path: root/install/share/delegation.ldif
Commit message / Author / Age / Files / Lines

* Convert Service default permissions to managed
  Petr Viktorin, 2014-06-24, 1 file, -55/+0
  Part of the work for: https://fedorahosted.org/freeipa/ticket/4346
  Reviewed-By: Martin Kosek <mkosek@redhat.com>

* Convert Role default permissions to managed
  Petr Viktorin, 2014-06-24, 1 file, -44/+0
  Part of the work for: https://fedorahosted.org/freeipa/ticket/4346
  Reviewed-By: Martin Kosek <mkosek@redhat.com>

* Convert the Modify privilege membership permission to managed
  Petr Viktorin, 2014-06-24, 1 file, -9/+0
  Part of the work for: https://fedorahosted.org/freeipa/ticket/4346
  Reviewed-By: Martin Kosek <mkosek@redhat.com>

* Convert Netgroup default permissions to managed
  Petr Viktorin, 2014-06-24, 1 file, -44/+0
  Part of the work for: https://fedorahosted.org/freeipa/ticket/4346
  Reviewed-By: Martin Kosek <mkosek@redhat.com>

* Convert Hostgroup default permissions to managed
  Petr Viktorin, 2014-06-24, 1 file, -44/+0
  Part of the work for: https://fedorahosted.org/freeipa/ticket/4346
  Reviewed-By: Martin Kosek <mkosek@redhat.com>

* Convert Group default permissions to managed
  Petr Viktorin, 2014-06-24, 1 file, -46/+0
  Part of the work for: https://fedorahosted.org/freeipa/ticket/4346
  Reviewed-By: Martin Kosek <mkosek@redhat.com>

* Convert Automount default permissions to managed
  Petr Viktorin, 2014-06-24, 1 file, -62/+0
  Part of the work for: https://fedorahosted.org/freeipa/ticket/4346
  Reviewed-By: Martin Kosek <mkosek@redhat.com>

* Convert Host default permissions to managed
  Petr Viktorin, 2014-06-23, 1 file, -82/+0
  Part of the work for: https://fedorahosted.org/freeipa/ticket/4346
  Reviewed-By: Martin Kosek <mkosek@redhat.com>

* Convert User default permissions to managed
  Petr Viktorin, 2014-06-10, 1 file, -72/+0
  Part of the work for: https://fedorahosted.org/freeipa/ticket/4346
  Reviewed-By: Martin Kosek <mkosek@redhat.com>

* Remove the global anonymous read ACI
  Petr Viktorin, 2014-05-26, 1 file, -5/+0
  Also remove
  - the deny ACIs that implemented exceptions to it:
    - no anonymous access to roles
    - no anonymous access to member information
    - no anonymous access to hbac
    - no anonymous access to sudo (2×)
  - its updater plugin
  Part of the work for: https://fedorahosted.org/freeipa/ticket/3566
  Reviewed-By: Martin Kosek <mkosek@redhat.com>

* Add a new ipaVirtualOperation objectClass to virtual operations
  Petr Viktorin, 2014-04-24, 1 file, -36/+0
  The entries are moved from the ldif file to an update file.
  Part of the work for: https://fedorahosted.org/freeipa/ticket/3566
  Reviewed-By: Martin Kosek <mkosek@redhat.com>

* Remove entitlement support
  Martin Kosek, 2013-06-26, 1 file, -80/+0
  Entitlements code was not tested nor supported upstream since version 3.0. Remove the associated code.
  https://fedorahosted.org/freeipa/ticket/3739

* Extend ipa-replica-manage to be able to manage DNA ranges.
  Rob Crittenden, 2013-03-13, 1 file, -0/+9
  Attempt to automatically save DNA ranges when a master is removed. This is done by trying to find a master that does not yet define a DNA on-deck range. If one can be found then the range on the deleted master is added. If one cannot be found then it is reported as an error.
  Some validation of the ranges is done to ensure that they do overlap an IPA local range and do not overlap existing DNA ranges configured on other masters.
  http://freeipa.org/page/V3/Recover_DNA_Ranges
  https://fedorahosted.org/freeipa/ticket/3321

