path: root/install/share
Commit message (Author, Age, Files, Lines)
* 34 Create FreeIPA CLI Plugin for the 389 Auto Membership plugin (Jr Aquino, 2011-08-31, 3 files, -0/+42)
| Added new container in etc to hold the automembership configs.
| Modified constants to point to the new container
| Modified dsinstance to create the container
| Created automember.py to add the new commands
| Added xmlrpc test to verify functionality
| Added minor fix to user.py for constant behavior between memberof and automember
| https://fedorahosted.org/freeipa/ticket/1272
* Change the way has_keytab is determined, also check for password. (Rob Crittenden, 2011-08-24, 1 file, -0/+8)
| We need an indicator to see if a keytab has been set on host and service entries. We also need a way to know if a one-time password is set on a host. This adds an ACI that grants search on userPassword and krbPrincipalKey so we can do an existence search on them. This way we can tell if the attribute is set and create a fake attribute accordingly. When a userPassword is set on a host a keytab is generated against that password so we always set has_keytab to False if a password exists. This is fine because when keytab gets generated for the host the password is removed (hence one-time). This adds has_keytab/has_password to the user, host and service plugins.
| ticket https://fedorahosted.org/freeipa/ticket/1538
* Fixed browser configuration pages (Endi S. Dewata, 2011-08-17, 1 file, -2/+5)
| The browser configuration pages have been modified to improve the content and appearance.
| Ticket #1624
* Redirection after changing browser configuration (Petr Vobornik, 2011-08-08, 1 file, -0/+29)
| https://fedorahosted.org/freeipa/ticket/1502
| Added redirection link.
| CSS styling of configuration page.
| Some CSS cleaning.
* Set the ipa-modrdn plugin precedence to 60 so it runs last (Rob Crittenden, 2011-07-17, 1 file, -0/+1)
| The default precedence for plugins is 50 and they run in more or less alphabetical order (but not guaranteed). This plugin needs to run after the others have already done their work.
| https://fedorahosted.org/freeipa/ticket/1370
* Disallow direct modifications to enrolledBy. (Rob Crittenden, 2011-07-14, 1 file, -2/+4)
| This fixes a regression. We don't need to allow enrolledBy to be modified because it gets written in the ipa_enrollment plugin which does internal operations so bypasses acis.
| https://fedorahosted.org/freeipa/ticket/302
* Remove redundant configuration values from krb5.conf. (Jan Cholasta, 2011-06-28, 1 file, -3/+0)
| ticket 1358
* Allow recursion by default (Martin Kosek, 2011-06-27, 1 file, -0/+3)
| Update name server configuration file to allow any host to issue recursive queries (allow-recursion statement).
| https://fedorahosted.org/freeipa/ticket/1335
* Remove root autobind search restriction, fix upgrade logging & error handling. (Rob Crittenden, 2011-06-13, 1 file, -5/+0)
| There was no point in limiting autobind root to just search cn=config since it could always just modify its way out of the box, so remove the restriction.
| The upgrade log wasn't being created. Clearing all other loggers before calling logging.basicConfig() fixes this.
| Add a global exception when performing updates so we can gracefully catch and log problems without leaving the server in a bad state.
| https://fedorahosted.org/freeipa/ticket/1243
| https://fedorahosted.org/freeipa/ticket/1254
* Configure Managed Entries on replicas. (Rob Crittenden, 2011-05-25, 2 files, -0/+4)
| The Managed Entries plugin configurations weren't being created on replica installs. The templates were there but the cn=config portions were not. This patch adds them as updates. The template portion will be added in the initial replication.
| ticket 1222
* 28 One Liner: Typo in host_nis_groups has been creating 2 CN's (Jr Aquino, 2011-05-25, 1 file, -1/+1)
* A new flag to disable creation of UPG (Martin Kosek, 2011-05-25, 1 file, -1/+1)
| Automatic creation of User Private Groups (UPG) may not be wanted at all times. This patch adds a new flag --noprivate to ipa user-add command to disable it.
| https://fedorahosted.org/freeipa/ticket/1131
* Wait for memberof task and DS to start before proceeding in installation. (Rob Crittenden, 2011-04-22, 1 file, -0/+2)
| This was causing a replica DS instance to crash if the task was not completed when we attempted a shutdown to do a restart. In replication.py we were restarting the DS instance without waiting for the ports to become available. It is unlikely that the dn of the memberof task will change but just in case I noted it in the two places it is referenced.
| ticket 1188
* The default groups we create should have ipaUniqueId set (Rob Crittenden, 2011-04-15, 1 file, -0/+6)
| This adds a new directive to ipa-ldap-updater: addifnew. This will add a new attribute only if it doesn't exist in the current entry. We can't compare values because the value we are adding is automatically generated.
