path: root/install/updates
Commit message | Author | Age | Files | Lines

* Add additional pam ftp services to HBAC, and an ftp HBAC service group (Rob Crittenden, 2011-08-24, 2 files, -0/+44)
  This adds proftpd, pure-ftpd, vsftpd and gssftp.
* Change the way has_keytab is determined, also check for password. (Rob Crittenden, 2011-08-24, 1 file, -0/+4)
  We need an indicator to see if a keytab has been set on host and service entries. We also need a way to know if a one-time password is set on a host. This adds an ACI that grants search on userPassword and krbPrincipalKey so we can do an existence search on them. This way we can tell if the attribute is set and create a fake attribute accordingly. When a userPassword is set on a host a keytab is generated against that password so we always set has_keytab to False if a password exists. This is fine because when keytab gets generated for the host the password is removed (hence one-time). This adds has_keytab/has_password to the user, host and service plugins. ticket
* Correct sudo runasuser and runasgroup attributes in schema (Jr Aquino, 2011-07-19, 2 files, -0/+41)
* Correct behavior for sudorunasgroup vs sudorunasuser (Jr Aquino, 2011-07-19, 2 files, -0/+3)
* Set the ipa-modrdn plugin precedence to 60 so it runs last (Rob Crittenden, 2011-07-17, 1 file, -0/+5)
  The default precedence for plugins is 50 and they run in more or less alphabetical order (but not guaranteed). This plugin needs to run after the others have already done their work.
* Disallow direct modifications to enrolledBy. (Rob Crittenden, 2011-07-14, 4 files, -23/+27)
  This fixes a regression. We don't need to allow enrolledBy to be modified because it gets written in the ipa_enrollment plugin which does internal operations so bypasses acis.
* Configure Managed Entries on replicas. (Rob Crittenden, 2011-05-25, 3 files, -0/+28)
  The Managed Entries plugin configurations weren't being created on replica installs. The templates were there but the cn=config portions were not. This patch adds them as updates. The template portion will be added in the initial replication. ticket 1222
* A new flag to disable creation of UPG (Martin Kosek, 2011-05-25, 2 files, -0/+3)
  Automatic creation of User Private Groups (UPG) may not be wanted at all times. This patch adds a new flag --noprivate to the ipa user-add command to disable it.
* Enable 389-ds SSL host checking by default (Rob Crittenden, 2011-05-20, 2 files, -0/+6)
  Enforce that the remote hostname matches the remote SSL server certificate when 389-ds operates as an SSL client. Also add an update file to turn this off for existing installations. This also changes the way the ldapupdater modlist is generated to be more like the framework. Single-value attributes are done as replacements and there is a list of force-replacement attributes. ticket 1069
* The default groups we create should have ipaUniqueId set (Rob Crittenden, 2011-04-15, 2 files, -1/+14)
  This adds a new directive to ipa-ldap-updater: addifnew. This will add a new attribute only if it doesn't exist in the current entry. We can't compare values because the value we are adding is automatically generated. ticket 1177
* Add memberHost and memberUser to default indexes (Jr Aquino, 2011-04-08, 1 file, -0/+16)
* Fix ORDERING in some attributetypes and remove other unnecessary elements. (Rob Crittenden, 2011-04-05, 2 files, -0/+23)
  Looking at the schema in 60basev2.ldif there were many attributes that did not have an ORDERING matching rule specified correctly. There were also a number of attributeTypes that should have been just SUP distinguishedName that had a combination of SUP, SYNTAX, ORDERING, etc. This requires 389-ds-base- ticket 1153
* Allow a client to enroll using principal when the host has an OTP (Rob Crittenden, 2011-03-30, 1 file, -0/+18)
  If the host has a one-time password but krbPrincipalName wasn't set yet then the enrollment would fail because writing the principal is not allowed. This creates an ACI that only lets it be written if it is not already set. ticket 1075
* Store list of non-master replicas in DIT and provide way to list them (Simo Sorce, 2011-03-02, 2 files, -0/+10)
  Fixes:
* Use Sudo rather than SUDO as a label. (Rob Crittenden, 2011-03-01, 2 files, -40/+40)
  ticket 1005
* Add default roles and permissions for HBAC, SUDO and pw policy (Rob Crittenden, 2011-02-22, 3 files, -1/+316)
  Created some default roles as examples. In doing so I realized that we were completely missing default rules for HBAC, SUDO and password policy so I added those as well. I ran into a problem when the updater has a default record and an add at the same time, it should handle it better now. ticket 585
* Add aci to make managed netgroups immutable. (Rob Crittenden, 2011-02-18, 2 files, -1/+6)
  ticket 962
* Updated default Kerberos password policy (Jan Zeleny, 2011-02-16, 2 files, -0/+5)
* Add permission/privilege for updating IPA configuration. (Rob Crittenden, 2011-02-14, 2 files, -0/+19)
  ticket 950
* Move automount, default HBAC services, netgroup and hostgroup bootstrapping. (Rob Crittenden, 2010-12-17, 5 files, -121/+0)
  There is no need for these to be done as updates, just add these entries to the bootstrapping.
