path: root/ipaserver/install/plugins
Commit message | Author | Age | Files | Lines
...
* Allow PassSync user to locate and update NT users | Martin Kosek | 2015-01-19 | 1 | -0/+78
  Add new PassSync Service privilege that has sufficient access to let AD PassSync service search for NT users and update the password. To make sure existing PassSync user keeps working, it is added as a member of the new privilege. New update plugin is added to add link to the new privilege to the potentially existing PassSync user to avoid breaking the PassSync service.
  https://fedorahosted.org/freeipa/ticket/4837
  Reviewed-By: David Kupka <dkupka@redhat.com>
* Fix zone find during forwardzone upgrade | Martin Basti | 2015-01-09 | 1 | -0/+4
  https://fedorahosted.org/freeipa/ticket/4818
  Reviewed-By: Petr Spacek <pspacek@redhat.com>
* Fix: Upgrade forward zones after adding newer replica | Martin Basti | 2015-01-09 | 1 | -31/+34
  Patch fixes issue when forwardzones have not been upgraded after adding replica >=4.0 into topology with IPA 3.x servers.
  Ticket: https://fedorahosted.org/freeipa/ticket/4818
  Reviewed-By: Petr Spacek <pspacek@redhat.com>
* Remove usage of app_PYTHON in ipaserver Makefiles | Gabe | 2014-12-10 | 1 | -24/+0
  - Remove ChangeLog from ipa-client/Makefile.am
  https://fedorahosted.org/freeipa/ticket/4700
  Reviewed-By: Martin Basti <mbasti@redhat.com>
* Fix upgrade referint plugin | Martin Basti | 2014-11-13 | 2 | -0/+91
  Mixing 'Old' and 'New' attr style for referential integrity plugin causes errors. Now old settings are migrated to new style settings before upgrade.
  Ticket: https://fedorahosted.org/freeipa/ticket/4622
  Reviewed-By: David Kupka <dkupka@redhat.com>
* Fix: DNS policy upgrade raises assertion error | Martin Basti | 2014-11-13 | 1 | -1/+3
  Ticket: https://fedorahosted.org/freeipa/ticket/4708
  Reviewed-By: Jan Cholasta <jcholast@redhat.com>
* ldapupdater: set baserid to 0 for ipa-ad-trust-posix ranges | Petr Vobornik | 2014-11-11 | 1 | -1/+68
  New updater plugin which sets baserid to 0 for ranges with type ipa-ad-trust-posix.
  https://fedorahosted.org/freeipa/ticket/4221
  Reviewed-By: Tomas Babej <tbabej@redhat.com>
* Fix upgrade: do not use invalid ldap connection | Martin Basti | 2014-11-06 | 1 | -0/+3
  Ticket: https://fedorahosted.org/freeipa/ticket/4670
  Reviewed-By: Jan Cholasta <jcholast@redhat.com>
* updater: enable uid uniqueness plugin for posixAccounts | Alexander Bokovoy | 2014-10-21 | 2 | -0/+116
  https://fedorahosted.org/freeipa/ticket/4636
  Reviewed-By: Martin Kosek <mkosek@redhat.com>
* Support idviews in compat tree | Alexander Bokovoy | 2014-10-20 | 1 | -0/+11
  Reviewed-By: Tomas Babej <tbabej@redhat.com>
* Check LDAP instead of local configuration to see if IPA CA is enabled | Jan Cholasta | 2014-10-17 | 1 | -3/+4
  The check is done using a new hidden command ca_is_enabled.
  https://fedorahosted.org/freeipa/ticket/4621
  Reviewed-By: David Kupka <dkupka@redhat.com>
* idviews: Fix typo in upgrade handling of the Default Trust View | Tomas Babej | 2014-09-30 | 1 | -5/+5
  Fixed missing comma. Also removes leading spaces from the ldif, since this is not stripped by the updater.
  Part of: https://fedorahosted.org/freeipa/ticket/3979
  Reviewed-By: Jan Cholasta <jcholast@redhat.com>
* idviews: Create Default Trust View for upgraded servers | Tomas Babej | 2014-09-30 | 1 | -0/+48
  For upgraded servers with enabled AD trust support, we want to ensure that Default Trust View entry is created.
