| Commit message (Collapse) | Author | Age | Files | Lines |
... | |
|
|
|
| |
ticket 638
|
|
|
|
|
|
|
|
| |
These commands can now be run exclusively o the replica that needs to be
resynced or reinitialized and the --from command must be used to tell from
which other replica it can will pull data.
Fixes: https://fedorahosted.org/freeipa/ticket/626
|
|
|
|
|
|
|
|
|
| |
Part of this fix requires also giving proper permission to change the
replication agreements root.
While there also fix replica-related permissions to have the classic
add/modify/remove triplet of permissions.
Fixes: https://fedorahosted.org/freeipa/ticket/630
|
|
|
|
| |
Fixes: https://fedorahosted.org/freeipa/ticket/550
|
|
|
|
| |
Fixes: https://fedorahosted.org/freeipa/ticket/617
|
|
|
|
|
|
|
|
|
|
|
|
| |
The metadata contains a list of possible attributes that an ACI for that
object might need. Add a new variable to hold possible objectclasses for
optional elements (like posixGroup for groups).
To make the list easier to handle sort it and make it all lower-case.
Fix a couple of missed camel-case attributes in the default ACI list.
ticket 641
|
|
|
|
| |
the memberHost attribute is not also a mepOriginEntry, proceed as before - if a hostgroup named by the memberHost attribute is also a mepOriginEntry, read its "cn" attribute, prepend a "+" to it, and call it done
|
|
|
|
| |
don't bother looking for members of netgroups by looking for entries which list "memberOf: $netgroup" -- the netgroup should list them as "member" values - use newer slapi-nis functionality to produce cn=sudoers - drop the real cn=sudoers container to make room for the compat container
|
|
|
|
|
|
|
|
|
|
| |
The changes include:
* Change license blobs in source files to mention GPLv3+ not GPLv2 only
* Add GPLv3+ license text
* Package COPYING not LICENSE as the license blobs (even the old ones)
mention COPYING specifically, it is also more common, I think
https://fedorahosted.org/freeipa/ticket/239
|
| |
|
|
|
|
|
|
|
|
|
|
|
|
| |
We keep LDAP attributes lower-case elsewhere in the API we should do the
same with all access controls.
There were two ACIs pointing at the manage_host_keytab permission. This
isn't allowed in general and we have decided separately to not clear out
enrolledBy when a host is unenrolled so dropping it is the obvious thing
to do.
ticket 597
|
|
|
|
|
| |
There is no need for these to be done as updates, just add these entries
to the bootstrapping.
|
|
|
|
|
|
|
|
|
|
| |
The change_password permission was too broad, limit it to users.
The DNS access controls rolled everything into a single ACI. I broke
it out into separate ACIs for add, delete and add. I also added a new
dns type for the permission plugin.
ticket 628
|
|
|
|
|
|
|
| |
- Skip the DNS tests if DNS isn't configured
- Add new attributes to user entries (displayname, cn and initials)
- Make the nsaccountlock value consistent
- Fix the cert subject for cert tests
|
| |
|
|
|
|
| |
https://fedorahosted.org/freeipa/ticket/543
|
|
|
|
|
|
|
| |
Make the cert subject base read-only. This is here only so replicated servers
know their base.
ticket 466
|
| |
|
|
|
|
| |
ticket 496
|
|
|
|
|
|
|
| |
Also include flag indicating whether the object is bindable. This will
be used to determine if the object can have a selfservice ACI.
ticket 446
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
| |
The new model is based on permssions, privileges and roles.
Most importantly it corrects the reverse membership that caused problems
in the previous implementation. You add permission to privileges and
privileges to roles, not the other way around (even though it works that
way behind the scenes).
A permission object is a combination of a simple group and an aci.
The linkage between the aci and the permission is the description of
the permission. This shows as the name/description of the aci.
ldap:///self and groups granting groups (v1-style) are not supported by
this model (it will be provided separately).
This makes the aci plugin internal only.
ticket 445
|
|
|
|
|
|
|
| |
This will allow clients to use entryusn values to track what changed in the
directory regardles of replication delays.
Fixes: https://fedorahosted.org/freeipa/ticket/526
|
|
|
|
|
|
|
|
|
|
| |
The list of attributes that a host bound as itself could write was
overly broad.
