summaryrefslogtreecommitdiffstats
path: root/install/updates
Commit message (Collapse)AuthorAgeFilesLines
* Use exop instead of kadmin.localSumit Bose2012-06-111-1/+1
|
* Add trust-related ACIsAlexander Bokovoy2012-06-071-0/+36
| | | | | | | | | A high-level description of the design and ACIs for trusts is available at https://www.redhat.com/archives/freeipa-devel/2011-December/msg00224.html and https://www.redhat.com/archives/freeipa-devel/2011-December/msg00248.html Ticket #1731
* Perform case-insensitive searches for principals on TGS requestsAlexander Bokovoy2012-06-071-0/+2
| | | | | | | | | | We want to always resolve TGS requests even if the user mistakenly sends a request for a service ticket where the fqdn part contain upper case letters. The actual implementation follows hints set by KDC. When AP_REQ is done, KDC sets KRB5_FLAG_ALIAS_OK and we obey it when looking for principals on TGS requests. https://fedorahosted.org/freeipa/ticket/1577
* Add separate attribute to store trusted domain SIDAlexander Bokovoy2012-06-073-0/+40
| | | | | | | | | | | We need two attributes in the ipaNTTrustedDomain objectclass to store different kind of SID. Currently ipaNTSecurityIdentifier is used to store the Domain-SID of the trusted domain. A second attribute is needed to store the SID for the trusted domain user. Since it cannot be derived safely from other values and since it does not make sense to create a separate object for the user a new attribute is needed. https://fedorahosted.org/freeipa/ticket/2191
* permission-find missed some results with --pkey-only optionMartin Kosek2012-06-011-0/+6
| | | | | | | | | | | | | When permission-find post callback detected a --pkey-only option, it just terminated. However, this way the results that could have been added from aci_find matches were not included. Fix the post callback to go through the entire matching process. Also make sure that DNS permissions have a correct objectclass (ipapermission), otherwise such objects are not matched by the permission LDAP search. https://fedorahosted.org/freeipa/ticket/2658
* - add a pair of ethers maps for computers with hardware addresses on fileNalin Dahyabhai2012-04-261-0/+23
|
* - create a "cn=computers" compat area populated with ieee802Device entries ↵Nalin Dahyabhai2012-04-261-0/+15
| | | | corresponding to computers with fqdn and macAddress attributes
* - index the fqdn and macAddress attributes for the sake of the compat pluginNalin Dahyabhai2012-04-261-0/+16
|
* Return consistent value when hostcat and usercat is all.Rob Crittenden2012-04-082-0/+10
| | | | | | | | | | We were returning '' for the first entry when hostcat and usercat were set to all. All subsequent entries were padded with - which effectively denied access. This requires slapi-nis 0.40+ https://fedorahosted.org/freeipa/ticket/2192
* Amend permissions for new DNS attributesMartin Kosek2012-03-251-0/+4
| | | | | | | | | | | | New features in bind-dyndb-ldap and IPA DNS plugin pulled new attributes and objectclasses. ACIs and permissions need to be updated to allow users with appropriate permissions update these attributes in LDAP. This patch updates the ACI for DNS record updates and adds one new permission to update global DNS configuration. https://fedorahosted.org/freeipa/ticket/2510
* Set nsslapd-minssf-exclude-rootdse to on so the DSE is always available.Rob Crittenden2012-03-261-0/+4
| | | | | | | | If minssf is set in configuration and this is not set then clients won't be able to detect the available namingContexts, defaultNamingContext, capabilities, etc. https://fedorahosted.org/freeipa/ticket/2542
* Fix nsslapd-anonlimitsdn dn in cn=configRob Crittenden2012-03-131-1/+1
| | | | | | | | | The dn value needs to be quoted otherwise it is interpreted to be a multi-value. This will replace whatever value is currently set. https://fedorahosted.org/freeipa/ticket/2452
* Add support for sudoOrderRob Crittenden2012-03-011-0/+2
| | | | | | | | | | Update ipaSudoRule objectClass on upgrades to add new attributes. Ensure uniqueness of sudoOrder in rules. The attributes sudoNotBefore and sudoNotAfter are being added to schema but not as Params. https://fedorahosted.org/freeipa/ticket/1314
