freeipa.git/install/share, branch patternfly Unnamed repository; edit this file 'description' to name the repository. dns: Add idnsSecInlineSigning attribute, add --dnssec option to zone 2014-05-28T13:58:24+00:00 Petr Viktorin pviktori@redhat.com 2014-04-29T17:42:41+00:00 8b7daf675e77d7a5e2de6eadb26ca3b682c0d67f Part of the work for: https://fedorahosted.org/freeipa/ticket/3801 Reviewed-By: Martin Kosek <mkosek@redhat.com> 
Part of the work for: https://fedorahosted.org/freeipa/ticket/3801

Reviewed-By: Martin Kosek <mkosek@redhat.com>
Remove the global anonymous read ACI 2014-05-26T10:14:55+00:00 Petr Viktorin pviktori@redhat.com 2014-04-29T19:46:26+00:00 193ced0bd7a9a26e7b25f08b023ee21302acaac7 Also remove - the deny ACIs that implemented exceptions to it: - no anonymous access to roles - no anonymous access to member information - no anonymous access to hbac - no anonymous access to sudo (2×) - its updater plugin Part of the work for: https://fedorahosted.org/freeipa/ticket/3566 Reviewed-By: Martin Kosek <mkosek@redhat.com> 
Also remove
- the deny ACIs that implemented exceptions to it:
  - no anonymous access to roles
  - no anonymous access to member information
  - no anonymous access to hbac
  - no anonymous access to sudo (2×)
- its updater plugin

Part of the work for: https://fedorahosted.org/freeipa/ticket/3566

Reviewed-By: Martin Kosek <mkosek@redhat.com>
Replace "replica admins read access" ACI with a permission 2014-05-21T07:57:16+00:00 Petr Viktorin pviktori@redhat.com 2014-04-28T12:23:19+00:00 86f943ca180a72c4cfa3a8a03226f2471a97981b Add a 'Read Replication Agreements' permission to replace the read ACI for cn=config. https://fedorahosted.org/freeipa/ticket/3829 Reviewed-By: Martin Kosek <mkosek@redhat.com> 
Add a 'Read Replication Agreements' permission to replace
the read ACI for cn=config.

https://fedorahosted.org/freeipa/ticket/3829

Reviewed-By: Martin Kosek <mkosek@redhat.com>
aci-update: Trim the admin write blacklist 2014-04-25T12:06:08+00:00 Petr Viktorin pviktori@redhat.com 2014-03-26T16:11:23+00:00 223e6dc3f766879220a01f855da627e29f30e385 These attributes are removed from the blacklist, which means high-level admins can now modify them: - krbPrincipalAliases - krbPrincipalType - krbPwdPolicyReference - krbTicketPolicyReference - krbUPEnabled - serverHostName The intention is to only blacklist password attributes and attributes that are managed by DS plugins. Also, move the admin ACIs from ldif and trusts.update to aci.update. Reviewed-By: Martin Kosek <mkosek@redhat.com> 
These attributes are removed from the blacklist, which means
high-level admins can now modify them:

- krbPrincipalAliases
- krbPrincipalType
- krbPwdPolicyReference
- krbTicketPolicyReference
- krbUPEnabled
- serverHostName

The intention is to only blacklist password attributes and attributes
that are managed by DS plugins.

Also, move the admin ACIs from ldif and trusts.update to aci.update.

Reviewed-By: Martin Kosek <mkosek@redhat.com>
Add a new ipaVirtualOperation objectClass to virtual operations 2014-04-24T09:19:51+00:00 Petr Viktorin pviktori@redhat.com 2014-04-17T10:36:33+00:00 baa72b68b1336edb28ca833fcc1616fe466fe709 The entries are moved from the ldif file to an update file. Part of the work for: https://fedorahosted.org/freeipa/ticket/3566 Reviewed-By: Martin Kosek <mkosek@redhat.com> 
The entries are moved from the ldif file to an update file.

