path: root/install/share
Commit message | Author | Age | Files | Lines
...
* block anonymous access to sudo info https://fedorahosted.org/freeipa/ticket/865 (Jr Aquino, 2011-01-27, 1 file, -0/+6)
* ACI plugin supports prefixes (Martin Kosek, 2011-01-26, 3 files, -48/+48)
  When more than one plugin produces ACIs, they share a common namespace of ACI names. This may lead to name collisions between the ACIs from different plugins. This patch introduces a mandatory "prefix" attribute for non-find ACI operations which allows plugins to use their own prefixes (i.e. namespaces), which is then used when a name of the ACI is generated. Permission, Delegation and Selfservice plugins have been updated to use their own prefixes, thus avoiding name collisions by using their own namespaces. Default ACIs in LDIFs have been updated to follow this new policy. Permission plugin now uses its CN (=primary key) instead of description in ACI names as Description may not be unique. This change requires an IPA server reinstall since the default ACI set has been changed. https://fedorahosted.org/freeipa/ticket/764
* Enforce uniqueness on (key,info) pairs in automount keys (Jakub Hrozek, 2011-01-25, 1 file, -1/+2)
  https://fedorahosted.org/freeipa/ticket/293
* Block anonymous access to HBAC, role and some member information. (Rob Crittenden, 2011-01-24, 2 files, -0/+11)
  Prevents an unauthenticated user from accessing HBAC and role information as well as memberof which could disclose roles, memberships in HBAC, etc. ticket 811
* Allow SASL/EXTERNAL authentication for the root user (Simo Sorce, 2011-01-20, 2 files, -0/+25)
  This gives the root user low privileges so that when anonymous searches are denied the init scripts can still search the directory via ldapi to get the list of services to start. Fixes: https://fedorahosted.org/freeipa/ticket/795
* Make krb5kdc use the ldapi socket to talk to dirsrv (Simo Sorce, 2011-01-20, 1 file, -1/+1)
  Fixes: https://fedorahosted.org/freeipa/ticket/812
* Move HBAC services and service groups to cn=hbac (Jan Zeleny, 2011-01-18, 1 file, -21/+21)
  https://fedorahosted.org/freeipa/ticket/762
* Move sudo related data all under cn=sudo (Simo Sorce, 2011-01-17, 2 files, -7/+13)
  Fixes: https://fedorahosted.org/freeipa/ticket/773
* Remove radius options completely. (Simo Sorce, 2011-01-14, 4 files, -590/+0)
  This has been completely abandoned since ipa v1 and is not built by default. Instead of carrying dead weight, let's remove it for now. Fixes: https://fedorahosted.org/freeipa/ticket/761
* Move mep templates under cn=etc (Simo Sorce, 2011-01-14, 2 files, -4/+4)
  Fixes: https://fedorahosted.org/freeipa/ticket/760
* Move Virtual Operations container under cn=etc (Simo Sorce, 2011-01-14, 1 file, -13/+13)
  Fixes: https://fedorahosted.org/freeipa/ticket/759
* Allow using Kerberos credentials with the 'connect' command (Simo Sorce, 2011-01-14, 1 file, -1/+1)
  Now that we can set up GSSAPI authenticated replication we are not tied to using the Directory Manager password to set up replication agreements. Fixes: https://fedorahosted.org/freeipa/ticket/644
* Restrict anonymous tgts (Simo Sorce, 2011-01-12, 1 file, -0/+1)
  Fixes: https://fedorahosted.org/freeipa/ticket/432
* Bugfix for sudo compat cmdcat and deny commands (Jr Aquino, 2011-01-12, 1 file, -2/+2)
  https://fedorahosted.org/freeipa/ticket/742
* fix sudorule runas user/groups https://fedorahosted.org/freeipa/ticket/570 (Jr Aquino, 2011-01-12, 1 file, -0/+1)
* Make ipaDefaultLoginShell use IA5String syntax to match POSIX schema. (Rob Crittenden, 2011-01-11, 1 file, -1/+1)
  ticket 739
* Allow the kdc to write krbExtraData (Rob Crittenden, 2011-01-07, 1 file, -1/+1)
* Don't use Class of Service for account activation, use attribute. (Rob Crittenden, 2011-01-04, 1 file, -38/+0)
