freeipa.git - FreeIPA project

	Commit message (Collapse)	Author	Age	Files	Lines
*	Fix: Missing ACI for records in 40-dns.update	Martin Basti	2014-07-04	1	-0/+1
\| \| \| \|	Reviewed-By: Petr Viktorin <pviktori@redhat.com>
*	Fix ACI in DNS	Martin Basti	2014-07-01	1	-1/+0
\| \| \| \| \| \| \|	Added ACI for idnssecinlinesigning, dlvrecord, nsec3paramrecord, tlsarecord Reviewed-By: Petr Viktorin <pviktori@redhat.com>
*	DNSSEC: DLVRecord type added	Martin Basti	2014-06-20	1	-1/+1
\| \| \| \| \|	Ticket: https://fedorahosted.org/freeipa/ticket/4328 Reviewed-By: Petr Vobornik <pvoborni@redhat.com>
*	DNSSEC: added NSEC3PARAM record type	Martin Basti	2014-06-20	1	-1/+1
\| \| \| \| \|	Ticket: https://fedorahosted.org/freeipa/ticket/4328 Reviewed-By: Petr Vobornik <pvoborni@redhat.com>
*	Convert DNS default permissions to managed	Petr Viktorin	2014-06-18	1	-59/+0
\| \| \| \| \| \| \| \| \| \| \|	Convert the existing default permissions. The Read permission is split between Read DNS Entries and Read DNS Configuration. Part of the work for: https://fedorahosted.org/freeipa/ticket/4346 Reviewed-By: Martin Kosek <mkosek@redhat.com>
*	Per-domain DNS record permissions	Martin Kosek	2012-06-28	1	-1/+4
\| \| \| \| \| \| \| \| \| \| \| \| \| \| \| \| \| \| \| \| \| \| \| \| \| \| \| \| \| \| \|	IPA implements read/write permissions for DNS record or zones. Provided set of permissions and privileges can, however, only grant access to the whole DNS tree, which may not be appropriate. Administrators may miss more fine-grained permissions allowing them to delegate access per-zone. Create a new IPA auxiliary objectclass ipaDNSZone allowing a managedBy attribute for a DNS zone. This attribute will hold a group DN (in this case a permission) which allows its members to read or write in a zone. Member permissions in given zone will only have 2 limitations: 1) Members cannot delete the zone 2) Members cannot edit managedBy attribute Current DNS deny ACI used to enforce read access is removed so that DNS privileges are based on allow ACIs only, which is much more flexible approach as deny ACIs have always precedence and limit other extensions. Per-zone access is allowed in 3 generic ACIs placed in cn=dns,$SUFFIX so that no special ACIs has to be added to DNS zones itselves. 2 new commands have been added which allows an administrator to create the system permission allowing the per-zone access and fill a zone's managedBy attribute: * dnszone-add-permission: Add per-zone permission * dnszone-remove-permission: Remove per-zone permission https://fedorahosted.org/freeipa/ticket/2511
*	permission-find missed some results with --pkey-only option	Martin Kosek	2012-06-01	1	-0/+4
\| \| \| \| \| \| \| \| \| \| \| \| \|	When permission-find post callback detected a --pkey-only option, it just terminated. However, this way the results that could have been added from aci_find matches were not included. Fix the post callback to go through the entire matching process. Also make sure that DNS permissions have a correct objectclass (ipapermission), otherwise such objects are not matched by the permission LDAP search. https://fedorahosted.org/freeipa/ticket/2658
*	Use mixed-case for Read DNS Entries permission	Rob Crittenden	2012-04-23	1	-3/+3
\| \| \| \|	https://fedorahosted.org/freeipa/ticket/2569
*	Forbid public access to DNS tree	Martin Kosek	2012-04-01	1	-0/+12
\| \| \| \| \| \| \| \| \| \| \| \| \| \| \| \| \| \| \|	With a publicly accessible DNS tree in LDAP, anyone with an access to the LDAP server can get all DNS data as with a zone transfer which is already restricted with ACL. Making DNS tree not readable to public is a common security practice and should be applied in FreeIPA as well. This patch adds a new deny rule to forbid access to DNS tree to users or hosts without an appropriate permission or users which are not members of admins group. The new permission/aci is applied both for new installs and upgraded servers. bind-dyndb-ldap plugin is allowed to read DNS tree without any change because its principal is already a member of "DNS Servers" privilege. https://fedorahosted.org/freeipa/ticket/2569