Part of the work for: https://fedorahosted.org/freeipa/ticket/3566

Reviewed-By: Martin Kosek <mkosek@redhat.com>
schema-compat: set precedence to 49 to allow OTP binds over compat tree 2014-04-04T06:45:43+00:00 Alexander Bokovoy abokovoy@redhat.com 2014-02-20T10:18:16+00:00 ad6480f845e91479647a2a6d509565e59c4aa480 schema-compat plugin rewrites bind DN to point to the original entry on LDAP bind operation. To work with OTP tokens this requires that schema-compat's pre-bind callback is called before pre-bind callback of the ipa-pwd-extop plugin. Therefore, schema-compat plugin should have a nsslapd-pluginprecedence value lower than (default) 50 which is used by the ipa-pwd-extop plugin. Note that this will only work if ticket 47699 is fixed in 389-ds. Reviewed-By: Nathaniel McCallum <npmccallum@redhat.com> 
schema-compat plugin rewrites bind DN to point to the original entry
on LDAP bind operation. To work with OTP tokens this requires that
schema-compat's pre-bind callback is called before pre-bind callback of
the ipa-pwd-extop plugin. Therefore, schema-compat plugin should have
a nsslapd-pluginprecedence value lower than (default) 50 which is used
by the ipa-pwd-extop plugin.

Note that this will only work if ticket 47699 is fixed in 389-ds.

Reviewed-By: Nathaniel McCallum <npmccallum@redhat.com>
Use LDAP API to upload CA certificate instead of ldapmodify command. 2014-03-25T15:54:54+00:00 Jan Cholasta jcholast@redhat.com 2014-01-02T13:28:22+00:00 48539b35d78f8872fc2996e045987bcfa6ab7db7 Reviewed-By: Petr Viktorin <pviktori@redhat.com> 
Reviewed-By: Petr Viktorin <pviktori@redhat.com>
Make all ipatokenTOTP attributes mandatory 2014-02-21T15:07:39+00:00 Nathaniel McCallum npmccallum@redhat.com 2014-02-20T15:22:44+00:00 adcd373931c50d91550f6b74b191d08ecce5b137 Originally we made them all optional as a workaround for the lack of SELFDN support in 389DS. However, with the advent of SELFDN, this hack is no longer necessary. This patch updates TOTP to match HOTP in this regard. Reviewed-By: Jan Cholasta <jcholast@redhat.com> 
Originally we made them all optional as a workaround for the lack of SELFDN
support in 389DS. However, with the advent of SELFDN, this hack is no longer
necessary. This patch updates TOTP to match HOTP in this regard.

Reviewed-By: Jan Cholasta <jcholast@redhat.com>
Add HOTP support 2014-02-21T09:26:02+00:00 Nathaniel McCallum npmccallum@redhat.com 2014-01-28T22:11:04+00:00 abb63ed9d1027b967b4ac4473433e4eb5a3ff0b9 Reviewed-By: Alexander Bokovoy <abokovoy@redhat.com> 
Reviewed-By: Alexander Bokovoy <abokovoy@redhat.com>
permissions: Use multivalued targetfilter 2014-02-20T12:11:41+00:00 Petr Viktorin pviktori@redhat.com 2014-01-06T14:51:20+00:00 e951f1841674fc57a867b9a36eea9d82ca31ad38 Change the target filter to be multivalued. Make the `type` option on permissions set location and an (objectclass=...) targetfilter, instead of location and target. Make changing or unsetting `type` remove existing (objectclass=...) targetfilters only, and similarly, changing/unsetting `memberof` to remove (memberof=...) only. Update tests Part of the work for: https://fedorahosted.org/freeipa/ticket/4074 Reviewed-By: Martin Kosek <mkosek@redhat.com> 
Change the target filter to be multivalued.

Make the `type` option on permissions set location and an
(objectclass=...) targetfilter, instead of location and target.
Make changing or unsetting `type` remove existing
(objectclass=...) targetfilters only, and similarly,
changing/unsetting `memberof` to remove (memberof=...) only.

Update tests

Part of the work for: https://fedorahosted.org/freeipa/ticket/4074

Reviewed-By: Martin Kosek <mkosek@redhat.com>