freeipa.git/install/share, branch WIP Unnamed repository; edit this file 'description' to name the repository. WIP: SIDs 2012-04-30T15:26:24+00:00 Sumit Bose sbose@redhat.com 2012-03-26T10:18:39+00:00 760ea9432b01f46cbea3628519963f90e7685a6f 






Perform case-insensitive searches for principals on TGS requests
2012-04-30T15:26:24+00:00

Alexander Bokovoy
abokovoy@redhat.com

2012-03-26T11:23:42+00:00

3c8876c3587c86de9684afe882965d40f1c75847

We want to always resolve TGS requests even if the user mistakenly sends a
request for a service ticket where the fqdn part contain upper case letters.

The actual implementation follows hints set by KDC. When AP_REQ is done, KDC
sets KRB5_FLAG_ALIAS_OK and we obey it when looking for principals on TGS requests.

https://fedorahosted.org/freeipa/ticket/1577





We want to always resolve TGS requests even if the user mistakenly sends a
request for a service ticket where the fqdn part contain upper case letters.

The actual implementation follows hints set by KDC. When AP_REQ is done, KDC
sets KRB5_FLAG_ALIAS_OK and we obey it when looking for principals on TGS requests.

https://fedorahosted.org/freeipa/ticket/1577







Use a dedicated keytab for samba
2012-04-30T15:26:24+00:00

Sumit Bose
sbose@redhat.com

2012-01-03T16:58:54+00:00

08d169fb14dad41bb6e90132d94ad0ec629edc61

Fixes https://fedorahosted.org/freeipa/ticket/2168





Fixes https://fedorahosted.org/freeipa/ticket/2168







Use mixed-case for Read DNS Entries permission
2012-04-23T08:00:40+00:00

Rob Crittenden
rcritten@redhat.com

2012-04-20T15:07:47+00:00

0423213148a1a2f9762adf243f383398c1ec8b9e

https://fedorahosted.org/freeipa/ticket/2569





https://fedorahosted.org/freeipa/ticket/2569







Fix installation when server hostname is not in a default domain
2012-04-09T00:35:10+00:00

Martin Kosek
mkosek@redhat.com

2012-04-04T14:31:04+00:00

184a066f4abc0ef83434f8cebbec87028258db65

When IPA server is configured with DNS and its hostname is not
located in a default domain, SRV records are not valid.
Additionally, httpd does not serve XMLRPC interface because it
IPA server domain-realm mapping is missing in krb5.conf. All CLI
commands were then failing.

This patch amends this configuration. It fixes SRV records in
served domain to include full FQDN instead of relative hostname
when the IPA server hostname is not located in served domain.
IPA server forward record is also placed to correct zone.

When IPA server is not in a served domain a proper domain-realm
mapping is configured to krb5.conf. The template was improved
in order to be able to hold this information.

https://fedorahosted.org/freeipa/ticket/2602





When IPA server is configured with DNS and its hostname is not
located in a default domain, SRV records are not valid.
Additionally, httpd does not serve XMLRPC interface because it
IPA server domain-realm mapping is missing in krb5.conf. All CLI
commands were then failing.

This patch amends this configuration. It fixes SRV records in
served domain to include full FQDN instead of relative hostname
when the IPA server hostname is not located in served domain.
IPA server forward record is also placed to correct zone.

When IPA server is not in a served domain a proper domain-realm
mapping is configured to krb5.conf. The template was improved
in order to be able to hold this information.

https://fedorahosted.org/freeipa/ticket/2602







Return consistent value when hostcat and usercat is all.
2012-04-08T20:54:32+00:00

Rob Crittenden
rcritten@redhat.com

2012-04-05T14:03:04+00:00

7471ba22370626b26413c0f861c4ebb4a7128948

We were returning '' for the first entry when hostcat and usercat were
set to all. All subsequent entries were padded with - which effectively
denied access.

This requires slapi-nis 0.40+

https://fedorahosted.org/freeipa/ticket/2192





We were returning '' for the first entry when hostcat and usercat were
set to all. All subsequent entries were padded with - which effectively
denied access.