  To support group-based account disablement we created a Class of Service where group membership controlled whether an account was active or not. Since we aren't doing group-based account locking, drop that and use nsaccountlock directly. ticket 568
* netgroups created by hostgroups lacked info (Jr Aquino, 2011-01-03, 1 file, -0/+2)
  https://fedorahosted.org/freeipa/ticket/653
* Move permissions and privileges to their own container, cn=pbac,$SUFFIX (Rob Crittenden, 2010-12-22, 3 files, -173/+180)
  ticket 638
* Rework old init and synch commands and use better names. (Simo Sorce, 2010-12-21, 1 file, -0/+4)
  These commands can now be run exclusively on the replica that needs to be resynced or reinitialized, and the --from command must be used to tell from which other replica it will pull data. Fixes: https://fedorahosted.org/freeipa/ticket/626
* Remove referrals when removing agreements (Simo Sorce, 2010-12-21, 2 files, -8/+22)
  Part of this fix requires also giving proper permission to change the replication agreements root. While there, also fix replica-related permissions to have the classic add/modify/remove triplet of permissions. Fixes: https://fedorahosted.org/freeipa/ticket/630
* Remove common entries when deleting a master. (Simo Sorce, 2010-12-21, 1 file, -0/+5)
  Fixes: https://fedorahosted.org/freeipa/ticket/550
* Add replication related acis to all replicas (Simo Sorce, 2010-12-21, 3 files, -12/+12)
  Fixes: https://fedorahosted.org/freeipa/ticket/617
* In meta data make ACI attributes lower-case, sorted. Add possible attributes. (Rob Crittenden, 2010-12-21, 1 file, -2/+2)
  The metadata contains a list of possible attributes that an ACI for that object might need. Add a new variable to hold possible objectclasses for optional elements (like posixGroup for groups). To make the list easier to handle, sort it and make it all lower-case. Fix a couple of missed camel-case attributes in the default ACI list. ticket 641
* sudo: treat mepOriginEntry hostgroups differently (Nalin Dahyabhai, 2010-12-21, 1 file, -1/+2)
  - if a hostgroup named by the memberHost attribute is not also a mepOriginEntry, proceed as before
  - if a hostgroup named by the memberHost attribute is also a mepOriginEntry, read its "cn" attribute, prepend a "+" to it, and call it done
* sudo and netgroup schema compat updates (Nalin Dahyabhai, 2010-12-21, 2 files, -11/+32)
  - fix quoting of netgroup entries
  - don't bother looking for members of netgroups by looking for entries which list "memberOf: $netgroup" -- the netgroup should list them as "member" values
  - use newer slapi-nis functionality to produce cn=sudoers
  - drop the real cn=sudoers container to make room for the compat container
* Change FreeIPA license to GPLv3+ (Jakub Hrozek, 2010-12-20, 1 file, -0/+21)
  The changes include:
  - Change license blobs in source files to mention GPLv3+ not GPLv2 only
  - Add GPLv3+ license text
  - Package COPYING not LICENSE as the license blobs (even the old ones) mention COPYING specifically, it is also more common, I think
  https://fedorahosted.org/freeipa/ticket/239
* Fix delegation.ldif typo (Jakub Hrozek, 2010-12-20, 1 file, -1/+1)
* Don't use camel-case LDAP attributes in ACI and don't clear enrolledBy (Rob Crittenden, 2010-12-17, 2 files, -24/+17)
  We keep LDAP attributes lower-case elsewhere in the API; we should do the same with all access controls. There were two ACIs pointing at the manage_host_keytab permission. This isn't allowed in general, and we have decided separately to not clear out enrolledBy when a host is unenrolled, so dropping it is the obvious thing to do. ticket 597
* Move automount, default HBAC services, netgroup and hostgroup bootstrapping. (Rob Crittenden, 2010-12-17, 1 file, -0/+135)
  There is no need for these to be done as updates, just add these entries to the bootstrapping.
