path: root/install/share
Commit message (Author, Age, Files, Lines)
...
* Move automount, default HBAC services, netgroup and hostgroup bootstrapping. (Rob Crittenden, 2010-12-17, 1 file, -0/+135)
  There is no need for these to be done as updates, just add these entries to the bootstrapping.
* Fix the change_password permissions and the DNS access controls. (Rob Crittenden, 2010-12-17, 2 files, -5/+29)
  The change_password permission was too broad, limit it to users.
  The DNS access controls rolled everything into a single ACI. I broke it out into separate ACIs for add, delete and add. I also added a new dns type for the permission plugin.
  ticket 628
* Fix a slew of tests. (Rob Crittenden, 2010-12-17, 1 file, -2/+2)
  - Skip the DNS tests if DNS isn't configured
  - Add new attributes to user entries (displayname, cn and initials)
  - Make the nsaccountlock value consistent
  - Fix the cert subject for cert tests
* Use nsContainer and not extensibleObject for masters entries (Simo Sorce, 2010-12-15, 1 file, -1/+1)
* managed entry hostgroup netgroup support (Jr Aquino, 2010-12-13, 2 files, -0/+20)
  https://fedorahosted.org/freeipa/ticket/543
* Set labels on all attributes in the config object. (Rob Crittenden, 2010-12-10, 1 file, -1/+1)
  Make the cert subject base read-only. This is here only so replicated servers know their base.
  ticket 466
* ipaHomesRootDir was changed to an IA5 string, change the matching rule too (Rob Crittenden, 2010-12-08, 1 file, -1/+1)
* Add new parameter type IA5Str and use this to enforce the right charset. (Rob Crittenden, 2010-12-07, 1 file, -1/+1)
  ticket 496
* Provide list of available attributes for use in ACI UI. (Rob Crittenden, 2010-12-03, 1 file, -1/+0)
  Also include a flag indicating whether the object is bindable. This will be used to determine if the object can have a selfservice ACI.
  ticket 446
* Re-implement access control using an updated model. (Rob Crittenden, 2010-12-01, 3 files, -107/+546)
  The new model is based on permissions, privileges and roles. Most importantly it corrects the reverse membership that caused problems in the previous implementation. You add permission to privileges and privileges to roles, not the other way around (even though it works that way behind the scenes).
  A permission object is a combination of a simple group and an aci. The linkage between the aci and the permission is the description of the permission. This shows as the name/description of the aci.
  ldap:///self and groups granting groups (v1-style) are not supported by this model (it will be provided separately). This makes the aci plugin internal only.
  ticket 445
* Enable EntryUSN plugin by default, with global scope (Simo Sorce, 2010-11-30, 2 files, -0/+11)
  This will allow clients to use entryusn values to track what changed in the directory regardless of replication delays.
  Fixes: https://fedorahosted.org/freeipa/ticket/526
* Reduce the number of attributes a host is allowed to write. (Rob Crittenden, 2010-11-30, 1 file, -2/+6)
  The list of attributes that a host bound as itself could write was overly broad. A host can now only update its description, information about itself such as OS release, etc, its certificate, password and keytab.
  ticket 416
* Create user private groups with a uniqueid. (Rob Crittenden, 2010-11-30, 1 file, -1/+3)
  If we don't then we need to add it when a group is detached causing aci issues.
  I had to move where we create the UPG template until after the DS restart so the schema is available.
  ticket 542
* Display user and host membership in netgroups. (Rob Crittenden, 2010-11-24, 1 file, -0/+6)
  This uses an enhanced memberof plugin that allows multiple attributes to be configured to create memberOf attributes.
  tickets 109 and 110
* Autotune directory server to use a greater number of files (Simo Sorce, 2010-11-22, 2 files, -0/+9)
  This changes the system limits for the dirsrv user as well as configuring DS to allow by default 8192 max files and 64 reserved files (for replication indexes, etc..).
  Fixes: https://fedorahosted.org/freeipa/ticket/464
* id ranges: change DNA configuration (Simo Sorce, 2010-11-22, 5 files, -44/+24)
  Change the way we specify the id ranges to force uid and gid ranges to always be the same. Add option to specify a maximum id.
  Change DNA configuration to use shared ranges so that masters and replicas can actually share the same overall range in a safe way.
  Configure replicas so that their default range is depleted. This will force them to fetch a range portion from the master on the first install.
  fixes: https://fedorahosted.org/freeipa/ticket/198
* Ensure that Apache is running with MPM=Prefork (Jan Zeleny, 2010-11-22, 1 file, -1/+5)
  Script wsgi.py checks if Apache is compiled with MPM=Prefork and if not, it refuses to run.
  https://fedorahosted.org/freeipa/ticket/252
* Give a detached group a full set of group objectclasses. (Rob Crittenden, 2010-11-19, 1 file, -1/+1)
  The UUID plugin handles adding ipaUniqueId for us as well as the access control for it.
  ticket 250
* Add managedby to Host entries (Rob Crittenden, 2010-11-19, 1 file, -0/+8)
  This will allow others to provision on behalf of the host.
  ticket 280
* Revoke a host's certificate (if any) when it is deleted or disabled. (Rob Crittenden, 2010-11-19, 1 file, -1/+1)
  Disable any services when its host is disabled.
  This also makes displaying the certificate attributes (subject, etc) a bit more universal and centralized in a single function.
  ticket 297
* pkinit: always configure pkinit_anchors in krb5.conf (Simo Sorce, 2010-11-18, 1 file, -0/+1)
* Add support for configuring KDC certs for PKINIT (Simo Sorce, 2010-11-18, 4 files, -0/+50)
  This patch adds support only for the selfsign case. Replica support is also still missing at this stage.
* Increase # of chars in users and groups to 255 and default username to 32. (Rob Crittenden, 2010-11-12, 1 file, -1/+1)
  ticket 434
* Use strongest keytype for master key (Simo Sorce, 2010-11-09, 1 file, -1/+1)
* Rename 60sudo.ldif to 60ipasudo.ldif to not overwrite the 389-ds version. (Rob Crittenden, 2010-11-09, 2 files, -1/+1)
  This meant that the compat sudo schema was not available.
  ticket 439
* add support for hostCategory and userCategory (Nalin Dahyabhai, 2010-11-04, 2 files, -2/+2)
* Use kerberos password policy. (Rob Crittenden, 2010-11-01, 4 files, -8/+23)
  This lets the KDC count password failures and can lock out accounts for a period of time. This only works for KDC >= 1.8.
  There currently is no way to unlock a locked account across a replica. MIT Kerberos 1.9 is adding support for doing so. Once that is available unlock will be added.
  The concept of a "global" password policy has changed. When we were managing the policy using the IPA password plugin it was smart enough to search up the tree looking for a policy. The KDC is not so smart and relies on the krbpwdpolicyreference to find the policy. For this reason every user entry requires this attribute.
  I've created a new global_policy entry to store the default password policy. All users point at this now. The group policy works the same and can override this setting.
  As a result the special "GLOBAL" name has been replaced with global_policy. This policy works like any other and is the default if a name is not provided on the command-line.
  ticket 51
* Remove group nesting from the HBAC service groups (Rob Crittenden, 2010-10-28, 1 file, -1/+1)
  ticket 389
* pwd-plugin: Always use a special salt by default. (Simo Sorce, 2010-10-28, 1 file, -6/+8)
  This should make renamed users able to keep using old credentials as the salt is not derived from the principal name but is always a random quantity.
  https://fedorahosted.org/freeipa/ticket/412
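The point of the commit above is that the Kerberos default salt is built from the principal name, so a key stored for "alice" cannot verify a login after a rename to "alicia" unless the salt is stored with the key instead of recomputed from the name. The following is an added example illustrating that, not FreeIPA's pwd-plugin code. It implements the RFC 3962 default salt (realm followed by the principal name components) and the PBKDF2-HMAC-SHA1 string-to-key step; it deliberately omits the final DK(tkey, "kerberos") AES-CBC-CTS step of RFC 3962, so derive_key() returns the PBKDF2 intermediate value rather than the final Kerberos key. The realm, principal names, password and the function names are assumptions made for the example.

```python
"""
Kerberos string-to-key salt demonstration (added example, not FreeIPA code).

Caveat: RFC 3962 applies one more step (DK(tkey, "kerberos") using AES in
CBC-CTS mode) after PBKDF2. That step is omitted here, so derive_key()
returns the PBKDF2 intermediate, not the final Kerberos key. The salt
behaviour, which is what the commit is about, is unaffected by that step.
"""
import hashlib
import os

# RFC 3962 section 4: iteration count used when s2kparams are absent.
DEFAULT_ITERATIONS = 4096


def default_salt(realm: str, principal: str) -> str:
    """RFC 4120 / RFC 3962 default salt: the realm name followed by every
    component of the principal name, with no separators.
    default_salt("ATHENA.MIT.EDU", "raeburn") -> "ATHENA.MIT.EDUraeburn"
    default_salt("EXAMPLE.COM", "host/x.example.com") -> "EXAMPLE.COMhostx.example.com"
    """
    return realm + "".join(principal.split("/"))


def derive_key(password: str, salt: str, key_bits: int = 128,
               iterations: int = DEFAULT_ITERATIONS) -> bytes:
    """PBKDF2-HMAC-SHA1 step of RFC 3962 string-to-key (no final DK step)."""
    if key_bits not in (128, 256):
        raise ValueError("AES key length must be 128 or 256 bits")
    return hashlib.pbkdf2_hmac("sha1", password.encode("utf-8"),
                               salt.encode("utf-8"), iterations,
                               dklen=key_bits // 8)


def new_special_salt(nbytes: int = 16) -> str:
    """A random salt that is stored next to the key instead of being
    recomputed from the principal name (hypothetical helper)."""
    return os.urandom(nbytes).hex()


def rename_keeps_key(password: str, realm: str, old_name: str,
                     new_name: str, special_salt=None) -> bool:
    """Return True if the key stored for old_name still verifies after
    the principal is renamed to new_name.

    With special_salt=None the KDC recomputes the name-derived default
    salt, so the stored key and the recomputed key differ after a rename.
    With a stored random salt the principal name plays no part, so the
    stored key keeps verifying.
    """
    if special_salt is None:
        stored = derive_key(password, default_salt(realm, old_name))
        recomputed = derive_key(password, default_salt(realm, new_name))
    else:
        stored = derive_key(password, special_salt)
        recomputed = derive_key(password, special_salt)
    return stored == recomputed


if __name__ == "__main__":
    realm, pw = "EXAMPLE.COM", "correct horse battery staple"  # constructed
    print("default salt survives rename:",
          rename_keeps_key(pw, realm, "alice", "alicia"))
    print("special salt survives rename:",
          rename_keeps_key(pw, realm, "alice", "alicia", new_special_salt()))
```

The first check is expected to print False and the second True. Because the random salt has to be retrievable by the KDC, it is stored alongside the key material, which is exactly why it can be kept across a rename.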
* UUIDs: remove uuid python plugin and let DS always autogenerate (Simo Sorce, 2010-10-28, 3 files, -3/+6)
  merge in remove uuid
* ipa-modrdn: Enable plugin to handle krbPrincipalName on renames (Simo Sorce, 2010-10-28, 2 files, -0/+12)
* Change SUDO command attr to be case sensitive (Rob Crittenden, 2010-10-26, 1 file, -4/+6)
  * Fixed comments
  * Added attribute
  * Fixed objectclass
* Disallow writes on serverHostName and memberOf (Rob Crittenden, 2010-10-22, 1 file, -2/+1)
  serverHostName because this is tied to the FQDN so should only be changed on a host rename (which we don't do).
  memberOf because the plugin should do this. Directly managing this attribute would be pretty dangerous and confusing.
  Also remove a redundant aci granting the admins group write access to users and groups. They have it through the "admins can modify any entry" aci.
  tickets 300, 304
* ipa-uuid: enable plugin in IPA (Simo Sorce, 2010-10-22, 2 files, -0/+11)
* Default search limit to 100 (Adam Young, 2010-10-19, 1 file, -1/+1)
* ntpdinstance: Do not replace the config files, just add needed options (Simo Sorce, 2010-10-18, 3 files, -60/+0)
* Fix a couple of typos in some ACIs. (Rob Crittenden, 2010-10-06, 1 file, -3/+3)
  One typo was mis-spelling the admins group name. The second was an extraneous 'aci' in the name of two acis.
  ticket 335
* Add options to control NTLM hashes (Simo Sorce, 2010-10-05, 1 file, -0/+2)
  By default LM hash is disabled. Of course generation still depends on whether the SamAccount objectclass is present in the user object.
* Add Generic config class. (Simo Sorce, 2010-10-05, 1 file, -0/+4)
  Helps when you need to add random snippets of config that really do not deserve a full attribute, but are still something you want to put in LDAP and have replicated.
* Fix descriptions (Simo Sorce, 2010-10-05, 2 files, -2/+2)
* Allow and deny commands in one rule (Dmitri Pal, 2010-10-04, 1 file, -12/+14)
  1) Added new attribute memberDenyCommand
  2) Renamed memberCmd to memberAllowCmd
  3) Changed the object class:
     * removed type
     * reflected the rename change
     * added the new attribute
  4) Renumbered the attributes (while we still can) for consistency.
* Remove reliance on the name 'admin' as a special user. (Rob Crittenden, 2010-10-01, 1 file, -1/+1)
  And move it to the group 'admins' instead. This way the admin user can be removed/renamed.
  ticket 197
* Add plugins for Sudo Commands, Command Groups and Rules (Jr Aquino, 2010-09-27, 1 file, -0/+18)
* Addressing issues found in schema (Dmitri Pal, 2010-09-24, 1 file, -3/+3)
  * Matching rule was incorrect
  * Added memberOf attribute to the command
  * Switched from groupOfUniqueNames to groupOfNames
* Add new DNS install argument for setting the zone mgr e-mail addr. (Rob Crittenden, 2010-09-23, 1 file, -1/+1)
  ticket 125
* Unenroll the client from the IPA server on uninstall. (Rob Crittenden, 2010-09-20, 1 file, -1/+2)
  Unenrollment means that the host keytab is disabled on the server making it possible to re-install on the client. This host principal is how we distinguish an enrolled vs an unenrolled client machine on the server.
  I added a --unroll option to ipa-join that binds using the host credentials and disables its own keytab.
  I fixed a couple of other unrelated problems in ipa-join at the same time.
  I also documented all the possible return values of ipa-getkeytab and ipa-join. There is so much overlap because ipa-join calls ipa-getkeytab and it returns whatever value ipa-getkeytab returned on failure.
  ticket 242
* Set ipaUniqueId to be unwritable and add to uniqueness configuration. (Rob Crittenden, 2010-09-20, 2 files, -2/+20)
  We don't want admins messing with this value.
  ticket 231
* Enabling SUDO support (Dmitri Pal, 2010-09-16, 3 files, -1/+42)
  * Adding a new SUDO schema file
  * Adding this new file to the list of targets in make file
  * Create SUDO container for sudo rules
  * Add default sudo services to HBAC services
  * Add default SUDO HBAC service group with two services sudo & sudo-i
  * Installing schema
  No SUDO rules are created by default by this patch.
* Enable compat plugin by default and configure netgroups (Rob Crittenden, 2010-08-19, 2 files, -15/+15)
  Move the netgroup compat configuration from the nis configuration to the existing compat configuration.
  Add a 'status' option to the ipa-compat-manage tool.
  ticket 91
* Make the server log level more configurable, not defaulting to debug. (Rob Crittenden, 2010-08-19, 1 file, -2/+12)
  This disables debug output in the Apache log by default. If you want increased output create /etc/ipa/server.conf and set it to:

    [global]
    debug=True

  If this is too much output you can select verbose output instead:

    [global]
    debug=False
    verbose=True

  ticket 60