* Add automount map/key update permissions
  Martin Kosek, 2012-07-10, 1 file, -2/+20
  Add missing permissions that can be used to delegate write access to existing automount maps or keys.
  Since the automount key RDN has been changed in the past from "automountkey" to "description" and there can be LDAP entries with both RDNs, the structure of the relevant ACI needs to be changed to a different scheme. Now, it rather targets a DN of the parent automount map object and uses targetfilter to limit the target to automount key objects only.
  https://fedorahosted.org/freeipa/ticket/2687

* Don't allow "Modify Group membership" permission to manage admins
  Rob Crittenden, 2012-02-23, 1 file, -1/+1
  The permission "Modify Group membership" is used to delegate group management responsibilities. We don't want that to include managing the admins group.
  https://fedorahosted.org/freeipa/ticket/2416

* Limit the change password permission so it can't change admin passwords
  Rob Crittenden, 2012-02-20, 1 file, -1/+1
  We don't want those in the helpdesk role to be able to reset administrators' passwords.
  https://fedorahosted.org/freeipa/ticket/2271

* Use FQDN in place of FQHN for consistency in sub_dict.
  Rob Crittenden, 2012-02-15, 1 file, -1/+1
  For some reason lost to history the sub_dict in dsinstance and cainstance used FQHN instead of FQDN. This made upgrade scripts not work reliably as the variable might be different depending on context. Use FQDN universally instead.

* Add LDAP ACIs for SSH public key schema.
  Jan Cholasta, 2012-02-13, 1 file, -0/+18
  https://fedorahosted.org/freeipa/ticket/754

* Disallow direct modifications to enrolledBy.
  Rob Crittenden, 2011-07-14, 1 file, -2/+4
  This fixes a regression. We don't need to allow enrolledBy to be modified because it gets written in the ipa_enrollment plugin, which does internal operations and so bypasses ACIs.
  https://fedorahosted.org/freeipa/ticket/302

* Entitlements ACIs not visible to Permission plugin
  Martin Kosek, 2011-02-22, 1 file, -3/+6
  This patch fixes Entitlements privileges and ACIs. There were missing descriptions, or the ACIs could not be processed by the Permission plugin because of a missing prefix.
  https://fedorahosted.org/freeipa/ticket/997

* Add default roles and permissions for HBAC, SUDO and pw policy
  Rob Crittenden, 2011-02-22, 1 file, -1/+1
  Created some default roles as examples. In doing so I realized that we were completely missing default rules for HBAC, SUDO and password policy so I added those as well.
  I ran into a problem when the updater has a default record and an add at the same time; it should handle it better now.
  ticket 585

* Add support for tracking and counting entitlements
  Rob Crittenden, 2011-02-02, 1 file, -18/+43
  Adds a plugin, entitle, to register to the entitlement server, consume entitlements and to count and track them. It is also possible to import an entitlement certificate (if for example the remote entitlement server is unavailable).
  This uses the candlepin server from https://fedorahosted.org/candlepin/wiki for entitlements.
  Add a cron job to validate the entitlement status and syslog the results.
  tickets 28, 79, 278

* Add new schema to store information about permissions.
  Rob Crittenden, 2011-02-01, 1 file, -0/+49
  There are some permissions we can't display because they are stored outside of the basedn (such as the replication permissions). We are adding a new attribute to store extra information to make this clear, in this case SYSTEM.
  ticket 853

* Rename permissions and privileges to be more readable.
  Rob Crittenden, 2011-01-31, 1 file, -247/+202
  This also drops description from permissions since it seems redundant and fixes up the help text a little.
  ticket 792

* modifyprivilegemembership permission has nestedgroup OC
  Martin Kosek, 2011-01-28, 1 file, -1/+1
  The modifyprivilegemembership permission object class in LDAP should be groupofnames, not nestedgroup.
  https://fedorahosted.org/freeipa/ticket/858

* Add support for account unlocking
  Jan Zeleny, 2011-01-28, 1 file, -0/+10
  This patch adds the command ipa user-unlock and some LDAP modifications which are required by Kerberos for unlocking to work.
  Ticket: https://fedorahosted.org/freeipa/ticket/344