A host can now only update its description, information about itself
such as OS release, etc, its certificate, password and keytab.
ticket 416
|
|
|
|
|
|
|
|
|
|
| |
If we don't then we need to add it when a group is detached causing
aci issues.
I had to move where we create the UPG template until after the DS
restart so the schema is available.
ticket 542
|
|
|
|
|
|
|
| |
This uses an enhanced memberof plugin that allows multiple attributes
to be configured to create memberOf attributes.
tickets 109 and 110
|
|
|
|
|
|
|
|
| |
This changes the system limits for the dirsrv user as well as
configuring DS to allow by default 8192 max files and 64 reserved
files (for replication indexes, etc..).
Fixes: https://fedorahosted.org/freeipa/ticket/464
|
|
|
|
|
|
|
|
|
|
|
|
|
| |
Change the way we specify the id ranges to force uid and gid ranges to always
be the same. Add option to specify a maximum id.
Change DNA configuration to use shared ranges so that masters and replicas can
actually share the same overall range in a safe way.
Configure replicas so that their default range is depleted. This will force
them to fetch a range portion from the master on the first install.
fixes: https://fedorahosted.org/freeipa/ticket/198
|
|
|
|
|
|
|
| |
Script wsgi.py checks if Apache is compiled with MPM=Prefork
and if not, it refuses to run.
https://fedorahosted.org/freeipa/ticket/252
|
|
|
|
|
|
|
| |
The UUID plugin handles adding ipaUniqueId for us as well as the access
control for it.
ticket 250
|
|
|
|
|
|
| |
This will allow others to provision on behalf of the host.
ticket 280
|
|
|
|
|
|
|
|
|
| |
Disable any services when its host is disabled.
This also adds displaying the certificate attributes (subject, etc)
a bit more universal and centralized in a single function.
ticket 297
|
| |
|
|
|
|
|
| |
This patch adds support only for the selfsign case.
Replica support is also still missing at this stage.
|
|
|
|
| |
ticket 434
|
| |
|
|
|
|
|
|
| |
This meant that the compat sudo schema was not available.
ticket 439
|
| |
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
| |
This lets the KDC count password failures and can lock out accounts for
a period of time. This only works for KDC >= 1.8.
There currently is no way to unlock a locked account across a replica. MIT
Kerberos 1.9 is adding support for doing so. Once that is available unlock
will be added.
The concept of a "global" password policy has changed. When we were managing
the policy using the IPA password plugin it was smart enough to search up
the tree looking for a policy. The KDC is not so smart and relies on the
krbpwdpolicyreference to find the policy. For this reason every user entry
requires this attribute. I've created a new global_policy entry to store
the default password policy. All users point at this now. The group policy
works the same and can override this setting.
As a result the special "GLOBAL" name has been replaced with global_policy.
This policy works like any other and is the default if a name is not
provided on the command-line.
ticket 51
|
|
|
|
| |
ticket 389
|
|
|
|
|
|
|
| |
This should make renamed users able to keep using old credentials as the salt
is not derived from the principal name but is always a random quantity.
https://fedorahosted.org/freeipa/ticket/412
|
|
|
|
| |
merge in remove uuid
|
| |
|
|
|
|
|
|
| |
* Fixed comments
* Added attribute
* Fixed objectclass
|
|
|
|
|
|
|
|
|
|
|
|
|
|
| |
serverHostName because this is tied to the FQDN so should only be changed
on a host rename (which we don't do).
memberOf because the plugin should do this. Directly manging this attribute
would be pretty dangerous and confusing.
Also remove a redundant aci granting the admins group write access to
users and groups. They have it with through the "admins can modify any
entry" aci.
tickets 300, 304
|
| |
|
| |
|
| |
|
|
|
|
|
|
|
| |
One typo was mis-spelling the admins group name
The second was an extraneous 'aci' in the name of two acis.
ticket 335
|
|
|
|
|
|
| |
By default LM hash is disabled.
Of course generation still depends on whether the SamAccount objectclass is
present in the user object.
|
|
|
|
|
|
| |
Helps when you need to add random snippets of config that really do not deserve
a full atttribute, but are still something you want to put in LDAP and have
replicated.
|