path: root/install/share
Commit log. Each entry: commit subject; author, date, files changed, lines (-removed/+added); commit message body.
* Store list of non-master replicas in DIT and provide way to list them
  Simo Sorce, 2011-03-02, 1 file changed, -0/+6
  Fixes: https://fedorahosted.org/freeipa/ticket/1007
* Use Sudo rather than SUDO as a label.
  Rob Crittenden, 2011-03-01, 1 file changed, -3/+3
  ticket 1005
* Fix replica setup using replication admin kerberos credentials
  Simo Sorce, 2011-03-01, 1 file changed, -0/+5
  Fixes: https://fedorahosted.org/freeipa/ticket/1022
* Create default disabled sudo bind user
  Jr Aquino, 2011-02-23, 2 files changed, -0/+10
  Read access is denied to the sudo container for unauthenticated users. This shared user can be used to provide authenticated access to the sudo information.
  https://fedorahosted.org/freeipa/ticket/998
* Entitlements ACIs not visible to Permission plugin
  Martin Kosek, 2011-02-22, 1 file changed, -3/+6
  This patch fixes Entitlements privileges and ACIs. There were missing descriptions or the ACIs could not be processed by Permission plugin because of missing prefix.
  https://fedorahosted.org/freeipa/ticket/997
* Add default roles and permissions for HBAC, SUDO and pw policy
  Rob Crittenden, 2011-02-22, 1 file changed, -1/+1
  Created some default roles as examples. In doing so I realized that we were completely missing default rules for HBAC, SUDO and password policy so I added those as well. I ran into a problem when the updater has a default record and an add at the same time; it should handle it better now.
  ticket 585
* Browser configuration support for Firefox 4
  Martin Kosek, 2011-02-17, 1 file changed, -12/+32
  Support of navigator.preferences that is used to access browser configuration was dropped in Firefox 4. This disables automatic configuration of user preferences in this browser that is needed to use Kerberos single sign-on. This patch detects a lack of this interface and tries to configure the browser using the new Services module introduced in Gecko 2 (used in Firefox 4, SeaMonkey 2.1).
  https://fedorahosted.org/freeipa/ticket/975
* Updated default Kerberos password policy
  Jan Zeleny, 2011-02-16, 1 file changed, -2/+2
  https://fedorahosted.org/freeipa/ticket/930
* Fixed cn attribute in ipaUniqueID uniqueness config.
  Endi S. Dewata, 2011-02-16, 1 file changed, -1/+1
* Fine tuning DNS options
  Jakub Hrozek, 2011-02-14, 1 file changed, -2/+3
  Add pointer to self to /etc/hosts to avoid chicken/egg problems when restarting DNS. On servers set both dns_lookup_realm and dns_lookup_kdc to false so we don't attempt to do any resolving. Leave it to true on clients. Set rdns to false on both server and client.
  https://fedorahosted.org/freeipa/ticket/931
* drop the group.upg NIS map
  Nalin Dahyabhai, 2011-02-14, 1 file changed, -12/+0
  The group.upg NIS map was an experiment in providing UPG groups dynamically, and is not one of the maps that I'd ever expect a NIS client to "know" to search. We should probably just drop it.
* Make main selfservice aci visible to the selfservice plugin.
  Rob Crittenden, 2011-02-10, 1 file changed, -2/+2
  ticket 934
* IPv6 enhancements
  Jakub Hrozek, 2011-02-02, 1 file changed, -0/+3
  * Make host-add, host-del and reverse zone creation IPv6 aware
  * Make Bind listen on IPv6 interfaces, too
  https://fedorahosted.org/freeipa/ticket/398
* Add support for tracking and counting entitlements
  Rob Crittenden, 2011-02-02, 3 files changed, -19/+46
  Adds a plugin, entitle, to register to the entitlement server, consume entitlements and to count and track them. It is also possible to import an entitlement certificate (if for example the remote entitlement server is unavailable). This uses the candlepin server from https://fedorahosted.org/candlepin/wiki for entitlements. Add a cron job to validate the entitlement status and syslog the results.
  tickets 28, 79, 278
* Add new schema to store information about permissions.
  Rob Crittenden, 2011-02-01, 2 files changed, -0/+51
  There are some permissions we can't display because they are stored outside of the basedn (such as the replication permissions). We are adding a new attribute to store extra information to make this clear, in this case SYSTEM.
  ticket 853
* Rename permissions and privileges to be more readable.