  Part of: https://fedorahosted.org/freeipa/ticket/3979
  Reviewed-By: Petr Viktorin <pviktori@redhat.com>
  Reviewed-By: Petr Vobornik <pvoborni@redhat.com>
  Reviewed-By: Alexander Bokovoy <abokovoy@redhat.com>
* Fix certmonger code causing the ca_renewal_master update plugin to fail | Jan Cholasta | 2014-09-23 | 1 | -1/+1
  https://fedorahosted.org/freeipa/ticket/4547
  Reviewed-By: David Kupka <dkupka@redhat.com>
* Allow deleting obsolete permissions; remove operational attribute permissions | Petr Viktorin | 2014-09-12 | 1 | -18/+21
  https://fedorahosted.org/freeipa/ticket/4534
  Reviewed-By: Martin Kosek <mkosek@redhat.com>
* Fix: Add managed read permissions for compat tree and operational attrs | Petr Viktorin | 2014-09-05 | 1 | -0/+18
  This is a fix for an earlier version, which was committed by mistake as:
  master: 418ce870bfbe13cea694a7b862cafe35c703f660
  ipa-4-0: 3e2c86aeabbd2e3c54ad73a40803ef2bf5b0cb17
  ipa-4-1: 9bcd88589e30d31d3f533cd42d2f816ef01b07c7
  Thanks to Alexander Bokovoy for contributions.
  https://fedorahosted.org/freeipa/ticket/4521
* Use certmonger D-Bus API instead of messing with its files. | David Kupka | 2014-09-05 | 1 | -4/+4
  FreeIPA certmonger module changed to use D-Bus to communicate with certmonger. Using the D-Bus API should be a more stable and supported way of using certmonger than tampering with its files. >=certmonger-0.75.13 is needed for this to work.
  https://fedorahosted.org/freeipa/ticket/4280
  Reviewed-By: Jan Cholasta <jcholast@redhat.com>
* Upload CA chain from DS NSS database to certificate store on server update. | Jan Cholasta | 2014-07-30 | 1 | -16/+52
  Part of https://fedorahosted.org/freeipa/ticket/3259
  Part of https://fedorahosted.org/freeipa/ticket/3520
  Reviewed-By: Rob Crittenden <rcritten@redhat.com>
* Add permissions for certificate store. | Jan Cholasta | 2014-07-30 | 1 | -0/+46
  Part of https://fedorahosted.org/freeipa/ticket/3259
  Part of https://fedorahosted.org/freeipa/ticket/3520
  Reviewed-By: Rob Crittenden <rcritten@redhat.com>
* Add permissions for CA certificate renewal. | Jan Cholasta | 2014-07-30 | 1 | -0/+23
  Reviewed-By: Rob Crittenden <rcritten@redhat.com>
* Fix DNS upgrade plugin should check if DNS container exists | Martin Basti | 2014-07-28 | 1 | -0/+4
  Fortunately this causes no error, because dnszone-find doesn't raise an exception if there is no DNS container.
  Reviewed-By: Petr Viktorin <pviktori@redhat.com>
* Restore privileges after forward zones update | Martin Basti | 2014-07-04 | 1 | -1/+42
  Ticket: https://fedorahosted.org/freeipa/ticket/3210
  Reviewed-By: Petr Spacek <pspacek@redhat.com>
* Fix upgrade to forward zones | Martin Basti | 2014-07-03 | 1 | -1/+1
  Reviewed-By: Petr Spacek <pspacek@redhat.com>
* Upgrade special master zones to forward zones | Martin Basti | 2014-06-27 | 1 | -2/+177
  This upgrade is executed only if IPA version is older than 4.0. Requires detection if 'idnsforwardzone' objectclass is present in schema before schema is upgraded.
  Design: http://www.freeipa.org/page/V4/Forward_zones#Updates_and_Upgrades
  Ticket: https://fedorahosted.org/freeipa/ticket/3210
  Reviewed-By: Martin Kosek <mkosek@redhat.com>
* Added upgrade step executed before schema is upgraded | Martin Basti | 2014-06-27 | 2 | -1/+15
  Class PreSchemaUpdate is executed before ldap schema update. This is required by ticket: https://fedorahosted.org/freeipa/ticket/3210
  Reviewed-By: Martin Kosek <mkosek@redhat.com>
* permission plugin: Join --type objectclass filters with OR | Petr Viktorin | 2014-06-23 | 1 | -2/+3
  For groups, we will need to filter on either posixgroup (which UPGs have but non-posix groups don't) and groupofnames/nestedgroup (which normal groups have but UPGs don't). Join permission_filter_objectclasses with `|` and add them as a single ipapermtargetfilter value.