| ticket 1177
* Fix ORDERING in some attributetypes and remove other unnecessary elements. (Rob Crittenden, 2011-04-05, 1 file, -20/+20)
| Looking at the schema in 60basev2.ldif there were many attributes that did not have an ORDERING matching rule specified correctly. There were also a number of attributeTypes that should have been just SUP distinguishedName that had a combination of SUP, SYNTAX, ORDERING, etc.
| This requires 389-ds-base-1.2.8.0-1+
| ticket 1153
* Store list of non-master replicas in DIT and provide way to list them (Simo Sorce, 2011-03-02, 1 file, -0/+6)
| Fixes: https://fedorahosted.org/freeipa/ticket/1007
* Use Sudo rather than SUDO as a label. (Rob Crittenden, 2011-03-01, 1 file, -3/+3)
| ticket 1005
* Fix replica setup using replication admin kerberos credentials (Simo Sorce, 2011-03-01, 1 file, -0/+5)
| Fixes: https://fedorahosted.org/freeipa/ticket/1022
* Create default disabled sudo bind user (Jr Aquino, 2011-02-23, 2 files, -0/+10)
| Read access is denied to the sudo container for unauthenticated users. This shared user can be used to provide authenticated access to the sudo information.
| https://fedorahosted.org/freeipa/ticket/998
* Entitlements ACIs not visible to Permission plugin (Martin Kosek, 2011-02-22, 1 file, -3/+6)
| This patch fixes Entitlements privileges and ACIs. There were missing descriptions or the ACIs could not be processed by Permission plugin because of missing prefix.
| https://fedorahosted.org/freeipa/ticket/997
* Add default roles and permissions for HBAC, SUDO and pw policy (Rob Crittenden, 2011-02-22, 1 file, -1/+1)
| Created some default roles as examples. In doing so I realized that we were completely missing default rules for HBAC, SUDO and password policy so I added those as well. I ran into a problem when the updater has a default record and an add at the same time, it should handle it better now.
| ticket 585
* Browser configuration support for Firefox 4 (Martin Kosek, 2011-02-17, 1 file, -12/+32)
| Support of navigator.preferences that is used to access browser configuration was dropped in Firefox 4. This disables automatic configuration of user preferences in this browser that is needed to use Kerberos single sign-on. This patch detects a lack of this interface and tries to configure the browser using new Services module introduced in Gecko 2 (used in Firefox 4, SeaMonkey 2.1).
| https://fedorahosted.org/freeipa/ticket/975
* Updated default Kerberos password policy (Jan Zeleny, 2011-02-16, 1 file, -2/+2)
| https://fedorahosted.org/freeipa/ticket/930
* Fixed cn attribute in ipaUniqueID uniqueness config. (Endi S. Dewata, 2011-02-16, 1 file, -1/+1)
* Fine tuning DNS options (Jakub Hrozek, 2011-02-14, 1 file, -2/+3)
| Add pointer to self to /etc/hosts to avoid chicken/egg problems when restarting DNS. On servers set both dns_lookup_realm and dns_lookup_kdc to false so we don't attempt to do any resolving. Leave it to true on clients. Set rdns to false on both server and client.
| https://fedorahosted.org/freeipa/ticket/931
* drop the group.upg NIS map (Nalin Dahyabhai, 2011-02-14, 1 file, -12/+0)
| The group.upg NIS map was an experiment in providing UPG groups dynamically, and is not one of the maps that I'd ever expect a NIS client to "know" to search. We should probably just drop it.
* Make main selfservice aci visible to the selfservice plugin. (Rob Crittenden, 2011-02-10, 1 file, -2/+2)
| ticket 934
* IPv6 enhancements (Jakub Hrozek, 2011-02-02, 1 file, -0/+3)
| * Make host-add, host-del and reverse zone creation IPv6 aware
| * Make Bind listen on IPv6 interfaces, too
| https://fedorahosted.org/freeipa/ticket/398
* Add support for tracking and counting entitlements (Rob Crittenden, 2011-02-02, 3 files, -19/+46)
| Adds a plugin, entitle, to register to the entitlement server, consume entitlements and to count and track them. It is also possible to import an entitlement certificate (if for example the remote entitlement server is unavailable).
| This uses the candlepin server from https://fedorahosted.org/candlepin/wiki for entitlements.
| Add a cron job to validate the entitlement status and syslog the results.
| tickets 28, 79, 278
* Add new schema to store information about permissions. (Rob Crittenden, 2011-02-01, 2 files, -0/+51)
| There are some permissions we can't display because they are stored outside of the basedn (such as the replication permissions). We are adding a new attribute to store extra information to make this clear, in this case SYSTEM.
| ticket 853
* Rename permissions and privileges to be more readable. (Rob Crittenden, 2011-01-31, 3 files, -261/+216)
| This also drops description from permissions since it seems redundant and fixes up the help text a little.