  Rob Crittenden, 2011-01-31, 3 files changed, -261/+216
  This also drops description from permissions since it seems redundant and fixes up the help text a little.
  ticket 792
* Address entryusn initialization on replica installation
  Simo Sorce, 2011-01-28, 1 file changed, -0/+5
  Fixes: https://fedorahosted.org/freeipa/ticket/637
* Put some safeguards against misconfiguration on the kdc account
  Simo Sorce, 2011-01-28, 1 file changed, -0/+2
  Ticket: https://fedorahosted.org/freeipa/ticket/862
* modifyprivilegemembership permission has nestedgroup OC
  Martin Kosek, 2011-01-28, 1 file changed, -1/+1
  modifyprivilegemembership permission object class in LDAP should be groupofnames, not nestedgroup.
  https://fedorahosted.org/freeipa/ticket/858
* Add support for account unlocking
  Jan Zeleny, 2011-01-28, 3 files changed, -2/+14
  This patch adds command ipa user-unlock and some LDAP modifications which are required by Kerberos for unlocking to work.
  Ticket: https://fedorahosted.org/freeipa/ticket/344
* block anonymous access to sudo info https://fedorahosted.org/freeipa/ticket/865
  Jr Aquino, 2011-01-27, 1 file changed, -0/+6
* ACI plugin supports prefixes
  Martin Kosek, 2011-01-26, 3 files changed, -48/+48
  When more than one plugin produces ACIs, they share a common namespace of ACI names. This may lead to name collisions between the ACIs from different plugins. This patch introduces a mandatory "prefix" attribute for non-find ACI operations which allows plugins to use their own prefixes (i.e. namespaces), which is then used when a name of the ACI is generated. Permission, Delegation and Selfservice plugins have been updated to use their own prefixes, thus avoiding name collisions by using their own namespaces. Default ACIs in LDIFs have been updated to follow this new policy. Permission plugin now uses its CN (=primary key) instead of description in ACI names as Description may not be unique. This change requires an IPA server reinstall since the default ACI set has been changed.
  https://fedorahosted.org/freeipa/ticket/764
* Enforce uniqueness on (key,info) pairs in automount keys
  Jakub Hrozek, 2011-01-25, 1 file changed, -1/+2
  https://fedorahosted.org/freeipa/ticket/293
* Block anonymous access to HBAC, role and some member information.
  Rob Crittenden, 2011-01-24, 2 files changed, -0/+11
  Prevents an unauthenticated user from accessing HBAC and role information as well as memberof which could disclose roles, memberships in HBAC, etc.
  ticket 811
* Allow SASL/EXTERNAL authentication for the root user
  Simo Sorce, 2011-01-20, 2 files changed, -0/+25
  This gives the root user low privileges so that when anonymous searches are denied the init scripts can still search the directory via ldapi to get the list of services to start.
  Fixes: https://fedorahosted.org/freeipa/ticket/795
* Make krb5kdc use the ldapi socket to talk to dirsrv
  Simo Sorce, 2011-01-20, 1 file changed, -1/+1
  Fixes: https://fedorahosted.org/freeipa/ticket/812
* Move HBAC services and service groups to cn=hbac
  Jan Zeleny, 2011-01-18, 1 file changed, -21/+21
  https://fedorahosted.org/freeipa/ticket/762
* Move sudo related data all under cn=sudo
  Simo Sorce, 2011-01-17, 2 files changed, -7/+13
  Fixes: https://fedorahosted.org/freeipa/ticket/773
* Remove radius options completely.
  Simo Sorce, 2011-01-14, 4 files changed, -590/+0
  This has been completely abandoned since ipa v1 and is not built by default. Instead of carrying dead weight, let's remove it for now.
  Fixes: https://fedorahosted.org/freeipa/ticket/761
* Move mep templates under cn=etc
  Simo Sorce, 2011-01-14, 2 files changed, -4/+4
  Fixes: https://fedorahosted.org/freeipa/ticket/760
* Move Virtual Operations container under cn=etc
  Simo Sorce, 2011-01-14, 1 file changed, -13/+13
  Fixes: https://fedorahosted.org/freeipa/ticket/759
* Allow using Kerberos credentials with the 'connect' command
  Simo Sorce, 2011-01-14, 1 file changed, -1/+1
  Now that we can set up GSSAPI authenticated replication we are not tied to using the Directory Manager password to set up replication agreements.
