summaryrefslogtreecommitdiffstats
path: root/install/share
Commit message (Collapse)AuthorAgeFilesLines
* Add trust-related ACIsAlexander Bokovoy2012-06-071-1/+1
| | | | | | | | | A high-level description of the design and ACIs for trusts is available at https://www.redhat.com/archives/freeipa-devel/2011-December/msg00224.html and https://www.redhat.com/archives/freeipa-devel/2011-December/msg00248.html Ticket #1731
* Perform case-insensitive searches for principals on TGS requestsAlexander Bokovoy2012-06-072-0/+4
| | | | | | | | | | We want to always resolve TGS requests even if the user mistakenly sends a request for a service ticket where the fqdn part contain upper case letters. The actual implementation follows hints set by KDC. When AP_REQ is done, KDC sets KRB5_FLAG_ALIAS_OK and we obey it when looking for principals on TGS requests. https://fedorahosted.org/freeipa/ticket/1577
* Add trust management for Active Directory trustsAlexander Bokovoy2012-06-073-1/+4
|
* Use dedicated keytab for SambaAlexander Bokovoy2012-06-071-1/+3
| | | | | | | | Samba just needs the cifs/ key on the ipa server. Configure samba to use a different keytab file so that we do not risk samba commands (net, or similar) to mess up the system keytab. https://fedorahosted.org/freeipa/ticket/2168
* Add separate attribute to store trusted domain SIDAlexander Bokovoy2012-06-073-1/+19
| | | | | | | | | | | We need two attributes in the ipaNTTrustedDomain objectclass to store different kind of SID. Currently ipaNTSecurityIdentifier is used to store the Domain-SID of the trusted domain. A second attribute is needed to store the SID for the trusted domain user. Since it cannot be derived safely from other values and since it does not make sense to create a separate object for the user a new attribute is needed. https://fedorahosted.org/freeipa/ticket/2191
* permission-find missed some results with --pkey-only optionMartin Kosek2012-06-011-0/+4
| | | | | | | | | | | | | When permission-find post callback detected a --pkey-only option, it just terminated. However, this way the results that could have been added from aci_find matches were not included. Fix the post callback to go through the entire matching process. Also make sure that DNS permissions have a correct objectclass (ipapermission), otherwise such objects are not matched by the permission LDAP search. https://fedorahosted.org/freeipa/ticket/2658
* - add a pair of ethers maps for computers with hardware addresses on fileNalin Dahyabhai2012-04-261-0/+23
|
* - create a "cn=computers" compat area populated with ieee802Device entries ↵Nalin Dahyabhai2012-04-261-0/+14
| | | | corresponding to computers with fqdn and macAddress attributes
* - index the fqdn and macAddress attributes for the sake of the compat pluginNalin Dahyabhai2012-04-261-0/+19
|
* Use mixed-case for Read DNS Entries permissionRob Crittenden2012-04-231-3/+3
| | | | https://fedorahosted.org/freeipa/ticket/2569
* Fix installation when server hostname is not in a default domainMartin Kosek2012-04-081-1/+1
| | | | | | | | | | | | | | | | | | | When IPA server is configured with DNS and its hostname is not located in a default domain, SRV records are not valid. Additionally, httpd does not serve XMLRPC interface because it IPA server domain-realm mapping is missing in krb5.conf. All CLI commands were then failing. This patch amends this configuration. It fixes SRV records in served domain to include full FQDN instead of relative hostname when the IPA server hostname is not located in served domain. IPA server forward record is also placed to correct zone. When IPA server is not in a served domain a proper domain-realm mapping is configured to krb5.conf. The template was improved in order to be able to hold this information. https://fedorahosted.org/freeipa/ticket/2602
* Return consistent value when hostcat and usercat is all.Rob Crittenden2012-04-081-1/+1
| | | | | | | | | | We were returning '' for the first entry when hostcat and usercat were set to all. All subsequent entries were padded with - which effectively denied access. This requires slapi-nis 0.40+ https://fedorahosted.org/freeipa/ticket/2192
* Forbid public access to DNS treeMartin Kosek2012-04-011-0/+12
