summaryrefslogtreecommitdiffstats
path: root/install/share
Commit message (Collapse)AuthorAgeFilesLines
* Explicitly disable betxn plugins for the time being.Rob Crittenden2012-10-102-0/+62
| | | | | | | | This should work with 389-ds-base 1.2.x and 1.3.0. Without other plugin changes 389-ds-base can deadlock. https://fedorahosted.org/freeipa/ticket/3046
* Add cifs principal to S4U2Proxy targets only when running ipa-adtrust-installAlexander Bokovoy2012-10-092-7/+0
| | | | | | | | | | | Since CIFS principal is generated by ipa-adtrust-install and is only usable after setting CIFS configuration, there is no need to include it into default setup. This should fix upgrades from 2.2 to 3.0 where CIFS principal does not exist by default. https://fedorahosted.org/freeipa/ticket/3041
* Add uniqueness plugin configuration for sudorule cnRob Crittenden2012-10-081-0/+18
| | | | | | | | | We do a search looking for duplicate values but this leaves open the possibility that two adds are happening at the same time so both searches return NotFound therefore we get two entries with the same cn value. https://fedorahosted.org/freeipa/ticket/3017
* Minor fixes for default SMB groupMartin Kosek2012-10-091-1/+1
| | | | | | | | This patch contains additional minor fixes which were proposed during review but were not pushed (accidentaly). Also amends a name of the default SMB group in a list of protected groups in group.py. https://fedorahosted.org/freeipa/ticket/3147
* ipa-adtrust-install: create fallback group with ldif fileSumit Bose2012-10-092-0/+9
| | | | | | | | | | Currently the framework is used to add the group but we want to avoid that users are added explicitly to the group by removing the objectclasses groupofnames, ipausergroup and nestedgroup and we want to use a name with spaces in it. Both it not easy possible with the framework, a LDIF file is used instead to create the group. Fixes https://fedorahosted.org/freeipa/ticket/3147
* Add new ipaIDobject to DNA plugin configuratonSumit Bose2012-10-041-1/+1
|
* Build and installation of Kerberos authentication extensionPetr Vobornik2012-10-042-1/+4
| | | | | | | | | | | | This patch is adding a build of kerberosauth.xpi (FF Kerberos authentication extension). Currently the build is done in install phase of FreeIPA server. It is to allow signing of the extension by singing certificate. The signing might not be necessary because the only outcome is that in extension installation FF doesn't show that the maker is not verified. It shows text: 'Object signing cert'. This might be a bug in httpinstance.py:262(db.create_signing_cert("Signing-Cert", "Object Signing Cert", ca_db)) The value is in place of hostname parameter. If the extension is not signed, it can be created in rpm build phase, which should make upgrades easier. Current implementation doesn't handle upgrades yet. In order to keep extension and config pages not dependent on a realm, a krb.js.teplate file was created. This template is used for creating a /usr/share/ipa/html/krb.js file in install phase which holds FreeIPA's realm and domain information. This information can be then used by config pages by importing this file. Ticket: https://fedorahosted.org/freeipa/ticket/3094
* Index ipakrbprincipalalias and ipaautomountkey attributesMartin Kosek2012-10-011-0/+16
| | | | | | | | | | | | An unindexed search for ipakrbprincipalalias is fired for every ipa command (and other authentication events) which would degrade IPA server performance if not indexed. ipaautomountkey unindexed searches are hit when new key entries are being added. Add both indexes to new and updated IPA installs. https://fedorahosted.org/freeipa/ticket/3020 https://fedorahosted.org/freeipa/ticket/3025
* Set master_kdc and dns_lookup_kdc to trueSumit Bose2012-09-192-1/+3
| | | | https://fedorahosted.org/freeipa/ticket/2515
* Run the CLEANALLRUV task when deleting a replication agreement.Rob Crittenden2012-09-171-0/+5
| | | | | | | | | | | | This adds two new commands to ipa-replica-manage: list-ruv & clean-ruv list-ruv can be use to list the update vectors the master has configugured clean-ruv can be used to fire off the CLEANRUV task to remove a replication vector. It should be used with caution. https://fedorahosted.org/freeipa/ticket/2303
* Expand Referential Integrity checksMartin Kosek2012-09-162-1/+109
| | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | Many attributes in IPA (e.g. manager, memberuser, managedby, ...) are used to store DNs of linked objects in IPA (users, hosts, sudo commands, etc.). However, when the linked objects is deleted or renamed, the attribute pointing to it stays with the objects and thus may create a dangling link causing issues in client software reading the data. Directory Server has a plugin to enforce referential integrity (RI) by checking DEL and MODRDN operations and updating affected links. It was already used for manager and secretary attributes and should be expanded for the missing attributes to avoid dangling links. As a prerequisite, all attributes checked for RI must have pres and eq indexes to avoid performance issues. Thus, the following indexes are added: * manager (pres index only) * secretary (pres index only) * memberHost * memberUser * sourcehost * memberservice * managedby * memberallowcmd * memberdenycmd * ipasudorunas * ipasudorunasgroup Referential Integrity plugin is updated to enforce RI for all these attributes. Unit tests covering RI checks for all these attributes were added as well. Note: this update will only fix RI on one master as RI plugin does not check replicated operations. https://fedorahosted.org/freeipa/ticket/2866
