path: root/install/share
Commit log for install/share. Each entry gives the commit title, then the author, date and change statistics (files changed, lines removed/added), followed by the commit message.

* dns: Add idnsSecInlineSigning attribute, add --dnssec option to zone
  Petr Viktorin, 2014-05-28 (1 file, -1/+2)

  Part of the work for: https://fedorahosted.org/freeipa/ticket/3801
  Reviewed-By: Martin Kosek <mkosek@redhat.com>

* Remove the global anonymous read ACI
  Petr Viktorin, 2014-05-26 (2 files, -18/+0)

  Also remove
  - the deny ACIs that implemented exceptions to it:
    - no anonymous access to roles
    - no anonymous access to member information
    - no anonymous access to hbac
    - no anonymous access to sudo (2×)
  - its updater plugin

  Part of the work for: https://fedorahosted.org/freeipa/ticket/3566
  Reviewed-By: Martin Kosek <mkosek@redhat.com>

* Replace "replica admins read access" ACI with a permission
  Petr Viktorin, 2014-05-21 (1 file, -5/+0)

  Add a 'Read Replication Agreements' permission to replace the read ACI for cn=config.

  https://fedorahosted.org/freeipa/ticket/3829
  Reviewed-By: Martin Kosek <mkosek@redhat.com>

* aci-update: Trim the admin write blacklist
  Petr Viktorin, 2014-04-25 (1 file, -3/+0)

  These attributes are removed from the blacklist, which means high-level admins can now modify them:
  - krbPrincipalAliases
  - krbPrincipalType
  - krbPwdPolicyReference
  - krbTicketPolicyReference
  - krbUPEnabled
  - serverHostName

  The intention is to only blacklist password attributes and attributes that are managed by DS plugins.

  Also, move the admin ACIs from ldif and trusts.update to aci.update.

  Reviewed-By: Martin Kosek <mkosek@redhat.com>

* Add a new ipaVirtualOperation objectClass to virtual operations
  Petr Viktorin, 2014-04-24 (2 files, -36/+1)

  The entries are moved from the ldif file to an update file.

  Part of the work for: https://fedorahosted.org/freeipa/ticket/3566
  Reviewed-By: Martin Kosek <mkosek@redhat.com>

* schema-compat: set precedence to 49 to allow OTP binds over compat tree
  Alexander Bokovoy, 2014-04-04 (1 file, -0/+4)

  schema-compat plugin rewrites bind DN to point to the original entry on LDAP bind operation. To work with OTP tokens this requires that schema-compat's pre-bind callback is called before the pre-bind callback of the ipa-pwd-extop plugin. Therefore, the schema-compat plugin should have an nsslapd-pluginprecedence value lower than the (default) 50 which is used by the ipa-pwd-extop plugin.

  Note that this will only work if ticket 47699 is fixed in 389-ds.

  Reviewed-By: Nathaniel McCallum <npmccallum@redhat.com>

* Use LDAP API to upload CA certificate instead of ldapmodify command.
  Jan Cholasta, 2014-03-25 (2 files, -8/+0)

  Reviewed-By: Petr Viktorin <pviktori@redhat.com>

* Make all ipatokenTOTP attributes mandatory
  Nathaniel McCallum, 2014-02-21 (1 file, -1/+1)

  Originally we made them all optional as a workaround for the lack of SELFDN support in 389DS. However, with the advent of SELFDN, this hack is no longer necessary. This patch updates TOTP to match HOTP in this regard.

  Reviewed-By: Jan Cholasta <jcholast@redhat.com>

* Add HOTP support
  Nathaniel McCallum, 2014-02-21 (2 files, -1/+4)

  Reviewed-By: Alexander Bokovoy <abokovoy@redhat.com>

* permissions: Use multivalued targetfilter
  Petr Viktorin, 2014-02-20 (1 file, -1/+1)

  Change the target filter to be multivalued.

  Make the `type` option on permissions set location and an (objectclass=...) targetfilter, instead of location and target.

  Make changing or unsetting `type` remove existing (objectclass=...) targetfilters only, and similarly, changing/unsetting `memberof` to remove (memberof=...) only.

  Update tests

  Part of the work for: https://fedorahosted.org/freeipa/ticket/4074
  Reviewed-By: Martin Kosek <mkosek@redhat.com>

* Update ACIs to permit users to add/delete their own tokens
  Nathaniel McCallum, 2014-02-13 (1 file, -0/+1)

  https://fedorahosted.org/freeipa/ticket/4087
  Reviewed-By: Alexander Bokovoy <abokovoy@redhat.com>

* Add support for managed permissions
  Petr Viktorin, 2014-02-12 (1 file, -2/+2)

  This adds support for managed permissions. The attribute list of these is computed from the "default" (modifiable only internally), "allowed", and "excluded" lists. This makes it possible to cleanly merge updated IPA defaults and user changes on upgrades.

