Diffstat (limited to 'ipa-server/ipa-install')
-rw-r--r--ipa-server/ipa-install/Makefile.am1
-rw-r--r--ipa-server/ipa-install/ipa-server-certinstall156
-rw-r--r--ipa-server/ipa-install/ipa-server-install6
-rw-r--r--ipa-server/ipa-install/share/Makefile.am2
-rw-r--r--ipa-server/ipa-install/share/bootstrap-template.ldif4
-rw-r--r--ipa-server/ipa-install/share/default-aci.ldif26
-rw-r--r--ipa-server/ipa-install/share/preferences.html.template33
-rw-r--r--ipa-server/ipa-install/share/radius.radiusd.conf.template285
-rw-r--r--ipa-server/ipa-install/share/referint-conf.ldif4
9 files changed, 215 insertions, 302 deletions
diff --git a/ipa-server/ipa-install/Makefile.am b/ipa-server/ipa-install/Makefile.am
index 1b46d354..8a3e4a97 100644
--- a/ipa-server/ipa-install/Makefile.am
+++ b/ipa-server/ipa-install/Makefile.am
@@ -8,6 +8,7 @@ sbin_SCRIPTS = \
ipa-server-install \
ipa-replica-install \
ipa-replica-prepare \
+ ipa-server-certinstall \
$(NULL)
EXTRA_DIST = \
diff --git a/ipa-server/ipa-install/ipa-server-certinstall b/ipa-server/ipa-install/ipa-server-certinstall
new file mode 100644
index 00000000..932a6be1
--- /dev/null
+++ b/ipa-server/ipa-install/ipa-server-certinstall
@@ -0,0 +1,156 @@
+#! /usr/bin/python -E
+# Authors: Karl MacMillan <kmacmillan@mentalrootkit.com>
+#
+# Copyright (C) 2007 Red Hat
+# see file 'COPYING' for use and warranty information
+#
+# This program is free software; you can redistribute it and/or
+# modify it under the terms of the GNU General Public License as
+# published by the Free Software Foundation; version 2 or later
+#
+# This program is distributed in the hope that it will be useful,
+# but WITHOUT ANY WARRANTY; without even the implied warranty of
+# MERCHANTABILITY or FITNESS FOR A PARTICULAR PURPOSE. See the
+# GNU General Public License for more details.
+#
+# You should have received a copy of the GNU General Public License
+# along with this program; if not, write to the Free Software
+# Foundation, Inc., 59 Temple Place, Suite 330, Boston, MA 02111-1307 USA
+#
+
+import sys
+sys.path.append("/usr/share/ipa")
+
+import traceback
+
+import krbV, ldap, getpass
+
+from ipaserver import certs, dsinstance, httpinstance, ipaldap, installutils
+
+def get_realm_name():
+ c = krbV.default_context()
+ return c.default_realm
+
+def parse_options():
+ from optparse import OptionParser
+ parser = OptionParser()
+
+ parser.add_option("-d", "--dirsrv", dest="dirsrv", action="store_true",
+ default=False, help="install certificate for the directory server")
+ parser.add_option("-w", "--http", dest="http", action="store_true",
+ default=False, help="install certificate for the http server")
+
+
+ options, args = parser.parse_args()
+
+ if not options.dirsrv and not options.http:
+ parser.error("you must specify dirsrv and/or http")
+
+ if len(args) != 1:
+ parser.error("you must provide a pkcs12 filename")
+
+ return options, args[0]
+
+def set_ds_cert_name(cert_name, dm_password):
+ conn = ipaldap.IPAdmin("127.0.0.1")
+ conn.simple_bind_s("cn=directory manager", dm_password)
+
+ mod = [(ldap.MOD_REPLACE, "nsSSLPersonalitySSL", cert_name)]
+
+ conn.modify_s("cn=RSA,cn=encryption,cn=config", mod)
+
+ conn.unbind()
+
+def set_http_cert_name(cert_name):
+ # find the existing cert name
+ fd = open(httpinstance.NSS_CONF)
+ nick_name = None
+ file = []
+ for line in fd:
+ if "NSSNickname" in line:
+ file.append('NSSNickname "%s"\n' % cert_name)
+ else:
+ file.append(line)
+ fd.close()
+
+ fd = open(httpinstance.NSS_CONF, "w")
+ fd.write("".join(file))
+ fd.close()
+
+
+def choose_server_cert(server_certs):
+ print "Please select the certificate to use:"
+ num = 1
+ for cert in server_certs:
+ print "%d. %s" % (num, cert[0])
+ num += 1
+
+ cert_num = 0
+ while 1:
+ cert_input = raw_input("Certificate number [1]: ")
+ print ""
+ if cert_input == "":
+ break
+ else:
+ try:
+ num = int(cert_input)
+ except ValueError:
+ print "invalid number"
+ continue
+ if num > len(server_certs):
+ print "number out of range"
+ continue
+ cert_num = num - 1
+ break
+ return server_certs[cert_num]
+
+
+def import_cert(dirname, pkcs12_fname):
+ cdb = certs.CertDB(dirname)
+ cdb.create_passwd_file(False)
+ cdb.create_certdbs()
+ try:
+ cdb.import_pkcs12(pkcs12_fname)
+ except RuntimeError, e:
+ print str(e)
+ sys.exit(1)
+
+ server_certs = cdb.find_server_certs()
+ if len(server_certs) == 0:
+ print "could not find a suitable server cert in import"
+ sys.exit(1)
+ elif len(server_certs) == 1:
+ server_cert = server_certs[0]
+ else:
+ server_cert = choose_server_cert(server_certs)
+
+ cdb.trust_root_cert(server_cert[0])
+
+ return server_cert
+
+def main():
+ options, pkcs12_fname = parse_options()
+
+ try:
+ if options.dirsrv:
+ dm_password = getpass.getpass("Directory Manager password: ")
+ realm = get_realm_name()
+ dirname = dsinstance.config_dirname(realm)
+ server_cert = import_cert(dirname, pkcs12_fname)
+ set_ds_cert_name(server_cert[0], dm_password)
+
+ if options.http:
+ dirname = httpinstance.NSS_DIR
+ server_cert = import_cert(dirname, pkcs12_fname)
+ print server_cert
+ set_http_cert_name(server_cert[0])
+
+ except Exception, e:
+ print "an unexpected error occurred: %s" % str(e)
+ traceback.print_exc()
+ return 1
+
+ return 0
+
+
+sys.exit(main())
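Review bot: choose_server_cert only rejects numbers above len(server_certs), so an input of 0 or a negative value reaches `server_certs[num - 1]` and silently selects a certificate from the end of the list instead of being reported as out of range; the guard should read `if num < 1 or num > len(server_certs):`. set_http_cert_name rewrites httpinstance.NSS_CONF in place by reopening it with "w", so any error between the truncate and the write leaves the HTTP NSS configuration empty — writing to a temporary file in the same directory and renaming it over the original keeps the old configuration intact on failure, and the local named `file` shadows the builtin. The `print server_cert` under options.http in main() looks like a leftover debug statement that dumps the selected certificate tuple to the console. set_ds_cert_name sends the Directory Manager password with simple_bind_s to an IPAdmin connection on 127.0.0.1; whether IPAdmin wraps that connection in TLS is not visible here, so a comment stating the assumption would help the next reader.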
diff --git a/ipa-server/ipa-install/ipa-server-install b/ipa-server/ipa-install/ipa-server-install
index 646512d5..ee5e929d 100644
--- a/ipa-server/ipa-install/ipa-server-install
+++ b/ipa-server/ipa-install/ipa-server-install
@@ -46,7 +46,6 @@ import ipaserver.krbinstance
import ipaserver.bindinstance
import ipaserver.httpinstance
import ipaserver.ntpinstance
-import ipaserver.radiusinstance
import ipaserver.webguiinstance
from ipaserver import service
@@ -400,11 +399,6 @@ def main():
webgui = ipaserver.webguiinstance.WebGuiInstance()
webgui.create_instance()
- # Create a radius instance
- radius = ipaserver.radiusinstance.RadiusInstance()
- # FIXME: ldap_server should be derived, not hardcoded to localhost, also should it be a URL?
- radius.create_instance(realm_name, host_name, 'localhost')
-
bind.setup(host_name, ip_address, realm_name)
if options.setup_bind:
skipbind = False
diff --git a/ipa-server/ipa-install/share/Makefile.am b/ipa-server/ipa-install/share/Makefile.am
index 36bb54e8..5d117dec 100644
--- a/ipa-server/ipa-install/share/Makefile.am
+++ b/ipa-server/ipa-install/share/Makefile.am
@@ -19,7 +19,7 @@ app_DATA = \
krb.con.template \
krbrealm.con.template \
ntp.conf.server.template \
- radius.radiusd.conf.template \
+ preferences.html.template \
referint-conf.ldif \
dna-posix.ldif \
master-entry.ldif \
diff --git a/ipa-server/ipa-install/share/bootstrap-template.ldif b/ipa-server/ipa-install/share/bootstrap-template.ldif
index 9642070c..0a969de3 100644
--- a/ipa-server/ipa-install/share/bootstrap-template.ldif
+++ b/ipa-server/ipa-install/share/bootstrap-template.ldif
@@ -2,6 +2,8 @@ dn: $SUFFIX
changetype: modify
add: objectClass
objectClass: pilotObject
+-
+add: info
info: IPA V1.0
dn: cn=accounts,$SUFFIX
@@ -80,6 +82,7 @@ gidNumber: 1001
homeDirectory: /home/admin
loginShell: /bin/bash
gecos: Administrator
+nsAccountLock: False
dn: cn=radius,$SUFFIX
changetype: add
@@ -114,6 +117,7 @@ cn: admins
description: Account administrators group
gidNumber: 1001
member: uid=admin,cn=sysaccounts,cn=etc,$SUFFIX
+nsAccountLock: False
dn: cn=ipausers,cn=groups,cn=accounts,$SUFFIX
changetype: add
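Review bot: `nsAccountLock: False` is written explicitly into the cn=admins group entry here and into the uid=admin user entry in the previous hunk, and nothing in the file says why an explicit value is needed rather than relying on the attribute's absence. If account inactivation elsewhere in the installer is provided through a class-of-service template that supplies nsAccountLock, an explicit value stored in the entry overrides a default-qualified CoS value, which would make the admin account impossible to lock through that mechanism — worth confirming against the inactivation setup. nsAccountLock is an account attribute, so whether any consumer evaluates it on a group entry should also be stated. A short comment above each added line naming the component that reads the explicit value would record the reason.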
diff --git a/ipa-server/ipa-install/share/default-aci.ldif b/ipa-server/ipa-install/share/default-aci.ldif
index 95743eeb..5715259a 100644
--- a/ipa-server/ipa-install/share/default-aci.ldif
+++ b/ipa-server/ipa-install/share/default-aci.ldif
@@ -1,18 +1,18 @@
# $SUFFIX (base entry)
-# FIXME: We need to allow truly anonymous access only to NIS data for older clients. We need to allow broad access to most attributes only to authewnticated users
+# FIXME: We need to allow truly anonymous access only to NIS data for older clients. We need to allow broad access to most attributes only to authenticated users
dn: $SUFFIX
changetype: modify
replace: aci
-aci: (targetattr != "userPassword || krbPrincipalKey || krbMKey || sambaLMPassword || sambaNTPassword")(version 3.0; acl "Enable anonymous access"; allow (read, search, compare) userdn = "ldap:///anyone";)
-aci: (targetattr != "userPassword || krbPrincipalKey || krbMKey || sambaLMPassword || sambaNTPassword")(version 3.0; acl "Admin can manage any entry except for passwords"; allow (all) userdn = "ldap:///uid=admin,cn=sysaccounts,cn=etc,$SUFFIX";)
-aci: (targetattr = "userPassword || krbPrincipalKey || sambaLMPassword || sambaNTPassword")(version 3.0; acl "Admin can write passwords"; allow (write) userdn="ldap:///uid=admin,cn=sysaccounts,cn=etc,$SUFFIX";)
-aci: (targetattr = "krbPrincipalName || krbUPEnabled || krbPrincipalKey || krbMKey || krbTicketPolicyReference || krbPrincipalExpiration || krbPasswordExpiration || krbPwdPolicyReference || krbPrincipalType || krbPwdHistory || krbLastPwdChange || krbPrincipalAliases || krbExtraData")(version 3.0; acl "KDC System Account has access to kerberos material"; allow (read, search, compare) userdn="ldap:///uid=kdc,cn=sysaccounts,cn=etc,$SUFFIX";)
-aci: (targetattr = "krbLastSuccessfulAuth || krbLastFailedAuth || krbLoginFailedCount")(version 3.0; acl "KDC System Account can update some fields"; allow (read, search, compare, write) userdn="ldap:///uid=kdc,cn=sysaccounts,cn=etc,$SUFFIX";)
-aci: (targetattr = "userPassword || krbPrincipalKey ||sambaLMPassword || sambaNTPassword || krbPasswordExpiration || krbPwdHistory || krbLastPwdChange")(version 3.0; acl "Kpasswd access to passowrd hashes for passowrd changes"; allow (read, write) userdn = "ldap:///krbprincipalname=kadmin/changepw@$REALM,cn=$REALM,cn=kerberos,$SUFFIX";)
-aci: (targetfilter = "(|(objectClass=person)(objectClass=krbPrincipalAux)(objectClass=posixAccount)(objectClass=groupOfNames)(objectClass=posixGroup)(objectClass=radiusprofile))")(targetattr != "aci")(version 3.0; acl "Account Admins can manage Users and Groups"; allow (add, delete, read, write) groupdn = "ldap:///cn=admins,cn=groups,cn=accounts,$SUFFIX";)
+aci: (targetattr != "userPassword || krbPrincipalKey || sambaLMPassword || sambaNTPassword || passwordHistory || krbMkey")(version 3.0; acl "Enable Anonymous access"; allow (read, search, compare) userdn = "ldap:///anyone";)
+aci: (targetattr != "userPassword || krbPrincipalKey || sambaLMPassword || sambaNTPassword || passwordHistory || krbMkey")(version 3.0; acl "Admin can manage any entry"; allow (all) userdn = "ldap:///uid=admin,cn=sysaccounts,cn=etc,$SUFFIX";)
+aci: (targetattr = "userPassword || krbPrincipalKey || sambaLMPassword || sambaNTPassword || passwordHistory")(version 3.0; acl "Admins can write passwords"; allow (write) groupdn="ldap:///cn=admins,cn=groups,cn=accounts,$SUFFIX";)
+aci: (targetattr = "userPassword || krbPrincipalKey || sambaLMPassword || sambaNTPassword || passwordHistory")(version 3.0; acl "Password change service can read/write passwords"; allow (read, write) userdn="ldap:///krbprincipalname=kadmin/changepw@$REALM,cn=$REALM,cn=kerberos,$SUFFIX";)
+aci: (targetattr = "userPassword || krbPrincipalKey || sambaLMPassword || sambaNTPassword || passwordHistory")(version 3.0; acl "KDC System Account can access passwords"; allow (all) userdn="ldap:///uid=kdc,cn=sysaccounts,cn=etc,$SUFFIX";)
+aci: (targetattr = "krbLastSuccessfulAuth || krbLastFailedAuth || krbLoginFailedCount")(version 3.0; acl "KDC System Account can update some fields"; allow (write) userdn="ldap:///uid=kdc,cn=sysaccounts,cn=etc,$SUFFIX";)
+aci: (targetattr = "krbPrincipalName || krbUPEnabled || krbMKey || krbTicketPolicyReference || krbPrincipalExpiration || krbPasswordExpiration || krbPwdPolicyReference || krbPrincipalType || krbPwdHistory || krbLastPwdChange || krbPrincipalAliases || krbExtraData || krbLastSuccessfulAuth || krbLastFailedAuth || krbLoginFailedCount")(version 3.0; acl "Only the KDC System Account has access to kerberos material"; allow (read, search, compare) userdn="ldap:///uid=kdc,cn=sysaccounts,cn=etc,$SUFFIX";)
+aci: (targetfilter = "(|(objectClass=person)(objectClass=krbPrincipalAux)(objectClass=posixAccount)(objectClass=groupOfNames)(objectClass=posixGroup))")(targetattr != "aci || userPassword || krbPrincipalKey || sambaLMPassword || sambaNTPassword || passwordHistory")(version 3.0; acl "Account Admins can manage Users and Groups"; allow (add, delete, read, write) groupdn = "ldap:///cn=admins,cn=groups,cn=accounts,$SUFFIX";)
aci: (targetfilter = "(objectClass=krbPwdPolicy)")(targetattr = "krbMaxPwdLife || krbMinPwdLife || krbPwdMinDiffChars || krbPwdMinLength || krbPwdHistoryLength")(version 3.0;acl "Admins can write password policies"; allow (read, search, compare, write) groupdn = "ldap:///cn=admins,cn=groups,cn=accounts,$SUFFIX";)
-aci: (targetattr = "givenName || sn || cn || displayName || initials || loginShell || homePhone || mobile || pager || facsimileTelephoneNumber || telephoneNumber || street || roomNumber || l || st || postalCode || manager || description || carLicense || labeledURI || inetUserHTTPURL || seeAlso")(version 3.0;acl "Self service";allow (write) userdn = "ldap:///self";)
-aci: (target="ldap:///cn=radius,$SUFFIX")(version 3.0; acl "Only radius and admin can access radius service data"; deny (all) userdn!="ldap:///uid=admin,cn=sysaccounts,cn=etc,$SUFFIX || ldap:///krbprincipalname=radius/$FQDN@$REALM,cn=$REALM,cn=kerberos,$SUFFIX";)
+aci: (targetattr = "givenName || sn || cn || displayName || title || initials || loginShell || gecos || homePhone || mobile || pager || facsimileTelephoneNumber || telephoneNumber || street || roomNumber || l || st || postalCode || manager || secretary || description || carLicense || labeledURI || inetUserHTTPURL || seeAlso || employeeType || businessCategory || ou")(version 3.0;acl "Self service";allow (write) userdn = "ldap:///self";)
dn: cn=ipaConfig,cn=etc,$SUFFIX
changetype: modify
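Review bot: The new ACI "KDC System Account can access passwords" grants `allow (all)` on userPassword, krbPrincipalKey, sambaLMPassword, sambaNTPassword and passwordHistory to uid=kdc, whereas the rule it replaces gave the KDC read, search and compare on kerberos material and left password writes to admin and the kadmin/changepw principal; `(all)` also covers write, delete and selfwrite, so a compromise of the KDC service account would expose every account's password hashes to modification, not just to reading. Unless the KDC itself updates keys, `allow (read, search, compare)` is the least privilege that still lets it authenticate users — worth confirming against what the KDB backend actually does. The anonymous-access rule now lists krbMkey in its exclusion while the KDC material rule spells it krbMKey; attribute types are case-insensitive so this is harmless, but consistent spelling makes the exclusion list easier to audit.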
@@ -25,6 +25,12 @@ add: aci
aci: (targetattr = "krbMaxPwdLife || krbMinPwdLife || krbPwdMinDiffChars || krbPwdMinLength || krbPwdHistoryLength")(version 3.0;acl "Admins can write password policy"; allow (write) groupdn="ldap:///cn=admins,cn=groups,cn=accounts,$SUFFIX";)
aci: (targetattr = "aci")(version 3.0;acl "Admins can manage delegations"; allow (write, delete) groupdn="ldap:///cn=admins,cn=groups,cn=accounts,$SUFFIX";)
+dn: cn=radius,$SUFFIX
+changetype: modify
+add: aci
+aci: (targetattr = "*")(version 3.0; acl "Only radius and admin can access radius service data"; deny (all) userdn!="ldap:///uid=admin,cn=sysaccounts,cn=etc,$SUFFIX || ldap:///krbprincipalname=radius/$FQDN@$REALM,cn=$REALM,cn=kerberos,$SUFFIX";)
+aci: (targetfilter = "(objectClass=radiusprofile)")(targetattr != "aci || userPassword || krbPrincipalKey || sambaLMPassword || sambaNTPassword || passwordHistory")(version 3.0; acl "Account Admins can manage Users and Groups"; allow (add, delete, read, write) groupdn = "ldap:///cn=admins,cn=groups,cn=accounts,$SUFFIX";)
+
dn: cn=services,cn=accounts,$SUFFIX
changetype: modify
add: aci
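Review bot: The two ACIs added under cn=radius conflict for members of cn=admins: the first denies (all) to every bind DN except uid=admin and the radius principal, and the second allows cn=admins add/delete/read/write on radiusprofile entries; as far as I can tell deny rules take precedence over allow rules in 389 DS ACI evaluation, so any admins-group member other than uid=admin is still denied and the group allow is dead. Extending the deny's bind rule with `and groupdn != "ldap:///cn=admins,cn=groups,cn=accounts,$SUFFIX"` would make the two consistent if group admins are meant to manage radius profiles. The second ACI also reuses the acl name "Account Admins can manage Users and Groups" from the $SUFFIX entry, which makes the two indistinguishable in access logs and error messages; a name such as "Account Admins can manage radius profiles" would be clearer.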
diff --git a/ipa-server/ipa-install/share/preferences.html.template b/ipa-server/ipa-install/share/preferences.html.template
new file mode 100644
index 00000000..2d3684dc
--- /dev/null
+++ b/ipa-server/ipa-install/share/preferences.html.template
@@ -0,0 +1,33 @@
+<!DOCTYPE HTML PUBLIC "-//W3C//DTD HTML 4.01 Transitional//EN" "http://www.w3.org/TR/html4/loose.dtd">
+<html>
+<head>
+ <title>Automatically set browser preferences</title>
+</head>
+<body>
+<form action="undefined" method="get">
+<input type=button onclick="setPreferences()" name="prefs" value="Configure Firefox">
+</form>
+
+<script type="text/javascript">
+function setPreferences() {
+ try {
+ netscape.security.PrivilegeManager.enablePrivilege("UniversalPreferencesWrite");
+ try {
+ navigator.preference("network.negotiate-auth.using-native-gsslib", true)
+ navigator.preference("network.negotiate-auth.delegation-uris", ".$DOMAIN")
+ navigator.preference("network.negotiate-auth.trusted-uris", ".$DOMAIN")
+ navigator.preference("network.negotiate-auth.allow-proxies", true)
+ } catch (e) {
+ alert("Unable to store preferences: " + e)
+ }
+ netscape.security.PrivilegeManager.disablePrivilege("UniversalPreferencesWrite");
+ alert("Successfully configured Firefox for single sign on.")
+ } catch (e) {
+ alert("Unable to apply recommended settings.\n\nClick on the Certificate Authority link and select trust for all, then reload this page and try again.\n\nThe error returned was: " + e);
+ return;
+ }
+}
+</script>
+
+</body>
+</html>
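Review bot: In setPreferences the inner catch reports "Unable to store preferences" and then falls through to the success alert, so a failed preference write still tells the user Firefox was configured; the inner catch should return after releasing the privilege: `alert("Unable to store preferences: " + e);` `netscape.security.PrivilegeManager.disablePrivilege("UniversalPreferencesWrite");` `return;`. `$DOMAIN` is interpolated into JavaScript string literals without escaping, so the template relies on the installer validating the domain name before substitution; a comment at the top of the file stating that assumption would document it. `<form action="undefined">` is never submitted because the input is type=button, but the literal value looks like a leftover and a plain `<button type="button" onclick="setPreferences()">` without the form would be cleaner. The navigator.preference and alert statements also lack terminating semicolons, inconsistent with the enablePrivilege/disablePrivilege lines.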
diff --git a/ipa-server/ipa-install/share/radius.radiusd.conf.template b/ipa-server/ipa-install/share/radius.radiusd.conf.template
deleted file mode 100644
index 3bc4927d..00000000
--- a/ipa-server/ipa-install/share/radius.radiusd.conf.template
+++ /dev/null
@@ -1,285 +0,0 @@
-#
-# WARNING: This file is automatically generated, do not edit
-#
-# $CONFIG_FILE_VERSION_INFO
-#
-prefix = /usr
-exec_prefix = /usr
-sysconfdir = /etc
-localstatedir = /var
-sbindir = /usr/sbin
-logdir = $${localstatedir}/log/radius
-raddbdir = $${sysconfdir}/raddb
-radacctdir = $${logdir}/radacct
-confdir = $${raddbdir}
-run_dir = $${localstatedir}/run/radiusd
-db_dir = $${localstatedir}/lib/radiusd
-log_file = $${logdir}/radius.log
-libdir = /usr/lib
-pidfile = $${run_dir}/radiusd.pid
-user = radiusd
-group = radiusd
-max_request_time = 30
-delete_blocked_requests = no
-cleanup_delay = 5
-max_requests = 1024
-bind_address = *
-port = 0
-hostname_lookups = no
-allow_core_dumps = no
-regular_expressions = yes
-extended_expressions = yes
-log_stripped_names = no
-log_auth = no
-log_auth_badpass = no
-log_auth_goodpass = no
-usercollide = no
-lower_user = no
-lower_pass = no
-nospace_user = no
-nospace_pass = no
-checkrad = $${sbindir}/checkrad
-security {
- max_attributes = 200
- reject_delay = 1
- status_server = no
-}
-proxy_requests = yes
-$$INCLUDE $${confdir}/proxy.conf
-$$INCLUDE $${confdir}/clients.conf
-snmp = no
-$$INCLUDE $${confdir}/snmp.conf
-thread pool {
- start_servers = 5
- max_servers = 32
- min_spare_servers = 3
- max_spare_servers = 10
- max_requests_per_server = 0
-}
-modules {
- chap {
- authtype = CHAP
- }
- pam {
- pam_auth = radiusd
- }
- unix {
- cache = no
- cache_reload = 600
- shadow = /etc/shadow
- radwtmp = $${logdir}/radwtmp
- }
-$$INCLUDE $${confdir}/eap.conf
- mschap {
- }
- ldap {
- server = "$LDAP_SERVER"
- use_sasl = yes
- sasl_mech = "GSSAPI"
- krb_keytab = "$RADIUS_KEYTAB"
- krb_principal = "$RADIUS_PRINCIPAL"
- basedn = "$RADIUS_USER_BASE_DN"
- filter = "(uid=%{Stripped-User-Name:-%{User-Name}})"
- base_filter = "(objectclass=radiusprofile)"
- start_tls = no
- profile_attribute = "radiusProfileDn"
- default_profile = "uid=ipa_default,cn=profiles,cn=radius,cn=services,cn=etc,$SUFFIX
- # FIXME: we'll want to toggle the access_attr feature on/off,
- # but it needs a control, so disable it for now.
- #access_attr = "$ACCESS_ATTRIBUTE"
- #access_attr_used_for_allow = "$ACCESS_ATTRIBUTE_DEFAULT"
- dictionary_mapping = $${raddbdir}/ldap.attrmap
- ldap_connections_number = 5
- edir_account_policy_check=no
- timeout = 4
- timelimit = 3
- net_timeout = 1
- clients_basedn = "$CLIENTS_BASEDN"
- }
- realm IPASS {
- format = prefix
- delimiter = "/"
- ignore_default = no
- ignore_null = no
- }
- realm suffix {
- format = suffix
- delimiter = "@"
- ignore_default = no
- ignore_null = no
- }
- realm realmpercent {
- format = suffix
- delimiter = "%"
- ignore_default = no
- ignore_null = no
- }
- realm ntdomain {
- format = prefix
- delimiter = "\\"
- ignore_default = no
- ignore_null = no
- }
- checkval {
- item-name = Calling-Station-Id
- check-name = Calling-Station-Id
- data-type = string
- }
- preprocess {
- huntgroups = $${confdir}/huntgroups
- hints = $${confdir}/hints
- with_ascend_hack = no
- ascend_channels_per_line = 23
- with_ntdomain_hack = no
- with_specialix_jetstream_hack = no
- with_cisco_vsa_hack = no
- }
- files {
- usersfile = $${confdir}/users
- acctusersfile = $${confdir}/acct_users
- preproxy_usersfile = $${confdir}/preproxy_users
- compat = no
- }
- detail {
- detailfile = $${radacctdir}/%{Client-IP-Address}/detail-%Y%m%d
- detailperm = 0600
- }
- acct_unique {
- key = "User-Name, Acct-Session-Id, NAS-IP-Address, Client-IP-Address, NAS-Port"
- }
- radutmp {
- filename = $${logdir}/radutmp
- username = %{User-Name}
- case_sensitive = yes
- check_with_nas = yes
- perm = 0600
- callerid = "yes"
- }
- radutmp sradutmp {
- filename = $${logdir}/sradutmp
- perm = 0644
- callerid = "no"
- }
- attr_filter {
- attrsfile = $${confdir}/attrs
- }
- counter daily {
- filename = $${db_dir}/db.daily
- key = User-Name
- count-attribute = Acct-Session-Time
- reset = daily
- counter-name = Daily-Session-Time
- check-name = Max-Daily-Session
- allowed-servicetype = Framed-User
- cache-size = 5000
- }
- sqlcounter dailycounter {
- counter-name = Daily-Session-Time
- check-name = Max-Daily-Session
- reply-name = Session-Timeout
- sqlmod-inst = sql
- key = User-Name
- reset = daily
- query = "SELECT SUM(AcctSessionTime - \
- GREATEST((%b - UNIX_TIMESTAMP(AcctStartTime)), 0)) \
- FROM radacct WHERE UserName='%{%k}' AND \
- UNIX_TIMESTAMP(AcctStartTime) + AcctSessionTime > '%b'"
- }
- sqlcounter monthlycounter {
- counter-name = Monthly-Session-Time
- check-name = Max-Monthly-Session
- reply-name = Session-Timeout
- sqlmod-inst = sql
- key = User-Name
- reset = monthly
- query = "SELECT SUM(AcctSessionTime - \
- GREATEST((%b - UNIX_TIMESTAMP(AcctStartTime)), 0)) \
- FROM radacct WHERE UserName='%{%k}' AND \
- UNIX_TIMESTAMP(AcctStartTime) + AcctSessionTime > '%b'"
- }
- always fail {
- rcode = fail
- }
- always reject {
- rcode = reject
- }
- always ok {
- rcode = ok
- simulcount = 0
- mpp = no
- }
- expr {
- }
- digest {
- }
- exec {
- wait = yes
- input_pairs = request
- }
- exec echo {
- wait = yes
- program = "/bin/echo %{User-Name}"
- input_pairs = request
- output_pairs = reply
- }
- ippool main_pool {
- range-start = 192.168.1.1
- range-stop = 192.168.3.254
- netmask = 255.255.255.0
- cache-size = 800
- session-db = $${db_dir}/db.ippool
- ip-index = $${db_dir}/db.ipindex
- override = no
- maximum-timeout = 0
- }
- krb5 {
- keytab = "$RADIUS_KEYTAB"
- service_principal = "$RADIUS_PRINCIPAL"
- }
-}
-instantiate {
- exec
- expr
-}
-authorize {
- preprocess
- chap
- mschap
- suffix
- eap
- #files
- ldap
-}
-authenticate {
- Auth-Type CHAP {
- chap
- }
- Auth-Type MS-CHAP {
- mschap
- }
- eap
- Auth-Type Kerberos {
- krb5
- }
-}
-preacct {
- preprocess
- acct_unique
- suffix
- files
-}
-accounting {
- detail
- unix
- radutmp
-}
-session {
- radutmp
-}
-post-auth {
-}
-pre-proxy {
-}
-post-proxy {
- eap
-}
diff --git a/ipa-server/ipa-install/share/referint-conf.ldif b/ipa-server/ipa-install/share/referint-conf.ldif
index 7a547ba5..533b97de 100644
--- a/ipa-server/ipa-install/share/referint-conf.ldif
+++ b/ipa-server/ipa-install/share/referint-conf.ldif
@@ -2,6 +2,10 @@ dn: cn=referential integrity postoperation,cn=plugins,cn=config
changetype: modify
replace: nsslapd-pluginenabled
nsslapd-pluginenabled: on
+-
+add: nsslapd-pluginArg7
nsslapd-pluginArg7: manager
+-
+add: nsslapd-pluginArg8
nsslapd-pluginArg8: secretary
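Review bot: The added `-` separators and `add: nsslapd-pluginArg7` / `add: nsslapd-pluginArg8` headers make the modify valid LDIF, but an `add` of a value that already exists fails the whole modify with "type or value exists", so re-applying this file to an instance that already carries these plugin arguments aborts — including the preceding `replace: nsslapd-pluginenabled`, since the modify is atomic. `replace: nsslapd-pluginArg7` and `replace: nsslapd-pluginArg8` produce the same end state and are idempotent. The same consideration applies to the `add: info` change in bootstrap-template.ldif.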