* Amend memberAllowCmd and memberDenyCmd attribute typesMartin Kosek2012-09-161-2/+2
| | | | | | | | | | | Attribute types of attributes designed to hold DN values are not supposed to hold own ORDERING or SUBSTR matching rules (which were even not correct in this case). Update these attributes to only define an EQUALITY rule just like other DN attribute types in IPA. https://fedorahosted.org/freeipa/ticket/2866
* Set SELinux default context to unconfined_u:s0-s0:c0.c1023Rob Crittenden2012-09-131-1/+1
| | | | | | | Don't require ipaselinuxdefaultuser to be set. If this is unset then SSSD will use the system default. https://fedorahosted.org/freeipa/ticket/3045
* Add per-service option to store the types of PAC it supportsRob Crittenden2012-08-012-1/+5
| | | | | | Create a per-service default as well. https://fedorahosted.org/freeipa/ticket/2184
* Use certmonger to renew CA subsystem certificatesRob Crittenden2012-07-302-0/+16
| | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | Certificate renewal can be done only one one CA as the certificates need to be shared amongst them. certmonger has been trained to communicate directly with dogtag to perform the renewals. The initial CA installation is the defacto certificate renewal master. A copy of the certificate is stored in the IPA LDAP tree in cn=ca_renewal,cn=ipa,cn=etc,$SUFFIX, the rdn being the nickname of the certificate, when a certificate is renewed. Only the most current certificate is stored. It is valid to have no certificates there, it means that no renewals have taken place. The clones are configured with a new certmonger CA type that polls this location in the IPA tree looking for an updated certificate. If one is not found then certmonger is put into the CA_WORKING state and will poll every 8 hours until an updated certificate is available. The RA agent certificate, ipaCert in /etc/httpd/alias, is a special case. When this certificate is updated we also need to update its entry in the dogtag tree, adding the updated certificate and telling dogtag which certificate to use. This is the certificate that lets IPA issue certificates. On upgrades we check to see if the certificate tracking is already in place. If not then we need to determine if this is the master that will do the renewals or not. This decision is made based on whether it was the first master installed. It is concievable that this master is no longer available meaning that none are actually tracking renewal. We will need to document this. https://fedorahosted.org/freeipa/ticket/2803
* Enable SOA serial autoincrementMartin Kosek2012-07-131-0/+1
| | | | | | | | | | | | | | | | | | SOA serial autoincrement is a requirement for major DNS features, e.g. zone transfers or DNSSEC. Enable it by default in named.conf both for new and upgraded installations. Name of the bind-dyndb-ldap option is "serial_autoincrement". From now on, idnsSOAserial attribute also has to be put to replication agreement exclude list as serial will be incremented on each DNS server separately and won't be shared. Exclude list has to be updated both for new replication agreements and the current ones. Minimum number of connections for bind-dyndb-ldap has been rised to 4 connections, the setting will be updated during package upgrade. https://fedorahosted.org/freeipa/ticket/2554
* Add automount map/key update permissionsMartin Kosek2012-07-101-2/+20
| | | | | | | | | | | | | Add missing permissions that can be used to delegate write access to existing automount maps or keys. Since automount key RDN has been changed in the past from "automountkey" to "description" and there can be LDAP entries with both RDNs, structure of relevant ACI need to be changed to different scheme. Now, it rather targets a DN of parent automount map object and uses targetfilter to limit the target to automount key objects only. https://fedorahosted.org/freeipa/ticket/2687
* ipasam: improve SASL bind callbackAlexander Bokovoy2012-07-061-1/+0
| | | | | | | | SASL bind callback due to refactoring was referencing local variable which didn't exist all the time. Fix that by including a copy of service principals into ipasam long term private struct. Rework ccache handling to avoid re-initing every time callback is called
* Create default range entry after upgradeMartin Kosek2012-07-021-2/+2
| | | | | | | | | | Create default range both on new install and on upgrades. Also make sure that all range object classes are present for upgraded machines. Default range LDIF entry for new install was fixed so that new installation does not crash. https://fedorahosted.org/freeipa/ticket/2891
* Add objects for initial ID rangeSumit Bose2012-06-291-0/+14
|
* Extend LDAP schemaSumit Bose2012-06-291-0/+8
| | | | | | | | | | | The objectclass ipaIDobject can be used to reserve local UIDs, GIDs or SIDs for objects that are no neither users nor groups. The ipa*IDRange objectclasses will be used to store the used Posix ID ranges of the local domains (ipaDomainIDRange) or the ranges reserved for AD domains (ipaTrustedADDomainRange). To be able to map the Posix IDs to a RID and back the corresponding ranges can be saved here as well.
