl "Add subordinate ids to any user";allow (add, write) groupdn="ldap:///cn=Subordinate ID Administrators,cn=privileges,cn=pbac,$SUFFIX";)
+
+# DNA plugin and idrange configuration
+dn: cn=subordinate-ids,cn=dna,cn=ipa,cn=etc,$SUFFIX
+default: objectClass: nsContainer
+default: objectClass: top
+default: cn: subordinate-ids
+
+dn: cn=Subordinate IDs,cn=Distributed Numeric Assignment Plugin,cn=plugins,cn=config
+default: objectclass: top
+default: objectclass: extensibleObject
+default: cn: Subordinate IDs
+default: dnaType: ipasubuidnumber
+default: dnaType: ipasubgidnumber
+default: dnaNextValue: eval($SUBID_RANGE_START)
+default: dnaMaxValue: eval($SUBID_RANGE_MAX)
+default: dnaMagicRegen: -1
+default: dnaFilter: (objectClass=ipaSubordinateId)
+default: dnaScope: $SUFFIX
+default: dnaThreshold: eval($SUBID_DNA_THRESHOLD)
+default: dnaSharedCfgDN: cn=subordinate-ids,cn=dna,cn=ipa,cn=etc,$SUFFIX
+default: dnaExcludeScope: cn=provisioning,$SUFFIX
+default: dnaInterval: eval($SUBID_COUNT)
+add: aci: (targetattr = "dnaNextRange || dnaNextValue || dnaMaxValue")(version 3.0;acl "permission:Modify DNA Range";allow (write) groupdn = "ldap:///cn=Modify DNA Range,cn=permissions,cn=pbac,$SUFFIX";)
+add: aci: (targetattr = "cn || dnaMaxValue || dnaNextRange || dnaNextValue  || dnaThreshold || dnaType || objectclass")(version 3.0;acl "permission:Read DNA Range";allow (read, search, compare) groupdn = "ldap:///cn=Read DNA Range,cn=permissions,cn=pbac,$SUFFIX";)
+
+dn: cn=${REALM}_subid_range,cn=ranges,cn=etc,$SUFFIX
+default: objectClass: top
+default: objectClass: ipaIDrange
+default: objectClass: ipaTrustedADDomainRange
+default: cn: ${REALM}_subid_range
+default: ipaBaseID: $SUBID_RANGE_START
+default: ipaIDRangeSize: $SUBID_RANGE_SIZE
+# HACK: RIDs to work around adtrust sidgen issue
+default: ipaBaseRID: eval($SUBID_BASE_RID)
+default: ipaNTTrustedDomainSID: S-1-5-21-738065-838566-$DOMAIN_HASH
+# HACK: "ipa-local-subid" range type causes issues with older SSSD clients
+# see https://github.com/SSSD/sssd/issues/5571
+default: ipaRangeType: ipa-ad-trust

install/updates/90-post_upgrade_plugins.update

@@ -25,6 +25,9 @@ plugin: update_upload_cacrt
 plugin: update_ra_cert_store
 plugin: update_mapping_Guests_to_nobody
 plugin: fix_kra_people_entry
+plugin: update_pwpolicy
+plugin: update_pwpolicy_grace
+plugin: add_admin_krbcanonicalname
 
 # last
 # DNS version 1
@@ -40,3 +43,4 @@ plugin: update_dnsserver_configuration_into_ldap
 plugin: update_ldap_server_list
 plugin: update_dna_shared_config
 plugin: update_unhashed_password
+plugin: update_krb_uri_txt_records_for_locations

