freeipa.git/install/updates, branch replace_private_samba_calls Unnamed repository; edit this file 'description' to name the repository. Add ACI to allow regenerating ipaNTHash from ipasam 2012-08-22T14:21:27+00:00 Alexander Bokovoy abokovoy@redhat.com 2012-08-22T11:24:33+00:00 155d1efd488a25ff6c5847423c6a2f9d40410cbf ACI was lacking to allow actually writing MagicRegen into ipaNTHash attribute, Part 2 of https://fedorahosted.org/freeipa/ticket/3016 
ACI was lacking to allow actually writing MagicRegen into ipaNTHash attribute,

Part 2 of https://fedorahosted.org/freeipa/ticket/3016
Add per-service option to store the types of PAC it supports 2012-08-01T14:15:51+00:00 Rob Crittenden rcritten@redhat.com 2012-08-01T14:14:11+00:00 fb817d340139822d17414da93853be5bc3bf6086 Create a per-service default as well. https://fedorahosted.org/freeipa/ticket/2184 
Create a per-service default as well.

https://fedorahosted.org/freeipa/ticket/2184
Use certmonger to renew CA subsystem certificates 2012-07-30T11:39:08+00:00 Rob Crittenden rcritten@redhat.com 2012-07-11T19:51:01+00:00 03837bfd6dbf7fd1eaa437da22807d7061b99af7 Certificate renewal can be done only one one CA as the certificates need to be shared amongst them. certmonger has been trained to communicate directly with dogtag to perform the renewals. The initial CA installation is the defacto certificate renewal master. A copy of the certificate is stored in the IPA LDAP tree in cn=ca_renewal,cn=ipa,cn=etc,$SUFFIX, the rdn being the nickname of the certificate, when a certificate is renewed. Only the most current certificate is stored. It is valid to have no certificates there, it means that no renewals have taken place. The clones are configured with a new certmonger CA type that polls this location in the IPA tree looking for an updated certificate. If one is not found then certmonger is put into the CA_WORKING state and will poll every 8 hours until an updated certificate is available. The RA agent certificate, ipaCert in /etc/httpd/alias, is a special case. When this certificate is updated we also need to update its entry in the dogtag tree, adding the updated certificate and telling dogtag which certificate to use. This is the certificate that lets IPA issue certificates. On upgrades we check to see if the certificate tracking is already in place. If not then we need to determine if this is the master that will do the renewals or not. This decision is made based on whether it was the first master installed. It is concievable that this master is no longer available meaning that none are actually tracking renewal. We will need to document this. https://fedorahosted.org/freeipa/ticket/2803 
Certificate renewal can be done only one one CA as the certificates need
to be shared amongst them. certmonger has been trained to communicate
directly with dogtag to perform the renewals. The initial CA installation
is the defacto certificate renewal master.

A copy of the certificate is stored in the IPA LDAP tree in
cn=ca_renewal,cn=ipa,cn=etc,$SUFFIX, the rdn being the nickname of the
certificate, when a certificate is renewed. Only the most current
certificate is stored. It is valid to have no certificates there, it means
that no renewals have taken place.

The clones are configured with a new certmonger CA type that polls this
location in the IPA tree looking for an updated certificate. If one is
not found then certmonger is put into the CA_WORKING state and will poll
every 8 hours until an updated certificate is available.

The RA agent certificate, ipaCert in /etc/httpd/alias, is a special case.
When this certificate is updated we also need to update its entry in
the dogtag tree, adding the updated certificate and telling dogtag which
certificate to use. This is the certificate that lets IPA issue
certificates.

On upgrades we check to see if the certificate tracking is already in
place. If not then we need to determine if this is the master that will
do the renewals or not. This decision is made based on whether it was
the first master installed. It is concievable that this master is no
longer available meaning that none are actually tracking renewal. We
will need to document this.

https://fedorahosted.org/freeipa/ticket/2803
Add automount map/key update permissions 2012-07-11T00:41:14+00:00 Martin Kosek mkosek@redhat.com 2012-07-10T13:27:37+00:00 4760c15cb2c8692b0e258ef62234aa18ab5fc193 Add missing permissions that can be used to delegate write access to existing automount maps or keys. Since automount key RDN has been changed in the past from "automountkey" to "description" and there can be LDAP entries with both RDNs, structure of relevant ACI need to be changed to different scheme. Now, it rather targets a DN of parent automount map object and uses targetfilter to limit the target to automount key objects only. https://fedorahosted.org/freeipa/ticket/2687 
Add missing permissions that can be used to delegate write access
to existing automount maps or keys.

Since automount key RDN has been changed in the past from "automountkey"
to "description" and there can be LDAP entries with both RDNs,
structure of relevant ACI need to be changed to different scheme. Now,
it rather targets a DN of parent automount map object and uses
targetfilter to limit the target to automount key objects only.

https://fedorahosted.org/freeipa/ticket/2687
Create default range entry after upgrade 2012-07-02T14:27:33+00:00 Martin Kosek mkosek@redhat.com 2012-07-02T12:07:01+00:00 d5fe02999cca064dd64a8a3495f937ea7bcefbd8 Create default range both on new install and on upgrades. Also make sure that all range object classes are present for upgraded machines. Default range LDIF entry for new install was fixed so that new installation does not crash. https://fedorahosted.org/freeipa/ticket/2891 
Create default range both on new install and on upgrades. Also make
sure that all range object classes are present for upgraded machines.