This requires slapi-nis 0.40+

https://fedorahosted.org/freeipa/ticket/2192







Forbid public access to DNS tree
2012-04-02T01:17:04+00:00

Martin Kosek
mkosek@redhat.com

2012-04-02T12:57:33+00:00

df13cdcb974e9f8b161be35fcef9651c2ffe0b5e

With a publicly accessible DNS tree in LDAP, anyone with an access
to the LDAP server can get all DNS data as with a zone transfer
which is already restricted with ACL. Making DNS tree not readable
to public is a common security practice and should be applied
in FreeIPA as well.

This patch adds a new deny rule to forbid access to DNS tree to
users or hosts without an appropriate permission or users which
are not members of admins group. The new permission/aci is
applied both for new installs and upgraded servers.

bind-dyndb-ldap plugin is allowed to read DNS tree without any
change because its principal is already a member of "DNS
Servers" privilege.

https://fedorahosted.org/freeipa/ticket/2569





With a publicly accessible DNS tree in LDAP, anyone with an access
to the LDAP server can get all DNS data as with a zone transfer
which is already restricted with ACL. Making DNS tree not readable
to public is a common security practice and should be applied
in FreeIPA as well.

This patch adds a new deny rule to forbid access to DNS tree to
users or hosts without an appropriate permission or users which
are not members of admins group. The new permission/aci is
applied both for new installs and upgraded servers.

bind-dyndb-ldap plugin is allowed to read DNS tree without any
change because its principal is already a member of "DNS
Servers" privilege.

https://fedorahosted.org/freeipa/ticket/2569







Amend permissions for new DNS attributes
2012-03-26T03:58:24+00:00

Martin Kosek
mkosek@redhat.com

2012-03-14T09:38:33+00:00

b944ad44b5ac66a253b28613cf0b722c4d4ad444

New features in bind-dyndb-ldap and IPA DNS plugin pulled new
attributes and objectclasses. ACIs and permissions need to be
updated to allow users with appropriate permissions update
these attributes in LDAP.

This patch updates the ACI for DNS record updates and adds one
new permission to update global DNS configuration.

https://fedorahosted.org/freeipa/ticket/2510





New features in bind-dyndb-ldap and IPA DNS plugin pulled new
attributes and objectclasses. ACIs and permissions need to be
updated to allow users with appropriate permissions update
these attributes in LDAP.

This patch updates the ACI for DNS record updates and adds one
new permission to update global DNS configuration.

https://fedorahosted.org/freeipa/ticket/2510







Add support for sudoOrder
2012-03-02T02:02:33+00:00

Rob Crittenden
rcritten@redhat.com

2012-03-01T19:02:28+00:00

d55d8bfa7ed1d3617274c9f53974e7bf5209cc4e

Update ipaSudoRule objectClass on upgrades to add new attributes.
Ensure uniqueness of sudoOrder in rules.

The attributes sudoNotBefore and sudoNotAfter are being added to
schema but not as Params.

https://fedorahosted.org/freeipa/ticket/1314





Update ipaSudoRule objectClass on upgrades to add new attributes.
Ensure uniqueness of sudoOrder in rules.

The attributes sudoNotBefore and sudoNotAfter are being added to
schema but not as Params.

https://fedorahosted.org/freeipa/ticket/1314







Fix nested netgroups in NIS.
2012-02-29T15:01:58+00:00

Rob Crittenden
rcritten@redhat.com

2012-02-29T02:50:15+00:00

c48d34fa433e9472d196b0258cac16934a1dae48

We originally designed netgroups to use a special membership attribute,
memberNisNetgroup. We changed it at implementation time but never updated
the mapping.

https://fedorahosted.org/freeipa/ticket/2359





We originally designed netgroups to use a special membership attribute,
memberNisNetgroup. We changed it at implementation time but never updated
the mapping.

https://fedorahosted.org/freeipa/ticket/2359