* Fix the change_password permissions and the DNS access controls. (Rob Crittenden, 2010-12-17, 2 files, -5/+29)
  The change_password permission was too broad, limit it to users. The DNS access controls rolled everything into a single ACI. I broke it out into separate ACIs for add, delete and add. I also added a new dns type for the permission plugin. ticket 628
* Fix a slew of tests. (Rob Crittenden, 2010-12-17, 1 file, -2/+2)
  - Skip the DNS tests if DNS isn't configured
  - Add new attributes to user entries (displayname, cn and initials)
  - Make the nsaccountlock value consistent
  - Fix the cert subject for cert tests
* Use nsContainer and not extensibleObject for masters entries (Simo Sorce, 2010-12-15, 1 file, -1/+1)
* managed entry hostgroup netgroup support (Jr Aquino, 2010-12-13, 2 files, -0/+20)
  https://fedorahosted.org/freeipa/ticket/543
* Set labels on all attributes in the config object. (Rob Crittenden, 2010-12-10, 1 file, -1/+1)
  Make the cert subject base read-only. This is here only so replicated servers know their base. ticket 466
* ipaHomesRootDir was changed to an IA5 string, change the matching rule too (Rob Crittenden, 2010-12-08, 1 file, -1/+1)
* Add new parameter type IA5Str and use this to enforce the right charset. (Rob Crittenden, 2010-12-07, 1 file, -1/+1)
  ticket 496
* Provide list of available attributes for use in ACI UI. (Rob Crittenden, 2010-12-03, 1 file, -1/+0)
  Also include flag indicating whether the object is bindable. This will be used to determine if the object can have a selfservice ACI. ticket 446
* Re-implement access control using an updated model. (Rob Crittenden, 2010-12-01, 3 files, -107/+546)
  The new model is based on permissions, privileges and roles. Most importantly it corrects the reverse membership that caused problems in the previous implementation. You add permission to privileges and privileges to roles, not the other way around (even though it works that way behind the scenes). A permission object is a combination of a simple group and an aci. The linkage between the aci and the permission is the description of the permission. This shows as the name/description of the aci. ldap:///self and groups granting groups (v1-style) are not supported by this model (it will be provided separately). This makes the aci plugin internal only. ticket 445
* Enable EntryUSN plugin by default, with global scope (Simo Sorce, 2010-11-30, 2 files, -0/+11)
  This will allow clients to use entryusn values to track what changed in the directory regardless of replication delays. Fixes: https://fedorahosted.org/freeipa/ticket/526
* Reduce the number of attributes a host is allowed to write. (Rob Crittenden, 2010-11-30, 1 file, -2/+6)
  The list of attributes that a host bound as itself could write was overly broad. A host can now only update its description, information about itself such as OS release, etc, its certificate, password and keytab. ticket 416
* Create user private groups with a uniqueid. (Rob Crittenden, 2010-11-30, 1 file, -1/+3)
  If we don't then we need to add it when a group is detached, causing aci issues. I had to move where we create the UPG template until after the DS restart so the schema is available. ticket 542
* Display user and host membership in netgroups. (Rob Crittenden, 2010-11-24, 1 file, -0/+6)
  This uses an enhanced memberof plugin that allows multiple attributes to be configured to create memberOf attributes. tickets 109 and 110
* Autotune directory server to use a greater number of files (Simo Sorce, 2010-11-22, 2 files, -0/+9)
  This changes the system limits for the dirsrv user as well as configuring DS to allow by default 8192 max files and 64 reserved files (for replication indexes, etc..). Fixes: https://fedorahosted.org/freeipa/ticket/464
* id ranges: change DNA configuration (Simo Sorce, 2010-11-22, 5 files, -44/+24)
  Change the way we specify the id ranges to force uid and gid ranges to always be the same. Add option to specify a maximum id. Change DNA configuration to use shared ranges so that masters and replicas can actually share the same overall range in a safe way. Configure replicas so that their default range is depleted. This will force them to fetch a range portion from the master on the first install. fixes: https://fedorahosted.org/freeipa/ticket/198
* Ensure that Apache is running with MPM=Prefork (Jan Zeleny, 2010-11-22, 1 file, -1/+5)
  Script wsgi.py checks if Apache is compiled with MPM=Prefork and if not, it refuses to run. https://fedorahosted.org/freeipa/ticket/252
* Give a detached group a full set of group objectclasses. (Rob Crittenden, 2010-11-19, 1 file, -1/+1)
  The UUID plugin handles adding ipaUniqueId for us as well as the access control for it. ticket 250
* Add managedby to Host entries (Rob Crittenden, 2010-11-19, 1 file, -0/+8)
  This will allow others to provision on behalf of the host. ticket 280
* Revoke a host's certificate (if any) when it is deleted or disabled. (Rob Crittenden, 2010-11-19, 1 file, -1/+1)
  Disable any services when its host is disabled. This also makes displaying the certificate attributes (subject, etc.) a bit more universal and centralized in a single function. ticket 297