  Part of the work for: https://fedorahosted.org/freeipa/ticket/3566
  Reviewed-By: Martin Kosek <mkosek@redhat.com>
* Add $REALM to variables supported by the managed permission updater | Petr Viktorin | 2014-06-18 | 1 | -0/+1
  This will allow converting password policy permissions.
  Part of the work for: https://fedorahosted.org/freeipa/ticket/4346
  Reviewed-By: Martin Kosek <mkosek@redhat.com>
* Remove the update_dns_permissions plugin | Petr Viktorin | 2014-06-18 | 1 | -56/+0
  This plugin created permissions that the managed permission updater would remove right away.
  Part of the work for: https://fedorahosted.org/freeipa/ticket/4346
  Reviewed-By: Martin Kosek <mkosek@redhat.com>
* managed permission updater: Add mechanism to replace SYSTEM permissions | Petr Viktorin | 2014-06-18 | 1 | -0/+18
  The "Read DNS Entries" permission, which was marked SYSTEM (no associated ACI), can now be converted to a regular managed permission. Add a mechanism for the updater to replace old SYSTEM permissions. This cannot be done in an update file because we do not want to replace V2 permissions with the same name.
  Part of the work for: https://fedorahosted.org/freeipa/ticket/4346
  Reviewed-By: Martin Kosek <mkosek@redhat.com>
* ipaplatform: Move all filesystem paths to ipaplatform.paths module | Tomas Babej | 2014-06-16 | 2 | -2/+4
  https://fedorahosted.org/freeipa/ticket/4052
  Reviewed-By: Petr Viktorin <pviktori@redhat.com>
* Make 'permission' the default bind type for managed permissions | Petr Viktorin | 2014-06-11 | 1 | -1/+1
  This reduces typing (or copy/pasting), and draws a bit of attention to any non-default privileges (currently 'any' or 'anonymous'). Leaving the bindtype out by mistake isn't dangerous: by default a permission is not granted to anyone, since it is not included in any privileges.
  Reviewed-By: Martin Kosek <mkosek@redhat.com>
* Add method to enumerate managed permission templates | Petr Viktorin | 2014-06-11 | 1 | -15/+30
  This will ease writing audit and management scripts for managed permissions.
  Reviewed-By: Martin Kosek <mkosek@redhat.com>
* managed perm updater: Handle case where we changed default ACIs in the past | Petr Viktorin | 2014-06-10 | 1 | -2/+18
  This handles the case where IPA's default ACIs changed in something else than just attribute lists. In this case we can narrow the set of ACIs we think the user might be upgrading from.
  Part of the work for: https://fedorahosted.org/freeipa/ticket/4346
  Reviewed-By: Martin Kosek <mkosek@redhat.com>
* Add mechanism for updating permissions to managed | Petr Viktorin | 2014-06-04 | 1 | -8/+135
  Part of the work for: https://fedorahosted.org/freeipa/ticket/4346
  Reviewed-By: Martin Kosek <mkosek@redhat.com>
* Remove the global anonymous read ACI | Petr Viktorin | 2014-05-26 | 2 | -96/+19
  Also remove
  - the deny ACIs that implemented exceptions to it:
    - no anonymous access to roles
    - no anonymous access to member information
    - no anonymous access to hbac
    - no anonymous access to sudo (2×)
  - its updater plugin
  Part of the work for: https://fedorahosted.org/freeipa/ticket/3566
  Reviewed-By: Martin Kosek <mkosek@redhat.com>
* Set user addressbook/IPA attribute read ACI to anonymous on upgrades from 3.x | Petr Viktorin | 2014-05-26 | 1 | -0/+14
  When upgrading from an "old" IPA, or installing the first "new" replica, we need to keep allowing anonymous access to many user attributes. Add an optional 'fixup_function' to the managed permission templates, and use it to set the bind rule type to 'anonymous' when installing (or upgrading to) the first "new" master. This assumes that the anonymous read ACI will be removed in a "new" IPA.
  Part of the work for: https://fedorahosted.org/freeipa/ticket/3566
  Reviewed-By: Martin Kosek <mkosek@redhat.com>
* update_managed_permissions: Pass around anonymous ACI rather than its blacklist | Petr Viktorin | 2014-05-26 | 1 | -17/+18
  It turns out the ACI object of the anonymous read ACI, rather than just the list of its attributes, will be useful in the future. Change the plugin so that the ACI object is passed around.
