path: root/install/updates

Commit log (subject, then Author / Date / Files changed / Lines removed and added):

* ACIs for HOTP support
  Author: Alexander Bokovoy   Date: 2014-02-11   Files: 1   Lines: -0/+1

* Update ACIs to permit users to add/delete their own tokens
  Author: Nathaniel McCallum   Date: 2014-02-10   Files: 1   Lines: -0/+1

* Limit memberOf and refInt DS plugins to main IPA suffix.
  Author: Petr Spacek   Date: 2014-01-27   Files: 1   Lines: -1/+12

  This drastically improves performance of retro changelog trimming.

  https://fedorahosted.org/freeipa/ticket/3967

* sudoOrder missing in sudoers
  Author: Martin Kosek   Date: 2014-01-15   Files: 1   Lines: -0/+2

  sudoers compat plugin configuration missed the sudoOrder attribute and it
  thus did not show up in ou=sudoers. Add the definition to the update file.

  https://fedorahosted.org/freeipa/ticket/4107

* Enable Retro Changelog and Content Synchronization DS plugins
  Author: Ana Krivokapic   Date: 2014-01-14   Files: 2   Lines: -0/+10

  Enable Retro Changelog and Content Synchronization DS plugins, which are
  required for SyncRepl support. Create a working directory /var/named/ipa
  required by bind-dyndb-ldap v4+.

  https://fedorahosted.org/freeipa/ticket/3967

* acl: Remove krbPrincipalExpiration from list of admin's excluded attrs
  Author: Tomas Babej   Date: 2014-01-14   Files: 1   Lines: -1/+3

  Since we're exposing the krbPrincipalExpiration attribute for direct
  editing in the CLI, remove it from the list of attributes that admin
  cannot edit by default.

  Part of: https://fedorahosted.org/freeipa/ticket/3306

* Add RADIUS proxy support to ipalib CLI
  Author: Nathaniel McCallum   Date: 2013-12-03   Files: 3   Lines: -0/+13

  https://fedorahosted.org/freeipa/ticket/3368

* Remove schema modifications from update files
  Author: Petr Viktorin   Date: 2013-11-18   Files: 13   Lines: -532/+1

  As schema is now handled by the schema updater, these entries are
  superfluous.

  https://fedorahosted.org/freeipa/ticket/3454

* Add a privilege and a permission needed for automember rebuild command
  Author: Ana Krivokapic   Date: 2013-11-15   Files: 1   Lines: -0/+19

  Design: http://www.freeipa.org/page/V3/Automember_rebuild_membership
  https://fedorahosted.org/freeipa/ticket/3752

* Add support for managing user auth types
  Author: Nathaniel McCallum   Date: 2013-11-08   Files: 1   Lines: -0/+1

  https://fedorahosted.org/freeipa/ticket/3368

* Remove deprecated AllowLMhash config
  Author: Martin Kosek   Date: 2013-11-01   Files: 1   Lines: -1/+1

  Remove this ipaConfigString value as LM hash is deprecated and in fact
  even insecure.

  https://fedorahosted.org/freeipa/ticket/3795

* Do not add kadmin/changepw ACIs on new installs
  Author: Martin Kosek   Date: 2013-10-25   Files: 1   Lines: -1/+0

  These ACIs were needed when FreeIPA had a custom ipa_kpasswd daemon; now
  that a standard kadmin is used, the ACIs are not needed anymore as kadmin
  uses the same driver as the KDC. The ACIs are not removed on upgrades to
  avoid breaking older replicas which may still use a FreeIPA version with
  the ipa_kpasswd daemon.

  https://fedorahosted.org/freeipa/ticket/3987

* Remove faulty DNS memberOf Task
  Author: Martin Kosek   Date: 2013-10-04   Files: 1   Lines: -9/+2

  This task was added with a DN colliding with the privilege update memberOf
  task being run later, which caused this task to be ineffective and thus
  miss some privilege membership, like "SELinux User Map Administrators".
  The DNS update plugin does not need to run any task at all, as privileges
  will be updated later in the scope of 55-pbacmemberof.update.

  https://fedorahosted.org/freeipa/ticket/3877

* ipa-sam: do not modify objectclass when trust object already created
  Author: Alexander Bokovoy   Date: 2013-09-20   Files: 1   Lines: -0/+1

  When a trust is established, the last step done by the IPA framework is
  to set encryption types associated with the trust. This operation fails
  due to ipa-sam attempting to modify object classes in the trust object
  entry, which is not allowed by ACI.

  Additionally, a wrong handle was used by dcerpc.py code when executing
  SetInformationTrustedDomain() against IPA smbd, which prevented even
  reaching the point where ipa-sam would be asked to modify the trust
  object.

