path: root/ipaserver/install/plugins
Commit message | Author | Age | Files | Lines
* Allow deleting obsolete permissions; remove operational attribute permissions | Petr Viktorin | 2014-09-12 | 1 | -18/+21
| https://fedorahosted.org/freeipa/ticket/4534
| Reviewed-By: Martin Kosek <mkosek@redhat.com>
* Fix: Add managed read permissions for compat tree and operational attrs | Petr Viktorin | 2014-09-05 | 1 | -0/+18
| This is a fix for an earlier version, which was committed by mistake as:
| master: 418ce870bfbe13cea694a7b862cafe35c703f660
| ipa-4-0: 3e2c86aeabbd2e3c54ad73a40803ef2bf5b0cb17
| ipa-4-1: 9bcd88589e30d31d3f533cd42d2f816ef01b07c7
| Thanks to Alexander Bokovoy for contributions
| https://fedorahosted.org/freeipa/ticket/4521
* Use certmonger D-Bus API instead of messing with its files. | David Kupka | 2014-09-05 | 1 | -4/+4
| FreeIPA certmonger module changed to use D-Bus to communicate with certmonger. Using the D-Bus API should be a more stable and supported way of using certmonger than tampering with its files.
| >=certmonger-0.75.13 is needed for this to work.
| https://fedorahosted.org/freeipa/ticket/4280
| Reviewed-By: Jan Cholasta <jcholast@redhat.com>
* Upload CA chain from DS NSS database to certificate store on server update. | Jan Cholasta | 2014-07-30 | 1 | -16/+52
| Part of https://fedorahosted.org/freeipa/ticket/3259
| Part of https://fedorahosted.org/freeipa/ticket/3520
| Reviewed-By: Rob Crittenden <rcritten@redhat.com>
* Add permissions for certificate store. | Jan Cholasta | 2014-07-30 | 1 | -0/+46
| Part of https://fedorahosted.org/freeipa/ticket/3259
| Part of https://fedorahosted.org/freeipa/ticket/3520
| Reviewed-By: Rob Crittenden <rcritten@redhat.com>
* Add permissions for CA certificate renewal. | Jan Cholasta | 2014-07-30 | 1 | -0/+23
| Reviewed-By: Rob Crittenden <rcritten@redhat.com>
* Fix DNS upgrade plugin should check if DNS container exists | Martin Basti | 2014-07-28 | 1 | -0/+4
| Fortunately this causes no error, because dnszone-find doesn't raise an exception if there is no DNS container
| Reviewed-By: Petr Viktorin <pviktori@redhat.com>
* Restore privileges after forward zones update | Martin Basti | 2014-07-04 | 1 | -1/+42
| Ticket: https://fedorahosted.org/freeipa/ticket/3210
| Reviewed-By: Petr Spacek <pspacek@redhat.com>
* Fix upgrade to forward zones | Martin Basti | 2014-07-03 | 1 | -1/+1
| Reviewed-By: Petr Spacek <pspacek@redhat.com>
* Upgrade special master zones to forward zones | Martin Basti | 2014-06-27 | 1 | -2/+177
| This upgrade is executed only if IPA version is older than 4.0
| Requires detection if 'idnsforwardzone' objectclass is presented in schema before schema is upgraded
| Design: http://www.freeipa.org/page/V4/Forward_zones#Updates_and_Upgrades
| Ticket: https://fedorahosted.org/freeipa/ticket/3210
| Reviewed-By: Martin Kosek <mkosek@redhat.com>
* Added upgrade step executed before schema is upgraded | Martin Basti | 2014-06-27 | 2 | -1/+15
| Class PreSchemaUpdate is executed before ldap schema update
| This is required by ticket: https://fedorahosted.org/freeipa/ticket/3210
| Reviewed-By: Martin Kosek <mkosek@redhat.com>
* permission plugin: Join --type objectclass filters with OR | Petr Viktorin | 2014-06-23 | 1 | -2/+3
| For groups, we will need to filter on either posixgroup (which UPGs have but non-posix groups don't) and groupofnames/nestedgroup (which normal groups have but UPGs don't).
| Join permission_filter_objectclasses with `|` and add them as a single ipapermtargetfilter value.