Default range LDIF entry for new install was fixed so that new
installation does not crash.

https://fedorahosted.org/freeipa/ticket/2891
Add objects for initial ID range 2012-06-29T20:21:20+00:00 Sumit Bose sbose@redhat.com 2012-06-12T09:58:41+00:00 0350b5e8a18ea63f04c753ae4bd71e5bc15cec90 






Per-domain DNS record permissions
2012-06-28T13:21:21+00:00

Martin Kosek
mkosek@redhat.com

2012-06-27T11:10:10+00:00

52f69aaa8ab4d633bbeb96799bf96e8a715d0ae0

IPA implements read/write permissions for DNS record or zones.
Provided set of permissions and privileges can, however, only grant
access to the whole DNS tree, which may not be appropriate.
Administrators may miss more fine-grained permissions allowing
them to delegate access per-zone.

Create a new IPA auxiliary objectclass ipaDNSZone allowing
a managedBy attribute for a DNS zone. This attribute will hold
a group DN (in this case a permission) which allows its members
to read or write in a zone. Member permissions in given zone
will only have 2 limitations:
1) Members cannot delete the zone
2) Members cannot edit managedBy attribute

Current DNS deny ACI used to enforce read access is removed so that
DNS privileges are based on allow ACIs only, which is much more
flexible approach as deny ACIs have always precedence and limit
other extensions. Per-zone access is allowed in 3 generic ACIs
placed in cn=dns,$SUFFIX so that no special ACIs has to be added
to DNS zones itselves.

2 new commands have been added which allows an administrator to
create the system permission allowing the per-zone access and
fill a zone's managedBy attribute:
 * dnszone-add-permission: Add per-zone permission
 * dnszone-remove-permission: Remove per-zone permission

https://fedorahosted.org/freeipa/ticket/2511





IPA implements read/write permissions for DNS record or zones.
Provided set of permissions and privileges can, however, only grant
access to the whole DNS tree, which may not be appropriate.
Administrators may miss more fine-grained permissions allowing
them to delegate access per-zone.

Create a new IPA auxiliary objectclass ipaDNSZone allowing
a managedBy attribute for a DNS zone. This attribute will hold
a group DN (in this case a permission) which allows its members
to read or write in a zone. Member permissions in given zone
will only have 2 limitations:
1) Members cannot delete the zone
2) Members cannot edit managedBy attribute

Current DNS deny ACI used to enforce read access is removed so that
DNS privileges are based on allow ACIs only, which is much more
flexible approach as deny ACIs have always precedence and limit
other extensions. Per-zone access is allowed in 3 generic ACIs
placed in cn=dns,$SUFFIX so that no special ACIs has to be added
to DNS zones itselves.

2 new commands have been added which allows an administrator to
create the system permission allowing the per-zone access and
fill a zone's managedBy attribute:
 * dnszone-add-permission: Add per-zone permission
 * dnszone-remove-permission: Remove per-zone permission

https://fedorahosted.org/freeipa/ticket/2511







Remove ipaNTHash from global allow ACI
2012-06-26T19:28:25+00:00

Martin Kosek
mkosek@redhat.com

2012-06-26T16:09:32+00:00

32ef4efaca96d7cfa05c00484fe926bd89c80d12

ipaNTHash contains security sensitive information, it should be hidden just
like other password attributes. As a part of preparation for ticket #2511,
the ACI allowing global access is also updated to hide DNS zones.

https://fedorahosted.org/freeipa/ticket/2856





ipaNTHash contains security sensitive information, it should be hidden just
like other password attributes. As a part of preparation for ticket #2511,
the ACI allowing global access is also updated to hide DNS zones.

https://fedorahosted.org/freeipa/ticket/2856







Use exop instead of kadmin.local
2012-06-11T07:40:59+00:00

Sumit Bose
sbose@redhat.com

2012-03-13T13:06:02+00:00

b367c9ee7e2c7412473bae469f5ac67c0c8f1205












Add trust-related ACIs
2012-06-07T07:39:10+00:00

Alexander Bokovoy
abokovoy@redhat.com

2012-05-15T17:03:16+00:00

bd0d85804320e840db9b5cf19a5e69b3a0804e20

A high-level description of the design and ACIs for trusts is available at
https://www.redhat.com/archives/freeipa-devel/2011-December/msg00224.html
and
https://www.redhat.com/archives/freeipa-devel/2011-December/msg00248.html

Ticket #1731





A high-level description of the design and ACIs for trusts is available at
https://www.redhat.com/archives/freeipa-devel/2011-December/msg00224.html
and
https://www.redhat.com/archives/freeipa-devel/2011-December/msg00248.html

Ticket #1731