| | | | | | | | | | | | | | | | | | | With a publicly accessible DNS tree in LDAP, anyone with an access to the LDAP server can get all DNS data as with a zone transfer which is already restricted with ACL. Making DNS tree not readable to public is a common security practice and should be applied in FreeIPA as well. This patch adds a new deny rule to forbid access to DNS tree to users or hosts without an appropriate permission or users which are not members of admins group. The new permission/aci is applied both for new installs and upgraded servers. bind-dyndb-ldap plugin is allowed to read DNS tree without any change because its principal is already a member of "DNS Servers" privilege. https://fedorahosted.org/freeipa/ticket/2569
* Amend permissions for new DNS attributesMartin Kosek2012-03-251-1/+11
| | | | | | | | | | | | New features in bind-dyndb-ldap and IPA DNS plugin pulled new attributes and objectclasses. ACIs and permissions need to be updated to allow users with appropriate permissions update these attributes in LDAP. This patch updates the ACI for DNS record updates and adds one new permission to update global DNS configuration. https://fedorahosted.org/freeipa/ticket/2510
* Add support for sudoOrderRob Crittenden2012-03-012-2/+2
| | | | | | | | | | Update ipaSudoRule objectClass on upgrades to add new attributes. Ensure uniqueness of sudoOrder in rules. The attributes sudoNotBefore and sudoNotAfter are being added to schema but not as Params. https://fedorahosted.org/freeipa/ticket/1314
* Fix nested netgroups in NIS.Rob Crittenden2012-02-291-1/+1
| | | | | | | | We originally designed netgroups to use a special membership attribute, memberNisNetgroup. We changed it at implementation time but never updated the mapping. https://fedorahosted.org/freeipa/ticket/2359
* Tweak the session auth to reflect developer consensus.John Dennis2012-02-271-1/+2
| | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | * Increase the session ID from 48 random bits to 128. * Implement the sesison_logout RPC command. It permits the UI to send a command that destroys the users credentials in the current session. * Restores the original web URL's and their authentication protections. Adds a new URL for sessions /ipa/session/json. Restores the original Kerberos auth which was for /ipa and everything below. New /ipa/session/json URL is treated as an exception and turns all authenticaion off. Similar to how /ipa/ui is handled. * Refactor the RPC handlers in rpcserver.py such that there is one handler per URL, specifically one handler per RPC and AuthMechanism combination. * Reworked how the URL names are used to map a URL to a handler. Previously it only permitted one level in the URL path hierarchy. We now dispatch on more that one URL path component. * Renames the api.Backend.session object to wsgi_dispatch. The use of the name session was historical and is now confusing since we've implemented sessions in a different location than the api.Backend.session object, which is really a WSGI dispatcher, hence the new name wsgi_dispatch. * Bullet-proof the setting of the KRB5CCNAME environment variable. ldap2.connect already sets it via the create_context() call but just in case that's not called or not called early enough (we now have other things besides ldap which need the ccache) we explicitly set it early as soon as we know it. * Rework how we test for credential validity and expiration. The previous code did not work with s4u2proxy because it assumed the existance of a TGT. Now we first try ldap credentials and if we can't find those fallback to the TGT. This logic was moved to the KRB5_CCache object, it's an imperfect location for it but it's the only location that makes sense at the moment given some of the current code limitations. The new methods are KRB5_CCache.valid() and KRB5_CCache.endtime(). * Add two new classes to session.py AuthManager and SessionAuthManager. Their purpose is to emit authication events to interested listeners. At the moment the logout event is the only event, but the framework should support other events as they arise. * Add BuildRequires python-memcached to freeipa.spec.in * Removed the marshaled_dispatch method, it was cruft, no longer referenced. https://fedorahosted.org/freeipa/ticket/2362