| ticket 792
* Address entryusn initialization on replica installation (Simo Sorce, 2011-01-28, 1 file, -0/+5)
| Fixes: https://fedorahosted.org/freeipa/ticket/637
* Put some safeguards against misconfiguration on the kdc account (Simo Sorce, 2011-01-28, 1 file, -0/+2)
| Ticket: https://fedorahosted.org/freeipa/ticket/862
* modifyprivilegemembership permission has nestedgroup OC (Martin Kosek, 2011-01-28, 1 file, -1/+1)
| modifyprivilegemembership permission object class in LDAP should be groupofnames, not nestedgroup.
| https://fedorahosted.org/freeipa/ticket/858
* Add support for account unlocking (Jan Zeleny, 2011-01-28, 3 files, -2/+14)
| This patch adds command ipa user-unlock and some LDAP modifications which are required by Kerberos for unlocking to work.
| Ticket: https://fedorahosted.org/freeipa/ticket/344
* block anonymous access to sudo info https://fedorahosted.org/freeipa/ticket/865 (Jr Aquino, 2011-01-27, 1 file, -0/+6)
* ACI plugin supports prefixes (Martin Kosek, 2011-01-26, 3 files, -48/+48)
| When more than one plugin produces ACIs, they share a common namespace of ACI names. This may lead to name collisions between the ACIs from different plugins.
| This patch introduces a mandatory "prefix" attribute for non-find ACI operations which allows plugins to use their own prefixes (i.e. namespaces) which is then used when a name of the ACI is generated.
| Permission, Delegation and Selfservice plugins have been updated to use their own prefixes thus avoiding name collisions by using their own namespaces. Default ACIs in LDIFs have been updated to follow this new policy.
| Permission plugin now uses its CN (=primary key) instead of description in ACI names as Description may not be unique.
| This change requires an IPA server reinstall since the default ACI set has been changed.
| https://fedorahosted.org/freeipa/ticket/764
* Enforce uniqueness on (key,info) pairs in automount keys (Jakub Hrozek, 2011-01-25, 1 file, -1/+2)
| https://fedorahosted.org/freeipa/ticket/293
* Block anonymous access to HBAC, role and some member information. (Rob Crittenden, 2011-01-24, 2 files, -0/+11)
| Prevents an unauthenticated user from accessing HBAC and role information as well as memberof which could disclose roles, memberships in HBAC, etc.
| ticket 811
* Allow SASL/EXTERNAL authentication for the root user (Simo Sorce, 2011-01-20, 2 files, -0/+25)
| This gives the root user low privileges so that when anonymous searches are denied the init scripts can still search the directory via ldapi to get the list of services to start.
| Fixes: https://fedorahosted.org/freeipa/ticket/795
* Make krb5kdc use the ldapi socket to talk to dirsrv (Simo Sorce, 2011-01-20, 1 file, -1/+1)
| Fixes: https://fedorahosted.org/freeipa/ticket/812
* Move HBAC services and service groups to cn=hbac (Jan Zeleny, 2011-01-18, 1 file, -21/+21)
| https://fedorahosted.org/freeipa/ticket/762
* Move sudo related data all under cn=sudo (Simo Sorce, 2011-01-17, 2 files, -7/+13)
| Fixes: https://fedorahosted.org/freeipa/ticket/773
* Remove radius options completely. (Simo Sorce, 2011-01-14, 4 files, -590/+0)
| This has been completely abandoned since ipa v1 and is not built by default. Instead of carrying dead weight, let's remove it for now.
| Fixes: https://fedorahosted.org/freeipa/ticket/761
* Move mep templates under cn=etc (Simo Sorce, 2011-01-14, 2 files, -4/+4)
| Fixes: https://fedorahosted.org/freeipa/ticket/760
* Move Virtual Operations container under cn=etc (Simo Sorce, 2011-01-14, 1 file, -13/+13)
| Fixes: https://fedorahosted.org/freeipa/ticket/759
* Allow using Kerberos credentials with the 'connect' command (Simo Sorce, 2011-01-14, 1 file, -1/+1)
| Now that we can setup GSSAPI authenticated replication we are not tied to use the Directory Manager password to set up replication agreements.
| Fixes: https://fedorahosted.org/freeipa/ticket/644
* Restrict anonymous tgts (Simo Sorce, 2011-01-12, 1 file, -0/+1)
| Fixes: https://fedorahosted.org/freeipa/ticket/432
* Bugfix for sudo compat cmdcat and deny commands (Jr Aquino, 2011-01-12, 1 file, -2/+2)
| https://fedorahosted.org/freeipa/ticket/742
* fix sudorule runas user/groups https://fedorahosted.org/freeipa/ticket/570 (Jr Aquino, 2011-01-12, 1 file, -0/+1)