URL: https://github.com/freeipa/freeipa/pull/673
Author: tjaalton
 Title: #673: Conf template
Action: opened

PR body:
"""
Move conf templates to a common location, make ipa.conf and named.conf portable.
"""

From 134fec33ecbbb462a18fb9dd135b3b3cf23d80fd Mon Sep 17 00:00:00 2001
From: Timo Aaltonen <tjaal...@debian.org>
Date: Wed, 15 Mar 2017 19:28:07 +0200
Subject: [PATCH 1/3] Move config templates from install/conf to install/share

---
 configure.ac                              |   1 -
 freeipa.spec.in                           |   3 -
 install/Makefile.am                       |   1 -
 install/conf/Makefile.am                  |  13 --
 install/conf/ipa-kdc-proxy.conf.template  |  30 ----
 install/conf/ipa-pki-proxy.conf           |  46 ------
 install/conf/ipa-rewrite.conf             |  22 ---
 install/conf/ipa.conf                     | 227 ------------------------------
 install/share/Makefile.am                 |   4 +
 install/share/ipa-kdc-proxy.conf.template |  30 ++++
 install/share/ipa-pki-proxy.conf.template |  46 ++++++
 install/share/ipa-rewrite.conf.template   |  22 +++
 install/share/ipa.conf.template           | 227 ++++++++++++++++++++++++++++++
 ipaserver/install/dogtaginstance.py       |   2 +-
 ipaserver/install/httpinstance.py         |   4 +-
 ipaserver/install/server/upgrade.py       |   6 +-
 16 files changed, 335 insertions(+), 349 deletions(-)
 delete mode 100644 install/conf/Makefile.am
 delete mode 100644 install/conf/ipa-kdc-proxy.conf.template
 delete mode 100644 install/conf/ipa-pki-proxy.conf
 delete mode 100644 install/conf/ipa-rewrite.conf
 delete mode 100644 install/conf/ipa.conf
 create mode 100644 install/share/ipa-kdc-proxy.conf.template
 create mode 100644 install/share/ipa-pki-proxy.conf.template
 create mode 100644 install/share/ipa-rewrite.conf.template
 create mode 100644 install/share/ipa.conf.template

diff --git a/configure.ac b/configure.ac
index f5c5270..2125d05 100644
--- a/configure.ac
+++ b/configure.ac
@@ -538,7 +538,6 @@ AC_CONFIG_FILES([
     init/Makefile
     install/Makefile
     install/certmonger/Makefile
-    install/conf/Makefile
     install/html/Makefile
     install/migration/Makefile
     install/share/Makefile
diff --git a/freeipa.spec.in b/freeipa.spec.in
index 829c3f0..5235e13 100644
--- a/freeipa.spec.in
+++ b/freeipa.spec.in
@@ -1312,9 +1312,6 @@ fi
 %ghost %attr(0644,root,apache) %config(noreplace) %{_sysconfdir}/httpd/conf.d/ipa-pki-proxy.conf
 %ghost %attr(0644,root,apache) %config(noreplace) %{_sysconfdir}/ipa/kdcproxy/ipa-kdc-proxy.conf
 %dir %attr(0755,root,root) %{_sysconfdir}/ipa/dnssec
-%{_usr}/share/ipa/ipa.conf
-%{_usr}/share/ipa/ipa-rewrite.conf
-%{_usr}/share/ipa/ipa-pki-proxy.conf
 %ghost %attr(0644,root,apache) %config(noreplace) %{_usr}/share/ipa/html/ca.crt
 %ghost %attr(0644,root,apache) %{_usr}/share/ipa/html/kerberosauth.xpi
 %ghost %attr(0644,root,apache) %{_usr}/share/ipa/html/krb.con
diff --git a/install/Makefile.am b/install/Makefile.am
index f895bcc..f0ec9c7 100644
--- a/install/Makefile.am
+++ b/install/Makefile.am
@@ -6,7 +6,6 @@ NULL =
 
 SUBDIRS =			\
         certmonger		\
-        conf			\
         html			\
         migration		\
         share			\
diff --git a/install/conf/Makefile.am b/install/conf/Makefile.am
deleted file mode 100644
index 751bb16..0000000
--- a/install/conf/Makefile.am
+++ /dev/null
@@ -1,13 +0,0 @@
-NULL =
-
-appdir = $(IPA_DATA_DIR)
-app_DATA =                              \
-	ipa.conf			\
-	ipa-kdc-proxy.conf.template	\
-	ipa-pki-proxy.conf		\
-	ipa-rewrite.conf		\
-	$(NULL)
-
-EXTRA_DIST =                            \
-        $(app_DATA)                     \
-        $(NULL)
diff --git a/install/conf/ipa-kdc-proxy.conf.template b/install/conf/ipa-kdc-proxy.conf.template
deleted file mode 100644
index 9290ceb..0000000
--- a/install/conf/ipa-kdc-proxy.conf.template
+++ /dev/null
@@ -1,30 +0,0 @@
-# Kerberos over HTTP / MS-KKDCP support (Kerberos KDC Proxy)
-#
-# The symlink from /etc/ipa/kdcproxy/ to /etc/httpd/conf.d/ is maintained
-# by the ExecStartPre script /usr/libexec/ipa/ipa-httpd-kdcproxy in
-# httpd.service. The service also sets the environment variable
-# KDCPROXY_CONFIG to $KDCPROXY_CONFIG.
-#
-# Disable KDC Proxy on the current host:
-#   # ipa-ldap-updater /usr/share/ipa/kdcproxy-disable.uldif
-#   # systemctl restart httpd.service
-#
-# Enable KDC Proxy on the current host:
-#   # ipa-ldap-updater /usr/share/ipa/kdcproxy-enable.uldif
-#   # systemctl restart httpd.service
-#
-
-WSGIDaemonProcess kdcproxy processes=2 threads=15 maximum-requests=5000 \
-  user=kdcproxy group=kdcproxy display-name=%{GROUP}
-WSGIImportScript /usr/lib/python2.7/site-packages/kdcproxy/__init__.py \
-  process-group=kdcproxy application-group=kdcproxy
-WSGIScriptAlias /KdcProxy /usr/lib/python2.7/site-packages/kdcproxy/__init__.py
-WSGIScriptReloading Off
-
-<Location "/KdcProxy">
-  Satisfy Any
-  Order Deny,Allow
-  Allow from all
-  WSGIProcessGroup kdcproxy
-  WSGIApplicationGroup kdcproxy
-</Location>
diff --git a/install/conf/ipa-pki-proxy.conf b/install/conf/ipa-pki-proxy.conf
deleted file mode 100644
index b48a302..0000000
--- a/install/conf/ipa-pki-proxy.conf
+++ /dev/null
@@ -1,46 +0,0 @@
-# VERSION 10 - DO NOT REMOVE THIS LINE
-
-ProxyRequests Off
-
-# matches for ee port
-<LocationMatch "^/ca/ee/ca/checkRequest|^/ca/ee/ca/getCertChain|^/ca/ee/ca/getTokenInfo|^/ca/ee/ca/tokenAuthenticate|^/ca/ocsp|^/ca/ee/ca/updateNumberRange|^/ca/ee/ca/getCRL|^/ca/ee/ca/profileSubmit">
-    NSSOptions +StdEnvVars +ExportCertData +StrictRequire +OptRenegotiate
-    NSSVerifyClient none
-    ProxyPassMatch ajp://localhost:$DOGTAG_PORT
-    ProxyPassReverse ajp://localhost:$DOGTAG_PORT
-</LocationMatch>
-
-# matches for admin port and installer
-<LocationMatch "^/ca/admin/ca/getCertChain|^/ca/admin/ca/getConfigEntries|^/ca/admin/ca/getCookie|^/ca/admin/ca/getStatus|^/ca/admin/ca/securityDomainLogin|^/ca/admin/ca/getDomainXML|^/ca/admin/ca/updateNumberRange|^/ca/admin/ca/tokenAuthenticate|^/ca/admin/ca/updateNumberRange|^/ca/admin/ca/updateDomainXML|^/ca/admin/ca/updateConnector|^/ca/admin/ca/getSubsystemCert|^/kra/admin/kra/updateNumberRange|^/kra/admin/kra/getConfigEntries">
-    NSSOptions +StdEnvVars +ExportCertData +StrictRequire +OptRenegotiate
-    NSSVerifyClient none
-    ProxyPassMatch ajp://localhost:$DOGTAG_PORT
-    ProxyPassReverse ajp://localhost:$DOGTAG_PORT
-</LocationMatch>
-
-# matches for agent port and eeca port
-<LocationMatch "^/ca/agent/ca/displayBySerial|^/ca/agent/ca/doRevoke|^/ca/agent/ca/doUnrevoke|^/ca/agent/ca/updateDomainXML|^/ca/eeca/ca/profileSubmitSSLClient|^/kra/agent/kra/connector">
-    NSSOptions +StdEnvVars +ExportCertData +StrictRequire +OptRenegotiate
-    NSSVerifyClient require
-    ProxyPassMatch ajp://localhost:$DOGTAG_PORT
-    ProxyPassReverse ajp://localhost:$DOGTAG_PORT
-</LocationMatch>
-
-# matches for CA REST API
-<LocationMatch "^/ca/rest/account/login|^/ca/rest/account/logout|^/ca/rest/installer/installToken|^/ca/rest/securityDomain/domainInfo|^/ca/rest/securityDomain/installToken|^/ca/rest/profiles|^/ca/rest/authorities|^/ca/rest/certrequests|^/ca/rest/admin/kraconnector/remove">
-    NSSOptions +StdEnvVars +ExportCertData +StrictRequire +OptRenegotiate
-    NSSVerifyClient optional
-    ProxyPassMatch ajp://localhost:$DOGTAG_PORT
-    ProxyPassReverse ajp://localhost:$DOGTAG_PORT
-</LocationMatch>
-
-# matches for KRA REST API
-<LocationMatch "^/kra/rest/config/cert/transport|^/kra/rest/account|^/kra/rest/agent/keyrequests|^/kra/rest/agent/keys">
-    NSSOptions +StdEnvVars +ExportCertData +StrictRequire +OptRenegotiate
-    NSSVerifyClient optional
-    ProxyPassMatch ajp://localhost:$DOGTAG_PORT
-    ProxyPassReverse ajp://localhost:$DOGTAG_PORT
-</LocationMatch>
-
-# Only enable this on servers that are not generating a CRL
-${CLONE}RewriteRule ^/ipa/crl/MasterCRL.bin https://$FQDN/ca/ee/ca/getCRL?op=getCRL&crlIssuingPoint=MasterCRL [L,R=301,NC]
diff --git a/install/conf/ipa-rewrite.conf b/install/conf/ipa-rewrite.conf
deleted file mode 100644
index 37661b8..0000000
--- a/install/conf/ipa-rewrite.conf
+++ /dev/null
@@ -1,22 +0,0 @@
-# VERSION 6 - DO NOT REMOVE THIS LINE
-
-RewriteEngine on
-
-# By default forward all requests to /ipa. If you don't want IPA
-# to be the default on your web server comment this line out.
-${AUTOREDIR}RewriteRule ^/$$ https://$FQDN/ipa/ui [L,NC,R=301]
-
-# Redirect to the fully-qualified hostname. Not redirecting to secure
-# port so configuration files can be retrieved without requiring SSL.
-RewriteCond %{HTTP_HOST}    !^$FQDN$$ [NC]
-RewriteRule ^/ipa/(.*)      http://$FQDN/ipa/$$1 [L,R=301]
-
-# Redirect to the secure port if not displaying an error or retrieving
-# configuration.
-RewriteCond %{SERVER_PORT}  !^443$$
-RewriteCond %{REQUEST_URI}  !^/ipa/(errors|config|crl)
-RewriteCond %{REQUEST_URI}  !^/ipa/[^\?]+(\.js|\.css|\.png|\.gif|\.ico|\.woff|\.svg|\.ttf|\.eot)$$
-RewriteRule ^/ipa/(.*)      https://$FQDN/ipa/$$1 [L,R=301,NC]
-
-# Rewrite for plugin index, make it like it's a static file
-RewriteRule ^/ipa/ui/js/freeipa/plugins.js$$    /ipa/wsgi/plugins.py [PT]
diff --git a/install/conf/ipa.conf b/install/conf/ipa.conf
deleted file mode 100644
index e1f1a58..0000000
--- a/install/conf/ipa.conf
+++ /dev/null
@@ -1,227 +0,0 @@
-#
-# VERSION 25 - DO NOT REMOVE THIS LINE
-#
-# This file may be overwritten on upgrades.
-#
-
-# Load lookup_identity module in case it has not been loaded yet
-# The module is used to search users according the certificate.
-<IfModule !lookup_identity_module>
-    LoadModule lookup_identity_module modules/mod_lookup_identity.so
-</IfModule>
-
-ProxyRequests Off
-
-#We use xhtml, a file format that the browser validates
-DirectoryIndex index.html
-
-
-# Substantially increase the request field size to support MS-PAC
-# requests, ticket #2767. This should easily support a 64KiB PAC.
-LimitRequestFieldSize 100000
-
-# Increase connection keep alive time. Default value is 5 seconds, which is too
-# short for interactive ipa commands. 30 seconds is a good compromise.
-KeepAlive On
-KeepAliveTimeout 30
-
-# ipa-rewrite.conf is loaded separately
-
-# This is required so the auto-configuration works with Firefox 2+
-AddType application/java-archive        jar
-AddType application/x-xpinstall         xpi
-
-# Proper header for .tff fonts
-AddType application/x-font-ttf          ttf
-
-# Enable compression
-AddOutputFilterByType DEFLATE text/html text/plain text/xml \
- application/javascript application/json text/css \
- application/x-font-ttf
-
-# Disable etag http header. Doesn't work well with mod_deflate
-# https://issues.apache.org/bugzilla/show_bug.cgi?id=45023
-# Usage of last-modified header and modified-since validator is sufficient.
-Header unset ETag
-FileETag None
-
-# FIXME: WSGISocketPrefix is a server-scope directive.  The mod_wsgi package
-# should really be fixed by adding this its /etc/httpd/conf.d/wsgi.conf:
-WSGISocketPrefix /run/httpd/wsgi
-
-
-# Configure mod_wsgi handler for /ipa
-WSGIDaemonProcess ipa processes=2 threads=1 maximum-requests=500 \
- user=ipaapi group=ipaapi display-name=%{GROUP} socket-timeout=2147483647
-WSGIImportScript /usr/share/ipa/wsgi.py process-group=ipa application-group=ipa
-WSGIScriptAlias /ipa /usr/share/ipa/wsgi.py
-WSGIScriptReloading Off
-
-
-# Turn off mod_msgi handler for errors, config, crl:
-<Location "/ipa/errors">
-  SetHandler None
-</Location>
-<Location "/ipa/config">
-  SetHandler None
-</Location>
-<Location "/ipa/crl">
-  SetHandler None
-</Location>
-
-# Protect /ipa and everything below it in webspace with Apache Kerberos auth
-<Location "/ipa">
-  AuthType GSSAPI
-  AuthName "Kerberos Login"
-  GssapiUseSessions On
-  Session On
-  SessionCookieName ipa_session path=/ipa;httponly;secure;
-  SessionHeader IPASESSION
-  SessionMaxAge 1800
-  GssapiSessionKey file:/etc/httpd/alias/ipasession.key
-
-  GssapiImpersonate On
-  GssapiDelegCcacheDir /var/run/ipa/ccaches
-  GssapiDelegCcachePerms mode:0660 gid:ipaapi
-  GssapiUseS4U2Proxy on
-  GssapiAllowedMech krb5
-  Require valid-user
-  ErrorDocument 401 /ipa/errors/unauthorized.html
-  WSGIProcessGroup ipa
-  WSGIApplicationGroup ipa
-  Header always append X-Frame-Options DENY
-  Header always append Content-Security-Policy "frame-ancestors 'none'"
-
-  # mod_session always sets two copies of the cookie, and this confuses our
-  # legacy clients, the unset here works because it ends up unsetting only one
-  # of the 2 header tables set by mod_session, leaving the other intact
-  Header unset Set-Cookie
-</Location>
-
-# Target for login with internal connections
-Alias /ipa/session/cookie "/usr/share/ipa/gssapi.login"
-
-# Turn off Apache authentication for password/token based login pages
-<Location "/ipa/session/login_password">
-  Satisfy Any
-  Order Deny,Allow
-  Allow from all
-</Location>
-
-# Login with user certificate/smartcard configuration
-# This configuration needs to be loaded after <Location "/ipa">
-<Location "/ipa/session/login_x509">
-  AuthType none
-  GssapiDelegCcacheDir /var/run/ipa/ccaches
-  GssapiDelegCcachePerms mode:0660 gid:ipaapi
-  NSSVerifyClient require
-  NSSUserName SSL_CLIENT_CERT
-  LookupUserByCertificate On
-  WSGIProcessGroup ipa
-  WSGIApplicationGroup ipa
-  GssapiImpersonate On
-
-  GssapiUseSessions On
-  Session On
-  SessionCookieName ipa_session path=/ipa;httponly;secure;
-  SessionHeader IPASESSION
-  SessionMaxAge 1800
-  GssapiSessionKey file:/etc/httpd/alias/ipasession.key
-
-  Header unset Set-Cookie
-</Location>
-
-<Location "/ipa/session/change_password">
-  Satisfy Any
-  Order Deny,Allow
-  Allow from all
-</Location>
-
-<Location "/ipa/session/sync_token">
-  Satisfy Any
-  Order Deny,Allow
-  Allow from all
-</Location>
-
-# Custodia stuff is redirected to the custodia daemon
-# after authentication
-<Location "/ipa/keys/">
-    ProxyPass "unix:/run/httpd/ipa-custodia.sock|http://localhost/keys/";
-    RequestHeader set GSS_NAME %{GSS_NAME}s
-    RequestHeader set REMOTE_USER %{REMOTE_USER}s
-</Location>
-
-# This is where we redirect on failed auth
-Alias /ipa/errors "/usr/share/ipa/html"
-
-# For the MIT Windows config files
-Alias /ipa/config "/usr/share/ipa/html"
-
-# Do no authentication on the directory that contains error messages
-<Directory "/usr/share/ipa/html">
-  SetHandler None
-  AllowOverride None
-  Satisfy Any
-  Allow from all
-  ExpiresActive On
-  ExpiresDefault "access plus 0 seconds"
-</Directory>
-
-
-# For CRL publishing
-Alias /ipa/crl "$CRL_PUBLISH_PATH"
-<Directory "$CRL_PUBLISH_PATH">
-  SetHandler None
-  AllowOverride None
-  Options Indexes FollowSymLinks
-  Satisfy Any
-  Allow from all
-</Directory>
-
-
-#  List explicitly only the fonts we want to serve
-Alias /ipa/ui/fonts/open-sans "/usr/share/fonts/open-sans"
-Alias /ipa/ui/fonts/fontawesome "/usr/share/fonts/fontawesome"
-<Directory "/usr/share/fonts">
-  SetHandler None
-  AllowOverride None
-  Satisfy Any
-  Allow from all
-  ExpiresActive On
-  ExpiresDefault "access plus 1 year"
-</Directory>
-
-
-#  webUI  is now completely static, and served out of that directory
-Alias /ipa/ui "/usr/share/ipa/ui"
-<Directory "/usr/share/ipa/ui">
-  SetHandler None
-  AllowOverride None
-  Satisfy Any
-  Allow from all
-  ExpiresActive On
-  ExpiresDefault "access plus 1 year"
-  <FilesMatch "(index.html|loader.js|login.html|reset_password.html)">
-        ExpiresDefault "access plus 0 seconds"
-  </FilesMatch>
-</Directory>
-
-#  Simple wsgi scripts required by ui
-Alias /ipa/wsgi "/usr/share/ipa/wsgi"
-<Directory "/usr/share/ipa/wsgi">
-    AllowOverride None
-    Satisfy Any
-    Allow from all
-    Options ExecCGI
-    AddHandler wsgi-script .py
-</Directory>
-
-# migration related pages
-Alias /ipa/migration "/usr/share/ipa/migration"
-<Directory "/usr/share/ipa/migration">
-    AllowOverride None
-    Satisfy Any
-    Allow from all
-    Options ExecCGI
-    AddHandler wsgi-script .py
-</Directory>
diff --git a/install/share/Makefile.am b/install/share/Makefile.am
index 9e539a3..11359ae 100644
--- a/install/share/Makefile.am
+++ b/install/share/Makefile.am
@@ -90,6 +90,10 @@ dist_app_DATA =				\
 	gssapi.login			\
 	ipa.conf.tmpfiles		\
 	gssproxy.conf.template		\
+	ipa.conf.template		\
+	ipa-kdc-proxy.conf.template	\
+	ipa-pki-proxy.conf.template	\
+	ipa-rewrite.conf.template	\
 	$(NULL)
 
 kdcproxyconfdir = $(IPA_SYSCONF_DIR)/kdcproxy
diff --git a/install/share/ipa-kdc-proxy.conf.template b/install/share/ipa-kdc-proxy.conf.template
new file mode 100644
index 0000000..9290ceb
--- /dev/null
+++ b/install/share/ipa-kdc-proxy.conf.template
@@ -0,0 +1,30 @@
+# Kerberos over HTTP / MS-KKDCP support (Kerberos KDC Proxy)
+#
+# The symlink from /etc/ipa/kdcproxy/ to /etc/httpd/conf.d/ is maintained
+# by the ExecStartPre script /usr/libexec/ipa/ipa-httpd-kdcproxy in
+# httpd.service. The service also sets the environment variable
+# KDCPROXY_CONFIG to $KDCPROXY_CONFIG.
+#
+# Disable KDC Proxy on the current host:
+#   # ipa-ldap-updater /usr/share/ipa/kdcproxy-disable.uldif
+#   # systemctl restart httpd.service
+#
+# Enable KDC Proxy on the current host:
+#   # ipa-ldap-updater /usr/share/ipa/kdcproxy-enable.uldif
+#   # systemctl restart httpd.service
+#
+
+WSGIDaemonProcess kdcproxy processes=2 threads=15 maximum-requests=5000 \
+  user=kdcproxy group=kdcproxy display-name=%{GROUP}
+WSGIImportScript /usr/lib/python2.7/site-packages/kdcproxy/__init__.py \
+  process-group=kdcproxy application-group=kdcproxy
+WSGIScriptAlias /KdcProxy /usr/lib/python2.7/site-packages/kdcproxy/__init__.py
+WSGIScriptReloading Off
+
+<Location "/KdcProxy">
+  Satisfy Any
+  Order Deny,Allow
+  Allow from all
+  WSGIProcessGroup kdcproxy
+  WSGIApplicationGroup kdcproxy
+</Location>
diff --git a/install/share/ipa-pki-proxy.conf.template b/install/share/ipa-pki-proxy.conf.template
new file mode 100644
index 0000000..b48a302
--- /dev/null
+++ b/install/share/ipa-pki-proxy.conf.template
@@ -0,0 +1,46 @@
+# VERSION 10 - DO NOT REMOVE THIS LINE
+
+ProxyRequests Off
+
+# matches for ee port
+<LocationMatch "^/ca/ee/ca/checkRequest|^/ca/ee/ca/getCertChain|^/ca/ee/ca/getTokenInfo|^/ca/ee/ca/tokenAuthenticate|^/ca/ocsp|^/ca/ee/ca/updateNumberRange|^/ca/ee/ca/getCRL|^/ca/ee/ca/profileSubmit">
+    NSSOptions +StdEnvVars +ExportCertData +StrictRequire +OptRenegotiate
+    NSSVerifyClient none
+    ProxyPassMatch ajp://localhost:$DOGTAG_PORT
+    ProxyPassReverse ajp://localhost:$DOGTAG_PORT
+</LocationMatch>
+
+# matches for admin port and installer
+<LocationMatch "^/ca/admin/ca/getCertChain|^/ca/admin/ca/getConfigEntries|^/ca/admin/ca/getCookie|^/ca/admin/ca/getStatus|^/ca/admin/ca/securityDomainLogin|^/ca/admin/ca/getDomainXML|^/ca/admin/ca/updateNumberRange|^/ca/admin/ca/tokenAuthenticate|^/ca/admin/ca/updateNumberRange|^/ca/admin/ca/updateDomainXML|^/ca/admin/ca/updateConnector|^/ca/admin/ca/getSubsystemCert|^/kra/admin/kra/updateNumberRange|^/kra/admin/kra/getConfigEntries">
+    NSSOptions +StdEnvVars +ExportCertData +StrictRequire +OptRenegotiate
+    NSSVerifyClient none
+    ProxyPassMatch ajp://localhost:$DOGTAG_PORT
+    ProxyPassReverse ajp://localhost:$DOGTAG_PORT
+</LocationMatch>
+
+# matches for agent port and eeca port
+<LocationMatch "^/ca/agent/ca/displayBySerial|^/ca/agent/ca/doRevoke|^/ca/agent/ca/doUnrevoke|^/ca/agent/ca/updateDomainXML|^/ca/eeca/ca/profileSubmitSSLClient|^/kra/agent/kra/connector">
+    NSSOptions +StdEnvVars +ExportCertData +StrictRequire +OptRenegotiate
+    NSSVerifyClient require
+    ProxyPassMatch ajp://localhost:$DOGTAG_PORT
+    ProxyPassReverse ajp://localhost:$DOGTAG_PORT
+</LocationMatch>
+
+# matches for CA REST API
+<LocationMatch "^/ca/rest/account/login|^/ca/rest/account/logout|^/ca/rest/installer/installToken|^/ca/rest/securityDomain/domainInfo|^/ca/rest/securityDomain/installToken|^/ca/rest/profiles|^/ca/rest/authorities|^/ca/rest/certrequests|^/ca/rest/admin/kraconnector/remove">
+    NSSOptions +StdEnvVars +ExportCertData +StrictRequire +OptRenegotiate
+    NSSVerifyClient optional
+    ProxyPassMatch ajp://localhost:$DOGTAG_PORT
+    ProxyPassReverse ajp://localhost:$DOGTAG_PORT
+</LocationMatch>
+
+# matches for KRA REST API
+<LocationMatch "^/kra/rest/config/cert/transport|^/kra/rest/account|^/kra/rest/agent/keyrequests|^/kra/rest/agent/keys">
+    NSSOptions +StdEnvVars +ExportCertData +StrictRequire +OptRenegotiate
+    NSSVerifyClient optional
+    ProxyPassMatch ajp://localhost:$DOGTAG_PORT
+    ProxyPassReverse ajp://localhost:$DOGTAG_PORT
+</LocationMatch>
+
+# Only enable this on servers that are not generating a CRL
+${CLONE}RewriteRule ^/ipa/crl/MasterCRL.bin https://$FQDN/ca/ee/ca/getCRL?op=getCRL&crlIssuingPoint=MasterCRL [L,R=301,NC]
diff --git a/install/share/ipa-rewrite.conf.template b/install/share/ipa-rewrite.conf.template
new file mode 100644
index 0000000..37661b8
--- /dev/null
+++ b/install/share/ipa-rewrite.conf.template
@@ -0,0 +1,22 @@
+# VERSION 6 - DO NOT REMOVE THIS LINE
+
+RewriteEngine on
+
+# By default forward all requests to /ipa. If you don't want IPA
+# to be the default on your web server comment this line out.
+${AUTOREDIR}RewriteRule ^/$$ https://$FQDN/ipa/ui [L,NC,R=301]
+
+# Redirect to the fully-qualified hostname. Not redirecting to secure
+# port so configuration files can be retrieved without requiring SSL.
+RewriteCond %{HTTP_HOST}    !^$FQDN$$ [NC]
+RewriteRule ^/ipa/(.*)      http://$FQDN/ipa/$$1 [L,R=301]
+
+# Redirect to the secure port if not displaying an error or retrieving
+# configuration.
+RewriteCond %{SERVER_PORT}  !^443$$
+RewriteCond %{REQUEST_URI}  !^/ipa/(errors|config|crl)
+RewriteCond %{REQUEST_URI}  !^/ipa/[^\?]+(\.js|\.css|\.png|\.gif|\.ico|\.woff|\.svg|\.ttf|\.eot)$$
+RewriteRule ^/ipa/(.*)      https://$FQDN/ipa/$$1 [L,R=301,NC]
+
+# Rewrite for plugin index, make it like it's a static file
+RewriteRule ^/ipa/ui/js/freeipa/plugins.js$$    /ipa/wsgi/plugins.py [PT]
diff --git a/install/share/ipa.conf.template b/install/share/ipa.conf.template
new file mode 100644
index 0000000..e1f1a58
--- /dev/null
+++ b/install/share/ipa.conf.template
@@ -0,0 +1,227 @@
+#
+# VERSION 25 - DO NOT REMOVE THIS LINE
+#
+# This file may be overwritten on upgrades.
+#
+
+# Load lookup_identity module in case it has not been loaded yet
+# The module is used to search users according the certificate.
+<IfModule !lookup_identity_module>
+    LoadModule lookup_identity_module modules/mod_lookup_identity.so
+</IfModule>
+
+ProxyRequests Off
+
+#We use xhtml, a file format that the browser validates
+DirectoryIndex index.html
+
+
+# Substantially increase the request field size to support MS-PAC
+# requests, ticket #2767. This should easily support a 64KiB PAC.
+LimitRequestFieldSize 100000
+
+# Increase connection keep alive time. Default value is 5 seconds, which is too
+# short for interactive ipa commands. 30 seconds is a good compromise.
+KeepAlive On
+KeepAliveTimeout 30
+
+# ipa-rewrite.conf is loaded separately
+
+# This is required so the auto-configuration works with Firefox 2+
+AddType application/java-archive        jar
+AddType application/x-xpinstall         xpi
+
+# Proper header for .tff fonts
+AddType application/x-font-ttf          ttf
+
+# Enable compression
+AddOutputFilterByType DEFLATE text/html text/plain text/xml \
+ application/javascript application/json text/css \
+ application/x-font-ttf
+
+# Disable etag http header. Doesn't work well with mod_deflate
+# https://issues.apache.org/bugzilla/show_bug.cgi?id=45023
+# Usage of last-modified header and modified-since validator is sufficient.
+Header unset ETag
+FileETag None
+
+# FIXME: WSGISocketPrefix is a server-scope directive.  The mod_wsgi package
+# should really be fixed by adding this its /etc/httpd/conf.d/wsgi.conf:
+WSGISocketPrefix /run/httpd/wsgi
+
+
+# Configure mod_wsgi handler for /ipa
+WSGIDaemonProcess ipa processes=2 threads=1 maximum-requests=500 \
+ user=ipaapi group=ipaapi display-name=%{GROUP} socket-timeout=2147483647
+WSGIImportScript /usr/share/ipa/wsgi.py process-group=ipa application-group=ipa
+WSGIScriptAlias /ipa /usr/share/ipa/wsgi.py
+WSGIScriptReloading Off
+
+
+# Turn off mod_msgi handler for errors, config, crl:
+<Location "/ipa/errors">
+  SetHandler None
+</Location>
+<Location "/ipa/config">
+  SetHandler None
+</Location>
+<Location "/ipa/crl">
+  SetHandler None
+</Location>
+
+# Protect /ipa and everything below it in webspace with Apache Kerberos auth
+<Location "/ipa">
+  AuthType GSSAPI
+  AuthName "Kerberos Login"
+  GssapiUseSessions On
+  Session On
+  SessionCookieName ipa_session path=/ipa;httponly;secure;
+  SessionHeader IPASESSION
+  SessionMaxAge 1800
+  GssapiSessionKey file:/etc/httpd/alias/ipasession.key
+
+  GssapiImpersonate On
+  GssapiDelegCcacheDir /var/run/ipa/ccaches
+  GssapiDelegCcachePerms mode:0660 gid:ipaapi
+  GssapiUseS4U2Proxy on
+  GssapiAllowedMech krb5
+  Require valid-user
+  ErrorDocument 401 /ipa/errors/unauthorized.html
+  WSGIProcessGroup ipa
+  WSGIApplicationGroup ipa
+  Header always append X-Frame-Options DENY
+  Header always append Content-Security-Policy "frame-ancestors 'none'"
+
+  # mod_session always sets two copies of the cookie, and this confuses our
+  # legacy clients, the unset here works because it ends up unsetting only one
+  # of the 2 header tables set by mod_session, leaving the other intact
+  Header unset Set-Cookie
+</Location>
+
+# Target for login with internal connections
+Alias /ipa/session/cookie "/usr/share/ipa/gssapi.login"
+
+# Turn off Apache authentication for password/token based login pages
+<Location "/ipa/session/login_password">
+  Satisfy Any
+  Order Deny,Allow
+  Allow from all
+</Location>
+
+# Login with user certificate/smartcard configuration
+# This configuration needs to be loaded after <Location "/ipa">
+<Location "/ipa/session/login_x509">
+  AuthType none
+  GssapiDelegCcacheDir /var/run/ipa/ccaches
+  GssapiDelegCcachePerms mode:0660 gid:ipaapi
+  NSSVerifyClient require
+  NSSUserName SSL_CLIENT_CERT
+  LookupUserByCertificate On
+  WSGIProcessGroup ipa
+  WSGIApplicationGroup ipa
+  GssapiImpersonate On
+
+  GssapiUseSessions On
+  Session On
+  SessionCookieName ipa_session path=/ipa;httponly;secure;
+  SessionHeader IPASESSION
+  SessionMaxAge 1800
+  GssapiSessionKey file:/etc/httpd/alias/ipasession.key
+
+  Header unset Set-Cookie
+</Location>
+
+<Location "/ipa/session/change_password">
+  Satisfy Any
+  Order Deny,Allow
+  Allow from all
+</Location>
+
+<Location "/ipa/session/sync_token">
+  Satisfy Any
+  Order Deny,Allow
+  Allow from all
+</Location>
+
+# Custodia stuff is redirected to the custodia daemon
+# after authentication
+<Location "/ipa/keys/">
+    ProxyPass "unix:/run/httpd/ipa-custodia.sock|http://localhost/keys/";
+    RequestHeader set GSS_NAME %{GSS_NAME}s
+    RequestHeader set REMOTE_USER %{REMOTE_USER}s
+</Location>
+
+# This is where we redirect on failed auth
+Alias /ipa/errors "/usr/share/ipa/html"
+
+# For the MIT Windows config files
+Alias /ipa/config "/usr/share/ipa/html"
+
+# Do no authentication on the directory that contains error messages
+<Directory "/usr/share/ipa/html">
+  SetHandler None
+  AllowOverride None
+  Satisfy Any
+  Allow from all
+  ExpiresActive On
+  ExpiresDefault "access plus 0 seconds"
+</Directory>
+
+
+# For CRL publishing
+Alias /ipa/crl "$CRL_PUBLISH_PATH"
+<Directory "$CRL_PUBLISH_PATH">
+  SetHandler None
+  AllowOverride None
+  Options Indexes FollowSymLinks
+  Satisfy Any
+  Allow from all
+</Directory>
+
+
+#  List explicitly only the fonts we want to serve
+Alias /ipa/ui/fonts/open-sans "/usr/share/fonts/open-sans"
+Alias /ipa/ui/fonts/fontawesome "/usr/share/fonts/fontawesome"
+<Directory "/usr/share/fonts">
+  SetHandler None
+  AllowOverride None
+  Satisfy Any
+  Allow from all
+  ExpiresActive On
+  ExpiresDefault "access plus 1 year"
+</Directory>
+
+
+#  webUI  is now completely static, and served out of that directory
+Alias /ipa/ui "/usr/share/ipa/ui"
+<Directory "/usr/share/ipa/ui">
+  SetHandler None
+  AllowOverride None
+  Satisfy Any
+  Allow from all
+  ExpiresActive On
+  ExpiresDefault "access plus 1 year"
+  <FilesMatch "(index.html|loader.js|login.html|reset_password.html)">
+        ExpiresDefault "access plus 0 seconds"
+  </FilesMatch>
+</Directory>
+
+#  Simple wsgi scripts required by ui
+Alias /ipa/wsgi "/usr/share/ipa/wsgi"
+<Directory "/usr/share/ipa/wsgi">
+    AllowOverride None
+    Satisfy Any
+    Allow from all
+    Options ExecCGI
+    AddHandler wsgi-script .py
+</Directory>
+
+# migration related pages
+Alias /ipa/migration "/usr/share/ipa/migration"
+<Directory "/usr/share/ipa/migration">
+    AllowOverride None
+    Satisfy Any
+    Allow from all
+    Options ExecCGI
+    AddHandler wsgi-script .py
+</Directory>
diff --git a/ipaserver/install/dogtaginstance.py b/ipaserver/install/dogtaginstance.py
index 356358a..d48f2ba 100644
--- a/ipaserver/install/dogtaginstance.py
+++ b/ipaserver/install/dogtaginstance.py
@@ -241,7 +241,7 @@ def uninstall(self):
     def http_proxy(self):
         """ Update the http proxy file  """
         template_filename = (
-            os.path.join(paths.USR_SHARE_IPA_DIR, "ipa-pki-proxy.conf"))
+            os.path.join(paths.USR_SHARE_IPA_DIR, "ipa-pki-proxy.conf.template"))
         sub_dict = dict(
             DOGTAG_PORT=8009,
             CLONE='' if self.clone else '#',
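Review bot: The new line `os.path.join(paths.USR_SHARE_IPA_DIR, "ipa-pki-proxy.conf.template"))` runs past 79 columns, and the matching template joins added to httpinstance.py and upgrade.py in this patch do the same. A style fix is to break after the call's opening parenthesis, `template_filename = os.path.join(` / `    paths.USR_SHARE_IPA_DIR, "ipa-pki-proxy.conf.template")`. Beyond line length, the three modules now each spell the same three template file names independently, so the next rename has three places to miss; one shared definition of the template paths (wherever the project keeps its path constants) would remove that drift. http_proxy's body continues outside the hunk.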
diff --git a/ipaserver/install/httpinstance.py b/ipaserver/install/httpinstance.py
index 01b55e7..2bd2c76 100644
--- a/ipaserver/install/httpinstance.py
+++ b/ipaserver/install/httpinstance.py
@@ -220,7 +220,7 @@ def __configure_http(self):
 
         target_fname = paths.HTTPD_IPA_CONF
         http_txt = ipautil.template_file(
-            os.path.join(paths.USR_SHARE_IPA_DIR, "ipa.conf"), self.sub_dict)
+            os.path.join(paths.USR_SHARE_IPA_DIR, "ipa.conf.template"), self.sub_dict)
         self.fstore.backup_file(paths.HTTPD_IPA_CONF)
         http_fd = open(target_fname, "w")
         http_fd.write(http_txt)
@@ -229,7 +229,7 @@ def __configure_http(self):
 
         target_fname = paths.HTTPD_IPA_REWRITE_CONF
         http_txt = ipautil.template_file(
-            os.path.join(paths.USR_SHARE_IPA_DIR, "ipa-rewrite.conf"),
+            os.path.join(paths.USR_SHARE_IPA_DIR, "ipa-rewrite.conf.template"),
             self.sub_dict)
         self.fstore.backup_file(paths.HTTPD_IPA_REWRITE_CONF)
         http_fd = open(target_fname, "w")
diff --git a/ipaserver/install/server/upgrade.py b/ipaserver/install/server/upgrade.py
index 1706079..0f10e9f 100644
--- a/ipaserver/install/server/upgrade.py
+++ b/ipaserver/install/server/upgrade.py
@@ -1597,14 +1597,14 @@ def upgrade_configuration():
         ds_dirname = dsinstance.config_dirname(ds_serverid)
 
         upgrade_file(sub_dict, paths.HTTPD_IPA_CONF,
-                     os.path.join(paths.USR_SHARE_IPA_DIR, "ipa.conf"))
+                     os.path.join(paths.USR_SHARE_IPA_DIR, "ipa.conf.template"))
         upgrade_file(sub_dict, paths.HTTPD_IPA_REWRITE_CONF,
-                     os.path.join(paths.USR_SHARE_IPA_DIR, "ipa-rewrite.conf"))
+                     os.path.join(paths.USR_SHARE_IPA_DIR, "ipa-rewrite.conf.template"))
         if ca.is_configured():
             upgrade_file(
                 sub_dict,
                 paths.HTTPD_IPA_PKI_PROXY_CONF,
-                os.path.join(paths.USR_SHARE_IPA_DIR, "ipa-pki-proxy.conf"),
+                os.path.join(paths.USR_SHARE_IPA_DIR, "ipa-pki-proxy.conf.template"),
                 add=True)
         else:
             if ipautil.file_exists(paths.HTTPD_IPA_PKI_PROXY_CONF):

From 02d2d20f1b30f581f7d8ac8781203b25013acde7 Mon Sep 17 00:00:00 2001
From: Timo Aaltonen <tjaal...@debian.org>
Date: Wed, 29 Mar 2017 11:33:32 +0300
Subject: [PATCH 2/3] ipaplatform, ipa.conf: Use paths variables in
 ipa.conf.template

---
 install/share/ipa.conf.template   | 18 +++++++++---------
 ipaplatform/base/paths.py         |  3 +++
 ipaplatform/debian/paths.py       |  3 +++
 ipaserver/install/httpinstance.py |  5 +++++
 4 files changed, 20 insertions(+), 9 deletions(-)

diff --git a/install/share/ipa.conf.template b/install/share/ipa.conf.template
index e1f1a58..2f40b61 100644
--- a/install/share/ipa.conf.template
+++ b/install/share/ipa.conf.template
@@ -47,7 +47,7 @@ FileETag None
 
 # FIXME: WSGISocketPrefix is a server-scope directive.  The mod_wsgi package
 # should really be fixed by adding this its /etc/httpd/conf.d/wsgi.conf:
-WSGISocketPrefix /run/httpd/wsgi
+WSGISocketPrefix $WSGI_PREFIX_DIR
 
 
 # Configure mod_wsgi handler for /ipa
@@ -78,10 +78,10 @@ WSGIScriptReloading Off
   SessionCookieName ipa_session path=/ipa;httponly;secure;
   SessionHeader IPASESSION
   SessionMaxAge 1800
-  GssapiSessionKey file:/etc/httpd/alias/ipasession.key
+  GssapiSessionKey file:$GSSAPI_SESSION_KEY
 
   GssapiImpersonate On
-  GssapiDelegCcacheDir /var/run/ipa/ccaches
+  GssapiDelegCcacheDir $IPA_CCACHES
   GssapiDelegCcachePerms mode:0660 gid:ipaapi
   GssapiUseS4U2Proxy on
   GssapiAllowedMech krb5
@@ -112,7 +112,7 @@ Alias /ipa/session/cookie "/usr/share/ipa/gssapi.login"
 # This configuration needs to be loaded after <Location "/ipa">
 <Location "/ipa/session/login_x509">
   AuthType none
-  GssapiDelegCcacheDir /var/run/ipa/ccaches
+  GssapiDelegCcacheDir $IPA_CCACHES
   GssapiDelegCcachePerms mode:0660 gid:ipaapi
   NSSVerifyClient require
   NSSUserName SSL_CLIENT_CERT
@@ -126,7 +126,7 @@ Alias /ipa/session/cookie "/usr/share/ipa/gssapi.login"
   SessionCookieName ipa_session path=/ipa;httponly;secure;
   SessionHeader IPASESSION
   SessionMaxAge 1800
-  GssapiSessionKey file:/etc/httpd/alias/ipasession.key
+  GssapiSessionKey file:$GSSAPI_SESSION_KEY
 
   Header unset Set-Cookie
 </Location>
@@ -146,7 +146,7 @@ Alias /ipa/session/cookie "/usr/share/ipa/gssapi.login"
 # Custodia stuff is redirected to the custodia daemon
 # after authentication
 <Location "/ipa/keys/">
-    ProxyPass "unix:/run/httpd/ipa-custodia.sock|http://localhost/keys/";
+    ProxyPass "unix:$IPA_CUSTODIA_SOCKET|http://localhost/keys/";
     RequestHeader set GSS_NAME %{GSS_NAME}s
     RequestHeader set REMOTE_USER %{REMOTE_USER}s
 </Location>
@@ -180,9 +180,9 @@ Alias /ipa/crl "$CRL_PUBLISH_PATH"
 
 
 #  List explicitly only the fonts we want to serve
-Alias /ipa/ui/fonts/open-sans "/usr/share/fonts/open-sans"
-Alias /ipa/ui/fonts/fontawesome "/usr/share/fonts/fontawesome"
-<Directory "/usr/share/fonts">
+Alias /ipa/ui/fonts/open-sans "$FONTS_DIR/open-sans"
+Alias /ipa/ui/fonts/fontawesome "$FONTS_DIR/fontawesome"
+<Directory "$FONTS_DIR">
   SetHandler None
   AllowOverride None
   Satisfy Any
diff --git a/ipaplatform/base/paths.py b/ipaplatform/base/paths.py
index 9cf160f..3a3a906 100644
--- a/ipaplatform/base/paths.py
+++ b/ipaplatform/base/paths.py
@@ -39,6 +39,7 @@ class BasePathNamespace(object):
     HOSTS = "/etc/hosts"
     ETC_HTTPD_DIR = "/etc/httpd"
     HTTPD_ALIAS_DIR = "/etc/httpd/alias"
+    GSSAPI_SESSION_KEY = "/etc/httpd/alias/ipasession.key"
     OLD_KRA_AGENT_PEM = "/etc/httpd/alias/kra-agent.pem"
     HTTPD_CONF_D_DIR = "/etc/httpd/conf.d/"
     HTTPD_IPA_KDCPROXY_CONF = "/etc/ipa/kdcproxy/ipa-kdc-proxy.conf"
@@ -227,6 +228,7 @@ class BasePathNamespace(object):
     SETUP_DS_PL = "/usr/sbin/setup-ds.pl"
     SMBD = "/usr/sbin/smbd"
     USERADD = "/usr/sbin/useradd"
+    FONTS_DIR = "/usr/share/fonts"
     USR_SHARE_IPA_DIR = "/usr/share/ipa/"
     CA_TOPOLOGY_ULDIF = "/usr/share/ipa/ca-topology.uldif"
     IPA_HTML_DIR = "/usr/share/ipa/html"
@@ -354,5 +356,6 @@ class BasePathNamespace(object):
     GSSPROXY_CONF = '/etc/gssproxy/10-ipa.conf'
     KRB5CC_HTTPD = '/tmp/krb5cc-httpd'
     IF_INET6 = '/proc/net/if_inet6'
+    WSGI_PREFIX_DIR = "/run/httpd/wsgi"
 
 path_namespace = BasePathNamespace
diff --git a/ipaplatform/debian/paths.py b/ipaplatform/debian/paths.py
index 331afa0..f8be056 100644
--- a/ipaplatform/debian/paths.py
+++ b/ipaplatform/debian/paths.py
@@ -56,6 +56,7 @@ class DebianPathNamespace(BasePathNamespace):
     SYSTEMD_SYSTEM_HTTPD_D_DIR = "/etc/systemd/system/apache2.service.d/"
     SYSTEMD_SYSTEM_HTTPD_IPA_CONF = "/etc/systemd/system/apache2.service.d/ipa.conf"
     DNSSEC_TRUSTED_KEY = "/etc/bind/trusted-key.key"
+    GSSAPI_SESSION_KEY = "/etc/apache2/ipasession.key"
     OLD_KRA_AGENT_PEM = "/etc/apache2/nssdb/kra-agent.pem"
     SBIN_SERVICE = "/usr/sbin/service"
     CERTMONGER_COMMAND_TEMPLATE = "/usr/lib/ipa/certmonger/%s"
@@ -77,6 +78,7 @@ class DebianPathNamespace(BasePathNamespace):
     HTTPD = "/usr/sbin/apache2ctl"
     REMOVE_DS_PL = "/usr/sbin/remove-ds"
     SETUP_DS_PL = "/usr/sbin/setup-ds"
+    FONTS_DIR = "/usr/share/fonts/truetype"
     VAR_KERBEROS_KRB5KDC_DIR = "/var/lib/krb5kdc/"
     VAR_KRB5KDC_K5_REALM = "/var/lib/krb5kdc/.k5."
     CACERT_PEM = "/var/lib/krb5kdc/cacert.pem"
@@ -93,5 +95,6 @@ class DebianPathNamespace(BasePathNamespace):
     IPA_ODS_EXPORTER_CCACHE = "/var/lib/opendnssec/tmp/ipa-ods-exporter.ccache"
     IPA_CUSTODIA_SOCKET = "/run/apache2/ipa-custodia.sock"
     IPA_CUSTODIA_AUDIT_LOG = '/var/log/ipa-custodia.audit.log'
+    WSGI_PREFIX_DIR = "/run/apache2/wsgi"
 
 paths = DebianPathNamespace()
diff --git a/ipaserver/install/httpinstance.py b/ipaserver/install/httpinstance.py
index 2bd2c76..ff6c4af 100644
--- a/ipaserver/install/httpinstance.py
+++ b/ipaserver/install/httpinstance.py
@@ -152,6 +152,11 @@ def create_instance(self, realm, fqdn, domain_name, pkcs12_info=None,
             DOMAIN=self.domain,
             AUTOREDIR='' if auto_redirect else '#',
             CRL_PUBLISH_PATH=paths.PKI_CA_PUBLISH_DIR,
+            FONTS_DIR=paths.FONTS_DIR,
+            GSSAPI_SESSION_KEY=paths.GSSAPI_SESSION_KEY,
+            IPA_CUSTODIA_SOCKET=paths.IPA_CUSTODIA_SOCKET,
+            IPA_CCACHES=paths.IPA_CCACHES,
+            WSGI_PREFIX_DIR=paths.WSGI_PREFIX_DIR,
         )
         self.ca_file = ca_file
         if ca_is_configured is not None:
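Review bot: The five new substitution keys are only added to the install-time sub_dict here, yet the same ipa.conf.template is also rendered on upgrade by `upgrade_file(sub_dict, paths.HTTPD_IPA_CONF, ...ipa.conf.template)` in upgrade_configuration (hunk `@@ -1597,14 +1597,14 @@` of ipaserver/install/server/upgrade.py), whose sub_dict is built outside that hunk and, per patch 2's diffstat, is not touched by this series. Because FONTS_DIR, GSSAPI_SESSION_KEY and WSGI_PREFIX_DIR are introduced in this very patch, the upgrade-time dict cannot already contain them, so rendering the template on an existing server would presumably fail or leave `$FONTS_DIR`-style placeholders in the live httpd configuration. Add the same entries there (`FONTS_DIR=paths.FONTS_DIR`, `GSSAPI_SESSION_KEY=paths.GSSAPI_SESSION_KEY`, `IPA_CUSTODIA_SOCKET=paths.IPA_CUSTODIA_SOCKET`, `IPA_CCACHES=paths.IPA_CCACHES`, `WSGI_PREFIX_DIR=paths.WSGI_PREFIX_DIR`), or build the dict in one shared helper so the install and upgrade paths cannot diverge. create_instance starts outside this hunk.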

From f4b4eb35e6f51e1ce0fdeba0432c0ed7317f7284 Mon Sep 17 00:00:00 2001
From: Timo Aaltonen <tjaal...@debian.org>
Date: Wed, 29 Mar 2017 18:17:28 +0300
Subject: [PATCH 3/3] named.conf: Disable duplicate zone on debian, and modify
 data dir

zone already imported via default zones.
---
 install/share/bind.named.conf.template | 16 ++++++++--------
 ipaserver/install/bindinstance.py      |  2 ++
 2 files changed, 10 insertions(+), 8 deletions(-)

diff --git a/install/share/bind.named.conf.template b/install/share/bind.named.conf.template
index b7c3a0b..f84d9be 100644
--- a/install/share/bind.named.conf.template
+++ b/install/share/bind.named.conf.template
@@ -4,9 +4,9 @@ options {
 
 	// Put files that named is allowed to write in the data/ directory:
 	directory "$NAMED_VAR_DIR"; // the default
-	dump-file		"data/cache_dump.db";
-	statistics-file		"data/named_stats.txt";
-	memstatistics-file	"data/named_mem_stats.txt";
+	dump-file		"$DATA_DIRcache_dump.db";
+	statistics-file		"$DATA_DIRnamed_stats.txt";
+	memstatistics-file	"$DATA_DIRnamed_mem_stats.txt";
 
 	// Any host is permitted to issue recursive queries
 	allow-recursion { any; };
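Review bot: `$DATA_DIRcache_dump.db` on the dump-file line will not substitute as intended if the renderer is Python's string.Template (the bare `$NAME` syntax used throughout this file suggests it is): the identifier is scanned greedily as `DATA_DIRcache_dump`, which is not a key in the sub_dict, so rendering raises KeyError or leaves the placeholder in place. The same applies to the statistics-file and memstatistics-file lines in this hunk and to `$DATA_DIRnamed.run` and `$DISABLE_DEBIANzone` in the next one (`@@ -29,16 +29,16 @@`). Use braces wherever the placeholder is immediately followed by an identifier character, e.g. `dump-file "${DATA_DIR}cache_dump.db"` and `${DISABLE_DEBIAN}zone "." IN {`; `$DISABLE_DEBIAN<tab>type` and `$DISABLE_DEBIAN};` are fine as written because a tab or brace terminates the identifier.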
@@ -29,16 +29,16 @@ options {
  */
 logging {
 	channel default_debug {
-		file "data/named.run";
+		file "$DATA_DIRnamed.run";
 		severity dynamic;
 		print-time yes;
 	};
 };
 
-zone "." IN {
-	type hint;
-	file "named.ca";
-};
+$DISABLE_DEBIANzone "." IN {
+$DISABLE_DEBIAN	type hint;
+$DISABLE_DEBIAN	file "named.ca";
+$DISABLE_DEBIAN};
 
 include "$RFC1912_ZONES";
 include "$ROOT_KEY";
diff --git a/ipaserver/install/bindinstance.py b/ipaserver/install/bindinstance.py
index 03dce56..d6579f8 100644
--- a/ipaserver/install/bindinstance.py
+++ b/ipaserver/install/bindinstance.py
@@ -775,6 +775,8 @@ def __setup_sub_dict(self):
             NAMED_PID=paths.NAMED_PID,
             NAMED_VAR_DIR=paths.NAMED_VAR_DIR,
             BIND_LDAP_SO=paths.BIND_LDAP_SO,
+            DATA_DIR='' if ipautil.file_exists(paths.ETC_DEBIAN_VERSION) else 'data/',
+            DISABLE_DEBIAN='//' if ipautil.file_exists(paths.ETC_DEBIAN_VERSION) else '',
             )
 
     def __setup_dns_container(self):
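Review bot: `ipautil.file_exists(paths.ETC_DEBIAN_VERSION)` is a runtime distro probe inside server code, whereas the rest of this series routes platform differences through ipaplatform (the DebianPathNamespace overrides in the same PR); a constant such as `NAMED_DATA_DIR` (`'data/'` in BasePathNamespace, `''` in the Debian namespace) plus a companion flag for the root hint zone would keep bindinstance platform-agnostic and avoid evaluating the same file check twice. Emitting `//` in front of each zone line also leaves the generated named.conf looking like a leftover; if the hint zone is not wanted on Debian, the template could hold the whole block behind a single placeholder that expands to either the block or nothing. `__setup_sub_dict` starts outside this hunk, and ETC_DEBIAN_VERSION is presumably an existing paths constant that is not visible here.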
-- 