[Freeipa-devel] [PATCH] 628 use KDC schema file

Rob Crittenden Fri, 03 Dec 2010 13:52:39 -0800

Rather than shipping and maintaining our own kerberos schema file usethe one provided by MIT instead.


ticket 505

rob

>From 59f4f9eb8a4abf867ac4b0f6643db1b563268f30 Mon Sep 17 00:00:00 2001
From: Rob Crittenden <rcrit...@redhat.com>
Date: Fri, 3 Dec 2010 16:48:25 -0500
Subject: [PATCH] Use the kerberos schema file provided by the KDC ldap connector directly.

Rather than shipping and maintaining our own schema file use the one provided
by MIT.

ticket 505
---
 install/share/60kerberos.ldif   |  303 ---------------------------------------
 install/share/Makefile.am       |    1 -
 ipaserver/install/dsinstance.py |    9 +-
 3 files changed, 8 insertions(+), 305 deletions(-)
 delete mode 100644 install/share/60kerberos.ldif

diff --git a/install/share/60kerberos.ldif b/install/share/60kerberos.ldif
deleted file mode 100644
index f08329c..0000000
--- a/install/share/60kerberos.ldif
+++ /dev/null
@@ -1,303 +0,0 @@
-dn: cn=schema
-# Novell Kerberos Schema Definitions
-# Novell Inc.
-# 1800 South Novell Place
-# Provo, UT 84606
-#
-# VeRsIoN=1.0
-# CoPyRiGhT=(c) Copyright 2006, Novell, Inc.  All rights reserved
-#
-# OIDs:
-#    joint-iso-ccitt(2)
-#      country(16)
-#        us(840)
-#          organization(1)
-#            Novell(113719)
-#              applications(1)
-#                kerberos(301)
-#                 Kerberos Attribute Type(4) attr# version#
-#                    specific attribute definitions
-#                 Kerberos Attribute Syntax(5)
-#                    specific syntax definitions
-#                 Kerberos Object Class(6) class# version#
-#                    specific class definitions
-#
-#    iso(1)
-#      member-body(2)
-#        United States(840)
-#          mit (113554)
-#            infosys(1)
-#              ldap(4)
-#                attributeTypes(1)
-#                  Kerberos(6)
-########################################################################
-########################################################################
-# 		      Attribute Type Definitions                       #
-########################################################################
-##### This is the principal name in the RFC 1964 specified format
-attributetypes: ( 2.16.840.1.113719.1.301.4.1.1 NAME 'krbPrincipalName' EQUALITY caseExactIA5Match SUBSTR caseExactSubstringsMatch SYNTAX 1.3.6.1.4.1.1466.115.121.1.26)
-##### If there are multiple krbPrincipalName values for an entry, this
-##### is the canonical principal name in the RFC 1964 specified
-##### format.  (If this attribute does not exist, then all
-##### krbPrincipalName values are treated as canonical.)
-attributetypes: ( 1.2.840.113554.1.4.1.6.1 NAME 'krbCanonicalName' EQUALITY caseExactIA5Match SUBSTR caseExactSubstringsMatch SYNTAX 1.3.6.1.4.1.1466.115.121.1.26 SINGLE-VALUE)
-##### This specifies the type of the principal, the types could be any of
-##### the types mentioned in section 6.2 of RFC 4120
-attributetypes: ( 2.16.840.1.113719.1.301.4.3.1 NAME 'krbPrincipalType' EQUALITY integerMatch SYNTAX 1.3.6.1.4.1.1466.115.121.1.27 SINGLE-VALUE)
-##### This flag is used to find whether directory User Password has to be used
-##### as kerberos password.
-##### TRUE, if User Password is to be used as the kerberos password.
-##### FALSE, if User Password and the kerberos password are different.
-attributetypes: ( 2.16.840.1.113719.1.301.4.5.1 NAME 'krbUPEnabled' DESC 'Boolean' SYNTAX 1.3.6.1.4.1.1466.115.121.1.7 SINGLE-VALUE)
-##### The time at which the principal expires