| Part of the work for: https://fedorahosted.org/freeipa/ticket/3566
| Reviewed-By: Martin Kosek <mkosek@redhat.com>
* Add $REALM to variables supported by the managed permission updater | Petr Viktorin | 2014-06-18 | 1 | -0/+1
| This will allow converting password policy permissions
| Part of the work for: https://fedorahosted.org/freeipa/ticket/4346
| Reviewed-By: Martin Kosek <mkosek@redhat.com>
* Remove the update_dns_permissions plugin | Petr Viktorin | 2014-06-18 | 1 | -56/+0
| This plugin created permissions that the managed permission updater would remove right away.
| Part of the work for: https://fedorahosted.org/freeipa/ticket/4346
| Reviewed-By: Martin Kosek <mkosek@redhat.com>
* managed permission updater: Add mechanism to replace SYSTEM permissions | Petr Viktorin | 2014-06-18 | 1 | -0/+18
| The "Read DNS Entries" permission, which was marked SYSTEM (no associated ACI), can now be converted to a regular managed permission.
| Add a mechanism for the updater to replace old SYSTEM permissions.
| This cannot be done in an update file because we do not want to replace V2 permissions with the same name.
| Part of the work for: https://fedorahosted.org/freeipa/ticket/4346
| Reviewed-By: Martin Kosek <mkosek@redhat.com>
* ipaplatform: Move all filesystem paths to ipaplatform.paths module | Tomas Babej | 2014-06-16 | 2 | -2/+4
| https://fedorahosted.org/freeipa/ticket/4052
| Reviewed-By: Petr Viktorin <pviktori@redhat.com>
* Make 'permission' the default bind type for managed permissions | Petr Viktorin | 2014-06-11 | 1 | -1/+1
| This reduces typing (or copy/pasting), and draws a bit of attention to any non-default privileges (currently 'any' or 'anonymous').
| Leaving the bindtype out by mistake isn't dangerous: by default a permission is not granted to anyone, since it is not included in any privileges.
| Reviewed-By: Martin Kosek <mkosek@redhat.com>
* Add method to enumerate managed permission templates | Petr Viktorin | 2014-06-11 | 1 | -15/+30
| This will ease writing audit and management scripts for managed permissions.
| Reviewed-By: Martin Kosek <mkosek@redhat.com>
* managed perm updater: Handle case where we changed default ACIs in the past | Petr Viktorin | 2014-06-10 | 1 | -2/+18
| This handles the case where IPA's default ACIs changed in something else than just attribute lists. In this case we can narrow the set of ACIs we think the user might be upgrading from.
| Part of the work for: https://fedorahosted.org/freeipa/ticket/4346
| Reviewed-By: Martin Kosek <mkosek@redhat.com>
* Add mechanism for updating permissions to managed | Petr Viktorin | 2014-06-04 | 1 | -8/+135
| Part of the work for: https://fedorahosted.org/freeipa/ticket/4346
| Reviewed-By: Martin Kosek <mkosek@redhat.com>
* Remove the global anonymous read ACI | Petr Viktorin | 2014-05-26 | 2 | -96/+19
| Also remove
| - the deny ACIs that implemented exceptions to it:
|   - no anonymous access to roles
|   - no anonymous access to member information
|   - no anonymous access to hbac
|   - no anonymous access to sudo (2×)
| - its updater plugin
| Part of the work for: https://fedorahosted.org/freeipa/ticket/3566
| Reviewed-By: Martin Kosek <mkosek@redhat.com>
* Set user addressbook/IPA attribute read ACI to anonymous on upgrades from 3.x | Petr Viktorin | 2014-05-26 | 1 | -0/+14
| When upgrading from an "old" IPA, or installing the first "new" replica, we need to keep allowing anonymous access to many user attributes.
| Add an optional 'fixup_function' to the managed permission templates, and use it to set the bind rule type to 'anonymous' when installing (or upgrading to) the first "new" master.
| This assumes that the anonymous read ACI will be removed in a "new" IPA.
| Part of the work for: https://fedorahosted.org/freeipa/ticket/3566
| Reviewed-By: Martin Kosek <mkosek@redhat.com>
* update_managed_permissions: Pass around anonymous ACI rather than its blacklist | Petr Viktorin | 2014-05-26 | 1 | -17/+18
| It turns out the ACI object of the anonymous read ACI, rather than just the list of its attributes, will be useful in the future.