* Fix nested netgroups in NIS.Rob Crittenden2012-02-291-0/+5
| | | | | | | | We originally designed netgroups to use a special membership attribute, memberNisNetgroup. We changed it at implementation time but never updated the mapping. https://fedorahosted.org/freeipa/ticket/2359
* Add support defaultNamingContext and add --basedn to migrate-dsRob Crittenden2012-02-291-0/+6
| | | | | | | | | | | | | | | | | | | | There are two sides to this, the server and client side. On the server side we attempt to add a defaultNamingContext on already installed servers. This will fail on older 389-ds instances but the failure is not fatal. New installations on versions of 389-ds that support this attribute will have it already defined. On the client side we need to look for both defaultNamingContext and namingContexts. We still need to check that the defaultNamingContext is an IPA server (info=IPAV2). The migration change also takes advantage of this and adds a new option which allows one to provide a basedn to use instead of trying to detect it. https://fedorahosted.org/freeipa/ticket/1919 https://fedorahosted.org/freeipa/ticket/2314
* Global DNS optionsMartin Kosek2012-02-241-0/+3
| | | | | | | | | | | | Implement API for DNS global options supported in bind-dyndb-ldap. Currently, global DNS option overrides any relevant option in named.conf. Thus they are not filled by default they are left as a possibility for a user. Bool encoding had to be fixed so that Bool LDAP attribute can also be deleted and not just set to True or False. https://fedorahosted.org/freeipa/ticket/2216
* Update schema for bind-dyndb-ldapMartin Kosek2012-02-242-0/+72
| | | | | | | | | | | Add new attributes and objectclasses to support new features: - global bind-dyndb-ldap settings in LDAP - conditional per-zone forwarding - per-zone configuration of automatic PTR updates - AllowQuery and AllowTransfer ACIs https://fedorahosted.org/freeipa/ticket/2215 https://fedorahosted.org/freeipa/ticket/2072
* Don't allow "Modify Group membership" permission to manage adminsRob Crittenden2012-02-231-0/+4
| | | | | | | | The permission "Modify Group membership" is used to delegate group management responsibilities. We don't want that to include managing the admins group. https://fedorahosted.org/freeipa/ticket/2416
* Limit the change password permission so it can't change admin passwordsRob Crittenden2012-02-201-0/+5
| | | | | | | We don't want those in the helpdesk role to be able to reset administrators passwords. https://fedorahosted.org/freeipa/ticket/2271
* Add S4U2Proxy delegation permissions on upgradesRob Crittenden2012-02-151-0/+6
| | | | https://fedorahosted.org/freeipa/ticket/2396
* Correct update syntax in 30-s4u2proxy.updateRob Crittenden2012-02-151-1/+1
| | | | | | | Always have FQDN available in the update dictionary. There were cases where it would contain the ldapi socket path and not the FQDN. https://fedorahosted.org/freeipa/ticket/2147
* Update S4U2proxy delegation list when creating replicasRob Crittenden2012-02-151-1/+1
|
* Add update file for new schema in v2.2/3.0Rob Crittenden2012-02-152-0/+7
| | | | https://fedorahosted.org/freeipa/ticket/2147
* Add update files for SELinuxUserMapRob Crittenden2012-02-153-2/+53
| | | | https://fedorahosted.org/freeipa/ticket/2344
* Add LDAP ACIs for SSH public key schema.Jan Cholasta2012-02-132-0/+31
| | | | https://fedorahosted.org/freeipa/ticket/754
* Add LDAP schema for SSH public keys.Jan Cholasta2012-02-133-0/+23
| | | | https://fedorahosted.org/freeipa/ticket/754
* Use correct template variable for hosts, FQDN.Rob Crittenden2012-01-171-2/+2
| | | | https://fedorahosted.org/freeipa/ticket/2268
* Configure s4u2proxy during installation.Rob Crittenden2012-01-102-0/+19
| | | | | | | | | | | | This creates a new container, cn=s4u2proxy,cn=etc,$SUFFIX Within that container we control which services are allowed to delegate tickets for other services. Right now that is limited from the IPA HTTP to ldap services. Requires a version of mod_auth_kerb that supports s4u2proxy https://fedorahosted.org/freeipa/ticket/1098
