freeipa.git/install/updates, branch webui-details FreeIPA patches Add container and initial ACIs for entitlement support 2010-07-29T14:50:29+00:00 Rob Crittenden rcritten@redhat.com 2010-07-21T19:44:49+00:00 d4adbc8052faf18fb31e7b1865037aa107067d4b The entitlement entries themselves will be rather simple, consisting of the objectClasses ipaObject and pkiUser. We will just store userCertificate in it. The DN will contain the UUID of the entitlement. ticket #27 
The entitlement entries themselves will be rather simple, consisting
of the objectClasses ipaObject and pkiUser. We will just store
userCertificate in it. The DN will contain the UUID of the entitlement.

ticket #27
Add separate role group for enrolling hosts, enrollhost 2010-06-22T17:56:17+00:00 Rob Crittenden rcritten@redhat.com 2010-06-02T18:00:05+00:00 8c6c93125f344ca117cc24b2e96c55b1d9ae31bd 






Include missing update file 30-hbacsvc.update
2010-05-27T14:51:49+00:00

Rob Crittenden
rcritten@redhat.com

2010-05-26T13:48:22+00:00

49b3d3ba0fec9907d2fa42c55905fbecb644e3b2












Add ipaUniqueID to HBAC services and service groups
2010-05-27T14:51:02+00:00

Rob Crittenden
rcritten@redhat.com

2010-05-21T20:27:40+00:00

e123fa66719c7f71587383406d3205d17e60f669

Also fix the memberOf attribute for the HBAC services





Also fix the memberOf attribute for the HBAC services







Re-number some attributes to compress our usage to be contiguous
2010-05-27T14:50:49+00:00

Rob Crittenden
rcritten@redhat.com

2010-05-21T19:15:20+00:00

fe7cb34f76a04e04e4dd0ffe9e1795752b422e26

No longer install the policy or key escrow schemas and remove their
OIDs for now.

594149





No longer install the policy or key escrow schemas and remove their
OIDs for now.

594149







Use GSSAPI auth for the ipa-replica-manage list and del commands.
2010-03-19T21:17:14+00:00

Rob Crittenden
rcritten@redhat.com

2010-02-19T18:29:14+00:00

c19911845d93e4cbbf296caf18568231549a3e60

This creates a new role, replicaadmin, so a non-DM user can do
limited management of replication agreements.

Note that with cn=config if an unauthorized user performs a search
an error is not returned, no entries are returned. This makes it
difficult to determine if there are simply no replication agreements or
we aren't allowed to see them. Once the ipaldap.py module gets
replaced by ldap2 we can use Get Effective Rights to easily tell the
difference.





This creates a new role, replicaadmin, so a non-DM user can do
limited management of replication agreements.

Note that with cn=config if an unauthorized user performs a search
an error is not returned, no entries are returned. This makes it
difficult to determine if there are simply no replication agreements or
we aren't allowed to see them. Once the ipaldap.py module gets
replaced by ldap2 we can use Get Effective Rights to easily tell the
difference.







Set proper dn in default automount location
2010-02-23T23:10:15+00:00

Nalin Dahyabhai
nalin@redhat.com

2010-02-22T21:23:39+00:00

edf243d83a9c22a19d6dece035865f88d86cacb2












Add default automount location. Auto-create auto.direct in new locations.
2010-02-12T15:46:20+00:00

Pavel Zuna
pzuna@redhat.com

2010-02-12T12:33:25+00:00

b31f259b1a24b5da8a8ed80d27b1f925220e8f24












First pass at enforcing certificates be requested from same host
2009-10-21T09:22:44+00:00

Rob Crittenden
rcritten@redhat.com

2009-10-20T15:59:07+00:00

453a19fcaca9c2be1e3d0e78b734bd05e7d50764

We want to only allow a machine to request a certificate for itself, not for
other machines. I've added a new taksgroup which will allow this.

The requesting IP is resolved and compared to the subject of the CSR to
determine if they are the same host. The same is done with the service
principal. Subject alt names are not queried yet.

This does not yet grant machines actual permission to request certificates
yet, that is still limited to the taskgroup request_certs.





We want to only allow a machine to request a certificate for itself, not for
other machines. I've added a new taksgroup which will allow this.

The requesting IP is resolved and compared to the subject of the CSR to
determine if they are the same host. The same is done with the service
principal. Subject alt names are not queried yet.

This does not yet grant machines actual permission to request certificates
yet, that is still limited to the taskgroup request_certs.







Fix ACI for host delegation
2009-10-18T04:51:53+00:00

Rob Crittenden
rcritten@redhat.com

2009-10-08T20:48:04+00:00

383492866e1c29110e8727ee81cf6dd5e110ab20

We had changed the DN format, I must have missed these ACIs the first
go around.





We had changed the DN format, I must have missed these ACIs the first
go around.