install/updates/Makefile.am

@@ -12,6 +12,7 @@ app_DATA =				\
 	10-uniqueness.update		\
 	19-managed-entries.update	\
 	20-aci.update			\
+	20-autobind.update		\
 	20-dna.update			\
 	20-enable_dirsrv_plugins.update	\
 	20-host_nis_groups.update	\
@@ -22,8 +23,6 @@ app_DATA =				\
 	20-sslciphers.update		\
 	20-syncrepl.update		\
 	20-user_private_groups.update	\
-	20-winsync_index.update		\
-	20-idoverride_index.update	\
 	20-uuid.update  \
 	20-default_password_policy.update \
 	20-whoami.update	\
@@ -41,11 +40,13 @@ app_DATA =				\
 	40-dns.update			\
 	40-automember.update		\
 	40-certprofile.update		\
+	40-idp.update			\
 	40-otp.update			\
 	40-vault.update			\
 	41-caacl.update			\
 	41-lightweight-cas.update	\
 	45-roles.update			\
+	49-autobind-services.update	\
 	50-7_bit_check.update	        \
 	50-dogtag10-migration.update	\
 	50-groupuuid.update		\
@@ -62,8 +63,11 @@ app_DATA =				\
 	71-idviews-sasl-mapping.update  \
 	72-domainlevels.update		\
 	73-custodia.update		\
+	73-subid.update		\
 	73-winsync.update		\
 	73-certmap.update		\
+	73-passkey.update		\
+	73-service-rbcd.update		\
 	75-user-trust-attributes.update	\
 	80-schema_compat.update 	\
 	81-externalmembers.update	\

install/updates/Makefile.in

@@ -1,7 +1,7 @@
-# Makefile.in generated by automake 1.16.2 from Makefile.am.
+# Makefile.in generated by automake 1.17 from Makefile.am.
 # @configure_input@
 
-# Copyright (C) 1994-2020 Free Software Foundation, Inc.
+# Copyright (C) 1994-2024 Free Software Foundation, Inc.
 
