path: root/install/share/Makefile.am

Commit message (Author, Age, Files, Lines removed/added)
* Add LDAP schema for certificate store. (Jan Cholasta, 2014-07-30, 1 file, -0/+1)
  Part of https://fedorahosted.org/freeipa/ticket/3259
  Part of https://fedorahosted.org/freeipa/ticket/3520
  Reviewed-By: Rob Crittenden <rcritten@redhat.com>
* Use LDAP API to upload CA certificate instead of ldapmodify command. (Jan Cholasta, 2014-03-25, 1 file, -1/+0)
  Reviewed-By: Petr Viktorin <pviktori@redhat.com>
* Add formerly update-only schema (Petr Viktorin, 2013-11-18, 1 file, -0/+2)
  Some schema was only delivered in updates. Add it back as ldif files.
  https://fedorahosted.org/freeipa/ticket/3454
* Fix nsslapdPlugin object class after initial replication. (Jan Cholasta, 2013-09-10, 1 file, -0/+1)
  This is a workaround for <https://fedorahosted.org/389/ticket/47490>.
  https://fedorahosted.org/freeipa/ticket/3915
* Add ipa-advise plugins for legacy clients (Ana Krivokapic, 2013-08-07, 1 file, -0/+4)
  Old versions of SSSD do not directly support cross-realm trusts between IPA and AD. This patch introduces plugins for the ipa-advise tool, which should help with configuring an old version of SSSD (1.5-1.8) to gain access to resources in a trusted domain. Since the configuration steps differ depending on whether the platform includes the authconfig tool, two plugins are needed:
  * config-redhat-sssd-before-1-9 - provides configuration for Red Hat based systems, as these systems include the authconfig utility
  * config-generic-sssd-before-1-9 - provides configuration for other platforms
  https://fedorahosted.org/freeipa/ticket/3671
  https://fedorahosted.org/freeipa/ticket/3672
* Enable SASL mapping fallback. (Jan Cholasta, 2013-06-27, 1 file, -0/+1)
  Assign a default priority of 10 to our SASL mappings.
  https://fedorahosted.org/freeipa/ticket/3330
* Add IPA OTP schema and ACLs (Nathaniel McCallum, 2013-05-17, 1 file, -0/+1)
  This commit adds schema support for two-factor authentication via OTP devices, including RADIUS or TOTP. This schema will be used by future patches which will enable two-factor authentication directly.
  https://fedorahosted.org/freeipa/ticket/3365
  http://freeipa.org/page/V3/OTP
* Upload CA cert in the directory on install (Simo Sorce, 2013-01-23, 1 file, -1/+2)
  This will later allow clients to securely download the CA cert by performing mutual auth using LDAP with GSSAPI.
* Fix schema replication from old masters (Petr Viktorin, 2012-11-23, 1 file, -0/+1)
  The new merged database will replicate with both the IPA and CA trees, so all DS instances (IPA and CA on the existing master, and the merged one on the replica) need to have the same schema.
  Dogtag does all its schema modifications online. Those are replicated normally. The basic IPA schema, however, is delivered in ldif files, which are not replicated. The files are not present on old CA DS instances. Any schema update that references objects in these files will fail.
  The whole 99user.ldif (i.e. changes introduced dynamically over LDAP) is replicated as a blob. If we updated the old master's CA schema dynamically during replica install, it would conflict with updates done during the installation: the one with the lower CSN would get lost.
  Dogtag's spawn script recently grew a new flag, 'pki_clone_replicate_schema'. Turning it off tells Dogtag to create its schema in the clone, where the IPA modifications are taking place, so that it is not overwritten by the IPA schema on replication.
  The patch solves the problems by:
  - In __spawn_instance, turning off the pki_clone_replicate_schema flag.
  - Providing a script to copy the IPA schema files to the CA DS instance. The script needs to be copied to old masters and run there.
  - At replica CA install, checking if the schema is updated, and failing if not. The --skip-schema-check option is added to ipa-{replica,ca}-install to override the check.
