[Pkg-freeipa-devel] freeipa: Changes to 'master'
Timo Aaltonen
tjaalton at moszumanska.debian.org
Fri Jan 8 00:12:18 UTC 2016
.gitignore | 2
.mailmap | 2
ACI.txt | 48
API.txt | 457 +
COPYING.openssl | 16
Contributors.txt | 94
Makefile | 17
VERSION | 25
asn1/Makefile.am | 8
asn1/README | 17
asn1/asn1c/BIT_STRING.c | 188
asn1/asn1c/BIT_STRING.h | 33
asn1/asn1c/GKCurrentKeys.c | 61
asn1/asn1c/GKCurrentKeys.h | 37
asn1/asn1c/GKNewKeys.c | 126
asn1/asn1c/GKNewKeys.h | 47
asn1/asn1c/GKReply.c | 115
asn1/asn1c/GKReply.h | 51
asn1/asn1c/GetKeytabControl.c | 77
asn1/asn1c/GetKeytabControl.h | 52
asn1/asn1c/INTEGER.c | 835 +++
asn1/asn1c/INTEGER.h | 65
asn1/asn1c/Int32.c | 127
asn1/asn1c/Int32.h | 38
asn1/asn1c/KrbKey.c | 81
asn1/asn1c/KrbKey.h | 46
asn1/asn1c/Makefile.am | 93
asn1/asn1c/NativeEnumerated.c | 204
asn1/asn1c/NativeEnumerated.h | 32
asn1/asn1c/NativeInteger.c | 314 +
asn1/asn1c/NativeInteger.h | 37
asn1/asn1c/OCTET_STRING.c | 1550 ++++++
asn1/asn1c/OCTET_STRING.h | 80
asn1/asn1c/TypeValuePair.c | 71
asn1/asn1c/TypeValuePair.h | 39
asn1/asn1c/asn_SEQUENCE_OF.c | 41
asn1/asn1c/asn_SEQUENCE_OF.h | 52
asn1/asn1c/asn_SET_OF.c | 88
asn1/asn1c/asn_SET_OF.h | 62
asn1/asn1c/asn_application.h | 47
asn1/asn1c/asn_codecs.h | 109
asn1/asn1c/asn_codecs_prim.c | 295 +
asn1/asn1c/asn_codecs_prim.h | 53
asn1/asn1c/asn_internal.h | 111
asn1/asn1c/asn_system.h | 104
asn1/asn1c/ber_decoder.c | 283 +
asn1/asn1c/ber_decoder.h | 63
asn1/asn1c/ber_tlv_length.c | 178
asn1/asn1c/ber_tlv_length.h | 50
asn1/asn1c/ber_tlv_tag.c | 144
asn1/asn1c/ber_tlv_tag.h | 60
asn1/asn1c/constr_CHOICE.c | 1101 ++++
asn1/asn1c/constr_CHOICE.h | 57
asn1/asn1c/constr_SEQUENCE.c | 1251 +++++
asn1/asn1c/constr_SEQUENCE.h | 60
asn1/asn1c/constr_SEQUENCE_OF.c | 208
asn1/asn1c/constr_SEQUENCE_OF.h | 33
asn1/asn1c/constr_SET_OF.c | 942 +++
asn1/asn1c/constr_SET_OF.h | 42
asn1/asn1c/constr_TYPE.c | 77
asn1/asn1c/constr_TYPE.h | 180
asn1/asn1c/constraints.c | 93
asn1/asn1c/constraints.h | 63
asn1/asn1c/der_encoder.c | 199
asn1/asn1c/der_encoder.h | 67
asn1/asn1c/ipa.asn1 | 37
asn1/asn1c/per_decoder.c | 55
asn1/asn1c/per_decoder.h | 44
asn1/asn1c/per_encoder.c | 95
asn1/asn1c/per_encoder.h | 49
asn1/asn1c/per_support.c | 318 +
asn1/asn1c/per_support.h | 105
asn1/asn1c/xer_decoder.c | 363 +
asn1/asn1c/xer_decoder.h | 106
asn1/asn1c/xer_encoder.c | 67
asn1/asn1c/xer_encoder.h | 59
asn1/asn1c/xer_support.c | 233
asn1/asn1c/xer_support.h | 55
asn1/configure.ac | 24
asn1/ipa_asn1.c | 238
asn1/ipa_asn1.h | 76
daemons/Makefile.am | 2
daemons/configure.ac | 51
daemons/dnssec/ipa-dnskeysync-replica | 165
daemons/dnssec/ipa-dnskeysyncd | 110
daemons/dnssec/ipa-dnskeysyncd.service | 15
daemons/dnssec/ipa-ods-exporter | 502 ++
daemons/dnssec/ipa-ods-exporter.service | 15
daemons/dnssec/ipa-ods-exporter.socket | 5
daemons/ipa-kdb/ipa_kdb.c | 19
daemons/ipa-kdb/ipa_kdb.h | 7
daemons/ipa-kdb/ipa_kdb_audit_as.c | 4
daemons/ipa-kdb/ipa_kdb_mspac.c | 20
daemons/ipa-kdb/ipa_kdb_principals.c | 77
daemons/ipa-sam/Makefile.am | 3
daemons/ipa-sam/ipa_sam.c | 23
daemons/ipa-slapi-plugins/Makefile.am | 1
daemons/ipa-slapi-plugins/ipa-cldap/Makefile.am | 1
daemons/ipa-slapi-plugins/ipa-cldap/ipa_cldap_netlogon.c | 19
daemons/ipa-slapi-plugins/ipa-dns/ipa_dns.c | 42
daemons/ipa-slapi-plugins/ipa-extdom-extop/Makefile.am | 35
daemons/ipa-slapi-plugins/ipa-extdom-extop/ipa_extdom.h | 41
daemons/ipa-slapi-plugins/ipa-extdom-extop/ipa_extdom_cmocka_tests.c | 226
daemons/ipa-slapi-plugins/ipa-extdom-extop/ipa_extdom_common.c | 1069 +++-
daemons/ipa-slapi-plugins/ipa-extdom-extop/ipa_extdom_extop.c | 39
daemons/ipa-slapi-plugins/ipa-extdom-extop/test_data/group | 2
daemons/ipa-slapi-plugins/ipa-extdom-extop/test_data/passwd | 2
daemons/ipa-slapi-plugins/ipa-extdom-extop/test_data/test_setup.sh | 3
daemons/ipa-slapi-plugins/ipa-otp-counter/Makefile.am | 21
daemons/ipa-slapi-plugins/ipa-otp-counter/berval.c | 96
daemons/ipa-slapi-plugins/ipa-otp-counter/berval.h | 66
daemons/ipa-slapi-plugins/ipa-otp-counter/ipa-otp-counter.sym | 1
daemons/ipa-slapi-plugins/ipa-otp-counter/ipa_otp_counter.c | 462 +
daemons/ipa-slapi-plugins/ipa-otp-counter/ldapmod.c | 110
daemons/ipa-slapi-plugins/ipa-otp-counter/ldapmod.h | 54
daemons/ipa-slapi-plugins/ipa-otp-lasttoken/Makefile.am | 1
daemons/ipa-slapi-plugins/ipa-otp-lasttoken/ipa_otp_lasttoken.c | 262 -
daemons/ipa-slapi-plugins/ipa-pwd-extop/Makefile.am | 10
daemons/ipa-slapi-plugins/ipa-pwd-extop/authcfg.c | 280 -
daemons/ipa-slapi-plugins/ipa-pwd-extop/authcfg.h | 82
daemons/ipa-slapi-plugins/ipa-pwd-extop/ipa_pwd_extop.c | 325 -
daemons/ipa-slapi-plugins/ipa-pwd-extop/ipapwd.h | 2
daemons/ipa-slapi-plugins/ipa-pwd-extop/prepost.c | 127
daemons/ipa-slapi-plugins/ipa-pwd-extop/syncreq.c | 17
daemons/ipa-slapi-plugins/ipa-pwd-extop/syncreq.h | 4
daemons/ipa-slapi-plugins/ipa-range-check/ipa_range_check.c | 5
daemons/ipa-slapi-plugins/ipa-uuid/ipa_uuid.c | 2
daemons/ipa-slapi-plugins/ipa-winsync/ipa-winsync-config.c | 40
daemons/ipa-slapi-plugins/libotp/Makefile.am | 14
daemons/ipa-slapi-plugins/libotp/hotp.c | 170
daemons/ipa-slapi-plugins/libotp/hotp.h | 60
daemons/ipa-slapi-plugins/libotp/libotp.c | 583 --
daemons/ipa-slapi-plugins/libotp/libotp.h | 93
daemons/ipa-slapi-plugins/libotp/librfc.c | 170
daemons/ipa-slapi-plugins/libotp/librfc.h | 63
daemons/ipa-slapi-plugins/libotp/otp_config.c | 364 +
daemons/ipa-slapi-plugins/libotp/otp_config.h | 82
daemons/ipa-slapi-plugins/libotp/otp_token.c | 533 ++
daemons/ipa-slapi-plugins/libotp/otp_token.h | 88
daemons/ipa-slapi-plugins/libotp/t_hotp.c | 121
daemons/ipa-slapi-plugins/libotp/t_librfc.c | 121
debian/TODO | 5
debian/changelog | 32
debian/control | 34
debian/freeipa-client.dirs | 1
debian/freeipa-client.install | 2
debian/freeipa-client.postinst | 13
debian/freeipa-client.postrm | 8
debian/freeipa-server.install | 7
debian/freeipa-server.links | 4
debian/freeipa-server.postinst | 9
debian/freeipa-server.postrm | 42
debian/patches/add-a-clear-openssl-exception.diff | 49
debian/patches/add-debian-platform.diff | 72
debian/patches/disable-dnssec-support.patch | 524 ++
debian/patches/fix-bind-conf.diff | 39
debian/patches/fix-hyphen-used-as-minus-sign.patch | 2
debian/patches/fix-manpage-has-errors-from-man.patch | 13
debian/patches/fix-pykerberos-api.diff | 5
debian/patches/no-test-lang.diff | 2
debian/patches/port-ipa-client-automount.diff | 2
debian/patches/prefix.patch | 6
debian/patches/revert-dnssec-aci.diff | 98
debian/patches/revert-dnssec-schema.diff | 131
debian/patches/revert-pykerberos-api-change.diff | 2
debian/patches/revert-revert-removal-of-cn-attribute.diff | 21
debian/patches/series | 7
debian/patches/work-around-apache-fail.diff | 4
freeipa.spec.in | 112
install/certmonger/Makefile.am | 1
install/certmonger/dogtag-ipa-ca-renew-agent-submit | 246
install/certmonger/ipa-server-guard | 55
install/ffextension/chrome/content/kerberosauth.js | 24
install/restart_scripts/renew_ca_cert | 152
install/restart_scripts/renew_ra_cert | 44
install/restart_scripts/restart_dirsrv | 10
install/restart_scripts/restart_httpd | 10
install/restart_scripts/stop_pkicad | 4
install/share/05rfc2247.ldif | 39
install/share/60basev2.ldif | 4
install/share/60basev3.ldif | 10
install/share/60ipadns.ldif | 13
install/share/60ipapk11.ldif | 42
install/share/60policyv2.ldif | 30
install/share/65ipacertstore.ldif | 8
install/share/70ipaotp.ldif | 7
install/share/71idviews.ldif | 8
install/share/Makefile.am | 9
install/share/bind.named.conf.template | 15
install/share/bind.zone.db.template | 2
install/share/bootstrap-template.ldif | 6
install/share/certmap.conf.template | 43
install/share/copy-schema-to-ca.py | 7
install/share/default-trust-view.ldif | 6
install/share/dns.ldif | 2
install/share/dnssec.ldif | 11
install/share/krb5.conf.template | 1
install/share/opendnssec_conf.template | 46
install/share/opendnssec_kasp.template | 150
install/share/schema_compat.uldif | 8
install/share/uuid-ipauniqueid.ldif | 11
install/share/uuid.ldif | 23
install/tools/Makefile.am | 1
install/tools/ipa-adtrust-install | 4
install/tools/ipa-ca-install | 241
install/tools/ipa-cacert-manage | 23
install/tools/ipa-csreplica-manage | 2
install/tools/ipa-dns-install | 148
install/tools/ipa-replica-conncheck | 1
install/tools/ipa-replica-install | 129
install/tools/ipa-replica-manage | 15
install/tools/ipa-server-install | 463 +
install/tools/ipa-upgradeconfig | 346 +
install/tools/ipactl | 12
install/tools/man/Makefile.am | 1
install/tools/man/ipa-ca-install.1 | 20
install/tools/man/ipa-cacert-manage.1 | 88
install/tools/man/ipa-dns-install.1 | 3
install/tools/man/ipa-replica-install.1 | 3
install/tools/man/ipa-replica-prepare.1 | 45
install/tools/man/ipa-restore.1 | 11
install/tools/man/ipa-server-certinstall.1 | 9
install/tools/man/ipa-server-install.1 | 55
install/ui/doc/categories.json | 7
install/ui/ipa.css | 6
install/ui/less/widgets.less | 132
install/ui/reset_password.html | 3
install/ui/reset_password.js | 65
install/ui/src/freeipa/Application_controller.js | 4
install/ui/src/freeipa/FieldBinder.js | 13
install/ui/src/freeipa/_base/Builder.js | 2
install/ui/src/freeipa/_base/Singleton_registry.js | 17
install/ui/src/freeipa/_base/construct.js | 8
install/ui/src/freeipa/add.js | 2
install/ui/src/freeipa/app.js | 3
install/ui/src/freeipa/association.js | 40
install/ui/src/freeipa/certificate.js | 2
install/ui/src/freeipa/config.js | 13
install/ui/src/freeipa/dialog.js | 26
install/ui/src/freeipa/dns.js | 170
install/ui/src/freeipa/facet.js | 104
install/ui/src/freeipa/field.js | 34
install/ui/src/freeipa/host.js | 96
install/ui/src/freeipa/idrange.js | 111
install/ui/src/freeipa/idviews.js | 798 +++
install/ui/src/freeipa/ipa.js | 20
install/ui/src/freeipa/navigation/MenuItem.js | 2
install/ui/src/freeipa/navigation/menu_spec.js | 1
install/ui/src/freeipa/otptoken.js | 83
install/ui/src/freeipa/rule.js | 5
install/ui/src/freeipa/search.js | 3
install/ui/src/freeipa/serverconfig.js | 7
install/ui/src/freeipa/service.js | 88
install/ui/src/freeipa/user.js | 81
install/ui/src/freeipa/util.js | 19
install/ui/src/freeipa/widget.js | 333 +
install/ui/src/freeipa/widgets/LoginScreen.js | 80
install/ui/src/freeipa/widgets/LoginScreenBase.js | 8
install/ui/src/freeipa/widgets/SyncOTPScreen.js | 2
install/ui/test/data/ipa_init.json | 66
install/updates/10-schema_compat.update | 16
install/updates/10-uniqueness.update | 34
install/updates/20-aci.update | 2
install/updates/20-indices.update | 7
install/updates/20-uuid.update | 11
install/updates/21-certstore_container.update | 4
install/updates/25-referint.update | 14
install/updates/30-policy.update | 44
install/updates/40-delegation.update | 62
install/updates/40-dns.update | 1
install/updates/40-otp.update | 24
install/updates/40-replication.update | 11
install/updates/59-trusts-sysacount.update | 8
install/updates/60-trusts.update | 6
install/updates/71-idviews.update | 4
install/updates/Makefile.am | 4
ipa-client/Makefile.am | 4
ipa-client/configure.ac | 2
ipa-client/ipa-getkeytab.c | 248
ipa-client/ipa-install/Makefile.am | 1
ipa-client/ipa-install/ipa-certupdate | 23
ipa-client/ipa-install/ipa-client-automount | 10
ipa-client/ipa-install/ipa-client-install | 523 +-
ipa-client/ipa-join.c | 23
ipa-client/ipa-rmkeytab.c | 4
ipa-client/ipaclient/Makefile.am | 1
ipa-client/ipaclient/ipa_certupdate.py | 181
ipa-client/ipaclient/ipachangeconf.py | 3
ipa-client/ipaclient/ipadiscovery.py | 5
ipa-client/ipaclient/ntpconf.py | 8
ipa-client/man/Makefile.am | 1
ipa-client/man/default.conf.5 | 4
ipa-client/man/ipa-certupdate.1 | 39
ipa-client/man/ipa-client-install.1 | 4
ipa-client/man/ipa-rmkeytab.1 | 2
ipa.1 | 3
ipalib/backend.py | 2
ipalib/certstore.py | 427 +
ipalib/constants.py | 8
ipalib/errors.py | 15
ipalib/messages.py | 57
ipalib/parameters.py | 35
ipalib/plugins/automember.py | 5
ipalib/plugins/baseldap.py | 54
ipalib/plugins/cert.py | 38
ipalib/plugins/dns.py | 882 ++-
ipalib/plugins/group.py | 15
ipalib/plugins/hbacsvcgroup.py | 2
ipalib/plugins/host.py | 216
ipalib/plugins/hostgroup.py | 32
ipalib/plugins/idrange.py | 62
ipalib/plugins/idviews.py | 894 +++
ipalib/plugins/internal.py | 68
ipalib/plugins/migration.py | 28
ipalib/plugins/netgroup.py | 2
ipalib/plugins/otpconfig.py | 121
ipalib/plugins/otptoken.py | 79
ipalib/plugins/otptoken_yubikey.py | 11
ipalib/plugins/permission.py | 10
ipalib/plugins/privilege.py | 2
ipalib/plugins/role.py | 4
ipalib/plugins/service.py | 158
ipalib/plugins/sudocmdgroup.py | 2
ipalib/plugins/trust.py | 2
ipalib/plugins/user.py | 25
ipalib/rpc.py | 29
ipalib/util.py | 92
ipalib/x509.py | 181
ipaplatform/base/paths.py | 49
ipaplatform/base/services.py | 65
ipaplatform/base/tasks.py | 87
ipaplatform/redhat/paths.py | 6
ipaplatform/redhat/services.py | 66
ipaplatform/redhat/tasks.py | 230
ipapython/Makefile | 2
ipapython/certdb.py | 493 +
ipapython/certmonger.py | 38
ipapython/dnssec/abshsm.py | 187
ipapython/dnssec/bindmgr.py | 206
ipapython/dnssec/keysyncer.py | 181
ipapython/dnssec/ldapkeydb.py | 351 +
ipapython/dnssec/localhsm.py | 229
ipapython/dnssec/odsmgr.py | 197
ipapython/dnssec/syncrepl.py | 123
ipapython/dnssec/temp.py | 23
ipapython/dnsutil.py | 20
ipapython/dogtag.py | 24
ipapython/errors.py | 47
ipapython/ipaldap.py | 39
ipapython/ipap11helper/Makefile | 20
ipapython/ipap11helper/library.c | 87
ipapython/ipap11helper/library.h | 48
ipapython/ipap11helper/p11helper.c | 2358 +++++++++
ipapython/ipap11helper/setup.py | 43
ipapython/ipautil.py | 12
ipapython/nsslib.py | 17
ipapython/p11helper.py | 40
ipapython/setup.py.in | 2
ipaserver/dcerpc.py | 68
ipaserver/install/adtrustinstance.py | 84
ipaserver/install/bindinstance.py | 393 +
ipaserver/install/cainstance.py | 178
ipaserver/install/certs.py | 381 -
ipaserver/install/dnskeysyncinstance.py | 509 ++
ipaserver/install/dsinstance.py | 114
ipaserver/install/httpinstance.py | 182
ipaserver/install/installutils.py | 337 -
ipaserver/install/ipa_backup.py | 27
ipaserver/install/ipa_cacert_manage.py | 370 +
ipaserver/install/ipa_otptoken_import.py | 2
ipaserver/install/ipa_replica_prepare.py | 266 -
ipaserver/install/ipa_restore.py | 397 +
ipaserver/install/ipa_server_certinstall.py | 48
ipaserver/install/odsexporterinstance.py | 180
ipaserver/install/opendnssecinstance.py | 300 +
ipaserver/install/plugins/Makefile.am | 3
ipaserver/install/plugins/adtrust.py | 48
ipaserver/install/plugins/dns.py | 73
ipaserver/install/plugins/update_idranges.py | 69
ipaserver/install/plugins/update_managed_permissions.py | 100
ipaserver/install/plugins/update_passsync.py | 78
ipaserver/install/plugins/update_referint.py | 90
ipaserver/install/plugins/update_uniqueness.py | 115
ipaserver/install/plugins/upload_cacrt.py | 77
ipaserver/install/replication.py | 165
ipaserver/install/schemaupdate.py | 133
ipaserver/install/service.py | 163
ipaserver/install/sysupgrade.py | 10
ipaserver/install/upgradeinstance.py | 19
ipaserver/rpcserver.py | 3
ipatests/test_cmdline/test_cli.py | 79
ipatests/test_integration/tasks.py | 10
ipatests/test_integration/test_advise.py | 134
ipatests/test_integration/test_backup_and_restore.py | 206
ipatests/test_integration/test_caless.py | 33
ipatests/test_integration/test_external_ca.py | 4
ipatests/test_integration/test_service_permissions.py | 82
ipatests/test_ipaserver/test_otptoken_import.py | 5
ipatests/test_webui/task_range.py | 20
ipatests/test_webui/test_dns.py | 3
ipatests/test_webui/test_range.py | 4
ipatests/test_xmlrpc/objectclasses.py | 20
ipatests/test_xmlrpc/test_automember_plugin.py | 35
ipatests/test_xmlrpc/test_batch_plugin.py | 5
ipatests/test_xmlrpc/test_dns_plugin.py | 2502 +++++++---
ipatests/test_xmlrpc/test_dns_realmdomains_integration.py | 15
ipatests/test_xmlrpc/test_host_plugin.py | 485 +
ipatests/test_xmlrpc/test_idviews_plugin.py | 1477 +++++
ipatests/test_xmlrpc/test_range_plugin.py | 167
ipatests/test_xmlrpc/test_role_plugin.py | 2
ipatests/test_xmlrpc/test_service_plugin.py | 570 ++
ipatests/test_xmlrpc/test_user_plugin.py | 19
util/ipa_krb5.c | 4
util/ipa_krb5.h | 3
util/ipa_pwd_ntlm.c | 5
415 files changed, 41277 insertions(+), 6199 deletions(-)
New commits:
commit 2c1bb40f7843698dbc777bf953c9c4ebd8949e8d
Author: Timo Aaltonen <tjaalton at debian.org>
Date: Fri Sep 25 14:25:50 2015 +0300
releasing package freeipa version 4.1.4-1
diff --git a/debian/changelog b/debian/changelog
index 2bbc7ba..0b968d3 100644
--- a/debian/changelog
+++ b/debian/changelog
@@ -1,4 +1,4 @@
-freeipa (4.1.4-1) UNRELEASED; urgency=medium
+freeipa (4.1.4-1) experimental; urgency=medium
* New upstream release. (LP: #1492226)
- Refresh patches
@@ -28,7 +28,7 @@ freeipa (4.1.4-1) UNRELEASED; urgency=medium
* server.postrm: Clean logs on purge and disable apache modules on
remove/purge.
- -- Timo Aaltonen <tjaalton at debian.org> Thu, 02 Apr 2015 13:16:49 +0300
+ -- Timo Aaltonen <tjaalton at debian.org> Fri, 25 Sep 2015 14:07:40 +0300
freeipa (4.0.5-6) unstable; urgency=medium
commit e4390c363e82ec22132bf31c655a0c5e80f23156
Author: Timo Aaltonen <tjaalton at debian.org>
Date: Fri Sep 25 12:53:40 2015 +0300
server.postrm: Clean logs on purge and disable apache modules on remove/purge.
diff --git a/debian/changelog b/debian/changelog
index e7ebcc4..2bbc7ba 100644
--- a/debian/changelog
+++ b/debian/changelog
@@ -25,6 +25,8 @@ freeipa (4.1.4-1) UNRELEASED; urgency=medium
* server.postinst: Run ipa-ldap-updater and ipa-upgradeconfig on
postinst.
* Revert DNSSEC changes to schema and ACI, makes upgrade tools fail.
+ * server.postrm: Clean logs on purge and disable apache modules on
+ remove/purge.
-- Timo Aaltonen <tjaalton at debian.org> Thu, 02 Apr 2015 13:16:49 +0300
diff --git a/debian/freeipa-server.postrm b/debian/freeipa-server.postrm
new file mode 100644
index 0000000..fd71998
--- /dev/null
+++ b/debian/freeipa-server.postrm
@@ -0,0 +1,42 @@
+#!/bin/sh
+set -e
+
+case "$1" in
+ remove|purge)
+ if [ -e /usr/share/apache2/apache2-maintscript-helper ]; then
+ . /usr/share/apache2/apache2-maintscript-helper
+
+ if [ -e /etc/apache2/mods-enabled/auth_kerb.load ]; then
+ apache2_invoke dismod auth_kerb || exit $?
+ fi
+ if [ -e /etc/apache2/mods-enabled/authz_user.load ]; then
+ apache2_invoke dismod authz_user || exit $?
+ fi
+ if [ -e /etc/apache2/mods-enabled/deflate.load ]; then
+ apache2_invoke dismod deflate || exit $?
+ fi
+ if [ -e /etc/apache2/mods-enabled/expires.load ]; then
+ apache2_invoke dismod expires || exit $?
+ fi
+ if [ -e /etc/apache2/mods-enabled/headers.load ]; then
+ apache2_invoke dismod headers || exit $?
+ fi
+ if [ -e /etc/apache2/mods-enabled/proxy.load ]; then
+ apache2_invoke dismod proxy || exit $?
+ fi
+ if [ -e /etc/apache2/mods-enabled/rewrite.load ]; then
+ apache2_invoke dismod rewrite || exit $?
+ fi
+ fi
+ ;;
+esac
+case "$1" in
+ purge)
+ rm -f \
+ /var/log/ipareplica-conncheck.log \
+ /var/log/ipareplica-install.log \
+ /var/log/ipaserver-install.log \
+ /var/log/ipaserver-uninstall.log \
+ /var/log/ipaupgrade.log
+ ;;
+esac
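Review bot: The `remove|purge` branch disables `authz_user`, `deflate`, `expires`, `headers`, `proxy` and `rewrite` whenever they are enabled, without checking that freeipa-server was what enabled them. These are general-purpose modules that other sites on the same Apache may depend on: without `headers`, response headers set inside `<IfModule>` blocks silently disappear, and without `authz_user` configurations that use `Require user` stop loading. Unless `apache2_invoke` already refuses to disable administrator-enabled modules (not visible here), the script should undo only what its own postinst enabled, or keep just `apache2_invoke dismod auth_kerb || exit $?` and leave the shared modules alone. The new file also has no `#DEBHELPER#` token, so if the package is built with debhelper its generated postrm fragments would not be included.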
commit a59df18572d3213e5450564111c298ac357e209e
Author: Timo Aaltonen <tjaalton at debian.org>
Date: Fri Sep 25 07:58:16 2015 +0300
server.postinst: Run upgraders only if IPA is configured
diff --git a/debian/freeipa-server.postinst b/debian/freeipa-server.postinst
index cc29c01..49cdcb6 100644
--- a/debian/freeipa-server.postinst
+++ b/debian/freeipa-server.postinst
@@ -28,10 +28,14 @@ if [ "$1" = configure ]; then
fi
chown root:bind /var/cache/bind/data
- echo "Running ipa-ldap-updater..."
- ipa-ldap-updater --upgrade --quiet >/dev/null
- echo "Running ipa-upgradeconfig..."
- ipa-upgradeconfig --quiet >/dev/null
+ # check if IPA is set up
+ is_configured=`python2 -c 'from ipaserver.install import installutils; print "yes" if installutils.is_ipa_configured() else "no";'`
+ if [ $is_configured = yes ]; then
+ echo "Running ipa-ldap-updater..."
+ ipa-ldap-updater --upgrade --quiet >/dev/null
+ echo "Running ipa-upgradeconfig..."
+ ipa-upgradeconfig --quiet >/dev/null
+ fi
fi
if [ ! -e /run/ipa_memcached ]; then
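Review bot: `$is_configured` is expanded unquoted in `[ $is_configured = yes ]`, so if the `python2 -c` probe prints nothing and the script continues (for example the `ipaserver` import fails), the test itself errors out and the `if` treats that as false. Both upgraders are then skipped without a clear message, leaving the directory schema and ACIs at the old version while the package is reported as configured. Quote the variable, `if [ "$is_configured" = yes ]; then`, and consider treating a failed probe as an error instead of as "not configured". Whether `set -e` is active is not visible in this hunk, and the enclosing `if [ "$1" = configure ]` block starts above it.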
commit d1f383fe85c3c25db6603898ae464b3b592f35c9
Author: Timo Aaltonen <tjaalton at debian.org>
Date: Fri Sep 25 07:06:28 2015 +0300
Add some verbosity to server postinst
diff --git a/debian/freeipa-server.postinst b/debian/freeipa-server.postinst
index 9f94a45..cc29c01 100644
--- a/debian/freeipa-server.postinst
+++ b/debian/freeipa-server.postinst
@@ -28,7 +28,9 @@ if [ "$1" = configure ]; then
fi
chown root:bind /var/cache/bind/data
+ echo "Running ipa-ldap-updater..."
ipa-ldap-updater --upgrade --quiet >/dev/null
+ echo "Running ipa-upgradeconfig..."
ipa-upgradeconfig --quiet >/dev/null
fi
commit cca5d0e90f364f666c3d6c99311fc5de4c6de604
Author: Timo Aaltonen <tjaalton at debian.org>
Date: Fri Sep 25 06:50:59 2015 +0300
begone, dnssec
diff --git a/debian/patches/disable-dnssec-support.patch b/debian/patches/disable-dnssec-support.patch
index e62d27c..24781ce 100644
--- a/debian/patches/disable-dnssec-support.patch
+++ b/debian/patches/disable-dnssec-support.patch
@@ -383,15 +383,15 @@ Subject: [PATCH] Disable DNSSEC support
cleanup_kdc(fstore)
cleanup_adtrust(fstore)
setup_firefox_extension(fstore)
-@@ -1457,13 +1448,9 @@ def main():
+@@ -1457,13 +1448,6 @@ def main():
named_enable_serial_autoincrement(),
named_update_gssapi_configuration(),
named_update_pid_file(),
- named_enable_dnssec(),
- named_validate_dnssec(),
- named_bindkey_file_option(),
- named_managed_keys_dir_option(),
- named_root_key_include(),
+- named_bindkey_file_option(),
+- named_managed_keys_dir_option(),
+- named_root_key_include(),
- mask_named_regular(),
- fix_dyndb_ldap_workdir_permissions(),
)
commit e968c1e1667319ab239ba2141431982fa2cc37ef
Author: Timo Aaltonen <tjaalton at debian.org>
Date: Fri Sep 25 06:05:08 2015 +0300
Revert DNSSEC changes to schema and ACI, makes upgrade tools fail.
diff --git a/debian/changelog b/debian/changelog
index eec3c17..e7ebcc4 100644
--- a/debian/changelog
+++ b/debian/changelog
@@ -24,6 +24,7 @@ freeipa (4.1.4-1) UNRELEASED; urgency=medium
* platform, disable-dnssec-support.patch: Fix named.conf template.
* server.postinst: Run ipa-ldap-updater and ipa-upgradeconfig on
postinst.
+ * Revert DNSSEC changes to schema and ACI, makes upgrade tools fail.
-- Timo Aaltonen <tjaalton at debian.org> Thu, 02 Apr 2015 13:16:49 +0300
diff --git a/debian/patches/revert-dnssec-aci.diff b/debian/patches/revert-dnssec-aci.diff
new file mode 100644
index 0000000..eb49b53
--- /dev/null
+++ b/debian/patches/revert-dnssec-aci.diff
@@ -0,0 +1,98 @@
+commit d37678b62dc588180b7207dd9226f1e328f995eb
+Author: Timo Aaltonen <tjaalton at debian.org>
+Date: Fri Sep 25 06:28:37 2015 +0300
+
+ Revert "DNSSEC: ACI"
+
+ This reverts commit 4ddc978cea5229f6429221a37cc657b88a734736.
+
+diff --git a/ACI.txt b/ACI.txt
+index 933b57c..12726ee 100644
+--- a/ACI.txt
++++ b/ACI.txt
+@@ -39,14 +39,8 @@ aci: (targetattr = "idnsallowsyncptr || idnsforwarders || idnsforwardpolicy || i
+ dn: dc=ipa,dc=example
+ aci: (target = "ldap:///idnsname=*,cn=dns,dc=ipa,dc=example")(version 3.0;acl "permission:System: Add DNS Entries";allow (add) groupdn = "ldap:///cn=System: Add DNS Entries,cn=permissions,cn=pbac,dc=ipa,dc=example";)
+ dn: dc=ipa,dc=example
+-aci: (targetattr = "ipaprivatekey || ipapublickey || ipasecretkey || ipasecretkeyref || ipawrappingkey || ipawrappingmech || ipk11allowedmechanisms || ipk11alwaysauthenticate || ipk11alwayssensitive || ipk11checkvalue || ipk11copyable || ipk11decrypt || ipk11derive || ipk11destroyable || ipk11distrusted || ipk11encrypt || ipk11enddate || ipk11extractable || ipk11id || ipk11keygenmechanism || ipk11keytype || ipk11label || ipk11local || ipk11modifiable || ipk11neverextractable || ipk11private || ipk11publickeyinfo || ipk11sensitive || ipk11sign || ipk11signrecover || ipk11startdate || ipk11subject || ipk11trusted || ipk11uniqueid || ipk11unwrap || ipk11unwraptemplate || ipk11verify || ipk11verifyrecover || ipk11wrap || ipk11wraptemplate || ipk11wrapwithtrusted || objectclass")(target = "ldap:///cn=keys,cn=sec,cn=dns,dc=ipa,dc=example")(version 3.0;acl "permission:System: Manage DNSSEC keys";allow (all) groupdn = "ldap:///cn=System: Manage DNSSEC keys,cn=permissions,cn=pbac,dc=ipa,dc=example";)
+-dn: dc=ipa,dc=example
+-aci: (targetattr = "cn || idnssecalgorithm || idnsseckeyactivate || idnsseckeycreated || idnsseckeydelete || idnsseckeyinactive || idnsseckeypublish || idnsseckeyref || idnsseckeyrevoke || idnsseckeysep || idnsseckeyzone || objectclass")(target = "ldap:///cn=dns,dc=ipa,dc=example")(targetfilter = "(objectclass=idnsSecKey)")(version 3.0;acl "permission:System: Manage DNSSEC metadata";allow (all) groupdn = "ldap:///cn=System: Manage DNSSEC metadata,cn=permissions,cn=pbac,dc=ipa,dc=example";)
+-dn: dc=ipa,dc=example
+ aci: (targetattr = "a6record || aaaarecord || afsdbrecord || arecord || certrecord || cn || cnamerecord || createtimestamp || dlvrecord || dnamerecord || dnsclass || dnsttl || dsrecord || entryusn || hinforecord || idnsallowdynupdate || idnsallowquery || idnsallowsyncptr || idnsallowtransfer || idnsforwarders || idnsforwardpolicy || idnsname || idnssecinlinesigning || idnssoaexpire || idnssoaminimum || idnssoamname || idnssoarefresh || idnssoaretry || idnssoarname || idnssoaserial || idnsupdatepolicy || idnszoneactive || keyrecord || kxrecord || locrecord || managedby || mdrecord || minforecord || modifytimestamp || mxrecord || naptrrecord || nsec3paramrecord || nsecrecord || nsrecord || nxtrecord || objectclass || ptrrecord || rrsigrecord || sigrecord || srvrecord || sshfprecord || tlsarecord || txtrecord")(target = "ldap:///idnsname=*,cn=dns,dc=ipa,dc=example")(version 3.0;acl "permission:System: Read DNS Entries";allow (compare,read,search) groupdn = "ldap:///cn=System: Read DNS Entries,cn=permissions,cn=pbac,dc=ipa,dc=example";)
+ dn: dc=ipa,dc=example
+-aci: (targetattr = "cn || createtimestamp || entryusn || idnssecalgorithm || idnsseckeyactivate || idnsseckeycreated || idnsseckeydelete || idnsseckeyinactive || idnsseckeypublish || idnsseckeyref || idnsseckeyrevoke || idnsseckeysep || idnsseckeyzone || modifytimestamp || objectclass")(target = "ldap:///cn=dns,dc=ipa,dc=example")(targetfilter = "(objectclass=idnsSecKey)")(version 3.0;acl "permission:System: Read DNSSEC metadata";allow (compare,read,search) groupdn = "ldap:///cn=System: Read DNSSEC metadata,cn=permissions,cn=pbac,dc=ipa,dc=example";)
+-dn: dc=ipa,dc=example
+ aci: (target = "ldap:///idnsname=*,cn=dns,dc=ipa,dc=example")(version 3.0;acl "permission:System: Remove DNS Entries";allow (delete) groupdn = "ldap:///cn=System: Remove DNS Entries,cn=permissions,cn=pbac,dc=ipa,dc=example";)
+ dn: dc=ipa,dc=example
+ aci: (targetattr = "a6record || aaaarecord || afsdbrecord || arecord || certrecord || cn || cnamerecord || dlvrecord || dnamerecord || dnsclass || dnsttl || dsrecord || hinforecord || idnsallowdynupdate || idnsallowquery || idnsallowsyncptr || idnsallowtransfer || idnsforwarders || idnsforwardpolicy || idnsname || idnssecinlinesigning || idnssoaexpire || idnssoaminimum || idnssoamname || idnssoarefresh || idnssoaretry || idnssoarname || idnssoaserial || idnsupdatepolicy || idnszoneactive || keyrecord || kxrecord || locrecord || managedby || mdrecord || minforecord || mxrecord || naptrrecord || nsec3paramrecord || nsecrecord || nsrecord || nxtrecord || ptrrecord || rrsigrecord || sigrecord || srvrecord || sshfprecord || tlsarecord || txtrecord")(target = "ldap:///idnsname=*,cn=dns,dc=ipa,dc=example")(version 3.0;acl "permission:System: Update DNS Entries";allow (write) groupdn = "ldap:///cn=System: Update DNS Entries,cn=permissions,cn=pbac,dc=ipa,dc=example";)
+diff --git a/ipalib/plugins/dns.py b/ipalib/plugins/dns.py
+index f589ab5..ccca6d1 100644
+--- a/ipalib/plugins/dns.py
++++ b/ipalib/plugins/dns.py
+@@ -2471,7 +2471,6 @@ class dnszone(DNSZoneBase):
+ ),
+ )
+ # Permissions will be apllied for forwardzones too
+- # Store permissions into api.env.basedn, dns container could not exists
+ managed_permissions = {
+ 'System: Add DNS Entries': {
+ 'non_object': True,
+@@ -2546,58 +2545,6 @@ class dnszone(DNSZoneBase):
+ ],
+ 'default_privileges': {'DNS Administrators', 'DNS Servers'},
+ },
+- 'System: Read DNSSEC metadata': {
+- 'non_object': True,
+- 'ipapermright': {'read', 'search', 'compare'},
+- 'ipapermlocation': api.env.basedn,
+- 'ipapermtarget': DN('cn=dns', api.env.basedn),
+- 'ipapermtargetfilter': ['(objectclass=idnsSecKey)'],
+- 'ipapermdefaultattr': {
+- 'idnsSecAlgorithm', 'idnsSecKeyCreated', 'idnsSecKeyPublish',
+- 'idnsSecKeyActivate', 'idnsSecKeyInactive', 'idnsSecKeyDelete',
+- 'idnsSecKeyZone', 'idnsSecKeyRevoke', 'idnsSecKeySep',
+- 'idnsSecKeyRef', 'cn', 'objectclass',
+- },
+- 'default_privileges': {'DNS Administrators'},
+- },
+- 'System: Manage DNSSEC metadata': {
+- 'non_object': True,
+- 'ipapermright': {'all'},
+- 'ipapermlocation': api.env.basedn,
+- 'ipapermtarget': DN('cn=dns', api.env.basedn),
+- 'ipapermtargetfilter': ['(objectclass=idnsSecKey)'],
+- 'ipapermdefaultattr': {
+- 'idnsSecAlgorithm', 'idnsSecKeyCreated', 'idnsSecKeyPublish',
+- 'idnsSecKeyActivate', 'idnsSecKeyInactive', 'idnsSecKeyDelete',
+- 'idnsSecKeyZone', 'idnsSecKeyRevoke', 'idnsSecKeySep',
+- 'idnsSecKeyRef', 'cn', 'objectclass',
+- },
+- 'default_privileges': {'DNS Servers'},
+- },
+- 'System: Manage DNSSEC keys': {
+- 'non_object': True,
+- 'ipapermright': {'all'},
+- 'ipapermlocation': api.env.basedn,
+- 'ipapermtarget': DN('cn=keys', 'cn=sec', 'cn=dns', api.env.basedn),
+- 'ipapermdefaultattr': {
+- 'ipaPublicKey', 'ipaPrivateKey', 'ipaSecretKey',
+- 'ipaWrappingMech','ipaWrappingKey',
+- 'ipaSecretKeyRef', 'ipk11Private', 'ipk11Modifiable', 'ipk11Label',
+- 'ipk11Copyable', 'ipk11Destroyable', 'ipk11Trusted',
+- 'ipk11CheckValue', 'ipk11StartDate', 'ipk11EndDate',
+- 'ipk11UniqueId', 'ipk11PublicKeyInfo', 'ipk11Distrusted',
+- 'ipk11Subject', 'ipk11Id', 'ipk11Local', 'ipk11KeyType',
+- 'ipk11Derive', 'ipk11KeyGenMechanism', 'ipk11AllowedMechanisms',
+- 'ipk11Encrypt', 'ipk11Verify', 'ipk11VerifyRecover', 'ipk11Wrap',
+- 'ipk11WrapTemplate', 'ipk11Sensitive', 'ipk11Decrypt',
+- 'ipk11Sign', 'ipk11SignRecover', 'ipk11Unwrap',
+- 'ipk11Extractable', 'ipk11AlwaysSensitive',
+- 'ipk11NeverExtractable', 'ipk11WrapWithTrusted',
+- 'ipk11UnwrapTemplate', 'ipk11AlwaysAuthenticate',
+- 'objectclass',
+- },
+- 'default_privileges': {'DNS Servers'},
+- },
+ }
+
+ def _rr_zone_postprocess(self, record, **options):
diff --git a/debian/patches/revert-dnssec-schema.diff b/debian/patches/revert-dnssec-schema.diff
new file mode 100644
index 0000000..e888893
--- /dev/null
+++ b/debian/patches/revert-dnssec-schema.diff
@@ -0,0 +1,131 @@
+commit 69cb61ab1ef5c232e4270b49388a8f730e89e84b
+Author: Timo Aaltonen <tjaalton at debian.org>
+Date: Fri Sep 25 06:02:29 2015 +0300
+
+ Revert "DNSSEC: schema"
+
+ This reverts commit 3f0440f1950319febabcf726304bc10954c8b2b8.
+
+diff --git a/install/share/60basev3.ldif b/install/share/60basev3.ldif
+index 4efb1fe..7ce7777 100644
+--- a/install/share/60basev3.ldif
++++ b/install/share/60basev3.ldif
+@@ -49,11 +49,9 @@ attributeTypes: (2.16.840.1.113730.3.8.11.49 NAME 'ipaPermTarget' DESC 'IPA perm
+ attributeTypes: (2.16.840.1.113730.3.8.11.51 NAME 'ipaAllowedToPerform' DESC 'DNs allowed to perform an operation' SUP distinguishedName X-ORIGIN 'IPA v4.0')
+ attributeTypes: (2.16.840.1.113730.3.8.11.52 NAME 'ipaProtectedOperation' DESC 'Operation to be protected' EQUALITY caseIgnoreMatch SYNTAX 1.3.6.1.4.1.1466.115.121.1.15{128} )
+ attributeTypes: (2.16.840.1.113730.3.8.11.53 NAME 'ipaPublicKey' DESC 'Public key as DER-encoded SubjectPublicKeyInfo (RFC 5280)' EQUALITY octetStringMatch SYNTAX 1.3.6.1.4.1.1466.115.121.1.40 X-ORIGIN 'IPA v4.1' )
+-attributeTypes: (2.16.840.1.113730.3.8.11.54 NAME 'ipaPrivateKey' DESC 'Private key as DER-encoded EncryptedPrivateKeyInfo (RFC 5958)' EQUALITY octetStringMatch SYNTAX 1.3.6.1.4.1.1466.115.121.1.40 SINGLE-VALUE X-ORIGIN 'IPA v4.1' )
+-attributeTypes: (2.16.840.1.113730.3.8.11.55 NAME 'ipaSecretKey' DESC 'Encrypted secret key data' EQUALITY octetStringMatch SYNTAX 1.3.6.1.4.1.1466.115.121.1.40 SINGLE-VALUE X-ORIGIN 'IPA v4.1' )
++attributeTypes: (2.16.840.1.113730.3.8.11.54 NAME 'ipaPrivateKey' DESC 'Private key as DER-encoded EncryptedPrivateKeyInfo (RFC 5958)' EQUALITY octetStringMatch SYNTAX 1.3.6.1.4.1.1466.115.121.1.40 X-ORIGIN 'IPA v4.1' )
++attributeTypes: (2.16.840.1.113730.3.8.11.55 NAME 'ipaSecretKey' DESC 'Encrypted secret key data' EQUALITY octetStringMatch SYNTAX 1.3.6.1.4.1.1466.115.121.1.40 X-ORIGIN 'IPA v4.1' )
+ attributeTypes: (2.16.840.1.113730.3.8.11.61 NAME 'ipaWrappingKey' DESC 'PKCS#11 URI of the wrapping key' EQUALITY caseExactMatch SYNTAX 1.3.6.1.4.1.1466.115.121.1.15 SINGLE-VALUE X-ORIGIN 'IPA v4.1' )
+-attributeTypes: (2.16.840.1.113730.3.8.11.64 NAME 'ipaSecretKeyRef' DESC 'DN of the ipa key object' EQUALITY distinguishedNameMatch SYNTAX 1.3.6.1.4.1.1466.115.121.1.12 X-ORIGIN 'IPA v4.1' )
+-attributeTypes: (2.16.840.1.113730.3.8.11.65 NAME 'ipaWrappingMech' DESC 'PKCS#11 wrapping mechanism equivalent to CK_MECHANISM_TYPE' EQUALITY caseIgnoreMatch SYNTAX 1.3.6.1.4.1.1466.115.121.1.15 SINGLE-VALUE X-ORIGIN 'IPA v4.1')
+ objectClasses: (2.16.840.1.113730.3.8.12.1 NAME 'ipaExternalGroup' SUP top STRUCTURAL MUST ( cn ) MAY ( ipaExternalMember $ memberOf $ description $ owner) X-ORIGIN 'IPA v3' )
+ objectClasses: (2.16.840.1.113730.3.8.12.2 NAME 'ipaNTUserAttrs' SUP top AUXILIARY MUST ( ipaNTSecurityIdentifier ) MAY ( ipaNTHash $ ipaNTLogonScript $ ipaNTProfilePath $ ipaNTHomeDirectory $ ipaNTHomeDirectoryDrive ) X-ORIGIN 'IPA v3' )
+ objectClasses: (2.16.840.1.113730.3.8.12.3 NAME 'ipaNTGroupAttrs' SUP top AUXILIARY MUST ( ipaNTSecurityIdentifier ) X-ORIGIN 'IPA v3' )
+@@ -74,6 +72,5 @@ objectClasses: (2.16.840.1.113730.3.8.12.20 NAME 'ipaUser' AUXILIARY MUST ( uid
+ objectClasses: (2.16.840.1.113730.3.8.12.21 NAME 'ipaPermissionV2' DESC 'IPA Permission objectclass, version 2' SUP ipaPermission AUXILIARY MUST ( ipaPermBindRuleType $ ipaPermLocation ) MAY ( ipaPermDefaultAttr $ ipaPermIncludedAttr $ ipaPermExcludedAttr $ ipaPermRight $ ipaPermTargetFilter $ ipaPermTarget ) X-ORIGIN 'IPA v4.0' )
+ objectClasses: (2.16.840.1.113730.3.8.12.22 NAME 'ipaAllowedOperations' SUP top AUXILIARY DESC 'Class to apply access controls to arbitrary operations' MAY ( ipaAllowedToPerform $ ipaProtectedOperation ) X-ORIGIN 'IPA v4.0')
+ objectClasses: (2.16.840.1.113730.3.8.12.24 NAME 'ipaPublicKeyObject' DESC 'Wrapped public keys' SUP top AUXILIARY MUST ( ipaPublicKey ) X-ORIGIN 'IPA v4.1' )
+-objectClasses: (2.16.840.1.113730.3.8.12.25 NAME 'ipaPrivateKeyObject' DESC 'Wrapped private keys' SUP top AUXILIARY MUST ( ipaPrivateKey $ ipaWrappingKey $ ipaWrappingMech ) X-ORIGIN 'IPA v4.1' )
+-objectClasses: (2.16.840.1.113730.3.8.12.26 NAME 'ipaSecretKeyObject' DESC 'Wrapped secret keys' SUP top AUXILIARY MUST ( ipaSecretKey $ ipaWrappingKey $ ipaWrappingMech ) X-ORIGIN 'IPA v4.1' )
+-objectClasses: (2.16.840.1.113730.3.8.12.34 NAME 'ipaSecretKeyRefObject' DESC 'Indirect storage for encoded key material' SUP top AUXILIARY MUST ( ipaSecretKeyRef ) X-ORIGIN 'IPA v4.1' )
++objectClasses: (2.16.840.1.113730.3.8.12.25 NAME 'ipaPrivateKeyObject' DESC 'Wrapped private keys' SUP top AUXILIARY MUST ( ipaPrivateKey $ ipaWrappingKey ) X-ORIGIN 'IPA v4.1' )
++objectClasses: (2.16.840.1.113730.3.8.12.26 NAME 'ipaSecretKeyObject' DESC 'Wrapped secret keys' SUP top AUXILIARY MUST ( ipaSecretKey $ ipaWrappingKey ) X-ORIGIN 'IPA v4.1' )
+diff --git a/install/share/60ipadns.ldif b/install/share/60ipadns.ldif
+index 678a5b4..eccc4fe 100644
+--- a/install/share/60ipadns.ldif
++++ b/install/share/60ipadns.ldif
+@@ -53,19 +53,8 @@ attributeTypes: ( 2.16.840.1.113730.3.8.5.15 NAME 'idnsForwarders' DESC 'list of
+ attributeTypes: ( 2.16.840.1.113730.3.8.5.16 NAME 'idnsZoneRefresh' DESC 'zone refresh interval' EQUALITY integerMatch SYNTAX 1.3.6.1.4.1.1466.115.121.1.27 SINGLE-VALUE X-ORIGIN 'IPA v2' )
+ attributeTypes: ( 2.16.840.1.113730.3.8.5.17 NAME 'idnsPersistentSearch' DESC 'allow persistent searches' EQUALITY booleanMatch SYNTAX 1.3.6.1.4.1.1466.115.121.1.7 SINGLE-VALUE X-ORIGIN 'IPA v2' )
+ attributeTypes: ( 2.16.840.1.113730.3.8.5.18 NAME 'idnsSecInlineSigning' DESC 'allow inline DNSSEC signing' EQUALITY booleanMatch SYNTAX 1.3.6.1.4.1.1466.115.121.1.7 SINGLE-VALUE X-ORIGIN 'IPA v4.0' )
+-attributetypes: ( 2.16.840.1.113730.3.8.5.19 NAME 'idnsSecKeyCreated' DESC 'DNSSEC key creation timestamp' EQUALITY generalizedTimeMatch ORDERING generalizedTimeOrderingMatch SYNTAX 1.3.6.1.4.1.1466.115.121.1.24 SINGLE-VALUE X-ORIGIN 'IPA v4.1' )
+-attributetypes: ( 2.16.840.1.113730.3.8.5.20 NAME 'idnsSecKeyPublish' DESC 'DNSSEC key (planned) publication time' EQUALITY generalizedTimeMatch ORDERING generalizedTimeOrderingMatch SYNTAX 1.3.6.1.4.1.1466.115.121.1.24 SINGLE-VALUE X-ORIGIN 'IPA v4.1' )
+-attributetypes: ( 2.16.840.1.113730.3.8.5.21 NAME 'idnsSecKeyActivate' DESC 'DNSSEC key (planned) activation time' EQUALITY generalizedTimeMatch ORDERING generalizedTimeOrderingMatch SYNTAX 1.3.6.1.4.1.1466.115.121.1.24 SINGLE-VALUE X-ORIGIN 'IPA v4.1' )
+-attributetypes: ( 2.16.840.1.113730.3.8.5.22 NAME 'idnsSecKeyInactive' DESC 'DNSSEC key (planned) inactivation time' EQUALITY generalizedTimeMatch ORDERING generalizedTimeOrderingMatch SYNTAX 1.3.6.1.4.1.1466.115.121.1.24 SINGLE-VALUE X-ORIGIN 'IPA v4.1' )
+-attributetypes: ( 2.16.840.1.113730.3.8.5.23 NAME 'idnsSecKeyDelete' DESC 'DNSSEC key (planned) deletion timestamp' EQUALITY generalizedTimeMatch ORDERING generalizedTimeOrderingMatch SYNTAX 1.3.6.1.4.1.1466.115.121.1.24 SINGLE-VALUE X-ORIGIN 'IPA v4.1' )
+-attributeTypes: ( 2.16.840.1.113730.3.8.5.24 NAME 'idnsSecKeyZone' DESC 'DNSKEY ZONE flag (equivalent to bit 7): RFC 4035' EQUALITY booleanMatch SYNTAX 1.3.6.1.4.1.1466.115.121.1.7 SINGLE-VALUE X-ORIGIN 'IPA v4.1' )
+-attributeTypes: ( 2.16.840.1.113730.3.8.5.25 NAME 'idnsSecKeyRevoke' DESC 'DNSKEY REVOKE flag (equivalent to bit 8): RFC 5011' EQUALITY booleanMatch SYNTAX 1.3.6.1.4.1.1466.115.121.1.7 SINGLE-VALUE X-ORIGIN 'IPA v4.1' )
+-attributeTypes: ( 2.16.840.1.113730.3.8.5.26 NAME 'idnsSecKeySep' DESC 'DNSKEY SEP flag (equivalent to bit 15): RFC 4035' EQUALITY booleanMatch SYNTAX 1.3.6.1.4.1.1466.115.121.1.7 SINGLE-VALUE X-ORIGIN 'IPA v4.1' )
+-attributeTypes: ( 2.16.840.1.113730.3.8.5.27 NAME 'idnsSecAlgorithm' DESC 'DNSKEY algorithm: string used as mnemonic' EQUALITY caseIgnoreIA5Match SUBSTR caseIgnoreIA5SubstringsMatch SYNTAX 1.3.6.1.4.1.1466.115.121.1.26 SINGLE-VALUE X-ORIGIN 'IPA v4.1' )
+-attributeTypes: ( 2.16.840.1.113730.3.8.5.28 NAME 'idnsSecKeyRef' DESC 'PKCS#11 URI of the key' EQUALITY caseExactMatch SINGLE-VALUE SYNTAX 1.3.6.1.4.1.1466.115.121.1.15 X-ORIGIN 'IPA v4.1' )
+ objectClasses: ( 2.16.840.1.113730.3.8.6.0 NAME 'idnsRecord' DESC 'dns Record, usually a host' SUP top STRUCTURAL MUST idnsName MAY ( idnsAllowDynUpdate $ dNSTTL $ dNSClass $ aRecord $ aAAARecord $ a6Record $ nSRecord $ cNAMERecord $ pTRRecord $ sRVRecord $ tXTRecord $ mXRecord $ mDRecord $ hInfoRecord $ mInfoRecord $ aFSDBRecord $ SigRecord $ KeyRecord $ LocRecord $ nXTRecord $ nAPTRRecord $ kXRecord $ certRecord $ dNameRecord $ dSRecord $ sSHFPRecord $ rRSIGRecord $ nSECRecord $ DLVRecord $ TLSARecord ) )
+ objectClasses: ( 2.16.840.1.113730.3.8.6.1 NAME 'idnsZone' DESC 'Zone class' SUP idnsRecord STRUCTURAL MUST ( idnsZoneActive $ idnsSOAmName $ idnsSOArName $ idnsSOAserial $ idnsSOArefresh $ idnsSOAretry $ idnsSOAexpire $ idnsSOAminimum ) MAY ( idnsUpdatePolicy $ idnsAllowQuery $ idnsAllowTransfer $ idnsAllowSyncPTR $ idnsForwardPolicy $ idnsForwarders $ idnsSecInlineSigning $ nSEC3PARAMRecord ) )
+ objectClasses: ( 2.16.840.1.113730.3.8.6.2 NAME 'idnsConfigObject' DESC 'DNS global config options' STRUCTURAL MAY ( idnsForwardPolicy $ idnsForwarders $ idnsAllowSyncPTR $ idnsZoneRefresh $ idnsPersistentSearch ) )
+ objectClasses: ( 2.16.840.1.113730.3.8.12.18 NAME 'ipaDNSZone' SUP top AUXILIARY MUST idnsName MAY managedBy X-ORIGIN 'IPA v3' )
+ objectClasses: ( 2.16.840.1.113730.3.8.6.3 NAME 'idnsForwardZone' DESC 'Forward Zone class' SUP top STRUCTURAL MUST ( idnsName $ idnsZoneActive ) MAY ( idnsForwarders $ idnsForwardPolicy ) )
+-objectClasses: ( 2.16.840.1.113730.3.8.6.4 NAME 'idnsSecKey' DESC 'DNSSEC key metadata' STRUCTURAL MUST ( idnsSecKeyRef $ idnsSecKeyCreated $ idnsSecAlgorithm ) MAY ( idnsSecKeyPublish $ idnsSecKeyActivate $ idnsSecKeyInactive $ idnsSecKeyDelete $ idnsSecKeyZone $ idnsSecKeyRevoke $ idnsSecKeySep $ cn ) X-ORIGIN 'IPA v4.1' )
+diff --git a/install/share/60ipapk11.ldif b/install/share/60ipapk11.ldif
+deleted file mode 100644
+index 9db113d..0000000
+--- a/install/share/60ipapk11.ldif
++++ /dev/null
+@@ -1,42 +0,0 @@
+-dn: cn=schema
+-attributeTypes: (2.16.840.1.113730.3.8.17.1.11 NAME 'ipk11Private' DESC 'Is private to application' EQUALITY booleanMatch SYNTAX 1.3.6.1.4.1.1466.115.121.1.7 SINGLE-VALUE X-ORIGIN 'IPA v4.1' )
+-attributeTypes: (2.16.840.1.113730.3.8.17.1.12 NAME 'ipk11Modifiable' DESC 'Can be modified by application' EQUALITY booleanMatch SYNTAX 1.3.6.1.4.1.1466.115.121.1.7 SINGLE-VALUE X-ORIGIN 'IPA v4.1' )
+-attributeTypes: (2.16.840.1.113730.3.8.17.1.13 NAME 'ipk11Label' DESC 'Description' EQUALITY caseExactMatch SYNTAX 1.3.6.1.4.1.1466.115.121.1.15 SINGLE-VALUE X-ORIGIN 'IPA v4.1' )
+-attributeTypes: (2.16.840.1.113730.3.8.17.1.14 NAME 'ipk11Copyable' DESC 'Can be copied by application' EQUALITY booleanMatch SYNTAX 1.3.6.1.4.1.1466.115.121.1.7 SINGLE-VALUE X-ORIGIN 'IPA v4.1' )
+-attributeTypes: (2.16.840.1.113730.3.8.17.1.15 NAME 'ipk11Destroyable' DESC 'Can be destroyed by application' EQUALITY booleanMatch SYNTAX 1.3.6.1.4.1.1466.115.121.1.7 SINGLE-VALUE X-ORIGIN 'IPA v4.1' )
+-attributeTypes: (2.16.840.1.113730.3.8.17.1.16 NAME 'ipk11Trusted' DESC 'Can be trusted by application' EQUALITY booleanMatch SYNTAX 1.3.6.1.4.1.1466.115.121.1.7 SINGLE-VALUE X-ORIGIN 'IPA v4.1' )
+-attributeTypes: (2.16.840.1.113730.3.8.17.1.17 NAME 'ipk11CheckValue' DESC 'Checksum' EQUALITY octetStringMatch SYNTAX 1.3.6.1.4.1.1466.115.121.1.40 X-ORIGIN 'IPA v4.1' )
+-attributeTypes: (2.16.840.1.113730.3.8.17.1.18 NAME 'ipk11StartDate' DESC 'Validity start date' EQUALITY generalizedTimeMatch ORDERING generalizedTimeOrderingMatch SYNTAX 1.3.6.1.4.1.1466.115.121.1.24 SINGLE-VALUE X-ORIGIN 'IPA v4.1' )
+-attributeTypes: (2.16.840.1.113730.3.8.17.1.19 NAME 'ipk11EndDate' DESC 'Validity end date' EQUALITY generalizedTimeMatch ORDERING generalizedTimeOrderingMatch SYNTAX 1.3.6.1.4.1.1466.115.121.1.24 SINGLE-VALUE X-ORIGIN 'IPA v4.1' )
+-attributeTypes: (2.16.840.1.113730.3.8.17.1.1 NAME 'ipk11UniqueId' DESC 'Meaningless unique identifier' EQUALITY caseIgnoreMatch SYNTAX 1.3.6.1.4.1.1466.115.121.1.15 SINGLE-VALUE X-ORIGIN 'IPA v4.1' )
+-attributeTypes: (2.16.840.1.113730.3.8.17.1.20 NAME 'ipk11PublicKeyInfo' DESC 'DER-encoding of SubjectPublicKeyInfo of associated public key' EQUALITY octetStringMatch SYNTAX 1.3.6.1.4.1.1466.115.121.1.40 X-ORIGIN 'IPA v4.1' )
+-attributeTypes: (2.16.840.1.113730.3.8.17.1.21 NAME 'ipk11Distrusted' DESC 'Must not be trusted by application' EQUALITY booleanMatch SYNTAX 1.3.6.1.4.1.1466.115.121.1.7 SINGLE-VALUE X-ORIGIN 'IPA v4.1' )
+-attributeTypes: (2.16.840.1.113730.3.8.17.1.22 NAME 'ipk11Subject' DESC 'DER-encoding of subject name' EQUALITY octetStringMatch SYNTAX 1.3.6.1.4.1.1466.115.121.1.40 SINGLE-VALUE X-ORIGIN 'IPA v4.1' )
+-attributeTypes: (2.16.840.1.113730.3.8.17.1.23 NAME 'ipk11Id' DESC 'Key association identifier' EQUALITY octetStringMatch SYNTAX 1.3.6.1.4.1.1466.115.121.1.40 SINGLE-VALUE X-ORIGIN 'IPA v4.1' )
+-attributeTypes: (2.16.840.1.113730.3.8.17.1.24 NAME 'ipk11Local' DESC 'Was created locally on token' EQUALITY booleanMatch SYNTAX 1.3.6.1.4.1.1466.115.121.1.7 SINGLE-VALUE X-ORIGIN 'IPA v4.1' )
+-attributeTypes: (2.16.840.1.113730.3.8.17.1.41 NAME 'ipk11KeyType' DESC 'Key type' EQUALITY caseIgnoreMatch SYNTAX 1.3.6.1.4.1.1466.115.121.1.15 SINGLE-VALUE X-ORIGIN 'IPA v4.1' )
+-attributeTypes: (2.16.840.1.113730.3.8.17.1.42 NAME 'ipk11Derive' DESC 'Key supports key derivation' EQUALITY booleanMatch SYNTAX 1.3.6.1.4.1.1466.115.121.1.7 SINGLE-VALUE X-ORIGIN 'IPA v4.1' )
+-attributeTypes: (2.16.840.1.113730.3.8.17.1.43 NAME 'ipk11KeyGenMechanism' DESC 'Mechanism used to generate this key' EQUALITY caseIgnoreMatch SYNTAX 1.3.6.1.4.1.1466.115.121.1.15 SINGLE-VALUE X-ORIGIN 'IPA v4.1' )
+-attributeTypes: (2.16.840.1.113730.3.8.17.1.44 NAME 'ipk11AllowedMechanisms' DESC 'Space-separated list of mechanisms allowed to be used with this key' EQUALITY caseIgnoreMatch SUBSTR caseIgnoreSubstringsMatch SYNTAX 1.3.6.1.4.1.1466.115.121.1.15 SINGLE-VALUE X-ORIGIN 'IPA v4.1' )
+-attributeTypes: (2.16.840.1.113730.3.8.17.1.51 NAME 'ipk11Encrypt' DESC 'Key supports encryption' EQUALITY booleanMatch SYNTAX 1.3.6.1.4.1.1466.115.121.1.7 SINGLE-VALUE X-ORIGIN 'IPA v4.1' )
+-attributeTypes: (2.16.840.1.113730.3.8.17.1.52 NAME 'ipk11Verify' DESC 'Key supports verification where the signature is an appendix to the data' EQUALITY booleanMatch SYNTAX 1.3.6.1.4.1.1466.115.121.1.7 SINGLE-VALUE X-ORIGIN 'IPA v4.1' )
+-attributeTypes: (2.16.840.1.113730.3.8.17.1.53 NAME 'ipk11VerifyRecover' DESC 'Key supports verification where data is recovered from the signature' EQUALITY booleanMatch SYNTAX 1.3.6.1.4.1.1466.115.121.1.7 SINGLE-VALUE X-ORIGIN 'IPA v4.1' )
+-attributeTypes: (2.16.840.1.113730.3.8.17.1.54 NAME 'ipk11Wrap' DESC 'Key supports wrapping' EQUALITY booleanMatch SYNTAX 1.3.6.1.4.1.1466.115.121.1.7 SINGLE-VALUE X-ORIGIN 'IPA v4.1' )
+-attributeTypes: (2.16.840.1.113730.3.8.17.1.55 NAME 'ipk11WrapTemplate' DESC 'DN of template of keys which can be wrapped using this key' EQUALITY distinguishedNameMatch SYNTAX 1.3.6.1.4.1.1466.115.121.1.12 SINGLE-VALUE X-ORIGIN 'IPA v4.1' )
+-attributeTypes: (2.16.840.1.113730.3.8.17.1.61 NAME 'ipk11Sensitive' DESC 'Key is sensitive' EQUALITY booleanMatch SYNTAX 1.3.6.1.4.1.1466.115.121.1.7 SINGLE-VALUE X-ORIGIN 'IPA v4.1' )
+-attributeTypes: (2.16.840.1.113730.3.8.17.1.62 NAME 'ipk11Decrypt' DESC 'Key supports decryption' EQUALITY booleanMatch SYNTAX 1.3.6.1.4.1.1466.115.121.1.7 SINGLE-VALUE X-ORIGIN 'IPA v4.1' )
+-attributeTypes: (2.16.840.1.113730.3.8.17.1.63 NAME 'ipk11Sign' DESC 'Key supports signatures where the signature is an appendix to the data' EQUALITY booleanMatch SYNTAX 1.3.6.1.4.1.1466.115.121.1.7 SINGLE-VALUE X-ORIGIN 'IPA v4.1' )
+-attributeTypes: (2.16.840.1.113730.3.8.17.1.64 NAME 'ipk11SignRecover' DESC 'Key supports signatures where data can be recovered from the signature' EQUALITY booleanMatch SYNTAX 1.3.6.1.4.1.1466.115.121.1.7 SINGLE-VALUE X-ORIGIN 'IPA v4.1' )
+-attributeTypes: (2.16.840.1.113730.3.8.17.1.65 NAME 'ipk11Unwrap' DESC 'Key supports unwrapping' EQUALITY booleanMatch SYNTAX 1.3.6.1.4.1.1466.115.121.1.7 SINGLE-VALUE X-ORIGIN 'IPA v4.1' )
+-attributeTypes: (2.16.840.1.113730.3.8.17.1.66 NAME 'ipk11Extractable' DESC 'Key is extractable and can be wrapped' EQUALITY booleanMatch SYNTAX 1.3.6.1.4.1.1466.115.121.1.7 SINGLE-VALUE X-ORIGIN 'IPA v4.1' )
+-attributeTypes: (2.16.840.1.113730.3.8.17.1.67 NAME 'ipk11AlwaysSensitive' DESC 'Key has always been sensitive' EQUALITY booleanMatch SYNTAX 1.3.6.1.4.1.1466.115.121.1.7 SINGLE-VALUE X-ORIGIN 'IPA v4.1' )
+-attributeTypes: (2.16.840.1.113730.3.8.17.1.68 NAME 'ipk11NeverExtractable' DESC 'Key has never been extractable' EQUALITY booleanMatch SYNTAX 1.3.6.1.4.1.1466.115.121.1.7 SINGLE-VALUE X-ORIGIN 'IPA v4.1' )
+-attributeTypes: (2.16.840.1.113730.3.8.17.1.69 NAME 'ipk11WrapWithTrusted' DESC 'Key can only be wrapped with a trusted wrapping key' EQUALITY booleanMatch SYNTAX 1.3.6.1.4.1.1466.115.121.1.7 SINGLE-VALUE X-ORIGIN 'IPA v4.1' )
+-attributeTypes: (2.16.840.1.113730.3.8.17.1.70 NAME 'ipk11UnwrapTemplate' DESC 'DN of template to apply to keys unwrapped using this key' EQUALITY distinguishedNameMatch SYNTAX 1.3.6.1.4.1.1466.115.121.1.12 SINGLE-VALUE X-ORIGIN 'IPA v4.1' )
+-attributeTypes: (2.16.840.1.113730.3.8.17.1.71 NAME 'ipk11AlwaysAuthenticate' DESC 'User has to authenticate for each use with this key' EQUALITY booleanMatch SYNTAX 1.3.6.1.4.1.1466.115.121.1.7 SINGLE-VALUE X-ORIGIN 'IPA v4.1' )
+-objectClasses: (2.16.840.1.113730.3.8.17.2.1 NAME 'ipk11Object' DESC 'Object' SUP top STRUCTURAL MUST ipk11UniqueId X-ORIGIN 'IPA v4.1' )
+-objectClasses: (2.16.840.1.113730.3.8.17.2.2 NAME 'ipk11StorageObject' DESC 'Storage object' SUP top ABSTRACT MAY ( ipk11Private $ ipk11Modifiable $ ipk11Label $ ipk11Copyable $ ipk11Destroyable ) X-ORIGIN 'IPA v4.1' )
+-objectClasses: (2.16.840.1.113730.3.8.17.2.5 NAME 'ipk11Key' DESC 'Key' SUP ipk11StorageObject ABSTRACT MAY ( ipk11KeyType $ ipk11Id $ ipk11StartDate $ ipk11EndDate $ ipk11Derive $ ipk11Local $ ipk11KeyGenMechanism $ ipk11AllowedMechanisms ) X-ORIGIN 'IPA v4.1' )
+-objectClasses: (2.16.840.1.113730.3.8.17.2.6 NAME 'ipk11PublicKey' DESC 'Public key' SUP ipk11Key AUXILIARY MAY ( ipk11Subject $ ipk11Encrypt $ ipk11Verify $ ipk11VerifyRecover $ ipk11Wrap $ ipk11Trusted $ ipk11WrapTemplate $ ipk11Distrusted $ ipk11PublicKeyInfo ) X-ORIGIN 'IPA v4.1' )
+-objectClasses: (2.16.840.1.113730.3.8.17.2.7 NAME 'ipk11PrivateKey' DESC 'Private key' SUP ipk11Key AUXILIARY MAY ( ipk11Subject $ ipk11Sensitive $ ipk11Decrypt $ ipk11Sign $ ipk11SignRecover $ ipk11Unwrap $ ipk11Extractable $ ipk11AlwaysSensitive $ ipk11NeverExtractable $ ipk11WrapWithTrusted $ ipk11UnwrapTemplate $ ipk11AlwaysAuthenticate $ ipk11PublicKeyInfo ) X-ORIGIN 'IPA v4.1' )
+-objectClasses: (2.16.840.1.113730.3.8.17.2.8 NAME 'ipk11SecretKey' DESC 'Secret key' SUP ipk11Key AUXILIARY MAY ( ipk11Sensitive $ ipk11Encrypt $ ipk11Decrypt $ ipk11Sign $ ipk11Verify $ ipk11Wrap $ ipk11Unwrap $ ipk11Extractable $ ipk11AlwaysSensitive $ ipk11NeverExtractable $ ipk11CheckValue $ ipk11WrapWithTrusted $ ipk11Trusted $ ipk11WrapTemplate $ ipk11UnwrapTemplate ) X-ORIGIN 'IPA v4.1' )
+diff --git a/install/share/Makefile.am b/install/share/Makefile.am
+index 878d886..3f8fa9a 100644
+--- a/install/share/Makefile.am
++++ b/install/share/Makefile.am
+@@ -15,7 +15,6 @@ app_DATA = \
+ 60basev2.ldif \
+ 60basev3.ldif \
+ 60ipadns.ldif \
+- 60ipapk11.ldif \
+ 61kerberos-ipav3.ldif \
+ 65ipacertstore.ldif \
+ 65ipasudo.ldif \
+diff --git a/ipaserver/install/dsinstance.py b/ipaserver/install/dsinstance.py
+index 0ab4ae7..7e1ef20 100644
+--- a/ipaserver/install/dsinstance.py
++++ b/ipaserver/install/dsinstance.py
+@@ -54,7 +54,6 @@ IPA_SCHEMA_FILES = ("60kerberos.ldif",
+ "60ipaconfig.ldif",
+ "60basev2.ldif",
+ "60basev3.ldif",
+- "60ipapk11.ldif",
+ "60ipadns.ldif",
+ "61kerberos-ipav3.ldif",
+ "65ipacertstore.ldif",
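Review bot: The header of this new patch (and of revert-revert-removal-of-cn-attribute.diff, added in the same commit) records only that it reverts an upstream commit and gives no reason for shipping a schema that differs from upstream. The revert removes `SINGLE-VALUE` from `ipaPrivateKey` and `ipaSecretKey` and drops `ipaWrappingMech` from the MUST list of `ipaPrivateKeyObject` and `ipaSecretKeyObject` while keeping the same OIDs, so a directory built from this package defines those OIDs differently from one built from the unpatched source. Whether such servers can ever share a replication topology or an upgrade path, or whether entries already use the removed `idnsSecKey` and `ipk11*` definitions, cannot be told from the patch, and either case would need handling. I would add DEP-3 fields to both patch headers, for example `Description: drop DNSSEC schema while DNSSEC support is disabled in this package` (if that is the intent) and `Forwarded: not-needed`, and name the condition under which the patches can be dropped.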
diff --git a/debian/patches/revert-revert-removal-of-cn-attribute.diff b/debian/patches/revert-revert-removal-of-cn-attribute.diff
new file mode 100644
index 0000000..28b0bc6
--- /dev/null
+++ b/debian/patches/revert-revert-removal-of-cn-attribute.diff
@@ -0,0 +1,21 @@
+commit 323bc2dc6b6a3f7919b6cb477df357119abdee8d
+Author: Timo Aaltonen <tjaalton at debian.org>
+Date: Fri Sep 25 06:02:10 2015 +0300
+
+ Revert "revert removal of cn attribute from idnsRecord"
+
+ This reverts commit 2fa07b1d24f61f9bcff5adb804a18c9eae72932d.
+
+diff --git a/install/share/60ipadns.ldif b/install/share/60ipadns.ldif
+index 8fd0bb9..678a5b4 100644
+--- a/install/share/60ipadns.ldif
++++ b/install/share/60ipadns.ldif
+@@ -63,7 +63,7 @@ attributeTypes: ( 2.16.840.1.113730.3.8.5.25 NAME 'idnsSecKeyRevoke' DESC 'DNSKE
+ attributeTypes: ( 2.16.840.1.113730.3.8.5.26 NAME 'idnsSecKeySep' DESC 'DNSKEY SEP flag (equivalent to bit 15): RFC 4035' EQUALITY booleanMatch SYNTAX 1.3.6.1.4.1.1466.115.121.1.7 SINGLE-VALUE X-ORIGIN 'IPA v4.1' )
+ attributeTypes: ( 2.16.840.1.113730.3.8.5.27 NAME 'idnsSecAlgorithm' DESC 'DNSKEY algorithm: string used as mnemonic' EQUALITY caseIgnoreIA5Match SUBSTR caseIgnoreIA5SubstringsMatch SYNTAX 1.3.6.1.4.1.1466.115.121.1.26 SINGLE-VALUE X-ORIGIN 'IPA v4.1' )
+ attributeTypes: ( 2.16.840.1.113730.3.8.5.28 NAME 'idnsSecKeyRef' DESC 'PKCS#11 URI of the key' EQUALITY caseExactMatch SINGLE-VALUE SYNTAX 1.3.6.1.4.1.1466.115.121.1.15 X-ORIGIN 'IPA v4.1' )
+-objectClasses: ( 2.16.840.1.113730.3.8.6.0 NAME 'idnsRecord' DESC 'dns Record, usually a host' SUP top STRUCTURAL MUST idnsName MAY ( cn $ idnsAllowDynUpdate $ dNSTTL $ dNSClass $ aRecord $ aAAARecord $ a6Record $ nSRecord $ cNAMERecord $ pTRRecord $ sRVRecord $ tXTRecord $ mXRecord $ mDRecord $ hInfoRecord $ mInfoRecord $ aFSDBRecord $ SigRecord $ KeyRecord $ LocRecord $ nXTRecord $ nAPTRRecord $ kXRecord $ certRecord $ dNameRecord $ dSRecord $ sSHFPRecord $ rRSIGRecord $ nSECRecord $ DLVRecord $ TLSARecord ) )
++objectClasses: ( 2.16.840.1.113730.3.8.6.0 NAME 'idnsRecord' DESC 'dns Record, usually a host' SUP top STRUCTURAL MUST idnsName MAY ( idnsAllowDynUpdate $ dNSTTL $ dNSClass $ aRecord $ aAAARecord $ a6Record $ nSRecord $ cNAMERecord $ pTRRecord $ sRVRecord $ tXTRecord $ mXRecord $ mDRecord $ hInfoRecord $ mInfoRecord $ aFSDBRecord $ SigRecord $ KeyRecord $ LocRecord $ nXTRecord $ nAPTRRecord $ kXRecord $ certRecord $ dNameRecord $ dSRecord $ sSHFPRecord $ rRSIGRecord $ nSECRecord $ DLVRecord $ TLSARecord ) )
+ objectClasses: ( 2.16.840.1.113730.3.8.6.1 NAME 'idnsZone' DESC 'Zone class' SUP idnsRecord STRUCTURAL MUST ( idnsZoneActive $ idnsSOAmName $ idnsSOArName $ idnsSOAserial $ idnsSOArefresh $ idnsSOAretry $ idnsSOAexpire $ idnsSOAminimum ) MAY ( idnsUpdatePolicy $ idnsAllowQuery $ idnsAllowTransfer $ idnsAllowSyncPTR $ idnsForwardPolicy $ idnsForwarders $ idnsSecInlineSigning $ nSEC3PARAMRecord ) )
+ objectClasses: ( 2.16.840.1.113730.3.8.6.2 NAME 'idnsConfigObject' DESC 'DNS global config options' STRUCTURAL MAY ( idnsForwardPolicy $ idnsForwarders $ idnsAllowSyncPTR $ idnsZoneRefresh $ idnsPersistentSearch ) )
+ objectClasses: ( 2.16.840.1.113730.3.8.12.18 NAME 'ipaDNSZone' SUP top AUXILIARY MUST idnsName MAY managedBy X-ORIGIN 'IPA v3' )
diff --git a/debian/patches/series b/debian/patches/series
index 8516c75..4d05e0e 100644
--- a/debian/patches/series
+++ b/debian/patches/series
@@ -15,3 +15,6 @@ fix-pykerberos-api.diff
revert-pykerberos-api-change.diff
disable-dnssec-support.patch
+revert-revert-removal-of-cn-attribute.diff
+revert-dnssec-schema.diff
+revert-dnssec-aci.diff
commit c015bbd52cb719ec9c07308ae11c27b125eaca2f
Author: Timo Aaltonen <tjaalton at debian.org>
Date: Thu Sep 24 19:14:37 2015 +0300
client.postrm: make rmdir non-fatal
diff --git a/debian/freeipa-client.postrm b/debian/freeipa-client.postrm
index a388898..9ee8a95 100644
--- a/debian/freeipa-client.postrm
+++ b/debian/freeipa-client.postrm
@@ -10,10 +10,11 @@ if [ "$1" = purge ]; then
rm -f /etc/ipa/nssdb/cert8.db \
/etc/ipa/nssdb/key3.db \
/etc/ipa/nssdb/pwdfile.txt \
- /etc/ipa/nssdb/secmod.db
- rmdir /etc/pki/nssdb
- rmdir /etc/ipa/nssdb
- rmdir /etc/ipa
+ /etc/ipa/nssdb/secmod.db \
+ /etc/ipa/nssdb/*.orig
+ rmdir /etc/pki/nssdb || true
+ rmdir /etc/ipa/nssdb || true
+ rmdir /etc/ipa || true
fi
#DEBHELPER#
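Review bot: The three `rmdir … || true` lines suppress every failure, not only the expected "directory not empty" one. A purge that leaves unlisted files in /etc/ipa/nssdb, the directory holding the NSS key databases and `pwdfile.txt`, therefore still exits 0 with nothing but an rmdir message on stderr. If the intent is to tolerate a non-empty or already absent directory, `[ ! -d /etc/ipa/nssdb ] || rmdir --ignore-fail-on-non-empty /etc/ipa/nssdb` says so directly, and likewise for the other two directories. A one-line comment above them saying why leftovers are acceptable on purge would also help the next maintainer. The enclosing `if [ "$1" = purge ]` block starts above the hunk.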
commit 1164026eb2e039cb69dd4ab462e000624c97e81a
Author: Timo Aaltonen <tjaalton at debian.org>
Date: Thu Sep 24 17:37:07 2015 +0300
server.postinst: Run ipa-ldap-updater and ipa-upgradeconfig on postinst.
diff --git a/debian/changelog b/debian/changelog
index 504285d..7639118 100644
--- a/debian/changelog
+++ b/debian/changelog
@@ -24,6 +24,8 @@ freeipa (4.1.4-1) UNRELEASED; urgency=medium
* freeipa-client: Add /etc/ipa/nssdb, rework /etc/pki/nssdb handling.
* platform: Add DebianNamedService.
* platform, disable-dnssec-support.patch: Fix named.conf template.
+ * server.postinst: Run ipa-ldap-updater and ipa-upgradeconfig on
+ postinst.
-- Timo Aaltonen <tjaalton at debian.org> Thu, 02 Apr 2015 13:16:49 +0300
diff --git a/debian/freeipa-server.postinst b/debian/freeipa-server.postinst
index 198d52b..9f94a45 100644
--- a/debian/freeipa-server.postinst
+++ b/debian/freeipa-server.postinst
@@ -27,6 +27,9 @@ if [ "$1" = configure ]; then
fi
fi
chown root:bind /var/cache/bind/data
+
+ ipa-ldap-updater --upgrade --quiet >/dev/null
+ ipa-upgradeconfig --quiet >/dev/null
fi
if [ ! -e /run/ipa_memcached ]; then
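Review bot: The two added commands run on every `configure`, including a first install where no IPA server instance has been set up yet, and nothing in the hunk checks for that. If either tool exits non-zero in that state and the script runs under `set -e` (not visible here), package configuration fails; stdout is discarded, so only stderr would explain why. Consider guarding the calls, e.g. `if [ -n "$2" ] && <server-is-configured check>; then … fi`, where `$2` is the previously configured version and the second test is a placeholder for whatever marks a configured server. The enclosing `if [ "$1" = configure ]` block starts above the hunk.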
commit 0d344d09d89a3ac2b490e16fe959f3a0671de5d7
Author: Timo Aaltonen <tjaalton at debian.org>
Date: Thu Sep 24 17:34:13 2015 +0300
disable dnssec some more
diff --git a/debian/patches/disable-dnssec-support.patch b/debian/patches/disable-dnssec-support.patch
index 156b43a..e62d27c 100644
--- a/debian/patches/disable-dnssec-support.patch
+++ b/debian/patches/disable-dnssec-support.patch
@@ -383,14 +383,20 @@ Subject: [PATCH] Disable DNSSEC support
cleanup_kdc(fstore)
cleanup_adtrust(fstore)
setup_firefox_extension(fstore)
-@@ -1462,7 +1453,6 @@ def main():
+@@ -1457,13 +1448,9 @@ def main():
+ named_enable_serial_autoincrement(),
+ named_update_gssapi_configuration(),
+ named_update_pid_file(),
+- named_enable_dnssec(),
+- named_validate_dnssec(),
named_bindkey_file_option(),
named_managed_keys_dir_option(),
named_root_key_include(),
- mask_named_regular(),
- fix_dyndb_ldap_workdir_permissions(),
+- fix_dyndb_ldap_workdir_permissions(),
)
+ if any(named_conf_changes):
--- a/ipalib/plugins/dns.py
+++ b/ipalib/plugins/dns.py
@@ -2617,7 +2617,9 @@ class dnszone(DNSZoneBase):
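Review bot: Besides the two DNSSEC steps, the rewritten inner hunk now also removes `fix_dyndb_ldap_workdir_permissions()` from the upgrade step list, where it was previously kept as context, and neither the commit message nor the patch gives a reason. By its name that step adjusts permissions on a working directory; if it is needed independently of DNSSEC, upgraded servers would keep whatever permissions they already had. I would state the reason in the patch description, for example `fix_dyndb_ldap_workdir_permissions is only needed when DNSSEC is enabled, so it is dropped as well`, if that is the case. The surrounding `main()` body lies outside the hunk.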
commit f3f8f667b1fb2214dcaab8ab810cb99d0d8e4857
Author: Timo Aaltonen <tjaalton at debian.org>
Date: Thu Sep 24 16:38:33 2015 +0300
close a few bugs on LP
diff --git a/debian/changelog b/debian/changelog
index 8d7b806..504285d 100644
--- a/debian/changelog
+++ b/debian/changelog
@@ -1,6 +1,6 @@
freeipa (4.1.4-1) UNRELEASED; urgency=medium