-attributetypes: ( 2.16.840.1.113719.1.301.4.6.1 NAME 'krbPrincipalExpiration' EQUALITY generalizedTimeMatch SYNTAX 1.3.6.1.4.1.1466.115.121.1.24 SINGLE-VALUE)
-##### The krbTicketFlags attribute holds information about the kerberos flags for a principal
-##### The values (0x00000001 - 0x00800000) are reserved for standards and 
-##### values (0x01000000 - 0x80000000) can be used for proprietary extensions.
-##### The flags and values as per RFC 4120 and MIT implementation are,
-##### DISALLOW_POSTDATED	0x00000001
-##### DISALLOW_FORWARDABLE	0x00000002
-##### DISALLOW_TGT_BASED        0x00000004
-##### DISALLOW_RENEWABLE        0x00000008
-##### DISALLOW_PROXIABLE        0x00000010
-##### DISALLOW_DUP_SKEY         0x00000020
-##### DISALLOW_ALL_TIX          0x00000040
-##### REQUIRES_PRE_AUTH         0x00000080
-##### REQUIRES_HW_AUTH          0x00000100
-##### REQUIRES_PWCHANGE         0x00000200
-##### DISALLOW_SVR              0x00001000
-##### PWCHANGE_SERVICE          0x00002000
-attributetypes: ( 2.16.840.1.113719.1.301.4.8.1 NAME 'krbTicketFlags' EQUALITY integerMatch SYNTAX 1.3.6.1.4.1.1466.115.121.1.27 SINGLE-VALUE)
-##### The maximum ticket lifetime for a principal in seconds
-attributetypes: ( 2.16.840.1.113719.1.301.4.9.1 NAME 'krbMaxTicketLife' EQUALITY integerMatch SYNTAX 1.3.6.1.4.1.1466.115.121.1.27 SINGLE-VALUE)
-##### Maximum renewable lifetime for a principal's ticket in seconds
-attributetypes: ( 2.16.840.1.113719.1.301.4.10.1 NAME 'krbMaxRenewableAge' EQUALITY integerMatch SYNTAX 1.3.6.1.4.1.1466.115.121.1.27 SINGLE-VALUE)
-##### Forward reference to the Realm object.
-##### (FDN of the krbRealmContainer object).
-##### Example:   cn=ACME.COM, cn=Kerberos, cn=Security
-attributetypes: ( 2.16.840.1.113719.1.301.4.14.1 NAME 'krbRealmReferences' EQUALITY distinguishedNameMatch SYNTAX 1.3.6.1.4.1.1466.115.121.1.12)
-##### List of LDAP servers that kerberos servers can contact.
-##### The attribute holds data in the ldap uri format,
-##### Example: ldaps://acme.com:636
-#####
-##### The values of this attribute need to be updated, when
-##### the LDAP servers listed here are renamed, moved or deleted.
-attributetypes: ( 2.16.840.1.113719.1.301.4.15.1 NAME 'krbLdapServers' EQUALITY caseIgnoreMatch SYNTAX 1.3.6.1.4.1.1466.115.121.1.15)
-##### A set of forward references to the KDC Service objects.
-##### (FDNs of the krbKdcService objects).
-##### Example:   cn=kdc - server 1, ou=uvw, o=xyz
-attributetypes: ( 2.16.840.1.113719.1.301.4.17.1 NAME 'krbKdcServers' EQUALITY distinguishedNameMatch SYNTAX 1.3.6.1.4.1.1466.115.121.1.12)
-##### A set of forward references to the Password Service objects.
-##### (FDNs of the krbPwdService objects).
-##### Example:   cn=kpasswdd - server 1, ou=uvw, o=xyz
-attributetypes: ( 2.16.840.1.113719.1.301.4.18.1 NAME 'krbPwdServers' EQUALITY distinguishedNameMatch SYNTAX 1.3.6.1.4.1.1466.115.121.1.12)
-##### This attribute holds the Host Name or the ip address, 
-##### transport protocol and ports of the kerberos service host
-##### The format is host_name-or-ip_address#protocol#port
-##### Protocol can be 0 or 1. 0 is for UDP. 1 is for TCP.
-attributetypes: ( 2.16.840.1.113719.1.301.4.24.1 NAME 'krbHostServer' EQUALITY caseExactIA5Match SYNTAX 1.3.6.1.4.1.1466.115.121.1.26)
-##### This attribute holds the scope for searching the principals
-##### under krbSubTree attribute of krbRealmContainer
-##### The value can either be 1 (ONE) or 2 (SUB_TREE).
-attributetypes: ( 2.16.840.1.113719.1.301.4.25.1 NAME 'krbSearchScope' EQUALITY integerMatch SYNTAX 1.3.6.1.4.1.1466.115.121.1.27 SINGLE-VALUE)
-##### FDNs pointing to Kerberos principals