* Per-domain DNS record permissionsMartin Kosek2012-06-282-1/+5
| | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | IPA implements read/write permissions for DNS record or zones. Provided set of permissions and privileges can, however, only grant access to the whole DNS tree, which may not be appropriate. Administrators may miss more fine-grained permissions allowing them to delegate access per-zone. Create a new IPA auxiliary objectclass ipaDNSZone allowing a managedBy attribute for a DNS zone. This attribute will hold a group DN (in this case a permission) which allows its members to read or write in a zone. Member permissions in given zone will only have 2 limitations: 1) Members cannot delete the zone 2) Members cannot edit managedBy attribute Current DNS deny ACI used to enforce read access is removed so that DNS privileges are based on allow ACIs only, which is much more flexible approach as deny ACIs have always precedence and limit other extensions. Per-zone access is allowed in 3 generic ACIs placed in cn=dns,$SUFFIX so that no special ACIs has to be added to DNS zones itselves. 2 new commands have been added which allows an administrator to create the system permission allowing the per-zone access and fill a zone's managedBy attribute: * dnszone-add-permission: Add per-zone permission * dnszone-remove-permission: Remove per-zone permission https://fedorahosted.org/freeipa/ticket/2511
* Defer adding ipa-cifs-delegation-targets until the Updates phase.Rob Crittenden2012-06-271-3/+5
| | | | | | | It was likely that this would fail being in an LDIF so let an update file add this potentially conflicting entry instead. https://fedorahosted.org/freeipa/ticket/2837
* Remove ipaNTHash from global allow ACIMartin Kosek2012-06-261-4/+4
| | | | | | | | ipaNTHash contains security sensitive information, it should be hidden just like other password attributes. As a part of preparation for ticket #2511, the ACI allowing global access is also updated to hide DNS zones. https://fedorahosted.org/freeipa/ticket/2856
* Set network.http.sendRefererHeader to 2 on browser configPetr Vobornik2012-06-221-9/+15
| | | | | | | | | | IPA web UI isn't functional when browser doesn't send http headers. This patch adds a functionality which sets Firefox network.http.sendRefererHeader configuration option to value '2' which enables it. Possible values: http://kb.mozillazine.org/Network.http.sendRefererHeader https://fedorahosted.org/freeipa/ticket/2778
* Add trust-related ACIsAlexander Bokovoy2012-06-071-1/+1
| | | | | | | | | A high-level description of the design and ACIs for trusts is available at https://www.redhat.com/archives/freeipa-devel/2011-December/msg00224.html and https://www.redhat.com/archives/freeipa-devel/2011-December/msg00248.html Ticket #1731
* Perform case-insensitive searches for principals on TGS requestsAlexander Bokovoy2012-06-072-0/+4
| | | | | | | | | | We want to always resolve TGS requests even if the user mistakenly sends a request for a service ticket where the fqdn part contain upper case letters. The actual implementation follows hints set by KDC. When AP_REQ is done, KDC sets KRB5_FLAG_ALIAS_OK and we obey it when looking for principals on TGS requests. https://fedorahosted.org/freeipa/ticket/1577
* Add trust management for Active Directory trustsAlexander Bokovoy2012-06-073-1/+4
|
* Use dedicated keytab for SambaAlexander Bokovoy2012-06-071-1/+3
| | | | | | | | Samba just needs the cifs/ key on the ipa server. Configure samba to use a different keytab file so that we do not risk samba commands (net, or similar) to mess up the system keytab. https://fedorahosted.org/freeipa/ticket/2168
* Add separate attribute to store trusted domain SIDAlexander Bokovoy2012-06-073-1/+19
| | | | | | | | | | | We need two attributes in the ipaNTTrustedDomain objectclass to store different kind of SID. Currently ipaNTSecurityIdentifier is used to store the Domain-SID of the trusted domain. A second attribute is needed to store the SID for the trusted domain user. Since it cannot be derived safely from other values and since it does not make sense to create a separate object for the user a new attribute is needed. https://fedorahosted.org/freeipa/ticket/2191
* permission-find missed some results with --pkey-only optionMartin Kosek2012-06-011-0/+4