  All pre-3.1 CA servers in a domain will have to have the script run on them to avoid schema replication errors.
  https://fedorahosted.org/freeipa/ticket/3213
* Explicitly disable betxn plugins for the time being. (Rob Crittenden, 2012-10-10, 1 file, -0/+1)
  This should work with 389-ds-base 1.2.x and 1.3.0. Without other plugin changes 389-ds-base can deadlock.
  https://fedorahosted.org/freeipa/ticket/3046
* ipa-adtrust-install: create fallback group with ldif file (Sumit Bose, 2012-10-09, 1 file, -0/+1)
  Currently the framework is used to add the group, but we want to avoid that users are added explicitly to the group by removing the objectclasses groupofnames, ipausergroup and nestedgroup, and we want to use a name with spaces in it. Neither is easily possible with the framework, so an LDIF file is used instead to create the group.
  Fixes https://fedorahosted.org/freeipa/ticket/3147
* Build and installation of Kerberos authentication extension (Petr Vobornik, 2012-10-04, 1 file, -1/+2)
  This patch is adding a build of kerberosauth.xpi (FF Kerberos authentication extension). Currently the build is done in the install phase of the FreeIPA server. It is to allow signing of the extension by the signing certificate. The signing might not be necessary because the only outcome is that in extension installation FF doesn't show that the maker is not verified. It shows the text: 'Object signing cert'. This might be a bug in httpinstance.py:262 (db.create_signing_cert("Signing-Cert", "Object Signing Cert", ca_db)). The value is in place of the hostname parameter. If the extension is not signed, it can be created in the rpm build phase, which should make upgrades easier. Current implementation doesn't handle upgrades yet.
  In order to keep the extension and config pages not dependent on a realm, a krb.js.template file was created. This template is used for creating a /usr/share/ipa/html/krb.js file in the install phase which holds FreeIPA's realm and domain information. This information can then be used by config pages by importing this file.
  Ticket: https://fedorahosted.org/freeipa/ticket/3094
* Perform case-insensitive searches for principals on TGS requests (Alexander Bokovoy, 2012-06-07, 1 file, -0/+1)
  We want to always resolve TGS requests even if the user mistakenly sends a request for a service ticket where the fqdn part contains upper case letters.
  The actual implementation follows hints set by KDC. When AP_REQ is done, KDC sets KRB5_FLAG_ALIAS_OK and we obey it when looking for principals on TGS requests.
  https://fedorahosted.org/freeipa/ticket/1577
* Add trust management for Active Directory trusts (Alexander Bokovoy, 2012-06-07, 1 file, -0/+1)
* Add support for sudoOrder (Rob Crittenden, 2012-03-01, 1 file, -1/+1)
  Update ipaSudoRule objectClass on upgrades to add new attributes. Ensure uniqueness of sudoOrder in rules.
  The attributes sudoNotBefore and sudoNotAfter are being added to schema but not as Params.
  https://fedorahosted.org/freeipa/ticket/1314
* Update S4U2proxy delegation list when creating replicas (Rob Crittenden, 2012-02-15, 1 file, -0/+1)
* Add ipa-adtrust-install utility (Sumit Bose, 2011-09-14, 1 file, -0/+1)
  https://fedorahosted.org/freeipa/ticket/1619
* Move Managed Entries into their own container in the replicated space. (Jr Aquino, 2011-09-12, 1 file, -0/+2)
  Repoint cn=Managed Entries,cn=plugins,cn=config in common_setup
  Create: cn=Managed Entries,cn=etc,$SUFFIX
  Create: cn=Definitions,cn=Managed Entries,cn=etc,$SUFFIX
  Create: cn=Templates,cn=Managed Entries,cn=etc,$SUFFIX
  Create method for dynamically migrating any and all custom Managed Entries from the cn=config space into the new container.
  Separate the connection creation during update so that a restart can be performed to initialize changes before performing a delete.
  Add wait_for_open_socket() method in installutils
  https://fedorahosted.org/freeipa/ticket/1708
* 34 Create FreeIPA CLI Plugin for the 389 Auto Membership plugin (Jr Aquino, 2011-08-31, 1 file, -0/+2)
  Added new container in etc to hold the automembership configs.
