summaryrefslogtreecommitdiffstats
path: root/install/share
Commit message (Collapse)AuthorAgeFilesLines
* Fix a couple of typos in some ACIs.Rob Crittenden2010-10-061-3/+3
| | | | | | | One typo was mis-spelling the admins group name The second was an extraneous 'aci' in the name of two acis. ticket 335
* Add options to control NTLM hashesSimo Sorce2010-10-051-0/+2
| | | | | | By default LM hash is disabled. Of course generation still depends on whether the SamAccount objectclass is present in the user object.
* Add Generic config class.Simo Sorce2010-10-051-0/+4
| | | | | | Helps when you need to add random snippets of config that really do not deserve a full atttribute, but are still something you want to put in LDAP and have replicated.
* Fix descriptionsSimo Sorce2010-10-052-2/+2
|
* Allow and deny commands in one ruleDmitri Pal2010-10-041-12/+14
| | | | | | | | | | 1) Added new attribute memberDenyCommand 2) Renamed memberCmd to memberAllowCmd 3) Changed the object class: * removed type * reflected the rename change * added the new attribute 4) Renumbered the attributes (while we still can) for consistency.
* Remove reliance on the name 'admin' as a special user.Rob Crittenden2010-10-011-1/+1
| | | | | | | And move it to the group 'admins' instead. This way the admin user can be removed/renamed. ticket 197
* Add plugins for Sudo Commands, Command Groups and RulesJr Aquino2010-09-271-0/+18
|
* Addressing issues found in schemaDmitri Pal2010-09-241-3/+3
| | | | | | * Matching rule was incorrect * Added memberOf attribute to the command * Switched from groupOfUniqueNames to groupOfNames
* Add new DNS install argument for setting the zone mgr e-mail addr.Rob Crittenden2010-09-231-1/+1
| | | | ticket 125
* Unenroll the client from the IPA server on uninstall.Rob Crittenden2010-09-201-1/+2
| | | | | | | | | | | | | | | | | Unenrollment means that the host keytab is disabled on the server making it possible to re-install on the client. This host principal is how we distinguish an enrolled vs an unenrolled client machine on the server. I added a --unroll option to ipa-join that binds using the host credentials and disables its own keytab. I fixed a couple of other unrelated problems in ipa-join at the same time. I also documented all the possible return values of ipa-getkeytab and ipa-join. There is so much overlap because ipa-join calls ipa-getkeytab and it returns whatever value ipa-getkeytab returned on failure. ticket 242
* Set ipaUniqueId to be unwritable and add to uniqueness configuration.Rob Crittenden2010-09-202-2/+20
| | | | | | We don't want admins messing with this value. ticket 231
* Enabling SUDO supportDmitri Pal2010-09-163-1/+42
| | | | | | | | | | | * Adding a new SUDO schema file * Adding this new file to the list of targets in make file * Create SUDO container for sudo rules * Add default sudo services to HBAC services * Add default SUDO HBAC service group with two services sudo & sudo-i * Installing schema No SUDO rules are created by default by this patch.
* Enable compat plugin by default and configure netgroupsRob Crittenden2010-08-192-15/+15
| | | | | | | | | Move the netgroup compat configuration from the nis configuration to the existing compat configuration. Add a 'status' option to the ipa-copmat-manage tool. ticket 91
* Make the server log level more configurable, not defaulting to debug.Rob Crittenden2010-08-191-2/+12
| | | | | | | | | | | | | | | | This disables debug output in the Apache log by default. If you want increased output create /etc/ipa/server.conf and set it to: [global] debug=True If this is too much output you can select verbose output instead: [global] debug=False verbose=True ticket 60
* Enable a host to retrieve a keytab for all its services.Rob Crittenden2010-08-161-1/+3
| | | | | | | | | | | | | | | | | | | | | | | | Using the host service principal one should be able to retrieve a keytab for other services for the host using ipa-getkeytab. This required a number of changes: - allow hosts in the service's managedby to write krbPrincipalKey - automatically add the host to managedby when a service is created - fix ipa-getkeytab to return the entire prinicpal and not just the first data element. It was returning "host" from the service tgt and not host/ipa.example.com - fix the display of the managedby attribute in the service plugin This led to a number of changes in the service unit tests. I took the opportunity to switch to the Declarative scheme and tripled the number of tests we were doing. This shed some light on a few bugs in the plugin: - if a service had a bad usercertificate it was impossible to delete the service. I made it a bit more flexible. - I added a summary for the mod and find commands - has_keytab wasn't being set in the find output ticket 68
* Add container and initial ACIs for entitlement supportRob Crittenden2010-07-291-0/+6
| | | | | | | | The entitlement entries themselves will be rather simple, consisting of the objectClasses ipaObject and pkiUser. We will just store userCertificate in it. The DN will contain the UUID of the entitlement. ticket #27
* This patch removes the existing UI functionality, as a prep for adding the ↵Adam Young2010-07-291-2/+0
| | | | Javascript based ui.
