summaryrefslogtreecommitdiffstats
path: root/install/share
Commit message (Collapse)AuthorAgeFilesLines
...
* Global DNS optionsMartin Kosek2012-02-241-0/+1
| | | | | | | | | | | | Implement API for DNS global options supported in bind-dyndb-ldap. Currently, global DNS option overrides any relevant option in named.conf. Thus they are not filled by default they are left as a possibility for a user. Bool encoding had to be fixed so that Bool LDAP attribute can also be deleted and not just set to True or False. https://fedorahosted.org/freeipa/ticket/2216
* Update schema for bind-dyndb-ldapMartin Kosek2012-02-241-2/+10
| | | | | | | | | | | Add new attributes and objectclasses to support new features: - global bind-dyndb-ldap settings in LDAP - conditional per-zone forwarding - per-zone configuration of automatic PTR updates - AllowQuery and AllowTransfer ACIs https://fedorahosted.org/freeipa/ticket/2215 https://fedorahosted.org/freeipa/ticket/2072
* Don't allow "Modify Group membership" permission to manage adminsRob Crittenden2012-02-231-1/+1
| | | | | | | | The permission "Modify Group membership" is used to delegate group management responsibilities. We don't want that to include managing the admins group. https://fedorahosted.org/freeipa/ticket/2416
* Limit the change password permission so it can't change admin passwordsRob Crittenden2012-02-201-1/+1
| | | | | | | We don't want those in the helpdesk role to be able to reset administrators passwords. https://fedorahosted.org/freeipa/ticket/2271
* Make ipausers a non-posix group on new installsPetr Viktorin2012-02-191-2/+0
| | | | | | | | | https://fedorahosted.org/freeipa/ticket/2238 It doesn't make a lot of sense for ipausers to be a posix group and we will save a few cycles in compat and sssd by making it non-posix. This is for new installs only.
* Use FQDN in place of FQHN for consistency in sub_dict.Rob Crittenden2012-02-152-3/+3
| | | | | | | For some reason lost to history the sub_dict in dsinstance and cainstance used FQHN instead of FQDN. This made upgrade scripts not work reliably as the variable might be different depending on context. Use FQDN universally instead.
* Update S4U2proxy delegation list when creating replicasRob Crittenden2012-02-152-0/+10
|
* Don't set delegation flag in client, we're using S4U2Proxy nowRob Crittenden2012-02-151-1/+1
| | | | | | | | | | | | A forwardable ticket is still required but we no longer need to send the TGT to the IPA server. A new flag, --delegate, is available if the old behavior is required. Set the minimum n-v-r for mod_auth_kerb and krb5-server to pick up needed patches for S4U2Proxy to work. https://fedorahosted.org/freeipa/ticket/1098 https://fedorahosted.org/freeipa/ticket/2246
* Add LDAP ACIs for SSH public key schema.Jan Cholasta2012-02-132-0/+21
| | | | https://fedorahosted.org/freeipa/ticket/754
* Add LDAP schema for SSH public keys.Jan Cholasta2012-02-132-0/+6
| | | | https://fedorahosted.org/freeipa/ticket/754
* Remove delegation from browser configAdam Young2012-02-071-1/+0
|
* Configure s4u2proxy during installation.Rob Crittenden2012-01-101-0/+22
| | | | | | | | | | | | This creates a new container, cn=s4u2proxy,cn=etc,$SUFFIX Within that container we control which services are allowed to delegate tickets for other services. Right now that is limited from the IPA HTTP to ldap services. Requires a version of mod_auth_kerb that supports s4u2proxy https://fedorahosted.org/freeipa/ticket/1098
* Add SELinux user mapping framework.Rob Crittenden2011-12-093-1/+20
| | | | | | | | This will allow one to define what SELinux context a given user gets on a given machine. A rule can contain a set of users and hosts or it can point to an existing HBAC rule that defines them. https://fedorahosted.org/freeipa/ticket/755
* ipa-kdb: Delegation ACL schemaSimo Sorce2011-12-081-0/+5
|
* Remove extraneous trailing single quote in nis.uldifRob Crittenden2011-12-051-1/+1
|
* Add ipasam samba passdb backendSumit Bose2011-12-061-1/+1
| | | | https://fedorahosted.org/freeipa/ticket/1874
* Add trust objectclass and attributes to v3 schemaSumit Bose2011-12-061-0/+10
|
* Add NT domain GUID attribute.Simo Sorce2011-11-211-1/+2
| | | | | We need this to be able to re-set it, as ipaUniqueID cannot be arbitraily set to a value. Only needed for the domain object.