 # This Makefile.in is free software; the Free Software Foundation
 # gives unlimited permission to copy and/or distribute it,
@@ -70,6 +70,8 @@ am__make_running_with_option = \
   test $$has_opt = yes
 am__make_dryrun = (target_option=n; $(am__make_running_with_option))
 am__make_keepgoing = (target_option=k; $(am__make_running_with_option))
+am__rm_f = rm -f $(am__rm_f_notfound)
+am__rm_rf = rm -rf $(am__rm_f_notfound)
 pkgdatadir = $(datadir)/@PACKAGE@
 pkgincludedir = $(includedir)/@PACKAGE@
 pkglibdir = $(libdir)/@PACKAGE@
@@ -147,10 +149,9 @@ am__base_list = \
   sed '$$!N;$$!N;$$!N;$$!N;$$!N;$$!N;$$!N;s/\n/ /g' | \
   sed '$$!N;$$!N;$$!N;$$!N;s/\n/ /g'
 am__uninstall_files_from_dir = { \
-  test -z "$$files" \
-    || { test ! -d "$$dir" && test ! -f "$$dir" && test ! -r "$$dir"; } \
-    || { echo " ( cd '$$dir' && rm -f" $$files ")"; \
-         $(am__cd) "$$dir" && rm -f $$files; }; \
+  { test ! -d "$$dir" && test ! -f "$$dir" && test ! -r "$$dir"; } \
+  || { echo " ( cd '$$dir' && rm -f" $$files ")"; \
+       $(am__cd) "$$dir" && echo $$files | $(am__xargs_n) 40 $(am__rm_f); }; \
   }
 am__installdirs = "$(DESTDIR)$(appdir)"
 DATA = $(app_DATA)
@@ -176,6 +177,8 @@ CPP = @CPP@
 CPPFLAGS = @CPPFLAGS@
 CRYPTO_CFLAGS = @CRYPTO_CFLAGS@
 CRYPTO_LIBS = @CRYPTO_LIBS@
+CSCOPE = @CSCOPE@
+CTAGS = @CTAGS@
 CYGPATH_W = @CYGPATH_W@
 DATA_VERSION = @DATA_VERSION@
 DEFS = @DEFS@
@@ -189,8 +192,10 @@ ECHO_C = @ECHO_C@
 ECHO_N = @ECHO_N@
 ECHO_T = @ECHO_T@
 EGREP = @EGREP@
+ETAGS = @ETAGS@
 EXEEXT = @EXEEXT@
 FGREP = @FGREP@
+FILECMD = @FILECMD@
 GETTEXT_DOMAIN = @GETTEXT_DOMAIN@
 GETTEXT_MACRO_VERSION = @GETTEXT_MACRO_VERSION@
 GIT_BRANCH = @GIT_BRANCH@
@@ -198,6 +203,7 @@ GIT_VERSION = @GIT_VERSION@
 GMSGFMT = @GMSGFMT@
 GMSGFMT_015 = @GMSGFMT_015@
 GREP = @GREP@
+HTTPD_GROUP = @HTTPD_GROUP@
 INI_CFLAGS = @INI_CFLAGS@
 INI_LIBS = @INI_LIBS@
 INSTALL = @INSTALL@
@@ -210,9 +216,12 @@ INTL_MACOSX_LIBS = @INTL_MACOSX_LIBS@
 IPAPLATFORM = @IPAPLATFORM@
 IPA_DATA_DIR = @IPA_DATA_DIR@
 IPA_SYSCONF_DIR = @IPA_SYSCONF_DIR@
+JANSSON_CFLAGS = @JANSSON_CFLAGS@
+JANSSON_LIBS = @JANSSON_LIBS@
 JSLINT = @JSLINT@
 KRAD_LIBS = @KRAD_LIBS@
 KRB5KDC_SERVICE = @KRB5KDC_SERVICE@
+KRB5_BUILD_VERSION = @KRB5_BUILD_VERSION@
 KRB5_CFLAGS = @KRB5_CFLAGS@
 KRB5_GSSAPI_CFLAGS = @KRB5_GSSAPI_CFLAGS@
 KRB5_GSSAPI_LIBS = @KRB5_GSSAPI_LIBS@
@@ -221,6 +230,8 @@ LD = @LD@
 LDAP_CFLAGS = @LDAP_CFLAGS@
 LDAP_LIBS = @LDAP_LIBS@
 LDFLAGS = @LDFLAGS@
+LIBCURL_CFLAGS = @LIBCURL_CFLAGS@
+LIBCURL_LIBS = @LIBCURL_LIBS@
 LIBICONV = @LIBICONV@
 LIBINTL = @LIBINTL@
 LIBINTL_LIBS = @LIBINTL_LIBS@
@@ -280,6 +291,8 @@ PLATFORM_PYTHON = @PLATFORM_PYTHON@
 POPT_CFLAGS = @POPT_CFLAGS@
 POPT_LIBS = @POPT_LIBS@
 POSUB = @POSUB@
+PWQUALITY_CFLAGS = @PWQUALITY_CFLAGS@
+PWQUALITY_LIBS = @PWQUALITY_LIBS@
 PYLINT = @PYLINT@
 PYTHON = @PYTHON@
 PYTHON_EXEC_PREFIX = @PYTHON_EXEC_PREFIX@
@@ -288,9 +301,12 @@ PYTHON_PLATFORM = @PYTHON_PLATFORM@
 PYTHON_PREFIX = @PYTHON_PREFIX@
 PYTHON_VERSION = @PYTHON_VERSION@
 RANLIB = @RANLIB@
+RESOLV_LIBS = @RESOLV_LIBS@
+RPMLINT = @RPMLINT@
 SAMBA40EXTRA_LIBPATH = @SAMBA40EXTRA_LIBPATH@
 SAMBAUTIL_CFLAGS = @SAMBAUTIL_CFLAGS@
 SAMBAUTIL_LIBS = @SAMBAUTIL_LIBS@
+SAMBA_SECURITY_LIBS = @SAMBA_SECURITY_LIBS@
 SASL_CFLAGS = @SASL_CFLAGS@
 SASL_LIBS = @SASL_LIBS@
 SED = @SED@
@@ -329,8 +345,10 @@ ac_ct_DUMPBIN = @ac_ct_DUMPBIN@
 am__include = @am__include@
 am__leading_dot = @am__leading_dot@
 am__quote = @am__quote@
+am__rm_f_notfound = @am__rm_f_notfound@
 am__tar = @am__tar@
 am__untar = @am__untar@
+am__xargs_n = @am__xargs_n@
 bindir = @bindir@
 build = @build@
 build_alias = @build_alias@
@@ -376,6 +394,7 @@ sharedstatedir = @sharedstatedir@
 srcdir = @srcdir@
 sysconfdir = @sysconfdir@
 sysconfenvdir = @sysconfenvdir@
+systemdcatalogdir = @systemdcatalogdir@
 systemdsystemunitdir = @systemdsystemunitdir@
 systemdtmpfilesdir = @systemdtmpfilesdir@
 target_alias = @target_alias@
@@ -395,6 +414,7 @@ app_DATA = \
 	10-uniqueness.update		\
 	19-managed-entries.update	\
 	20-aci.update			\
+	20-autobind.update		\
 	20-dna.update			\
 	20-enable_dirsrv_plugins.update	\
 	20-host_nis_groups.update	\
@@ -405,8 +425,6 @@ app_DATA = \
 	20-sslciphers.update		\
 	20-syncrepl.update		\
 	20-user_private_groups.update	\
-	20-winsync_index.update		\
-	20-idoverride_index.update	\
 	20-uuid.update  \
 	20-default_password_policy.update \
 	20-whoami.update	\
@@ -424,11 +442,13 @@ app_DATA = \
 	40-dns.update			\
 	40-automember.update		\
 	40-certprofile.update		\
+	40-idp.update			\
 	40-otp.update			\
 	40-vault.update			\
 	41-caacl.update			\
 	41-lightweight-cas.update	\
 	45-roles.update			\
+	49-autobind-services.update	\
 	50-7_bit_check.update	        \
 	50-dogtag10-migration.update	\
 	50-groupuuid.update		\
@@ -445,8 +465,11 @@ app_DATA = \
 	71-idviews-sasl-mapping.update  \
 	72-domainlevels.update		\
 	73-custodia.update		\
+	73-subid.update		\
 	73-winsync.update		\
 	73-certmap.update		\
+	73-passkey.update		\
+	73-service-rbcd.update		\
 	75-user-trust-attributes.update	\
 	80-schema_compat.update 	\
 	81-externalmembers.update	\
@@ -522,7 +545,6 @@ ctags CTAGS:
 
