freeipa.git/install/updates, branch master Unnamed repository; edit this file 'description' to name the repository. Allow hashed passwords in DS 2014-07-25T08:36:47+00:00 Martin Kosek mkosek@redhat.com 2014-07-23T11:03:57+00:00 15eb343b9c235a1ca3a6cc48f730590949d439ec Without nsslapd-allow-hashed-passwords being turned on, user password migration fails. https://fedorahosted.org/freeipa/ticket/4450 Reviewed-By: Alexander Bokovoy <abokovoy@redhat.com> 
Without nsslapd-allow-hashed-passwords being turned on, user password
migration fails.

https://fedorahosted.org/freeipa/ticket/4450

Reviewed-By: Alexander Bokovoy <abokovoy@redhat.com>
trusts: Make cn=adtrust agents sysaccount nestedgroup 2014-07-18T08:08:04+00:00 Tomas Babej tbabej@redhat.com 2014-07-10T15:26:25+00:00 b7a1401e9dd06c1c8b055295087907e33954a889 Since recent permissions work references this entry, we need to be able to have memberOf attributes created on this entry. Hence we need to include the nestedgroup objectclass. https://fedorahosted.org/freeipa/ticket/4433 Reviewed-By: Jan Cholasta <jcholast@redhat.com> 
Since recent permissions work references this entry, we need to be
able to have memberOf attributes created on this entry. Hence we
need to include the nestedgroup objectclass.

https://fedorahosted.org/freeipa/ticket/4433

Reviewed-By: Jan Cholasta <jcholast@redhat.com>
Allow read access to services in cn=masters to auth'd users 2014-07-04T13:58:14+00:00 Petr Viktorin pviktori@redhat.com 2014-07-04T11:19:37+00:00 23feb4e0271d6876e2137f301f209a9f3af19084 https://fedorahosted.org/freeipa/ticket/4425 Reviewed-By: Martin Kosek <mkosek@redhat.com> 
https://fedorahosted.org/freeipa/ticket/4425

Reviewed-By: Martin Kosek <mkosek@redhat.com>
Fix: Missing ACI for records in 40-dns.update 2014-07-04T10:27:24+00:00 Martin Basti mbasti@redhat.com 2014-07-01T15:25:43+00:00 3461be5c78dcc77a758235dce6f0cc8e370a0310 Reviewed-By: Petr Viktorin <pviktori@redhat.com> 
Reviewed-By: Petr Viktorin <pviktori@redhat.com>
Add NSEC3PARAM to zone settings 2014-07-02T12:54:41+00:00 Martin Basti mbasti@redhat.com 2014-06-30T16:29:40+00:00 30551a8aa30dcd39b3ae4c2fe97a163620773730 Ticket: https://fedorahosted.org/freeipa/ticket/4413 Reviewed-By: Petr Vobornik <pvoborni@redhat.com> 
Ticket: https://fedorahosted.org/freeipa/ticket/4413
Reviewed-By: Petr Vobornik <pvoborni@redhat.com>
Remove NSEC3PARAM record 2014-07-02T12:54:41+00:00 Martin Basti mbasti@redhat.com 2014-06-30T15:17:02+00:00 ff7b44e3b09b2e94fde66f918a6d1fb6db043d80 Revert 5b95be802c6aa12b9464813441f85eaee3e3e82b Ticket: https://fedorahosted.org/freeipa/ticket/4413 Reviewed-By: Petr Vobornik <pvoborni@redhat.com> 
Revert 5b95be802c6aa12b9464813441f85eaee3e3e82b

Ticket: https://fedorahosted.org/freeipa/ticket/4413
Reviewed-By: Petr Vobornik <pvoborni@redhat.com>
Fix ACI in DNS 2014-07-01T10:43:55+00:00 Martin Basti mbasti@redhat.com 2014-06-25T15:24:45+00:00 c655aa28321f3a0ef00de89dd4c726f39f62653e Added ACI for idnssecinlinesigning, dlvrecord, nsec3paramrecord, tlsarecord Reviewed-By: Petr Viktorin <pviktori@redhat.com> 
Added ACI for idnssecinlinesigning, dlvrecord, nsec3paramrecord,
tlsarecord

Reviewed-By: Petr Viktorin <pviktori@redhat.com>
Allow admins to write krbLoginFailedCount 2014-07-01T08:02:02+00:00 Petr Viktorin pviktori@redhat.com 2014-06-30T10:26:36+00:00 d1ede2068008e367f538a7f3d7e0e2d3ee128b79 Without write access to this attribute, admins could not unlock users. https://fedorahosted.org/freeipa/ticket/4409 Reviewed-By: Martin Kosek <mkosek@redhat.com> 
Without write access to this attribute, admins could not unlock users.

https://fedorahosted.org/freeipa/ticket/4409

Reviewed-By: Martin Kosek <mkosek@redhat.com>
keytab: Add new extended operation to get a keytab. 2014-06-26T08:30:53+00:00 Simo Sorce simo@redhat.com 2013-09-17T04:30:14+00:00 5c0e7a5fb420377dcc06a956695afdcb35196444 This new extended operation allow to create new keys or retrieve existing ones. The new set of keys is returned as a ASN.1 structure similar to the one that is passed in by the 'set keytab' extended operation. Access to the operation is regulated through a new special ACI that allows 'retrieval' only if the user has access to an attribute named ipaProtectedOperation postfixed by the subtypes 'read_keys' and 'write_keys' to distinguish between creation and retrieval operation. For example for allowing retrieval by a specific user the following ACI is set on cn=accounts: (targetattr="ipaProtectedOperation;read_keys") ... ... userattr=ipaAllowedToPerform;read_keys#USERDN) This ACI matches only if the service object hosts a new attribute named ipaAllowedToPerform that holds the DN of the user attempting the operation. Resolves: https://fedorahosted.org/freeipa/ticket/3859 Reviewed-By: Nathaniel McCallum <npmccallum@redhat.com> 
This new extended operation allow to create new keys or retrieve
existing ones. The new set of keys is returned as a ASN.1 structure
similar to the one that is passed in by the 'set keytab' extended
operation.

Access to the operation is regulated through a new special ACI that
allows 'retrieval' only if the user has access to an attribute named
ipaProtectedOperation postfixed by the subtypes 'read_keys' and
'write_keys' to distinguish between creation and retrieval operation.

For example for allowing retrieval by a specific user the following ACI
is set on cn=accounts:

(targetattr="ipaProtectedOperation;read_keys") ...
 ... userattr=ipaAllowedToPerform;read_keys#USERDN)

This ACI matches only if the service object hosts a new attribute named
ipaAllowedToPerform that holds the DN of the user attempting the
operation.

Resolves:
https://fedorahosted.org/freeipa/ticket/3859

Reviewed-By: Nathaniel McCallum <npmccallum@redhat.com>
sudorule: Enforce category ALL checks on dirsrv level 2014-06-25T18:14:51+00:00 Tomas Babej tbabej@redhat.com 2014-05-14T12:48:07+00:00 b1275c5b1c2038c9769377e9cf0afe04139d1d8d https://fedorahosted.org/freeipa/ticket/4341 Reviewed-By: Petr Viktorin <pviktori@redhat.com> 
https://fedorahosted.org/freeipa/ticket/4341

Reviewed-By: Petr Viktorin <pviktori@redhat.com>