path: root/install/share/60basev2.ldif
Commit message | Author | Age | Files | Lines
* Remove group nesting from the HBAC service groups | Rob Crittenden | 2010-10-28 | 1 | -1/+1
| ticket 389
* Fix descriptions | Simo Sorce | 2010-10-05 | 1 | -1/+1
|
* 1. Schema cleanup | Dmitri Pal | 2010-07-21 | 1 | -13/+12
| The ipaAssociation is the core of different association objects. It seems that the service is an exception rather than the rule. So it is moved into the object where it belongs.
|
| Fixed matching rules and some attribute types.
|
| Addressing ticket: https://fedorahosted.org/freeipa/ticket/89
|
| Removed unused password attribute and realigned OIDs.
* Remove unused attribute serviceName and re-number schema | Rob Crittenden | 2010-06-21 | 1 | -8/+7
| serviceName was originally part of the HBAC rules. We dropped it to use a separate service object instead so we could more easily do groups of services in rules.
* Add ipaUniqueID to HBAC services and service groups | Rob Crittenden | 2010-05-27 | 1 | -1/+1
| Also fix the memberOf attribute for the HBAC services
* Re-number some attributes to compress our usage to be contiguous | Rob Crittenden | 2010-05-27 | 1 | -13/+14
| No longer install the policy or key escrow schemas and remove their OIDs for now.
|
| 594149
* Add groups of services to HBAC | Rob Crittenden | 2010-05-17 | 1 | -2/+6
| Replace serviceName with memberService so we can assign individual services or groups of services to an HBAC rule.
|
| 588574
* Remove some duplicated schema | Rob Crittenden | 2010-04-30 | 1 | -9/+0
| Newer versions of 389-ds provide this certificate schema so no need to provide it ourselves.
* Use a new mechanism for delegating certificate issuance. | Rob Crittenden | 2009-11-03 | 1 | -1/+2
| Using the client IP address was a rather poor mechanism for controlling who could request certificates for whom. Instead the client machine will bind using the host service principal and request the certificate.
|
| In order to do this:
| * the service will need to exist
| * the machine needs to be in the certadmin rolegroup
| * the host needs to be in the managedBy attribute of the service
|
| It might look something like:
|
| admin
|
| ipa host-add client.example.com --password=secret123
| ipa service-add HTTP/client.example.com
| ipa service-add-host --hosts=client.example.com HTTP/client.example.com
| ipa rolegroup-add-member --hosts=client.example.com certadmin
|
| client
|
| ipa-client-install
| ipa-join -w secret123
| kinit -kt /etc/krb5.keytab host/client.example.com
| ipa -d cert-request file://web.csr --principal=HTTP/client.example.com
* Use Directory String syntax for the fqdn attribute, not DN syntax. | Rob Crittenden | 2009-10-28 | 1 | -1/+1
|
* Add a new objectclass, ipaObject, that will add a UUID to many IPA objects | Rob Crittenden | 2009-08-10 | 1 | -0/+1
| ipaObject is defined as an auxiliary objectclass so it is up to the plugin author to ensure that the objectclass is included and a UUID generated. ipaUniqueId is a MUST attribute so if you include the objectclass you must ensure that the uuid is generated.
|
| This also fixes up some unrelated unit test failures.
* Include schema for key escrow management | Rob Crittenden | 2009-08-10 | 1 | -0/+6
| https://fedoraproject.org/wiki/Disk_encryption_key_escrow_in_IPA
* Basic changes to get a default principal for DNS | Simo Sorce | 2009-07-10 | 1 | -1/+1
| Also moves delegation layout installation in dsinstance. This is needed to allow us to set default membership in other modules like bindinstance.
|
| Signed-off-by: Martin Nagy <mnagy@redhat.com>
* Change DNS LDAP attributes | Martin Nagy | 2009-06-02 | 1 | -14/+13
| Removes two unneeded attributes and adds one attribute for specifying DNS update policy. Additionally, use different namespace for them: 5.x for attribute types and 6.x for object classes.
* Add memberOf as a MAY to ipaHost | Rob Crittenden | 2009-05-26 | 1 | -1/+1
| 499731
* Schema change so the nisnetgroup triples work properly. | Rob Crittenden | 2009-05-19 | 1 | -1/+2
| If we use cn for hostname there is no easy way to distinguish between a host and a hostgroup. So adding a fqdn attribute to be used to store the hostname instead.
* Incorporate new schema for IPAv2 | Rob Crittenden | 2009-02-11 | 1 | -0/+82
Loading this via LDIF is a temporary measure until we can load it online. This requires removing the dNSRecord declarations from 05rfc2247.ldif so a replacement copy is included for now. Also add the netgroups container.