 cscope cscopelist:
 
-
 distdir: $(BUILT_SOURCES)
 	$(MAKE) $(AM_MAKEFLAGS) distdir-am
 
@@ -587,8 +609,8 @@ mostlyclean-generic:
 clean-generic:
 
 distclean-generic:
-	-test -z "$(CONFIG_CLEAN_FILES)" || rm -f $(CONFIG_CLEAN_FILES)
-	-test . = "$(srcdir)" || test -z "$(CONFIG_CLEAN_VPATH_FILES)" || rm -f $(CONFIG_CLEAN_VPATH_FILES)
+	-$(am__rm_f) $(CONFIG_CLEAN_FILES)
+	-test . = "$(srcdir)" || $(am__rm_f) $(CONFIG_CLEAN_VPATH_FILES)
 
 maintainer-clean-generic:
 	@echo "This command is intended for maintainers to use"
@@ -680,3 +702,10 @@ uninstall-am: uninstall-appDATA
 # Tell versions [3.59,3.63) of GNU make to not export all variables.
 # Otherwise a system limit (for SysV at least) may be exceeded.
 .NOEXPORT:
+
+# Tell GNU make to disable its built-in pattern rules.
+%:: %,v
+%:: RCS/%,v
+%:: RCS/%
+%:: s.%
+%:: SCCS/s.%