  Fixes: https://fedorahosted.org/freeipa/ticket/644
* Restrict anonymous tgts
  Simo Sorce, 2011-01-12, 1 file changed, -0/+1
  Fixes: https://fedorahosted.org/freeipa/ticket/432
* Bugfix for sudo compat cmdcat and deny commands https://fedorahosted.org/freeipa/ticket/742
  Jr Aquino, 2011-01-12, 1 file changed, -2/+2
* fix sudorule runas user/groups https://fedorahosted.org/freeipa/ticket/570
  Jr Aquino, 2011-01-12, 1 file changed, -0/+1
* Make ipaDefaultLoginShell use IA5String syntax to match POSIX schema.
  Rob Crittenden, 2011-01-11, 1 file changed, -1/+1
  ticket 739
* Allow the kdc to write krbExtraData
  Rob Crittenden, 2011-01-07, 1 file changed, -1/+1
* Don't use Class of Service for account activation, use attribute.
  Rob Crittenden, 2011-01-04, 1 file changed, -38/+0
  To support group-based account disablement we created a Class of Service where group membership controlled whether an account was active or not. Since we aren't doing group-based account locking drop that and use nsaccountlock directly.
  ticket 568
* netgroups created by hostgroups lacked info https://fedorahosted.org/freeipa/ticket/653
  Jr Aquino, 2011-01-03, 1 file changed, -0/+2
* Move permissions and privileges to their own container, cn=pbac,$SUFFIX
  Rob Crittenden, 2010-12-22, 3 files changed, -173/+180
  ticket 638
* Rework old init and synch commands and use better names.
  Simo Sorce, 2010-12-21, 1 file changed, -0/+4
  These commands can now be run exclusively on the replica that needs to be resynced or reinitialized and the --from command must be used to tell from which other replica it will pull data.
  Fixes: https://fedorahosted.org/freeipa/ticket/626
* Remove referrals when removing agreements
  Simo Sorce, 2010-12-21, 2 files changed, -8/+22
  Part of this fix requires also giving proper permission to change the replication agreements root. While there also fix replica-related permissions to have the classic add/modify/remove triplet of permissions.
  Fixes: https://fedorahosted.org/freeipa/ticket/630
* Remove common entries when deleting a master.
  Simo Sorce, 2010-12-21, 1 file changed, -0/+5
  Fixes: https://fedorahosted.org/freeipa/ticket/550
* Add replication related acis to all replicas
  Simo Sorce, 2010-12-21, 3 files changed, -12/+12
  Fixes: https://fedorahosted.org/freeipa/ticket/617
* In meta data make ACI attributes lower-case, sorted. Add possible attributes.
  Rob Crittenden, 2010-12-21, 1 file changed, -2/+2
  The metadata contains a list of possible attributes that an ACI for that object might need. Add a new variable to hold possible objectclasses for optional elements (like posixGroup for groups). To make the list easier to handle sort it and make it all lower-case. Fix a couple of missed camel-case attributes in the default ACI list.
  ticket 641
* sudo: treat mepOriginEntry hostgroups differently
  Nalin Dahyabhai, 2010-12-21, 1 file changed, -1/+2
  - if a hostgroup named by the memberHost attribute is not also a mepOriginEntry, proceed as before
  - if a hostgroup named by the memberHost attribute is also a mepOriginEntry, read its "cn" attribute, prepend a "+" to it, and call it done
* sudo and netgroup schema compat updates
  Nalin Dahyabhai, 2010-12-21, 2 files changed, -11/+32
  - fix quoting of netgroup entries
  - don't bother looking for members of netgroups by looking for entries which list "memberOf: $netgroup" -- the netgroup should list them as "member" values
  - use newer slapi-nis functionality to produce cn=sudoers
  - drop the real cn=sudoers container to make room for the compat container
* Change FreeIPA license to GPLv3+
  Jakub Hrozek, 2010-12-20, 1 file changed, -0/+21
  The changes include:
  * Change license blobs in source files to mention GPLv3+ not GPLv2 only
  * Add GPLv3+ license text
  * Package COPYING not LICENSE as the license blobs (even the old ones) mention COPYING specifically, it is also more common, I think
  https://fedorahosted.org/freeipa/ticket/239
* Fix delegation.ldif typo
  Jakub Hrozek, 2010-12-20, 1 file changed, -1/+1
* Don't use camel-case LDAP attributes in ACI and don't clear enrolledBy
  Rob Crittenden, 2010-12-17, 2 files changed, -24/+17
  We keep LDAP attributes lower-case elsewhere in the API; we should do the same with all access controls. There were two ACIs pointing at the manage_host_keytab permission. This isn't allowed in general and we have decided separately to not clear out enrolledBy when a host is unenrolled so dropping it is the obvious thing to do.
  ticket 597