  The default managed permissions are to be added in a future patch. For now they can only be created manually (see test_managed_permissions).

  Tests included.

  Part of the work for: https://fedorahosted.org/freeipa/ticket/4033
  Design: http://www.freeipa.org/page/V3/Managed_Read_permissions
  Reviewed-By: Martin Kosek <mkosek@redhat.com>

* Remove sourcehostcategory from the default HBAC rule.
  Jan Cholasta, 2014-02-06 (1 file, -1/+0)

  https://fedorahosted.org/freeipa/ticket/4158
  Reviewed-By: Martin Kosek <mkosek@redhat.com>

* ipa-adtrust-install: configure host netbios name by default
  Alexander Bokovoy, 2014-01-20 (1 file, -0/+1)

  Ensure we set host netbios name by default in smb.conf

  https://fedorahosted.org/freeipa/ticket/4116

* acl: Remove krbPrincipalExpiration from list of admin's excluded attrs
  Tomas Babej, 2014-01-14 (1 file, -1/+1)

  Since we're exposing the krbPrincipalExpiration attribute for direct editing in the CLI, remove it from the list of attributes that admin cannot edit by default.

  Part of: https://fedorahosted.org/freeipa/ticket/3306

* Use /usr/bin/python2
  Xiao-Long Chen, 2014-01-03 (1 file, -1/+1)

  Part of the effort to port FreeIPA to Arch Linux, where Python 3 is the default. FreeIPA hasn't been ported to Python 3, so the code must be modified to run /usr/bin/python2

  https://fedorahosted.org/freeipa/ticket/3438

  Updated by pviktori@redhat.com

* Add new permission schema
  Petr Viktorin, 2013-12-13 (1 file, -0/+9)

  Part of the work for: https://fedorahosted.org/freeipa/ticket/3566
  Design: http://www.freeipa.org/page/V3/Permissions_V2

* Allow kernel keyring CCACHE when supported
  Martin Kosek, 2013-12-09 (1 file, -1/+1)

  Server and client installer should allow kernel keyring ccache when supported.

  https://fedorahosted.org/freeipa/ticket/4013

* Add RADIUS proxy support to ipalib CLI
  Nathaniel McCallum, 2013-12-03 (1 file, -1/+1)

  https://fedorahosted.org/freeipa/ticket/3368

* Add userClass attribute for users
  Ana Krivokapic, 2013-11-19 (1 file, -0/+1)

  This new freeform user attribute will allow provisioning systems to add custom tags for user objects which can be later used for automember rules or for additional local interpretation.

  Design page: http://www.freeipa.org/page/V3/Integration_with_a_provisioning_systems

  https://fedorahosted.org/freeipa/ticket/3588

* Unify capitalization of attribute names in schema files
  Petr Viktorin, 2013-11-18 (3 files, -19/+19)

  Due to a bug[0], python-ldap doesn't parse schema LDIF files correctly if they use inconsistent capitalization. This patch works around the bug in IPA schema files.

  [0] https://bugzilla.redhat.com/show_bug.cgi?id=1007820

  Note: git's --word-diff option is recommended for viewing these changes

* Add formerly update-only schema
  Petr Viktorin, 2013-11-18 (4 files, -1/+42)

  Some schema was only delivered in updates. Add it back as ldif files.

  https://fedorahosted.org/freeipa/ticket/3454

* Make schema files conform to new updater
  Petr Viktorin, 2013-11-18 (7 files, -20/+20)

  The new schema updater only compares textual representations of schema elements, as formatted by python-ldap. This works well, but it is too strict for the current schema files in two ways:
  - For attribute names in MAY and MUST, the correct letter case must be used
  - AttributeTypes must specify explicit EQUALITY and SYNTAX fields even if they are the same as its supertype's.

  When these restrictions are not followed, the updater will always overwrite the schema element. This is harmless but it fills up the log unnecessarily.

  Modify the schema files to conform to these restrictions.

  Part of the work for https://fedorahosted.org/freeipa/ticket/3454

  Note: git's --word-diff option is recommended for viewing these changes

* Do not add kadmin/changepw ACIs on new installs
  Martin Kosek, 2013-10-25 (1 file, -1/+0)

  These ACIs were needed when FreeIPA had a custom ipa_kpasswd daemon; now that a standard kadmin is used, the ACIs are not needed anymore, as kadmin uses the same driver as the KDC.