* 1. Schema cleanupDmitri Pal2010-07-211-13/+12
| | | | | | | | | | | | The ipaAssociation is the core of different association object. It seems that the service is an exception rather then rule. So it is moved into the object where it belongs. Fixed matching rules and some attribute types. Addressing ticket: https://fedorahosted.org/freeipa/ticket/89 Removed unused password attribute and realigned OIDs.
* Fix nis netgroup configurationRob Crittenden2010-07-151-1/+11
| | | | | | | | This was originally configured to pull from the compat area but Nalin thinks that is a bad idea (and it stopped working anyway). This configures the netgroup map to create the triples on its own. Ticket #87
* Handle errors raised by plugins more gracefully in mod_wsgi.Rob Crittenden2010-07-121-6/+10
| | | | | | | | | | | | This started as an effort to display a more useful error message in the Apache error log if retrieving the schema failed. I broadened the scope a little to include limiting the output in the Apache error log so errors are easier to find. This adds a new configuration option, startup_traceback. Outside of lite-server.py it is False by default so does not display the traceback that lead to the StandardError being raised. This makes the mod_wsgi error much easier to follow.
* Add support for User-Private GroupsRob Crittenden2010-07-063-0/+37
| | | | | | | | | | | | | | | This uses a new 389-ds plugin, Managed Entries, to automatically create a group entry when a user is created. The DNA plugin ensures that the group has a gidNumber that matches the users uidNumber. When the user is removed the group is automatically removed as well. If the managed entries plugin is not available or if a specific, separate range for gidNumber is passed in at install time then User-Private Groups will not be configured. The code checking for the Managed Entries plugin may be removed at some point. This is there because this plugin is only available in a 389-ds alpha release currently (1.2.6-a4).
* Remove unused attribute serviceName and re-number schemaRob Crittenden2010-06-211-8/+7
| | | | | | serviceName was originally part of the HBAC rules. We dropped it to use a separate service object instead so we could more easily do groups of services in rules.
* Add ipaUniqueID to HBAC services and service groupsRob Crittenden2010-05-272-31/+1
| | | | Also fix the memberOf attribute for the HBAC services
* Re-number some attributes to compress our usage to be contiguousRob Crittenden2010-05-275-46/+68
| | | | | | | No longer install the policy or key escrow schemas and remove their OIDs for now. 594149
* Add 'all' serviceCategory to default HBAC group and add some default servicesRob Crittenden2010-05-271-0/+31
|
* Add groups of services to HBACRob Crittenden2010-05-172-2/+18
| | | | | | | Replace serviceName with memberService so we can assign individual services or groups of services to an HBAC rule. 588574
* named.conf: Add trailing dot to the fake_mnameMartin Nagy2010-05-061-1/+1
| | | | | Yet another trailing dot issue, but this one was kept hidden because only the latest bind-dyndb-ldap package uses the fake_mname option.
* Create default HBAC rule allowing any user to access any host from any hostRob Crittenden2010-05-052-0/+15
| | | | | | | | | This is to make initial installation and testing easier. Use the --no_hbac_allow option on the command-line to disable this when doing an install. To remove it from a running server do: ipa hbac-del allow_all
* Remove some duplicated schemaRob Crittenden2010-04-301-9/+0
| | | | | Newer versions of 389-ds provide this certificate schema so no need to provide it ourselves.
* Use escapes in DNs instead of quoting.Rob Crittenden2010-04-191-2/+2
| | | | Based on initial patch from Pavel Zuna.