* Fix nis netgroup config entry so users appear in netgroup triple.Rob Crittenden2011-10-271-1/+1
| | | | https://fedorahosted.org/freeipa/ticket/2028
* Remove more redundant configuration values from krb5.conf.Jan Cholasta2011-10-111-6/+0
| | | | ticket 1358
* Fix DNS permissions and membership in privilegesRob Crittenden2011-10-091-23/+23
| | | | | | | | | | | | | This resolves two issues: 1. The DNS acis lacked a prefix so weren't tied to permissions 2. The permissions were added before the privileges so the member values weren't calculated properly For updates we need to add in the members and recalculate memberof via a DS task. https://fedorahosted.org/freeipa/ticket/1898
* list users from nested groups, tooNalin Dahyabhai2011-10-051-1/+1
|
* Fix typo in v3 base schemaSumit Bose2011-09-211-3/+3
|
* Update samba LDAP schemaSumit Bose2011-09-201-1/+39
| | | | | | The samba LDAP schema is updated to the lastest version available from the samba source code to be able to use the new trust related object class and attributes.
* schema: Add new attributes and objectclasses for AD TrustsSimo Sorce2011-09-201-2/+13
|
* Add ipa-adtrust-install utilitySumit Bose2011-09-142-0/+29
| | | | https://fedorahosted.org/freeipa/ticket/1619
* The precendence on the modrdn plugin was set in the wrong location.Rob Crittenden2011-09-131-1/+0
| | | | https://fedorahosted.org/freeipa/ticket/1370
* Move Managed Entries into their own container in the replicated space.Jr Aquino2011-09-125-6/+30
| | | | | | | | | | | | | | Repoint cn=Managed Entries,cn=plugins,cn=config in common_setup Create: cn=Managed Entries,cn=etc,$SUFFIX Create: cn=Definitions,cn=Managed Entries,cn=etc,$SUFFIX Create: cn=Templates,cn=Managed Entries,cn=etc,$SUFFIX Create method for dynamically migrating any and all custom Managed Entries from the cn=config space into the new container. Separate the connection creation during update so that a restart can be performed to initialize changes before performing a delete. Add wait_for_open_socket() method in installutils https://fedorahosted.org/freeipa/ticket/1708
* Let Bind track data changesMartin Kosek2011-08-311-0/+2
| | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | Integrate new bind-dyndb-ldap features to automatically track DNS data changes: 1) Zone refresh Set --zone-refresh in installation to define number of seconds between bind-dyndb-ldap polls for new DNS zones. User now doesn't have to restart name server when a new zone is added. 2) New zone notifications Use LDAP persistent search mechanism to immediately get notification when any new DNS zone is added. Use --zone-notif install option to enable. This option is mutually exclusive with Zone refresh. To enable this functionality in existing IPA installations, update a list of arguments for bind-dyndb-ldap in /etc/named.conf. An example when zone refresh is disabled and DNS data change notifications (argument psearch of bind-dyndb-ldap) are enabled: dynamic-db "ipa" { ... arg "zone_refresh 0"; arg "psearch yes"; }; This patch requires bind-dyndb-ldap-1.0.0-0.1.b1 or later. https://fedorahosted.org/freeipa/ticket/826
* 34 Create FreeIPA CLI Plugin for the 389 Auto Membership pluginJr Aquino2011-08-313-0/+42
| | | | | | | | | | | | Added new container in etc to hold the automembership configs. Modified constants to point to the new container Modified dsinstance to create the container Created automember.py to add the new commands Added xmlrpc test to verify functionality Added minor fix to user.py for constant behavior between memberof and automember https://fedorahosted.org/freeipa/ticket/1272
* v3-schema: Add new ipaExternalGroup objectclassSimo Sorce2011-08-262-0/+9
| | | | | | | | This construct allows to have a group of ipaExternalMember attributes, that can be nested in a normal ipa Group ('memberOf' is allowed). It cannot contain normal ipa users/groups and cannot be nested with another group of the same type ('member' is not allowed).
* schema: Split ipadns definitions from basev2 onesSimo Sorce2011-08-263-42/+47
|
* install: Use proper case for boolean valuesSimo Sorce2011-08-261-2/+2
|
* install: Remove uid=kdc userSimo Sorce2011-08-262-15/+0
| | | | | The ipadb DAL driver gets access to the ldap server as Directory Manager now so this user is not needed anymore.
* ipa-kdb: Change install to use the new ipa-kdb kdc backendSimo Sorce2011-08-266-56/+40
| | | | | | Use ipakdb instead of kldap and change install procedures accordingly Note that we do not need to store the master key in a keytab as we can read it off of ldap in our driver.
