path: root/install/share
Commit message (Author, Age, Files, Lines)
* Handle errors raised by plugins more gracefully in mod_wsgi. (Rob Crittenden, 2010-07-12, 1 file, -6/+10)
  This started as an effort to display a more useful error message in the Apache error log if retrieving the schema failed. I broadened the scope a little to include limiting the output in the Apache error log so errors are easier to find.
  This adds a new configuration option, startup_traceback. Outside of lite-server.py it is False by default, so it does not display the traceback that led to the StandardError being raised. This makes the mod_wsgi error much easier to follow.
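The startup_traceback behaviour described in the commit above, as an added example in Python (not FreeIPA's own mod_wsgi code): a wrapper around a hypothetical bootstrap callable that loads schema and plugins. A startup failure is logged once, with the traceback only when startup_traceback is True, and every request then receives a plain 500 with no detail leaked to the client. StartupError, make_wsgi_app and the bootstrap callable are assumptions for the example.

```python
import logging
import traceback


class StartupError(Exception):
    """Hypothetical stand-in for the error raised when initialisation fails."""


def format_startup_error(exc, startup_traceback=False):
    """Return the text that goes to the error log for a startup failure.

    With startup_traceback=False (the default outside a development server)
    only "Type: message" is produced; with True the full traceback follows it.
    """
    msg = "%s: %s" % (type(exc).__name__, exc)
    if startup_traceback:
        tb = traceback.format_exception(type(exc), exc, exc.__traceback__)
        msg += "\n" + "".join(tb)
    return msg


def make_wsgi_app(bootstrap, startup_traceback=False, log=None):
    """Wrap `bootstrap` (a callable that loads schema and plugins and returns
    the real WSGI application) so that a failure during startup is logged
    once, concisely, and every request then gets a plain 500 rather than a
    traceback-laden crash inside mod_wsgi.  (Example code, not FreeIPA's.)"""
    log = log or logging.getLogger("ipaserver")
    state = {"app": None, "error": None}

    def application(environ, start_response):
        if state["app"] is None and state["error"] is None:
            try:
                state["app"] = bootstrap()
            except Exception as exc:  # deliberately broad: top of the WSGI stack
                state["error"] = format_startup_error(exc, startup_traceback)
                log.error("ipaserver failed to start: %s", state["error"])
        if state["error"] is not None:
            start_response("500 Internal Server Error",
                           [("Content-Type", "text/plain")])
            # Nothing about the failure is returned to the client; the detail
            # lives in the error log only.
            return [b"ipaserver failed to start; see the server error log\n"]
        return state["app"](environ, start_response)

    return application
```

Keeping the traceback out of production logs by default is a readability choice here, not a secrecy one: the Apache error log is root-readable anyway, and the switch can be flipped on when a startup failure needs diagnosing.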
* Add support for User-Private Groups (Rob Crittenden, 2010-07-06, 3 files, -0/+37)
  This uses a new 389-ds plugin, Managed Entries, to automatically create a group entry when a user is created. The DNA plugin ensures that the group has a gidNumber that matches the user's uidNumber. When the user is removed the group is automatically removed as well.
  If the Managed Entries plugin is not available, or if a specific, separate range for gidNumber is passed in at install time, then User-Private Groups will not be configured.
  The code checking for the Managed Entries plugin may be removed at some point. This is there because this plugin is only available in a 389-ds alpha release currently (1.2.6-a4).
* Remove unused attribute serviceName and re-number schema (Rob Crittenden, 2010-06-21, 1 file, -8/+7)
  serviceName was originally part of the HBAC rules. We dropped it to use a separate service object instead so we could more easily do groups of services in rules.
* Add ipaUniqueID to HBAC services and service groups (Rob Crittenden, 2010-05-27, 2 files, -31/+1)
  Also fix the memberOf attribute for the HBAC services.
* Re-number some attributes to compress our usage to be contiguous (Rob Crittenden, 2010-05-27, 5 files, -46/+68)
  No longer install the policy or key escrow schemas and remove their OIDs for now.
  594149
* Add 'all' serviceCategory to default HBAC group and add some default services (Rob Crittenden, 2010-05-27, 1 file, -0/+31)
* Add groups of services to HBAC (Rob Crittenden, 2010-05-17, 2 files, -2/+18)
  Replace serviceName with memberService so we can assign individual services or groups of services to an HBAC rule.
  588574
* named.conf: Add trailing dot to the fake_mname (Martin Nagy, 2010-05-06, 1 file, -1/+1)
  Yet another trailing dot issue, but this one was kept hidden because only the latest bind-dyndb-ldap package uses the fake_mname option.
* Create default HBAC rule allowing any user to access any host from any host (Rob Crittenden, 2010-05-05, 2 files, -0/+15)
  This is to make initial installation and testing easier. Use the --no_hbac_allow option on the command-line to disable this when doing an install.
  To remove it from a running server do:
    ipa hbac-del allow_all
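How the HBAC rule shapes introduced in the three commits above (the allow_all default, the 'all' category, and memberService naming either a service or a service group) combine at evaluation time, as an added Python example that is not FreeIPA's HBAC implementation. Rule and group data are constructed for illustration; hbac_rule, SERVICE_GROUPS, evaluate and hbac_del are this example's own names, and the model is allow-only (a request is denied unless some enabled rule matches on every dimension).

```python
# Constructed service groups: a memberService entry may name a group, which
# expands to its members at evaluation time.
SERVICE_GROUPS = {
    "web": {"HTTP", "HTTPS"},
    "mail": {"smtp", "imap"},
}


def hbac_rule(name, users=(), hosts=(), sourcehosts=(), services=(),
              servicegroups=(), usercategory=None, hostcategory=None,
              sourcehostcategory=None, servicecategory=None, enabled=True):
    """A simplified HBAC rule (example only): each dimension is either the
    category 'all' or an explicit set of members."""
    return dict(name=name, users=set(users), hosts=set(hosts),
                sourcehosts=set(sourcehosts), services=set(services),
                servicegroups=set(servicegroups), usercategory=usercategory,
                hostcategory=hostcategory, sourcehostcategory=sourcehostcategory,
                servicecategory=servicecategory, enabled=enabled)


# The installer's default rule: every dimension is 'all'.
ALLOW_ALL = hbac_rule("allow_all", usercategory="all", hostcategory="all",
                      sourcehostcategory="all", servicecategory="all")


def _dimension_matches(value, category, members):
    return category == "all" or value in members


def rule_services(rule):
    """Expand memberService: direct services plus every member of each group."""
    svcs = set(rule["services"])
    for group in rule["servicegroups"]:
        svcs |= SERVICE_GROUPS.get(group, set())
    return svcs


def rule_matches(rule, user, host, sourcehost, service):
    return (rule["enabled"]
            and _dimension_matches(user, rule["usercategory"], rule["users"])
            and _dimension_matches(host, rule["hostcategory"], rule["hosts"])
            and _dimension_matches(sourcehost, rule["sourcehostcategory"],
                                   rule["sourcehosts"])
            and (rule["servicecategory"] == "all"
                 or service in rule_services(rule)))


def evaluate(rules, user, host, sourcehost, service):
    """Return the name of the first enabled rule that grants the access,
    or None when nothing matches (deny)."""
    for rule in rules:
        if rule_matches(rule, user, host, sourcehost, service):
            return rule["name"]
    return None


def hbac_del(rules, name):
    """Mirror of `ipa hbac-del <name>` for this in-memory rule list."""
    return [r for r in rules if r["name"] != name]


if __name__ == "__main__":
    web_admins = hbac_rule("web_admins", users={"alice"},
                           hosts={"web1.example.com"}, sourcehostcategory="all",
                           servicegroups={"web"})
    rules = [ALLOW_ALL, web_admins]
    print(evaluate(rules, "bob", "db1.example.com", "laptop.example.com", "sshd"))
    print(evaluate(hbac_del(rules, "allow_all"), "bob", "db1.example.com",
                   "laptop.example.com", "sshd"))
```

The point worth seeing in the output is that as long as allow_all is present every other rule is irrelevant: the specific web_admins rule only starts to constrain anything once the default is deleted with hbac-del, which is why the installer offers --no_hbac_allow for anything other than a test deployment.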
* Remove some duplicated schema (Rob Crittenden, 2010-04-30, 1 file, -9/+0)
  Newer versions of 389-ds provide this certificate schema so no need to provide it ourselves.
* Use escapes in DNs instead of quoting. (Rob Crittenden, 2010-04-19, 1 file, -2/+2)
  Based on initial patch from Pavel Zuna.
* Enable anonymous VLV so Solaris clients will work out of the box. (Rob Crittenden, 2010-04-16, 1 file, -0/+4)
  Since one needs to enable the compat plugin we will enable anonymous VLV when that is configured.
  By default the DS installs an aci that grants read access to ldap:///all and we need ldap:///anyone.
* Run ipaserver under mod_wsgi (Jason Gerard DeRose, 2010-03-01, 2 files, -0/+14)
* - also ensure that krbCanonicalName is unique (Nalin Dahyabhai, 2010-02-05, 1 file, -0/+18)
* - allow the KDC to read krbCanonicalName (Nalin Dahyabhai, 2010-02-05, 1 file, -2/+2)
* - pull in updated schema which adds the krbCanonicalName attribute (Nalin Dahyabhai, 2010-02-04, 1 file, -1/+15)
* Set BIND to use ldapi and use fake mname (Martin Nagy, 2010-01-21, 1 file, -1/+2)
  The fake_mname for now doesn't exist but is a feature that will be added in the near future. Since any unknown arguments to bind-dyndb-ldap are ignored, we are safe to use it now.
* Only add an NTP SRV record if we really are setting up NTP (Martin Nagy, 2010-01-21, 1 file, -3/+1)
  The sample bind zone file that is generated if we don't use --setup-dns is also changed.
  Fixes #500238
* Use the dns plug-in for addition of records during installation (Martin Nagy, 2010-01-21, 3 files, -113/+0)
  Fixes #528943
* Fix merge issue, cut-and-paste error (Rob Crittenden, 2010-01-21, 1 file, -2/+1)
* User-defined certificate subjects (Rob Crittenden, 2010-01-20, 1 file, -1/+3)
  Let the user, upon installation, set the certificate subject base for the dogtag CA. Certificate requests will automatically be given this subject base, regardless of what is in the CSR.
  The selfsign plugin does not currently support this dynamic name re-assignment and will reject any incoming requests that don't conform to the subject base.
  The certificate subject base is stored in cn=ipaconfig but it does NOT dynamically update the configuration, for dogtag at least. The file /var/lib/pki-ca/profiles/ca/caIPAserviceCert.cfg would need to be updated and pki-cad restarted.
* Add BIND pre-op for DS->IPA password migration to ipa-pwd-extop DS plugin. (Pavel Zuna, 2010-01-20, 2 files, -3/+6)
* Add default values for krb ticket policy attributes during installation. (Pavel Zuna, 2010-01-13, 2 files, -0/+8)
* Make hosts more like real services so we can issue certs for host principals (Rob Crittenden, 2009-12-16, 1 file, -0/+6)
  This patch should make joining a client to the domain and using certmonger to get an initial certificate work.
* Make the IPA server host and its services "real" IPA entries (Rob Crittenden, 2009-12-11, 1 file, -1/+1)
  We use kadmin.local to bootstrap the creation of the kerberos principals for the IPA server machine: host, HTTP and ldap. This works fine and has the side-effect of protecting the services from modification by an admin (which would likely break the server).
  Unfortunately this also means that the services can't be managed by useful utilities such as certmonger. So we have to create them as "real" services instead.
* Add ipaUserGroup objectClass to default groups where missing. (Pavel Zuna, 2009-12-01, 1 file, -0/+2)
* Use a new mechanism for delegating certificate issuance. (Rob Crittenden, 2009-11-03, 2 files, -1/+9)
  Using the client IP address was a rather poor mechanism for controlling who could request certificates for whom. Instead the client machine will bind using the host service principal and request the certificate.
  In order to do this:
    * the service will need to exist
    * the machine needs to be in the certadmin rolegroup
    * the host needs to be in the managedBy attribute of the service
  It might look something like:
  admin
    ipa host-add client.example.com --password=secret123
    ipa service-add HTTP/client.example.com
    ipa service-add-host --hosts=client.example.com HTTP/client.example.com
    ipa rolegroup-add-member --hosts=client.example.com certadmin
  client
    ipa-client-install
    ipa-join -w secret123
    kinit -kt /etc/krb5.keytab host/client.example.com
    ipa -d cert-request file://web.csr --principal=HTTP/client.example.com
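The three conditions the commit above lists, modelled as an authorization check in Python. This is an added example, not FreeIPA's cert-request plugin: the directory contents are constructed stand-ins (service principals with a managedBy host set, a certadmin rolegroup with host members), and can_request_cert returns a decision plus the reason for audit logging. The bound identity is taken from the Kerberos principal the requester authenticated as, never from the client's IP address.

```python
# Constructed directory snapshot (example data, not a real LDAP dump).
DIRECTORY = {
    "services": {
        "HTTP/client.example.com": {"managedBy": {"client.example.com"}},
        "HTTP/other.example.com": {"managedBy": set()},
    },
    "rolegroups": {
        "certadmin": {"hosts": {"client.example.com"}},
    },
}


def host_from_principal(principal):
    """Map 'host/fqdn@REALM' to 'fqdn'; reject anything that is not a host
    principal, since only machines may use this delegation path."""
    service, sep, rest = principal.partition("/")
    if service != "host" or not sep or not rest:
        raise ValueError("not a host principal: %r" % principal)
    return rest.split("@", 1)[0]


def can_request_cert(directory, bound_principal, target_principal):
    """Return (allowed, reason) for a cert-request made by bound_principal
    on behalf of target_principal, applying the commit's three conditions
    in order: service exists, requester is in certadmin, requester is in
    the service's managedBy."""
    try:
        host = host_from_principal(bound_principal)
    except ValueError as err:
        return False, str(err)

    target = target_principal.split("@", 1)[0]
    service = directory["services"].get(target)
    if service is None:
        return False, "service %s does not exist" % target

    certadmin_hosts = directory["rolegroups"].get("certadmin", {}).get("hosts", set())
    if host not in certadmin_hosts:
        return False, "%s is not a member of the certadmin rolegroup" % host

    if host not in service["managedBy"]:
        return False, "%s is not in managedBy of %s" % (host, target)

    return True, "ok"


if __name__ == "__main__":
    print(can_request_cert(DIRECTORY, "host/client.example.com@EXAMPLE.COM",
                           "HTTP/client.example.com@EXAMPLE.COM"))
    print(can_request_cert(DIRECTORY, "host/rogue.example.com@EXAMPLE.COM",
                           "HTTP/client.example.com@EXAMPLE.COM"))
```

The managedBy check is the one that scopes the delegation: membership in certadmin alone would let any enrolled host request a certificate for any service, so the rolegroup gates the capability and managedBy gates which principals it applies to.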
* Use Directory String syntax for the fqdn attribute, not DN syntax. (Rob Crittenden, 2009-10-28, 1 file, -1/+1)
* No longer use the IPA-specific memberof plugin. Use the DS-supplied one. (Rob Crittenden, 2009-10-12, 2 files, -0/+6)
* Add HBAC plugin and introduce GeneralizedTime parameter type. (Pavel Zuna, 2009-10-05, 1 file, -0/+6)
* Add support for per-group kerberos password policy. (Rob Crittenden, 2009-10-05, 1 file, -0/+13)
  Use a Class of Service template to do per-group password policy. The design calls for non-overlapping groups but with cospriority we can still make sense of things.
  The password policy entries stored under the REALM are keyed only on the group name because the MIT ldap plugin can't handle quotes in the DN. It also can't handle spaces between elements in the DN.
* Ensure that dnaMaxValue is higher than dnaNextValue at install time (Rob Crittenden, 2009-09-09, 1 file, -2/+2)
  Resolves 522179
* Use DNS forwarders in /etc/named.conf (Martin Nagy, 2009-09-02, 1 file, -0/+3)
  This patch adds options --forwarder and --no-forwarders. At least one of them must be used if you are doing a setup with DNS server. They are also mutually exclusive. The --forwarder option can be used more than once to specify more servers.
  If the installer runs in interactive mode, it will prompt the user if none of these options was given at the command line.
* Install the ldapi ldif file (Rob Crittenden, 2009-08-28, 1 file, -0/+1)
* Add option to the installer for uid/gid starting numbers. (Rob Crittenden, 2009-08-27, 2 files, -7/+7)
  This also adds a new option to the template system. If you include eval(string) in a file that goes through the templater then the string in the eval will be evaluated by the Python interpreter. This is used so one can do $UIDSTART+1. If any errors occur during the evaluation the original string is returned, eval() and all, so it is up to the developer to make sure the evaluation passes.
  The default value for uid and gid is now a random value between 1,000,000 and (2^31 - 1,000,000)
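A templater with the eval(...) hook and the fall-back-to-original behaviour the commit above describes, as an added Python example rather than FreeIPA's own ipautil templater. One deliberate difference: instead of passing the text to the interpreter's eval(), which would execute whatever ends up inside eval(...) in a template file, this version walks the expression's AST and accepts integer arithmetic only, so $UIDSTART+1 works while names, calls and ** are refused and left verbatim. random_id_start reproduces the default range quoted in the commit. safe_eval_int, render and random_id_start are this example's names.

```python
import ast
import operator
import random
import re
import string

# Operators the template evaluator accepts: integer arithmetic only.
_OPS = {
    ast.Add: operator.add,
    ast.Sub: operator.sub,
    ast.Mult: operator.mul,
    ast.FloorDiv: operator.floordiv,
    ast.Mod: operator.mod,
    ast.USub: operator.neg,
}


def safe_eval_int(expr):
    """Evaluate an integer arithmetic expression without exec/eval.

    Names, calls, attribute access, ** and anything else not in _OPS raise
    ValueError, so template text can never reach the Python interpreter.
    """
    def walk(node):
        if isinstance(node, ast.Expression):
            return walk(node.body)
        if (isinstance(node, ast.Constant) and isinstance(node.value, int)
                and not isinstance(node.value, bool)):
            return node.value
        if isinstance(node, ast.BinOp) and type(node.op) in _OPS:
            return _OPS[type(node.op)](walk(node.left), walk(node.right))
        if isinstance(node, ast.UnaryOp) and type(node.op) in _OPS:
            return _OPS[type(node.op)](walk(node.operand))
        raise ValueError("unsupported expression: %r" % expr)
    return walk(ast.parse(expr.strip(), mode="eval"))


# Non-nested eval(...) spans; a stray parenthesis inside simply never matches.
_EVAL_RE = re.compile(r"eval\(([^()]*)\)")


def render(template, values):
    """Substitute $NAME placeholders, then evaluate eval(...) spans.

    Unknown placeholders are left untouched (safe_substitute), and an
    eval(...) span whose expression fails is returned verbatim, eval() and
    all, which is the behaviour the commit describes.
    """
    text = string.Template(template).safe_substitute(values)

    def replace(match):
        try:
            return str(safe_eval_int(match.group(1)))
        except (ValueError, SyntaxError, ZeroDivisionError):
            return match.group(0)

    return _EVAL_RE.sub(replace, text)


def random_id_start(low=1000000, high=2 ** 31 - 1000000):
    """Pick a default uid/gid start in the range the commit gives, using
    the OS CSPRNG rather than the default Mersenne Twister."""
    return random.SystemRandom().randint(low, high)


if __name__ == "__main__":
    sample = "dnaNextValue: eval($UIDSTART+1)\ndnaMaxValue: eval($UIDSTART+200000)"
    print(render(sample, {"UIDSTART": random_id_start()}))
```

Because an unevaluated span is left in the file exactly as written, a typo in a template shows up as a literal "eval(...)" in the installed LDIF; grepping the rendered output for "eval(" is the cheap check the commit's "up to the developer" remark implies.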
* Enable ldapi connections in the management framework. (Rob Crittenden, 2009-08-27, 1 file, -0/+6)
  If you don't want to use ldapi then you can remove the ldap_uri setting in /etc/ipa/default.conf. The default for the framework is to use ldap://localhost:389/
* Add a new objectclass, ipaObject, that will add a UUID to many IPA objects (Rob Crittenden, 2009-08-10, 2 files, -0/+3)
  ipaObject is defined as an auxiliary objectclass so it is up to the plugin author to ensure that the objectclass is included and a UUID generated. ipaUniqueId is a MUST attribute so if you include the objectclass you must ensure that the uuid is generated.
  This also fixes up some unrelated unit test failures.
* Include schema for key escrow management (Rob Crittenden, 2009-08-10, 2 files, -1/+10)
  https://fedoraproject.org/wiki/Disk_encryption_key_escrow_in_IPA
* Make --setup-dns work on replica installation (Martin Nagy, 2009-07-22, 1 file, -1/+2)
  The ipa-replica-install script will set up the DNS if the user specifies the --setup-dns option. It will only add the zone into LDAP if the cn=dns,$SUFFIX container doesn't exist. For now, however, we do not add the records.
* Add a reverse zone with server's PTR record (Martin Nagy, 2009-07-22, 2 files, -2/+26)
  Also, small cosmetic change in dns.ldif.
* Use uppercase boolean values in dns.ldif (Martin Nagy, 2009-07-15, 1 file, -2/+2)
  The newest 389 server implements syntax checking and causes problems if the boolean attribute is set to "True". The correct value should be "TRUE".
* Let anonymous users browse the VLV index (Rob Crittenden, 2009-07-10, 2 files, -0/+10)
  This is needed for automount support on Solaris
  http://docs.sun.com/app/docs/doc/819-5201/6n7a588i7?l=en&a=view
* Configure BIND LDAP driver to use SASL authentication (Martin Nagy, 2009-07-10, 1 file, -15/+16)
  We use /etc/named.keytab generated by ipa-server-install to authenticate against the LDAP server. Also tidy up /etc/named.conf since we're there.
* Basic changes to get a default principal for DNS (Simo Sorce, 2009-07-10, 4 files, -1/+351)
  Also moves delegation layout installation in dsinstance. This is needed to allow us to set default membership in other modules like bindinstance.
  Signed-off-by: Martin Nagy <mnagy@redhat.com>
* Make object classes of automatically created entries lowercase. (Pavel Zuna, 2009-07-10, 1 file, -16/+16)
  This makes them more consistent with entries created by plugins. It's a cosmetic thing, not that useful.
* Use root.$HOST.$DOMAIN. instead of root.$DOMAIN. (Martin Nagy, 2009-06-02, 1 file, -1/+1)
* Use LDAP instead of flat file for zone storage (Martin Nagy, 2009-06-02, 3 files, -10/+99)
* Change DNS LDAP attributes (Martin Nagy, 2009-06-02, 1 file, -14/+13)
  Removes two unneeded attributes and adds one attribute for specifying DNS update policy. Additionally, use different namespace for them: 5.x for attribute types and 6.x for object classes.
* Add memberOf as a MAY to ipaHost (Rob Crittenden, 2009-05-26, 1 file, -1/+1)
  499731
* Schema change so the nisnetgroup triples work properly. (Rob Crittenden, 2009-05-19, 1 file, -1/+2)
  If we use cn for hostname there is no easy way to distinguish between a host and a hostgroup. So adding a fqdn attribute to be used to store the hostname instead.