* Global DNS optionsMartin Kosek2012-02-241-0/+1
| | | | | | | | | | | | Implement API for DNS global options supported in bind-dyndb-ldap. Currently, global DNS option overrides any relevant option in named.conf. Thus they are not filled by default they are left as a possibility for a user. Bool encoding had to be fixed so that Bool LDAP attribute can also be deleted and not just set to True or False. https://fedorahosted.org/freeipa/ticket/2216
* Update schema for bind-dyndb-ldapMartin Kosek2012-02-241-2/+10
| | | | | | | | | | | Add new attributes and objectclasses to support new features: - global bind-dyndb-ldap settings in LDAP - conditional per-zone forwarding - per-zone configuration of automatic PTR updates - AllowQuery and AllowTransfer ACIs https://fedorahosted.org/freeipa/ticket/2215 https://fedorahosted.org/freeipa/ticket/2072
* Don't allow "Modify Group membership" permission to manage adminsRob Crittenden2012-02-231-1/+1
| | | | | | | | The permission "Modify Group membership" is used to delegate group management responsibilities. We don't want that to include managing the admins group. https://fedorahosted.org/freeipa/ticket/2416
* Limit the change password permission so it can't change admin passwordsRob Crittenden2012-02-201-1/+1
| | | | | | | We don't want those in the helpdesk role to be able to reset administrators passwords. https://fedorahosted.org/freeipa/ticket/2271
* Make ipausers a non-posix group on new installsPetr Viktorin2012-02-191-2/+0
| | | | | | | | | https://fedorahosted.org/freeipa/ticket/2238 It doesn't make a lot of sense for ipausers to be a posix group and we will save a few cycles in compat and sssd by making it non-posix. This is for new installs only.
* Use FQDN in place of FQHN for consistency in sub_dict.Rob Crittenden2012-02-152-3/+3
| | | | | | | For some reason lost to history the sub_dict in dsinstance and cainstance used FQHN instead of FQDN. This made upgrade scripts not work reliably as the variable might be different depending on context. Use FQDN universally instead.
* Update S4U2proxy delegation list when creating replicasRob Crittenden2012-02-152-0/+10
|
* Don't set delegation flag in client, we're using S4U2Proxy nowRob Crittenden2012-02-151-1/+1
| | | | | | | | | | | | A forwardable ticket is still required but we no longer need to send the TGT to the IPA server. A new flag, --delegate, is available if the old behavior is required. Set the minimum n-v-r for mod_auth_kerb and krb5-server to pick up needed patches for S4U2Proxy to work. https://fedorahosted.org/freeipa/ticket/1098 https://fedorahosted.org/freeipa/ticket/2246
* Add LDAP ACIs for SSH public key schema.Jan Cholasta2012-02-132-0/+21
| | | | https://fedorahosted.org/freeipa/ticket/754
* Add LDAP schema for SSH public keys.Jan Cholasta2012-02-132-0/+6
| | | | https://fedorahosted.org/freeipa/ticket/754
* Remove delegation from browser configAdam Young2012-02-071-1/+0
|
* Configure s4u2proxy during installation.Rob Crittenden2012-01-101-0/+22
| | | | | | | | | | | | This creates a new container, cn=s4u2proxy,cn=etc,$SUFFIX Within that container we control which services are allowed to delegate tickets for other services. Right now that is limited from the IPA HTTP to ldap services. Requires a version of mod_auth_kerb that supports s4u2proxy https://fedorahosted.org/freeipa/ticket/1098
* Add SELinux user mapping framework.Rob Crittenden2011-12-093-1/+20
| | | | | | | | This will allow one to define what SELinux context a given user gets on a given machine. A rule can contain a set of users and hosts or it can point to an existing HBAC rule that defines them. https://fedorahosted.org/freeipa/ticket/755
* ipa-kdb: Delegation ACL schemaSimo Sorce2011-12-081-0/+5
|
* Remove extraneous trailing single quote in nis.uldifRob Crittenden2011-12-051-1/+1
|
* Add ipasam samba passdb backendSumit Bose2011-12-061-1/+1
| | | | https://fedorahosted.org/freeipa/ticket/1874
* Add trust objectclass and attributes to v3 schemaSumit Bose2011-12-061-0/+10
|
* Add NT domain GUID attribute.Simo Sorce2011-11-211-1/+2
| | | | | We need this to be able to re-set it, as ipaUniqueID cannot be arbitraily set to a value. Only needed for the domain object.