-attributetypes: ( 2.16.840.1.113719.1.301.4.26.1 NAME 'krbPrincipalReferences' EQUALITY distinguishedNameMatch SYNTAX 1.3.6.1.4.1.1466.115.121.1.12)
-##### This attribute specifies which attribute of the user objects  
-##### be used as the principal name component for Kerberos.
-##### The allowed values are cn, sn, uid, givenname, fullname.
-attributetypes: ( 2.16.840.1.113719.1.301.4.28.1 NAME 'krbPrincNamingAttr' EQUALITY caseIgnoreMatch SYNTAX 1.3.6.1.4.1.1466.115.121.1.15 SINGLE-VALUE)
-##### A set of forward references to the Administration Service objects.
-##### (FDNs of the krbAdmService objects).
-##### Example:   cn=kadmindd - server 1, ou=uvw, o=xyz
-attributetypes: ( 2.16.840.1.113719.1.301.4.29.1 NAME 'krbAdmServers' EQUALITY distinguishedNameMatch SYNTAX 1.3.6.1.4.1.1466.115.121.1.12)
-##### Maximum lifetime of a principal's password
-attributetypes: ( 2.16.840.1.113719.1.301.4.30.1 NAME 'krbMaxPwdLife' EQUALITY integerMatch SYNTAX 1.3.6.1.4.1.1466.115.121.1.27 SINGLE-VALUE)
-##### Minimum lifetime of a principal's password
-attributetypes: ( 2.16.840.1.113719.1.301.4.31.1 NAME 'krbMinPwdLife' EQUALITY integerMatch SYNTAX 1.3.6.1.4.1.1466.115.121.1.27 SINGLE-VALUE)
-##### Minimum number of character clases allowed in a password
-attributetypes: ( 2.16.840.1.113719.1.301.4.32.1 NAME 'krbPwdMinDiffChars' EQUALITY integerMatch SYNTAX 1.3.6.1.4.1.1466.115.121.1.27 SINGLE-VALUE)
-##### Minimum length of the password
-attributetypes: ( 2.16.840.1.113719.1.301.4.33.1 NAME 'krbPwdMinLength' EQUALITY integerMatch SYNTAX 1.3.6.1.4.1.1466.115.121.1.27 SINGLE-VALUE)
-##### Number of previous versions of passwords that are stored
-attributetypes: ( 2.16.840.1.113719.1.301.4.34.1 NAME 'krbPwdHistoryLength' EQUALITY integerMatch SYNTAX 1.3.6.1.4.1.1466.115.121.1.27 SINGLE-VALUE)
-##### Number of consecutive pre-authentication failures before lockout
-attributetypes: ( 1.3.6.1.4.1.5322.21.2.1 NAME 'krbPwdMaxFailure' EQUALITY integerMatch SYNTAX 1.3.6.1.4.1.1466.115.121.1.27 SINGLE-VALUE)
-##### Period after which bad preauthentication count will be reset
-attributetypes: ( 1.3.6.1.4.1.5322.21.2.2 NAME 'krbPwdFailureCountInterval' EQUALITY integerMatch SYNTAX 1.3.6.1.4.1.1466.115.121.1.27 SINGLE-VALUE)
-##### Period in which lockout is enforced
-attributetypes: ( 1.3.6.1.4.1.5322.21.2.3 NAME 'krbPwdLockoutDuration' EQUALITY integerMatch SYNTAX 1.3.6.1.4.1.1466.115.121.1.27 SINGLE-VALUE)
-##### FDN pointing to a Kerberos Password Policy object
-attributetypes: ( 2.16.840.1.113719.1.301.4.36.1 NAME 'krbPwdPolicyReference' EQUALITY distinguishedNameMatch SYNTAX 1.3.6.1.4.1.1466.115.121.1.12 SINGLE-VALUE)
-##### The time at which the principal's password expires
-attributetypes: ( 2.16.840.1.113719.1.301.4.37.1 NAME 'krbPasswordExpiration' EQUALITY generalizedTimeMatch SYNTAX 1.3.6.1.4.1.1466.115.121.1.24 SINGLE-VALUE)
-##### This attribute holds the principal's key (krbPrincipalKey) that is encrypted with
-##### the master key (krbMKey). 
-##### The attribute is ASN.1 encoded.
-#####
-##### The format of the value for this attribute is explained below,
-##### KrbKeySet ::= SEQUENCE {
-##### attribute-major-vno       [0] UInt16,
-##### attribute-minor-vno       [1] UInt16,
-##### kvno                      [2] UInt32,
-##### mkvno                     [3] UInt32 OPTIONAL,
-##### keys                      [4] SEQUENCE OF KrbKey,
-##### ...
-##### }
-#####
-##### KrbKey ::= SEQUENCE {
-##### salt      [0] KrbSalt OPTIONAL,
-##### key       [1] EncryptionKey,
-##### s2kparams [2] OCTET STRING OPTIONAL,
-##### ...
-##### }
-#####
-##### KrbSalt ::= SEQUENCE {
-##### type      [0] Int32,