  The ACIs are not removed on upgrades to avoid breaking older replicas which may still use a FreeIPA version with the ipa_kpasswd daemon.

  https://fedorahosted.org/freeipa/ticket/3987

* Add ipa-advise plugins for nss-pam-ldapd legacy clients
  Ana Krivokapic, 2013-10-18 (5 files, -3/+52)

  Add three new ipa-advise plugins, to facilitate configuration of legacy clients using nss-pam-ldapd:
    * config-redhat-nss-pam-ldapd
    * config-generic-linux-nss-pam-ldapd
    * config-freebsd-nss-pam-ldapd

  https://fedorahosted.org/freeipa/ticket/3672

* Remove --no-serial-autoincrement
  Martin Kosek, 2013-10-11 (1 file, -1/+1)

  Deprecate this option and do not offer it in installation tools. Without this option enabled, advanced DNS features like DNSSEC would not work.

  https://fedorahosted.org/freeipa/ticket/3962

* Fix nsslapdPlugin object class after initial replication.
  Jan Cholasta, 2013-09-10 (2 files, -0/+8)

  This is a workaround for <https://fedorahosted.org/389/ticket/47490>.

  https://fedorahosted.org/freeipa/ticket/3915

* Add timestamps to named debug logs in /var/named/data/named.run
  Petr Spacek, 2013-09-06 (1 file, -0/+1)

* Fix selected minor issues in the spec file and license
  Martin Kosek, 2013-08-13 (2 files, -4/+4)

  This patch fixes:
  - too long description for server-trust-ad subpackage
  - adds (noreplace) flag %{_sysconfdir}/tmpfiles.d/ipa.conf to avoid overwriting potential user changes
  - changes permissions on default_encoding_utf8.so to prevent it from polluting python subpackage Provides.
  - wrong address in GPL v2 license preamble in 2 distributed files

  https://fedorahosted.org/freeipa/ticket/3855

* Remove support for IPA deployments with no persistent search
  Tomas Babej, 2013-08-09 (1 file, -2/+0)

  Drops the code from ipa-server-install, ipa-dns-install and the BindInstance itself.

  Also changed ipa-upgradeconfig script so that it does not set zone_refresh to 0 on upgrades, as the option is deprecated.

  https://fedorahosted.org/freeipa/ticket/3632

* Handle --subject option in ipa-server-install
  Ana Krivokapic, 2013-08-08 (1 file, -2/+2)

  Properly handle --subject option of ipa-server-install, making sure this value gets passed to certmap.conf. Introduce a new template variable $SUBJECT_BASE for this purpose.

  Also make sure that this value is preserved on upgrades.

  https://fedorahosted.org/freeipa/ticket/3783

* Add ipa-advise plugins for legacy clients
  Ana Krivokapic, 2013-08-07 (5 files, -0/+71)

  Old versions of SSSD do not directly support cross-realm trusts between IPA and AD. This patch introduces plugins for the ipa-advise tool, which should help with configuring an old version of SSSD (1.5-1.8) to gain access to resources in trusted domain.

  Since the configuration steps differ depending on whether the platform includes the authconfig tool, two plugins are needed:
    * config-redhat-sssd-before-1-9 - provides configuration for Red Hat based systems, as these systems include the authconfig utility
    * config-generic-sssd-before-1-9 - provides configuration for other platforms

  https://fedorahosted.org/freeipa/ticket/3671
  https://fedorahosted.org/freeipa/ticket/3672

* Add Camellia ciphers to allowed list.
  Rob Crittenden, 2013-07-18 (1 file, -0/+4)

  https://fedorahosted.org/freeipa/ticket/3749

* Fix for small syntax error in OTP schema
  Nathaniel McCallum, 2013-07-11 (1 file, -1/+1)

  https://fedorahosted.org/freeipa/ticket/3765

* Permit reads to ipatokenRadiusProxyUser objects
  Nathaniel McCallum, 2013-07-11 (1 file, -1/+1)

  This fixes an outstanding permissions issue from the OTP work.

  https://fedorahosted.org/freeipa/ticket/3693

* Add missing equality index for ipaUniqueId.
  Jan Cholasta, 2013-07-11 (1 file, -0/+8)

  https://fedorahosted.org/freeipa/ticket/3743

* Add missing substring indices for attributes managed by the referint plugin.
  Jan Cholasta, 2013-07-11 (1 file, -0/+11)

