freeipa.git/install/updates/10-bind-schema.update, branch webui_isolate FreeIPA patches Remove schema modifications from update files 2013-11-18T15:54:21+00:00 Petr Viktorin pviktori@redhat.com 2013-04-26T13:32:10+00:00 d9a1c09e7c70af697676449dab6737da0a392f66 As schema is now handled by the schema updater, these entries are superfluous. https://fedorahosted.org/freeipa/ticket/3454 
As schema is now handled by the schema updater, these entries
are superfluous.

https://fedorahosted.org/freeipa/ticket/3454
Fix syntax errors in schema files 2013-04-26T15:15:16+00:00 Petr Viktorin pviktori@redhat.com 2013-04-22T13:21:04+00:00 d4a0fa34afd30765e5ea6f0df21976a6494f13d6 - add missing closing parenthesis in idnsRecord declaration - remove extra dollar sign from ipaSudoRule declaration - handle missing/extraneous X-ORIGIN lines in 10-selinuxusermap.update This does not use the schema updater because the syntax needs to be fixed in the files themselves, otherwise 389 1.3.2+ will fail to start. Older DS versions transparently fix the syntax errors. The existing ldap-updater directive for ipaSudoRule is fixed (ldap-updater runs after upgradeconfig). https://fedorahosted.org/freeipa/ticket/3578 
- add missing closing parenthesis in idnsRecord declaration
- remove extra dollar sign from ipaSudoRule declaration
- handle missing/extraneous X-ORIGIN lines in 10-selinuxusermap.update

This does not use the schema updater because the syntax needs to be
fixed in the files themselves, otherwise 389 1.3.2+ will fail
to start.
Older DS versions transparently fix the syntax errors.

The existing ldap-updater directive for ipaSudoRule is fixed
(ldap-updater runs after upgradeconfig).

https://fedorahosted.org/freeipa/ticket/3578
Remove 'cn' attribute from idnsRecord and idnsZone objectClasses 2013-04-10T11:56:11+00:00 Petr Viktorin pviktori@redhat.com 2013-04-09T14:40:22+00:00 74abb432fb35ce222fd2a9b954557080cad63bf4 A commonName attribute has no meaning in DNS records. https://fedorahosted.org/freeipa/ticket/3514 
A commonName attribute has no meaning in DNS records.

https://fedorahosted.org/freeipa/ticket/3514
Change CNAME and DNAME attributes to single valued 2013-04-02T15:11:46+00:00 Martin Kosek mkosek@redhat.com 2013-03-04T11:48:05+00:00 81be28d6bd49cad19d41a572b0d09c6fe9663359 These DNS attributeTypes are of a singleton type, update LDAP schema to reflect it. https://fedorahosted.org/freeipa/ticket/3440 https://fedorahosted.org/freeipa/ticket/3450 
These DNS attributeTypes are of a singleton type, update LDAP schema
to reflect it.

https://fedorahosted.org/freeipa/ticket/3440
https://fedorahosted.org/freeipa/ticket/3450
Add safe updates for objectClasses 2012-09-05T02:45:27+00:00 Martin Kosek mkosek@redhat.com 2012-09-04T11:18:54+00:00 917a48067586eac3f0c999cb972232309e889acd Current objectclass updates in a form of "replace" update instruction dependent on exact match of the old object class specification in the update instruction and the real value in LDAP. However, this approach is very error prone as object class definition can easily differ as for example because of unexpected X-ORIGIN value. Such objectclass update failures may lead to serious malfunctions later. When comparing the objectclasses, make sure we normalize them both before we compare them to mitigate these kinds of errors. python-ldap's objectclass model can be utilized to do the normalization part. One objectclass update instruction was changed to do a replace of an objectclass separately from add update instruction so that we really only replace what's stored in LDAP. https://fedorahosted.org/freeipa/ticket/2440 
Current objectclass updates in a form of "replace" update instruction
dependent on exact match of the old object class specification in the
update instruction and the real value in LDAP. However, this approach is
very error prone as object class definition can easily differ as for
example because of unexpected X-ORIGIN value. Such objectclass update
failures may lead to serious malfunctions later.

