freeipa.git/install/updates, branch sync-token Unnamed repository; edit this file 'description' to name the repository. keytab: Add new extended operation to get a keytab. 2014-06-26T08:30:53+00:00 Simo Sorce simo@redhat.com 2013-09-17T04:30:14+00:00 5c0e7a5fb420377dcc06a956695afdcb35196444 This new extended operation allow to create new keys or retrieve existing ones. The new set of keys is returned as a ASN.1 structure similar to the one that is passed in by the 'set keytab' extended operation. Access to the operation is regulated through a new special ACI that allows 'retrieval' only if the user has access to an attribute named ipaProtectedOperation postfixed by the subtypes 'read_keys' and 'write_keys' to distinguish between creation and retrieval operation. For example for allowing retrieval by a specific user the following ACI is set on cn=accounts: (targetattr="ipaProtectedOperation;read_keys") ... ... userattr=ipaAllowedToPerform;read_keys#USERDN) This ACI matches only if the service object hosts a new attribute named ipaAllowedToPerform that holds the DN of the user attempting the operation. Resolves: https://fedorahosted.org/freeipa/ticket/3859 Reviewed-By: Nathaniel McCallum <npmccallum@redhat.com> 
This new extended operation allow to create new keys or retrieve
existing ones. The new set of keys is returned as a ASN.1 structure
similar to the one that is passed in by the 'set keytab' extended
operation.

Access to the operation is regulated through a new special ACI that
allows 'retrieval' only if the user has access to an attribute named
ipaProtectedOperation postfixed by the subtypes 'read_keys' and
'write_keys' to distinguish between creation and retrieval operation.

For example for allowing retrieval by a specific user the following ACI
is set on cn=accounts:

(targetattr="ipaProtectedOperation;read_keys") ...
 ... userattr=ipaAllowedToPerform;read_keys#USERDN)

This ACI matches only if the service object hosts a new attribute named
ipaAllowedToPerform that holds the DN of the user attempting the
operation.

Resolves:
https://fedorahosted.org/freeipa/ticket/3859

Reviewed-By: Nathaniel McCallum <npmccallum@redhat.com>
sudorule: Enforce category ALL checks on dirsrv level 2014-06-25T18:14:51+00:00 Tomas Babej tbabej@redhat.com 2014-05-14T12:48:07+00:00 b1275c5b1c2038c9769377e9cf0afe04139d1d8d https://fedorahosted.org/freeipa/ticket/4341 Reviewed-By: Petr Viktorin <pviktori@redhat.com> 
https://fedorahosted.org/freeipa/ticket/4341

Reviewed-By: Petr Viktorin <pviktori@redhat.com>
sudorule: Make sure sudoRunAsGroup is dereferencing the correct attribute 2014-06-25T18:14:50+00:00 Tomas Babej tbabej@redhat.com 2014-05-14T11:18:00+00:00 3a56b155e80a744c7a924915aae954e0a3d81e9e Makes sure we dereference the correct attribute. Also adds object class checking. https://fedorahosted.org/freeipa/ticket/4324 Reviewed-By: Petr Viktorin <pviktori@redhat.com> 
Makes sure we dereference the correct attribute. Also adds object class
checking.

https://fedorahosted.org/freeipa/ticket/4324

Reviewed-By: Petr Viktorin <pviktori@redhat.com>
sudorule: Allow using external groups as groups of runAsUsers 2014-06-25T18:14:49+00:00 Tomas Babej tbabej@redhat.com 2014-05-14T11:09:28+00:00 9304b649a32c57e80f53913d7fbdee92fd76a251 Adds a new attribute ipaSudoRunAsExtUserGroup and corresponding hooks sudorule plugin. https://fedorahosted.org/freeipa/ticket/4263 Reviewed-By: Petr Viktorin <pviktori@redhat.com> 
Adds a new attribute ipaSudoRunAsExtUserGroup and corresponding hooks
sudorule plugin.

https://fedorahosted.org/freeipa/ticket/4263

Reviewed-By: Petr Viktorin <pviktori@redhat.com>
sudorule: Allow using hostmasks for setting allowed hosts 2014-06-25T18:14:49+00:00 Tomas Babej tbabej@redhat.com 2014-05-14T10:52:26+00:00 a228d7a3cb32b14ff24b47adb14d896d317f6312 Adds a new --hostmasks option to sudorule-add-host and sudorule-remove-host commands, which allows setting a range of hosts specified by a hostmask. https://fedorahosted.org/freeipa/ticket/4274 Reviewed-By: Petr Viktorin <pviktori@redhat.com> 
Adds a new --hostmasks option to sudorule-add-host and sudorule-remove-host
commands, which allows setting a range of hosts specified by a hostmask.

https://fedorahosted.org/freeipa/ticket/4274

Reviewed-By: Petr Viktorin <pviktori@redhat.com>
trusts: Allow reading system trust accounts by adtrust agents 2014-06-25T13:01:52+00:00 Tomas Babej tbabej@redhat.com 2014-06-24T16:24:32+00:00 c2e6b74029e08a4eadb7a14a4c711febfc83b5be Reviewed-By: Alexander Bokovoy <abokovoy@redhat.com> 
Reviewed-By: Alexander Bokovoy <abokovoy@redhat.com>
Convert Sudo Command Group default permissions to managed 2014-06-24T11:53:41+00:00 Petr Viktorin pviktori@redhat.com 2014-06-04T15:39:10+00:00 52003a9ffb2e335f613b1392eb9b7bdc1a46792b Part of the work for: https://fedorahosted.org/freeipa/ticket/4346 Reviewed-By: Martin Kosek <mkosek@redhat.com> 
Part of the work for: https://fedorahosted.org/freeipa/ticket/4346

Reviewed-By: Martin Kosek <mkosek@redhat.com>
Convert Sudo Command default permissions to managed 2014-06-24T11:53:41+00:00 Petr Viktorin pviktori@redhat.com 2014-06-04T15:39:10+00:00 6b478628dc09f1138796deac5650d807bca02ee9 Part of the work for: https://fedorahosted.org/freeipa/ticket/4346 Reviewed-By: Martin Kosek <mkosek@redhat.com> 
Part of the work for: https://fedorahosted.org/freeipa/ticket/4346

Reviewed-By: Martin Kosek <mkosek@redhat.com>
Convert SELinux User Map default permissions to managed 2014-06-24T11:53:41+00:00 Petr Viktorin pviktori@redhat.com 2014-06-04T15:39:10+00:00 f8dc51860c4ec006e25314d934e530cdcdfa4dda Part of the work for: https://fedorahosted.org/freeipa/ticket/4346 Reviewed-By: Martin Kosek <mkosek@redhat.com> 
Part of the work for: https://fedorahosted.org/freeipa/ticket/4346

Reviewed-By: Martin Kosek <mkosek@redhat.com>
Convert HBAC Service Group default permissions to managed 2014-06-24T11:53:40+00:00 Petr Viktorin pviktori@redhat.com 2014-06-04T15:39:10+00:00 8e8e6b1ae7c28460f076475d549a8c46fda32c68 Part of the work for: https://fedorahosted.org/freeipa/ticket/4346 Reviewed-By: Martin Kosek <mkosek@redhat.com> 
Part of the work for: https://fedorahosted.org/freeipa/ticket/4346

Reviewed-By: Martin Kosek <mkosek@redhat.com>