* Enable anonymous VLV so Solaris clients will work out of the box.Rob Crittenden2010-04-161-0/+4
| | | | | | | | Since one needs to enable the compat plugin we will enable anonymous VLV when that is configured. By default the DS installs an aci that grants read access to ldap:///all and we need ldap:///anyone
* Run ipaserver under mod_wsgiJason Gerard DeRose2010-03-012-0/+14
|
* - also ensure that krbCanonicalName is uniqueNalin Dahyabhai2010-02-051-0/+18
|
* - allow the KDC to read krbCanonicalNameNalin Dahyabhai2010-02-051-2/+2
|
* - pull in updated schema which adds the krbCanonicalName attributeNalin Dahyabhai2010-02-041-1/+15
|
* Set BIND to use ldapi and use fake mnameMartin Nagy2010-01-211-1/+2
| | | | | | The fake_mname for now doesn't exists but is a feature that will be added in the near future. Since any unknown arguments to bind-dyndb-ldap are ignored, we are safe to use it now.
* Only add an NTP SRV record if we really are setting up NTPMartin Nagy2010-01-211-3/+1
| | | | | | | The sample bind zone file that is generated if we don't use --setup-dns is also changed. Fixes #500238
* Use the dns plug-in for addition of records during installationMartin Nagy2010-01-213-113/+0
| | | | Fixes #528943
* Fix merge issue, cut-and-paste errorRob Crittenden2010-01-211-2/+1
|
* User-defined certificate subjectsRob Crittenden2010-01-201-1/+3
| | | | | | | | | | | | | | | Let the user, upon installation, set the certificate subject base for the dogtag CA. Certificate requests will automatically be given this subject base, regardless of what is in the CSR. The selfsign plugin does not currently support this dynamic name re-assignment and will reject any incoming requests that don't conform to the subject base. The certificate subject base is stored in cn=ipaconfig but it does NOT dynamically update the configuration, for dogtag at least. The file /var/lib/pki-ca/profiles/ca/caIPAserviceCert.cfg would need to be updated and pki-cad restarted.
* Add BIND pre-op for DS->IPA password migration to ipa-pwd-extop DS plugin.Pavel Zuna2010-01-202-3/+6
|
* Add default values for krb ticket policy attributes during installation.Pavel Zuna2010-01-132-0/+8
|
* Make hosts more like real services so we can issue certs for host principalsRob Crittenden2009-12-161-0/+6
| | | | | This patch should make joining a client to the domain and using certmonger to get an initial certificate work.
* Make the IPA server host and its services "real" IPA entriesRob Crittenden2009-12-111-1/+1
| | | | | | | | | | | We use kadmin.local to bootstrap the creation of the kerberos principals for the IPA server machine: host, HTTP and ldap. This works fine and has the side-effect of protecting the services from modification by an admin (which would likely break the server). Unfortunately this also means that the services can't be managed by useful utilities such as certmonger. So we have to create them as "real" services instead.
* Add ipaUserGroup objectClass to default groups where missing.Pavel Zuna2009-12-011-0/+2
|
* Use a new mechanism for delegating certificate issuance.Rob Crittenden2009-11-032-1/+9
| | | | | | | | | | | | | | | | | | | | | | | | | | | Using the client IP address was a rather poor mechanism for controlling who could request certificates for whom. Instead the client machine will bind using the host service principal and request the certificate. In order to do this: * the service will need to exist * the machine needs to be in the certadmin rolegroup * the host needs to be in the managedBy attribute of the service It might look something like: admin ipa host-add client.example.com --password=secret123 ipa service-add HTTP/client.example.com ipa service-add-host --hosts=client.example.com HTTP/client.example.com ipa rolegroup-add-member --hosts=client.example.com certadmin client ipa-client-install ipa-join -w secret123 kinit -kt /etc/krb5.keytab host/client.example.com ipa -d cert-request file://web.csr --principal=HTTP/client.example.com
* Use Directory String sytnax for the fqdn attribute, not DN syntax.Rob Crittenden2009-10-281-1/+1
|
* No longer use the IPA-specific memberof plugin. Use the DS-supplied one.Rob Crittenden2009-10-122-0/+6
|
* Add HBAC plugin and introduce GeneralizedTime parameter type.Pavel Zuna2009-10-051-0/+6
|
* Add support for per-group kerberos password policy.Rob Crittenden2009-10-051-0/+13
| | | | | | | | | | Use a Class of Service template to do per-group password policy. The design calls for non-overlapping groups but with cospriority we can still make sense of things. The password policy entries stored under the REALM are keyed only on the group name because the MIT ldap plugin can't handle quotes in the DN. It also can't handle spaces between elements in the DN.
generated by cgit (git 2.34.1) at 2024-07-04 03:29:09 +0000