* Add SELinux user mapping framework.Rob Crittenden2011-12-093-0/+43
| | | | | | | | This will allow one to define what SELinux context a given user gets on a given machine. A rule can contain a set of users and hosts or it can point to an existing HBAC rule that defines them. https://fedorahosted.org/freeipa/ticket/755
* Reorder privileges so that memberof for permissions are generated properly.Rob Crittenden2011-12-084-21/+34
| | | | | | | | | | | | The privilege was added after the permission causing the memberof to not be generated. Add a new task to regenerate memberof for existing PBAC to fix upgrades. https://fedorahosted.org/freeipa/ticket/2058 https://fedorahosted.org/freeipa/ticket/2059 https://fedorahosted.org/freeipa/ticket/2060 https://fedorahosted.org/freeipa/ticket/2061
* Enable automember for upgraded serversMartin Kosek2011-11-292-0/+23
| | | | | | | | | automember functionality is depends on predefined data is in LDAP. Since we add it for fresh installs only, automember cannot be used for upgraded servers. Make sure that automember LDAP data is added during upgrade too. https://fedorahosted.org/freeipa/ticket/1992
* Add plugin framework to LDAP updates.Rob Crittenden2011-11-221-1/+3
| | | | | | | | | | | | | | | | | | | | | | | | | | There are two reasons for the plugin framework: 1. To provide a way of doing manual/complex LDAP changes without having to keep extending ldapupdate.py (like we did with managed entries). 2. Allows for better control of restarts. There are two types of plugins, preop and postop. A preop plugin runs before any file-based updates are loaded. A postop plugin runs after all file-based updates are applied. A preop plugin may update LDAP directly or craft update entries to be applied with the file-based updates. Either a preop or postop plugin may attempt to restart the dirsrv instance. The instance is only restartable if ipa-ldap-updater is being executed as root. A warning is printed if a restart is requested for a non-root user. Plugins are not executed by default. This is so we can use ldapupdate to apply simple updates in commands like ipa-nis-manage. https://fedorahosted.org/freeipa/ticket/1789 https://fedorahosted.org/freeipa/ticket/1790 https://fedorahosted.org/freeipa/ticket/2032
* Fix nis netgroup config entry so users appear in netgroup triple.Rob Crittenden2011-10-272-0/+4
| | | | https://fedorahosted.org/freeipa/ticket/2028
* updates: Change default limits on ldap searchesSimo Sorce2011-10-121-0/+20
| | | | | Fixes: https://fedorahosted.org/freeipa/ticket/1867 https://fedorahosted.org/freeipa/ticket/1888
* Fix DNS permissions and membership in privilegesRob Crittenden2011-10-093-0/+29
| | | | | | | | | | | | | This resolves two issues: 1. The DNS acis lacked a prefix so weren't tied to permissions 2. The permissions were added before the privileges so the member values weren't calculated properly For updates we need to add in the members and recalculate memberof via a DS task. https://fedorahosted.org/freeipa/ticket/1898
* The precendence on the modrdn plugin was set in the wrong location.Rob Crittenden2011-09-131-1/+5
| | | | https://fedorahosted.org/freeipa/ticket/1370
* Move Managed Entries into their own container in the replicated space.Jr Aquino2011-09-125-13/+49
| | | | | | | | | | | | | | Repoint cn=Managed Entries,cn=plugins,cn=config in common_setup Create: cn=Managed Entries,cn=etc,$SUFFIX Create: cn=Definitions,cn=Managed Entries,cn=etc,$SUFFIX Create: cn=Templates,cn=Managed Entries,cn=etc,$SUFFIX Create method for dynamically migrating any and all custom Managed Entries from the cn=config space into the new container. Separate the connection creation during update so that a restart can be performed to initialize changes before performing a delete. Add wait_for_open_socket() method in installutils https://fedorahosted.org/freeipa/ticket/1708
* Add additional pam ftp services to HBAC, and a ftp HBAC service groupRob Crittenden2011-08-242-0/+44
| | | | | | This adds proftpd, pure-ftpd, vsftpd and gssftp. https://fedorahosted.org/freeipa/ticket/1703
* Change the way has_keytab is determined, also check for password.Rob Crittenden2011-08-241-0/+4