| | | | | | | | | | | | | When permission-find post callback detected a --pkey-only option, it just terminated. However, this way the results that could have been added from aci_find matches were not included. Fix the post callback to go through the entire matching process. Also make sure that DNS permissions have a correct objectclass (ipapermission), otherwise such objects are not matched by the permission LDAP search. https://fedorahosted.org/freeipa/ticket/2658
* - add a pair of ethers maps for computers with hardware addresses on fileNalin Dahyabhai2012-04-261-0/+23
|
* - create a "cn=computers" compat area populated with ieee802Device entries ↵Nalin Dahyabhai2012-04-261-0/+14
| | | | corresponding to computers with fqdn and macAddress attributes
* - index the fqdn and macAddress attributes for the sake of the compat pluginNalin Dahyabhai2012-04-261-0/+19
|
* Use mixed-case for Read DNS Entries permissionRob Crittenden2012-04-231-3/+3
| | | | https://fedorahosted.org/freeipa/ticket/2569
* Fix installation when server hostname is not in a default domainMartin Kosek2012-04-081-1/+1
| | | | | | | | | | | | | | | | | | | When IPA server is configured with DNS and its hostname is not located in a default domain, SRV records are not valid. Additionally, httpd does not serve XMLRPC interface because it IPA server domain-realm mapping is missing in krb5.conf. All CLI commands were then failing. This patch amends this configuration. It fixes SRV records in served domain to include full FQDN instead of relative hostname when the IPA server hostname is not located in served domain. IPA server forward record is also placed to correct zone. When IPA server is not in a served domain a proper domain-realm mapping is configured to krb5.conf. The template was improved in order to be able to hold this information. https://fedorahosted.org/freeipa/ticket/2602
* Return consistent value when hostcat and usercat is all.Rob Crittenden2012-04-081-1/+1
| | | | | | | | | | We were returning '' for the first entry when hostcat and usercat were set to all. All subsequent entries were padded with - which effectively denied access. This requires slapi-nis 0.40+ https://fedorahosted.org/freeipa/ticket/2192
* Forbid public access to DNS treeMartin Kosek2012-04-011-0/+12
| | | | | | | | | | | | | | | | | | | With a publicly accessible DNS tree in LDAP, anyone with an access to the LDAP server can get all DNS data as with a zone transfer which is already restricted with ACL. Making DNS tree not readable to public is a common security practice and should be applied in FreeIPA as well. This patch adds a new deny rule to forbid access to DNS tree to users or hosts without an appropriate permission or users which are not members of admins group. The new permission/aci is applied both for new installs and upgraded servers. bind-dyndb-ldap plugin is allowed to read DNS tree without any change because its principal is already a member of "DNS Servers" privilege. https://fedorahosted.org/freeipa/ticket/2569
* Amend permissions for new DNS attributesMartin Kosek2012-03-251-1/+11
| | | | | | | | | | | | New features in bind-dyndb-ldap and IPA DNS plugin pulled new attributes and objectclasses. ACIs and permissions need to be updated to allow users with appropriate permissions update these attributes in LDAP. This patch updates the ACI for DNS record updates and adds one new permission to update global DNS configuration. https://fedorahosted.org/freeipa/ticket/2510
* Add support for sudoOrderRob Crittenden2012-03-012-2/+2
| | | | | | | | | | Update ipaSudoRule objectClass on upgrades to add new attributes. Ensure uniqueness of sudoOrder in rules. The attributes sudoNotBefore and sudoNotAfter are being added to schema but not as Params. https://fedorahosted.org/freeipa/ticket/1314
* Fix nested netgroups in NIS.Rob Crittenden2012-02-291-1/+1
| | | | | | | | We originally designed netgroups to use a special membership attribute, memberNisNetgroup. We changed it at implementation time but never updated the mapping. https://fedorahosted.org/freeipa/ticket/2359
* Tweak the session auth to reflect developer consensus.John Dennis2012-02-271-1/+2
| | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | * Increase the session ID from 48 random bits to 128. * Implement the sesison_logout RPC command. It permits the UI to send a command that destroys the users credentials in the current session. * Restores the original web URL's and their authentication protections. Adds a new URL for sessions /ipa/session/json. Restores the original Kerberos auth which was for /ipa and everything below. New /ipa/session/json URL is treated as an exception and turns all authenticaion off. Similar to how /ipa/ui is handled. * Refactor the RPC handlers in rpcserver.py such that there is one handler per URL, specifically one handler per RPC and AuthMechanism combination. * Reworked how the URL names are used to map a URL to a handler. Previously it only permitted one level in the URL path hierarchy. We now dispatch on more that one URL path component. * Renames the api.Backend.session object to wsgi_dispatch. The use of the name session was historical and is now confusing since we've implemented sessions in a different location than the api.Backend.session object, which is really a WSGI dispatcher, hence the new name wsgi_dispatch. * Bullet-proof the setting of the KRB5CCNAME environment variable. ldap2.connect already sets it via the create_context() call but just in case that's not called or not called early enough (we now have other things besides ldap which need the ccache) we explicitly set it early as soon as we know it. * Rework how we test for credential validity and expiration. The previous code did not work with s4u2proxy because it assumed the existance of a TGT. Now we first try ldap credentials and if we can't find those fallback to the TGT. This logic was moved to the KRB5_CCache object, it's an imperfect location for it but it's the only location that makes sense at the moment given some of the current code limitations. The new methods are KRB5_CCache.valid() and KRB5_CCache.endtime(). * Add two new classes to session.py AuthManager and SessionAuthManager. Their purpose is to emit authication events to interested listeners. At the moment the logout event is the only event, but the framework should support other events as they arise. * Add BuildRequires python-memcached to freeipa.spec.in * Removed the marshaled_dispatch method, it was cruft, no longer referenced. https://fedorahosted.org/freeipa/ticket/2362
* Global DNS optionsMartin Kosek2012-02-241-0/+1
| | | | | | | | | | | | Implement API for DNS global options supported in bind-dyndb-ldap. Currently, global DNS option overrides any relevant option in named.conf. Thus they are not filled by default they are left as a possibility for a user. Bool encoding had to be fixed so that Bool LDAP attribute can also be deleted and not just set to True or False. https://fedorahosted.org/freeipa/ticket/2216
* Update schema for bind-dyndb-ldapMartin Kosek2012-02-241-2/+10
| | | | | | | | | | | Add new attributes and objectclasses to support new features: - global bind-dyndb-ldap settings in LDAP - conditional per-zone forwarding - per-zone configuration of automatic PTR updates - AllowQuery and AllowTransfer ACIs https://fedorahosted.org/freeipa/ticket/2215 https://fedorahosted.org/freeipa/ticket/2072
* Don't allow "Modify Group membership" permission to manage adminsRob Crittenden2012-02-231-1/+1
| | | | | | | | The permission "Modify Group membership" is used to delegate group management responsibilities. We don't want that to include managing the admins group. https://fedorahosted.org/freeipa/ticket/2416
* Limit the change password permission so it can't change admin passwordsRob Crittenden2012-02-201-1/+1
| | | | | | | We don't want those in the helpdesk role to be able to reset administrators passwords. https://fedorahosted.org/freeipa/ticket/2271
* Make ipausers a non-posix group on new installsPetr Viktorin2012-02-191-2/+0
| | | | | | | | | https://fedorahosted.org/freeipa/ticket/2238 It doesn't make a lot of sense for ipausers to be a posix group and we will save a few cycles in compat and sssd by making it non-posix. This is for new installs only.
* Use FQDN in place of FQHN for consistency in sub_dict.Rob Crittenden2012-02-152-3/+3
| | | | | | | For some reason lost to history the sub_dict in dsinstance and cainstance used FQHN instead of FQDN. This made upgrade scripts not work reliably as the variable might be different depending on context. Use FQDN universally instead.
* Update S4U2proxy delegation list when creating replicasRob Crittenden2012-02-152-0/+10
|
* Don't set delegation flag in client, we're using S4U2Proxy nowRob Crittenden2012-02-151-1/+1
| | | | | | | | | | | | A forwardable ticket is still required but we no longer need to send the TGT to the IPA server. A new flag, --delegate, is available if the old behavior is required. Set the minimum n-v-r for mod_auth_kerb and krb5-server to pick up needed patches for S4U2Proxy to work. https://fedorahosted.org/freeipa/ticket/1098 https://fedorahosted.org/freeipa/ticket/2246
generated by cgit (git 2.34.1) at 2024-05-18 10:01:57 +0000