freeipa.git, branch getkeytab FreeIPA patches man: Add -r option to ipa-getkeytab.1 2014-06-09T18:53:56+00:00 Simo Sorce simo@redhat.com 2013-09-23T19:48:58+00:00 2c58b9f626e0f93ac76d76c83fd53a427c89dae5 Update the man page with the new ipa-getkeytab option. 
Update the man page with the new ipa-getkeytab option.
ipa-getkeytab: Add support for get_keytab extop 2014-06-09T18:53:55+00:00 Simo Sorce simo@redhat.com 2013-09-19T16:50:35+00:00 63f7aa46f2e1d0f4dec7951cc1684f555fb77d39 This new extended operation is tried by default and then the code falls back to the old method if it fails. The new method allows for server side password generation as well as retrieval of existing credentials w/o causing regeneration of keys on the server. Resolves: https://fedorahosted.org/freeipa/ticket/3859 
This new extended operation is tried by default and then the code falls back to
the old method if it fails.
The new method allows for server side password generation as well as retrieval
of existing credentials w/o causing regeneration of keys on the server.

Resolves:
https://fedorahosted.org/freeipa/ticket/3859
ipa-getkeytab: Modularize ldap_set_keytab function 2014-06-09T18:53:52+00:00 Simo Sorce simo@redhat.com 2013-09-19T16:49:45+00:00 a8310c2486a192a573f67947df79199bb3eaecd5 Isolate parts that will be reused in following patches. 
Isolate parts that will be reused in following patches.
keytab: Add new extended operation to get a keytab. 2014-06-09T18:49:42+00:00 Simo Sorce simo@redhat.com 2013-09-17T04:30:14+00:00 aa785cf1ce101382c2adbc4a3c70361d1e7a27e0 This new extended operation allow to create new keys or retrieve existing ones. The new set of keys is returned as a ASN.1 structure similar to the one that is passed in by the 'set keytab' extended operation. Access to the operation is regulated through a new special ACI that allows 'retrieval' only if the user has access to an attribute named ipaProtectedOperation postfixed by the subtypes 'read_keys' and 'write_keys' to distinguish between creation and retrieval operation. For example for allowing retrieval by a specific user the following ACI is set on cn=accounts: (targetattr="ipaProtectedOperation;read_keys") ... ... userattr=ipaAllowedToPerform;read_keys#USERDN) This ACI matches only if the service object hosts a new attribute named ipaAllowedToPerform that holds the DN of the user attempting the operation. Resolves: https://fedorahosted.org/freeipa/ticket/3859 
This new extended operation allow to create new keys or retrieve
existing ones.
The new set of keys is returned as a ASN.1 structure similar to the one
that is passed in by the 'set keytab' extended operation.

Access to the operation is regulated through a new special ACI that
allows 'retrieval' only if the user has access to an attribute
named ipaProtectedOperation postfixed by the subtypes 'read_keys' and
'write_keys' to distinguish between creation and retrieval operation.

For example for allowing retrieval by a specific user the following ACI
is set on cn=accounts:

(targetattr="ipaProtectedOperation;read_keys") ...
 ... userattr=ipaAllowedToPerform;read_keys#USERDN)

This ACI matches only if the service object hosts a new attribute named
ipaAllowedToPerform that holds the DN of the user attempting the operation.

Resolves:
https://fedorahosted.org/freeipa/ticket/3859
keytabs: Expose and modify key encoding function 2014-06-09T18:35:00+00:00 Simo Sorce simo@redhat.com 2013-09-17T04:28:32+00:00 f440e927d8a66a3dd2e6505825e671052f66ae3e Make it available outside of the encoding.c file for use in a follow-up patch. Add option to not pass a password and generate a random key instead. Related: https://fedorahosted.org/freeipa/ticket/3859 
Make it available outside of the encoding.c file for use in a follow-up
patch.
Add option to not pass a password and generate a random key instead.

Related:
https://fedorahosted.org/freeipa/ticket/3859
keytabs: Modularize setkeytab operation 2014-06-09T18:34:58+00:00 Simo Sorce simo@redhat.com 2013-09-17T04:25:14+00:00 7589c3144c7680ce0761c969a21869098d367dbd In preparation of adding another function to avoid code duplication. Related: https://fedorahosted.org/freeipa/ticket/3859 
In preparation of adding another function to avoid code duplication.

Related:
https://fedorahosted.org/freeipa/ticket/3859
Add version and API version 2014-06-09T14:27:41+00:00 Gabe redhatrises@gmail.com 2014-06-06T12:39:59+00:00 2a8c509567754877ed0188784d7c38250484be48 - Add API version to constants.py - Add version option to plugable.py - Add version to ipa manpage and fix a couple of typos https://fedorahosted.org/freeipa/ticket/4316 Reviewed-By: Petr Viktorin <pviktori@redhat.com> 
- Add API version to constants.py
- Add version option to plugable.py
- Add version to ipa manpage and fix a couple of typos

https://fedorahosted.org/freeipa/ticket/4316

Reviewed-By: Petr Viktorin <pviktori@redhat.com>
ipautil.run args log message is confusing 2014-06-09T14:27:41+00:00 Gabe redhatrises@gmail.com 2014-06-06T12:55:23+00:00 ec282c7e96090f25bae4747e2e586af54bf49720 https://fedorahosted.org/freeipa/ticket/3724 Reviewed-By: Petr Viktorin <pviktori@redhat.com> 
https://fedorahosted.org/freeipa/ticket/3724

Reviewed-By: Petr Viktorin <pviktori@redhat.com>
Check for password expiration in pre-bind 2014-06-09T06:18:16+00:00 Simo Sorce simo@redhat.com 2013-05-09T18:25:14+00:00 bfdbd3b6ad7c437e7dd293d2488b2d53f4ea7ba6 If the password is expired fail a password bind. Resolves: https://fedorahosted.org/freeipa/ticket/1539 Reviewed-By: Martin Kosek <mkosek@redhat.com> Reviewed-By: Nathaniel McCallum <npmccallum@redhat.com> 
If the password is expired fail a password bind.

Resolves: https://fedorahosted.org/freeipa/ticket/1539
Reviewed-By: Martin Kosek <mkosek@redhat.com>
Reviewed-By: Nathaniel McCallum <npmccallum@redhat.com>
Add missing attributes to 'Modify Sudo rule' permission 2014-06-04T15:34:18+00:00 Petr Viktorin pviktori@redhat.com 2014-05-14T13:10:10+00:00 f802845a7abfca0b414ad6801968d33e6788916b https://fedorahosted.org/freeipa/ticket/4344 Reviewed-By: Martin Kosek <mkosek@redhat.com> 
https://fedorahosted.org/freeipa/ticket/4344

Reviewed-By: Martin Kosek <mkosek@redhat.com>