* Re-implement access control using an updated model. (Rob Crittenden, 2010-12-01, 4 files, -746/+0)
  The new model is based on permissions, privileges and roles. Most importantly it corrects the reverse membership that caused problems in the previous implementation. You add permission to privileges and privileges to roles, not the other way around (even though it works that way behind the scenes). A permission object is a combination of a simple group and an aci. The linkage between the aci and the permission is the description of the permission. This shows as the name/description of the aci. ldap:///self and groups granting groups (v1-style) are not supported by this model (it will be provided separately). This makes the aci plugin internal only. ticket 445
* Reduce the number of attributes a host is allowed to write. (Rob Crittenden, 2010-11-30, 1 file, -2/+2)
  The list of attributes that a host bound as itself could write was overly broad. A host can now only update its description, information about itself such as OS release, etc, its certificate, password and keytab. ticket 416
* Add additional default HBAC login services (Rob Crittenden, 2010-11-08, 1 file, -0/+21)
  ticket 307
* Remove hardcoded domain value and replace with $SUFFIX (Rob Crittenden, 2010-11-04, 1 file, -3/+3)
* Use correct attribute name, nshostlocation, not location. (Rob Crittenden, 2010-11-03, 1 file, -1/+1)
* UUIDs: remove uuid python plugin and let DS always autogenerate (Simo Sorce, 2010-10-28, 1 file, -8/+8)
  merge in remove uuid
* Use correct description in hostgroup acis. (Rob Crittenden, 2010-10-06, 1 file, -3/+3)
  This also corrects a duplication problem in acis.
* Remove reliance on the name 'admin' as a special user. (Rob Crittenden, 2010-10-01, 1 file, -1/+1)
  And move it to the group 'admins' instead. This way the admin user can be removed/renamed. ticket 197
* Enabling SUDO support (Dmitri Pal, 2010-09-16, 1 file, -7/+26)
  * Adding a new SUDO schema file
  * Adding this new file to the list of targets in make file
  * Create SUDO container for sudo rules
  * Add default sudo services to HBAC services
  * Add default SUDO HBAC service group with two services sudo & sudo-i
  * Installing schema
  No SUDO rules are created by default by this patch.
* Allow decoupling of user-private groups. (Rob Crittenden, 2010-08-10, 1 file, -8/+8)
  To do this we need to break the link manually on both sides, the user and the group. We also have to verify in advance that the user performing this is allowed to do both. Otherwise the user could be decoupled but not the group leaving it in a quasi broken state that only ldapmodify could fix. ticket 75
* Add hbac service for su-l, su with a login shell (Rob Crittenden, 2010-08-06, 1 file, -0/+6)
* Add container and initial ACIs for entitlement support (Rob Crittenden, 2010-07-29, 1 file, -0/+37)
  The entitlement entries themselves will be rather simple, consisting of the objectClasses ipaObject and pkiUser. We will just store userCertificate in it. The DN will contain the UUID of the entitlement. ticket #27
* Add separate role group for enrolling hosts, enrollhost (Rob Crittenden, 2010-06-22, 1 file, -0/+8)
* Include missing update file 30-hbacsvc.update (Rob Crittenden, 2010-05-27, 1 file, -0/+35)
* Add ipaUniqueID to HBAC services and service groups (Rob Crittenden, 2010-05-27, 1 file, -0/+1)
  Also fix the memberOf attribute for the HBAC services
* Re-number some attributes to compress our usage to be contiguous (Rob Crittenden, 2010-05-27, 2 files, -2/+1)
  No longer install the policy or key escrow schemas and remove their OIDs for now. 594149
* Use GSSAPI auth for the ipa-replica-manage list and del commands. (Rob Crittenden, 2010-03-19, 1 file, -0/+37)
  This creates a new role, replicaadmin, so a non-DM user can do limited management of replication agreements. Note that with cn=config if an unauthorized user performs a search an error is not returned, no entries are returned. This makes it difficult to determine if there are simply no replication agreements or we aren't allowed to see them. Once the module gets replaced by ldap2 we can use Get Effective Rights to easily tell the difference.