* Change the way has_keytab is determined, also check for password.Rob Crittenden2011-08-241-0/+8
| | | | | | | | | | | | | | | | | | | | We need an indicator to see if a keytab has been set on host and service entries. We also need a way to know if a one-time password is set on a host. This adds an ACI that grants search on userPassword and krbPrincipalKey so we can do an existence search on them. This way we can tell if the attribute is set and create a fake attribute accordingly. When a userPassword is set on a host a keytab is generated against that password so we always set has_keytab to False if a password exists. This is fine because when keytab gets generated for the host the password is removed (hence one-time). This adds has_keytab/has_password to the user, host and service plugins. ticket https://fedorahosted.org/freeipa/ticket/1538
* Fixed browser configuration pagesEndi S. Dewata2011-08-171-2/+5
| | | | | | | The browser configuration pages have been modified to improve the content and appearance. Ticket #1624
* Redirection after changing browser configurationPetr Vobornik2011-08-081-0/+29
| | | | | | | | https://fedorahosted.org/freeipa/ticket/1502 Added redirection link. CSS styling of configuration page. Some CSS cleaning.
* Set the ipa-modrdn plugin precedence to 60 so it runs lastRob Crittenden2011-07-171-0/+1
| | | | | | | | The default precedence for plugins is 50 and the run in more or less alphabetical order (but not guaranteed). This plugin needs to run after the others have already done their work. https://fedorahosted.org/freeipa/ticket/1370
* Disallow direct modifications to enrolledBy.Rob Crittenden2011-07-141-2/+4
| | | | | | | | | | This fixes a regression. We don't need to allow enrolledBy to be modified because it gets written in the ipa_enrollment plugin which does internal operations so bypasses acis. https://fedorahosted.org/freeipa/ticket/302
* Remove redundant configuration values from krb5.conf.Jan Cholasta2011-06-281-3/+0
| | | | ticket 1358
* Allow recursion by defaultMartin Kosek2011-06-271-0/+3
| | | | | | | Update name server configuration file to allow any host to issue recursive queries (allow-recursion statement). https://fedorahosted.org/freeipa/ticket/1335
* Remove root autobind search restriction, fix upgrade logging & error handling.Rob Crittenden2011-06-131-5/+0
| | | | | | | | | | | | | | | There was no point in limiting autobind root to just search cn=config since it could always just modify its way out of the box, so remove the restriction. The upgrade log wasn't being created. Clearing all other loggers before we calling logging.basicConfig() fixes this. Add a global exception when performing updates so we can gracefully catch and log problems without leaving the server in a bad state. https://fedorahosted.org/freeipa/ticket/1243 https://fedorahosted.org/freeipa/ticket/1254
* Configure Managed Entries on replicas.Rob Crittenden2011-05-252-0/+4
| | | | | | | | | | | The Managed Entries plugin configurations weren't being created on replica installs. The templates were there but the cn=config portions were not. This patch adds them as updates. The template portion will be added in the initial replication. ticket 1222
* 28 One Liner: Typo in host_nis_groups has been creating 2 CN'sJr Aquino2011-05-251-1/+1
|
* A new flag to disable creation of UPGMartin Kosek2011-05-251-1/+1
| | | | | | | | Automatic creation may of User Private Groups (UPG) may not be wanted at all times. This patch adds a new flag --noprivate to ipa user-add command to disable it. https://fedorahosted.org/freeipa/ticket/1131
* Wait for memberof task and DS to start before proceeding in installation.Rob Crittenden2011-04-221-0/+2
| | | | | | | | | | | | | This was causing a replica DS instance to crash if the task was not completed when we attempted a shutdown to do a restart. In replication.py we were restarting the DS instance without waiting for the ports to become available. It is unlikely that the dn of the memberof task will change but just in case I noted it in the two places it is referenced. ticket 1188
* The default groups we create should have ipaUniqueId setRob Crittenden2011-04-151-0/+6
| | | | | | | | This adds a new directive to ipa-ldap-updater: addifnew. This will add a new attribute only if it doesn't exist in the current entry. We can't compare values because the value we are adding is automatically generated. ticket 1177
* Fix ORDERING in some attributetypes and remove other unnecessary elements.Rob Crittenden2011-04-051-20/+20
| | | | | | | | | | | Looking at the schema in 60basev2.ldif there were many attributes that did not have an ORDERING matching rule specified correctly. There were also a number of attributeTypes that should have been just SUP distinguishedName that had a combination of SUP, SYNTAX, ORDERING, etc. This requires 389-ds-base-1.2.8.0-1+ ticket 1153
* Store list of non-master replicas in DIT and provide way to list themSimo Sorce2011-03-021-0/+6
| | | | Fixes: https://fedorahosted.org/freeipa/ticket/1007
generated by cgit (git 2.34.1) at 2025-09-04 09:56:29 +0000