* ACI plugin supports prefixes
  Martin Kosek, 2011-01-26, 1 file, -44/+44
  When more than one plugin produces ACIs, they share a common namespace of ACI names. This may lead to name collisions between the ACIs from different plugins.
  This patch introduces a mandatory "prefix" attribute for non-find ACI operations which allows plugins to use their own prefixes (i.e. namespaces), which are then used when the name of the ACI is generated. The Permission, Delegation and Selfservice plugins have been updated to use their own prefixes, thus avoiding name collisions by using their own namespaces. Default ACIs in LDIFs have been updated to follow this new policy.
  The Permission plugin now uses its CN (=primary key) instead of description in ACI names as Description may not be unique.
  This change requires an IPA server reinstall since the default ACI set has been changed.
  https://fedorahosted.org/freeipa/ticket/764

* Block anonymous access to HBAC, role and some member information.
  Rob Crittenden, 2011-01-24, 1 file, -0/+5
  Prevents an unauthenticated user from accessing HBAC and role information as well as memberof, which could disclose roles, memberships in HBAC, etc.
  ticket 811

* Move Virtual Operations container under cn=etc
  Simo Sorce, 2011-01-14, 1 file, -13/+13
  Fixes: https://fedorahosted.org/freeipa/ticket/759

* Move permissions and privileges to their own container, cn=pbac,$SUFFIX
  Rob Crittenden, 2010-12-22, 1 file, -155/+162
  ticket 638

* Remove referrals when removing agreements
  Simo Sorce, 2010-12-21, 1 file, -6/+14
  Part of this fix requires also giving proper permission to change the replication agreements root. While there, also fix replica-related permissions to have the classic add/modify/remove triplet of permissions.
  Fixes: https://fedorahosted.org/freeipa/ticket/630

* Add replication related acis to all replicas
  Simo Sorce, 2010-12-21, 1 file, -12/+0
  Fixes: https://fedorahosted.org/freeipa/ticket/617

* In meta data make ACI attributes lower-case, sorted. Add possible attributes.
  Rob Crittenden, 2010-12-21, 1 file, -2/+2
  The metadata contains a list of possible attributes that an ACI for that object might need. Add a new variable to hold possible objectclasses for optional elements (like posixGroup for groups).
  To make the list easier to handle, sort it and make it all lower-case.
  Fix a couple of missed camel-case attributes in the default ACI list.
  ticket 641

* Fix delegation.ldif typo
  Jakub Hrozek, 2010-12-20, 1 file, -1/+1

* Don't use camel-case LDAP attributes in ACI and don't clear enrolledBy
  Rob Crittenden, 2010-12-17, 1 file, -21/+14
  We keep LDAP attributes lower-case elsewhere in the API; we should do the same with all access controls.
  There were two ACIs pointing at the manage_host_keytab permission. This isn't allowed in general, and we have decided separately to not clear out enrolledBy when a host is unenrolled, so dropping it is the obvious thing to do.
  ticket 597

* Fix the change_password permissions and the DNS access controls.
  Rob Crittenden, 2010-12-17, 1 file, -1/+1
  The change_password permission was too broad; limit it to users.
  The DNS access controls rolled everything into a single ACI. I broke it out into separate ACIs for add, delete and add. I also added a new dns type for the permission plugin.
  ticket 628

* Re-implement access control using an updated model.
  Rob Crittenden, 2010-12-01, 1 file, -106/+515
  The new model is based on permissions, privileges and roles. Most importantly it corrects the reverse membership that caused problems in the previous implementation. You add permissions to privileges and privileges to roles, not the other way around (even though it works that way behind the scenes).
  A permission object is a combination of a simple group and an aci. The linkage between the aci and the permission is the description of the permission. This shows as the name/description of the aci.
  ldap:///self and groups granting groups (v1-style) are not supported by this model (it will be provided separately).
  This makes the aci plugin internal only.
  ticket 445

* Basic changes to get a default principal for DNS
  Simo Sorce, 2009-07-10, 1 file, -0/+348
  Also moves delegation layout installation in dsinstance. This is needed to allow us to set default membership in other modules like bindinstance.
  Signed-off-by: Martin Nagy <mnagy@redhat.com>