| | | | | | | | | | | | | | | | | | | | We need an indicator to see if a keytab has been set on host and service entries. We also need a way to know if a one-time password is set on a host. This adds an ACI that grants search on userPassword and krbPrincipalKey so we can do an existence search on them. This way we can tell if the attribute is set and create a fake attribute accordingly. When a userPassword is set on a host a keytab is generated against that password so we always set has_keytab to False if a password exists. This is fine because when keytab gets generated for the host the password is removed (hence one-time). This adds has_keytab/has_password to the user, host and service plugins. ticket https://fedorahosted.org/freeipa/ticket/1538
* Correct sudo runasuser and runasgroup attributes in schemaJr Aquino2011-07-192-0/+41
| | | | https://fedorahosted.org/freeipa/ticket/1309
* Correct behavior for sudorunasgroup vs sudorunasuserJr Aquino2011-07-192-0/+3
| | | | https://fedorahosted.org/freeipa/ticket/1309
* Set the ipa-modrdn plugin precedence to 60 so it runs lastRob Crittenden2011-07-171-0/+5
| | | | | | | | The default precedence for plugins is 50 and the run in more or less alphabetical order (but not guaranteed). This plugin needs to run after the others have already done their work. https://fedorahosted.org/freeipa/ticket/1370
* Disallow direct modifications to enrolledBy.Rob Crittenden2011-07-144-23/+27
| | | | | | | | | | This fixes a regression. We don't need to allow enrolledBy to be modified because it gets written in the ipa_enrollment plugin which does internal operations so bypasses acis. https://fedorahosted.org/freeipa/ticket/302
* Configure Managed Entries on replicas.Rob Crittenden2011-05-253-0/+28
| | | | | | | | | | | The Managed Entries plugin configurations weren't being created on replica installs. The templates were there but the cn=config portions were not. This patch adds them as updates. The template portion will be added in the initial replication. ticket 1222
* A new flag to disable creation of UPGMartin Kosek2011-05-252-0/+3
| | | | | | | | Automatic creation may of User Private Groups (UPG) may not be wanted at all times. This patch adds a new flag --noprivate to ipa user-add command to disable it. https://fedorahosted.org/freeipa/ticket/1131
* Enable 389-ds SSL host checking by defauiltRob Crittenden2011-05-202-0/+6
| | | | | | | | | | | | | Enforce that the remote hostname matches the remote SSL server certificate when 389-ds operates as an SSL client. Also add an update file to turn this off for existing installations. This also changes the way the ldapupdater modlist is generated to be more like the framework. Single-value attributes are done as replacements and there is a list of force-replacement attributes. ticket 1069
* The default groups we create should have ipaUniqueId setRob Crittenden2011-04-152-1/+14
| | | | | | | | This adds a new directive to ipa-ldap-updater: addifnew. This will add a new attribute only if it doesn't exist in the current entry. We can't compare values because the value we are adding is automatically generated. ticket 1177
* Add memberHost and memberUser to default indexesJr Aquino2011-04-081-0/+16
| | | | https://fedorahosted.org/freeipa/ticket/1138
* Fix ORDERING in some attributetypes and remove other unnecessary elements.Rob Crittenden2011-04-052-0/+23
| | | | | | | | | | | Looking at the schema in 60basev2.ldif there were many attributes that did not have an ORDERING matching rule specified correctly. There were also a number of attributeTypes that should have been just SUP distinguishedName that had a combination of SUP, SYNTAX, ORDERING, etc. This requires 389-ds-base-1.2.8.0-1+ ticket 1153
* Allow a client to enroll using principal when the host has a OTPRob Crittenden2011-03-301-0/+18
| | | | | | | | | If the host has a one-time password but krbPrincipalName wasn't set yet then the enrollment would fail because writing the principal is not allowed. This creates an ACI that only lets it be written if it is not already set. ticket 1075
generated by cgit (git 2.34.1) at 2024-06-07 04:01:03 +0000