  Reviewed-By: Martin Kosek <mkosek@redhat.com>
* Replace "replica admins read access" ACI with a permission | Petr Viktorin | 2014-05-21 | 1 | -0/+61
  Add a 'Read Replication Agreements' permission to replace the read ACI for cn=config.
  https://fedorahosted.org/freeipa/ticket/3829
  Reviewed-By: Martin Kosek <mkosek@redhat.com>
* Add several managed read permissions under cn=etc | Petr Viktorin | 2014-04-24 | 1 | -2/+77
  This adds permissions to:
  - cn=masters,cn=ipa (with new privilege)
  - cn=dna,cn=ipa (authenticated users)
  - cn=ca_renewal,cn=ipa (authenticated users)
  - cn=CAcert,cn=ipa (anonymous)
  - cn=replication (authenticated users)
  - cn=ad (authenticated users)
  Part of the work for: https://fedorahosted.org/freeipa/ticket/3566
  Reviewed-By: Martin Kosek <mkosek@redhat.com>
* Add support for non-plugin default permissions | Petr Viktorin | 2014-04-24 | 1 | -2/+12
  Add support for managed permissions that are not tied to an object class and thus can't be defined in an Object plugin. A dict is added to hold templates for the non-plugin permissions.
  Reviewed-By: Martin Kosek <mkosek@redhat.com>
* Do not ask for memberindirect when updating managed permissions | Petr Viktorin | 2014-04-17 | 1 | -1/+2
  One of the default_attributes of permission is memberofindirect, a virtual attribute manufactured by ldap2, which is set when a permission is part of a role. When update_entry is called on an entry with memberofindirect, ipaldap tries to add the attribute to LDAP and fails with an objectclass violation. Do not ask for memberindirect when retrieving the entry.
  Reviewed-By: Martin Kosek <mkosek@redhat.com>
* Fix update_ca_renewal_master plugin on CA-less installs. | Jan Cholasta | 2014-04-10 | 1 | -26/+53
  This also fixes updates from ancient versions of IPA which did not have automatic CA subsystem certificate renewal.
  https://fedorahosted.org/freeipa/ticket/4294
  Reviewed-By: Martin Kosek <mkosek@redhat.com>
* Add mechanism for adding default permissions to privileges | Petr Viktorin | 2014-04-10 | 1 | -0/+11
  Part of the work for: https://fedorahosted.org/freeipa/ticket/3566
  Reviewed-By: Martin Kosek <mkosek@redhat.com>
* Allow overriding all attributes of default permissions | Petr Viktorin | 2014-04-09 | 1 | -12/+40
  Allow overriding ipapermtarget, ipapermtargetfilter, ipapermlocation, objectclass of default managed permissions. This allows defining permissions that are not tied to an object type. Default values are same as before. Also, do not reset ipapermbindruletype when updating an existing managed permission.
  Reviewed-By: Martin Kosek <mkosek@redhat.com>
* Document the managed permission updater operation | Petr Viktorin | 2014-04-09 | 1 | -0/+34
  The method was explained on the [Design] page, but as the updater is extended the design page would become obsolete. Document the operation in the docstring of the plugin itself.
  Design: http://www.freeipa.org/page/V3/Managed_Read_permissions#Default_Permission_Updater
  Reviewed-By: Martin Kosek <mkosek@redhat.com>
* Store information about which CA server is master for renewals in LDAP. | Jan Cholasta | 2014-03-25 | 2 | -0/+80
  Reviewed-By: Petr Viktorin <pviktori@redhat.com>
* Add Object metadata and update plugin for managed permissions | Petr Viktorin | 2014-03-25 | 1 | -0/+160
  The default read permission is added for Netgroup as an example.
  Part of the work for: https://fedorahosted.org/freeipa/ticket/3566
  Design: http://www.freeipa.org/page/V3/Managed_Read_permissions
  Reviewed-By: Martin Kosek <mkosek@redhat.com>
* Add HOTP support | Nathaniel McCallum | 2014-02-21 | 1 | -1/+1
  Reviewed-By: Alexander Bokovoy <abokovoy@redhat.com>
* Convert remaining update code to LDAPEntry API. | Jan Cholasta | 2014-01-24 | 8 | -28/+25
* Remove legacy LDAPEntry properties data and orig_data. | Jan Cholasta | 2014-01-10 | 1 | -4/+4
  https://fedorahosted.org/freeipa/ticket/3488