* Set proper dn in default automount location (Nalin Dahyabhai, 2010-02-23, 1 file, -1/+1)
* Add default automount location. Auto-create in new locations. (Pavel Zuna, 2010-02-12, 1 file, -6/+10)
* First pass at enforcing certificates be requested from same host (Rob Crittenden, 2009-10-21, 1 file, -5/+37)
  We want to only allow a machine to request a certificate for itself, not for other machines. I've added a new taskgroup which will allow this. The requesting IP is resolved and compared to the subject of the CSR to determine if they are the same host. The same is done with the service principal. Subject alt names are not queried yet. This does not yet grant machines actual permission to request certificates yet, that is still limited to the taskgroup request_certs.
* Fix ACI for host delegation (Rob Crittenden, 2009-10-17, 1 file, -2/+2)
  We had changed the DN format, I must have missed these ACIs the first go around.
* Fix an oops where I forgot to replace a string with a template (Rob Crittenden, 2009-10-17, 1 file, -6/+6)
* Use nestedgroup instead of groupofnames for rolegroups so we have memberof (Rob Crittenden, 2009-10-12, 1 file, -50/+50)
* Enrollment for a host in an IPA domain (Rob Crittenden, 2009-09-24, 1 file, -5/+26)
  This will create a host service principal and may create a host entry (for admins). A keytab will be generated, by default in /etc/krb5.keytab. If no kerberos credentials are available then enrollment over LDAPS is used if a password is provided. This change requires that openldap be used as our C LDAP client. It is much easier to do SSL using openldap than mozldap (no certdb required). Otherwise we'd have to write a slew of extra code to create a temporary cert database, import the CA cert, ...
* Implement support for non-LDAP-based actions that use the LDAP ACI subsystem. (Rob Crittenden, 2009-07-10, 1 file, -0/+139)
  There are some operations, like those for the certificate system, that don't need to write to the directory server. So instead we have an entry that we test against to determine whether the operation is allowed or not. This is done by attempting a write on the entry. If it would succeed then permission is granted. If not then denied. The write we attempt is actually invalid so the write itself will fail but the attempt will fail first if access is not permitted, so we can distinguish between the two without polluting the entry.
* Basic changes to get a default principal for DNS (Simo Sorce, 2009-07-10, 1 file, -0/+20)
  Also moves delegation layout installation in dsinstance. This is needed to allow us to set default membership in other modules like bindinstance.
  Signed-off-by: Martin Nagy <>
* Fix quoting to work with new csv handler in ldapupdate (Rob Crittenden, 2009-05-19, 2 files, -112/+113)
* Add taskgroup and ACI for writing host principal keys (so ipa-getkeytab works) (Rob Crittenden, 2009-05-19, 1 file, -0/+15)
* Fill in the ACIs and taskgroups for most of the plugins. (Rob Crittenden, 2009-04-01, 1 file, -13/+311)
  This adds:
  * group administration
  * host administration
  * host group administration
  * delegation administration
  * service administration
  * automount administration
  * netgroup administration
* Name update files so they can be easily sorted. (Rob Crittenden, 2009-03-25, 16 files, -24/+162)
  We want to process some updates in a particular order (schema, structural). Using an init-inspired ordering mechanism.