-##### salt      [1] OCTET STRING OPTIONAL
-##### }
-#####
-##### EncryptionKey ::= SEQUENCE {
-##### keytype   [0] Int32,
-##### keyvalue  [1] OCTET STRING
-##### }
-attributetypes: ( 2.16.840.1.113719.1.301.4.39.1 NAME 'krbPrincipalKey' EQUALITY octetStringMatch SYNTAX 1.3.6.1.4.1.1466.115.121.1.40)
-##### FDN pointing to a Kerberos Ticket Policy object.
-attributetypes: ( 2.16.840.1.113719.1.301.4.40.1 NAME 'krbTicketPolicyReference' EQUALITY distinguishedNameMatch SYNTAX 1.3.6.1.4.1.1466.115.121.1.12 SINGLE-VALUE)
-##### Forward reference to an entry that starts sub-trees
-##### where principals and other kerberos objects in the realm are configured.
-##### Example:   ou=acme, ou=pq, o=xyz
-attributetypes: ( 2.16.840.1.113719.1.301.4.41.1 NAME 'krbSubTrees' EQUALITY distinguishedNameMatch SYNTAX 1.3.6.1.4.1.1466.115.121.1.12)
-##### Holds the default encryption/salt type combinations of principals for
-##### the Realm. Stores in the form of key:salt strings.
-##### Example: des-cbc-crc:normal
-attributetypes: ( 2.16.840.1.113719.1.301.4.42.1 NAME 'krbDefaultEncSaltTypes' EQUALITY caseIgnoreMatch SYNTAX 1.3.6.1.4.1.1466.115.121.1.15)
-##### Holds the Supported encryption/salt type combinations of principals for
-##### the Realm. Stores in the form of key:salt strings.
-##### The supported encryption types are mentioned in RFC 3961
-##### The supported salt types are,
-##### NORMAL          
-##### V4              
-##### NOREALM         
-##### ONLYREALM       
-##### SPECIAL         
-##### AFS3            
-##### Example: des-cbc-crc:normal
-#####
-##### This attribute obsoletes the krbSupportedEncTypes and krbSupportedSaltTypes
-##### attributes.
-attributetypes: ( 2.16.840.1.113719.1.301.4.43.1 NAME 'krbSupportedEncSaltTypes' EQUALITY caseIgnoreMatch SYNTAX 1.3.6.1.4.1.1466.115.121.1.15)
-##### This attribute holds the principal's old keys (krbPwdHistory) that is encrypted with
-##### the kadmin/history key.
-##### The attribute is ASN.1 encoded.
-#####
-##### The format of the value for this attribute is explained below,
-##### KrbKeySet ::= SEQUENCE {
-##### attribute-major-vno       [0] UInt16,
-##### attribute-minor-vno       [1] UInt16,
-##### kvno                      [2] UInt32,
-##### mkvno                     [3] UInt32 OPTIONAL -- actually kadmin/history key,
-##### keys                      [4] SEQUENCE OF KrbKey,
-##### ...
-##### }
-#####
-##### KrbKey ::= SEQUENCE {
-##### salt      [0] KrbSalt OPTIONAL,
-##### key       [1] EncryptionKey,
-##### s2kparams [2] OCTET STRING OPTIONAL,
-##### ...
-##### }
-#####
-##### KrbSalt ::= SEQUENCE {
-##### type      [0] Int32,
-##### salt      [1] OCTET STRING OPTIONAL
-##### }
-#####
-##### EncryptionKey ::= SEQUENCE {
-##### keytype   [0] Int32,
-##### keyvalue  [1] OCTET STRING
-##### }
-attributetypes: ( 2.16.840.1.113719.1.301.4.44.1 NAME 'krbPwdHistory' EQUALITY octetStringMatch SYNTAX 1.3.6.1.4.1.1466.115.121.1.40)
-##### The time at which the principal's password last password change happened.
-attributetypes: ( 2.16.840.1.113719.1.301.4.45.1 NAME 'krbLastPwdChange' EQUALITY generalizedTimeMatch SYNTAX 1.3.6.1.4.1.1466.115.121.1.24 SINGLE-VALUE)
-##### This attribute holds the kerberos master key.
-##### This can be used to encrypt principal keys. 
-##### This attribute has to be secured in directory.
-#####
-##### This attribute is ASN.1 encoded.
-##### The format of the value for this attribute is explained below,
-##### KrbMKey ::= SEQUENCE {
-##### kvno    [0] UInt32,
-##### key     [1] MasterKey
-##### }
-#####
-##### MasterKey ::= SEQUENCE {
-##### keytype         [0] Int32,