* Increase default SASL buffer size
  Author: Martin Kosek   Date: 2013-08-07   Files: 1   Lines: -0/+6

  The default SASL buffer size was too small and could lead, for example,
  to migration errors.

  https://fedorahosted.org/freeipa/ticket/3826

* Add Camellia ciphers to allowed list.
  Author: Rob Crittenden   Date: 2013-07-18   Files: 2   Lines: -0/+6

  https://fedorahosted.org/freeipa/ticket/3749

* Fix for small syntax error in OTP schema
  Author: Nathaniel McCallum   Date: 2013-07-11   Files: 1   Lines: -1/+1

  https://fedorahosted.org/freeipa/ticket/3765

* Add missing equality index for ipaUniqueId.
  Author: Jan Cholasta   Date: 2013-07-11   Files: 1   Lines: -0/+7

  https://fedorahosted.org/freeipa/ticket/3743

* Add missing substring indices for attributes managed by the referint plugin.
  Author: Jan Cholasta   Date: 2013-07-11   Files: 1   Lines: -33/+32

  The referint plugin does a substring search on these attributes each time
  an entry is deleted, which causes a noticeable slowdown for large
  directories if the attributes are not indexed.

  https://fedorahosted.org/freeipa/ticket/3706

* Enable SASL mapping fallback.
  Author: Jan Cholasta   Date: 2013-06-27   Files: 1   Lines: -0/+10

  Assign a default priority of 10 to our SASL mappings.

  https://fedorahosted.org/freeipa/ticket/3330

* Add ipaRangeType attribute to LDAP Schema
  Author: Tomas Babej   Date: 2013-06-10   Files: 1   Lines: -0/+2

  This adds a new LDAP attribute ipaRangeType with OID
  2.16.840.1.113730.3.8.11.41 to the LDAP Schema. ObjectClass ipaIDrange
  has been altered to require the ipaRangeType attribute.

  Part of https://fedorahosted.org/freeipa/ticket/3647

* Do not check userPassword with 7-bit plugin
  Author: Tomas Babej   Date: 2013-06-06   Files: 2   Lines: -0/+7

  The default list of attributes that are checked with the 7-bit plugin for
  being 7-bit clean includes userPassword. Consequently, one is unable to
  set passwords that contain non-ASCII characters.

  https://fedorahosted.org/freeipa/ticket/3640

* Add IPA OTP schema and ACLs
  Author: Nathaniel McCallum   Date: 2013-05-17   Files: 3   Lines: -1/+37

  This commit adds schema support for two-factor authentication via OTP
  devices, including RADIUS or TOTP. This schema will be used by future
  patches which will enable two-factor authentication directly.

  https://fedorahosted.org/freeipa/ticket/3365
  http://freeipa.org/page/V3/OTP

* Add ipaUserAuthType and ipaUserAuthTypeClass
  Author: Nathaniel McCallum   Date: 2013-05-17   Files: 1   Lines: -0/+4

  This schema addition will be useful for future commits. It allows us to
  define permitted external authentication methods on both the user and
  global config. The implementation is generic, but the immediate usage is
  for OTP support.

  https://fedorahosted.org/freeipa/ticket/3365
  http://freeipa.org/page/V3/OTP

* Fix syntax errors in schema files
  Author: Petr Viktorin   Date: 2013-04-26   Files: 2   Lines: -2/+2

  - add missing closing parenthesis in idnsRecord declaration
  - remove extra dollar sign from ipaSudoRule declaration
  - handle missing/extraneous X-ORIGIN lines in 10-selinuxusermap.update

  This does not use the schema updater because the syntax needs to be fixed
  in the files themselves, otherwise 389 1.3.2+ will fail to start. Older
  DS versions transparently fix the syntax errors.

  The existing ldap-updater directive for ipaSudoRule is fixed
  (ldap-updater runs after upgradeconfig).

  https://fedorahosted.org/freeipa/ticket/3578

* Fix syntax of the dc attributeType
  Author: Petr Viktorin   Date: 2013-04-26   Files: 1   Lines: -0/+3

  dc syntax is changed from Directory String to IA5 String to conform to
  RFC 2247.

  Part of the work for https://fedorahosted.org/freeipa/ticket/3578

* Add userClass attribute for hosts
  Author: Martin Kosek   Date: 2013-04-26   Files: 1   Lines: -0/+1

  This new freeform host attribute will allow provisioning systems to add
  custom tags for host objects which can later be used in automember rules
  or for additional local interpretation.