* Fix nis netgroup config entry so users appear in netgroup triple.Rob Crittenden2011-10-271-1/+1
| | | | https://fedorahosted.org/freeipa/ticket/2028
* Remove more redundant configuration values from krb5.conf.Jan Cholasta2011-10-111-6/+0
| | | | ticket 1358
* Fix DNS permissions and membership in privilegesRob Crittenden2011-10-091-23/+23
| | | | | | | | | | | | | This resolves two issues: 1. The DNS acis lacked a prefix so weren't tied to permissions 2. The permissions were added before the privileges so the member values weren't calculated properly For updates we need to add in the members and recalculate memberof via a DS task. https://fedorahosted.org/freeipa/ticket/1898
* list users from nested groups, tooNalin Dahyabhai2011-10-051-1/+1
|
* Fix typo in v3 base schemaSumit Bose2011-09-211-3/+3
|
* Update samba LDAP schemaSumit Bose2011-09-201-1/+39
| | | | | | The samba LDAP schema is updated to the lastest version available from the samba source code to be able to use the new trust related object class and attributes.
* schema: Add new attributes and objectclasses for AD TrustsSimo Sorce2011-09-201-2/+13
|
* Add ipa-adtrust-install utilitySumit Bose2011-09-142-0/+29
| | | | https://fedorahosted.org/freeipa/ticket/1619
* The precendence on the modrdn plugin was set in the wrong location.Rob Crittenden2011-09-131-1/+0
| | | | https://fedorahosted.org/freeipa/ticket/1370
* Move Managed Entries into their own container in the replicated space.Jr Aquino2011-09-125-6/+30
| | | | | | | | | | | | | | Repoint cn=Managed Entries,cn=plugins,cn=config in common_setup Create: cn=Managed Entries,cn=etc,$SUFFIX Create: cn=Definitions,cn=Managed Entries,cn=etc,$SUFFIX Create: cn=Templates,cn=Managed Entries,cn=etc,$SUFFIX Create method for dynamically migrating any and all custom Managed Entries from the cn=config space into the new container. Separate the connection creation during update so that a restart can be performed to initialize changes before performing a delete. Add wait_for_open_socket() method in installutils https://fedorahosted.org/freeipa/ticket/1708
* Let Bind track data changesMartin Kosek2011-08-311-0/+2
| | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | Integrate new bind-dyndb-ldap features to automatically track DNS data changes: 1) Zone refresh Set --zone-refresh in installation to define number of seconds between bind-dyndb-ldap polls for new DNS zones. User now doesn't have to restart name server when a new zone is added. 2) New zone notifications Use LDAP persistent search mechanism to immediately get notification when any new DNS zone is added. Use --zone-notif install option to enable. This option is mutually exclusive with Zone refresh. To enable this functionality in existing IPA installations, update a list of arguments for bind-dyndb-ldap in /etc/named.conf. An example when zone refresh is disabled and DNS data change notifications (argument psearch of bind-dyndb-ldap) are enabled: dynamic-db "ipa" { ... arg "zone_refresh 0"; arg "psearch yes"; }; This patch requires bind-dyndb-ldap-1.0.0-0.1.b1 or later. https://fedorahosted.org/freeipa/ticket/826
* 34 Create FreeIPA CLI Plugin for the 389 Auto Membership pluginJr Aquino2011-08-313-0/+42
| | | | | | | | | | | | Added new container in etc to hold the automembership configs. Modified constants to point to the new container Modified dsinstance to create the container Created automember.py to add the new commands Added xmlrpc test to verify functionality Added minor fix to user.py for constant behavior between memberof and automember https://fedorahosted.org/freeipa/ticket/1272
* v3-schema: Add new ipaExternalGroup objectclassSimo Sorce2011-08-262-0/+9
| | | | | | | | This construct allows to have a group of ipaExternalMember attributes, that can be nested in a normal ipa Group ('memberOf' is allowed). It cannot contain normal ipa users/groups and cannot be nested with another group of the same type ('member' is not allowed).
* schema: Split ipadns definitions from basev2 onesSimo Sorce2011-08-263-42/+47
|
* install: Use proper case for boolean valuesSimo Sorce2011-08-261-2/+2
|
generated by cgit (git 2.34.1) at 2024-06-08 00:47:54 +0000