-##### keyvalue        [1] OCTET STRING
-##### }
-attributetypes: ( 2.16.840.1.113719.1.301.4.46.1 NAME 'krbMKey' EQUALITY octetStringMatch SYNTAX 1.3.6.1.4.1.1466.115.121.1.40)
-##### This stores the alternate principal names for the principal in the RFC 1961 specified format
-attributetypes: ( 2.16.840.1.113719.1.301.4.47.1 NAME 'krbPrincipalAliases' EQUALITY caseExactIA5Match SYNTAX 1.3.6.1.4.1.1466.115.121.1.26)
-##### The time at which the principal's last successful authentication happened.
-attributetypes: ( 2.16.840.1.113719.1.301.4.48.1 NAME 'krbLastSuccessfulAuth' EQUALITY generalizedTimeMatch SYNTAX 1.3.6.1.4.1.1466.115.121.1.24 SINGLE-VALUE)
-##### The time at which the principal's last failed authentication happened.
-attributetypes: ( 2.16.840.1.113719.1.301.4.49.1 NAME 'krbLastFailedAuth' EQUALITY generalizedTimeMatch SYNTAX 1.3.6.1.4.1.1466.115.121.1.24 SINGLE-VALUE)
-##### This attribute stores the number of failed authentication attempts
-##### happened for the principal since the last successful authentication.
-attributetypes: ( 2.16.840.1.113719.1.301.4.50.1 NAME 'krbLoginFailedCount' EQUALITY integerMatch SYNTAX 1.3.6.1.4.1.1466.115.121.1.27 SINGLE-VALUE)
-##### This attribute holds the application specific data.
-attributetypes: ( 2.16.840.1.113719.1.301.4.51.1 NAME 'krbExtraData' EQUALITY octetStringMatch SYNTAX 1.3.6.1.4.1.1466.115.121.1.40)
-##### This attributes holds references to the set of directory objects.
-##### This stores the DNs of the directory objects to which the 
-##### principal object belongs to.
-attributetypes: ( 2.16.840.1.113719.1.301.4.52.1 NAME 'krbObjectReferences' EQUALITY distinguishedNameMatch SYNTAX 1.3.6.1.4.1.1466.115.121.1.12)
-##### This attribute holds references to a Container object where 
-##### the additional principal objects and stand alone principal 
-##### objects (krbPrincipal) can be created.
-attributetypes: ( 2.16.840.1.113719.1.301.4.53.1 NAME 'krbPrincContainerRef' EQUALITY distinguishedNameMatch SYNTAX 1.3.6.1.4.1.1466.115.121.1.12)
-########################################################################
-########################################################################
-# 		        Object Class Definitions                       #
-########################################################################
-#### This is a kerberos container for all the realms in a tree.
-objectClasses: ( 2.16.840.1.113719.1.301.6.1.1 NAME 'krbContainer' SUP top MUST ( cn ) )
-##### The krbRealmContainer is created per realm and holds realm specific data.
-objectClasses: ( 2.16.840.1.113719.1.301.6.2.1 NAME 'krbRealmContainer' SUP top MUST ( cn ) MAY ( krbMKey $ krbUPEnabled $ krbSubTrees $ krbSearchScope $ krbLdapServers $ krbSupportedEncSaltTypes $ krbDefaultEncSaltTypes $ krbTicketPolicyReference $ krbKdcServers $ krbPwdServers $ krbAdmServers $ krbPrincNamingAttr $krbPwdPolicyReference $ krbPrincContainerRef ) )
-##### An instance of a class derived from krbService is created per
-##### kerberos authentication or administration server in an realm and holds
-##### references to the realm objects. These references is used to further read
-##### realm specific data to service AS/TGS requests. Additionally this object
-##### contains some server specific data like pathnames and ports that the
-##### server uses. This is the identity the kerberos server logs in with. A key
-##### pair for the same is created and the kerberos server logs in with the same.
-#####
-##### krbKdcService, krbAdmService and krbPwdService derive from this class.
-objectClasses: ( 2.16.840.1.113719.1.301.6.3.1 NAME 'krbService' ABSTRACT SUP ( top ) MUST ( cn ) MAY ( krbHostServer $ krbRealmReferences ) )