*	Amend permissions for new DNS attributes	Martin Kosek	2012-03-25	1	-1/+11
\| \| \| \| \| \| \| \| \| \| \| \|	New features in bind-dyndb-ldap and IPA DNS plugin pulled new attributes and objectclasses. ACIs and permissions need to be updated to allow users with appropriate permissions update these attributes in LDAP. This patch updates the ACI for DNS record updates and adds one new permission to update global DNS configuration. https://fedorahosted.org/freeipa/ticket/2510
*	Global DNS options	Martin Kosek	2012-02-24	1	-0/+1
\| \| \| \| \| \| \| \| \| \| \| \|	Implement API for DNS global options supported in bind-dyndb-ldap. Currently, global DNS option overrides any relevant option in named.conf. Thus they are not filled by default they are left as a possibility for a user. Bool encoding had to be fixed so that Bool LDAP attribute can also be deleted and not just set to True or False. https://fedorahosted.org/freeipa/ticket/2216
*	Fix DNS permissions and membership in privileges	Rob Crittenden	2011-10-09	1	-23/+23
\| \| \| \| \| \| \| \| \| \| \| \| \|	This resolves two issues: 1. The DNS acis lacked a prefix so weren't tied to permissions 2. The permissions were added before the privileges so the member values weren't calculated properly For updates we need to add in the members and recalculate memberof via a DS task. https://fedorahosted.org/freeipa/ticket/1898
*	Rename permissions and privileges to be more readable.	Rob Crittenden	2011-01-31	1	-10/+10
\| \| \| \| \| \| \|	This also drops description from permissions since it seems redundant and fixes up the help text a little. ticket 792
*	Move permissions and privileges to their own container, cn=pbac,$SUFFIX	Rob Crittenden	2010-12-22	1	-14/+14
\| \| \| \|	ticket 638
*	Fix the change_password permissions and the DNS access controls.	Rob Crittenden	2010-12-17	1	-4/+28
\| \| \| \| \| \| \| \| \| \|	The change_password permission was too broad, limit it to users. The DNS access controls rolled everything into a single ACI. I broke it out into separate ACIs for add, delete and add. I also added a new dns type for the permission plugin. ticket 628
*	Re-implement access control using an updated model.	Rob Crittenden	2010-12-01	1	-1/+26
\| \| \| \| \| \| \| \| \| \| \| \| \| \| \| \| \| \| \|	The new model is based on permssions, privileges and roles. Most importantly it corrects the reverse membership that caused problems in the previous implementation. You add permission to privileges and privileges to roles, not the other way around (even though it works that way behind the scenes). A permission object is a combination of a simple group and an aci. The linkage between the aci and the permission is the description of the permission. This shows as the name/description of the aci. ldap:///self and groups granting groups (v1-style) are not supported by this model (it will be provided separately). This makes the aci plugin internal only. ticket 445
*	Use the dns plug-in for addition of records during installation	Martin Nagy	2010-01-21	1	-88/+0
\| \| \| \|	Fixes #528943
*	Add a reverse zone with server's PTR record	Martin Nagy	2009-07-22	1	-2/+2
\| \| \| \|	Also, small cosmetic change in dns.ldif.
*	Use uppercase boolean values in dns.ldif	Martin Nagy	2009-07-15	1	-2/+2
\| \| \| \| \| \|	The newest 389 server implements syntax checking and causes problems if the boolean attribute is set to "True". The correct value should be "TRUE".
*	Basic changes to get a default principal for DNS	Simo Sorce	2009-07-10	1	-0/+1
\| \| \| \| \| \| \| \|	Also moves delagation layout installation in dsinstance. This is needed to allow us to set default membership in other modules like bindinstance. Signed-off-by: Martin Nagy <mnagy@redhat.com>
*	Use LDAP instead of flat file for zone storage	Martin Nagy	2009-06-02	1	-0/+93