  The referint plugin does a substring search on these attributes each time an entry is deleted, which causes a noticeable slowdown for large directories if the attributes are not indexed.

  https://fedorahosted.org/freeipa/ticket/3706

* Enable SASL mapping fallback.
  Jan Cholasta, 2013-06-27 (2 files, -0/+5)

  Assign a default priority of 10 to our SASL mappings.

  https://fedorahosted.org/freeipa/ticket/3330

* Remove entitlement support
  Martin Kosek, 2013-06-26 (2 files, -86/+0)

  Entitlements code was neither tested nor supported upstream since version 3.0. Remove the associated code.

  https://fedorahosted.org/freeipa/ticket/3739

* Add ipaRangeType attribute to LDAP Schema
  Tomas Babej, 2013-06-10 (2 files, -1/+3)

  This adds a new LDAP attribute ipaRangeType with OID 2.16.840.1.113730.3.8.11.41 to the LDAP Schema. ObjectClass ipaIDrange has been altered to require ipaRangeType attribute.

  Part of https://fedorahosted.org/freeipa/ticket/3647

* Add IPA OTP schema and ACLs
  Nathaniel McCallum, 2013-05-17 (4 files, -1/+39)

  This commit adds schema support for two factor authentication via OTP devices, including RADIUS or TOTP. This schema will be used by future patches which will enable two factor authentication directly.

  https://fedorahosted.org/freeipa/ticket/3365
  http://freeipa.org/page/V3/OTP

* Add ipaUserAuthType and ipaUserAuthTypeClass
  Nathaniel McCallum, 2013-05-17 (1 file, -0/+2)

  This schema addition will be useful for future commits. It allows us to define permitted external authentication methods on both the user and global config. The implementation is generic, but the immediate usage is for otp support.

  https://fedorahosted.org/freeipa/ticket/3365
  http://freeipa.org/page/V3/OTP

* Fix syntax errors in schema files
  Petr Viktorin, 2013-04-26 (2 files, -2/+2)

  - add missing closing parenthesis in idnsRecord declaration
  - remove extra dollar sign from ipaSudoRule declaration
  - handle missing/extraneous X-ORIGIN lines in 10-selinuxusermap.update

  This does not use the schema updater because the syntax needs to be fixed in the files themselves, otherwise 389 1.3.2+ will fail to start. Older DS versions transparently fix the syntax errors.

  The existing ldap-updater directive for ipaSudoRule is fixed (ldap-updater runs after upgradeconfig).

  https://fedorahosted.org/freeipa/ticket/3578

* Fix syntax of the dc attributeType
  Petr Viktorin, 2013-04-26 (1 file, -1/+1)

  dc syntax is changed from Directory String to IA5 String to conform to RFC 2247.

  Part of the work for https://fedorahosted.org/freeipa/ticket/3578

* Add userClass attribute for hosts
  Martin Kosek, 2013-04-26 (1 file, -1/+1)

  This new freeform host attribute will allow provisioning systems to add custom tags for host objects which can be later used in automember rules or for additional local interpretation.

  Design page: http://www.freeipa.org/page/V3/Integration_with_a_provisioning_systems

  Ticket: https://fedorahosted.org/freeipa/ticket/3583

* Use A/AAAA records instead of CNAME records in ipa-ca.
  Jan Cholasta, 2013-04-15 (1 file, -1/+1)

  https://fedorahosted.org/freeipa/ticket/3547

* Remove 'cn' attribute from idnsRecord and idnsZone objectClasses
  Petr Viktorin, 2013-04-10 (1 file, -1/+1)

  A commonName attribute has no meaning in DNS records.

  https://fedorahosted.org/freeipa/ticket/3514

* Change CNAME and DNAME attributes to single valued
  Martin Kosek, 2013-04-02 (1 file, -2/+2)

  These DNS attributeTypes are of a singleton type, update LDAP schema to reflect it.

  https://fedorahosted.org/freeipa/ticket/3440
  https://fedorahosted.org/freeipa/ticket/3450

* Add Kerberos ticket flags management to service and host plugins.
  Jan Cholasta, 2013-03-29 (1 file, -1/+1)

  https://fedorahosted.org/freeipa/ticket/3329

* Put pid-file to named.conf
  Martin Kosek, 2013-03-29 (1 file, -0/+1)

  Fedora 19 has split the /var/run and /run directories, while in Fedora 18 it used to be a symlink. Thus, named may expect its PID file to be in a different directory than it really is and fail to start.

  Add pid-file configuration option to named.conf both for new installations and for upgraded machines.