-##### Representative object for the KDC server to bind into a LDAP directory
-##### and have a connection to access Kerberos data with the required 
-##### access rights.
-objectClasses: ( 2.16.840.1.113719.1.301.6.4.1 NAME 'krbKdcService' SUP ( krbService ) )
-##### Representative object for the Kerberos Password server to bind into a LDAP directory
-##### and have a connection to access Kerberos data with the required
-##### access rights.
-objectClasses: ( 2.16.840.1.113719.1.301.6.5.1 NAME 'krbPwdService' SUP ( krbService ) )
-###### The principal data auxiliary class. Holds principal information
-###### and is used to store principal information for Person, Service objects.
-objectClasses: ( 2.16.840.1.113719.1.301.6.8.1 NAME 'krbPrincipalAux' AUXILIARY MAY ( krbPrincipalName $ krbCanonicalName $ krbUPEnabled $ krbPrincipalKey $ krbTicketPolicyReference $ krbPrincipalExpiration $ krbPasswordExpiration $ krbPwdPolicyReference $ krbPrincipalType $ krbPwdHistory $ krbLastPwdChange $ krbPrincipalAliases $ krbLastSuccessfulAuth $ krbLastFailedAuth $ krbLoginFailedCount $ krbExtraData ) )
-###### This class is used to create additional principals and stand alone principals.
-objectClasses: ( 2.16.840.1.113719.1.301.6.9.1 NAME 'krbPrincipal' SUP ( top ) MUST ( krbPrincipalName ) MAY ( krbObjectReferences ) )
-###### The principal references auxiliary class. Holds all principals referred
-###### from a service
-objectClasses: ( 2.16.840.1.113719.1.301.6.11.1 NAME 'krbPrincRefAux' SUP top AUXILIARY MAY krbPrincipalReferences )
-##### Representative object for the Kerberos Administration server to bind into a LDAP directory
-##### and have a connection Id to access Kerberos data with the required access rights.
-objectClasses: ( 2.16.840.1.113719.1.301.6.13.1 NAME 'krbAdmService' SUP ( krbService ) )
-##### The krbPwdPolicy object is a template password policy that 
-##### can be applied to principals when they are created. 
-##### These policy attributes will be in effect, when the Kerberos
-##### passwords are different from users' passwords (UP).
-objectClasses: ( 2.16.840.1.113719.1.301.6.14.1 NAME 'krbPwdPolicy' SUP top MUST ( cn ) MAY ( krbMaxPwdLife $ krbMinPwdLife $ krbPwdMinDiffChars $ krbPwdMinLength $ krbPwdHistoryLength $ krbPwdMaxFailure $ krbPwdFailureCountInterval $ krbPwdLockoutDuration ) )
-##### The krbTicketPolicyAux holds Kerberos ticket policy attributes.
-##### This class can be attached to a principal object or realm object.
-objectClasses: ( 2.16.840.1.113719.1.301.6.16.1 NAME 'krbTicketPolicyAux' AUXILIARY MAY ( krbTicketFlags $ krbMaxTicketLife $ krbMaxRenewableAge ) )
-##### The krbTicketPolicy object is an effective ticket policy that is associated with a realm or a principal
-objectClasses: ( 2.16.840.1.113719.1.301.6.17.1 NAME 'krbTicketPolicy' SUP top MUST ( cn ) )
diff --git a/install/share/Makefile.am b/install/share/Makefile.am
index c7e1c5c..b8f2c70 100644
--- a/install/share/Makefile.am
+++ b/install/share/Makefile.am
@@ -3,7 +3,6 @@ NULL =
 appdir = $(IPA_DATA_DIR)
 app_DATA =				\
 	05rfc2247.ldif			\
-	60kerberos.ldif			\
 	60samba.ldif			\
 	60radius.ldif			\
 	60ipaconfig.ldif		\
diff --git a/ipaserver/install/dsinstance.py b/ipaserver/install/dsinstance.py
index d4f0683..f70e5ea 100644
--- a/ipaserver/install/dsinstance.py
+++ b/ipaserver/install/dsinstance.py
@@ -42,6 +42,7 @@ from ipaserver.install import ldapupdate
 from ipaserver.install import httpinstance
 from ipalib import util, errors
 from ipaserver.plugins.ldap2 import ldap2
+from distutils import version
 