  Design page: http://www.freeipa.org/page/V3/Integration_with_a_provisioning_systems
  Ticket: https://fedorahosted.org/freeipa/ticket/3583

* Add missing permissions to Host Administrators privilege
  Author: Ana Krivokapic   Date: 2013-04-24   Files: 1   Lines: -0/+8

  The 'Host Administrators' privilege was missing two permissions
  ('Retrieve Certificates from the CA' and 'Revoke Certificate'), causing
  the inability to remove a host with a certificate.

  https://fedorahosted.org/freeipa/ticket/3585

* Add nfs:NONE to default PAC types only when needed
  Author: Tomas Babej   Date: 2013-04-15   Files: 1   Lines: -5/+0

  We need to add nfs:NONE as a default PAC type only if there's no other
  default PAC type for nfs. Adds an update plugin which determines whether
  the default PAC type for nfs is set and adds the nfs:NONE PAC type
  accordingly.

  https://fedorahosted.org/freeipa/ticket/3555

* Apply LDAP update files in blocks of 10, as originally designed.
  Author: Rob Crittenden   Date: 2013-04-12   Files: 1   Lines: -4/+19

  In order to have control over the order in which updates are applied, a
  numbering system was created for the update files. These values were not
  actually used. The updates were sorted by DN length, and in most cases
  this was adequate for proper function. The exception was with roles,
  where in some cases a role was added as a member of a permission before
  the role itself was added, so the memberOf value was never created.

  Now updates are computed and applied in blocks of 10.

  https://fedorahosted.org/freeipa/ticket/3377

* Remove 'cn' attribute from idnsRecord and idnsZone objectClasses
  Author: Petr Viktorin   Date: 2013-04-10   Files: 1   Lines: -0/+1

  A commonName attribute has no meaning in DNS records.

  https://fedorahosted.org/freeipa/ticket/3514

* Change CNAME and DNAME attributes to single valued
  Author: Martin Kosek   Date: 2013-04-02   Files: 1   Lines: -0/+2

  These DNS attributeTypes are of a singleton type; update the LDAP schema
  to reflect it.

  https://fedorahosted.org/freeipa/ticket/3440
  https://fedorahosted.org/freeipa/ticket/3450

* Add Kerberos ticket flags management to service and host plugins.
  Author: Jan Cholasta   Date: 2013-03-29   Files: 1   Lines: -1/+3

  https://fedorahosted.org/freeipa/ticket/3329

* Configure ipa_dns DS plugin on install and upgrade
  Author: Martin Kosek   Date: 2013-03-22   Files: 1   Lines: -0/+16

  The plugin is configured unconditionally (i.e. it does not check if IPA
  was configured with DNS), as the plugin is needed on all replicas to
  prevent objectclass violations due to a missing SOA serial in the
  idnsZone objectclass. The violation could happen if just one replica
  configured DNS and added a new zone.

  https://fedorahosted.org/freeipa/ticket/3347

* Extend ipa-replica-manage to be able to manage DNA ranges.
  Author: Rob Crittenden   Date: 2013-03-13   Files: 1   Lines: -0/+12

  Attempt to automatically save DNA ranges when a master is removed. This
  is done by trying to find a master that does not yet define a DNA
  on-deck range. If one can be found then the range on the deleted master
  is added. If one cannot be found then it is reported as an error.

  Some validation of the ranges is done to ensure that they do overlap an
  IPA local range and do not overlap existing DNA ranges configured on
  other masters.

  http://freeipa.org/page/V3/Recover_DNA_Ranges
  https://fedorahosted.org/freeipa/ticket/3321

* Change DNA magic value to -1 to make UID 999 usable
  Author: Petr Viktorin   Date: 2013-03-11   Files: 1   Lines: -0/+10

  Change user-add's uid & gid parameters from autofill to optional.
  Change the DNA magic value to -1.

  For old clients, which will still send 999 when they want DNA
  assignment, translate the 999 to -1. This is done via a new capability,
  optional_uid_params.

  Tests included.

  https://fedorahosted.org/freeipa/ticket/2886

* Add NFS specific default for authorization data type
  Author: Sumit Bose   Date: 2013-03-08   Files: 1   Lines: -0/+5

  Since the hardcoded default for the NFS service was removed, the default
  authorization data type is now set in the global server configuration.

  https://fedorahosted.org/freeipa/ticket/2960

* Remove disabled entries from sudoers compat tree.
  Author: Jan Cholasta   Date: 2013-03-06   Files: 1   Lines: -0/+2

  The removal is triggered by generating an invalid RDN when ipaEnabledFlag
  of the original entry is FALSE.

  https://fedorahosted.org/freeipa/ticket/3437

* Remove ORDERING for IA5 attributeTypes
  Author: Martin Kosek   Date: 2013-02-27   Files: 1   Lines: -6/+3

  IA5 string syntax does not have a compatible ORDERING matching rule.
  Simply use the default ORDERING for these attributeTypes as we already
  do in other cases.