  Modified constants to point to the new container
  Modified dsinstance to create the container
  Created automember.py to add the new commands
  Added xmlrpc test to verify functionality
  Added minor fix to user.py for constant behavior between memberof and automember
  https://fedorahosted.org/freeipa/ticket/1272
* v3-schema: Add new ipaExternalGroup objectclass (Simo Sorce, 2011-08-26, 1 file, -0/+1)
  This construct allows having a group of ipaExternalMember attributes that can be nested in a normal ipa Group ('memberOf' is allowed). It cannot contain normal ipa users/groups and cannot be nested with another group of the same type ('member' is not allowed).
* schema: Split ipadns definitions from basev2 ones (Simo Sorce, 2011-08-26, 1 file, -0/+1)
* ipa-kdb: Change install to use the new ipa-kdb kdc backend (Simo Sorce, 2011-08-26, 1 file, -2/+0)
  Use ipakdb instead of kldap and change install procedures accordingly.
  Note that we do not need to store the master key in a keytab as we can read it off of ldap in our driver.
* Create default disabled sudo bind user (Jr Aquino, 2011-02-23, 1 file, -0/+1)
  Read access is denied to the sudo container for unauthenticated users. This shared user can be used to provide authenticated access to the sudo information.
  https://fedorahosted.org/freeipa/ticket/998
* Allow SASL/EXTERNAL authentication for the root user (Simo Sorce, 2011-01-20, 1 file, -0/+1)
  This gives the root user low privileges so that when anonymous searches are denied the init scripts can still search the directory via ldapi to get the list of services to start.
  Fixes: https://fedorahosted.org/freeipa/ticket/795
* Remove radius options completely. (Simo Sorce, 2011-01-14, 1 file, -1/+0)
  This has been completely abandoned since ipa v1 and is not built by default. Instead of carrying dead weight, let's remove it for now.
  Fixes: https://fedorahosted.org/freeipa/ticket/761
* Add replication related acis to all replicas (Simo Sorce, 2010-12-21, 1 file, -0/+1)
  Fixes: https://fedorahosted.org/freeipa/ticket/617
* managed entry hostgroup netgroup support (Jr Aquino, 2010-12-13, 1 file, -0/+1)
  https://fedorahosted.org/freeipa/ticket/543
* Enable EntryUSN plugin by default, with global scope (Simo Sorce, 2010-11-30, 1 file, -0/+1)
  This will allow clients to use entryusn values to track what changed in the directory regardless of replication delays.
  Fixes: https://fedorahosted.org/freeipa/ticket/526
* Autotune directory server to use a greater number of files (Simo Sorce, 2010-11-22, 1 file, -0/+1)
  This changes the system limits for the dirsrv user as well as configuring DS to allow by default 8192 max files and 64 reserved files (for replication indexes, etc.).
  Fixes: https://fedorahosted.org/freeipa/ticket/464
* id ranges: change DNA configuration (Simo Sorce, 2010-11-22, 1 file, -2/+1)
  Change the way we specify the id ranges to force uid and gid ranges to always be the same. Add option to specify a maximum id.
  Change DNA configuration to use shared ranges so that masters and replicas can actually share the same overall range in a safe way.
  Configure replicas so that their default range is depleted. This will force them to fetch a range portion from the master on the first install.
  fixes: https://fedorahosted.org/freeipa/ticket/198
* Add support for configuring KDC certs for PKINIT (Simo Sorce, 2010-11-18, 1 file, -0/+2)
  This patch adds support only for the selfsign case. Replica support is also still missing at this stage.
* Rename 60sudo.ldif to 60ipasudo.ldif to not overwrite the 389-ds version. (Rob Crittenden, 2010-11-09, 1 file, -1/+1)
  This meant that the compat sudo schema was not available.
  ticket 439
* Use kerberos password policy. (Rob Crittenden, 2010-11-01, 1 file, -0/+1)
  This lets the KDC count password failures and can lock out accounts for a period of time. This only works for KDC >= 1.8.
  There currently is no way to unlock a locked account across a replica. MIT Kerberos 1.9 is adding support for doing so. Once that is available unlock will be added.
  The concept of a "global" password policy has changed. When we were managing the policy using the IPA password plugin it was smart enough to search up the tree looking for a policy. The KDC is not so smart and relies on the krbpwdpolicyreference to find the policy. For this reason every user entry requires this attribute. I've created a new global_policy entry to store the default password policy. All users point at this now. The group policy works the same and can override this setting.