 SERVER_ROOT_64 = "/usr/lib64/dirsrv"
 SERVER_ROOT_32 = "/usr/lib/dirsrv"
@@ -325,7 +326,13 @@ class DsInstance(service.Service):
         os.remove("/var/lib/dirsrv/boot.ldif")
 
     def __add_default_schemas(self):
-        shutil.copyfile(ipautil.SHARE_DIR + "60kerberos.ldif",
+        (stdout, stderr, rc) = ipautil.run(['klist', '-V'], raiseonerr=False)
+        if rc == 0:
+            verstr = stdout.split()[-1]
+            ver = version.LooseVersion(verstr)
+        else:
+            raise RuntimeError("Unable to determine KDC version from: %s" % stdout)
+        shutil.copyfile("/usr/share/doc/krb5-server-ldap-%s/60kerberos.ldif" % ver,
                         schema_dirname(self.serverid) + "60kerberos.ldif")
         shutil.copyfile(ipautil.SHARE_DIR + "60samba.ldif",
                         schema_dirname(self.serverid) + "60samba.ldif")
-- 
1.7.2.1

_______________________________________________
Freeipa-devel mailing list
Freeipa-devel@redhat.com
https://www.redhat.com/mailman/listinfo/freeipa-devel

[Freeipa-devel] [PATCH] 628 use KDC schema file

Reply via email to