  https://fedorahosted.org/freeipa/ticket/3398

* Add missing v3 schema on upgrades, fix typo in schema.
  Author: Rob Crittenden   Date: 2013-02-22   Files: 2   Lines: -9/+24

  Add the missing ipaExternalMember attribute and ipaExternalGroup
  objectclass. Replace the mis-spelled ORDERING value on new installs and
  upgrades.

  https://fedorahosted.org/freeipa/ticket/3398

* Update sudocmd ACIs to use targetfilter
  Author: Petr Viktorin   Date: 2013-02-20   Files: 1   Lines: -3/+8

  Sudo commands created in the past have the sudocmd in their RDN, while
  the new case-sensitive ones have ipaUniqueID. In order for permissions
  to apply to both of these, use a targetfilter for
  objectclass=ipasudocmd instead of sudocmd=* in the target.

* Add list of domains associated to our realm to cn=etc
  Author: Ana Krivokapic   Date: 2013-02-19   Files: 2   Lines: -0/+9

  Add a new LDAP container to store the list of domains associated with
  the IPA realm. Add two new ipa commands (ipa realmdomains-show and ipa
  realmdomains-mod) to allow manipulation of the list of realm domains.
  A unit test file covering these new commands was added.

  https://fedorahosted.org/freeipa/ticket/2945

* Add SID blacklist attributes
  Author: Martin Kosek   Date: 2013-02-12   Files: 1   Lines: -3/+7

  Update our LDAP schema and add 2 new attributes for SID blacklist
  definition. These new attributes can now be set per-trust with the
  trustconfig command.

  https://fedorahosted.org/freeipa/ticket/3289

* Don't add another nsDS5ReplicaId on updates if one already exists
  Author: Petr Viktorin   Date: 2013-02-06   Files: 1   Lines: -3/+3

  Modify the update file to use default: rather than add: in
  cn=replication,cn=etc,$SUFFIX. Drop quotes around nsDS5ReplicaRoot
  because default: values are not parsed as CSV.

  https://fedorahosted.org/freeipa/ticket/3394

* Add crond as a default HBAC service
  Author: Ana Krivokapic   Date: 2013-01-17   Files: 1   Lines: -0/+7

  Ticket: https://fedorahosted.org/freeipa/ticket/3215

* Enable transactions by default, make password and modrdn TXN-aware
  Author: Rob Crittenden   Date: 2012-11-21   Files: 4   Lines: -38/+58

  The password and modrdn plugins needed to be made transaction aware for
  the pre and post operations.

  Remove the reverse member hoop jumping. Just fetch the entry once and
  all the memberof data is there (plus objectclass).

  Fix some unit tests that are failing because we actually get the data
  now due to transactions.

  Add a small bit of code in the user plugin to retrieve the user again,
  a la wait_for_attr, but in the case of transactions we need to do it
  only once.

  Deprecate wait_for_attr code.

  Add a memberof fixup task for roles.

  https://fedorahosted.org/freeipa/ticket/1263
  https://fedorahosted.org/freeipa/ticket/1891
  https://fedorahosted.org/freeipa/ticket/2056
  https://fedorahosted.org/freeipa/ticket/3043
  https://fedorahosted.org/freeipa/ticket/3191
  https://fedorahosted.org/freeipa/ticket/3046

* Set MLS/MCS for user_u context to what will be on remote systems.
  Author: Rob Crittenden   Date: 2012-11-02   Files: 1   Lines: -1/+1

  The user_u context in the default list was broader than is actually
  configured by default on systems.

  https://fedorahosted.org/freeipa/ticket/3224

* Explicitly disable betxn plugins for the time being.
  Author: Rob Crittenden   Date: 2012-10-10   Files: 2   Lines: -0/+38

  This should work with 389-ds-base 1.2.x and 1.3.0. Without other plugin
  changes 389-ds-base can deadlock.

  https://fedorahosted.org/freeipa/ticket/3046

* Add cifs principal to S4U2Proxy targets only when running ipa-adtrust-install
  Author: Alexander Bokovoy   Date: 2012-10-09   Files: 2   Lines: -11/+2

  Since the CIFS principal is generated by ipa-adtrust-install and is only
  usable after setting the CIFS configuration, there is no need to include
  it in the default setup. This should fix upgrades from 2.2 to 3.0 where
  the CIFS principal does not exist by default.

  https://fedorahosted.org/freeipa/ticket/3041

* Add uniqueness plugin configuration for sudorule cn
  Author: Rob Crittenden   Date: 2012-10-08   Files: 2   Lines: -0/+17

  We do a search looking for duplicate values, but this leaves open the
  possibility that two adds are happening at the same time, so both
  searches return NotFound and therefore we get two entries with the same
  cn value.

  https://fedorahosted.org/freeipa/ticket/3017