| Change the plugin so that the ACI object is passed around.
| Reviewed-By: Martin Kosek <mkosek@redhat.com>
* Replace "replica admins read access" ACI with a permission | Petr Viktorin | 2014-05-21 | 1 | -0/+61
| Add a 'Read Replication Agreements' permission to replace the read ACI for cn=config.
| https://fedorahosted.org/freeipa/ticket/3829
| Reviewed-By: Martin Kosek <mkosek@redhat.com>
* Add several managed read permissions under cn=etc | Petr Viktorin | 2014-04-24 | 1 | -2/+77
| This adds permissions to:
| - cn=masters,cn=ipa (with new privilege)
| - cn=dna,cn=ipa (authenticated users)
| - cn=ca_renewal,cn=ipa (authenticated users)
| - cn=CAcert,cn=ipa (anonymous)
| - cn=replication (authenticated users)
| - cn=ad (authenticated users)
| Part of the work for: https://fedorahosted.org/freeipa/ticket/3566
| Reviewed-By: Martin Kosek <mkosek@redhat.com>
* Add support for non-plugin default permissions | Petr Viktorin | 2014-04-24 | 1 | -2/+12
| Add support for managed permissions that are not tied to an object class and thus can't be defined in an Object plugin.
| A dict is added to hold templates for the non-plugin permissions.
| Reviewed-By: Martin Kosek <mkosek@redhat.com>
* Do not ask for memberindirect when updating managed permissions | Petr Viktorin | 2014-04-17 | 1 | -1/+2
| One of the default_attributes of permission is memberofindirect, a virtual attribute manufactured by ldap2, which is set when a permission is part of a role.
| When update_entry is called on an entry with memberofindirect, ipaldap tries to add the attribute to LDAP and fails with an objectclass violation.
| Do not ask for memberindirect when retrieving the entry.
| Reviewed-By: Martin Kosek <mkosek@redhat.com>
* Fix update_ca_renewal_master plugin on CA-less installs. | Jan Cholasta | 2014-04-10 | 1 | -26/+53
| This also fixes updates from ancient versions of IPA which did not have automatic CA subsystem certificate renewal.
| https://fedorahosted.org/freeipa/ticket/4294
| Reviewed-By: Martin Kosek <mkosek@redhat.com>
* Add mechanism for adding default permissions to privileges | Petr Viktorin | 2014-04-10 | 1 | -0/+11
| Part of the work for: https://fedorahosted.org/freeipa/ticket/3566
| Reviewed-By: Martin Kosek <mkosek@redhat.com>
* Allow overriding all attributes of default permissions | Petr Viktorin | 2014-04-09 | 1 | -12/+40
| Allow overriding ipapermtarget, ipapermtargetfilter, ipapermlocation, objectclass of default managed permissions.
| This allows defining permissions that are not tied to an object type. Default values are same as before.
| Also, do not reset ipapermbindruletype when updating an existing managed permission.
| Reviewed-By: Martin Kosek <mkosek@redhat.com>
* Document the managed permission updater operation | Petr Viktorin | 2014-04-09 | 1 | -0/+34
| The method was explained on the [Design] page, but as the updater is extended the design page would become obsolete.
| Document the operation in the docstring of the plugin itself.
| Design: http://www.freeipa.org/page/V3/Managed_Read_permissions#Default_Permission_Updater
| Reviewed-By: Martin Kosek <mkosek@redhat.com>
* Store information about which CA server is master for renewals in LDAP. | Jan Cholasta | 2014-03-25 | 2 | -0/+80
| Reviewed-By: Petr Viktorin <pviktori@redhat.com>
* Add Object metadata and update plugin for managed permissions | Petr Viktorin | 2014-03-25 | 1 | -0/+160
| The default read permission is added for Netgroup as an example.
| Part of the work for: https://fedorahosted.org/freeipa/ticket/3566
| Design: http://www.freeipa.org/page/V3/Managed_Read_permissions
| Reviewed-By: Martin Kosek <mkosek@redhat.com>
* Add HOTP support | Nathaniel McCallum | 2014-02-21 | 1 | -1/+1
| Reviewed-By: Alexander Bokovoy <abokovoy@redhat.com>
* Convert remaining update code to LDAPEntry API. | Jan Cholasta | 2014-01-24 | 8 | -28/+25
* Remove legacy LDAPEntry properties data and orig_data. | Jan Cholasta | 2014-01-10 | 1 | -4/+4
| https://fedorahosted.org/freeipa/ticket/3488
* Turn LDAPEntry.single_value into a dictionary-like property. | Jan Cholasta | 2013-11-05 | 1 | -2/+2
| This change makes single_value consistent with the raw property.