When comparing the objectclasses, make sure we normalize them both
before we compare them to mitigate these kinds of errors. python-ldap's
objectclass model can be utilized to do the normalization part.

One objectclass update instruction was changed to do a replace of
an objectclass separately from add update instruction so that we
really only replace what's stored in LDAP.

https://fedorahosted.org/freeipa/ticket/2440
Per-domain DNS record permissions 2012-06-28T13:21:21+00:00 Martin Kosek mkosek@redhat.com 2012-06-27T11:10:10+00:00 52f69aaa8ab4d633bbeb96799bf96e8a715d0ae0 IPA implements read/write permissions for DNS record or zones. Provided set of permissions and privileges can, however, only grant access to the whole DNS tree, which may not be appropriate. Administrators may miss more fine-grained permissions allowing them to delegate access per-zone. Create a new IPA auxiliary objectclass ipaDNSZone allowing a managedBy attribute for a DNS zone. This attribute will hold a group DN (in this case a permission) which allows its members to read or write in a zone. Member permissions in given zone will only have 2 limitations: 1) Members cannot delete the zone 2) Members cannot edit managedBy attribute Current DNS deny ACI used to enforce read access is removed so that DNS privileges are based on allow ACIs only, which is much more flexible approach as deny ACIs have always precedence and limit other extensions. Per-zone access is allowed in 3 generic ACIs placed in cn=dns,$SUFFIX so that no special ACIs has to be added to DNS zones itselves. 2 new commands have been added which allows an administrator to create the system permission allowing the per-zone access and fill a zone's managedBy attribute: * dnszone-add-permission: Add per-zone permission * dnszone-remove-permission: Remove per-zone permission https://fedorahosted.org/freeipa/ticket/2511 
IPA implements read/write permissions for DNS record or zones.
Provided set of permissions and privileges can, however, only grant
access to the whole DNS tree, which may not be appropriate.
Administrators may miss more fine-grained permissions allowing
them to delegate access per-zone.

Create a new IPA auxiliary objectclass ipaDNSZone allowing
a managedBy attribute for a DNS zone. This attribute will hold
a group DN (in this case a permission) which allows its members
to read or write in a zone. Member permissions in given zone
will only have 2 limitations:
1) Members cannot delete the zone
2) Members cannot edit managedBy attribute

Current DNS deny ACI used to enforce read access is removed so that
DNS privileges are based on allow ACIs only, which is much more
flexible approach as deny ACIs have always precedence and limit
other extensions. Per-zone access is allowed in 3 generic ACIs
placed in cn=dns,$SUFFIX so that no special ACIs has to be added
to DNS zones itselves.

2 new commands have been added which allows an administrator to
create the system permission allowing the per-zone access and
fill a zone's managedBy attribute:
 * dnszone-add-permission: Add per-zone permission
 * dnszone-remove-permission: Remove per-zone permission

https://fedorahosted.org/freeipa/ticket/2511
Update schema for bind-dyndb-ldap 2012-02-24T08:40:36+00:00 Martin Kosek mkosek@redhat.com 2012-02-24T08:35:12+00:00 1816643a43802ca2a353930cb2bbb2781b39c80f Add new attributes and objectclasses to support new features: - global bind-dyndb-ldap settings in LDAP - conditional per-zone forwarding - per-zone configuration of automatic PTR updates - AllowQuery and AllowTransfer ACIs https://fedorahosted.org/freeipa/ticket/2215 https://fedorahosted.org/freeipa/ticket/2072 
Add new attributes and objectclasses to support new features:
  - global bind-dyndb-ldap settings in LDAP
  - conditional per-zone forwarding
  - per-zone configuration of automatic PTR updates
  - AllowQuery and AllowTransfer ACIs

https://fedorahosted.org/freeipa/ticket/2215
https://fedorahosted.org/freeipa/ticket/2072