  As a result the special "GLOBAL" name has been replaced with global_policy. This policy works like any other and is the default if a name is not provided on the command-line.
  ticket 51
* ipa-modrdn: Enable plugin to handle krbPrincipalName on renames (Simo Sorce, 2010-10-28, 1 file, -0/+1)
* ipa-uuid: enable plugin in IPA (Simo Sorce, 2010-10-22, 1 file, -0/+1)
* ntpdinstance: Do not replace the config files, just add needed options (Simo Sorce, 2010-10-18, 1 file, -2/+0)
* Enabling SUDO support (Dmitri Pal, 2010-09-16, 1 file, -0/+1)
  * Adding a new SUDO schema file
  * Adding this new file to the list of targets in make file
  * Create SUDO container for sudo rules
  * Add default sudo services to HBAC services
  * Add default SUDO HBAC service group with two services sudo & sudo-i
  * Installing schema
  No SUDO rules are created by default by this patch.
* Add support for User-Private Groups (Rob Crittenden, 2010-07-06, 1 file, -0/+2)
  This uses a new 389-ds plugin, Managed Entries, to automatically create a group entry when a user is created. The DNA plugin ensures that the group has a gidNumber that matches the user's uidNumber. When the user is removed the group is automatically removed as well.
  If the managed entries plugin is not available or if a specific, separate range for gidNumber is passed in at install time then User-Private Groups will not be configured.
  The code checking for the Managed Entries plugin may be removed at some point. This is there because this plugin is only available in a 389-ds alpha release currently (1.2.6-a4).
* Re-number some attributes to compress our usage to be contiguous (Rob Crittenden, 2010-05-27, 1 file, -1/+0)
  No longer install the policy or key escrow schemas and remove their OIDs for now.
  594149
* Create default HBAC rule allowing any user to access any host from any host (Rob Crittenden, 2010-05-05, 1 file, -0/+1)
  This is to make initial installation and testing easier. Use the --no_hbac_allow option on the command-line to disable this when doing an install.
  To remove it from a running server do: ipa hbac-del allow_all
* Run ipaserver under mod_wsgi (Jason Gerard DeRose, 2010-03-01, 1 file, -0/+1)
* Use the dns plug-in for addition of records during installation (Martin Nagy, 2010-01-21, 1 file, -1/+0)
  Fixes #528943
* No longer use the IPA-specific memberof plugin. Use the DS-supplied one. (Rob Crittenden, 2009-10-12, 1 file, -0/+1)
* Install the ldapi ldif file (Rob Crittenden, 2009-08-28, 1 file, -0/+1)
* Make --setup-dns work on replica installation (Martin Nagy, 2009-07-22, 1 file, -1/+2)
  The ipa-replica-install script will set up the DNS if the user specifies the --setup-dns option. It will only add the zone into LDAP if the cn=dns,$SUFFIX container doesn't exist. For now, however, we do not add the records.
* Let anonymous users browse the VLV index (Rob Crittenden, 2009-07-10, 1 file, -0/+1)
  This is needed for automount support on Solaris
  http://docs.sun.com/app/docs/doc/819-5201/6n7a588i7?l=en&a=view
* Basic changes to get a default principal for DNS (Simo Sorce, 2009-07-10, 1 file, -0/+1)
  Also moves delegation layout installation in dsinstance. This is needed to allow us to set default membership in other modules like bindinstance.
  Signed-off-by: Martin Nagy <mnagy@redhat.com>
* Use LDAP instead of flat file for zone storage (Martin Nagy, 2009-06-02, 1 file, -0/+1)
* New tool to enable/disable DS plugin to act as NIS server (Rob Crittenden, 2009-05-13, 1 file, -1/+2)
* Add signing profile to CA installation so we can sign the firefox jar file. (Rob Crittenden, 2009-05-04, 1 file, -0/+1)
  Use the requestId we get back from the CA when requesting the RA agent cert and use that to issue the certificate rather than hardcoding 7.
  This also adds some clean-up of file permissions and leaking fds.