| https://fedorahosted.org/freeipa/ticket/3521
* Do not fail upgrade if the global anonymous read ACI is not found | Petr Viktorin | 2013-10-04 | 1 | -2/+6
| This helps forward compatibility: the anon ACI is scheduled for removal.
| https://fedorahosted.org/freeipa/ticket/3956
* Permit reads to ipatokenRadiusProxyUser objects | Nathaniel McCallum | 2013-07-11 | 1 | -1/+1
| This fixes an outstanding permissions issue from the OTP work.
| https://fedorahosted.org/freeipa/ticket/3693
* Add update plugin to fill in ipaRangeType attribute | Tomas Babej | 2013-06-10 | 2 | -0/+117
| Previously, we deduced the range type from the range objectclass and filled in virtual attribute in post_callback phase.
| Having an ipaRangeType attributeType in schema, we need to fill the attribute values to ranges created in previous IPA versions.
| The plugin follows the same approach, setting ipa-local or ipa-ad-trust value to the ipaRangeType attribute according to the objectclass of the range.
| Part of https://fedorahosted.org/freeipa/ticket/3647
* Add IPA OTP schema and ACLs | Nathaniel McCallum | 2013-05-17 | 1 | -7/+18
| This commit adds schema support for two factor authentication via OTP devices, including RADIUS or TOTP. This schema will be used by future patches which will enable two factor authentication directly.
| https://fedorahosted.org/freeipa/ticket/3365
| http://freeipa.org/page/V3/OTP
* Update only selected attributes for winsync agreement | Tomas Babej | 2013-04-16 | 1 | -4/+9
| Trying to insert nsDS5ReplicatedAttributeListTotal and nsds5ReplicaStripAttrs to winsync agreements caused upgrade errors. With this patch, these attributes are skipped for winsync agreements.
| Made find_ipa_replication_agreements() in replication.py more corresponding to find_replication_agreements. It returns list of entries instead of unicode strings now.
| https://fedorahosted.org/freeipa/ticket/3522
* Add nfs:NONE to default PAC types only when needed | Tomas Babej | 2013-04-15 | 2 | -0/+58
| We need to add nfs:NONE as a default PAC type only if there's no other default PAC type for nfs.
| Adds an update plugin which determines whether default PAC type for nfs is set and adds nfs:NONE PAC type accordingly.
| https://fedorahosted.org/freeipa/ticket/3555
* Remove ipaserver/ipaldap.py | Petr Viktorin | 2013-03-13 | 1 | -1/+1
| In addition to removing the module, fix all places where it was imported.
| Preparation for: https://fedorahosted.org/freeipa/ticket/3446
* Don't base64-encode the CA cert when uploading it during an upgrade. | Rob Crittenden | 2013-03-07 | 1 | -2/+1
| We want to store the raw value. Tools like ldapsearch will automatically base64 encode the value because it's binary so we don't want to duplicate that.
| https://fedorahosted.org/freeipa/ticket/3477
* Remove support for DN normalization from LDAPClient. | Jan Cholasta | 2013-03-01 | 1 | -2/+2
* Remove some uses of raw python-ldap | Petr Viktorin | 2013-03-01 | 1 | -4/+3
| Part of the work for: https://fedorahosted.org/freeipa/ticket/2660
* Replace entry.getValue by entry.single_value | Petr Viktorin | 2013-03-01 | 1 | -2/+2
| Part of the work for: https://fedorahosted.org/freeipa/ticket/2660
* Remove IPAdmin.updateEntry calls from fix_replica_agreements | Petr Viktorin | 2013-03-01 | 1 | -4/+2
| Part of the work for: https://fedorahosted.org/freeipa/ticket/2660
* Remove unused imports from ipaserver/install | Petr Viktorin | 2013-03-01 | 4 | -7/+2
| Part of the work for: https://fedorahosted.org/freeipa/ticket/2660